This deployment type is intended for greenfield/pov/lab purposes. It will deploy a fully functioning sandbox environment in a new Management and Service VPC with a test workload VM and bastion host. Full set of resources provisioned listed below, but this will effectively create all network infrastructure dependencies for a GCP environment. Creates 1 new "Management" VPC with 1 CC-Mgmt subnet and 1 bastion subnet; 1 "Service" VPC with 1 CC-Service subnet and 1 workload subnet; 1 Cloud Router + NAT Gateway per VPC; 1 Ubuntu client workload with a tagged default route next-hop to Cloud Connector service network instance; 1 Bastion Host assigned a dynamic public IP; generates local key pair .pem file for ssh access to all VMs.
Additionally: Creates 1 Cloud Connector compute instance template + between [1-3] zonal managed instance groups to deploy Cloud Connector appliances with a dedicated service account associated for accessing Secret Manager. This template also leverages the terraform-zscc-ilb-gcp module to create the necessary backend service, forwarding rule, health check, and firewall rules needed to front all cloud connector instances for highly available/resilient workload traffic forwarding.
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec up
- enter "greenfield"
- enter "base_cc_ilb"
- follow the remainder of the authentication and configuration input prompts.
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
Modify/populate any required variable input values in base_cc_ilb/terraform.tfvars file and save.
From base_cc_ilb directory execute:
- terraform init
- terraform apply
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec destroy
From base_cc_ilb directory execute:
- terraform destroy
| Name | Version |
|---|---|
| terraform | >= 0.13.7, < 2.0.0 |
| ~> 5.11.0 | |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Version |
|---|---|
| ~> 5.11.0 | |
| local | ~> 2.2.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Source | Version |
|---|---|---|
| bastion | ../../modules/terraform-zscc-bastion-gcp | n/a |
| cc_vm | ../../modules/terraform-zscc-ccvm-gcp | n/a |
| iam_service_account | ../../modules/terraform-zscc-iam-service-account-gcp | n/a |
| ilb | ../../modules/terraform-zscc-ilb-gcp | n/a |
| network | ../../modules/terraform-zscc-network-gcp | n/a |
| workload | ../../modules/terraform-zscc-workload-gcp | n/a |
| Name | Type |
|---|---|
| google_compute_route.route_to_cc_vm | resource |
| local_file.private_key | resource |
| local_file.testbed | resource |
| local_file.user_data_file | resource |
| random_string.suffix | resource |
| tls_private_key.key | resource |
| google_compute_image.zs_cc_img | data source |
| google_compute_zones.available | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_global_access | true: Clients can access ILB from all regions; false: Only allow access from clients in the same region as the internal load balancer. | bool |
false |
no |
| allowed_ports | A list of ports to permit inbound to Cloud Connector Service VPC. Default empty list means to allow all. | list(string) |
[] |
no |
| az_count | Default number zonal instance groups to create based on availability zone | number |
2 |
no |
| base_instance_name | The base instance name to use for instances in this group. The value must be a valid RFC1035 name. Supported characters are lowercase letters, numbers, and hyphens (-). Instances are named by appending a hyphen and a random four-character string to the base instance name | list(string) |
[ |
no |
| bastion_ssh_allow_ip | CIDR blocks of trusted networks for bastion host ssh access from Internet | list(string) |
[ |
no |
| cc_count | Default number of Cloud Connector appliances to create per Instance Group/Availability Zone | number |
2 |
no |
| cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string |
n/a | yes |
| ccvm_instance_type | Cloud Connector Instance Type | string |
"n2-standard-2" |
no |
| credentials | Path to the service account json file for terraform to authenticate to Google Cloud | string |
n/a | yes |
| default_nsg | Default CIDR list to permit workload traffic destined for Cloud Connector | list(string) |
[ |
no |
| fw_cc_mgmt_ssh_ingress_name | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting SSH inbound from the VPC CIDR range by default | string |
null |
no |
| fw_cc_mgmt_zssupport_tunnel_name | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to establish zssupport tunnel | string |
null |
no |
| fw_cc_service_default_name | The name of the compute firewall created on the user defined Cloud Connector Service VPC Network permitting workload traffic to be sent to Zscaler | string |
null |
no |
| fw_ilb_health_check_name | Name of the firewall rule created with ILB permitting GCP health check probe source ranges on the configured HTTP probe port inbound to the Cloud Connector service interface(s) | string |
null |
no |
| health_check_interval | Interval for ILB health check probing, in seconds, of Cloud Connector targets | number |
10 |
no |
| healthy_threshold | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | number |
2 |
no |
| http_probe_port | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GCP LB | number |
50000 |
no |
| ilb_backend_service_name | Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | string |
null |
no |
| ilb_forwarding_rule_name | Name of the resource; provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | string |
null |
no |
| ilb_frontend_ip_name | Name of the resource. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | string |
null |
no |
| ilb_health_check_name | Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression a-z? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash | string |
null |
no |
| image_name | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index | string |
"" |
no |
| instance_group_name | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | list(string) |
[ |
no |
| instance_template_name | The name of the instance template. Conflicts with variable instance_template_name_prefix | string |
"" |
no |
| instance_template_name_prefix | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance_template_name | string |
"" |
no |
| name_prefix | The name prefix for all your resources | string |
"zscc" |
no |
| project | Google Cloud project name | string |
n/a | yes |
| project_host | Google Cloud Host Project name. Defaults to null. This variable is intended for environments where different resources might exist in separate host and service projects | string |
null |
no |
| region | Google Cloud region | string |
n/a | yes |
| secret_name | Google Cloud Secret Name in Secret Manager | string |
n/a | yes |
| service_account_display_name | Custom Service Account display name string for Cloud Connector | string |
null |
no |
| service_account_id | Custom Service Account ID string for Cloud Connector | string |
null |
no |
| session_affinity | Controls the distribution of new connections from clients to the load balancer's backend VMs | string |
"CLIENT_IP_PROTO" |
no |
| subnet_bastion | A subnet IP CIDR for the greenfield/test bastion host in the Management VPC | string |
"10.0.0.0/24" |
no |
| subnet_cc_mgmt | A subnet IP CIDR for the Cloud Connector in the Management VPC | string |
"10.0.1.0/24" |
no |
| subnet_cc_service | A subnet IP CIDR for the Cloud Connector/Load Balancer in the Service VPC | string |
"10.1.1.0/24" |
no |
| subnet_workload | A subnet IP CIDR for the greenfield/test workload in the Service VPC | string |
"10.1.2.0/24" |
no |
| support_access_enabled | Enable a specific outbound firewall rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool |
true |
no |
| tls_key_algorithm | algorithm for tls_private_key resource | string |
"RSA" |
no |
| unhealthy_threshold | The number of unsuccessful health checks required before an healthy target becomes unhealthy. Minimum 2 and maximum 10 | number |
3 |
no |
| workload_count | The number of Workload VMs to deploy | number |
2 |
no |
| zones | (Optional) Availability zone names. Only required if automatic zones selection based on az_count is undesirable | list(string) |
[] |
no |
| Name | Description |
|---|---|
| testbedconfig | Google Cloud Testbed results |