fix: Fixed validation error and panic issue. (#396)

Author: willguibr

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 4.0.6 (February, 12 2025)
+
+### Notes
+
+- Release date: **(February, 12  2025)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes
+
+- [PR #396](https://github.com/zscaler/terraform-provider-zia/pull/396) - Fixed `zia_ssl_inspection_rules` validation error and panic issue.
+
 ## 4.0.5 (February, 10 2025)
 
 ### Notes

GNUmakefile

@@ -196,14 +196,14 @@ test\:integration\:zscalertwo:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.5/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.6/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.5/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.6/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 	@echo "==> Installing plugin to $(DESTINATION)"
 	@mkdir -p $(DESTINATION)
-	go build -o $(DESTINATION)/terraform-provider-zia_v4.0.5
+	go build -o $(DESTINATION)/terraform-provider-zia_v4.0.6
 
 coverage: test
 	@echo "✓ Opening coverage for unit tests ..."

docs/guides/release-notes.md

@@ -12,10 +12,21 @@ description: |-
 Track all ZIA Terraform provider's releases. New resources, features, and bug fixes will be tracked here.
 
 ---
-``Last updated: v4.0.5``
+``Last updated: v4.0.6``
 
 ---
 
+## 4.0.6 (February, 12 2025)
+
+### Notes
+
+- Release date: **(February, 12  2025)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes
+
+- [PR #396](https://github.com/zscaler/terraform-provider-zia/pull/396) - Fixed `zia_ssl_inspection_rules` validation error and panic issue.
+
 ## 4.0.5 (February, 10 2025)
 
 ### Notes

docs/resources/zia_ssl_inspection_rules.md

@@ -180,134 +180,150 @@ The following arguments are supported:
 
 ### Required
 
-* `name` - (String) Name of the SSL Inspection
-* `order` - (String) Unique identifier for the SSL Inspection
+- `name` - (String) Name of the SSL Inspection
+- `order` - (String) Unique identifier for the SSL Inspection
 
 ## Attribute Reference
 
 In addition to all arguments above, the following attributes are supported:
 
-* `description` (String) -  Enter additional notes or information. The description cannot exceed 10,240 characters.
-* `order` (String) -  Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order.
-* `state` (String) - The state of the rule indicating whether it is enabled or disabled. Supported values: `ENABLED` or `DISABLED`
-* `rank` (Integer) - The admin rank specified for the rule based on your assigned admin rank. Admin rank determines the rule order that can be specified for the rule. Admin rank can be configured if it is enabled in the Advanced Settings.
-* `access_control` (String) - The access privilege (RBA) for this rule.
-* `road_warrior_for_kerberos` (Boolean) - Indicates whether this rule is applied to remote users that use PAC with Kerberos authentication.
-* `platforms` (Set of String) -  Zscaler Client Connector device platforms for which this rule is applied. Supported Values: `SCAN_IOS`, `SCAN_ANDROID`, `SCAN_MACOS`, `SCAN_WINDOWS`, `NO_CLIENT_CONNECTOR`, `SCAN_LINUX`
-* `cloud_applications` (Set of String) -  The list of URL categories to which the DLP policy rule must be applied. For the complete list of supported file types refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
-* `url_categories` (Set of String) -  The list of URL categories to which the DLP policy rule must be applied.
-* `user_agent_types` (Set of String) -  A list of user agent types the rule applies to.
-* `device_trust_levels` (Set of String)  - List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation. Supported values: `ANY`, `UNKNOWN_DEVICETRUSTLEVEL`, `LOW_TRUST`, `MEDIUM_TRUST`, `HIGH_TRUST`
-* `action` (Block List) - Action taken when the traffic matches policy
-* `devices` (Block List) - ID pairs of devices for which the rule is applied
-* `device_groups` (Block List) - ID pairs of device groups for which the rule is applied.
-* `departments` (Block List) - ID pairs of departments for which the rule is applied.
-* `groups` (Block List) - ID pairs of groups for which the rule is applied. If not set, rule is applied for all groups.
-* `labels` (Block List) - ID pairs of labels associated with the rule.
-* `locations` (Block List) - ID pairs of locations to which the rule is applied. When empty, it implies applying to all locations.
-* `location_groups` (Block List) - ID pairs of location groups to which the rule is applied. When empty, it implies applying to all location groups.
-* `dest_ip_groups` (Block List) - ID pairs of destination IP address groups for which the rule is applied.
-* `source_ip_groups` (Block List) - ID pairs of source IP address groups for which the rule is applied.
-* `proxy_gateways` (Block List) - When using ZPA Gateway forwarding, name-ID pairs of ZPA Application Segments for which the rule is applicable.
-* `zpa_app_segments` (Block List) - The list of ZPA Application Segments for which this rule is applicable (applicable only for ZPA Gateway forwarding).
-* `workload_groups` (Block List) - The list of preconfigured workload groups to which the policy must be applied.
-* `time_windows` (Block List) - The time intervals during which the rule applies
-* `users` (Block List) - The list of preconfigured workload groups to which the policy must be applied.
+- `description` (String) -  Enter additional notes or information. The description cannot exceed 10,240 characters.
+- `order` (String) -  Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule's place in the order.
+- `state` (String) - The state of the rule indicating whether it is enabled or disabled. Supported values: `ENABLED` or `DISABLED`
+- `rank` (Integer) - The admin rank specified for the rule based on your assigned admin rank. Admin rank determines the rule order that can be specified for the rule. Admin rank can be configured if it is enabled in the Advanced Settings.
+- `access_control` (String) - The access privilege (RBA) for this rule.
+- `road_warrior_for_kerberos` (Boolean) - Indicates whether this rule is applied to remote users that use PAC with Kerberos authentication.
+- `platforms` (Set of String) -  Zscaler Client Connector device platforms for which this rule is applied. Supported Values: `SCAN_IOS`, `SCAN_ANDROID`, `SCAN_MACOS`, `SCAN_WINDOWS`, `NO_CLIENT_CONNECTOR`, `SCAN_LINUX`
+- `cloud_applications` (Set of String) -  The list of URL categories to which the DLP policy rule must be applied. For the complete list of supported file types refer to the  [ZIA API documentation](https://help.zscaler.com/zia/data-loss-prevention#/webDlpRules-post)
+- `url_categories` (Set of String) -  The list of URL categories to which the DLP policy rule must be applied.
+- `user_agent_types` (Set of String) -  A list of user agent types the rule applies to.
+- `device_trust_levels` (Set of String)  - List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation. Supported values: `ANY`, `UNKNOWN_DEVICETRUSTLEVEL`, `LOW_TRUST`, `MEDIUM_TRUST`, `HIGH_TRUST`
+- `action` (Block List) - Action taken when the traffic matches policy
+- `devices` (Block List) - ID pairs of devices for which the rule is applied
+- `device_groups` (Block List) - ID pairs of device groups for which the rule is applied.
+- `departments` (Block List) - ID pairs of departments for which the rule is applied.
+- `groups` (Block List) - ID pairs of groups for which the rule is applied. If not set, rule is applied for all groups.
+- `labels` (Block List) - ID pairs of labels associated with the rule.
+- `locations` (Block List) - ID pairs of locations to which the rule is applied. When empty, it implies applying to all locations.
+- `location_groups` (Block List) - ID pairs of location groups to which the rule is applied. When empty, it implies applying to all location groups.
+- `dest_ip_groups` (Block List) - ID pairs of destination IP address groups for which the rule is applied.
+- `source_ip_groups` (Block List) - ID pairs of source IP address groups for which the rule is applied.
+- `proxy_gateways` (Block List) - When using ZPA Gateway forwarding, name-ID pairs of ZPA Application Segments for which the rule is applicable.
+- `zpa_app_segments` (Block List) - The list of ZPA Application Segments for which this rule is applicable (applicable only for ZPA Gateway forwarding).
+- `workload_groups` (Block List) - The list of preconfigured workload groups to which the policy must be applied.
+- `time_windows` (Block List) - The time intervals during which the rule applies
+- `users` (Block List) - The list of preconfigured workload groups to which the policy must be applied.
 
 ### Action Attributes
 
 `action` has the following attributes:
 
-* `type` (String) - The action type for this rule. Possible values: `BLOCK`, `DECRYPT`, or `DO_NOT_DECRYPT`.
-* `show_eun` (Boolean) - Whether to show End User Notification (EUN).
-* `show_eunatp` (Boolean) - Whether to display the EUN ATP page.
-* `override_default_certificate` (Boolean) - Whether to override the default SSL interception certificate.
-* `ssl_interception_cert` (Block List) - The SSL interception certificate to be used. If not set it will use the default Zscaler certificate
-* `decrypt_sub_actions` (Block List) - Action taken when enabling SSL intercept
-* `do_not_decrypt_sub_actions` (Block List) - Action taken when bypassing SSL intercept
+- `type` (String) - The action type for this rule. Possible values: `BLOCK`, `DECRYPT`, or `DO_NOT_DECRYPT`.
+- `show_eun` (Boolean) - Whether to show End User Notification (EUN).
+- `show_eunatp` (Boolean) - Whether to display the EUN ATP page.
+- `override_default_certificate` (Boolean) - Whether to override the default SSL interception certificate.
+- `ssl_interception_cert` (Block List) - The SSL interception certificate to be used. If not set it will use the default Zscaler certificate
+- `decrypt_sub_actions` (Block List) - Action taken when enabling SSL intercept
+- `do_not_decrypt_sub_actions` (Block List) - Action taken when bypassing SSL intercept
 
