
Releases: zscaler/terraform-aws-cloud-connector-modules

v1.4.0

13 Nov 03:43

What's Changed (November 12, 2024)

FEATURES:

  • Module Changes:
    • terraform-zscc-ccvm-aws:
      • add variable additional_management_security_group_ids
      • add variables hostname_type and resource_name_dns_a_record_enabled
      • change default private_dns_name_options hostname_type to AWS recommended resource-name from ip-name
      • lifecycle ignore private_dns_name_options on aws_instance resource
        • While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. This change will only apply to newly deployed EC2 instances
    • terraform-zscc-asg-aws:
      • add variable additional_management_security_group_ids
      • add variables hostname_type and resource_name_dns_a_record_enabled
      • change default private_dns_name_options hostname_type to AWS recommended resource-name from ip-name
      • lifecycle ignore private_dns_name_options on aws_launch_template resource
        • While AWS supports changing hostname_type for deployed instances if stopped first, Cloud Connector does not. This change will only apply to newly deployed EC2 instances
    • terraform-zscc-sg-aws:
      • add resource aws_security_group.outbound_endpoint_sg
      • add variables byo_route53_resolver_outbound_endpoint_group_id and zpa_enabled
    • terraform-zscc-route53-aws:
      • add variable outbound_endpoint_security_group_ids
      • remove default security group usage per AWS best practices
    • terraform-zscc-gwlbendpoint-aws:
      • add variable byo_endpoint_service_name supporting brownfield deployments using a pre-existing VPC Endpoint Service
    • terraform-zscc-network-aws:
      • add variables byo_r53_subnet_ids and r53_route_table_enabled option for custom zpa deployments with existing Route53 subnets and/or Route Tables
      • change aws_subnet.route53_subnet resource count from a hard-coded "2" to the value of var.az_count or 2, whichever is greater, for more consistent private subnet creation
      • add variables hostname_type and resource_name_dns_a_record_enabled
      • change default private_dns_hostname_type_on_launch to AWS recommended resource-name from ip-name for greenfield CC Subnet creation
  • feat: add zsec configuration support for Zscaler Cloud: zscalergov.net

ENHANCEMENTS:

  • refactor: add zsec prompts brownfield zpa network options

Full Changelog: v1.3.3...v1.4.0

v1.3.3

30 Aug 19:43

What's Changed (August 30, 2024)

ENHANCEMENTS:

  • refactor: add china marketplace specific product-code ("axnpwhsb4facossmbm1h9yad6") lookup
  • refactor: update zsec china conditions

BUG FIXES:

  • fix: add variable runtime with a locals condition for regions that do not support python3.12

Full Changelog: v1.3.2...v1.3.3

v1.3.2

27 Aug 02:38

What's Changed (August 26, 2024)

ENHANCEMENTS:

  • refactor: add sns:ListSubscriptions and sns:Unsubscribe permissions to cc_tags_policy_document for increased performance supporting multi-account workload tags

BUG FIXES:

  • fix: remove local file depends_on to avoid conflicts if the file does not exist or needs to be recreated
  • fix: egress_cc_mgmt_tcp_12002 security group rule conditional create logic
  • fix(zsec): dig fallback to getent for remote support tunnel IP resolution
  • fix: restrict az selection to only available (non-local) zones
  • refactor: ccvm constraint and asg_zonal_enabled docs cleanup

Full Changelog: v1.3.1...v1.3.2

v1.3.1

13 May 23:21

What's Changed (May 13, 2024)

ENHANCEMENTS:

Full Changelog: v1.3.0...v1.3.1

v1.3.0

15 Apr 01:28

What's Changed (April 14, 2024)

FEATURES:

  • feat: add variable zonal_asg_enabled boolean. Expectations:
    • If false, then create only one Auto Scaling Group spanning all availability zones of the subnets provided via var.cc_subnet_ids
    • If true, then create one Auto Scaling Group per availability zone of the provided subnets
    • Note: Single ASG is simpler to manage and recommended especially when enabling cross-zone gateway load balancing. ASG per AZ may be desirable for more consistent and granular control over scaling in/out. by @jmolnar-zscaler in #77
  • feat: add all capacity and warm pool metrics to Auto Scaling Group enabled_metrics by @jmolnar-zscaler in #77
  • feat: add zsec support for regions: ap-southeast-3, me-central-1, eu-central-2, and il-central-1 by @jmolnar-zscaler in #77
  • feat: add variables support_access_enabled and zssupport_server for Zscaler Remote Support Tunnel enablement by @jmolnar-zscaler in #77
  • feat: changed variable health_check_grace_period to 900 seconds to prevent instance termination in the Auto Scaling Group when an instance is moved into InService even if it is found unhealthy. Currently the CC/ZTW VM requires more time for health stabilization at startup. by @vkrishnamurthy-zscaler in #72
  • feat: changed the Lambda Python runtime to version 3.12. The arm64 architecture is now supported and is the new default, mainly for cost/performance benefit. by @vkrishnamurthy-zscaler in

ENHANCEMENTS:

  • feat: ASG bring-up/stability improvements with new Zscaler Lambda Zip file v1.0.6 by @vkrishnamurthy-zscaler in #75
  • feat: user selection prompt for Zscaler cloud. Used for template validation and DNS lookup FQDN-to-IP mapping for security group rule creation by @jmolnar-zscaler in #77
  • refactor: add prompt to enable/disable Zscaler Remote Support security group egress rule by @jmolnar-zscaler in #77
  • feat: ZSEC bash script prompts for Auto Scaling Group zonal configuration by @jmolnar-zscaler in #77
  • refactor: ZSEC bash script UI/UX and error handling improvements: by @jmolnar-zscaler in #77
    • Auto parse MFA STS output values
    • Discover/prompt for different local AWS config profiles
    • Improved selection constraints for regions and EC2 types
    • Add Zscaler Cloud selection for SG generation
  • refactor: update AWS Provider default to 5.39.1 with minimum supported 5.32.0 (required for ASG/Lambda configurations) by @vkrishnamurthy-zscaler in #72
  • docs: general UX improvements by @jmolnar-zscaler in #77

