doc: Fixed Policy Rule documentation

docs/resources/zpa_policy_redirection_rule.md

@@ -0,0 +1,145 @@
+---
+page_title: "zpa_policy_redirection_rule Resource - terraform-provider-zpa"
+subcategory: "Policy Set Controller"
+description: |-
+  Official documentation https://help.zscaler.com/zpa/about-redirection-policy
+  API documentation https://help.zscaler.com/zpa/configuring-redirection-policies-using-api
+  Creates and manages ZPA Policy Access Redirection Rule.
+---
+
+# zpa_policy_redirection_rule (Resource)
+
+* [Official documentation](https://help.zscaler.com/zpa/about-redirection-policy)
+* [API documentation](https://help.zscaler.com/zpa/configuring-redirection-policies-using-api)
+
+The **zpa_policy_redirection_rule** resource creates a policy redirection access rule in the Zscaler Private Access cloud.
+
+  ⚠️ **WARNING:**: The attribute ``rule_order`` is now deprecated in favor of the new resource  [``policy_access_rule_reorder``](zpa_policy_access_rule_reorder.md)
+
+## Example Usage - REDIRECT_DEFAULT
+
+```terraform
+resource "zpa_policy_redirection_rule" "this" {
+  name                          = "Example"
+  description                   = "Example"
+  action                        = "REDIRECT_DEFAULT"
+
+  conditions {
+    operator = "OR"
+    operands {
+      object_type = "CLIENT_TYPE"
+      values      = ["zpn_client_type_branch_connector"]
+    }
+  }
+}
+```
+
+## Example Usage - REDIRECT_PREFERRED
+
+```terraform
+data "zpa_service_edge_group" "this" {
+    name = "Service_Edge_Group01
+}
+
+resource "zpa_policy_redirection_rule" "this" {
+  name                          = "Example"
+  description                   = "Example"
+  action                        = "REDIRECT_PREFERRED"
+
+  conditions {
+    operator = "OR"
+    operands {
+      object_type = "CLIENT_TYPE"
+      values      = ["zpn_client_type_branch_connector"]
+    }
+  }
+  service_edge_groups {
+    id = [ data.zpa_service_edge_group.this.id ]
+  }
+}
+```
+
+## Example Usage - REDIRECT_ALWAYS
+
+```terraform
+data "zpa_service_edge_group" "this" {
+    name = "Service_Edge_Group01
+}
+
+resource "zpa_policy_redirection_rule" "this" {
+  name                          = "Example"
+  description                   = "Example"
+  action                        = "REDIRECT_ALWAYS"
+
+  conditions {
+    operator = "OR"
+    operands {
+      object_type = "CLIENT_TYPE"
+      values      = ["zpn_client_type_branch_connector"]
+    }
+  }
+  service_edge_groups {
+    id = [ data.zpa_service_edge_group.this.id ]
+  }
+}
+```
+
+## Schema
+
+### Required
+
+- `name` (String) This is the name of the forwarding policy rule.
+- `action` (String) This is for providing the rule action.
+  * The supported actions for a policy isolation rule are: ``BYPASS_ISOLATE``, or ``ISOLATE``
+- `zpn_isolation_profile_id` (String) Use [zpa_isolation_profile](https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_isolation_profile) data source to retrieve the necessary Isolation profile ID ``zpn_isolation_profile_id``
+
+### Optional
+
+- `policy_set_id` - (String) Use [zpa_policy_type](https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_policy_type) data source to retrieve the necessary policy Set ID ``policy_set_id``
+    ~> **NOTE** As of v3.2.0 the ``policy_set_id`` attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations.
+- `description` - (String) This is the description of the access policy rule.
+- `operator` (String) Supported values: ``AND``, ``OR``
+- `rule_order` (String, Deprecated)
+
+    ⚠️ **WARNING:**: The attribute ``rule_order`` is now deprecated in favor of the new resource  [``policy_access_rule_reorder``](zpa_policy_access_rule_reorder.md)
+
+- `microtenant_id` (String) The ID of the microtenant the resource is to be associated with.
+
+⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method.
+
+- `conditions` (Block Set)
+Specifies the set of conditions for the policy rule.
+  - `operator` (String) Supported values: ``AND``, and ``OR``
+  - `microtenant_id` (String) The ID of the microtenant the resource is to be associated with.
+
+  ⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method.
+
+  - `operands` (Block Set) - Operands block must be repeated if multiple per `object_type` conditions are to be added to the rule.
+    - `lhs` (String) LHS must always carry the string value ``id`` or the attribute ID of the resource being associated with the rule.
+    - `rhs` (String) RHS is either the ID attribute of a resource or fixed string value. Refer to the chart below for further details.
+    - `idp_id` (String)
+    - `object_type` (String) This is for specifying the policy critiera. Supported values: `CLIENT_TYPE`, `COUNTRY_CODE`.
+        - `CLIENT_TYPE` (String) - The below options are the only ones supported in a timeout policy rule.
+            - ``zpn_client_type_machine_tunnel``
+            - ``zpn_client_type_edge_connector``
+            - ``zpn_client_type_zapp``
+            - ``zpn_client_type_zapp_partner``
+            - ``zpn_client_type_branch_connector``
+
+        - `COUNTRY_CODE` (String) - Use a standard 2 letter `ISO3166 Alpha2` Country codes. See list [here](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes)
+    - `microtenant_id` (String) The ID of the microtenant the resource is to be associated with.
+
+    ⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method.
+
+## Import
+
+Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language.
+[Visit](https://github.com/zscaler/zscaler-terraformer)
+
+Policy Access Isolation Rule can be imported by using `<POLICY REDIRECTION RULE ID>` as the import ID.
+
+For example:
+
+```shell
+terraform import zpa_policy_isolation_rule.example <rule_id>
+```

