fix: Fixed zia_dlp_web_rules new parent_rule and sub_rules attributes (…

…#345) * fix: Fixed zia_dlp_web_rules new parent_rule and sub_rules attributes * fix: Fixed dlp web rule data source
zscaler · May 23, 2024 · 7d8e44b · 7d8e44b
1 parent dd7f7d5
commit 7d8e44b
Show file tree

Hide file tree

Showing 15 changed files with 155 additions and 192 deletions.
diff --git a/.github/workflows/zia-test.yml b/.github/workflows/zia-test.yml
@@ -100,7 +100,7 @@ jobs:
         environment:
           - ZIA_ZSCLOUD
           - ZIA_ZS0
-          - ZIA_ZS3
+          # - ZIA_ZS3
     environment: ${{ matrix.environment }}
     steps:
       - name: Checkout code

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## 2.9.0 (May, 22 2024) - BREAKING CHANGE
+
+### Notes
+
+- Release date: **(May, 22 2024)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes - BREAKING CHANGE
+
+- [PR #345](https://github.com/zscaler/terraform-provider-zia/345) - The attribute `ocr_enabled` has been deprecated at the upstream API and is no longer accepted. The OCR feature must be enabled via the [DLP Advanced Settings](https://help.zscaler.com/zia/configuring-dlp-advanced-settings).
+  **NOTE** DLP engines support OCR scanning of `PNG`, `JPEG`, `TIFF`, and `BMP` files.
+
+- [PR #345](https://github.com/zscaler/terraform-provider-zia/345) - Implemented Fix for `zia_dlp_web_rules` for new attributes `parent_rule` and `sub_rules`. A parent rule must be configured with rank 0 and prior to any potential subrule. It is not possible to add existing rules as as subrules under the parent rule.
+
 ## 2.8.31 (May, 21 2024)
 
 ### Notes

diff --git a/GNUmakefile b/GNUmakefile
@@ -194,14 +194,14 @@ test\:integration\:zscalertwo:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/2.8.31/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/2.9.0/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/2.8.31/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/2.9.0/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 	@echo "==> Installing plugin to $(DESTINATION)"
 	@mkdir -p $(DESTINATION)
-	go build -o $(DESTINATION)/terraform-provider-zia_v2.8.31
+	go build -o $(DESTINATION)/terraform-provider-zia_v2.9.0
 
 coverage: test
 	@echo "✓ Opening coverage for unit tests ..."

diff --git a/docs/guides/release-notes.md b/docs/guides/release-notes.md
@@ -12,10 +12,24 @@ description: |-
 Track all ZIA Terraform provider's releases. New resources, features, and bug fixes will be tracked here.
 
 ---
-``Last updated: v2.8.31``
+``Last updated: v2.9.0``
 
 ---
 
+## 2.9.0 (May, 22 2024) - BREAKING CHANGE
+
+### Notes
+
+- Release date: **(May, 22 2024)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes - BREAKING CHANGE
+
+- [PR #345](https://github.com/zscaler/terraform-provider-zia/345) - The attribute `ocr_enabled` has been deprecated at the upstream API and is no longer accepted. The OCR feature must be enabled via the [DLP Advanced Settings](https://help.zscaler.com/zia/configuring-dlp-advanced-settings).
+  **NOTE** DLP engines support OCR scanning of `PNG`, `JPEG`, `TIFF`, and `BMP` files.
+
+- [PR #345](https://github.com/zscaler/terraform-provider-zia/345) - Implemented Fix for `zia_dlp_web_rules` for new attributes `parent_rule` and `sub_rules`. A parent rule must be configured with rank 0 and prior to any potential subrule. It is not possible to add existing rules as as subrules under the parent rule.
+
 ## 2.8.31 (May, 21 2024)
 
 ### Notes

diff --git a/docs/resources/zia_dlp_web_rules.md b/docs/resources/zia_dlp_web_rules.md
@@ -12,28 +12,7 @@ The **zia_dlp_web_rules** resource allows the creation and management of ZIA DLP
 
 ⚠️ **WARNING:** Zscaler Internet Access DLP supports a maximum of 127 Web DLP Rules to be created via API.
 
