feat: Web DLP Rule New Attribute Options

CHANGELOG.md

@@ -1,10 +1,10 @@
 # Changelog
 
-## 2.7.0 (December, 13 2023)
+## 2.7.0 (December, 19 2023)
 
 ### Notes
 
-- Release date: **(December, 13 2023)**
+- Release date: **(December, 19 2023)**
 - Supported Terraform version: **v1.x**
 
 ### Enhancements
@@ -23,9 +23,20 @@ NEW - RESOURCES, DATA SOURCES
   - **Sandbox Submission** - `zia_sandbox_file_submission` -  Submits raw or archive files (e.g., ZIP) to the Zscaler service for out-of-band file inspection to generate real-time verdicts for known and unknown files. It leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously.
     ⚠️ **Note:**: The ZIA Terraform provider requires both the `ZIA_CLOUD` and `ZIA_SANDBOX_TOKEN` in order to authenticate to the Zscaler Cloud Sandbox environment. For details on how obtain the API Token visit the Zscaler help portal [About Sandbox API Token](https://help.zscaler.com/zia/about-sandbox-api-token)
 
+- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Added new `zia_dlp_web_rules` attributes:
+  - `severity` - Supported values: `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO`
+  - `user_risk_score_levels` - Supported values: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`
+  - `parent_rule`
+  - `sub_rules`
+
+- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE`
+
+- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE`
+
 ### Fixes
 
 - [PR #299](https://github.com/zscaler/terraform-provider-zia/pull/299) - Fixed panic with ``zia_url_categories``.
+- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Fixed `zia_dlp_web_rules` File Types validation function.
 
 ## 2.6.6 (November, 23 2023)
 

docs/data-sources/zia_dlp_engines.md

@@ -14,18 +14,25 @@ Use the **zia_dlp_engines** data source to get information about a ZIA DLP Engin
 
 ```hcl
 # Retrieve a DLP Engine by name
-data "zia_dlp_engines" "example"{
+data "zia_dlp_engines" "this"{
     name = "Example"
 }
 ```
 
 ```hcl
 # Retrieve a DLP Engine by ID
-data "zia_dlp_engines" "example"{
+data "zia_dlp_engines" "this"{
     id = 1234567890
 }
 ```
 
+```hcl
+# Retrieve a Predefined DLP Engine
+data "zia_dlp_engines" "this"{
+    predefined = "EXTERNAL"
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:

docs/data-sources/zia_dlp_web_rules.md

@@ -55,9 +55,24 @@ rules.
   * `DISABLED`
   * `ENABLED`
 
-* `file_types` - (String) The list of file types to which the DLP policy rule must be applied. For the complete list of supported file types refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
+* `file_types` - (List) The list of file types to which the DLP policy rule must be applied. For the complete list of supported file types refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
+
+  * ~> Note: `BITMAP`, `JPEG`, `PNG`, and `TIFF` file types are exclusively supported when optical character recognition `ocr_enabled` is set to `true` for DLP rules with content inspection.
+
+  * ~> Note: `ALL_OUTBOUND` file type is applicable only when the predefined DLP engine called `EXTERNAL` is used and when the attribute `without_content_inspection` is set to `true`. For `EXTERNAL` DLP Engine See the [zia_dlp_engine](https://registry.terraform.io/providers/zscaler/zia/latest/docs/data-sources/zia_dlp_engines) data source documentation
+
 * `cloud_applications` - (Optional) The list of cloud applications to which the DLP policy rule must be applied. For the complete list of supported cloud applications refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
 
