diff --git a/.github/actions/validate_tf/action.yml b/.github/actions/validate_tf/action.yml deleted file mode 100644 index f9a8cd4..0000000 --- a/.github/actions/validate_tf/action.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: 'validate TF' -description: 'run all pre-req steps and the actual TF code validation' -inputs: - tf_version: # id of input - description: 'TF version used to validate code.' - required: true - path: - description: 'Path to code that will be validated.' - required: true -runs: - using: "composite" - steps: - - name: setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ inputs.tf_version }} - - name: run validation for ${{ inputs.path }} - run: | - cd "$GITHUB_WORKSPACE"/${{ inputs.path }} - terraform -version - terraform init -backend=false - terraform validate - shell: bash diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9eaac10..f3aa33f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,9 +1,10 @@ + --- name: CI/CD on: push: branches: - - master + - main - develop pull_request: schedule: @@ -22,11 +23,15 @@ jobs: uses: actions/setup-python@v2 with: # Semantic version range syntax (like 3.x) or the exact Python version - python-version: '3.9.4' + python-version: '3.11.0' - name: Run pre-commit framework as the developer should run it run: sudo ./scripts/install.sh && sudo ./scripts/run.sh + - name: The `git diff` showing whether the pre-commit mandated extra changes to the repository files + if: failure() + run: git diff + validate: name: Validate runs-on: ubuntu-latest 
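Review bot: The branch rename in the first ci.yml hunk (`- main` replacing `- master` under `push.branches`) goes in the opposite direction from the `.releaserc.json` hunk in this same commit, which changes its `branches` entry from `"main"` to `"master"`; after the commit CI triggers on `main` while semantic-release would publish from `master`, so one of the two edits is wrong. Whichever branch is canonical, both files should name it, and the README context in the commit does not settle which. The added `---` document marker is fine.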
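Review bot: The new `if: failure()` step runs `git diff` after any failed step in the job, not only after the pre-commit step, so a checkout or setup-python failure prints an empty diff under a step name that promises pre-commit output. Give the pre-commit step an `id: precommit` and gate the diff on it with `if: failure() && steps.precommit.outcome == 'failure'` (the `failure()` call is needed because an `if` without a status function is implicitly ANDed with `success()`). Separately, `python-version: '3.11.0'` pins an exact patch release directly under a comment advertising range syntax; `'3.11'` would match the comment and pick up patch updates.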
@@ -36,14 +41,24 @@ jobs: uses: actions/checkout@v2 - name: Set up Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@v1 with: - terraform_version: 1.1.7 + terraform_version: 0.15.3 + - name: terraform validate + env: + AWS_DEFAULT_REGION: us-west-2 run: | cd "$GITHUB_WORKSPACE" - for dir in $(find examples -type d -not \( -name ".?*" \) -maxdepth 1 -mindepth 1); + for dir in $(find modules examples -type d -not \( -name ".?*" \) -maxdepth 1 -mindepth 1); do + if [[ "$dir" == "modules/transit_gateway_peering" ]]; + then + echo "Skipping directory: $dir" + echo "Terraform does not support validating a module which uses an aliased provider (module-specific; validating an entire configuration works fine)." + continue + fi + echo "Processing directory: $dir" cd "$GITHUB_WORKSPACE/$dir" terraform init -backend=false @@ -57,7 +72,7 @@ jobs: uses: actions/checkout@v2 - name : Zscaler IAC Scan - uses : ZscalerCWP/Zscaler-IaC-Action@v1.2.0 + uses : ZscalerCWP/Zscaler-IaC-Action@v1.5.0 id: zscaler-iac-scan with: client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} diff --git a/.github/workflows/tf_validate_ver.yml b/.github/workflows/tf_validate_ver.yml deleted file mode 100644 index 7e4d0c4..0000000 --- a/.github/workflows/tf_validate_ver.yml +++ /dev/null 
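Review bot: The validate job moves to `hashicorp/setup-terraform@v1` with `terraform_version: 0.15.3`, down from v2 / 1.1.7, while the README context elsewhere in this commit still states the scripts are "leveraging Terraform v1.1.9"; a `terraform validate` run under an older core than users are told to run proves less than it looks, so the intended minimum version should be decided once and used in both places. The added `AWS_DEFAULT_REGION: us-west-2` env has no consumer visible in this Azure-only repository, and the `modules/transit_gateway_peering` skip names a directory that appears nowhere else in the diff; both look carried over from another repository and can presumably be dropped. If either is intentional, a one-line comment above it such as `# required by <provider> during init — confirm` would spare the next reader the question. The `for` loop body and the `validate` job continue past the end of the hunk.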
@@ -1,63 +0,0 @@ ---- -name: TF Validate -# description: Validate examples and modules against variety of TF versions - -on: - workflow_dispatch: - -env: - # tf_versions needs to be a string of TF versions we would like to test against - # versions have to be space delimited - # when providing only major.minor version the latest patch level will be used - tf_versions: 0.15 1.0 1.1 1.2 - -jobs: - prerequisites: - name: gather prerequisites - runs-on: ubuntu-latest - outputs: - modules: ${{ steps.preqs.outputs.modules }} - examples: ${{ steps.preqs.outputs.examples }} - tf_versions: ${{ steps.preqs.outputs.tf_versions }} - steps: - - name: checkout code - uses: actions/checkout@v3 - - name: set outputs - id: preqs - run: | - echo "::set-output name=modules::$(find modules -maxdepth 1 -mindepth 1 -type d -not \( -name ".?*" \) | jq -R -s -c 'split("\n")[:-1]')" - echo "::set-output name=examples::$(find examples -maxdepth 1 -mindepth 1 -type d -not \( -name ".?*" \) | jq -R -s -c 'split("\n")[:-1]')" - echo "::set-output name=tf_versions::$(echo ${tf_versions}| tr " " "\n" | jq -R -s -c 'split("\n")[:-1]')" - - modules: - needs: [prerequisites] - runs-on: ubuntu-latest - strategy: - matrix: - tf_versions: ${{ fromJson(needs.prerequisites.outputs.tf_versions) }} - modules: ${{ fromJson(needs.prerequisites.outputs.modules) }} - name: '${{ matrix.modules }}@${{ matrix.tf_versions }}' - steps: - - name: checkout code - uses: actions/checkout@v3 - - name: run validation - uses: ./.github/actions/validate_tf - with: - path: ${{ matrix.modules }} - tf_version: ${{ matrix.tf_versions }} - examples: - needs: [prerequisites] - runs-on: ubuntu-latest - strategy: - matrix: - tf_versions: ${{ fromJson(needs.prerequisites.outputs.tf_versions) }} - examples: ${{ fromJson(needs.prerequisites.outputs.examples) }} - name: '${{ matrix.examples }}@${{ matrix.tf_versions }}' - steps: - - name: checkout code - uses: actions/checkout@v3 - - name: run validation - uses: 
./.github/actions/validate_tf - with: - path: ${{ matrix.examples }} - tf_version: ${{ matrix.tf_versions }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2625908..407042d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -27,13 +27,11 @@ repos: hooks: - id: check-merge-conflict - id: end-of-file-fixer - - repo: https://github.com/jorisroovers/gitlint rev: v0.19.1 hooks: - - id: gitlint - - # - repo: https://github.com/ZscalerCWP/iac-pre-commit-hooks - # rev: v0.0.1 - # hooks: - # - id: zscaler-iac-scanner + - id: gitlint + - repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets diff --git a/.releaserc.json b/.releaserc.json index 0fdbbbf..66a2de4 100644 --- a/.releaserc.json +++ b/.releaserc.json @@ -1,6 +1,6 @@ { "branches": [ - "main", + "master", "develop" ], "plugins": [ @@ -37,7 +37,7 @@ [ "@semantic-release/github", { - "successComment": ":tada: This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:\n\nThe release is available on [Terraform Registry](https://registry.terraform.io/modules/zscaler/terraform-azurerm-zpa-private-service-edge-modules/azurerm/latest) and [GitHub release](../releases/tag/v${nextRelease.version})\n\n> Posted by [semantic-release](https://github.com/semantic-release/semantic-release) bot" + "successComment": ":tada: This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:\n\nThe release is available on [Terraform Registry](https://registry.terraform.io/modules/zscaler/zpa-private-service-edge-modules/azurerm/latest) and [GitHub release](../releases/tag/v${nextRelease.version})\n\n> Posted by [semantic-release](https://github.com/semantic-release/semantic-release) bot" } ] ], diff --git a/README.md b/README.md index e05208b..dcd3743 100644 --- a/README.md +++ b/README.md 
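Review bot: The new `detect-secrets` hook is added without `args`, so it runs with no baseline and is likely to flag every pre-existing keyword or high-entropy match in the repository on the first commit, which in practice leads to the hook being skipped rather than acted on. The upstream hook is normally configured as `args: ['--baseline', '.secrets.baseline']`, with the baseline generated once via `detect-secrets scan > .secrets.baseline` and audited, so that only new findings block a commit. Pinning `rev: v1.4.0` is good.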
@@ -9,6 +9,7 @@ Zscaler Private Service Edge Azure Terraform Modules =========================================================================================================== ## Description + This repository contains various modules and deployment configurations that can be used to deploy Zscaler Private Service Edge appliances to securely connect to workloads within Microsoft Azure via the Zscaler Zero Trust Exchange. The examples directory contains complete automation scripts for both greenfield/POV and brownfield/production use. These deployment templates are intended to be fully functional and self service for both greenfield/pov as well as production use. All modules may also be utilized as design recommendations based on Zscaler's Official [Zero Trust Access to Private Apps in Azure with ZPA](https://help.zscaler.com/downloads/zpa/reference-architecture/zero-trust-access-private-apps-microsoft-azure-zscaler-private-access/Zero-Trust-Access-to-Private-Apps-in-Azure-with-Zscaler-Private-Access.pdf). @@ -25,6 +26,7 @@ Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary - provider registry.terraform.io/providers/hashicorp/tls v3.4.x ### Azure Requirements + 1. Azure Subscription Id [link to Azure subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) 2. Have/Create a Service Principal. See: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal). Then Collect: @@ -34,6 +36,7 @@ Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary 3. Azure Region (e.g. westus2) where Private Service Edge resources are to be deployed ### Zscaler requirements + 4. A valid Zscaler Private Access subscription and portal access 5. Zscaler ZPA API Keys. Details on how to find and generate ZPA API keys can be located here: https://help.zscaler.com/zpa/about-api-keys#:~:text=An%20API%20key%20is%20required,from%20the%20API%20Keys%20page - Client ID 
@@ -44,6 +47,7 @@ Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary See: [Zscaler Private Service Edge Azure Deployment Guide](https://help.zscaler.com/zpa/service-edge-deployment-guide-microsoft-azure) for additional prerequisite provisioning steps. ## How to deploy + Provisioning templates are available for customer use/reference to successfully deploy fully operational Private Service Edge appliances once the prerequisites have been completed. Please follow the instructions located in [examples](examples/README.md). ## Format 
@@ -51,7 +55,7 @@ Provisioning templates are available for customer use/reference to successfully This repository follows the [Hashicorp Standard Modules Structure](https://www.terraform.io/registry/modules/publish): * `modules` - All module resources utilized by and customized specifically for Private Service Edge deployments. The intent is these modules are resusable and functional for any deployment type referencing for both production or lab/testing purposes. -* `examples` - Zscaler provides fully functional deployment templates utilizing a combination of some or all of the modules published. These can utilized in there entirety or as reference templates for more advanced customers or custom deployments. For novice Terraform users, we also provide a bash script (zsec) that can be run from any Linux/Mac OS or CSP Cloud Shell that walks through all provisioning requirements as well as downloading/running an isolated teraform process. This allows Private Service Edge deployments from any supported client without having to even have Terraform installed or know how the language/syntax for running it. +* `examples` - Zscaler provides fully functional deployment templates utilizing a combination of some or all of the modules published. These can utilized in there entirety or as reference templates for more advanced customers or custom deployments. For novice Terraform users, we also provide a bash script (zspse) that can be run from any Linux/Mac OS or CSP Cloud Shell that walks through all provisioning requirements as well as downloading/running an isolated teraform process. This allows Private Service Edge deployments from any supported client without having to even have Terraform installed or know how the language/syntax for running it. ## Versioning diff --git a/examples/README.md b/examples/README.md index 492a37e..9178ff5 100644 --- a/examples/README.md +++ b/examples/README.md 
@@ -25,8 +25,8 @@ See: [Zscaler App Connector Azure Deployment Guide](https://help.zscaler.com/zpa ## Deploying the cluster -(The automated tool can run only from MacOS and Linux. You can also upload all repo contents to the respective public cloud provider Cloud Shells and run directly from there). - +(The automated tool can run only from MacOS and Linux. You can also upload all repo contents to the respective public cloud provider Cloud Shells and run directly from there). + **1. Greenfield Deployments** (Use this if you are building an entire cluster from ground up. @@ -36,10 +36,10 @@ See: [Zscaler App Connector Azure Deployment Guide](https://help.zscaler.com/zpa bash cd examples Optional: Edit the terraform.tfvars file under your desired deployment type (ie: base_ac) to setup your App Connector Group (Details are documented inside the file) -- ./zsac up +- ./zspse up - enter "greenfield" - enter -- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zsac script* +- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zspse script* - script will detect client operating system and download/run a specific version of terraform in a temporary bin directory - inputs will be validated and terraform init/apply will automatically exectute. - verify all resources that will be created/modified and enter "yes" to confirm 
@@ -63,10 +63,10 @@ Deployment Type: (base | base_ac ): bash cd examples Optional: Edit the terraform.tfvars file under your desired deployment type (ie: ac) to setup your App Connector (Details are documented inside the file) -- ./zsac up +- ./zspse up - enter "brownfield" - enter -- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zsac script* +- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zspse script* - script will detect client operating system and download/run a specific version of terraform in a temporary bin directory - inputs will be validated and terraform init/apply will automatically exectute. - verify all resources that will be created/modified and enter "yes" to confirm @@ -86,7 +86,7 @@ VNet, and subnets. ## Destroying the cluster ``` cd examples -- ./zsac destroy +- ./zspse destroy - verify all resources that will be destroyed and enter "yes" to confirm ``` @@ -94,5 +94,5 @@ cd examples ``` 1. For auto approval set environment variable **AUTO_APPROVE** or add `export AUTO_APPROVE=1` 2. For deployment type set environment variable **dtype** to the required deployment type or add e.g. `export dtype=base_ac` -3. To provide new credentials or region, delete the autogenerated .zsacrc file in your current working directory and re-run zsac. +3. To provide new credentials or region, delete the autogenerated .zspserc file in your current working directory and re-run zspse. ``` diff --git a/examples/base/README.md b/examples/base/README.md index 5291d79..c3704b4 100644 --- a/examples/base/README.md +++ b/examples/base/README.md 
@@ -8,8 +8,8 @@ This deployment type is just for greenfield/POV reference and/or spoke workload ## How to deploy: ### Option 1 (guided): -From the examples directory, run the zsac bash script that walks to all required inputs. -- ./zsac up +From the examples directory, run the zspse bash script that walks to all required inputs. +- ./zspse up - enter "greenfield" - enter "base" - follow the remainder of the authentication and configuration input prompts. @@ -27,8 +27,8 @@ From base directory execute: ## How to destroy: ### Option 1 (guided): -From the examples directory, run the zsac bash script that walks to all required inputs. -- ./zsac destroy +From the examples directory, run the zspse bash script that walks to all required inputs. +- ./zspse destroy ### Option 2 (manual): From base directory execute: 
@@ -79,7 +79,7 @@ From base directory execute: | [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, private service edge) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets and pse\_subnets variables | `string` | `"10.1.0.0/16"` | no | -| [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zsac-admin"` | no | +| [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zspse-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` |
[
"1"
]
| no | diff --git a/examples/base/terraform.tfvars b/examples/base/terraform.tfvars index 1801300..b1c8a81 100755 --- a/examples/base/terraform.tfvars +++ b/examples/base/terraform.tfvars @@ -31,7 +31,7 @@ #public_subnets = ["10.x.y.z/24"] -## 3. Tag attribute "Owner" assigned to all resource created. (Default: "zsac-admin") +## 3. Tag attribute "Owner" assigned to all resource created. (Default: "zspse-admin") #owner_tag = "username@company.com" diff --git a/examples/base/variables.tf b/examples/base/variables.tf index c6088f0..4d1bd59 100755 --- a/examples/base/variables.tf +++ b/examples/base/variables.tf @@ -31,7 +31,7 @@ variable "environment" { variable "owner_tag" { type = string description = "Customer defined owner tag value. ie: Org, Dept, username, etc." - default = "zsac-admin" + default = "zspse-admin" } variable "tls_key_algorithm" { diff --git a/examples/base_pse/README.md b/examples/base_pse/README.md index d15fca8..20fd295 100644 --- a/examples/base_pse/README.md +++ b/examples/base_pse/README.md @@ -13,8 +13,8 @@ We are leveraging the [Zscaler ZPA Provider](https://github.com/zscaler/terrafor ### Option 1 (guided): Optional: Edit the terraform.tfvars file under your desired deployment type (ie: base_ac) to setup your Service Edge Group (Details are documented inside the file) -From the examples directory, run the zsac bash script that walks to all required inputs. -- ./zsac up +From the examples directory, run the zspse bash script that walks to all required inputs. +- ./zspse up - enter "greenfield" - enter "base_ac" - follow the remainder of the authentication and configuration input prompts. 
@@ -32,8 +32,8 @@ From base_ac directory execute: ## How to destroy: ### Option 1 (guided): -From the examples directory, run the zsac bash script that walks to all required inputs. -- ./zsac destroy +From the examples directory, run the zspse bash script that walks to all required inputs. +- ./zspse destroy ### Option 2 (manual): From base_ac directory execute: 
@@ -93,14 +93,13 @@ From base_ac directory execute: | [environment](#input\_environment) | Customer defined environment tag. ie: Dev, QA, Prod, etc. | `string` | `"Development"` | no | | [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zsdemo"` | no | | [network\_address\_space](#input\_network\_address\_space) | VNet IP CIDR Range. All subnet resources that might get created (public, Private Service Edge) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public\_subnets and pse\_subnets variables | `string` | `"10.1.0.0/16"` | no | -| [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zsac-admin"` | no | +| [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zspse-admin"` | no | | [provisioning\_key\_association\_type](#input\_provisioning\_key\_association\_type) | Specifies the provisioning key type for Private Service Edges or ZPA Private Service Edges. The supported values are CONNECTOR\_GRP and SERVICE\_EDGE\_GRP | `string` | `"SERVICE_EDGE_GRP"` | no | | [provisioning\_key\_enabled](#input\_provisioning\_key\_enabled) | Whether the provisioning key is enabled or not. Default: true | `bool` | `true` | no | | [provisioning\_key\_max\_usage](#input\_provisioning\_key\_max\_usage) | The maximum number of instances where this provisioning key can be used for enrolling an Private Service Edge or Service Edge | `number` | `10` | no | | [pse\_count](#input\_pse\_count) | The number of PSEs to deploy. Validation assumes max for /24 subnet but could be smaller or larger as long as subnet can accommodate | `number` | `2` | no | | [pse\_group\_country\_code](#input\_pse\_group\_country\_code) | Optional: Country code of this Service Edge Group. 
example 'US' | `string` | `""` | no | | [pse\_group\_description](#input\_pse\_group\_description) | Optional: Description of the Service Edge Group | `string` | `"This Service Edge Group belongs to: "` | no | -| [pse\_group\_dns\_query\_type](#input\_pse\_group\_dns\_query\_type) | Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the Service Edge Group | `string` | `"IPV4_IPV6"` | no | | [pse\_group\_enabled](#input\_pse\_group\_enabled) | Whether this Service Edge Group is enabled or not | `bool` | `true` | no | | [pse\_group\_latitude](#input\_pse\_group\_latitude) | Latitude of the Service Edge Group. Integer or decimal. With values in the range of -90 to 90 | `string` | `"37.3382082"` | no | | [pse\_group\_location](#input\_pse\_group\_location) | location of the Service Edge Group in City, State, Country format. example: 'San Jose, CA, USA' | `string` | `"San Jose, CA, USA"` | no | @@ -121,6 +120,7 @@ From base_ac directory execute: | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` |
[
"1"
]
| no | | [zones\_enabled](#input\_zones\_enabled) | Determine whether to provision Private Service Edge VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance | `bool` | `false` | no | +| [zpa\_trusted\_network\_name](#input\_zpa\_trusted\_network\_name) | To query trusted network that are associated with a specific Zscaler cloud, it is required to append the cloud name to the name of the trusted network. For more details refer to docs: https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_trusted_network | `string` | n/a | yes | ## Outputs diff --git a/examples/base_pse/main.tf b/examples/base_pse/main.tf index 57a4516..c7c155c 100755 --- a/examples/base_pse/main.tf +++ b/examples/base_pse/main.tf @@ -94,7 +94,7 @@ module "zpa_service_edge_group" { pse_group_override_version_profile = var.pse_group_override_version_profile pse_group_version_profile_id = var.pse_group_version_profile_id pse_is_public = var.pse_is_public - #zpa_trusted_network_name = var.zpa_trusted_network_name + zpa_trusted_network_name = var.zpa_trusted_network_name } diff --git a/examples/base_pse/outputs.tf b/examples/base_pse/outputs.tf index 8ce1acc..43c670b 100755 --- a/examples/base_pse/outputs.tf +++ b/examples/base_pse/outputs.tf 
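Review bot: Uncommenting `zpa_trusted_network_name = var.zpa_trusted_network_name` makes the root variable mandatory, because the matching `examples/base_pse/variables.tf` hunk in this commit declares it with no `default` (its `#default = ""` line stays commented out) and the sample `terraform.tfvars` also leaves `#zpa_trusted_network_name` commented; a standalone `terraform plan` will therefore prompt for the value, or fail non-interactively, unless the zspse script supplies it, which the diff does not show. If the trusted network is optional for a Service Edge group, declare `default = null` so the argument is treated as unset; if it is required, uncomment the tfvars example so the documented workflow works out of the box. The `examples/pse/main.tf` hunk and its `variables.tf`/`terraform.tfvars` counterparts have the same gap. The `module "zpa_service_edge_group"` block starts before the hunk.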
@@ -9,9 +9,9 @@ scp -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ${var.name_pref ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem centos@${module.bastion.public_ip} 3) SSH to the Private Service Edge -ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem centos@${module.pse_vm.private_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem centos@${module.bastion.public_ip}" +ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem zpse-admin@${module.pse_vm.private_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem centos@${module.bastion.public_ip}" -All Private Service Edge Management IPs. Replace private IP below with zspse-admin@"ip address" in ssh example command above. +All Private Service Edge Management IPs. Replace private IP below with "zpse-admin"@"ip address" in ssh example command above. ${join("\n", module.pse_vm.private_ip)} Resource Group: diff --git a/examples/base_pse/terraform.tfvars b/examples/base_pse/terraform.tfvars index 702d01c..3f15a20 100755 --- a/examples/base_pse/terraform.tfvars +++ b/examples/base_pse/terraform.tfvars 
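Review bot: The SSH hint now logs in as `zpse-admin@...` on the Private Service Edge while the line it replaces said `zspse-admin`, and the `examples/pse/outputs.tf` hunk writes the same name with doubled quotes, `Username ""zpse-admin""`, which appears to end up verbatim in the output text; that looks like a typo for `Username "zpse-admin"`. Since every other rename in this commit is `zsac` → `zspse`, please confirm which username the PSE image actually provisions and use one spelling in both outputs files. The bastion hop still uses `centos@`, which may be intended for a different image. The enclosing `locals` block starts and ends outside the hunk.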
@@ -1,8 +1,8 @@ ## This is only a sample terraform.tfvars file. ## Uncomment and change the below variables according to your specific environment ##################################################################################################################### -##### Variables 5-13 are populated automically if terraform is ran via ZSAC bash script. ##### -##### Modifying the variables in this file will override any inputs from ZSAC ##### +##### Variables 5-13 are populated automically if terraform is ran via zspse bash script. ##### +##### Modifying the variables in this file will override any inputs from zspse ##### ##################################################################################################################### ##################################################################################################################### @@ -34,7 +34,8 @@ #pse_group_upgrade_time_in_secs = "66600" #pse_group_override_version_profile = true #pse_group_version_profile_id = "2" -#pse_group_dns_query_type = "IPV4_IPV6" +#pse_is_public = false +#zpa_trusted_network_name = "Corporate-Network (zscalertwo.net)" ##################################################################################################################### @@ -57,7 +58,7 @@ ##### Custom variables. Only change if required for your environment ##### ##################################################################################################################### -## 5. Azure region where Private Service Edge resources will be deployed. This environment variable is automatically populated if running ZSAC script +## 5. Azure region where Private Service Edge resources will be deployed. This environment variable is automatically populated if running zspse script ## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2) arm_location = "canadacentral" 
@@ -66,7 +67,7 @@ arm_location = "canadacentral" ## (Default: Standard_D4s_v3) psevm_instance_type = "Standard_D4s_v3" -#acvm_instance_type = "Standard_F4s_v2" +#psevm_instance_type = "Standard_F4s_v2" ## 7. The number of Private Service Edge appliances to provision. Each incremental Private Service Edge will be created in alternating ## subnets based on the zones or byo_subnet_names variable and loop through for any deployments where ac_count > zones. @@ -123,7 +124,7 @@ pse_count = 1 #public_subnets = ["10.x.y.z/24","10.x.y.z/24"] #ac_subnets = ["10.x.y.z/24","10.x.y.z/24"] -## 11. Tag attribute "Owner" assigned to all resoure creation. (Default: "zspse-admin") +## 11. Tag attribute "Owner" assigned to all resoure creation. (Default: "zpse-admin") #owner_tag = "username@company.com" diff --git a/examples/base_pse/variables.tf b/examples/base_pse/variables.tf index f312174..1f00581 100755 --- a/examples/base_pse/variables.tf +++ b/examples/base_pse/variables.tf @@ -37,7 +37,7 @@ variable "environment" { variable "owner_tag" { type = string description = "Customer defined owner tag value. ie: Org, Dept, username, etc." - default = "zsac-admin" + default = "zspse-admin" } variable "tls_key_algorithm" { 
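Review bot: The comment for variable 11 now reads `(Default: "zpse-admin")`, but the `owner_tag` declaration in the `examples/base_pse/variables.tf` hunk of this same commit sets `default = "zspse-admin"`, so the documented default and the real one differ by one letter. The `examples/pse/terraform.tfvars` hunk has the identical mismatch against `examples/pse/variables.tf`. Change the comment to `(Default: "zspse-admin")` in both tfvars files, or change the variable defaults if `zpse-admin` is the intended tag value.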
@@ -224,27 +224,12 @@ variable "pse_is_public" { default = false } -variable "pse_group_dns_query_type" { +variable "zpa_trusted_network_name" { type = string - description = "Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the Service Edge Group" - default = "IPV4_IPV6" - - validation { - condition = ( - var.pse_group_dns_query_type == "IPV4_IPV6" || - var.pse_group_dns_query_type == "IPV4" || - var.pse_group_dns_query_type == "IPV6" - ) - error_message = "Input pse_group_dns_query_type must be set to an approved value." - } + description = "To query trusted network that are associated with a specific Zscaler cloud, it is required to append the cloud name to the name of the trusted network. For more details refer to docs: https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_trusted_network" + #default = "" # a valid example name + cloud >> "Corporate-Network (zscalertwo.net)" } -# variable "zpa_trusted_network_name" { -# type = string -# description = "To query trusted network that are associated with a specific Zscaler cloud, it is required to append the cloud name to the name of the trusted network. For more details refer to docs: https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_trusted_network" -# #default = "" # a valid example name + cloud >> "Corporate-Network (zscalertwo.net)" -# } - variable "provisioning_key_enabled" { type = bool description = "Whether the provisioning key is enabled or not. Default: true" diff --git a/examples/pse/main.tf b/examples/pse/main.tf index 701fa4f..443a658 100644 --- a/examples/pse/main.tf +++ b/examples/pse/main.tf 
@@ -92,7 +92,7 @@ module "zpa_service_edge_group" { pse_group_override_version_profile = var.pse_group_override_version_profile pse_group_version_profile_id = var.pse_group_version_profile_id pse_is_public = var.pse_is_public - #zpa_trusted_network_name = var.zpa_trusted_network_name + zpa_trusted_network_name = var.zpa_trusted_network_name } diff --git a/examples/pse/outputs.tf b/examples/pse/outputs.tf index 7fb9f28..c995a7b 100644 --- a/examples/pse/outputs.tf +++ b/examples/pse/outputs.tf @@ -5,7 +5,7 @@ locals { Resource Group: ${module.network.resource_group_name} -All Private Service Edges Management IPs. Username "zspse-admin" +All Private Service Edges Management IPs. Username ""zpse-admin"" ${join("\n", module.pse_vm.private_ip)} All NAT GW Public IPs: diff --git a/examples/pse/terraform.tfvars b/examples/pse/terraform.tfvars index af91003..c3ecc1b 100644 --- a/examples/pse/terraform.tfvars +++ b/examples/pse/terraform.tfvars 
@@ -23,18 +23,20 @@ ## For any questions populating the below values, please reference: ## https://registry.terraform.io/providers/zscaler/zpa/latest/docs/resources/zpa_service_edge_group -#pse_group_description = "new_group_name" -#pse_group_enabled = true -#pse_group_country_code = "new_group_name" -#pse_group_latitude = "37.3382082" -#pse_group_longitude = "-121.8863286" -#pse_group_location = "San Jose, CA, USA" -#pse_group_upgrade_day = "SUNDAY" -#pse_group_upgrade_time_in_secs = "66600" -#pse_group_override_version_profile = true -#pse_group_version_profile_id = "2" -#pse_is_public = true -#pse_group_dns_query_type = "IPV4_IPV6" +#pse_group_name = "new_group_name" +#pse_group_description = "group_description" +#pse_group_enabled = true +#pse_group_country_code = "US" +#pse_group_latitude = "37.3382082" +#pse_group_longitude = "-121.8863286" +#pse_group_location = "San Jose, CA, USA" +#pse_group_upgrade_day = "SUNDAY" +#pse_group_upgrade_time_in_secs = "66600" +#pse_group_override_version_profile = true +#pse_group_version_profile_id = "2" +#pse_is_public = false +#zpa_trusted_network_name = "Corporate-Network (zscalertwo.net)" + ##################################################################################################################### @@ -121,7 +123,7 @@ pse_count = 2 #public_subnets = ["10.x.y.z/24","10.x.y.z/24"] #pse_subnets = ["10.x.y.z/24","10.x.y.z/24"] -## 11. Tag attribute "Owner" assigned to all resoure creation. (Default: "zspse-admin") +## 11. Tag attribute "Owner" assigned to all resoure creation. (Default: "zpse-admin") #owner_tag = "username@company.com" diff --git a/examples/pse/variables.tf b/examples/pse/variables.tf index 22f3490..c0c3946 100644 --- a/examples/pse/variables.tf +++ b/examples/pse/variables.tf 
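Review bot: The rewritten sample block introduces `#pse_group_name = "new_group_name"`, a variable not referenced anywhere else in this diff; if `examples/pse/variables.tf` does not declare it, a user who uncomments the line gets Terraform's undeclared-variable warning and the value is silently ignored. Please confirm the declaration exists, or drop the line. The rest of the block (`pse_group_country_code = "US"`, `pse_is_public = false`) reads correctly.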
@@ -37,7 +37,7 @@ variable "environment" { variable "owner_tag" { type = string description = "Customer defined owner tag value. ie: Org, Dept, username, etc." - default = "zsac-admin" + default = "zspse-admin" } variable "tls_key_algorithm" { @@ -218,27 +218,12 @@ variable "pse_is_public" { default = false } -variable "pse_group_dns_query_type" { +variable "zpa_trusted_network_name" { type = string - description = "Whether to enable IPv4 or IPv6, or both, for DNS resolution of all applications in the Service Edge Group" - default = "IPV4_IPV6" - - validation { - condition = ( - var.pse_group_dns_query_type == "IPV4_IPV6" || - var.pse_group_dns_query_type == "IPV4" || - var.pse_group_dns_query_type == "IPV6" - ) - error_message = "Input pse_group_dns_query_type must be set to an approved value." - } + description = "To query trusted network that are associated with a specific Zscaler cloud, it is required to append the cloud name to the name of the trusted network. For more details refer to docs: https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_trusted_network" + #default = "" # a valid example name + cloud >> "Corporate-Network (zscalertwo.net)" } -# variable "zpa_trusted_network_name" { -# type = string -# description = "To query trusted network that are associated with a specific Zscaler cloud, it is required to append the cloud name to the name of the trusted network. For more details refer to docs: https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_trusted_network" -# #default = "" # a valid example name + cloud >> "Corporate-Network (zscalertwo.net)" -# } - variable "provisioning_key_enabled" { type = bool description = "Whether the provisioning key is enabled or not. Default: true" diff --git a/examples/zspse b/examples/zspse index 601ab0c..df936c7 100755 --- a/examples/zspse +++ b/examples/zspse 
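Review bot: `variable "zpa_trusted_network_name"` is declared with no default (the `#default = ""` line stays commented out), so it is now a required input, while examples/pse/main.tf passes it to the module unconditionally and terraform.tfvars still presents it as a commented-out optional example; every user who does not set it will be prompted at `plan`, and if the provider's trusted-network lookup rejects an empty name, setting it blank is not a workaround. Decide which it is: either give it `default = null` and have the module tolerate a null value, or state in the description that it is mandatory and uncomment the tfvars example. Worth checking too that nothing in main.tf still references the removed `pse_group_dns_query_type`, since that would now fail `terraform validate` (not visible in this hunk).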
@@ -44,7 +44,7 @@ if [[ "$oper" == "up" ]]; then read -r -p "Deployment Type: ( base | base_pse | pse ) : " dtype case $dtype in - base|base_ac) + base|base_pse|pse) echo "Deployment Type: ${dtype}" break ;; 
@@ -112,23 +112,23 @@ elif [[ ! -d $dir ]]; then fi az_regions=["westus","West US","westus2","West US 2","eastus","East US","centralus","Central US","centraluseuap","Central US EUAP","southcentralus","South Central US","northcentralus","North Central US","westcentralus","West Central US","eastus2","East US 2","eastus2euap","East US 2 EUAP","brazilsouth","Brazil South","northeurope","North Europe","westeurope","West Europe","eastasia","East Asia","southeastasia","Southeast Asia","japanwest","Japan West","japaneast","Japan East","koreacentral","Korea Central","koreasouth","Korea South","southindia","South India","westindia","West India","centralindia","Central India","australiaeast","Australia East","australiasoutheast","Australia Southeast","canadacentral","Canada Central","canadaeast","Canada East","uksouth","UK South","ukwest","UK West","francecentral","France Central","francesouth","France South","australiacentral","Australia Central","australiacentral2","Australia Central 2","uaecentral","UAE Central","uaenorth","UAE North","southafricanorth"," South Africa North","southafricawest","South Africa West","switzerlandnorth","Switzerland North","switzerlandwest","Switzerland West","germanynorth","Germany North","germanywestcentral","Germany West Central","norwayeast","Norway East","norwaywest","Norway West","brazilsoutheast","Brazil Southeast","westus3","West US 3","swedencentral","Sweden Central","swedensouth","Sweden South"] -# if .zsacrc is not present we'll assume that Azure env was never set -if [[ $dtype == "base" && ! -e ./.zsacrc ]]; then +# if .zspserc is not present we'll assume that Azure env was never set +if [[ $dtype == "base" && ! -e ./.zspserc ]]; then echo "Checking Azure Environment Variables..." 
read -r -p "Enter Azure Subcription ID: " azure_subscription_id - echo "export ARM_SUBSCRIPTION_ID=${azure_subscription_id}" > .zsacrc + echo "export ARM_SUBSCRIPTION_ID=${azure_subscription_id}" > .zspserc read -r -p "Enter Directory (tenant) ID: " azure_tenant_id - echo "export ARM_TENANT_ID=${azure_tenant_id}" >> .zsacrc + echo "export ARM_TENANT_ID=${azure_tenant_id}" >> .zspserc read -r -p "Enter Application (client) ID of Service Principal: " azure_client_id - echo "export ARM_CLIENT_ID=${azure_client_id}" >> .zsacrc + echo "export ARM_CLIENT_ID=${azure_client_id}" >> .zspserc read -r -p "Enter Client Secret Value of Service Principal: " azure_client_secret - echo "export ARM_CLIENT_SECRET=${azure_client_secret}" >> .zsacrc + echo "export ARM_CLIENT_SECRET=${azure_client_secret}" >> .zspserc read -r -p "Enter Azure Region (e.g. westus2): " azure_location if [[ ${az_regions[*]} =~ $azure_location ]]; then - echo "export TF_VAR_arm_location=${azure_location}" >> .zsacrc + echo "export TF_VAR_arm_location=${azure_location}" >> .zspserc else echo "Invalid Azure region name entered." - echo "Delete .zsacrc file and re-run zsec up..." + echo "Delete .zspserc file and re-run zsec up..." exit 1 fi while [[ "$dtype" == "base" && "$oper" == "up" ]]; do @@ -138,7 +138,7 @@ clientpublicip=$(curl -s ifconfig.me) case $bastion_response in yes|y ) echo "Updating Bastion NSG to permit SSH only from ${clientpublicip}: " - echo "export TF_VAR_bastion_nsg_source_prefix=${clientpublicip}" >> .zsacrc + echo "export TF_VAR_bastion_nsg_source_prefix=${clientpublicip}" >> .zspserc useclientip=true break ;; 
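Review bot: `read -r -p "Enter Client Secret Value of Service Principal: " azure_client_secret` echoes the service-principal secret to the terminal, and the `echo ... > .zspserc` lines then persist it in plaintext under the default umask, which on a shared host normally leaves the file world-readable. The value is also written unquoted and the file is later executed by `. ./.zspserc`, so a secret containing spaces, `$` or `;` either breaks the file or runs as a command. Use `read -r -s` for the secret, set `umask 077` (or `chmod 600 .zspserc`) before the first write, and emit every line with `printf 'export NAME=%q\n'` so the value is shell-escaped for sourcing, as sketched below. Separately, the `az_regions=[...]` context line is a plain string rather than a bash array, and the unquoted `=~ $azure_location` performs a substring regex match, so inputs such as `us` pass the region check. The enclosing `if [[ $dtype == "base" && ! -e ./.zspserc ]]` block continues beyond this hunk.
```shell
umask 077   # .zspserc holds credentials; make it owner-readable only
read -r -p "Enter Azure Subcription ID: " azure_subscription_id
printf 'export ARM_SUBSCRIPTION_ID=%q\n' "$azure_subscription_id" > .zspserc
# … unchanged: tenant ID and client ID prompts, written with the same printf form …
read -r -s -p "Enter Client Secret Value of Service Principal: " azure_client_secret; echo
printf 'export ARM_CLIENT_SECRET=%q\n' "$azure_client_secret" >> .zspserc
```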
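Review bot: The SSH allow rule written here, `echo "export TF_VAR_bastion_nsg_source_prefix=${clientpublicip}" >> .zspserc`, takes `clientpublicip` from `$(curl -s ifconfig.me)` (set just before this hunk) without checking that the lookup succeeded or returned an address: an offline run persists an empty prefix, and because the lookup is plain HTTP to a third party, an on-path attacker can substitute an address of their choosing into the bastion NSG. Fetch over HTTPS with failure detection, e.g. `clientpublicip=$(curl -fsS https://ifconfig.me/ip)`, and run the result through the same CIDR regex the manual-entry path applies before writing it. Note that this path writes a bare IP while the manual path insists on a `/nn` suffix; Azure accepts both, but the inconsistency is worth a comment.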
@@ -156,14 +156,14 @@ read -r -p "Lock SSH access to a different IP address or range? Default is open case $changebastionip in yes|y ) read -r -p "Enter new IP Address or CIDR range (e.g. 2.2.2.2/32): " bastionipinput - echo "export TF_VAR_bastion_nsg_source_prefix=${bastionipinput}" >> .zsacrc + echo "export TF_VAR_bastion_nsg_source_prefix=${bastionipinput}" >> .zspserc if [[ $bastionipinput =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$ ]] then echo "$bastionipinput - IP/Netmask valid" else echo "$bastionipinput is not valid IP CIDR format" - echo "Delete .zsacrc file and re-run zsec up..." + echo "Delete .zspserc file and re-run zsec up..." exit 1 fi break 
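Review bot: The bastion source prefix is persisted before it is validated: `echo "export TF_VAR_bastion_nsg_source_prefix=${bastionipinput}" >> .zspserc` runs first and the CIDR regex only decides afterwards whether to exit, so an invalid value is already in the file when the script tells the user to delete it. If the user reruns without deleting, the `! -e ./.zspserc` guard skips the prompts and the unvalidated, unquoted value is sourced. Move the `echo` into the `then` branch after `echo "$bastionipinput - IP/Netmask valid"`; the same write-before-check ordering is repeated in the pse branch further down the script.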
@@ -179,39 +179,39 @@ fi fi echo "Checking Azure Environment Variables and Private Service Edge bootstrap requirements... For custom/byo deployments, please stop and refer to the README and terraform.tfvars file instructions" -# if .zsacrc is not present we'll assume that Azure env was never set -if [[ ! -e ./.zsacrc ]]; then +# if .zspserc is not present we'll assume that Azure env was never set +if [[ ! -e ./.zspserc ]]; then read -r -p "Enter Azure Subcription ID: " azure_subscription_id - echo "export ARM_SUBSCRIPTION_ID=${azure_subscription_id}" > .zsacrc + echo "export ARM_SUBSCRIPTION_ID=${azure_subscription_id}" > .zspserc read -r -p "Enter Directory (tenant) ID: " azure_tenant_id - echo "export ARM_TENANT_ID=${azure_tenant_id}" >> .zsacrc + echo "export ARM_TENANT_ID=${azure_tenant_id}" >> .zspserc read -r -p "Enter Application (client) ID of Service Principal: " azure_client_id - echo "export ARM_CLIENT_ID=${azure_client_id}" >> .zsacrc + echo "export ARM_CLIENT_ID=${azure_client_id}" >> .zspserc read -r -p "Enter Client Secret Value of Service Principal: " azure_client_secret - echo "export ARM_CLIENT_SECRET=${azure_client_secret}" >> .zsacrc + echo "export ARM_CLIENT_SECRET=${azure_client_secret}" >> .zspserc read -r -p "Enter Azure Region (e.g. westus2): " azure_location if [[ ${az_regions[*]} =~ $azure_location ]]; then - echo "export TF_VAR_arm_location='${azure_location}'" >> .zsacrc + echo "export TF_VAR_arm_location='${azure_location}'" >> .zspserc else echo "Invalid Azure region name entered." - echo "Delete .zsacrc file and re-run zsec up..." + echo "Delete .zspserc file and re-run zsec up..." 
exit 1 fi while true; do read -r -p "Enter ZPA Client ID: " zpa_client_id - echo "export ZPA_CLIENT_ID=\"${zpa_client_id}\"" >> .zsacrc + echo "export ZPA_CLIENT_ID=\"${zpa_client_id}\"" >> .zspserc read -r -p "Enter ZPA Client Secret: " zpa_client_secret - echo "export ZPA_CLIENT_SECRET=\"${zpa_client_secret}\"" >> .zsacrc + echo "export ZPA_CLIENT_SECRET=\"${zpa_client_secret}\"" >> .zspserc read -r -p "Enter ZPA Customer ID: " zpa_customer_id - echo "export ZPA_CUSTOMER_ID=\"${zpa_customer_id}\"" >> .zsacrc + echo "export ZPA_CUSTOMER_ID=\"${zpa_customer_id}\"" >> .zspserc read -r -p "Do you already have a Service Edge provisioning key to use? [yes/no] " prov_key_response case $prov_key_response in yes|y ) read -r -p "Enter the name of your existing Service Edge provisioning key: " byo_provisioning_key_name - echo "export TF_VAR_byo_provisioning_key=true" >> .zsacrc - echo "export TF_VAR_byo_provisioning_key_name=${byo_provisioning_key_name}" >> .zsacrc + echo "export TF_VAR_byo_provisioning_key=true" >> .zspserc + echo "export TF_VAR_byo_provisioning_key_name=${byo_provisioning_key_name}" >> .zspserc break ;; no|n ) @@ -230,7 +230,7 @@ clientpublicip=$(curl -s ifconfig.me) case $bastion_response in yes|y ) echo "Updating Bastion NSG to permit SSH only from ${clientpublicip}: " - echo "export TF_VAR_bastion_nsg_source_prefix=${clientpublicip}" >> .zsacrc + echo "export TF_VAR_bastion_nsg_source_prefix=${clientpublicip}" >> .zspserc useclientip=true break ;; 
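Review bot: `read -r -p "Enter ZPA Client Secret: " zpa_client_secret` displays the secret on screen, and the next line stores it inside double quotes (`export ZPA_CLIENT_SECRET=\"${zpa_client_secret}\"`) in a file that `. ./.zspserc` later executes, so `$`, backtick, `\` or `"` characters in the secret are expanded or break the file instead of being stored literally. Use `read -r -s` for the secret and `printf 'export ZPA_CLIENT_SECRET=%q\n' "$zpa_client_secret" >> .zspserc`, the only quoting form guaranteed to round-trip through `source`. Because the three ZPA prompts sit inside `while true; do` ahead of the provisioning-key question, an unrecognised answer there presumably re-runs them and appends a second set of exports (the `*)` branch that decides this is outside the hunk); hoisting the prompts above the loop avoids duplicate lines. The enclosing `if [[ ! -e ./.zspserc ]]` block continues past this hunk.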
@@ -248,14 +248,14 @@ read -r -p "Lock SSH access to a different IP address or range? Default is open case $changebastionip in yes|y ) read -r -p "Enter new IP Address or CIDR range (e.g. 2.2.2.2/32): " bastionipinput - echo "export TF_VAR_bastion_nsg_source_prefix=${bastionipinput}" >> .zsacrc + echo "export TF_VAR_bastion_nsg_source_prefix=${bastionipinput}" >> .zspserc if [[ $bastionipinput =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$ ]] then echo "$bastionipinput - IP/Netmask valid" else echo "$bastionipinput is not valid IP CIDR format" - echo "Delete .zsacrc file and re-run zsec up..." + echo "Delete .zspserc file and re-run zsec up..." exit 1 fi break @@ -271,12 +271,12 @@ fi psevm_instance_type_default=Standard_D4s_v3 while true; do - read -r -p "Enter desired Azure VM type for AC. [Default=$psevm_instance_type_default]: " psevm_instance_type_input + read -r -p "Enter desired Azure VM type for Private Service Edge. [Default=$psevm_instance_type_default]: " psevm_instance_type_input psevm_instance_type=${psevm_instance_type_input:-$psevm_instance_type_default} case $psevm_instance_type in Standard_D4s_v3|Standard_F4s_v2 ) echo "Private Service Edge VM type: ${psevm_instance_type}" - echo "export TF_VAR_psevm_instance_type=${psevm_instance_type}" >> .zsacrc + echo "export TF_VAR_psevm_instance_type=${psevm_instance_type}" >> .zspserc break ;; *) @@ -289,10 +289,10 @@ pse_count_default=2 pse_count=${pse_count_input:-$pse_count_default} if ((pse_count >= 1 && pse_count <= 20)); then echo "${dtype} will deploy ${pse_count} Private Service Edge in ${azure_location}" - echo "export TF_VAR_pse_count=${pse_count}" >> .zsacrc + echo "export TF_VAR_pse_count=${pse_count}" >> .zspserc else echo "invalid pse_count value. Must be a number between 1 and 20" - echo "Delete .zsacrc file and re-run zsec up..." + echo "Delete .zspserc file and re-run zsec up..." exit 1 fi 
@@ -305,11 +305,11 @@ zones_enabled_default=no
 zones_enabled=${zones_enabled_input:-$zones_enabled_default}
 case $zones_enabled in
 yes|y )
- echo "export TF_VAR_zones_enabled=true" >> .zsacrc
+ echo "export TF_VAR_zones_enabled=true" >> .zspserc
 break
 ;;
 no|n )
- echo "export TF_VAR_zones_enabled=false" >> .zsacrc
+ echo "export TF_VAR_zones_enabled=false" >> .zspserc
 echo "No zones defined. Proceeding with availability sets fault tolerance..."
 break
 ;;
@@ -368,28 +368,28 @@ case $zone3_response in
 done
 if [[ "$zone1_use" == "true" && "$zone2_use" == "false" && "$zone3_use" == "false" ]]; then
 echo "Zones selected: 1"
- echo "export TF_VAR_zones='[\"1\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"1\"]'" >> .zspserc
 elif [[ "$zone1_use" == "false" && "$zone2_use" == "true" && "$zone3_use" == "false" ]]; then
 echo "Zones selected: 2"
- echo "export TF_VAR_zones='[\"2\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"2\"]'" >> .zspserc
 elif [[ "$zone1_use" == "false" && "$zone2_use" == "false" && "$zone3_use" == "true" ]]; then
 echo "Zones selected: 3"
- echo "export TF_VAR_zones='[\"3\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"3\"]'" >> .zspserc
 elif [[ "$zone1_use" == "true" && "$zone2_use" == "true" && "$zone3_use" == "false" ]]; then
 echo "Zones selected: 1 and 2"
- echo "export TF_VAR_zones='[\"1\", \"2\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"1\", \"2\"]'" >> .zspserc
 elif [[ "$zone1_use" == "true" && "$zone2_use" == "true" && "$zone3_use" == "true" ]]; then
 echo "Zones selected: 1, 2, and 3"
- echo "export TF_VAR_zones='[\"1\", \"2\", \"3\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"1\", \"2\", \"3\"]'" >> .zspserc
 elif [[ "$zone1_use" == "true" && "$zone2_use" == "false" && "$zone3_use" == "true" ]]; then
 echo "Zones selected: 1 and 3"
- echo "export TF_VAR_zones='[\"1\", \"3\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"1\", \"3\"]'" >> .zspserc
 elif [[ "$zone1_use" == "false" && "$zone2_use" == "true" && "$zone3_use" == "true" ]]; then
 echo "Zones selected: 2 and 3"
- echo "export TF_VAR_zones='[\"2\", \"3\"]'" >> .zsacrc
+ echo "export TF_VAR_zones='[\"2\", \"3\"]'" >> .zspserc
 else
 echo "Invalid Zones selection. exiting..."
- echo "Delete .zsacrc file and re-run zsec up..."
+ echo "Delete .zspserc file and re-run zsec up..."
 exit 1
 fi
 fi
@@ -401,23 +401,23 @@ fi #add local bin directory to PATH -if ! grep -Fxq "export PATH=\${PATH}:\${PWD}/bin" .zsacrc; then - echo 'export PATH=${PATH}:${PWD}/bin' >> .zsacrc +if ! grep -Fxq "export PATH=\${PATH}:\${PWD}/bin" .zspserc; then + echo 'export PATH=${PATH}:${PWD}/bin' >> .zspserc fi -# add deployment type to .zsacrc for future runs +# add deployment type to .zspserc for future runs if [[ "$oper" == "up" ]]; then - echo "Updating .zsacrc with dtype of $dtype" - sed -i'' -e '/dtype/d' .zsacrc - echo "export dtype=${dtype}" >> .zsacrc + echo "Updating .zspserc with dtype of $dtype" + sed -i'' -e '/dtype/d' .zspserc + echo "export dtype=${dtype}" >> .zspserc fi # initialize environment variables -. ./.zsacrc +. ./.zspserc -# check for valid environment variables in .zsacrc +# check for valid environment variables in .zspserc if [ -z "$ARM_CLIENT_ID" ] || [ -z "$ARM_CLIENT_SECRET" ] || [ -z "$ARM_SUBSCRIPTION_ID" ] || [ -z "$ARM_TENANT_ID" ] || [ -z "$TF_VAR_arm_location" ]; then - echo "Azure Access info is missing. Remove .zsacrc file and rerun $0 $1" + echo "Azure Access info is missing. Remove .zspserc file and rerun $0 $1" exit 1 fi @@ -460,7 +460,7 @@ elif [[ "$oper" == "destroy" ]]; then rm -rf systems.json setup-*.tar rm -rf **/errorlog.txt now=$(date +'%Y-%m-%d-%H_%M_%S') - echo "archiving .zsacrc file to .zsacrc-${now}" - cp .zsacrc .zsacrc-${now} - rm -rf .zsacrc && rm -rf .zsacrc.bak + echo "archiving .zspserc file to .zspserc-${now}" + cp .zspserc .zspserc-${now} + rm -rf .zspserc && rm -rf .zspserc.bak fi diff --git a/modules/terraform-zpse-vm-azure/README.md b/modules/terraform-zpse-vm-azure/README.md index 50904a6..10f1943 100644 --- a/modules/terraform-zpse-vm-azure/README.md +++ b/modules/terraform-zpse-vm-azure/README.md 
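Review bot: The destroy path copies `.zspserc`, which holds `ARM_CLIENT_SECRET` and `ZPA_CLIENT_SECRET` in plaintext, to `.zspserc-${now}` and leaves that archive in the working tree indefinitely, so tearing down the deployment does not retire the credentials from disk. If the archive is meant to preserve deployment settings, drop the secret lines and restrict the copy, e.g. `grep -v -E 'CLIENT_SECRET=' .zspserc > ".zspserc-${now}" && chmod 600 ".zspserc-${now}"`. The `rm -rf .zspserc && rm -rf .zspserc.bak` calls act on regular files and should be `rm -f`; `-r` adds nothing here but would recurse if a directory of that name ever appeared. It is also worth confirming that `.zspserc*` is covered by the repository's `.gitignore`, which is not visible in this diff.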
@@ -52,11 +52,11 @@ No modules. | [pse\_count](#input\_pse\_count) | The number of Private Service Edges to deploy. Validation assumes max for /24 subnet but could be smaller or larger as long as subnet can accommodate | `number` | `1` | no | | [pse\_nsg\_id](#input\_pse\_nsg\_id) | Private Service Edge management interface nsg id | `list(string)` | n/a | yes | | [pse\_subnet\_id](#input\_pse\_subnet\_id) | Private Service Edge subnet id | `list(string)` | n/a | yes | -| [pse\_username](#input\_pse\_username) | Default Private Service Edge admin/root username | `string` | `"zsroot"` | no | -| [psevm\_image\_offer](#input\_psevm\_image\_offer) | Azure Marketplace Zscaler Private Service Edge Image Offer | `string` | `"CentOS"` | no | -| [psevm\_image\_publisher](#input\_psevm\_image\_publisher) | Azure Marketplace Zscaler Private Service Edge Image Publisher | `string` | `"Ntegral"` | no | -| [psevm\_image\_sku](#input\_psevm\_image\_sku) | Azure Marketplace Zscaler Private Service Edge Image SKU | `string` | `"ntg_centos_7"` | no | -| [psevm\_image\_version](#input\_psevm\_image\_version) | Azure Marketplace Private Service Edge Image Version | `string` | `"latest"` | no | +| [pse\_username](#input\_pse\_username) | Default Private Service Edge admin/root username | `string` | `"zpse-admin"` | no | +| [psevm\_image\_offer](#input\_psevm\_image\_offer) | Azure Marketplace CIS CentOS Image Offer | `string` | `"cis-centos-7-v2-1-1-l1"` | no | +| [psevm\_image\_publisher](#input\_psevm\_image\_publisher) | Azure Marketplace CIS CentOS Image Publisher | `string` | `"center-for-internet-security-inc"` | no | +| [psevm\_image\_sku](#input\_psevm\_image\_sku) | Azure Marketplace CIS CentOS Image SKU | `string` | `"cis-centos7-l1"` | no | +| [psevm\_image\_version](#input\_psevm\_image\_version) | Azure Marketplace CIS CentOS Image Version | `string` | `"3.1.15"` | no | | [psevm\_instance\_type](#input\_psevm\_instance\_type) | Private Service Edge Image size | `string` | 
`"Standard_D2s_v3"` | no | | [resource\_group](#input\_resource\_group) | Main Resource Group Name | `string` | n/a | yes | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the AC VM module resources | `string` | `null` | no | diff --git a/modules/terraform-zpse-vm-azure/variables.tf b/modules/terraform-zpse-vm-azure/variables.tf index 0abfd19..f0997b2 100755 --- a/modules/terraform-zpse-vm-azure/variables.tf +++ b/modules/terraform-zpse-vm-azure/variables.tf @@ -34,7 +34,7 @@ variable "pse_subnet_id" { variable "pse_username" { type = string description = "Default Private Service Edge admin/root username" - default = "zsroot" + default = "zpse-admin" } variable "ssh_key" { @@ -62,26 +62,26 @@ variable "user_data" { variable "psevm_image_publisher" { type = string - description = "Azure Marketplace Zscaler Private Service Edge Image Publisher" - default = "Ntegral" + description = "Azure Marketplace CIS CentOS Image Publisher" + default = "center-for-internet-security-inc" } variable "psevm_image_offer" { type = string - description = "Azure Marketplace Zscaler Private Service Edge Image Offer" - default = "CentOS" + description = "Azure Marketplace CIS CentOS Image Offer" + default = "cis-centos-7-v2-1-1-l1" } variable "psevm_image_sku" { type = string - description = "Azure Marketplace Zscaler Private Service Edge Image SKU" - default = "ntg_centos_7" + description = "Azure Marketplace CIS CentOS Image SKU" + default = "cis-centos7-l1" } variable "psevm_image_version" { type = string - description = "Azure Marketplace Private Service Edge Image Version" - default = "latest" + description = "Azure Marketplace CIS CentOS Image Version" + default = "3.1.15" } variable "pse_count" {
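Review bot: Pinning `psevm_image_version` to `"3.1.15"` instead of `"latest"` makes deployments reproducible, but nothing in the module bumps it, so OS patches rolled into newer CIS images will not be picked up until someone edits this default; add a comment above the variable such as `# Pinned on purpose: bump deliberately after validating the new CIS image; security fixes only arrive with a new version.` Switching the publisher to `center-for-internet-security-inc` selects a paid Marketplace image, and azurerm VM resources built from such images normally need a `plan { name / publisher / product }` block plus accepted terms; if the VM resource in this module does not already carry one (not visible here), `apply` will fail at image lookup. The `pse_username` default change to `zpse-admin` in the first hunk is consistent with the README and the example outputs.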