11 changes: 10 additions & 1 deletion CHANGELOG.md
@@ -1,4 +1,13 @@
## 0.3.0 (February 6, 2026)
## 0.3.1 (February 11, 2026)
BUG FIXES:
* add variable grant_pubsub_editor support for autoscaling deployment templates Service Account IAM Role module with default enabled
* add new custom role creation with ["compute.autoscalers.list", "compute.autoscalers.get"] IAM requirement to the CC Service Account for better autoscaler detection and identification. *This may require additioinal Terraform Service account permissions like Role Administrator
* add explicit region to google_compute_region_backend_service resource

ENHANCEMENTS:
* rename variable image_name to custom_image name to better differentiate between variable marketplace_image

## 0.3.0 (February 5, 2026)
FEATURES:
* Official support for Cloud Connector Auto Scaling on GCP - (Requires new Marketplace Compute Image: zs-cc-ga-02042026 or greater )
- add: module terraform-zscc-cloud-function-gcp for Cloud Run Function and dependency resources
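Review bot: the 0.3.0 header is rewritten from "February 6, 2026" to "February 5, 2026" in the same hunk that adds 0.3.1; confirm which date is correct, since a published release entry's date should not drift. Two typos in the new entries: "additioinal" in the custom role bullet should be "additional", and "custom_image name" in the ENHANCEMENTS bullet should be "custom_image_name". The image_name to custom_image_name rename is filed under ENHANCEMENTS, but it changes an input variable name, so any existing tfvars that sets image_name will fail at plan time until updated; call it out as a breaking change or add a one-line migration note next to that bullet.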
15 changes: 8 additions & 7 deletions examples/base_1cc/README.md
Expand Up @@ -86,28 +86,29 @@ From base_1cc directory execute:
|------|-------------|------|---------|:--------:|
| <a name="input_allowed_ports"></a> [allowed\_ports](#input\_allowed\_ports) | A list of ports to permit inbound to Cloud Connector Service VPC. Default empty list means to allow all. | `list(string)` | `[]` | no |
| <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Default number zonal instance groups to create based on availability zone | `number` | `1` | no |
| <a name="input_base_instance_name"></a> [base\_instance\_name](#input\_base\_instance\_name) | The base instance name to use for instances in this group. The value must be a valid RFC1035 name. Supported characters are lowercase letters, numbers, and hyphens (-). Instances are named by appending a hyphen and a random four-character string to the base instance name | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| <a name="input_bastion_ssh_allow_ip"></a> [bastion\_ssh\_allow\_ip](#input\_bastion\_ssh\_allow\_ip) | CIDR blocks of trusted networks for bastion host ssh access from Internet | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_byo_ccvm_service_account"></a> [byo\_ccvm\_service\_account](#input\_byo\_ccvm\_service\_account) | "Customer provided existing Service Account ID. If set, module will use this instead of trying to create a new one<br> - The name of the service account within the project (e.g. my-service)<br> - The fully-qualified path to a service account resource (e.g. projects/my-project/serviceAccounts/...)<br> - The email address of the service account (e.g. my-service@my-project.iam.gserviceaccount.com)" | `string` | `""` | no |
| <a name="input_base_instance_name"></a> [base\_instance\_name](#input\_base\_instance\_name) | The base instance name to use for instances in this group. The value must be a valid RFC1035 name. Supported characters are lowercase letters, numbers, and hyphens (-). Instances are named by appending a hyphen and a random four-character string to the base instance name | `list(string)` | <pre>[<br/> ""<br/>]</pre> | no |
| <a name="input_bastion_ssh_allow_ip"></a> [bastion\_ssh\_allow\_ip](#input\_bastion\_ssh\_allow\_ip) | CIDR blocks of trusted networks for bastion host ssh access from Internet | `list(string)` | <pre>[<br/> "0.0.0.0/0"<br/>]</pre> | no |
| <a name="input_byo_ccvm_service_account"></a> [byo\_ccvm\_service\_account](#input\_byo\_ccvm\_service\_account) | "Customer provided existing Service Account ID. If set, module will use this instead of trying to create a new one<br/> - The name of the service account within the project (e.g. my-service)<br/> - The fully-qualified path to a service account resource (e.g. projects/my-project/serviceAccounts/...)<br/> - The email address of the service account (e.g. my-service@my-project.iam.gserviceaccount.com)" | `string` | `""` | no |
| <a name="input_cc_count"></a> [cc\_count](#input\_cc\_count) | Default number of Cloud Connector appliances to create per Instance Group/Availability Zone | `number` | `1` | no |
| <a name="input_cc_vm_prov_url"></a> [cc\_vm\_prov\_url](#input\_cc\_vm\_prov\_url) | Zscaler Cloud Connector Provisioning URL | `string` | n/a | yes |
| <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"n2-standard-2"` | no |
| <a name="input_credentials"></a> [credentials](#input\_credentials) | Path to the service account json file for terraform to authenticate to Google Cloud | `string` | n/a | yes |
| <a name="input_default_nsg"></a> [default\_nsg](#input\_default\_nsg) | Default CIDR list to permit workload traffic destined for Cloud Connector | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_custom_image_name"></a> [custom\_image\_name](#input\_custom\_image\_name) | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `string` | `""` | no |
| <a name="input_default_nsg"></a> [default\_nsg](#input\_default\_nsg) | Default CIDR list to permit workload traffic destined for Cloud Connector | `list(string)` | <pre>[<br/> "0.0.0.0/0"<br/>]</pre> | no |
| <a name="input_fw_cc_mgmt_hcp_vault_address_name"></a> [fw\_cc\_mgmt\_hcp\_vault\_address\_name](#input\_fw\_cc\_mgmt\_hcp\_vault\_address\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to access to HCP Vault Address port number | `string` | `null` | no |
| <a name="input_fw_cc_mgmt_ssh_ingress_name"></a> [fw\_cc\_mgmt\_ssh\_ingress\_name](#input\_fw\_cc\_mgmt\_ssh\_ingress\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting SSH inbound from the VPC CIDR range by default | `string` | `null` | no |
| <a name="input_fw_cc_mgmt_zssupport_tunnel_name"></a> [fw\_cc\_mgmt\_zssupport\_tunnel\_name](#input\_fw\_cc\_mgmt\_zssupport\_tunnel\_name) | The name of the compute firewall created on the user defined Cloud Connector Management VPC Network permitting CC to establish zssupport tunnel | `string` | `null` | no |
| <a name="input_fw_cc_service_default_name"></a> [fw\_cc\_service\_default\_name](#input\_fw\_cc\_service\_default\_name) | The name of the compute firewall created on the user defined Cloud Connector Service VPC Network permitting workload traffic to be sent to Zscaler | `string` | `null` | no |
| <a name="input_grant_pubsub_editor"></a> [grant\_pubsub\_editor](#input\_grant\_pubsub\_editor) | If true, grant roles/pubsub.editor to the CCVM SA at project scope | `bool` | `true` | no |
| <a name="input_hcp_gcp_auth_role_type"></a> [hcp\_gcp\_auth\_role\_type](#input\_hcp\_gcp\_auth\_role\_type) | Customer managed HashiCorp Vault GCP Auth Method | `string` | `"gcp_iam"` | no |
| <a name="input_hcp_vault_address"></a> [hcp\_vault\_address](#input\_hcp\_vault\_address) | Customer managed HashiCorp Vault URL; including leading https (if applicable) and trailing port number | `string` | `""` | no |
| <a name="input_hcp_vault_enabled"></a> [hcp\_vault\_enabled](#input\_hcp\_vault\_enabled) | True/False used to determine specific HCP Vault configured network firewall and Service Account IAM roles. Default is false | `bool` | `false` | no |
| <a name="input_hcp_vault_ips"></a> [hcp\_vault\_ips](#input\_hcp\_vault\_ips) | Default CIDR list to permit Cloud Connector traffic destined for customer defined HCP Vault address(es) | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_hcp_vault_ips"></a> [hcp\_vault\_ips](#input\_hcp\_vault\_ips) | Default CIDR list to permit Cloud Connector traffic destined for customer defined HCP Vault address(es) | `list(string)` | <pre>[<br/> "0.0.0.0/0"<br/>]</pre> | no |
| <a name="input_hcp_vault_port"></a> [hcp\_vault\_port](#input\_hcp\_vault\_port) | Default TCP Port Number for customer defined HCP Vault address(es) | `string` | `"8200"` | no |
| <a name="input_hcp_vault_role_name"></a> [hcp\_vault\_role\_name](#input\_hcp\_vault\_role\_name) | Customer managed HashiCorp Role Name | `string` | `""` | no |
| <a name="input_hcp_vault_secret_path"></a> [hcp\_vault\_secret\_path](#input\_hcp\_vault\_secret\_path) | Customer managed HashiCorp Vault secret path. The path to a secret is formed from three parts: <namespace>/<engine mount point>/<path to secret>. If you are not using the enterprise version of Vault, you should omit the first part | `string` | `""` | no |
| <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GCP LB | `number` | `50000` | no |
| <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `string` | `""` | no |
| <a name="input_instance_group_name"></a> [instance\_group\_name](#input\_instance\_group\_name) | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| <a name="input_instance_group_name"></a> [instance\_group\_name](#input\_instance\_group\_name) | The name of the Instance Group Manager. Must be 1-63 characters long and comply with RFC1035. Supported characters include lowercase letters, numbers, and hyphens | `list(string)` | <pre>[<br/> ""<br/>]</pre> | no |
| <a name="input_instance_template_name"></a> [instance\_template\_name](#input\_instance\_template\_name) | The name of the instance template. Conflicts with variable instance\_template\_name\_prefix | `string` | `""` | no |
| <a name="input_instance_template_name_prefix"></a> [instance\_template\_name\_prefix](#input\_instance\_template\_name\_prefix) | Creates a unique Instance Template name beginning with the specified prefix. Conflicts with variable instance\_template\_name | `string` | `""` | no |
| <a name="input_marketplace_image"></a> [marketplace\_image](#input\_marketplace\_image) | Available marketplace image name to deploy. Zscaler recommends always deploying new instances with the latest image | `string` | `"zs-cc-ga-02042026"` | no |
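Review bot: the new custom_image_name row keeps a description that contradicts its declared type: the type column says `string` with default `""`, yet the text says the value "is also inputted as a list ... based on the cc_count index" and refers to an "old ami" (an AWS term; GCP uses images). Since the row is being rewritten anyway, drop the list sentence and say "image" instead of "ami". The new grant_pubsub_editor row documents a project-scope roles/pubsub.editor grant that defaults to `true`; state in the description what it is needed for (the tfvars comment in this PR names Workload Discovery Service integration) so a reader of the README alone can decide whether to disable it. Minor: the byo_ccvm_service_account description still starts and ends with a literal double quote.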
6 changes: 3 additions & 3 deletions examples/base_1cc/main.tf
Expand Up @@ -149,7 +149,7 @@ resource "local_file" "user_data_file" {
# Locate Latest CC Image
################################################################################
data "google_compute_image" "zs_cc_img" {
count = var.image_name != "" ? 0 : 1
count = var.custom_image_name != "" ? 0 : 1
project = "mpi-zscalercloudconnector-publ"
name = var.marketplace_image
}
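Review bot: the count on data "google_compute_image" "zs_cc_img" now keys on var.custom_image_name, consistent with the rename; no defect, but this `!= ""` test is repeated verbatim in the module "cc_vm" block further down, so a single local such as `use_custom_image = var.custom_image_name != ""` would keep the data-source count and the module argument from diverging in a later edit.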
Expand Down Expand Up @@ -183,7 +183,7 @@ module "cc_vm" {
cc_count = var.cc_count
vpc_subnetwork_ccvm_mgmt = module.network.mgmt_subnet
vpc_subnetwork_ccvm_service = module.network.service_subnet
image_name = var.image_name != "" ? var.image_name : data.google_compute_image.zs_cc_img[0].self_link
custom_image_name = var.custom_image_name != "" ? var.custom_image_name : data.google_compute_image.zs_cc_img[0].self_link
service_account = module.iam_service_account.service_account

## Optional: Custom instance names. If not specified and conditions are met for resource
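Review bot: the module "cc_vm" argument is renamed to custom_image_name, but the module it points at (its source is outside this hunk and not shown in this diff) must declare a variable of that name, otherwise terraform validate fails with an unsupported argument error; confirm the module-side rename ships in the same release. The `[0]` index on data.google_compute_image.zs_cc_img is only valid in the branch where that data source's count is 1, which holds here only because both conditionals test the same value, another reason to derive both from one local.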
Expand All @@ -202,7 +202,7 @@ module "cc_vm" {
module "iam_service_account" {
source = "../../modules/terraform-zscc-iam-service-account-gcp"
project = var.project
grant_pubsub_editor = true
grant_pubsub_editor = var.grant_pubsub_editor
byo_ccvm_service_account = var.byo_ccvm_service_account
## If byo_ccvm_service_account is provided any non-empty value, all variables below will be
## ignored/unused. Script assumes that role permissions for either Secret Manager
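Review bot: grant_pubsub_editor now comes from var.grant_pubsub_editor instead of a hard-coded true, which is the right direction, but it sits directly above the comment saying that all variables below are ignored when byo_ccvm_service_account is set, while the tfvars text in this PR says the pubsub.editor binding is applied to an existing SA as well. Add a short comment on this line stating that the project-scope role binding is applied regardless of byo_ccvm_service_account, since that is exactly the case a least-privilege review will ask about.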
2 changes: 2 additions & 0 deletions examples/base_1cc/outputs.tf
Expand Up @@ -70,6 +70,8 @@ ${join("\n", module.cc_vm.instance_group_zones)}
Instance Group Names:
${join("\n", module.cc_vm.instance_group_names)}

CCVM Service Account:
${module.iam_service_account.service_account}

TB
}
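Review bot: the service account is only appended to the human-readable testbed heredoc; if other tooling needs the CCVM SA (for example to audit its project-scope bindings), also expose it as a dedicated output such as `output "ccvm_service_account"` rather than having consumers parse the heredoc text.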
15 changes: 13 additions & 2 deletions examples/base_1cc/terraform.tfvars
Expand Up @@ -38,7 +38,7 @@
#secret_name = "projects/1234567890123/secrets/secret_name"


## Option B. HashiCorp (HCP) Vault information. Uncomment and supply all variables formatted as th examples below
## Option B. HashiCorp (HCP) Vault information. Uncomment and supply all variables formatted as the examples below
## When set to true, the hcp_vault_enabled variable serves three functions.
## 1. Select the correct userdata locals generation
## 2. Add role iam.serviceAccountTokenCreator to the Service Account (assuming script is creating that as well)
Expand Down Expand Up @@ -122,7 +122,11 @@

## Note: It is NOT RECOMMENDED to statically set CC image versions. Zscaler recommends always running/deploying the latest version template

#image_name = "zs-image-gcp-20230928152536-la-1"
#marketplace_image = "zs-cc-ga-02042026"
#marketplace_image = "zs-cc-ga-02022025"
#marketplace_image = "zs-cc-ga-10292023"

#custom_image_name = "private-image-name" <<< Not recommended for production

## 13. By default, if Terraform is creating an outbound VPC firewall rule named zscaler_support_access enabling
## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as
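Review bot: the line `#custom_image_name = "private-image-name" <<< Not recommended for production` will not parse if a user uncomments it as-is, because the `<<< ...` trailer sits outside the string and is not valid HCL; move the caveat to its own `##` comment line above the assignment. Also, three alternative `#marketplace_image` values are listed without saying which is current; the README default in this PR is `zs-cc-ga-02042026`, so either keep only that one or label the other two as older images, given the note just above that pinning image versions is not recommended.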
Expand All @@ -145,6 +149,13 @@

#byo_ccvm_service_account = "service-account-id"

## 16. By default, minimum required roles/permissions added to the Cloud Connector VM Service Account when created
## by Terraform. Uncomment to set to true, which will grant the pubsub.editor role at project scope to either a
## new or existing CCVM SA depending on the byo_ccvm_service_account setting. This is needed for Workload Discovery
## Service (WDS) integration.

#grant_pubsub_editor = true


#####################################################################################################################
##### Override resource auto-name generation. Only change/set if required for your environment #####
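Review bot: the new section 16 comment contradicts the variable it documents: it says only the minimum required roles are added by default and to "Uncomment to set to true", but variable "grant_pubsub_editor" in examples/base_1cc/variables.tf in this PR defaults to `true`, so roles/pubsub.editor is granted at project scope unless the user explicitly sets it to false. Either change the default to false so the comment (and the least-privilege default it describes) is accurate, or reword the comment to say the grant is on by default and show `#grant_pubsub_editor = false` as the opt-out.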
8 changes: 7 additions & 1 deletion examples/base_1cc/variables.tf
Expand Up @@ -149,7 +149,7 @@ variable "zones" {
default = []
}

variable "image_name" {
variable "custom_image_name" {
type = string
description = "Custom image name to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same Image as templates always pull the latest from Google Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index"
default = ""
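Review bot: the description of the renamed custom_image_name variable still says the value "is also inputted as a list" and refers to an "old ami", while `type = string` and GCP images are not AMIs; since the variable is being renamed in this hunk, fix the description here too (the same text is carried into examples/base_1cc/README.md in this PR).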
Expand Down Expand Up @@ -293,3 +293,9 @@ variable "byo_ccvm_service_account" {
EOT
default = ""
}

variable "grant_pubsub_editor" {
type = bool
default = true
description = "If true, grant roles/pubsub.editor to the CCVM SA at project scope"
}
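Review bot: the new grant_pubsub_editor variable defaults to true, which makes a project-scope roles/pubsub.editor binding the opt-out path; from a least-privilege standpoint the default should be false, with the description naming the feature that needs it (the tfvars comment in this PR cites Workload Discovery Service integration), and the tfvars wording "Uncomment to set to true" already assumes that. If true must stay the default to preserve the previously hard-coded value in main.tf, say so in the description so operators know the grant is applied unless disabled.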