From 4ad874bdd730e3ba17ee9f5bbe79bd2be52bd48e Mon Sep 17 00:00:00 2001 From: GitHub Terraform Date: Wed, 24 Jul 2024 19:14:03 -0700 Subject: [PATCH] doc: Fixed Policy Rule documentation --- docs/resources/zpa_policy_redirection_rule.md | 145 ++++++++++++++++++ go.mod | 2 +- go.sum | 4 +- zpa/common.go | 19 +-- zpa/common/version.go | 2 +- ...ce_zpa_application_segment_by_type_test.go | 7 +- zpa/provider_sweeper_test.go | 49 +++--- zpa/provider_test.go | 2 +- ...ce_zpa_policy_access_inspection_rule_v2.go | 1 - ...a_policy_access_inspection_rule_v2_test.go | 11 +- zpa/version.go | 2 +- 11 files changed, 193 insertions(+), 51 deletions(-) create mode 100644 docs/resources/zpa_policy_redirection_rule.md diff --git a/docs/resources/zpa_policy_redirection_rule.md b/docs/resources/zpa_policy_redirection_rule.md new file mode 100644 index 00000000..a8941202 --- /dev/null +++ b/docs/resources/zpa_policy_redirection_rule.md @@ -0,0 +1,145 @@ +--- +page_title: "zpa_policy_redirection_rule Resource - terraform-provider-zpa" +subcategory: "Policy Set Controller" +description: |- + Official documentation https://help.zscaler.com/zpa/about-redirection-policy + API documentation https://help.zscaler.com/zpa/configuring-redirection-policies-using-api + Creates and manages ZPA Policy Access Redirection Rule. +--- + +# zpa_policy_redirection_rule (Resource) + +* [Official documentation](https://help.zscaler.com/zpa/about-redirection-policy) +* [API documentation](https://help.zscaler.com/zpa/configuring-redirection-policies-using-api) + +The **zpa_policy_redirection_rule** resource creates a policy redirection access rule in the Zscaler Private Access cloud. + + ⚠️ **WARNING:**: The attribute ``rule_order`` is now deprecated in favor of the new resource [``policy_access_rule_reorder``](zpa_policy_access_rule_reorder.md) + +## Example Usage - REDIRECT_DEFAULT + +```terraform +resource "zpa_policy_redirection_rule" "this" { + name = "Example" + description = "Example" + action = "REDIRECT_DEFAULT" + + conditions { + operator = "OR" + operands { + object_type = "CLIENT_TYPE" + values = ["zpn_client_type_branch_connector"] + } + } +} +``` + +## Example Usage - REDIRECT_PREFERRED + +```terraform +data "zpa_service_edge_group" "this" { + name = "Service_Edge_Group01 +} + +resource "zpa_policy_redirection_rule" "this" { + name = "Example" + description = "Example" + action = "REDIRECT_PREFERRED" + + conditions { + operator = "OR" + operands { + object_type = "CLIENT_TYPE" + values = ["zpn_client_type_branch_connector"] + } + } + service_edge_groups { + id = [ data.zpa_service_edge_group.this.id ] + } +} +``` + +## Example Usage - REDIRECT_ALWAYS + +```terraform +data "zpa_service_edge_group" "this" { + name = "Service_Edge_Group01 +} + +resource "zpa_policy_redirection_rule" "this" { + name = "Example" + description = "Example" + action = "REDIRECT_ALWAYS" + + conditions { + operator = "OR" + operands { + object_type = "CLIENT_TYPE" + values = ["zpn_client_type_branch_connector"] + } + } + service_edge_groups { + id = [ data.zpa_service_edge_group.this.id ] + } +} +``` + +## Schema + +### Required + +- `name` (String) This is the name of the forwarding policy rule. +- `action` (String) This is for providing the rule action. + * The supported actions for a policy isolation rule are: ``BYPASS_ISOLATE``, or ``ISOLATE`` +- `zpn_isolation_profile_id` (String) Use [zpa_isolation_profile](https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_isolation_profile) data source to retrieve the necessary Isolation profile ID ``zpn_isolation_profile_id`` + +### Optional + +- `policy_set_id` - (String) Use [zpa_policy_type](https://registry.terraform.io/providers/zscaler/zpa/latest/docs/data-sources/zpa_policy_type) data source to retrieve the necessary policy Set ID ``policy_set_id`` + ~> **NOTE** As of v3.2.0 the ``policy_set_id`` attribute is now optional, and will be automatically determined based on the policy type being configured. The attribute is being kept for backwards compatibility, but can be safely removed from existing configurations. +- `description` - (String) This is the description of the access policy rule. +- `operator` (String) Supported values: ``AND``, ``OR`` +- `rule_order` (String, Deprecated) + + ⚠️ **WARNING:**: The attribute ``rule_order`` is now deprecated in favor of the new resource [``policy_access_rule_reorder``](zpa_policy_access_rule_reorder.md) + +- `microtenant_id` (String) The ID of the microtenant the resource is to be associated with. + +⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method. + +- `conditions` (Block Set) +Specifies the set of conditions for the policy rule. + - `operator` (String) Supported values: ``AND``, and ``OR`` + - `microtenant_id` (String) The ID of the microtenant the resource is to be associated with. + + ⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method. + + - `operands` (Block Set) - Operands block must be repeated if multiple per `object_type` conditions are to be added to the rule. + - `lhs` (String) LHS must always carry the string value ``id`` or the attribute ID of the resource being associated with the rule. + - `rhs` (String) RHS is either the ID attribute of a resource or fixed string value. Refer to the chart below for further details. + - `idp_id` (String) + - `object_type` (String) This is for specifying the policy critiera. Supported values: `CLIENT_TYPE`, `COUNTRY_CODE`. + - `CLIENT_TYPE` (String) - The below options are the only ones supported in a timeout policy rule. + - ``zpn_client_type_machine_tunnel`` + - ``zpn_client_type_edge_connector`` + - ``zpn_client_type_zapp`` + - ``zpn_client_type_zapp_partner`` + - ``zpn_client_type_branch_connector`` + + - `COUNTRY_CODE` (String) - Use a standard 2 letter `ISO3166 Alpha2` Country codes. See list [here](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes) + - `microtenant_id` (String) The ID of the microtenant the resource is to be associated with. + + ⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method. + +## Import + +Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZPA configurations into Terraform-compliant HashiCorp Configuration Language. +[Visit](https://github.com/zscaler/zscaler-terraformer) + +Policy Access Isolation Rule can be imported by using `` as the import ID. + +For example: + +```shell +terraform import zpa_policy_isolation_rule.example +``` diff --git a/go.mod b/go.mod index 726b3b56..40306002 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/hashicorp/terraform-plugin-docs v0.19.4 github.com/hashicorp/terraform-plugin-sdk v1.17.2 github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0 - github.com/zscaler/zscaler-sdk-go/v2 v2.61.12 + github.com/zscaler/zscaler-sdk-go/v2 v2.70.0 ) require ( diff --git a/go.sum b/go.sum index 4886e43e..a2ea9c0b 100644 --- a/go.sum +++ b/go.sum @@ -441,8 +441,8 @@ github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgr github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI= github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0= -github.com/zscaler/zscaler-sdk-go/v2 v2.61.12 h1:UVdddc8UZEzu/5uLtuaYcKd2yivMdaUxubJZEkrS/l4= -github.com/zscaler/zscaler-sdk-go/v2 v2.61.12/go.mod h1:GDYmG+wN13d/chGX6r6T95Gqbqq3UejMxfDud6FORJc= +github.com/zscaler/zscaler-sdk-go/v2 v2.70.0 h1:pabyVnCNIs+EOSqDK6ROR+8H9HHhrmFfzZPUTdbZ3GY= +github.com/zscaler/zscaler-sdk-go/v2 v2.70.0/go.mod h1:GDYmG+wN13d/chGX6r6T95Gqbqq3UejMxfDud6FORJc= go.abhg.dev/goldmark/frontmatter v0.2.0 h1:P8kPG0YkL12+aYk2yU3xHv4tcXzeVnN+gU0tJ5JnxRw= go.abhg.dev/goldmark/frontmatter v0.2.0/go.mod h1:XqrEkZuM57djk7zrlRUB02x8I5J0px76YjkOzhB4YlU= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= diff --git a/zpa/common.go b/zpa/common.go index ba56964b..ee263e46 100644 --- a/zpa/common.go +++ b/zpa/common.go @@ -1190,15 +1190,16 @@ func fetchPolicySetIDByType(client *Client, policyType string, microTenantID str // ConvertV1ResponseToV2Request converts a PolicyRuleResource (API v1 response) to a PolicyRule (API v2 request) with aggregated values. func ConvertV1ResponseToV2Request(v1Response policysetcontrollerv2.PolicyRuleResource) policysetcontrollerv2.PolicyRule { v2Request := policysetcontrollerv2.PolicyRule{ - ID: v1Response.ID, - Name: v1Response.Name, - Description: v1Response.Description, - Action: v1Response.Action, - PolicySetID: v1Response.PolicySetID, - Operator: v1Response.Operator, - CustomMsg: