zscaler
diff --git a/‎CHANGELOG.md‎
Lines changed: 5 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎examples/base_1cc/README.md‎
Lines changed: 2 additions & 2 deletions b/‎examples/base_1cc/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/base_1cc/main.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/base_1cc/main.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/base_1cc/terraform.tfvars‎
Lines changed: 5 additions & 1 deletion b/‎examples/base_1cc/terraform.tfvars‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎examples/base_1cc/variables.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/base_1cc/variables.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/base_1cc_zpa/README.md‎
Lines changed: 2 additions & 2 deletions b/‎examples/base_1cc_zpa/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/base_1cc_zpa/main.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/base_1cc_zpa/main.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/base_1cc_zpa/terraform.tfvars‎
Lines changed: 5 additions & 1 deletion b/‎examples/base_1cc_zpa/terraform.tfvars‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎examples/base_1cc_zpa/variables.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/base_1cc_zpa/variables.tf‎
Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,10 @@
 ## 0.3.1 (February 11, 2026)
 BUG FIXES:
-* add variable grant_pubsub_editor support for autoscaling deployment templates Service Account IAM Role module
-* add new roles/compute.viewer IAM requirement to the CC Service Account for better autoscaler detection and identification
+* add variable grant_pubsub_editor support for autoscaling deployment templates Service Account IAM Role module with default enabled
+* add new custom role creation with ["compute.autoscalers.list", "compute.autoscalers.get"] IAM requirement to the CC Service Account for better autoscaler detection and identification. *This may require additioinal Terraform Service account permissions like Role Administrator
+
+ENHANCEMENTS:
+* rename variable image_name to custom_image name to better differentiate between variable marketplace_image
 
