fix: Fixed Application Segment Inspection Drift

CHANGELOG.md

@@ -1,17 +1,21 @@
 # Changelog
 
-## 3.3.30 (June, 2 2024)
+## 3.3.25 (July, 2 2024)
 
 ### Notes
 
-- Release date: **(June, 14 2024)**
+- Release date: **(July, 2 2024)**
 - Supported Terraform version: **v1.x**
 
 ### Deprecations
 - [PR #468](https://github.com/zscaler/terraform-provider-zpa/pull/468) The following attributes are not deprecated:
   - ``zpa_application_segment_browser_access``: `cname`, `hidden`, `local_name`, `path`
   - ``zpa_application_segment_pra``: `cname`, `segment_group_name`
 
+### Bug Fixes
+- [PR #468](https://github.com/zscaler/terraform-provider-zpa/pull/468) Fixed `zpa_application_segment_inspection` drift issues within `common_apps_dto` and `tcp_port_range`
+
+
 ## 3.3.24 (June, 14 2024)
 
 ### Notes

docs/guides/release-notes.md

@@ -12,10 +12,25 @@ Track all ZPA Terraform provider's releases. New resources, features, and bug fi
 
 ---
 
-``Last updated: v3.3.24``
+``Last updated: v3.3.25``
 
 ---
 
+## 3.3.25 (July, 2 2024)
+
+### Notes
+
+- Release date: **(July, 2 2024)**
+- Supported Terraform version: **v1.x**
+
+### Deprecations
+- [PR #468](https://github.com/zscaler/terraform-provider-zpa/pull/468) The following attributes are not deprecated:
+  - ``zpa_application_segment_browser_access``: `cname`, `hidden`, `local_name`, `path`
+  - ``zpa_application_segment_pra``: `cname`, `segment_group_name`
+
+### Bug Fixes
+- [PR #468](https://github.com/zscaler/terraform-provider-zpa/pull/468) Fixed `zpa_application_segment_inspection` drift issues within `common_apps_dto` and `tcp_port_range`
+
 ## 3.3.24 (June, 14 2024)
 
 ### Notes

docs/resources/zpa_application_segment_inspection.md

@@ -72,8 +72,9 @@ The following arguments are supported:
 - `tcp_port_ranges` - (List of String) TCP port ranges used to access the app.
 - `udp_port_ranges` - (List of String) UDP port ranges used to access the app.
 
+!> **WARNING:** Removing PRA applications from the `common_apps_dto.apps_config` block will cause the provider to force a replacement of the application segment.
+
 -> **NOTE:**  TCP and UDP ports can also be defined using the following model:
--> **NOTE:** When removing TCP and/or UDP ports, parameter must be defined but set as empty due to current API behavior.
 
 - `tcp_port_range` - (Block Set) TCP port ranges used to access the app.
   - `from:` (String) The starting port for a port range.

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/hashicorp/terraform-plugin-docs v0.19.4
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
-	github.com/zscaler/zscaler-sdk-go/v2 v2.61.4
+	github.com/zscaler/zscaler-sdk-go/v2 v2.61.5
 )
 
 require (

go.sum

@@ -441,8 +441,8 @@ github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgr
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v2 v2.61.4 h1:sXzIUt0QZrvBDDEOfroMsHn2jMe9WlB+qH1YXA/47Ho=
-github.com/zscaler/zscaler-sdk-go/v2 v2.61.4/go.mod h1:9x0nZWvx01g0VN0G+PqijowyN9fI4H+O8ekflXS+h/c=
+github.com/zscaler/zscaler-sdk-go/v2 v2.61.5 h1:dgLbmndNxELtp9/IEqEsPhkAo3RACCMgioVaJDx0rbo=
+github.com/zscaler/zscaler-sdk-go/v2 v2.61.5/go.mod h1:9x0nZWvx01g0VN0G+PqijowyN9fI4H+O8ekflXS+h/c=
 go.abhg.dev/goldmark/frontmatter v0.2.0 h1:P8kPG0YkL12+aYk2yU3xHv4tcXzeVnN+gU0tJ5JnxRw=
 go.abhg.dev/goldmark/frontmatter v0.2.0/go.mod h1:XqrEkZuM57djk7zrlRUB02x8I5J0px76YjkOzhB4YlU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=

