From 06dd31c932afcbc9e7882d7d0389809906159fd2 Mon Sep 17 00:00:00 2001 From: Jameson Molnar Date: Wed, 15 Mar 2023 22:09:46 -0400 Subject: [PATCH 1/3] chore: zpa and aws provider bump --- README.md | 4 ++-- examples/ac/versions.tf | 4 ++-- examples/ac_asg/versions.tf | 4 ++-- examples/base/versions.tf | 2 +- examples/base_ac/versions.tf | 4 ++-- examples/base_ac_asg/versions.tf | 4 ++-- modules/terraform-zpa-app-connector-group/versions.tf | 2 +- modules/terraform-zpa-provisioning-key/versions.tf | 2 +- modules/terraform-zsac-acvm-aws/versions.tf | 2 +- modules/terraform-zsac-asg-aws/versions.tf | 2 +- modules/terraform-zsac-bastion-aws/versions.tf | 2 +- modules/terraform-zsac-iam-aws/versions.tf | 2 +- modules/terraform-zsac-network-aws/versions.tf | 2 +- modules/terraform-zsac-sg-aws/versions.tf | 2 +- 14 files changed, 19 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 1b3181d..9ee05ab 100644 --- a/README.md +++ b/README.md @@ -9,12 +9,12 @@ These deployment templates are intended to be fully functional and self service Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary and provider support for MacOS M1 chips, but any Terraform version 0.13.7 should be generally supported. -- provider registry.terraform.io/hashicorp/aws v4.7.x +- provider registry.terraform.io/hashicorp/aws v4.58.x - provider registry.terraform.io/hashicorp/random v3.3.x - provider registry.terraform.io/hashicorp/local v2.2.x - provider registry.terraform.io/hashicorp/null v3.1.x - provider registry.terraform.io/providers/hashicorp/tls v3.4.x -- provider registry.terraform.io/providers/zscaler/zpa v2.3.x +- provider registry.terraform.io/providers/zscaler/zpa v2.6.x ### AWS requirements 1. A valid AWS account diff --git a/examples/ac/versions.tf b/examples/ac/versions.tf index 587d9ac..124b884 100755 --- a/examples/ac/versions.tf +++ b/examples/ac/versions.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } random = { source = "hashicorp/random" @@ -22,7 +22,7 @@ terraform { } zpa = { source = "zscaler/zpa" - version = ">=2.5.4" + version = "~> 2.6.0" } } diff --git a/examples/ac_asg/versions.tf b/examples/ac_asg/versions.tf index c1d8a08..124b884 100755 --- a/examples/ac_asg/versions.tf +++ b/examples/ac_asg/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } random = { source = "hashicorp/random" @@ -22,7 +22,7 @@ terraform { } zpa = { source = "zscaler/zpa" - version = "~>2.5.4" + version = "~> 2.6.0" } } diff --git a/examples/base/versions.tf b/examples/base/versions.tf index 2786838..b706251 100755 --- a/examples/base/versions.tf +++ b/examples/base/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } random = { source = "hashicorp/random" diff --git a/examples/base_ac/versions.tf b/examples/base_ac/versions.tf index e9da58e..124b884 100755 --- a/examples/base_ac/versions.tf +++ b/examples/base_ac/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } random = { source = "hashicorp/random" @@ -22,7 +22,7 @@ terraform { } zpa = { source = "zscaler/zpa" - version = "~> 2.5.4" + version = "~> 2.6.0" } } diff --git a/examples/base_ac_asg/versions.tf b/examples/base_ac_asg/versions.tf index 587d9ac..124b884 100755 --- a/examples/base_ac_asg/versions.tf +++ b/examples/base_ac_asg/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } random = { source = "hashicorp/random" @@ -22,7 +22,7 @@ terraform { } zpa = { source = "zscaler/zpa" - version = ">=2.5.4" + version = "~> 2.6.0" } } 
diff --git a/modules/terraform-zpa-app-connector-group/versions.tf b/modules/terraform-zpa-app-connector-group/versions.tf index 1737193..96cba28 100755 --- a/modules/terraform-zpa-app-connector-group/versions.tf +++ b/modules/terraform-zpa-app-connector-group/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { zpa = { source = "zscaler/zpa" - version = "~> 2.5.4" + version = "~> 2.6.0" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zpa-provisioning-key/versions.tf b/modules/terraform-zpa-provisioning-key/versions.tf index 1737193..96cba28 100755 --- a/modules/terraform-zpa-provisioning-key/versions.tf +++ b/modules/terraform-zpa-provisioning-key/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { zpa = { source = "zscaler/zpa" - version = "~> 2.5.4" + version = "~> 2.6.0" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zsac-acvm-aws/versions.tf b/modules/terraform-zsac-acvm-aws/versions.tf index a1484b1..3c60bed 100755 --- a/modules/terraform-zsac-acvm-aws/versions.tf +++ b/modules/terraform-zsac-acvm-aws/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } local = { source = "hashicorp/local" diff --git a/modules/terraform-zsac-asg-aws/versions.tf b/modules/terraform-zsac-asg-aws/versions.tf index b3ba9f6..d5dd2f0 100644 --- a/modules/terraform-zsac-asg-aws/versions.tf +++ b/modules/terraform-zsac-asg-aws/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zsac-bastion-aws/versions.tf b/modules/terraform-zsac-bastion-aws/versions.tf index b3ba9f6..d5dd2f0 100755 --- a/modules/terraform-zsac-bastion-aws/versions.tf +++ b/modules/terraform-zsac-bastion-aws/versions.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zsac-iam-aws/versions.tf b/modules/terraform-zsac-iam-aws/versions.tf index b3ba9f6..d5dd2f0 100755 --- a/modules/terraform-zsac-iam-aws/versions.tf +++ b/modules/terraform-zsac-iam-aws/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zsac-network-aws/versions.tf b/modules/terraform-zsac-network-aws/versions.tf index b3ba9f6..d5dd2f0 100755 --- a/modules/terraform-zsac-network-aws/versions.tf +++ b/modules/terraform-zsac-network-aws/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } } required_version = ">= 0.13.7, < 2.0.0" diff --git a/modules/terraform-zsac-sg-aws/versions.tf b/modules/terraform-zsac-sg-aws/versions.tf index b3ba9f6..d5dd2f0 100755 --- a/modules/terraform-zsac-sg-aws/versions.tf +++ b/modules/terraform-zsac-sg-aws/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.7.0" + version = "~> 4.58.0" } } required_version = ">= 0.13.7, < 2.0.0" From 388018c50d5db54ac5ef056a38639fc1fa12a3a3 Mon Sep 17 00:00:00 2001 From: Jameson Molnar Date: Wed, 15 Mar 2023 22:11:20 -0400 Subject: [PATCH 2/3] refactor: zsac cleanup --- examples/zsac | 191 +++++++++++++++++++++++++++++++++++++------------- 1 file changed, 143 insertions(+), 48 deletions(-) diff --git a/examples/zsac b/examples/zsac index 46b08f6..c403ac1 100755 --- a/examples/zsac +++ b/examples/zsac 
@@ -141,24 +141,30 @@ if [[ $dtype == "base" && ! -e ./.zsacrc ]]; then unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY read -r -p "Enter token code from MFA device: " mfa_token echo "getting session token (aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code)" - aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code ${mfa_token} - - read -r -p "Enter AWS Session Token: " aws_session_token + aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code ${mfa_token} + fi read -r -p "Enter AWS Access Key ID: " aws_key read -r -p "Enter AWS Secret Access Key: " aws_secret + read -r -p "Enter AWS Session Token (if applicable): " aws_session_token read -r -p "Enter AWS Region (e.g. us-west-2): " aws_region if [[ ${aws_regions[*]} =~ $aws_region ]]; then echo "AWS Region entered is: $aws_region" else echo "Invalid AWS region name entered." - echo "Delete .zsacrc file and re-run zsac up..." + echo "Delete .zsacrc file and re-run zsec up..." exit 1 fi - echo "export AWS_ACCESS_KEY_ID='\"${aws_key}\"'" > .zsacrc - echo "export AWS_SECRET_ACCESS_KEY='\"${aws_secret}\"'" >> .zsacrc - echo "export AWS_DEFAULT_REGION=${aws_region}" >> .zsacrc - echo "export TF_VAR_aws_region=${aws_region}" >> .zsacrc + echo "export AWS_ACCESS_KEY_ID='$aws_key'" > .zsacrc + echo "export AWS_SECRET_ACCESS_KEY='$aws_secret'" >> .zsacrc + echo "export AWS_DEFAULT_REGION='$aws_region'" >> .zsacrc + echo "export TF_VAR_aws_region='$aws_region'" >> .zsacrc + if [[ $aws_session_token == "" ]]; then + echo "No AWS Session Token entered..." + else + echo "AWS Session token entered..." + echo "export AWS_SESSION_TOKEN='$aws_session_token'" >> .zsacrc + fi while [[ "$dtype" == "base" && "$oper" == "up" ]]; do clientpublicip=$(curl -s ifconfig.me) 
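Review bot: The rewritten error line now tells the user to re-run `zsec up`, but the script under review is `examples/zsac` and the removed line said `zsac up`; the same substitution appears in the `@@ -220,49` hunk and in the comment added in the `@@ -568,10` hunk, so it looks like text copied from a sibling project rather than an intended rename, and `echo "Delete .zsacrc file and re-run zsac up..."` should be restored in both places. Separately, the new `echo "export AWS_ACCESS_KEY_ID='$aws_key'" > .zsacrc` creates the credentials file with the caller's default umask, so the access key, secret and session token typically end up world-readable on a shared host; adding `chmod 600 .zsacrc` immediately after that line (and after the equivalent line in the `@@ -220,49` hunk) closes that. The secret prompts (`read -r -p "Enter AWS Secret Access Key: " aws_secret`, the session-token prompt, and the ZPA client secret prompt in the next hunk) echo the value into the terminal and its scrollback; `read -rs` followed by an `echo` keeps the rest of the flow unchanged. The enclosing `if [[ $dtype == "base" && ! -e ./.zsacrc ]]` block starts before this hunk and continues past its end.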
@@ -220,49 +226,85 @@ if [[ "$oper" == "up" && "$dtype" != base && ! -e ./.zsacrc ]]; then unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY read -r -p "Enter token code from MFA device: " mfa_token echo "getting session token (aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code)" - aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code ${mfa_token} - - read -r -p "Enter AWS Session Token: " aws_session_token + aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code ${mfa_token} + fi read -r -p "Enter AWS Access Key ID: " aws_key - echo "export AWS_ACCESS_KEY_ID=\"${aws_key}\"" > .zsacrc read -r -p "Enter AWS Secret Access Key: " aws_secret - echo "export AWS_SECRET_ACCESS_KEY=\"${aws_secret}\"" >> .zsacrc + read -r -p "Enter AWS Session Token (if applicable): " aws_session_token read -r -p "Enter AWS Region (e.g. us-west-2): " aws_region if [[ ${aws_regions[*]} =~ $aws_region ]]; then echo "AWS Region entered is: $aws_region" - echo "export AWS_DEFAULT_REGION=${aws_region}" >> .zsacrc - echo "export TF_VAR_aws_region=${aws_region}" >> .zsacrc else echo "Invalid AWS region name entered." - echo "Delete .zsacrc file and re-run zsac up..." + echo "Delete .zsacrc file and re-run zsec up..." exit 1 fi + echo "export AWS_ACCESS_KEY_ID='$aws_key'" > .zsacrc + echo "export AWS_SECRET_ACCESS_KEY='$aws_secret'" >> .zsacrc + echo "export AWS_DEFAULT_REGION='$aws_region'" >> .zsacrc + echo "export TF_VAR_aws_region='$aws_region'" >> .zsacrc + if [[ $aws_session_token == "" ]]; then + echo "No AWS Session Token entered..." + else + echo "AWS Session token entered..." 
+ echo "export AWS_SESSION_TOKEN='$aws_session_token'" >> .zsacrc + fi + zpa_cloud_default=PRODUCTION while true; do + read -r -p "Enter ZPA Cloud Name (PRODUCTION, BETA, GOV, or PREVIEW) [Default=$zpa_cloud_default]: " zpa_cloud_input + zpa_cloud=${zpa_cloud_input:-$zpa_cloud_default} + case $zpa_cloud in + PROD*|prod*|PRODUCTION|production) + echo "ZPA Cloud selected: PRODUCTION" + echo "export ZPA_CLOUD=\"PRODUCTION\"" >> .zsacrc + break + ;; + BETA|beta|b|B) + echo "ZPA Cloud selected: BETA" + echo "export ZPA_CLOUD=\"BETA\"" >> .zsacrc + break + ;; + GOV|gov|g|G) + echo "ZPA Cloud selected: GOV" + echo "export ZPA_CLOUD=\"GOV\"" >> .zsacrc + break + ;; + PREVIEW|preview|pre*|PRE*) + echo "ZPA Cloud selected: PREVIEW" + echo "export ZPA_CLOUD=\"PREVIEW\"" >> .zsacrc + break + ;; + *) + echo "Invalid Cloud. Supported values are PRODUCTION, BETA, GOV, or PREVIEW: ${zpa_cloud}." + ;; + esac + done read -r -p "Enter ZPA Client ID: " zpa_client_id - echo "export ZPA_CLIENT_ID=\"${zpa_client_id}\"" >> .zsacrc + echo "export ZPA_CLIENT_ID='$zpa_client_id'" >> .zsacrc read -r -p "Enter ZPA Client Secret: " zpa_client_secret - echo "export ZPA_CLIENT_SECRET=\"${zpa_client_secret}\"" >> .zsacrc + echo "export ZPA_CLIENT_SECRET='$zpa_client_secret'" >> .zsacrc read -r -p "Enter ZPA Customer ID: " zpa_customer_id - echo "export ZPA_CUSTOMER_ID=\"${zpa_customer_id}\"" >> .zsacrc + echo "export ZPA_CUSTOMER_ID='$zpa_customer_id'" >> .zsacrc - read -r -p "Do you already have an App Connector provisioning key to use? 
[yes/no] " prov_key_response - case $prov_key_response in - yes|y ) - read -r -p "Enter the name of your existing App Connector provisioning key: " byo_provisioning_key_name - echo "export TF_VAR_byo_provisioning_key=true" >> .zsacrc - echo "export TF_VAR_byo_provisioning_key_name=${byo_provisioning_key_name}" >> .zsacrc - break - ;; - no|n ) - echo "Terraform will be creating a new App Connector Group and provisioning key" - echo "Before proceeding, make sure you have entered all variable requirements from steps 1 and 2 in $dtype/terraform.tfvars" - break - ;; - * ) echo "invalid response. Please enter yes or no";; - esac -done + while true; do + read -r -p "Do you already have an App Connector provisioning key to use? [yes/no] " prov_key_response + case $prov_key_response in + yes|y ) + read -r -p "Enter the name of your existing App Connector provisioning key: " byo_provisioning_key_name + echo "export TF_VAR_byo_provisioning_key=true" >> .zsacrc + echo "export TF_VAR_byo_provisioning_key_name='$byo_provisioning_key_name'" >> .zsacrc + break + ;; + no|n ) + echo "Terraform will be creating a new App Connector Group and provisioning key" + echo "Before proceeding, make sure you have entered all variable requirements from steps 1 and 2 in $dtype/terraform.tfvars" + break + ;; + * ) echo "invalid response. Please enter yes or no";; + esac + done ami_default=zscaler while true; do 
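Review bot: The four new `echo "export ZPA_CLOUD=\"PRODUCTION\"" >> .zsacrc` lines keep the escaped double-quote form that the rest of this commit replaces with single quotes (`ZPA_CLIENT_ID`, `ZPA_CLIENT_SECRET`, `TF_VAR_byo_provisioning_key_name`); the values are fixed literals so either form is safe, but `echo "export ZPA_CLOUD='PRODUCTION'" >> .zsacrc` keeps the generated file uniform. The `case` patterns also differ per cloud — `PROD*|prod*` for production, exact spelling plus one letter for BETA and GOV, and `PREVIEW|preview|pre*|PRE*` — so accepting the same shape of input for each cloud would make the prompt predictable. The enclosing `if [[ "$oper" == "up" && "$dtype" != base ... ]]` block starts before this hunk and continues after it.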
@@ -343,28 +385,28 @@ acvm_instance_type=${acvm_instance_type_input:-$acvm_instance_type_default} if [[ "$use_zs_ami" == "true" ]]; then case $acvm_instance_type in t3.xlarge|m5a.xlarge) - echo "AC EC2 type: ${acvm_instance_type} to be deployed on Zscaler AMI" - echo "export TF_VAR_acvm_instance_type=${acvm_instance_type}" >> .zsacrc + echo "AC EC2 type: $acvm_instance_type to be deployed on Zscaler AMI" + echo "export TF_VAR_acvm_instance_type='$acvm_instance_type'" >> .zsacrc break ;; *) - echo "Invalid App Connector VM type: ${acvm_instance_type}. Please enter an approved VM type" + echo "Invalid App Connector VM type: $acvm_instance_type. Please enter an approved VM type" ;; esac elif [[ "$use_zs_ami" == "false" ]]; then case $acvm_instance_type in t3.xlarge|m5a.xlarge) - echo "AC EC2 type: ${acvm_instance_type} to be deployed on Amazon Linux 2 AMI." - echo "export TF_VAR_acvm_instance_type=${acvm_instance_type}" >> .zsacrc + echo "AC EC2 type: $acvm_instance_type to be deployed on Amazon Linux 2 AMI." + echo "export TF_VAR_acvm_instance_type='$acvm_instance_type'" >> .zsacrc break ;; t2.micro) - echo "AC EC2 type: ${acvm_instance_type} to be deployed on Amazon Linux 2 AMI. This is NOT intended for production use" - echo "export TF_VAR_acvm_instance_type=${acvm_instance_type}" >> .zsacrc + echo "AC EC2 type: $acvm_instance_type to be deployed on Amazon Linux 2 AMI. This is NOT intended for production use" + echo "export TF_VAR_acvm_instance_type='$acvm_instance_type'" >> .zsacrc break ;; *) - echo "Invalid App Connector VM type: ${acvm_instance_type}. Please enter an approved VM type" + echo "Invalid App Connector VM type: $acvm_instance_type. Please enter an approved VM type" ;; esac fi 
@@ -568,10 +610,54 @@ if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ] || [ -z "$AWS_ fi +# Only check for existing aws session token if user has not already been prompted for it in zsec up sequence +if [[ -z $aws_session_token ]]; then + +# Prompt user to refresh AWS credentials on up or destroy if there is a previous session token in .zsacrc +if [[ $mfa_enabled == false ]]; then + if [ -z "$AWS_SESSION_TOKEN" ]; then + echo "No session token found. Proceeding with existing AWS credentials..." + else + while true; do + read -r -p "An existing AWS session token has been identified with Access Key $AWS_ACCESS_KEY_ID. Is this still valid? (yes/no): " valid_key_response + case $valid_key_response in + yes|y ) + echo "Terraform will use existing AWS credentials stored in .zsacrc..." + break + ;; + no|n ) + echo "Refreshing AWS credentials prior to Terraform apply" + read -r -p "Enter AWS Access Key ID: " aws_key + read -r -p "Enter AWS Secret Access Key: " aws_secret + read -r -p "Enter AWS Session Token (if applicable): " aws_session_token + + # remove existing aws credentials from .zsacrc + sed -i'' -e '/AWS_ACCESS_KEY_ID/d' .zsacrc + sed -i'' -e '/AWS_SECRET_ACCESS_KEY/d' .zsacrc + sed -i'' -e '/AWS_SESSION_TOKEN/d' .zsacrc + echo "export AWS_ACCESS_KEY_ID='$aws_key'" >> .zsacrc + echo "export AWS_SECRET_ACCESS_KEY='$aws_secret'" >> .zsacrc + if [[ $aws_session_token == "" ]]; then + echo "No AWS Session Token entered..." + echo "export AWS_SESSION_TOKEN=bad_input" >> .zsacrc + else + echo "AWS Session token entered..." + echo "export AWS_SESSION_TOKEN='$aws_session_token'" >> .zsacrc + fi + break + ;; + * ) echo "invalid response. Please enter yes or no";; + esac + done + fi +# Reinitialize environment variables +. 
./.zsacrc +fi + # Get new MFA session token if [[ $mfa_enabled == true ]]; then if [ -z "$AWS_SESSION_TOKEN" ]; then - echo "export AWS_SESSION_TOKEN=\"${aws_session_token}\"" >> .zsacrc + echo "export AWS_SESSION_TOKEN='$aws_session_token'" >> .zsacrc else echo "zsacrc file has existing session token. Resetting to ensure credentials are refreshed" echo "unsetting existing AWS Environment variables (unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY)" @@ -587,17 +673,21 @@ else echo "getting session token (aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code)" aws sts get-session-token --serial-number arn:aws:iam::${aws_account_id}:mfa/${aws_user_account} --token-code ${mfa_token} - read -r -p "Enter AWS Session Token: " aws_session_token - echo "export AWS_SESSION_TOKEN=\"${aws_session_token}\"" >> .zsacrc read -r -p "Enter AWS Access Key ID: " aws_key read -r -p "Enter AWS Secret Access Key: " aws_secret - echo "export AWS_ACCESS_KEY_ID=\"${aws_key}\"" >> .zsacrc - echo "export AWS_SECRET_ACCESS_KEY=\"${aws_secret}\"" >> .zsacrc + read -r -p "Enter AWS Session Token: " aws_session_token + echo "export AWS_ACCESS_KEY_ID='$aws_key'" >> .zsacrc + echo "export AWS_SECRET_ACCESS_KEY='$aws_secret'" >> .zsacrc + echo "export AWS_SESSION_TOKEN='$aws_session_token'" >> .zsacrc fi # Reinitialize environment variables . ./.zsacrc fi +else + echo "Proceeding..." +fi + echo "Download terraform binary for $ostype if not present..." if [[ ! -e ./$dir/terraform ]]; then @@ -628,6 +718,7 @@ elif [[ "$oper" == "destroy" ]]; then else TF_DATA_DIR=../.terraform ./$dir/terraform -chdir="$dtype" destroy -compact-warnings fi + echo "Removing Terraform files and directories..." rm -rf bin rm -rf **/.terraform/* && rm -rf **/.terraform* find . -type f -name '.terraform.lock.hcl' -delete 
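Review bot: When the user answers `no` and leaves the session-token prompt empty, the refresh branch writes `echo "export AWS_SESSION_TOKEN=bad_input" >> .zsacrc`, which `. ./.zsacrc` then exports; unless something downstream consumes that sentinel, the SDK will send `bad_input` as a session token alongside the fresh static keys and every AWS call should fail authentication. The three `sed -i'' -e '/AWS_.../d' .zsacrc` lines already removed the old token, so dropping the `bad_input` line and keeping only `echo "No AWS Session Token entered..."` gives the behaviour the message describes. Note also that `sed -i''` is GNU-specific: the shell collapses it to `-i`, and on BSD/macOS sed (which the README says is supported) `-e` is then likely taken as the backup suffix, leaving `.zsacrc-e` copies that still hold the previous credentials; `sed -i.bak -e '/AWS_ACCESS_KEY_ID/d' .zsacrc` works on both and the destroy path already removes `.zsacrc.bak`. The new outer `if [[ -z $aws_session_token ]]; then` ... `else echo "Proceeding..."; fi` wrapper spans the `@@ -568,10` and `@@ -587,17` hunks and closes outside the first of them.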
@@ -637,4 +728,8 @@ elif [[ "$oper" == "destroy" ]]; then
 rm -rf user.key user.crt
 rm -rf systems.json setup-*.tar
 rm -rf **/errorlog.txt
+now=$(date +'%Y-%m-%d-%H_%M_%S')
+ echo "archiving .zsacrc file to .zsacrc-${now}"
+ cp .zsacrc .zsacrc-${now}
+ rm -rf .zsacrc && rm -rf .zsacrc.bak
 fi
From e0c38ecefe61625b6cbe50ba5181700cbf886713 Mon Sep 17 00:00:00 2001
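Review bot: The destroy path now copies the credentials file with `cp .zsacrc .zsacrc-${now}` before deleting it, so the AWS access key, secret, session token and ZPA client secret outlive the deployment in a timestamped file that no later cleanup step removes and that inherits the mode of `.zsacrc`, which the script creates with a plain redirection (typically world-readable). If the archive is needed, create it restrictively, e.g. `cp .zsacrc .zsacrc-${now} && chmod 600 .zsacrc-${now}`, and say in the echo that the archive contains credentials so the operator knows to dispose of it. The added `now=$(date ...)` line sits at column 0 while the neighbouring lines in the same branch are indented; indent it to match. The `elif [[ "$oper" == "destroy" ]]` branch begins before this hunk.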
From: Jameson Molnar Date: Wed, 15 Mar 2023 22:30:17 -0400 Subject: [PATCH 3/3] fix: marketplace ami update - update ami lookup for new product code by1wc5269g0048ix2nqvr0362 - move ami data source lookups from acvm module to main deployment types - add ami_id variable - userdata cleanup --- examples/ac/README.md | 9 +++-- examples/ac/main.tf | 38 +++++++++++++++++-- examples/ac/terraform.tfvars | 35 ++++++++++------- examples/ac/variables.tf | 6 +++ examples/ac_asg/README.md | 9 +++-- examples/ac_asg/main.tf | 38 ++++++++++++++++++- examples/ac_asg/terraform.tfvars | 35 ++++++++++------- examples/ac_asg/variables.tf | 6 +++ examples/base/README.md | 4 +- examples/base_ac/README.md | 9 +++-- examples/base_ac/main.tf | 34 ++++++++++++++++- examples/base_ac/terraform.tfvars | 13 ++++++- examples/base_ac/variables.tf | 7 ++++ examples/base_ac_asg/README.md | 9 +++-- examples/base_ac_asg/main.tf | 38 ++++++++++++++++++- examples/base_ac_asg/terraform.tfvars | 9 +++++ examples/base_ac_asg/variables.tf | 6 +++ .../README.md | 4 +- .../terraform-zpa-provisioning-key/README.md | 4 +- modules/terraform-zsac-acvm-aws/README.md | 8 ++-- modules/terraform-zsac-acvm-aws/main.tf | 25 +----------- modules/terraform-zsac-acvm-aws/variables.tf | 8 ++-- modules/terraform-zsac-asg-aws/README.md | 8 ++-- modules/terraform-zsac-asg-aws/main.tf | 25 +----------- modules/terraform-zsac-asg-aws/variables.tf | 8 ++-- modules/terraform-zsac-bastion-aws/README.md | 4 +- modules/terraform-zsac-iam-aws/README.md | 4 +- modules/terraform-zsac-network-aws/README.md | 4 +- modules/terraform-zsac-sg-aws/README.md | 4 +- 29 files changed, 283 insertions(+), 128 deletions(-) diff --git a/examples/ac/README.md b/examples/ac/README.md index d8147cb..952178c 100644 --- a/examples/ac/README.md +++ b/examples/ac/README.md 
@@ -42,18 +42,18 @@ From ac directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | | [tls](#requirement\_tls) | ~> 3.4.0 | -| [zpa](#requirement\_zpa) | >=2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | | [local](#provider\_local) | ~> 2.2.0 | | [random](#provider\_random) | ~> 3.3.0 | | [tls](#provider\_tls) | ~> 3.4.0 | @@ -80,6 +80,8 @@ From ac directory execute: | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs 
@@ -88,6 +90,7 @@ From ac directory execute: | [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `2` | no | | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5a.xlarge"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/ac/main.tf b/examples/ac/main.tf index fc48fb7..f30372c 100755 --- a/examples/ac/main.tf +++ b/examples/ac/main.tf @@ -152,8 +152,9 @@ resource "local_file" "user_data_file" { locals { al2userdata = < /etc/yum.repos.d/zscaler.repo <<-EOT +sleep 15 +touch /etc/yum.repos.d/zscaler.repo +cat > /etc/yum.repos.d/zscaler.repo <<-EOT [zscaler] name=Zscaler Private Access Repository baseurl=https://yum.private.zscaler.com/yum/el7 
@@ -190,7 +191,38 @@ resource "local_file" "al2_user_data_file" { filename = "../user_data" } + +################################################################################ +# Locate Latest App Connector AMI by product code +################################################################################ +data "aws_ami" "appconnector" { + count = var.use_zscaler_ami ? 1 : 0 + most_recent = true + + filter { + name = "product-code" + values = ["by1wc5269g0048ix2nqvr0362"] + } + + owners = ["aws-marketplace"] +} + + +################################################################################ +# Locate Latest Amazon Linux 2 AMI for instance use +################################################################################ +data "aws_ssm_parameter" "amazon_linux_latest" { + count = var.use_zscaler_ami ? 0 : 1 + name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" +} + +locals { + ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value) +} + +################################################################################ # Create specified number of AC appliances +################################################################################ module "ac_vm" { source = "../../modules/terraform-zsac-acvm-aws" ac_count = var.ac_count @@ -204,7 +236,7 @@ module "ac_vm" { iam_instance_profile = module.ac_iam.iam_instance_profile_id security_group_id = module.ac_sg.ac_security_group_id associate_public_ip_address = var.associate_public_ip_address - use_zscaler_ami = var.use_zscaler_ami + ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id depends_on = [ module.zpa_provisioning_key, diff --git a/examples/ac/terraform.tfvars b/examples/ac/terraform.tfvars index 6dde645..60a4eb6 100755 --- a/examples/ac/terraform.tfvars +++ b/examples/ac/terraform.tfvars 
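Review bot: `ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id` discards the whole user list as soon as any one element is the empty string, so a mixed override such as `["ami-a", ""]` silently deploys every connector from the latest marketplace image instead of honouring the pinned entry; if per-index pinning is the intent (the variable description says so), build the list element-wise with `ami_id = [for id in var.ami_id : id == "" ? local.ami_selected : id]`, which also preserves the list length the user chose and still yields `[local.ami_selected]` for the default `[""]`. The `try()` in `locals { ami_selected = ... }` is acting as a select-by-count rather than error suppression; a comment such as `# exactly one of the two data sources has count = 1, so try() picks whichever exists` would stop a reader assuming a failed marketplace lookup falls back to Amazon Linux. The `aws_ami` lookup is constrained to `owners = ["aws-marketplace"]` plus the product code rather than a name match, which is the right supply-chain control, while `most_recent = true` means each apply may select a newer image; that trade-off is already documented in terraform.tfvars. The same data sources and expression appear in the ac_asg, base_ac and base_ac_asg main.tf files listed in the diffstat, which are outside this view.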
@@ -149,25 +149,34 @@ #reuse_iam = true +## 15. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available. +## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. +## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index + +## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version. +## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. + +#ami_id = ["ami-123456789"] + ##################################################################################################################### ##### Custom BYO variables. Only applicable for deployments without "base" resource requirements ##### ##### E.g. "ac" ##### ##################################################################################################################### -## 15. By default, this script will create a new AWS VPC. +## 16. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 16. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 17. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 17. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 18. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. 
Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. @@ -175,7 +184,7 @@ #byo_subnets = true -## 18. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 19. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## @@ -188,7 +197,7 @@ #byo_subnet_ids = ["subnet-id"] -## 19. By default, this script will create a new Internet Gateway resource in the VPC. +## 20. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. 
@@ -196,13 +205,13 @@ #byo_igw = true -## 20. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 21. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 21. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 22. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy App Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -212,7 +221,7 @@ #byo_ngw = true -## 22. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true +## 23. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true ## NAT Gateway IDs must be added as a list with order determining assocations for the AC Route Tables (ac-rt) ## nat_gateway_id next hop ## 
@@ -227,31 +236,31 @@ ## affinity ensure you enter the list of NAT GW IDs in order of 1. if creating AC subnets az_count will ## go in order az1, az2, etc. 2. if byo_subnet_ids, map this list NAT Gateway ID-1 to Subnet ID-1, etc. ## -## Example: byo_natgw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"] +## Example: byo_ngw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"] #byo_ngw_ids = ["nat-id"] -## 23. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector +## 24. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 24. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 25. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 25. By default, this script will create new Security Groups for the App Connector interface +## 26. By default, this script will create new Security Groups for the App Connector interface ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 26. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 27. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_security_group_id = ["sg-1","sg-2"] diff --git a/examples/ac/variables.tf b/examples/ac/variables.tf index 86e1662..c18923a 100755 --- a/examples/ac/variables.tf +++ b/examples/ac/variables.tf 
@@ -96,6 +96,12 @@ variable "use_zscaler_ami" {
 description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead"
 }
+variable "ami_id" {
+ type = list(string)
+ description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+ default = [""]
+}
+
 # BYO (Bring-your-own) variables list
 variable "byo_vpc" {
diff --git a/examples/ac_asg/README.md b/examples/ac_asg/README.md
index 20db4c2..20edc27 100644
--- a/examples/ac_asg/README.md
+++ b/examples/ac_asg/README.md
@@ -42,18 +42,18 @@ From ac_asg directory execute:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 | [local](#requirement\_local) | ~> 2.2.0 |
 | [null](#requirement\_null) | ~> 3.1.0 |
 | [random](#requirement\_random) | ~> 3.3.0 |
 | [tls](#requirement\_tls) | ~> 3.4.0 |
-| [zpa](#requirement\_zpa) | ~>2.5.4 |
+| [zpa](#requirement\_zpa) | ~> 2.6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 | [local](#provider\_local) | ~> 2.2.0 |
 | [random](#provider\_random) | ~> 3.3.0 |
 | [tls](#provider\_tls) | ~> 3.4.0 |
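Review bot: `variable "ami_id"` constrains only the type, so an element that is neither the `""` sentinel nor a real image ID (a stray space, the example value `ami-123456789` pasted from terraform.tfvars, a typo) is only caught at apply time by the provider, whereas a `validation` block rejects it at plan time and documents the sentinel contract in the variable itself. The description could also state that a pinned ID bypasses the owner/product-code lookup main.tf performs for the sentinel, so whoever pins an image takes on verifying its publisher. The same variable is added identically in examples/ac_asg/variables.tf, examples/base_ac/variables.tf and examples/base_ac_asg/variables.tf and the block belongs in all four; the project's stated `>= 0.13.7` floor supports `validation`, and the condition below uses only `can`/`regex` and a `for` expression.
```hcl
variable "ami_id" {
  # … unchanged: type / description / default …
  validation {
    condition     = length([for a in var.ami_id : a if a != "" && !can(regex("^ami-[0-9a-f]{8,17}$", a))]) == 0
    error_message = "Each ami_id entry must be \"\" (auto-select the latest image) or an AMI ID of the form ami-xxxxxxxx."
  }
}
```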
@@ -80,6 +80,8 @@ From ac_asg directory execute:
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 ## Inputs
@@ -87,6 +89,7 @@ From ac_asg directory execute:
 |------|-------------|------|---------|:--------:|
 | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no |
+| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/ac_asg/main.tf b/examples/ac_asg/main.tf index b20ebcc..4a8e12f 100755 --- a/examples/ac_asg/main.tf +++ b/examples/ac_asg/main.tf @@ -152,8 +152,9 @@ resource "local_file" "user_data_file" { locals { al2userdata = < /etc/yum.repos.d/zscaler.repo <<-EOT +sleep 15 +touch /etc/yum.repos.d/zscaler.repo +cat > /etc/yum.repos.d/zscaler.repo <<-EOT [zscaler] name=Zscaler Private Access Repository baseurl=https://yum.private.zscaler.com/yum/el7 
@@ -190,7 +191,39 @@ resource "local_file" "al2_user_data_file" {
 filename = "../user_data"
 }
+
+################################################################################
+# Locate Latest App Connector AMI by product code
+################################################################################
+data "aws_ami" "appconnector" {
+ count = var.use_zscaler_ami ? 1 : 0
+ most_recent = true
+
+ filter {
+ name = "product-code"
+ values = ["by1wc5269g0048ix2nqvr0362"]
+ }
+
+ owners = ["aws-marketplace"]
+}
+
+
+################################################################################
+# Locate Latest Amazon Linux 2 AMI for instance use
+################################################################################
+data "aws_ssm_parameter" "amazon_linux_latest" {
+ count = var.use_zscaler_ami ? 0 : 1
+ name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
+}
+
+locals {
+ ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value)
+}
+
+
+################################################################################
 # Create the specified AC VMs via Launch Template and Autoscaling Group
+################################################################################
 module "ac_asg" {
 source = "../../modules/terraform-zsac-asg-aws"
 name_prefix = var.name_prefix
@@ -203,6 +236,7 @@ module "ac_asg" {
 iam_instance_profile = module.ac_iam.iam_instance_profile_id
 security_group_id = module.ac_sg.ac_security_group_id
 associate_public_ip_address = var.associate_public_ip_address
+ ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id
 max_size = var.max_size
 min_size = var.min_size
diff --git a/examples/ac_asg/terraform.tfvars b/examples/ac_asg/terraform.tfvars
index ae5a25b..02ea319 100644
--- a/examples/ac_asg/terraform.tfvars
+++ b/examples/ac_asg/terraform.tfvars
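Review bot: `ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id` discards every explicit ID as soon as one element is `""`, although the variable description advertises a per-index list for upgrading only selected ACs; a per-element fallback keeps what the operator pinned and fills only the blanks, `ami_id = [for a in var.ami_id : a == "" ? local.ami_selected : a]`, and for the default `[""]` it still yields `[local.ami_selected]`. The same expression and the same `aws_ami`/`aws_ssm_parameter` lookups are repeated in examples/base_ac/main.tf and examples/base_ac_asg/main.tf; the per-index case is the acvm module in base_ac, while how the asg module consumes the list is not visible here. On the lookup itself, pairing `owners = ["aws-marketplace"]` with the product-code filter is the right way to pin the image publisher, and a comment on `most_recent = true`, e.g. `# resolves to a new ID whenever a newer Marketplace release appears; the next apply then replaces existing instances`, would make the drift the tfvars note warns about visible where it originates. The `module "ac_asg"` block continues outside the hunk.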
@@ -174,25 +174,34 @@
 #target_cpu_util_value = 50
+## 23. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available.
+## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement.
+## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index
+
+## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version.
+## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily.
+
+#ami_id = ["ami-123456789"]
+
 #####################################################################################################################
 ##### Custom BYO variables. Only applicable for deployments without "base" resource requirements #####
 ##### E.g. "ac_asg" #####
 #####################################################################################################################
-## 23. By default, this script will create a new AWS VPC.
+## 24. By default, this script will create a new AWS VPC.
 ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false)
 #byo_vpc = true
-## 24. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null)
+## 25. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null)
 ## Example: byo_vpc_id = "vpc-0588ce674df615334"
 #byo_vpc_id = "vpc-0588ce674df615334"
-## 25. By default, this script will create new AWS subnets in the VPC defined based on az_count.
+## 26. By default, this script will create new AWS subnets in the VPC defined based on az_count.
 ## Uncomment if you want to deploy all resources to subnets that already exist (true or false.
Default: false)
 ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist.
 ## Setting byo_subnet to true means byo_vpc must ALSO be set to true.
@@ -200,7 +209,7 @@
 #byo_subnets = true
-## 26. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true.
+## 27. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true.
 ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW,
 ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC
 ##
@@ -213,7 +222,7 @@
 #byo_subnet_ids = ["subnet-id"]
-## 27. By default, this script will create a new Internet Gateway resource in the VPC.
+## 28. By default, this script will create a new Internet Gateway resource in the VPC.
 ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false)
 ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist.
 ## Setting byo_igw to true means byo_vpc must ALSO be set to true.
@@ -221,13 +230,13 @@
 #byo_igw = true
-## 28. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true.
+## 29. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true.
 ## Example: byo_igw_id = "igw-090313c21ffed44d3"
 #byo_igw_id = "igw-090313c21ffed44d3"
-## 29. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected.
+## 30. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected.
 ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined
 ## based on the byo_igw variable and associate with the public subnet(s)
 ## Uncomment if you want to deploy App Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false)
@@ -237,7 +246,7 @@
 #byo_ngw = true
-## 30. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true
+## 31. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true
 ## NAT Gateway IDs must be added as a list with order determining assocations for the AC Route Tables (ac-rt)
 ## nat_gateway_id next hop
 ##
@@ -252,31 +261,31 @@
 ## affinity ensure you enter the list of NAT GW IDs in order of 1. if creating AC subnets az_count will
 ## go in order az1, az2, etc. 2. if byo_subnet_ids, map this list NAT Gateway ID-1 to Subnet ID-1, etc.
 ##
-## Example: byo_natgw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"]
+## Example: byo_ngw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"]
 #byo_ngw_ids = ["nat-id"]
-## 31. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector
+## 32. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector
 ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false)
 #byo_iam = true
-## 32. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true
+## 33. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true
 ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"]
 #byo_iam_instance_profile_id = ["instance-profile-1"]
-## 33. By default, this script will create new Security Groups for the App Connector interfaces
+## 34. By default, this script will create new Security Groups for the App Connector interfaces
 ## Uncomment if you want to use your own existing SGs (true or false. Default: false)
 #byo_security_group = true
-## 34. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true
+## 35. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true
 ## Example: byo_security_group_id = ["sg-1","sg-2"]
diff --git a/examples/ac_asg/variables.tf b/examples/ac_asg/variables.tf
index 0e684f8..9b3516e 100755
--- a/examples/ac_asg/variables.tf
+++ b/examples/ac_asg/variables.tf
@@ -171,6 +171,12 @@ variable "target_cpu_util_value" {
 default = 50
 }
+variable "ami_id" {
+ type = list(string)
+ description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+ default = [""]
+}
+
 # BYO (Bring-your-own) variables list
 variable "byo_vpc" {
diff --git a/examples/base/README.md b/examples/base/README.md
index b44acae..565143e 100644
--- a/examples/base/README.md
+++ b/examples/base/README.md
@@ -38,7 +38,7 @@ From base directory execute:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 | [local](#requirement\_local) | ~> 2.2.0 |
 | [null](#requirement\_null) | ~> 3.1.0 |
 | [random](#requirement\_random) | ~> 3.3.0 |
@@ -48,7 +48,7 @@ From base directory execute:
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 | [local](#provider\_local) | ~> 2.2.0 |
 | [random](#provider\_random) | ~> 3.3.0 |
 | [tls](#provider\_tls) | ~> 3.4.0 |
diff --git a/examples/base_ac/README.md b/examples/base_ac/README.md
index 2354106..d92e478 100644
--- a/examples/base_ac/README.md
+++ b/examples/base_ac/README.md
@@ -43,18 +43,18 @@ From base_ac directory execute:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 | [local](#requirement\_local) | ~> 2.2.0 |
 | [null](#requirement\_null) | ~> 3.1.0 |
 | [random](#requirement\_random) | ~> 3.3.0 |
 | [tls](#requirement\_tls) | ~> 3.4.0 |
-| [zpa](#requirement\_zpa) | ~> 2.5.4 |
+| [zpa](#requirement\_zpa) | ~> 2.6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 | [local](#provider\_local) | ~> 2.2.0 |
 | [random](#provider\_random) | ~> 3.3.0 |
 | [tls](#provider\_tls) | ~> 3.4.0 |
@@ -82,6 +82,8 @@ From base_ac directory execute:
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 ## Inputs
@@ -90,6 +92,7 @@ From base_ac directory execute:
 | [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `2` | no |
 | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no |
+| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no |
 | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no |
 | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no |
 | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no |
diff --git a/examples/base_ac/main.tf b/examples/base_ac/main.tf
index a55aa8b..a041e23 100755
--- a/examples/base_ac/main.tf
+++ b/examples/base_ac/main.tf
@@ -197,7 +197,39 @@ resource "local_file" "al2_user_data_file" {
 filename = "../user_data"
 }
+
+################################################################################
+# Locate Latest App Connector AMI by product code
+################################################################################
+data "aws_ami" "appconnector" {
+ count = var.use_zscaler_ami ? 1 : 0
+ most_recent = true
+
+ filter {
+ name = "product-code"
+ values = ["by1wc5269g0048ix2nqvr0362"]
+ }
+
+ owners = ["aws-marketplace"]
+}
+
+
+################################################################################
+# Locate Latest Amazon Linux 2 AMI for instance use
+################################################################################
+data "aws_ssm_parameter" "amazon_linux_latest" {
+ count = var.use_zscaler_ami ? 0 : 1
+ name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
+}
+
+locals {
+ ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value)
+}
+
+
+################################################################################
 # Create specified number of AC appliances
+################################################################################
 module "ac_vm" {
 source = "../../modules/terraform-zsac-acvm-aws"
 ac_count = var.ac_count
@@ -211,7 +243,7 @@ module "ac_vm" {
 iam_instance_profile = module.ac_iam.iam_instance_profile_id
 security_group_id = module.ac_sg.ac_security_group_id
 associate_public_ip_address = var.associate_public_ip_address
- use_zscaler_ami = var.use_zscaler_ami
+ ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id
 depends_on = [
 module.zpa_provisioning_key,
diff --git a/examples/base_ac/terraform.tfvars b/examples/base_ac/terraform.tfvars
index 47b8e10..4bb6cd1 100755
--- a/examples/base_ac/terraform.tfvars
+++ b/examples/base_ac/terraform.tfvars
@@ -60,11 +60,11 @@
 ## 5. AWS region where App Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
 ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: us-west-2)
-aws_region = "us-west-2"
+#aws_region = "us-west-2"
 ## 6. By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead"
-#use_zscaler_ami = false
+#use_zscaler_ami = false
 ## 7. App Connector AWS EC2 Instance size selection. Uncomment #acvm_instance_type line with desired vm size to change.
 ## (Default: m5.large)
@@ -148,3 +148,12 @@ aws_region = "us-west-2"
 ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL App Connectors (true or false. Default: false)
 #reuse_iam = true
+
+## 15. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available.
+## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement.
+## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index
+
+## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version.
+## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily.
+
+#ami_id = ["ami-123456789"]
diff --git a/examples/base_ac/variables.tf b/examples/base_ac/variables.tf
index 59f6e37..8687eb1 100755
--- a/examples/base_ac/variables.tf
+++ b/examples/base_ac/variables.tf
@@ -119,6 +119,13 @@ variable "use_zscaler_ami" {
 description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead"
 }
+variable "ami_id" {
+ type = list(string)
+ description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+ default = [""]
+}
+
+
 # ZPA Provider specific variables for App Connector Group and Provisioning Key creation
 variable "byo_provisioning_key" {
 type = bool
diff --git a/examples/base_ac_asg/README.md b/examples/base_ac_asg/README.md
index e941273..cce7909 100644
--- a/examples/base_ac_asg/README.md
+++ b/examples/base_ac_asg/README.md
@@ -42,18 +42,18 @@ From base_ac_asg directory execute:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 | [local](#requirement\_local) | ~> 2.2.0 |
 | [null](#requirement\_null) | ~> 3.1.0 |
 | [random](#requirement\_random) | ~> 3.3.0 |
 | [tls](#requirement\_tls) | ~> 3.4.0 |
-| [zpa](#requirement\_zpa) | >=2.5.4 |
+| [zpa](#requirement\_zpa) | ~> 2.6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 | [local](#provider\_local) | ~> 2.2.0 |
 | [random](#provider\_random) | ~> 3.3.0 |
 | [tls](#provider\_tls) | ~> 3.4.0 |
@@ -81,6 +81,8 @@ From base_ac_asg directory execute:
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 ## Inputs
@@ -88,6 +90,7 @@ From base_ac_asg directory execute:
 |------|-------------|------|---------|:--------:|
 | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
 | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no |
+| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/base_ac_asg/main.tf b/examples/base_ac_asg/main.tf index c426944..8251437 100755 --- a/examples/base_ac_asg/main.tf +++ b/examples/base_ac_asg/main.tf @@ -158,8 +158,9 @@ resource "local_file" "user_data_file" { locals { al2userdata = < /etc/yum.repos.d/zscaler.repo <<-EOT +sleep 15 +touch /etc/yum.repos.d/zscaler.repo +cat > /etc/yum.repos.d/zscaler.repo <<-EOT [zscaler] name=Zscaler Private Access Repository baseurl=https://yum.private.zscaler.com/yum/el7 
@@ -196,7 +197,39 @@ resource "local_file" "al2_user_data_file" {
 filename = "../user_data"
 }
+
+################################################################################
+# Locate Latest App Connector AMI by product code
+################################################################################
+data "aws_ami" "appconnector" {
+ count = var.use_zscaler_ami ? 1 : 0
+ most_recent = true
+
+ filter {
+ name = "product-code"
+ values = ["by1wc5269g0048ix2nqvr0362"]
+ }
+
+ owners = ["aws-marketplace"]
+}
+
+
+################################################################################
+# Locate Latest Amazon Linux 2 AMI for instance use
+################################################################################
+data "aws_ssm_parameter" "amazon_linux_latest" {
+ count = var.use_zscaler_ami ? 0 : 1
+ name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
+}
+
+locals {
+ ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value)
+}
+
+
+################################################################################
 # Create the specified AC VMs via Launch Template and Autoscaling Group
+################################################################################
 module "ac_asg" {
 source = "../../modules/terraform-zsac-asg-aws"
 name_prefix = var.name_prefix
@@ -209,6 +242,7 @@ module "ac_asg" {
 iam_instance_profile = module.ac_iam.iam_instance_profile_id
 security_group_id = module.ac_sg.ac_security_group_id
 associate_public_ip_address = var.associate_public_ip_address
+ ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id
 max_size = var.max_size
 min_size = var.min_size
diff --git a/examples/base_ac_asg/terraform.tfvars b/examples/base_ac_asg/terraform.tfvars
index aca9f6f..dc26ab6 100644
--- a/examples/base_ac_asg/terraform.tfvars
+++ b/examples/base_ac_asg/terraform.tfvars
@@ -172,3 +172,12 @@
 ## (Default: 50%)
 #target_cpu_util_value = 50
+
+## 23. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available.
+## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement.
+## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index
+
+## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version.
+## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily.
+
+#ami_id = ["ami-123456789"]
diff --git a/examples/base_ac_asg/variables.tf b/examples/base_ac_asg/variables.tf
index 9d0973e..fb06475 100755
--- a/examples/base_ac_asg/variables.tf
+++ b/examples/base_ac_asg/variables.tf
@@ -176,6 +176,12 @@ variable "target_cpu_util_value" {
 default = 50
 }
+variable "ami_id" {
+ type = list(string)
+ description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+ default = [""]
+}
+
 # ZPA Provider specific variables for App Connector Group and Provisioning Key creation
 variable "byo_provisioning_key" {
diff --git a/modules/terraform-zpa-app-connector-group/README.md b/modules/terraform-zpa-app-connector-group/README.md
index 523d4a1..96951c8 100644
--- a/modules/terraform-zpa-app-connector-group/README.md
+++ b/modules/terraform-zpa-app-connector-group/README.md
@@ -8,13 +8,13 @@ This module provides the resources necessary to create a new ZPA App Connector G
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [zpa](#requirement\_zpa) | ~> 2.5.4 |
+| [zpa](#requirement\_zpa) | ~> 2.6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [zpa](#provider\_zpa) | ~> 2.5.4 |
+| [zpa](#provider\_zpa) | ~> 2.6.0 |
 ## Modules
diff --git a/modules/terraform-zpa-provisioning-key/README.md b/modules/terraform-zpa-provisioning-key/README.md
index b237be6..2cfc237 100644
--- a/modules/terraform-zpa-provisioning-key/README.md
+++ b/modules/terraform-zpa-provisioning-key/README.md
@@ -10,13 +10,13 @@ There is a "BYO" option where you can conditionally create new or reference an e
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [zpa](#requirement\_zpa) | ~> 2.5.4 |
+| [zpa](#requirement\_zpa) | ~> 2.6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [zpa](#provider\_zpa) | ~> 2.5.4 |
+| [zpa](#provider\_zpa) | ~> 2.6.0 |
 ## Modules
diff --git a/modules/terraform-zsac-acvm-aws/README.md b/modules/terraform-zsac-acvm-aws/README.md
index f4cf095..5363a00 100644
--- a/modules/terraform-zsac-acvm-aws/README.md
+++ b/modules/terraform-zsac-acvm-aws/README.md
@@ -8,7 +8,7 @@ This module creates all AWS EC2 instance resources needed to deploy App Connecto
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 | [local](#requirement\_local) | ~> 2.2.0 |
 | [null](#requirement\_null) | ~> 3.1.0 |
@@ -16,7 +16,7 @@ This module creates all AWS EC2 instance resources needed to deploy App Connecto
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 ## Modules
@@ -27,8 +27,6 @@ No modules. | Name | Type | |------|------| | [aws_instance.ac_vm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | -| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs @@ -37,6 +35,7 @@ No modules. | [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `1` | no | | [ac\_subnet\_ids](#input\_ac\_subnet\_ids) | App Connector EC2 Instance subnet ID | `list(string)` | n/a | yes | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | enable/disable public IP addresses on App Connector instances | `bool` | `false` | no | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile ID assigned to App Connector | `list(string)` | n/a | yes | @@ -44,7 +43,6 @@ No modules. | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the App Connector module resources | `string` | `null` | no | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the App Connector module resources | `string` | `null` | no | | [security\_group\_id](#input\_security\_group\_id) | App Connector EC2 Instance management subnet id | `list(string)` | n/a | yes | -| [use\_zscaler\_ami](#input\_use\_zscaler\_ami) | By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead | `bool` | `true` | no | | [user\_data](#input\_user\_data) | App Init data | `string` | n/a | yes | ## Outputs diff --git a/modules/terraform-zsac-acvm-aws/main.tf b/modules/terraform-zsac-acvm-aws/main.tf index e1672cc..169a16d 100755 --- a/modules/terraform-zsac-acvm-aws/main.tf +++ b/modules/terraform-zsac-acvm-aws/main.tf 
@@ -1,32 +1,9 @@ -################################################################################ -# Locate Latest App Connector AMI by product code -################################################################################ -data "aws_ami" "appconnector" { - most_recent = true - - filter { - name = "product-code" - values = ["3n2udvk6ba2lglockhnetlujo"] - } - - owners = ["aws-marketplace"] -} - - -################################################################################ -# Locate Latest Amazon Linux 2 AMI for instance use -################################################################################ -data "aws_ssm_parameter" "amazon_linux_latest" { - name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" -} - - ################################################################################ # Create App Connector VM ################################################################################ resource "aws_instance" "ac_vm" { count = var.ac_count - ami = var.use_zscaler_ami == true ? data.aws_ami.appconnector.id : data.aws_ssm_parameter.amazon_linux_latest.value + ami = element(var.ami_id, count.index) instance_type = var.acvm_instance_type iam_instance_profile = element(var.iam_instance_profile, count.index) vpc_security_group_ids = [element(var.security_group_id, count.index)] diff --git a/modules/terraform-zsac-acvm-aws/variables.tf b/modules/terraform-zsac-acvm-aws/variables.tf index ea10133..d40774d 100755 --- a/modules/terraform-zsac-acvm-aws/variables.tf +++ b/modules/terraform-zsac-acvm-aws/variables.tf 
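Review bot: `ami = element(var.ami_id, count.index)` accepts any caller-supplied ID with no provenance check, whereas the removed `data "aws_ami"` pinned the image to `owners = ["aws-marketplace"]` and the App Connector product code, so the module can no longer tell a Zscaler image from a look-alike AMI shared from another account. If the latest-image lookup has moved to the example roots (the tfvars comment in this patch suggests so), the module could still assert provenance cheaply with a `data "aws_ami"` keyed on the supplied ID and restricted to Marketplace ownership, which fails at plan time for anything else; a sketch is below. Two smaller points on the same line: with the module default `[""]` from the variables.tf hunk this resolves to `ami = ""`, which only fails at apply, and `element()` wraps modulo the list length, so a one-entry list silently applies to every instance — worth a comment such as `# element() wraps: a shorter list than ac_count reuses entries in order`. The `aws_instance` resource body continues past the end of this hunk.
```hcl
# Assert each supplied AMI is a Marketplace-published image before it is used
data "aws_ami" "selected" {
  count  = var.ac_count
  owners = ["aws-marketplace"]

  filter {
    name   = "image-id"
    values = [element(var.ami_id, count.index)]
  }
}

resource "aws_instance" "ac_vm" {
  count = var.ac_count
  # element() wraps modulo length(var.ami_id): a one-entry list applies the same AMI to every instance
  ami   = data.aws_ami.selected[count.index].id
  # … unchanged: instance_type, iam_instance_profile, vpc_security_group_ids …
```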
@@ -84,8 +84,8 @@ variable "associate_public_ip_address" { description = "enable/disable public IP addresses on App Connector instances" } -variable "use_zscaler_ami" { - default = true - type = bool - description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead" +variable "ami_id" { + type = list(string) + description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index" + default = [""] } diff --git a/modules/terraform-zsac-asg-aws/README.md b/modules/terraform-zsac-asg-aws/README.md index ad3faa8..8767b52 100644 --- a/modules/terraform-zsac-asg-aws/README.md +++ b/modules/terraform-zsac-asg-aws/README.md @@ -8,13 +8,13 @@ This module creates a AWS Launch Template, Autoscaling Group, and Policy resourc | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules 
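Review bot: `default = [""]` makes the module's only image input optional even though main.tf (earlier hunk in this patch) feeds it straight into `ami`, so a caller that omits `ami_id` gets `ami = ""` and an error at apply rather than at plan; the module has no fallback lookup any more, so the default has no useful value. I would drop the default so the input is required, and add a `validation` block that rejects entries not shaped like an AMI ID, which also catches pasted/truncated IDs before any API call. The condition below avoids `alltrue()` so it still works on the Terraform 0.13.x floor the README advertises.
```hcl
variable "ami_id" {
  type = list(string)
  # … unchanged: description …
  # no default: the module no longer looks an image up itself, so callers must supply one

  validation {
    # list-comprehension + can(regex()) rather than alltrue() keeps this valid on Terraform 0.13.x
    condition     = length([for id in var.ami_id : id if !can(regex("^ami-[0-9a-f]{8,17}$", id))]) == 0
    error_message = "Every ami_id entry must be an AMI ID of the form ami-xxxxxxxx."
  }
}
```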
@@ -27,8 +27,6 @@ No modules. | [aws_autoscaling_group.ac_asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | | [aws_autoscaling_policy.ac_asg_target_tracking_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_policy) | resource | | [aws_launch_template.ac_launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | -| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs @@ -36,6 +34,7 @@ No modules. |------|-------------|------|---------|:--------:| | [ac\_subnet\_ids](#input\_ac\_subnet\_ids) | App Connector EC2 Instance subnet IDs list | `list(string)` | n/a | yes | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | enable/disable public IP addresses on App Connector instances | `bool` | `false` | no | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service. Default is 5 minutes | `number` | `300` | no | 
@@ -50,7 +49,6 @@ No modules. | [security\_group\_id](#input\_security\_group\_id) | App Connector EC2 Instance management subnet id | `list(string)` | n/a | yes | | [target\_cpu\_util\_value](#input\_target\_cpu\_util\_value) | Target value number for autoscaling policy CPU utilization target tracking. ie: trigger a scale in/out to keep average CPU Utliization percentage across all instances at/under this number | `number` | `50` | no | | [target\_tracking\_metric](#input\_target\_tracking\_metric) | The AWS ASG pre-defined target tracking metric type. App Connector recommends ASGAverageCPUUtilization | `string` | `"ASGAverageCPUUtilization"` | no | -| [use\_zscaler\_ami](#input\_use\_zscaler\_ami) | By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead | `bool` | `true` | no | | [user\_data](#input\_user\_data) | App Init data | `string` | n/a | yes | | [warm\_pool\_enabled](#input\_warm\_pool\_enabled) | If set to true, add a warm pool to the specified Auto Scaling group. See [warm\_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#warm_pool). | `bool` | `"false"` | no | | [warm\_pool\_max\_group\_prepared\_capacity](#input\_warm\_pool\_max\_group\_prepared\_capacity) | Specifies the total maximum number of instances that are allowed to be in the warm pool or in any state except Terminated for the Auto Scaling group. Ignored when 'warm\_pool\_enabled' is false | `number` | `null` | no | diff --git a/modules/terraform-zsac-asg-aws/main.tf b/modules/terraform-zsac-asg-aws/main.tf index 1d7aba4..19689f8 100755 --- a/modules/terraform-zsac-asg-aws/main.tf +++ b/modules/terraform-zsac-asg-aws/main.tf 
@@ -1,26 +1,3 @@ -################################################################################ -# Locate Latest App Connector AMI by product code -################################################################################ -data "aws_ami" "appconnector" { - most_recent = true - - filter { - name = "product-code" - values = ["3n2udvk6ba2lglockhnetlujo"] - } - - owners = ["aws-marketplace"] -} - - -################################################################################ -# Locate Latest Amazon Linux 2 AMI for instance use -################################################################################ -data "aws_ssm_parameter" "amazon_linux_latest" { - name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" -} - - ################################################################################ # Create launch template for App Connector autoscaling group instance creation. # Mgmt and service interface device indexes are swapped to support ASG + GWLB @@ -29,7 +6,7 @@ data "aws_ssm_parameter" "amazon_linux_latest" { resource "aws_launch_template" "ac_launch_template" { count = 1 name = "${var.name_prefix}-ac-launch-template-${var.resource_tag}" - image_id = var.use_zscaler_ami == true ? data.aws_ami.appconnector.id : data.aws_ssm_parameter.amazon_linux_latest.value + image_id = element(var.ami_id, count.index) instance_type = var.acvm_instance_type key_name = var.instance_key user_data = base64encode(var.user_data) diff --git a/modules/terraform-zsac-asg-aws/variables.tf b/modules/terraform-zsac-asg-aws/variables.tf index df1637c..eeb939f 100644 --- a/modules/terraform-zsac-asg-aws/variables.tf +++ b/modules/terraform-zsac-asg-aws/variables.tf 
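Review bot: `image_id = element(var.ami_id, count.index)` sits in a resource declared with `count = 1`, so `count.index` is always 0 and only the first list entry can ever reach the launch template; the per-instance upgrade story behind the list type does not apply to the ASG module. Writing it as `image_id = var.ami_id[0]` with the comment `# launch template is a singleton: only the first ami_id entry is used` would make that explicit instead of looking like per-index selection. As in the acvm module, the removed `data "aws_ami"` was also the only check that the image was Marketplace-owned with the App Connector product code; a lookup on the supplied ID with `owners = ["aws-marketplace"]` and an `image-id` filter would restore that at plan time. The `aws_launch_template` body continues past the end of this hunk.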
@@ -79,10 +79,10 @@ variable "associate_public_ip_address" { description = "enable/disable public IP addresses on App Connector instances" } -variable "use_zscaler_ami" { - default = true - type = bool - description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead" +variable "ami_id" { + type = list(string) + description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index" + default = [""] } variable "min_size" { diff --git a/modules/terraform-zsac-bastion-aws/README.md b/modules/terraform-zsac-bastion-aws/README.md index fc8136d..89f8b00 100644 --- a/modules/terraform-zsac-bastion-aws/README.md +++ b/modules/terraform-zsac-bastion-aws/README.md @@ -8,13 +8,13 @@ This module creates all AWS EC2 instance, IAM, and Security Group resources need | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules diff --git a/modules/terraform-zsac-iam-aws/README.md b/modules/terraform-zsac-iam-aws/README.md index b13488f..8883c27 100644 --- a/modules/terraform-zsac-iam-aws/README.md +++ b/modules/terraform-zsac-iam-aws/README.md 
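Review bot: The description copied into the ASG module's `ami_id` promises per-instance control "based on the ac_count index", but this module has no `ac_count` input and its launch template (main.tf hunk in this patch) is a single resource that reads only index 0, so the text documents behaviour the module cannot deliver. I would replace it with something like: `AMI ID used in the App Connector launch template. Only the first entry is used (the launch template is a single resource); the list type is kept for parity with the acvm module. Should be a Zscaler App Connector image from the AWS Marketplace.` The `default = [""]` here has the same problem as in the acvm module — it resolves to `image_id = ""` if the caller passes nothing — so making the input required is worth considering here too.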
@@ -8,13 +8,13 @@ This module creates IAM Policies, Roles, and Instance Profile resources required | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules diff --git a/modules/terraform-zsac-network-aws/README.md b/modules/terraform-zsac-network-aws/README.md index 5dd036b..636acd3 100644 --- a/modules/terraform-zsac-network-aws/README.md +++ b/modules/terraform-zsac-network-aws/README.md @@ -8,13 +8,13 @@ This module has multi-purpose use and is leveraged by all other Zscaler App Conn | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules diff --git a/modules/terraform-zsac-sg-aws/README.md b/modules/terraform-zsac-sg-aws/README.md index 1485d21..05bb733 100644 --- a/modules/terraform-zsac-sg-aws/README.md +++ b/modules/terraform-zsac-sg-aws/README.md @@ -8,13 +8,13 @@ This module creates Security Rules and Groups resources required for successful | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules