asg release

gcp autoscaling module checkin

Author: jmolnar-zscaler

CHANGELOG.md

@@ -1,3 +1,16 @@
+## 0.3.0 (January 23, 2026)
+FEATURES:
+* Official support for Cloud Connector Auto Scaling on GCP - (Requires new Marketplace Compute Image: zs-cc-ga-02042026 or greater )
+    - add: module terraform-zscc-cloud-function-gcp for Cloud Run Function and dependency resources
+    - update: module terraform-zscc-ccvm-gcp for autoscaling_enabled conditions including: dynamically removing stateful disk and internal_ip attributes and the addition of google_compute_autoscaler.cc_asg resource
+    - update: module terraform-zscc-iam-service-account-gcp to include Monitoring Metric Writer role for CC SA when autoscaling is enabled
+    - add: zsec script support for ASG greenfield and brownfield deployments
+
+ENHANCEMENTS:
+* add: variable marketplace_image for all deployment templates defaulting to the latest available image "zs-cc-ga-02042026" upgraded to ZscalerOS 42 and supporting autoscaling
+* add: ssh_config creations to deployment templates outputs.tf for improvement UX
+* add: variable tags applied to google_compute_instance_template.cc_instance_template resource
+
 ## 0.2.1 (February 25, 2025)
 BUG FIXES:
 * fix: add missing lb_vip attribute back to ilb based template userdata file generation

examples/README.md

@@ -46,11 +46,14 @@ Optional: Edit the terraform.tfvars file under your desired deployment type (ie:
 **Test/Greenfield Deployment Types:**
 
 ```
-Deployment Type: (base_1cc | base_1cc_zpa | base_cc_ilb | base_cc_ilb_zpa):
+Deployment Type: (base_1cc | base_1cc_zpa | base_cc_ilb | base_cc_ilb_zpa | base_cc_asg | base_cc_asg_zpa):
 base_1cc: Creates 1 new "Management" VPC with 1 CC-Mgmt subnet and 1 bastion subnet; 1 "Service" VPC with 1 CC-Service subnet and 1 workload subnet; 1 Cloud Router + NAT Gateway per VPC; 1 Ubuntu client workload with a tagged default route next-hop to Cloud Connector service network instance; 1 Bastion Host assigned a dynamic public IP; generates local key pair .pem file for ssh access to all VMs; 1 Cloud Connector compute instance template + zonal managed instance group to deploy a single Cloud Connector appliance with a dedicated service account associated for accessing Secret Manager; tagged route table pointing workload default route next-hop to the CC Instance.
 base_1cc_zpa: Everything from base_1cc + creates Google Cloud DNS forward zones intended for ZPA App Segment DNS redirection.
 base_cc_ilb: Everything from base_1cc + option to deploy multiple Cloud Connectors across multiple zonal managed instance groups behind an Internal Load Balancer (ILB) including new: backend service, forwarding rule, health check, and firewall rules needed to front all cloud connector instances for highly available/resilient workload traffic forwarding; tagged route table pointing workload default route next-hop to the ILB front end IP.
 base_cc_ilb_zpa: Everything from base_cc_ilb + creates Google Cloud DNS forward zones intended for ZPA App Segment DNS redirection.
+base_cc_asg: Everything from base_cc_ilb except the number of Cloud Connectors is determined based on min/max size variables for autoscaling group configuration. The configured Instance Group(s) will be associated with an autoscaler policy. Cloud Run Functions will also be created for VM health monitoring and resource synchronization.
+base_cc_asg_zpa: Everything from base_cc_asg + creates Google Cloud DNS forward zones intended for ZPA App Segment DNS redirection.
+
 ```
 
 **2. Prod/Brownfield Deployments**
@@ -73,8 +76,9 @@ Optional: Edit the terraform.tfvars file under your desired deployment type (ie:
 **Prod/Brownfield Deployment Types**
 
 ```
-Deployment Type: (cc_ilb):
+Deployment Type: (cc_ilb | cc_asg):
 cc_ilb: Creates 1 new "Management" VPC with 1 CC-Mgmt subnet; 1 "Service" VPC with 1 CC-Service subnet; 1 Cloud Router + NAT Gateway per VPC; generates local key pair .pem file for ssh access to all VMs. All network infrastructure resource have conditional "byo" variables, that can be inputted if they already exist (like VPC, subnet, Cloud Router, and Cloud NAT); creates 1 Cloud Connector compute instance template with option to deploy multiple Cloud Connectors across multiple zonal managed instance groups behind an Internal Load Balancer (ILB) including new: backend service, forwarding rule, health check, and firewall rules needed to front all cloud connector instances for highly available/resilient workload traffic forwarding; and optional capability to create Google Cloud DNS forward zones intended for ZPA App Segment DNS redirection.
+cc_asg: All options from cc_ilb with the addition of autoscaling dependencies including autoscaler policies and Cloud Run Functions
 ```
 