-## Example Usage - OCR ENABLED
-
-```hcl
-resource "zia_dlp_web_rules" "test" {
-    name                        = "Test"
-    description                 = "Test"
-    action                      = "ALLOW"
-    state                       = "ENABLED"
-    order                       = 1
-    rank                        = 7
-    protocols                 = ["FTP_RULE", "HTTPS_RULE", "HTTP_RULE"]
-    cloud_applications          = ["ZENDESK", "LUCKY_ORANGE", "MICROSOFT_POWERAPPS", "MICROSOFTLIVEMEETING"]
-    without_content_inspection  = false
-    match_only                  = false
-    ocr_enabled                 = true
-    file_types                = [ "BITMAP", "JPEG", "PNG", "TIFF"]
-    min_size                    = 20
-    zscaler_incident_receiver   = true
-}
-```
-
-## Example Usage - "ALL_OUTBOUND" File Type
+## Example Usage - "ALL_OUTBOUND" File Type"
 
 ```hcl
 data "zia_dlp_engines" "this" {
@@ -89,6 +68,8 @@ resource "zia_dlp_web_rules" "this" {
 }
 ```
 
+## Example Usage - "Specify Incident Receiver Setting"
+
 ```hcl
 // Retrieve a custom URL Category by Name
 data "zia_url_categories" "this"{
@@ -119,6 +100,45 @@ resource "zia_dlp_web_rules" "this" {
 }
 ```
 
+## Example Usage - "Creating Parent Rules and SubRules"
+
+⚠️ **WARNING:** Destroying a parent rule will also destroy all subrules
+
+ **NOTE** Exception rules can be configured only when the inline DLP rule evaluation type is set
+ to evaluate all DLP rules in the DLP Advanced Settings.
+ To learn more, see [Configuring DLP Advanced Settings](https://help.zscaler.com/%22/zia/configuring-dlp-advanced-settings/%22)
+
+```hcl
+resource "zia_dlp_web_rules" "parent_rule" {
+  name                       = "ParentRule1"
+  description                = "ParentRule1"
+  action                     = "ALLOW"
+  state                      = "ENABLED"
+  order                      = 1
+  rank                       = 0
+  protocols                  = ["FTP_RULE", "HTTPS_RULE", "HTTP_RULE"]
+  cloud_applications         = ["GOOGLE_WEBMAIL", "WINDOWS_LIVE_HOTMAIL"]
+  without_content_inspection = false
+  match_only                 = false
+  min_size                   = 20
+  zscaler_incident_receiver  = true
+}
+
+resource "zia_dlp_web_rules" "subrule1" {
+  name                       = "SubRule1"
+  description                = "SubRule1"
+  action                     = "ALLOW"
+  state                      = "ENABLED"
+  order                      = 1
+  rank                       = 0
+  protocols                  = ["FTP_RULE", "HTTPS_RULE", "HTTP_RULE"]
+  cloud_applications         = ["GOOGLE_WEBMAIL", "WINDOWS_LIVE_HOTMAIL"]
+  without_content_inspection = false
+  match_only                 = false
+  parent_rule = zia_dlp_web_rules.parent_rule.id
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -162,11 +182,15 @@ The following arguments are supported:
 
 * `user_risk_score_levels` (Optional) - Indicates the user risk score level selectedd for the DLP rule violation: Returned values are: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`
 
-* `parent_rule`(Optional) - The unique identifier of the parent rule under which an exception rule is added.
- ~> Note: Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.
+* `parent_rule`(Optional) - The unique identifier of the parent rule under which an exception rule is added. The rule rank must be set to `0`
+
+    ~> **Note**: Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings. To learn more, see [Configuring DLP Advanced Settings](https://help.zscaler.com/%22/zia/configuring-dlp-advanced-settings/%22)
+
+    ~> **Note**: It is not possible to add existing rules as as subrules under the parent rule.
+
+* `sub_rules`(List) - The list of exception rules added to a parent rule. The rule rank must be set to `0`
 