+* `severity` - (String) Indicates the severity selected for the DLP rule violation: Returned values are:  `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO`
+
+* `user_risk_score_levels` (List) - Indicates the user risk score level selectedd for the DLP rule violation: Returned values are: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`
+
+* `parent_rule`(Number) - The unique identifier of the parent rule under which an exception rule is added.
+ ~> Note: Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.
+
+* `sub_rules`(List) - The list of exception rules added to a parent rule.
+ ~> Note: All attributes within the WebDlpRule model are applicable to the sub-rules. Values for each rule are specified by using the WebDlpRule object Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.
+
 * `last_modified_by` - (Number)  The admin that modified the DLP policy rule last.
   * `id` - (Number) Identifier that uniquely identifies an entity
 

docs/guides/release-notes.md

@@ -16,11 +16,11 @@ Track all ZIA Terraform provider's releases. New resources, features, and bug fi
 
 ---
 
-## 2.7.0 (December, 13 2023)
+## 2.7.0 (December, 19 2023)
 
 ### Notes
 
-- Release date: **(December, 13 2023)**
+- Release date: **(December, 19 2023)**
 - Supported Terraform version: **v1.x**
 
 ### Enhancements
@@ -39,9 +39,20 @@ NEW - RESOURCES, DATA SOURCES
   - **Sandbox Submission** - `zia_sandbox_file_submission` -  Submits raw or archive files (e.g., ZIP) to the Zscaler service for out-of-band file inspection to generate real-time verdicts for known and unknown files. It leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously.
     ⚠️ **Note:**: The ZIA Terraform provider requires both the `ZIA_CLOUD` and `ZIA_SANDBOX_TOKEN` in order to authenticate to the Zscaler Cloud Sandbox environment. For details on how obtain the API Token visit the Zscaler help portal [About Sandbox API Token](https://help.zscaler.com/zia/about-sandbox-api-token)
 
+- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Added new `zia_dlp_web_rules` attributes:
+  - `severity` - Supported values: `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO`
+  - `user_risk_score_levels` - Supported values: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`
+  - `parent_rule`
+  - `sub_rules`
+
+- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE`
+
+- [PR #308](https://github.com/zscaler/terraform-provider-zia/pull/308) - ✨ Added 🆕 Cloud Browser Isolation Profile data source. The data source can be used to associate a CBI profile with the `zia_url_filtering_rules` resource when the action is set to `ISOLATE`
+
 ### Fixes
 
 - [PR #299](https://github.com/zscaler/terraform-provider-zia/pull/299) - Fixed panic with ``zia_url_categories``.
+- [PR #302](https://github.com/zscaler/terraform-provider-zia/pull/302) - Fixed `zia_dlp_web_rules` File Types validation function.
 
 ## 2.6.6 (November, 23 2023)
 

docs/resources/zia_dlp_web_rules.md

@@ -12,7 +12,7 @@ The **zia_dlp_web_rules** resource allows the creation and management of ZIA DLP
 
 ⚠️ **WARNING:** Zscaler Internet Access DLP supports a maximum of 127 Web DLP Rules to be created via API.
 
-## Example Usage
+## Example Usage - OCR ENABLED
 
 ```hcl
 resource "zia_dlp_web_rules" "test" {
@@ -27,12 +27,39 @@ resource "zia_dlp_web_rules" "test" {
     without_content_inspection  = false
     match_only                  = false
     ocr_enabled                 = true
-    file_types                = [ "WINDOWS_META_FORMAT", "BITMAP", "JPEG", "PNG", "TIFF"]
+    file_types                = [ "BITMAP", "JPEG", "PNG", "TIFF"]
     min_size                    = 20
     zscaler_incident_receiver   = true
 }
 ```
 