 ### ssl_interception_cert Attributes
 
 `ssl_interception_cert` has the following attributes:
+  **NOTE** This block can only be set when `override_default_certificate` is `true`
 
-* `id` (Integer) - The unique ID of the SSL interception certificate.
-* `name` (String) - The name of the SSL interception certificate.
-* `default_certificate` (Boolean) - Indicates if this certificate is the default certificate.
+- `id` (Integer) - The unique ID of the SSL interception certificate.
+
+### action.type `BLOCK`
+
+`action` has the following attributes:
+
+- `type` (String) - The action type for this rule. Possible values: `BLOCK`.
+- `show_eun` (Boolean) - Enable this setting to display end user notifications.
+- `override_default_certificate` (Boolean) - Whether to override the default SSL interception certificate.
+- `ssl_interception_cert` has the following attributes:
+    **NOTE** This block can only be set when `override_default_certificate` is `true`
+
+- `id` (Integer) - The unique ID of the SSL interception certificate.
 
 ### decrypt_sub_actions Attributes
 
 `decrypt_sub_actions` has the following attributes:
 
-* `server_certificates` (String) - Action to take on server certificates. Valid values might include `ALLOW`, `BLOCK`, or `PASS_THRU`.
-* `ocsp_check` (Boolean) - Whether to enable OCSP check.
-* `block_ssl_traffic_with_no_sni_enabled` (Boolean) - Whether to block SSL traffic when SNI is not present.
-* `min_client_tls_version` (String) - The minimum TLS version allowed on the client side: Supported Values are: `CLIENT_TLS_1_0`, `CLIENT_TLS_1_1`, `CLIENT_TLS_1_2`,  `CLIENT_TLS_1_3`.
-* `min_server_tls_version` (String) - The minimum TLS version allowed on the server side: Supported Values are: `SERVER_TLS_1_0`, `SERVER_TLS_1_1`, `SERVER_TLS_1_2`,  `SERVER_TLS_1_3`.
-* `block_undecrypt` (Boolean) - Enable to block traffic from servers that use non-standard encryption methods or require mutual TLS authentication.
-* `http2_enabled` (Boolean)
+- `server_certificates` (String) - Action to take on server certificates. Valid values might include `ALLOW`, `BLOCK`, or `PASS_THRU`.
+- `ocsp_check` (Boolean) - Whether to enable OCSP check.
+- `block_ssl_traffic_with_no_sni_enabled` (Boolean) - Whether to block SSL traffic when SNI is not present.
+- `min_client_tls_version` (String) - The minimum TLS version allowed on the client side: Supported Values are: `CLIENT_TLS_1_0`, `CLIENT_TLS_1_1`, `CLIENT_TLS_1_2`,  `CLIENT_TLS_1_3`.
+- `min_server_tls_version` (String) - The minimum TLS version allowed on the server side: Supported Values are: `SERVER_TLS_1_0`, `SERVER_TLS_1_1`, `SERVER_TLS_1_2`,  `SERVER_TLS_1_3`.
+- `block_undecrypt` (Boolean) - Enable to block traffic from servers that use non-standard encryption methods or require mutual TLS authentication.
+- `http2_enabled` (Boolean)
+- `ssl_interception_cert` has the following attributes:
+    **NOTE** This block can only be set when `override_default_certificate` is `true`
+
+- `id` (Integer) - The unique ID of the SSL interception certificate.
 
 ### do_not_decrypt_sub_actions Attributes
 
 `do_not_decrypt_sub_actions` has the following attributes:
 
-* `bypass_other_policies` (Boolean) - Whether to bypass other policies when action is set to `DO_NOT_DECRYPT`.
-* `server_certificates` (String) - Action to take on server certificates. Valid values might include `ALLOW`, `BLOCK`, or `PASS_THRU`.
-* `ocsp_check` (Boolean) - Whether to enable OCSP check.
-* `block_ssl_traffic_with_no_sni_enabled` (Boolean) - Whether to block SSL traffic when SNI is not present.
-* `min_tls_version` (String) -  The minimum TLS version allowed on the server side: Supported Values are: `SERVER_TLS_1_0`, `SERVER_TLS_1_1`, `SERVER_TLS_1_2`,  `SERVER_TLS_1_3`.
+- `bypass_other_policies` (Boolean) - Whether to bypass other policies when action is set to `DO_NOT_DECRYPT`.
+- `server_certificates` (String) - Action to take on server certificates. Valid values might include `ALLOW`, `BLOCK`, or `PASS_THRU`.
+- `ocsp_check` (Boolean) - Whether to enable OCSP check.
+- `block_ssl_traffic_with_no_sni_enabled` (Boolean) - Whether to block SSL traffic when SNI is not present.
+- `min_tls_version` (String) -  The minimum TLS version allowed on the server side: Supported Values are: `SERVER_TLS_1_0`, `SERVER_TLS_1_1`, `SERVER_TLS_1_2`,  `SERVER_TLS_1_3`.
+  **NOTE** `min_tls_version` and `server_certificates` CANNOT be set if `bypass_other_policies` is `true`
 
 ### Devices Attributes
 
-* `id` (Integer) - A unique identifier for the device.
+- `id` (Integer) - A unique identifier for the device.
 
