Merge branch 'master' into zia-#283-zpa-gateway-feature

.github/workflows/release.yml

@@ -28,15 +28,15 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: "1.20"
 
       - name: Import GPG key
         id: import_gpg
-        uses: paultyng/ghaction-import-gpg@v2.1.0
-        env:
+        uses: crazy-max/ghaction-import-gpg@v6
           # These secrets will need to be configured for the repository:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          PASSPHRASE: ${{ secrets.PASSPHRASE }}
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5.0.0

.github/workflows/test.yml

@@ -62,4 +62,3 @@ jobs:
       TF_ACC: ${{ secrets.TF_ACC }}
     needs:
       - zs-beta-tests
-

CHANGELOG.md

@@ -12,6 +12,44 @@
 NEW - RESOURCES, DATA SOURCES
 
 - [PR #293](https://github.com/zscaler/terraform-provider-zia/pull/293) - ✨ Added support for ZIA 🆕 Custom ZPA Gateway for use with Forwarding Control policy to forward traffic to ZPA for Source IP Anchoring.
+- [PR #294](https://github.com/zscaler/terraform-provider-zia/pull/294) - ✨ Added support for ZIA 🆕 Forwarding Control Rule configuration.
+
+## 2.6.6 (November, 23 2023)
+
+### Notes
+
+- Release date: **(November, 23 2023)**
+- Supported Terraform version: **v1.x**
+
+### Fixes
+
+- [PR #291](https://github.com/zscaler/terraform-provider-zia/pull/291) - Fixed panic with resource `zia_admin_users` due to API changes.
+
+## 2.6.5 (November, 5 2023)
+
+### Notes
+
+- Release date: **(November, 5 2023)**
+- Supported Terraform version: **v1.x**
+
+### Fixes
+
+- [PR #285](https://github.com/zscaler/terraform-provider-zia/pull/285) - Fixed drift within `zia_firewall_filtering_rule` for the attribute `dest_countries`.
+
+## 2.6.4 (October, 25 2023)
+
+### Notes
+
+- Release date: **(October, 25 2023)**
+- Supported Terraform version: **v1.x**
+
+### Enhancements
+
+- [PR #285](https://github.com/zscaler/terraform-provider-zia/pull/285) - Introduced new `zia_location_management`  attributes: `other_sublocation`, `other6_sublocation`, `ipv6_enabled`, `ipv6_dns_64prefix`
+
+### Fixes
+
+- [PR #285](https://github.com/zscaler/terraform-provider-zia/pull/285) - Fixed `zia_location_management` resource attribute `ip_addresses` to `TypeSet` to prevent drifts in case the API returns IP addresses in an ordered fashion.
 
 ## 2.6.3 (October, 18 2023)
 
@@ -623,4 +661,4 @@ The  following resources are supported:
 
 - Static IP: Added ``ForceNew`` option to ``ip_address`` in the schema, so the resource will be destroyed and recreated [PR#40](https://github.com/zscaler/terraform-provider-zia/pull/40)
 
-- VPN Credentials: Added ``ForceNew`` option to ``type`` in the schema, so the resource will be destroyed and recreated if the type of the VPN resource needs to be changed from ``IP`` to ``UFQDN`` and vice-versa [PR#41](https://github.com/zscaler/terraform-provider-zia/pull/41)
+- VPN Credentials: Added ``ForceNew`` option to ``type`` in the schema, so the resource will be destroyed and recreated if the type of the VPN resource needs to be changed from ``IP`` to ``UFQDN`` and vice-versa [PR#41](https://github.com/zscaler/terraform-provider-zia/pull/41)

GNUmakefile

@@ -37,7 +37,7 @@ sweep:
 
 test:
 	echo $(TEST) | \
-		xargs -t -n4 go test $(TESTARGS) $(TEST_FILTER) -timeout=30s -parallel=30
+		xargs -t -n4 go test $(TESTARGS) $(TEST_FILTER) -timeout=30s -parallel=4
 
 testacc:
 	TF_ACC=1 go test $(TEST) $(TESTARGS) $(TEST_FILTER) -timeout 120m
@@ -72,9 +72,15 @@ fmtcheck:
 errcheck:
 	@sh -c "'$(CURDIR)/scripts/errcheck.sh'"
 
