Merge pull request #13 from zscaler/zpa-#13-ami-update

Zpa #13 ami update
zscaler · Mar 16, 2023 · 5ee899e · 5ee899e
2 parents be9e6d9 + e0c38ec
commit 5ee899e
Show file tree

Hide file tree

Showing 44 changed files with 445 additions and 195 deletions.
diff --git a/README.md b/README.md
@@ -9,12 +9,12 @@ These deployment templates are intended to be fully functional and self service
 
 Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary and provider support for MacOS M1 chips, but any Terraform version 0.13.7 should be generally supported.
 
-- provider registry.terraform.io/hashicorp/aws v4.7.x
+- provider registry.terraform.io/hashicorp/aws v4.58.x
 - provider registry.terraform.io/hashicorp/random v3.3.x
 - provider registry.terraform.io/hashicorp/local v2.2.x
 - provider registry.terraform.io/hashicorp/null v3.1.x
 - provider registry.terraform.io/providers/hashicorp/tls v3.4.x
-- provider registry.terraform.io/providers/zscaler/zpa v2.3.x
+- provider registry.terraform.io/providers/zscaler/zpa v2.6.x
 
 ### AWS requirements
 1. A valid AWS account

diff --git a/examples/ac/README.md b/examples/ac/README.md
@@ -42,18 +42,18 @@ From ac directory execute:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.7.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.58.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.2.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.1.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.3.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 3.4.0 |
-| <a name="requirement_zpa"></a> [zpa](#requirement\_zpa) | >=2.5.4 |
+| <a name="requirement_zpa"></a> [zpa](#requirement\_zpa) | ~> 2.6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.7.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.58.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | ~> 2.2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | ~> 3.3.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | ~> 3.4.0 |
@@ -80,6 +80,8 @@ From ac directory execute:
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
@@ -88,6 +90,7 @@ From ac directory execute:
 | <a name="input_ac_count"></a> [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `2` | no |
 | <a name="input_ac_subnets"></a> [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | <a name="input_acvm_instance_type"></a> [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5a.xlarge"` | no |
+| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_app_connector_group_country_code"></a> [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no |
 | <a name="input_app_connector_group_description"></a> [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no |
 | <a name="input_app_connector_group_dns_query_type"></a> [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no |

diff --git a/examples/ac/main.tf b/examples/ac/main.tf
@@ -152,8 +152,9 @@ resource "local_file" "user_data_file" {
 locals {
   al2userdata = <<AL2USERDATA
 #!/usr/bin/bash
-sudo touch /etc/yum.repos.d/zscaler.repo
-sudo cat > /etc/yum.repos.d/zscaler.repo <<-EOT
+sleep 15
+touch /etc/yum.repos.d/zscaler.repo
+cat > /etc/yum.repos.d/zscaler.repo <<-EOT
 [zscaler]
 name=Zscaler Private Access Repository
 baseurl=https://yum.private.zscaler.com/yum/el7
@@ -190,7 +191,38 @@ resource "local_file" "al2_user_data_file" {
   filename = "../user_data"
 }
 
+
+################################################################################
+# Locate Latest App Connector AMI by product code
+################################################################################
+data "aws_ami" "appconnector" {
+  count       = var.use_zscaler_ami ? 1 : 0
+  most_recent = true
+
+  filter {
+    name   = "product-code"
+    values = ["by1wc5269g0048ix2nqvr0362"]
+  }
+
+  owners = ["aws-marketplace"]
+}
+
+
+################################################################################
+# Locate Latest Amazon Linux 2 AMI for instance use
+################################################################################
+data "aws_ssm_parameter" "amazon_linux_latest" {
+  count = var.use_zscaler_ami ? 0 : 1
+  name  = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
+}
+
+locals {
+  ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value)
+}
+
+################################################################################
 # Create specified number of AC appliances
+################################################################################
 module "ac_vm" {
   source                      = "../../modules/terraform-zsac-acvm-aws"
   ac_count                    = var.ac_count
@@ -204,7 +236,7 @@ module "ac_vm" {
   iam_instance_profile        = module.ac_iam.iam_instance_profile_id
   security_group_id           = module.ac_sg.ac_security_group_id
   associate_public_ip_address = var.associate_public_ip_address
-  use_zscaler_ami             = var.use_zscaler_ami
+  ami_id                      = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id
 
   depends_on = [
     module.zpa_provisioning_key,

diff --git a/examples/ac/terraform.tfvars b/examples/ac/terraform.tfvars
@@ -149,33 +149,42 @@
 
 #reuse_iam                                      = true
 
+## 15. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available.
+##     This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. 
+##     It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index
+
+##     Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version.
+##           Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily.
+
+#ami_id                                         = ["ami-123456789"]
+
 
 #####################################################################################################################
 ##### Custom BYO variables. Only applicable for deployments without "base" resource requirements  #####
 #####                                 E.g. "ac"                                                   #####
 #####################################################################################################################
 