zpa/resource_zpa_application_segment_inspection.go

@@ -61,11 +61,6 @@ func resourceApplicationSegmentInspection() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
-			"segment_group_name": {
-				Type:     schema.TypeString,
-				Optional: true,
-				Computed: true,
-			},
 			"bypass_type": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -205,7 +200,6 @@ func resourceApplicationSegmentInspection() *schema.Resource {
 			"common_apps_dto": {
 				Type:     schema.TypeSet,
 				Optional: true,
-				ForceNew: true,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
@@ -215,54 +209,50 @@ func resourceApplicationSegmentInspection() *schema.Resource {
 							ForceNew: true,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
-									"name": {
+									"id": {
 										Type:     schema.TypeString,
-										Optional: true,
-										ForceNew: true,
+										Computed: true,
 									},
-									"description": {
+									"name": {
 										Type:     schema.TypeString,
 										Optional: true,
-										ForceNew: true,
 									},
 									"enabled": {
 										Type:     schema.TypeBool,
 										Optional: true,
-										ForceNew: true,
+										Computed: true,
 									},
 									"app_types": {
 										Type:     schema.TypeSet,
 										Optional: true,
-										ForceNew: true,
 										Elem:     &schema.Schema{Type: schema.TypeString},
 									},
 									"application_port": {
 										Type:     schema.TypeString,
 										Optional: true,
-										ForceNew: true,
 									},
 									"application_protocol": {
 										Type:     schema.TypeString,
 										Optional: true,
-										ForceNew: true,
+										// ForceNew: true,
 										ValidateFunc: validation.StringInSlice([]string{
 											"HTTP",
 											"HTTPS",
 										}, false),
 									},
 									"certificate_id": {
-										Type:     schema.TypeString,
-										ForceNew: true,
+										Type: schema.TypeString,
+										// ForceNew: true,
 										Optional: true,
 									},
 									"domain": {
-										Type:     schema.TypeString,
-										ForceNew: true,
+										Type: schema.TypeString,
+										// ForceNew: true,
 										Optional: true,
 									},
 									"trust_untrusted_cert": {
-										Type:     schema.TypeBool,
-										ForceNew: true,
+										Type: schema.TypeBool,
+										// ForceNew: true,
 										Optional: true,
 									},
 								},
@@ -348,7 +338,6 @@ func resourceApplicationSegmentInspectionRead(d *schema.ResourceData, m interfac
 	log.Printf("[INFO] Getting sra application segment:\n%+v\n", resp)
 	d.SetId(resp.ID)
 	_ = d.Set("segment_group_id", resp.SegmentGroupID)
-	_ = d.Set("segment_group_name", resp.SegmentGroupName)
 	_ = d.Set("bypass_type", resp.BypassType)
 	_ = d.Set("config_space", resp.ConfigSpace)
 	_ = d.Set("domain_names", resp.DomainNames)
@@ -371,26 +360,30 @@ func resourceApplicationSegmentInspectionRead(d *schema.ResourceData, m interfac
 	_ = d.Set("udp_port_ranges", convertPortsToListString(resp.UDPAppPortRange))
 	_ = d.Set("server_groups", flattenInspectionAppServerGroupsSimple(resp.AppServerGroups))
 
-	if err := d.Set("common_apps_dto", flattenInspectionCommonAppsDto(d, resp.InspectionAppDto)); err != nil {
+	if err := d.Set("common_apps_dto", flattenInspectionCommonAppsDto(resp.InspectionAppDto)); err != nil {
 		return fmt.Errorf("failed to read common application in application segment %s", err)
 	}
 
 	if err := d.Set("tcp_port_range", flattenNetworkPorts(resp.TCPAppPortRange)); err != nil {
 		return err
 	}
 
-	if err := d.Set("tcp_port_range", flattenNetworkPorts(resp.UDPAppPortRange)); err != nil {
+	if err := d.Set("udp_port_range", flattenNetworkPorts(resp.UDPAppPortRange)); err != nil {
 		return err
 	}
 	return nil
 }
 
 func flattenInspectionAppServerGroupsSimple(serverGroup []applicationsegmentinspection.AppServerGroups) []interface{} {
-	ids := make([]interface{}, len(serverGroup))
+	result := make([]interface{}, 1)
+	mapIds := make(map[string]interface{})
+	ids := make([]string, len(serverGroup))
 	for i, group := range serverGroup {
 		ids[i] = group.ID
 	}
-	return ids
+	mapIds["id"] = ids
+	result[0] = mapIds
+	return result
 }
 
 func resourceApplicationSegmentInspectionUpdate(d *schema.ResourceData, m interface{}) error {
@@ -459,34 +452,11 @@ func resourceApplicationSegmentInspectionDelete(d *schema.ResourceData, m interf
 	return nil
 }
 
