This deployment type is intended for greenfield, proof-of-value and lab purposes. It deploys a fully functioning sandbox environment in a new VPC with test workload VMs. The full set of resources provisioned is listed below; in effect it creates every network infrastructure dependency for an AWS environment. It includes everything from the "Base_1cc" deployment type: 1 new VPC with 1 public subnet and 1 private/workload subnet; 1 IGW; 1 NAT Gateway; 1 Amazon Linux 2023 workload server in the private subnet routing to the NAT Gateway; 1 Bastion Host in the public subnet assigned an Elastic IP and routing to the IGW; a locally generated key pair .pem file for SSH access; 1 Cloud Connector private subnet; 1 Cloud Connector VM routing to the NAT Gateway; and the workload private subnet route repointed to the service ENI of the Cloud Connector. Note that the generated .pem private key is written unencrypted to the local working directory (treat it as a secret and keep it out of version control), and that the bastion is reachable from whatever CIDRs are listed in bastion_nsg_source_prefix.
Additionally, it creates 2 Route 53 subnets routing to the service ENI of the Cloud Connector, a Route 53 outbound resolver endpoint, and Route 53 resolver rules for ZPA DNS redirection.
From the examples directory, run the zsec bash script, which walks through all required inputs:
- ./zsec up
- enter "greenfield"
- enter "base_1cc_zpa"
- follow the remainder of the authentication and configuration input prompts
- the script detects the client operating system and downloads/runs a specific version of Terraform in a temporary bin directory
- inputs are validated, then terraform init/apply execute automatically
- verify all resources that will be created/modified and enter "yes" to confirm
To run Terraform directly instead of through zsec, modify/populate any required variable input values in the base_1cc_zpa/terraform.tfvars file and save it. Then, from the base_1cc_zpa directory, execute:
- terraform init
- terraform apply
To tear down the environment, run the zsec bash script from the examples directory and follow its prompts:
- ./zsec destroy
Or, if you deployed with Terraform directly, execute from the base_1cc_zpa directory:
- terraform destroy
Name | Version |
---|---|
terraform | >= 0.13.7, < 2.0.0 |
aws | >= 5.32.0, <= 5.49.0 |
local | ~> 2.2.0 |
null | ~> 3.1.0 |
random | ~> 3.3.0 |
tls | ~> 3.4.0 |
Name | Version |
---|---|
aws | >= 5.32.0, <= 5.49.0 |
local | ~> 2.2.0 |
null | ~> 3.1.0 |
random | ~> 3.3.0 |
tls | ~> 3.4.0 |
Name | Source | Version |
---|---|---|
bastion | ../../modules/terraform-zscc-bastion-aws | n/a |
cc_iam | ../../modules/terraform-zscc-iam-aws | n/a |
cc_sg | ../../modules/terraform-zscc-sg-aws | n/a |
cc_vm | ../../modules/terraform-zscc-ccvm-aws | n/a |
network | ../../modules/terraform-zscc-network-aws | n/a |
route53 | ../../modules/terraform-zscc-route53-aws | n/a |
workload | ../../modules/terraform-zscc-workload-aws | n/a |
Name | Type |
---|---|
aws_key_pair.deployer | resource |
local_file.private_key | resource |
local_file.testbed | resource |
local_file.user_data_file | resource |
null_resource.cc_error_checker | resource |
random_string.suffix | resource |
tls_private_key.key | resource |
aws_ami.cloudconnector | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
all_ports_egress_enabled | Default is true, which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | bool | true | no |
ami_id | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID, as templates always pull the latest from AWS Marketplace. This variable is provided if a customer wants to override/retain an old AMI for existing deployments rather than upgrading and forcing a replacement. It is also provided as a list so that a customer can manually upgrade select CCs, indexed by cc_count | list(string) | [ | no |
aws_region | The AWS region. | string | "us-west-2" | no |
az_count | Default number of subnets to create based on availability zone | number | 1 | no |
bastion_nsg_source_prefix | CIDR blocks of trusted networks for bastion host SSH access | list(string) | [ | no |
byo_kms_key_alias | Requires var.ebs_encryption_enabled to be true. Set to null by default, which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | string | null | no |
cc_count | Default number of Cloud Connector appliances to create | number | 1 | no |
cc_instance_size | Cloud Connector instance size. Determined by, and must match, the Cloud Connector Portal provisioning template configuration | string | "small" | no |
cc_subnets | Cloud Connector subnets to create in the VPC. Only required if you want to override the default subnets that this code creates via the vpc_cidr variable. | list(string) | null | no |
cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string | n/a | yes |
ccvm_instance_type | Cloud Connector instance type | string | "m6i.large" | no |
cloud_tags_enabled | Determines whether or not to create the cc_tags_policy IAM Policy and attach it to the CC IAM Role | bool | false | no |
domain_names | Domain names (FQDN/wildcard) for which Route 53 redirects DNS requests to Cloud Connector for ZPA. Refer to the ZPA/Route 53 specific variables in terraform.tfvars | map(any) | n/a | yes |
ebs_encryption_enabled | true/false whether to enable EBS encryption on the root volume. Default is true | bool | true | no |
ebs_volume_type | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | string | "gp3" | no |
hostname_type | Type of hostname for Amazon EC2 instances | string | "resource-name" | no |
http_probe_port | Port number for Cloud Connector cloud-init to enable a listener port for the HTTP probe from the GWLB Target Group | number | 50000 | no |
mgmt_ssh_enabled | Default is true, which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | bool | true | no |
name_prefix | The name prefix for all your resources | string | "zscc" | no |
owner_tag | Populate custom owner tag attribute | string | "zscc-admin" | no |
public_subnets | Public/NAT GW subnets to create in the VPC. Only required if you want to override the default subnets that this code creates via the vpc_cidr variable. | list(string) | null | no |
resource_name_dns_a_record_enabled | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | bool | false | no |
reuse_iam | Specifies whether the IAM module should create one IAM role per instance (1:1) or one IAM role for all instances | bool | false | no |
reuse_security_group | Specifies whether the SG module should create one security group per instance (1:1) or one security group for all instances | bool | false | no |
route53_subnets | Route 53 outbound endpoint subnets to create in the VPC. Only required if you want to override the default subnets that this code creates via the vpc_cidr variable. | list(string) | null | no |
secret_name | AWS Secrets Manager secret name for Cloud Connector provisioning | string | n/a | yes |
support_access_enabled | If a Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool | true | no |
target_address | Route 53 DNS queries will be forwarded to these Zscaler Global VIP addresses | list(string) | [ | no |
tls_key_algorithm | Algorithm for the tls_private_key resource | string | "RSA" | no |
vpc_cidr | VPC IP CIDR range. All subnet resources that might get created (public, workload, cloud connector, route53) are derived from this /16 CIDR. If you need a VPC smaller than /16, you may need to explicitly define all other subnets via the public_subnets, workloads_subnets, cc_subnets, and route53_subnets variables | string | "10.1.0.0/16" | no |
workload_count | Default number of workload VMs to create | number | 1 | no |
workloads_subnets | Workload subnets to create in the VPC. Only required if you want to override the default subnets that this code creates via the vpc_cidr variable. | list(string) | null | no |
zpa_enabled | Configure Route 53 subnets, route tables, and resolvers for ZPA DNS redirection with the route53 module | bool | true | no |
zssupport_server | Destination IP address of the Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net | string | "199.168.148.101/32" | no |
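Before running terraform apply, whether directly or through zsec, it is worth checking terraform.tfvars against the inputs table above for the mistakes that are easy to make in a lab: an empty required input, a bastion SSH allow-list of 0.0.0.0/0, EBS encryption switched off while a KMS alias is still set, or a VPC smaller than /16 with no explicit subnet lists. The POSIX shell script below is an added example written for this page; it is not part of the Zscaler repository or the zsec script. It assumes a one-assignment-per-line terraform.tfvars (a multi-line list or map is seen only as its opening bracket, which is enough for the "is it set" checks). The file name check_tfvars.sh, the two embedded sample files and every value in them are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-apply sanity check for a base_1cc_zpa terraform.tfvars. Added example for
# this page, not a script shipped with the Zscaler repository. Assumes one
# `name = value` assignment per line; a multi-line list/map is seen only as its
# opening bracket, which is enough for the "is it set at all" checks below.

# Print the right-hand side of `name = value` for one variable (first match),
# trailing whitespace and surrounding double quotes removed; nothing if unset.
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Check one tfvars file. Prints one line per finding and returns the number of
# findings (0 = clean), so a wrapper can gate `terraform apply` on it.
check_tfvars() {
  f=$1; n=0
  fail() { echo "FAIL: $1"; n=$((n + 1)); }

  # 1. Inputs the module marks Required = yes must be set and non-empty.
  for v in cc_vm_prov_url secret_name domain_names; do
    [ -n "$(tfvar "$f" "$v")" ] || fail "$v is required but not set"
  done

  # 2. The bastion sits in the public subnet with an Elastic IP: its SSH
  #    allow-list must be explicit trusted CIDRs, never the whole internet.
  case "$(tfvar "$f" bastion_nsg_source_prefix)" in
    *0.0.0.0/0*) fail "bastion_nsg_source_prefix allows SSH from 0.0.0.0/0" ;;
    "")          fail "bastion_nsg_source_prefix is unset; list trusted CIDRs explicitly" ;;
  esac

  # 3. Root-volume encryption off is a finding, and byo_kms_key_alias is only
  #    honoured when ebs_encryption_enabled is true, so the pair is inconsistent.
  enc=$(tfvar "$f" ebs_encryption_enabled)
  kms=$(tfvar "$f" byo_kms_key_alias)
  if [ "$enc" = "false" ]; then
    fail "ebs_encryption_enabled=false leaves the Cloud Connector root volume unencrypted"
    [ -z "$kms" ] || [ "$kms" = "null" ] || fail "byo_kms_key_alias is ignored while ebs_encryption_enabled=false"
  fi

  # 4. Default subnets are carved out of vpc_cidr as a /16. A smaller VPC must
  #    supply every subnet list explicitly or the carve-up fails at plan/apply.
  cidr=$(tfvar "$f" vpc_cidr)
  plen=${cidr##*/}
  if [ -n "$cidr" ] && [ "$plen" -gt 16 ] 2>/dev/null; then
    for s in public_subnets workloads_subnets cc_subnets route53_subnets; do
      v=$(tfvar "$f" "$s")
      [ -n "$v" ] && [ "$v" != "null" ] || fail "vpc_cidr is /$plen but $s is not set explicitly"
    done
  fi
  return "$n"
}

# Constructed sample (not a real deployment): the mistakes the checks catch.
write_sample_weak() {
  cat > "$1" <<'EOF'
cc_vm_prov_url            = ""
secret_name               = "zscc-provisioning-secret"
bastion_nsg_source_prefix = ["0.0.0.0/0"]
ebs_encryption_enabled    = false
byo_kms_key_alias         = "alias/zscc-ebs"
vpc_cidr                  = "10.1.0.0/24"
public_subnets            = ["10.1.0.0/27"]
EOF
}

# Constructed sample: required inputs filled in and the weak settings corrected
# (URL, secret name and domain are placeholders).
write_sample_hardened() {
  cat > "$1" <<'EOF'
cc_vm_prov_url            = "https://provisioning-url.example/placeholder"
secret_name               = "zscc-provisioning-secret"
domain_names              = { app1 = "app.internal.example.com" }
bastion_nsg_source_prefix = ["203.0.113.0/24"]
ebs_encryption_enabled    = true
byo_kms_key_alias         = "alias/zscc-ebs"
vpc_cidr                  = "10.1.0.0/16"
EOF
}

# Run both constructed samples through the checks and report.
demo() {
  dir=$(mktemp -d)
  write_sample_weak "$dir/weak.tfvars"
  write_sample_hardened "$dir/hardened.tfvars"
  for f in "$dir/weak.tfvars" "$dir/hardened.tfvars"; do
    echo "== $f"
    if check_tfvars "$f"; then echo "OK: safe to run terraform apply"; else echo "fix the findings above before apply"; fi
  done
  rm -rf "$dir"
}

# Usage: sh check_tfvars.sh --demo                        (constructed samples)
#        sh check_tfvars.sh base_1cc_zpa/terraform.tfvars  (exit status = findings)
case "${1:-}" in
  --demo) demo ;;
  "")     ;;                      # no argument: define functions only (e.g. when sourced)
  *)      check_tfvars "$1" ;;
esac
```

Run it as `sh check_tfvars.sh base_1cc_zpa/terraform.tfvars && terraform apply` so a non-zero finding count stops the apply; `--demo` shows the weak sample producing eight findings and the hardened one passing. The checks deliberately do not assume the module's default values (the page truncates several list defaults), which is why an unset bastion_nsg_source_prefix is reported rather than silently accepted.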
Name | Description |
---|---|
testbedconfig | AWS Testbed results |