WDAPI-1041 add docs for device settings policy APIs

docs/resources/device_policy.md

@@ -0,0 +1,70 @@
+---
+layout: "cloudflare"
+page_title: "Cloudflare: cloudflare_device_policy"
+description: Provides a Cloudflare Device Policy resource.
+---
+
+# cloudflare_device_policy
+
+Provides a Cloudflare Device Policy resource. Device policies configure settings applied to WARP devices.
+
+## Example Usage
+
+```hcl
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name = "Developers"
+  precedence = 10
+  match = "any(identity.groups.name[*] in {\"Developers\"})"
+  default = false
+  enabled = true
+  allow_mode_switch = true
+  allow_updates = true
+  allowed_to_leave = true
+  auto_connect = 0
+  captive_portal = 5
+  disable_auto_fallback = true
+  support_url = "https://cloudflare.com"
+  switch_locked = true
+  service_mode_v2_mode = "warp"
+  service_mode_v2_port = 3000
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `account_id` - (Required) The account to which the device policy should be added.
+- `name` - (Required) Name of the device policy.
+- `precedence` - (Optional) The precedence of the device policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. Cannot be set for the default policy.
+- `match` - (Optional) The wirefilter expression to match devices. Cannot be set for the default policy.
+- `default` - (Optional) Whether this device policy refers to the default policy.
+- `enabled` - (Optional) Whether this device policy is enabled. Cannot be set for the default policy.
+- `allow_mode_switch` - (Optional) Whether to allow mode switch for this policy.
+- `allow_updates` - (Optional) Whether to allow updates under this policy.
+- `allowed_to_leave` - (Optional) Whether to allow devices to leave the organization.
+- `auto_connect` - (Optional) The amount of time in minutes to reconnect after having been disabled.
+- `captive_portal` - (Optional) The captive portal value for this policy.
+- `disable_auto_fallback` - (Optional) Whether to disable auto fallback for this policy.
+- `support_url` - (Optional) The support URL that will be opened when sending feedback.
+- `switch_locked` - (Optional) Enablement of the ZT client switch lock.
+- `service_mode_v2_mode` - (Optional) The service mode.
+- `service_mode_v2_port` - (Optional) The port to use for the proxy service mode.
+
+## Attributes Reference
+
+The following additional attributes are exported:
+
+- `id` - ID of the device policy.
+
+## Import
+
+Device policies can be imported using a composite ID formed of account
+ID and device policy ID. The default policy does not have an ID but can be
+imported with `default` as the policy ID.
+
+```
+$ terraform import cloudflare_device_policy.developers cb029e245cfdd66dc8d2e570d5dd3322/0ade592a-62d6-46ab-bac8-01f47c7fa792
+$ terraform import cloudflare_device_policy.developers cb029e245cfdd66dc8d2e570d5dd3322/default
+```

docs/resources/fallback_domain.md

@@ -11,13 +11,13 @@ Provides a Cloudflare Fallback Domain resource. Fallback domains are used to ign
 ## Example Usage
 
 ```hcl
-# Use DNS servers 1.1.1.1 or 1.0.0.1 for example.com
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com
 resource "cloudflare_fallback_domain" "example" {
   account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
   domains {
     suffix      = "example.com"
     description = "Example domain"
-    dns_server  = ["1.1.1.1", "1.0.0.1"]
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
   }
 }
 
@@ -34,7 +34,27 @@ resource "cloudflare_fallback_domain" "example" {
   domains {
     suffix      = "example.com"
     description = "Example domain"
-    dns_server  = ["1.1.1.1", "1.0.0.1"]
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
+  }
+}
+
+# Create a device policy
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id  = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name        = "Developers"
+  precedence = 10
+  match = "any(identity.groups.name[*] in {\"Developers\"})"
+  switch_locked = true
+}
+
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com for a particular device policy
+resource "cloudflare_fallback_domain" "example" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  domains {
+    suffix      = "example.com"
+    description = "Example domain"
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
   }
 }
 ```
@@ -45,6 +65,7 @@ The following arguments are supported:
 
 - `account_id` - (Required) The account to which the device posture rule should be added.
 - `domains` - (Required) The value of the domain attributes (refer to the [nested schema](#nestedblock--domains)).
+- `policy_id` - (Optional) The device policy ID with which to associate this fallback domain configuration. If missing, will refer to the default device policy.
 
