variable "name_prefix" {
  description = "The name prefix for all your resources"
  type        = string
  default     = "zscc"

  # Keeps derived resource names short enough to stay under provider name limits.
  validation {
    condition     = length(var.name_prefix) <= 12
    error_message = "Variable name_prefix must be 12 or less characters."
  }

  # Leading lowercase letter, then lowercase alphanumerics or hyphens; the
  # pattern requires at least two characters in total.
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]+$", var.name_prefix))
    error_message = "Variable name_prefix using invalid characters."
  }
}
# Only the file path is held in Terraform; the JSON key it points to is the
# actual credential and should not live next to this configuration.
variable "credentials" {
  description = "Path to the service account json file for terraform to authenticate to Google Cloud"
  type        = string
}
# Required: no default, so every caller must name the project explicitly.
variable "project" {
  description = "Google Cloud project name"
  type        = string
}
# Optional host project for Shared VPC style layouts; null keeps everything in var.project.
variable "project_host" {
  description = "Google Cloud Host Project name. Defaults to null. This variable is intended for environments where different resources might exist in separate host and service projects"
  type        = string
  default     = null
}
# Required: the region all regional resources are placed in.
variable "region" {
  description = "Google Cloud region"
  type        = string
}
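variable "bastion_ssh_allow_ip" {
  description = "CIDR blocks of trusted networks for bastion host ssh access from Internet. The default (0.0.0.0/0) permits SSH from every source address; narrow it to known management ranges."
  type        = list(string)
  default     = ["0.0.0.0/0"]

  # Reject entries that are not parseable CIDR blocks so a typo fails at plan
  # time instead of producing a firewall rule that does not match what was intended.
  # cidrhost() accepts both IPv4 and IPv6 prefixes.
  validation {
    condition = length([
      for cidr in var.bastion_ssh_allow_ip : cidr
      if !can(cidrhost(cidr, 0))
    ]) == 0
    error_message = "Every bastion_ssh_allow_ip entry must be a valid IPv4 or IPv6 CIDR block (e.g. 203.0.113.0/24)."
  }
}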
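variable "default_nsg" {
  description = "Default CIDR list to permit workload traffic destined for Cloud Connector. The default (0.0.0.0/0) admits traffic from any source; scope it to the workload subnets that should use the connector."
  type        = list(string)
  default     = ["0.0.0.0/0"]

  # Fail at plan time on malformed CIDRs rather than creating a firewall rule
  # whose sources differ from what the operator intended.
  validation {
    condition = length([
      for cidr in var.default_nsg : cidr
      if !can(cidrhost(cidr, 0))
    ]) == 0
    error_message = "Every default_nsg entry must be a valid IPv4 or IPv6 CIDR block (e.g. 10.1.2.0/24)."
  }
}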
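variable "allowed_ports" {
  description = "A list of ports to permit inbound to Cloud Connector Service VPC. Default empty list means to allow all."
  type        = list(string)
  default     = []

  # Each entry must be a single port or a low-high range as the compute firewall
  # expects ("80", "8000-8100"); anything else is rejected at plan time.
  # An empty list is accepted and keeps the original allow-all behaviour.
  validation {
    condition = length([
      for port in var.allowed_ports : port
      if !can(regex("^[0-9]{1,5}(-[0-9]{1,5})?$", port))
    ]) == 0
    error_message = "Every allowed_ports entry must be a port number or a port range such as 443 or 8000-8100."
  }
}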
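variable "subnet_bastion" {
  description = "A subnet IP CIDR for the greenfield/test bastion host in the Management VPC"
  type        = string
  default     = "10.0.0.0/24"

  # A malformed CIDR would otherwise surface only when the subnetwork is created.
  validation {
    condition     = can(cidrhost(var.subnet_bastion, 0))
    error_message = "Input subnet_bastion must be a valid CIDR block (e.g. 10.0.0.0/24)."
  }
}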
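variable "subnet_workload" {
  description = "A subnet IP CIDR for the greenfield/test workload in the Service VPC"
  type        = string
  default     = "10.1.2.0/24"

  # A malformed CIDR would otherwise surface only when the subnetwork is created.
  validation {
    condition     = can(cidrhost(var.subnet_workload, 0))
    error_message = "Input subnet_workload must be a valid CIDR block (e.g. 10.1.2.0/24)."
  }
}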
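variable "subnet_cc_mgmt" {
  description = "A subnet IP CIDR for the Cloud Connector in the Management VPC"
  type        = string
  default     = "10.0.1.0/24"

  # A malformed CIDR would otherwise surface only when the subnetwork is created.
  validation {
    condition     = can(cidrhost(var.subnet_cc_mgmt, 0))
    error_message = "Input subnet_cc_mgmt must be a valid CIDR block (e.g. 10.0.1.0/24)."
  }
}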
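variable "subnet_cc_service" {
  description = "A subnet IP CIDR for the Cloud Connector/Load Balancer in the Service VPC"
  type        = string
  default     = "10.1.1.0/24"

  # A malformed CIDR would otherwise surface only when the subnetwork is created.
  validation {
    condition     = can(cidrhost(var.subnet_cc_service, 0))
    error_message = "Input subnet_cc_service must be a valid CIDR block (e.g. 10.1.1.0/24)."
  }
}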
variable "ccvm_instance_type" {
  description = "Cloud Connector Instance Type"
  type        = string
  default     = "n2-standard-2"

  # Same approved set as before, expressed as a membership test instead of an
  # OR chain so adding a type is a one-line change.
  validation {
    condition = contains([
      "e2-standard-2",
      "e2-standard-4",
      "e2-standard-8",
      "n2-standard-2",
      "n2-standard-4",
      "n2-standard-8",
      "n2d-standard-2",
      "n2d-standard-4",
      "n2d-standard-8",
    ], var.ccvm_instance_type)
    error_message = "Input ccvm_instance_type must be set to an approved vm instance type."
  }
}
# Required: the Secret Manager secret name only; the secret payload itself is
# never passed through this variable.
variable "secret_name" {
  description = "Google Cloud Secret Name in Secret Manager"
  type        = string
}
# Required: provisioning URL handed to the Cloud Connector at boot.
variable "cc_vm_prov_url" {
  description = "Zscaler Cloud Connector Provisioning URL"
  type        = string
}
variable "http_probe_port" {
  description = "Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GCP LB"
  type        = number
  default     = 50000

  # The type constraint already converts the input to a number, so the value is
  # compared directly: 80 or anything in the unprivileged range 1024-65535.
  validation {
    condition = (
      var.http_probe_port == 80 ||
      (var.http_probe_port >= 1024 && var.http_probe_port <= 65535)
    )
    error_message = "Input http_probe_port must be set to a single value of 80 or any number between 1024-65535."
  }
}
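variable "tls_key_algorithm" {
  description = "algorithm for tls_private_key resource"
  type        = string
  default     = "RSA"

  # tls_private_key only understands these three values; catching a typo here
  # gives a plan-time error instead of a provider error at apply.
  validation {
    condition     = contains(["RSA", "ECDSA", "ED25519"], var.tls_key_algorithm)
    error_message = "Input tls_key_algorithm must be one of RSA, ECDSA or ED25519."
  }
}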
# Instances per zonal instance group; no validation is applied here.
variable "cc_count" {
  description = "Default number of Cloud Connector appliances to create per Instance Group/Availability Zone"
  type        = number
  default     = 1
}
variable "az_count" {
  description = "Default number zonal instance groups to create based on availability zone"
  type        = number
  default     = 1

  # Bounded to 1-3 zones; the message below tells operators where to relax it.
  validation {
    condition     = var.az_count >= 1 && var.az_count <= 3
    error_message = "Input az_count must be set to a single value between 1 and 3. Note* some regions have greater than 3 AZs. Please modify az_count validation in variables.tf if you are utilizing more than 3 AZs in a region that supports it."
  }
}
# Explicit zone list; an empty list defers zone selection to az_count.
variable "zones" {
  description = "(Optional) Availability zone names. Only required if automatic zones selection based on az_count is undesirable"
  type        = list(string)
  default     = []
}
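variable "image_name" {
  # The previous description said this value "is also inputted as a list", which
  # contradicted the string type; the wording now matches the declared type.
  description = "Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old image for existing deployments rather than upgrading and forcing a replacement. An empty string keeps the default Marketplace image."
  type        = string
  default     = ""
}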
# Required map; key and value shape are not constrained here (map(any)).
variable "domain_names" {
  description = "Domain names fqdn/wildcard to have Google Cloud DNS zone forward ZPA App Segment DNS requests to Cloud Connector"
  type        = map(any)
}
# Controls whether the outbound zssupport firewall rule is created; on by default.
variable "support_access_enabled" {
  description = "Enable a specific outbound firewall rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"
  type        = bool
  default     = true
}
variable "workload_count" {
  description = "The number of Workload VMs to deploy"
  type        = number
  default     = 1

  # Test workload fleet size, capped at 250.
  validation {
    condition     = (var.workload_count >= 1 && var.workload_count <= 250)
    error_message = "Input workload_count must be a whole number between 1 and 250."
  }
}
## Custom name specifications, for granular deployments where automatic name generation is not desirable
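variable "service_account_id" {
  description = "Custom Service Account ID string for Cloud Connector"
  type        = string
  default     = null

  # A service account ID must be 6-30 characters matching [a-z]([-a-z0-9]*[a-z0-9]);
  # the quantifier {4,28} plus the first and last character enforces that length.
  # null (the default) is accepted; can() also swallows the regex error a null
  # argument would raise, since || does not short-circuit.
  validation {
    condition     = var.service_account_id == null || can(regex("^[a-z]([-a-z0-9]{4,28}[a-z0-9])$", var.service_account_id))
    error_message = "Input service_account_id must be 6-30 characters of lowercase letters, digits and hyphens, starting with a letter and ending with a letter or digit."
  }
}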
# Optional human-readable name; null lets the module generate one.
variable "service_account_display_name" {
  description = "Custom Service Account display name string for Cloud Connector"
  type        = string
  default     = null
}
# Mutually exclusive with instance_template_name; a variable validation block can
# only reference its own variable, so that conflict is not enforced here.
variable "instance_template_name_prefix" {
  description = "Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance_template_name"
  type        = string
  default     = ""
}
# Mutually exclusive with instance_template_name_prefix; see that variable for
# why the conflict is not validated here.
variable "instance_template_name" {
  description = "The name of the instance template. Conflicts with variable instance_template_name_prefix"
  type        = string
  default     = ""
}
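variable "instance_group_name" {
  description = "The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens"
  type        = list(string)
  default     = [""]

  # Enforce the RFC1035 rule stated in the description: lowercase letter first,
  # then up to 62 lowercase alphanumerics/hyphens, not ending in a hyphen.
  # The empty string (the default) is skipped so auto-naming keeps working.
  validation {
    condition = length([
      for name in var.instance_group_name : name
      if name != "" && !can(regex("^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$", name))
    ]) == 0
    error_message = "Every instance_group_name entry must be empty or an RFC1035 name: 1-63 lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen."
  }
}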
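variable "base_instance_name" {
  description = "The base instance name to use for instances in this group. The value must be a valid RFC1035 name. Supported characters are lowercase letters, numbers, and hyphens (-). Instances are named by appending a hyphen and a random four-character string to the base instance name"
  type        = list(string)
  default     = [""]

  # Enforce the RFC1035 rule stated in the description; the empty string
  # (the default) is skipped so auto-naming keeps working.
  validation {
    condition = length([
      for name in var.base_instance_name : name
      if name != "" && !can(regex("^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$", name))
    ]) == 0
    error_message = "Every base_instance_name entry must be empty or an RFC1035 name: 1-63 lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen."
  }
}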
# Optional override for the generated firewall rule name; null means auto-name.
variable "fw_cc_mgmt_ssh_ingress_name" {
  description = "The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting SSH inbound from the VPC CIDR range by default"
  type        = string
  default     = null
}
# Optional override for the generated firewall rule name; null means auto-name.
variable "fw_cc_service_default_name" {
  description = "The name of the compute firewall created on the user defined Cloud Connector Service VPC Network permitting workload traffic to be sent to Zscaler"
  type        = string
  default     = null
}
# Optional override for the generated firewall rule name; null means auto-name.
variable "fw_cc_mgmt_zssupport_tunnel_name" {
  description = "The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to establish zssupport tunnel"
  type        = string
  default     = null
}