-fmt-docs:
-	@echo "✓ Formatting code samples in documentation"
-	@terrafmt fmt -p '*.md' .
+tools:
+	@which $(GOFMT) || go install mvdan.cc/gofumpt@v0.4.0
+	@which $(TFPROVIDERLINT) || go install github.com/bflad/tfproviderlint/cmd/tfproviderlint@v0.28.1
+	@which $(STATICCHECK) || go install honnef.co/go/tools/cmd/staticcheck@v0.4.2
+
+tools-update:
+	@go install mvdan.cc/gofumpt@v0.4.0
+	@go install github.com/bflad/tfproviderlint/cmd/tfproviderlint@v0.28.1
+	@go install honnef.co/go/tools/cmd/staticcheck@v0.4.2
 
 vendor-status:
 	@govendor status
@@ -87,42 +93,6 @@ test-compile:
 	fi
 	go test -c $(TEST) $(TESTARGS)
 
-lint:
-	@echo "==> Checking source code against linters..."
-	@$(TFPROVIDERLINT) \
-		-c 1 \
-		-AT001 \
-    -R004 \
-		-S001 \
-		-S002 \
-		-S003 \
-		-S004 \
-		-S005 \
-		-S007 \
-		-S008 \
-		-S009 \
-		-S010 \
-		-S011 \
-		-S012 \
-		-S013 \
-		-S014 \
-		-S015 \
-		-S016 \
-		-S017 \
-		-S019 \
-		./$(PKG_NAME)
-
-tools:
-	@which $(GOFMT) || go install mvdan.cc/gofumpt@v0.5.0
-	@which $(TFPROVIDERLINT) || go install github.com/bflad/tfproviderlint/cmd/tfproviderlint@v0.29.0
-	@which $(STATICCHECK) || go install honnef.co/go/tools/cmd/staticcheck@v0.4.6
-
-tools-update:
-	@go install mvdan.cc/gofumpt@v0.5.0
-	@go install github.com/bflad/tfproviderlint/cmd/tfproviderlint@v0.29.0
-	@go install honnef.co/go/tools/cmd/staticcheck@v0.4.6
-
-
 ziaActivator: GOOS=$(shell go env GOOS)
 ziaActivator: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...

docs/guides/release-notes.md

@@ -16,18 +16,41 @@ Track all ZIA Terraform provider's releases. New resources, features, and bug fi
 
 ---
 
-## 2.7.0 (November, xx 2023)
+## 2.7.0 (December, xx 2023)
 
 ### Notes
 
-- Release date: **(November, xx 2023)**
+- Release date: **(December, xx 2023)**
 - Supported Terraform version: **v1.x**
 
 ### Enhancements
 
 NEW - RESOURCES, DATA SOURCES
 
 - [PR #293](https://github.com/zscaler/terraform-provider-zia/pull/293) - ✨ Added support for ZIA 🆕 Custom ZPA Gateway for use with Forwarding Control policy to forward traffic to ZPA for Source IP Anchoring.
+- [PR #294](https://github.com/zscaler/terraform-provider-zia/pull/294) - ✨ Added support for ZIA 🆕 Forwarding Control Rule configuration.
+
+## 2.6.6 (November, 23 2023)
+
+### Notes
+
+- Release date: **(November, 23 2023)**
+- Supported Terraform version: **v1.x**
+
+### Fixes
+
+- [PR #291](https://github.com/zscaler/terraform-provider-zia/pull/291) - Fixed panic with resource `zia_admin_users` due to API changes.
+
+## 2.6.5 (November, 5 2023)
+
+### Notes
+
+- Release date: **(November, 5 2023)**
+- Supported Terraform version: **v1.x**
+
+### Fixes
+
+- [PR #285](https://github.com/zscaler/terraform-provider-zia/pull/285) - Fixed drift within `zia_firewall_filtering_rule` for the attribute `dest_countries`.
 
 ## 2.6.3 (October, 18 2023)
 
@@ -737,4 +760,4 @@ The  following resources are supported:
 - New Data Source: data_source_zia_url_filtering_rules 🆕
 - New Data Source: data_source_zia_user_management_departments 🆕
 - New Data Source: data_source_zia_user_management_groups 🆕
-- New Data Source: data_source_zia_user_management_users 🆕
+- New Data Source: data_source_zia_user_management_users 🆕

docs/resources/zia_admin_users.md

@@ -10,17 +10,64 @@ description: |-
 
 The **zia_admin_users** resource allows the creation and management of ZIA admin user account created in the Zscaler Internet Access cloud or via the API.
 
