[| no | +| [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | +| [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no | +| [workloads\_subnets](#input\_workloads\_subnets) | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | +| [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` |
"185.46.212.88",
"185.46.212.89"
]
[| no | +| [zones\_enabled](#input\_zones\_enabled) | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance | `bool` | `false` | no | +| [zpa\_enabled](#input\_zpa\_enabled) | Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint ZPA DNS redirection | `bool` | `true` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [testbedconfig](#output\_testbedconfig) | Azure Testbed results | + diff --git a/examples/base_1cc_zpa/backend.tf b/examples/base_1cc_zpa/backend.tf new file mode 100755 index 0000000..b739715 --- /dev/null +++ b/examples/base_1cc_zpa/backend.tf @@ -0,0 +1,5 @@ +terraform { + backend "local" { + path = "../terraform.tfstate" + } +} diff --git a/examples/base_1cc_zpa/main.tf b/examples/base_1cc_zpa/main.tf new file mode 100755 index 0000000..7dfc086 --- /dev/null +++ b/examples/base_1cc_zpa/main.tf @@ -0,0 +1,237 @@ +################################################################################ +# Generate a unique random string for resource name assignment and key pair +################################################################################ +resource "random_string" "suffix" { + length = 8 + upper = false + special = false +} + + +################################################################################ +# Map default tags with values to be assigned to all tagged resources +################################################################################ +locals { + global_tags = { + Owner = var.owner_tag + ManagedBy = "terraform" + Vendor = "Zscaler" + Environment = var.environment + } +} + + +################################################################################ +# The following lines generates a new SSH key pair and stores the PEM file +# locally. The public key output is used as the instance_key passed variable +# to the vm modules for admin_ssh_key public_key authentication. +# This is not recommended for production deployments. Please consider modifying +# to pass your own custom public key file located in a secure location. +################################################################################ +# private key for login +resource "tls_private_key" "key" { + algorithm = var.tls_key_algorithm +} + +# write private key to local pem file +resource "local_file" "private_key" { + content = tls_private_key.key.private_key_pem + filename = "../${var.name_prefix}-key-${random_string.suffix.result}.pem" + file_permission = "0600" +} + + +################################################################################ +# 1. Create/reference all network infrastructure resource dependencies for all +# child modules (Resource Group, VNet, Subnets, NAT Gateway, Route Tables) +################################################################################ +module "network" { + source = "../../modules/terraform-zscc-network-azure" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + location = var.arm_location + network_address_space = var.network_address_space + cc_subnets = var.cc_subnets + workloads_subnets = var.workloads_subnets + public_subnets = var.public_subnets + private_dns_subnet = var.private_dns_subnet + zones_enabled = var.zones_enabled + zones = var.zones + cc_service_ip = module.cc_vm.service_ip + workloads_enabled = true + bastion_enabled = true + lb_enabled = var.lb_enabled + zpa_enabled = var.zpa_enabled +} + + +################################################################################ +# 2. Create Bastion Host for workload and CC SSH jump access +################################################################################ +module "bastion" { + source = "../../modules/terraform-zscc-bastion-azure" + location = var.arm_location + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + public_subnet_id = module.network.bastion_subnet_ids[0] + ssh_key = tls_private_key.key.public_key_openssh + bastion_nsg_source_prefix = var.bastion_nsg_source_prefix +} + + +################################################################################ +# 3. Create Workload Hosts to test traffic connectivity through CC +################################################################################ +module "workload" { + source = "../../modules/terraform-zscc-workload-azure" + workload_count = var.workload_count + location = var.arm_location + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + subnet_id = module.network.workload_subnet_ids[0] + ssh_key = tls_private_key.key.public_key_openssh + dns_servers = [] +} + + +################################################################################ +# 4. Create specified number of CC VMs per cc_count by default in an +# availability set for Azure Data Center fault tolerance. Optionally, deployed +# CCs can automatically span equally across designated availabilty zones +# if enabled via "zones_enabled" and "zones" variables. E.g. cc_count set to +# 4 and 2 zones ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2 +################################################################################ +# Create the user_data file with necessary bootstrap variables for Cloud Connector registration +locals { + userdata = <
"1"
]
[| no | +| [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | +| [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no | +| [workloads\_subnets](#input\_workloads\_subnets) | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | +| [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` |
"185.46.212.88",
"185.46.212.89"
]
[| no | +| [zones\_enabled](#input\_zones\_enabled) | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance | `bool` | `false` | no | +| [zpa\_enabled](#input\_zpa\_enabled) | Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint ZPA DNS redirection | `bool` | `true` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [testbedconfig](#output\_testbedconfig) | Azure Testbed results | + diff --git a/examples/base_cc_lb_zpa/backend.tf b/examples/base_cc_lb_zpa/backend.tf new file mode 100755 index 0000000..b739715 --- /dev/null +++ b/examples/base_cc_lb_zpa/backend.tf @@ -0,0 +1,5 @@ +terraform { + backend "local" { + path = "../terraform.tfstate" + } +} diff --git a/examples/base_cc_lb_zpa/main.tf b/examples/base_cc_lb_zpa/main.tf new file mode 100755 index 0000000..88f50bf --- /dev/null +++ b/examples/base_cc_lb_zpa/main.tf @@ -0,0 +1,259 @@ +################################################################################ +# Generate a unique random string for resource name assignment and key pair +################################################################################ +resource "random_string" "suffix" { + length = 8 + upper = false + special = false +} + + +################################################################################ +# Map default tags with values to be assigned to all tagged resources +################################################################################ +locals { + global_tags = { + Owner = var.owner_tag + ManagedBy = "terraform" + Vendor = "Zscaler" + Environment = var.environment + } +} + + +################################################################################ +# The following lines generates a new SSH key pair and stores the PEM file +# locally. The public key output is used as the instance_key passed variable +# to the vm modules for admin_ssh_key public_key authentication. +# This is not recommended for production deployments. Please consider modifying +# to pass your own custom public key file located in a secure location. +################################################################################ +# private key for login +resource "tls_private_key" "key" { + algorithm = var.tls_key_algorithm +} + +# write private key to local pem file +resource "local_file" "private_key" { + content = tls_private_key.key.private_key_pem + filename = "../${var.name_prefix}-key-${random_string.suffix.result}.pem" + file_permission = "0600" +} + + +################################################################################ +# 1. Create/reference all network infrastructure resource dependencies for all +# child modules (Resource Group, VNet, Subnets, NAT Gateway, Route Tables) +################################################################################ +module "network" { + source = "../../modules/terraform-zscc-network-azure" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + location = var.arm_location + network_address_space = var.network_address_space + cc_subnets = var.cc_subnets + workloads_subnets = var.workloads_subnets + public_subnets = var.public_subnets + private_dns_subnet = var.private_dns_subnet + zones_enabled = var.zones_enabled + zones = var.zones + lb_frontend_ip = module.cc_lb.lb_ip + workloads_enabled = true + bastion_enabled = true + lb_enabled = var.lb_enabled + zpa_enabled = var.zpa_enabled +} + + +################################################################################ +# 2. Create Bastion Host for workload and CC SSH jump access +################################################################################ +module "bastion" { + source = "../../modules/terraform-zscc-bastion-azure" + location = var.arm_location + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + public_subnet_id = module.network.bastion_subnet_ids[0] + ssh_key = tls_private_key.key.public_key_openssh + bastion_nsg_source_prefix = var.bastion_nsg_source_prefix +} + + +################################################################################ +# 3. Create Workload Hosts to test traffic connectivity through CC +################################################################################ +module "workload" { + source = "../../modules/terraform-zscc-workload-azure" + workload_count = var.workload_count + location = var.arm_location + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + subnet_id = module.network.workload_subnet_ids[0] + ssh_key = tls_private_key.key.public_key_openssh + dns_servers = [] +} + + +################################################################################ +# 4. Create specified number of CC VMs per cc_count by default in an +# availability set for Azure Data Center fault tolerance. Optionally, deployed +# CCs can automatically span equally across designated availabilty zones +# if enabled via "zones_enabled" and "zones" variables. E.g. cc_count set to +# 4 and 2 zones ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2 +################################################################################ +# Create the user_data file with necessary bootstrap variables for Cloud Connector registration +locals { + userdata = <
"1"
]
[| no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` |
"185.46.212.88",
"185.46.212.89"
]
