https://github.com/zscaler/terraform-libvirt-branch-connector-modules

Terraform Modules for Zscaler Branch Connector on Linux KVM
https://github.com/zscaler/terraform-libvirt-branch-connector-modules

iac-module iac-terraform sase terraform zero-trust zscaler

Last synced: over 1 year ago
JSON representation

Terraform Modules for Zscaler Branch Connector on Linux KVM

• Host: GitHub
• URL: https://github.com/zscaler/terraform-libvirt-branch-connector-modules
• Owner: zscaler
• License: mit
• Created: 2022-07-11T19:33:52.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2023-05-11T01:51:33.000Z (about 3 years ago)
• Last Synced: 2025-01-04T21:46:04.540Z (over 1 year ago)
• Topics: iac-module, iac-terraform, sase, terraform, zero-trust, zscaler
• Language: HCL
• Homepage:
• Size: 45.9 KB
• Stars: 0
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

README

          


    





    



Zscaler Branch Connector Linux KVM Terraform Modules

===========================================================================================================

# **README for Linux KVM Terraform**

This README serves as a quick start guide to deploy Zscaler Branch Connector resources in a Linux KVM environment using Terraform. To learn more about the resources created when deploying Branch Connector with Terraform, see [Deployment Templates for Zscaler Branch Connector](https://help.zscaler.com/cloud-branch-connector/deployment-templates-zscaler-branch-connector-app-connector). These deployment templates are intended to be fully functional and self service for production use. All modules may also be utilized as design recommendation based on the [Zscaler Zero Trust SD-WAN Datasheet](https://www.zscaler.com/resources/data-sheets/zscaler-zero-trust-sd-wan.pdf).

## **KVM Deployment Scripts for Terraform**

Use this repository to create the deployment resources required to deploy and operate Branch Connector in an existing Linux KVM environment. The [examples](examples/) directory contains complete automation scripts for all deployment template solutions.

## Prerequisites

Our Deployment scripts are leveraging Terraform v1.1.9 that includes full binary and provider support for MacOS M1 chips, but any Terraform version 0.13.7 and higher should be generally supported.

- provider registry.terraform.io/providers/dmacvicar/libvirt v0.7.x

- provider registry.terraform.io/hashicorp/random v3.3.x

- provider registry.terraform.io/hashicorp/local v2.2.x

- provider registry.terraform.io/hashicorp/null v3.1.x

- provider registry.terraform.io/providers/zscaler/zpa v2.5.x

### KVM requirements

1. A valid connection URI to connect to the KVM hypervisor. For full more information on connection URI methods, click [here.](https://registry.terraform.io/providers/dmacvicar/libvirt/latest/docs)

Note:


On Ubuntu distros SELinux is enforced by qemu even if it is disabled globally, this might cause unexpected `Could not open '/var/lib/libvirt/images/': Permission denied` errors. Double check that `security_driver = "none"` is uncommented in `/etc/libvirt/qemu.conf` and issue `sudo systemctl restart libvirt-bin` to restart the daemon.


### Terraform client requirements

2. If executing Terraform via the "zsec" wrapper bash script, it is advised that you run from a MacOS or Linux workstation. Minimum installed application requirements to successfully from the script are:

- bash

- curl

- unzip







Even if you are running Terraform manually, there are still the following local application dependencies for the libvirt Terraform provider:

- mkisofs

- xsltproc







These can all be installed via your distribution app installer. ie: sudo apt install bash curl unzip mkisofs xsltproc

### Zscaler requirements

3. A valid Zscaler Branch Connector provisioning URL generated from the Branch Connector Portal

4. Zscaler Branch Connector Credentials (api key, username, password)

5. Download the Branch Connector qcow2 image file and save to the desired deployment type 'bootstrap' directory.

### Branch Connector + App Connector requirements

6. A valid Zscaler Private Access subscription and portal access

7. Zscaler ZPA API Keys. Details on how to find and generate ZPA API keys can be located [here:](https://help.zscaler.com/zpa/about-api-keys)

- Client ID

- Client Secret

- Customer ID

8. (Optional) An existing App Connector Group and Provisioning Key. Otherwise, you can follow the prompts in the examples terraform.tfvars to create a new Connector Group and Provisioning Key

###  **Starter Deployment Template**

Use the [**Starter Deployment Template**](examples/bc/) to deploy your Branch Connector in an existing KVM environment.

### **Starter Deployment Template with App Connector**

Use the [**Starter Deployment Template with App Connector**](examples/bc_ac) to deploy your combined Branch Connector + App Connector in an existing KVM environment.

### **Starter Deployment Template with High-Availability**

Use the [**Starter Deployment Template with High-Availability**](examples/bc_ha) to deploy your Branch Connector in an existing KVM environment. This template achieves high availability between two Branch Connectors.

***This will deploy both VMs on a single KVM host. For production deployments, it is recommended to deploy VMs on separate physical hypervisor hosts for resiliency.***

### **Starter Deployment Template with App Connector and High-Availability**

Use the [**Starter Deployment Template with App Connector and High-Availability**](examples/bc_ha_ac) to deploy your combined Branch Connector + App Connector in an existing KVM environment. This template achieves high availability between two Branch Connectors.

***This will deploy both VMs on a single KVM host. For production deployments, it is recommended to deploy VMs on separate physical hypervisor hosts for resiliency.***