fix: Added New Workload Group Resource and Implemented Fixes to addres Drifts (#482)

Author: willguibr

CHANGELOG.md

@@ -1,10 +1,23 @@
 # Changelog
 
-## 4.5.0 (September, xx 2025)
+## 4.5.1 (September, 22 2025)
 
 ### Notes
 
-- Release date: **(September, xx 2025)**
+- Release date: **(September, 22 2025)**
+- Supported Terraform version: **v1.x**
+
+### Enhancements
+
+- [PR #482](https://github.com/zscaler/terraform-provider-zia/pull/482) - Added new resource `zia_workload_groups`.
+- [PR #482](https://github.com/zscaler/terraform-provider-zia/pull/482) - Added new attribute `source_countries` to resource `zia_url_filtering_rules`. The attribute identifies destinations based on the location of a server. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). i.e ``"US"``, ``"CA"``
+- [PR #482](https://github.com/zscaler/terraform-provider-zia/pull/482) - Fixed and updated several documentation fields across multiple resources and data sources.
+
+## 4.5.0 (September, 17 2025)
+
+### Notes
+
+- Release date: **(September, 17 2025)**
 - Supported Terraform version: **v1.x**
 
 ### NEW - DATA SOURCE AND RESOURCES

GNUmakefile

@@ -196,14 +196,14 @@ test\:integration\:zscalertwo:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.5.0/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.5.1/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.5.0/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.5.1/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 	@echo "==> Installing plugin to $(DESTINATION)"
 	@mkdir -p $(DESTINATION)
-	go build -o $(DESTINATION)/terraform-provider-zia_v4.5.0
+	go build -o $(DESTINATION)/terraform-provider-zia_v4.5.1
 
 coverage: test
 	@echo "✓ Opening coverage for unit tests ..."

docs/data-sources/zia_firewall_filtering_rule.md

@@ -89,8 +89,11 @@ In addition to all arguments above, the following attributes are exported:
 
 `destinations` supports the following attributes:
 
-* `dest_addresses`** - (Optional) -  IP addresses and fully qualified domain names (FQDNs), if the domain has multiple destination IP addresses or if its IP addresses may change. For IP addresses, you can enter individual IP addresses, subnets, or address ranges. If adding multiple items, hit Enter after each entry.
-* `dest_countries`** - (Optional) Identify destinations based on the location of a server, select Any to apply the rule to all countries or select the countries to which you want to control traffic.
+* `dest_addresses`** - (List of String) -  IP addresses and fully qualified domain names (FQDNs), if the domain has multiple destination IP addresses or if its IP addresses may change. For IP addresses, you can enter individual IP addresses, subnets, or address ranges. If adding multiple items, hit Enter after each entry.
+* `dest_countries`** - (List of String) Identify destinations based on the location of a server. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). i.e ``"US"``, ``"CA"``
+
+* `source_countries`** - (List of String) Identify destinations based on the location of a server. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). i.e ``"US"``, ``"CA"``
+
 * `dest_ip_categories`** - (Optional) identify destinations based on the URL category of the domain, select Any to apply the rule to all categories or select the specific categories you want to control.
       - `id` - (String) Identifier that uniquely identifies an entity
       - `name` - (String) The configured name of the entity

docs/data-sources/zia_url_filtering_rules.md

@@ -49,7 +49,7 @@ In addition to all arguments above, the following attributes are exported:
 * `last_modified_time` - (Number) When the rule was last modified
 * `enforce_time_validity` - (String) Enforce a set a validity time period for the URL Filtering rule.
 * `action` - (String) Action taken when traffic matches rule criteria. Supported values: `ANY`, `NONE`, `BLOCK`, `CAUTION`, `ALLOW`, `ICAP_RESPONSE`
-
+* `source_countries`** - (List of String) Identify destinations based on the location of a server. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). i.e ``"US"``, ``"CA"``
 * `device_trust_levels` - (List) List of device trust levels for which the rule must be applied. This field is applicable for devices that are managed using Zscaler Client Connector. The trust levels are assigned to the devices based on your posture configurations in the Zscaler Client Connector Portal. If no value is set, this field is ignored during the policy evaluation. Supported values: `ANY`, `UNKNOWN_DEVICETRUSTLEVEL`, `LOW_TRUST`, `MEDIUM_TRUST`, `HIGH_TRUST`
 
 * `user_risk_score_levels` (List) - Indicates the user risk score level selectedd for the DLP rule violation: Returned values are: `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`

docs/guides/release-notes.md

@@ -12,15 +12,28 @@ description: |-
 Track all ZIA Terraform provider's releases. New resources, features, and bug fixes will be tracked here.
 