[| no | | [zones\_enabled](#input\_zones\_enabled) | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance | `bool` | `false` | no | +| [zpa\_enabled](#input\_zpa\_enabled) | Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint ZPA DNS redirection | `bool` | `true` | no | ## Outputs diff --git a/examples/cc_lb/main.tf b/examples/cc_lb/main.tf index 764b2a0..6764d2d 100755 --- a/examples/cc_lb/main.tf +++ b/examples/cc_lb/main.tf @@ -53,8 +53,11 @@ module "network" { location = var.arm_location network_address_space = var.network_address_space cc_subnets = var.cc_subnets + private_dns_subnet = var.private_dns_subnet zones_enabled = var.zones_enabled zones = var.zones + lb_frontend_ip = module.cc_lb.lb_ip + zpa_enabled = var.zpa_enabled #bring-your-own variables byo_rg = var.byo_rg byo_rg_name = var.byo_rg_name @@ -190,6 +193,40 @@ module "cc_lb" { } +################################################################################ +# 6. Create Azure Private DNS Resolver Ruleset, Rules, and Outbound Endpoint +# for utilization with DNS redirection/conditional forwarding to Cloud +# Connector to enabling ZPA and/or ZIA DNS control features. +# This can optionally be enabled/disabled per variable "zpa_enabled". +################################################################################ +module "private_dns" { + count = var.zpa_enabled ? 1 : 0 + source = "../../modules/terraform-zscc-private-dns-azure" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + location = var.arm_location + vnet_id = module.network.virtual_network_id + private_dns_subnet_id = module.network.private_dns_subnet_id + domain_names = var.domain_names + target_address = var.target_address +} + +################################################################################ +# Optional: Example create Azure Private DNS Resolver Virtual Network Link +# variable spoke_vnets does not exist in this deployment. This is simply +# an example of how you may utilize the private_dns module to create +# virtual network links for spoke VNets +################################################################################ +#resource "azurerm_private_dns_resolver_virtual_network_link" "dns_vnet_link" { +# count = length(var.spoke_vnets) +# name = "${var.name_prefix}-vnet-link-${count.index + 1}-${random_string.suffix.result}" +# dns_forwarding_ruleset_id = module.private_dns.private_dns_forwarding_ruleset_id +# virtual_network_id = element(var.spoke_vnets, count.index) +#} + + ################################################################################ # Validation for Cloud Connector instance size and VM Instance Type # compatibilty. Terraform does not have a good/native way to raise an error at diff --git a/examples/cc_lb/outputs.tf b/examples/cc_lb/outputs.tf index 667b907..3006279 100755 --- a/examples/cc_lb/outputs.tf +++ b/examples/cc_lb/outputs.tf @@ -17,6 +17,15 @@ ${module.cc_lb.lb_ip} All NAT GW IPs: ${join("\n", module.network.public_ip_address)} +Private DNS Resolver: +${try(module.private_dns.private_dns_resolver_name, "")} + +Private DNS Forwarding Ruleset: +${try(module.private_dns.private_dns_forwarding_ruleset_name, "")} + +Private DNS Outbound Endpoint: +${try(module.private_dns.private_dns_outbound_endpoint_name, "")} + TB } diff --git a/examples/cc_lb/terraform.tfvars b/examples/cc_lb/terraform.tfvars index b747167..7d3efa0 100755 --- a/examples/cc_lb/terraform.tfvars +++ b/examples/cc_lb/terraform.tfvars @@ -122,7 +122,7 @@ ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other -## subnets via public_subnets, workload_subnets, and cc_subnets variables (Default: "10.1.0.0/16") +## subnets via cc_subnets and private_dns_subnet variables (Default: "10.1.0.0/16") ## Note: This variable only applies if you let Terraform create a new VNet. Custom deployment with byo_vnet enabled will ignore this @@ -138,10 +138,8 @@ ## Default/Minumum: 1 - Maximum: 3 ## Example: If you change network_address_space to "10.2.0.0/24", set below variables to cidrs that fit in that /24 like cc_subnets = ["10.2.0.0/27","10.2.0.32/27"] etc. -#public_subnets = ["10.x.y.z/24","10.x.y.z/24"] -#workloads_subnets = ["10.x.y.z/24","10.x.y.z/24"] #cc_subnets = ["10.x.y.z/24","10.x.y.z/24"] - +#private_dns_subnet = "10.x.y.z/28" ## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin") @@ -287,3 +285,25 @@ ## 35. Provide the existing Resource Group name of your Network Security Groups. Only uncomment and modify if you set byo_nsg to true #byo_nsg_rg = "existing-nsg-rg" + + +##################################################################################################################### +##### ZPA/Azure Private DNS specific variables ##### +##################################################################################################################### +## 36. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. +## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules, +## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax. +## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per +## domain_names entry. Ucomment domain_names variable and add any additional appsegXX mappings as needed. + +#domain_names = { +# appseg1 = "app1.com." +# appseg2 = "app2.com." +#} + + +## 37. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. +## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for +## ZPA DNS interception + +#target_address = ["185.46.212.88", "185.46.212.89"] diff --git a/examples/cc_lb/variables.tf b/examples/cc_lb/variables.tf index 69a52a5..ac8207c 100755 --- a/examples/cc_lb/variables.tf +++ b/examples/cc_lb/variables.tf @@ -46,6 +46,12 @@ variable "cc_subnets" { default = null } +variable "private_dns_subnet" { + type = string + description = "Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network_address_space variable." + default = null +} + variable "managed_identity_subscription_id" { type = string description = "Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env_subscription_id" @@ -208,6 +214,25 @@ variable "load_distribution" { } +# Azure Private DNS specific variables +variable "zpa_enabled" { + type = bool + description = "Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint ZPA DNS redirection" + default = true +} + +variable "domain_names" { + type = map(any) + description = "Domain names fqdn/wildcard to have Azure Private DNS redirect DNS requests to Cloud Connector" +} + +variable "target_address" { + type = list(string) + description = "Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses" + default = ["185.46.212.88", "185.46.212.89"] +} + + ################################################################################ # BYO (Bring-your-own) variables list ################################################################################ diff --git a/examples/zsec b/examples/zsec index 4a696cd..9c245bf 100755 --- a/examples/zsec +++ b/examples/zsec @@ -41,10 +41,10 @@ if [[ "$oper" == "up" ]]; then done while [ "$deploy" == "greenfield" ]; do - read -r -p "Deployment Type: ( base | base_1cc | base_cc_lb ) : " dtype + read -r -p "Deployment Type: ( base | base_1cc | base_1cc_zpa | base_cc_lb | base_cc_lb_zpa ) : " dtype case $dtype in - base|base_1cc|base_cc_lb|cc_lb) + base|base_1cc|base_1cc_zpa|base_cc_lb|base_cc_lb_zpa) echo "Deployment Type: ${dtype}" break ;; @@ -448,6 +448,70 @@ else echo "Azure region ${azure_location} does not support Zones. Proceeding..." fi +if [[ "$dtype" == "cc"* ]]; then + while true; do + read -r -p "Enable Azure Private DNS for ZPA? (yes/no): " zpa_response +case $zpa_response in + yes|y ) + echo "Enabling Azure Private DNS module..." + zpa_enabled=true + echo "export TF_VAR_zpa_enabled=$zpa_enabled" >> .zsecrc + break + ;; + no|n ) + echo "No ZPA enablement..." + zpa_enabled=false + echo "export TF_VAR_zpa_enabled=$zpa_enabled" >> .zsecrc + break + ;; + * ) echo "invalid response. Please enter yes or no";; + esac +done +fi + +if [[ "$zpa_enabled" == "true" || "$dtype" == *"zpa" ]]; then +array=() +domain_names_map="'{ " +counter=0 +while true; do +read -r -p "How many Domain/FQDN application segments to add to Private DNS Resolver Rules? " domain_number +if [[ $domain_number == 0 ]]; then + echo "Invalid input. Please enter a whole number for the number of domains you will be adding..." +elif [[ $domain_number =~ ^[0-9]+$ ]]; then + echo "$domain_number domains to enter..." + break +else + echo "Invalid input. Please enter a whole number for the number of domains you will be adding..." +fi +done +for i in $(seq $domain_number); do +read -r -p "Enter a single ZPA Domain/FQDN ending with a trailing dot ( e.g. azure.company.com. ): " domain_name + if [[ $domain_name = *" "* ]]; then + echo "Spaces not allowed. Please enter only one domain at a time. Delete .zsecrc file and re-run zsec up..." + exit 1 + elif [[ $domain_name == '' ]]; then + echo "Empty entries are not allowed. Delete .zsecrc file and re-run zsec up..." + exit 1 + elif [[ $domain_name == "." ]]; then + echo "You entered '.' dot. While Azure does support this to forward all domain requests, this could have unintended consequences/compatibility issues with Azure services" + elif [[ $domain_name == "."* ]]; then + echo "Invalid format. Domains cannot start with a dot (.). Delete .zsecrc file and re-run zsec up..." + exit 1 + elif [[ $domain_name == "*"* ]]; then + echo "Invalid format. Domains cannot start with a star/wildcard (*). Delete .zsecrc file and re-run zsec up..." + exit 1 + elif [[ $domain_name != *"." ]]; then + echo "Invalid format. Domains must end with a dot (.). Delete .zsecrc file and re-run zsec up..." + exit 1 + fi +array+=("$domain_name") + counter=$(( $counter + 1 )) + domain_names_map+="appseg$counter: \"$domain_name\", " +done +domain_names_map+="}'" +echo "export TF_VAR_domain_names=$domain_names_map" >> .zsecrc +fi + fi diff --git a/modules/terraform-zscc-network-azure/README.md b/modules/terraform-zscc-network-azure/README.md index 4f5218b..28a84f3 100644 --- a/modules/terraform-zscc-network-azure/README.md +++ b/modules/terraform-zscc-network-azure/README.md @@ -2,6 +2,30 @@ This module has multi-purpose use and is leveraged by all other Zscaler Cloud Connector child modules in some capacity. All network infrastructure resources pertaining to connectivity dependencies for a successful Cloud Connector deployment in a private subnet are referenced here. Full list of resources can be found below, but in general this module will handle all Resource Group, VNet, Subnets, NAT Gateways, Public IP, and Route Table creations to build out a resilient Azure network architecture. Most resources also have "conditional create" capabilities where, by default, they will all be created unless instructed not to with various "byo" and "enabled" variables. Use cases are documented in more detail in each description in variables.tf as well as the terraform.tfvars example file for all non-base deployment types (ie: cc_lb, etc.). +## Private DNS Resolver Network Restrictions + +
"1"
]
[| no | | [zones\_enabled](#input\_zones\_enabled) | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance | `bool` | `false` | no | +| [zpa\_enabled](#input\_zpa\_enabled) | Configure Private DNS Resolver Outbound Endpoint Subnet and route table for conditional forwarding to Cloud Connector if set to true | `bool` | `false` | no | ## Outputs @@ -83,7 +112,9 @@ No modules. |------|-------------| | [bastion\_subnet\_ids](#output\_bastion\_subnet\_ids) | Bastion Host Subnet ID | | [cc\_subnet\_ids](#output\_cc\_subnet\_ids) | Cloud Connector Subnet ID | +| [private\_dns\_subnet\_id](#output\_private\_dns\_subnet\_id) | Private DNS Outbound Endpoint Subnet ID | | [public\_ip\_address](#output\_public\_ip\_address) | Azure Public IP Address | | [resource\_group\_name](#output\_resource\_group\_name) | Azure Resource Group Name | +| [virtual\_network\_id](#output\_virtual\_network\_id) | Azure Virtual Network ID | | [workload\_subnet\_ids](#output\_workload\_subnet\_ids) | Workloads Subnet ID | diff --git a/modules/terraform-zscc-network-azure/main.tf b/modules/terraform-zscc-network-azure/main.tf index e3105a4..2b0bb94 100755 --- a/modules/terraform-zscc-network-azure/main.tf +++ b/modules/terraform-zscc-network-azure/main.tf @@ -16,7 +16,8 @@ resource "azurerm_resource_group" "rg" { } data "azurerm_resource_group" "rg_selected" { - name = var.byo_rg == false ? azurerm_resource_group.rg[0].name : var.byo_rg_name + count = var.byo_rg ? 1 : 0 + name = var.byo_rg_name } @@ -29,14 +30,15 @@ resource "azurerm_virtual_network" "vnet" { name = "${var.name_prefix}-vnet-${var.resource_tag}" address_space = [var.network_address_space] location = var.location - resource_group_name = data.azurerm_resource_group.rg_selected.name + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) tags = var.global_tags } data "azurerm_virtual_network" "vnet_selected" { - name = var.byo_vnet == false ? azurerm_virtual_network.vnet[0].name : var.byo_vnet_name - resource_group_name = var.byo_vnet == false ? azurerm_virtual_network.vnet[0].resource_group_name : var.byo_vnet_subnets_rg_name + count = var.byo_vnet ? 