 <a id="nestedblock--domains"></a>
 **Nested schema for `domains`**
@@ -55,8 +76,9 @@ The following arguments are supported:
 
 ## Import
 
-Fallback Domains can be imported using the account identifer.
+Fallback Domains can be imported using the account identifer and the policy ID. Fallback Domains for default device policies must use "default" as the policy ID.
 
 ```
-$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe
+$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe/default
+$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe/0ade592a-62d6-46ab-bac8-01f47c7fa792
 ```

docs/resources/split_tunnel.md

@@ -31,6 +31,37 @@ resource "cloudflare_split_tunnel" "example_split_tunnel_include" {
     description = "example domain"
   }
 }
+
+# Create a device policy
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id  = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name        = "Developers"
+  precedence = 10
+  match = "any(identity.groups.name[*] in {\"Developers\"})"
+  switch_locked = true
+}
+
+# Excluding *.example.com from WARP routes for a particular device policy
+resource "cloudflare_split_tunnel" "example_device_policy_split_tunnel_exclude" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  mode       = "exclude"
+  tunnels {
+    host        = "*.example.com",
+    description = "example domain"
+  }
+}
+
+# Including *.example.com in WARP routes for a particular device policy
+resource "cloudflare_split_tunnel" "example_split_tunnel_include" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  mode       = "include"
+  tunnels {
+    host        = "*.example.com",
+    description = "example domain"
+  }
+}
 ```
 
 ## Argument Reference
@@ -40,6 +71,7 @@ The following arguments are supported:
 - `account_id` - (Required) The account to which the device posture rule should be added.
 - `mode` - (Required) The split tunnel mode. Valid values are `include` or `exclude`.
 - `tunnels` - (Required) The value of the tunnel attributes (refer to the [nested schema](#nestedblock--tunnels)).
+- `policy_id` - (Optional) The device policy ID with which to associate this split tunnel configuration. If missing, will refer to the default device policy.
 
 <a id="nestedblock--tunnels"></a>
 **Nested schema for `tunnels`**
@@ -50,8 +82,9 @@ The following arguments are supported:
 
 ## Import
 
-Split Tunnels can be imported using the account identifer and mode.
+Split Tunnels can be imported using the account identifer, policy ID, and mode. Split Tunnels for default device policies must use "default" as the policy ID.
 