-/*
-	func detachInspectionPortalsFromGroup(client *Client, segmentID, segmentGroupID string) error {
-		log.Printf("[INFO] Detaching inspection application segment  %s from segment group: %s\n", segmentID, segmentGroupID)
-		service := client.SegmentGroup
-
-		segGroup, _, err := segmentgroup.Get(service, segmentGroupID)
-		if err != nil {
-			log.Printf("[error] Error while getting segment group id: %s", segmentGroupID)
-			return err
-		}
-		adaptedApplications := []segmentgroup.Application{}
-		for _, app := range segGroup.Applications {
-			if app.ID != segmentID {
-				adaptedApplications = append(adaptedApplications, app)
-			}
-		}
-		segGroup.Applications = adaptedApplications
-		_, err = segmentgroup.Update(service, segmentGroupID, segGroup)
-		return err
-	}
-*/
-
 func expandInspectionApplicationSegment(d *schema.ResourceData, zClient *Client, id string) applicationsegmentinspection.AppSegmentInspection {
 	details := applicationsegmentinspection.AppSegmentInspection{
 		ID:                        d.Id(),
 		Name:                      d.Get("name").(string),
 		SegmentGroupID:            d.Get("segment_group_id").(string),
-		SegmentGroupName:          d.Get("segment_group_name").(string),
 		BypassType:                d.Get("bypass_type").(string),
 		ConfigSpace:               d.Get("config_space").(string),
 		ICMPAccessType:            d.Get("icmp_access_type").(string),
@@ -512,9 +482,6 @@ func expandInspectionApplicationSegment(d *schema.ResourceData, zClient *Client,
 	if d.HasChange("name") {
 		details.Name = d.Get("name").(string)
 	}
-	if d.HasChange("segment_group_name") {
-		details.SegmentGroupName = d.Get("segment_group_name").(string)
-	}
 	if d.HasChange("server_groups") {
 		details.AppServerGroups = expandInspectionAppServerGroups(d)
 	}
@@ -561,20 +528,12 @@ func expandInspectionApplicationSegment(d *schema.ResourceData, zClient *Client,
 
 func expandInspectionCommonAppsDto(d *schema.ResourceData) applicationsegmentinspection.CommonAppsDto {
 	result := applicationsegmentinspection.CommonAppsDto{}
-	appsConfigInterface, ok := d.GetOk("common_apps_dto")
-	if !ok {
-		return result
-	}
-	appsConfigSet, ok := appsConfigInterface.(*schema.Set)
-	if !ok {
-		return result
-	}
-	for _, appconf := range appsConfigSet.List() {
-		appConfMap, ok := appconf.(map[string]interface{})
-		if !ok {
-			return result
+	if commonAppsInterface, ok := d.GetOk("common_apps_dto"); ok {
+		commonAppsList := commonAppsInterface.(*schema.Set).List()
+		if len(commonAppsList) > 0 {
+			commonAppMap := commonAppsList[0].(map[string]interface{})
+			result.AppsConfig = expandInspectionAppsConfig(commonAppMap["apps_config"])
 		}
-		result.AppsConfig = expandInspectionAppsConfig(appConfMap["apps_config"])
 	}
 	return result
 }
@@ -596,7 +555,6 @@ func expandInspectionAppsConfig(appsConfigInterface interface{}) []applicationse
 			appTypes := SetToStringSlice(appTypesSet)
 			commonAppConfigDto = append(commonAppConfigDto, applicationsegmentinspection.AppsConfig{
 				Name:                commonAppConfig["name"].(string),
-				Description:         commonAppConfig["description"].(string),
 				Enabled:             commonAppConfig["enabled"].(bool),
 				ApplicationPort:     commonAppConfig["application_port"].(string),
 				ApplicationProtocol: commonAppConfig["application_protocol"].(string),
@@ -632,38 +590,31 @@ func expandInspectionAppServerGroups(d *schema.ResourceData) []applicationsegmen
 	return []applicationsegmentinspection.AppServerGroups{}
 }
 
