diff --git a/.github/settings.yml b/.github/settings.yml index 4043f57..0e35f2d 100644 --- a/.github/settings.yml +++ b/.github/settings.yml @@ -1,11 +1,7 @@ # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch. _extends: .github repository: - name: template - description: Template for Terraform Components + name: aws-zscaler + description: This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs homepage: https://cloudposse.com/accelerate topics: terraform, terraform-component - - - - diff --git a/README.yaml b/README.yaml index 73d70c3..2c61151 100644 --- a/README.yaml +++ b/README.yaml 
@@ -1,70 +1,149 @@ -name: "template" - +name: "aws-zscaler" # Canonical GitHub repo -github_repo: "cloudposse-terraform-components/template" - +github_repo: "cloudposse-terraform-components/aws-zscaler" # Short description of this project description: |- - Description of this component + This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs. + + Prior to provisioning this component, it is required that a SecureString SSM Parameter containing the ZScaler App + Connector Provisioning Key is populated in each account corresponding to the regional stack the component is deployed + to, with the name of the SSM Parameter matching the value of `var.zscaler_key`. + + This parameter should be populated using `chamber`, which is included in the geodesic image: + + ``` + chamber write zscaler key + ``` + + Where `` is the ZScaler App Connector Provisioning Key. For more information on how to generate this key, see: + [ZScaler documentation on Configuring App Connectors](https://help.zscaler.com/zpa/configuring-connectors). -usage: |- - **Stack Level**: Regional or Test47 + ## Usage + + **Stack Level**: Regional + + The typical stack configuration for this component is as follows: - Here's an example snippet for how to use this component. - ```yaml components: terraform: - foo: + zscaler: vars: - enabled: true + zscaler_count: 2 ``` -include: - - "docs/terraform.md" + Preferably, regional stack configurations can be kept _DRY_ by importing `catalog/zscaler` via the `imports` list at the + top of the configuration. -tags: - - terraform - - terraform-modules - - aws - - components - - terraform-components - - root - - geodesic - - reference-implementation - - reference-architecture + ``` + import: + ... 
+ - catalog/zscaler + ``` + + + + ## Requirements + + | Name | Version | + |------|---------| + | [terraform](#requirement\_terraform) | >= 0.13.0 | + | [aws](#requirement\_aws) | >= 3.0 | + | [null](#requirement\_null) | >= 3.0 | + | [random](#requirement\_random) | >= 3.0 | + | [template](#requirement\_template) | >= 2.2 | + | [utils](#requirement\_utils) | >= 1.10.0 | + + ## Providers + | Name | Version | + |------|---------| + | [aws](#provider\_aws) | >= 3.0 | + | [template](#provider\_template) | >= 2.2 | + + ## Modules + + | Name | Source | Version | + |------|--------|---------| + | [ec2\_zscaler](#module\_ec2\_zscaler) | cloudposse/ec2-instance/aws | 0.32.2 | + | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | + | [this](#module\_this) | cloudposse/label/null | 0.24.1 | + + ## Resources + + | Name | Type | + |------|------| + | [aws_iam_role_policy_attachment.ssm_core](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | + | [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | + | [aws_ssm_parameter.zscaler_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | + | [template_file.userdata](https://registry.terraform.io/providers/cloudposse/template/latest/docs/data-sources/file) | data source | + + ## Inputs + + | Name | Description | Type | Default | Required | + |------|-------------|------|---------|:--------:| + | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | + | [ami\_owner](#input\_ami\_owner) | The owner of the AMI used for the ZScaler EC2 instances. | `string` | `"amazon"` | no | + | [ami\_regex](#input\_ami\_regex) | The regex used to match the latest AMI to be used for the ZScaler EC2 instances. 
| `string` | `"^amzn2-ami-hvm.*"` | no | + | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | + | [aws\_ssm\_enabled](#input\_aws\_ssm\_enabled) | Set true to install the AWS SSM agent on each EC2 instances. | `bool` | `true` | no | + | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | + | [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | + | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | + | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | + | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | + | [instance\_type](#input\_instance\_type) | The instance family to use for the ZScaler EC2 instances. | `string` | `"m5n.large"` | no | + | [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | + | [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | + | [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | + | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | + | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | + | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | + | [region](#input\_region) | AWS region | `string` | n/a | yes | + | [secrets\_store\_type](#input\_secrets\_store\_type) | Secret store type for Zscaler provisioning keys. Valid values: `SSM`, `ASM` (but `ASM` not currently supported) | `string` | `"SSM"` | no | + | [security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules.
The values of map is fully completed with `aws_security_group_rule` resource.
To get more info see [security\_group\_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule). | `list(any)` |
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 65535,
"type": "egress"
}
]
| no | + | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | + | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | + | [zscaler\_count](#input\_zscaler\_count) | The number of Zscaler instances. | `number` | `1` | no | + | [zscaler\_key](#input\_zscaler\_key) | SSM key (without leading `/`) for the Zscaler provisioning key secret. | `string` | `"zscaler/key"` | no | + + ## Outputs + + | Name | Description | + |------|-------------| + | [instance\_id](#output\_instance\_id) | Instance ID | + | [private\_ip](#output\_private\_ip) | Private IP of the instance | + + + + ## References + + - [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/zscaler) - + Cloud Posse's upstream component +tags: + - component/zscaler + - layer/unassigned + - provider/aws # Categories of this project categories: - - terraform-modules/root - - terraform-components - + - component/zscaler + - layer/unassigned + - provider/aws # License of this project license: "APACHE2" - # Badges to display badges: - - name: "Latest Release" - image: "https://img.shields.io/github/release/cloudposse-terraform-components/template.svg?style=for-the-badge" - url: "https://github.com/cloudposse-terraform-components/template/releases/latest" - - name: "Slack Community" - image: "https://slack.cloudposse.com/for-the-badge.svg" - url: "https://slack.cloudposse.com" - -references: - - name: "Cloud Posse Documentation" - description: "Complete documentation for the Cloud Posse solution" - url: "https://docs.cloudposse.com" - - name: "Reference Architectures" - description: "Launch effortlessly with our turnkey reference architectures, built either by your team or ours." 
- url: "https://cloudposse.com/" - + - name: Latest Release + image: https://img.shields.io/github/release/cloudposse-terraform-components/aws-zscaler.svg?style=for-the-badge + url: https://github.com/cloudposse-terraform-components/aws-zscaler/releases/latest + - name: Slack Community + image: https://slack.cloudposse.com/for-the-badge.svg + url: https://slack.cloudposse.com related: -- name: "Cloud Posse Terraform Modules" - description: Our collection of reusable Terraform modules used by our reference architectures. - url: "https://docs.cloudposse.com/modules/" -- name: "Atmos" - description: "Atmos is like docker-compose but for your infrastructure" - url: "https://atmos.tools" - + - name: "Cloud Posse Terraform Modules" + description: Our collection of reusable Terraform modules used by our reference architectures. + url: "https://docs.cloudposse.com/modules/" + - name: "Atmos" + description: "Atmos is like docker-compose but for your infrastructure" + url: "https://atmos.tools" contributors: [] # If included generates contribs diff --git a/src/context.tf b/src/context.tf index 5e0ef88..81f99b4 100644 --- a/src/context.tf +++ b/src/context.tf @@ -8,8 +8,6 @@ # Cloud Posse's standard configuration inputs suitable for passing # to Cloud Posse modules. # -# curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf -# # Modules should access the whole context as `module.this.context` # to get the input variables with nulls for defaults, # for example `context = module.this.context`, @@ -22,11 +20,10 @@ module "this" { source = "cloudposse/label/null" - version = "0.25.0" # requires Terraform >= 0.13.0 + version = "0.24.1" # requires Terraform >= 0.13.0 enabled = var.enabled namespace = var.namespace - tenant = var.tenant environment = var.environment stage = var.stage name = var.name 
@@ -39,8 +36,6 @@ module "this" { id_length_limit = var.id_length_limit label_key_case = var.label_key_case label_value_case = var.label_value_case - descriptor_formats = var.descriptor_formats - labels_as_tags = var.labels_as_tags context = var.context } @@ -52,7 +47,6 @@ variable "context" { default = { enabled = true namespace = null - tenant = null environment = null stage = null name = null @@ -65,15 +59,6 @@ variable "context" { id_length_limit = null label_key_case = null label_value_case = null - descriptor_formats = {} - # Note: we have to use [] instead of null for unset lists due to - # https://github.com/hashicorp/terraform/issues/28137 - # which was not fixed until Terraform 1.0.0, - # but we want the default to be all the labels in `label_order` - # and we want users to be able to prevent all tag generation - # by setting `labels_as_tags` to `[]`, so we need - # a different sentinel to indicate "default" - labels_as_tags = ["unset"] } description = <<-EOT Single object for setting entire context at once. 
@@ -103,42 +88,32 @@ variable "enabled" { variable "namespace" { type = string default = null - description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" -} - -variable "tenant" { - type = string - default = null - description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for" + description = "Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp'" } variable "environment" { type = string default = null - description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" + description = "Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT'" } variable "stage" { type = string default = null - description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'" + description = "Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release'" } variable "name" { type = string default = null - description = <<-EOT - ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. - This is the only ID element not also included as a `tag`. - The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. - EOT + description = "Solution name, e.g. 'app' or 'jenkins'" } variable "delimiter" { type = string default = null description = <<-EOT - Delimiter to be used between ID elements. + Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`. Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. EOT } 
@@ -146,64 +121,36 @@ variable "delimiter" { variable "attributes" { type = list(string) default = [] - description = <<-EOT - ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, - in the order they appear in the list. New attributes are appended to the - end of the list. The elements of the list are joined by the `delimiter` - and treated as a single ID element. - EOT -} - -variable "labels_as_tags" { - type = set(string) - default = ["default"] - description = <<-EOT - Set of labels (ID elements) to include as tags in the `tags` output. - Default is to include all labels. - Tags with empty values will not be included in the `tags` output. - Set to `[]` to suppress all generated tags. - **Notes:** - The value of the `name` tag, if included, will be the `id`, not the `name`. - Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be - changed in later chained modules. Attempts to change it will be silently ignored. - EOT + description = "Additional attributes (e.g. `1`)" } variable "tags" { type = map(string) default = {} - description = <<-EOT - Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). - Neither the tag keys nor the tag values will be modified by this module. - EOT + description = "Additional tags (e.g. `map('BusinessUnit','XYZ')`" } variable "additional_tag_map" { type = map(string) default = {} - description = <<-EOT - Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. - This is for some rare cases where resources want additional configuration of tags - and therefore take a list of maps with tag key, value, and additional configuration. - EOT + description = "Additional tags for appending to tags_as_list_of_maps. Not added to `tags`." } variable "label_order" { type = list(string) default = null description = <<-EOT - The order in which the labels (ID elements) appear in the `id`. + The naming order of the id output and Name tag. 
Defaults to ["namespace", "environment", "stage", "name", "attributes"]. - You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. - EOT + You can omit any of the 5 elements, but at least one must be present. + EOT } variable "regex_replace_chars" { type = string default = null description = <<-EOT - Terraform regular expression (regex) string. - Characters matching the regex will be removed from the ID elements. + Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`. If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. EOT } @@ -214,7 +161,7 @@ variable "id_length_limit" { description = <<-EOT Limit `id` to this many characters (minimum 6). Set to `0` for unlimited length. - Set to `null` for keep the existing setting, which defaults to `0`. + Set to `null` for default, which is `0`. Does not affect `id_full`. EOT validation { @@ -227,8 +174,7 @@ variable "label_key_case" { type = string default = null description = <<-EOT - Controls the letter case of the `tags` keys (label names) for tags generated by this module. - Does not affect keys of tags passed in via the `tags` input. + The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`. Possible values: `lower`, `title`, `upper`. Default value: `title`. EOT @@ -243,11 +189,8 @@ variable "label_value_case" { type = string default = null description = <<-EOT - Controls the letter case of ID elements (labels) as included in `id`, - set as tag values, and output by this module individually. - Does not affect values of tags passed in via the `tags` input. + The letter case of output label values (also used in `tags` and `id`). Possible values: `lower`, `title`, `upper` and `none` (no transformation). - Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. Default value: `lower`. EOT 
@@ -256,24 +199,4 @@ variable "label_value_case" { error_message = "Allowed values: `lower`, `title`, `upper`, `none`." } } - -variable "descriptor_formats" { - type = any - default = {} - description = <<-EOT - Describe additional descriptors to be output in the `descriptors` output map. - Map of maps. Keys are names of descriptors. Values are maps of the form - `{ - format = string - labels = list(string) - }` - (Type is `any` so the map values can later be enhanced to provide additional options.) - `format` is a Terraform format string to be passed to the `format()` function. - `labels` is a list of labels, in order, to pass to `format()` function. - Label values will be normalized before being passed to `format()` so they will be - identical to how they appear in `id`. - Default is `{}` (`descriptors` output will be empty). - EOT -} - #### End of copy of cloudposse/terraform-null-label/variables.tf diff --git a/src/main.tf b/src/main.tf index 37156cf..8fc6734 100644 --- a/src/main.tf +++ b/src/main.tf 
@@ -1,8 +1,75 @@
 locals {
 enabled = module.this.enabled
+ vpc_id = module.vpc.outputs.vpc_id
+ # Make sure local.vpc_private_subnet_ids is sorted so the order does not change
+ vpc_private_subnet_ids = sort(module.vpc.outputs.private_subnet_ids)
+ ssm_enabled = local.enabled && var.aws_ssm_enabled
+ instances_role_arns = local.ssm_enabled ? toset(module.ec2_zscaler[*].role) : []
+ eks_outputs = module.eks.outputs
+ eks_cluster_managed_security_group_id = local.eks_outputs.eks_cluster_managed_security_group_id
+ ami_owner = var.ami_owner
+ ami_name_regex = var.ami_regex
 }
+data "aws_ami" "amazon_linux_2" {
+ count = local.enabled ? 1 : 0
+ most_recent = true
+ owners = [local.ami_owner]
+ name_regex = local.ami_name_regex
+ filter {
+ name = "architecture"
+ values = ["x86_64"]
+ }
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+}
+
+data "aws_ssm_parameter" "zscaler_key" {
+ count = local.enabled && var.secrets_store_type == "SSM" ? 1 : 0
+ name = format("/%s", var.zscaler_key)
+ with_decryption = true
+}
+
+data "template_file" "userdata" {
+ count = local.enabled ? 1 : 0
+ template = file("${path.module}/templates/userdata.sh.tmpl")
+
+ vars = {
+ key = data.aws_ssm_parameter.zscaler_key[0].value
+ region = var.region
+ }
+}
+
+module "ec2_zscaler" {
+ count = var.zscaler_count
+ source = "cloudposse/ec2-instance/aws"
+ version = "0.32.2"
+ ami = local.enabled ? data.aws_ami.amazon_linux_2[0].id : ""
+ ssh_key_pair = null
+ ami_owner = local.ami_owner
+ vpc_id = local.vpc_id
+ # Make sure local.vpc_private_subnet_ids is sorted so the order does not change
+ subnet = local.vpc_private_subnet_ids[count.index % length(local.vpc_private_subnet_ids)]
+ create_default_security_group = false
+ security_groups = [local.eks_cluster_managed_security_group_id]
+ instance_type = var.instance_type
+ # Zscaler is not compatible with IMDSv2
+ metadata_http_tokens_required = false
+ metadata_http_put_response_hop_limit = 3
+ user_data_base64 = local.enabled ?
base64encode(data.template_file.userdata[0].rendered) : ""
+ attributes = [count.index]
+ context = module.this.context
+}
+
+# Attach Amazon's managed policy for SSM managed instance
+resource "aws_iam_role_policy_attachment" "ssm_core" {
+ for_each = local.enabled ? local.instances_role_arns : []
+ role = each.key
+ policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
diff --git a/src/outputs.tf b/src/outputs.tf
index 3d08cfa..a6899d1 100644
--- a/src/outputs.tf
+++ b/src/outputs.tf
@@ -1,4 +1,9 @@
-output "mock" {
- description = "Mock output example for the Cloud Posse Terraform component template"
- value = local.enabled ? "hello ${basename(abspath(path.module))}" : ""
+output "instance_id" {
+ value = module.ec2_zscaler.*.id
+ description = "Instance ID"
+}
+
+output "private_ip" {
+ value = module.ec2_zscaler.*.private_ip
+ description = "Private IP of the instance"
 }
diff --git a/src/providers.tf b/src/providers.tf
new file mode 100644
index 0000000..ef923e1
--- /dev/null
+++ b/src/providers.tf
@@ -0,0 +1,19 @@
+provider "aws" {
+ region = var.region
+
+ # Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null.
+ profile = module.iam_roles.terraform_profile_name
+
+ dynamic "assume_role" {
+ # module.iam_roles.terraform_role_arn may be null, in which case do not assume a role.
+ for_each = compact([module.iam_roles.terraform_role_arn])
+ content {
+ role_arn = assume_role.value
+ }
+ }
+}
+
+module "iam_roles" {
+ source = "../account-map/modules/iam-roles"
+ context = module.this.context
+}
diff --git a/src/templates/userdata.sh.tmpl b/src/templates/userdata.sh.tmpl
new file mode 100644
index 0000000..63b2869
--- /dev/null
+++ b/src/templates/userdata.sh.tmpl
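Review bot: The provisioning key read by `data.aws_ssm_parameter.zscaler_key` with `with_decryption = true` is interpolated into `data.template_file.userdata` and passed as `user_data_base64`, so the secret is stored in the instance's user data (readable through the EC2 instance-attribute API and, because `metadata_http_tokens_required = false`, from the instance metadata service without a session token) and is also persisted in Terraform state. A safer shape is to pass only the parameter name (`var.zscaler_key`) and `var.region` into the template and let the boot script retrieve the value using the instance role, which this hunk already grants `AmazonSSMManagedInstanceCore` when `local.ssm_enabled` is true; the `# Zscaler is not compatible with IMDSv2` comment should then also say why `metadata_http_put_response_hop_limit = 3` is needed. Separately, `module "ec2_zscaler"` uses `count = var.zscaler_count` without the `local.enabled` gate every other block has, so `enabled = false` still creates instances with `ami = ""`; use `count = local.enabled ? var.zscaler_count : 0`. `module.vpc` and `module.eks` are referenced but not declared in any file of this diff, and `var.security_group_rules` (declared in the variables.tf hunk with a permissive default) is never used here — the instances reuse `local.eks_cluster_managed_security_group_id` — so either wire it in or drop the variable.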
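Review bot: `output "instance_id"` is described as "Instance ID" but its value `module.ec2_zscaler.*.id` is a list with one entry per `count` instance, and the same applies to `private_ip`; the descriptions should say so, e.g. `description = "Instance IDs, one per Zscaler connector"` and `description = "Private IPs of the instances, one per Zscaler connector"`. main.tf in this diff already uses the `[*]` splat (`module.ec2_zscaler[*].role`), so `module.ec2_zscaler[*].id` and `module.ec2_zscaler[*].private_ip` here would keep the two files consistent.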
@@ -0,0 +1,17 @@
+#!/bin/bash
+cat < /etc/yum.repos.d/zscaler.repo
+[zscaler]
+name=Zscaler Private Access Repository
+baseurl=https://yum.private.zscaler.com/yum/el7
+enabled=1
+gpgcheck=1
+gpgkey=https://yum.private.zscaler.com/gpg
+EOF
+yum update -y
+sudo yum install -y zpa-connector
+echo "${key}" > /opt/zscaler/var/provision_key
+systemctl enable zpa-connector
+systemctl start zpa-connector
+sleep 60 # https://help.zscaler.com/zpa/connector-deployment-guide-amazon-web-services
+systemctl stop zpa-connector
+systemctl start zpa-connector
diff --git a/src/variables.tf b/src/variables.tf
new file mode 100644
index 0000000..2dd8277
--- /dev/null
+++ b/src/variables.tf
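Review bot: `echo "${key}" > /opt/zscaler/var/provision_key` writes the provisioning key with the shell's default umask, so unless the package creates that directory with restrictive permissions the file is readable by every local user; write it as `(umask 077; echo "${key}" > /opt/zscaler/var/provision_key)` so the file is created mode 0600. The script also has no `set -euo pipefail`, so a failed `yum install -y zpa-connector` does not stop it, the redirect into the missing `/opt/zscaler/var` then fails, and the instance still comes up looking healthy. The `cat < /etc/yum.repos.d/zscaler.repo` line as rendered here has lost its heredoc operator — presumably `cat <<EOF > /etc/yum.repos.d/zscaler.repo`, since an `EOF` terminator follows — worth confirming against the committed file. `sudo` is unnecessary in user data, which already runs as root, and the `sleep 60` stop/start sequence deserves a one-line comment explaining the reason rather than only a link.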
@@ -0,0 +1,71 @@
+variable "region" {
+ type = string
+ description = "AWS region"
+}
+
+variable "ami_owner" {
+ type = string
+ description = "The owner of the AMI used for the ZScaler EC2 instances."
+ default = "amazon"
+}
+
+variable "ami_regex" {
+ type = string
+ description = "The regex used to match the latest AMI to be used for the ZScaler EC2 instances."
+ default = "^amzn2-ami-hvm.*"
+}
+
+variable "aws_ssm_enabled" {
+ type = bool
+ description = "Set true to install the AWS SSM agent on each EC2 instances."
+ default = true
+}
+
+variable "instance_type" {
+ type = string
+ # We default to m5n.large because it is cheapest instance that satisfies
+ # DenyInstancesWithoutEncryptionInTransit SCP
+ # (see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit )
+ default = "m5n.large"
+ description = "The instance family to use for the ZScaler EC2 instances."
+}
+variable "secrets_store_type" {
+ type = string
+ description = "Secret store type for Zscaler provisioning keys. Valid values: `SSM`, `ASM` (but `ASM` not currently supported)"
+ default = "SSM"
+
+ validation {
+ condition = var.secrets_store_type == "SSM"
+ error_message = "Only SSM is currently supported as the Secrets Store type."
+ }
+}
+
+variable "zscaler_key" {
+ type = string
+ description = "SSM key (without leading `/`) for the Zscaler provisioning key secret."
+ default = "zscaler/key"
+}
+
+variable "zscaler_count" {
+ type = number
+ description = "The number of Zscaler instances."
+ default = 1
+}
+
+variable "security_group_rules" {
+ type = list(any)
+ default = [
+ {
+ type = "egress"
+ from_port = 0
+ to_port = 65535
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ]
+ description = <<-EOT
+ A list of maps of Security Group rules.
+ The values of map is fully completed with `aws_security_group_rule` resource.
+ To get more info see [security_group_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule). + EOT +} diff --git a/src/versions.tf b/src/versions.tf index e2a3d73..a35488b 100644 --- a/src/versions.tf +++ b/src/versions.tf @@ -1,5 +1,26 @@ terraform { - required_version = ">= 1.0.0" + required_version = ">= 0.13.0" - required_providers {} + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.0" + } + template = { + source = "cloudposse/template" + version = ">= 2.2" + } + null = { + source = "hashicorp/null" + version = ">= 3.0" + } + random = { + source = "hashicorp/random" + version = ">= 3.0" + } + utils = { + source = "cloudposse/utils" + version = ">= 1.10.0" + } + } }
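Review bot: `aws_ssm_enabled` is described as "Set true to install the AWS SSM agent on each EC2 instances", but nothing in this diff installs an agent — main.tf only uses the flag to attach `AmazonSSMManagedInstanceCore` to the instance roles — so the description should match what is done, e.g. `description = "Set true to attach the AmazonSSMManagedInstanceCore policy to the instance role of each EC2 instance."`. `instance_type` is likewise described as "The instance family" while its default `m5n.large` is a full instance type. `zscaler_count` has no `validation` block even though `secrets_store_type` directly above it has one; `condition = var.zscaler_count >= 0` with a matching `error_message` would reject a negative value before `count` in main.tf fails on it.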
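Review bot: `null`, `random` and `utils` are declared in `required_providers`, but no file in this diff uses a resource or data source from them — main.tf uses only `aws` and `template` — so unless a file outside the diff needs them they can be dropped rather than pulled into the lock file. `required_version` is lowered from `>= 1.0.0` to `>= 0.13.0` in the same change that pins `cloudposse/label/null` to 0.24.1 in context.tf; a comment on that line such as `# 0.13 floor matches the vendored null-label 0.24.1 in context.tf` would record why the floor moved down instead of leaving it to look accidental.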