fix: Added Receiver attribute feature to Web and CASB DLP Rules (#468)

* fix: Fixed Firiewall Rule reordering logic, and EUN Heredocs

* fix: Added Receiver attribute feature to Web and CASB DLP Rules

* fix: Fixed Drift with emtpy receiver attribute in DLP Rules

Author: willguibr

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## 4.4.9 (August, 26 2025)
+
+### Notes
+
+- Release date: **(August, 26 2025)**
+- Supported Terraform version: **v1.x**
+
+### Enhancements
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Added data source `zia_cloud_to_cloud_ir` - Retrieves the Cloud-to-Cloud Incident Receiver (C2CIR) information configured in the ZIA Admin Portal. This data source can be used to set the corresponding receiver when configuring the resource `zia_dlp_web_rules` or `zia_casb_dlp_rules`
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Added attribute `receiver` to `zia_dlp_web_rules` and `zia_casb_dlp_rules` resources to allow configuration of Cloud-to-Cloud Incident Receivers.
+
+### Bug Fixes
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Added `val` attribute to `zia_url_categories` resource to enable consistent referencing of URL categories in DLP web rules and other resources
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Fixed performance issue in firewall filtering rules reordering by removing unnecessary predefined rule processing that was causing excessive wait times
+
+### Documentation
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Updated documentation for `zia_url_categories` resource to include new `val` attribute
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Updated documentation for `zia_forwarding_control_rule` to remove unsupported attributes `devices` and `device_groups`
+
 ## 4.4.8 (August, 22 2025)
 
 ### Notes

GNUmakefile

@@ -196,14 +196,14 @@ test\:integration\:zscalertwo:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.4.7/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.4.9/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.4.7/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.4.9/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 	@echo "==> Installing plugin to $(DESTINATION)"
 	@mkdir -p $(DESTINATION)
-	go build -o $(DESTINATION)/terraform-provider-zia_v4.4.7
+	go build -o $(DESTINATION)/terraform-provider-zia_v4.4.9
 
 coverage: test
 	@echo "✓ Opening coverage for unit tests ..."

