This deployment type is intended for greenfield/pov/lab purposes. It will deploy a fully functioning sandbox environment in a new Management and Service VPC with a test workload VM and bastion host. Full set of resources provisioned listed below, but this will effectively create all network infrastructure dependencies for a GCP environment. Creates 1 new "Management" VPC with 1 CC-Mgmt subnet and 1 bastion subnet; 1 "Service" VPC with 1 CC-Service subnet and 1 workload subnet; 1 Cloud Router + NAT Gateway per VPC; 1 Ubuntu client workload with a tagged default route next-hop to Cloud Connector service network instance; 1 Bastion Host assigned a dynamic public IP; generates local key pair .pem file for ssh access to all VMs.
Additionally: Creates 1 Cloud Connector compute instance template + zonal managed instance group to deploy a single Cloud Connector appliance with a dedicated service account associated for accessing Secret Manager. This template also leverages the terraform-zscc-cloud-dns-gcp module to create Google Cloud DNS forward zones intended for ZPA App Segment DNS redirection.
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec up
- enter "greenfield"
- enter "base_1cc_zpa"
- follow the remainder of the authentication and configuration input prompts.
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
Modify/populate any required variable input values in base_1cc_zpa/terraform.tfvars file and save.
From base_1cc_zpa directory execute:
- terraform init
- terraform apply
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec destroy
From base_1cc_zpa directory execute:
- terraform destroy
| Name | Version |
|---|---|
| terraform | >= 0.13.7, < 2.0.0 |
| ~> 5.11.0 | |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Version |
|---|---|
| ~> 5.11.0 | |
| local | ~> 2.2.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Source | Version |
|---|---|---|
| bastion | ../../modules/terraform-zscc-bastion-gcp | n/a |
| cc_vm | ../../modules/terraform-zscc-ccvm-gcp | n/a |
| cloud_dns | ../../modules/terraform-zscc-cloud-dns-gcp | n/a |
| iam_service_account | ../../modules/terraform-zscc-iam-service-account-gcp | n/a |
| network | ../../modules/terraform-zscc-network-gcp | n/a |
| workload | ../../modules/terraform-zscc-workload-gcp | n/a |
| Name | Type |
|---|---|
| google_compute_route.route_to_cc_vm | resource |
| local_file.private_key | resource |
| local_file.testbed | resource |
| local_file.user_data_file | resource |
| random_string.suffix | resource |
| tls_private_key.key | resource |
| google_compute_image.zs_cc_img | data source |
| google_compute_zones.available | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_ports | A list of ports to permit inbound to Cloud Connector Service VPC. Default empty list means to allow all. | list(string) |
[] |
no |
| az_count | Default number zonal instance groups to create based on availability zone | number |
1 |
no |
| base_instance_name | The base instance name to use for instances in this group. The value must be a valid RFC1035 name. Supported characters are lowercase letters, numbers, and hyphens (-). Instances are named by appending a hyphen and a random four-character string to the base instance name | list(string) |
[ |
no |
| bastion_ssh_allow_ip | CIDR blocks of trusted networks for bastion host ssh access from Internet | list(string) |
[ |
no |
| cc_count | Default number of Cloud Connector appliances to create per Instance Group/Availability Zone | number |
1 |
no |
| cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string |
n/a | yes |
| ccvm_instance_type | Cloud Connector Instance Type | string |
"n2-standard-2" |
no |
| credentials | Path to the service account json file for terraform to authenticate to Google Cloud | string |
n/a | yes |
| default_nsg | Default CIDR list to permit workload traffic destined for Cloud Connector | list(string) |
[ |
no |
| domain_names | Domain names fqdn/wildcard to have Google Cloud DNS zone forward ZPA App Segment DNS requests to Cloud Connector | map(any) |
n/a | yes |
| fw_cc_mgmt_ssh_ingress_name | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting SSH inbound from the VPC CIDR range by default | string |
null |
no |
| fw_cc_mgmt_zssupport_tunnel_name | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to establish zssupport tunnel | string |
null |
no |
| fw_cc_service_default_name | The name of the compute firewall created on the user defined Cloud Connector Service VPC Network permitting workload traffic to be sent to Zscaler | string |
null |
no |
| http_probe_port | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GCP LB | number |
50000 |
no |
| image_name | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index | string |
"" |
no |
| instance_group_name | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | list(string) |
[ |
no |
| instance_template_name | The name of the instance template. Conflicts with variable instance_template_name_prefix | string |
"" |
no |
| instance_template_name_prefix | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance_template_name | string |
"" |
no |
| name_prefix | The name prefix for all your resources | string |
"zscc" |
no |
| project | Google Cloud project name | string |
n/a | yes |
| project_host | Google Cloud Host Project name. Defaults to null. This variable is intended for environments where different resources might exist in separate host and service projects | string |
null |
no |
| region | Google Cloud region | string |
n/a | yes |
| secret_name | Google Cloud Secret Name in Secret Manager | string |
n/a | yes |
| service_account_display_name | Custom Service Account display name string for Cloud Connector | string |
null |
no |
| service_account_id | Custom Service Account ID string for Cloud Connector | string |
null |
no |
| subnet_bastion | A subnet IP CIDR for the greenfield/test bastion host in the Management VPC | string |
"10.0.0.0/24" |
no |
| subnet_cc_mgmt | A subnet IP CIDR for the Cloud Connector in the Management VPC | string |
"10.0.1.0/24" |
no |
| subnet_cc_service | A subnet IP CIDR for the Cloud Connector/Load Balancer in the Service VPC | string |
"10.1.1.0/24" |
no |
| subnet_workload | A subnet IP CIDR for the greenfield/test workload in the Service VPC | string |
"10.1.2.0/24" |
no |
| support_access_enabled | Enable a specific outbound firewall rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool |
true |
no |
| tls_key_algorithm | algorithm for tls_private_key resource | string |
"RSA" |
no |
| workload_count | The number of Workload VMs to deploy | number |
1 |
no |
| zones | (Optional) Availability zone names. Only required if automatic zones selection based on az_count is undesirable | list(string) |
[] |
no |
| Name | Description |
|---|---|
| testbedconfig | Google Cloud Testbed results |