feat: ✨ Added New Forward Control Rule Resource (#294)
* feat: Added Forwarding Control Rule datasource
* feat: Added Forwarding Control ZPA Gateway
* feat: Added zpa gateway
* fix: fixed zpa_app_segments attribute
* fix: Removed ZPA Gateway resource
* feat: Added Forwarding Control Policy
* fix forwarding control test
* (doc) Updated Forward Control Rule documentation examples
* fix: Fix variable conflict with master
* fix: Fix deprecated schema functions
* feat: Fixed multiple validators and deprecated functions
* fix: Fixed forwarding control rule flattening function
* Fixed: GNUmakefile
willguibr authored Dec 14, 2023
1 parent 45eb9e6 commit 313e19f
Showing 27 changed files with 2,116 additions and 138 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/reuse-zia-tests.yml
Expand Up @@ -76,4 +76,4 @@ jobs:
ZIA_CLOUD: ${{ secrets.ZIA_CLOUD }}
ZIA_SANDBOX_TOKEN: ${{ secrets.ZIA_SANDBOX_TOKEN }}
ZIA_ACC_TEST_FORCE_SWEEPERS: ${{ secrets.ZIA_ACC_TEST_FORCE_SWEEPERS }}
TF_ACC: ${{ secrets.TF_ACC }}
TF_ACC: ${{ secrets.TF_ACC }}
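Review bot: the only visible difference in this hunk is the repeated `TF_ACC: ${{ secrets.TF_ACC }}` line, which points to a trailing-newline change rather than a functional one. While here: `TF_ACC` is an on/off switch for Terraform acceptance tests, not a credential, so sourcing it from `secrets` hides whether the job actually runs acceptance tests; setting `TF_ACC: "1"` explicitly (or using a workflow variable) keeps that behaviour visible in the workflow file.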
17 changes: 15 additions & 2 deletions CHANGELOG.md
@@ -1,10 +1,10 @@
# Changelog

## 2.7.0 (December, xx 2023)
## 2.7.0 (December, 13 2023)

### Notes

- Release date: **(December, xx 2023)**
- Release date: **(December, 13 2023)**
- Supported Terraform version: **v1.x**

### Enhancements
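Review bot: the date format `(December, 13 2023)` on the `## 2.7.0` heading and on the `Release date` line places the comma between the month and the day; `December 13, 2023` is the conventional form. The commit itself is dated Dec 14, 2023, so confirm the release date before tagging.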
Expand All @@ -14,6 +14,19 @@ NEW - RESOURCES, DATA SOURCES
- [PR #293](https://github.com/zscaler/terraform-provider-zia/pull/293) - ✨ Added support for ZIA 🆕 Custom ZPA Gateway for use with Forwarding Control policy to forward traffic to ZPA for Source IP Anchoring.
- [PR #294](https://github.com/zscaler/terraform-provider-zia/pull/294) - ✨ Added support for ZIA 🆕 Forwarding Control Rule configuration.

- [PR #295](https://github.com/zscaler/terraform-provider-zia/pull/295) - ✨ Added ZIA Sandbox MD5 Hash and verdict report submission Resources:
- **Sandbox Advanced Settings** - `zia_sandbox_behavioral_analysis` Gets and Upddates the custom list of MD5 file hashes that are blocked by Sandbox.
- **Sandbox Report** - `zia_sandbox_report` Gets a full (i.e., complete) or summary detail report for an MD5 hash of a file that was analyzed by Sandbox.

- [PR #295](https://github.com/zscaler/terraform-provider-zia/pull/295) - ✨ Added ZIA Sandbox raw and archive file submission:
- **Sandbox Submission** - `zia_sandbox_file_submission` - Submits raw or archive files (e.g., ZIP) to Sandbox for analysis. You can submit up to 100 files per day and it supports all file types that are currently supported by Sandbox.
- **Sandbox Submission** - `zia_sandbox_file_submission` - Submits raw or archive files (e.g., ZIP) to the Zscaler service for out-of-band file inspection to generate real-time verdicts for known and unknown files. It leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously.
⚠️ **Note:**: The ZIA Terraform provider requires both the `ZIA_CLOUD` and `ZIA_SANDBOX_TOKEN` in order to authenticate to the Zscaler Cloud Sandbox environment. For details on how obtain the API Token visit the Zscaler help portal [About Sandbox API Token](https://help.zscaler.com/zia/about-sandbox-api-token)

### Fixes

- [PR #299](https://github.com/zscaler/terraform-provider-zia/pull/299) - Fixed panic with ``zia_url_categories``.

## 2.6.6 (November, 23 2023)

### Notes
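Review bot: several wording issues in the added lines. `Upddates` should be `Updates`; `⚠️ **Note:**:` has a doubled colon; `how obtain the API Token` is missing `to`; and the `zia_url_categories` reference uses double backticks where the rest of the file uses single ones. The two `- **Sandbox Submission** - `zia_sandbox_file_submission`` bullets describe the same resource twice under the same PR #295 entry; keep one description (the second is the more complete one) and fold the 100-files-per-day limit into it.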
57 changes: 47 additions & 10 deletions GNUmakefile
Expand Up @@ -22,6 +22,9 @@ default: build

dep: # Download required dependencies

docs:
go generate

build: fmtcheck
go install

Expand All @@ -37,11 +40,12 @@ sweep:

test:
echo $(TEST) | \
xargs -t -n4 go test $(TESTARGS) $(TEST_FILTER) -timeout=30s -parallel=4
xargs -t -n4 go test $(TESTARGS) $(TEST_FILTER) -timeout=30s -parallel=10

testacc:
TF_ACC=1 go test $(TEST) $(TESTARGS) $(TEST_FILTER) -timeout 120m


build13: GOOS=$(shell go env GOOS)
build13: GOARCH=$(shell go env GOARCH)
ifeq ($(OS),Windows_NT) # is Windows_NT on XP, 2000, 7, Vista, 10...
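Review bot: `-parallel=4` becomes `-parallel=10` while `-timeout=30s` is unchanged. `-parallel` only caps how many tests that call `t.Parallel()` run at once, so the speed-up materialises only if the unit tests opt in, and the 30s per-package deadline gets tighter when more tests share the CPU; consider raising the timeout alongside the parallelism. The hunk also introduces a second blank line before `build13:`; one is enough.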
Expand All @@ -54,6 +58,10 @@ build13: fmtcheck
@mkdir -p $(DESTINATION)
go build -o $(DESTINATION)/terraform-provider-zia_v2.7.0

coverage: test
@echo "✓ Opening coverage for unit tests ..."
@go tool cover -html=coverage.txt

vet:
@echo "==> Checking source code against go vet and staticcheck"
@go vet ./...
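Review bot: `coverage: test` then opens `coverage.txt`, but the `test` target in this file runs `go test ... -timeout=30s -parallel=10` without `-coverprofile=coverage.txt`, so `go tool cover -html=coverage.txt` fails with a missing file unless the caller passes the flag through `TESTARGS`. Either add `-coverprofile=coverage.txt` to the `test` recipe or give `coverage` its own `go test` invocation that writes the profile.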
Expand All @@ -72,15 +80,9 @@ fmtcheck:
errcheck:
@sh -c "'$(CURDIR)/scripts/errcheck.sh'"

tools:
@which $(GOFMT) || go install mvdan.cc/[email protected]
@which $(TFPROVIDERLINT) || go install github.com/bflad/tfproviderlint/cmd/[email protected]
@which $(STATICCHECK) || go install honnef.co/go/tools/cmd/[email protected]

tools-update:
@go install mvdan.cc/[email protected]
@go install github.com/bflad/tfproviderlint/cmd/[email protected]
@go install honnef.co/go/tools/cmd/[email protected]
fmt-docs:
@echo "✓ Formatting code samples in documentation"
@terrafmt fmt -p '*.md' .

vendor-status:
@govendor status
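Review bot: the new `fmt-docs` target invokes `terrafmt`, but neither `tools` nor `tools-update` installs it, so on a fresh checkout `make fmt-docs` fails with command not found; add a pinned install line for it alongside the other tools or document it as a prerequisite. The deletion of `tools` and `tools-update` in this hunk is a move (both reappear further down the file), which is fine but worth stating in the commit message so it does not read as a removal.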
Expand All @@ -93,6 +95,41 @@ test-compile:
fi
go test -c $(TEST) $(TESTARGS)

lint:
@echo "==> Checking source code against linters..."
@$(TFPROVIDERLINT) \
-c 1 \
-AT001 \
-R004 \
-S001 \
-S002 \
-S003 \
-S004 \
-S005 \
-S007 \
-S008 \
-S009 \
-S010 \
-S011 \
-S012 \
-S013 \
-S014 \
-S015 \
-S016 \
-S017 \
-S019 \
./$(PKG_NAME)

tools:
@which $(GOFMT) || go install mvdan.cc/[email protected]
@which $(TFPROVIDERLINT) || go install github.com/bflad/tfproviderlint/cmd/[email protected]
@which $(STATICCHECK) || go install honnef.co/go/tools/cmd/[email protected]

tools-update:
@go install mvdan.cc/[email protected]
@go install github.com/bflad/tfproviderlint/cmd/[email protected]
@go install honnef.co/go/tools/cmd/[email protected]

ziaActivator: GOOS=$(shell go env GOOS)
ziaActivator: GOARCH=$(shell go env GOARCH)
ifeq ($(OS),Windows_NT) # is Windows_NT on XP, 2000, 7, Vista, 10...
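Review bot: the new `lint` target runs `$(TFPROVIDERLINT)` only against `./$(PKG_NAME)`, so resources or helpers outside that one package are never linted; `./...` is the usual scope. It is also not a prerequisite of `build`, `vet` or `test`, so nothing in the default flow runs it. Minor: the flag block enables `-S001` through `-S019` individually but omits `-S006` and `-S018`, which reads as deliberate; a one-line comment saying why would save the next reader a lookup.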
125 changes: 125 additions & 0 deletions docs/data-sources/zia_forwarding_control_rule.md
@@ -0,0 +1,125 @@
---
subcategory: "Forwarding Control Policy"
layout: "zscaler"
page_title: "ZIA): forwarding_control_rule"
description: |-
Get information about forwarding control rule.
---
# Data Source: forwarding_control_rule

Use the **forwarding_control_rule** data source to get information about a forwarding control rule which is used to forward selective Zscaler traffic to specific destinations based on your needs.For example, if you want to forward specific web traffic to a third-party proxy service or if you want to forward source IP anchored application traffic to a specific Zscaler Private Access (ZPA) App Connector or internal application traffic through ZIA threat and data protection engines, use forwarding control by configuring appropriate rules.

## Example Usage

```hcl
# ZIA Forwarding Control - ZPA Gateway
data "zia_forwarding_control_rule" "this" {
name = "FWD_RULE01"
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Required) The name of the forwarding rule.
* `id` - (Optional) A unique identifier assigned to the forwarding rule.

## Attribute Reference

In addition to all arguments above, the following attributes are exported:

* `description` - (string) - Additional information about the forwarding rule
* `type` - (string) - The rule type selected from the available options
* `forward_method` - (string) - The type of traffic forwarding method selected from the available options.
* `state` - (string) - Indicates whether the forwarding rule is enabled or disabled.
* `order` - (string) - The order of execution for the forwarding rule order.

`Who, Where and When` supports the following attributes:

* `locations` - (Optional) You can manually select up to `8` locations. When not used it implies `Any` to apply the rule to all groups.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity
* `location_groups` - (Optional) You can manually select up to `32` location groups. When not used it implies `Any` to apply the rule to all location groups.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity

* `ec_groups` - (list) - Name-ID pairs of the Zscaler Cloud Connector groups to which the forwarding rule applies
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity
* `departments` - (list) Apply to any number of departments When not used it implies `Any` to apply the rule to all departments.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity
* `groups` - (list) You can manually select up to `8` groups. When not used it implies `Any` to apply the rule to all groups.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity
* `users` - (list) You can manually select up to `4` general and/or special users. When not used it implies `Any` to apply the rule to all users.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity

`network services` supports the following attributes:

* `nw_service_groups` - (list) Any number of predefined or custom network service groups to which the rule applies.
* `nw_services`- (list) When not used it applies the rule to all network services or you can select specific network services. The Zscaler firewall has predefined services and you can configure up to `1,024` additional custom services.

`network applications` supports the following attributes:

* `nw_application_groups` - (list) Any number of application groups that you want to control with this rule. The service provides predefined applications that you can group, but not modify
* `nw_applications` - (Optional) When not used it applies the rule to all applications. The service provides predefined applications, which you can group, but not modify.

`source ip addresses` supports the following attributes:

* `src_ip_groups` - (list) Any number of source IP address groups that you want to control with this rule.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity
* `src_ips` - (Optional) You can enter individual IP addresses, subnets, or address ranges.

`destinations` supports the following attributes:

* `dest_addresses`** - (list) - IP addresses and fully qualified domain names (FQDNs), if the domain has multiple destination IP addresses or if its IP addresses may change. For IP addresses, you can enter individual IP addresses, subnets, or address ranges. If adding multiple items, hit Enter after each entry.
* `dest_countries`** - (list) estination countries for which the rule is applicable. If not set, the rule is not restricted to specific destination countries. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes).
* `res_categories`** - (list) List of destination domain categories to which the rule applies.
* `dest_ip_categories`** - (list) identify destinations based on the URL category of the domain, select Any to apply the rule to all categories or select the specific categories you want to control.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity
* `dest_ip_groups`** - (list) Any number of destination IP address groups that you want to control with this rule.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity

* `app_service_groups` (list) - Application service groups on which this rule is applied
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity

* `app_services` (list) - Application services on which this rule is applied
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity

* `labels` (list) Labels that are applicable to the rule.
- `id` - (String) Identifier that uniquely identifies an entity
- `name` - (String) The configured name of the entity.
* `devices` (list) Name-ID pairs of devices for which the rule must be applied. Specifies devices that are managed using Zscaler Client Connector. If no value is set, this field is ignored during the policy evaluation.
- `id` - (int) Identifier that uniquely identifies an entity

* `device_groups` (list) Name-ID pairs of device groups for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. If no value is set, this field is ignored during the policy evaluation.
- `id` - (int) Identifier that uniquely identifies an entity

* `zpa_gateway` (set) The ZPA Gateway for which this rule is applicable. This field is applicable only for the `ZPA` forwarding method.
- `id` - (int) Identifier that uniquely identifies an entity
- `name` - (string) The configured name of the entity

* `zpa_app_segments` (set) The list of ZPA Application Segments for which this rule is applicable. This field is applicable only for the `ZPA` Gateway forwarding method.
- `name` - (string) The configured name of the entity
- `external_id` - (int) Identifier that uniquely identifies an entity

* `proxy_gateway` (set) The proxy gateway for which the rule is applicable. This field is applicable only for the `PROXYCHAIN` forwarding method.
- `id` - (int) Identifier that uniquely identifies an entity
- `name` - (string) The configured name of the entity.

* `zpa_application_segments` (set) List of ZPA Application Segments for which this rule is applicable. This field is applicable only for the `ECZPA` forwarding method (used for Zscaler Cloud Connector).
- `name` - (string) The configured name of the entity
- `external_id` - (int) Identifier that uniquely identifies an entity

* `zpa_application_segment_groups` (set) List of ZPA Application Segment Groups for which this rule is applicable. This field is applicable only for the `ECZPA` forwarding method (used for Zscaler Cloud Connector).
- `name` - (string) The configured name of the entity
- `external_id` - (int) Identifier that uniquely identifies an entity
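Review bot: several issues in the new data-source doc. `page_title: "ZIA): forwarding_control_rule"` has a stray `)`; `based on your needs.For example` lacks a space after the period; `estination countries` should be `Destination countries`; `order` is documented as `(string)` although it is the rule's execution position, so confirm whether the schema types it as an integer; and the `dest_addresses`**, `dest_countries`**, `res_categories`**, `dest_ip_categories`** and `dest_ip_groups`** bullets carry unmatched `**` markers. Because this is a data source, every attribute is exported and read-only, so the `(Optional)` tags on `locations`, `location_groups`, `nw_applications` and `src_ips`, and the "You can manually select up to N" wording, belong in the resource doc rather than here. `devices` and `device_groups` are described as "Name-ID pairs" but list only `id`; add `name` or drop the phrase. Finally, `zpa_app_segments` (for `ZPA`) and `zpa_application_segments` (for `ECZPA`) are exported with identical sub-attributes; a sentence on why there are two fields would help readers choose the right one.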
17 changes: 15 additions & 2 deletions docs/guides/release-notes.md
Expand Up @@ -16,11 +16,11 @@ Track all ZIA Terraform provider's releases. New resources, features, and bug fi

---

## 2.7.0 (December, xx 2023)
## 2.7.0 (December, 13 2023)

### Notes

- Release date: **(December, xx 2023)**
- Release date: **(December, 13 2023)**
- Supported Terraform version: **v1.x**

### Enhancements
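Review bot: same date-format point as in `CHANGELOG.md`: `(December, 13 2023)` should read `December 13, 2023`, and the commit is dated Dec 14, so confirm the release date. These release notes mirror `CHANGELOG.md` line for line, so whichever form is chosen needs to be applied to both files.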
Expand All @@ -30,6 +30,19 @@ NEW - RESOURCES, DATA SOURCES
- [PR #293](https://github.com/zscaler/terraform-provider-zia/pull/293) - ✨ Added support for ZIA 🆕 Custom ZPA Gateway for use with Forwarding Control policy to forward traffic to ZPA for Source IP Anchoring.
- [PR #294](https://github.com/zscaler/terraform-provider-zia/pull/294) - ✨ Added support for ZIA 🆕 Forwarding Control Rule configuration.

- [PR #295](https://github.com/zscaler/terraform-provider-zia/pull/295) - ✨ Added ZIA Sandbox MD5 Hash and verdict report submission Resources:
- **Sandbox Advanced Settings** - `zia_sandbox_behavioral_analysis` Gets and Upddates the custom list of MD5 file hashes that are blocked by Sandbox.
- **Sandbox Report** - `zia_sandbox_report` Gets a full (i.e., complete) or summary detail report for an MD5 hash of a file that was analyzed by Sandbox.

- [PR #295](https://github.com/zscaler/terraform-provider-zia/pull/295) - ✨ Added ZIA Sandbox raw and archive file submission:
- **Sandbox Submission** - `zia_sandbox_file_submission` - Submits raw or archive files (e.g., ZIP) to Sandbox for analysis. You can submit up to 100 files per day and it supports all file types that are currently supported by Sandbox.
- **Sandbox Submission** - `zia_sandbox_file_submission` - Submits raw or archive files (e.g., ZIP) to the Zscaler service for out-of-band file inspection to generate real-time verdicts for known and unknown files. It leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously.
⚠️ **Note:**: The ZIA Terraform provider requires both the `ZIA_CLOUD` and `ZIA_SANDBOX_TOKEN` in order to authenticate to the Zscaler Cloud Sandbox environment. For details on how obtain the API Token visit the Zscaler help portal [About Sandbox API Token](https://help.zscaler.com/zia/about-sandbox-api-token)

### Fixes

- [PR #299](https://github.com/zscaler/terraform-provider-zia/pull/299) - Fixed panic with ``zia_url_categories``.

## 2.6.6 (November, 23 2023)

### Notes
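Review bot: this hunk repeats the `CHANGELOG.md` text verbatim, including `Upddates`, the doubled colon in `⚠️ **Note:**:`, the missing `to` in `how obtain the API Token`, the double-backtick ``zia_url_categories`` and the duplicated `zia_sandbox_file_submission` bullet under PR #295; fix both files together, or consider generating one from the other so they cannot drift.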