feat: AWS Service Edge release

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @willguibr @jmolnar-zscaler

.gitignore

@@ -0,0 +1,51 @@
+# Local .terraform directories
+**/.terraform/*
+**/.terraform./*
+examples/**/.terraform/*
+examples/**/.terraform.*
+modules/**/.terraform.*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+examples/**/*.tfstate.*
+
+# Local artifacts after running terraform
+*.pem
+*.pub
+examples/.*rc*
+*.rc*
+**/bin/*
+user_data
+system-*.tar
+**/testbed*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# IDE stuff
+.idea/
+.DS_Store
+
+# My stuff
+.todo

.gitlint

@@ -0,0 +1,107 @@
+# Edit this file as you like.
+#
+# All these sections are optional. Each section with the exception of [general] represents
+# one rule and each key in it is an option for that specific rule.
+#
+# Rules and sections can be referenced by their full name or by id. For example
+# section "[body-max-line-length]" could be written as "[B1]". Full section names are
+# used in here for clarity.
+#
+[general]
+# Ignore certain rules, this example uses both full name and id
+# ignore=title-trailing-punctuation, T3
+ignore=B6
+
+# verbosity should be a value between 1 and 3, the commandline -v flags take precedence over this
+# verbosity = 2
+
+# By default gitlint will ignore merge, revert, fixup and squash commits. 
+# ignore-merge-commits=true
+# ignore-revert-commits=true
+# ignore-fixup-commits=true
+# ignore-squash-commits=true
+
+# Ignore any data send to gitlint via stdin
+# ignore-stdin=true
+
+# Fetch additional meta-data from the local repository when manually passing a 
+# commit message to gitlint via stdin or --commit-msg. Disabled by default.
+# staged=true
+
+# Enable debug mode (prints more output). Disabled by default.
+# debug=true
+
+# Enable community contributed rules
+# See http://jorisroovers.github.io/gitlint/contrib_rules for details
+# contrib=contrib-title-conventional-commits,CC1
+
+# Set the extra-path where gitlint will search for user defined rules
+# See http://jorisroovers.github.io/gitlint/user_defined_rules for details
+# extra-path=examples/
+
+# This is an example of how to configure the "title-max-length" rule and
+# set the line-length it enforces to 80
+# [title-max-length]
+# line-length=50
+
+# [title-must-not-contain-word]
+# Comma-separated list of words that should not occur in the title. Matching is case
+# insensitive. It's fine if the keyword occurs as part of a larger word (so "WIPING"
+# will not cause a violation, but "WIP: my title" will.
+# words=wip
+
+# [title-match-regex]
+# python like regex (https://docs.python.org/2/library/re.html) that the
+# commit-msg title must be matched to.
+# Note that the regex can contradict with other rules if not used correctly
+# (e.g. title-must-not-contain-word).
+# regex=^US[0-9]*
+
+# [body-max-line-length]
+# line-length=72
+
+# [body-min-length]
+# min-length=5
+
+# [body-is-missing]
+# Whether to ignore this rule on merge commits (which typically only have a title)
+# default = True
+# ignore-merge-commits=false
+
+# [body-changed-file-mention]
+# List of files that need to be explicitly mentioned in the body when they are changed
+# This is useful for when developers often erroneously edit certain files or git submodules.
+# By specifying this rule, developers can only change the file when they explicitly reference
+# it in the commit message.
+# files=gitlint/rules.py,README.md
+
+# [author-valid-email]
+# python like regex (https://docs.python.org/2/library/re.html) that the
+# commit author email address should be matched to
+# For example, use the following regex if you only want to allow email addresses from foo.com
+# regex=[^@][email protected]
+
+# [ignore-by-title]
+# Ignore certain rules for commits of which the title matches a regex
+# E.g. Match commit titles that start with "Release"
+# regex=^Release(.*)
+
+# Ignore certain rules, you can reference them by their id or by their full name
+# Use 'all' to ignore all rules
+# ignore=T1,body-min-length
+
+# [ignore-by-body]
+# Ignore certain rules for commits of which the body has a line that matches a regex
+# E.g. Match bodies that have a line that that contain "release"
+# regex=(.*)release(.*)
+#
+# Ignore certain rules, you can reference them by their id or by their full name
+# Use 'all' to ignore all rules
+# ignore=T1,body-min-length
+
+# This is a contrib rule - a community contributed rule. These are disabled by default.
+# You need to explicitly enable them one-by-one by adding them to the "contrib" option
+# under [general] section above.
+# [contrib-title-conventional-commits]
+# Specify allowed commit types. For details see: https://www.conventionalcommits.org/
+# types = bugfix,user-story,epic

.pre-commit-config.yaml

@@ -0,0 +1,37 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.75.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_validate
+      - id: terraform_docs
+        args:
+          - '--args=--lockfile=false'
+      - id: terraform_tflint
+        args:
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_documented_variables'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+  - repo: https://github.com/jorisroovers/gitlint
+    rev:  v0.17.0
+    hooks:
+    -   id: gitlint
+  - repo: https://github.com/Yelp/detect-secrets
+    rev:  v1.4.0
+    hooks:
+    -   id: detect-secrets