+## Example Usage - "ALL_OUTBOUND" File Type
+
+```hcl
+data "zia_dlp_engines" "this" {
+  predefined_engine_name = "EXTERNAL"
+}
+
+resource "zia_dlp_web_rules" "this" {
+  name                       = "Example"
+  description                = "Example"
+  action                     = "BLOCK"
+  order                      = 1
+  rank                       = 7
+  state                      = "ENABLED"
+  # ocr_enabled              = true
+  protocols                  = [ "FTP_RULE", "HTTPS_RULE", "HTTP_RULE" ]
+  file_types                 = [ "ALL_OUTBOUND" ]
+  zscaler_incident_receiver  = true
+  without_content_inspection = false
+  user_risk_score_levels     = [ "LOW", "MEDIUM", "HIGH", "CRITICAL" ]
+  severity                   = "RULE_SEVERITY_HIGH"
+  dlp_engines {
+    id = [ data.zia_dlp_engines.this.id ]
+  }
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -48,6 +75,8 @@ The following arguments are supported:
 * `external_auditor_email` - (Optional) The email address of an external auditor to whom DLP email notifications are sent.
 * `match_only` - (Optional) The match only criteria for DLP engines.
 * `without_content_inspection` - (Optional) Indicates a DLP policy rule without content inspection, when the value is set to true.
+  * `without_content_inspection` must be set to false if `file_types` is not defined.
+
 * `ocr_enabled` - (Optional) Enables or disables image file scanning. When OCR is enabled only the following ``file_types`` are supported: ``WINDOWS_META_FORMAT``, ``BITMAP``, ``JPEG``, ``PNG``, ``TIFF``
 * `zscaler_incident_receiver` - (Optional) Indicates whether a Zscaler Incident Receiver is associated to the DLP policy rule.
 
@@ -63,7 +92,22 @@ The following arguments are supported:
   * `ENABLED`
 
 * `file_types` - (Optional) The list of file types to which the DLP policy rule must be applied. For the complete list of supported file types refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
-* `cloud_applications` - (Optional) The list of cloud applications to which the DLP policy rule must be applied. For the complete list of supported cloud applications refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
+
+  * ~> Note: `BITMAP`, `JPEG`, `PNG`, and `TIFF` file types are exclusively supported when optical character recognition `ocr_enabled` is set to `true` for DLP rules with content inspection.
+
+  * ~> Note: `ALL_OUTBOUND` file type is applicable only when the predefined DLP engine called `EXTERNAL` is used and when the attribute `without_content_inspection` is set to `false`.
+
+  * ~> Note: `ALL_OUTBOUND` file type cannot be used alongside any any other file type.
+
+* `severity` - (String) Indicates the severity selected for the DLP rule violation: Returned values are:  `RULE_SEVERITY_HIGH`, `RULE_SEVERITY_MEDIUM`, `RULE_SEVERITY_LOW`, `RULE_SEVERITY_INFO`
+
+* `user_risk_score_levels` (Optional) - Indicates the user risk score level selectedd for the DLP rule violation: Returned values are: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`
+
+* `parent_rule`(Optional) - The unique identifier of the parent rule under which an exception rule is added.
+ ~> Note: Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.
+
+* `sub_rules`(List) - The list of exception rules added to a parent rule.
+ ~> Note: All attributes within the WebDlpRule model are applicable to the sub-rules. Values for each rule are specified by using the WebDlpRule object Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.
 
 * `notification_template` - (Optional) The template used for DLP notification emails.
   * `id` - (Optional) Identifier that uniquely identifies an entity

go.mod

@@ -3,13 +3,13 @@ module github.com/zscaler/terraform-provider-zia/v2
 go 1.20
 
 require (
-	github.com/biter777/countries v1.7.2
+	github.com/biter777/countries v1.6.6
 	github.com/fabiotavarespr/iso3166 v0.0.2
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
-	github.com/hashicorp/go-hclog v1.6.2
+	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.31.0
-	github.com/zscaler/zscaler-sdk-go/v2 v2.3.2
+	github.com/zscaler/zscaler-sdk-go/v2 v2.3.3
 )
 