1 : 0 + name = var.byo_vnet_name + resource_group_name = var.byo_vnet_subnets_rg_name } @@ -48,7 +50,7 @@ resource "azurerm_public_ip" "pip" { count = var.byo_pips == false && var.base_only == false ? length(distinct(var.zones)) : 0 name = "${var.name_prefix}-public-ip-${count.index + 1}-${var.resource_tag}" location = var.location - resource_group_name = data.azurerm_resource_group.rg_selected.name + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) allocation_method = "Static" sku = "Standard" idle_timeout_in_minutes = 30 @@ -62,9 +64,9 @@ resource "azurerm_public_ip" "pip" { } data "azurerm_public_ip" "pip_selected" { - count = var.byo_pips == false ? length(azurerm_public_ip.pip[*].id) : length(var.byo_pip_names) - name = var.byo_pips == false ? azurerm_public_ip.pip[count.index].name : element(var.byo_pip_names, count.index) - resource_group_name = var.byo_pips == false ? data.azurerm_resource_group.rg_selected.name : var.byo_pip_rg + count = var.byo_pips ? length(var.byo_pip_names) : 0 + name = element(var.byo_pip_names, count.index) + resource_group_name = var.byo_pip_rg } @@ -73,7 +75,7 @@ resource "azurerm_nat_gateway" "ngw" { count = var.byo_nat_gws == false && var.base_only == false ? length(distinct(var.zones)) : 0 name = "${var.name_prefix}-ngw-${count.index + 1}-${var.resource_tag}" location = var.location - resource_group_name = data.azurerm_resource_group.rg_selected.name + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) idle_timeout_in_minutes = 10 zones = local.zones_supported ? [element(var.zones, count.index)] : null @@ -81,21 +83,20 @@ resource "azurerm_nat_gateway" "ngw" { } data "azurerm_nat_gateway" "ngw_selected" { - count = var.byo_nat_gws == false ? length(azurerm_nat_gateway.ngw[*].id) : length(var.byo_nat_gw_names) - name = var.byo_nat_gws == false ? azurerm_nat_gateway.ngw[count.index].name : element(var.byo_nat_gw_names, count.index) - resource_group_name = var.byo_nat_gws == false ? data.azurerm_resource_group.rg_selected.name : var.byo_nat_gw_rg + count = var.byo_nat_gws ? length(var.byo_nat_gw_names) : 0 + name = element(var.byo_nat_gw_names, count.index) + resource_group_name = var.byo_nat_gw_rg } # Associate Public IP to NAT Gateway -resource "azurerm_nat_gateway_public_ip_association" "ngw_association" { - count = var.existing_nat_gw_pip_association == false ? length(data.azurerm_nat_gateway.ngw_selected[*].id) : 0 - nat_gateway_id = data.azurerm_nat_gateway.ngw_selected[count.index].id - public_ip_address_id = data.azurerm_public_ip.pip_selected[count.index].id +locals { + ngw_associations_selected = var.byo_nat_gws ? data.azurerm_nat_gateway.ngw_selected[*].id : azurerm_nat_gateway.ngw[*].id +} - depends_on = [ - data.azurerm_public_ip.pip_selected, - data.azurerm_nat_gateway.ngw_selected - ] +resource "azurerm_nat_gateway_public_ip_association" "ngw_association" { + count = var.existing_nat_gw_pip_association ? 0 : length(local.ngw_associations_selected) + nat_gateway_id = try(data.azurerm_nat_gateway.ngw_selected[count.index].id, azurerm_nat_gateway.ngw[count.index].id) + public_ip_address_id = try(data.azurerm_public_ip.pip_selected[count.index].id, azurerm_public_ip.pip[count.index].id) } @@ -106,8 +107,8 @@ resource "azurerm_nat_gateway_public_ip_association" "ngw_association" { resource "azurerm_subnet" "cc_subnet" { count = var.byo_subnets == false && var.base_only == false ? length(distinct(var.zones)) : 0 name = "${var.name_prefix}-cc-subnet-${count.index + 1}-${var.resource_tag}" - resource_group_name = var.byo_vnet == false ? data.azurerm_virtual_network.vnet_selected.resource_group_name : var.byo_vnet_subnets_rg_name - virtual_network_name = var.byo_vnet == false ? data.azurerm_virtual_network.vnet_selected.name : var.byo_vnet_name + resource_group_name = var.byo_vnet == false ? try(data.azurerm_virtual_network.vnet_selected[0].resource_group_name, azurerm_virtual_network.vnet[0].resource_group_name) : var.byo_vnet_subnets_rg_name + virtual_network_name = var.byo_vnet == false ? try(data.azurerm_virtual_network.vnet_selected[0].name, azurerm_virtual_network.vnet[0].name) : var.byo_vnet_name address_prefixes = var.cc_subnets != null ? [element(var.cc_subnets, count.index)] : [cidrsubnet(var.network_address_space, 8, count.index + 200)] } @@ -115,19 +116,18 @@ resource "azurerm_subnet" "cc_subnet" { data "azurerm_subnet" "cc_subnet_selected" { count = var.byo_subnets == false ? length(azurerm_subnet.cc_subnet[*].id) : length(var.byo_subnet_names) name = var.byo_subnets == false ? azurerm_subnet.cc_subnet[count.index].name : element(var.byo_subnet_names, count.index) - resource_group_name = var.byo_vnet == false ? data.azurerm_virtual_network.vnet_selected.resource_group_name : var.byo_vnet_subnets_rg_name - virtual_network_name = var.byo_vnet == false ? data.azurerm_virtual_network.vnet_selected.name : var.byo_vnet_name + resource_group_name = var.byo_vnet == false ? try(data.azurerm_virtual_network.vnet_selected[0].resource_group_name, azurerm_virtual_network.vnet[0].resource_group_name) : var.byo_vnet_subnets_rg_name + virtual_network_name = var.byo_vnet == false ? try(data.azurerm_virtual_network.vnet_selected[0].name, azurerm_virtual_network.vnet[0].name) : var.byo_vnet_name } # Associate Cloud Connector Subnet to NAT Gateway resource "azurerm_subnet_nat_gateway_association" "cc_subnet_nat_association" { count = var.existing_nat_gw_subnet_association == false ? length(data.azurerm_subnet.cc_subnet_selected[*].id) : 0 subnet_id = data.azurerm_subnet.cc_subnet_selected[count.index].id - nat_gateway_id = data.azurerm_nat_gateway.ngw_selected[count.index].id + nat_gateway_id = try(data.azurerm_nat_gateway.ngw_selected[count.index].id, azurerm_nat_gateway.ngw[count.index].id) depends_on = [ data.azurerm_subnet.cc_subnet_selected, - data.azurerm_nat_gateway.ngw_selected ] } @@ -139,8 +139,8 @@ resource "azurerm_subnet_nat_gateway_association" "cc_subnet_nat_association" { resource "azurerm_subnet" "workload_subnet" { count = var.workloads_enabled == true ? 1 : 0 name = "${var.name_prefix}-workload-subnet-${var.resource_tag}" - resource_group_name = data.azurerm_resource_group.rg_selected.name - virtual_network_name = data.azurerm_virtual_network.vnet_selected.name + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) + virtual_network_name = try(data.azurerm_virtual_network.vnet_selected[0].name, azurerm_virtual_network.vnet[0].name) address_prefixes = var.workloads_subnets != null ? [element(var.workloads_subnets, count.index)] : [cidrsubnet(var.network_address_space, 8, count.index + 1)] } @@ -149,7 +149,7 @@ resource "azurerm_route_table" "workload_rt" { count = var.workloads_enabled == true ? 1 : 0 name = "${var.name_prefix}-workload-rt-${var.resource_tag}" location = var.location - resource_group_name = data.azurerm_resource_group.rg_selected.name + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) disable_bgp_route_propagation = true @@ -176,7 +176,52 @@ resource "azurerm_subnet_route_table_association" "workload_rt_association" { resource "azurerm_subnet" "bastion_subnet" { count = var.bastion_enabled == true ? 1 : 0 name = "${var.name_prefix}-bastion-subnet-${var.resource_tag}" - resource_group_name = data.azurerm_resource_group.rg_selected.name - virtual_network_name = data.azurerm_virtual_network.vnet_selected.name + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) + virtual_network_name = try(data.azurerm_virtual_network.vnet_selected[0].name, azurerm_virtual_network.vnet[0].name) address_prefixes = var.public_subnets != null ? [element(var.public_subnets, count.index)] : [cidrsubnet(var.network_address_space, 8, 101)] } + + +################################################################################ +# Outbound Private DNS Subnet and Route Table +################################################################################ +# Create private subnet for outbound private DNS and delegate to dnsResolvers service +resource "azurerm_subnet" "private_dns_subnet" { + count = var.zpa_enabled ? 1 : 0 + name = "${var.name_prefix}-outbound-dns-subnet-${var.resource_tag}" + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) + virtual_network_name = try(data.azurerm_virtual_network.vnet_selected[0].name, azurerm_virtual_network.vnet[0].name) + address_prefixes = var.private_dns_subnet != null ? [var.private_dns_subnet] : [cidrsubnet(var.network_address_space, 12, 2480)] + + delegation { + name = "Microsoft.Network.dnsResolvers" + service_delegation { + actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"] + name = "Microsoft.Network/dnsResolvers" + } + } +} + +# Create Outbound DNS Route Table to send to Cloud Connector +resource "azurerm_route_table" "private_dns_rt" { + count = var.zpa_enabled ? 1 : 0 + name = "${var.name_prefix}-outbound-dns-rt-${var.resource_tag}" + location = var.location + resource_group_name = try(data.azurerm_resource_group.rg_selected[0].name, azurerm_resource_group.rg[0].name) + + disable_bgp_route_propagation = true + + route { + name = "default-route" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = var.lb_enabled == true ? var.lb_frontend_ip : element(var.cc_service_ip, count.index) + } +} + +# Associate Route Table with Outbound DNS Subnet +resource "azurerm_subnet_route_table_association" "private_dns_rt_association" { + count = length(azurerm_route_table.private_dns_rt[*].id) + subnet_id = azurerm_subnet.private_dns_subnet[count.index].id + route_table_id = azurerm_route_table.private_dns_rt[count.index].id +} diff --git a/modules/terraform-zscc-network-azure/outputs.tf b/modules/terraform-zscc-network-azure/outputs.tf index 6f309e7..59d7cde 100755 --- a/modules/terraform-zscc-network-azure/outputs.tf +++ b/modules/terraform-zscc-network-azure/outputs.tf @@ -1,6 +1,6 @@ output "resource_group_name" { description = "Azure Resource Group Name" - value = data.azurerm_resource_group.rg_selected.name + value = var.byo_rg ? data.azurerm_resource_group.rg_selected[0].name : azurerm_resource_group.rg[0].name } output "cc_subnet_ids" { @@ -10,7 +10,7 @@ output "cc_subnet_ids" { output "public_ip_address" { description = "Azure Public IP Address" - value = data.azurerm_public_ip.pip_selected[*].ip_address + value = var.byo_pips ? data.azurerm_public_ip.pip_selected[*].ip_address : azurerm_public_ip.pip[*].ip_address } output "bastion_subnet_ids" { @@ -22,3 +22,13 @@ output "workload_subnet_ids" { description = "Workloads Subnet ID" value = azurerm_subnet.workload_subnet[*].id } + +output "virtual_network_id" { + description = "Azure Virtual Network ID" + value = var.byo_vnet ? data.azurerm_virtual_network.vnet_selected[0].id : azurerm_virtual_network.vnet[0].id +} + +output "private_dns_subnet_id" { + description = "Private DNS Outbound Endpoint Subnet ID" + value = var.zpa_enabled ? azurerm_subnet.private_dns_subnet[0].id : "" +} diff --git a/modules/terraform-zscc-network-azure/variables.tf b/modules/terraform-zscc-network-azure/variables.tf index 7f97866..48e2f37 100755 --- a/modules/terraform-zscc-network-azure/variables.tf +++ b/modules/terraform-zscc-network-azure/variables.tf @@ -45,6 +45,12 @@ variable "public_subnets" { default = null } +variable "private_dns_subnet" { + type = string + description = "Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network_address_space variable." + default = null +} + # Validation to determine if Azure Region selected supports availabilty zones if desired locals { az_supported_regions = ["australiaeast", "Australia East", "brazilsouth", "Brazil South", "canadacentral", "Canada Central", "centralindia", "Central India", "centralus", "Central US", "eastasia", "East Asia", "eastus", "East US", "francecentral", "France Central", "germanywestcentral", "Germany West Central", "japaneast", "Japan East", "koreacentral", "Korea Central", "northeurope", "North Europe", "norwayeast", "Norway East", "southafricanorth", "South Africa North", "southcentralus", "South Central US", "southeastasia", "Southeast Asia", "swedencentral", "Sweden Central", "uksouth", "UK South", "westeurope", "West Europe", "westus2", "West US 2", "westus3", "West US 3"] @@ -107,6 +113,12 @@ variable "cc_service_ip" { default = [""] } +variable "zpa_enabled" { + type = bool + default = false + description = "Configure Private DNS Resolver Outbound Endpoint Subnet and route table for conditional forwarding to Cloud Connector if set to true" +} + # BYO (Bring-your-own) variables list variable "byo_rg" { diff --git a/modules/terraform-zscc-private-dns-azure/README.md b/modules/terraform-zscc-private-dns-azure/README.md new file mode 100755 index 0000000..792353a --- /dev/null +++ b/modules/terraform-zscc-private-dns-azure/README.md @@ -0,0 +1,104 @@ +# Zscaler Cloud Connector / Azure DNS Private Resolver Module + +This module creates the required resource dependencies to deploy Azure Private DNS that can be utilized to facilitate conditional DNS forwarding from Azure to Zscaler Cloud Connector for ZPA resolution and/or ZIA DNS Controls security. Resources included: Private DNS Resolver, Ruleset, Forwarding Rules, and Outbound Endpoint resources. For more information about Azure DNS Private Resolver, check here: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview + +See: [Private Resolver Architecture](https://learn.microsoft.com/en-us/azure/dns/private-resolver-architecture) for additional information discussing two architectural design options that are available to resolve DNS names, including private DNS zones across your Azure network using an Azure DNS Private Resolver. +See: [Private Resolver Resiliency/Reliability](https://learn.microsoft.com/en-us/azure/dns/private-resolver-reliability) for additional information describing reliability support in Azure DNS Private Resolver. + + + +## Considerations + +If deploying via one of the Zscaler provider example templates, there is a creation dependency with the terraform-zscc-network-azure module where Terraform will create a new subnet delegated for the dnsResolvers service in the same VNet as the Cloud Connector(s). This subnet is where the Outbound Endpoint gets created. Terraform will also create a new Route Table associated with this subnet pointing a default route (0.0.0.0/0) towards the Cloud Connector service IP or Load Balancer Front-End IP for HA deployments to ensure that conditionally forwarded request get redirected to the Cloud Connector. + +This module can create multiple Resolver Rules and links associated with only a single VNet. This follows Azure Well-Architected Framework and Hub-Spoke design model where spokes have access/connectivity directly to the Hub Virtual Network. + +Rule domain names must be dot-terminated and have either zero labels (for wildcard) or between 2 and 34 labels). For example, contoso.com. has two labels. + +## Azure Limitations + +https://learn.microsoft.com/en-us/azure/dns/dns-faq#what-are-the-usage-limits-for-azure-dns-:~:text=limits%20are%20dropped.-,DNS%20private%20resolver,-Resource + +Rulesets have the following associations: + +- A single ruleset can be associated with multiple outbound endpoints. +- A ruleset can have up to 25 DNS forwarding rules. +- A ruleset can be linked to up to 10 virtual networks in the same region + +## Private DNS Resolver Network Restrictions + +