docs/data-sources/zia_dlp_cloud_to_cloud_ir.md

@@ -0,0 +1,114 @@
+---
+subcategory: "Data Loss Prevention"
+layout: "zscaler"
+page_title: "ZIA: dlp_cloud_to_cloud_ir"
+description: |-
+  Official documentation https://help.zscaler.com/zia/dlp-cloud-cloud-incident-forwarding
+  API documentation https://help.zscaler.com/zia/data-loss-prevention#/cloudToCloudIR-get
+  Retrieves Cloud-to-Cloud Incident Receiver (C2CIR) information configured in the ZIA Admin Portal
+---
+
+# zia_dlp_cloud_to_cloud_ir (Data Source)
+
+* [Official documentation](https://help.zscaler.com/zia/dlp-cloud-cloud-incident-forwarding)
+* [API documentation](https://help.zscaler.com/zia/data-loss-prevention#/cloudToCloudIR-get)
+
+Use the **zia_dlp_cloud_to_cloud_ir** data source to get information about Cloud-to-Cloud Incident Receiver (C2CIR) tenants configured in the ZIA Admin Portal. This data source retrieves detailed information about C2CIR configurations including tenant authorization, onboardable entities, and validation status. The retrieved information can be used in Web DLP Rules [zia_dlp_web_rules](https://registry.terraform.io/providers/zscaler/zia/latest/docs/resources/zia_dlp_web_rules) or CASB DLP Rules [zia_casb_dlp_rules](https://registry.terraform.io/providers/zscaler/zia/latest/docs/resources/zia_casb_dlp_rules).
+
+## Example Usage
+
+```hcl
+# Retrieve the C2CIR by name
+data "zia_dlp_cloud_to_cloud_ir" "this" {
+  name = "AzureTenant01"
+}
+
+# Output the retrieved information
+output "zia_dlp_cloud_to_cloud_ir" {
+  value = data.zia_dlp_cloud_to_cloud_ir.this
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+### Required
+
+* `name` - (Required) The name of the Cloud-to-Cloud Incident Receiver tenant to retrieve.
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - (Number) The unique identifier for the C2CIR tenant.
+* `name` - (String) The name of the C2CIR tenant.
+* `status` - (List of String) The current status of the C2CIR tenant (e.g., `CASB_TENANT_ACTIVE`).
+* `modified_time` - (Number) Timestamp when the C2CIR tenant was last modified.
+* `last_tenant_validation_time` - (Number) Timestamp of the last tenant validation.
+* `last_validation_msg` - (List) Last validation message information.
+  * `error_msg` - (String) Error message from validation.
+  * `error_code` - (Number) Error code from validation.
+* `last_modified_by` - (List) Information about who last modified the C2CIR tenant.
+  * `id` - (Number) Unique identifier for the modifier.
+  * `name` - (String) Name of the modifier.
+  * `external_id` - (String) External identifier for the modifier.
+  * `extensions` - (Map) Additional properties for the modifier.
+* `onboardable_entity` - (List) Information about the onboardable entity.
+  * `id` - (Number) Unique identifier for the onboardable entity.
+  * `name` - (String) Name of the onboardable entity.
+  * `type` - (String) Type of the onboardable entity (e.g., `SAAS_TENANT`).
+  * `enterprise_tenant_id` - (String) Enterprise tenant ID.
+  * `application` - (String) Application name (e.g., `SLACK`).
+  * `last_validation_msg` - (List) Last validation message for the onboardable entity.
+    * `error_msg` - (String) Error message from validation.
+    * `error_code` - (Number) Error code from validation.
+  * `tenant_authorization_info` - (List) Tenant authorization information.
+    * `access_token` - (String) Access token for authorization.
+    * `bot_token` - (String) Bot token for authorization.
+    * `redirect_url` - (String) Redirect URL for authorization.
+    * `type` - (String) Authorization type (e.g., `SLACK_BOT`).
+    * `env` - (String) Environment (e.g., `SALESFORCE_PRODUCTION`).
+    * `temp_auth_code` - (String) Temporary authorization code.
+    * `subdomain` - (String) Subdomain for the tenant.
+    * `apicp` - (String) API CP configuration.
+    * `client_id` - (String) Client ID for authorization.
+    * `client_secret` - (String) Client secret for authorization.
+    * `secret_token` - (String) Secret token for authorization.
+    * `user_name` - (String) Username for authorization.
+    * `user_pwd` - (String) User password for authorization.
+    * `instance_url` - (String) Instance URL for the tenant.
+    * `role_arn` - (String) Role ARN for authorization.
+    * `quarantine_bucket_name` - (String) Quarantine bucket name.
+    * `cloud_trail_bucket_name` - (String) Cloud trail bucket name.
+    * `bot_id` - (String) Bot ID for authorization.
+    * `org_api_key` - (String) Organization API key.
+    * `external_id` - (String) External identifier.
+    * `enterprise_id` - (String) Enterprise identifier.
+    * `cred_json` - (String) Credential JSON.
+    * `role` - (String) Role for authorization (e.g., `READ`).
+    * `organization_id` - (String) Organization identifier.
+    * `workspace_name` - (String) Workspace name.
+    * `workspace_id` - (String) Workspace identifier.
+    * `qtn_channel_url` - (String) Quarantine channel URL.
+    * `features_supported` - (List of String) Supported features (e.g., `CASB`).
+    * `mal_qtn_lib_name` - (String) Malware quarantine library name.
+    * `dlp_qtn_lib_name` - (String) DLP quarantine library name.
+    * `credentials` - (String) Credentials for authorization.
+    * `token_endpoint` - (String) Token endpoint for authorization.
+    * `rest_api_endpoint` - (String) REST API endpoint.
+    * `smir_bucket_config` - (List) SMIR bucket configuration.
+      * `id` - (Number) Unique identifier for the SMIR bucket.
+      * `config_name` - (String) Configuration name for the bucket.
+      * `metadata_bucket_name` - (String) Metadata bucket name URL.
+      * `data_bucket_name` - (String) Data bucket name URL.
+    * `qtn_info` - (List) Quarantine information.
+      * `admin_id` - (String) Administrator identifier.
+      * `qtn_folder_path` - (String) Quarantine folder path.
+      * `mod_time` - (Number) Modification time.
+    * `qtn_info_cleared` - (Boolean) Whether quarantine information is cleared.
+  * `zscaler_app_tenant_id` - (List) Zscaler app tenant ID information.
+    * `id` - (Number) Unique identifier for the Zscaler app tenant.
+    * `name` - (String) Name of the Zscaler app tenant.
+    * `external_id` - (String) External identifier for the Zscaler app tenant.
+    * `extensions` - (Map) Additional properties for the Zscaler app tenant

docs/data-sources/zia_dlp_web_rules.md

@@ -129,3 +129,13 @@ rules.
 * `workload_groups` (List) The list of preconfigured workload groups to which the policy must be applied
   * `id` - (Number) A unique identifier assigned to the workload group
   * `name` - (String) The name of the workload group
+
+* `receiver` - (Optional) The receiver information for the DLP policy rule.
+  * `id` - (Number) Unique identifier for the receiver
+  * `name` - (String) Name of the receiver
+  * `type` - (String) Type of the receiver
+  * `tenant` - (Optional) Tenant information for the receiver
+    * `id` - (Number) Unique identifier for the tenant
+    * `name` - (String) Name of the tenant
+    * `external_id` - (String) External identifier for the tenant
+    * `extensions` - (Map) Additional properties for the tenant

docs/guides/release-notes.md

@@ -12,10 +12,33 @@ description: |-
 Track all ZIA Terraform provider's releases. New resources, features, and bug fixes will be tracked here.
 
