zscaler · jmolnar-zscaler · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025
diff --git a/.gitignore b/.gitignore
@@ -1,51 +1,52 @@
-# Local .terraform directories
-**/.terraform/*
-**/.terraform./*
-examples/**/.terraform/*
-examples/**/.terraform.*
-modules/**/.terraform.*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-examples/**/*.tfstate.*
-
-# Local artifacts after running terraform
-*.pem
-*.pub
-examples/.*rc*
-*zsecrc*
-**/bin/*
-user_data
-system-*.tar
-**/testbed*
-
-# Crash log files
-crash.log
-
-# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
-# .tfvars files are managed as part of configuration and so should be included in
-# version control.
-#
-# example.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# IDE stuff
-.idea/
-.DS_Store
-
-# My stuff
-.todo
+# Local .terraform directories
+**/.terraform/*
+**/.terraform./*
+examples/**/.terraform/*
+examples/**/.terraform.*
+modules/**/.terraform.*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+examples/**/*.tfstate.*
+
+# Local artifacts after running terraform
+*.pem
+*.pub
+examples/.*rc*
+*zsecrc*
+**/bin/*
+user_data
+system-*.tar
+**/testbed*
+examples/ssh*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# IDE stuff
+.idea/
+.DS_Store
+
+# My stuff
+.todo
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,22 @@
-## TBD (Unreleased)
+## TBD (UNRELEASED)
+FEATURES:
+* New templates: base_ztgateway (greenfield/pov) and ztgateway (brownfield/production) enabling Zero Trust Gateway deployments
+* ZSEC script support for ztgateway deployments
+
+ENHANCEMENTS:
+* Module Changes:
+    - terraform-zscc-network-aws:
+        - add variables exclude_igw and exclud_ngw supporting deployment configurations without requiring any NAT Gateway and/or Internet Gateway to be created or referenced such as Zero Trust Gateway topologies
+        - add variable az_ids to explicitly set CC/ZT Gateway Availability Zones if letting templates create new subnets. Setting this will take precedence over var.az_count 
+        - add outputs zs_subnet_az_names, zs_subnet_az_ids, and zs_subnet_az_cidrs
+        - general code refactoring and cleanup
+    - terraform-zscc-gwlbendpoint-aws:
+        - variable gwlb_arn made optional with default null value added supporting module use with byo endpoint service
+    - terraform-zscc-workload-aws:
+        - add output instance_id
+    - terraform-zscc-bastion-aws:
+        - add output instance_id
+* refactor: include ssh_config generation with auto mapping all workload/cc instances for base/greenfield deployments
 
 BUG FIXES:
 * fix: add explicit egress udp/53 rules to security group module
@@ -36,7 +54,6 @@ FEATURES:
 ENHANCEMENTS:
 * refactor: add zsec prompts brownfield zpa network options
 
-
 ## 1.3.3 (August 30, 2024)
 ENHANCEMENTS:
 * refactor: add china marketplace specific product-code ("axnpwhsb4facossmbm1h9yad6") lookup 

diff --git a/README.md b/README.md
@@ -9,8 +9,7 @@ Zscaler Cloud Connector AWS Terraform Modules
 ===========================================================================================================
 
 # **README for AWS Terraform**
-This README serves as a quick start guide to deploy Zscaler Cloud Connector resources in an AWS cloud using Terraform. To learn more about
-the resources created when deploying Cloud Connector with Terraform, see [Deployment Templates for Zscaler Cloud Connector](https://help.zscaler.com/cloud-branch-connector/deployment-templates-zscaler-cloud-connector).
+This README serves as a quick start guide to deploy Zscaler Cloud Connector resources in an AWS cloud using Terraform. To learn more about the resources created when deploying Cloud Connector with Terraform, see [Deployment Templates for Zscaler Cloud Connector](https://help.zscaler.com/cloud-branch-connector/deployment-templates-zscaler-cloud-connector).
 
 ## **AWS Deployment Scripts for Terraform**
 
@@ -19,14 +18,13 @@ cloud (VPC). The [examples](examples/) directory contains complete automation sc
 
 ## **Prerequisites**
 
-The AWS Terraform scripts leverage Terraform v1.1.9 which includes full binary and provider support for macOS M1 chips, but any Terraform
-version 0.13.7 should be generally supported.
+The AWS Terraform scripts leverage Terraform v1.1.9 which includes full binary and provider support for macOS M1 chips, but any Terraform version 0.13.7 should be generally supported.
 