-func flattenInspectionCommonAppsDto(d *schema.ResourceData, apps []applicationsegmentinspection.InspectionAppDto) []interface{} {
-	commonApp := make([]interface{}, 1)
-	commonApp[0] = map[string]interface{}{
-		"apps_config": flattenInspectionAppsConfig(d, apps),
-	}
-	return commonApp
-}
-
-func flattenInspectionAppsConfig(d *schema.ResourceData, appConfigs []applicationsegmentinspection.InspectionAppDto) []interface{} {
-	cApp := expandInspectionCommonAppsDto(d)
-
-	appConfig := make([]interface{}, len(appConfigs))
-	for i, val := range appConfigs {
+func flattenInspectionCommonAppsDto(apps []applicationsegmentinspection.InspectionAppDto) []interface{} {
+	commonAppsDto := make([]interface{}, 1)
+	appsConfig := make([]interface{}, len(apps))
+	for i, app := range apps {
 		appTypes := []string{}
-		for _, a := range cApp.AppsConfig {
-			if a.Name == val.Name {
-				appTypes = a.AppTypes
-			}
+		if app.ApplicationProtocol == "HTTP" || app.ApplicationProtocol == "HTTPS" {
+			appTypes = append(appTypes, "INSPECT")
 		}
-		appConfig[i] = map[string]interface{}{
-			"name":                 val.Name,
-			"description":          val.Description,
-			"enabled":              val.Enabled,
-			"domain":               val.Domain,
-			"application_port":     val.ApplicationPort,
-			"certificate_id":       val.CertificateID,
-			"application_protocol": val.ApplicationProtocol,
-			"trust_untrusted_cert": val.TrustUntrustedCert,
+		appConfigMap := map[string]interface{}{
+			"id":                   app.ID,
+			"name":                 app.Name,
+			"enabled":              app.Enabled,
+			"domain":               app.Domain,
+			"application_port":     app.ApplicationPort,
+			"certificate_id":       app.CertificateID,
+			"application_protocol": app.ApplicationProtocol,
+			"trust_untrusted_cert": app.TrustUntrustedCert,
 			"app_types":            appTypes,
 		}
+		appsConfig[i] = appConfigMap
+	}
+	commonAppsDto[0] = map[string]interface{}{
+		"apps_config": appsConfig,
 	}
-	return appConfig
+	return commonAppsDto
 }
 
 func validateProtocolAndCertID(d *schema.ResourceData) error {

zpa/resource_zpa_application_segment_inspection_test.go

@@ -58,11 +58,11 @@ func TestAccResourceApplicationSegmentInspectionBasic(t *testing.T) {
 				),
 			},
 			// Import test
-			// {
-			// 	ResourceName:      appSegmentTypeAndName,
-			// 	ImportState:       true,
-			// 	ImportStateVerify: true,
-			// },
+			{
+				ResourceName:      appSegmentTypeAndName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }

zpa/resource_zpa_application_segment_pra.go

@@ -89,7 +89,6 @@ func resourceApplicationSegmentPRA() *schema.Resource {
 				Description: "UDP port ranges used to access the app.",
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
-
 			"config_space": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -385,6 +384,11 @@ func resourceApplicationSegmentPRAUpdate(d *schema.ResourceData, m interface{})
 	zClient := m.(*Client)
 	service := zClient.ApplicationSegmentPRA
 
+	microTenantID := GetString(d.Get("microtenant_id"))
+	if microTenantID != "" {
+		service = service.WithMicroTenant(microTenantID)
+	}
+
 	id := d.Id()
 	log.Printf("[INFO] Updating pra application segment ID: %v\n", id)
 	req := expandSRAApplicationSegment(d, zClient, id)
@@ -439,7 +443,7 @@ func resourceApplicationSegmentPRADelete(d *schema.ResourceData, m interface{})
 			}
 		}
 	}
-	log.Printf("[INFO] Deleting sra application segment with id %v\n", id)
+	log.Printf("[INFO] Deleting pra application segment with id %v\n", id)
 	if _, err := applicationsegmentpra.Delete(service, id); err != nil {
 		return err
 	}