fix: Fixed Policy Reorder Resource to validate Deception Rule (#450)

* fix: Fixed Policy Reorder Resource to validate Deception Rule

* fix: Added new attributes to Service Edge Group resource

* fix: Added new service edge group attributes to test

CHANGELOG.md

@@ -1,16 +1,32 @@
 # Changelog
 
-## 3.2.2 (May, xx 2024)
+## 3.2.11 (May, 3 2024)
 
 ### Notes
 
-- Release date: **(May, xx 2024)**
+- Release date: **(May, 3 2024)**
 - Supported Terraform version: **v1.x**
 
 ### Internal Changes
 
 - [PR #449](https://github.com/zscaler/terraform-provider-zpa/pull/449) - Added `CodeCov` Support to GitHub Workflow 
 
+### Bug Fixes
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - Implemented additional validation within the resource `zpa_policy_access_rule_reorder` to ensure it accounts for the potential existence of the `Zscaler Deception` rule. [Zscaler API Documentation](https://help.zscaler.com/zpa/configuring-access-policies-using-api#:~:text=Updating%20the%20rule,configured%20using%20Deception.) for further details.
+
+⚠️ **WARNING:**: This change does not affect existing rule configurations, and is only applicable for tenants with the Zscaler Deception rule configured. If your tenant have this rule configured, please refer to the [provider documentation](https://registry.terraform.io/providers/zscaler/zpa/latest/docs/resources/zpa_policy_access_rule_reorder) for further examples on how you can address potential drift issues due to rule order missmatch. [Issue #445](https://github.com/zscaler/terraform-provider-zpa/issues/445)
+
+### ENHACEMENTS
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - The resource `zpa_service_edge_group` now supports the following new attributes:
+  * `grace_distance_enabled`: Allows ZPA Private Service Edge Groups within the specified distance to be prioritized over a closer ZPA Public Service Edge.
+  * `grace_distance_value`: Indicates the maximum distance in miles or kilometers to ZPA Private Service Edge groups that would override a ZPA Public Service Edge.
+  * `grace_distance_value_unit`: Indicates the grace distance unit of measure in miles or kilometers. This value is only required if `grace_distance_enabled` is set to true. Support values are: `MILES` and `KMS`
+
+### Documentation
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - Updated documentation for `zpa_policy_access_rule_reorder` by removing deprecated `policy_set_id` attribute from the resource. Only the `policy_type` is required.
+### Documentation
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - Updated documentation for `zpa_service_edge_group` by including detailed description of the new attributes: `grace_distance_enabled`, `grace_distance_value`, `grace_distance_value_unit`.
+
 ## 3.2.1 (April, 8 2024)
 
 ### Notes

GNUmakefile

@@ -54,14 +54,14 @@ test\:integration\:zpa:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.2.1/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.2.11/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.2.1/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.2.11/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 	@echo "==> Installing plugin to $(DESTINATION)"
 	@mkdir -p $(DESTINATION)
-	go build -o $(DESTINATION)/terraform-provider-zpa_v3.2.1
+	go build -o $(DESTINATION)/terraform-provider-zpa_v3.2.11
 
 vet:
 	@echo "==> Checking source code against go vet and staticcheck"

docs/data-sources/zpa_service_edge_group.md

@@ -54,6 +54,10 @@ In addition to all arguments above, the following attributes are exported:
 * `creation_time` - (string)
 * `geo_location_id` - (string)
 * `is_public` - (string)
+* `grace_distance_enabled`: Allows ZPA Private Service Edge Groups within the specified distance to be prioritized over a closer ZPA Public Service Edge.
+* `grace_distance_value`: Indicates the maximum distance in miles or kilometers to ZPA Private Service Edge groups that would override a ZPA Public Service Edge.
+* `grace_distance_value_unit`: Indicates the grace distance unit of measure in miles or kilometers. This value is only required if `grace_distance_enabled` is set to true. Support values are: `MILES` and `KMS`
+
 * `latitude` - (string) Latitude of the Service Edge Group. Integer or decimal. With values in the range of `-90` to `90`
 * `longitude` - (string) Longitude of the Service Edge Group.Integer or decimal. With values in the range of `-180` to `180`
 * `location` - (string) Location of the Service Edge Group.

docs/guides/release-notes.md

@@ -12,21 +12,37 @@ Track all ZPA Terraform provider's releases. New resources, features, and bug fi
 
 ---
 
-``Last updated: v3.2.2``
+``Last updated: v3.2.11``
 
 ---
 
-## 3.2.2 (May, xx 2024)
+## 3.2.11 (May, 3 2024)
 
 ### Notes
 
-- Release date: **(May, xx 2024)**
+- Release date: **(May, 3 2024)**
 - Supported Terraform version: **v1.x**
 
 ### Internal Changes
 
 - [PR #449](https://github.com/zscaler/terraform-provider-zpa/pull/449) - Added `CodeCov` Support to GitHub Workflow 
 