 ## Destroying the cluster

examples/base_1cc/README.md

@@ -72,6 +72,7 @@ From base_1cc directory execute:
 |------|------|
 | [google_compute_route.route_to_cc_vm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
 | [local_file.private_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [local_file.ssh_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.testbed](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
@@ -109,6 +110,7 @@ From base_1cc directory execute:
 | <a name="input_instance_group_name"></a> [instance\_group\_name](#input\_instance\_group\_name) | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_instance_template_name"></a> [instance\_template\_name](#input\_instance\_template\_name) | The name of the instance template. Conflicts with variable instance\_template\_name\_prefix | `string` | `""` | no |
 | <a name="input_instance_template_name_prefix"></a> [instance\_template\_name\_prefix](#input\_instance\_template\_name\_prefix) | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance\_template\_name | `string` | `""` | no |
+| <a name="input_marketplace_image"></a> [marketplace\_image](#input\_marketplace\_image) | Available marketplace image name to deploy. Zscaler recommends always deploying new instances with the latest image | `string` | `"zs-cc-ga-02042026"` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_project"></a> [project](#input\_project) | Google Cloud project name | `string` | n/a | yes |
 | <a name="input_project_host"></a> [project\_host](#input\_project\_host) | Google Cloud Host Project name. Defaults to null. This variable is intended for environments where different resources might exist in separate host and service projects | `string` | `null` | no |

examples/base_1cc/main.tf

@@ -151,7 +151,7 @@ resource "local_file" "user_data_file" {
 data "google_compute_image" "zs_cc_img" {
   count   = var.image_name != "" ? 0 : 1
   project = "mpi-zscalercloudconnector-publ"
-  name    = "zs-cc-ga-02022025"
+  name    = var.marketplace_image
 }
 
 

examples/base_1cc/outputs.tf

@@ -4,29 +4,52 @@ locals {
 By default, these templates store two critical files to the "examples" directory. DO NOT delete/lose these files:
 1. Terraform State file (terraform.tfstate) - Terraform must store state about your managed infrastructure and configuration. 
    This state is used by Terraform to map real world resources to your configuration, keep track of metadata, and to improve performance for large infrastructures.
+
    Terraform uses state to determine which changes to make to your infrastructure. 
    Prior to any operation, Terraform does a refresh to update the state with the real infrastructure.
+
    If this file is missing, you will NOT be able to make incremental changes to the environment resources without first importing state back to terraform manually.
+
 2. SSH Private Key (.pem) file - Zscaler templates will attempt to create a new local private/public key pair for VM access (if a pre-existing one is not specified). 
    You (and subsequently Zscaler) will NOT be able to remotely access these VMs once deployed without valid SSH access.
 ***Disclaimer***
 
+Login Instructions & Resource Attributes
+SSH to CLOUD CONNECTOR
+%{for k, v in local.cc_map~}
+ssh -F ssh_config ccvm-${k}
+%{endfor~}  
+
+All Cloud Connector Management IPs:
+%{for k, v in local.cc_map~}
+ccvm-${k} = ${v}
+%{endfor~}
+
+All Cloud Connector Service IPs:
+${join("\n", module.cc_vm.cc_forwarding_ip)}
+
+
+WORKLOAD Details/Commands:
+SSH to WORKLOAD
+%{for k, v in local.workload_map~}
+ssh -F ssh_config workload-${k}
+%{endfor~}  
 
-### SSH to CC VM
-1) Copy the SSH key to the bastion host
-scp -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}:/home/ubuntu/.
+WORKLOAD IPs:
+%{for k, v in local.workload_map~}
+workload-${k} = ${v}
+%{endfor~}  
 
-2) SSH to the CC VM bastion host
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}
 
-3) SSH to the CC
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem zsroot@${module.cc_vm.cc_management_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}"
+BASTION Jump Host Details/Commands:
+1) Copy the SSH key to BASTION home directory
+scp -F ssh_config ${var.name_prefix}-key-${random_string.suffix.result}.pem bastion:~/.
 
