Fix: Fixed Rule Base Resources (#416)

* Fix: Fixed Rule Base Resources

* fix: Fixed rule reorder logic and error handling

* fix: Fixed Integration Tests

* fix: Fixed zia_firewall_filtering_rules reorder loigic

Author: willguibr

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 4.0.10 (April, 7 2025)
+
+### Notes
+
+- Release date: **(April, 7 2025)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes
+
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fixed `zia_dlp_web_rules` sub rule reorder logic to ensure rules are ordered correctly.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Replaced attribute `malicious_urls` with `bypass_urls` in the resource `zia_atp_security_exceptions` documentation.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fixed the flattening function `flattenIDExtensionsListIDs` and schema function `setIDsSchemaTypeCustom`. This will ensure Terraform identifies plan changes when block lists are removed from the configuration.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fix to attribute the `order` attribute in all rule based resources to ensure consistency on ordering logic.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fix  custom order logic on the resource `zia_firewall_filtering_rules` to ensure pre-defined rules are placed in the correct position to prevent drifts
+
 ## 4.0.9 (March, 14 2025)
 
 ### Notes

GNUmakefile

@@ -196,14 +196,14 @@ test\:integration\:zscalertwo:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT)  # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.9/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.10/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.9/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZIA_PROVIDER_NAMESPACE)/4.0.10/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 	@echo "==> Installing plugin to $(DESTINATION)"
 	@mkdir -p $(DESTINATION)
-	go build -o $(DESTINATION)/terraform-provider-zia_v4.0.9
+	go build -o $(DESTINATION)/terraform-provider-zia_v4.0.10
 
 coverage: test
 	@echo "✓ Opening coverage for unit tests ..."

docs/data-sources/zia_sandbox_rules.md

@@ -51,8 +51,6 @@ In addition to all arguments above, the following attributes are exported:
 * `url_categories` - (List of Strings) The list of URL categories to which the DLP policy rule must be applied.
 * `file_types` - (List of Strings) File type categories for which the policy is applied. If not set, the rule is applied across all file types.
 
-`Devices`
-
 `Who, Where and When` supports the following attributes:
 
 * `locations` - (List of Objects) You can manually select up to `8` locations. When not used it implies `Any` to apply the rule to all groups.

docs/guides/release-notes.md

@@ -12,10 +12,25 @@ description: |-
 Track all ZIA Terraform provider's releases. New resources, features, and bug fixes will be tracked here.
 
 ---
-``Last updated: v4.0.9``
+``Last updated: v4.0.10``
 
 ---
 
+## 4.0.10 (April, 7 2025)
+
+### Notes
+
+- Release date: **(April, 7 2025)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes
+
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fixed `zia_dlp_web_rules` sub rule reorder logic to ensure rules are ordered correctly.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Replaced attribute `malicious_urls` with `bypass_urls` in the resource `zia_atp_security_exceptions` documentation.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fixed the flattening function `flattenIDExtensionsListIDs` and schema function `setIDsSchemaTypeCustom`. This will ensure Terraform identifies plan changes when block lists are removed from the configuration.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fix to attribute the `order` attribute in all rule based resources to ensure consistency on ordering logic.
+- [PR #416](https://github.com/zscaler/terraform-provider-zia/pull/416) - Fix  custom order logic on the resource `zia_firewall_filtering_rules` to ensure pre-defined rules are placed in the correct position to prevent drifts
+
 ## 4.0.9 (March, 14 2025)
 
