From 5aff7607543d2e54ad1e22fd16ef24ddee42a17d Mon Sep 17 00:00:00 2001 From: Tyler Stanish Date: Fri, 23 Sep 2022 10:29:03 -0500 Subject: [PATCH] WDAPI-1041 add device settings policy APIs --- .changelog/1926.txt | 11 + internal/provider/provider.go | 1 + ..._cloudflare_device_policy_certificates.go} | 0 ...dflare_device_policy_certificates_test.go} | 0 ...ource_cloudflare_device_settings_policy.go | 261 ++++++++++++++++++ ..._cloudflare_device_settings_policy_test.go | 165 +++++++++++ .../resource_cloudflare_fallback_domain.go | 63 ++++- ...esource_cloudflare_fallback_domain_test.go | 49 +++- .../resource_cloudflare_split_tunnel.go | 63 ++++- .../resource_cloudflare_split_tunnel_test.go | 35 ++- ...chema_cloudflare_device_settings_policy.go | 95 +++++++ .../schema_cloudflare_fallback_domain.go | 5 + .../schema_cloudflare_split_tunnel.go | 5 + 13 files changed, 733 insertions(+), 20 deletions(-) create mode 100644 .changelog/1926.txt rename internal/provider/{resource_cloudflare_device_policy.go => resource_cloudflare_device_policy_certificates.go} (100%) rename internal/provider/{resource_cloudflare_device_policy_test.go => resource_cloudflare_device_policy_certificates_test.go} (100%) create mode 100644 internal/provider/resource_cloudflare_device_settings_policy.go create mode 100644 internal/provider/resource_cloudflare_device_settings_policy_test.go create mode 100644 internal/provider/schema_cloudflare_device_settings_policy.go diff --git a/.changelog/1926.txt b/.changelog/1926.txt new file mode 100644 index 00000000000..bc9387d9ab6 --- /dev/null +++ b/.changelog/1926.txt @@ -0,0 +1,11 @@ +```release-note:new-resource +cloudflare_device_policy +``` + +```release-note:enhancement +resource/cloudflare_split_tunnel: Add configuring split tunnel for device policies +``` + +```release-note:enhancement +resource/cloudflare_fallback_domain: Add creating fallback domains for device policies +``` diff --git a/internal/provider/provider.go b/internal/provider/provider.go index f0c4a827007..11e6f13f4a4 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -214,6 +214,7 @@ func New(version string) func() *schema.Provider { "cloudflare_custom_hostname": resourceCloudflareCustomHostname(), "cloudflare_custom_pages": resourceCloudflareCustomPages(), "cloudflare_custom_ssl": resourceCloudflareCustomSsl(), + "cloudflare_device_policy": resourceCloudflareDeviceSettingsPolicy(), "cloudflare_device_policy_certificates": resourceCloudflareDevicePolicyCertificates(), "cloudflare_device_posture_integration": resourceCloudflareDevicePostureIntegration(), "cloudflare_device_posture_rule": resourceCloudflareDevicePostureRule(), diff --git a/internal/provider/resource_cloudflare_device_policy.go b/internal/provider/resource_cloudflare_device_policy_certificates.go similarity index 100% rename from internal/provider/resource_cloudflare_device_policy.go rename to internal/provider/resource_cloudflare_device_policy_certificates.go diff --git a/internal/provider/resource_cloudflare_device_policy_test.go b/internal/provider/resource_cloudflare_device_policy_certificates_test.go similarity index 100% rename from internal/provider/resource_cloudflare_device_policy_test.go rename to internal/provider/resource_cloudflare_device_policy_certificates_test.go diff --git a/internal/provider/resource_cloudflare_device_settings_policy.go b/internal/provider/resource_cloudflare_device_settings_policy.go new file mode 100644 index 00000000000..029fcedace3 --- /dev/null +++ b/internal/provider/resource_cloudflare_device_settings_policy.go @@ -0,0 +1,261 @@ +package provider + +import ( + "context" + "fmt" + "strings" + + "github.com/cloudflare/cloudflare-go" + "github.com/hashicorp/terraform-plugin-log/tflog" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func resourceCloudflareDeviceSettingsPolicy() *schema.Resource { + return &schema.Resource{ + Schema: resourceCloudflareDeviceSettingsPolicySchema(), + CreateContext: resourceCloudflareDeviceSettingsPolicyCreate, + ReadContext: resourceCloudflareDeviceSettingsPolicyRead, + UpdateContext: resourceCloudflareDeviceSettingsPolicyUpdate, + DeleteContext: resourceCloudflareDeviceSettingsPolicyDelete, + Importer: &schema.ResourceImporter{ + StateContext: resourceCloudflareDeviceSettingsPolicyImport, + }, + } +} + +func resourceCloudflareDeviceSettingsPolicyCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + client := meta.(*cloudflare.API) + accountID := d.Get("account_id").(string) + defaultPolicy := d.Get("default").