From 0922d72af871a6b2e2fe3c88d3be7d3c30c6aba7 Mon Sep 17 00:00:00 2001
From: William Guilherme
Date: Mon, 23 Sep 2024 00:10:39 -0700
Subject: [PATCH] Fix: Fixed Drift within pra_application attribute in zpa_policy_credential_access_rule (#491)

---
 CHANGELOG.md | 12 +++
 GNUmakefile | 6 +-
 docs/guides/release-notes.md | 14 +++-
 zpa/common.go | 1 +
 ...ource_zpa_policy_access_timeout_rule_v2.go | 13 ++--
 ...rce_zpa_policy_capabilities_access_rule.go | 11 ++-
 ...ource_zpa_policy_credential_access_rule.go | 22 ++++-
 zpa/resource_zpa_pra_portal_controller.go | 1 +
 zpa/resource_zpa_segment_group.go | 77 ++++++------------------
 9 files changed, 81 insertions(+), 76 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42925c11..ef6e9a1e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Changelog
+## 3.33.4 (September, 23 2024)
+
+### Notes
+
+- Release date: **(September, 23 2024)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes
+- [PR #492](https://github.com/zscaler/terraform-provider-zpa/pull/492) - Fixed drift within attribute `zpa_policy_credential_access_rule`.
+- [PR #492](https://github.com/zscaler/terraform-provider-zpa/pull/492) - Fixed detachement function within `zpa_segment_group`
+ ~> **NOTE** This fix does not affect existing configurations.
+
 ## 3.33.3 (September, 18 2024)
 ### Notes
diff --git a/GNUmakefile b/GNUmakefile
index 9236491a..d8589ff8 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -55,14 +55,14 @@ test\:integration\:zpa:
 build13: GOOS=$(shell go env GOOS)
 build13: GOARCH=$(shell go env GOARCH)
 ifeq ($(OS),Windows_NT) # is Windows_NT on XP, 2000, 7, Vista, 10...
-build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.33.3/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(APPDATA)/terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.33.4/$(GOOS)_$(GOARCH)
 else
-build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.33.3/$(GOOS)_$(GOARCH)
+build13: DESTINATION=$(HOME)/.terraform.d/plugins/$(ZPA_PROVIDER_NAMESPACE)/3.33.4/$(GOOS)_$(GOARCH)
 endif
 build13: fmtcheck
 @echo "==> Installing plugin to $(DESTINATION)"
 @mkdir -p $(DESTINATION)
- go build -o $(DESTINATION)/terraform-provider-zpa_v3.33.3
+ go build -o $(DESTINATION)/terraform-provider-zpa_v3.33.4
 vet:
 @echo "==> Checking source code against go vet and staticcheck"
diff --git a/docs/guides/release-notes.md b/docs/guides/release-notes.md
index 6a23611c..1fdb38b1 100644
--- a/docs/guides/release-notes.md
+++ b/docs/guides/release-notes.md
@@ -12,10 +12,22 @@ Track all ZPA Terraform provider's releases. New resources, features, and bug fi
 ---
-``Last updated: v3.33.3``
+``Last updated: v3.33.4``
 ---
+## 3.33.4 (September, 23 2024)
+
+### Notes
+
+- Release date: **(September, 23 2024)**
+- Supported Terraform version: **v1.x**
+
+### Bug Fixes
+- [PR #492](https://github.com/zscaler/terraform-provider-zpa/pull/492) - Fixed drift within attribute `zpa_policy_credential_access_rule`.
+- [PR #492](https://github.com/zscaler/terraform-provider-zpa/pull/492) - Fixed detachement function within `zpa_segment_group`
+ ~> **NOTE** This fix does not affect existing configurations.
+
 ## 3.33.3 (September, 18 2024)
 ### Notes
diff --git a/zpa/common.go b/zpa/common.go
index b4b64b9f..682dbb3f 100644
--- a/zpa/common.go
+++ b/zpa/common.go
@@ -1227,6 +1227,7 @@ func ConvertV1ResponseToV2Request(v1Response policysetcontrollerv2.PolicyRuleRes
 PolicySetID: v1Response.PolicySetID,
 Operator: v1Response.Operator,
 CustomMsg: v1Response.CustomMsg,
+ MicroTenantID: v1Response.MicroTenantID,
 ZpnIsolationProfileID: v1Response.ZpnIsolationProfileID,
 ZpnInspectionProfileID: v1Response.ZpnInspectionProfileID,
 Conditions: make([]policysetcontrollerv2.PolicyRuleResourceConditions, 0),
diff --git a/zpa/resource_zpa_policy_access_timeout_rule_v2.go b/zpa/resource_zpa_policy_access_timeout_rule_v2.go
index fa054b4f..055d3999 100644
--- a/zpa/resource_zpa_policy_access_timeout_rule_v2.go
+++ b/zpa/resource_zpa_policy_access_timeout_rule_v2.go
@@ -301,7 +301,13 @@ func resourcePolicyTimeoutRuleV2Update(d *schema.ResourceData, meta interface{})
 func resourcePolicyTimeoutRuleV2Delete(d *schema.ResourceData, meta interface{}) error {
 zClient := meta.(*Client)
+
+ service := zClient.PolicySetControllerV2
+ microTenantID := GetString(d.Get("microtenant_id"))
+ if microTenantID != "" {
+ service = service.WithMicroTenant(microTenantID)
+ }
 // Assume "TIMEOUT_POLICY" is the policy type for this resource. Adjust as needed.
 policySetID, err := fetchPolicySetIDByType(zClient, "TIMEOUT_POLICY", microTenantID)
@@ -311,13 +317,8 @@ func resourcePolicyTimeoutRuleV2Delete(d *schema.ResourceData, meta interface{})
 log.Printf("[INFO] Deleting policy set rule with id %v\n", d.Id())
- service := zClient.PolicySetControllerV2
- if microTenantID != "" {
- service = service.WithMicroTenant(microTenantID)
- }
-
 if _, err := policysetcontrollerv2.Delete(service, policySetID, d.Id()); err != nil {
- return err
+ return fmt.Errorf("failed to delete policy timeout rule: %w", err)
 }
 return nil
diff --git a/zpa/resource_zpa_policy_capabilities_access_rule.go b/zpa/resource_zpa_policy_capabilities_access_rule.go
index 8681b751..5c990fc8 100644
--- a/zpa/resource_zpa_policy_capabilities_access_rule.go
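Review bot: The wrapped error in the second timeout hunk, `return fmt.Errorf("failed to delete policy timeout rule: %w", err)`, prefixes the chain with "failed to", which reads twice as soon as an outer layer wraps it again, and it omits the rule being deleted; the credential Delete hunk later in this patch adds the same wording. Say what this layer was doing and include the identifier: `return fmt.Errorf("deleting policy timeout rule %q: %w", d.Id(), err)`. In the first hunk the tenant-scoped `service` is now built before `fetchPolicySetIDByType(zClient, "TIMEOUT_POLICY", microTenantID)`, which still scopes itself via the separate `microTenantID` argument; that looks intentional but deserves a line such as `// service is tenant-scoped for the delete; the policy-set lookup scopes itself via microTenantID`. resourcePolicyTimeoutRuleV2Delete starts in the first hunk and its middle lies between the two hunks.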
+++ b/zpa/resource_zpa_policy_capabilities_access_rule.go
@@ -307,9 +307,13 @@ func resourcePolicyCapabilitiesAccessRuleUpdate(d *schema.ResourceData, meta int
 func resourcePolicyCapabilitiesAccessRuleDelete(d *schema.ResourceData, meta interface{}) error {
 zClient := meta.(*Client)
+ service := zClient.PolicySetControllerV2
+ microTenantID := GetString(d.Get("microtenant_id"))
+ if microTenantID != "" {
+ service = service.WithMicroTenant(microTenantID)
+ }
- // Assume "CAPABILITIES_POLICY" is the policy type for this resource. Adjust as needed.
 policySetID, err := fetchPolicySetIDByType(zClient, "CAPABILITIES_POLICY", microTenantID)
 if err != nil {
 return err
@@ -317,11 +321,6 @@ func resourcePolicyCapabilitiesAccessRuleDelete(d *schema.ResourceData, meta int
 log.Printf("[INFO] Deleting policy set rule with id %v\n", d.Id())
- service := zClient.PolicySetControllerV2
- if microTenantID != "" {
- service = service.WithMicroTenant(microTenantID)
- }
-
 if _, err := policysetcontrollerv2.Delete(service, policySetID, d.Id()); err != nil {
 return err
 }
diff --git a/zpa/resource_zpa_policy_credential_access_rule.go b/zpa/resource_zpa_policy_credential_access_rule.go
index 59fc396e..7b4852ee 100644
--- a/zpa/resource_zpa_policy_credential_access_rule.go
+++ b/zpa/resource_zpa_policy_credential_access_rule.go
@@ -1,6 +1,7 @@
 package zpa
 import (
+ "fmt"
 "log"
 "net/http"
@@ -213,6 +214,15 @@ func resourcePolicyCredentialAccessRuleRead(d *schema.ResourceData, meta interfa
 _ = d.Set("conditions", flattenConditionsV2(v2PolicyRule.Conditions))
 _ = d.Set("credential", flattenCredential(resp.Credential))
+ // Ensure microtenant_id is being correctly set in state
+ if v2PolicyRule.MicroTenantID != "" {
+ log.Printf("[INFO] Setting microtenant_id in state: %s\n", v2PolicyRule.MicroTenantID)
+ _ = d.Set("microtenant_id", v2PolicyRule.MicroTenantID)
+ } else {
+ log.Printf("[WARN] microtenant_id is empty in response.")
+ _ = d.Set("microtenant_id", "")
+ }
+
 return nil
 }
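Review bot: The bare `return err` after `policysetcontrollerv2.Delete(service, policySetID, d.Id())` in the second capabilities hunk is left as is while the timeout and credential Delete functions touched by this same patch wrap theirs, so a failure here reaches the user with no indication of which rule or resource it concerns. Make it consistent with its siblings: `return fmt.Errorf("deleting policy capabilities rule %q: %w", d.Id(), err)` (this needs `fmt` in that file's import block, which is not shown in the patch). The first hunk also drops the `// Assume "CAPABILITIES_POLICY" ...` comment that the timeout file keeps; the hard-coded policy type still deserves one line, e.g. `// CAPABILITIES_POLICY is the only policy set this resource manages`. resourcePolicyCapabilitiesAccessRuleDelete starts in the first hunk and its middle lies between the two hunks.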
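Review bot: The new `else` branch in the credential Read hunk logs `[WARN] microtenant_id is empty in response.` on every refresh for any tenant that does not use microtenants, and the `if` branch logs the tenant identifier at INFO on every read; neither is an abnormal condition, it is the ordinary state-sync path, and at WARN it will drown real warnings in provider logs. Demote both to DEBUG, `log.Printf("[DEBUG] microtenant_id is empty in response")` and `log.Printf("[DEBUG] setting microtenant_id in state: %s", v2PolicyRule.MicroTenantID)`, or drop them. Writing `""` in the else branch is what the drift fix depends on, but it also means a configured `microtenant_id` shows as drift whenever the API returns the field empty; if that can happen for a real microtenant the perpetual diff comes back, so the assumption is worth stating in the comment: `// The API echoes microtenant_id for tenant-scoped rules; an empty value means the default tenant`. resourcePolicyCredentialAccessRuleRead starts outside this hunk.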
@@ -259,7 +269,12 @@ func resourcePolicyCredentialAccessRuleUpdate(d *schema.ResourceData, meta inter
 func resourcePolicyCredentialAccessRuleDelete(d *schema.ResourceData, meta interface{}) error {
 zClient := meta.(*Client)
+ service := zClient.PolicySetControllerV2
+ microTenantID := GetString(d.Get("microtenant_id"))
+ if microTenantID != "" {
+ service = service.WithMicroTenant(microTenantID)
+ }
 policySetID, err := fetchPolicySetIDByType(zClient, "CREDENTIAL_POLICY", microTenantID)
 if err != nil {
@@ -268,13 +283,8 @@ func resourcePolicyCredentialAccessRuleDelete(d *schema.ResourceData, meta inter
 log.Printf("[INFO] Deleting policy credential rule with id %v\n", d.Id())
- service := zClient.PolicySetControllerV2
- if microTenantID != "" {
- service = service.WithMicroTenant(microTenantID)
- }
-
 if _, err := policysetcontrollerv2.Delete(service, policySetID, d.Id()); err != nil {
- return err
+ return fmt.Errorf("failed to delete policy credential rule: %w", err)
 }
 return nil
diff --git a/zpa/resource_zpa_pra_portal_controller.go b/zpa/resource_zpa_pra_portal_controller.go
index 0399b111..da9bd684 100644
--- a/zpa/resource_zpa_pra_portal_controller.go
+++ b/zpa/resource_zpa_pra_portal_controller.go
@@ -74,6 +74,7 @@ func resourcePRAPortalController() *schema.Resource {
 "certificate_id": {
 Type: schema.TypeString,
 Optional: true,
+ Computed: true,
 Description: "The unique identifier of the certificate",
 },
 "user_notification": {
diff --git a/zpa/resource_zpa_segment_group.go b/zpa/resource_zpa_segment_group.go
index affd8576..c276ee15 100644
--- a/zpa/resource_zpa_segment_group.go
+++ b/zpa/resource_zpa_segment_group.go
@@ -7,6 +7,8 @@ import (
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 client "github.com/zscaler/zscaler-sdk-go/v2/zpa"
+ "github.com/zscaler/zscaler-sdk-go/v2/zpa/services"
+ "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/policysetcontroller"
 "github.com/zscaler/zscaler-sdk-go/v2/zpa/services/segmentgroup"
 )
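Review bot: Adding `Computed: true` to `certificate_id` in the PRA portal hunk makes the attribute Optional+Computed, and in SDKv2 that means once the API reports a certificate, removing `certificate_id` from the configuration no longer plans any change: the portal silently keeps whatever certificate is bound server-side. That suppresses the drift but changes what omitting the attribute means for a TLS-facing setting, so the schema should say so: `Description: "The unique identifier of the certificate. Computed from the portal when not set in configuration; removing it from configuration does not detach the certificate"`. If the intent is only to tolerate an API-assigned default, a `DiffSuppressFunc` that ignores the empty-config case would keep explicit removal working. The resourcePRAPortalController schema continues outside the hunk.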
@@ -178,53 +180,38 @@ func resourceSegmentGroupUpdate(d *schema.ResourceData, meta interface{}) error
 return resourceSegmentGroupRead(d, meta)
 }
-/*
-func detachSegmentGroupFromAllPolicyRules(id string, policySetControllerService *services.Service) {
+func detachSegmentGroupFromAllPolicyRules(d *schema.ResourceData, policySetControllerService *services.Service) {
 policyRulesDetchLock.Lock()
 defer policyRulesDetchLock.Unlock()
-
- var rules []policysetcontroller.PolicyRule
- types := []string{"ACCESS_POLICY", "TIMEOUT_POLICY", "SIEM_POLICY", "CLIENT_FORWARDING_POLICY", "INSPECTION_POLICY"}
-
- for _, t := range types {
- policySet, _, err := policysetcontroller.GetByPolicyType(policySetControllerService, t)
- if err != nil {
- continue
- }
- r, _, err := policysetcontroller.GetAllByType(policySetControllerService, t)
- if err != nil {
- continue
- }
- for _, rule := range r {
- rule.PolicySetID = policySet.ID
- rules = append(rules, rule)
- }
+ accessPolicySet, _, err := policysetcontroller.GetByPolicyType(policySetControllerService, "ACCESS_POLICY")
+ if err != nil {
+ return
+ }
+ rules, _, err := policysetcontroller.GetAllByType(policySetControllerService, "ACCESS_POLICY")
+ if err != nil {
+ return
 }
 for _, rule := range rules {
+ ids := []policysetcontroller.AppConnectorGroups{}
 changed := false
- for i, condition := range rule.Conditions {
- operands := []policysetcontroller.Operands{}
- for _, op := range condition.Operands {
- if op.ObjectType == "APP_GROUP" && op.LHS == "id" && op.RHS == id {
- changed = true
- continue
- }
- operands = append(operands, op)
+ for _, app := range rule.AppConnectorGroups {
+ if app.ID == d.Id() {
+ changed = true
+ continue
 }
- rule.Conditions[i].Operands = operands
- }
- if len(rule.Conditions) == 0 {
- rule.Conditions = []policysetcontroller.Conditions{}
+ ids = append(ids, policysetcontroller.AppConnectorGroups{
+ ID: app.ID,
+ })
 }
+ rule.AppConnectorGroups = ids
 if changed {
- if _, err := policysetcontroller.UpdateRule(policySetControllerService, rule.PolicySetID, rule.ID, &rule); err != nil {
+ microTenantID := GetString(d.Get("microtenant_id"))
+ if _, err := policysetcontroller.UpdateRule(policySetControllerService.WithMicroTenant(microTenantID), accessPolicySet.ID, rule.ID, &rule); err != nil {
 continue
 }
 }
 }
 }
-*/
 func resourceSegmentGroupDelete(d *schema.ResourceData, meta interface{}) error {
 zClient := meta.(*Client)
@@ -243,34 +230,16 @@ func resourceSegmentGroupDelete(d *schema.ResourceData, meta interface{}) error
 log.Printf("[INFO] Deleting app connector group ID: %v\n", d.Id())
 //detach app connector group from all access policy rules
- detachAppConnectorGroupFromAllAccessPolicyRules(d, policySetControllerService)
+ detachSegmentGroupFromAllPolicyRules(d, policySetControllerService)
 if _, err := segmentgroup.Delete(service, d.Id()); err != nil {
 return err
 }
 d.SetId("")
- log.Printf("[INFO] app connector group deleted")
+ log.Printf("[INFO] segment group deleted")
 return nil
 }
-// func resourceSegmentGroupDelete(d *schema.ResourceData, meta interface{}) error {
-// zClient := meta.(*Client)
-// microTenantID := GetString(d.Get("microtenant_id"))
-// policySetControllerService := zClient.PolicySetController.WithMicroTenant(microTenantID)
-// service := zClient.SegmentGroup.WithMicroTenant(microTenantID)
-
-// log.Printf("[INFO] Deleting segment group ID: %v\n", d.Id())
-
-// detachSegmentGroupFromAllPolicyRules(d.Id(), policySetControllerService)
-
-// if _, err := segmentgroup.Delete(service, d.Id()); err != nil {
-// return err
-// }
-// d.SetId("")
-// log.Printf("[INFO] segment group deleted")
-// return nil
-// }
-
 func expandSegmentGroup(d *schema.ResourceData) segmentgroup.SegmentGroup {
 segmentGroup := segmentgroup.SegmentGroup{
 ID: d.Id(),
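Review bot: The rewritten `detachSegmentGroupFromAllPolicyRules` compares `app.ID == d.Id()` against `rule.AppConnectorGroups`, but `d.Id()` here is the segment group being deleted (the caller is `resourceSegmentGroupDelete`), and the commented-out version this hunk replaces found a segment group through a condition operand, `op.ObjectType == "APP_GROUP" && op.LHS == "id" && op.RHS == id`; as written the loop appears never to match the segment group, and would instead strip any app connector group whose ID happened to coincide. The function also swallows every failure (`return` after the two lookups, `continue` after `UpdateRule`) without logging, so the caller proceeds to `segmentgroup.Delete` while rules may still reference the group and nobody learns why the detach did not happen. Scanning only `"ACCESS_POLICY"` where the old code walked five policy types narrows the cleanup further; I cannot tell from the diff whether the other types can reference a segment group, so that needs confirming. I would restore operand matching and return an error (this needs `fmt` imported in the file, which the patch does not show); the whole function lies inside this hunk.
```go
func detachSegmentGroupFromAllPolicyRules(d *schema.ResourceData, policySetControllerService *services.Service) error {
	// … unchanged: lock / deferred unlock …
	accessPolicySet, _, err := policysetcontroller.GetByPolicyType(policySetControllerService, "ACCESS_POLICY")
	if err != nil {
		return fmt.Errorf("looking up ACCESS_POLICY policy set: %w", err)
	}
	rules, _, err := policysetcontroller.GetAllByType(policySetControllerService, "ACCESS_POLICY")
	if err != nil {
		return fmt.Errorf("listing ACCESS_POLICY rules: %w", err)
	}
	microTenantID := GetString(d.Get("microtenant_id"))
	for _, rule := range rules {
		changed := false
		for i, condition := range rule.Conditions {
			operands := []policysetcontroller.Operands{}
			for _, op := range condition.Operands {
				// A segment group is referenced by an APP_GROUP operand, not by AppConnectorGroups.
				if op.ObjectType == "APP_GROUP" && op.LHS == "id" && op.RHS == d.Id() {
					changed = true
					continue
				}
				operands = append(operands, op)
			}
			rule.Conditions[i].Operands = operands
		}
		if !changed {
			continue
		}
		if _, err := policysetcontroller.UpdateRule(policySetControllerService.WithMicroTenant(microTenantID), accessPolicySet.ID, rule.ID, &rule); err != nil {
			return fmt.Errorf("detaching segment group %q from policy rule %q: %w", d.Id(), rule.ID, err)
		}
	}
	return nil
}
```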
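Review bot: The two context lines at the top of the last hunk, `log.Printf("[INFO] Deleting app connector group ID: %v\n", d.Id())` and `//detach app connector group from all access policy rules`, still talk about an app connector group even though the commit fixes the matching log at the bottom of the function; the leftover copy-paste text will mislead anyone reading provider logs during an incident. Change them to `log.Printf("[INFO] Deleting segment group ID: %v\n", d.Id())` and `// detach the segment group from every access policy rule before deleting it`. The call `detachSegmentGroupFromAllPolicyRules(d, policySetControllerService)` has no return value, so `segmentgroup.Delete` runs even when the detach silently failed and rules still reference the group; if the helper is changed to return an error, check it here before the delete. resourceSegmentGroupDelete starts in the previous hunk.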