 ---
-``Last updated: v4.4.8``
+``Last updated: v4.4.9``
 
 ---
 
+## 4.4.9 (August, 26 2025)
+
+### Notes
+
+- Release date: **(August, 26 2025)**
+- Supported Terraform version: **v1.x**
+
+### Enhancements
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Added data source `zia_cloud_to_cloud_ir` - Retrieves the Cloud-to-Cloud Incident Receiver (C2CIR) information configured in the ZIA Admin Portal. This data source can be used to set the corresponding receiver when configuring the resource `zia_dlp_web_rules` or `zia_casb_dlp_rules`
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Added attribute `receiver` to `zia_dlp_web_rules` and `zia_casb_dlp_rules` resources to allow configuration of Cloud-to-Cloud Incident Receivers.
+
+### Bug Fixes
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Added `val` attribute to `zia_url_categories` resource to enable consistent referencing of URL categories in DLP web rules and other resources
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Fixed performance issue in firewall filtering rules reordering by removing unnecessary predefined rule processing that was causing excessive wait times
+
+### Documentation
+
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Updated documentation for `zia_url_categories` resource to include new `val` attribute
+- [PR #468](https://github.com/zscaler/terraform-provider-zia/pull/468) - Updated documentation for `zia_forwarding_control_rule` to remove unsupported attributes `devices` and `device_groups`
+
 ## 4.4.8 (August, 22 2025)
 
 ### Notes

docs/guides/troubleshooting.md

@@ -157,3 +157,13 @@ This error is commonly returned when attempting to create a `zia_dlp_dictionarie
 ```sh
 │ Error: no dictionary found with name: Social Security Numbers (US)
 ```
+
+### │ Error: deletion of the predefined rule i.e 'Office 365 One Click Rule' is not allowed
+
+This error occurs when attempting to delete a predefined firewall filtering rule. Predefined rules such as "Office 365 One Click Rule", "UCaaS One Click Rule", "Block All IPv6", "Block malicious IPs and domains", and "Default Firewall Filtering Rule" cannot be deleted as they are system-managed rules.
+
+**Solution**: Remove the rule from your Terraform configuration and run `terraform apply` instead of `terraform destroy`. The rule will remain in the ZIA system but will no longer be managed by Terraform.
+
+```sh
+│ Error: deletion of the predefined rule 'Office 365 One Click Rule' is not allowed
+```

docs/resources/zia_casb_dlp_rules.md

@@ -80,6 +80,92 @@ resource "zia_casb_dlp_rules" "this" {
 }
 ```
 
+## Example Usage - Configure Cloud to Cloud Forwarding
+
+```hcl
+data "zia_casb_tenant" "this" {
+  tenant_name = "Jira_Tenant01"
+}
+
+data "zia_dlp_incident_receiver_servers" "this" {
+  name = "ZS_Incident_Receiver"
+}
+
+data "zia_rule_labels" "this" {
+    name = "RuleLabel01
+}
+
+data "zia_dlp_engines" "this" {
+    name = "PCI"
+}
+
+data "zia_admin_users" "this" {
+    username = auditor01
+}
+
+# Retrieve Cloud-to-Cloud Incident Receiver (C2CIR) information
+data "zia_dlp_cloud_to_cloud_ir" "this" {
+  name = "AzureTenant01"
+}
+
+# Output the retrieved C2CIR information for reference
+output "zia_dlp_cloud_to_cloud_ir" {
+  value = data.zia_dlp_cloud_to_cloud_ir.this
+}
+
+resource "zia_casb_dlp_rules" "this" {
+  name = "SaaS_ITSM_App_Rule"
+  description = "SaaS_ITSM_App_Rule"
+  order = 1
+  rank = 7
+  type = "OFLCASB_DLP_ITSM"
+  action = "OFLCASB_DLP_REPORT_INCIDENT"
+  severity = "RULE_SEVERITY_HIGH"
+  without_content_inspection = false
+  external_auditor_email = "[email protected]"
+  file_types = [
+        "FTCATEGORY_APPX",
+        "FTCATEGORY_SQL",
+  ]
+  collaboration_scope = [
+        "ANY",
+  ]
+  components = [
+        "COMPONENT_ITSM_OBJECTS",
+        "COMPONENT_ITSM_ATTACHMENTS",
+  ]
+ cloud_app_tenants {
+    id = [data.zia_casb_tenant.this.tenant_id]
+  }
+ dlp_engines {
+    id = [data.zia_dlp_engines.this.id]
+  }
+  object_types {
+    id = [32, 33, 34]
+  }
+ labels {
+    id = [data.zia_rule_labels.this.id]
+  }
+  zscaler_incident_receiver {
+    id = data.zia_dlp_incident_receiver_servers.this.id
+  }
+  auditor_notification {
+    id = data.zia_admin_users.this.id
+  }
+
+  # Configure receiver using values from the C2CIR data source
+  receiver {
+    id   = tostring(data.zia_dlp_cloud_to_cloud_ir.this.onboardable_entity[0].tenant_authorization_info[0].smir_bucket_config[0].id)
+    name = data.zia_dlp_cloud_to_cloud_ir.this.onboardable_entity[0].tenant_authorization_info[0].smir_bucket_config[0].config_name
+    type = data.zia_dlp_cloud_to_cloud_ir.this.onboardable_entity[0].type
+    tenant {
+      id   = tostring(data.zia_dlp_cloud_to_cloud_ir.this.id)
+      name = data.zia_dlp_cloud_to_cloud_ir.this.name
+    }
+  }
+}
+```
+
 ## Schema
 
 ### Required