(bool) + + tflog.Debug(ctx, fmt.Sprintf("Creating Cloudflare device settings policy: accountID=%s default=%t", accountID, defaultPolicy)) + + if defaultPolicy { + d.SetId(fmt.Sprintf("%s/default", accountID)) + return resourceCloudflareDeviceSettingsPolicyUpdate(ctx, d, meta) + } + + req, err := buildDeviceSettingsPolicyRequest(d) + if err != nil { + return diag.FromErr(fmt.Errorf("error creating Cloudflare device settings policy request: %q: %w", accountID, err)) + } + + policy, err := client.CreateDeviceSettingsPolicy(ctx, accountID, req) + if err != nil { + return diag.FromErr(fmt.Errorf("error creating Cloudflare device settings policy %q: %w", accountID, err)) + } + + if policy.Result.PolicyID == nil { + return diag.FromErr(fmt.Errorf("error creating Cloudflare device settings policy: returned policyID was missing after creating policy for account: %q", accountID)) + } + d.SetId(fmt.Sprintf("%s/%s", accountID, *policy.Result.PolicyID)) + return resourceCloudflareDeviceSettingsPolicyRead(ctx, d, meta) +} + +func resourceCloudflareDeviceSettingsPolicyUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + client := meta.(*cloudflare.API) + accountID, policyID, err := parseDeviceSettingsID(d.Id()) + if err != nil { + return diag.FromErr(err) + } + + tflog.Debug(ctx, fmt.Sprintf("Updating Cloudflare device settings policy: accountID=%s policyID=%s", accountID, policyID)) + + req, err := buildDeviceSettingsPolicyRequest(d) + if err != nil { + return diag.FromErr(fmt.Errorf("error creating Cloudflare device settings policy request: %q: %w", accountID, err)) + } + + if policyID == "default" { + _, err = client.UpdateDefaultDeviceSettingsPolicy(ctx, accountID, req) + } else { + _, err = client.UpdateDeviceSettingsPolicy(ctx, accountID, policyID, req) + } + if err != nil { + return diag.FromErr(fmt.Errorf("error updating Cloudflare device settings policy %q: %w", accountID, err)) + } + + return resourceCloudflareDeviceSettingsPolicyRead(ctx, d, meta) +} + +func resourceCloudflareDeviceSettingsPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + client := meta.(*cloudflare.API) + accountID, policyID, err := parseDeviceSettingsID(d.Id()) + if err != nil { + return diag.FromErr(err) + } + + var policy cloudflare.DeviceSettingsPolicyResponse + if policyID == "default" { + policy, err = client.GetDefaultDeviceSettingsPolicy(ctx, accountID) + } else { + policy, err = client.GetDeviceSettingsPolicy(ctx, accountID, policyID) + } + + if err != nil { + return diag.FromErr(fmt.Errorf("error reading device settings policy %q %s: %w", accountID, policyID, err)) + } + + if err := d.Set("disable_auto_fallback", policy.Result.DisableAutoFallback); err != nil { + return diag.FromErr(fmt.Errorf("error parsing disable_auto_fallback")) + } + if err := d.Set("captive_portal", policy.Result.CaptivePortal); err != nil { + return diag.FromErr(fmt.Errorf("error parsing captive_portal")) + } + if err := d.Set("allow_mode_switch", policy.Result.AllowModeSwitch); err != nil { + return diag.FromErr(fmt.Errorf("error parsing allow_mode_switch")) + } + if err := d.Set("switch_locked", policy.Result.SwitchLocked); err != nil { + return diag.FromErr(fmt.Errorf("error parsing switch_locked")) + } + if err := d.Set("allow_updates", policy.Result.AllowUpdates); err != nil { + return diag.FromErr(fmt.Errorf("error parsing allow_updates")) + } + if err := d.Set("auto_connect", policy.Result.AutoConnect); err != nil { + return diag.FromErr(fmt.Errorf("error parsing auto_connect")) + } + if err := d.Set("allowed_to_leave", policy.Result.AllowedToLeave); err != nil { + return diag.FromErr(fmt.Errorf("error parsing allowed_to_leave")) + } + if err := d.Set("support_url", policy.Result.SupportURL); err != nil { + return diag.FromErr(fmt.Errorf("error parsing support_url")) + } + if err := d.Set("default", policy.Result.Default); err != nil { + return diag.FromErr(fmt.Errorf("error setting default")) + } + if err := d.Set("service_mode_v2_mode", policy.Result.ServiceModeV2.Mode); err != nil { + return diag.FromErr(fmt.Errorf("error setting service_mode_v2_mode")) + } + if err := d.Set("service_mode_v2_port", policy.Result.ServiceModeV2.Port); err != nil { + return diag.FromErr(fmt.Errorf("error setting service_mode_v2_port")) + } + // ignore setting forbidden fields for default policies + if policy.Result.Name != nil { + if err := d.Set("name", policy.Result.Name); err != nil { + return diag.FromErr(fmt.Errorf("error parsing name")) + } + } + if policy.Result.Precedence != nil { + if err := d.Set("precedence", apiToProviderRulePrecedence(uint64(*policy.Result.Precedence), d.Get("name").