 ### Notes

docs/resources/zia_atp_security_exceptions.md

@@ -14,7 +14,7 @@ The **zia_atp_security_exceptions** resource alows you to updates security excep
 
 ```hcl
 resource "zia_atp_security_exceptions" "this" {
-    malicious_urls = [
+    bypass_urls = [
         "site1.example.com",
         "site2.example.com",
         "site3.example.com",

docs/resources/zia_sandbox_rules.md

@@ -93,8 +93,6 @@ In addition to all arguments above, the following attributes are supported:
 * `url_categories` - (List of Strings) The list of URL categories to which the DLP policy rule must be applied.
 * `file_types` - (List of Strings) File type categories for which the policy is applied. If not set, the rule is applied across all file types.
 
-`Devices`
-
 `Who, Where and When` supports the following attributes:
 
 * `locations` - (List of Objects) You can manually select up to `8` locations. When not used it implies `Any` to apply the rule to all groups.
@@ -113,3 +111,35 @@ In addition to all arguments above, the following attributes are supported:
 
 * `zpa_app_segments` (List of Objects) The ZPA application segments to which the rule applies
       - `id` - (Integer) Identifier that uniquely identifies an entity
+
+|                              **Supported File Types**                                           |
+|:--------------------------------------------------------------------------------------------------------|
+|---------------------------------------------------------------------------------------|
+| `FTCATEGORY_BAT`, `FTCATEGORY_APK`, `FTCATEGORY_WINDOWS_SCRIPT_FILES`,|
+| `FTCATEGORY_JAVA_APPLET`, `FTCATEGORY_PDF_DOCUMENT`, `FTCATEGORY_MS_RTF`,|
+| `FTCATEGORY_FLASH`, `FTCATEGORY_POWERSHELL`, `FTCATEGORY_WINDOWS_LIBRARY`,|
+| `FTCATEGORY_MS_EXCEL`, `FTCATEGORY_HTA`, `FTCATEGORY_VISUAL_BASIC_SCRIPT`,|
+| `FTCATEGORY_MS_POWERPOINT`, `FTCATEGORY_TAR`, `FTCATEGORY_WINDOWS_EXECUTABLES`, |
+| `FTCATEGORY_SCZIP`, `FTCATEGORY_RAR`, `FTCATEGORY_ZIP`, `FTCATEGORY_P7Z`,|
+| `FTCATEGORY_MICROSOFT_INSTALLER`, `FTCATEGORY_BZIP2`, `FTCATEGORY_PYTHON`,|
+| `FTCATEGORY_MS_WORD`|
+|-------------------------------------------------------------------------------------------|
+
+## Import
+
+Zscaler offers a dedicated tool called Zscaler-Terraformer to allow the automated import of ZIA configurations into Terraform-compliant HashiCorp Configuration Language.
+[Visit](https://github.com/zscaler/zscaler-terraformer)
+
+**zia_sandbox_rules** can be imported by using `<RULE ID>` or `<RULE NAME>` as the import ID.
+
+For example:
+
+```shell
+terraform import zia_sandbox_rules.example <rule_id>
+```
+
+or
+
+```shell
+terraform import zia_sandbox_rules.example <rule_name>
+```

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1
-	github.com/zscaler/zscaler-sdk-go/v3 v3.1.10
+	github.com/zscaler/zscaler-sdk-go/v3 v3.1.13
 )
 
 require (

go.sum

@@ -401,8 +401,8 @@ github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRK
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v3 v3.1.10 h1:umE4roT71TpzAr+bBYY8NwlHrkGa6juo6fvm34z9fig=
-github.com/zscaler/zscaler-sdk-go/v3 v3.1.10/go.mod h1:Iqwd9ZsD0SGNCkAejOP2dOMBgZh1PNFxiMXR2XMO6R4=
+github.com/zscaler/zscaler-sdk-go/v3 v3.1.13 h1:wqWLYFVL2HsPXLcX+Os709eY0Hv6ETnWfHGUGS2K8fo=
+github.com/zscaler/zscaler-sdk-go/v3 v3.1.13/go.mod h1:DEBcnZb0Yx1TYcR0kqhsFncIvjJ2+bo6UQl/qUUwTVo=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

zia/common.go

@@ -42,6 +42,32 @@ func listIDsSchemaType(desc string) *schema.Schema {
 }
 
 func setIDsSchemaTypeCustom(maxItems *int, desc string) *schema.Schema {
+	ids := &schema.Schema{
+		Type:     schema.TypeSet,
+		Optional: true,
+		Elem: &schema.Schema{
+			Type: schema.TypeInt,
+		},
+	}
+	if maxItems != nil && *maxItems > 0 {
+		ids.MaxItems = *maxItems
+	}
+	return &schema.Schema{
+		Type:     schema.TypeSet,
+		Optional: true,
+		// Computed:    true,
+		MaxItems:    1,
+		Description: desc,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"id": ids,
+			},
+		},
+	}
+}
+
+// Used for Computed Attributes
+func setIDsSchemaTypeCustomSpecial(maxItems *int, desc string) *schema.Schema {
