# Region every resource in this deployment is created in.
variable "aws_region" {
  description = "The AWS region."
  type        = string
  default     = "us-west-2"
}
# Short prefix prepended to every resource name; capped at 12 characters
# so derived AWS resource names stay within provider length limits.
variable "name_prefix" {
  description = "The name prefix for all your resources"
  type        = string
  default     = "zscc"

  validation {
    # 12 characters or fewer (strictly less than 13 for an integer length).
    condition     = length(var.name_prefix) < 13
    error_message = "Variable name_prefix must be 12 or less characters."
  }
}
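# CIDR block for the VPC. All automatically derived subnets are carved out of
# this prefix, so a malformed value fails late inside cidrsubnet(); validate it
# up front instead.
variable "vpc_cidr" {
  type        = string
  description = "VPC IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VPC smaller than /16, you may need to explicitly define all other subnets via public_subnets, workload_subnets, cc_subnets, and route53_subnets variables"
  default     = "10.1.0.0/16"

  validation {
    # cidrhost() only succeeds on a syntactically valid prefix.
    condition     = can(cidrhost(var.vpc_cidr, 0))
    error_message = "Input vpc_cidr must be a valid IPv4 CIDR block (e.g. 10.1.0.0/16)."
  }
}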
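# Optional explicit public/NAT GW subnet CIDRs. null keeps the defaults
# derived from vpc_cidr; when provided, every entry must be a valid prefix.
variable "public_subnets" {
  type        = list(string)
  description = "Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable."
  default     = null

  validation {
    # Conditional (not ||) so the for-expression never runs on null.
    condition     = var.public_subnets == null ? true : alltrue([for s in var.public_subnets : can(cidrhost(s, 0))])
    error_message = "Every entry in public_subnets must be a valid CIDR block."
  }
}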
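# Optional explicit workload subnet CIDRs. null keeps the defaults derived
# from vpc_cidr; when provided, every entry must be a valid prefix.
variable "workloads_subnets" {
  type        = list(string)
  description = "Workload Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable."
  default     = null

  validation {
    # Conditional (not ||) so the for-expression never runs on null.
    condition     = var.workloads_subnets == null ? true : alltrue([for s in var.workloads_subnets : can(cidrhost(s, 0))])
    error_message = "Every entry in workloads_subnets must be a valid CIDR block."
  }
}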
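# Optional explicit Cloud Connector subnet CIDRs. null keeps the defaults
# derived from vpc_cidr; when provided, every entry must be a valid prefix.
variable "cc_subnets" {
  type        = list(string)
  description = "Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable."
  default     = null

  validation {
    # Conditional (not ||) so the for-expression never runs on null.
    condition     = var.cc_subnets == null ? true : alltrue([for s in var.cc_subnets : can(cidrhost(s, 0))])
    error_message = "Every entry in cc_subnets must be a valid CIDR block."
  }
}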
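# Optional explicit Route 53 outbound endpoint subnet CIDRs. null keeps the
# defaults derived from vpc_cidr; when provided, every entry must be valid.
variable "route53_subnets" {
  type        = list(string)
  description = "Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable."
  default     = null

  validation {
    # Conditional (not ||) so the for-expression never runs on null.
    condition     = var.route53_subnets == null ? true : alltrue([for s in var.route53_subnets : can(cidrhost(s, 0))])
    error_message = "Every entry in route53_subnets must be a valid CIDR block."
  }
}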
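# Number of workload VMs to create. Used as a resource count, so it must be a
# non-negative whole number; reject fractions and negatives at plan time.
variable "workload_count" {
  type        = number
  description = "Default number of workload VMs to create"
  default     = 1

  validation {
    condition     = var.workload_count >= 0 && floor(var.workload_count) == var.workload_count
    error_message = "Input workload_count must be a non-negative whole number."
  }
}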
# How many availability zones to spread subnets across. Bounded to 1..3
# because most regions guarantee at least three AZs.
variable "az_count" {
  description = "Default number of subnets to create based on availability zone"
  type        = number
  default     = 1

  validation {
    # Reject anything outside the closed interval [1, 3].
    condition     = !(var.az_count < 1 || var.az_count > 3)
    error_message = "Input az_count must be set to a single value between 1 and 3. Note* some regions have greater than 3 AZs. Please modify az_count validation in variables.tf if you are utilizing more than 3 AZs in a region that supports it. https://aws.amazon.com/about-aws/global-infrastructure/regions_az/."
  }
}
# Value written into the Owner tag on created resources.
variable "owner_tag" {
  description = "populate custom owner tag attribute"
  type        = string
  default     = "zscc-admin"
}
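# Key algorithm handed to the tls_private_key resource. The tls provider
# accepts only RSA, ECDSA or ED25519; anything else would fail at apply time,
# so reject it at plan time. NOTE(review): the provider's RSA default is a
# 2048-bit key; raise rsa_bits on the resource if policy requires more.
variable "tls_key_algorithm" {
  type        = string
  description = "algorithm for tls_private_key resource"
  default     = "RSA"

  validation {
    condition     = contains(["RSA", "ECDSA", "ED25519"], var.tls_key_algorithm)
    error_message = "Input tls_key_algorithm must be one of RSA, ECDSA or ED25519."
  }
}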
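# Source CIDRs allowed to SSH to the bastion host.
#
# SECURITY: the default of 0.0.0.0/0 exposes the bastion's SSH port to the
# entire Internet. It is kept only for backward compatibility of existing
# deployments; every real deployment should override it with the corporate
# egress ranges or a VPN prefix. Malformed entries are rejected here so a
# typo does not silently produce a broken (or over-broad) security group.
variable "bastion_nsg_source_prefix" {
  type        = list(string)
  description = "CIDR blocks of trusted networks for bastion host ssh access. The default 0.0.0.0/0 permits SSH from any address and should be replaced with your trusted source ranges."
  default     = ["0.0.0.0/0"]

  validation {
    condition     = alltrue([for c in var.bastion_nsg_source_prefix : can(cidrhost(c, 0))])
    error_message = "Every entry in bastion_nsg_source_prefix must be a valid CIDR block (e.g. 203.0.113.0/24)."
  }
}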
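# Number of Cloud Connector appliances to create. Used as a resource count
# (and as the index space for ami_id), so it must be a non-negative whole
# number; reject fractions and negatives at plan time.
variable "cc_count" {
  type        = number
  description = "Default number of Cloud Connector appliances to create"
  default     = 1

  validation {
    condition     = var.cc_count >= 0 && floor(var.cc_count) == var.cc_count
    error_message = "Input cc_count must be a non-negative whole number."
  }
}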
# EC2 instance type for the Cloud Connector appliances. Only the types
# listed below are supported; the list must be inlined because variable
# validation blocks cannot reference locals.
variable "ccvm_instance_type" {
  description = "Cloud Connector Instance Type"
  type        = string
  default     = "m6i.large"

  validation {
    condition = contains(
      [
        "t3.medium",
        "m5n.large",
        "c5a.large",
        "m6i.large",
        "c6i.large",
        "c6in.large",
        "m5n.4xlarge",
        "m6i.4xlarge",
        "c6i.4xlarge",
        "c6in.4xlarge",
      ],
      var.ccvm_instance_type
    )
    error_message = "Input ccvm_instance_type must be set to an approved vm instance type."
  }
}
# Cloud Connector sizing tier. Must match what the Cloud Connector portal
# provisioning template was created with; the locals below cross-check it
# against ccvm_instance_type.
variable "cc_instance_size" {
  description = "Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration"
  type        = string
  default     = "small"

  validation {
    condition     = contains(["small", "medium", "large"], var.cc_instance_size)
    error_message = "Input cc_instance_size must be set to an approved cc instance type."
  }
}
# Cross-check that ccvm_instance_type is permitted for the chosen
# cc_instance_size. Variable validation blocks cannot see other variables,
# so this pairing check lives in locals and is consumed elsewhere.
locals {
  small_cc_instance  = ["t3.medium", "m5n.large", "c5a.large", "m6i.large", "c6i.large", "c6in.large", "m5n.4xlarge", "m6i.4xlarge", "c6i.4xlarge", "c6in.4xlarge"]
  medium_cc_instance = ["m5n.4xlarge", "m6i.4xlarge", "c6i.4xlarge", "c6in.4xlarge"]
  large_cc_instance  = ["m5n.4xlarge", "m6i.4xlarge", "c6i.4xlarge", "c6in.4xlarge"]

  # true only when the instance type appears in the list for the selected size
  valid_cc_create = contains(
    lookup(
      {
        small  = local.small_cc_instance
        medium = local.medium_cc_instance
        large  = local.large_cc_instance
      },
      var.cc_instance_size,
      []
    ),
    var.ccvm_instance_type
  )
}
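# Provisioning URL the appliance uses to enrol with the Zscaler cloud.
# Required; an empty string would pass the type check but produce an
# appliance that never registers, so reject it explicitly.
variable "cc_vm_prov_url" {
  type        = string
  description = "Zscaler Cloud Connector Provisioning URL"

  validation {
    condition     = length(trimspace(var.cc_vm_prov_url)) > 0
    error_message = "Input cc_vm_prov_url must not be empty."
  }
}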
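# Name of the AWS Secrets Manager secret holding the Cloud Connector
# provisioning credentials. Only the name is passed here; the secret value
# itself is read by the appliance at boot, not by Terraform. Reject an empty
# name so the IAM policy scoped to it is never generated with a blank ARN.
variable "secret_name" {
  type        = string
  description = "AWS Secrets Manager Secret Name for Cloud Connector provisioning"

  validation {
    condition     = length(trimspace(var.secret_name)) > 0
    error_message = "Input secret_name must not be empty."
  }
}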
# TCP port the Cloud Connector exposes for the GWLB target-group health
# probe. Either 80 or a non-privileged port in 1024..65535.
variable "http_probe_port" {
  description = "Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group"
  type        = number
  default     = 50000

  validation {
    # var is already typed as number, so no tonumber() conversion is needed.
    condition = (
      var.http_probe_port == 80
      || (var.http_probe_port >= 1024 && var.http_probe_port <= 65535)
    )
    error_message = "Input http_probe_port must be set to a single value of 80 or any number between 1024-65535."
  }
}
# false: one security group per Cloud Connector instance (tighter blast
# radius); true: a single shared security group for all instances.
variable "reuse_security_group" {
  description = "Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances"
  type        = bool
  default     = false
}
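# false: one IAM role/instance profile per Cloud Connector instance; true: a
# single shared IAM role for all instances. Per-instance roles keep least
# privilege if one appliance is ever compromised. The description previously
# referred to the "SG module" (copy/paste from reuse_security_group); this
# variable controls the IAM module.
variable "reuse_iam" {
  type        = bool
  description = "Specifies whether the IAM module should create 1:1 IAM per instance or 1 IAM for all instances"
  default     = false
}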
# Map of FQDNs / wildcard domains whose DNS queries Route 53 forwards to the
# Cloud Connector for ZPA. Required; no default is sensible here.
variable "domain_names" {
  description = "Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables"
  type        = map(any)
}
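# Zscaler global VIP addresses that the Route 53 outbound resolver forwards
# ZPA DNS queries to. Entries are bare IP addresses (no prefix length); each
# is validated by wrapping it as a /32 and parsing it.
variable "target_address" {
  type        = list(string)
  description = "Route 53 DNS queries will be forwarded to these Zscaler Global VIP addresses"
  default     = ["185.46.212.88", "185.46.212.89"]

  validation {
    condition     = length(var.target_address) > 0 && alltrue([for ip in var.target_address : can(cidrhost(format("%s/32", ip), 0))])
    error_message = "Input target_address must be a non-empty list of valid IPv4 addresses (without a prefix length)."
  }
}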
# Toggle for the Route 53 pieces (subnets, route tables, resolver endpoints
# and rules) that redirect ZPA DNS through the Cloud Connector.
variable "zpa_enabled" {
  description = "Configure Route 53 Subnets, Route Tables, and Resolvers for ZPA DNS redirection with route53 module"
  type        = bool
  default     = true
}
# Optional AMI pin(s) for the Cloud Connector instances. The default [""]
# means "use the latest Marketplace AMI". A list is accepted so individual
# appliances (by cc_count index) can be pinned or upgraded independently.
variable "ami_id" {
  description = "AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"
  type        = list(string)
  default     = [""]
}
# Whether to add an ingress rule allowing SSH from the VPC to the Cloud
# Connector management interface. Consider setting false once the appliance
# is provisioned and no operator access is needed; the flag has no effect
# when the security group is not created by this module.
variable "mgmt_ssh_enabled" {
  description = "Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group"
  type        = bool
  default     = true
}
# Whether the Cloud Connector service interface gets an allow-all egress
# rule (all ports and protocols). This is the forwarding path for workload
# traffic, so it is on by default; set false only if you manage the egress
# rules yourself. Ignored when the security group is not created here.
variable "all_ports_egress_enabled" {
  description = "Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group"
  type        = bool
  default     = true
}
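# EBS volume type for the root disk. The description already enumerates the
# accepted values; enforce them so a typo fails at plan time rather than in
# the EC2 API call.
variable "ebs_volume_type" {
  type        = string
  description = "(Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3"
  default     = "gp3"

  validation {
    condition     = contains(["standard", "gp2", "gp3", "io1", "io2", "sc1", "st1"], var.ebs_volume_type)
    error_message = "Input ebs_volume_type must be one of standard, gp2, gp3, io1, io2, sc1 or st1."
  }
}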
# Encrypt the root EBS volume at rest. Leave true; the key used is chosen by
# byo_kms_key_alias (AWS-managed key when that is null).
variable "ebs_encryption_enabled" {
  description = "true/false whether to enable EBS encryption on the root volume. Default is true"
  type        = bool
  default     = true
}
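# Optional customer-managed KMS key for EBS encryption, given as an alias.
# null selects the AWS-managed default key. Because the value is looked up
# by alias, enforce the "alias/" prefix so a bare key name or key ID does
# not silently fail the data lookup.
variable "byo_kms_key_alias" {
  type        = string
  description = "Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/<key-alias>' to use a custom KMS key"
  default     = null

  validation {
    # Conditional (not ||) so regex() is never evaluated against null.
    condition     = var.byo_kms_key_alias == null ? true : can(regex("^alias/.+", var.byo_kms_key_alias))
    error_message = "Input byo_kms_key_alias must be null or of the form 'alias/<key-alias>'."
  }
}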
# Whether to create the cc_tags_policy IAM policy and attach it to the
# Cloud Connector role. Off by default; enable only if the appliance needs
# to read cloud tags, since it widens the role's permissions.
variable "cloud_tags_enabled" {
  description = "Determines whether or not to create the cc_tags_policy IAM Policy and attach it to the CC IAM Role"
  type        = bool
  default     = false
}
# Adds a dedicated outbound rule (to zssupport_server) so Zscaler support
# can reach the appliance. Set false if support tunnels are not permitted
# by policy; only relevant when the security group is created here.
variable "support_access_enabled" {
  description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"
  type        = bool
  default     = true
}
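# Destination used by the support-access egress rule. Expressed as a CIDR
# (a /32 for a single host) because it is placed directly into a security
# group rule; validate the format so a bare IP or typo is caught at plan
# time instead of producing an invalid rule.
variable "zssupport_server" {
  type        = string
  description = "destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net"
  default     = "199.168.148.101/32" #for commercial clouds

  validation {
    condition     = can(cidrhost(var.zssupport_server, 0))
    error_message = "Input zssupport_server must be a valid CIDR block, e.g. 199.168.148.101/32."
  }
}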
# EC2 hostname scheme for the instances: resource-name (based on the
# instance ID) or ip-name (based on the private IPv4 address).
variable "hostname_type" {
  description = "Type of hostname for Amazon EC2 instances"
  type        = string
  default     = "resource-name"

  validation {
    condition     = contains(["resource-name", "ip-name"], var.hostname_type)
    error_message = "Input hostname_type must be set to either resource-name or ip-name."
  }
}
# Whether the VPC's private DNS answers instance-hostname queries with A
# records. Off by default.
variable "resource_name_dns_a_record_enabled" {
  description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false"
  type        = bool
  default     = false
}