Note: Scroll down this article to download the Terraform files in zip format.
Terraform for Cloud Security Connector for Zscaler (ZIA) with PriCPA on AWS
This Terraform project deploys the necessary AWS infrastructure for a single Cloud Security Connector (CSC) for Zscaler (ZIA) with PriCPA instance. The configuration is designed for a single-instance setup with two network interfaces, one for external (public) and one for internal (private) traffic.
Overview
The template automates the creation of the following AWS resources:
- An EC2 Instance based on a specified CSC AMI.
- Two Elastic Network Interfaces (ENIs):
  - eth0: the primary external interface, attached to a public subnet.
  - eth1: the internal interface for your private network traffic, attached to a private subnet.
- Two Elastic IP (EIP) addresses associated with the external network interface. This provides stable public IPs for the GRE tunnel and other services like Bypasses & PriCPA.
- Two Security Groups to control inbound and outbound traffic for the external and internal interfaces.
- An IAM Instance Profile attachment to grant the EC2 instance necessary permissions.
Prerequisites
Before you begin, ensure you have the following:
- Terraform installed on your local machine.
- AWS Credentials configured for Terraform to use (e.g., via environment variables or the ~/.aws/credentials file).
- An existing AWS VPC with at least one public and one private subnet.
- An existing IAM Role and Instance Profile for the EC2 instance as described in the CSC Admin Guide documentation.
- An existing EC2 Key Pair in your target AWS region to allow for SSH access.
Deployment Steps
Follow these steps to deploy the CSC infrastructure:
1. Configure Input Variables
Use the file named terraform.auto.tfvars in the root of the project directory. This file contains the specific values for your deployment. Use the example below as a template.
terraform.auto.tfvars example:
# Network Configurations
vpc_id = "vpc-00339e4adbdabde5e"
external_subnet_id = "subnet-0fcc9e0d66a55c85c"
internal_subnet_id = "subnet-035779a6aae387e37"
# Stack & Deployment Configurations
stack_name = "csc-zscaler-pricpa-v-5-0"
deployment_region = "us-east-1"
# Instance Configurations
instance_name = "csc-zscaler-pricpa-v-5-0"
instance_type = "t3a.small"
keyname = "myKeyName"
# IAM Role Configuration
attach_existing_iam_profile = true
iam_instance_profile_name = "csc-EC2-Instance-Role"
2. Prepare User Data
The EC2 instance is configured at boot time using a user_data script. The Terraform code expects this configuration in a file named configUserData.json.
Copy one of the provided default files (configUserData-default-initial-deployment.json or configUserData-default-upgrade.json) to a new file named configUserData.json.
Modify configUserData.json with your specific configuration details.
If you want to upgrade the CSC to a new version, go to the variables.tf file, section "ec2regionmap", and put the correct AMI ID for your region. Also, use the file configUserData-default-upgrade.json to pass the values already configured in the running CSC via configUserData.json.
3. Initialize and Apply Terraform
Open your terminal in the project directory and run the following commands:
# Initialize the Terraform workspace
terraform init
# Review the execution plan
terraform plan
# Apply the configuration to create the resources
terraform apply
Terraform will prompt you for confirmation. Type yes to proceed with the infrastructure creation.
4. Inputs Table
The following input variables are used to configure the deployment.
Name | Description | Type | Default | Required |
---|---|---|---|---|
vpc_id | The ID of the VPC where the resources will be deployed. | string | null | Yes |
external_subnet_id | The ID of the public subnet for the external network interface (eth0). | string | null | Yes |
internal_subnet_id | The ID of the private subnet for the internal network interface (eth1). | string | null | Yes |
stack_name | A unique name for the deployment stack, used for naming resources such as security groups. | string | null | Yes |
deployment_region | The AWS region where the infrastructure will be deployed. | string | null | Yes |
instance_name | The Name tag for the EC2 instance. | string | null | Yes |
keyname | The name of the EC2 Key Pair for SSH access. | string | null | Yes |
instance_type | The EC2 instance type to use. A list of valid types is available in variables.tf. | string | "t3a.medium" | No |
attach_existing_iam_profile | If true, attaches an existing IAM instance profile to the EC2 instance. | bool | false | No |
iam_instance_profile_name | The name of the existing IAM instance profile to attach when attach_existing_iam_profile is true. | string | "" | No |
userdata | (Optional) For advanced deployments, you can paste the content of configUserData.json here directly. | string | "" | No |
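Steps 1 to 3 above leave the first real validation to `terraform apply`. The following pre-flight script is an added example (not part of the CSC project) that checks a terraform.auto.tfvars file against the Inputs table before you run apply: required variables present, VPC and subnet IDs with their AWS prefixes, an IAM profile name supplied whenever attach_existing_iam_profile is true, and configUserData.json in place unless userdata is set inline. The sample tfvars content it writes is constructed from the example in step 1.

```shell
#!/bin/sh
# Pre-flight check for terraform.auto.tfvars, run before `terraform apply`. Added example,
# not part of the CSC project; variable and file names come from the Inputs table and step 2.
# Print the value of key $2 in tfvars file $1, quotes stripped; empty if unset or "".
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*[^\"# ]\)\"\{0,1\}.*$/\1/p" "$1" | head -n 1
}

# Print one problem per line for tfvars file $1; return 1 if any were found.
preflight() {
  f=$1 rc=0
  for k in vpc_id external_subnet_id internal_subnet_id stack_name deployment_region instance_name keyname; do
    [ -n "$(tfvar "$f" "$k")" ] || { echo "missing required variable: $k"; rc=1; }
  done
  # AWS IDs carry a fixed prefix, so a pasted name or a swapped field is caught before apply.
  case "$(tfvar "$f" vpc_id)" in vpc-*) ;; *) echo "vpc_id must look like vpc-..."; rc=1 ;; esac
  for k in external_subnet_id internal_subnet_id; do
    case "$(tfvar "$f" "$k")" in subnet-*) ;; *) echo "$k must look like subnet-..."; rc=1 ;; esac
  done
  # Requesting an existing profile without naming it leaves the instance without its IAM role.
  if [ "$(tfvar "$f" attach_existing_iam_profile)" = true ] && [ -z "$(tfvar "$f" iam_instance_profile_name)" ]; then
    echo "attach_existing_iam_profile is true but iam_instance_profile_name is empty"; rc=1
  fi
  # Step 2: unless userdata is given inline, configUserData.json must sit beside the tfvars file.
  if [ -z "$(tfvar "$f" userdata)" ] && [ ! -s "$(dirname "$f")/configUserData.json" ]; then
    echo "configUserData.json missing; copy one of the configUserData-default-*.json files"; rc=1
  fi
  return $rc
}

# Constructed sample directory: one correct tfvars file, one with two mistakes, and a placeholder configUserData.json.
write_samples() {
  printf '{"placeholder": true}\n' > "$1/configUserData.json"
  cat > "$1/good.auto.tfvars" <<'EOF'
vpc_id = "vpc-00339e4adbdabde5e"
external_subnet_id = "subnet-0fcc9e0d66a55c85c"
internal_subnet_id = "subnet-035779a6aae387e37"
stack_name = "csc-zscaler-pricpa-v-5-0"
deployment_region = "us-east-1"
instance_name = "csc-zscaler-pricpa-v-5-0"
keyname = "myKeyName"   # trailing comments are ignored by tfvar
attach_existing_iam_profile = true
iam_instance_profile_name = "csc-EC2-Instance-Role"
EOF
  # Mistakes: internal_subnet_id dropped, IAM profile requested but left unnamed.
  grep -v -e '^internal_subnet_id' -e '^iam_instance_profile_name' "$1/good.auto.tfvars" > "$1/bad.auto.tfvars"
  echo 'iam_instance_profile_name = ""' >> "$1/bad.auto.tfvars"
}

if [ $# -eq 1 ]; then preflight "$1"; fi
```

Run it as `sh preflight.sh terraform.auto.tfvars` from the project directory; a non-zero exit with the listed problems means the apply would fail or deploy an instance without its role.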
5. Outputs Table
Upon successful deployment, Terraform will provide the following outputs.
Name | Description |
---|---|
a-CSC-InstanceName | The instance Name of the deployed CSC EC2 instance. |
b-CSC-InstanceID | The instance ID of the deployed CSC EC2 instance. |
c-VPC-ID | A reference to the VPC where the CSC was deployed. |
d-CSC-Public-IP-EIP01 | This EIP01 should be the public IP address for the GRE tunnel & Services, but Terraform sometimes doesn't assign the EIPs in the correct order. Check the CSC for the proper assignment. |
e-CSC-Public-IP-EIP02 | This EIP02 should be the public IP address for Bypass, PriCPA, and Advanced NAT GW, but Terraform sometimes doesn't assign the EIPs in the correct order. Check the CSC for the proper assignment. |
f-CSC-GW-Private-IP | The primary private IP address of the internal network interface (eth1). |
g-InternalNetworkInterface | The ID of the internal network interface. |
Copyright
Copyright © 2025 Maidenhead Bridge Limited. Contact: support@maidenheadbridge.com
All rights reserved.