"1"
]
[| no | +| [vnet\_id](#input\_vnet\_id) | The ID of the Virtual Network that is linked to the Private DNS Resolver | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [private\_dns\_forwarding\_ruleset\_id](#output\_private\_dns\_forwarding\_ruleset\_id) | The ID of the Private DNS Resolver Dns Forwarding Ruleset. Use this if you want to link other Virtual Networks to this Ruleset | +| [private\_dns\_forwarding\_ruleset\_name](#output\_private\_dns\_forwarding\_ruleset\_name) | The name of the Private DNS Resolver Dns Forwarding Ruleset. Use this if you want to link other Virtual Networks to this Ruleset | +| [private\_dns\_outbound\_endpoint\_id](#output\_private\_dns\_outbound\_endpoint\_id) | The ID of the Private DNS Resolver Outbound Endpoint | +| [private\_dns\_outbound\_endpoint\_name](#output\_private\_dns\_outbound\_endpoint\_name) | The name of the Private DNS Resolver Outbound Endpoint | +| [private\_dns\_resolver\_id](#output\_private\_dns\_resolver\_id) | The ID of the Private DNS Resolver | +| [private\_dns\_resolver\_name](#output\_private\_dns\_resolver\_name) | The name of the Private DNS Resolver | + diff --git a/modules/terraform-zscc-private-dns-azure/main.tf b/modules/terraform-zscc-private-dns-azure/main.tf new file mode 100755 index 0000000..d7edc5d --- /dev/null +++ b/modules/terraform-zscc-private-dns-azure/main.tf @@ -0,0 +1,58 @@ +################################################################################ +# Create Azure Private DNS Resolver +################################################################################ +resource "azurerm_private_dns_resolver" "dns_resolver" { + name = "${var.name_prefix}-${var.location}-dns-resolver-${var.resource_tag}" + resource_group_name = var.resource_group + location = var.location + virtual_network_id = var.vnet_id + + tags = var.global_tags +} + + +################################################################################ +# Create Azure Private DNS Resolver Outbound Endpoint +################################################################################ +resource "azurerm_private_dns_resolver_outbound_endpoint" "dns_outbound_endpoint" { + name = "${var.name_prefix}-outbound-endpoint-${var.resource_tag}" + private_dns_resolver_id = azurerm_private_dns_resolver.dns_resolver.id + location = var.location + subnet_id = var.private_dns_subnet_id + + tags = var.global_tags +} + + +################################################################################ +# Create Azure Private DNS Resolver Forwarding Ruleset +################################################################################ +resource "azurerm_private_dns_resolver_dns_forwarding_ruleset" "dns_forwarding_ruleset" { + name = "${var.name_prefix}-fwd-ruleset-${var.resource_tag}" + resource_group_name = var.resource_group + location = var.location + private_dns_resolver_outbound_endpoint_ids = [azurerm_private_dns_resolver_outbound_endpoint.dns_outbound_endpoint.id] + + tags = var.global_tags +} + + +################################################################################ +# Create Azure Private DNS Resolver Forwarding Rules +################################################################################ +resource "azurerm_private_dns_resolver_forwarding_rule" "dns_forwarding_rule" { + for_each = var.domain_names + name = "${var.name_prefix}-fwd-rule-${each.key}-${var.resource_tag}" + dns_forwarding_ruleset_id = azurerm_private_dns_resolver_dns_forwarding_ruleset.dns_forwarding_ruleset.id + domain_name = each.value + enabled = true + + dynamic "target_dns_servers" { + for_each = var.target_address + + content { + ip_address = target_dns_servers.value + port = 53 + } + } +} diff --git a/modules/terraform-zscc-private-dns-azure/outputs.tf b/modules/terraform-zscc-private-dns-azure/outputs.tf new file mode 100755 index 0000000..1f8afcd --- /dev/null +++ b/modules/terraform-zscc-private-dns-azure/outputs.tf @@ -0,0 +1,29 @@ +output "private_dns_resolver_id" { + description = "The ID of the Private DNS Resolver" + value = azurerm_private_dns_resolver.dns_resolver.id +} + +output "private_dns_resolver_name" { + description = "The name of the Private DNS Resolver" + value = azurerm_private_dns_resolver.dns_resolver.name +} + +output "private_dns_outbound_endpoint_id" { + description = "The ID of the Private DNS Resolver Outbound Endpoint" + value = azurerm_private_dns_resolver_outbound_endpoint.dns_outbound_endpoint.id +} + +output "private_dns_outbound_endpoint_name" { + description = "The name of the Private DNS Resolver Outbound Endpoint" + value = azurerm_private_dns_resolver_outbound_endpoint.dns_outbound_endpoint.name +} + +output "private_dns_forwarding_ruleset_id" { + description = "The ID of the Private DNS Resolver Dns Forwarding Ruleset. Use this if you want to link other Virtual Networks to this Ruleset" + value = azurerm_private_dns_resolver_dns_forwarding_ruleset.dns_forwarding_ruleset.id +} + +output "private_dns_forwarding_ruleset_name" { + description = "The name of the Private DNS Resolver Dns Forwarding Ruleset. Use this if you want to link other Virtual Networks to this Ruleset" + value = azurerm_private_dns_resolver_dns_forwarding_ruleset.dns_forwarding_ruleset.name +} diff --git a/modules/terraform-zscc-private-dns-azure/variables.tf b/modules/terraform-zscc-private-dns-azure/variables.tf new file mode 100755 index 0000000..ae43f29 --- /dev/null +++ b/modules/terraform-zscc-private-dns-azure/variables.tf @@ -0,0 +1,48 @@ +variable "name_prefix" { + type = string + description = "A prefix to associate to all the Private DNS module resources" + default = null +} + +variable "resource_tag" { + type = string + description = "A tag to associate to all the Private DNS module resources" + default = null +} + +variable "global_tags" { + type = map(string) + description = "Populate any custom user defined tags from a map" + default = {} +} + +variable "resource_group" { + type = string + description = "Specifies the name of the Resource Group where the Private DNS Resolver should exist" +} + +variable "location" { + type = string + description = "Specifies the Azure Region where the Private DNS Resolver should exist" +} + +variable "vnet_id" { + type = string + description = "The ID of the Virtual Network that is linked to the Private DNS Resolver" +} + +variable "private_dns_subnet_id" { + type = string + description = "The ID of the Subnet that is linked to the Private DNS Resolver Outbound Endpoint" +} + +variable "target_address" { + type = list(string) + description = "Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses" + default = ["185.46.212.88", "185.46.212.89"] +} + +variable "domain_names" { + type = map(any) + description = "Domain names fqdn/wildcard to have Azure Private DNS redirect DNS requests to Cloud Connector" +} diff --git a/modules/terraform-zscc-private-dns-azure/versions.tf b/modules/terraform-zscc-private-dns-azure/versions.tf new file mode 100755 index 0000000..0dc1d32 --- /dev/null +++ b/modules/terraform-zscc-private-dns-azure/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.46.0" + } + } + required_version = ">= 0.13.7, < 2.0.0" +} From 757c47c2ae9d44e2600e45cdb2a382b5e1ee234c Mon Sep 17 00:00:00 2001 From: nmizhquirizs <127783638+nmizhquirizs@users.noreply.github.com> Date: Thu, 10 Aug 2023 15:28:22 -0400 Subject: [PATCH 02/10] Bug 142643 (#18) * - Modified terraform modules to support encryption_at_host - Modified examples/* to support encryption_at_host - Modified zsec script to support encryption_at_host and also verify if subscription is present in customer(s) account - Updated README.md to reflect instructions on how to enable Azure feature * Formatted code w/ New Line in the end. * refactor: rename host encryption variable and default to true * - Changing default value of encryptin to be true - Removing prompt for Yes and Alowing Enter Only if Yes. Otherwise, No will be required - Re-Opening for PR to be targetted to dev --------- Co-authored-by: Jameson Molnar
"185.46.212.88",
"185.46.212.89"
]
These can all be installed via your distribution app installer. ie: sudo apt install bash curl unzip
+ ### **Zscaler requirements** -1. A valid Zscaler Cloud Connector provisioning URL generated. This is done via the Cloud Connector portal (E.g. connector..net/login) -2. Zscaler Cloud Connector Credentials (api key, username, password) are stored in Azure Key Vault from step 5. +8. A valid Zscaler Cloud Connector provisioning URL generated. This is done via the Cloud Connector portal (E.g. connector..net/login) +9. Zscaler Cloud Connector Credentials (api key, username, password) are stored in Azure Key Vault from step 5. ## **Greenfield Deployments** diff --git a/examples/base/outputs.tf b/examples/base/outputs.tf index 09878cf..d88cad2 100755 --- a/examples/base/outputs.tf +++ b/examples/base/outputs.tf @@ -1,6 +1,20 @@ locals { testbedconfig = <These can all be installed via your distribution app installer. ie: sudo apt install bash curl unzip
+ +### **Zscaler requirements** + +8. A valid Zscaler Cloud Connector provisioning URL generated. This is done via the Cloud Connector portal (E.g. connector..net/login) +9. Zscaler Cloud Connector Credentials (api key, username, password) are stored in Azure Key Vault from step 5. See: [Zscaler Cloud Cloud Connector Azure Deployment Guide](https://help.zscaler.com/cloud-connector/deploying-cloud-connector-microsoft-azure) for additional prerequisite provisioning steps. +### *Host Disk Encryption* +To enable host encryption. You **must** subscribe to the feature on your azure account. Official Microsoft Documentation on how to enable this feature can be found [here](https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites) + ## Deploying the cluster (The automated tool can run only from MacOS and Linux. You can also upload all repo contents to the respective public cloud provider Cloud Shells and run directly from there). -**1. Greenfield Deployments** +**1. Test/Greenfield Deployments** (Use this if you are building an entire cluster from ground up. Particularly useful for a Customer Demo/PoC or dev-test environment) @@ -50,7 +56,7 @@ Optional: Edit the terraform.tfvars file under your desired deployment type (ie: - verify all resources that will be created/modified and enter "yes" to confirm ``` -**Greenfield Deployment Types:** +**Test/Greenfield Deployment Types:** ``` Deployment Type: (base | base_1cc | base_1cc_zpa | base_cc_lb | base_cc_lb_zpa): @@ -66,7 +72,7 @@ Deployment Type: (base | base_1cc | base_1cc_zpa | base_cc_lb | base_cc_lb_zpa): ``` -**2. Brownfield Deployments** +**2. Prod/Brownfield Deployments** (These templates would be most applicable for production deployments and have more customization options than a "base" deployments) @@ -83,7 +89,7 @@ Optional: Edit the terraform.tfvars file under your desired deployment type (ie: - verify all resources