BUG FIXES:

  • fix: add variable cc_route_table_enabled for conditional creation of aws_route_table.cc_rt and aws_route_table_association.cc_rt_asssociation. This avoids conflicts in brownfield VPCs where a custom subnet route table already exists, by telling Terraform not to implicitly create a new one by @jmolnar-zscaler in #77
  • fix: workload/bastion AWS al2 to al2023 by @jmolnar-zscaler in #77

Full Changelog: v1.2.2...v1.3.0

v1.2.2

08 Mar 15:38
fcbf99a

What's Changed (March 8, 2024)

ENHANCEMENTS:

  • refactor: Add new region il-central-1 by @smone77 in #67

Full Changelog: v1.2.1...v1.2.2

v1.2.1

05 Feb 02:47

What's Changed (February 4, 2024)

BUG FIXES:

  • fix: remove var.gwlb_enabled condition for ingress_cc_service_all
  • fix: add ingress rule ingress_cc_service_https_local for default implicit TCP/443 communication minimum between Cloud Connector Service Interfaces within a VPC cluster

Full Changelog: v1.2.0...v1.2.1

v1.2.0

17 Dec 18:35

What's Changed (December 16, 2023)

FEATURES:

  • feat: add optional cc_tags IAM Policy for AWS Workload Tags support with Cloud Connector Instance IAM Role creation. Permissions include:
    • sqs:DeleteMessage
    • sqs:ReceiveMessage
    • sqs:GetQueueUrl
    • sqs:GetQueueAttributes
    • sqs:SetQueueAttributes
    • sqs:DeleteQueue
    • sqs:CreateQueue
    • sns:Subscribe
  • feat: add conditional variable cloud_tags_enabled by @jmolnar-zscaler in #54

ENHANCEMENTS:

  • refactor: ZSEC bash script prompts for cloud workload tagging policy creation by @jmolnar-zscaler in #54
  • refactor: add greenfield/pov workload ZS Root CA install by @jmolnar-zscaler in #53

Full Changelog: v1.1.0...v1.2.0

v1.1.0

03 Nov 17:59
e9702dd

[1.1.0] - 2023-11-3

FEATURES:

  • AWS GovCloud (US) support

BUG FIXES:

  • fix: arn support for all aws partitions

ENHANCEMENTS:

  • ZSEC bash script support for automatic aws partition selection for MFA
  • ZSEC general cleanup and optimizations

v1.0.0

20 Oct 04:23
82c0da2

[1.0.0] - 2023-10-19

BREAKING CHANGES:

  • Zscaler Cloud Connector AMI version > ZS6.1.25.0 support for default interface swap of both autoscaling and non-autoscaling deployments. Service interface is now ENA0 and Management interface is now ENA1.

FEATURES:

  • Auto Scaling Group official release
    • add: terraform-zscc-asg-aws module
    • add: terraform-zscc-asg-lambda-aws module
    • change: IAM policies for ASG lifecycle and Cloudwatch metrics
    • add: deployment types base_cc_gwlb_asg/base_cc_gwlb_asg_zpa (greenfield/pov/test) and cc_gwlb_asg (brownfield/prod)
  • Medium and Large Cloud Connector instance official release
  • EC2 instance type changes:
    • new default/recommended EC2 type for small CCs: m6i.large; medium/large: m6i.4xlarge
    • add: m5n, m6i, and c6i family support
    • remove: m5 family support
  • Module Changes:
    • AWS Provider version bump to 5.17.x default. Support from 4.59.x to 5.17.x
    • terraform-zscc-ccvm-aws:
      • rename: service_eni_1 output to management_eni
      • rename: private_ip output to forwarding_ip
      • rename: cc_service_private_ip to management_ip
      • add: forwarding_eni
    • module terraform-zscc-gwlb-aws:
      • add: variable asg_enabled for target group conditional instance rather than ip
      • rename: resource aws_lb_target_group_attachment.gwlb_target_group_attachment_small to aws_lb_target_group_attachment.gwlb_target_group_attachment
      • rename: variable cc_small_service_ips to cc_service_ips
      • remove: dedicated CC Medium/Large additional service IP dependencies from target group attachment
    • module terraform-zscc-ccvm-aws:
      • remove: secondary IP address from network interface index #1
      • add: interface device index #5 for "large" CC.
      • add: aws_network_interface.cc_vm_nic_index_0 for interface swap support
    • module terraform-zscc-gwlbendpoint-aws:
      • add: outputs vpce_service_id
      • add: outputs vpce_service_arn
    • module terraform-zscc-sg-aws:
      • refactor: management and service security group with more granular/required rules
      • add: variable mgmt_ssh_enabled if customer wants to restrict management access to only SSM
      • add: variable http_probe_port
      • add: gwlb_enabled default to true
      • add: all_ports_egress_enabled default to true
    • module terraform-zscc-iam-aws:
      • add: cc_metrics_policy_document permissions to CC IAM Role
      • add: cc_autoscale_lifecycle_policy_document permissions to CC IAM Role
      • remove: cc_callhome_policy_document as no longer required
  • ZSEC support for AWS region ap-south-2 (Hyderabad)

ENHANCEMENTS:

  • ZSEC bash script inputs for ASG deployments
  • ZSEC bash script inputs for brownfield/byo network environments
  • CC VM EBS changes: Volume type default now gp3 and AWS KMS encryption support enabled by default