+### Bug Fixes
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - Implemented additional validation within the resource `zpa_policy_access_rule_reorder` to ensure it accounts for the potential existence of the `Zscaler Deception` rule. [Zscaler API Documentation](https://help.zscaler.com/zpa/configuring-access-policies-using-api#:~:text=Updating%20the%20rule,configured%20using%20Deception.) for further details.
+
+⚠️ **WARNING:**: This change does not affect existing rule configurations, and is only applicable for tenants with the Zscaler Deception rule configured. If your tenant have this rule configured, please refer to the [provider documentation](https://registry.terraform.io/providers/zscaler/zpa/latest/docs/resources/zpa_policy_access_rule_reorder) for further examples on how you can address potential drift issues due to rule order missmatch. [Issue #445](https://github.com/zscaler/terraform-provider-zpa/issues/445)
+
+### ENHACEMENTS
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - The resource `zpa_service_edge_group` now supports the following new attributes:
+  * `grace_distance_enabled`: Allows ZPA Private Service Edge Groups within the specified distance to be prioritized over a closer ZPA Public Service Edge.
+  * `grace_distance_value`: Indicates the maximum distance in miles or kilometers to ZPA Private Service Edge groups that would override a ZPA Public Service Edge.
+  * `grace_distance_value_unit`: Indicates the grace distance unit of measure in miles or kilometers. This value is only required if `grace_distance_enabled` is set to true. Support values are: `MILES` and `KMS`
+
+### Documentation
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - Updated documentation for `zpa_policy_access_rule_reorder` by removing deprecated `policy_set_id` attribute from the resource. Only the `policy_type` is required.
+### Documentation
+- [PR #450](https://github.com/zscaler/terraform-provider-zpa/pull/450) - Updated documentation for `zpa_service_edge_group` by including detailed description of the new attributes: `grace_distance_enabled`, `grace_distance_value`, `grace_distance_value_unit`.
+
 ## 3.2.1 (April, 8 2024)
 
 ### Notes

docs/resources/zpa_policy_access_rule_reorder.md

@@ -16,6 +16,8 @@ The **zpa_policy_access_rule_reorder** is a dedicated resource to manage and upd
 
 ⚠️ **WARNING:**: The attribute ``rule_order`` is now deprecated in favor of this resource for all ZPA policy types.
 
+⚠️ **WARNING:**: Updating the rule order of an access policy configured using `Zscaler Deception` is not supported. When changing the rule order of a regular access policy and there is an access policy configured using Deception, the rule order of the regular access policy must be greater than the rule order for an access policy configured using Deception. Please refer to the [Zscaler API Documentation](https://help.zscaler.com/zpa/configuring-access-policies-using-api#:~:text=Updating%20the%20rule,configured%20using%20Deception.) for further details.
+
 ## Example Usage 1
 
 ```terraform
@@ -24,15 +26,13 @@ resource "zpa_policy_access_rule" "example001" {
   description   = "example001"
   action        = "ALLOW"
   operator      = "AND"
-  policy_set_id = data.zpa_policy_type.access_policy.id
 }
 
 resource "zpa_policy_access_rule" "example002" {
   name          = "example002"
   description   = "example002"
   action        = "ALLOW"
   operator      = "AND"
-  policy_set_id = data.zpa_policy_type.access_policy.id
 }
 
 locals {
@@ -43,7 +43,6 @@ locals {
 }
 
 resource "zpa_policy_access_rule_reorder" "access_policy_reorder" {
-  policy_set_id = data.zpa_policy_type.access_policy.id
   policy_type   = "ACCESS_POLICY"
 
   dynamic "rules" {
@@ -99,6 +98,96 @@ resource "zpa_policy_access_rule_reorder" "access_policy_reorder" {
 }
 ```
 
+## Example Usage 3 - Used when Zscaler Deception Rule Exists
+
+```terraform
+# IF NO ZSCALER DECEPTION RULE EXIST, DECREASE THE INDEX TO +1 TO PREVENT DRIFTS
+locals {
+  policy_config = yamldecode(file("${path.module}/policies.yaml"))
+  policies = { for policy in local.policy_config.policies : policy.name => merge(policy, { rule_number = index(local.policy_config.policies, policy) + 2 }) }
+}
+
+resource "zpa_policy_access_rule" "rules" {
+  for_each      = local.policies
+  name          = each.value.name
+  action        = each.value.action
+  description   = each.value.description
+  custom_msg    = try(each.value.custom_msg, null)
+  operator      = try(each.value.operator, "AND")
+}
+
+resource "zpa_policy_access_rule_reorder" "access_policy_reorder" {
+  policy_type = "ACCESS_POLICY"
+
+  dynamic "rules" {
+    for_each = local.policies
+    content {
+      id    = zpa_policy_access_rule.rules[rules.key].id
+      order = rules.value.rule_number
+    }
+  }
+}
+```
+
+## Example Usage 4 - Similar to Example 3 - No YAML File
+
+```terraform
+locals {
+  policies = { for index, policy in var.policy_config.policies :
+    policy.name => merge(policy, { rule_number = index + 1 })
+  }
+}
+
+resource "zpa_policy_access_rule" "rules" {
+  for_each      = { for rule in local.policies : rule.name => rule }
+  name          = each.value.name
+  action        = each.value.action
+  description   = each.value.description
+  custom_msg    = try(each.value.custom_msg, null)
+  operator      = try(each.value.operator, "AND")
+}
+
+
+resource "zpa_policy_access_rule_reorder" "access_policy_reorder" {
+  policy_type = "ACCESS_POLICY"
+
+  dynamic "rules" {
+    for_each = local.policies  # This sets up 'rules' as the variable within the block
+    content {
+      id    = zpa_policy_access_rule.rules[rules.key].id  # Access 'rules.key' for the map key
+      order = rules.value.rule_number  # Use 'rules.value' to get the values from the map
+    }
+  }
+}
+
+variable "policy_config" {
+  description = "Configuration for policy rules"
+  type = object({
+    policies = list(object({
+      name        = string
+      description = string
+      action = string
+      // Additional attributes can be included here as needed
+    }))
+  })
+
+  default = {
+    policies = [
+      { name = "example001", description = "example001", action = "ALLOW"},
+      { name = "example002", description = "example002", action = "DENY" },
+      { name = "example003", description = "example003", action = "ALLOW" },
+      { name = "example004", description = "example004", action = "DENY" },
+      { name = "example005", description = "example005", action = "ALLOW" },
+      { name = "example006", description = "example006", action = "DENY" },
+      { name = "example007", description = "example007", action = "ALLOW" },
+      { name = "example008", description = "example008", action = "DENY" },
+      { name = "example009", description = "example009", action = "ALLOW" },
+      { name = "example010", description = "example010", action = "DENY" },
+    ]
+  }
+}
+```
+
 ## Schema
 