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-docs v0.19.4
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
-	github.com/zscaler/zscaler-sdk-go/v2 v2.61.12
+	github.com/zscaler/zscaler-sdk-go/v2 v2.70.0
 )
 
 require (

go.sum

@@ -441,8 +441,8 @@ github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgr
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v2 v2.61.12 h1:UVdddc8UZEzu/5uLtuaYcKd2yivMdaUxubJZEkrS/l4=
-github.com/zscaler/zscaler-sdk-go/v2 v2.61.12/go.mod h1:GDYmG+wN13d/chGX6r6T95Gqbqq3UejMxfDud6FORJc=
+github.com/zscaler/zscaler-sdk-go/v2 v2.70.0 h1:pabyVnCNIs+EOSqDK6ROR+8H9HHhrmFfzZPUTdbZ3GY=
+github.com/zscaler/zscaler-sdk-go/v2 v2.70.0/go.mod h1:GDYmG+wN13d/chGX6r6T95Gqbqq3UejMxfDud6FORJc=
 go.abhg.dev/goldmark/frontmatter v0.2.0 h1:P8kPG0YkL12+aYk2yU3xHv4tcXzeVnN+gU0tJ5JnxRw=
 go.abhg.dev/goldmark/frontmatter v0.2.0/go.mod h1:XqrEkZuM57djk7zrlRUB02x8I5J0px76YjkOzhB4YlU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=

zpa/common.go

@@ -1190,15 +1190,16 @@ func fetchPolicySetIDByType(client *Client, policyType string, microTenantID str
 // ConvertV1ResponseToV2Request converts a PolicyRuleResource (API v1 response) to a PolicyRule (API v2 request) with aggregated values.
 func ConvertV1ResponseToV2Request(v1Response policysetcontrollerv2.PolicyRuleResource) policysetcontrollerv2.PolicyRule {
 	v2Request := policysetcontrollerv2.PolicyRule{
-		ID:                    v1Response.ID,
-		Name:                  v1Response.Name,
-		Description:           v1Response.Description,
-		Action:                v1Response.Action,
-		PolicySetID:           v1Response.PolicySetID,
-		Operator:              v1Response.Operator,
-		CustomMsg:             v1Response.CustomMsg,
-		ZpnIsolationProfileID: v1Response.ZpnIsolationProfileID,
-		Conditions:            make([]policysetcontrollerv2.PolicyRuleResourceConditions, 0),
+		ID:                     v1Response.ID,
+		Name:                   v1Response.Name,
+		Description:            v1Response.Description,
+		Action:                 v1Response.Action,
+		PolicySetID:            v1Response.PolicySetID,
+		Operator:               v1Response.Operator,
+		CustomMsg:              v1Response.CustomMsg,
+		ZpnIsolationProfileID:  v1Response.ZpnIsolationProfileID,
+		ZpnInspectionProfileID: v1Response.ZpnInspectionProfileID,
+		Conditions:             make([]policysetcontrollerv2.PolicyRuleResourceConditions, 0),
 	}
 
 	for _, condition := range v1Response.Conditions {

zpa/common/version.go

@@ -1,6 +1,6 @@
 package common
 
-var version = "3.3.25"
+var version = "3.32.0"
 