 ### Device Groups Attributes
 
-* `id` (Integer) - A unique identifier for the device groups.
+- `id` (Integer) - A unique identifier for the device groups.
 
 ### Labels Attributes
 
-* `id` (Integer) - A unique identifier for the label.
+- `id` (Integer) - A unique identifier for the label.
 
 ### Locations Attributes
 
-* `id` (Integer) - A unique identifier for the locations.
+- `id` (Integer) - A unique identifier for the locations.
 
 ### Location Groups Attributes
 
-* `id` (Integer) - A unique identifier for the location groups.
+- `id` (Integer) - A unique identifier for the location groups.
 
 ### Departments Attributes
 
-* `id` (Integer) - A unique identifier for the departments.
+- `id` (Integer) - A unique identifier for the departments.
 
 ### Destination IP Groups Attributes
 
-* `id` (Integer) - A unique identifier for the destination ip group.
+- `id` (Integer) - A unique identifier for the destination ip group.
 
 ### Groups Attributes
 
-* `id` (Integer) - A unique identifier for the groups.
+- `id` (Integer) - A unique identifier for the groups.
 
 ### Source IP Groups Attributes
 
-* `id` (Integer) - A unique identifier for the source ip group.
+- `id` (Integer) - A unique identifier for the source ip group.
 
 ### Users Attributes
 
-* `id` (Integer) - A unique identifier for the users.
+- `id` (Integer) - A unique identifier for the users.
 
 ### Time Windows Attributes
 
-* `id` (Integer) - A unique identifier for the time window.
+- `id` (Integer) - A unique identifier for the time window.
 
 ### Proxy Gateways Attributes
 
-* `id` (Integer) - A unique identifier assigned to the Application Segment
+- `id` (Integer) - A unique identifier assigned to the Application Segment
 
 ### ZPA App Segments Attributes
 
-* `id` (Integer) - A unique identifier assigned to the Application Segment
+- `id` (Integer) - A unique identifier assigned to the Application Segment
 
 ### Workload Groups Attributes
 
-* `id` (Integer) - A unique identifier assigned to the workload group
+- `id` (Integer) - A unique identifier assigned to the workload group

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.0
-	github.com/zscaler/zscaler-sdk-go/v3 v3.1.4
+	github.com/zscaler/zscaler-sdk-go/v3 v3.1.5
 )
 
 require (

go.sum

@@ -401,8 +401,8 @@ github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRK
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v3 v3.1.4 h1:1rQ3BzfsBeqczpVkdi2aQTAefhft5iUs85J+u/naaME=
-github.com/zscaler/zscaler-sdk-go/v3 v3.1.4/go.mod h1:2gXo+LVFYtr+/oCe+mETsXlb9sJEzRtPl6JwPhSIgWM=
+github.com/zscaler/zscaler-sdk-go/v3 v3.1.5 h1:h69bAs9daPFnbkX9y4n5PEukp/zr+vukeh75ncoHO/M=
+github.com/zscaler/zscaler-sdk-go/v3 v3.1.5/go.mod h1:2gXo+LVFYtr+/oCe+mETsXlb9sJEzRtPl6JwPhSIgWM=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

zia/data_source_zia_ssl_inspection_rules.go

@@ -115,14 +115,14 @@ func dataSourceSSLInspectionRules() *schema.Resource {
 										Type:     schema.TypeInt,
 										Computed: true,
 									},
-									"name": {
-										Type:     schema.TypeString,
-										Computed: true,
-									},
-									"default_certificate": {
-										Type:     schema.TypeBool,
-										Computed: true,
-									},
+									// "name": {
+									// 	Type:     schema.TypeString,
+									// 	Computed: true,
+									// },
+									// "default_certificate": {
+									// 	Type:     schema.TypeBool,
+									// 	Computed: true,
+									// },
 								},
 							},
 						},
@@ -811,7 +811,7 @@ func flattenSSLInterceptionCert(cert *sslinspection.SSLInterceptionCert) []inter
 	}
 	c := make(map[string]interface{})
 	c["id"] = cert.ID
-	c["name"] = cert.Name
+	// c["name"] = cert.Name
 	// c["default_certificate"] = cert.DefaultCertificate
 	return []interface{}{c}
 }