 require (

go.sum

@@ -68,8 +68,8 @@ github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3A
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/biter777/countries v1.7.2 h1:sEnpwvVggSCpKBc+PGrzEkIOkoze/n93DzfxvucRAsg=
-github.com/biter777/countries v1.7.2/go.mod h1:1HSpZ526mYqKJcpT5Ti1kcGQ0L0SrXWIaptUWjFfv2E=
+github.com/biter777/countries v1.6.6 h1:07RfPdL1INfMBhxVGBgNMM8cTrhdqMtgIc3N1KrUMR8=
+github.com/biter777/countries v1.6.6/go.mod h1:1HSpZ526mYqKJcpT5Ti1kcGQ0L0SrXWIaptUWjFfv2E=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -186,8 +186,8 @@ github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320/go.mod h1:EiZBM
 github.com/hashicorp/go-getter v1.5.3/go.mod h1:BrrV/1clo8cCYu6mxvboYg+KutTiFnXjMEgDD8+i7ZI=
 github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.6.2 h1:NOtoftovWkDheyUM/8JW3QMiXyxJK3uHRK7wV04nD2I=
-github.com/hashicorp/go-hclog v1.6.2/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
@@ -367,8 +367,8 @@ github.com/zclconf/go-cty v1.14.1 h1:t9fyA35fwjjUMcmL5hLER+e/rEPqrbCK1/OSE4SI9KA
 github.com/zclconf/go-cty v1.14.1/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v2 v2.3.2 h1:vcOXFuQsSJCrZhkJWl8cpGV2Ivijr6w+yHbv4llp4g8=
-github.com/zscaler/zscaler-sdk-go/v2 v2.3.2/go.mod h1:N4ObD/UOxvLM5FauUWsq6mEQsX0ksn/IPxBJr/7QVNc=
+github.com/zscaler/zscaler-sdk-go/v2 v2.3.3 h1:otlw4yupo9NV+wTcneXSoQu88SFv5LfycG1rkTqgU5A=
+github.com/zscaler/zscaler-sdk-go/v2 v2.3.3/go.mod h1:N4ObD/UOxvLM5FauUWsq6mEQsX0ksn/IPxBJr/7QVNc=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -386,8 +386,8 @@ golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

zia/common.go

@@ -560,19 +560,6 @@ func getCloudFirewallNwServicesTag() *schema.Schema {
 	}
 }
 
-func getDLPRuleFileTypes(desc string) *schema.Schema {
-	return &schema.Schema{
-		Type:        schema.TypeSet,
-		Description: "The list of file types to which the DLP policy rule must be applied.",
-		Elem: &schema.Schema{
-			Type:             schema.TypeString,
-			ValidateDiagFunc: validateDLPRuleFileTypes(),
-		},
-		Optional: true,
-		Computed: true,
-	}
-}
-
 func sortOrders(ruleOrderMap map[int]orderWithState) RuleIDOrderPairList {
 	pl := make(RuleIDOrderPairList, len(ruleOrderMap))
 	i := 0

zia/common/testing/variable/variable.go

@@ -110,9 +110,8 @@ const (
 	DLPWebRuleDesc           = "this is an acceptance test"
 	DLPRuleResourceAction    = "ALLOW"
 	DLPRuleResourceState     = "ENABLED"
-	DLPRuleContentInspection = false
+	DLPRuleContentInspection = true
 	DLPMatchOnly             = false
-	DLPOCREnabled            = false
 )
 
 // DLP Dictionaries resource/datasource

zia/data_source_zia_dlp_engines.go

@@ -24,7 +24,7 @@ func dataSourceDLPEngines() *schema.Resource {
 			},
 			"predefined_engine_name": {
 				Type:        schema.TypeString,
-				Computed:    true,
+				Optional:    true,
 				Description: "The name of the predefined DLP engine.",
 			},
 			"engine_expression": {
@@ -69,6 +69,16 @@ func dataSourceDLPEnginesRead(d *schema.ResourceData, m interface{}) error {
 		resp = res
 	}
 
+	predefined, _ := d.Get("predefined_engine_name").(string)
+	if resp == nil && predefined != "" {
+		log.Printf("[INFO] Getting data for predefined dlp engine name: %s\n", predefined)
+		res, err := zClient.dlp_engines.GetByPredefinedEngine(predefined)
+		if err != nil {
+			return err
+		}
+		resp = res
+	}
+
 	if resp != nil {
 		d.SetId(fmt.Sprintf("%d", resp.ID))
 		_ = d.Set("name", resp.Name)