## This is only a sample terraform.tfvars file.
## Uncomment and change the below variables according to your specific environment.
## A populated copy holds environment-specific identifiers (subscription IDs, Key Vault URL, provisioning URL):
## keep it out of shared or public source control, and never put credentials in this file -
## the secrets the Cloud Connector needs belong in the Key Vault referenced below.
#####################################################################################################################
##### Variables are populated automatically if Terraform is run via the ZSEC bash script. #####
##### Modifying the variables in this file will override any inputs from ZSEC #####
#####################################################################################################################
## 1. Provide the Azure Subscription ID that Terraform will authenticate against via the azurerm provider.
## ** Note ** This is auto-populated for you by the ZSEC bash script, so only uncomment it if running Terraform manually.
## E.g "abc12345-6789-0123-a456-bc1234567de8"
#env_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
#####################################################################################################################
##### Cloud Init Provisioning variables for userdata file #####
#####################################################################################################################
## 2. Zscaler Cloud Connector Provisioning URL E.g. connector.zscaler.net/api/v1/provUrl?name=azure_prov_url
#cc_vm_prov_url = "connector.zscaler.net/api/v1/provUrl?name=azure_prov_url"
## 3. Azure Vault URL E.g. "https://zscaler-cc-demo.vault.azure.net"
#azure_vault_url = "https://zscaler-cc-demo.vault.azure.net"
## 4. Cloud Connector cloud-init provisioning listener port. This is required for Azure LB Health Probe deployments.
## Uncomment and set a custom probe port to a single value of 80 or any number between 1024-65535. Default is 50000.
## Note: this port only needs to be reachable by the Azure load balancer's health probe; if you manage your own NSGs,
## scope the inbound rule for it to the AzureLoadBalancer service tag rather than opening it to a wider source range.
#http_probe_port = 50000
#####################################################################################################################
##### Prerequisite Provisioned Managed Identity Resource and Resource Group #####
##### Managed Identity should have GET/LIST access to Key Vault Secrets and a #####
##### network role assignment on the Subscription or RG where Cloud Connectors #####
##### will be provisioned, granted prior to terraform deployment. #####
##### Network Contributor is sufficient but grants far more than is needed; the #####
##### minimum is a custom role scoped to that RG with only #####
##### Microsoft.Network/networkInterfaces/read. #####
#####################################################################################################################
## 5. Provide the Azure Subscription ID where the User Managed Identity resides. Leave commented out unless the
## Managed Identity is in a different Subscription than the one where Cloud Connector is being deployed.
## E.g "abc12345-6789-0123-a456-bc1234567de8"
#managed_identity_subscription_id = "abc12345-6789-0123-a456-bc1234567de8"
## 6. Provide your existing Azure Managed Identity name to attach to the CC VM. E.g cloud_connector_managed_identity
#cc_vm_managed_identity_name = "cloud_connector_managed_identity"
## 7. Provide the existing Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. cloud_connector_rg_1
#cc_vm_managed_identity_rg = "cloud_connector_rg_1"
#####################################################################################################################
##### Custom variables. Only change if required for your environment #####
#####################################################################################################################
## 8. The name string for all Cloud Connector resources created by Terraform for Tag/Name attributes. (Default: zscc)
#name_prefix = "zscc"
## 9. Azure region where Cloud Connector resources will be deployed. This environment variable is automatically populated if running ZSEC script
## and thus will override any value set here. Only uncomment and set this value if you are deploying terraform standalone. (Default: westus2)
#arm_location = "westus2"
## 10. Cloud Connector Azure VM Instance size selection. Uncomment ccvm_instance_type line with desired vm size to change.
## (Default: Standard_D2s_v3)
#ccvm_instance_type = "Standard_D2s_v3"
## 11. By default, no zones are specified in any resource creation meaning they are either auto-assigned by Azure
## (Virtual Machines and NAT Gateways) or Zone-Redundant (Public IP) based on whatever default configuration is.
## Setting this value to true will do the following:
## 1. will create zonal NAT Gateway resources in order of the zones [1-3] specified in zones variable. 1x per zone
## 2. will NOT create availability set resource nor associate Cloud Connector VMs to one
## 3. will create zonal Cloud Connector Virtual Machine appliances looping through and alternating per the order of the zones
## [1-3] specified in the zones variable AND total number of Cloud Connectors specified in cc_count variable.
## (Default: false)
#zones_enabled = true
## 12. By default, this variable is used as a count (1) for resource creation of Public IP, NAT Gateway, and CC Subnets.
## This should only be modified if zones_enabled is also set to true
## Doing so will change the default zone aware configuration for the 3 aforementioned resources with the values specified
##
## Use case: Define zone numbers "1" and "2". This will create 2x Public IPs (one in zone 1; the other in zone 2),
## 2x NAT Gateways (one in zone 1; the other in zone 2), associate the zone 1 PIP w/ zone 1 NAT GW and the zone 2
## PIP w/ zone 2 NAT GW, create 2x CC Subnets and associate subnet 1 w/ zone 1 NAT GW and subnet 2 w/ zone 2 NAT GW,
## then each CC created will be assigned a zone in the subnet corresponding to the same zone of the NAT GW and PIP associated.
