diff --git a/examples/ac/README.md b/examples/ac/README.md index d8147cb..952178c 100644 --- a/examples/ac/README.md +++ b/examples/ac/README.md @@ -42,18 +42,18 @@ From ac directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | | [tls](#requirement\_tls) | ~> 3.4.0 | -| [zpa](#requirement\_zpa) | >=2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | | [local](#provider\_local) | ~> 2.2.0 | | [random](#provider\_random) | ~> 3.3.0 | | [tls](#provider\_tls) | ~> 3.4.0 | @@ -80,6 +80,8 @@ From ac directory execute: | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs 
@@ -88,6 +90,7 @@ From ac directory execute: | [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `2` | no | | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5a.xlarge"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/ac/main.tf b/examples/ac/main.tf index fc48fb7..f30372c 100755 --- a/examples/ac/main.tf +++ b/examples/ac/main.tf @@ -152,8 +152,9 @@ resource "local_file" "user_data_file" { locals { al2userdata = < /etc/yum.repos.d/zscaler.repo <<-EOT +sleep 15 +touch /etc/yum.repos.d/zscaler.repo +cat > /etc/yum.repos.d/zscaler.repo <<-EOT [zscaler] name=Zscaler Private Access Repository baseurl=https://yum.private.zscaler.com/yum/el7 
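Review bot: The added `sleep 15` before the repo file is written is an unexplained fixed delay; nothing in the hunk says what it waits for, so a later maintainer cannot tell whether it is still needed or should be a readiness check on the actual condition. I would annotate it, e.g. `# wait for <network/cloud-init> to settle before adding the repo — TODO confirm what this is really waiting on`, or replace it with a bounded loop on that condition. The repo stanza's trailing lines (`gpgcheck`/`gpgkey`) fall outside the hunk; since packages are then installed from this `baseurl`, confirm `gpgcheck=1` with the Zscaler key is present there, otherwise TLS is the only thing protecting the package supply chain. The `al2userdata` heredoc and its enclosing `locals` block continue past the end of the hunk.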
@@ -190,7 +191,38 @@ resource "local_file" "al2_user_data_file" { filename = "../user_data" } + +################################################################################ +# Locate Latest App Connector AMI by product code +################################################################################ +data "aws_ami" "appconnector" { + count = var.use_zscaler_ami ? 1 : 0 + most_recent = true + + filter { + name = "product-code" + values = ["by1wc5269g0048ix2nqvr0362"] + } + + owners = ["aws-marketplace"] +} + + +################################################################################ +# Locate Latest Amazon Linux 2 AMI for instance use +################################################################################ +data "aws_ssm_parameter" "amazon_linux_latest" { + count = var.use_zscaler_ami ? 0 : 1 + name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" +} + +locals { + ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value) +} + +################################################################################ # Create specified number of AC appliances +################################################################################ module "ac_vm" { source = "../../modules/terraform-zsac-acvm-aws" ac_count = var.ac_count @@ -204,7 +236,7 @@ module "ac_vm" { iam_instance_profile = module.ac_iam.iam_instance_profile_id security_group_id = module.ac_sg.ac_security_group_id associate_public_ip_address = var.associate_public_ip_address - use_zscaler_ami = var.use_zscaler_ami + ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id depends_on = [ module.zpa_provisioning_key, diff --git a/examples/ac/terraform.tfvars b/examples/ac/terraform.tfvars index 6dde645..60a4eb6 100755 --- a/examples/ac/terraform.tfvars +++ b/examples/ac/terraform.tfvars 
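Review bot: `local.ami_selected` relies on `try()` swallowing an index-out-of-range error from whichever count-gated data source was not created, so the selection is driven by an evaluation error rather than by `var.use_zscaler_ami`; an explicit conditional states the intent and fails loudly if both lookups are ever absent: `ami_selected = var.use_zscaler_ami ? data.aws_ami.appconnector[0].id : data.aws_ssm_parameter.amazon_linux_latest[0].value`. The `aws_ami` lookup is reasonably anchored (owner `aws-marketplace` plus a product-code filter), but `most_recent = true` re-resolves the image on every plan, which presumably proposes instance replacement whenever Zscaler publishes a new image (the module's AMI handling is outside this diff). I would say so above the data source, e.g. `# most_recent re-resolves on every plan; set var.ami_id to pin an image and avoid forced replacement`.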
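Review bot: `contains(var.ami_id, "")` treats any empty element as "use the latest AMI for every instance", so a partially pinned list such as `["ami-0abc…", ""]` silently discards the pin instead of honouring it per index as the variable description promises. Filling the blanks per element keeps the default behaviour (`[""]` still yields `[local.ami_selected]`) and makes mixed lists do what the description says: `ami_id = [for id in var.ami_id : id == "" ? local.ami_selected : id]`; if mixed lists are not meant to be supported, reject them in the variable's validation instead. A user-supplied ID is passed straight through with none of the owner/product-code filtering the Marketplace lookup applies, so a one-line comment here that a pinned AMI is trusted as given would help the next reader. The `module "ac_vm"` block starts before and ends after the hunk.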
@@ -149,25 +149,34 @@ #reuse_iam = true +## 15. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available. +## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. +## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index + +## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version. +## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. + +#ami_id = ["ami-123456789"] + ##################################################################################################################### ##### Custom BYO variables. Only applicable for deployments without "base" resource requirements ##### ##### E.g. "ac" ##### ##################################################################################################################### -## 15. By default, this script will create a new AWS VPC. +## 16. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 16. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 17. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 17. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 18. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. 
Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. @@ -175,7 +184,7 @@ #byo_subnets = true -## 18. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 19. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## @@ -188,7 +197,7 @@ #byo_subnet_ids = ["subnet-id"] -## 19. By default, this script will create a new Internet Gateway resource in the VPC. +## 20. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. 
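Review bot: The new note under item 15 warns against hard-coding AMI IDs but leaves out the security reason: an `ami_id` set here is passed through to the instance module as given, with none of the owner/product-code filtering the Marketplace lookup applies, so a mistyped or untrusted ID would be launched as an App Connector. I would add a line to the note: `## A pinned AMI is used as-is (no Marketplace owner/product-code check); verify the ID is a Zscaler-published image before setting it.` The example `ami-123456789` is also not a well-formed AMI ID (these are `ami-` followed by 8 or 17 hex characters), so `#ami_id = ["ami-0123456789abcdef0"]` is a safer template for someone to copy.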
@@ -196,13 +205,13 @@ #byo_igw = true -## 20. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 21. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 21. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 22. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy App Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -212,7 +221,7 @@ #byo_ngw = true -## 22. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true +## 23. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true ## NAT Gateway IDs must be added as a list with order determining assocations for the AC Route Tables (ac-rt) ## nat_gateway_id next hop ## 
@@ -227,31 +236,31 @@ ## affinity ensure you enter the list of NAT GW IDs in order of 1. if creating AC subnets az_count will ## go in order az1, az2, etc. 2. if byo_subnet_ids, map this list NAT Gateway ID-1 to Subnet ID-1, etc. ## -## Example: byo_natgw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"] +## Example: byo_ngw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"] #byo_ngw_ids = ["nat-id"] -## 23. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector +## 24. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 24. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 25. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 25. By default, this script will create new Security Groups for the App Connector interface +## 26. By default, this script will create new Security Groups for the App Connector interface ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 26. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 27. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_security_group_id = ["sg-1","sg-2"] diff --git a/examples/ac/variables.tf b/examples/ac/variables.tf index 86e1662..c18923a 100755 --- a/examples/ac/variables.tf +++ b/examples/ac/variables.tf 
@@ -96,6 +96,12 @@ variable "use_zscaler_ami" { description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead" } +variable "ami_id" { + type = list(string) + description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index" + default = [""] +} + # BYO (Bring-your-own) variables list variable "byo_vpc" { diff --git a/examples/ac_asg/README.md b/examples/ac_asg/README.md index 20db4c2..20edc27 100644 --- a/examples/ac_asg/README.md +++ b/examples/ac_asg/README.md @@ -42,18 +42,18 @@ From ac_asg directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | | [tls](#requirement\_tls) | ~> 3.4.0 | -| [zpa](#requirement\_zpa) | ~>2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | | [local](#provider\_local) | ~> 2.2.0 | | [random](#provider\_random) | ~> 3.3.0 | | [tls](#provider\_tls) | ~> 3.4.0 | 
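Review bot: `ami_id` accepts any list of strings, and an entry that is neither empty nor a real AMI ID only fails later inside the `ac_vm` module with an EC2 error; a `validation` block (available since Terraform 0.13, inside this example's `>= 0.13.7` requirement) rejects it at plan time and records the sentinel convention in the variable itself. The description should also state that `[""]` (the default) means "resolve the latest AMI", since nothing in the variable explains the empty-string sentinel. The check below avoids `alltrue()` so it still evaluates on 0.13.x.

```hcl
variable "ami_id" {
  # … unchanged: type, description, default …

  validation {
    condition     = length([for id in var.ami_id : id if !(id == "" || can(regex("^ami-[0-9a-f]{8,17}$", id)))]) == 0
    error_message = "Each ami_id entry must be \"\" (resolve the latest AMI) or a well-formed AMI ID such as ami-0123456789abcdef0."
  }
}
```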
@@ -80,6 +80,8 @@ From ac_asg directory execute: | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs @@ -87,6 +89,7 @@ From ac_asg directory execute: |------|-------------|------|---------|:--------:| | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/ac_asg/main.tf b/examples/ac_asg/main.tf index b20ebcc..4a8e12f 100755 --- a/examples/ac_asg/main.tf +++ b/examples/ac_asg/main.tf @@ -152,8 +152,9 @@ resource "local_file" "user_data_file" { locals { al2userdata = < /etc/yum.repos.d/zscaler.repo <<-EOT +sleep 15 +touch /etc/yum.repos.d/zscaler.repo +cat > /etc/yum.repos.d/zscaler.repo <<-EOT [zscaler] name=Zscaler Private Access Repository baseurl=https://yum.private.zscaler.com/yum/el7 
@@ -190,7 +191,39 @@ resource "local_file" "al2_user_data_file" { filename = "../user_data" } + +################################################################################ +# Locate Latest App Connector AMI by product code +################################################################################ +data "aws_ami" "appconnector" { + count = var.use_zscaler_ami ? 1 : 0 + most_recent = true + + filter { + name = "product-code" + values = ["by1wc5269g0048ix2nqvr0362"] + } + + owners = ["aws-marketplace"] +} + + +################################################################################ +# Locate Latest Amazon Linux 2 AMI for instance use +################################################################################ +data "aws_ssm_parameter" "amazon_linux_latest" { + count = var.use_zscaler_ami ? 0 : 1 + name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" +} + +locals { + ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value) +} + + +################################################################################ # Create the specified AC VMs via Launch Template and Autoscaling Group +################################################################################ module "ac_asg" { source = "../../modules/terraform-zsac-asg-aws" name_prefix = var.name_prefix @@ -203,6 +236,7 @@ module "ac_asg" { iam_instance_profile = module.ac_iam.iam_instance_profile_id security_group_id = module.ac_sg.ac_security_group_id associate_public_ip_address = var.associate_public_ip_address + ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id max_size = var.max_size min_size = var.min_size diff --git a/examples/ac_asg/terraform.tfvars b/examples/ac_asg/terraform.tfvars index ae5a25b..02ea319 100644 --- a/examples/ac_asg/terraform.tfvars +++ b/examples/ac_asg/terraform.tfvars 
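Review bot: `ami_id` is handed to `module "ac_asg"` as a list, but an autoscaling group launches from one launch template and therefore one image, and this example has no `ac_count` input (its Inputs table starts at `ac_subnets`), so the per-index semantics inherited from the VM example cannot apply here. How the ASG module consumes a multi-element list is outside this diff, so confirm it either takes the first element or rejects longer lists. I would make the single-image contract visible at the call site, e.g. `ami_id = contains(var.ami_id, "") ? [local.ami_selected] : [var.ami_id[0]] # ASG launch template uses a single image`, or constrain the variable to one element. The `module "ac_asg"` block starts before and ends after the hunk.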
@@ -174,25 +174,34 @@ #target_cpu_util_value = 50 +## 23. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available. +## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. +## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index + +## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version. +## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. + +#ami_id = ["ami-123456789"] + ##################################################################################################################### ##### Custom BYO variables. Only applicable for deployments without "base" resource requirements ##### ##### E.g. "ac_asg" ##### ##################################################################################################################### -## 23. By default, this script will create a new AWS VPC. +## 24. By default, this script will create a new AWS VPC. ## Uncomment if you want to deploy all resources to a VPC that already exists (true or false. Default: false) #byo_vpc = true -## 24. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) +## 25. Provide your existing VPC ID. Only uncomment and modify if you set byo_vpc to true. (Default: null) ## Example: byo_vpc_id = "vpc-0588ce674df615334" #byo_vpc_id = "vpc-0588ce674df615334" -## 25. By default, this script will create new AWS subnets in the VPC defined based on az_count. +## 26. By default, this script will create new AWS subnets in the VPC defined based on az_count. ## Uncomment if you want to deploy all resources to subnets that already exist (true or false. 
Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VPC must also already exist. ## Setting byo_subnet to true means byo_vpc must ALSO be set to true. @@ -200,7 +209,7 @@ #byo_subnets = true -## 26. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. +## 27. Provide your existing App Connector private subnet IDs. Only uncomment and modify if you set byo_subnets to true. ## Subnet IDs must be added as a list with order determining assocations for resources like aws_instance, NAT GW, ## Route Tables, etc. Provide only one subnet per Availability Zone in a VPC ## @@ -213,7 +222,7 @@ #byo_subnet_ids = ["subnet-id"] -## 27. By default, this script will create a new Internet Gateway resource in the VPC. +## 28. By default, this script will create a new Internet Gateway resource in the VPC. ## Uncomment if you want to utlize an IGW that already exists (true or false. Default: false) ## Dependencies require in order to reference an existing IGW, the corresponding VPC must also already exist. ## Setting byo_igw to true means byo_vpc must ALSO be set to true. 
@@ -221,13 +230,13 @@ #byo_igw = true -## 28. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. +## 29. Provide your existing Internet Gateway ID. Only uncomment and modify if you set byo_igw to true. ## Example: byo_igw_id = "igw-090313c21ffed44d3" #byo_igw_id = "igw-090313c21ffed44d3" -## 29. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. +## 30. By default, this script will create new Public Subnets, and NAT Gateway w/ Elastic IP in the VPC defined or selected. ## It will also create a Route Table forwarding default 0.0.0.0/0 next hop to the Internet Gateway that is created or defined ## based on the byo_igw variable and associate with the public subnet(s) ## Uncomment if you want to deploy App Connectors routing to NAT Gateway(s)/Public Subnet(s) that already exist (true or false. Default: false) @@ -237,7 +246,7 @@ #byo_ngw = true -## 30. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true +## 31. Provide your existing NAT Gateway IDs. Only uncomment and modify if you set byo_subnets to true ## NAT Gateway IDs must be added as a list with order determining assocations for the AC Route Tables (ac-rt) ## nat_gateway_id next hop ## 
@@ -252,31 +261,31 @@ ## affinity ensure you enter the list of NAT GW IDs in order of 1. if creating AC subnets az_count will ## go in order az1, az2, etc. 2. if byo_subnet_ids, map this list NAT Gateway ID-1 to Subnet ID-1, etc. ## -## Example: byo_natgw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"] +## Example: byo_ngw_ids = ["nat-0e1351f3e8025a30e","nat-0e98fc3d8e09ed0e9"] #byo_ngw_ids = ["nat-id"] -## 31. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector +## 32. By default, this script will create new IAM roles, policy, and Instance Profiles for the App Connector ## Uncomment if you want to use your own existing IAM Instance Profiles (true or false. Default: false) #byo_iam = true -## 32. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true +## 33. Provide your existing Instance Profile resource names. Only uncomment and modify if you set byo_iam to true ## Example: byo_iam_instance_profile_id = ["instance-profile-1","instance-profile-2"] #byo_iam_instance_profile_id = ["instance-profile-1"] -## 33. By default, this script will create new Security Groups for the App Connector interfaces +## 34. By default, this script will create new Security Groups for the App Connector interfaces ## Uncomment if you want to use your own existing SGs (true or false. Default: false) #byo_security_group = true -## 34. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true +## 35. Provide your existing Security Group resource names. Only uncomment and modify if you set byo_security_group to true ## Example: byo_security_group_id = ["sg-1","sg-2"] diff --git a/examples/ac_asg/variables.tf b/examples/ac_asg/variables.tf index 0e684f8..9b3516e 100755 --- a/examples/ac_asg/variables.tf +++ b/examples/ac_asg/variables.tf 
@@ -171,6 +171,12 @@ variable "target_cpu_util_value" { default = 50 } +variable "ami_id" { + type = list(string) + description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index" + default = [""] +} + # BYO (Bring-your-own) variables list variable "byo_vpc" { diff --git a/examples/base/README.md b/examples/base/README.md index b44acae..565143e 100644 --- a/examples/base/README.md +++ b/examples/base/README.md @@ -38,7 +38,7 @@ From base directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | @@ -48,7 +48,7 @@ From base directory execute: | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | | [local](#provider\_local) | ~> 2.2.0 | | [random](#provider\_random) | ~> 3.3.0 | | [tls](#provider\_tls) | ~> 3.4.0 | diff --git a/examples/base_ac/README.md b/examples/base_ac/README.md index 2354106..d92e478 100644 --- a/examples/base_ac/README.md +++ b/examples/base_ac/README.md 
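Review bot: The description is copied from the VM example and promises upgrading "select ACs deployed based on the ac_count index", yet this ASG example defines no `ac_count` input and sizes the group through `min_size`/`max_size` (the adjacent `target_cpu_util_value` variable belongs to that scaling setup), so it documents behaviour this module cannot offer. I would trim it to the single-image case, e.g. `AMI ID for the App Connector launch template. Leave as [""] to resolve the latest Marketplace (or Amazon Linux 2) image; set to pin an image and avoid replacement on newer releases.` If the ASG module only ever applies one image, add `validation { condition = length(var.ami_id) == 1 error_message = "ami_id must contain exactly one entry for the ASG launch template." }` so a longer list is rejected at plan time rather than handled in whatever way the module, which is outside this diff, happens to do.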
@@ -43,18 +43,18 @@ From base_ac directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | | [tls](#requirement\_tls) | ~> 3.4.0 | -| [zpa](#requirement\_zpa) | ~> 2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | | [local](#provider\_local) | ~> 2.2.0 | | [random](#provider\_random) | ~> 3.3.0 | | [tls](#provider\_tls) | ~> 3.4.0 | @@ -82,6 +82,8 @@ From base_ac directory execute: | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs 
@@ -90,6 +92,7 @@ From base_ac directory execute: | [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `2` | no | | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/base_ac/main.tf b/examples/base_ac/main.tf index a55aa8b..a041e23 100755 --- a/examples/base_ac/main.tf +++ b/examples/base_ac/main.tf 
@@ -197,7 +197,39 @@ resource "local_file" "al2_user_data_file" { filename = "../user_data" } + +################################################################################ +# Locate Latest App Connector AMI by product code +################################################################################ +data "aws_ami" "appconnector" { + count = var.use_zscaler_ami ? 1 : 0 + most_recent = true + + filter { + name = "product-code" + values = ["by1wc5269g0048ix2nqvr0362"] + } + + owners = ["aws-marketplace"] +} + + +################################################################################ +# Locate Latest Amazon Linux 2 AMI for instance use +################################################################################ +data "aws_ssm_parameter" "amazon_linux_latest" { + count = var.use_zscaler_ami ? 0 : 1 + name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" +} + +locals { + ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value) +} + + +################################################################################ # Create specified number of AC appliances +################################################################################ module "ac_vm" { source = "../../modules/terraform-zsac-acvm-aws" ac_count = var.ac_count @@ -211,7 +243,7 @@ module "ac_vm" { iam_instance_profile = module.ac_iam.iam_instance_profile_id security_group_id = module.ac_sg.ac_security_group_id associate_public_ip_address = var.associate_public_ip_address - use_zscaler_ami = var.use_zscaler_ami + ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id depends_on = [ module.zpa_provisioning_key, diff --git a/examples/base_ac/terraform.tfvars b/examples/base_ac/terraform.tfvars index 47b8e10..4bb6cd1 100755 --- a/examples/base_ac/terraform.tfvars +++ b/examples/base_ac/terraform.tfvars 
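Review bot: `contains(var.ami_id, "")` on the new `ami_id` line turns any list containing an empty element into "latest AMI for every instance", so a partially pinned list such as `["ami-0abc…", ""]` silently loses its pin rather than being honoured per index as the variable description states. Resolving blanks per element keeps the default path identical and makes mixed lists behave: `ami_id = [for id in var.ami_id : id == "" ? local.ami_selected : id]`. Separately, `try()` in `local.ami_selected` hides that the choice is really `var.use_zscaler_ami`; `var.use_zscaler_ami ? data.aws_ami.appconnector[0].id : data.aws_ssm_parameter.amazon_linux_latest[0].value` says the same thing without depending on an index error. The `module "ac_vm"` block starts before and ends after the hunk.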
@@ -60,11 +60,11 @@ ## 5. AWS region where App Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: us-west-2) -aws_region = "us-west-2" +#aws_region = "us-west-2" ## 6. By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead" -#use_zscaler_ami = false +#use_zscaler_ami = false ## 7. App Connector AWS EC2 Instance size selection. Uncomment #acvm_instance_type line with desired vm size to change. ## (Default: m5.large) @@ -148,3 +148,12 @@ aws_region = "us-west-2" ## Uncomment if you want to use the same IAM Role/Instance Profile for ALL App Connectors (true or false. Default: false) #reuse_iam = true + +## 15. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available. +## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. +## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index + +## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version. +## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. + +#ami_id = ["ami-123456789"] diff --git a/examples/base_ac/variables.tf b/examples/base_ac/variables.tf index 59f6e37..8687eb1 100755 --- a/examples/base_ac/variables.tf +++ b/examples/base_ac/variables.tf 
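Review bot: Whether a standalone `terraform plan` still has a region now depends on `variable "aws_region"` carrying a default, since `aws_region = "us-west-2"` becomes a comment here; that variable's definition is outside this diff, so confirm it still defaults to `us-west-2` as the comment on the preceding lines promises, otherwise the ZSEC-less path will prompt for it. The remaining edits in these hunks are whitespace and comment renumbering. As in the other examples, the new item 15 should state that a pinned `ami_id` is used without the Marketplace owner/product-code check, e.g. `## A pinned AMI is used as-is (no Marketplace owner/product-code check); verify it is a Zscaler-published image.`, and the example `ami-123456789` is not a well-formed AMI ID.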
@@ -119,6 +119,13 @@ variable "use_zscaler_ami" { description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead" } +variable "ami_id" { + type = list(string) + description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index" + default = [""] +} + + # ZPA Provider specific variables for App Connector Group and Provisioning Key creation variable "byo_provisioning_key" { type = bool diff --git a/examples/base_ac_asg/README.md b/examples/base_ac_asg/README.md index e941273..cce7909 100644 --- a/examples/base_ac_asg/README.md +++ b/examples/base_ac_asg/README.md @@ -42,18 +42,18 @@ From base_ac_asg directory execute: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | | [random](#requirement\_random) | ~> 3.3.0 | | [tls](#requirement\_tls) | ~> 3.4.0 | -| [zpa](#requirement\_zpa) | >=2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | | [local](#provider\_local) | ~> 2.2.0 | | [random](#provider\_random) | ~> 3.3.0 | | [tls](#provider\_tls) | ~> 3.4.0 | 
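Review bot: `variable "ami_id"` accepts any string as an AMI override, and the value reaches `aws_instance.ami` in the module unchecked, so a typo or an ID pasted from another region fails only at apply time, while a well-formed but untrusted ID is launched with the connector's instance profile with no provenance check at all. A `validation` block that permits the empty "use latest" sentinel or a syntactically valid AMI ID catches the first class at plan time, and it belongs here rather than in the module because the sentinel is an example-level convention. Checking provenance (for instance a `data "aws_ami"` lookup of each supplied ID restricted to `owners = ["aws-marketplace", "amazon"]`) would close the second at the cost of one data source per entry; I'd raise that as a follow-up.
```hcl
variable "ami_id" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for id in var.ami_id : id == "" || can(regex("^ami-[0-9a-f]{8,17}$", id))])
    error_message = "Each ami_id entry must be \"\" (use the latest AMI) or an AMI ID such as ami-0123456789abcdef0."
  }
}
```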
@@ -81,6 +81,8 @@ From base_ac_asg directory execute: | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs @@ -88,6 +90,7 @@ From base_ac_asg directory execute: |------|-------------|------|---------|:--------:| | [ac\_subnets](#input\_ac\_subnets) | App Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [app\_connector\_group\_country\_code](#input\_app\_connector\_group\_country\_code) | Optional: Country code of this App Connector Group. example 'US' | `string` | `""` | no | | [app\_connector\_group\_description](#input\_app\_connector\_group\_description) | Optional: Description of the App Connector Group | `string` | `"This App Connector Group belongs to: "` | no | | [app\_connector\_group\_dns\_query\_type](#input\_app\_connector\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the App Connector Group | `string` | `"IPV4_IPV6"` | no | diff --git a/examples/base_ac_asg/main.tf b/examples/base_ac_asg/main.tf index c426944..8251437 100755 --- a/examples/base_ac_asg/main.tf +++ b/examples/base_ac_asg/main.tf @@ -158,8 +158,9 @@ resource "local_file" "user_data_file" { locals { al2userdata = < /etc/yum.repos.d/zscaler.repo <<-EOT +sleep 15 +touch /etc/yum.repos.d/zscaler.repo +cat > /etc/yum.repos.d/zscaler.repo <<-EOT [zscaler] name=Zscaler Private Access Repository baseurl=https://yum.private.zscaler.com/yum/el7 
@@ -196,7 +197,39 @@ resource "local_file" "al2_user_data_file" {
 filename = "../user_data"
 }
+
+################################################################################
+# Locate Latest App Connector AMI by product code
+################################################################################
+data "aws_ami" "appconnector" {
+ count = var.use_zscaler_ami ? 1 : 0
+ most_recent = true
+
+ filter {
+ name = "product-code"
+ values = ["by1wc5269g0048ix2nqvr0362"]
+ }
+
+ owners = ["aws-marketplace"]
+}
+
+
+################################################################################
+# Locate Latest Amazon Linux 2 AMI for instance use
+################################################################################
+data "aws_ssm_parameter" "amazon_linux_latest" {
+ count = var.use_zscaler_ami ? 0 : 1
+ name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
+}
+
+locals {
+ ami_selected = try(data.aws_ami.appconnector[0].id, data.aws_ssm_parameter.amazon_linux_latest[0].value)
+}
+
+
+################################################################################
 # Create the specified AC VMs via Launch Template and Autoscaling Group
+################################################################################
 module "ac_asg" {
 source = "../../modules/terraform-zsac-asg-aws"
 name_prefix = var.name_prefix
@@ -209,6 +242,7 @@ module "ac_asg" {
 iam_instance_profile = module.ac_iam.iam_instance_profile_id
 security_group_id = module.ac_sg.ac_security_group_id
 associate_public_ip_address = var.associate_public_ip_address
+ ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id
 max_size = var.max_size
 min_size = var.min_size
diff --git a/examples/base_ac_asg/terraform.tfvars b/examples/base_ac_asg/terraform.tfvars
index aca9f6f..dc26ab6 100644
--- a/examples/base_ac_asg/terraform.tfvars
+++ b/examples/base_ac_asg/terraform.tfvars
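Review bot: `ami_id = contains(var.ami_id, "") ? [local.ami_selected] : var.ami_id` passes a list into the ASG module, but that module's launch template is a single resource (`count = 1`) reading `element(var.ami_id, count.index)`, so in this example only the first entry can ever take effect and the per-index upgrade the tfvars text and variable description promise does not apply here. I would say so on the line: `# ASG: only ami_id[0] is consumed (one launch template); further entries are ignored`. Note also that a changed AMI only creates a new launch-template version; whether running connectors are rolled depends on the ASG's instance-refresh settings, which lie outside this hunk.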
@@ -172,3 +172,12 @@ ## (Default: 50%) #target_cpu_util_value = 50 + +## 23. By default, terraform will always query the AWS Marketplace for the latest App Connector AMI available. +## This variable is provided if a customer desires to override or retain an old ami for existing deployments rather than upgrading and forcing a replacement. +## It is also inputted as a list to facilitate if a customer desired to manually upgrade only select ACs deployed based on the ac_count index + +## Note: Customers should NOT be hard coding AMI IDs as Zscaler recommendation is to always be deploying/running the latest version. +## Leave this variable commented out unless you are absolutely certain why/that you need to set it and only temporarily. + +#ami_id = ["ami-123456789"] diff --git a/examples/base_ac_asg/variables.tf b/examples/base_ac_asg/variables.tf index 9d0973e..fb06475 100755 --- a/examples/base_ac_asg/variables.tf +++ b/examples/base_ac_asg/variables.tf @@ -176,6 +176,12 @@ variable "target_cpu_util_value" { default = 50 } +variable "ami_id" { + type = list(string) + description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index" + default = [""] +} + # ZPA Provider specific variables for App Connector Group and Provisioning Key creation variable "byo_provisioning_key" { diff --git a/modules/terraform-zpa-app-connector-group/README.md b/modules/terraform-zpa-app-connector-group/README.md index 523d4a1..96951c8 100644 --- a/modules/terraform-zpa-app-connector-group/README.md +++ b/modules/terraform-zpa-app-connector-group/README.md 
@@ -8,13 +8,13 @@ This module provides the resources necessary to create a new ZPA App Connector G | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [zpa](#requirement\_zpa) | ~> 2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [zpa](#provider\_zpa) | ~> 2.5.4 | +| [zpa](#provider\_zpa) | ~> 2.6.0 | ## Modules diff --git a/modules/terraform-zpa-provisioning-key/README.md b/modules/terraform-zpa-provisioning-key/README.md index b237be6..2cfc237 100644 --- a/modules/terraform-zpa-provisioning-key/README.md +++ b/modules/terraform-zpa-provisioning-key/README.md @@ -10,13 +10,13 @@ There is a "BYO" option where you can conditionally create new or reference an e | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [zpa](#requirement\_zpa) | ~> 2.5.4 | +| [zpa](#requirement\_zpa) | ~> 2.6.0 | ## Providers | Name | Version | |------|---------| -| [zpa](#provider\_zpa) | ~> 2.5.4 | +| [zpa](#provider\_zpa) | ~> 2.6.0 | ## Modules diff --git a/modules/terraform-zsac-acvm-aws/README.md b/modules/terraform-zsac-acvm-aws/README.md index f4cf095..5363a00 100644 --- a/modules/terraform-zsac-acvm-aws/README.md +++ b/modules/terraform-zsac-acvm-aws/README.md @@ -8,7 +8,7 @@ This module creates all AWS EC2 instance resources needed to deploy App Connecto | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | | [local](#requirement\_local) | ~> 2.2.0 | | [null](#requirement\_null) | ~> 3.1.0 | @@ -16,7 +16,7 @@ This module creates all AWS EC2 instance resources needed to deploy App Connecto | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules 
@@ -27,8 +27,6 @@ No modules. | Name | Type | |------|------| | [aws_instance.ac_vm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | -| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs @@ -37,6 +35,7 @@ No modules. | [ac\_count](#input\_ac\_count) | Default number of App Connector appliances to create | `number` | `1` | no | | [ac\_subnet\_ids](#input\_ac\_subnet\_ids) | App Connector EC2 Instance subnet ID | `list(string)` | n/a | yes | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | enable/disable public IP addresses on App Connector instances | `bool` | `false` | no | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile ID assigned to App Connector | `list(string)` | n/a | yes | @@ -44,7 +43,6 @@ No modules. | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the App Connector module resources | `string` | `null` | no | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the App Connector module resources | `string` | `null` | no | | [security\_group\_id](#input\_security\_group\_id) | App Connector EC2 Instance management subnet id | `list(string)` | n/a | yes | -| [use\_zscaler\_ami](#input\_use\_zscaler\_ami) | By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead | `bool` | `true` | no | | [user\_data](#input\_user\_data) | App Init data | `string` | n/a | yes | ## Outputs diff --git a/modules/terraform-zsac-acvm-aws/main.tf b/modules/terraform-zsac-acvm-aws/main.tf index e1672cc..169a16d 100755 --- a/modules/terraform-zsac-acvm-aws/main.tf +++ b/modules/terraform-zsac-acvm-aws/main.tf 
@@ -1,32 +1,9 @@
-################################################################################
-# Locate Latest App Connector AMI by product code
-################################################################################
-data "aws_ami" "appconnector" {
- most_recent = true
-
- filter {
- name = "product-code"
- values = ["3n2udvk6ba2lglockhnetlujo"]
- }
-
- owners = ["aws-marketplace"]
-}
-
-
-################################################################################
-# Locate Latest Amazon Linux 2 AMI for instance use
-################################################################################
-data "aws_ssm_parameter" "amazon_linux_latest" {
- name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
-}
-
-
 ################################################################################
 # Create App Connector VM
 ################################################################################
 resource "aws_instance" "ac_vm" {
 count = var.ac_count
- ami = var.use_zscaler_ami == true ? data.aws_ami.appconnector.id : data.aws_ssm_parameter.amazon_linux_latest.value
+ ami = element(var.ami_id, count.index)
 instance_type = var.acvm_instance_type
 iam_instance_profile = element(var.iam_instance_profile, count.index)
 vpc_security_group_ids = [element(var.security_group_id, count.index)]
diff --git a/modules/terraform-zsac-acvm-aws/variables.tf b/modules/terraform-zsac-acvm-aws/variables.tf
index ea10133..d40774d 100755
--- a/modules/terraform-zsac-acvm-aws/variables.tf
+++ b/modules/terraform-zsac-acvm-aws/variables.tf
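Review bot: `ami = element(var.ami_id, count.index)` depends on `element()` wrapping around, which is what lets the callers' one-entry list cover every instance, but it also means a list shorter than `ac_count` silently recycles entries instead of failing — with `ac_count = 3` and two IDs the third connector quietly gets `ami_id[0]`, contrary to the per-index mapping the variable description promises. Either document the wrap on the line (`# element() wraps: a single entry applies to all ACs; a partial list cycles rather than erroring`) or reject the ambiguous case in variables.tf with `condition = length(var.ami_id) == 1 || length(var.ami_id) >= var.ac_count`. The `aws_instance` resource continues beyond the hunk.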
@@ -84,8 +84,8 @@ variable "associate_public_ip_address" {
 description = "enable/disable public IP addresses on App Connector instances"
 }
-variable "use_zscaler_ami" {
- default = true
- type = bool
- description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead"
+variable "ami_id" {
+ type = list(string)
+ description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+ default = [""]
 }
diff --git a/modules/terraform-zsac-asg-aws/README.md b/modules/terraform-zsac-asg-aws/README.md
index ad3faa8..8767b52 100644
--- a/modules/terraform-zsac-asg-aws/README.md
+++ b/modules/terraform-zsac-asg-aws/README.md
@@ -8,13 +8,13 @@ This module creates a AWS Launch Template, Autoscaling Group, and Policy resourc
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 ## Modules
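Review bot: `default = [""]` is not a usable value for this module: nothing in `modules/terraform-zsac-acvm-aws` resolves the empty string to a lookup any more (the `aws_ami` and `aws_ssm_parameter` data sources moved to the examples), so a caller that omits `ami_id` ends up with `ami = ""` and an error only at apply time. Either drop the default so the input is required, or add a `validation` block that rejects anything but a well-formed AMI ID, which turns the mistake into a plan-time error with a message that explains it; I'd do both, as below. Whether to also constrain provenance (a lookup by ID with an `owners` filter) is a separate question for the examples, since the module cannot know which owners a caller trusts.
```hcl
variable "ami_id" {
  type = list(string)
  # … unchanged: description …
  # no default: this module cannot resolve an empty ID, so callers must supply one

  validation {
    condition     = alltrue([for id in var.ami_id : can(regex("^ami-[0-9a-f]{8,17}$", id))])
    error_message = "Every ami_id entry must be a well-formed AMI ID (ami-xxxxxxxx); an empty string is not resolved by this module."
  }
}
```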
@@ -27,8 +27,6 @@ No modules. | [aws_autoscaling_group.ac_asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | | [aws_autoscaling_policy.ac_asg_target_tracking_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_policy) | resource | | [aws_launch_template.ac_launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | -| [aws_ami.appconnector](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_ssm_parameter.amazon_linux_latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs @@ -36,6 +34,7 @@ No modules. |------|-------------|------|---------|:--------:| | [ac\_subnet\_ids](#input\_ac\_subnet\_ids) | App Connector EC2 Instance subnet IDs list | `list(string)` | n/a | yes | | [acvm\_instance\_type](#input\_acvm\_instance\_type) | App Connector Instance Type | `string` | `"m5.large"` | no | +| [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac\_count index | `list(string)` |
[
""
]
| no | | [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | enable/disable public IP addresses on App Connector instances | `bool` | `false` | no | | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no | | [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The amount of time until EC2 Auto Scaling performs the first health check on new instances after they are put into service. Default is 5 minutes | `number` | `300` | no | 
@@ -50,7 +49,6 @@ No modules. | [security\_group\_id](#input\_security\_group\_id) | App Connector EC2 Instance management subnet id | `list(string)` | n/a | yes | | [target\_cpu\_util\_value](#input\_target\_cpu\_util\_value) | Target value number for autoscaling policy CPU utilization target tracking. ie: trigger a scale in/out to keep average CPU Utliization percentage across all instances at/under this number | `number` | `50` | no | | [target\_tracking\_metric](#input\_target\_tracking\_metric) | The AWS ASG pre-defined target tracking metric type. App Connector recommends ASGAverageCPUUtilization | `string` | `"ASGAverageCPUUtilization"` | no | -| [use\_zscaler\_ami](#input\_use\_zscaler\_ami) | By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead | `bool` | `true` | no | | [user\_data](#input\_user\_data) | App Init data | `string` | n/a | yes | | [warm\_pool\_enabled](#input\_warm\_pool\_enabled) | If set to true, add a warm pool to the specified Auto Scaling group. See [warm\_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#warm_pool). | `bool` | `"false"` | no | | [warm\_pool\_max\_group\_prepared\_capacity](#input\_warm\_pool\_max\_group\_prepared\_capacity) | Specifies the total maximum number of instances that are allowed to be in the warm pool or in any state except Terminated for the Auto Scaling group. Ignored when 'warm\_pool\_enabled' is false | `number` | `null` | no | diff --git a/modules/terraform-zsac-asg-aws/main.tf b/modules/terraform-zsac-asg-aws/main.tf index 1d7aba4..19689f8 100755 --- a/modules/terraform-zsac-asg-aws/main.tf +++ b/modules/terraform-zsac-asg-aws/main.tf 
@@ -1,26 +1,3 @@
-################################################################################
-# Locate Latest App Connector AMI by product code
-################################################################################
-data "aws_ami" "appconnector" {
- most_recent = true
-
- filter {
- name = "product-code"
- values = ["3n2udvk6ba2lglockhnetlujo"]
- }
-
- owners = ["aws-marketplace"]
-}
-
-
-################################################################################
-# Locate Latest Amazon Linux 2 AMI for instance use
-################################################################################
-data "aws_ssm_parameter" "amazon_linux_latest" {
- name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
-}
-
-
 ################################################################################
 # Create launch template for App Connector autoscaling group instance creation.
 # Mgmt and service interface device indexes are swapped to support ASG + GWLB
@@ -29,7 +6,7 @@ data "aws_ssm_parameter" "amazon_linux_latest" {
 resource "aws_launch_template" "ac_launch_template" {
 count = 1
 name = "${var.name_prefix}-ac-launch-template-${var.resource_tag}"
- image_id = var.use_zscaler_ami == true ? data.aws_ami.appconnector.id : data.aws_ssm_parameter.amazon_linux_latest.value
+ image_id = element(var.ami_id, count.index)
 instance_type = var.acvm_instance_type
 key_name = var.instance_key
 user_data = base64encode(var.user_data)
diff --git a/modules/terraform-zsac-asg-aws/variables.tf b/modules/terraform-zsac-asg-aws/variables.tf
index df1637c..eeb939f 100644
--- a/modules/terraform-zsac-asg-aws/variables.tf
+++ b/modules/terraform-zsac-asg-aws/variables.tf
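Review bot: `image_id = element(var.ami_id, count.index)` sits in a resource with `count = 1`, so it always evaluates to the first entry and the list type of `ami_id` buys nothing in this module; any further entries are silently ignored. `image_id = var.ami_id[0]` states that plainly, and a comment such as `# one launch template: only the first ami_id entry is used` would stop readers assuming the per-instance behaviour of the VM module. Beyond that, a new AMI only produces a new launch-template version — unless the ASG (outside this hunk) enables instance refresh, instances already running keep the old image, which matters for the "always run the latest" guidance given in the tfvars. The `aws_launch_template` resource continues beyond the hunk.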
@@ -79,10 +79,10 @@ variable "associate_public_ip_address" {
 description = "enable/disable public IP addresses on App Connector instances"
 }
-variable "use_zscaler_ami" {
- default = true
- type = bool
- description = "By default, App Connector will deploy via the Zscaler Latest AMI. Setting this to false will deploy the latest Amazon Linux 2 AMI instead"
+variable "ami_id" {
+ type = list(string)
+ description = "AMI ID(s) to be used for deploying App Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select ACs deployed based on the ac_count index"
+ default = [""]
 }
 variable "min_size" {
diff --git a/modules/terraform-zsac-bastion-aws/README.md b/modules/terraform-zsac-bastion-aws/README.md
index fc8136d..89f8b00 100644
--- a/modules/terraform-zsac-bastion-aws/README.md
+++ b/modules/terraform-zsac-bastion-aws/README.md
@@ -8,13 +8,13 @@ This module creates all AWS EC2 instance, IAM, and Security Group resources need
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
-| [aws](#requirement\_aws) | ~> 4.7.0 |
+| [aws](#requirement\_aws) | ~> 4.58.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | ~> 4.7.0 |
+| [aws](#provider\_aws) | ~> 4.58.0 |
 ## Modules
diff --git a/modules/terraform-zsac-iam-aws/README.md b/modules/terraform-zsac-iam-aws/README.md
index b13488f..8883c27 100644
--- a/modules/terraform-zsac-iam-aws/README.md
+++ b/modules/terraform-zsac-iam-aws/README.md
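Review bot: The `description` of `ami_id` is copied from the VM module and speaks of upgrading select ACs by `ac_count` index, but this module has no `ac_count` input and its launch template reads only the first entry, so the text misdescribes what the input does. I would trim it to something like `AMI ID used by the App Connector launch template. Only the first list entry is consumed, so pass a single ID. The default [""] is not resolvable by this module and must be overridden by the caller.`, and, as for the VM module, either drop `default = [""]` or add a `validation` that rejects the empty string so the omission fails at plan time rather than when the launch template is created. The `variable "min_size"` block that follows is unchanged.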
@@ -8,13 +8,13 @@ This module creates IAM Policies, Roles, and Instance Profile resources required | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules diff --git a/modules/terraform-zsac-network-aws/README.md b/modules/terraform-zsac-network-aws/README.md index 5dd036b..636acd3 100644 --- a/modules/terraform-zsac-network-aws/README.md +++ b/modules/terraform-zsac-network-aws/README.md @@ -8,13 +8,13 @@ This module has multi-purpose use and is leveraged by all other Zscaler App Conn | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules diff --git a/modules/terraform-zsac-sg-aws/README.md b/modules/terraform-zsac-sg-aws/README.md index 1485d21..05bb733 100644 --- a/modules/terraform-zsac-sg-aws/README.md +++ b/modules/terraform-zsac-sg-aws/README.md @@ -8,13 +8,13 @@ This module creates Security Rules and Groups resources required for successful | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 | -| [aws](#requirement\_aws) | ~> 4.7.0 | +| [aws](#requirement\_aws) | ~> 4.58.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.7.0 | +| [aws](#provider\_aws) | ~> 4.58.0 | ## Modules