(feat) Location Basic Auth and User Auth Methods … (#202)

* (feat) Location Basic Auth and User Auth Methods
* Added support to preview cloud
* enroll user on creation
* Update GNUmakefile to v2.5.0
* enroll also on update
* Update .gitignore
* (feat): Added new auth methods to location mgmt
* Updated CHANGELOG and release-notes

docs/data-sources/zia_user_management.md

@@ -31,10 +31,11 @@ The following arguments are supported:
 In addition to all arguments above, the following attributes are exported:
 
 * `email` - (Required) User email consists of a user name and domain name. It does not have to be a valid email address, but it must be unique and its domain must belong to the organization
-* `admin_user` - (Optional) True if this user is an Admin user. readOnly: `true` default: `false`
-* `comments` - (Optional) Additional information about this user.
+* `admin_user` - (String) True if this user is an Admin user. readOnly: `true` default: `false`
+* `comments` - (String) Additional information about this user.
 * `password` -(String, Sensitive)
 * `temp_auth_email` - (String) Temporary Authentication Email. If you enabled one-time tokens or links, enter the email address to which the Zscaler service sends the tokens or links. If this is empty, the service will send the email to the User email.
+* `auth_methods` - (String) Type of authentication method to be enabled. Supported values are: ``BASIC`` and ``DIGEST``
 * `type` - (String) User type. Provided only if this user is not an end user. The supported types are:
   * `SUPERADMIN`
   * `ADMIN`
@@ -43,14 +44,14 @@ In addition to all arguments above, the following attributes are exported:
   * `REPORT_USER`
   * `UNAUTH_TRAFFIC_DEFAULT`
 
-* `department` - (Required) Department a user belongs to
+* `department` - (String) Department a user belongs to
   * `id` - (Number) Department ID
   * `name` - (String) Department name
   * `idp_id` - (Number) Identity provider (IdP) ID
   * `comments` - (String) Additional information about this department
   * `deleted` - (Boolean) default: `false`
 
-* `groups` - (Required) List of Groups a user belongs to. Groups are used in policies.
+* `groups` - (String) List of Groups a user belongs to. Groups are used in policies.
   * `id` - (Number) Unique identfier for the group
   * `name` - (String) Group name
   * `idp_id` - (Number) Unique identfier for the identity provider (IdP)

docs/resources/zia_user_management.md

@@ -27,6 +27,7 @@ resource "zia_user_management" "john_ashcroft" {
  name         = "John Ashcroft"
  email        = "john.ashcroft@acme.com"
  password     = "P@ssw0rd123*"
+ auth_methods = ["BASIC", "DIGEST"]
  groups {
   id = data.zia_group_management.normal_internet.id
   }
@@ -58,3 +59,4 @@ The following attributes are supported:
 
 * `comments` - (Optional) Additional information about this user.
 * `temp_auth_email` - (Optional) Temporary Authentication Email. If you enabled one-time tokens or links, enter the email address to which the Zscaler service sends the tokens or links. If this is empty, the service will send the email to the User email.
+* `auth_methods` - (Optional) Type of authentication method to be enabled. Supported values are: ``BASIC`` and ``DIGEST``

examples/zia_user_management/zia_user_management_data/basic.tf

@@ -1,9 +1,8 @@
-provider "zia" {}
-
 resource "zia_user_management" "john_ashcroft" {
  name = "John Ashcroft"
  email = "john.ashcroft@acme.com"
  password = "P@ssw0rd123*"
+ auth_methods = ["BASIC", "DIGEST"]
  groups {
   id = [ data.zia_group_management.normal_internet.id,
          data.zia_group_management.devops.id ]