-* `sub_rules`(List) - The list of exception rules added to a parent rule.
- ~> Note: All attributes within the WebDlpRule model are applicable to the sub-rules. Values for each rule are specified by using the WebDlpRule object Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.
+    ~> **Note**: All attributes within the WebDlpRule model are applicable to the sub-rules. Values for each rule are specified by using the WebDlpRule object Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings. To learn more, see [Configuring DLP Advanced Settings](https://help.zscaler.com/%22/zia/configuring-dlp-advanced-settings/%22)
 
 * `notification_template` - (Optional) The template used for DLP notification emails.
   * `id` - (Optional) Identifier that uniquely identifies an entity

diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
-	github.com/zscaler/zscaler-sdk-go/v2 v2.5.2
+	github.com/zscaler/zscaler-sdk-go/v2 v2.5.21
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -388,8 +388,8 @@ github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgr
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v2 v2.5.2 h1:R6BSrfVPptaJAAU8o2ZxIOWsA6WDvh7PsKX5gF6GNcY=
-github.com/zscaler/zscaler-sdk-go/v2 v2.5.2/go.mod h1:ORk1VkYcUqRb5Ipg3h3kKacdwbbPydKL43Ku+AQjAr0=
+github.com/zscaler/zscaler-sdk-go/v2 v2.5.21 h1:KGWj5qDoK4U4Z1SpjhmzrJjc3wmMAifcOed8tkYOklY=
+github.com/zscaler/zscaler-sdk-go/v2 v2.5.21/go.mod h1:2IDq+V+4mHWV11D6nUwWFHJ0bTwXa8h40clGMh6JsuE=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

diff --git a/zia/data_source_zia_admin_roles.go b/zia/data_source_zia_admin_roles.go
@@ -91,17 +91,8 @@ func dataSourceAdminRolesRead(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
 
 	var resp *roles.AdminRoles
-	id, ok := getIntFromResourceData(d, "id")
-	if ok {
-		log.Printf("[INFO] Getting data for admin role id: %d\n", id)
-		res, err := zClient.roles.Get(id)
-		if err != nil {
-			return err
-		}
-		resp = res
-	}
-	name, _ := d.Get("name").(string)
-	if resp == nil && name != "" {
+	name, ok := d.Get("name").(string)
+	if ok && name != "" {
 		log.Printf("[INFO] Getting data for admin role name: %s\n", name)
 		res, err := zClient.roles.GetByName(name)
 		if err != nil {
@@ -128,7 +119,7 @@ func dataSourceAdminRolesRead(d *schema.ResourceData, m interface{}) error {
 		_ = d.Set("role_type", resp.RoleType)
 
 	} else {
-		return fmt.Errorf("couldn't find any admin role name '%s' or id '%d'", name, id)
+		return fmt.Errorf("couldn't find any admin role name '%s'", name)
 	}
 
 	return nil

diff --git a/zia/data_source_zia_application_services_group_lite.go b/zia/data_source_zia_application_services_group_lite.go
@@ -35,17 +35,8 @@ func dataSourceFWApplicationServicesGroupLiteRead(d *schema.ResourceData, m inte
 	zClient := m.(*Client)
 
 	var resp *appservicegroups.ApplicationServicesGroupLite
-	id, ok := getIntFromResourceData(d, "id")
-	if ok {
-		log.Printf("[INFO] Getting data for application services group id: %d\n", id)
-		res, err := zClient.appservicegroups.Get(id)
-		if err != nil {
-			return err
-		}
-		resp = res
-	}
-	name, _ := d.Get("name").(string)
-	if resp == nil && name != "" {
+	name, ok := d.Get("name").(string)
+	if ok && name != "" {
 		log.Printf("[INFO] Getting data for application services group: %s\n", name)
 		res, err := zClient.appservicegroups.GetByName(name)
 		if err != nil {
@@ -60,7 +51,7 @@ func dataSourceFWApplicationServicesGroupLiteRead(d *schema.ResourceData, m inte
 		_ = d.Set("name_l10n_tag", resp.NameL10nTag)
 
