
Merge pull request #1 from zscaler/zpa-#1-feat-initial-release
feat: Initial Release
willguibr authored May 17, 2023
2 parents 68ad967 + c99d46d commit 27690ab
Showing 22 changed files with 157 additions and 253 deletions.
23 changes: 0 additions & 23 deletions .github/actions/validate_tf/action.yml

This file was deleted.

27 changes: 21 additions & 6 deletions .github/workflows/ci.yml
@@ -1,9 +1,10 @@

---
name: CI/CD
on:
push:
branches:
- master
- main
- develop
pull_request:
schedule:
Expand All @@ -22,11 +23,15 @@ jobs:
uses: actions/setup-python@v2
with:
# Semantic version range syntax (like 3.x) or the exact Python version
python-version: '3.9.4'
python-version: '3.11.0'

- name: Run pre-commit framework as the developer should run it
run: sudo ./scripts/install.sh && sudo ./scripts/run.sh

- name: The `git diff` showing whether the pre-commit mandated extra changes to the repository files
if: failure()
run: git diff

validate:
name: Validate
runs-on: ubuntu-latest
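Review bot: `python-version: '3.11.0'` pins an exact patch release while the comment directly above it says the field accepts a range such as 3.x; an exact pin stops picking up 3.11 security releases, so `'3.11'` is the safer value unless a specific patch is required. The pre-commit step in the context lines runs `sudo ./scripts/install.sh && sudo ./scripts/run.sh`; installing and running the hooks as root means every hook in `.pre-commit-config.yaml` executes with root privileges on the runner, so drop `sudo` unless the scripts genuinely need it.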
Expand All @@ -36,14 +41,24 @@ jobs:
uses: actions/checkout@v2

- name: Set up Terraform
uses: hashicorp/setup-terraform@v2
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.1.7
terraform_version: 0.15.3

- name: terraform validate
env:
AWS_DEFAULT_REGION: us-west-2
run: |
cd "$GITHUB_WORKSPACE"
for dir in $(find examples -type d -not \( -name ".?*" \) -maxdepth 1 -mindepth 1);
for dir in $(find modules examples -type d -not \( -name ".?*" \) -maxdepth 1 -mindepth 1);
do
if [[ "$dir" == "modules/transit_gateway_peering" ]];
then
echo "Skipping directory: $dir"
echo "Terraform does not support validating a module which uses an aliased provider (module-specific; validating an entire configuration works fine)."
continue
fi
echo "Processing directory: $dir"
cd "$GITHUB_WORKSPACE/$dir"
terraform init -backend=false
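Review bot: the toolchain this step now pins (`hashicorp/setup-terraform@v1` with `terraform_version: 0.15.3`) is older than the `@v2` / `1.1.7` it replaces and does not match the README in this same commit, which states the deployment scripts use Terraform v1.1.9; validating with 0.15.3 can reject or silently skip syntax the modules rely on, so keep `setup-terraform@v2` and align `terraform_version` with the README. The new skip branch names `modules/transit_gateway_peering`, which is not among the files in this changeset, so either it is dead code here or the directory exists outside the diff; worth confirming. Minor: GNU `find` warns when `-maxdepth`/`-mindepth` follow `-type`, so move them before the other predicates, and `for dir in $(find ...)` word-splits on whitespace in directory names (use `while IFS= read -r dir` or `find -print0`). The `AWS_DEFAULT_REGION` env in context is a leftover in an Azure repository.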
Expand All @@ -57,7 +72,7 @@ jobs:
uses: actions/checkout@v2

- name : Zscaler IAC Scan
uses : ZscalerCWP/Zscaler-IaC-Action@v1.2.0
uses : ZscalerCWP/Zscaler-IaC-Action@v1.5.0
id: zscaler-iac-scan
with:
client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
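Review bot: `ZscalerCWP/Zscaler-IaC-Action@v1.5.0` (and `actions/checkout@v2` in context) are referenced by mutable tags; a third-party action that receives `secrets.ZSCANNER_CLIENT_ID` should be pinned to a full commit SHA with the tag kept in a trailing comment, so a moved or re-tagged release cannot change what runs with that credential. `actions/checkout@v2` also runs on the deprecated Node 12 runtime; bump it to v3.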
63 changes: 0 additions & 63 deletions .github/workflows/tf_validate_ver.yml

This file was deleted.

12 changes: 5 additions & 7 deletions .pre-commit-config.yaml
Expand Up @@ -27,13 +27,11 @@ repos:
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer

- repo: https://github.com/jorisroovers/gitlint
rev: v0.19.1
hooks:
- id: gitlint

# - repo: https://github.com/ZscalerCWP/iac-pre-commit-hooks
# rev: v0.0.1
# hooks:
# - id: zscaler-iac-scanner
- id: gitlint
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
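Review bot: the `detect-secrets` hook is added with no `args`, so it scans staged files with the default plugins and has no baseline to audit against; the documented setup is `args: ['--baseline', '.secrets.baseline']` together with a committed baseline generated by `detect-secrets scan > .secrets.baseline`, which lets known false positives be audited once instead of blocking every commit that touches them.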
4 changes: 2 additions & 2 deletions .releaserc.json
@@ -1,6 +1,6 @@
{
"branches": [
"main",
"master",
"develop"
],
"plugins": [
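Review bot: the release branch list here should match the `push` branches in `.github/workflows/ci.yml` from this same commit (`master`, `main`, `develop`); whichever of `main` or `master` is the repository's default branch, keep the two files in sync so semantic-release runs on the branch CI actually builds.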
Expand Down Expand Up @@ -37,7 +37,7 @@
[
"@semantic-release/github",
{
"successComment": ":tada: This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:\n\nThe release is available on [Terraform Registry](https://registry.terraform.io/modules/zscaler/terraform-azurerm-zpa-private-service-edge-modules/azurerm/latest) and [GitHub release](../releases/tag/v${nextRelease.version})\n\n> Posted by [semantic-release](https://github.com/semantic-release/semantic-release) bot"
"successComment": ":tada: This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:\n\nThe release is available on [Terraform Registry](https://registry.terraform.io/modules/zscaler/zpa-private-service-edge-modules/azurerm/latest) and [GitHub release](../releases/tag/v${nextRelease.version})\n\n> Posted by [semantic-release](https://github.com/semantic-release/semantic-release) bot"
}
]
],
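Review bot: the corrected link follows the registry's `modules/<namespace>/<name>/<provider>` form, which is right only if the repository is published as `terraform-azurerm-zpa-private-service-edge-modules`; confirm that before the first release, since this comment is posted automatically on every resolved issue and PR.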
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -9,6 +9,7 @@ Zscaler Private Service Edge Azure Terraform Modules
===========================================================================================================

## Description

This repository contains various modules and deployment configurations that can be used to deploy Zscaler Private Service Edge appliances to securely connect to workloads within Microsoft Azure via the Zscaler Zero Trust Exchange. The examples directory contains complete automation scripts for both greenfield/POV and brownfield/production use.

These deployment templates are intended to be fully functional and self service for both greenfield/pov as well as production use. All modules may also be utilized as design recommendations based on Zscaler's Official [Zero Trust Access to Private Apps in Azure with ZPA](https://help.zscaler.com/downloads/zpa/reference-architecture/zero-trust-access-private-apps-microsoft-azure-zscaler-private-access/Zero-Trust-Access-to-Private-Apps-in-Azure-with-Zscaler-Private-Access.pdf).
Expand All @@ -25,6 +26,7 @@ Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary
- provider registry.terraform.io/providers/hashicorp/tls v3.4.x

### Azure Requirements

1. Azure Subscription Id
[link to Azure subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade)
2. Have/Create a Service Principal. See: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). Then Collect:
Expand All @@ -34,6 +36,7 @@ Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary
3. Azure Region (e.g. westus2) where Private Service Edge resources are to be deployed

### Zscaler requirements

4. A valid Zscaler Private Access subscription and portal access
5. Zscaler ZPA API Keys. Details on how to find and generate ZPA API keys can be located here: https://help.zscaler.com/zpa/about-api-keys#:~:text=An%20API%20key%20is%20required,from%20the%20API%20Keys%20page
- Client ID
Expand All @@ -44,14 +47,15 @@ Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary
See: [Zscaler Private Service Edge Azure Deployment Guide](https://help.zscaler.com/zpa/service-edge-deployment-guide-microsoft-azure) for additional prerequisite provisioning steps.

## How to deploy

Provisioning templates are available for customer use/reference to successfully deploy fully operational Private Service Edge appliances once the prerequisites have been completed. Please follow the instructions located in [examples](examples/README.md).

## Format

This repository follows the [Hashicorp Standard Modules Structure](https://www.terraform.io/registry/modules/publish):

* `modules` - All module resources utilized by and customized specifically for Private Service Edge deployments. The intent is these modules are resusable and functional for any deployment type referencing for both production or lab/testing purposes.
* `examples` - Zscaler provides fully functional deployment templates utilizing a combination of some or all of the modules published. These can utilized in there entirety or as reference templates for more advanced customers or custom deployments. For novice Terraform users, we also provide a bash script (zsec) that can be run from any Linux/Mac OS or CSP Cloud Shell that walks through all provisioning requirements as well as downloading/running an isolated teraform process. This allows Private Service Edge deployments from any supported client without having to even have Terraform installed or know how the language/syntax for running it.
* `examples` - Zscaler provides fully functional deployment templates utilizing a combination of some or all of the modules published. These can utilized in there entirety or as reference templates for more advanced customers or custom deployments. For novice Terraform users, we also provide a bash script (zspse) that can be run from any Linux/Mac OS or CSP Cloud Shell that walks through all provisioning requirements as well as downloading/running an isolated teraform process. This allows Private Service Edge deployments from any supported client without having to even have Terraform installed or know how the language/syntax for running it.

## Versioning

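Review bot: the rewritten `examples` bullet keeps the typos of the line it replaces ("These can utilized in there entirety", "teraform", and "resusable" in the bullet above); since the line is being edited anyway, change them to "These can be utilized in their entirety" and "terraform".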
16 changes: 8 additions & 8 deletions examples/README.md
Expand Up @@ -25,8 +25,8 @@ See: [Zscaler App Connector Azure Deployment Guide](https://help.zscaler.com/zpa


## Deploying the cluster
(The automated tool can run only from MacOS and Linux. You can also upload all repo contents to the respective public cloud provider Cloud Shells and run directly from there).
(The automated tool can run only from MacOS and Linux. You can also upload all repo contents to the respective public cloud provider Cloud Shells and run directly from there).

**1. Greenfield Deployments**

(Use this if you are building an entire cluster from ground up.
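Review bot: the two versions of the "automated tool" line are identical in the rendered diff, so this is a whitespace-only change; the hunk header, however, still points at the "Zscaler App Connector Azure Deployment Guide", which is the wrong product for a Private Service Edge repository and should be replaced with the Private Service Edge deployment guide linked in the top-level README.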
Expand All @@ -36,10 +36,10 @@ See: [Zscaler App Connector Azure Deployment Guide](https://help.zscaler.com/zpa
bash
cd examples
Optional: Edit the terraform.tfvars file under your desired deployment type (ie: base_ac) to setup your App Connector Group (Details are documented inside the file)
- ./zsac up
- ./zspse up
- enter "greenfield"
- enter <desired deployment type>
- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zsac script*
- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zspse script*
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
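Review bot: the script name is renamed to `zspse`, but the surrounding context still describes an App Connector deployment (`base_ac` as the example deployment type, "setup your App Connector Group") and the next hunk header lists `(base | base_ac )` as the valid types; either the deployment type names in the script were not renamed, or this text needs the Private Service Edge equivalents. "exectute" in context should read "execute".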
@@ -63,10 +63,10 @@ Deployment Type: (base | base_ac ):
bash
cd examples
Optional: Edit the terraform.tfvars file under your desired deployment type (ie: ac) to setup your App Connector (Details are documented inside the file)
- ./zsac up
- ./zspse up
- enter "brownfield"
- enter <desired deployment type>
- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zsac script*
- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zspse script*
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
Expand All @@ -86,13 +86,13 @@ VNet, and subnets.
## Destroying the cluster
```
cd examples
- ./zsac destroy
- ./zspse destroy
- verify all resources that will be destroyed and enter "yes" to confirm
```

## Notes
```
1. For auto approval set environment variable **AUTO_APPROVE** or add `export AUTO_APPROVE=1`
2. For deployment type set environment variable **dtype** to the required deployment type or add e.g. `export dtype=base_ac`
3. To provide new credentials or region, delete the autogenerated .zsacrc file in your current working directory and re-run zsac.
3. To provide new credentials or region, delete the autogenerated .zspserc file in your current working directory and re-run zspse.
```
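Review bot: item 3 says credentials are re-entered by deleting the autogenerated `.zspserc` in the working directory, which means that file carries the Azure and ZPA API credentials; make sure `.zspserc` is listed in `.gitignore` (and covered by the `detect-secrets` hook added in this commit) so it is never staged alongside the examples. Item 2 still uses `base_ac` as the example `dtype`, which is the App Connector deployment type name.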
10 changes: 5 additions & 5 deletions examples/base/README.md
Expand Up @@ -8,8 +8,8 @@ This deployment type is just for greenfield/POV reference and/or spoke workload
## How to deploy:

### Option 1 (guided):
From the examples directory, run the zsac bash script that walks to all required inputs.
- ./zsac up
From the examples directory, run the zspse bash script that walks to all required inputs.
- ./zspse up
- enter "greenfield"
- enter "base"
- follow the remainder of the authentication and configuration input prompts.
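Review bot: "the zspse bash script that walks to all required inputs" should read "walks through all required inputs"; the same phrase appears in the destroy section below, so fix both while the line is being rewritten.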
Expand All @@ -27,8 +27,8 @@ From base directory execute:
## How to destroy:

### Option 1 (guided):
From the examples directory, run the zsac bash script that walks to all required inputs.
- ./zsac destroy
From the examples directory, run the zspse bash script that walks to all required inputs.
- ./zspse destroy

### Option 2 (manual):
From base directory execute:
Expand Down Expand Up @@ -79,7 +79,7 @@ From base directory execute:
| <a name="input_environment"></a> [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no |
| <a name="input_network_address_space"></a> [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, private service edge) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets and pse\_subnets variables | `string` | `"10.1.0.0/16"` | no |
| <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zsac-admin"` | no |
| <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zspse-admin"` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no |
| <a name="input_tls_key_algorithm"></a> [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no |
| <a name="input_zones"></a> [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` | <pre>[<br> "1"<br>]</pre> | no |
2 changes: 1 addition & 1 deletion examples/base/terraform.tfvars
Expand Up @@ -31,7 +31,7 @@

#public_subnets = ["10.x.y.z/24"]

## 3. Tag attribute "Owner" assigned to all resource created. (Default: "zsac-admin")
## 3. Tag attribute "Owner" assigned to all resource created. (Default: "zspse-admin")

#owner_tag = "username@company.com"

2 changes: 1 addition & 1 deletion examples/base/variables.tf
Expand Up @@ -31,7 +31,7 @@ variable "environment" {
variable "owner_tag" {
type = string
description = "Customer defined owner tag value. ie: Org, Dept, username, etc."
default = "zsac-admin"
default = "zspse-admin"
}

variable "tls_key_algorithm" {