diff --git a/CHANGELOG.md b/CHANGELOG.md index cfe1dccd..e863d07e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Changelog -## 2.7.0 (December, 13 2023) +## 2.7.0 (December, 19 2023) ### Notes -- Release date: **(December, 13 2023)** +- Release date: **(December, 19 2023)** - Supported Terraform version: **v1.x** ### Enhancements 
@@ -23,9 +23,20 @@ NEW - RESOURCES, DATA SOURCES - **Sandbox Submission** - `zia_sandbox_file_submission` - Submits raw or archive files (e.g., ZIP) to the Zscaler service for out-of-band file inspection to generate real-time verdicts for known and unknown files. It leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously. ⚠️ **Note:**: The ZIA Terraform provider requires both the `ZIA_CLOUD` and `ZIA_SANDBOX_TOKEN` in order to authenticate to the Zscaler Cloud Sandbox environment. For details on how obtain the API Token visit the Zscaler help portal [About Sandbox API Token](https://help.zscaler.com/zia/about-sandbox-api-token) +- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Added new `zia_dlp_web_rules` attributes: + - `severity` - Supported values: `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO` + - `user_risk_score_levels` - Supported values: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` + - `parent_rule` + - `sub_rules` + +- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE` + +- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE` + ### Fixes - [PR #299](https://github.com/zscaler/terraform-provider-zia/pull/299) - Fixed panic with ``zia_url_categories``. +- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Fixed `zia_dlp_web_rules` File Types validation function. 
## 2.6.6 (November, 23 2023) diff --git a/docs/data-sources/zia_dlp_engines.md b/docs/data-sources/zia_dlp_engines.md index 99800f01..8a586154 100644 --- a/docs/data-sources/zia_dlp_engines.md +++ b/docs/data-sources/zia_dlp_engines.md @@ -14,18 +14,25 @@ Use the **zia_dlp_engines** data source to get information about a ZIA DLP Engin ```hcl # Retrieve a DLP Engine by name -data "zia_dlp_engines" "example"{ +data "zia_dlp_engines" "this"{ name = "Example" } ``` ```hcl # Retrieve a DLP Engine by ID -data "zia_dlp_engines" "example"{ +data "zia_dlp_engines" "this"{ id = 1234567890 } ``` +```hcl +# Retrieve a Predefined DLP Engine +data "zia_dlp_engines" "this"{ + predefined = "EXTERNAL" +} +``` + ## Argument Reference The following arguments are supported: diff --git a/docs/data-sources/zia_dlp_web_rules.md b/docs/data-sources/zia_dlp_web_rules.md index 0ce697fb..550a6e2c 100644 --- a/docs/data-sources/zia_dlp_web_rules.md +++ b/docs/data-sources/zia_dlp_web_rules.md 
@@ -55,9 +55,24 @@ rules. * `DISABLED` * `ENABLED` -* `file_types` - (String) The list of file types to which the DLP policy rule must be applied. For the complete list of supported file types refer to the [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post) +* `file_types` - (List) The list of file types to which the DLP policy rule must be applied. For the complete list of supported file types refer to the [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post) + + * ~> Note: `BITMAP`, `JPEG`, `PNG`, and `TIFF` file types are exclusively supported when optical character recognition `ocr_enabled` is set to `true` for DLP rules with content inspection. + + * ~> Note: `ALL_OUTBOUND` file type is applicable only when the predefined DLP engine called `EXTERNAL` is used and when the attribute `without_content_inspection` is set to `true`. For `EXTERNAL` DLP Engine See the [zia_dlp_engine](https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_dlp_engines) data source documentation + * `cloud_applications` - (Optional) The list of cloud applications to which the DLP policy rule must be applied. For the complete list of supported cloud applications refer to the [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post) +* `severity` - (String) Indicates the severity selected for the DLP rule violation: Returned values are: `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO` + +* `user_risk_score_levels` (List) - Indicates the user risk score level selectedd for the DLP rule violation: Returned values are: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` + +* `parent_rule`(Number) - The unique identifier of the parent rule under which an exception rule is added. + ~> Note: Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings. 
+ +* `sub_rules`(List) - The list of exception rules added to a parent rule. + ~> Note: All attributes within the WebDlpRule model are applicable to the sub-rules. Values for each rule are specified by using the WebDlpRule object Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings. + * `last_modified_by` - (Number) The admin that modified the DLP policy rule last. * `id` - (Number) Identifier that uniquely identifies an entity diff --git a/docs/guides/release-notes.md b/docs/guides/release-notes.md index dbf5fac1..d44fca41 100644 --- a/docs/guides/release-notes.md +++ b/docs/guides/release-notes.md @@ -16,11 +16,11 @@ Track all ZIA Terraform provider's releases. New resources, features, and bug fi --- -## 2.7.0 (December, 13 2023) +## 2.7.0 (December, 19 2023) ### Notes -- Release date: **(December, 13 2023)** +- Release date: **(December, 19 2023)** - Supported Terraform version: **v1.x** ### Enhancements 
@@ -39,9 +39,20 @@ NEW - RESOURCES, DATA SOURCES - **Sandbox Submission** - `zia_sandbox_file_submission` - Submits raw or archive files (e.g., ZIP) to the Zscaler service for out-of-band file inspection to generate real-time verdicts for known and unknown files. It leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously. ⚠️ **Note:**: The ZIA Terraform provider requires both the `ZIA_CLOUD` and `ZIA_SANDBOX_TOKEN` in order to authenticate to the Zscaler Cloud Sandbox environment. For details on how obtain the API Token visit the Zscaler help portal [About Sandbox API Token](https://help.zscaler.com/zia/about-sandbox-api-token) +- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Added new `zia_dlp_web_rules` attributes: + - `severity` - Supported values: `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO` + - `user_risk_score_levels` - Supported values: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` + - `parent_rule` + - `sub_rules` + +- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE` + +- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE` + ### Fixes - [PR #299](https://github.com/zscaler/terraform-provider-zia/pull/299) - Fixed panic with ``zia_url_categories``. +- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Fixed `zia_dlp_web_rules` File Types validation function. 
## 2.6.6 (November, 23 2023) diff --git a/docs/resources/zia_dlp_web_rules.md b/docs/resources/zia_dlp_web_rules.md index 80531518..187ecf14 100644 --- a/docs/resources/zia_dlp_web_rules.md +++ b/docs/resources/zia_dlp_web_rules.md @@ -12,7 +12,7 @@ The **zia_dlp_web_rules** resource allows the creation and management of ZIA DLP ⚠️ **WARNING:** Zscaler Internet Access DLP supports a maximum of 127 Web DLP Rules to be created via API. -## Example Usage +## Example Usage - OCR ENABLED ```hcl resource "zia_dlp_web_rules" "test" { @@ -27,12 +27,39 @@ resource "zia_dlp_web_rules" "test" { without_content_inspection = false match_only = false ocr_enabled = true - file_types = [ "WINDOWS_META_FORMAT", "BITMAP", "JPEG", "PNG", "TIFF"] + file_types = [ "BITMAP", "JPEG", "PNG", "TIFF"] min_size = 20 zscaler_incident_receiver = true } ``` +## Example Usage - "ALL_OUTBOUND" File Type + +```hcl +data "zia_dlp_engines" "this" { + predefined_engine_name = "EXTERNAL" +} + +resource "zia_dlp_web_rules" "this" { + name = "Example" + description = "Example" + action = "BLOCK" + order = 1 + rank = 7 + state = "ENABLED" + # ocr_enabled = true + protocols = [ "FTP_RULE", "HTTPS_RULE", "HTTP_RULE" ] + file_types = [ "ALL_OUTBOUND" ] + zscaler_incident_receiver = true + without_content_inspection = false + user_risk_score_levels = [ "LOW", "MEDIUM", "HIGH", "CRITICAL" ] + severity = "RULE_SEVERITY_HIGH" + dlp_engines { + id = [ data.zia_dlp_engines.this.id ] + } +} +``` + ## Argument Reference The following arguments are supported: 
@@ -48,6 +75,8 @@ The following arguments are supported: * `external_auditor_email` - (Optional) The email address of an external auditor to whom DLP email notifications are sent. * `match_only` - (Optional) The match only criteria for DLP engines. * `without_content_inspection` - (Optional) Indicates a DLP policy rule without content inspection, when the value is set to true. + * `without_content_inspection` must be set to false if `file_types` is not defined. + * `ocr_enabled` - (Optional) Enables or disables image file scanning. When OCR is enabled only the following ``file_types`` are supported: ``WINDOWS_META_FORMAT``, ``BITMAP``, ``JPEG``, ``PNG``, ``TIFF`` * `zscaler_incident_receiver` - (Optional) Indicates whether a Zscaler Incident Receiver is associated to the DLP policy rule. 
@@ -63,7 +92,22 @@ The following arguments are supported: * `ENABLED` * `file_types` - (Optional) The list of file types to which the DLP policy rule must be applied. For the complete list of supported file types refer to the [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post) -* `cloud_applications` - (Optional) The list of cloud applications to which the DLP policy rule must be applied. For the complete list of supported cloud applications refer to the [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post) + + * ~> Note: `BITMAP`, `JPEG`, `PNG`, and `TIFF` file types are exclusively supported when optical character recognition `ocr_enabled` is set to `true` for DLP rules with content inspection. + + * ~> Note: `ALL_OUTBOUND` file type is applicable only when the predefined DLP engine called `EXTERNAL` is used and when the attribute `without_content_inspection` is set to `false`. + + * ~> Note: `ALL_OUTBOUND` file type cannot be used alongside any any other file type. + +* `severity` - (String) Indicates the severity selected for the DLP rule violation: Returned values are: `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO` + +* `user_risk_score_levels` (Optional) - Indicates the user risk score level selectedd for the DLP rule violation: Returned values are: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` + +* `parent_rule`(Optional) - The unique identifier of the parent rule under which an exception rule is added. + ~> Note: Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings. + +* `sub_rules`(List) - The list of exception rules added to a parent rule. + ~> Note: All attributes within the WebDlpRule model are applicable to the sub-rules. 
Values for each rule are specified by using the WebDlpRule object Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings. * `notification_template` - (Optional) The template used for DLP notification emails. * `id` - (Optional) Identifier that uniquely identifies an entity diff --git a/go.mod b/go.mod index ea650173..6d22a82a 100644 --- a/go.mod +++ b/go.mod @@ -3,13 +3,13 @@ module github.com/zscaler/terraform-provider-zia/v2 go 1.20 require ( - github.com/biter777/countries v1.7.2 + github.com/biter777/countries v1.6.6 github.com/fabiotavarespr/iso3166 v0.0.2 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 - github.com/hashicorp/go-hclog v1.6.2 + github.com/hashicorp/go-hclog v1.5.0 github.com/hashicorp/terraform-plugin-sdk v1.17.2 github.com/hashicorp/terraform-plugin-sdk/v2 v2.31.0 - github.com/zscaler/zscaler-sdk-go/v2 v2.3.2 + github.com/zscaler/zscaler-sdk-go/v2 v2.3.3 ) require ( diff --git a/go.sum b/go.sum index 065fb936..7e563e10 100644 --- a/go.sum +++ b/go.sum 
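Review bot: Two of the three direct dependencies in this hunk go backwards, not forwards (countries v1.7.2 → v1.6.6, go-hclog v1.6.2 → v1.5.0), and the matching go.sum hunk also pins golang.org/x/crypto back from v0.17.0 to v0.16.0, while the commit text only mentions the zscaler-sdk-go bump to v2.3.3. As I recall, x/crypto v0.17.0 was a security release for its ssh package; this provider probably never touches that package, but dependency scanners will still flag the regression, so the downgrade should be deliberate and stated in the changelog rather than an artefact of an older module cache. If only the SDK bump was intended, `go get github.com/zscaler/zscaler-sdk-go/v2@v2.3.3` followed by `go mod tidy` should leave the other versions untouched.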
@@ -68,8 +68,8 @@ github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3A github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/biter777/countries v1.7.2 h1:sEnpwvVggSCpKBc+PGrzEkIOkoze/n93DzfxvucRAsg= -github.com/biter777/countries v1.7.2/go.mod h1:1HSpZ526mYqKJcpT5Ti1kcGQ0L0SrXWIaptUWjFfv2E= +github.com/biter777/countries v1.6.6 h1:07RfPdL1INfMBhxVGBgNMM8cTrhdqMtgIc3N1KrUMR8= +github.com/biter777/countries v1.6.6/go.mod h1:1HSpZ526mYqKJcpT5Ti1kcGQ0L0SrXWIaptUWjFfv2E= github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
@@ -186,8 +186,8 @@ github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBM github.com/hashicorp/go-getter v1.5.3/go.mod h1:BrrV/1clo8cCYu6mxvboYg+KutTiFnXjMEgDD8+i7ZI= github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I= -github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= +github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 
@@ -367,8 +367,8 @@ github.com/zclconf/go-cty v1.14.1 h1:t9fyA35fwjjUMcmL5hLER+e/rEPqrbCK1/OSE4SI9KA github.com/zclconf/go-cty v1.14.1/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0= -github.com/zscaler/zscaler-sdk-go/v2 v2.3.2 h1:vcOXFuQsSJCrZhkJWl8cpGV2Ivijr6w+yHbv4llp4g8= -github.com/zscaler/zscaler-sdk-go/v2 v2.3.2/go.mod h1:N4ObD/UOxvLM5FauUWsq6mEQsX0ksn/IPxBJr/7QVNc= +github.com/zscaler/zscaler-sdk-go/v2 v2.3.3 h1:otlw4yupo9NV+wTcneXSoQu88SFv5LfycG1rkTqgU5A= +github.com/zscaler/zscaler-sdk-go/v2 v2.3.3/go.mod h1:N4ObD/UOxvLM5FauUWsq6mEQsX0ksn/IPxBJr/7QVNc= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
@@ -386,8 +386,8 @@ golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
diff --git a/zia/common.go b/zia/common.go
index 64117e30..69968dc3 100644
--- a/zia/common.go
+++ b/zia/common.go
@@ -560,19 +560,6 @@ func getCloudFirewallNwServicesTag() *schema.Schema {
 	}
 }
 
-func getDLPRuleFileTypes(desc string) *schema.Schema {
-	return &schema.Schema{
-		Type:        schema.TypeSet,
-		Description: "The list of file types to which the DLP policy rule must be applied.",
-		Elem: &schema.Schema{
-			Type:             schema.TypeString,
-			ValidateDiagFunc: validateDLPRuleFileTypes(),
-		},
-		Optional: true,
-		Computed: true,
-	}
-}
-
 func sortOrders(ruleOrderMap map[int]orderWithState) RuleIDOrderPairList {
 	pl := make(RuleIDOrderPairList, len(ruleOrderMap))
 	i := 0
diff --git a/zia/common/testing/variable/variable.go b/zia/common/testing/variable/variable.go
index 0711338b..a62f5d7b 100644
--- a/zia/common/testing/variable/variable.go
+++ b/zia/common/testing/variable/variable.go
@@ -110,9 +110,8 @@ const (
 	DLPWebRuleDesc           = "this is an acceptance test"
 	DLPRuleResourceAction    = "ALLOW"
 	DLPRuleResourceState     = "ENABLED"
-	DLPRuleContentInspection = false
+	DLPRuleContentInspection = true
 	DLPMatchOnly             = false
-	DLPOCREnabled            = false
 )
 
 // DLP Dictionaries resource/datasource
diff --git a/zia/data_source_zia_dlp_engines.go b/zia/data_source_zia_dlp_engines.go
index 032377c7..0f05b680 100644
--- a/zia/data_source_zia_dlp_engines.go
+++ b/zia/data_source_zia_dlp_engines.go
@@ -24,7 +24,7 @@ func dataSourceDLPEngines() *schema.Resource {
 			},
 			"predefined_engine_name": {
 				Type:        schema.TypeString,
-				Computed:    true,
+				Optional:    true,
 				Description: "The name of the predefined DLP engine.",
 			},
 			"engine_expression": {
@@ -69,6 +69,16 @@ func dataSourceDLPEnginesRead(d *schema.ResourceData, m interface{}) error {
 		resp = res
 	}
 
+	predefined, _ := d.Get("predefined_engine_name").(string)
+	if resp == nil && predefined != "" {
+		log.Printf("[INFO] Getting data for predefined dlp engine name: %s\n", predefined)
+		res, err := zClient.dlp_engines.GetByPredefinedEngine(predefined)
+		if err != nil {
+			return err
+		}
+		resp = res
+	}
+
 	if resp != nil {
 		d.SetId(fmt.Sprintf("%d", resp.ID))
 		_ = d.Set("name", resp.Name)
diff --git a/zia/data_source_zia_dlp_web_rules.go b/zia/data_source_zia_dlp_web_rules.go
index af60dc34..844deef3 100644
--- a/zia/data_source_zia_dlp_web_rules.go
+++ b/zia/data_source_zia_dlp_web_rules.go
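Review bot: In the data_source_zia_dlp_engines.go schema hunk, `predefined_engine_name` loses `Computed: true` when it gains `Optional: true`, so it is now a plain optional input. If the read path (not shown in this hunk) still does `d.Set("predefined_engine_name", ...)` from the API response when the engine was looked up by `id` or `name`, Terraform core may reject the data source result for changing a non-computed attribute; I have not verified the read code, but keeping both flags, `Optional: true,` plus `Computed: true,`, is the usual shape for a lookup key that is also echoed back. The new read branch itself looks fine: it only runs when the earlier id/name lookups left `resp` nil.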
@@ -254,6 +254,22 @@ func dataSourceDlpWebRules() *schema.Resource {
 				Computed:    true,
 				Description: "Enables or disables the DLP policy rule.",
 			},
+			"severity": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Indicates the severity selected for the DLP rule violation",
+			},
+			"parent_rule": {
+				Type:        schema.TypeInt,
+				Computed:    true,
+				Description: "The unique identifier of the parent rule under which an exception rule is added.",
+			},
+			"sub_rules": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "The list of exception rules added to a parent rule",
+			},
 			"time_windows": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -554,12 +570,17 @@ func dataSourceDlpWebRulesRead(d *schema.ResourceData, m interface{}) error {
 	_ = d.Set("state", resp.State)
 	_ = d.Set("min_size", resp.MinSize)
 	_ = d.Set("action", resp.Action)
+	_ = d.Set("severity", resp.Severity)
+	_ = d.Set("parent_rule", resp.ParentRule)
+	_ = d.Set("sub_rules", resp.SubRules)
 	_ = d.Set("match_only", resp.MatchOnly)
 	_ = d.Set("last_modified_time", resp.LastModifiedTime)
 	_ = d.Set("external_auditor_email", resp.ExternalAuditorEmail)
 	_ = d.Set("without_content_inspection", resp.WithoutContentInspection)
 	_ = d.Set("ocr_enabled", resp.OcrEnabled)
 	_ = d.Set("zscaler_incident_receiver", resp.ZscalerIncidentReceiver)
+	_ = d.Set("zcc_notifications_enabled", resp.ZCCNotificationsEnabled)
+	_ = d.Set("dlp_download_scan_enabled", resp.DLPDownloadScanEnabled)
 
 	if err := d.Set("locations", flattenIDExtensions(resp.Locations)); err != nil {
 		return err
diff --git a/zia/data_source_zia_dlp_web_rules_test.go b/zia/data_source_zia_dlp_web_rules_test.go
index db53ee9d..dae1abbf 100644
--- a/zia/data_source_zia_dlp_web_rules_test.go
+++ b/zia/data_source_zia_dlp_web_rules_test.go
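Review bot: The data-source schema hunk adds `severity`, `parent_rule` and `sub_rules`, but not `user_risk_score_levels`, and the read hunk never sets it either, while the docs/data-sources page in this same commit documents `user_risk_score_levels` as a returned list; either add the attribute to both hunks or drop it from the doc. The read hunk also starts setting `zcc_notifications_enabled` and `dlp_download_scan_enabled`, and because every `d.Set` result is discarded with `_ =`, a key that is missing from the data-source schema (I cannot see whether these two are declared) would fail silently and simply never appear in state; for newly added keys it is worth checking the error once, e.g. `if err := d.Set("zcc_notifications_enabled", resp.ZCCNotificationsEnabled); err != nil { return err }`. Note too that the data source declares `sub_rules` as `TypeList` while the resource declares it as `TypeSet`, which is harmless for a computed attribute but worth making consistent.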
@@ -28,8 +28,8 @@ func TestAccDataSourceDlpWebRules_Basic(t *testing.T) { resource.TestCheckResourceAttrPair(dataSourceTypeAndName, "state", resourceTypeAndName, "state"), resource.TestCheckResourceAttr(dataSourceTypeAndName, "protocols.#", "3"), resource.TestCheckResourceAttr(resourceTypeAndName, "without_content_inspection", strconv.FormatBool(variable.DLPRuleContentInspection)), - resource.TestCheckResourceAttr(resourceTypeAndName, "match_only", strconv.FormatBool(variable.DLPMatchOnly)), - resource.TestCheckResourceAttr(resourceTypeAndName, "ocr_enabled", strconv.FormatBool(variable.DLPOCREnabled)), + //resource.TestCheckResourceAttr(resourceTypeAndName, "match_only", strconv.FormatBool(variable.DLPMatchOnly)), + ), }, }, diff --git a/zia/resource_zia_dlp_web_rules.go b/zia/resource_zia_dlp_web_rules.go index d5932c56..5e2997d0 100644 --- a/zia/resource_zia_dlp_web_rules.go +++ b/zia/resource_zia_dlp_web_rules.go @@ -59,9 +59,8 @@ func resourceDlpWebRules() *schema.Resource { Computed: true, }, "name": { - Type: schema.TypeString, - Required: true, - // ValidateFunc: validation.StringLenBetween(0, 31), + Type: schema.TypeString, + Required: true, Description: "The DLP policy rule name.", }, "description": { 
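Review bot: In the data_source_zia_dlp_web_rules_test.go hunk the `match_only` assertion is commented out rather than removed, and the `ocr_enabled` assertion is dropped outright with its `DLPOCREnabled` constant, so the test no longer checks either flag and nothing says why. The same commented-out `match_only` line appears twice in the resource_zia_dlp_web_rules_test.go hunks further down (the -31 and -46 hunks); if the attribute is intentionally not asserted any more, delete the lines, otherwise restore them with a comment such as `// match_only is not echoed back by the API for ALL_OUTBOUND rules` explaining the exclusion (I am inferring that reason from the new test config, so confirm it). As rendered here the hunk's new side ends with `),` followed by the context `},` `},`, which I cannot reconcile with the 8/8 line counts, so it would be worth confirming the file still builds.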
@@ -92,6 +91,38 @@ func resourceDlpWebRules() *schema.Resource {
 				Computed:    true,
 				Description: "The rule order of execution for the DLP policy rule with respect to other rules.",
 			},
+			"severity": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Computed:    true,
+				Description: "Indicates the severity selected for the DLP rule violation",
+				ValidateFunc: validation.StringInSlice([]string{
+					"RULE_SEVERITY_HIGH",
+					"RULE_SEVERITY_MEDIUM",
+					"RULE_SEVERITY_LOW",
+					"RULE_SEVERITY_INFO",
+				}, false),
+			},
+			"parent_rule": {
+				Type:        schema.TypeInt,
+				Optional:    true,
+				Computed:    true,
+				Description: "The unique identifier of the parent rule under which an exception rule is added",
+			},
+			"sub_rules": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Computed:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "The list of exception rules added to a parent rule",
+			},
+			"user_risk_score_levels": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Computed:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "",
+			},
 			"cloud_applications": {
 				Type:     schema.TypeSet,
 				Optional: true,
@@ -99,6 +130,13 @@ func resourceDlpWebRules() *schema.Resource {
 				Elem:        &schema.Schema{Type: schema.TypeString},
 				Description: "The list of cloud applications to which the DLP policy rule must be applied.",
 			},
+			"file_types": {
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Computed:    true,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Description: "The list of file types for which the DLP policy rule must be applied.",
+			},
 			"min_size": {
 				Type:     schema.TypeInt,
 				Optional: true,
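Review bot: `user_risk_score_levels` is added with `Description: ""` and no element validation, while the sibling `severity` attribute in the same hunk gets both a description and a `validation.StringInSlice` guard, and the resource docs in this commit enumerate exactly four accepted values. Fill in the description and validate the elements the same way: `Description: "Indicates the user risk score level selected for the DLP rule violation",` and `Elem: &schema.Schema{Type: schema.TypeString, ValidateFunc: validation.StringInSlice([]string{"LOW", "MEDIUM", "HIGH", "CRITICAL"}, false)},` so that a typo is caught at plan time instead of by the API. The descriptions for `severity` and `parent_rule` also lack the trailing period the neighbouring descriptions use.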
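Review bot: The inlined `file_types` schema in the -99/+130 hunk drops the per-element `ValidateDiagFunc: validateDLPRuleFileTypes()` that the deleted `getDLPRuleFileTypes` helper in common.go attached, so unknown file-type strings are no longer rejected during `terraform plan`; the replacement `validateDLPRuleFileTypes(req)` call in Create/Update runs only at apply time. If the move is deliberate because the new check is cross-field (the docs tie `ALL_OUTBOUND` and the image types to `without_content_inspection`/`ocr_enabled`), that is reasonable, but it is worth keeping the cheap plan-time element check as well, or at least noting in the description that combinations are validated on apply. I cannot see the new validator.go bodies, so this is inferred from the call sites.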
@@ -171,7 +209,6 @@ func resourceDlpWebRules() *schema.Resource {
 				Computed:    true,
 				Description: "Indicates whether a Zscaler Incident Receiver is associated to the DLP policy rule.",
 			},
-			"file_types":      getDLPRuleFileTypes("The list of file types to which the DLP policy rule must be applied."),
 			"locations":       setIDsSchemaTypeCustom(intPtr(8), "The Name-ID pairs of locations to which the DLP policy rule must be applied."),
 			"location_groups": setIDsSchemaTypeCustom(intPtr(32), "The Name-ID pairs of locations groups to which the DLP policy rule must be applied."),
 			"users":           setIDsSchemaTypeCustom(intPtr(4), "The Name-ID pairs of users to which the DLP policy rule must be applied."),
@@ -194,10 +231,17 @@ func resourceDlpWebRules() *schema.Resource {
 func resourceDlpWebRulesCreate(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
 	req := expandDlpWebRules(d)
-	errValidation := validateDlpWebRules(req)
-	if errValidation != nil {
-		return errValidation
+
+	// Validate file types
+	if err := validateDLPRuleFileTypes(req); err != nil {
+		return err
+	}
+
+	// Validate the OCR DLP web rules (assuming this is another validation function you have)
+	if err := validateOCRDlpWebRules(req); err != nil {
+		return err
 	}
+
 	log.Printf("[INFO] Creating zia web dlp rule\n%+v\n", req)
 
 	timeout := d.Timeout(schema.TimeoutCreate)
@@ -225,7 +269,7 @@ func resourceDlpWebRulesCreate(d *schema.ResourceData, m interface{}) error {
 	if err != nil {
 		if strings.Contains(err.Error(), "INVALID_INPUT_ARGUMENT") && !strings.Contains(err.Error(), "ICAP Receiver with id") {
 			if time.Since(start) < timeout {
-				time.Sleep(10 * time.Second) // Wait before retrying
+				time.Sleep(5 * time.Second) // Wait before retrying
 				continue
 			}
 		}
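Review bot: The comment `// Validate the OCR DLP web rules (assuming this is another validation function you have)` in resourceDlpWebRulesCreate reads like pasted assistant output rather than a description of the code, and the identical line is repeated in the resourceDlpWebRulesUpdate hunk below; replace both with a comment that states what the check enforces, for example `// Reject file_types that the API only accepts when ocr_enabled is set` (I am inferring the rule from the docs, since validateOCRDlpWebRules itself is outside this diff). The retry sleep in the -225/+269 hunk is halved from 10 s to 5 s, and the same change is made in the Update retry loop; that doubles the request rate against the API while an `INVALID_INPUT_ARGUMENT` error persists, which is fine if the create timeout is short but would be easier to keep consistent as one named constant, e.g. `const dlpRuleRetryInterval = 5 * time.Second`, used by both loops. The two `time.Sleep` hunks are inside functions whose bodies continue outside the hunk.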
@@ -295,9 +339,13 @@ func resourceDlpWebRulesRead(d *schema.ResourceData, m interface{}) error {
 	_ = d.Set("description", resp.Description)
 	_ = d.Set("file_types", resp.FileTypes)
 	_ = d.Set("cloud_applications", resp.CloudApplications)
+	_ = d.Set("user_risk_score_levels", resp.UserRiskScoreLevels)
 	_ = d.Set("state", resp.State)
 	_ = d.Set("min_size", resp.MinSize)
 	_ = d.Set("action", resp.Action)
+	_ = d.Set("severity", resp.Severity)
+	_ = d.Set("parent_rule", resp.ParentRule)
+	_ = d.Set("sub_rules", resp.SubRules)
 	_ = d.Set("match_only", resp.MatchOnly)
 	_ = d.Set("external_auditor_email", resp.ExternalAuditorEmail)
 	_ = d.Set("without_content_inspection", resp.WithoutContentInspection)
@@ -375,10 +423,16 @@ func resourceDlpWebRulesUpdate(d *schema.ResourceData, m interface{}) error {
 	}
 	log.Printf("[INFO] Updating web dlp rule ID: %v\n", id)
 	req := expandDlpWebRules(d)
-	errValidation := validateDlpWebRules(req)
-	if errValidation != nil {
-		return errValidation
+	// Validate file types
+	if err := validateDLPRuleFileTypes(req); err != nil {
+		return err
+	}
+
+	// Validate the OCR DLP web rules (assuming this is another validation function you have)
+	if err := validateOCRDlpWebRules(req); err != nil {
+		return err
 	}
+
 	if _, err := zClient.dlp_web_rules.Get(id); err != nil {
 		if respErr, ok := err.(*client.ErrorResponse); ok && respErr.IsObjectNotFound() {
 			d.SetId("")
@@ -417,7 +471,7 @@ func resourceDlpWebRulesUpdate(d *schema.ResourceData, m interface{}) error {
 			err = resourceDlpWebRulesRead(d, m)
 			if err != nil {
 				if time.Since(start) < timeout {
-					time.Sleep(10 * time.Second) // Wait before retrying
+					time.Sleep(5 * time.Second) // Wait before retrying
 					continue
 				}
 				return err
@@ -447,26 +501,6 @@ func resourceDlpWebRulesDelete(d *schema.ResourceData, m interface{}) error {
 	return nil
 }
 
-func validateDlpWebRules(dlp dlp_web_rules.WebDLPRules) error {
-	fileTypes := []string{"BITMAP", "PNG", "JPEG", "TIFF", "WINDOWS_META_FORMAT"}
-	if dlp.OcrEnabled {
-		// dlp.FileTypes must be a subset of fileTypes
-		for _, t1 := range dlp.FileTypes {
-			found := false
-			for _, t2 := range fileTypes {
-				if t1 == t2 {
-					found = true
-					break
-				}
-			}
-			if !found {
-				return fmt.Errorf("web dlp rule file types must be a subset of %v when OcrEnabled is disabled", fileTypes)
-			}
-		}
-	}
-	return nil
-}
-
 func expandDlpWebRules(d *schema.ResourceData) dlp_web_rules.WebDLPRules {
 	id, _ := getIntFromResourceData(d, "rule_id")
 	result := dlp_web_rules.WebDLPRules{
@@ -477,6 +511,7 @@ func expandDlpWebRules(d *schema.ResourceData) dlp_web_rules.WebDLPRules {
 		Description:              d.Get("description").(string),
 		Action:                   d.Get("action").(string),
 		State:                    d.Get("state").(string),
+		Severity:                 d.Get("severity").(string),
 		ExternalAuditorEmail:     d.Get("external_auditor_email").(string),
 		MatchOnly:                d.Get("match_only").(bool),
 		WithoutContentInspection: d.Get("without_content_inspection").(bool),
@@ -485,9 +520,12 @@ func expandDlpWebRules(d *schema.ResourceData) dlp_web_rules.WebDLPRules {
 		ZCCNotificationsEnabled:  d.Get("zcc_notifications_enabled").(bool),
 		ZscalerIncidentReceiver:  d.Get("zscaler_incident_receiver").(bool),
 		MinSize:                  d.Get("min_size").(int),
+		ParentRule:               d.Get("parent_rule").(int),
 		Protocols:                SetToStringList(d, "protocols"),
 		FileTypes:                SetToStringList(d, "file_types"),
 		CloudApplications:        SetToStringList(d, "cloud_applications"),
+		UserRiskScoreLevels:      SetToStringList(d, "user_risk_score_levels"),
+		SubRules:                 SetToStringList(d, "sub_rules"),
 		Auditor:                  expandIDNameExtensionsListSingle(d, "auditor"),
 		NotificationTemplate:     expandIDNameExtensionsListSingle(d, "notification_template"),
 		IcapServer:               expandIDNameExtensionsListSingle(d, "icap_server"),
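Review bot: `ParentRule: d.Get("parent_rule").(int)` in expandDlpWebRules sends `0` for every rule that does not set `parent_rule`, because the attribute is `Optional`+`Computed` with no default; whether the API treats `0` as "no parent" or as a reference to a non-existent rule is not visible from this diff, and if it is the latter every ordinary rule will now be rejected or, if the server echoes a different value, will show a perpetual diff. Guard it the way a truly optional integer is normally handled: leave the field out of the literal and add `if v, ok := d.GetOk("parent_rule"); ok { result.ParentRule = v.(int) }` after it, and confirm the SDK struct tag has `omitempty` for this field. `sub_rules` is expanded as a list of strings while the docs describe sub-rules as full WebDlpRule objects; if the SDK field is a string slice of rule IDs, saying so in the schema description would avoid the confusion. The expandDlpWebRules body continues outside the hunk.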
diff --git a/zia/resource_zia_dlp_web_rules_test.go b/zia/resource_zia_dlp_web_rules_test.go index e19b7b09..7ad1cbe5 100644 --- a/zia/resource_zia_dlp_web_rules_test.go +++ b/zia/resource_zia_dlp_web_rules_test.go @@ -15,7 +15,7 @@ import ( "github.com/zscaler/zscaler-sdk-go/v2/zia/services/dlp/dlp_web_rules" ) -func TestAccResourceDlpWebRulesBasic(t *testing.T) { +func TestAccResourceDlpWebRules_Basic(t *testing.T) { var rules dlp_web_rules.WebDLPRules resourceTypeAndName, _, generatedName := method.GenerateRandomSourcesTypeAndName(resourcetype.DLPWebRules) @@ -31,13 +31,13 @@ func TestAccResourceDlpWebRulesBasic(t *testing.T) { Config: testAccCheckDlpWebRulesConfigure(resourceTypeAndName, generatedName, initialName, variable.DLPWebRuleDesc, variable.DLPRuleResourceAction, variable.DLPRuleResourceState), Check: resource.ComposeTestCheckFunc( testAccCheckDlpWebRulesExists(resourceTypeAndName, &rules), - resource.TestCheckResourceAttr(resourceTypeAndName, "name", "tf-acc-test-"+initialName), + resource.TestCheckResourceAttr(resourceTypeAndName, "name", initialName), resource.TestCheckResourceAttr(resourceTypeAndName, "description", variable.DLPWebRuleDesc), resource.TestCheckResourceAttr(resourceTypeAndName, "action", variable.DLPRuleResourceAction), resource.TestCheckResourceAttr(resourceTypeAndName, "state", variable.DLPRuleResourceState), resource.TestCheckResourceAttr(resourceTypeAndName, "protocols.#", "3"), resource.TestCheckResourceAttr(resourceTypeAndName, "without_content_inspection", strconv.FormatBool(variable.DLPRuleContentInspection)), - resource.TestCheckResourceAttr(resourceTypeAndName, "match_only", strconv.FormatBool(variable.DLPMatchOnly)), + // resource.TestCheckResourceAttr(resourceTypeAndName, "match_only", strconv.FormatBool(variable.DLPMatchOnly)), ), }, 
@@ -46,13 +46,13 @@ func TestAccResourceDlpWebRulesBasic(t *testing.T) { Config: testAccCheckDlpWebRulesConfigure(resourceTypeAndName, generatedName, updatedName, variable.DLPWebRuleDesc, variable.DLPRuleResourceAction, variable.DLPRuleResourceState), Check: resource.ComposeTestCheckFunc( testAccCheckDlpWebRulesExists(resourceTypeAndName, &rules), - resource.TestCheckResourceAttr(resourceTypeAndName, "name", "tf-acc-test-"+updatedName), + resource.TestCheckResourceAttr(resourceTypeAndName, "name", updatedName), resource.TestCheckResourceAttr(resourceTypeAndName, "description", variable.DLPWebRuleDesc), resource.TestCheckResourceAttr(resourceTypeAndName, "action", variable.DLPRuleResourceAction), resource.TestCheckResourceAttr(resourceTypeAndName, "state", variable.DLPRuleResourceState), resource.TestCheckResourceAttr(resourceTypeAndName, "protocols.#", "3"), resource.TestCheckResourceAttr(resourceTypeAndName, "without_content_inspection", strconv.FormatBool(variable.DLPRuleContentInspection)), - resource.TestCheckResourceAttr(resourceTypeAndName, "match_only", strconv.FormatBool(variable.DLPMatchOnly)), + // resource.TestCheckResourceAttr(resourceTypeAndName, "match_only", strconv.FormatBool(variable.DLPMatchOnly)), ), }, // Import test 
@@ -132,29 +132,6 @@ func testAccCheckDlpWebRulesExists(resource string, rule *dlp_web_rules.WebDLPRu } } -// func testAccCheckDlpWebRulesConfigure(resourceTypeAndName, generatedName, name, description, action, state, ruleLabelTypeAndName, ruleLabelHCL string) string { -// return fmt.Sprintf(` -// // rule label resource -// %s - -// // dlp web rule resource -// %s - -// data "%s" "%s" { -// id = "${%s.id}" -// } -// `, -// // resource variables -// ruleLabelHCL, -// getDLPWebRuleResourceHCL(generatedName, name, description, action, state, ruleLabelTypeAndName), - -// // data source variables -// resourcetype.DLPWebRules, -// generatedName, -// resourceTypeAndName, -// ) -// } - func testAccCheckDlpWebRulesConfigure(resourceTypeAndName, generatedName, name, description, action, state string) string { resourceName := strings.Split(resourceTypeAndName, ".")[1] // Extract the resource name @@ -168,13 +145,6 @@ data "zia_url_categories" "finance"{ id = "FINANCE" } -data "zia_dlp_engines" "pci" { - name = "PCI" -} - -data "zia_dlp_engines" "glba" { - name = "GLBA" -} data "zia_rule_labels" "can"{ name = "GLOBAL" } @@ -211,18 +181,22 @@ data "zia_location_groups" "sdwan_usa" { name = "SDWAN_USA" } +data "zia_dlp_engines" "this" { + predefined_engine_name = "EXTERNAL" + } + resource "%s" "%s" { - name = "tf-acc-test-%s" + name = "%s" description = "%s" action = "%s" state = "%s" order = 1 rank = 7 protocols = ["FTP_RULE", "HTTPS_RULE", "HTTP_RULE"] - without_content_inspection = false - match_only = false - file_types = [] - min_size = 20 + without_content_inspection = true + file_types = [ "ALL_OUTBOUND" ] + user_risk_score_levels = ["LOW", "MEDIUM", "HIGH", "CRITICAL"] + severity = "RULE_SEVERITY_HIGH" zscaler_incident_receiver = true location_groups { id = [data.zia_location_groups.sdwan_usa.id, data.zia_location_groups.sdwan_can.id] 
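Review bot: The rewritten resource HCL in the @@ -211 hunk sets `without_content_inspection = true` with `file_types = [ "ALL_OUTBOUND" ]`, which is exactly the early-return path of the new `validateDLPRuleFileTypes`, so the branch that rejects unsupported types and the OCR restriction get no acceptance coverage from this test. Consider a second step with `without_content_inspection = false` and a content-inspected type such as `PDF_DOCUMENT`, plus a negative step using `ExpectError` for a rejected combination. The closing brace of the new `data "zia_dlp_engines" "this"` block is also indented one space (`+ }`), unlike the neighbouring data blocks, and gofmt will not fix it inside the raw string. The `testAccCheckDlpWebRulesConfigure` function this HCL belongs to starts and ends outside the hunk.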
@@ -236,12 +210,12 @@ resource "%s" "%s" { time_windows { id = [data.zia_firewall_filtering_time_window.work_hours.id, data.zia_firewall_filtering_time_window.off_hours.id] } - dlp_engines { - id = [data.zia_dlp_engines.pci.id, data.zia_dlp_engines.glba.id] - } url_categories { id = [data.zia_url_categories.corporate_marketing.val, data.zia_url_categories.finance.val] } + dlp_engines { + id = [data.zia_dlp_engines.this.id] + } } data "%s" "%s" { diff --git a/zia/utils.go b/zia/utils.go index c2fdffed..c784b59d 100644 --- a/zia/utils.go +++ b/zia/utils.go @@ -173,3 +173,13 @@ func DiffSuppressFuncCoordinate(_, old, new string, _ *schema.ResourceData) bool func createValidResourceName(name string) string { return strings.ReplaceAll(name, " ", "_") } + +// contains checks if a slice contains a specific element +func contains(slice []string, element string) bool { + for _, v := range slice { + if v == element { + return true + } + } + return false +} diff --git a/zia/validator.go b/zia/validator.go index 64dfb5cc..ea0b34e0 100644 --- a/zia/validator.go +++ b/zia/validator.go @@ -9,6 +9,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/diag" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + "github.com/zscaler/zscaler-sdk-go/v2/zia/services/dlp/dlp_web_rules" ) // Validate URL Filtering Category Options 
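Review bot: `contains` in utils.go re-implements `slices.Contains` from the standard library (Go 1.21+); if the module's `go` directive allows it, drop the helper and call `slices.Contains(allowedFileTypes, fileType)` at the call sites in validator.go. If the toolchain floor is older, keep it but make the doc comment a full sentence per Go convention: `// contains reports whether slice holds element.`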
@@ -299,39 +300,97 @@ func validateCloudFirewallNwServicesTag() schema.SchemaValidateDiagFunc { } } -func validateDLPRuleFileTypes() schema.SchemaValidateDiagFunc { - return func(i interface{}, path cty.Path) diag.Diagnostics { - value, ok := i.(string) - if !ok { - return diag.Diagnostics{ - { - Severity: diag.Error, - Summary: "Expected type to be string", - Detail: "Type assertion failed, expected string type for DLP Rule File Types validation", - }, +func validateOCRDlpWebRules(dlp dlp_web_rules.WebDLPRules) error { + // Define supported file types for OCR enabled scenarios + supportedFileTypesWithOCREnabled := []string{"BITMAP", "PNG", "JPEG", "TIFF"} + + // Check if OCR is enabled + if dlp.OcrEnabled { + // Validate that dlp.FileTypes must be a subset of supportedFileTypesWithOCREnabled + for _, fileType := range dlp.FileTypes { + if !contains(supportedFileTypesWithOCREnabled, fileType) { + return fmt.Errorf("web dlp rule file type '%s' is not supported when OCR is enabled. Supported types: %v", fileType, supportedFileTypesWithOCREnabled) } } + } - // Convert the cty.Path to a string representation - pathStr := fmt.Sprintf("%+v", path) + return nil +} - // Use StringInSlice from helper/validation package - var diags diag.Diagnostics - if _, errs := validation.StringInSlice(supportedDLPRuleFileTypes, false)(value, pathStr); len(errs) > 0 { - for _, err := range errs { - diags = append(diags, diag.FromErr(err)...) - } - } +func validateDLPRuleFileTypes(dlp dlp_web_rules.WebDLPRules) error { + // New check: If FileTypes is not defined, WithoutContentInspection must be false + if len(dlp.FileTypes) == 0 && dlp.WithoutContentInspection { + return fmt.Errorf("without_content_inspection must be set to false when no file types are defined") + } - return diags + var allowedFileTypes []string + + allOutboundSelected := contains(dlp.FileTypes, "ALL_OUTBOUND") + + // If ALL_OUTBOUND is selected and withoutContentInspection is true, it should not trigger an error. 
+ if allOutboundSelected && len(dlp.FileTypes) == 1 && dlp.WithoutContentInspection { + return nil + } + + if allOutboundSelected && len(dlp.FileTypes) > 1 { + return fmt.Errorf("cannot have other file types when ALL_OUTBOUND is selected") } -} -var supportedDLPRuleFileTypes = []string{ - "ANY", "CHEMDRAW_FILES", "BITMAP", "SCT", "ASM", "COBOL", "PDF_DOCUMENT", "RES_FILES", - "POSTSCRIPT", "OAB", "BASIC_SOURCE_CODE", "JAVASCRIPT", "QLIKVIEW_FILES", "BORLAND_CPP_FILES", "JAVA_FILES", "APPLE_DOCUMENTS", "MS_MSG", "DSP", "MSC", "RUBY_FILES", "GO_FILES", "DMD", "MS_MDB", "FORM_DATA_POST", "TDSX", "MATLAB_FILES", "PYTHON", "CML", "C_FILES", "SCALA", "X1B", "TLI", "TLH", "YAML_FILES", "MS_RTF", "POD", "DELPHI", "SCZIP", "SAS", "FOR", "JAVA_APPLET", "F_FILES", "VISUAL_BASIC_SCRIPT", "TBM", "MS_EXCEL", "MS_CPP_FILES", "POWERSHELL", "TXT", "CSX", "INCLUDE_FILES", "RSP", "APPX", "INF", "JPEG", "SQL", "MM", "PNG", "COMPILED_HTML_HELP", "WINDOWS_META_FORMAT", "MS_WORD", "NATVIS", "ACCDB", "CSV", "BCP", "MAKE_FILES", "CP", "IFC", "PERL_FILES", "WINDOWS_SCRIPT_FILES", "RPY", "SHELL_SCRAP", "VISUAL_CPP_FILES", "VISUAL_BASIC_FILES", "XAML", "MS_POWERPOINT", "BASH_SCRIPTS", "SC", "VSDX", "TDS", "TIFF", + if dlp.WithoutContentInspection { + // Define allowed file types when without_content_inspection is true + allowedFileTypes = []string{ + "ACCDB", "APPLE_DOCUMENTS", "APPX", "ASM", "AU3", "BASH_SCRIPTS", "BASIC_SOURCE_CODE", "BCP", "BORLAND_CPP_FILES", "C_FILES", "CHEMDRAW_FILES", "CML", "COBOL", "COMPILED_HTML_HELP", "CP", "CSV", "CSX", "DAT", "DELPHI", "DMD", "DSP", "EML_FILES", "F_FILES", "FOR", "FORM_DATA_POST", "GO_FILES", "IFC", "INCLUDE_FILES", "INF", "JAVA_FILES", "LOG_FILES", "MAKE_FILES", "MATLAB_FILES", "MM", "MS_CPP_FILES", "MS_EXCEL", "MS_MDB", "MS_MSG", "MS_POWERPOINT", "MS_RTF", "MS_WORD", "MSC", "NATVIS", "OAB", "PDF_DOCUMENT", "PERL_FILES", "POD", "POSTSCRIPT", "POWERSHELL", "PYTHON", "QLIKVIEW_FILES", "RES_FILES", "RPY", "RSP", "RUBY_FILES", "SAS", "SC", "SCALA", 
"SCT", "SCZIP", "SHELL_SCRAP", "SQL", "TABLEAU_FILES", "TLH", "TLI", "TXT", "VISUAL_BASIC_FILES", "VISUAL_BASIC_SCRIPT", "VISUAL_CPP_FILES", "VSDX", "WINDOWS_META_FORMAT", "WINDOWS_SCRIPT_FILES", "X1B", "XAML", "YAML_FILES", "JAVA_APPLET", "JAVASCRIPT", + } + } else { + // Define allowed file types when without_content_inspection is false + allowedFileTypes = []string{ + "A_FILE", "ACCDB", "ADE", "APPLE_DOCUMENTS", "APPX", "ASM", "AU3", "AUTOCAD", "BASH_SCRIPTS", "BASIC_SOURCE_CODE", "BCP", "BGI", "BITMAP", "BORLAND_CPP_FILES", "BZIP2", "C_FILES", "CAB", "CER", "CERT", "CHEMDRAW_FILES", "CML", "COBOL", "COMPILED_HTML_HELP", "CP", "CSV", "CSX", "DAT", "DB", "DB2", "DBF", "DELPHI", "DER", "DMD", "DRV", "DSP", "EML_FILES", "ENCRYPT", "F_FILES", "FOR", "FORM_DATA_POST", "GIF", "GO_FILES", "GZIP", "IFC", "INCLUDE_FILES", "INF", "INI", "INTEGRATED_CIRCUIT_FILES", "ISO", "JAVA_FILES", "JKS", "JPEG", "KEY", "LOG_FILES", "MAKE_FILES", "MANIFEST", "MATLAB_FILES", "MM", "MS_CPP_FILES", "MS_EXCEL", "MS_MDB", "MS_MSG", "MS_POWERPOINT", "MS_RTF", "MS_WORD", "MSC", "NATVIS", "NCB", "NFM", "NLS", "OAB", "ONENOTE", "P12", "P7B", "P7Z", "PCAP", "PDF_DOCUMENT", "PEM", "PERL_FILES", "PHOTOSHOP", "PNG", "POD", "POSTSCRIPT", "POWERSHELL", "PYTHON", "QLIKVIEW_FILES", "RAR", "RES_FILES", "RPY", "RSP", "RUBY_FILES", "SAS", "SC", "SCALA", "SCT", "SCZIP", "SHELL_SCRAP", "SQL", "STL", "STUFFIT", "TABLEAU_FILES", "TAR", "TIFF", "TLH", "TLI", "TXT", "VISUAL_BASIC_FILES", "VISUAL_BASIC_SCRIPT", "VISUAL_CPP_FILES", "VSDX", "WINDOWS_META_FORMAT", "WINDOWS_SCRIPT_FILES", "X1B", "XAML", "YAML_FILES", "ZIP", "FLASH", "JAVA_APPLET", "JAVASCRIPT", + } + } + for _, fileType := range dlp.FileTypes { + if !contains(allowedFileTypes, fileType) { + return fmt.Errorf("the file_type '%s' is not accepted when without_content_inspection is false", fileType) + } + } + + return nil } +/* + func validateDLPRuleFileTypes() schema.SchemaValidateDiagFunc { + return func(i interface{}, path cty.Path) diag.Diagnostics 
{ + value, ok := i.(string) + if !ok { + return diag.Diagnostics{ + { + Severity: diag.Error, + Summary: "Expected type to be string", + Detail: "Type assertion failed, expected string type for DLP Rule File Types validation", + }, + } + } + + // Convert the cty.Path to a string representation + pathStr := fmt.Sprintf("%+v", path) + + // Use StringInSlice from helper/validation package + var diags diag.Diagnostics + if _, errs := validation.StringInSlice(supportedDLPRuleFileTypes, false)(value, pathStr); len(errs) > 0 { + for _, err := range errs { + diags = append(diags, diag.FromErr(err)...) + } + } + + return diags + } + } + + var supportedDLPRuleFileTypes = []string{ + "ANY", "CHEMDRAW_FILES", "BITMAP", "SCT", "ASM", "COBOL", "PDF_DOCUMENT", "RES_FILES", + "POSTSCRIPT", "OAB", "BASIC_SOURCE_CODE", "JAVASCRIPT", "QLIKVIEW_FILES", "BORLAND_CPP_FILES", "JAVA_FILES", "APPLE_DOCUMENTS", "MS_MSG", "DSP", "MSC", "RUBY_FILES", "GO_FILES", "DMD", "MS_MDB", "FORM_DATA_POST", "TDSX", "MATLAB_FILES", "PYTHON", "CML", "C_FILES", "SCALA", "X1B", "TLI", "TLH", "YAML_FILES", "MS_RTF", "POD", "DELPHI", "SCZIP", "SAS", "FOR", "JAVA_APPLET", "F_FILES", "VISUAL_BASIC_SCRIPT", "TBM", "MS_EXCEL", "MS_CPP_FILES", "POWERSHELL", "TXT", "CSX", "INCLUDE_FILES", "RSP", "APPX", "INF", "JPEG", "SQL", "MM", "PNG", "COMPILED_HTML_HELP", "WINDOWS_META_FORMAT", "MS_WORD", "NATVIS", "ACCDB", "CSV", "BCP", "MAKE_FILES", "CP", "IFC", "PERL_FILES", "WINDOWS_SCRIPT_FILES", "RPY", "SHELL_SCRAP", "VISUAL_CPP_FILES", "VISUAL_BASIC_FILES", "XAML", "MS_POWERPOINT", "BASH_SCRIPTS", "SC", "VSDX", "TDS", "TIFF", + } +*/ + func validateDeviceTrustLevels() schema.SchemaValidateDiagFunc { return func(i interface{}, path cty.Path) diag.Diagnostics { value, ok := i.(string)
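Review bot: The rejection message at the end of `validateDLPRuleFileTypes` always says `without_content_inspection is false`, but the loop also runs on the `dlp.WithoutContentInspection == true` branch against the restricted list, so a user who enables it and picks e.g. `BITMAP` is told the opposite of their own setting; format the actual value instead: `return fmt.Errorf("the file_type %q is not accepted when without_content_inspection is %t", fileType, dlp.WithoutContentInspection)`. `ALL_OUTBOUND` alone with `WithoutContentInspection` false is in neither allowed list and fails through that same generic message; if that combination is intentionally invalid, an explicit check with a message naming the rule would be clearer than the fall-through. The old validator and the `supportedDLPRuleFileTypes` list kept inside `/* … */` should be deleted rather than commented out (the earlier hunk in the test file already removed a commented-out function for the same reason), after which check whether the `validation` import is still referenced elsewhere in this file. Neither function is a schema validator any more and their callers are not in this diff, so confirm both are invoked from the resource's create and update paths.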