1 parent
05bbeb4
commit a22ffa0
Showing
6 changed files
with
187 additions
and
223 deletions.
@@ -1,16 +1,21 @@ | ||
## This is only a sample terraform.tfvars file. | ||
## Uncomment and change the below variables according to your specific environment | ||
|
||
##################################################################################################################### | ||
##### Custom variables. Only change if required for your environment ##### | ||
##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### | ||
##### Modifying the variables in this file will override any inputs from ZSEC ##### | ||
##################################################################################################################### | ||
|
||
## 1. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script | ||
## 1. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc) | ||
|
||
#name_prefix = "zscc" | ||
|
||
## 2. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script | ||
## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2) | ||
|
||
#arm_location = "westus2" | ||
|
||
|
||
## 2. Network Configuration: | ||
## 3. Network Configuration: | ||
|
||
## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix | ||
## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other | ||
|
@@ -33,18 +38,15 @@ | |
#public_subnets = ["10.x.y.z/24"] | ||
#workloads_subnets = ["10.x.y.z/24"] | ||
|
||
|
||
## 3. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space | ||
## 4. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space | ||
## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max | ||
|
||
#workload_count = 2 | ||
|
||
|
||
## 4. Tag attribute "Owner" assigned to all resource created. (Default: "zscc-admin") | ||
## 5. Tag attribute "Owner" assigned to all resource created. (Default: "zscc-admin") | ||
|
||
#owner_tag = "[email protected]" | ||
|
||
|
||
## 5. Tag attribute "Environment" assigned to all resources created. (Default: "Development") | ||
## 6. Tag attribute "Environment" assigned to all resources created. (Default: "Development") | ||
|
||
#environment = "Development" |
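Review bot: The renumbered item 2 comment for `arm_location` says the ZSEC-populated value "will override any value set here", which contradicts the banner at the top of this file ("Modifying the variables in this file will override any inputs from ZSEC"). Terraform gives `terraform.tfvars` precedence over `TF_VAR_` environment variables, so if ZSEC exports the region that way (not visible in this diff) the banner is the accurate statement and a value uncommented here decides where the resources are deployed. Since the line is being edited anyway, confirm the actual precedence and state it once, e.g. `## 2. Azure region where Cloud Connector resources will be deployed. ZSEC populates this automatically; a value uncommented here takes precedence.` The same sentence is repeated as item 9 in the "Custom variables" hunk of the second tfvars file.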
@@ -1,11 +1,12 @@ | ||
## This is only a sample terraform.tfvars file. | ||
## Uncomment and change the below variables according to your specific environment | ||
|
||
##################################################################################################################### | ||
##### Variables are populated automically if terraform is ran via ZSEC bash script. ##### | ||
##### Modifying the variables in this file will override any inputs from ZSEC ##### | ||
##################################################################################################################### | ||
|
||
## Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider. | ||
## 1. Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider. | ||
## ** Note ** This will be auto populated for you via ZSEC bash script, so only uncomment if running Terraform manually. | ||
## E.g "abc12345-6789-0123-a456-bc1234567de8" | ||
|
||
|
@@ -14,15 +15,16 @@ | |
##################################################################################################################### | ||
##### Cloud Init Provisioning variables for userdata file ##### | ||
##################################################################################################################### | ||
## 1. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url | ||
|
||
## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url | ||
|
||
#cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url" | ||
|
||
## 2. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net" | ||
## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net" | ||
|
||
#azure_vault_url = "https://zscaler-cc-demo.vault.azure.net" | ||
|
||
## 3. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments. | ||
## 4. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments. | ||
## Uncomment and set custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000. | ||
|
||
#http_probe_port = 50000 | ||
|
@@ -35,18 +37,17 @@ | |
##### (minimum Role permissions: Microsoft.Network/networkInterfaces/read) ##### | ||
##################################################################################################################### | ||
|
||
|
||
## 4. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the | ||
## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the | ||
## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed. | ||
## E.g "abc12345-6789-0123-a456-bc1234567de8" | ||
|
||
#managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8" | ||
|
||
## 5. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity | ||
## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity | ||
|
||
#cc_vm_managed_identity_name = "cloud_connector_managed_identity" | ||
|
||
## 6. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1 | ||
## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1 | ||
|
||
#cc_vm_managed_identity_rg = "cloud_connector_rg_1" | ||
|
||
|
@@ -55,13 +56,16 @@ | |
##### Custom variables. Only change if required for your environment ##### | ||
##################################################################################################################### | ||
|
||
## 7. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script | ||
## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc) | ||
|
||
#name_prefix = "zscc" | ||
|
||
## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script | ||
## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2) | ||
|
||
#arm_location = "westus2" | ||
|
||
|
||
## 8. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change. | ||
## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change. | ||
## (Default: Standard_D2s_v3) | ||
|
||
#ccvm_instance_type = "Standard_D2s_v3" | ||
|
@@ -70,28 +74,25 @@ | |
#ccvm_instance_type = "Standard_D16s_v3" | ||
#ccvm_instance_type = "Standard_DS5_v2" | ||
|
||
|
||
## 9. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change | ||
## (Default: "small") | ||
## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections **** | ||
## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal | ||
## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed | ||
## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed | ||
## 11. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change | ||
## (Default: "small") | ||
## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections **** | ||
## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal | ||
## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed | ||
## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed | ||
|
||
#cc_instance_size = "small" | ||
#cc_instance_size = "medium" | ||
#cc_instance_size = "large" | ||
|
||
|
||
## 10. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating | ||
## 12. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating | ||
## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where cc_count > zones. | ||
## Not configurable for base or base_1cc deployment types. (All others - Default: 2) | ||
## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2 | ||
|
||
#cc_count = 2 | ||
|
||
|
||
## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure | ||
## 13. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure | ||
## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is. | ||
## Setting this value to true will do the following: | ||
## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone | ||
|
@@ -102,8 +103,7 @@ | |
|
||
#zones_enabled = true | ||
|
||
|
||
## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets. | ||
## 14. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets. | ||
## This should only be modified if zones_enabled is also set to true | ||
## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified | ||
## | ||
|
@@ -118,8 +118,7 @@ | |
#zones = ["1","2"] | ||
#zones = ["1","2","3"] | ||
|
||
|
||
## 13. Network Configuration: | ||
## 15. Network Configuration: | ||
|
||
## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix | ||
## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other | ||
|
@@ -143,30 +142,25 @@ | |
#workloads_subnets = ["10.x.y.z/24","10.x.y.z/24"] | ||
#cc_subnets = ["10.x.y.z/24","10.x.y.z/24"] | ||
|
||
|
||
## 14. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space | ||
## 16. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space | ||
## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max | ||
|
||
#workload_count = 2 | ||
|
||
|
||
## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin") | ||
## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin") | ||
|
||
#owner_tag = "[email protected]" | ||
|
||
|
||
## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development") | ||
## 18. Tag attribute "Environment" assigned to all resources created. (Default: "Development") | ||
|
||
#environment = "Development" | ||
|
||
|
||
## 17. By default, this script will apply 1 Network Security Group per Cloud Connector instance. | ||
## 19. By default, this script will apply 1 Network Security Group per Cloud Connector instance. | ||
## Uncomment if you want to use the same Network Security Group for ALL Cloud Connectors (true or false. Default: false) | ||
|
||
#reuse_nsg = true | ||
|
||
|
||
## 18. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature | ||
## 20. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature | ||
## enabled for your subscription though first. | ||
## You can verify this by following the Azure Prerequisites guide here: | ||
## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites | ||
|
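Review bot: The hand-written item numbers forced every later comment in this file to be renumbered just to add `name_prefix`, and they still do not line up across the sample files: `name_prefix` is item 8 here and item 1 in the other tfvars file in this commit. Consider dropping the numeric prefix and leading each comment with the variable name, e.g. `## name_prefix: name string for all Cloud Connector resources created by Terraform (Default: zscc)`, so a later insertion touches only its own lines. The renumbered item 17 line also keeps the typo "resoure creation", where the other file reads "all resource created"; `## 17. Tag attribute "Owner" assigned to all resources created. (Default: "zscc-admin")` would match the wording of item 18. The host-encryption comment in the last hunk continues past the visible lines.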