-## Example Usage
+## Example Usage - Organization Scope
 
 ```hcl
+resource "zia_admin_users" "john_smith" {
+  login_name                      = "john.smith@acme.com"
+  user_name                       = "John Smith"
+  email                           = "john.smith@acme.com"
+  is_password_login_allowed       = true
+  password                        = "AeQ9E5w8B$"
+  is_security_report_comm_enabled = true
+  is_service_update_comm_enabled  = true
+  is_product_update_comm_enabled  = true
+  comments                        = "Administrator User"
+  role {
+    id = data.zia_admin_roles.super_admin.id
+  }
+  admin_scope_type = "ORGANIZATION"
+}
+
+data "zia_admin_roles" "super_admin" {
+  name = "Super Admin"
+}
+```
+
+## Example Usage - Department Scope
+
+```hcl
+resource "zia_admin_users" "john_smith" {
+  login_name                      = "john.smith@acme.com"
+  user_name                       = "John Smith"
+  email                           = "john.smith@acme.com"
+  is_password_login_allowed       = true
+  password                        = "AeQ9E5w8B$"
+  is_security_report_comm_enabled = true
+  is_service_update_comm_enabled  = true
+  is_product_update_comm_enabled  = true
+  comments                        = "Administrator User"
+  role {
+    id = data.zia_admin_roles.super_admin.id
+  }
+  admin_scope_type = "DEPARTMENT"
+    admin_scope_entities {
+        id = [ data.zia_department_management.engineering.id, data.zia_department_management.sales.id ]
+    }
+}
+
 data "zia_admin_roles" "super_admin" {
   name = "Super Admin"
 }
 
 data "zia_department_management" "engineering" {
   name = "Engineering"
 }
+```
 
+## Example Usage - Location Scope
+
+```hcl
 resource "zia_admin_users" "john_smith" {
   login_name                      = "john.smith@acme.com"
   user_name                       = "John Smith"
@@ -34,12 +81,49 @@ resource "zia_admin_users" "john_smith" {
   role {
     id = data.zia_admin_roles.super_admin.id
   }
-  admin_scope {
-    type = "DEPARTMENT"
-    scope_entities {
-      id = [data.zia_department_management.engineering.id]
+  admin_scope_type = "LOCATION"
+    admin_scope_entities {
+        id = [ data.zia_location_management.au_sydney_branch01.id ]
     }
+}
+
+data "zia_admin_roles" "super_admin" {
+  name = "Super Admin"
+}
+
+data "zia_location_management" "au_sydney_branch01" {
+  name = "AU - Sydney - Branch01"
+}
+```
+
+## Example Usage - Location Group Scope
+
+```hcl
+resource "zia_admin_users" "john_smith" {
+  login_name                      = "john.smith@acme.com"
+  user_name                       = "John Smith"
+  email                           = "john.smith@acme.com"
+  is_password_login_allowed       = true
+  password                        = "AeQ9E5w8B$"
+  is_security_report_comm_enabled = true
+  is_service_update_comm_enabled  = true
+  is_product_update_comm_enabled  = true
+  comments                        = "Administrator User"
+  role {
+    id = data.zia_admin_roles.super_admin.id
   }
+  admin_scope_type = "LOCATION_GROUP"
+    admin_scope_entities {
+        id = [ data.zia_location_groups.corporate_user_traffic_group.id ]
+    }
+}
+
+data "zia_admin_roles" "super_admin" {
+  name = "Super Admin"
+}
+
+data "zia_location_groups" "corporate_user_traffic_group" {
+  name = "Corporate User Traffic Group"
 }
 ```
 
@@ -71,11 +155,6 @@ The following arguments are supported:
 * `is_security_report_comm_enabled` - (Optional) Communication for Security Report is enabled.
 * `is_service_update_comm_enabled` - (Optional) Communication setting for Service Update.
 
-* `admin_scope` - (Optional) The admin's scope. A scope is required for admins, but not applicable to auditors. This attribute is subject to change.
-  * `scope_group_member_entities` - (Optional) Only applicable for the LOCATION_GROUP admin scope type, in which case this attribute gives the list of ID/name pairs of locations within the location group.
-    * `id` - (Optional) Identifier that uniquely identifies an entity
-    * `name` - (Optional) The configured name of the entity
-  * `type` - (Optional) The admin scope type. The attribute name is subject to change.
-  * `scope_entities` - (Optional) Based on the admin scope type, the entities can be the ID/name pair of departments, locations, or location groups.
+* `admin_scope_type` - (Optional) The admin's scope. A scope is required for admins, but not applicable to auditors. This attribute is subject to change. Support values are: `ORGANIZATION`, `DEPARTMENT`, `LOCATION`, `LOCATION_GROUP`
+  * `admin_scope_entities` - (Optional) Based on the admin scope type, the entities can be the ID/name pair of departments, locations, or location groups.
     * `id` - (Optional) Identifier that uniquely identifies an entity
-    * `name` - (Optional) The configured name of the entity

