diff --git a/examples/base/terraform.tfvars b/examples/base/terraform.tfvars
index 661c5a5..c326332 100755
--- a/examples/base/terraform.tfvars
+++ b/examples/base/terraform.tfvars
@@ -1,16 +1,21 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
+
 #####################################################################################################################
-##### Custom variables. Only change if required for your environment #####
+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
+##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## 1. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
+## 1. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
+
+#name_prefix = "zscc"
+
+## 2. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
 #arm_location = "westus2"
-
-## 2. Network Configuration:
+## 3. Network Configuration:
 ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
 ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
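Review bot: The new banner line `+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####` introduces two typos into examples/base; suggest `##### Variables are populated automatically if terraform is run via ZSEC bash script. #####` (the same line is copied verbatim in the other example files). The added `name_prefix` description says the value feeds Tag/Name attributes but not what is accepted; if the module concatenates it into Azure resource names (the variable definition is not part of this diff), a caveat such as `## Keep this short and limited to lowercase letters, digits and hyphens so derived Azure resource names stay within per-resource naming limits` would prevent a failed apply for a value that is only rejected at create time.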
@@ -33,18 +38,15 @@
 #public_subnets = ["10.x.y.z/24"]
 #workloads_subnets = ["10.x.y.z/24"]
-
-## 3. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
+## 4. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
 ## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
 #workload_count = 2
-
-## 4. Tag attribute "Owner" assigned to all resource created. (Default: "zscc-admin")
+## 5. Tag attribute "Owner" assigned to all resource created. (Default: "zscc-admin")
 #owner_tag = "username@company.com"
-
-## 5. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
+## 6. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
 #environment = "Development"
diff --git a/examples/base_1cc/terraform.tfvars b/examples/base_1cc/terraform.tfvars
index 7ccbeac..5b3cf3f 100755
--- a/examples/base_1cc/terraform.tfvars
+++ b/examples/base_1cc/terraform.tfvars
@@ -1,11 +1,12 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
+
 #####################################################################################################################
 ##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
 ##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
+## 1. Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
 ## ** Note ** This will be auto populated for you via ZSEC bash script, so only uncomment if running Terraform manually.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
@@ -14,15 +15,16 @@
 #####################################################################################################################
 ##### Cloud Init Provisioning variables for userdata file #####
 #####################################################################################################################
-## 1. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
+
+## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
 #cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url"
-## 2. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
+## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
 #azure_vault_url = "https://zscaler-cc-demo.vault.azure.net"
-## 3. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
+## 4. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
 ## Uncomment and set custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000.
 #http_probe_port = 50000
@@ -35,18 +37,17 @@
 ##### (minimum Role permissions: Microsoft.Network/networkInterfaces/read) #####
 #####################################################################################################################
-
-## 4. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
+## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
 ## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
 #managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
-## 5. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
+## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
 #cc_vm_managed_identity_name = "cloud_connector_managed_identity"
-## 6. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
+## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
 #cc_vm_managed_identity_rg = "cloud_connector_rg_1"
@@ -55,13 +56,16 @@
 ##### Custom variables. Only change if required for your environment #####
 #####################################################################################################################
-## 7. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
+## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
+
+#name_prefix = "zscc"
+
+## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
 #arm_location = "westus2"
-
-## 8. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
+## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
 ## (Default: Standard_D2s_v3)
 #ccvm_instance_type = "Standard_D2s_v3"
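Review bot: The new `name_prefix` entry in examples/base_1cc documents the default but not the accepted format, which matters more here than for a tag because the comment says the value is also used for Name attributes. If the module builds Azure resource names from it (the variable block is outside this diff), I would state the constraint next to the sample, e.g. `## Keep it short; only lowercase letters, digits and hyphens are safe for every Azure resource type it is prepended to`. A bad prefix otherwise surfaces only as a provider error at apply time, after the plan has been approved.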
@@ -70,28 +74,25 @@
 #ccvm_instance_type = "Standard_D16s_v3"
 #ccvm_instance_type = "Standard_DS5_v2"
-
-## 9. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
-## (Default: "small")
-## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
-## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
-## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed
-## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed
+## 11. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
+## (Default: "small")
+## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
+## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
+## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed
+## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed
 #cc_instance_size = "small"
 #cc_instance_size = "medium"
 #cc_instance_size = "large"
-
-## 10. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
+## 12. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
 ## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where cc_count > zones.
 ## Not configurable for base or base_1cc deployment types. (All others - Default: 2)
 ## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2
 #cc_count = 2
-
-## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
+## 13. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
 ## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is.
 ## Setting this value to true will do the following:
 ## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone
@@ -102,8 +103,7 @@
 #zones_enabled = true
-
-## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
+## 14. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
 ## This should only be modified if zones_enabled is also set to true
 ## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified
 ##
@@ -118,8 +118,7 @@
 #zones = ["1","2"]
 #zones = ["1","2","3"]
-
-## 13. Network Configuration:
+## 15. Network Configuration:
 ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
 ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
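Review bot: In the `@@ -70,28 +74,25 @@` hunk the cc_count example kept on the new side, `## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2`, mixes a single and a double quote, so anyone copying it into `zones` gets an HCL parse error. Since the commit already rewrites this block, change it to `["1","2"]` to match the `#zones = ["1","2"]` sample in the `@@ -118` hunk below. The `## 13.` description is also split across a line break here, presumably an artifact of how the page was captured rather than of the patch itself.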
@@ -143,30 +142,25 @@
 #workloads_subnets = ["10.x.y.z/24","10.x.y.z/24"]
 #cc_subnets = ["10.x.y.z/24","10.x.y.z/24"]
-
-## 14. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
+## 16. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
 ## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
 #workload_count = 2
-
-## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
 #owner_tag = "username@company.com"
-
-## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
+## 18. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
 #environment = "Development"
-
-## 17. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
+## 19. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
 ## Uncomment if you want to use the same Network Security Group for ALL Cloud Connectors (true or false. Default: false)
 #reuse_nsg = true
-
-## 18. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
+## 20. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
 ## enabled for your subscription though first.
 ## You can verify this by following the Azure Prerequisites guide here:
 ## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites
diff --git a/examples/base_1cc_zpa/terraform.tfvars b/examples/base_1cc_zpa/terraform.tfvars
index f7f2ad2..6c5161d 100755
--- a/examples/base_1cc_zpa/terraform.tfvars
+++ b/examples/base_1cc_zpa/terraform.tfvars
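Review bot: The renumbered line `+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")` carries the "resoure" typo forward; since the line is being rewritten anyway, make it `## 17. Tag attribute "Owner" assigned to all resources created. (Default: "zscc-admin")`, which also matches the wording used for the Environment tag two entries down and in examples/base. The `reuse_nsg` text says what the flag does but not the consequence: with one shared NSG, a rule change made for one connector applies to every connector, which is worth one sentence for anyone tempted to flip it for convenience, e.g. `## A shared NSG means any rule change affects every Cloud Connector at once`. Whether the module attaches anything beyond the default rule set to that NSG is not visible in this diff.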
@@ -1,11 +1,12 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
+
 #####################################################################################################################
 ##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
 ##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
+## 1. Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
 ## ** Note ** This will be auto populated for you via ZSEC bash script, so only uncomment if running Terraform manually.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
@@ -14,15 +15,16 @@
 #####################################################################################################################
 ##### Cloud Init Provisioning variables for userdata file #####
 #####################################################################################################################
-## 1. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
+
+## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
 #cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url"
-## 2. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
+## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
 #azure_vault_url = "https://zscaler-cc-demo.vault.azure.net"
-## 3. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
+## 4. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
 ## Uncomment and set custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000.
 #http_probe_port = 50000
@@ -35,18 +37,17 @@
 ##### (minimum Role permissions: Microsoft.Network/networkInterfaces/read) #####
 #####################################################################################################################
-
-## 4. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
+## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
 ## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
 #managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
-## 5. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
+## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
 #cc_vm_managed_identity_name = "cloud_connector_managed_identity"
-## 6. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
+## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
 #cc_vm_managed_identity_rg = "cloud_connector_rg_1"
@@ -55,13 +56,16 @@
 ##### Custom variables. Only change if required for your environment #####
 #####################################################################################################################
-## 7. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
+## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
+
+#name_prefix = "zscc"
+
+## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
 #arm_location = "westus2"
-
-## 8. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
+## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
 ## (Default: Standard_D2s_v3)
 #ccvm_instance_type = "Standard_D2s_v3"
@@ -70,8 +74,7 @@
 #ccvm_instance_type = "Standard_D16s_v3"
 #ccvm_instance_type = "Standard_DS5_v2"
-
-## 9. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
+## 11. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
 ## (Default: "small")
 ## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
 ## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
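Review bot: The `name_prefix` entry added to examples/base_1cc_zpa in the `@@ -55,13 +56,16 @@` hunk gives the default but no format guidance, and the comment says it is used for Name attributes, not only tags. If the module prepends it to Azure resource names (not visible in this diff), a line such as `## Use lowercase letters, digits and hyphens only and keep it short so every derived resource name stays valid` belongs next to `#name_prefix = "zscc"`. Without it the first feedback a user gets on a bad prefix is a provider error mid-apply.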
@@ -82,16 +85,14 @@
 #cc_instance_size = "medium"
 #cc_instance_size = "large"
-
-## 10. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
+## 12. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
 ## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where cc_count > zones.
 ## Not configurable for base or base_1cc deployment types. (All others - Default: 2)
 ## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2
 #cc_count = 2
-
-## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
+## 13. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
 ## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is.
 ## Setting this value to true will do the following:
 ## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone
@@ -102,8 +103,7 @@
 #zones_enabled = true
-
-## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
+## 14. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
 ## This should only be modified if zones_enabled is also set to true
 ## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified
 ##
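Review bot: The cc_count example retained in the `@@ -82,16 +85,14 @@` hunk, `## E.g. cc_count set to 4 and 2 zones set ['1","2"] ...`, has a stray single quote that turns the sample into invalid HCL if pasted into `zones`; change it to `["1","2"]` while the block is being renumbered. The same line appears in examples/base_1cc and examples/base_cc_lb and should be fixed in all three.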
@@ -118,8 +118,7 @@
 #zones = ["1","2"]
 #zones = ["1","2","3"]
-
-## 13. Network Configuration:
+## 15. Network Configuration:
 ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
 ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
@@ -144,29 +143,25 @@
 #cc_subnets = ["10.x.y.z/24","10.x.y.z/24"]
 #private_dns_subnet = "10.x.y.z/28"
-
-## 14. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
+## 16. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
 ## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
 #workload_count = 2
-
-## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
 #owner_tag = "username@company.com"
-
-## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
+## 18. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
 #environment = "Development"
-
-## 17. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
+## 19. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
 ## Uncomment if you want to use the same Network Security Group for ALL Cloud Connectors (true or false. Default: false)
 #reuse_nsg = true
-## 18. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
+## 20. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
 ## enabled for your subscription though first.
 ## You can verify this by following the Azure Prerequisites guide here:
 ## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites
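Review bot: `+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")` is rewritten by this hunk yet keeps the "resoure" typo; suggest `## 17. Tag attribute "Owner" assigned to all resources created. (Default: "zscc-admin")`, matching the Environment tag wording directly below. In the same hunk the `reuse_nsg` comment could state the trade-off in one line, e.g. `## Sharing one NSG means a rule change for one Cloud Connector applies to all of them`; what rules the module places in that NSG is not shown here, so keep the wording to the sharing consequence only.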
@@ -179,7 +174,7 @@
 #####################################################################################################################
 ##### ZPA/Azure Private DNS specific variables #####
 #####################################################################################################################
-## 19. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
+## 21. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
 ## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules,
 ## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax.
 ## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per
@@ -190,8 +185,7 @@
 # appseg2 = "app2.com."
 #}
-
-## 20. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
+## 22. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
 ## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for
 ## ZPA DNS interception
diff --git a/examples/base_cc_lb/terraform.tfvars b/examples/base_cc_lb/terraform.tfvars
index 7ccbeac..0af8c3f 100755
--- a/examples/base_cc_lb/terraform.tfvars
+++ b/examples/base_cc_lb/terraform.tfvars
@@ -1,11 +1,12 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
+
 #####################################################################################################################
 ##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
 ##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
+## 1. Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
 ## ** Note ** This will be auto populated for you via ZSEC bash script, so only uncomment if running Terraform manually.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
@@ -14,15 +15,16 @@
 #####################################################################################################################
 ##### Cloud Init Provisioning variables for userdata file #####
 #####################################################################################################################
-## 1. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
+
+## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
 #cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url"
-## 2. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
+## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
 #azure_vault_url = "https://zscaler-cc-demo.vault.azure.net"
-## 3. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
+## 4. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
 ## Uncomment and set custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000.
 #http_probe_port = 50000
@@ -35,18 +37,17 @@
 ##### (minimum Role permissions: Microsoft.Network/networkInterfaces/read) #####
 #####################################################################################################################
-
-## 4. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
+## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
 ## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
 #managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
-## 5. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
+## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
 #cc_vm_managed_identity_name = "cloud_connector_managed_identity"
-## 6. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
+## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
 #cc_vm_managed_identity_rg = "cloud_connector_rg_1"
@@ -55,13 +56,16 @@
 ##### Custom variables. Only change if required for your environment #####
 #####################################################################################################################
-## 7. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
+## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
+
+#name_prefix = "zscc"
+
+## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
 #arm_location = "westus2"
-
-## 8. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
+## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
 ## (Default: Standard_D2s_v3)
 #ccvm_instance_type = "Standard_D2s_v3"
@@ -70,8 +74,7 @@
 #ccvm_instance_type = "Standard_D16s_v3"
 #ccvm_instance_type = "Standard_DS5_v2"
-
-## 9. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
+## 11. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
 ## (Default: "small")
 ## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
 ## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
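Review bot: The `name_prefix` block added to examples/base_cc_lb documents only the default; as the comment says the value also drives Name attributes, the accepted character set and length matter and are not stated. If the module prepends it to Azure resource names (the variable definition is not in this diff), add something like `## Keep it short and use only lowercase letters, digits and hyphens so every derived resource name is accepted by Azure` above `#name_prefix = "zscc"`. Otherwise an unsuitable prefix is only rejected at apply time.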
@@ -82,16 +85,14 @@
 #cc_instance_size = "medium"
 #cc_instance_size = "large"
-
-## 10. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
+## 12. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
 ## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where cc_count > zones.
 ## Not configurable for base or base_1cc deployment types. (All others - Default: 2)
 ## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2
 #cc_count = 2
-
-## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
+## 13. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
 ## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is.
 ## Setting this value to true will do the following:
 ## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone
@@ -102,8 +103,7 @@
 #zones_enabled = true
-
-## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
+## 14. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
 ## This should only be modified if zones_enabled is also set to true
 ## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified
 ##
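Review bot: The `@@ -82,16 +85,14 @@` hunk keeps `## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2` on the new side with a mismatched single quote, so the sample is not valid HCL for `zones`; correct it to `["1","2"]` to match the `#zones = ["1","2"]` lines further down. The same typo exists in examples/base_1cc and examples/base_1cc_zpa.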
@@ -118,8 +118,7 @@
 #zones = ["1","2"]
 #zones = ["1","2","3"]
-
-## 13. Network Configuration:
+## 15. Network Configuration:
 ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
 ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
@@ -143,30 +142,25 @@
 #workloads_subnets = ["10.x.y.z/24","10.x.y.z/24"]
 #cc_subnets = ["10.x.y.z/24","10.x.y.z/24"]
-
-## 14. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
+## 16. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
 ## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
 #workload_count = 2
-
-## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
 #owner_tag = "username@company.com"
-
-## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
+## 18. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
 #environment = "Development"
-
-## 17. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
+## 19. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
 ## Uncomment if you want to use the same Network Security Group for ALL Cloud Connectors (true or false. Default: false)
 #reuse_nsg = true
-
-## 18. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
+## 20. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
 ## enabled for your subscription though first.
 ## You can verify this by following the Azure Prerequisites guide here:
 ## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites
diff --git a/examples/base_cc_lb_zpa/terraform.tfvars b/examples/base_cc_lb_zpa/terraform.tfvars
index 7853911..d7b72b0 100755
--- a/examples/base_cc_lb_zpa/terraform.tfvars
+++ b/examples/base_cc_lb_zpa/terraform.tfvars
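Review bot: The rewritten line `+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")` in examples/base_cc_lb preserves the "resoure" typo; use `## 17. Tag attribute "Owner" assigned to all resources created. (Default: "zscc-admin")` so it reads like the Environment entry that follows. A one-line caveat on `reuse_nsg`, such as `## With a shared NSG, a rule change for one Cloud Connector applies to all of them`, would make the cost of setting it to true explicit; the rule contents of that NSG are defined outside this diff, so keep the caveat to the sharing consequence.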
@@ -1,11 +1,12 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
+
 #####################################################################################################################
-##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
-##### Modifying the variables in this file will override any inputs from ZSEC #####
+##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
+##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
+## 1. Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
 ## ** Note ** This will be auto populated for you via ZSEC bash script, so only uncomment if running Terraform manually.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
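Review bot: The two re-aligned banner lines added in this hunk still read `automically` and `is ran`, so the commit re-emits the typo it touches. Suggested wording for the first added banner line: `##### Variables are populated automatically if terraform is run via the ZSEC bash script. #####`, keeping the trailing padding. The same banner recurs unchanged as context in the cc_lb example later in this diff, so it is worth fixing in both places in one pass.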
@@ -14,15 +15,16 @@
 #####################################################################################################################
 ##### Cloud Init Provisioning variables for userdata file #####
 #####################################################################################################################
-## 1. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
+
+## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
 #cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url"
-## 2. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
+## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
 #azure_vault_url = "https://zscaler-cc-demo.vault.azure.net"
-## 3. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
+## 4. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
 ## Uncomment and set custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000.
 #http_probe_port = 50000
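Review bot: Items 2 and 3 invite the user to uncomment `cc_vm_prov_url` and `azure_vault_url` in a file that lives under examples/ and is tracked, and the banner at the top of this file says values set here override whatever ZSEC collected; nothing warns that a real provisioning URL or Key Vault URL placed here ends up committed. I would add under item 2: `## Values set here are tenant-specific. Keep them in an untracked *.auto.tfvars or supply them via ZSEC rather than committing them to this sample file.` As far as this diff shows the two URLs are identifiers rather than secrets, so this is repository hygiene rather than a credential leak.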
@@ -35,18 +37,17 @@
 ##### (minimum Role permissions: Microsoft.Network/networkInterfaces/read) #####
 #####################################################################################################################
-
-## 4. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
+## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
 ## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
 #managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
-## 5. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
+## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
 #cc_vm_managed_identity_name = "cloud_connector_managed_identity"
-## 6. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
+## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
 #cc_vm_managed_identity_rg = "cloud_connector_rg_1"
@@ -55,13 +56,16 @@
 ##### Custom variables. Only change if required for your environment #####
 #####################################################################################################################
-## 7. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
+## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
+
+#name_prefix = "zscc"
+
+## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
 #arm_location = "westus2"
-
-## 8. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
+## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
 ## (Default: Standard_D2s_v3)
 #ccvm_instance_type = "Standard_D2s_v3"
@@ -70,28 +74,25 @@
 #ccvm_instance_type = "Standard_D16s_v3"
 #ccvm_instance_type = "Standard_DS5_v2"
-
-## 9. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
-## (Default: "small")
-## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
-## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
-## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed
-## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed
+## 11. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
+## (Default: "small")
+## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
+## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
+## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed
+## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed
 #cc_instance_size = "small"
 #cc_instance_size = "medium"
 #cc_instance_size = "large"
-
-## 10. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
+## 12. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
 ## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where cc_count > zones.
 ## Not configurable for base or base_1cc deployment types. (All others - Default: 2)
 ## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2
 #cc_count = 2
-
-## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
+## 13. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
 ## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is.
 ## Setting this value to true will do the following:
 ## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone
@@ -102,8 +103,7 @@
 #zones_enabled = true
-
-## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
+## 14. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
 ## This should only be modified if zones_enabled is also set to true
 ## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified
 ##
@@ -118,12 +118,11 @@
 #zones = ["1","2"]
 #zones = ["1","2","3"]
-
-## 13. Network Configuration:
+## 15. Network Configuration:
 ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
 ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
-## subnets via public_subnets, workload_subnets, cc_subnets and private_dns_subnet variables (Default: "10.1.0.0/16")
+## subnets via public_subnets, workload_subnets, and cc_subnets variables (Default: "10.1.0.0/16")
 ## Note: This variable only applies if you let Terraform create a new VNet. Custom deployment with byo_vnet enabled will ignore this
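Review bot: The rewritten item 15 line drops `private_dns_subnet` from the list of subnet variables a user must define when the VNet is smaller than /16, yet the next hunk of this same base_cc_lb_zpa file still carries `#private_dns_subnet = "10.x.y.z/28"`, so a ZPA deployment on a small address space would be told it has covered every subnet when it has not. Unless that variable was removed elsewhere in this change (not visible here), keep it: `## subnets via public_subnets, workload_subnets, cc_subnets and private_dns_subnet variables (Default: "10.1.0.0/16")`. The line also names `workload_subnets` while the sample keys elsewhere in this diff are spelled `workloads_subnets`; one of the two is wrong, and Terraform typically only warns about an undeclared variable in a tfvars file, so a user who uncomments the misspelled one gets a silently ignored override.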
@@ -144,29 +143,25 @@
 #cc_subnets = ["10.x.y.z/24","10.x.y.z/24"]
 #private_dns_subnet = "10.x.y.z/28"
-
-## 14. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
+## 16. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
 ## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
 #workload_count = 2
-
-## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
 #owner_tag = "username@company.com"
-
-## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
+## 18. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
 #environment = "Development"
-
-## 17. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
+## 19. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
 ## Uncomment if you want to use the same Network Security Group for ALL Cloud Connectors (true or false. Default: false)
 #reuse_nsg = true
-## 18. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
+## 20. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
 ## enabled for your subscription though first.
 ## You can verify this by following the Azure Prerequisites guide here:
 ## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites
@@ -179,7 +174,7 @@
 #####################################################################################################################
 ##### ZPA/Azure Private DNS specific variables #####
 #####################################################################################################################
-## 19. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
+## 21. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
 ## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules,
 ## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax.
 ## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per
@@ -190,8 +185,7 @@
 # appseg2 = "app2.com."
 #}
-
-## 20. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
+## 22. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
 ## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for
 ## ZPA DNS interception
diff --git a/examples/cc_lb/terraform.tfvars b/examples/cc_lb/terraform.tfvars
index 215b443..226d866 100755
--- a/examples/cc_lb/terraform.tfvars
+++ b/examples/cc_lb/terraform.tfvars
@@ -1,11 +1,12 @@
 ## This is only a sample terraform.tfvars file.
 ## Uncomment and change the below variables according to your specific environment
+
 #####################################################################################################################
 ##### Variables are populated automically if terraform is ran via ZSEC bash script. #####
 ##### Modifying the variables in this file will override any inputs from ZSEC #####
 #####################################################################################################################
-## Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
+## 1. Provide the Azure Subscription ID where Terraform will authenticate to via the azurerm provider.
 ## ** Note ** This will be auto populated for you via ZSEC bash script, so only uncomment if running Terraform manually.
 ## E.g "abc12345-6789-0123-a456-bc1234567de8"
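Review bot: The file header for this section (`index 215b443..226d866 100755`) shows the sample tfvars carries the executable bit, which a file that is only ever read by Terraform has no use for; since the commit already touches every example tfvars, this is the natural place to drop the mode to 100644. Nothing in the renumbered lines themselves needs changing, though the banner kept as context still reads `automically` / `is ran` and could be corrected alongside.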
@@ -14,15 +15,16 @@
 #####################################################################################################################
 ##### Cloud Init Provisioning variables for userdata file #####
 #####################################################################################################################
-## 1. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
+
+## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
 #cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url"
-## 2. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
+## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
 #azure_vault_url = "https://zscaler-cc-demo.vault.azure.net"
-## 3. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
+## 4. Cloud Connector cloud init provisioning listener port. This is required for Azure LB Health Probe deployments.
 ## Uncomment and set custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000.
 #http_probe_port = 50000
@@ -35,17 +37,17 @@
 ##### (minimum Role permissions: Microsoft.Network/networkInterfaces/read) #####
 #####################################################################################################################
-## 4. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
+## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
 ## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed.
-## E.g "eab20328-8964-4168-a464-db4829164dc8"
+## E.g "abc12345-6789-0123-a456-bc1234567de8"
 #managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
-## 5. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
+## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
 #cc_vm_managed_identity_name = "cloud_connector_managed_identity"
-## 6. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
+## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
 #cc_vm_managed_identity_rg = "cloud_connector_rg_1"
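Review bot: The example value being replaced in item 5, `eab20328-8964-4168-a464-db4829164dc8`, has the shape of a real subscription GUID rather than a placeholder, and it stays in git history after this commit. Swapping in the obviously fake `abc12345-...` is the right change; the follow-up is to confirm whether the old value is a live subscription and, if so, treat it as disclosed (a subscription ID is not a credential, but it narrows targeting and can be used in resource-ID guessing). If it is confirmed live, note it in the PR rather than relying on the history being forgotten.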
@@ -54,13 +56,16 @@
 ##### Custom variables. Only change if required for your environment #####
 #####################################################################################################################
-## 7. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
+## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
+
+#name_prefix = "zscc"
+
+## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
 #arm_location = "westus2"
-
-## 8. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
+## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
 ## (Default: Standard_D2s_v3)
 #ccvm_instance_type = "Standard_D2s_v3"
@@ -69,28 +74,25 @@
 #ccvm_instance_type = "Standard_D16s_v3"
 #ccvm_instance_type = "Standard_DS5_v2"
-
-## 9. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
-## (Default: "small")
-## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
-## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
-## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed
-## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed
+## 11. Cloud Connector Instance size selection. Uncomment cc_instance_size line with desired vm size to change
+## (Default: "small")
+## **** NOTE - There is a dependency between ccvm_instance_type and cc_instance_size selections ****
+## If size = "small" any supported Azure VM instance size can be deployed, but "Standard_D2s_v3" is ideal
+## If size = "medium" only Standard_DS3_v2/Standard_D8s_v3 and up Azure VM instance sizes can be deployed
+## If size = "large" only Standard_D16s_v3/Standard_DS5_v2 Azure VM instance sizes can be deployed
 #cc_instance_size = "small"
 #cc_instance_size = "medium"
 #cc_instance_size = "large"
-
-## 10. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
+## 12. The number of Cloud Connector appliances to provision. Each incremental Cloud Connector will be created in alternating
 ## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where cc_count > zones.
 ## Not configurable for base or base_1cc deployment types. (All others - Default: 2)
 ## E.g. cc_count set to 4 and 2 zones set ['1","2"] will create 2x CCs in AZ1 and 2x CCs in AZ2
 #cc_count = 2
-
-## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
+## 13. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
 ## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is.
 ## Setting this value to true will do the following:
 ## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone
@@ -101,8 +103,7 @@
 #zones_enabled = true
-
-## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
+## 14. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
 ## This should only be modified if zones_enabled is also set to true
 ## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified
 ##
@@ -117,12 +118,11 @@
 #zones = ["1","2"]
 #zones = ["1","2","3"]
-
-## 13. Network Configuration:
+## 15. Network Configuration:
 ## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
 ## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
-## subnets via cc_subnets and private_dns_subnet variables (Default: "10.1.0.0/16")
+## subnets via public_subnets, workload_subnets, and cc_subnets variables (Default: "10.1.0.0/16")
 ## Note: This variable only applies if you let Terraform create a new VNet. Custom deployment with byo_vnet enabled will ignore this
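Review bot: The rewritten item 15 line for cc_lb now says `workload_subnets` while the key the next hunk actually adds to this file is `+#workloads_subnets`, so the comment and the sample disagree on the variable name; Terraform typically only warns about an undeclared variable in a tfvars file, so whichever spelling is wrong would be silently ignored when uncommented. The same line also drops `private_dns_subnet` from the list even though `#private_dns_subnet = "10.x.y.z/28"` remains as context in the next hunk, so a small-VNet deployment is no longer told to size that subnet. Unless private_dns_subnet was removed from the module in a part of this change I cannot see, I would write: `## subnets via public_subnets, workloads_subnets, cc_subnets and private_dns_subnet variables (Default: "10.1.0.0/16")`, using whichever spelling the variable declaration actually uses.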
@@ -138,26 +138,30 @@
 ## Default/Minumum: 1 - Maximum: 3
 ## Example: If you change network_address_space to "10.2.0.0/24", set below variables to cidrs that fit in that /24 like cc_subnets = ["10.2.0.0/27","10.2.0.32/27"] etc.
+#public_subnets = ["10.x.y.z/24","10.x.y.z/24"]
+#workloads_subnets = ["10.x.y.z/24","10.x.y.z/24"]
 #cc_subnets = ["10.x.y.z/24","10.x.y.z/24"]
 #private_dns_subnet = "10.x.y.z/28"
-## 15. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
+## 16. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
+## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
-#owner_tag = "username@company.com"
+#workload_count = 2
+
+## 17. Tag attribute "Owner" assigned to all resoure creation. (Default: "zscc-admin")
+#owner_tag = "username@company.com"
-## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
+## 18. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
 #environment = "Development"
-
-## 17. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
+## 19. By default, this script will apply 1 Network Security Group per Cloud Connector instance.
 ## Uncomment if you want to use the same Network Security Group for ALL Cloud Connectors (true or false. Default: false)
 #reuse_nsg = true
-
-## 18. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
+## 20. By default, Host encryption is enabled for Cloud Connector VMs. This does require the EncryptionAtHost feature
 ## enabled for your subscription though first.
 ## You can verify this by following the Azure Prerequisites guide here:
 ## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites
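Review bot: The `public_subnets`, `workloads_subnets` and `workload_count` entries added to the cc_lb example are documented, on the line this hunk itself adds, as `Only applicable for "base" deployment types`, and the BYO section header further down in this file says cc_lb is the deployment "without base resource requirements"; so either these keys are dead weight in this sample or the comment is wrong for cc_lb. If the module does create workload resources for cc_lb, fix the comment; otherwise drop the three sample keys rather than leaving a reader to wonder whether uncommenting them does anything. Whether cc_lb consumes these variables is not visible in this diff, so check the example's variables file before choosing.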
@@ -171,35 +175,30 @@
 ##### Custom BYO variables. Only applicable for "cc_lb" deployment without "base" resource requirements #####
 #####################################################################################################################
-## 19. By default, this script will create a new Resource Group and place all resources in this group.
+## 21. By default, this script will create a new Resource Group and place all resources in this group.
 ## Uncomment if you want to deploy all resources in an existing Resource Group? (true or false. Default: false)
 #byo_rg = true
-
-## 20. Provide your existing Resource Group name. Only uncomment and modify if you set byo_rg to true
+## 22. Provide your existing Resource Group name. Only uncomment and modify if you set byo_rg to true
 #byo_rg_name = "existing-rg"
-
-## 21. By default, this script will create a new Azure Virtual Network in the default resource group.
+## 23. By default, this script will create a new Azure Virtual Network in the default resource group.
 ## Uncomment if you want to deploy all resources to a VNet that already exists (true or false. Default: false)
 #byo_vnet = true
-
-## 22. Provide your existing VNet name. Only uncomment and modify if you set byo_vnet to true
+## 24. Provide your existing VNet name. Only uncomment and modify if you set byo_vnet to true
 #byo_vnet_name = "existing-vnet"
-
-## 23. Provide the existing Resource Group name of your VNet. Only uncomment and modify if you set byo_vnet to true
+## 25. Provide the existing Resource Group name of your VNet. Only uncomment and modify if you set byo_vnet to true
 ## Subnets depend on VNet so the same resource group is implied for subnets
 #byo_vnet_subnets_rg_name = "existing-vnet-rg"
-
-## 24. By default, this script will create 1 new Azure subnet in the default resource group unles the zones variable
+## 26. By default, this script will create 1 new Azure subnet in the default resource group unles the zones variable
 ## specifies multiple zonal deployments in which case subnet 1 would logically map to resources in zone "1", etc.
 ## Uncomment if you want to deploy all resources in subnets that already exist (true or false. Default: false)
 ## Dependencies require in order to reference existing subnets, the corresponding VNet must also already exist.
@@ -207,8 +206,7 @@
 #byo_subnets = true
-
-## 25. Provide your existing Cloud Connector subnet names. Only uncomment and modify if you set byo_subnets to true
+## 27. Provide your existing Cloud Connector subnet names. Only uncomment and modify if you set byo_subnets to true
 ## By default, management and service interfaces reside in a single subnet. Therefore, specifying multiple subnets
 ## implies only that you are doing a zonal deployment with resources in separate AZs and corresponding zonal NAT
 ## Gateway resources associated with the CC subnets mapped to the same respective zones.
@@ -217,14 +215,12 @@
 #byo_subnet_names = ["existing-cc-subnet"]
-
-## 26. By default, this script will create new Public IP resources to be associated with CC NAT Gateways.
+## 28. By default, this script will create new Public IP resources to be associated with CC NAT Gateways.
 ## Uncomment if you want to use your own public IP for the NAT GW (true or false. Default: false)
 #byo_pips = true
-
-## 27. Provide your existing Azure Public IP resource names. Only uncomment and modify if you set byo_pips to true
+## 29. Provide your existing Azure Public IP resource names. Only uncomment and modify if you set byo_pips to true
 ## Existing Public IP resource cannot be associated with any resource other than an existing NAT Gateway in which
 ## case existing_pip_association and existing_nat_gw_association need both set to true
 ##
@@ -235,19 +231,16 @@
 #byo_pip_names = ["pip-az1","pip-az2"]
-
-## 28. Provide the existing Resource Group name of your Azure public IPs. Only uncomment and modify if you set byo_pips to true
+## 30. Provide the existing Resource Group name of your Azure public IPs. Only uncomment and modify if you set byo_pips to true
 #byo_pip_rg = "existing-pip-rg"
-
-## 29. By default, this script will create new NAT Gateway resources for the Cloud Connector subnets to be associated
+## 31. By default, this script will create new NAT Gateway resources for the Cloud Connector subnets to be associated
 ## Uncomment if you want to use your own NAT Gateway (true or false. Default: false)
 #byo_nat_gws = true
-
-## 30. Provide your existing Azure NAT Gateway resource names. Only uncomment and modify if you set byo_nat_gws to true
+## 32. Provide your existing Azure NAT Gateway resource names. Only uncomment and modify if you set byo_nat_gws to true
 ## ***** Note *****
 ## If you already have existing NAT Gateways AND set zone_enabled to true these resource should be configured as zonal and
 ## be added here to this variable list in order of the zones specified in the "zones" variable.
@@ -255,35 +248,30 @@
 #byo_nat_gw_names = ["natgw-az1","natgw-az2"]
-
-## 31. Provide the existing Resource Group name of your NAT Gateway. Only uncomment and modify if you set byo_nat_gws to true
+## 33. Provide the existing Resource Group name of your NAT Gateway. Only uncomment and modify if you set byo_nat_gws to true
 #byo_nat_gw_rg = "existing-nat-gw-rg"
-
-## 32. By default, this script will create a new Azure Public IP and associate it with new/existing NAT Gateways.
+## 34. By default, this script will create a new Azure Public IP and associate it with new/existing NAT Gateways.
 ## Uncomment if you are deploying cloud connector to an environment where the PIP already exists AND is already asssociated to
 ## an existing NAT Gateway. (true or false. Default: false).
 ## Setting existing_pip_association to true means byo_nat_gws and byo_pips must ALSO be set to true.
 #existing_nat_gw_pip_association = true
-
-## 33. By default this script will create a new Azure NAT Gateway and associate it with new or existing CC subnets.
+## 35. By default this script will create a new Azure NAT Gateway and associate it with new or existing CC subnets.
 ## Uncomment if you are deploying cloud connector to an environment where the subnet already exists AND is already asssociated to
 ## an existing NAT Gateway. (true or false. Default: false).
 ## Setting existing_nat_gw_association to true means byo_subnets AND byo_nat_gws must also be set to true.
 #existing_nat_gw_subnet_association = true
-
-## 34. By default, this script will create new Network Security Groups for the Cloud Connector mgmt and service interfaces
+## 36. By default, this script will create new Network Security Groups for the Cloud Connector mgmt and service interfaces
 ## Uncomment if you want to use your own NSGs (true or false. Default: false)
 #byo_nsg = true
-
-## 35. Provide your existing Network Security Group resource names. Only uncomment and modify if you set byo_nsg to true
+## 37. Provide your existing Network Security Group resource names. Only uncomment and modify if you set byo_nsg to true
 ## ***** Note *****
 ## Example: byo_mgmt_nsg_names = ["mgmt-nsg-1","mgmt-nsg-2"]
@@ -292,8 +280,7 @@
 #byo_mgmt_nsg_names = ["mgmt-nsg-1","mgmt-nsg-2"]
 #byo_service_nsg_names = ["service-nsg-1","service-nsg-2"]
-
-## 36. Provide the existing Resource Group name of your Network Security Groups. Only uncomment and modify if you set byo_nsg to true
+## 38. Provide the existing Resource Group name of your Network Security Groups. Only uncomment and modify if you set byo_nsg to true
 #byo_nsg_rg = "existing-nsg-rg"
@@ -301,7 +288,7 @@
 #####################################################################################################################
 ##### ZPA/Azure Private DNS specific variables #####
 #####################################################################################################################
-## 36. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
+## 39. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception.
 ## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules,
 ## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax.
 ## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per
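Review bot: Items 36–37 let a user swap in `byo_mgmt_nsg_names` / `byo_service_nsg_names` but say nothing about what the module's own NSGs permit, so there is no stated baseline for the replacement NSGs to reproduce and a too-open or too-tight BYO NSG goes unnoticed until the health probe or management plane fails. I would add above `#byo_nsg = true`: `## When byo_nsg is true you are responsible for the rules: your NSGs must admit the management and service traffic the module's default NSGs allow, including the LB health-probe listener on http_probe_port (item 4), and should not be broader than that.` Whether the module skips rule creation entirely when byo_nsg is true is not visible in this diff, so confirm that against the module before committing to the wording. The byo_nsg text here is unchanged apart from renumbering, so this is a pre-existing gap rather than one this commit introduces.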
@@ -312,8 +299,7 @@
 # appseg2 = "app2.com."
 #}
-
-## 37. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
+## 40. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses.
 ## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for
 ## ZPA DNS interception