 ## 0.3.0 (February 5, 2026)
 FEATURES:
 
@@ -93,12 +93,13 @@ From base_1cc directory execute:
 | <a name="input_cc_vm_prov_url"></a> [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes |
 | <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"n2-standard-2"` | no |
 | <a name="input_credentials"></a> [credentials](#input\_credentials) | Path to the service account json file for terraform to authenticate to Google Cloud | `string` | n/a | yes |
+| <a name="input_custom_image_name"></a> [custom\_image\_name](#input\_custom\_image\_name) | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `string` | `""` | no |
 | <a name="input_default_nsg"></a> [default\_nsg](#input\_default\_nsg) | Default CIDR list to permit workload traffic destined for Cloud Connector | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_fw_cc_mgmt_hcp_vault_address_name"></a> [fw\_cc\_mgmt\_hcp\_vault\_address\_name](#input\_fw\_cc\_mgmt\_hcp\_vault\_address\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to access to HCP Vault Address port number | `string` | `null` | no |
 | <a name="input_fw_cc_mgmt_ssh_ingress_name"></a> [fw\_cc\_mgmt\_ssh\_ingress\_name](#input\_fw\_cc\_mgmt\_ssh\_ingress\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting SSH inbound from the VPC CIDR range by default | `string` | `null` | no |
 | <a name="input_fw_cc_mgmt_zssupport_tunnel_name"></a> [fw\_cc\_mgmt\_zssupport\_tunnel\_name](#input\_fw\_cc\_mgmt\_zssupport\_tunnel\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to establish zssupport tunnel | `string` | `null` | no |
 | <a name="input_fw_cc_service_default_name"></a> [fw\_cc\_service\_default\_name](#input\_fw\_cc\_service\_default\_name) | The name of the compute firewall created on the user defined Cloud Connector Service VPC Network permitting workload traffic to be sent to Zscaler | `string` | `null` | no |
-| <a name="input_grant_pubsub_editor"></a> [grant\_pubsub\_editor](#input\_grant\_pubsub\_editor) | If true, grant roles/pubsub.editor to the CCVM SA at project scope | `bool` | `false` | no |
+| <a name="input_grant_pubsub_editor"></a> [grant\_pubsub\_editor](#input\_grant\_pubsub\_editor) | If true, grant roles/pubsub.editor to the CCVM SA at project scope | `bool` | `true` | no |
 | <a name="input_hcp_gcp_auth_role_type"></a> [hcp\_gcp\_auth\_role\_type](#input\_hcp\_gcp\_auth\_role\_type) | Customer managed HashiCorp Vault GCP Auth Method | `string` | `"gcp_iam"` | no |
 | <a name="input_hcp_vault_address"></a> [hcp\_vault\_address](#input\_hcp\_vault\_address) | Customer managed HashiCorp Vault URL; including leading https (if applicable) and trailing port number | `string` | `""` | no |
 | <a name="input_hcp_vault_enabled"></a> [hcp\_vault\_enabled](#input\_hcp\_vault\_enabled) | True/False used to determine specific HCP Vault configured network firewall and Service Account IAM roles. Default is false | `bool` | `false` | no |
@@ -107,7 +108,6 @@ From base_1cc directory execute:
 | <a name="input_hcp_vault_role_name"></a> [hcp\_vault\_role\_name](#input\_hcp\_vault\_role\_name) | Customer managed HashiCorp Role Name | `string` | `""` | no |
 | <a name="input_hcp_vault_secret_path"></a> [hcp\_vault\_secret\_path](#input\_hcp\_vault\_secret\_path) | Customer managed HashiCorp Vault secret path. The path to a secret is formed from three parts: <namespace>/<engine mount point>/<path to secret>. If you are not using the enterprise version of Vault, you should omit the first part | `string` | `""` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GCP LB | `number` | `50000` | no |
-| <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `string` | `""` | no |
 | <a name="input_instance_group_name"></a> [instance\_group\_name](#input\_instance\_group\_name) | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | `list(string)` | <pre>[<br/>  ""<br/>]</pre> | no |
 | <a name="input_instance_template_name"></a> [instance\_template\_name](#input\_instance\_template\_name) | The name of the instance template. Conflicts with variable instance\_template\_name\_prefix | `string` | `""` | no |
 | <a name="input_instance_template_name_prefix"></a> [instance\_template\_name\_prefix](#input\_instance\_template\_name\_prefix) | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance\_template\_name | `string` | `""` | no |
 
@@ -149,7 +149,7 @@ resource "local_file" "user_data_file" {
 # Locate Latest CC Image
 ################################################################################
 data "google_compute_image" "zs_cc_img" {
-  count   = var.image_name != "" ? 0 : 1
+  count   = var.custom_image_name != "" ? 0 : 1
   project = "mpi-zscalercloudconnector-publ"
   name    = var.marketplace_image
 }
@@ -183,7 +183,7 @@ module "cc_vm" {
   cc_count                    = var.cc_count
   vpc_subnetwork_ccvm_mgmt    = module.network.mgmt_subnet
   vpc_subnetwork_ccvm_service = module.network.service_subnet
-  image_name                  = var.image_name != "" ? var.image_name : data.google_compute_image.zs_cc_img[0].self_link
+  custom_image_name           = var.custom_image_name != "" ? var.custom_image_name : data.google_compute_image.zs_cc_img[0].self_link
   service_account             = module.iam_service_account.service_account
 
   ## Optional: Custom instance names. If not specified and conditions are met for resource
 
@@ -122,7 +122,11 @@
 
 ## Note: It is NOT RECOMMENDED to statically set CC image versions. Zscaler recommends always running/deploying the latest version template
 
-#image_name                                 = "zs-image-gcp-20230928152536-la-1"
+#marketplace_image                          = "zs-cc-ga-02042026"
+#marketplace_image                          = "zs-cc-ga-02022025"
+#marketplace_image                          = "zs-cc-ga-10292023"
+
+#custom_image_name                          = "private-image-name" <<< Not recommended for production
 
 ## 13. By default, if Terraform is creating an outbound VPC firewall rule named zscaler_support_access enabling 
 ##     Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
 