-4) SSH to the workload host
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.workload.private_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}"
+2) SSH to BASTION
+ssh -F ssh_config bastion
 
-All Workload IPs. Replace private IP below with ubuntu@"ip address" in ssh example command above.
-${join("\n", module.workload.private_ip)}
+BASTION Public IP: 
+${module.bastion.public_ip}
 
 
 Project Name:
@@ -47,17 +70,59 @@ ${join("\n", module.cc_vm.instance_group_zones)}
 Instance Group Names:
 ${join("\n", module.cc_vm.instance_group_names)}
 
-All Cloud Connector Instance Primary Forwarding IPs:
-${join("\n", module.cc_vm.cc_forwarding_ip)}
 
 TB
 }
 
+
+locals {
+  workload_map = {
+    for index, ip in module.workload.private_ip :
+    index => ip
+  }
+  cc_map = {
+    for index, ip in module.cc_vm.cc_management_ip :
+    index => ip
+  }
+  ssh_config_contents = <<SSH_CONFIG
+    Host bastion
+      HostName ${module.bastion.public_ip}
+      User ubuntu
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+
+    %{for k, v in local.workload_map~}
+Host workload-${k}
+      HostName ${v}
+      User ubuntu
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+      StrictHostKeyChecking no
+      ProxyJump bastion
+      ProxyCommand ssh bastion -W %h:%p
+    %{endfor~}    
+    
+    %{for k, v in local.cc_map~}
+Host ccvm-${k}
+      HostName ${v}
+      User zsroot
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+      StrictHostKeyChecking no
+      ProxyJump bastion        
+      ProxyCommand ssh bastion -W %h:%p
+    %{endfor~}
+  SSH_CONFIG
+}
+
+
 output "testbedconfig" {
   description = "Google Cloud Testbed results"
   value       = local.testbedconfig
 }
 
+resource "local_file" "ssh_config" {
+  content  = local.ssh_config_contents
+  filename = "../ssh_config"
+}
+
 resource "local_file" "testbed" {
   content  = local.testbedconfig
   filename = "../testbed.txt"

examples/base_1cc/variables.tf

@@ -155,6 +155,12 @@ variable "image_name" {
   default     = ""
 }
 
+variable "marketplace_image" {
+  type        = string
+  description = "Available marketplace image name to deploy. Zscaler recommends always deploying new instances with the latest image"
+  default     = "zs-cc-ga-02042026"
+}
+
 variable "support_access_enabled" {
   type        = bool
   description = "Enable a specific outbound firewall rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true"

examples/base_1cc_zpa/README.md

@@ -73,6 +73,7 @@ From base_1cc_zpa directory execute:
 |------|------|
 | [google_compute_route.route_to_cc_vm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
 | [local_file.private_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [local_file.ssh_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.testbed](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.user_data_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
@@ -111,6 +112,7 @@ From base_1cc_zpa directory execute:
 | <a name="input_instance_group_name"></a> [instance\_group\_name](#input\_instance\_group\_name) | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_instance_template_name"></a> [instance\_template\_name](#input\_instance\_template\_name) | The name of the instance template. Conflicts with variable instance\_template\_name\_prefix | `string` | `""` | no |
 | <a name="input_instance_template_name_prefix"></a> [instance\_template\_name\_prefix](#input\_instance\_template\_name\_prefix) | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance\_template\_name | `string` | `""` | no |
+| <a name="input_marketplace_image"></a> [marketplace\_image](#input\_marketplace\_image) | Available marketplace image name to deploy. Zscaler recommends always deploying new instances with the latest image | `string` | `"zs-cc-ga-02042026"` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
 | <a name="input_project"></a> [project](#input\_project) | Google Cloud project name | `string` | n/a | yes |
 | <a name="input_project_host"></a> [project\_host](#input\_project\_host) | Google Cloud Host Project name. Defaults to null. This variable is intended for environments where different resources might exist in separate host and service projects | `string` | `null` | no |

examples/base_1cc_zpa/main.tf

@@ -150,7 +150,7 @@ resource "local_file" "user_data_file" {
 data "google_compute_image" "zs_cc_img" {
   count   = var.image_name != "" ? 0 : 1
   project = "mpi-zscalercloudconnector-publ"
-  name    = "zs-cc-ga-02022025"
+  name    = var.marketplace_image
 }
 
 

examples/base_1cc_zpa/outputs.tf

@@ -4,29 +4,52 @@ locals {
 By default, these templates store two critical files to the "examples" directory. DO NOT delete/lose these files:
 1. Terraform State file (terraform.tfstate) - Terraform must store state about your managed infrastructure and configuration. 
    This state is used by Terraform to map real world resources to your configuration, keep track of metadata, and to improve performance for large infrastructures.
+
    Terraform uses state to determine which changes to make to your infrastructure. 
    Prior to any operation, Terraform does a refresh to update the state with the real infrastructure.
+
    If this file is missing, you will NOT be able to make incremental changes to the environment resources without first importing state back to terraform manually.
+
 2. SSH Private Key (.pem) file - Zscaler templates will attempt to create a new local private/public key pair for VM access (if a pre-existing one is not specified). 
    You (and subsequently Zscaler) will NOT be able to remotely access these VMs once deployed without valid SSH access.
 ***Disclaimer***
 