 ---
-``Last updated: v4.5.0``
+``Last updated: v4.5.1``
 
 ---
 
-## 4.5.0 (September, xx 2025)
+## 4.5.1 (September, 22 2025)
 
 ### Notes
 
-- Release date: **(September, xx 2025)**
+- Release date: **(September, 22 2025)**
+- Supported Terraform version: **v1.x**
+
+### Enhancements
+
+- [PR #482](https://github.com/zscaler/terraform-provider-zia/pull/482) - Added new resource `zia_workload_groups`.
+- [PR #482](https://github.com/zscaler/terraform-provider-zia/pull/482) - Added new attribute `source_countries` to resource `zia_url_filtering_rules`. The attribute identifies destinations based on the location of a server. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). i.e ``"US"``, ``"CA"``
+- [PR #482](https://github.com/zscaler/terraform-provider-zia/pull/482) - Fixed and updated several documentation fields across multiple resources and data sources.
+
+## 4.5.0 (September, 17 2025)
+
+### Notes
+
+- Release date: **(September, 17 2025)**
 - Supported Terraform version: **v1.x**
 
 ### NEW - DATA SOURCE AND RESOURCES

docs/resources/zia_bandwidth_control_rule.md

@@ -20,18 +20,31 @@ Use the **zia_bandwidth_control_rule** resource allows the creation and manageme
 ## Example Usage - By Name
 
 ```hcl
-
-data "zia_bandwidth_control_rule" "this" {
-    name = "Streaming Media Bandwidth"
+data "zia_bandwidth_classes_web_conferencing" "this" {
+    name = "BANDWIDTH_CAT_WEBCONF"
 }
-```
-
-## Example Usage - By ID
 
-```hcl
-
-data "zia_bandwidth_control_rule" "this" {
-  id = 154658
+resource "zia_bandwidth_control_rule" "this" {
+    name = "Streaming Media Bandwidth"
+    description = "Streaming Media Bandwidth"
+    state = "ENABLED"
+    order = 1
+    rank = 7
+    min_bandwidth = 5
+    max_bandwidth = 100
+    protocols = ["ANY_RULE"]
+    bandwidth_classes  {
+        id = [data.zia_bandwidth_classes_web_conferencing.this.id]
+    }
+    labels  {
+        id = [1503197]
+    }
+    location_groups {
+        id = [8061255]
+    }
+    time_windows {
+        id = [483]
+    }
 }
 ```
 

docs/resources/zia_location_management.md

@@ -197,7 +197,7 @@ The following arguments are supported:
 * `aup_timeout_in_days` - (Number) Custom AUP Frequency. Refresh time (in days) to re-validate the AUP.
 * `cookies_and_proxy` - (Boolean) Enable Cookies and proxy feature
 * `digest_auth_enabled` - (Boolean) Enable Digest Auth feature
-* `kerberos_auth_enabled` - (Boolean) Enable Kerberos Auth feature
+* `kerberos_auth` - (Boolean) Enable Kerberos Auth feature
 * `auth_required` - (Boolean) Enforce Authentication. Required when ports are enabled, IP Surrogate is enabled, or Kerberos Authentication is enabled.
 * `caution_enabled` - (Boolean) Enable Caution. When set to true, a caution notifcation is enabled for the location.
 * `display_time_unit` - (String) Display Time Unit. The time unit to display for IP Surrogate idle time to disassociation.