 ### Required

docs/resources/zpa_service_edge_group.md

@@ -71,6 +71,11 @@ In addition to all arguments above, the following attributes are exported:
 - `enabled` - (Boolean) Whether this Service Edge Group is enabled or not. Default value: `true` Supported values: `true`, `false`
 - `description` - (String) Description of the Service Edge Group.
 - `is_public` - (String) Enable or disable public access for the Service Edge Group. Default value: `false` Supported values: `true`, `false`
+
+- `grace_distance_enabled`: Allows ZPA Private Service Edge Groups within the specified distance to be prioritized over a closer ZPA Public Service Edge.
+- `grace_distance_value`: Indicates the maximum distance in miles or kilometers to ZPA Private Service Edge groups that would override a ZPA Public Service Edge.
+- `grace_distance_value_unit`: Indicates the grace distance unit of measure in miles or kilometers. This value is only required if `grace_distance_enabled` is set to true. Support values are: `MILES` and `KMS`
+
 - `override_version_profile` - (Boolean) Whether the default version profile of the App Connector Group is applied or overridden. Default: `false` Supported values: `true`, `false`
 - `version_profile_id` - (String) ID of the version profile. To learn more, see Version Profile Use Cases. Supported values are:
   - ``0`` = ``Default``

zpa/data_source_zpa_service_edge_group.go

@@ -362,6 +362,21 @@ func dataSourceServiceEdgeGroup() *schema.Resource {
 				Computed:    true,
 				Description: "ID of the version profile. To learn more",
 			},
+			"grace_distance_enabled": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "If enabled, allows ZPA Private Service Edge Groups within the specified distance to be prioritized over a closer ZPA Public Service Edge.",
+			},
+			"grace_distance_value": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Indicates the maximum distance in miles or kilometers to ZPA Private Service Edge groups that would override a ZPA Public Service Edge",
+			},
+			"grace_distance_value_unit": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Indicates the grace distance unit of measure in miles or kilometers. This value is only required if grace_distance_value is set to true",
+			},
 		},
 	}
 }
@@ -409,6 +424,9 @@ func dataSourceServiceEdgeGroupRead(d *schema.ResourceData, m interface{}) error
 		_ = d.Set("version_profile_id", resp.VersionProfileID)
 		_ = d.Set("version_profile_name", resp.VersionProfileName)
 		_ = d.Set("version_profile_visibility_scope", resp.VersionProfileVisibilityScope)
+		_ = d.Set("grace_distance_enabled", resp.GraceDistanceEnabled)
+		_ = d.Set("grace_distance_value", resp.GraceDistanceValue)
+		_ = d.Set("grace_distance_value_unit", resp.GraceDistanceValueUnit)
 		_ = d.Set("trusted_networks", flattenTrustedNetworks(resp))
 		_ = d.Set("service_edges", flattenServiceEdges(resp.ServiceEdges))
 

zpa/data_source_zpa_service_edge_group_test.go

@@ -30,6 +30,9 @@ func TestAccDataSourceServiceEdgeGroup_Basic(t *testing.T) {
 					resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "longitude", resourceTypeAndName, "longitude"),
 					resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "location", resourceTypeAndName, "location"),
 					resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "version_profile_name", resourceTypeAndName, "version_profile_name"),
+					resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "grace_distance_enabled", resourceTypeAndName, "grace_distance_enabled"),
+					resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "grace_distance_value", resourceTypeAndName, "grace_distance_value"),
+					resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "grace_distance_value_unit", resourceTypeAndName, "grace_distance_value_unit"),
 				),
 			},
 		},