 // Version returns version of provider
 func Version() string {

zpa/data_source_zpa_application_segment_by_type_test.go

@@ -39,8 +39,8 @@ func testAccDataSourceApplicationSegmentByTypeCheck(application_type string) res
 func testAccCheckDataSourceApplicationSegmentByTypeConfig_basic(resourceNameSuffix, domainNameSuffix string) string {
 	return fmt.Sprintf(`
 resource "zpa_segment_group" "this" {
-  name                   = "tf-acc-test-01"
-  description            = "tf-acc-test-01"
+  name                   = "tf-acc-test-10"
+  description            = "tf-acc-test-10"
   enabled                = true
 }
 
@@ -64,6 +64,7 @@ resource "zpa_application_segment_pra" "this" {
       app_types = [ "SECURE_REMOTE_ACCESS" ]
     }
   }
+  depends_on = [zpa_segment_group.this]
 }
 
 data "zpa_ba_certificate" "jenkins" {
@@ -91,6 +92,7 @@ resource "zpa_application_segment_inspection" "this" {
       app_types            = [ "INSPECT" ]
     }
   }
+  depends_on = [zpa_segment_group.this]
 }
 
 resource "zpa_application_segment_browser_access" "this" {
@@ -112,6 +114,7 @@ resource "zpa_application_segment_browser_access" "this" {
         certificate_id        = data.zpa_ba_certificate.jenkins.id
         trust_untrusted_cert  = true
     }
+  depends_on = [zpa_segment_group.this]
 }
 
 data "zpa_application_segment_by_type" "pra" {

zpa/provider_sweeper_test.go

@@ -30,7 +30,6 @@ import (
 	"github.com/zscaler/zscaler-sdk-go/v2/zpa/services/privilegedremoteaccess/pracredential"
 	"github.com/zscaler/zscaler-sdk-go/v2/zpa/services/privilegedremoteaccess/praportal"
 	"github.com/zscaler/zscaler-sdk-go/v2/zpa/services/provisioningkey"
-	"github.com/zscaler/zscaler-sdk-go/v2/zpa/services/segmentgroup"
 	"github.com/zscaler/zscaler-sdk-go/v2/zpa/services/servergroup"
 	"github.com/zscaler/zscaler-sdk-go/v2/zpa/services/serviceedgegroup"
 )
@@ -101,7 +100,7 @@ func TestRunForcedSweeper(t *testing.T) {
 	sweepTestLSSConfigController(testClient) // TODO: Tests is failing on QA2 tenant. Needs further investigation.
 	sweepTestAccessPolicyRuleByType(testClient)
 	sweepTestProvisioningKey(testClient)
-	sweepTestSegmentGroup(testClient)
+	// sweepTestSegmentGroup(testClient)
 	sweepTestServerGroup(testClient)
 	sweepTestServiceEdgeGroup(testClient)
 	sweepTestCBIBanner(testClient)
@@ -493,32 +492,34 @@ func sweepTestProvisioningKey(client *testClient) error {
 	return condenseError(errorList)
 }
 