-## 15. By default, this script will create a new AWS VPC.
+## 16. By default, this script will create a new AWS VPC.
 ##     Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false)
 
 #byo_vpc                                        = true
 
 
-## 16. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null)
+## 17. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null)
 ##     Example: byo_vpc_id = "vpc-0588ce674df615334"
 
 #byo_vpc_id                                     = "vpc-0588ce674df615334"
 
 
-## 17. By default, this script will create new AWS subnets in the VPC defined based on az_count.
+## 18. By default, this script will create new AWS subnets in the VPC defined based on az_count.
 ##     Uncomment if you want to deploy all resources to subnets that already exist (true or false. Default: false)
 ##     Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist.
 ##     Setting byo_subnet to true means byo_vpc must ALSO be set to true.
 
 #byo_subnets                                    = true
 
 
-## 18. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true.
+## 19. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true.
 ##     Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW,
 ##     Route Tables, etc. Provide only one subnet per Availability Zone in a VPC
 ##
@@ -188,21 +197,21 @@
 #byo_subnet_ids                                 = ["subnet-id"]
 
 
-## 19. By default, this script will create a new Internet Gateway resource in the VPC.
+## 20. By default, this script will create a new Internet Gateway resource in the VPC.
 ##     Uncomment if you want to utlize an IGW that already exists (true or false. Default: false)
 ##     Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist.
 ##     Setting byo_igw to true means byo_vpc must ALSO be set to true.
 
 #byo_igw                                        = true
 
 
-## 20. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true.
+## 21. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true.
 ##     Example: byo_igw_id = "igw-090313c21ffed44d3"
 
 #byo_igw_id                                     = "igw-090313c21ffed44d3"
 
 
-## 21. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected.
+## 22. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected.
 ##     It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined
 ##     based on the byo_igw variable and associate with the public subnet(s)
 ##     Uncomment if you want to deploy App Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false)
@@ -212,7 +221,7 @@
 #byo_ngw                                        = true
 
 
-## 22. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true
+## 23. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true
 ##     NAT Gateway IDs must be added as a list with order determining assocations for the AC Route Tables (ac-rt)
 ##     nat_gateway_id next hop
 ##
@@ -227,31 +236,31 @@
 ##     affinity ensure you enter the list of NAT GW IDs in order of 1. if creating AC subnets az_count will
 ##     go in order az1, az2, etc. 2. if byo_subnet_ids, map this list NAT Gateway ID-1 to Subnet ID-1, etc.
 ##
-##     Example: byo_natgw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"]
+##     Example: byo_ngw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"]
 
 #byo_ngw_ids                                    = ["nat-id"]
 
 
-## 23. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector
+## 24. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector
 ##     Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false)
 
 #byo_iam                                        = true
 
 
-## 24. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true
+## 25. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true
 
 ##    Example: byo_iam_instance_profile_id      = ["instance-profile-1","instance-profile-2"]
 
 #byo_iam_instance_profile_id                    = ["instance-profile-1"]
 
 
-## 25. By default, this script will create new Security Groups for the App Connector interface
+## 26. By default, this script will create new Security Groups for the App Connector interface
 ##     Uncomment if you want to use your own existing SGs (true or false. Default: false)
 
 #byo_security_group                             = true
 
 
-## 26. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true
+## 27. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true
 
 ##     Example: byo_security_group_id           = ["sg-1","sg-2"]
 

diff --git a/examples/ac/variables.tf b/examples/ac/variables.tf
@@ -96,6 +96,12 @@ variable "use_zscaler_ami" {
   description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead"
 }
 
+variable "ami_id" {
+  type        = list(string)
+  description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+  default     = [""]
+}
+
 
 # BYO (Bring-your-own) variables list
 variable "byo_vpc" {

diff --git a/examples/ac/versions.tf b/examples/ac/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.7.0"
+      version = "~> 4.58.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -22,7 +22,7 @@ terraform {
     }
     zpa = {
       source  = "zscaler/zpa"
-      version = ">=2.5.4"
+      version = "~> 2.6.0"
     }
   }
 

diff --git a/examples/ac_asg/README.md b/examples/ac_asg/README.md
@@ -42,18 +42,18 @@ From ac_asg directory execute:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.7.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.58.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.2.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.1.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.3.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 3.4.0 |
-| <a name="requirement_zpa"></a> [zpa](#requirement\_zpa) | ~>2.5.4 |
+| <a name="requirement_zpa"></a> [zpa](#requirement\_zpa) | ~> 2.6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.7.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.58.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | ~> 2.2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | ~> 3.3.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | ~> 3.4.0 |
@@ -80,13 +80,16 @@ From ac_asg directory execute:
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_ac_subnets"></a> [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | <a name="input_acvm_instance_type"></a> [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no |
+| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_app_connector_group_country_code"></a> [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no |
 | <a name="input_app_connector_group_description"></a> [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no |
 | <a name="input_app_connector_group_dns_query_type"></a> [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no |