 -   provider registry.terraform.io/hashicorp/aws v5.49.x (minimum 5.32.0)
--   provider registry.terraform.io/hashicorp/random v3.3.x
--   provider registry.terraform.io/hashicorp/local v2.2.x
--   provider registry.terraform.io/hashicorp/null v3.1.x
--   provider registry.terraform.io/providers/hashicorp/tls v3.4.x
+-   provider registry.terraform.io/hashicorp/random v3.6.x
+-   provider registry.terraform.io/hashicorp/local v2.5.x
+-   provider registry.terraform.io/hashicorp/null v3.2.x
+-   provider registry.terraform.io/providers/hashicorp/tls v4.0.x
 
 ### **AWS requirements**
 
@@ -80,15 +78,22 @@ Use the [**Starter Deployment Template with ASG and GWLB**](examples/base_cc_gwl
 
 Use the [**Starter Deployment Template with ASG, GWLB and ZPA**](examples/base_cc_gwlb_asg_zpa) to deploy your Cloud Connectors in a new VPC and to load balance traffic across multiple Cloud Connectors. Zscaler\'s recommended deployment method is Gateway Load Balancer (GWLB). GWLB distributes traffic across multiple Cloud Connectors and achieves high availability. For added resiliency and elasticity, Cloud Connectors are deployed via a Launch Template configured Auto Scaling group. Route 53 endpoints redirect DNS resolver capability for ZPA.
 
+### **Starter Deployment Template with Zero Trust Gateway**
+
+Use the [**Starter Deployment Template with Zero Trust Gateway**](examples/base_ztgateway) to deploy Zscaler Zero Trust Endpoints. This deployment type is intended for greenfield/pov/lab purposes. It will deploy a fully functioning sandbox environment in a new VPC with test workload VMs to integrate with an already provisioned Zscaler Zero Trust Gateway.
+
 ## **Brownfield Deployment**
 
-Brownfield deployment templates are most applicable for production deployments and have more customization options than a \"base\"
-deployment. They also do not include a bastion or workload hosts deployed. See [Modules](https://github.com/zscaler/terraform-aws-cloud-connector-modules/tree/main/examples) for the Terraform configurations for brownfield deployment.
+Brownfield deployment templates are most applicable for production deployments and have more customization options than a \"base\" deployment. They also do not include a bastion or workload hosts deployed. See [Modules](https://github.com/zscaler/terraform-aws-cloud-connector-modules/tree/main/examples) for the Terraform configurations for brownfield deployment.
 
 ### **Custom Deployment Template with Gateway Load Balancer (GWLB)**
 
-Use the [**Custom Deployment template with GWLB**](examples/cc_gwlb) to deploy your Cloud Connector in a new or existing VPC and load balance traffic across multiple Cloud Connectors. Zscaler\'s recommended deployment method is Gateway Load Balancer (GWLB). GWLB distributes traffic across multiple Cloud Connectors and achieves high availability. Optional ZPA/Route 53 add-on capabilities.
+Use the [**Custom Deployment Template with GWLB**](examples/cc_gwlb) to deploy your Cloud Connector in a new or existing VPC and load balance traffic across multiple Cloud Connectors. Zscaler\'s recommended deployment method is Gateway Load Balancer (GWLB). GWLB distributes traffic across multiple Cloud Connectors and achieves high availability. Optional ZPA/Route 53 add-on capabilities.
 