docs/resources/zia_risk_profiles.md

@@ -20,7 +20,7 @@ See [About Cloud Application Risk Profile](https://help.zscaler.com/zia/about-cl
 
 ```hcl
 resource "zia_risk_profiles" "this" {
-    name = "RiskProfile_12346"
+    profile_name = "RiskProfile_12346"
     status="SANCTIONED"
     risk_index=[1, 2, 3, 4, 5]
     certifications=["AICPA", "CCPA", "CISP"]
@@ -63,7 +63,7 @@ resource "zia_risk_profiles" "this" {
 
 The following arguments are supported:
 
-* `name` - (Required, String) Cloud application risk profile name.
+* `profile_name` - (Required, String) Cloud application risk profile name.
 
 ## Attribute Reference
 

docs/resources/zia_url_filtering_rules.md

@@ -175,6 +175,8 @@ Supported values: `OPTIONS`, `GET`, `HEAD`, `POST`, `PUT`, `DELETE`, `TRACE`, `C
 
 * `url_categories` - (List of Strings) The list of URL categories to which the URL Filtering rule must be applied. See the [URL Categories API](https://help.zscaler.com/zia/url-categories#/urlCategories-get) for the list of available categories or use the data source `zia_url_categories` to retrieve the list of URL categories.
 
+* `source_countries`** - (List of String) Identify destinations based on the location of a server. Provide a 2 letter [ISO3166 Alpha2 Country code](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes). i.e ``"US"``, ``"CA"``
+
 * `locations` - (List of Object) The locations to which the Firewall Filtering policy rule applies
   * `id` - (Optional) Identifier that uniquely identifies an entity
 

docs/resources/zia_workload_groups.md

@@ -0,0 +1,141 @@
+---
+subcategory: "Workload Groups"
+layout: "zscaler"
+page_title: "ZIA: workload_groups"
+description: |-
+    Official documentation https://help.zscaler.com/zia/about-workload-groups
+    API documentation https://help.zscaler.com/zia/workload-groups#/workloadGroups-get
+    Get information about Workload Groups.
+---
+
+# zia_workload_groups (Resource)
+
+* [Official documentation](https://help.zscaler.com/zia/about-workload-groups)
+* [API documentation](https://help.zscaler.com/zia/workload-groups#/workloadGroups-get)
+
+Use the **zia_workload_groups** resource allows the creation and management of Workload Group objects in the Zscaler Internet Access. This resource can then be used as a criterion in ZIA policies such as, Firewall Filtering, URL Filtering, and Data Loss Prevention (DLP) to apply security policies to the workload traffic.
+
+## Example Usage
+
+```hcl
+resource "zia_workload_groups" "example" {
+  name = "Test Group"
+  description = "Test Group"
+
+  expression_json {
+    expression_containers {
+      tag_type = "ATTR"
+      operator = "AND"
+
+      tag_container {
+        operator = "AND"
+
+        tags {
+          key   = "GroupName"
+          value = "example"
+        }
+      }
+    }
+
+    expression_containers {
+      tag_type = "ENI"
+      operator = "AND"
+
+      tag_container {
+        operator = "AND"
+
+        tags {
+          key   = "GroupId"
+          value = "123456789"
+        }
+      }
+    }
+
+    expression_containers {
+      tag_type = "VPC"
+      operator = "AND"
+
+      tag_container {
+        operator = "AND"
+
+        tags {
+          key   = "Vpc-id"
+          value = "vpcid12344"
+        }
+      }
+    }
+
+    expression_containers {
+      tag_type = "VM"
+      operator = "AND"
+
+      tag_container {
+        operator = "AND"
+
+        tags {
+          key   = "IamInstanceProfile-Arn"
+          value = "test01"
+        }
+      }
+    }
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+### Required
+
+* `name` - (Required) The name of the workload group.
+
+### Optional
+
+* `description` - (Optional) The description of the workload group.
+* `expression_json` - (Optional) The workload group expression containing tag types, tags, and their relationships represented in a JSON format.
+  * `expression_containers` - (Optional) Contains one or more tag types (and associated tags) combined using logical operators within a workload group.
+    * `tag_type` - (Optional) The tag type selected from a predefined list. Supported values are: `ANY`, `VPC`, `SUBNET`, `VM`, `ENI`, `ATTR`.
+    * `operator` - (Optional) The operator (either AND or OR) used to create logical relationships among tag types. Supported values are: `AND`, `OR`, `OPEN_PARENTHESES`, `CLOSE_PARENTHESES`.
+    * `tag_container` - (Optional) Contains one or more tags and the logical operator used to combine the tags within a tag type.
+      * `operator` - (Optional) The logical operator (either AND or OR) used to combine the tags within a tag type. Supported values are: `AND`, `OR`.
+      * `tags` - (Optional) One or more tags, each consisting of a key-value pair, selected within a tag type. If multiple tags are present within a tag type, they are combined using a logical operator. Note: A maximum of 8 tags can be added to a workload group, irrespective of the number of tag types present.
+        * `key` - (Optional) The key component present in the key-value pair contained in a tag.
+        * `value` - (Optional) The value component present in the key-value pair contained in a tag.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - (String) A unique identifier assigned to the workload group.
+* `group_id` - (Number) A unique identifier assigned to the workload group.
+* `name` - (String) The name of the workload group.
+* `description` - (String) The description of the workload group.
+* `expression_json` - (List) The workload group expression containing tag types, tags, and their relationships represented in a JSON format.
+  * `expression_containers` - (List) Contains one or more tag types (and associated tags) combined using logical operators within a workload group.
+    * `tag_type` - (String) The tag type selected from a predefined list. Returned values are: `ANY`, `VPC`, `SUBNET`, `VM`, `ENI`, `ATTR`.
+    * `operator` - (String) The operator (either AND or OR) used to create logical relationships among tag types. Returned values are: `AND`, `OR`, `OPEN_PARENTHESES`, `CLOSE_PARENTHESES`.
+    * `tag_container` - (List) Contains one or more tags and the logical operator used to combine the tags within a tag type.
+      * `operator` - (String) The logical operator (either AND or OR) used to combine the tags within a tag type. Returned values are: `AND`, `OR`.
+      * `tags` - (List) One or more tags, each consisting of a key-value pair, selected within a tag type. If multiple tags are present within a tag type, they are combined using a logical operator. Note: A maximum of 8 tags can be added to a workload group, irrespective of the number of tag types present.
+        * `key` - (String) The key component present in the key-value pair contained in a tag.
+        * `value` - (String) The value component present in the key-value pair contained in a tag.
+
+## Import
+
+Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZIA configurations into Terraform-compliant HashiCorp Configuration Language.
+[Visit](https://github.com/zscaler/zscaler-terraformer)
+
+**zia_workload_groups** can be imported by using `<GROUP_ID>` or `<GROUP_NAME>` as the import ID.
+
+For example:
+
+```shell
+terraform import zia_workload_groups.example <group_id>
+```
+
+or
+
+```shell
+terraform import zia_workload_groups.example <group_name>
+```