@@ -149,7 +149,7 @@ variable "zones" {
   default     = []
 }
 
-variable "image_name" {
+variable "custom_image_name" {
   type        = string
   description = "Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"
   default     = ""
@@ -296,6 +296,6 @@ EOT
 
 variable "grant_pubsub_editor" {
   type        = bool
-  default     = false
+  default     = true
   description = "If true, grant roles/pubsub.editor to the CCVM SA at project scope"
 }
@@ -94,13 +94,14 @@ From base_1cc_zpa directory execute:
 | <a name="input_cc_vm_prov_url"></a> [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes |
 | <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"n2-standard-2"` | no |
 | <a name="input_credentials"></a> [credentials](#input\_credentials) | Path to the service account json file for terraform to authenticate to Google Cloud | `string` | n/a | yes |
+| <a name="input_custom_image_name"></a> [custom\_image\_name](#input\_custom\_image\_name) | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `string` | `""` | no |
 | <a name="input_default_nsg"></a> [default\_nsg](#input\_default\_nsg) | Default CIDR list to permit workload traffic destined for Cloud Connector | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Google Cloud DNS zone forward ZPA App Segment DNS requests to Cloud Connector | `map(any)` | n/a | yes |
 | <a name="input_fw_cc_mgmt_hcp_vault_address_name"></a> [fw\_cc\_mgmt\_hcp\_vault\_address\_name](#input\_fw\_cc\_mgmt\_hcp\_vault\_address\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to access to HCP Vault Address port number | `string` | `null` | no |
 | <a name="input_fw_cc_mgmt_ssh_ingress_name"></a> [fw\_cc\_mgmt\_ssh\_ingress\_name](#input\_fw\_cc\_mgmt\_ssh\_ingress\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting SSH inbound from the VPC CIDR range by default | `string` | `null` | no |
 | <a name="input_fw_cc_mgmt_zssupport_tunnel_name"></a> [fw\_cc\_mgmt\_zssupport\_tunnel\_name](#input\_fw\_cc\_mgmt\_zssupport\_tunnel\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to establish zssupport tunnel | `string` | `null` | no |
 | <a name="input_fw_cc_service_default_name"></a> [fw\_cc\_service\_default\_name](#input\_fw\_cc\_service\_default\_name) | The name of the compute firewall created on the user defined Cloud Connector Service VPC Network permitting workload traffic to be sent to Zscaler | `string` | `null` | no |
-| <a name="input_grant_pubsub_editor"></a> [grant\_pubsub\_editor](#input\_grant\_pubsub\_editor) | If true, grant roles/pubsub.editor to the CCVM SA at project scope | `bool` | `false` | no |
+| <a name="input_grant_pubsub_editor"></a> [grant\_pubsub\_editor](#input\_grant\_pubsub\_editor) | If true, grant roles/pubsub.editor to the CCVM SA at project scope | `bool` | `true` | no |
 | <a name="input_hcp_gcp_auth_role_type"></a> [hcp\_gcp\_auth\_role\_type](#input\_hcp\_gcp\_auth\_role\_type) | Customer managed HashiCorp Vault GCP Auth Method | `string` | `"gcp_iam"` | no |
 | <a name="input_hcp_vault_address"></a> [hcp\_vault\_address](#input\_hcp\_vault\_address) | Customer managed HashiCorp Vault URL; including leading https (if applicable) and trailing port number | `string` | `""` | no |
 | <a name="input_hcp_vault_enabled"></a> [hcp\_vault\_enabled](#input\_hcp\_vault\_enabled) | True/False used to determine specific HCP Vault configured network firewall and Service Account IAM roles. Default is false | `bool` | `false` | no |
@@ -109,7 +110,6 @@ From base_1cc_zpa directory execute:
 | <a name="input_hcp_vault_role_name"></a> [hcp\_vault\_role\_name](#input\_hcp\_vault\_role\_name) | Customer managed HashiCorp Role Name | `string` | `""` | no |
 | <a name="input_hcp_vault_secret_path"></a> [hcp\_vault\_secret\_path](#input\_hcp\_vault\_secret\_path) | Customer managed HashiCorp Vault secret path. The path to a secret is formed from three parts: <namespace>/<engine mount point>/<path to secret>. If you are not using the enterprise version of Vault, you should omit the first part | `string` | `""` | no |
 | <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GCP LB | `number` | `50000` | no |
-| <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `string` | `""` | no |
 | <a name="input_instance_group_name"></a> [instance\_group\_name](#input\_instance\_group\_name) | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | `list(string)` | <pre>[<br/>  ""<br/>]</pre> | no |
 | <a name="input_instance_template_name"></a> [instance\_template\_name](#input\_instance\_template\_name) | The name of the instance template. Conflicts with variable instance\_template\_name\_prefix | `string` | `""` | no |
 | <a name="input_instance_template_name_prefix"></a> [instance\_template\_name\_prefix](#input\_instance\_template\_name\_prefix) | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance\_template\_name | `string` | `""` | no |
 