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Zscaler, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1 +1,81 @@
-initial commit
+<a href="https://terraform.io">
+    <img src="https://raw.githubusercontent.com/hashicorp/terraform-website/master/public/img/logo-text.svg" alt="Terraform logo" title="Terraform" height="50" width="250" />
+</a>
+<a href="https://www.zscaler.com/">
+    <img src="https://www.zscaler.com/themes/custom/zscaler/logo.svg" alt="Zscaler logo" title="Zscaler" height="50" width="250" />
+</a>
+
+Zscaler Service Edge AWS Terraform Modules
+===========================================================================================================
+
+
+## Description
+This repository contains various modules and deployment configurations that can be used to deploy Zscaler Service Edge appliances to securely connect to workloads within Amazon Web Services (AWS) via the Zscaler Zero Trust Exchange. The examples directory contains complete automation scripts for both greenfield/POV and brownfield/production use.
+
+These deployment templates are intended to be fully functional and self service for both greenfield/pov as well as production use. All modules may also be utilized as design recommendation based on Zscaler's Official [Zero Trust Access to Private Apps in AWS with ZPA](https://www.zscaler.com/resources/reference-architecture/zero-trust-with-zpa.pdf).
+
+## Prerequisites
+
+Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary and provider support for MacOS M1 chips, but any Terraform version 0.13.7 should be generally supported.
+
+- provider registry.terraform.io/hashicorp/aws v4.7.x
+- provider registry.terraform.io/hashicorp/random v3.3.x
+- provider registry.terraform.io/hashicorp/local v2.2.x
+- provider registry.terraform.io/hashicorp/null v3.1.x
+- provider registry.terraform.io/providers/hashicorp/tls v3.4.x
+- provider registry.terraform.io/providers/zscaler/zpa v2.5.x
+
+### AWS requirements
+1. A valid AWS account
+2. AWS ACCESS KEY ID
+3. AWS SECRET ACCESS KEY
+4. AWS Region (E.g. us-west-2)
+5. Subscribe and accept terms of using Amazon Linux 2 AMI (for base deployments with workloads + bastion) at [this link](https://aws.amazon.com/marketplace/pp/prodview-zc4x2k7vt6rpu)
+6. Subscribe and accept terms of using Zscaler Service Edge image at [this link](https://aws.amazon.com/marketplace/pp/prodview-epy3md7fcvk4g)
+
+### Zscaler requirements
+7. A valid Zscaler Private Access subscription and portal access
+8. Zscaler ZPA API Keys. Details on how to find and generate ZPA API keys can be located here: https://help.zscaler.com/zpa/about-api-keys#:~:text=An%20API%20key%20is%20required,from%20the%20API%20Keys%20page
+- Client ID
+- Client Secret
+- Customer ID
+9. (Optional) An existing Service Edge Group and Provisioning Key. Otherwise, you can follow the prompts in the examples terraform.tfvars to create a new Connector Group and Provisioning Key
+
+See: [Zscaler Service Edge AWS Deployment Guide](https://help.zscaler.com/zpa/service-edge-deployment-guide-amazon-web-services) for additional prerequisite provisioning steps.
+
+## How to deploy
+Provisioning templates are available for customer use/reference to successfully deploy fully operational Service Edge appliances once the prerequisites have been completed. Please follow the instructions located in [examples](examples/README.md).
+
+## Format
+
+This repository follows the [Hashicorp Standard Modules Structure](https://www.terraform.io/registry/modules/publish):
+
+* `modules` - All module resources utilized by and customized specifically for Service Edge deployments. The intent is these modules are resusable and functional for any deployment type referencing for both production or lab/testing purposes.
+* `examples` - Zscaler provides fully functional deployment templates utilizing a combination of some or all of the modules published. These can utilized in there entirety or as reference templates for more advanced customers or custom deployments. For novice Terraform users, we also provide a bash script (zspse) that can be run from any Linux/Mac OS or CSP Cloud Shell that walks through all provisioning requirements as well as downloading/running an isolated teraform process. This allows Service Edge deployments from any supported client without needing to even have Terraform installed or know how the language/syntax for running it.
+
+## Versioning
+
+These modules follow recommended release tagging in [Semantic Versioning](http://semver.org/). You can find each new release,
+along with the changelog, on the GitHub [Releases](https://github.com/zscaler/terraform-aws-zpa-private-service-edge-modules/releases) page.
+
+# License and Copyright
+
+Copyright (c) 2022 Zscaler, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