 ### **Custom Deployment Template with Auto Scaling and Gateway Load Balancer (GWLB)**
 
-Use the [**Custom Deployment template with GWLB**](examples/cc_gwlb_asg) to deploy your Cloud Connector in a new or existing VPC and load balance traffic across multiple Cloud Connectors. Zscaler\'s recommended deployment method is Gateway Load Balancer (GWLB). GWLB distributes traffic across multiple Cloud Connectors and achieves high availability. For added resiliency and elasticity, Cloud Connectors are deployed via a Launch Template configured Auto Scaling group. Optional ZPA/Route 53 add-on capabilities.
+Use the [**Custom Deployment Template with ASG and GWLB**](examples/cc_gwlb_asg) to deploy your Cloud Connector in a new or existing VPC and load balance traffic across multiple Cloud Connectors. Zscaler\'s recommended deployment method is Gateway Load Balancer (GWLB). GWLB distributes traffic across multiple Cloud Connectors and achieves high availability. For added resiliency and elasticity, Cloud Connectors are deployed via a Launch Template configured Auto Scaling group. Optional ZPA/Route 53 add-on capabilities.
+
+### **Custom Deployment Template with Zero Trust Gateway**
+
+Use the [**Custom Deployment Template with Zero Trust Gateway**](examples/ztgateway) to deploy Zscaler Zero Trust Endpoints in a new or existing AWS VPC environment to integrate with a Zero Trust Gateway.
diff --git a/examples/README.md b/examples/README.md
@@ -52,7 +52,7 @@ Optional: Edit the terraform.tfvars file under your desired deployment type (ie:
 **Test/Greenfield Deployment Types:**
 
 ```
-Deployment Type: (base | base_1cc | base_1cc_zpa | base_2cc | base_2cc_zpa | base_cc_gwlb | base_cc_gwlb_zpa | base_cc_gwlb_asg | base_cc_gwlb_asg_zpa):
+Deployment Type: (base | base_1cc | base_1cc_zpa | base_2cc | base_2cc_zpa | base_cc_gwlb | base_cc_gwlb_zpa | base_cc_gwlb_asg | base_cc_gwlb_asg_zpa | base_ztgateway):
 base: Creates 1 new VPC with 1 public subnet and 1 private/workload subnet; 1 IGW; 1 NAT Gateway; 1 Amazon Linux 2023 server workload in the private subnet routing to NAT Gateway; This does NOT deploy any actual Cloud Connectors.
 1 Bastion Host in the public subnet assigned an Elastic IP and routing to the IGW; generates local key pair .pem file for ssh access
 base_1cc: Base Deployment Type + Creates 1 Cloud Connector private subnet; 1 Cloud Connector VM routing to NAT Gateway; workload private subnet route repointed to service ENI of Cloud Connector
@@ -63,6 +63,7 @@ base_cc_gwlb: Base Deployment Type + Creates 4 Cloud Connectors (2 per subnet/AZ
 base_cc_gwlb_zpa: Everything from base_cc_gwlb + Creates 2 Route 53 subnets routing to service ENI of Cloud Connector; Route 53 outbound resolver endpoint; Route 53 resolver rules for ZPA
 base_cc_gwlb_asg: Everything from base_cc_gwlb except the number of Cloud Connectors is determined based on min/max size variables for autoscaling group configuration
 base_cc_gwlb_asg_zpa: Everything from base_cc_gwlb_asg + Creates 2 Route 53 subnets routing to service ENI of Cloud Connector; Route 53 outbound resolver endpoint; Route 53 resolver rules for ZPA
+base_ztgateway: Base Deployment Type + Creates 1 or more Zscaler private subnets based on how many availability zone ids specified; 1 Zero Trust Endpoint per AZ; workload private subnet route table default route pointing to ZT Endpoint in each respective AZ
 ```
 
 **2. Prod/Brownfield Deployments**
@@ -85,10 +86,11 @@ Optional: Edit the terraform.tfvars file under your desired deployment type (ie:
 **Prod/Brownfield Deployment Types**
 
 ```
-Deployment Type: (cc_ha | cc_gwlb | cc_gwlb_asg):
+Deployment Type: (cc_ha | cc_gwlb | cc_gwlb_asg | ztgateway):
 cc_ha (**deprecated**): Creates 1 new VPC with 2 public subnets and 2 Cloud Connector private subnets; 1 IGW; 2 NAT Gateways; 2 Cloud Connector VMs (1 per subnet/AZ) routing to the NAT Gateway in their same AZ; generates local key pair .pem file for ssh access; Number of Cloud Connectors and subnets deployed, ability to use existing resources (VPC, subnets, IGW, NAT Gateways), and toggle ZPA/R53 and Lambda HA failover features; generates local key pair .pem file for ssh access
 cc_gwlb: All options from cc_ha + replace lambda with Gateway Load Balancer auto registering service ips to target group with health checks; VPC Endpoint Service; 1 GWLB Endpoints per Cloud Connector subnet
 cc_gwlb_asg: All options from cc_gwlb except replace cc_vm module with cc_asg module containing Launch Template and Autoscaling Groups resources
+ztgateway: Deploy Zscaler Zero Trust Endpoints in a new or existing AWS VPC environment to integrate with a Zscaler Zero Trust Gateway
 ```
 
