check on ip surrogate in location management & some fixes

zscaler · Oct 17, 2021 · 05a176f · 05a176f
1 parent 49b148e
commit 05a176f
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 17 deletions.
diff --git a/examples/zia_firewall_filtering_rule/main.tf b/examples/zia_firewall_filtering_rule/main.tf
@@ -19,20 +19,14 @@ resource "zia_firewall_filtering_rule" "example" {
   access_control      = "READ_WRITE"
   enable_full_logging = false
   order               = 1
-  rank                = 1
   dest_countries      = ["COUNTRY_CA", "COUNTRY_US", "COUNTRY_BR"]
   locations {
     id = [
-      data.zia_location_management.vancouver.id,
-      data.zia_location_management.toronto.id
+      data.zia_location_management.sjc1.id
     ]
   }
 }
 
-data "zia_location_management" "vancouver" {
-  name = "SGIO-IPSEC-Vancouver"
-}
-
-data "zia_location_management" "toronto" {
-  name = "SGIO-IPSEC-Toronto"
+data "zia_location_management" "sjc1" {
+  name = "sjc-1"
 }
diff --git a/examples/zia_location_management/main.tf b/examples/zia_location_management/main.tf
@@ -12,19 +12,19 @@ provider "zia" {}
 resource "zia_location_management" "toronto"{
     name = "SGIO-IPSEC-Toronto"
     description = "Created with Terraform"
-    ssl_scan_enabled = true
-    zapp_ssl_scan_enabled = true
     ip_addresses = [ zia_traffic_forwarding_static_ip.example.ip_address ]
+    surrogate_ip = true
+    idle_time_in_minutes = 10
+    auth_required = true
     vpn_credentials {
        id = zia_traffic_forwarding_vpn_credentials.example.vpn_credental_id
        type = zia_traffic_forwarding_vpn_credentials.example.type
     }
-
 }
 
 resource "zia_traffic_forwarding_vpn_credentials" "example"{
     type = "UFQDN"
-    fqdn = "sjc-1-37@securitygeek.io"
+    fqdn = "sjc-1-373@securitygeek.io"
     comments = "created automatically"
     pre_shared_key = "newPassword123!"
 }

diff --git a/zia/resource_zia_firewall_filtering_rules.go b/zia/resource_zia_firewall_filtering_rules.go
@@ -42,7 +42,7 @@ func resourceFirewallFilteringRules() *schema.Resource {
 			"rank": {
 				Type:        schema.TypeInt,
 				Optional:    true,
-				Default:     7,
+				Computed:    true,
 				Description: "Admin rank of the Firewall Filtering policy rule",
 			},
 			"access_control": {

diff --git a/zia/resource_zia_location_management.go b/zia/resource_zia_location_management.go
@@ -79,6 +79,7 @@ func resourceLocationManagement() *schema.Resource {
 						"fqdn": {
 							Type:     schema.TypeString,
 							Optional: true,
+							Computed: true,
 						},
 						"pre_shared_key": {
 							Type:     schema.TypeString,
@@ -88,6 +89,7 @@ func resourceLocationManagement() *schema.Resource {
 						"comments": {
 							Type:     schema.TypeString,
 							Optional: true,
+							Computed: true,
 						},
 					},
 				},
@@ -126,6 +128,7 @@ func resourceLocationManagement() *schema.Resource {
 			"display_time_unit": {
 				Type:     schema.TypeString,
 				Optional: true,
+				Default:  "MINUTE",
 				ValidateFunc: validation.StringInSlice([]string{
 					"MINUTE",
 					"HOUR",
@@ -215,7 +218,9 @@ func resourceLocationManagementCreate(d *schema.ResourceData, m interface{}) err
 
 	req := expandLocationManagement(d)
 	log.Printf("[INFO] Creating zia location management\n%+v\n", req)
-
+	if err := checkSurrogateIPIdletTimeout(req); err != nil {
+		return err
+	}
 	resp, err := zClient.locationmanagement.Create(&req)
 	if err != nil {
 		return err
@@ -227,6 +232,16 @@ func resourceLocationManagementCreate(d *schema.ResourceData, m interface{}) err
 	return resourceLocationManagementRead(d, m)
 }
 
+func checkSurrogateIPIdletTimeout(loc locationmanagement.Locations) error {
+	if loc.SurrogateIP && loc.IdleTimeInMinutes == 0 {
+		return fmt.Errorf("surrogate IP requires setting of an idle timeout")
+	}
+	if loc.SurrogateIP && !loc.AuthRequired {
+		return fmt.Errorf("authentication required must be enabled, when enabling surrogate IP")
+	}
+	return nil
+}
+
 func resourceLocationManagementRead(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
 
@@ -309,7 +324,9 @@ func resourceLocationManagementUpdate(d *schema.ResourceData, m interface{}) err
 	}
 	log.Printf("[INFO] Updating location management ID: %v\n", id)
 	req := expandLocationManagement(d)
-
+	if err := checkSurrogateIPIdletTimeout(req); err != nil {
+		return err
+	}
 	if _, _, err := zClient.locationmanagement.Update(id, &req); err != nil {
 		return err
 	}

diff --git a/zia/resource_zia_traffic_forwarding_vpn_credentials.go b/zia/resource_zia_traffic_forwarding_vpn_credentials.go
@@ -78,7 +78,7 @@ func resourceTrafficForwardingVPNCredentialsRead(d *schema.ResourceData, m inter
 	resp, err := zClient.vpncredentials.Get(id)
 
 	if err != nil {
-		if err.(*client.ErrorResponse).IsObjectNotFound() {
+		if obj, ok := err.(*client.ErrorResponse); ok && obj.IsObjectNotFound() {
 			log.Printf("[WARN] Removing vpn credentials %s from state because it no longer exists in ZIA", d.Id())
 			d.SetId("")
 			return nil