 	ids := &schema.Schema{
 		Type:     schema.TypeSet,
 		Optional: true,
@@ -65,7 +91,6 @@ func setIDsSchemaTypeCustom(maxItems *int, desc string) *schema.Schema {
 		},
 	}
 }
-
 func setSingleIDSchemaTypeCustom(desc string) *schema.Schema {
 	return &schema.Schema{
 		Type:        schema.TypeSet,
@@ -312,23 +337,49 @@ func flattenCustomIDSet(customID *common.IDCustom) []interface{} {
 }
 
 func flattenIDExtensionsListIDs(list []common.IDNameExtensions) []interface{} {
-	if list == nil {
+	// Skip if the list is empty
+	if len(list) == 0 {
 		return nil
 	}
+
 	ids := []int{}
 	for _, item := range list {
 		if item.ID == 0 && item.Name == "" {
 			continue
 		}
 		ids = append(ids, item.ID)
 	}
+
+	// Skip if no valid IDs
+	if len(ids) == 0 {
+		return nil
+	}
+
 	return []interface{}{
 		map[string]interface{}{
 			"id": ids,
 		},
 	}
 }
 
+// func flattenIDExtensionsListIDs(list []common.IDNameExtensions) []interface{} {
+// 	if len(list) == 0 {
+// 		return nil
+// 	}
+// 	ids := []int{}
+// 	for _, item := range list {
+// 		if item.ID == 0 && item.Name == "" {
+// 			continue
+// 		}
+// 		ids = append(ids, item.ID)
+// 	}
+// 	return []interface{}{
+// 		map[string]interface{}{
+// 			"id": ids,
+// 		},
+// 	}
+// }
+
 // Flattening function used in the Forwarding Control Policy Resource
 func flattenIDNameSet(idName *common.IDName) []interface{} {
 	idNameSet := make([]interface{}, 0)
@@ -740,7 +791,7 @@ func getSandboxFileTypes() *schema.Schema {
 			Type:             schema.TypeString,
 			ValidateDiagFunc: validateSandboxRuleFileTypes(),
 		},
-		Optional: true,
+		Required: true,
 	}
 }
 
@@ -822,9 +873,9 @@ func (p RuleIDOrderPairList) Less(i, j int) bool {
 }
 func (p RuleIDOrderPairList) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
 
-func reorderAll(resourceType string, getCount func() (int, error), updateOrder func(id, order int) error) {
-	ticker := time.NewTicker(time.Second * 5) // create a ticker that ticks every half minute
-	defer ticker.Stop()                       // stop the ticker when the loop ends
+func reorderAll(resourceType string, getCount func() (int, error), updateOrder func(id, order int) error, beforeReorder func()) {
+	ticker := time.NewTicker(time.Second * 10) // create a ticker that ticks every half minute
+	defer ticker.Stop()                        // stop the ticker when the loop ends
 	numResources := []int{0, 0, 0}
 	for {
 		select {
@@ -845,6 +896,9 @@ func reorderAll(resourceType string, getCount func() (int, error), updateOrder f
 				// sort by order (ascending)
 				sorted := sortOrders(rules.orders[resourceType])
 				log.Printf("[INFO] sorting filtering rule after tick; sorted:%v", sorted)
+				if beforeReorder != nil {
+					beforeReorder()
+				}
 				for _, v := range sorted {
 					if v.Order <= count {
 						if err := updateOrder(v.ID, v.Order); err != nil {
@@ -870,7 +924,7 @@ func markOrderRuleAsDone(id int, resourceType string) {
 	rules.Unlock()
 }
 
-func reorder(order, id int, resourceType string, getCount func() (int, error), updateOrder func(id, order int) error) {
+func reorderWithBeforeReorder(order, id int, resourceType string, getCount func() (int, error), updateOrder func(id, order int) error, beforeReorder func()) {
 	rules.Lock()
 	shouldCallReorder := false
 	if len(rules.orders) == 0 {
@@ -891,6 +945,10 @@ func reorder(order, id int, resourceType string, getCount func() (int, error), u
 	if shouldCallReorder {
 		log.Printf("[INFO] starting to reorder the rules, delegating to rule:%d, order:%d", id, order)
 		// one resource will wait until all resources are done and reorder then return
-		reorderAll(resourceType, getCount, updateOrder)
+		reorderAll(resourceType, getCount, updateOrder, beforeReorder)
 	}
 }
+
+func reorder(order, id int, resourceType string, getCount func() (int, error), updateOrder func(id, order int) error) {
+	reorderWithBeforeReorder(order, id, resourceType, getCount, updateOrder, nil)
+}

zia/common/version.go

@@ -1,6 +1,6 @@
 package common
 
-var version = "4.0.9"
+var version = "4.0.10"
 
 // Version returns version of provider
 func Version() string {