## Uncomment one of the desired zones configuration below.
#zones = ["1"]
#zones = ["1","2"]
#zones = ["1","2","3"]
## 13. Network Configuration:
## IPv4 CIDR configured with VNet creation. All Subnet resources (Workload, Public, and Cloud Connector) will be created based off this prefix
## /24 subnets are created assuming this cidr is a /16. If you require creating a VNet smaller than /16, you may need to explicitly define all other
## subnets via public_subnets, workload_subnets, and cc_subnets variables (Default: "10.1.0.0/16")
## Note: This variable only applies if you let Terraform create a new VNet. Custom deployment with byo_vnet enabled will ignore this
#network_address_space = "10.1.0.0/16"
## Subnet space. (Minimum /28 required. Default is null). If you do not specify subnets, they will automatically be assigned based on the default cidrsubnet
## creation within the VNet address_prefix block. Uncomment and modify if byo_vnet is set to true but byo_subnets is left false meaning you want terraform to create
## NEW subnets in that existing VNet, OR if you change network_address_space from the default /16 to a smaller CIDR, in which case you may need to edit the below variables
## to fit that address space.
## ***** Note *****
## It does not matter how many subnets you specify here: this script will only create, in order, 1 subnet or as many as are defined in the zones variable.
## Default/Minimum: 1 - Maximum: 3
## Example: If you change network_address_space to "10.2.0.0/24", set below variables to cidrs that fit in that /24 like cc_subnets = ["10.2.0.0/27","10.2.0.32/27"] etc.
#public_subnets = ["10.x.y.z/24","10.x.y.z/24"]
#workloads_subnets = ["10.x.y.z/24","10.x.y.z/24"]
#cc_subnets = ["10.x.y.z/24","10.x.y.z/24"]
## 14. Number of Workload VMs to be provisioned in the workload subnet. Only limitation is available IP space
## in subnet configuration. Only applicable for "base" deployment types. Default workload subnet is /24 so 250 max
#workload_count = 2
## 15. Tag attribute "Owner" assigned to all resources created. (Default: "zscc-admin")
#owner_tag = "[email protected]"
## 16. Tag attribute "Environment" assigned to all resources created. (Default: "Development")
#environment = "Development"
## 17. By default, host encryption is enabled for Cloud Connector VMs. This requires the EncryptionAtHost feature
## to be enabled for your subscription first.
## You can verify this by following the Azure Prerequisites guide here:
## https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli#prerequisites
##
## Uncomment to disable this VM setting. Doing so removes host-level encryption at rest for the Cloud Connector VMs;
## for production, register the EncryptionAtHost feature on the subscription rather than turning this off.
#encryption_at_host_enabled = false
## 18. By default, if Terraform is creating NSGs, an outbound rule named Zscaler_Support_Access is configured enabling
## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule.
## Review the destinations this rule permits (see the links below) against your egress policy before leaving it enabled in production.
##
## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and
## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access
#support_access_enabled = false
## 19. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace.
## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the
## Cloud Connector deployment with a private VHD instead of using the marketplace publisher.
## *** This is recommended only for testing purposes and not supported for production deployments ***
## A private image bypasses the Marketplace publisher; only reference images whose provenance you control and have verified.
## Example: /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Compute/images/<image_name>
#ccvm_source_image_id = "<insert path to image>"
#vmss_default_ccs = 2 # number of CCs the VMSS defaults to if no metrics are published; recommended to set to the same value as vmss_min_ccs
#vmss_min_ccs = 2
#vmss_max_ccs = 4
# Note: Per Azure recommended reference architecture/resiliency, the number of Virtual Machine Scale Sets created will be based on region zones support
# AND Terraform configuration enablement. e.g. If you set var.zones_enabled to true and specify 2x AZs in var.zones, Terraform will expect
# 2x separate Cloud Connector private subnets and create 2x separate VMSS resources; one in subnet-1 and the other in subnet-2.
# Therefore, vmss_default/min/max are PER VMSS. For example if you set vmss_min_ccs to 2 with 2x AZs, you will end up with 2x VMSS each with 2x CCs
# for a total of 4x Cloud Connectors in the cluster behind Azure Load Balancer
#scale_in_threshold = 30
#scale_out_threshold = 70
#terminate_unhealthy_instances = false
## Variables for enabling scheduled scaling, leaving it commented out will default to no scheduled scaling and will scale
## purely off the load on the CCs
#scheduled_scaling_enabled = true
#scheduled_scaling_vmss_min_ccs = 4
#scheduled_scaling_days_of_week = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
#scheduled_scaling_start_time_hour = 8
#scheduled_scaling_start_time_min = 30
#scheduled_scaling_end_time_hour = 17
#scheduled_scaling_end_time_min = 30
# Azure Function App Source
#upload_function_app_zip = true
# URL the Function App package is fetched from. Pin this to a trusted, version-specific artifact and verify its
# integrity (e.g. compare a published checksum) before deploying: whoever can alter the package at this URL
# controls code that runs under the Function App's managed identity.
#zscaler_cc_function_public_url = "<file-url>"
#existing_storage_account = false
#existing_storage_account_name = "<storage-account-name>"
#existing_storage_account_rg = "<storage-account-resource-group>"
#### Optional inputs: By default, Terraform will use the same Managed Identity as the CC VMSS for the Function App.
#### Consider a dedicated identity for the Function App so it does not inherit the CC identity's network and Key Vault permissions.
# Provide your existing Azure Managed Identity name to attach to the Function App. E.g. function_app_managed_identity
#function_app_managed_identity_name = "function_app_managed_identity"
# Provide the existing Resource Group of the Azure Managed Identity to attach to the Function App. E.g. function_rg_1
#function_app_managed_identity_rg = "function_rg_1"