version

@@ -1 +1 @@
-2.3.2
+2.5.0

zia/data_source_zia_location_management.go

@@ -128,6 +128,27 @@ func dataSourceLocationManagement() *schema.Resource {
 				Type:     schema.TypeBool,
 				Computed: true,
 			},
+			"basic_auth_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Enable Basic Authentication at the location",
+			},
+			"digest_auth_enabled": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Enable Digest Authentication at the location",
+			},
+			"kerberos_auth_enabled": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Enable Kerberos Authentication at the location",
+			},
+			"iot_discovery_enabled": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "Enable IOT Discovery at the location",
+			},
 			"ssl_scan_enabled": {
 				Type:     schema.TypeBool,
 				Computed: true,
@@ -239,6 +260,10 @@ func dataSourceLocationManagementRead(d *schema.ResourceData, m interface{}) err
 		_ = d.Set("ip_addresses", resp.IPAddresses)
 		_ = d.Set("ports", resp.Ports)
 		_ = d.Set("auth_required", resp.AuthRequired)
+		_ = d.Set("basic_auth_enabled", resp.BasicAuthEnabled)
+		_ = d.Set("digest_auth_enabled", resp.DigestAuthEnabled)
+		_ = d.Set("kerberos_auth_enabled", resp.KerberosAuth)
+		_ = d.Set("iot_discovery_enabled", resp.IOTDiscoveryEnabled)
 		_ = d.Set("ssl_scan_enabled", resp.SSLScanEnabled)
 		_ = d.Set("zapp_ssl_scan_enabled", resp.ZappSSLScanEnabled)
 		_ = d.Set("xff_forward_enabled", resp.XFFForwardEnabled)

zia/data_source_zia_user_management_users.go

@@ -5,6 +5,7 @@ import (
 	"log"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/zscaler/zscaler-sdk-go/zia/services/usermanagement"
 )
 
@@ -84,6 +85,18 @@ func dataSourceUserManagement() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"auth_methods": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: "Accepted Authentication Methods",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+					ValidateFunc: validation.StringInSlice([]string{
+						"BASIC",
+						"DIGEST",
+					}, false),
+				},
+			},
 			"is_auditor": {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -131,6 +144,7 @@ func dataSourceUserManagementRead(d *schema.ResourceData, m interface{}) error {
 		_ = d.Set("temp_auth_email", resp.TempAuthEmail)
 		_ = d.Set("admin_user", resp.AdminUser)
 		_ = d.Set("type", resp.Type)
+		_ = d.Set("auth_methods", resp.AuthMethods)
 
 		if err := d.Set("department", flattenUserDepartment(resp.Department)); err != nil {
 			return err

zia/provider.go

@@ -44,6 +44,8 @@ func Provider() *schema.Provider {
 					"zscloud",
 					"zscalerbeta",
 					"zscalergov",
+					"zscalerten",
+					"zspreview",
 				}, false),
 				Required: true,
 			},

zia/resource_zia_location_management.go

@@ -161,6 +161,30 @@ func resourceLocationManagement() *schema.Resource {
 				Computed:    true,
 				Description: "Enable Surrogate IP. When set to true, users are mapped to internal device IP addresses.",
 			},
+			"basic_auth_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Enable Basic Authentication at the location",
+			},
+			"digest_auth_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Enable Digest Authentication at the location",
+			},
+			"kerberos_auth_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Enable Kerberos Authentication at the location",
+			},
+			"iot_discovery_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Computed:    true,
+				Description: "Enable IOT Discovery at the location",
+			},
 			"auth_required": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -347,6 +371,10 @@ func resourceLocationManagementRead(d *schema.ResourceData, m interface{}) error
 	_ = d.Set("ip_addresses", resp.IPAddresses)
 	_ = d.Set("ports", resp.Ports)
 	_ = d.Set("auth_required", resp.AuthRequired)
+	_ = d.Set("basic_auth_enabled", resp.BasicAuthEnabled)
+	_ = d.Set("digest_auth_enabled", resp.DigestAuthEnabled)
+	_ = d.Set("kerberos_auth_enabled", resp.KerberosAuth)
+	_ = d.Set("iot_discovery_enabled", resp.IOTDiscoveryEnabled)
 	_ = d.Set("ssl_scan_enabled", resp.SSLScanEnabled)
 	_ = d.Set("zapp_ssl_scan_enabled", resp.ZappSSLScanEnabled)
 	_ = d.Set("xff_forward_enabled", resp.XFFForwardEnabled)
@@ -468,6 +496,10 @@ func expandLocationManagement(d *schema.ResourceData) locationmanagement.Locatio
 		IPAddresses:                         removeEmpty(ListToStringSlice(d.Get("ip_addresses").([]interface{}))),
 		Ports:                               d.Get("ports").(string),
 		AuthRequired:                        d.Get("auth_required").(bool),
+		BasicAuthEnabled:                    d.Get("basic_auth_enabled").(bool),
+		DigestAuthEnabled:                   d.Get("digest_auth_enabled").(bool),
+		KerberosAuth:                        d.Get("kerberos_auth_enabled").(bool),
+		IOTDiscoveryEnabled:                 d.Get("iot_discovery_enabled").(bool),
 		SSLScanEnabled:                      d.Get("ssl_scan_enabled").(bool),
 		ZappSSLScanEnabled:                  d.Get("zapp_ssl_scan_enabled").(bool),
 		XFFForwardEnabled:                   d.Get("xff_forward_enabled").(bool),