 ## Destroying the cluster

diff --git a/examples/base/README.md b/examples/base/README.md
@@ -39,19 +39,19 @@ From base directory execute:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.7, < 2.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.32.0, <= 5.49.0 |
-| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.2.0 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.1.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.3.0 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 3.4.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.5.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.6.0 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.32.0, <= 5.49.0 |
-| <a name="provider_local"></a> [local](#provider\_local) | ~> 2.2.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.3.0 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | ~> 3.4.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | ~> 2.5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | ~> 3.6.0 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | ~> 4.0.0 |
 
 ## Modules
 
@@ -67,6 +67,7 @@ From base directory execute:
 |------|------|
 | [aws_key_pair.deployer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
 | [local_file.private_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [local_file.ssh_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.testbed](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [tls_private_key.key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |

diff --git a/examples/base/outputs.tf b/examples/base/outputs.tf
@@ -12,24 +12,36 @@ By default, these templates store two critical files to the "examples" directory
    You (and subsequently Zscaler) will NOT be able to remotely access these VMs once deployed without valid SSH access.
 ***Disclaimer***
 
-1) Copy the SSH key to the bastion host
-scp -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ${var.name_prefix}-key-${random_string.suffix.result}.pem ec2-user@${module.bastion.public_dns}:/home/ec2-user/.
+Login Instructions & Resource Attributes
 
-2) SSH to the bastion host
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ec2-user@${module.bastion.public_dns}
+WORKLOAD Details/Commands:
+SSH to WORKLOADS
+%{for k, v in local.workload_map~}
+ssh -F ssh_config workload-${k}
+%{endfor~}  
 
-3) SSH to the workload host
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ec2-user@${module.workload.private_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ec2-user@${module.bastion.public_dns}"
+WORKLOAD IPs:
+%{for k, v in local.workload_map~}
+workload-${k} = ${v}
+%{endfor~} 
+
+WORKLOAD Instance IDs:
+${join("\n", module.workload.instance_id)}
+
+
+BASTION Jump Host Details/Commands:
+1) Copy the SSH key to BASTION home directory
+scp -F ssh_config ${var.name_prefix}-key-${random_string.suffix.result}.pem bastion:~/.
+
+2) SSH to BASTION
+ssh -F ssh_config bastion
+BASTION Instance ID:
+${module.bastion.instance_id}
 
-All Workload IPs. Replace private IP below with ec2-user@"ip address" in ssh example command above.
-${join("\n", module.workload.private_ip)}
 
 VPC:         
 ${module.network.vpc_id}
 
-All NAT GW IPs:
-${join("\n", module.network.nat_gateway_ips)}
-
 TB
 }
 
@@ -42,3 +54,30 @@ resource "local_file" "testbed" {
   content  = local.testbedconfig
   filename = "../testbed.txt"
 }
+
+resource "local_file" "ssh_config" {
+  content  = local.ssh_config_contents
+  filename = "../ssh_config"
+}
+
+locals {
+  workload_map = {
+    for index, ip in module.workload.private_ip :
+    index => ip
+  }
+  ssh_config_contents = <<SSH_CONFIG
+    Host bastion
+      HostName ${module.bastion.public_dns}
+      User ec2-user
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+    %{for k, v in local.workload_map~}
+Host workload-${k}
+      HostName ${v}
+      User ec2-user
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+      StrictHostKeyChecking no
+      ProxyJump bastion
+      ProxyCommand ssh bastion -W %h:%p
+    %{endfor~}
+  SSH_CONFIG
+}
diff --git a/examples/base/versions.tf b/examples/base/versions.tf
@@ -6,19 +6,19 @@ terraform {
     }
     random = {
       source  = "hashicorp/random"
-      version = "~> 3.3.0"
+      version = "~> 3.6.0"
     }
     local = {
       source  = "hashicorp/local"
-      version = "~> 2.2.0"
+      version = "~> 2.5.0"
     }
     null = {
       source  = "hashicorp/null"
-      version = "~> 3.1.0"
+      version = "~> 3.2.0"
     }
     tls = {
       source  = "hashicorp/tls"
-      version = "~> 3.4.0"
+      version = "~> 4.0.0"
     }
   }