examples/README.md

@@ -0,0 +1,92 @@
+# Zscaler Service Edge Cluster Infrastructure Setup
+
+**Terraform configurations and modules for deploying Zscaler Service Edge Cluster in AWS.**
+
+## Prerequisites (You will be prompted for AWS keys and region during deployment)
+
+### AWS requirements
+1. A valid AWS account
+2. AWS ACCESS KEY ID
+3. AWS SECRET ACCESS KEY
+4. AWS Region (E.g. us-west-2)
+5. Subscribe and accept terms of using Amazon Linux 2 AMI (for base deployments with workloads + bastion) at [this link](https://aws.amazon.com/marketplace/pp/prodview-zc4x2k7vt6rpu)
+6. Subscribe and accept terms of using Zscaler Private Service Edge image at [this link](https://aws.amazon.com/marketplace/pp/prodview-wribnrdlalkme)
+
+### Zscaler requirements
+7. A valid Zscaler Private Access subscription and portal access
+8. Zscaler ZPA API Keys. Details on how to find and generate ZPA API keys can be located here: https://help.zscaler.com/zpa/about-api-keys#:~:text=An%20API%20key%20is%20required,from%20the%20API%20Keys%20page
+- Client ID
+- Client Secret
+- Customer ID
+9. (Optional) An existing Service Edge Group and Provisioning Key. Otherwise, you can follow the prompts in the examples terraform.tfvars to create a new Connector Group and Provisioning Key
+
+See: [Zscaler Service Edge AWS Deployment Guide](https://help.zscaler.com/zpa/service-edge-deployment-guide-amazon-web-services) for additional prerequisite provisioning steps.
+
+## Deploying the cluster
+(The automated tool can run only from MacOS and Linux. You can also upload all repo contents to the respective public cloud provider Cloud Shells and run directly from there).   
+
+**1. Greenfield Deployments**
+
+(Use this if you are building an entire cluster from ground up.
+ Particularly useful for a Customer Demo/PoC or dev-test environment)
+
+```
+bash
+cd examples
+Optional: Edit the terraform.tfvars file under your desired deployment type (ie: base_pse) to setup your Service Edge Group (Details are documented inside the file)
+- ./zspse up
+- enter "greenfield"
+- enter <desired deployment type>
+- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zspse script*
+- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
+- inputs will be validated and terraform init/apply will automatically exectute.
+- verify all resources that will be created/modified and enter "yes" to confirm
+```
+
+**Greenfield Deployment Types:**
+
+```
+Deployment Type: (base | base_pse | base_pse_asg):
+base: Creates 1 new VPC with 1 public subnet and 1 private/workload subnet; 1 IGW; 1 NAT Gateway; 1 Bastion Host in the public subnet assigned an Elastic IP and routing to the IGW; generates local key pair .pem file for ssh access. This template alone will NOT create any Service Edge appliances
+base_pse: Base Deployment Type + Creates Service Edge private subnets and Service Edge VMs egressing through the NAT Gateways in their respective availability zones. Please refer to additional requirements in this deployment folder terraform.tfvars file prior to running to step through requirements to create a new Service Edge Group if you do NOT already have one created.
+base_pse_asg: Base Deployment Type + Creates Service Edges via Launch Template in an Autoscaling Group. Please refer to additional requirements in this deployment folder terraform.tfvars file prior to running to step through requirements to create a new Service Edge Group if you do NOT already have one created.
+```
+
+**2. Brownfield Deployments**
+
+(These templates would be most applicable for production deployments and have more customization options than a "base" deployments). They also do not include a bastion host deployed.
+
+```
+bash
+cd examples
+Optional: Edit the terraform.tfvars file under your desired deployment type (ie: ac) to setup your Service Edge (Details are documented inside the file)
+- ./zspse up
+- enter "brownfield"
+- enter <desired deployment type>
+- follow prompts for any additional configuration inputs. *keep in mind, any modifications done to terraform.tfvars first will override any inputs from the zspse script*
+- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
+- inputs will be validated and terraform init/apply will automatically exectute.
+- verify all resources that will be created/modified and enter "yes" to confirm
+```
+
+**Brownfield Deployment Types**
+
+```
+Deployment Type: (pse | pse_asg):
+pse: Creates 1 new VPC with 2 public subnets and 2 Service Edge private subnets; 1 IGW; 2 NAT Gateways; 2 Service Edge VMs (1 per subnet/AZ) routing to the NAT Gateway in their same AZ; generates local key pair .pem file for ssh access; The number of Service Edges and subnets deployed is customizable; There are also "byo" variables providing the ability to use existing resources (VPC, subnets, IGW, NAT Gateways, IAM, Security Groups, etc.) generates local key pair .pem file for ssh access to all instances. Please refer to additional requirements in this deployment folder terraform.tfvars file prior to running to step through requirements to create a new Service Edge Group if you do NOT already have one created or if you intend to reference any existing byo network resources.
+pse_asg: Same resource creation and "byo" options as pse deployment type, but the Service Edges VMs are instead deployed via a Launch Template in Autoscaling Group configuration. Please refer to additional requirements in this deployment folder terraform.tfvars file prior to running to step through requirements to create a new Service Edge Group if you do NOT already have one created or if you intend to reference any existing byo network resources.
+```
+
+## Destroying the cluster
+```
+cd examples
+- ./zspse destroy
+- verify all resources that will be destroyed and enter "yes" to confirm
+```
+
+## Notes
+```
+1. For auto approval set environment variable **AUTO_APPROVE** or add `export AUTO_APPROVE=1`
+2. For deployment type set environment variable **dtype** to the required deployment type or add `export dtype=base_pse`
+3. To provide new credentials or region, delete the autogenerated .zspserc file in your current working directory and re-run zspse.
+```