-func sweepTestSegmentGroup(client *testClient) error {
-	var errorList []error
-	group, _, err := segmentgroup.GetAll(client.sdkClient.SegmentGroup)
-	if err != nil {
-		return err
-	}
-	// Logging the number of identified resources before the deletion loop
-	sweeperLogger.Warn(fmt.Sprintf("Found %d resources to sweep", len(group)))
-	for _, b := range group {
-		// Check if the resource name has the required prefix before deleting it
-		if strings.HasPrefix(b.Name, testResourcePrefix) || strings.HasPrefix(b.Name, updateResourcePrefix) {
-			if _, err := segmentgroup.Delete(client.sdkClient.SegmentGroup, b.ID); err != nil {
-				errorList = append(errorList, err)
-				continue
+/*
+	func sweepTestSegmentGroup(client *testClient) error {
+		var errorList []error
+		group, _, err := segmentgroup.GetAll(client.sdkClient.SegmentGroup)
+		if err != nil {
+			return err
+		}
+		// Logging the number of identified resources before the deletion loop
+		sweeperLogger.Warn(fmt.Sprintf("Found %d resources to sweep", len(group)))
+		for _, b := range group {
+			// Check if the resource name has the required prefix before deleting it
+			if strings.HasPrefix(b.Name, testResourcePrefix) || strings.HasPrefix(b.Name, updateResourcePrefix) {
+				if _, err := segmentgroup.Delete(client.sdkClient.SegmentGroup, b.ID); err != nil {
+					errorList = append(errorList, err)
+					continue
+				}
+				logSweptResource(resourcetype.ZPASegmentGroup, fmt.Sprintf(b.ID), b.Name)
 			}
-			logSweptResource(resourcetype.ZPASegmentGroup, fmt.Sprintf(b.ID), b.Name)
 		}
-	}
-	// Log errors encountered during the deletion process
-	if len(errorList) > 0 {
-		for _, err := range errorList {
-			sweeperLogger.Error(err.Error())
+		// Log errors encountered during the deletion process
+		if len(errorList) > 0 {
+			for _, err := range errorList {
+				sweeperLogger.Error(err.Error())
+			}
 		}
+		return condenseError(errorList)
 	}
-	return condenseError(errorList)
-}
+*/
 
 func sweepTestServerGroup(client *testClient) error {
 	var errorList []error

zpa/provider_test.go

@@ -53,7 +53,7 @@ func TestMain(m *testing.M) {
 		setupSweeper(resourcetype.ZPAInspectionCustomControl, sweepTestInspectionCustomControl)
 		setupSweeper(resourcetype.ZPAInspectionProfile, sweepTestInspectionProfile)
 		setupSweeper(resourcetype.ZPALSSController, sweepTestLSSConfigController)
-		setupSweeper(resourcetype.ZPASegmentGroup, sweepTestSegmentGroup)
+		// setupSweeper(resourcetype.ZPASegmentGroup, sweepTestSegmentGroup)
 		setupSweeper(resourcetype.ZPAServerGroup, sweepTestServerGroup)
 		setupSweeper(resourcetype.ZPAServiceEdgeGroup, sweepTestServiceEdgeGroup)
 		setupSweeper(resourcetype.ZPAPolicyAccessRule, sweepTestAccessPolicyRuleByType)

zpa/resource_zpa_policy_access_inspection_rule_v2.go

@@ -18,7 +18,6 @@ func resourcePolicyInspectionRuleV2() *schema.Resource {
 		Importer: &schema.ResourceImporter{
 			StateContext: importPolicyStateContextFuncV2([]string{"INSPECTION_POLICY"}),
 		},
-
 		Schema: map[string]*schema.Schema{
 			"id": {
 				Type:     schema.TypeString,

zpa/resource_zpa_policy_access_inspection_rule_v2_test.go

@@ -35,20 +35,13 @@ func TestAccResourcePolicyInspectionRuleV2_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceTypeAndName, "action", "INSPECT"),
 					resource.TestCheckResourceAttr(resourceTypeAndName, "conditions.#", "1"),
 				),
-				// ExpectNonEmptyPlan: true,
-			},
-			// Import test
-			{
-				ResourceName:      resourceTypeAndName,
-				ImportState:       true,
-				ImportStateVerify: true,
 			},
 			// Update test
 			{
-				Config: testAccCheckPolicyInspectionRuleConfigure(resourceTypeAndName, generatedName, updatedRName, randDesc),
+				Config: testAccCheckPolicyInspectionRuleV2Configure(resourceTypeAndName, generatedName, updatedRName, randDesc),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckPolicyInspectionRuleV2Exists(resourceTypeAndName),
-					resource.TestCheckResourceAttr(resourceTypeAndName, "name", rName),
+					resource.TestCheckResourceAttr(resourceTypeAndName, "name", updatedRName),
 					resource.TestCheckResourceAttr(resourceTypeAndName, "description", randDesc),
 					resource.TestCheckResourceAttr(resourceTypeAndName, "action", "INSPECT"),
 					resource.TestCheckResourceAttr(resourceTypeAndName, "conditions.#", "1"),

zpa/version.go

@@ -1,4 +1,4 @@
 package zpa
 
 // ProviderVersion is set at build-time in the release process
-var ProviderVersion = "3.3.25"
+var ProviderVersion = "3.32.0"