 ```
-$ terraform import cloudflare_split_tunnel.example 1d5fdc9e88c8a8c4518b068cd94331fe/exclude
+$ terraform import cloudflare_split_tunnel.example 1d5fdc9e88c8a8c4518b068cd94331fe/default/exclude
+$ terraform import cloudflare_split_tunnel.example 1d5fdc9e88c8a8c4518b068cd94331fe/0ade592a-62d6-46ab-bac8-01f47c7fa792/exclude
 ```

examples/resources/cloudflare_device_policy/import.sh

@@ -0,0 +1 @@
+$ terraform import cloudflare_device_policy.example <account_id>/<device_policy_id>

examples/resources/cloudflare_device_policy/resource.tf

@@ -0,0 +1,18 @@
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id = "f037e56e89293a057740de681ac9abbe"
+  name = "Developers WARP settings policy"
+  precedence = 10
+  match = "any(identity.groups.name[*] in {\"Developers\"})"
+  default = false
+  enabled = true
+  allow_mode_switch = true
+  allow_updates = true
+  allowed_to_leave = true
+  auto_connect = 0
+  captive_portal = 5
+  disable_auto_fallback = true
+  support_url = "https://cloudflare.com"
+  switch_locked = true
+  service_mode_v2_mode = "warp"
+  service_mode_v2_port = 3000
+}

templates/resources/device_policy.md

@@ -0,0 +1,70 @@
+---
+layout: "cloudflare"
+page_title: "Cloudflare: cloudflare_device_policy"
+description: Provides a Cloudflare Device Policy resource.
+---
+
+# cloudflare_device_policy
+
+Provides a Cloudflare Device Policy resource. Device policies configure settings applied to WARP devices.
+
+## Example Usage
+
+```hcl
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name = "Developers"
+  precedence = 10
+  match = "any(identity.groups.name[*] in {\"Developers\"})"
+  default = false
+  enabled = true
+  allow_mode_switch = true
+  allow_updates = true
+  allowed_to_leave = true
+  auto_connect = 0
+  captive_portal = 5
+  disable_auto_fallback = true
+  support_url = "https://cloudflare.com"
+  switch_locked = true
+  service_mode_v2_mode = "warp"
+  service_mode_v2_port = 3000
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+- `account_id` - (Required) The account to which the device policy should be added.
+- `name` - (Required) Name of the device policy.
+- `precedence` - (Optional) The precedence of the device policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. Cannot be set for the default policy.
+- `match` - (Optional) The wirefilter expression to match devices. Cannot be set for the default policy.
+- `default` - (Optional) Whether this device policy refers to the default policy.
+- `enabled` - (Optional) Whether this device policy is enabled. Cannot be set for the default policy.
+- `allow_mode_switch` - (Optional) Whether to allow mode switch for this policy.
+- `allow_updates` - (Optional) Whether to allow updates under this policy.
+- `allowed_to_leave` - (Optional) Whether to allow devices to leave the organization.
+- `auto_connect` - (Optional) The amount of time in minutes to reconnect after having been disabled.
+- `captive_portal` - (Optional) The captive portal value for this policy.
+- `disable_auto_fallback` - (Optional) Whether to disable auto fallback for this policy.
+- `support_url` - (Optional) The support URL that will be opened when sending feedback.
+- `switch_locked` - (Optional) Enablement of the ZT client switch lock.
+- `service_mode_v2_mode` - (Optional) The service mode.
+- `service_mode_v2_port` - (Optional) The port to use for the proxy service mode.
+
+## Attributes Reference
+
+The following additional attributes are exported:
+
+- `id` - ID of the device policy.
+
+## Import
+
+Device policies can be imported using a composite ID formed of account
+ID and device policy ID. The default policy does not have an ID but can be
+imported with `default` as the policy ID.
+
+```
+$ terraform import cloudflare_device_policy.developers cb029e245cfdd66dc8d2e570d5dd3322/0ade592a-62d6-46ab-bac8-01f47c7fa792
+$ terraform import cloudflare_device_policy.developers cb029e245cfdd66dc8d2e570d5dd3322/default
+```

templates/resources/fallback_domain.md

@@ -11,13 +11,13 @@ Provides a Cloudflare Fallback Domain resource. Fallback domains are used to ign
 ## Example Usage
 
 ```hcl
-# Use DNS servers 1.1.1.1 or 1.0.0.1 for example.com
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com
 resource "cloudflare_fallback_domain" "example" {
   account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
   domains {
     suffix      = "example.com"
     description = "Example domain"
-    dns_server  = ["1.1.1.1", "1.0.0.1"]
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
   }
 }
 
@@ -34,7 +34,27 @@ resource "cloudflare_fallback_domain" "example" {
   domains {
     suffix      = "example.com"
     description = "Example domain"
-    dns_server  = ["1.1.1.1", "1.0.0.1"]
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
+  }
+}
+
+# Create a device policy
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id  = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name        = "Developers"
+  precedence = 10
+  match = "any(identity.groups.name[*] in {\"Developers\"})"
+  switch_locked = true
+}
+
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com for a particular device policy
+resource "cloudflare_fallback_domain" "example" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  domains {
+    suffix      = "example.com"
+    description = "Example domain"
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
   }
 }
 ```
@@ -45,6 +65,7 @@ The following arguments are supported:
 
 - `account_id` - (Required) The account to which the device posture rule should be added.
 - `domains` - (Required) The value of the domain attributes (refer to the [nested schema](#nestedblock--domains)).
+- `policy_id` - (Optional) The device policy ID with which to associate this fallback domain configuration. If missing, will refer to the default device policy.
 
 <a id="nestedblock--domains"></a>
 **Nested schema for `domains`**
@@ -55,8 +76,9 @@ The following arguments are supported:
 
 ## Import
 
-Fallback Domains can be imported using the account identifer.
+Fallback Domains can be imported using the account identifer and the policy ID. Fallback Domains for default device policies must use "default" as the policy ID.
 
 ```
-$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe
+$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe/default
+$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe/0ade592a-62d6-46ab-bac8-01f47c7fa792
 ```