(string))); err != nil { + return diag.FromErr(fmt.Errorf("error parsing precedence")) + } + } + if policy.Result.Match != nil { + if err := d.Set("match", policy.Result.Match); err != nil { + return diag.FromErr(fmt.Errorf("error parsing match")) + } + } + if policy.Result.Enabled != nil { + if err := d.Set("enabled", policy.Result.Enabled); err != nil { + return diag.FromErr(fmt.Errorf("error parsing enabled")) + } + } + + return nil +} + +func resourceCloudflareDeviceSettingsPolicyImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { + accountID, policyID, err := parseDeviceSettingsID(d.Id()) + if err != nil { + return nil, err + } + + tflog.Debug(ctx, fmt.Sprintf("Importing Cloudflare device settings policy: id %s for account %s", policyID, accountID)) + + d.Set("account_id", accountID) + d.SetId(fmt.Sprintf("%s/%s", accountID, policyID)) + + resourceCloudflareDeviceSettingsPolicyRead(ctx, d, meta) + + return []*schema.ResourceData{d}, nil +} + +func resourceCloudflareDeviceSettingsPolicyDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + accountID, policyID, err := parseDeviceSettingsID(d.Id()) + if err != nil { + return diag.FromErr(err) + } + + client := meta.(*cloudflare.API) + if policyID == "default" { + d.SetId("") + return diag.Diagnostics{diag.Diagnostic{ + Severity: diag.Warning, + Summary: "Cannot delete a default policy, instead simply removing from terraform management without deleting", + }} + } + + if _, err := client.DeleteDeviceSettingsPolicy(ctx, accountID, policyID); err != nil { + return diag.FromErr(fmt.Errorf("error deleting device settings policy %q: %w", accountID, err)) + } + + d.SetId("") + + return nil +} + +func buildDeviceSettingsPolicyRequest(d *schema.ResourceData) (cloudflare.DeviceSettingsPolicyRequest, error) { + defaultPolicy := (d.Get("default").(bool) || d.Id() == fmt.Sprintf("%s/default", d.Get("account_id").(string))) + + req := cloudflare.DeviceSettingsPolicyRequest{ + DisableAutoFallback: cloudflare.BoolPtr(d.Get("disable_auto_fallback").(bool)), + CaptivePortal: cloudflare.IntPtr(d.Get("captive_portal").(int)), + AllowModeSwitch: cloudflare.BoolPtr(d.Get("allow_mode_switch").(bool)), + SwitchLocked: cloudflare.BoolPtr(d.Get("switch_locked").(bool)), + AllowUpdates: cloudflare.BoolPtr(d.Get("allow_updates").(bool)), + AutoConnect: cloudflare.IntPtr(d.Get("auto_connect").(int)), + AllowedToLeave: cloudflare.BoolPtr(d.Get("allowed_to_leave").(bool)), + SupportURL: cloudflare.StringPtr(d.Get("support_url").(string)), + ServiceModeV2: &cloudflare.ServiceModeV2{ + Mode: d.Get("service_mode_v2_mode").(string), + Port: d.Get("service_mode_v2_port").(int), + }, + } + + name := d.Get("name").(string) + enabled := d.Get("enabled").(bool) + if defaultPolicy && !enabled { + return req, fmt.Errorf("enabled cannot be false for default policies") + } + if !defaultPolicy { + req.Name = &name + req.Enabled = &enabled + } + + match, ok := d.GetOk("match") + if defaultPolicy && ok { + return req, fmt.Errorf("match cannot be set for default policies") + } + if !defaultPolicy && !ok { + return req, fmt.Errorf("match must be set for non-default policies") + } + if ok { + matchStr := match.(string) + req.Match = &matchStr + } + + precedence, ok := d.GetOk("precedence") + if defaultPolicy && ok { + return req, fmt.Errorf("precedence cannot be set for default policies") + } + if !defaultPolicy && !ok { + return req, fmt.Errorf("precedence must be set for non-default policies") + } + if ok { + precedenceVal := int(providerToApiRulePrecedence(int64(precedence.(int)), d.Get("name").(string))) + req.Precedence = &precedenceVal + } + + return req, nil +} + +func parseDeviceSettingsID(id string) (string, string, error) { + attributes := strings.SplitN(id, "/", 2) + + if len(attributes) != 2 { + return "", "", fmt.Errorf("invalid id (\"%s\") specified, should be in format \"accountID/policyID\" or \"accountID/default\" for the default account policy", id) + } + + return attributes[0], attributes[1], nil +} diff --git a/internal/provider/resource_cloudflare_device_settings_policy_test.go b/internal/provider/resource_cloudflare_device_settings_policy_test.go new file mode 100644 index 00000000000..f7d5a815864 --- /dev/null +++ b/internal/provider/resource_cloudflare_device_settings_policy_test.go @@ -0,0 +1,165 @@ +package provider + +import ( + "context" + "fmt" + "os" + "regexp" + "testing" + + "github.com/cloudflare/cloudflare-go" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" +) + +func TestAccCloudflareDeviceSettingsPolicyCreate(t *testing.T) { + // Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the Access + // service does not yet support the API tokens and it results in + // misleading state error messages. + if os.Getenv("CLOUDFLARE_API_TOKEN") != "" { + defer func(apiToken string) { + os.Setenv("CLOUDFLARE_API_TOKEN", apiToken) + }(os.Getenv("CLOUDFLARE_API_TOKEN")) + os.Setenv("CLOUDFLARE_API_TOKEN", "") + } + + rnd, defaultRnd := generateRandomResourceName(), generateRandomResourceName() + name, defaultName := fmt.Sprintf("cloudflare_device_policy.%s", rnd), fmt.Sprintf("cloudflare_device_policy.