 	} else {
-		return fmt.Errorf("couldn't find any device name '%s' or id '%d'", name, id)
+		return fmt.Errorf("couldn't find any device name '%s'", name)
 	}
 
 	return nil

diff --git a/zia/data_source_zia_application_services_lite.go b/zia/data_source_zia_application_services_lite.go
@@ -35,17 +35,8 @@ func dataSourceFWApplicationServicesLiteRead(d *schema.ResourceData, m interface
 	zClient := m.(*Client)
 
 	var resp *applicationservices.ApplicationServicesLite
-	id, ok := getIntFromResourceData(d, "id")
-	if ok {
-		log.Printf("[INFO] Getting data for application services id: %d\n", id)
-		res, err := zClient.applicationservices.Get(id)
-		if err != nil {
-			return err
-		}
-		resp = res
-	}
-	name, _ := d.Get("name").(string)
-	if resp == nil && name != "" {
+	name, ok := d.Get("name").(string)
+	if ok && name != "" {
 		log.Printf("[INFO] Getting data for application service name: %s\n", name)
 		res, err := zClient.applicationservices.GetByName(name)
 		if err != nil {
@@ -60,7 +51,7 @@ func dataSourceFWApplicationServicesLiteRead(d *schema.ResourceData, m interface
 		_ = d.Set("name_l10n_tag", resp.NameL10nTag)
 
 	} else {
-		return fmt.Errorf("couldn't find any application service name '%s' or id '%d'", name, id)
+		return fmt.Errorf("couldn't find any application service name '%s'", name)
 	}
 
 	return nil

diff --git a/zia/data_source_zia_cloud_browser_isolation_profile.go b/zia/data_source_zia_cloud_browser_isolation_profile.go
@@ -40,17 +40,8 @@ func dataSourceCBIProfileRead(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
 
 	var resp *cloudbrowserisolation.IsolationProfile
-	id, ok := d.Get("id").(string)
-	if ok && id != "" {
-		log.Printf("[INFO] Getting data for cloud browser isolation profile %s\n", id)
-		res, err := zClient.cloudbrowserisolation.Get(id)
-		if err != nil {
-			return err
-		}
-		resp = res
-	}
 	name, ok := d.Get("name").(string)
-	if id == "" && ok && name != "" {
+	if ok && name != "" {
 		log.Printf("[INFO] Getting data for cloud browser isolation profile name %s\n", name)
 		res, err := zClient.cloudbrowserisolation.GetByName(name)
 		if err != nil {
@@ -65,7 +56,7 @@ func dataSourceCBIProfileRead(d *schema.ResourceData, m interface{}) error {
 		_ = d.Set("default_profile", resp.DefaultProfile)
 
 	} else {
-		return fmt.Errorf("couldn't find any cloud browser isolation profile with name '%s' or id '%s'", name, id)
+		return fmt.Errorf("couldn't find any cloud browser isolation profile with name '%s'", name)
 	}
 
 	return nil

diff --git a/zia/data_source_zia_device_group.go b/zia/data_source_zia_device_group.go
@@ -60,17 +60,8 @@ func dataSourceDeviceGroupsRead(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
 
 	var resp *devicegroups.DeviceGroups
-	id, ok := getIntFromResourceData(d, "id")
-	if ok {
-		log.Printf("[INFO] Getting data for device group id: %d\n", id)
-		res, err := zClient.devicegroups.GetDeviceGroups(id)
-		if err != nil {
-			return err
-		}
-		resp = res
-	}
-	name, _ := d.Get("name").(string)
-	if resp == nil && name != "" {
+	name, ok := d.Get("name").(string)
+	if ok && name != "" {
 		log.Printf("[INFO] Getting data for device group name: %s\n", name)
 		res, err := zClient.devicegroups.GetDeviceGroupByName(name)
 		if err != nil {
@@ -90,7 +81,7 @@ func dataSourceDeviceGroupsRead(d *schema.ResourceData, m interface{}) error {
 		_ = d.Set("device_count", resp.DeviceCount)
 
 	} else {
-		return fmt.Errorf("couldn't find any device group name '%s' or id '%d'", name, id)
+		return fmt.Errorf("couldn't find any device group name '%s'", name)
 	}
 
 	return nil