@@ -148,7 +148,7 @@ resource "local_file" "user_data_file" {
 # Locate Latest CC Image
 ################################################################################
 data "google_compute_image" "zs_cc_img" {
-  count   = var.image_name != "" ? 0 : 1
+  count   = var.custom_image_name != "" ? 0 : 1
   project = "mpi-zscalercloudconnector-publ"
   name    = var.marketplace_image
 }
@@ -182,7 +182,7 @@ module "cc_vm" {
   cc_count                    = var.cc_count
   vpc_subnetwork_ccvm_mgmt    = module.network.mgmt_subnet
   vpc_subnetwork_ccvm_service = module.network.service_subnet
-  image_name                  = var.image_name != "" ? var.image_name : data.google_compute_image.zs_cc_img[0].self_link
+  custom_image_name           = var.custom_image_name != "" ? var.custom_image_name : data.google_compute_image.zs_cc_img[0].self_link
   service_account             = module.iam_service_account.service_account
 
   ## Optional: Custom instance names. If not specified and conditions are met for resource
 
@@ -122,7 +122,11 @@
 
 ## Note: It is NOT RECOMMENDED to statically set CC image versions. Zscaler recommends always running/deploying the latest version template
 
-#image_name                                 = "zs-image-gcp-20230928152536-la-1"
+#marketplace_image                          = "zs-cc-ga-02042026"
+#marketplace_image                          = "zs-cc-ga-02022025"
+#marketplace_image                          = "zs-cc-ga-10292023"
+
+#custom_image_name                          = "private-image-name" <<< Not recommended for production
 
 ## 13. By default, if Terraform is creating an outbound VPC firewall rule named zscaler_support_access enabling 
 ##     Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
 
@@ -149,7 +149,7 @@ variable "zones" {
   default     = []
 }
 
-variable "image_name" {
+variable "custom_image_name" {
   type        = string
   description = "Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"
   default     = ""
@@ -300,6 +300,6 @@ EOT
 
 variable "grant_pubsub_editor" {
   type        = bool
-  default     = false
+  default     = true
   description = "If true, grant roles/pubsub.editor to the CCVM SA at project scope"
 }
Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,7 @@ variable "zones" {`
`149`	`149`	`default = []`
`150`	`150`	`}`
`151`	`151`
`152`		`-variable "image_name" {`
	`152`	`+variable "custom_image_name" {`
`153`	`153`	`type = string`
`154`	`154`	`description = "Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"`
`155`	`155`	`default = ""`
`@@ -296,6 +296,6 @@ EOT`
`296`	`296`
`297`	`297`	`variable "grant_pubsub_editor" {`
`298`	`298`	`type = bool`
`299`		`- default = false`
	`299`	`+ default = true`
`300`	`300`	`description = "If true, grant roles/pubsub.editor to the CCVM SA at project scope"`
`301`	`301`	`}`