
Operationalizing Zero Trust Cloud platform in cloud environments using Terraform Cloud and GitHub

Introduction

One of the most interesting aspects of my role at Zscaler is collaborating with customers to design and architect solutions based on Zscaler’s Zero Trust Cloud (ZT Cloud) platform, tailored to their large and complex cloud environments. Central to the ZT Cloud platform are Zscaler Cloud Connectors, which securely forward traffic from cloud environments to the Zscaler Zero Trust Exchange. This past week, during a design session with a customer, we had an engaging discussion about how best to operationalize Zscaler Cloud Connectors using Terraform.

Terraform is an excellent way to automate the deployment of infrastructure, including Zscaler Cloud Connectors, in any cloud environment. However, when the same infrastructure has to be deployed across multiple regions and environments, customers often face an important challenge: how to organize the Terraform files, variables and Terraform state so that the deployment remains scalable and maintainable.

Real World Use Case

For example, take the environment of the customer I was discussing this with. They have a presence in two clouds, AWS and Azure, and in each cloud they operate in three regions. Additionally, each cloud region hosts three environments: Production, Dev and Staging. In total that is 2 × 3 × 3 = 18 distinct environments, each requiring Cloud Connector infrastructure deployment and ongoing management. Some obvious questions we ended up discussing were:

  • Should the Terraform code for each environment be managed separately? Does that mean 18 different code repositories?
  • How can variables, secrets, backend configurations and Terraform state be managed more efficiently?
  • Should we use a shared state or isolated state files?
  • How do we balance code reusability with the need for environment-specific customizations?

Managing Terraform code across multiple environments can be a difficult task, and the questions above highlight the need for a solution that ensures code organization, consistency, efficiency and team collaboration.

One effective way to address these challenges is to integrate Terraform Cloud with GitHub. Together, these tools offer powerful capabilities for managing Terraform configurations in large multi-region and multi-cloud environments. Terraform Cloud simplifies remote state management, common configuration management and state versioning, while GitHub provides version control and CI/CD workflows.

Now, let us see how we can address the challenges mentioned above using Terraform Cloud and GitHub. Note: this is not a tutorial for either Terraform Cloud or GitHub; adjust the steps below to your own environment.

  • Clone the appropriate Zscaler repositories containing the Azure and AWS Terraform modules to your GitHub account.
    1. Zscaler’s AWS Terraform Module Repository: https://github.com/zscaler/terraform-aws-cloud-connector-modules.git
    2. Zscaler’s Azure Terraform Module Repository: https://github.com/zscaler/terraform-azurerm-cloud-connector-modules.git
    3. Note: GCP is not covered in this blog, but Zscaler’s GCP Terraform Module Repository is available at https://github.com/zscaler/terraform-gcp-cloud-connector-modules.git
  • Create and set up your Terraform Cloud account (skip this step if you already have one). You can either use your HashiCorp Cloud Platform account or create a new, separate Terraform Cloud account at https://app.terraform.io/
  • Create Workspaces - Think of a workspace as the container in which Terraform Cloud executes your Terraform code and deploys your infrastructure. Every workspace has its own state and its own set of variables. So, in our example, we will have one workspace per environment, i.e. 18 workspaces for the 18 environments in which we want to deploy Zscaler Cloud Connectors.

  • Connect Workspaces to the right GitHub repository - Every workspace also has its own Version Control System (VCS) connection to a code repository. So, in our example, we have integrated our single GitHub Azure Terraform Module Repository with all 9 Azure workspaces in Terraform Cloud. Similarly, we can integrate our GitHub AWS Terraform Module Repository with all 9 of our AWS workspaces. Note: there are a few options while setting up the VCS connection that you can adjust based on your requirements.

  • Create Variable Sets and apply them to the relevant workspaces - A Variable Set allows us to define and reuse variables in an efficient, centralized way. Once a variable set is defined, it can be applied to one, several or all workspaces. For instance, in our example we need Azure Service Principal credentials for every environment, so we can create a variable set for the Service Principal credentials and apply it to all the workspaces. That way, the common variables are managed only once. You can create multiple variable sets for any other common variables applicable to your setup. For instance, in our example we should create another Variable Set containing common Cloud Connector variables like Provisioning_URL, Subscription_ID, ARM_Location, Owner_Tags, Prefixes etc. that are common to all Azure workspaces, and apply it to all 9 Azure workspaces.

  • Create additional variables in the respective workspaces - Create the variables that apply only to a single workspace in that workspace. For example, in our case the region in which we want to deploy the infrastructure is different for each workspace, so we create that variable separately in every workspace.

  • Trigger Terraform Plan and Apply - There are two ways to trigger Terraform Plan and Apply on workspaces:
    1. Through the UI - Every workspace has an option to run Terraform Plan and Apply from the UI.
    2. On commits to the connected GitHub branch - You can configure this during the VCS integration.

Every Terraform Cloud workspace has its own state file, which is stored and managed by Terraform Cloud. In addition, Terraform Cloud retains historical versions of the Terraform state for each workspace, which can be analyzed to understand how the infrastructure has changed over time.

  • Additional Options - Terraform Cloud also provides other capabilities, such as Role Based Access Control and policy controls applied on every Terraform run, but those options are outside the scope of this blog.
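The workspace, variable-set and per-workspace-variable steps above can themselves be codified, which keeps the Terraform Cloud setup reviewable in Git. The following is an added example written with HashiCorp's `tfe` provider, not code from the blog or from the Zscaler module repositories; the organization name, OAuth token id, GitHub fork path, region list and the module input name `arm_location` are placeholders and assumptions.

```hcl
# Placeholders (assumed, not from the Zscaler modules): supply your own values.
variable "tfc_org" { type = string }                 # Terraform Cloud organization
variable "github_oauth_token_id" { type = string }   # VCS connection created in TFC
variable "arm_client_secret" {
  type      = string
  sensitive = true                                    # Azure service principal secret
}
locals {
  regions = ["eastus", "westeurope", "southeastasia"] # constructed sample regions
  envs    = ["prod", "dev", "staging"]
  # 3 regions x 3 environments = the 9 Azure workspaces, keyed "region-env"
  workspaces = {
    for p in setproduct(local.regions, local.envs) : "${p[0]}-${p[1]}" => p[0]
  }
}
# One workspace per environment, all connected to the same forked module repo.
resource "tfe_workspace" "azure" {
  for_each     = local.workspaces
  name         = "zcc-azure-${each.key}"
  organization = var.tfc_org
  vcs_repo {
    identifier     = "your-github-org/terraform-azurerm-cloud-connector-modules" # placeholder fork
    oauth_token_id = var.github_oauth_token_id
  }
}
# Shared variable set: the service principal secret is defined once...
resource "tfe_variable_set" "azure_sp" {
  name         = "azure-service-principal"
  organization = var.tfc_org
}
resource "tfe_variable" "arm_client_secret" {
  key             = "ARM_CLIENT_SECRET" # env var read by the azurerm provider
  value           = var.arm_client_secret
  category        = "env"
  sensitive       = true                # write-only: cannot be read back via the TFC UI or API
  variable_set_id = tfe_variable_set.azure_sp.id
}
resource "tfe_workspace_variable_set" "azure_sp" { # ...and attached to all 9 workspaces
  for_each        = tfe_workspace.azure
  variable_set_id = tfe_variable_set.azure_sp.id
  workspace_id    = each.value.id
}
# Workspace-specific variable: the deployment region differs per workspace.
resource "tfe_variable" "region" {
  for_each     = tfe_workspace.azure
  key          = "arm_location"         # must match the module's input variable name (assumed)
  value        = local.workspaces[each.key]
  category     = "terraform"
  workspace_id = each.value.id
}
```

Adding `"prod"` to `local.envs` or a region to `local.regions` creates the extra workspaces, attaches the shared credentials and sets the region in one plan, which is the reuse-versus-customization split the bullets above describe.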

Benefits of this approach

So, we just saw how we can deploy Zscaler Cloud Connectors in 18 different environments using Terraform Cloud and GitHub. Using Terraform Cloud together with a platform like GitHub allows us to scale the deployment and ongoing management of Zscaler Cloud Connector infrastructure by:

  1. Allowing us to use the same Terraform code/files (per cloud) across different environments. There is no need for separate Terraform files in different folders per environment. This greatly reduces the overhead of managing separate code for each environment and significantly reduces the chances of misconfiguration. In our case, we were able to use the same Azure Terraform code/files for all 9 Azure environments.

  2. Automated state management by Terraform Cloud, including the retention of historical state versions.

  3. Ability to reuse common configuration elements like variables across workspaces

  4. Full control over how to roll out the Zscaler Cloud Connectors in a phased manner across multi-region and multi-cloud environments.

Summary

Deploying Zscaler Cloud Connectors using Terraform Cloud and GitHub is just one of the many ways to simplify the operationalization of Zscaler’s Zero Trust Cloud Platform. 

However, Zscaler is streamlining this process even further by launching Zero Trust Gateway (ZTGW) that allows customers to consume the Zero Trust Cloud Platform as a service. With Zero Trust Gateway Service, Zscaler takes on the responsibility of deploying, managing, and maintaining the Zero Trust Cloud platform, enabling customers to secure their cloud environment in minutes while significantly reducing complexity and operational overhead.

In the next iteration of this blog, we will look at how we can achieve this using Zero Trust Gateway Service. Stay Tuned.