%s", defaultRnd) + precedence := uint64(10) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { + testAccPreCheck(t) + }, + ProviderFactories: providerFactories, + CheckDestroy: testAccCheckCloudflareDeviceSettingsPolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccCloudflareDeviceSettingsPolicy(rnd, accountID, precedence), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(name, "account_id", accountID), + resource.TestCheckResourceAttr(name, "allow_mode_switch", "true"), + resource.TestCheckResourceAttr(name, "allow_updates", "true"), + resource.TestCheckResourceAttr(name, "allowed_to_leave", "true"), + resource.TestCheckResourceAttr(name, "auto_connect", "0"), + resource.TestCheckResourceAttr(name, "captive_portal", "5"), + resource.TestCheckResourceAttr(name, "default", "false"), + resource.TestCheckResourceAttr(name, "disable_auto_fallback", "true"), + resource.TestCheckResourceAttr(name, "enabled", "true"), + resource.TestCheckResourceAttr(name, "match", "identity.email == \"foo@example.com\""), + resource.TestCheckResourceAttr(name, "name", rnd), + resource.TestCheckResourceAttr(name, "precedence", fmt.Sprintf("%d", precedence)), + resource.TestCheckResourceAttr(name, "service_mode_v2_mode", "warp"), + resource.TestCheckResourceAttr(name, "service_mode_v2_port", "0"), + resource.TestCheckResourceAttr(name, "support_url", "https://cloudflare.com"), + resource.TestCheckResourceAttr(name, "switch_locked", "true"), + ), + }, + { + Config: testAccCloudflareDefaultDeviceSettingsPolicy(defaultRnd, accountID), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(defaultName, "id", accountID+"/default"), + resource.TestCheckResourceAttr(defaultName, "account_id", accountID), + resource.TestCheckResourceAttr(defaultName, "allow_mode_switch", "true"), + resource.TestCheckResourceAttr(defaultName, "allow_updates", "true"), + resource.TestCheckResourceAttr(defaultName, "allowed_to_leave", "true"), + resource.TestCheckResourceAttr(defaultName, "auto_connect", "0"), + resource.TestCheckResourceAttr(defaultName, "captive_portal", "5"), + resource.TestCheckResourceAttr(defaultName, "default", "true"), + resource.TestCheckResourceAttr(defaultName, "disable_auto_fallback", "true"), + resource.TestCheckResourceAttr(defaultName, "enabled", "true"), + resource.TestCheckResourceAttr(defaultName, "name", defaultRnd), + resource.TestCheckResourceAttr(defaultName, "service_mode_v2_mode", "warp"), + resource.TestCheckResourceAttr(defaultName, "service_mode_v2_port", "0"), + resource.TestCheckResourceAttr(defaultName, "support_url", "https://cloudflare.com"), + resource.TestCheckResourceAttr(defaultName, "switch_locked", "true"), + ), + }, + { + Config: testAccCloudflareInvalidDefaultDeviceSettingsPolicy(rnd, accountID), + ExpectError: regexp.MustCompile(regexp.QuoteMeta("match cannot be set for default policies")), + }, + }, + }) +} + +func testAccCloudflareDeviceSettingsPolicy(rnd, accountID string, precedence uint64) string { + return fmt.Sprintf(` +resource "cloudflare_device_policy" "%[1]s" { + account_id = "%[2]s" + allow_mode_switch = true + allow_updates = true + allowed_to_leave = true + auto_connect = 0 + captive_portal = 5 + disable_auto_fallback = true + enabled = true + match = "identity.email == \"foo@example.com\"" + name = "%[1]s" + precedence = %[3]d + support_url = "https://cloudflare.com" + switch_locked = true +} +`, rnd, accountID, precedence) +} + +func testAccCloudflareDefaultDeviceSettingsPolicy(rnd, accountID string) string { + return fmt.Sprintf(` +resource "cloudflare_device_policy" "%[1]s" { + account_id = "%[2]s" + default = true + name = "%[1]s" + allow_mode_switch = true + allow_updates = true + allowed_to_leave = true + auto_connect = 0 + captive_portal = 5 + disable_auto_fallback = true + enabled = true + support_url = "https://cloudflare.com" + switch_locked = true +} +`, rnd, accountID) +} + +// invalid configuration - not allowed to set match for default policies. +func testAccCloudflareInvalidDefaultDeviceSettingsPolicy(rnd, accountID string) string { + return fmt.Sprintf(` +resource "cloudflare_device_policy" "%[1]s" { + account_id = "%[2]s" + default = true + name = "%[1]s" + allow_mode_switch = true + allow_updates = true + allowed_to_leave = true + auto_connect = 0 + captive_portal = 5 + disable_auto_fallback = true + support_url = "https://cloudflare.com" + switch_locked = true + match = "identity.email == \"foo@example.com\"" +} +`, rnd, accountID) +} + +func testAccCheckCloudflareDeviceSettingsPolicyDestroy(s *terraform.State) error { + client := testAccProvider.Meta().