zscaler-terraformer import fails with 'authz.featureflag.permission.denied' #122

Closed
2 tasks done
jcastilloixl opened this issue Aug 21, 2023 · 1 comment · Fixed by #123
Labels
bug Something isn't working

Comments

@jcastilloixl

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the library and it is still present.

zscaler-terraformer version

zscaler-terraformer v0.3.0

Expected outcome

Running zscaler-terraformer import --resources="zpa" successfully imports all of my ZPA resources.

Actual outcome

zscaler-terraformer import --resources="zpa" successfully imports zpa_policy_access_rules, zpa_application_segment_browser_access, zpa_segment_groups, before failing with an Inspection Control Controller API call:

FATA[0085] FAILED: GET, https://config.private.zscaler.com/mgmtconfig/v1/admin/customers/288262545456758784/inspectionProfile?page=1&pagesize=500, 401, 401 Unauthorized, {
  "params" : [ "ui.waf", "288262545456758784" ],
  "id" : "authz.featureflag.permission.denied",
  "reason" : "Feature flag ui.waf disabled for customer 288,262,545,456,758,784"
}

I am not familiar with what this resource is. It appears to be part of ZPA, but I am unclear as to whether or not we are using it.

If it is an add-on feature we have not subscribed to, I would expect this call to gracefully get skipped and the script would move on to the next import group. I have full ZPA admin in my org and cannot successfully search for 'Inspection' or 'WAF' while logged in at admin.private.zscaler.com so I am not sure what this service is.

Steps to reproduce

  1. Using my access key and API config info, running zscaler-terraformer import --resources="zpa" reliably reproduces this issue.

References

No response
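An added example, not code from zscaler-terraformer, of how an importer could treat the failure reported above: it parses the JSON error body quoted in the issue and skips the resource group only when the `id` is `authz.featureflag.permission.denied`, so a generic 401 (bad credentials) still aborts the run. The type, function and constant names are assumptions, and the sample body is constructed with the customer id replaced by a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// zpaAPIError mirrors the JSON body ZPA returned with the 401 in this issue.
type zpaAPIError struct {
	ID     string   `json:"id"`
	Reason string   `json:"reason"`
	Params []string `json:"params"`
}

// featureFlagDenied is the error id quoted in the issue (constant name assumed).
const featureFlagDenied = "authz.featureflag.permission.denied"

// classifyImportError decides whether a resource group should be skipped
// (feature flag disabled for the tenant) or whether the failure is fatal.
// Only a 401 whose body carries the feature-flag denial id is skippable;
// any other non-2xx response, including a generic 401, returns an error.
func classifyImportError(status int, body []byte) (skip bool, flag string, err error) {
	if status >= 200 && status < 300 {
		return false, "", nil
	}
	var apiErr zpaAPIError
	if jerr := json.Unmarshal(body, &apiErr); jerr != nil {
		// Non-JSON body: not a recognisable denial, so fail loudly.
		return false, "", fmt.Errorf("status %d: %s", status, strings.TrimSpace(string(body)))
	}
	if status == 401 && apiErr.ID == featureFlagDenied {
		if len(apiErr.Params) > 0 {
			flag = apiErr.Params[0] // e.g. "ui.waf"
		}
		return true, flag, nil
	}
	return false, "", fmt.Errorf("status %d: %s (%s)", status, apiErr.ID, apiErr.Reason)
}

// sampleDenial is a constructed copy of the body from the issue, customer id replaced.
const sampleDenial = `{"params":["ui.waf","<CUSTOMER_ID>"],"id":"authz.featureflag.permission.denied","reason":"Feature flag ui.waf disabled for customer <CUSTOMER_ID>"}`

func main() {
	skip, flag, err := classifyImportError(401, []byte(sampleDenial))
	fmt.Println(skip, flag, err) // true ui.waf <nil>
}
```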

@jcastilloixl
Author

jcastilloixl commented Aug 21, 2023

As a fast hack, I was able to work around this by commenting out all of the 'inspection'-related key-value pairs in the var resourceImportStringFormats definition and related case blocks in internal/app/zscaler-terraformer/cmd/import.go and then rebuilding from source. (Not sure if all of that was necessary.) I haven't had time to look at this further.

Worth noting that although the docs only mentioned ~/.zscaler-terraformer.yaml and the wrapper script looks for that, it seems like the Terraform component of this script also expected/required ~/.zpa/credentials.json in order to function without environment vars, example:

No ~/.zscaler-terraformer.yaml:

$ ./zscaler-terraformer import --resources="zpa"
FATA[0000] 'zpaClientID' must be set.

Created ~/.zscaler-terraformer.yaml and re-ran without ~/.zpa/credentials.json:

$ ./zscaler-terraformer import --resources="zpa"
terraform import zpa_app_connector_group.resource_XYZ XYZ
INFO[0006] [ERROR] error while running import:exit status 1

Error: Invalid provider configuration

Provider "registry.terraform.io/zscaler/zpa" requires explicit configuration.
Add a provider block to the root module and configure the provider's required
arguments as described in the provider documentation.



Error: failed configuring the provided

  with provider["registry.terraform.io/zscaler/zpa"],
  on <empty> line 0:
  (source code not available)

error:Could not open credentials file, needs to contain one json object with
keys: zpa_client_id, zpa_client_secret, zpa_customer_id, and zpa_cloud. open
/Users/jcastillo/.zpa/credentials.json: no such file or directory

terraform import zpa_app_connector_group.resource_XYZ XYZ
INFO[0006] [ERROR] error while running import:exit status 1

Error: Invalid provider configuration

Provider "registry.terraform.io/zscaler/zpa" requires explicit configuration.
Add a provider block to the root module and configure the provider's required
arguments as described in the provider documentation.



Error: failed configuring the provided

  with provider["registry.terraform.io/zscaler/zpa"],
  on <empty> line 0:
  (source code not available)

error:Could not open credentials file, needs to contain one json object with
keys: zpa_client_id, zpa_client_secret, zpa_customer_id, and zpa_cloud. open
/Users/jcastillo/.zpa/credentials.json: no such file or directory

terraform import zpa_app_connector_group.resource_XYZ XYZ
INFO[0006] [ERROR] error while running import:exit status 1

Error: Invalid provider configuration

Provider "registry.terraform.io/zscaler/zpa" requires explicit configuration.
Add a provider block to the root module and configure the provider's required
arguments as described in the provider documentation.



Error: failed configuring the provided

  with provider["registry.terraform.io/zscaler/zpa"],
  on <empty> line 0:
  (source code not available)

error:Could not open credentials file, needs to contain one json object with
keys: zpa_client_id, zpa_client_secret, zpa_customer_id, and zpa_cloud. open
/Users/jcastillo/.zpa/credentials.json: no such file or directory

Creating ~/.zpa/credentials.json allowed the rebuilt script to run without issue.

@willguibr willguibr self-assigned this Aug 25, 2023
@willguibr willguibr added the bug Something isn't working label Aug 25, 2023
@willguibr willguibr linked a pull request Aug 25, 2023 that will close this issue