zia/resource_zia_user_management_users.go

@@ -72,6 +72,18 @@ func resourceUserManagement() *schema.Resource {
 				Optional:    true,
 				Description: "Temporary Authentication Email. If you enabled one-time tokens or links, enter the email address to which the Zscaler service sends the tokens or links. If this is empty, the service will send the email to the User email.",
 			},
+			"auth_methods": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Description: "Accepted Authentication Methods",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+					ValidateFunc: validation.StringInSlice([]string{
+						"BASIC",
+						"DIGEST",
+					}, false),
+				},
+			},
 			"password": {
 				Type:        schema.TypeString,
 				Required:    true,
@@ -130,6 +142,16 @@ func resourceUserManagementCreate(d *schema.ResourceData, m interface{}) error {
 		return err
 	}
 	log.Printf("[INFO] Created zia user request. ID: %v\n", resp)
+	authMethods := SetToStringList(d, "auth_methods")
+	if len(authMethods) > 0 {
+		_, err = zClient.usermanagement.EnrollUser(resp.ID, usermanagement.EnrollUserRequest{
+			AuthMethods: authMethods,
+			Password:    resp.Password,
+		})
+		if err != nil {
+			log.Printf("[ERROR] enrolling user failed: %v\n", err)
+		}
+	}
 	d.SetId(strconv.Itoa(resp.ID))
 	_ = d.Set("user_id", resp.ID)
 	return resourceUserManagementRead(d, m)
@@ -190,7 +212,16 @@ func resourceUserManagementUpdate(d *schema.ResourceData, m interface{}) error {
 	if _, _, err := zClient.usermanagement.Update(id, &req); err != nil {
 		return err
 	}
-
+	authMethods := SetToStringList(d, "auth_methods")
+	if d.HasChange("auth_methods") && len(authMethods) > 0 {
+		_, err := zClient.usermanagement.EnrollUser(id, usermanagement.EnrollUserRequest{
+			AuthMethods: authMethods,
+			Password:    req.Password,
+		})
+		if err != nil {
+			log.Printf("[ERROR] enrolling user failed: %v\n", err)
+		}
+	}
 	return resourceUserManagementRead(d, m)
 }
 
@@ -235,8 +266,7 @@ func expandUsers(d *schema.ResourceData) usermanagement.Users {
 		Comments:      d.Get("comments").(string),
 		TempAuthEmail: d.Get("temp_auth_email").(string),
 		Password:      d.Get("password").(string),
-		// Department:    expandIDNameExtensionsSet(d, "department"),
-		Groups: expandIDNameExtensionsSet(d, "groups"),
+		Groups:        expandIDNameExtensionsSet(d, "groups"),
 	}
 
 	department := expandUserDepartment(d)