(*cloudflare.API) + + for _, rs := range s.RootModule().Resources { + if rs.Type != "cloudflare_device_policy" { + continue + } + + _, policyId, err := parseDeviceSettingsID(rs.Primary.ID) + if err != nil { + return err + } + + _, err = client.GetDeviceSettingsPolicy(context.Background(), rs.Primary.Attributes["account_id"], policyId) + if err == nil { + return fmt.Errorf("Device Posture Integration still exists") + } + } + + return nil +} diff --git a/internal/provider/resource_cloudflare_fallback_domain.go b/internal/provider/resource_cloudflare_fallback_domain.go index f75cda6c305..1a6b01a367c 100644 --- a/internal/provider/resource_cloudflare_fallback_domain.go +++ b/internal/provider/resource_cloudflare_fallback_domain.go @@ -3,6 +3,7 @@ package provider import ( "context" "fmt" + "strings" cloudflare "github.com/cloudflare/cloudflare-go" "github.com/hashicorp/terraform-plugin-sdk/v2/diag" @@ -25,8 +26,21 @@ func resourceCloudflareFallbackDomain() *schema.Resource { func resourceCloudflareFallbackDomainRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { client := meta.(*cloudflare.API) accountID := d.Get("account_id").(string) + policyID := d.Get("policy_id").(string) + var err error + if policyID != "" { + accountID, policyID, err = parseDeviceSettingsID(d.Get("policy_id").(string)) + if err != nil { + return diag.FromErr(err) + } + } - domain, err := client.ListFallbackDomains(ctx, accountID) + var domain []cloudflare.FallbackDomain + if policyID == "default" || policyID == "" { + domain, err = client.ListFallbackDomains(ctx, accountID) + } else { + domain, err = client.ListFallbackDomainsDeviceSettingsPolicy(ctx, accountID, policyID) + } if err != nil { return diag.FromErr(fmt.Errorf("error finding Fallback Domains: %w", err)) } @@ -41,10 +55,24 @@ func resourceCloudflareFallbackDomainRead(ctx context.Context, d *schema.Resourc func resourceCloudflareFallbackDomainUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { client := meta.(*cloudflare.API) accountID := d.Get("account_id").(string) + policyID := d.Get("policy_id").(string) + var err error + if policyID != "" { + accountID, policyID, err = parseDeviceSettingsID(d.Get("policy_id").(string)) + if err != nil { + return diag.FromErr(err) + } + } domainList := expandFallbackDomains(d.Get("domains").(*schema.Set)) - newFallbackDomains, err := client.UpdateFallbackDomain(ctx, accountID, domainList) + var newFallbackDomains []cloudflare.FallbackDomain + if policyID == "default" || policyID == "" { + newFallbackDomains, err = client.UpdateFallbackDomain(ctx, accountID, domainList) + policyID = "default" + } else { + newFallbackDomains, err = client.UpdateFallbackDomainDeviceSettingsPolicy(ctx, accountID, policyID, domainList) + } if err != nil { return diag.FromErr(fmt.Errorf("error updating Fallback Domains: %w", err)) } @@ -53,7 +81,7 @@ func resourceCloudflareFallbackDomainUpdate(ctx context.Context, d *schema.Resou return diag.FromErr(fmt.Errorf("error setting domain attribute: %w", err)) } - d.SetId(accountID) + d.SetId(fmt.Sprintf("%s/%s", accountID, policyID)) return resourceCloudflareFallbackDomainRead(ctx, d, meta) } @@ -61,8 +89,20 @@ func resourceCloudflareFallbackDomainUpdate(ctx context.Context, d *schema.Resou func resourceCloudflareFallbackDomainDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { client := meta.(*cloudflare.API) accountID := d.Get("account_id").(string) + policyID := d.Get("policy_id").(string) + var err error + if policyID != "" { + accountID, policyID, err = parseDeviceSettingsID(d.Get("policy_id").(string)) + if err != nil { + return diag.FromErr(err) + } + } - err := client.RestoreFallbackDomainDefaults(ctx, accountID) + if policyID == "default" || policyID == "" { + err = client.RestoreFallbackDomainDefaults(ctx, accountID) + } else { + err = client.RestoreFallbackDomainDefaultsDeviceSettingsPolicy(ctx, accountID, policyID) + } if err != nil { return diag.FromErr(err) } @@ -72,14 +112,25 @@ func resourceCloudflareFallbackDomainDelete(ctx context.Context, d *schema.Resou } func resourceCloudflareFallbackDomainImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { - accountID := d.Id() + attributes := strings.SplitN(d.Id(), "/", 2) + + if len(attributes) != 2 { + return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"accountID/policyID\"", d.Id()) + } + + accountID, policyID := attributes[0], attributes[1] if accountID == "" { return nil, fmt.Errorf("must provide account ID") } + if policyID == "" { + return nil, fmt.Errorf("must provide policy ID ('default' for default policy for the given account)") + } + d.Set("account_id", accountID) - d.SetId(accountID) + d.Set("policy_id", fmt.Sprintf("%s/%s", accountID, policyID)) + d.SetId(fmt.Sprintf("%s/%s", accountID, policyID)) resourceCloudflareFallbackDomainRead(ctx, d, meta) diff --git a/internal/provider/resource_cloudflare_fallback_domain_test.go b/internal/provider/resource_cloudflare_fallback_domain_test.go index 871303470a8..305a4a53df9 100644 --- a/internal/provider/resource_cloudflare_fallback_domain_test.go +++ b/internal/provider/resource_cloudflare_fallback_domain_test.go @@ -31,31 +31,73 @@ func TestAccCloudflareFallbackDomain(t *testing.T) { ProviderFactories: providerFactories, Steps: []resource.TestStep{ { - Config: testAccCloudflareFallbackDomain(rnd, accountID, "example domain", "example.com", "1.0.0.1"), + Config: testAccCloudflareDefaultFallbackDomain(rnd, accountID, "example domain", "example.com", "1.0.0.1"), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(name, "account_id", accountID), resource.TestCheckResourceAttr(name, "domains.