that will be created/modified and enter "yes" to confirm ``` -**Brownfield Deployment Types** +**Prod/Brownfield Deployment Types** ``` Deployment Type: (cc_lb): diff --git a/examples/zsec b/examples/zsec index b8ba32e..7e7b81b 100755 --- a/examples/zsec +++ b/examples/zsec @@ -29,6 +29,9 @@ if [[ "$oper" == "up" ]]; then case $deploy in greenfield) + echo "" + echo "**Caution** These deployments include test workloads and publicly accessible jump hosts and are intended primarily for lab/test environments" + echo "" break ;; brownfield) From 0d894f156c2cb8f2207a07d32cc91601dadceadd Mon Sep 17 00:00:00 2001 From: jmolnar-zscaler <106208217+jmolnar-zscaler@users.noreply.github.com> Date: Thu, 10 Aug 2023 22:17:56 -0400 Subject: [PATCH 07/10] fix: Azure LB health probe attributes (#15) * fix: Azure LB health probe attributes * chore: tflint --- CHANGELOG.md | 2 +- examples/base_cc_lb/README.md | 3 +++ examples/base_cc_lb/main.tf | 25 +++++++++++--------- examples/base_cc_lb/variables.tf | 24 +++++++++++++++++++ examples/base_cc_lb_zpa/README.md | 3 +++ examples/base_cc_lb_zpa/main.tf | 25 +++++++++++--------- examples/base_cc_lb_zpa/variables.tf | 25 ++++++++++++++++++++ examples/cc_lb/README.md | 3 +++ examples/cc_lb/main.tf | 25 +++++++++++--------- examples/cc_lb/variables.tf | 24 +++++++++++++++++++ modules/terraform-zscc-lb-azure/README.md | 3 +++ modules/terraform-zscc-lb-azure/main.tf | 13 ++++++---- modules/terraform-zscc-lb-azure/variables.tf | 24 +++++++++++++++++++ 13 files changed, 160 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5996b4..cbd95ae 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,3 @@ - ## TBD (Unreleased) * Add encryption_at_host_enabled variable and default to true * Azure Private DNS module (terraform-zscc-private-dns-azure) @@ -7,6 +6,7 @@ * zsec additions for new deployment options + domains adding to Private DNS Resolver Rule creation * workload VM for greenfield deployments dns_servers set to Azure DNS default * terraform-zscc-network-azure refactoring to remove data source read dependencies +* probe_threshold variable added for [Azure LB health probe fixes](https://learn.microsoft.com/en-us/azure/load-balancer/whats-new#known-issues:~:text=February%202020-,Known%20issues,-The%20product%20group) * Add AZURE_MANAGED_IDENTITY_CLIENT_ID field to userdata generation ## v0.2.0 (March 7, 2023) diff --git a/examples/base_cc_lb/README.md b/examples/base_cc_lb/README.md index 084fc01..4e15e2c 100644 --- a/examples/base_cc_lb/README.md +++ b/examples/base_cc_lb/README.md @@ -102,13 +102,16 @@ From base_cc_lb directory execute: | [encryption\_at\_host\_enabled](#input\_encryption\_at\_host\_enabled) | User input for enabling or disabling host encryption | `bool` | `true` | no | | [env\_subscription\_id](#input\_env\_subscription\_id) | Azure Subscription ID where resources are to be deployed in | `string` | n/a | yes | | [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no | +| [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [lb\_enabled](#input\_lb\_enabled) | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb\_frontend\_ip. If false, default route next hop directly to the CC Service IP passed from var.cc\_service\_ip | `bool` | `true` | no | | [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | +| [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | +| [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | diff --git a/examples/base_cc_lb/main.tf b/examples/base_cc_lb/main.tf index 6e178f3..bd3dbad 100755 --- a/examples/base_cc_lb/main.tf +++ b/examples/base_cc_lb/main.tf @@ -196,17 +196,20 @@ module "cc_identity" { ################################################################################ # Azure Load Balancer Module variables module "cc_lb" { - source = "../../modules/terraform-zscc-lb-azure" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - resource_group = module.network.resource_group_name - location = var.arm_location - subnet_id = module.network.cc_subnet_ids[0] - http_probe_port = var.http_probe_port - load_distribution = var.load_distribution - zones_enabled = var.zones_enabled - zones = var.zones + source = "../../modules/terraform-zscc-lb-azure" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + location = var.arm_location + subnet_id = module.network.cc_subnet_ids[0] + http_probe_port = var.http_probe_port + load_distribution = var.load_distribution + zones_enabled = var.zones_enabled + zones = var.zones + health_check_interval = var.health_check_interval + probe_threshold = var.probe_threshold + number_of_probes = var.number_of_probes } diff --git a/examples/base_cc_lb/variables.tf b/examples/base_cc_lb/variables.tf index eadf493..62e5577 100755 --- a/examples/base_cc_lb/variables.tf +++ b/examples/base_cc_lb/variables.tf @@ -241,6 +241,30 @@ variable "lb_enabled" { default = true } +variable "health_check_interval" { + type = number + description = "The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5" + default = 15 + validation { + condition = ( + var.health_check_interval > 4 + ) + error_message = "Input health_check_interval must be a number 5 or greater." + } +} + +variable "probe_threshold" { + type = number + description = "The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation." + default = 2 +} + +variable "number_of_probes" { + type = number + description = "The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure" + default = 1 +} + variable "encryption_at_host_enabled" { type = bool description = "User input for enabling or disabling host encryption" diff --git a/examples/base_cc_lb_zpa/README.md b/examples/base_cc_lb_zpa/README.md index caa6914..10dcbb3 100644 --- a/examples/base_cc_lb_zpa/README.md +++ b/examples/base_cc_lb_zpa/README.md @@ -106,14 +106,17 @@ From base_cc_lb_zpa directory execute: | [encryption\_at\_host\_enabled](#input\_encryption\_at\_host\_enabled) | User input for enabling or disabling host encryption | `bool` | `true` | no | | [env\_subscription\_id](#input\_env\_subscription\_id) | Azure Subscription ID where resources are to be deployed in | `string` | n/a | yes | | [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no | +| [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [lb\_enabled](#input\_lb\_enabled) | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb\_frontend\_ip. If false, default route next hop directly to the CC Service IP passed from var.cc\_service\_ip | `bool` | `true` | no | | [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | +| [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | | [private\_dns\_subnet](#input\_private\_dns\_subnet) | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network\_address\_space variable. | `string` | `null` | no | +| [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | | [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` |[| no | diff --git a/examples/base_cc_lb_zpa/main.tf b/examples/base_cc_lb_zpa/main.tf index 25d1178..0789327 100755 --- a/examples/base_cc_lb_zpa/main.tf +++ b/examples/base_cc_lb_zpa/main.tf @@ -198,17 +198,20 @@ module "cc_identity" { ################################################################################ # Azure Load Balancer Module variables module "cc_lb" { - source = "../../modules/terraform-zscc-lb-azure" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - resource_group = module.network.resource_group_name - location = var.arm_location - subnet_id = module.network.cc_subnet_ids[0] - http_probe_port = var.http_probe_port - load_distribution = var.load_distribution - zones_enabled = var.zones_enabled - zones = var.zones + source = "../../modules/terraform-zscc-lb-azure" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + location = var.arm_location + subnet_id = module.network.cc_subnet_ids[0] + http_probe_port = var.http_probe_port + load_distribution = var.load_distribution + zones_enabled = var.zones_enabled + zones = var.zones + health_check_interval = var.health_check_interval + probe_threshold = var.probe_threshold + number_of_probes = var.number_of_probes } diff --git a/examples/base_cc_lb_zpa/variables.tf b/examples/base_cc_lb_zpa/variables.tf index 52f5608..29aa6d3 100755 --- a/examples/base_cc_lb_zpa/variables.tf +++ b/examples/base_cc_lb_zpa/variables.tf @@ -247,12 +247,37 @@ variable "lb_enabled" { default = true } +variable "health_check_interval" { + type = number + description = "The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5" + default = 15 + validation { + condition = ( + var.health_check_interval > 4 + ) + error_message = "Input health_check_interval must be a number 5 or greater." + } +} + +variable "probe_threshold" { + type = number + description = "The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation." + default = 2 +} + +variable "number_of_probes" { + type = number + description = "The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure" + default = 1 +} + variable "encryption_at_host_enabled" { type = bool description = "User input for enabling or disabling host encryption" default = true } + # Azure Private DNS specific variables variable "zpa_enabled" { type = bool diff --git a/examples/cc_lb/README.md b/examples/cc_lb/README.md index 499d026..3be7751 100644 --- a/examples/cc_lb/README.md +++ b/examples/cc_lb/README.md @@ -123,13 +123,16 @@ From cc_lb directory execute: | [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no | | [existing\_nat\_gw\_pip\_association](#input\_existing\_nat\_gw\_pip\_association) | Set this to true only if both byo\_pips and byo\_nat\_gws variables are true. This implies that there are already NAT Gateway resources with Public IP Addresses associated so we do not attempt any new associations | `bool` | `false` | no | | [existing\_nat\_gw\_subnet\_association](#input\_existing\_nat\_gw\_subnet\_association) | Set this to true only if both byo\_nat\_gws and byo\_subnets variables are true. this implies that there are already NAT Gateway resources associated to subnets where Cloud Connectors are being deployed to | `bool` | `false` | no | +| [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNET CIDR / address prefix | `string` | `"10.1.0.0/16"` | no | +| [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | | [private\_dns\_subnet](#input\_private\_dns\_subnet) | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network\_address\_space variable. | `string` | `null` | no | +| [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | | [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` |
"185.46.212.88",
"185.46.212.89"
]
[| no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | diff --git a/examples/cc_lb/main.tf b/examples/cc_lb/main.tf index 5d21753..9aaf427 100755 --- a/examples/cc_lb/main.tf +++ b/examples/cc_lb/main.tf @@ -181,17 +181,20 @@ module "cc_identity" { # Health Probes ################################################################################ module "cc_lb" { - source = "../../modules/terraform-zscc-lb-azure" - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - global_tags = local.global_tags - resource_group = module.network.resource_group_name - location = var.arm_location - subnet_id = module.network.cc_subnet_ids[0] - http_probe_port = var.http_probe_port - load_distribution = var.load_distribution - zones_enabled = var.zones_enabled - zones = var.zones + source = "../../modules/terraform-zscc-lb-azure" + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + global_tags = local.global_tags + resource_group = module.network.resource_group_name + location = var.arm_location + subnet_id = module.network.cc_subnet_ids[0] + http_probe_port = var.http_probe_port + load_distribution = var.load_distribution + zones_enabled = var.zones_enabled + zones = var.zones + health_check_interval = var.health_check_interval + probe_threshold = var.probe_threshold + number_of_probes = var.number_of_probes } diff --git a/examples/cc_lb/variables.tf b/examples/cc_lb/variables.tf index 9f4fa32..31864f6 100755 --- a/examples/cc_lb/variables.tf +++ b/examples/cc_lb/variables.tf @@ -213,6 +213,30 @@ variable "load_distribution" { } } +variable "health_check_interval" { + type = number + description = "The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5" + default = 15 + validation { + condition = ( + var.health_check_interval > 4 + ) + error_message = "Input health_check_interval must be a number 5 or greater." + } +} + +variable "probe_threshold" { + type = number + description = "The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation." + default = 2 +} + +variable "number_of_probes" { + type = number + description = "The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure" + default = 1 +} + variable "encryption_at_host_enabled" { type = bool description = "User input for enabling or disabling host encryption" diff --git a/modules/terraform-zscc-lb-azure/README.md b/modules/terraform-zscc-lb-azure/README.md index 7c3e363..a48da8f 100644 --- a/modules/terraform-zscc-lb-azure/README.md +++ b/modules/terraform-zscc-lb-azure/README.md @@ -34,10 +34,13 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | +| [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | | [location](#input\_location) | Cloud Connector Azure Region | `string` | n/a | yes | | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the lb module resources | `string` | `null` | no | +| [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | +| [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [resource\_group](#input\_resource\_group) | Main Resource Group Name | `string` | n/a | yes | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the lb module resources | `string` | `null` | no | | [subnet\_id](#input\_subnet\_id) | Subnet ID for LB Frontend IP placement | `string` | n/a | yes | diff --git a/modules/terraform-zscc-lb-azure/main.tf b/modules/terraform-zscc-lb-azure/main.tf index 870ee25..146b9c8 100755 --- a/modules/terraform-zscc-lb-azure/main.tf +++ b/modules/terraform-zscc-lb-azure/main.tf @@ -44,11 +44,14 @@ resource "azurerm_lb_backend_address_pool" "cc_lb_backend_pool" { # Define load balancer health probe parameters ################################################################################ resource "azurerm_lb_probe" "cc_lb_probe" { - name = "${var.name_prefix}-cc-lb-probe-${var.resource_tag}" - loadbalancer_id = azurerm_lb.cc_lb.id - protocol = "Http" - port = var.http_probe_port - request_path = "/?cchealth" + name = "${var.name_prefix}-cc-lb-probe-${var.resource_tag}" + loadbalancer_id = azurerm_lb.cc_lb.id + protocol = "Http" + port = var.http_probe_port + request_path = "/?cchealth" + interval_in_seconds = var.health_check_interval + probe_threshold = var.probe_threshold + number_of_probes = var.number_of_probes } diff --git a/modules/terraform-zscc-lb-azure/variables.tf b/modules/terraform-zscc-lb-azure/variables.tf index e84026a..c515c2d 100755 --- a/modules/terraform-zscc-lb-azure/variables.tf +++ b/modules/terraform-zscc-lb-azure/variables.tf @@ -84,3 +84,27 @@ variable "zones" { error_message = "Input zones variable must be a number 1-3." } } + +variable "health_check_interval" { + type = number + description = "The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5" + default = 15 + validation { + condition = ( + var.health_check_interval > 4 + ) + error_message = "Input health_check_interval must be a number 5 or greater." + } +} + +variable "probe_threshold" { + type = number + description = "The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation." + default = 2 +} + +variable "number_of_probes" { + type = number + description = "The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure" + default = 1 +} From ee7e899d88de6ec93a8bb2dbaac48ecf3a5b570d Mon Sep 17 00:00:00 2001 From: jmolnar-zscaler <106208217+jmolnar-zscaler@users.noreply.github.com> Date: Wed, 27 Sep 2023 11:49:21 -0400 Subject: [PATCH 08/10] Release refactoring (#19) * fix: remove legacy med/lrg resources * feat: change var load_distribution default * chore: azurerm bump to 3.74 * refactor: name_prefix default to zscc * fix: ip configuration rename * docs: readme and changelog updates * docs(CHANGELOG): update --- CHANGELOG.md | 29 +++++++++---- README.md | 4 +- examples/README.md | 2 +- examples/base/README.md | 4 +- examples/base/variables.tf | 6 ++- examples/base/versions.tf | 2 +- examples/base_1cc/README.md | 4 +- examples/base_1cc/variables.tf | 6 ++- examples/base_1cc/versions.tf | 2 +- examples/base_1cc_zpa/README.md | 6 +-- examples/base_1cc_zpa/variables.tf | 6 ++- examples/base_1cc_zpa/versions.tf | 2 +- examples/base_cc_lb/README.md | 6 +-- examples/base_cc_lb/variables.tf | 8 +++- examples/base_cc_lb/versions.tf | 2 +- examples/base_cc_lb_zpa/README.md | 8 ++-- examples/base_cc_lb_zpa/variables.tf | 8 +++- examples/base_cc_lb_zpa/versions.tf | 2 +- examples/cc_lb/README.md | 6 +-- examples/cc_lb/variables.tf | 8 +++- examples/cc_lb/versions.tf | 2 +- examples/zsec | 28 ++++++------- .../terraform-zscc-bastion-azure/README.md | 4 +- .../terraform-zscc-bastion-azure/versions.tf | 2 +- modules/terraform-zscc-ccvm-azure/README.md | 7 +--- modules/terraform-zscc-ccvm-azure/main.tf | 42 +++---------------- modules/terraform-zscc-ccvm-azure/versions.tf | 2 +- .../terraform-zscc-identity-azure/README.md | 4 +- .../terraform-zscc-identity-azure/versions.tf | 2 +- modules/terraform-zscc-lb-azure/README.md | 6 +-- modules/terraform-zscc-lb-azure/variables.tf | 2 +- modules/terraform-zscc-lb-azure/versions.tf | 2 +- .../terraform-zscc-network-azure/README.md | 4 +- .../terraform-zscc-network-azure/versions.tf | 2 +- modules/terraform-zscc-nsg-azure/README.md | 4 +- modules/terraform-zscc-nsg-azure/versions.tf | 2 +- .../README.md | 4 +- .../versions.tf | 2 +- .../terraform-zscc-workload-azure/README.md | 4 +- .../terraform-zscc-workload-azure/versions.tf | 2 +- 40 files changed, 125 insertions(+), 123 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cbd95ae..9b581e1 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,24 @@ -## TBD (Unreleased) -* Add encryption_at_host_enabled variable and default to true +## v0.3.0 (September 30, 2023) + +FEATURES: * Azure Private DNS module (terraform-zscc-private-dns-azure) -* New greenfield deployment options (base_1cc_zpa and base_cc_lb_zpa) with Azure Private DNS module integration -* zpa_enabled variable added to dynamically create Outbound DNS subnet and Route Table in VNet if set to true -* zsec additions for new deployment options + domains adding to Private DNS Resolver Rule creation -* workload VM for greenfield deployments dns_servers set to Azure DNS default -* terraform-zscc-network-azure refactoring to remove data source read dependencies -* probe_threshold variable added for [Azure LB health probe fixes](https://learn.microsoft.com/en-us/azure/load-balancer/whats-new#known-issues:~:text=February%202020-,Known%20issues,-The%20product%20group) -* Add AZURE_MANAGED_IDENTITY_CLIENT_ID field to userdata generation + - add: deployment types base_1cc_zpa/base_cc_lb_zpa (greenfield/pov/test) with Azure Private DNS module integration + - add: conditional variable zpa_enabled for cc_lb (brownfield/prod) deployment for Azure Private DNS module integration + - add: zsec additions for new deployment options + domains adding to Private DNS Resolver Rule creation +* AzureRM Provider version bump to 3.74.x default. Support from 3.46.x to 3.74.x + +ENHANCEMENTS: +* Encryption at Host enabled by default + - add: encryption_at_host_enabled variable and default to true +* change: workload VM for greenfield deployments dns_servers to Azure DNS default +* add: AZURE_MANAGED_IDENTITY_CLIENT_ID field to userdata generation +* change: variable load_distribution set to Azure "Default" corresponding to None/5-tuple session persistency in the Azure Portal. +* change: name_prefix variable default to zscc + +BUG FIXES: +* refactor: terraform-zscc-network-azure to remove data source read dependencies +* add: variable probe_threshold for [Azure LB health probe fixes](https://learn.microsoft.com/en-us/azure/load-balancer/whats-new#known-issues:~:text=February%202020-,Known%20issues,-The%20product%20group) + ## v0.2.0 (March 7, 2023) diff --git a/README.md b/README.md index c847668..8803472 100755 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Use this repository to create the deployment resources required to deploy and op Our Deployment scripts are leveraging Terraform v1.1.9 which includes full binary and provider support for macOS M1 chips, but any Terraform version 0.13.7 should be generally supported. -- provider registry.terraform.io/hashicorp/azurerm v3.46.x +- provider registry.terraform.io/hashicorp/azurerm v3.74.x (minimum 3.46.x) - provider registry.terraform.io/hashicorp/random v3.3.x - provider registry.terraform.io/hashicorp/local v2.2.x - provider registry.terraform.io/hashicorp/null v3.1.x @@ -57,7 +57,7 @@ To enable host encryption. You **must** subscribe to the feature on your azure a ## **Greenfield Deployments** -Use this if you are building an entire cluster from the ground up. These templates include a bastion host and test workloads and are designed for greenfield/POV testing. +Use this if you are building an entire cluster from the ground up. These templates include a bastion host and test workloads and are designed for greenfield/POV testing. See [Modules](modules/) for the Terraform configurations for greenfield deployment. ### **Starter Deployment Template** diff --git a/examples/README.md b/examples/README.md index 07b4529..a7741b6 100644 --- a/examples/README.md +++ b/examples/README.md @@ -74,7 +74,7 @@ Deployment Type: (base | base_1cc | base_1cc_zpa | base_cc_lb | base_cc_lb_zpa): **2. Prod/Brownfield Deployments** -(These templates would be most applicable for production deployments and have more customization options than a "base" deployments) +(These templates would be most applicable for production deployments and have more customization options than a "base" deployments). They also do not include a bastion or workload hosts deployed. ``` bash diff --git a/examples/base/README.md b/examples/base/README.md index b4536b7..f3cd751 100644 --- a/examples/base/README.md +++ b/examples/base/README.md @@ -40,7 +40,7 @@ From base directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -78,7 +78,7 @@ From base directory execute: | [arm\_location](#input\_arm\_location) | The Azure Region where resources are to be deployed | `string` | `"westus2"` | no | | [bastion\_nsg\_source\_prefix](#input\_bastion\_nsg\_source\_prefix) | User input for locking down SSH access to bastion to a specific IP or CIDR range. Defaults to any IP | `string` | `"*"` | no | | [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no | -| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | +| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | diff --git a/examples/base/variables.tf b/examples/base/variables.tf index 00a8695..5d4879f 100755 --- a/examples/base/variables.tf +++ b/examples/base/variables.tf @@ -7,7 +7,11 @@ variable "arm_location" { variable "name_prefix" { type = string description = "The name prefix for all your resources" - default = "zsdemo" + default = "zscc" + validation { + condition = length(var.name_prefix) <= 12 + error_message = "Variable name_prefix must be 12 or less characters." + } } variable "network_address_space" { diff --git a/examples/base/versions.tf b/examples/base/versions.tf index 012f54b..07808ac 100755 --- a/examples/base/versions.tf +++ b/examples/base/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } random = { source = "hashicorp/random" diff --git a/examples/base_1cc/README.md b/examples/base_1cc/README.md index a85ffb9..2a51891 100644 --- a/examples/base_1cc/README.md +++ b/examples/base_1cc/README.md @@ -41,7 +41,7 @@ From base_1cc directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -103,7 +103,7 @@ From base_1cc directory execute: | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [lb\_enabled](#input\_lb\_enabled) | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb\_frontend\_ip. If false, default route next hop directly to the CC Service IP passed from var.cc\_service\_ip | `bool` | `false` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | +| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | diff --git a/examples/base_1cc/variables.tf b/examples/base_1cc/variables.tf index 7d5767c..7626071 100755 --- a/examples/base_1cc/variables.tf +++ b/examples/base_1cc/variables.tf @@ -13,7 +13,11 @@ variable "arm_location" { variable "name_prefix" { type = string description = "The name prefix for all your resources" - default = "zsdemo" + default = "zscc" + validation { + condition = length(var.name_prefix) <= 12 + error_message = "Variable name_prefix must be 12 or less characters." + } } variable "network_address_space" { diff --git a/examples/base_1cc/versions.tf b/examples/base_1cc/versions.tf index e97eecf..82f3301 100755 --- a/examples/base_1cc/versions.tf +++ b/examples/base_1cc/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } random = { source = "hashicorp/random" diff --git a/examples/base_1cc_zpa/README.md b/examples/base_1cc_zpa/README.md