docs/resources/zia_location_management.md

@@ -70,7 +70,7 @@ The following arguments are supported:
 * `description` - (String) Additional notes or information regarding the location or sub-location. The description cannot exceed 1024 characters.
 * `country` - (Optional) Country
 * `tz` - (Optional) Timezone of the location. If not specified, it defaults to GMT.
-* `profile` - (Optional) Profile tag that specifies the location traffic type. If not specified, this tag defaults to `Unassigned`. The supported options are: `NONE`, `CORPORATE`, `SERVER`, `GUESTWIFI`, `IOT`.
+* `profile` - (Optional) Profile tag that specifies the location traffic type. If not specified, this tag defaults to `Unassigned`. The supported options are: `NONE`, `CORPORATE`, `SERVER`, `GUESTWIFI`, `IOT`, `WORKLOAD`.
 
 * `aup_block_internet_until_accepted` - (Optional) For First Time AUP Behavior, Block Internet Access. When set, all internet access (including non-HTTP traffic) is disabled until the user accepts the AUP.
 * `aup_enabled` - (Optional) Enable AUP. When set to true, AUP is enabled for the location.
@@ -94,6 +94,14 @@ The following arguments are supported:
 * `xff_forward_enabled` - (Optional) Enable XFF Forwarding. When set to true, traffic is passed to Zscaler Cloud via the X-Forwarded-For (XFF) header.
 * `zapp_ssl_scan_enabled` - (Optional) This parameter was deprecated and no longer has an effect on SSL policy. It remains supported in the API payload in order to maintain backwards compatibility with existing scripts, but it will be removed in future.
 
+* `other_sublocation` - (Optional) If set to true, indicates that this is a default sub-location created by the Zscaler service to accommodate IPv4 addresses that are not part of any user-defined sub-locations. The default sub-location is created with the name Other and it can be renamed, if required.
+
+* `other6_sublocation` - (Optional) If set to true, indicates that this is a default sub-location created by the Zscaler service to accommodate IPv6 addresses that are not part of any user-defined sub-locations. The default sub-location is created with the name Other6 and it can be renamed, if required. This field is applicable only if ipv6Enabled is set is true.
+
+* `ipv6_enabled` - (Optional) If set to true, IPv6 is enabled for the location and IPv6 traffic from the location can be forwarded to the Zscaler service to enforce security policies.
+
+* `ipv6_dns_64prefix` - (Optional) Name-ID pair of the NAT64 prefix configured as the DNS64 prefix for the location. If specified, the DNS64 prefix is used for the IP addresses that reside in this location. If not specified, a prefix is selected from the set of supported prefixes. This field is applicable only if ipv6Enabled is set is true.
+
 * `managed_by` - (Optional)
   * `id` - (Optional) Identifier that uniquely identifies an entity
   * `name` - (Optional) The configured name of the entity

examples/zia_admin_user/admin_user_department_scope.tf

@@ -11,12 +11,10 @@ resource "zia_admin_users" "john_smith" {
   role {
     id = data.zia_admin_roles.super_admin.id
   }
-  admin_scope {
-    type = "DEPARTMENT"
-    scope_entities {
-      id = [data.zia_department_management.engineering.id]
+  admin_scope_type = "DEPARTMENT"
+    admin_scope_entities {
+        id = [ data.zia_department_management.engineering.id, data.zia_department_management.sales.id ]
     }
-  }
 }
 
 data "zia_admin_roles" "super_admin" {
@@ -26,3 +24,8 @@ data "zia_admin_roles" "super_admin" {
 data "zia_department_management" "engineering" {
   name = "Engineering"
 }
+
+data "zia_department_management" "sales" {
+  name = "Sales"
+}
+

examples/zia_admin_user/admin_user_location_group_scope.tf

@@ -11,12 +11,10 @@ resource "zia_admin_users" "john_smith" {
   role {
     id = data.zia_admin_roles.super_admin.id
   }
-  admin_scope {
-    type = "LOCATION_GROUP"
-    scope_entities {
-      id = [data.zia_location_groups.corporate_user_traffic_group.id]
+  admin_scope_type = "LOCATION_GROUP"
+    admin_scope_entities {
+        id = [ data.zia_location_groups.corporate_user_traffic_group.id ]
     }
-  }
 }
 
 data "zia_admin_roles" "super_admin" {