v1Response.CustomMsg, - ZpnIsolationProfileID: v1Response.ZpnIsolationProfileID, - Conditions: make([]policysetcontrollerv2.PolicyRuleResourceConditions, 0), + ID: v1Response.ID, + Name: v1Response.Name, + Description: v1Response.Description, + Action: v1Response.Action, + PolicySetID: v1Response.PolicySetID, + Operator: v1Response.Operator, + CustomMsg: v1Response.CustomMsg, + ZpnIsolationProfileID: v1Response.ZpnIsolationProfileID, + ZpnInspectionProfileID: v1Response.ZpnInspectionProfileID, + Conditions: make([]policysetcontrollerv2.PolicyRuleResourceConditions, 0), } for _, condition := range v1Response.Conditions { diff --git a/zpa/common/version.go b/zpa/common/version.go index 46eda84e..e5ed2a10 100644 --- a/zpa/common/version.go +++ b/zpa/common/version.go @@ -1,6 +1,6 @@ package common -var version = "3.3.25" +var version = "3.32.0" // Version returns version of provider func Version() string { diff --git a/zpa/data_source_zpa_application_segment_by_type_test.go b/zpa/data_source_zpa_application_segment_by_type_test.go index b3b50c22..f6a5a9ee 100644 --- a/zpa/data_source_zpa_application_segment_by_type_test.go +++ b/zpa/data_source_zpa_application_segment_by_type_test.go @@ -39,8 +39,8 @@ func testAccDataSourceApplicationSegmentByTypeCheck(application_type string) res func testAccCheckDataSourceApplicationSegmentByTypeConfig_basic(resourceNameSuffix, domainNameSuffix string) string { return fmt.Sprintf(` resource "zpa_segment_group" "this" { - name = "tf-acc-test-01" - description = "tf-acc-test-01" + name = "tf-acc-test-10" + description = "tf-acc-test-10" enabled = true } @@ -64,6 +64,7 @@ resource "zpa_application_segment_pra" "this" { app_types = [ "SECURE_REMOTE_ACCESS" ] } } + depends_on = [zpa_segment_group.this] } data "zpa_ba_certificate" "jenkins" { @@ -91,6 +92,7 @@ resource "zpa_application_segment_inspection" "this" { app_types = [ "INSPECT" ] } } + depends_on = [zpa_segment_group.this] } resource "zpa_application_segment_browser_access" "this" { @@ -112,6 +114,7 @@ resource "zpa_application_segment_browser_access" "this" { certificate_id = data.zpa_ba_certificate.jenkins.id trust_untrusted_cert = true } + depends_on = [zpa_segment_group.this] } data "zpa_application_segment_by_type" "pra" { diff --git a/zpa/provider_sweeper_test.go b/zpa/provider_sweeper_test.go index 282eb944..e3e6edb6 100644 --- a/zpa/provider_sweeper_test.go +++ b/zpa/provider_sweeper_test.go @@ -30,7 +30,6 @@ import ( "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/privilegedremoteaccess/pracredential" "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/privilegedremoteaccess/praportal" "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/provisioningkey" - "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/segmentgroup" "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/servergroup" "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/serviceedgegroup" ) @@ -101,7 +100,7 @@ func TestRunForcedSweeper(t *testing.T) { sweepTestLSSConfigController(testClient) // TODO: Tests is failing on QA2 tenant. Needs further investigation. sweepTestAccessPolicyRuleByType(testClient) sweepTestProvisioningKey(testClient) - sweepTestSegmentGroup(testClient) + // sweepTestSegmentGroup(testClient) sweepTestServerGroup(testClient) sweepTestServiceEdgeGroup(testClient) sweepTestCBIBanner(testClient) @@ -493,32 +492,34 @@ func sweepTestProvisioningKey(client *testClient) error { return condenseError(errorList) } -func sweepTestSegmentGroup(client *testClient) error { - var errorList []error - group, _, err := segmentgroup.GetAll(client.sdkClient.SegmentGroup) - if err != nil { - return err - } - // Logging the number of identified resources before the deletion loop - sweeperLogger.Warn(fmt.Sprintf("Found %d resources to sweep", len(group))) - for _, b := range group { - // Check if the resource name has the required prefix before deleting it - if strings.HasPrefix(b.Name, testResourcePrefix) || strings.HasPrefix(b.Name, updateResourcePrefix) { - if _, err := segmentgroup.Delete(client.sdkClient.SegmentGroup, b.ID); err != nil { - errorList = append(errorList, err) - continue +/* + func sweepTestSegmentGroup(client *testClient) error { + var errorList []error + group, _, err := segmentgroup.GetAll(client.sdkClient.SegmentGroup) + if err != nil { + return err + } + // Logging the number of identified resources before the deletion loop + sweeperLogger.Warn(fmt.Sprintf("Found %d resources to sweep", len(group))) + for _, b := range group { + // Check if the resource name has the required prefix before deleting it + if strings.HasPrefix(b.Name, testResourcePrefix) || strings.HasPrefix(b.Name, updateResourcePrefix) { + if _, err := segmentgroup.Delete(client.sdkClient.SegmentGroup, b.ID); err != nil { + errorList = append(errorList, err) + continue + } + logSweptResource(resourcetype.ZPASegmentGroup, fmt.Sprintf(b.ID), b.Name) } - logSweptResource(resourcetype.ZPASegmentGroup, fmt.Sprintf(b.ID), b.Name) } - } - // Log errors encountered during the deletion process - if len(errorList) > 0 { - for _, err := range errorList { - sweeperLogger.Error(err.Error()) + // Log errors encountered during the deletion process + if len(errorList) > 0 { + for _, err := range errorList { + sweeperLogger.Error(err.Error()) + } } + return condenseError(errorList) } - return condenseError(errorList) -} +*/ func sweepTestServerGroup(client *testClient) error { var errorList []error diff --git a/zpa/provider_test.go b/zpa/provider_test.go index a5fd3447..6f12de15 100644 --- a/zpa/provider_test.go +++ b/zpa/provider_test.go @@ -53,7 +53,7 @@ func TestMain(m *testing.M) { setupSweeper(resourcetype.ZPAInspectionCustomControl, sweepTestInspectionCustomControl) setupSweeper(resourcetype.ZPAInspectionProfile, sweepTestInspectionProfile) setupSweeper(resourcetype.ZPALSSController, sweepTestLSSConfigController) - setupSweeper(resourcetype.ZPASegmentGroup, sweepTestSegmentGroup) + // setupSweeper(resourcetype.ZPASegmentGroup, sweepTestSegmentGroup) setupSweeper(resourcetype.ZPAServerGroup, sweepTestServerGroup) setupSweeper(resourcetype.ZPAServiceEdgeGroup, sweepTestServiceEdgeGroup) setupSweeper(resourcetype.ZPAPolicyAccessRule, sweepTestAccessPolicyRuleByType) diff --git a/zpa/resource_zpa_policy_access_inspection_rule_v2.go b/zpa/resource_zpa_policy_access_inspection_rule_v2.go index 55fadd41..cef7ebd8 100644 --- a/zpa/resource_zpa_policy_access_inspection_rule_v2.go +++ b/zpa/resource_zpa_policy_access_inspection_rule_v2.go @@ -18,7 +18,6 @@ func resourcePolicyInspectionRuleV2() *schema.Resource { Importer: &schema.ResourceImporter{ StateContext: importPolicyStateContextFuncV2([]string{"INSPECTION_POLICY"}), }, - Schema: map[string]*schema.Schema{ "id": { Type: schema.TypeString, diff --git a/zpa/resource_zpa_policy_access_inspection_rule_v2_test.go b/zpa/resource_zpa_policy_access_inspection_rule_v2_test.go index 451581e5..f13c3d6e 100644 --- a/zpa/resource_zpa_policy_access_inspection_rule_v2_test.go +++ b/zpa/resource_zpa_policy_access_inspection_rule_v2_test.go @@ -35,20 +35,13 @@ func TestAccResourcePolicyInspectionRuleV2_Basic(t *testing.T) { resource.TestCheckResourceAttr(resourceTypeAndName, "action", "INSPECT"), resource.TestCheckResourceAttr(resourceTypeAndName, "conditions.#", "1"), ), - // ExpectNonEmptyPlan: true, - }, - // Import test - { - ResourceName: resourceTypeAndName, - ImportState: true, - ImportStateVerify: true, }, // Update test { - Config: testAccCheckPolicyInspectionRuleConfigure(resourceTypeAndName, generatedName, updatedRName, randDesc), + Config: testAccCheckPolicyInspectionRuleV2Configure(resourceTypeAndName, generatedName, updatedRName, randDesc), Check: resource.ComposeTestCheckFunc( testAccCheckPolicyInspectionRuleV2Exists(resourceTypeAndName), - resource.TestCheckResourceAttr(resourceTypeAndName, "name", rName), + resource.TestCheckResourceAttr(resourceTypeAndName, "name", updatedRName), resource.TestCheckResourceAttr(resourceTypeAndName, "description", randDesc), resource.TestCheckResourceAttr(resourceTypeAndName, "action", "INSPECT"), resource.TestCheckResourceAttr(resourceTypeAndName, "conditions.#", "1"), diff --git a/zpa/version.go b/zpa/version.go index a3c51a87..47b26610 100644 --- a/zpa/version.go +++ b/zpa/version.go @@ -1,4 +1,4 @@ package zpa // ProviderVersion is set at build-time in the release process -var ProviderVersion = "3.3.25" +var ProviderVersion = "3.32.0"