#", "1"), resource.TestCheckResourceAttr(name, "domains.0.description", "example domain"), resource.TestCheckResourceAttr(name, "domains.0.suffix", "example.com"), resource.TestCheckResourceAttr(name, "domains.0.dns_server.0", "1.0.0.1"), + resource.TestCheckNoResourceAttr(name, "policy_id"), ), }, { - Config: testAccCloudflareFallbackDomain(rnd, accountID, "second example domain", "example.net", "1.1.1.1"), + Config: testAccCloudflareDefaultFallbackDomain(rnd, accountID, "second example domain", "example.net", "1.1.1.1"), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(name, "account_id", accountID), resource.TestCheckResourceAttr(name, "domains.#", "1"), resource.TestCheckResourceAttr(name, "domains.0.description", "second example domain"), resource.TestCheckResourceAttr(name, "domains.0.suffix", "example.net"), resource.TestCheckResourceAttr(name, "domains.0.dns_server.0", "1.1.1.1"), + resource.TestCheckNoResourceAttr(name, "policy_id"), + ), + }, + { + Config: testAccCloudflareFallbackDomain(rnd, accountID, "third example domain", "example.net", "1.1.1.1"), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(name, "account_id", accountID), + resource.TestCheckResourceAttr(name, "domains.#", "1"), + resource.TestCheckResourceAttr(name, "domains.0.description", "third example domain"), + resource.TestCheckResourceAttr(name, "domains.0.suffix", "example.net"), + resource.TestCheckResourceAttr(name, "domains.0.dns_server.0", "1.1.1.1"), + resource.TestCheckResourceAttrSet(name, "policy_id"), ), }, }, }) } -func testAccCloudflareFallbackDomain(rnd, accountID string, description string, suffix string, dns_server string) string { +func testAccCloudflareDefaultFallbackDomain(rnd, accountID string, description string, suffix string, dns_server string) string { + return fmt.Sprintf(` +resource "cloudflare_fallback_domain" "%[1]s" { + account_id = "%[2]s" + domains { + description = "%[3]s" + suffix = "%[4]s" + dns_server = ["%[5]s"] + } +} +`, rnd, accountID, description, suffix, dns_server) +} + +func testAccCloudflareFallbackDomain(rnd, accountID, description string, suffix string, dns_server string) string { return fmt.Sprintf(` +resource "cloudflare_device_policy" "%[1]s" { + account_id = "%[2]s" + allow_mode_switch = true + allow_updates = true + allowed_to_leave = true + auto_connect = 0 + captive_portal = 5 + disable_auto_fallback = true + enabled = true + match = "identity.email == \"foo@example.com\"" + name = "%[1]s" + precedence = 10 + support_url = "support_url" + switch_locked = true +} + resource "cloudflare_fallback_domain" "%[1]s" { account_id = "%[2]s" domains { @@ -63,6 +105,7 @@ resource "cloudflare_fallback_domain" "%[1]s" { suffix = "%[4]s" dns_server = ["%[5]s"] } + policy_id = "${cloudflare_device_policy.%[1]s.id}" } `, rnd, accountID, description, suffix, dns_server) } diff --git a/internal/provider/resource_cloudflare_split_tunnel.go b/internal/provider/resource_cloudflare_split_tunnel.go index 165adcb2471..9255dbd336a 100644 --- a/internal/provider/resource_cloudflare_split_tunnel.go +++ b/internal/provider/resource_cloudflare_split_tunnel.go @@ -28,8 +28,24 @@ func resourceCloudflareSplitTunnelRead(ctx context.Context, d *schema.ResourceDa client := meta.(*cloudflare.API) accountID := d.Get("account_id").(string) mode := d.Get("mode").(string) + policyID := d.Get("policy_id").(string) + if policyID != "" { + var err error + accountID, policyID, err = parseDeviceSettingsID(d.Get("policy_id").(string)) + if err != nil { + return diag.FromErr(err) + } + } + + var splitTunnel []cloudflare.SplitTunnel + var err error + if policyID == "default" || policyID == "" { + splitTunnel, err = client.ListSplitTunnels(ctx, accountID, mode) + policyID = "default" + } else { + splitTunnel, err = client.ListSplitTunnelsDeviceSettingsPolicy(ctx, accountID, policyID, mode) + } - splitTunnel, err := client.ListSplitTunnels(ctx, accountID, mode) if err != nil { return diag.FromErr(fmt.Errorf("error finding %q Split Tunnels: %w", mode, err)) } @@ -45,13 +61,27 @@ func resourceCloudflareSplitTunnelUpdate(ctx context.Context, d *schema.Resource client := meta.(*cloudflare.API) accountID := d.Get("account_id").(string) mode := d.Get("mode").(string) + policyID := d.Get("policy_id").