index c3e5d28..7fd7fe2 100644 --- a/examples/base_1cc_zpa/README.md +++ b/examples/base_1cc_zpa/README.md @@ -41,7 +41,7 @@ From base_1cc_zpa directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -51,7 +51,7 @@ From base_1cc_zpa directory execute: | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | | [local](#provider\_local) | ~> 2.2.0 | | [null](#provider\_null) | ~> 3.1.0 | | [random](#provider\_random) | ~> 3.3.0 | @@ -107,7 +107,7 @@ From base_1cc_zpa directory execute: | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [lb\_enabled](#input\_lb\_enabled) | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb\_frontend\_ip. If false, default route next hop directly to the CC Service IP passed from var.cc\_service\_ip | `bool` | `false` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | +| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | | [private\_dns\_subnet](#input\_private\_dns\_subnet) | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network\_address\_space variable. | `string` | `null` | no | diff --git a/examples/base_1cc_zpa/variables.tf b/examples/base_1cc_zpa/variables.tf index 829aa7e..db3e38e 100755 --- a/examples/base_1cc_zpa/variables.tf +++ b/examples/base_1cc_zpa/variables.tf @@ -13,7 +13,11 @@ variable "arm_location" { variable "name_prefix" { type = string description = "The name prefix for all your resources" - default = "zsdemo" + default = "zscc" + validation { + condition = length(var.name_prefix) <= 12 + error_message = "Variable name_prefix must be 12 or less characters." + } } variable "network_address_space" { diff --git a/examples/base_1cc_zpa/versions.tf b/examples/base_1cc_zpa/versions.tf index e97eecf..82f3301 100755 --- a/examples/base_1cc_zpa/versions.tf +++ b/examples/base_1cc_zpa/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } random = { source = "hashicorp/random" diff --git a/examples/base_cc_lb/README.md b/examples/base_cc_lb/README.md index 4e15e2c..75b2e93 100644 --- a/examples/base_cc_lb/README.md +++ b/examples/base_cc_lb/README.md @@ -42,7 +42,7 @@ From base_cc_lb directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -105,9 +105,9 @@ From base_cc_lb directory execute: | [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [lb\_enabled](#input\_lb\_enabled) | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb\_frontend\_ip. If false, default route next hop directly to the CC Service IP passed from var.cc\_service\_ip | `bool` | `true` | no | -| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | +| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"Default"` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | +| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | | [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | diff --git a/examples/base_cc_lb/variables.tf b/examples/base_cc_lb/variables.tf index 62e5577..e4b762b 100755 --- a/examples/base_cc_lb/variables.tf +++ b/examples/base_cc_lb/variables.tf @@ -13,7 +13,11 @@ variable "arm_location" { variable "name_prefix" { type = string description = "The name prefix for all your resources" - default = "zsdemo" + default = "zscc" + validation { + condition = length(var.name_prefix) <= 12 + error_message = "Variable name_prefix must be 12 or less characters." + } } variable "network_address_space" { @@ -224,7 +228,7 @@ variable "bastion_nsg_source_prefix" { variable "load_distribution" { type = string description = "Azure LB load distribution method" - default = "SourceIP" + default = "Default" validation { condition = ( var.load_distribution == "SourceIP" || diff --git a/examples/base_cc_lb/versions.tf b/examples/base_cc_lb/versions.tf index e97eecf..82f3301 100755 --- a/examples/base_cc_lb/versions.tf +++ b/examples/base_cc_lb/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } random = { source = "hashicorp/random" diff --git a/examples/base_cc_lb_zpa/README.md b/examples/base_cc_lb_zpa/README.md index 10dcbb3..7d4adc8 100644 --- a/examples/base_cc_lb_zpa/README.md +++ b/examples/base_cc_lb_zpa/README.md @@ -42,7 +42,7 @@ From base_cc_lb_zpa directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -52,7 +52,7 @@ From base_cc_lb_zpa directory execute: | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | | [local](#provider\_local) | ~> 2.2.0 | | [null](#provider\_null) | ~> 3.1.0 | | [random](#provider\_random) | ~> 3.3.0 | @@ -109,9 +109,9 @@ From base_cc_lb_zpa directory execute: | [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | | [lb\_enabled](#input\_lb\_enabled) | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb\_frontend\_ip. If false, default route next hop directly to the CC Service IP passed from var.cc\_service\_ip | `bool` | `true` | no | -| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | +| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"Default"` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | +| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets, workload\_subnets, cc\_subnets, and route53\_subnets variables | `string` | `"10.1.0.0/16"` | no | | [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | diff --git a/examples/base_cc_lb_zpa/variables.tf b/examples/base_cc_lb_zpa/variables.tf index 29aa6d3..2df8851 100755 --- a/examples/base_cc_lb_zpa/variables.tf +++ b/examples/base_cc_lb_zpa/variables.tf @@ -13,7 +13,11 @@ variable "arm_location" { variable "name_prefix" { type = string description = "The name prefix for all your resources" - default = "zsdemo" + default = "zscc" + validation { + condition = length(var.name_prefix) <= 12 + error_message = "Variable name_prefix must be 12 or less characters." + } } variable "network_address_space" { @@ -230,7 +234,7 @@ variable "bastion_nsg_source_prefix" { variable "load_distribution" { type = string description = "Azure LB load distribution method" - default = "SourceIP" + default = "Default" validation { condition = ( var.load_distribution == "SourceIP" || diff --git a/examples/base_cc_lb_zpa/versions.tf b/examples/base_cc_lb_zpa/versions.tf index e97eecf..82f3301 100755 --- a/examples/base_cc_lb_zpa/versions.tf +++ b/examples/base_cc_lb_zpa/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } random = { source = "hashicorp/random" diff --git a/examples/cc_lb/README.md b/examples/cc_lb/README.md index 3be7751..4cde591 100644 --- a/examples/cc_lb/README.md +++ b/examples/cc_lb/README.md @@ -45,7 +45,7 @@ From cc_lb directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -125,9 +125,9 @@ From cc_lb directory execute: | [existing\_nat\_gw\_subnet\_association](#input\_existing\_nat\_gw\_subnet\_association) | Set this to true only if both byo\_nat\_gws and byo\_subnets variables are true. this implies that there are already NAT Gateway resources associated to subnets where Cloud Connectors are being deployed to | `bool` | `false` | no | | [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | -| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | +| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"Default"` | no | | [managed\_identity\_subscription\_id](#input\_managed\_identity\_subscription\_id) | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env\_subscription\_id | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | +| [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNET CIDR / address prefix | `string` | `"10.1.0.0/16"` | no | | [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | diff --git a/examples/cc_lb/variables.tf b/examples/cc_lb/variables.tf index 31864f6..b2d0662 100755 --- a/examples/cc_lb/variables.tf +++ b/examples/cc_lb/variables.tf @@ -13,7 +13,11 @@ variable "arm_location" { variable "name_prefix" { type = string description = "The name prefix for all your resources" - default = "zsdemo" + default = "zscc" + validation { + condition = length(var.name_prefix) <= 12 + error_message = "Variable name_prefix must be 12 or less characters." + } } variable "network_address_space" { @@ -202,7 +206,7 @@ variable "accelerated_networking_enabled" { variable "load_distribution" { type = string description = "Azure LB load distribution method" - default = "SourceIP" + default = "Default" validation { condition = ( var.load_distribution == "SourceIP" || diff --git a/examples/cc_lb/versions.tf b/examples/cc_lb/versions.tf index e97eecf..82f3301 100755 --- a/examples/cc_lb/versions.tf +++ b/examples/cc_lb/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } random = { source = "hashicorp/random" diff --git a/examples/zsec b/examples/zsec index 7e7b81b..0db5d45 100755 --- a/examples/zsec +++ b/examples/zsec @@ -301,23 +301,23 @@ fi cc_instance_size_default=small - read -r -p "Enter CC Instance Size. Valid input = small, medium, or large. This needs to match the size chosen in the CC provisioning template [Default=$cc_instance_size_default]: " cc_instance_size_input -cc_instance_size=${cc_instance_size_input:-$cc_instance_size_default} - case $cc_instance_size in - small|medium|large) - echo "Cloud Connector size: ${cc_instance_size}" - echo "export TF_VAR_cc_instance_size=${cc_instance_size}" >> .zsecrc - ;; - *) - echo "Invalid Cloud Connector size: ${cc_instance_size}." - echo "Delete .zsecrc file and re-run zsecup ..." - exit 1 - ;; - esac + #read -r -p "Enter CC Instance Size. Valid input = small, medium, or large. This needs to match the size chosen in the CC provisioning template [Default=$cc_instance_size_default]: " cc_instance_size_input +#cc_instance_size=${cc_instance_size_input:-$cc_instance_size_default} +# case $cc_instance_size in +# small|medium|large) +# echo "Cloud Connector size: ${cc_instance_size}" +# echo "export TF_VAR_cc_instance_size=${cc_instance_size}" >> .zsecrc +# ;; +# *) +# echo "Invalid Cloud Connector size: ${cc_instance_size}." +# echo "Delete .zsecrc file and re-run zsecup ..." +# exit 1 +# ;; +# esac ccvm_instance_type_default=Standard_D2s_v3 while true; do - read -r -p "Enter desired Azure VM type for CC. Recommended types: Small CC (Standard_D2s_v3); Medium (Standard_D8s_v3 or Standard_DS3_v2); Large (Standard_D16s_v3 or Standard_DS5_v2) [Default=$ccvm_instance_type_default]: " ccvm_instance_type_input + read -r -p "Enter desired Azure VM type for CC. Recommended types: Small CC (Standard_D2s_v3) [Default=$ccvm_instance_type_default]: " ccvm_instance_type_input ccvm_instance_type=${ccvm_instance_type_input:-$ccvm_instance_type_default} case $ccvm_instance_type in Standard_D2s_v3|Standard_DS3_v2|Standard_D8s_v3|Standard_D16s_v3|Standard_DS5_v2 ) diff --git a/modules/terraform-zscc-bastion-azure/README.md b/modules/terraform-zscc-bastion-azure/README.md index 2a880af..ad2100e 100644 --- a/modules/terraform-zscc-bastion-azure/README.md +++ b/modules/terraform-zscc-bastion-azure/README.md @@ -8,13 +8,13 @@ This module creates all Azure VM, NSG, and Public IP resources needed to deploy | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules diff --git a/modules/terraform-zscc-bastion-azure/versions.tf b/modules/terraform-zscc-bastion-azure/versions.tf index 0dc1d32..903cd9b 100755 --- a/modules/terraform-zscc-bastion-azure/versions.tf +++ b/modules/terraform-zscc-bastion-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zscc-ccvm-azure/README.md b/modules/terraform-zscc-ccvm-azure/README.md index 2d03727..cc8504e 100644 --- a/modules/terraform-zscc-ccvm-azure/README.md +++ b/modules/terraform-zscc-ccvm-azure/README.md @@ -21,7 +21,7 @@ az vm image terms accept --urn zscaler1579058425289:zia_cloud_connector:zs_ser_g | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | @@ -29,7 +29,7 @@ az vm image terms accept --urn zscaler1579058425289:zia_cloud_connector:zs_ser_g | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | | [null](#provider\_null) | ~> 3.1.0 | ## Modules @@ -47,9 +47,6 @@ No modules. | [azurerm_network_interface.cc_service_nic_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) | resource | | [azurerm_network_interface.cc_service_nic_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) | resource | | [azurerm_network_interface.cc_service_nic_3](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface) | resource | -| [azurerm_network_interface_backend_address_pool_association.cc_vm_service_1_nic_lb_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_backend_address_pool_association) | resource | -| [azurerm_network_interface_backend_address_pool_association.cc_vm_service_2_nic_lb_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_backend_address_pool_association) | resource | -| [azurerm_network_interface_backend_address_pool_association.cc_vm_service_3_nic_lb_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_backend_address_pool_association) | resource | | [azurerm_network_interface_backend_address_pool_association.cc_vm_service_nic_lb_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_backend_address_pool_association) | resource | | [azurerm_network_interface_security_group_association.cc_mgmt_nic_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association) | resource | | [azurerm_network_interface_security_group_association.cc_service_nic_1_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface_security_group_association) | resource | diff --git a/modules/terraform-zscc-ccvm-azure/main.tf b/modules/terraform-zscc-ccvm-azure/main.tf index 3f8e55d..e4d12b5 100755 --- a/modules/terraform-zscc-ccvm-azure/main.tf +++ b/modules/terraform-zscc-ccvm-azure/main.tf @@ -9,7 +9,7 @@ resource "azurerm_network_interface" "cc_mgmt_nic" { resource_group_name = var.resource_group ip_configuration { - name = "${var.name_prefix}-cc-mgmt-nic-conf-${var.resource_tag}" + name = "${var.name_prefix}-ccvm-mgmt-nic-conf-${var.resource_tag}" subnet_id = element(var.mgmt_subnet_id, count.index) private_ip_address_allocation = "Dynamic" primary = true @@ -37,14 +37,14 @@ resource "azurerm_network_interface_security_group_association" "cc_mgmt_nic_ass ################################################################################ resource "azurerm_network_interface" "cc_service_nic" { count = local.valid_cc_create ? var.cc_count : 0 - name = var.cc_instance_size == "small" ? "${var.name_prefix}-ccvm-${count.index + 1}-service-nic-${var.resource_tag}" : "${var.name_prefix}-ccvm-${count.index + 1}-lb-nic-${var.resource_tag}" + name = "${var.name_prefix}-ccvm-${count.index + 1}-fwd-nic-${var.resource_tag}" location = var.location resource_group_name = var.resource_group enable_ip_forwarding = true enable_accelerated_networking = var.accelerated_networking_enabled ip_configuration { - name = var.cc_instance_size == "small" ? "${var.name_prefix}-cc-service-nic-conf-${var.resource_tag}" : "${var.name_prefix}-cc-lb-nic-conf-${var.resource_tag}" + name = "${var.name_prefix}-ccvm-fwd-nic-conf-${var.resource_tag}" subnet_id = element(var.service_subnet_id, count.index) private_ip_address_allocation = "Dynamic" primary = true @@ -57,7 +57,7 @@ resource "azurerm_network_interface" "cc_service_nic" { ################################################################################ -# Associate CC Service/LB NIC to Service NSG +# Associate CC Service/Forwarding NIC to Service NSG ################################################################################ resource "azurerm_network_interface_security_group_association" "cc_service_nic_association" { count = local.valid_cc_create ? var.cc_count : 0 @@ -182,41 +182,11 @@ resource "azurerm_network_interface_security_group_association" "cc_service_nic_ ################################################################################ # Create Cloud Connector Network Interface to Load Balancer associations ################################################################################ -# Associate "small" CC service interface to Azure LB backend pool. This resource will not be created for "medium" or "large" CC instances +# Associate CC forwarding interface to Azure LB backend pool resource "azurerm_network_interface_backend_address_pool_association" "cc_vm_service_nic_lb_association" { count = var.lb_association_enabled == true && var.cc_instance_size == "small" ? var.cc_count : 0 network_interface_id = azurerm_network_interface.cc_service_nic[count.index].id - ip_configuration_name = "${var.name_prefix}-cc-service-nic-conf-${var.resource_tag}" - backend_address_pool_id = var.backend_address_pool - - depends_on = [var.backend_address_pool] -} - -# Associate "medium/large" CC service interface-1 to Azure LB backend pool. This resource will not be created for "small" CC instances -resource "azurerm_network_interface_backend_address_pool_association" "cc_vm_service_1_nic_lb_association" { - count = var.lb_association_enabled == true && var.cc_instance_size != "small" ? var.cc_count : 0 - network_interface_id = azurerm_network_interface.cc_service_nic_1[count.index].id - ip_configuration_name = "${var.name_prefix}-cc-service-nic-1-conf-${var.resource_tag}" - backend_address_pool_id = var.backend_address_pool - - depends_on = [var.backend_address_pool] -} - -# Associate "medium/large" CC service interface-2 to Azure LB backend pool. This resource will not be created for "small" CC instances -resource "azurerm_network_interface_backend_address_pool_association" "cc_vm_service_2_nic_lb_association" { - count = var.lb_association_enabled == true && var.cc_instance_size != "small" ? var.cc_count : 0 - network_interface_id = azurerm_network_interface.cc_service_nic_2[count.index].id - ip_configuration_name = "${var.name_prefix}-cc-service-nic-2-conf-${var.resource_tag}" - backend_address_pool_id = var.backend_address_pool - - depends_on = [var.backend_address_pool] -} - -# Associate "large" CC service interface-3 to Azure LB backend pool. This resource will not be created for "small" or "medium" CC instances -resource "azurerm_network_interface_backend_address_pool_association" "cc_vm_service_3_nic_lb_association" { - count = var.lb_association_enabled == true && var.cc_instance_size == "large" ? var.cc_count : 0 - network_interface_id = azurerm_network_interface.cc_service_nic_3[count.index].id - ip_configuration_name = "${var.name_prefix}-cc-service-nic-3-conf-${var.resource_tag}" + ip_configuration_name = "${var.name_prefix}-ccvm-fwd-nic-conf-${var.resource_tag}" backend_address_pool_id = var.backend_address_pool depends_on = [var.backend_address_pool] diff --git a/modules/terraform-zscc-ccvm-azure/versions.tf b/modules/terraform-zscc-ccvm-azure/versions.tf index 2f497b3..5c56d84 100755 --- a/modules/terraform-zscc-ccvm-azure/versions.tf +++ b/modules/terraform-zscc-ccvm-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } local = { source = "hashicorp/local" diff --git a/modules/terraform-zscc-identity-azure/README.md b/modules/terraform-zscc-identity-azure/README.md index 4319506..a3a0cb1 100644 --- a/modules/terraform-zscc-identity-azure/README.md +++ b/modules/terraform-zscc-identity-azure/README.md @@ -8,13 +8,13 @@ This module takes name and resource group inputs of an existing User Managed Ide | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules diff --git a/modules/terraform-zscc-identity-azure/versions.tf b/modules/terraform-zscc-identity-azure/versions.tf index 0dc1d32..903cd9b 100755 --- a/modules/terraform-zscc-identity-azure/versions.tf +++ b/modules/terraform-zscc-identity-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zscc-lb-azure/README.md b/modules/terraform-zscc-lb-azure/README.md index a48da8f..7d57651 100644 --- a/modules/terraform-zscc-lb-azure/README.md +++ b/modules/terraform-zscc-lb-azure/README.md @@ -8,13 +8,13 @@ This module creates a Standard Load Balancer, backend addres pool, LB rules, and | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules @@ -36,7 +36,7 @@ No modules. | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [health\_check\_interval](#input\_health\_check\_interval) | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | `number` | `15` | no | | [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | `number` | `50000` | no | -| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"SourceIP"` | no | +| [load\_distribution](#input\_load\_distribution) | Azure LB load distribution method | `string` | `"Default"` | no | | [location](#input\_location) | Cloud Connector Azure Region | `string` | n/a | yes | | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the lb module resources | `string` | `null` | no | | [number\_of\_probes](#input\_number\_of\_probes) | The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | `number` | `1` | no | diff --git a/modules/terraform-zscc-lb-azure/variables.tf b/modules/terraform-zscc-lb-azure/variables.tf index c515c2d..87d39f8 100755 --- a/modules/terraform-zscc-lb-azure/variables.tf +++ b/modules/terraform-zscc-lb-azure/variables.tf @@ -47,7 +47,7 @@ variable "http_probe_port" { variable "load_distribution" { type = string description = "Azure LB load distribution method" - default = "SourceIP" + default = "Default" validation { condition = ( var.load_distribution == "SourceIP" || diff --git a/modules/terraform-zscc-lb-azure/versions.tf b/modules/terraform-zscc-lb-azure/versions.tf index 0dc1d32..903cd9b 100755 --- a/modules/terraform-zscc-lb-azure/versions.tf +++ b/modules/terraform-zscc-lb-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zscc-network-azure/README.md b/modules/terraform-zscc-network-azure/README.md index 28a84f3..ecae9bb 100644 --- a/modules/terraform-zscc-network-azure/README.md +++ b/modules/terraform-zscc-network-azure/README.md @@ -32,13 +32,13 @@ Subnets used for DNS resolver have the following limitations: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules diff --git a/modules/terraform-zscc-network-azure/versions.tf b/modules/terraform-zscc-network-azure/versions.tf index 24849f6..192026f 100755 --- a/modules/terraform-zscc-network-azure/versions.tf +++ b/modules/terraform-zscc-network-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } local = { source = "hashicorp/local" diff --git a/modules/terraform-zscc-nsg-azure/README.md b/modules/terraform-zscc-nsg-azure/README.md index 29f7ae8..46f8148 100644 --- a/modules/terraform-zscc-nsg-azure/README.md +++ b/modules/terraform-zscc-nsg-azure/README.md @@ -8,13 +8,13 @@ This module can be used to create default Management and Service interface NSG r | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules diff --git a/modules/terraform-zscc-nsg-azure/versions.tf b/modules/terraform-zscc-nsg-azure/versions.tf index 0dc1d32..903cd9b 100755 --- a/modules/terraform-zscc-nsg-azure/versions.tf +++ b/modules/terraform-zscc-nsg-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zscc-private-dns-azure/README.md b/modules/terraform-zscc-private-dns-azure/README.md index 792353a..fbdb036 100755 --- a/modules/terraform-zscc-private-dns-azure/README.md +++ b/modules/terraform-zscc-private-dns-azure/README.md @@ -56,13 +56,13 @@ Subnets used for DNS resolver have the following limitations: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules diff --git a/modules/terraform-zscc-private-dns-azure/versions.tf b/modules/terraform-zscc-private-dns-azure/versions.tf index 0dc1d32..903cd9b 100755 --- a/modules/terraform-zscc-private-dns-azure/versions.tf +++ b/modules/terraform-zscc-private-dns-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zscc-workload-azure/README.md b/modules/terraform-zscc-workload-azure/README.md index 6cc6951..630b68e 100644 --- a/modules/terraform-zscc-workload-azure/README.md +++ b/modules/terraform-zscc-workload-azure/README.md @@ -8,13 +8,13 @@ This module creates all Azure VM and NSG resources needed to deploy test workloa | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.46.0 | +| [azurerm](#requirement\_azurerm) | >= 3.46, <= 3.74 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 3.46.0 | +| [azurerm](#provider\_azurerm) | >= 3.46, <= 3.74 | ## Modules diff --git a/modules/terraform-zscc-workload-azure/versions.tf b/modules/terraform-zscc-workload-azure/versions.tf index 0dc1d32..903cd9b 100755 --- a/modules/terraform-zscc-workload-azure/versions.tf +++ b/modules/terraform-zscc-workload-azure/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.46.0" + version = ">= 3.46, <= 3.74" } } required_version = ">= 0.13.7, < 2.0.0" From 05bbeb4155ec02ec57e33c5ba4b3e22ae27f7a53 Mon Sep 17 00:00:00 2001 From: jmolnar-zscaler <106208217+jmolnar-zscaler@users.noreply.github.com> Date: Wed, 27 Sep 2023 14:44:36 -0400 Subject: [PATCH 09/10] fix: zsec cc_instance_size * fix: zsec cc_instance_size --- examples/zsec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/zsec b/examples/zsec index 0db5d45..75ce9fa 100755 --- a/examples/zsec +++ b/examples/zsec @@ -300,7 +300,8 @@ fi # --- - cc_instance_size_default=small + cc_instance_size=small + echo "export TF_VAR_cc_instance_size=${cc_instance_size}" >> .zsecrc #read -r -p "Enter CC Instance Size. Valid input = small, medium, or large. This needs to match the size chosen in the CC provisioning template [Default=$cc_instance_size_default]: " cc_instance_size_input #cc_instance_size=${cc_instance_size_input:-$cc_instance_size_default} # case $cc_instance_size in From a22ffa0ba2807baee1b80872ed3f406f9135ac98 Mon Sep 17 00:00:00 2001 From: Jameson Molnar
"185.46.212.88",
"185.46.212.89"
]