+Login Instructions & Resource Attributes
+SSH to CLOUD CONNECTOR
+%{for k, v in local.cc_map~}
+ssh -F ssh_config ccvm-${k}
+%{endfor~}  
+
+All Cloud Connector Management IPs:
+%{for k, v in local.cc_map~}
+ccvm-${k} = ${v}
+%{endfor~}
+
+All Cloud Connector Service IPs:
+${join("\n", module.cc_vm.cc_forwarding_ip)}
+
+
+WORKLOAD Details/Commands:
+SSH to WORKLOAD
+%{for k, v in local.workload_map~}
+ssh -F ssh_config workload-${k}
+%{endfor~}  
 
-### SSH to CC VM
-1) Copy the SSH key to the bastion host
-scp -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}:/home/ubuntu/.
+WORKLOAD IPs:
+%{for k, v in local.workload_map~}
+workload-${k} = ${v}
+%{endfor~}  
 
-2) SSH to the CC VM bastion host
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}
 
-3) SSH to the CC
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem zsroot@${module.cc_vm.cc_management_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}"
+BASTION Jump Host Details/Commands:
+1) Copy the SSH key to BASTION home directory
+scp -F ssh_config ${var.name_prefix}-key-${random_string.suffix.result}.pem bastion:~/.
 
-4) SSH to the workload host
-ssh -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.workload.private_ip[0]} -o "proxycommand ssh -W %h:%p -i ${var.name_prefix}-key-${random_string.suffix.result}.pem ubuntu@${module.bastion.public_ip}"
+2) SSH to BASTION
+ssh -F ssh_config bastion
 
-All Workload IPs. Replace private IP below with ubuntu@"ip address" in ssh example command above.
-${join("\n", module.workload.private_ip)}
+BASTION Public IP: 
+${module.bastion.public_ip}
 
 
 Project Name:
@@ -47,17 +70,59 @@ ${join("\n", module.cc_vm.instance_group_zones)}
 Instance Group Names:
 ${join("\n", module.cc_vm.instance_group_names)}
 
-All Cloud Connector Instance Primary Forwarding IPs:
-${join("\n", module.cc_vm.cc_forwarding_ip)}
 
 TB
 }
 
+
+locals {
+  workload_map = {
+    for index, ip in module.workload.private_ip :
+    index => ip
+  }
+  cc_map = {
+    for index, ip in module.cc_vm.cc_management_ip :
+    index => ip
+  }
+  ssh_config_contents = <<SSH_CONFIG
+    Host bastion
+      HostName ${module.bastion.public_ip}
+      User ubuntu
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+
+    %{for k, v in local.workload_map~}
+Host workload-${k}
+      HostName ${v}
+      User ubuntu
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+      StrictHostKeyChecking no
+      ProxyJump bastion
+      ProxyCommand ssh bastion -W %h:%p
+    %{endfor~}    
+    
+    %{for k, v in local.cc_map~}
+Host ccvm-${k}
+      HostName ${v}
+      User zsroot
+      IdentityFile ${var.name_prefix}-key-${random_string.suffix.result}.pem
+      StrictHostKeyChecking no
+      ProxyJump bastion        
+      ProxyCommand ssh bastion -W %h:%p
+    %{endfor~}
+  SSH_CONFIG
+}
+
+
 output "testbedconfig" {
   description = "Google Cloud Testbed results"
   value       = local.testbedconfig
 }
 
+resource "local_file" "ssh_config" {
+  content  = local.ssh_config_contents
+  filename = "../ssh_config"
+}
+
 resource "local_file" "testbed" {
   content  = local.testbedconfig
   filename = "../testbed.txt"

examples/base_1cc_zpa/variables.tf

@@ -155,6 +155,12 @@ variable "image_name" {
   default     = ""
 }
 
+variable "marketplace_image" {
+  type        = string
+  description = "Available marketplace image name to deploy. Zscaler recommends always deploying new instances with the latest image"
+  default     = "zs-cc-ga-02042026"
+}
+
 variable "domain_names" {
   type        = map(any)
   description = "Domain names fqdn/wildcard to have Google Cloud DNS zone forward ZPA App Segment DNS requests to Cloud Connector"