(string) + if policyID != "" { + var err error + accountID, policyID, err = parseDeviceSettingsID(d.Get("policy_id").(string)) + if err != nil { + return diag.FromErr(err) + } + } tunnelList, err := expandSplitTunnels(d.Get("tunnels").([]interface{})) if err != nil { return diag.FromErr(fmt.Errorf("error updating %q Split Tunnels: %w", mode, err)) } - newSplitTunnels, err := client.UpdateSplitTunnel(ctx, accountID, mode, tunnelList) + var newSplitTunnels []cloudflare.SplitTunnel + if policyID == "default" || policyID == "" { + newSplitTunnels, err = client.UpdateSplitTunnel(ctx, accountID, mode, tunnelList) + policyID = "default" + } else { + newSplitTunnels, err = client.UpdateSplitTunnelDeviceSettingsPolicy(ctx, accountID, policyID, mode, tunnelList) + } if err != nil { return diag.FromErr(fmt.Errorf("error updating %q Split Tunnels: %w", mode, err)) } @@ -60,7 +90,7 @@ func resourceCloudflareSplitTunnelUpdate(ctx context.Context, d *schema.Resource return diag.FromErr(fmt.Errorf("error setting %q tunnels attribute: %w", mode, err)) } - d.SetId(accountID) + d.SetId(fmt.Sprintf("%s/%s", accountID, policyID)) return resourceCloudflareSplitTunnelRead(ctx, d, meta) } @@ -69,8 +99,20 @@ func resourceCloudflareSplitTunnelDelete(ctx context.Context, d *schema.Resource client := meta.(*cloudflare.API) accountID := d.Get("account_id").(string) mode := d.Get("mode").(string) + policyID := d.Get("policy_id").(string) + var err error + if policyID != "" { + accountID, policyID, err = parseDeviceSettingsID(d.Get("policy_id").(string)) + if err != nil { + return diag.FromErr(err) + } + } - _, err := client.UpdateSplitTunnel(ctx, accountID, mode, nil) + if policyID == "default" || policyID == "" { + _, err = client.UpdateSplitTunnel(ctx, accountID, mode, nil) + } else { + _, err = client.UpdateSplitTunnelDeviceSettingsPolicy(ctx, accountID, policyID, mode, nil) + } if err != nil { return diag.FromErr(err) } @@ -80,17 +122,20 @@ func resourceCloudflareSplitTunnelDelete(ctx context.Context, d *schema.Resource } func resourceCloudflareSplitTunnelImport(ctx context.Context, d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { - attributes := strings.SplitN(d.Id(), "/", 2) + attributes := strings.SplitN(d.Id(), "/", 3) - if len(attributes) != 2 { - return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"accountID/mode\"", d.Id()) + if len(attributes) != 3 { + return nil, fmt.Errorf("invalid id (\"%s\") specified, should be in format \"accountID/policyID/mode\"", d.Id()) } - accountID, mode := attributes[0], attributes[1] + accountID, policyID, mode := attributes[0], attributes[1], attributes[2] d.Set("mode", mode) d.Set("account_id", accountID) - d.SetId(accountID) + // we re-write policy_id to avoid having to parse out the policyID from accountID/policyID + // which is how the ID is defined in the device_policy resource + d.Set("policy_id", fmt.Sprintf("%s/%s", accountID, policyID)) + d.SetId(fmt.Sprintf("%s/%s", accountID, policyID)) resourceCloudflareSplitTunnelRead(ctx, d, meta) diff --git a/internal/provider/resource_cloudflare_split_tunnel_test.go b/internal/provider/resource_cloudflare_split_tunnel_test.go index af252049498..3f23cd717cb 100644 --- a/internal/provider/resource_cloudflare_split_tunnel_test.go +++ b/internal/provider/resource_cloudflare_split_tunnel_test.go @@ -27,21 +27,23 @@ func TestAccCloudflareSplitTunnel_Include(t *testing.T) { ProviderFactories: providerFactories, Steps: []resource.TestStep{ { - Config: testAccCloudflareSplitTunnelInclude(rnd, accountID, "example domain", "*.example.com", "include"), + Config: testAccCloudflareDefaultSplitTunnelInclude(rnd, accountID, "example domain", "*.example.com", "include"), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(name, "account_id", accountID), resource.TestCheckResourceAttr(name, "mode", "include"), resource.TestCheckResourceAttr(name, "tunnels.0.description", "example domain"), resource.TestCheckResourceAttr(name, "tunnels.0.host", "*.example.com"), + resource.TestCheckNoResourceAttr(name, "policy_id"), ), }, { - Config: testAccCloudflareSplitTunnelInclude(rnd, accountID, "example domain", "test.example.com", "include"), + Config: testAccCloudflareDefaultSplitTunnelInclude(rnd, accountID, "example domain", "test.example.com", "include"), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(name, "account_id", accountID), resource.TestCheckResourceAttr(name, "mode", "include"), resource.TestCheckResourceAttr(name, "tunnels.0.description", "example domain"), resource.TestCheckResourceAttr(name, "tunnels.0.host", "test.example.com"), + resource.TestCheckNoResourceAttr(name, "policy_id"), ), }, }, @@ -72,8 +74,37 @@ func TestAccCloudflareSplitTunnel_ConflictingTunnelProperties(t *testing.T) { }) } +func testAccCloudflareDefaultSplitTunnelInclude(rnd, accountID string, description string, host