Merge pull request #28 from zscaler/ztw-2331
fix: add dynamic support tunnel nsg rule creation
jmolnar-zscaler authored Dec 5, 2023
2 parents a591713 + 9f3389f commit 420384f
Showing 25 changed files with 197 additions and 65 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
## TBD (UNRELEASED)

FEATURES:
* Azure China support (China East, China East 2, China North, China North 2, and China North 3)

Expand All @@ -7,6 +8,8 @@ BUG FIXES:
*
ENHANCEMENTS:
* ZSEC bash script support for Azure China regions
* * add: variable support_access_enabled for dynamic NSG rule creation for Zscaler Support Tunnel access
* add: zsec prompt for support tunnel rule creation

## v0.3.0 (September 30, 2023)

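Review bot: the entry `* * add: variable support_access_enabled for dynamic NSG rule creation for Zscaler Support Tunnel access` carries a doubled list marker and will render as an empty outer bullet with a nested one; drop the leading `* ` so it matches `* add: zsec prompt for support tunnel rule creation` directly below. Separately, the commit is titled `fix:` but both entries are filed under ENHANCEMENTS while the lone `*` under BUG FIXES stays empty; pick one classification so the changelog and the commit prefix agree.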
1 change: 1 addition & 0 deletions examples/base_1cc/README.md
Expand Up @@ -109,6 +109,7 @@ From base_1cc directory execute:
| <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
| <a name="input_reuse_nsg"></a> [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no |
| <a name="input_support_access_enabled"></a> [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no |
| <a name="input_tls_key_algorithm"></a> [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no |
| <a name="input_workload_count"></a> [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no |
| <a name="input_workloads_subnets"></a> [workloads\_subnets](#input\_workloads\_subnets) | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
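Review bot: the `support_access_enabled` description says an outbound rule is enabled for support access but not what that rule permits (destination prefix, protocol, port), which is exactly what someone reviewing an egress allowlist needs before leaving the default at `true`; state it here or link the module documentation that does. Because the variable is a `bool` defaulting to `true`, every existing deployment that upgrades to this version will pick up the new NSG rule on its next apply; that deserves an explicit mention in the README or CHANGELOG.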
15 changes: 8 additions & 7 deletions examples/base_1cc/main.tf
Expand Up @@ -162,13 +162,14 @@ module "cc_vm" {
# created and assigned to ALL Cloud Connectors
################################################################################
module "cc_nsg" {
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
support_access_enabled = var.support_access_enabled
}


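Review bot: only `support_access_enabled = var.support_access_enabled` is a functional change; the other seven lines are `=` realignment from terraform fmt, which is fine but worth knowing when reading the diff. The value is forwarded to `../../modules/terraform-zscc-nsg-azure`, whose side of this commit is not visible on this page, so confirm the module declares an input with the same name and same `bool` default, and that with `reuse_nsg = true` (so `nsg_count = 1`) the single shared NSG receives the support rule exactly once rather than one rule per Cloud Connector.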
11 changes: 10 additions & 1 deletion examples/base_1cc/terraform.tfvars
Expand Up @@ -169,7 +169,16 @@

#encryption_at_host_enabled = false

## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling
## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule.
##
## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and
## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access

#support_access_enabled = false

## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the
## Cloud Connector deployment with a private VHD instead of using the marketplace publisher.
## *** This is recommended only for testing purposes and not supported for production deployments ***
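Review bot: "configured enabling Zscaler remote support access" reads as though inbound access to the Cloud Connector were being opened; the comment should say plainly that `Zscaler_Support_Access` is an outbound (egress) rule for connections the connector initiates, and name the destination and port it permits so operators can reconcile it with their egress policy instead of following the two links. The wording "Uncomment if you do not want to enable this rule" matches `#support_access_enabled = false` below it, which is good. The renumbering of the marketplace-image note from 21 to 22 is correct; make sure any later numbered items in this file beyond the visible region are shifted the same way, as was done for items 22 to 24 in the base_1cc_zpa tfvars.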
6 changes: 6 additions & 0 deletions examples/base_1cc/variables.tf
Expand Up @@ -242,3 +242,9 @@ variable "encryption_at_host_enabled" {
description = "User input for enabling or disabling host encryption"
default = true
}

variable "support_access_enabled" {
type = bool
description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"
default = true
}
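Review bot: the `description` ends with "Default is true", duplicating `default = true` and drifting silently if the default is ever changed; terraform-docs already renders the default column in the README table, so drop the phrase. Since this string is what lands in the README, also say in it that the rule is outbound-only, which the current wording "enable a specific outbound rule ... for Zscaler support access" leaves easy to misread as inbound.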
1 change: 1 addition & 0 deletions examples/base_1cc_zpa/README.md
Expand Up @@ -114,6 +114,7 @@ From base_1cc_zpa directory execute:
| <a name="input_private_dns_subnet"></a> [private\_dns\_subnet](#input\_private\_dns\_subnet) | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network\_address\_space variable. | `string` | `null` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
| <a name="input_reuse_nsg"></a> [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no |
| <a name="input_support_access_enabled"></a> [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no |
| <a name="input_target_address"></a> [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` | <pre>[<br> "185.46.212.88",<br> "185.46.212.89"<br>]</pre> | no |
| <a name="input_tls_key_algorithm"></a> [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no |
| <a name="input_workload_count"></a> [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no |
15 changes: 8 additions & 7 deletions examples/base_1cc_zpa/main.tf
Expand Up @@ -164,13 +164,14 @@ module "cc_vm" {
# created and assigned to ALL Cloud Connectors
################################################################################
module "cc_nsg" {
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
support_access_enabled = var.support_access_enabled
}


15 changes: 12 additions & 3 deletions examples/base_1cc_zpa/terraform.tfvars
Expand Up @@ -170,7 +170,16 @@

#encryption_at_host_enabled = false

## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling
## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule.
##
## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and
## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access

#support_access_enabled = false

## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the
## Cloud Connector deployment with a private VHD instead of using the marketplace publisher.
## *** This is recommended only for testing purposes and not supported for production deployments ***
Expand All @@ -182,7 +191,7 @@
#####################################################################################################################
##### ZPA/Azure Private DNS specific variables #####
#####################################################################################################################
## 22. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
## 23. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules,
## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax.
## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per
Expand All @@ -193,7 +202,7 @@
# appseg2 = "app2.com."
#}

## 23. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
## 24. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for
## ZPA DNS interception

6 changes: 6 additions & 0 deletions examples/base_1cc_zpa/variables.tf
Expand Up @@ -266,3 +266,9 @@ variable "target_address" {
description = "Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses"
default = ["185.46.212.88", "185.46.212.89"]
}

variable "support_access_enabled" {
type = bool
description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"
default = true
}
1 change: 1 addition & 0 deletions examples/base_cc_lb/README.md
Expand Up @@ -115,6 +115,7 @@ From base_cc_lb directory execute:
| <a name="input_probe_threshold"></a> [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
| <a name="input_reuse_nsg"></a> [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no |
| <a name="input_support_access_enabled"></a> [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no |
| <a name="input_tls_key_algorithm"></a> [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no |
| <a name="input_workload_count"></a> [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no |
| <a name="input_workloads_subnets"></a> [workloads\_subnets](#input\_workloads\_subnets) | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
15 changes: 8 additions & 7 deletions examples/base_cc_lb/main.tf
Expand Up @@ -165,13 +165,14 @@ module "cc_vm" {
# created and assigned to ALL Cloud Connectors
################################################################################
module "cc_nsg" {
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
support_access_enabled = var.support_access_enabled
}


11 changes: 10 additions & 1 deletion examples/base_cc_lb/terraform.tfvars
Expand Up @@ -169,7 +169,16 @@

#encryption_at_host_enabled = false

## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling
## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule.
##
## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and
## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access

#support_access_enabled = false

## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the
## Cloud Connector deployment with a private VHD instead of using the marketplace publisher.
## *** This is recommended only for testing purposes and not supported for production deployments ***
6 changes: 6 additions & 0 deletions examples/base_cc_lb/variables.tf
Expand Up @@ -280,3 +280,9 @@ variable "encryption_at_host_enabled" {
description = "User input for enabling or disabling host encryption"
default = true
}

variable "support_access_enabled" {
type = bool
description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"
default = true
}
1 change: 1 addition & 0 deletions examples/base_cc_lb_zpa/README.md
Expand Up @@ -120,6 +120,7 @@ From base_cc_lb_zpa directory execute:
| <a name="input_probe_threshold"></a> [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
| <a name="input_reuse_nsg"></a> [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no |
| <a name="input_support_access_enabled"></a> [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no |
| <a name="input_target_address"></a> [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` | <pre>[<br> "185.46.212.88",<br> "185.46.212.89"<br>]</pre> | no |
| <a name="input_tls_key_algorithm"></a> [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no |
| <a name="input_workload_count"></a> [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no |
15 changes: 8 additions & 7 deletions examples/base_cc_lb_zpa/main.tf
Expand Up @@ -167,13 +167,14 @@ module "cc_vm" {
# created and assigned to ALL Cloud Connectors
################################################################################
module "cc_nsg" {
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
source = "../../modules/terraform-zscc-nsg-azure"
nsg_count = var.reuse_nsg == false ? var.cc_count : 1
name_prefix = var.name_prefix
resource_tag = random_string.suffix.result
resource_group = module.network.resource_group_name
location = var.arm_location
global_tags = local.global_tags
support_access_enabled = var.support_access_enabled
}


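Review bot: this is the fourth verbatim copy of the same `module "cc_nsg"` change (base_1cc, base_1cc_zpa, base_cc_lb, base_cc_lb_zpa), each paired with an identical tfvars comment and variable description. Repetition is expected in example directories, but the semantics of the support rule (direction, destination, port, and that it is created per NSG) should be documented once in the module's own README so the four examples can point there instead of carrying the only explanation in a tfvars comment.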