string, mode string) string { + return fmt.Sprintf(` +resource "cloudflare_split_tunnel" "%[1]s" { + account_id = "%[2]s" + mode = "%[5]s" + tunnels { + description = "%[3]s" + host = "%[4]s" + } +} +`, rnd, accountID, description, host, mode) +} + func testAccCloudflareSplitTunnelInclude(rnd, accountID string, description string, host string, mode string) string { return fmt.Sprintf(` +resource "cloudflare_device_policy" "%[1]s" { + account_id = "%[2]s" + allow_mode_switch = true + allow_updates = true + allowed_to_leave = true + auto_connect = 0 + captive_portal = 5 + disable_auto_fallback = true + enabled = true + match = "identity.email == \"foo@example.com\"" + name = "%[1]s" + precedence = 10 + support_url = "https://cloudflare.com" + switch_locked = true +} + resource "cloudflare_split_tunnel" "%[1]s" { account_id = "%[2]s" mode = "%[5]s" diff --git a/internal/provider/schema_cloudflare_device_settings_policy.go b/internal/provider/schema_cloudflare_device_settings_policy.go new file mode 100644 index 00000000000..74bd8501934 --- /dev/null +++ b/internal/provider/schema_cloudflare_device_settings_policy.go @@ -0,0 +1,95 @@ +package provider + +import ( + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func resourceCloudflareDeviceSettingsPolicySchema() map[string]*schema.Schema { + return map[string]*schema.Schema{ + "account_id": { + Description: "The account identifier to target for the resource.", + Type: schema.TypeString, + Required: true, + }, + "default": { + Description: "Whether the policy refers to the default account policy.", + Type: schema.TypeBool, + Optional: true, + }, + "name": { + Description: "Name of the policy.", + Type: schema.TypeString, + Required: true, + }, + "precedence": { + Description: "The precedence of the policy. Lower values indicate higher precedence.", + Type: schema.TypeInt, + Optional: true, + }, + "match": { + Description: "Wirefilter expression to match a device against when evaluating whether this policy should take effect for that device.", + Type: schema.TypeString, + Optional: true, + }, + "enabled": { + Description: "Whether the policy is enabled (cannot be set for default policies).", + Type: schema.TypeBool, + Optional: true, + Default: true, + }, + "disable_auto_fallback": { + Description: "Whether to disable auto fallback for this policy.", + Type: schema.TypeBool, + Optional: true, + }, + "captive_portal": { + Description: "The captive portal value for this policy.", + Type: schema.TypeInt, + Optional: true, + Default: 180, + }, + "allow_mode_switch": { + Description: "Whether to allow mode switch for this policy.", + Type: schema.TypeBool, + Optional: true, + }, + "switch_locked": { + Description: "Enablement of the ZT client switch lock.", + Type: schema.TypeBool, + Optional: true, + }, + "allow_updates": { + Description: "Whether to allow updates under this policy.", + Type: schema.TypeBool, + Optional: true, + }, + "auto_connect": { + Description: "The amount of time in minutes to reconnect after having been disabled.", + Type: schema.TypeInt, + Optional: true, + }, + "allowed_to_leave": { + Description: "Whether to allow devices to leave the organization.", + Type: schema.TypeBool, + Optional: true, + Default: true, + }, + "support_url": { + Description: "The support URL that will be opened when sending feedback.", + Type: schema.TypeString, + Optional: true, + }, + "service_mode_v2_mode": { + Description: "The service mode.", + Type: schema.TypeString, + Optional: true, + Default: "warp", + }, + "service_mode_v2_port": { + Description: "The port to use for the proxy service mode.", + Type: schema.TypeInt, + Optional: true, + RequiredWith: []string{"service_mode_v2_mode"}, + }, + } +} diff --git a/internal/provider/schema_cloudflare_fallback_domain.go b/internal/provider/schema_cloudflare_fallback_domain.go index 0726f4f4107..02da18430d4 100644 --- a/internal/provider/schema_cloudflare_fallback_domain.go +++ b/internal/provider/schema_cloudflare_fallback_domain.go @@ -37,5 +37,10 @@ func resourceCloudflareFallbackDomainSchema() map[string]*schema.Schema { }, }, }, + "policy_id": { + Optional: true, + Type: schema.TypeString, + Description: "The settings policy for which to configure this fallback domain policy.", + }, } } diff --git a/internal/provider/schema_cloudflare_split_tunnel.go b/internal/provider/schema_cloudflare_split_tunnel.go index ad50a7a7401..20cea5928b2 100644 --- a/internal/provider/schema_cloudflare_split_tunnel.go +++ b/internal/provider/schema_cloudflare_split_tunnel.go @@ -41,5 +41,10 @@ func resourceCloudflareSplitTunnelSchema() map[string]*schema.Schema { }, }, }, + "policy_id": { + Optional: true, + Type: schema.TypeString, + Description: "The settings policy for which to configure this split tunnel policy.", + }, } }