feat(zero_trust_access_application): Add support for MCP & MCP_PORTAL (#6326)

Author: GreenStage

docs/resources/zero_trust_access_application.md

@@ -154,7 +154,7 @@ The header value will be interpreted as a json object similar to:
 - `tags` (Set of String) The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
 - `target_criteria` (Attributes List) (see [below for nested schema](#nestedatt--target_criteria))
 - `type` (String) The application type.
-Available values: "self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
+Available values: "self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp", "mcp", "mcp_portal".
 - `zone_id` (String) The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
 
 ### Read-Only
@@ -186,6 +186,7 @@ Optional:
 - `hostname` (String) The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
 - `l4_protocol` (String) The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
 Available values: "tcp", "udp".
+- `mcp_server_id` (String) A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal.
 - `port_range` (String) The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
 - `type` (String) Available values: "public", "private".
 - `uri` (String) The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).

internal/customvalidator/required_when_other_attribute_is_one_of_validator.go

@@ -3,14 +3,15 @@ package customvalidator
 import (
 	"context"
 	"fmt"
+	"strings"
+
 	"github.com/hashicorp/terraform-plugin-framework-validators/helpers/validatordiag"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 	"github.com/hashicorp/terraform-plugin-framework/tfsdk"
 	"github.com/hashicorp/terraform-plugin-framework/types"
-	"strings"
 )
 
 func RequiredWhenOtherStringIsOneOf(pathExpr path.Expression, wantStrValues ...string) requiredWhenOtherAttributeIsOneOfValidator {
@@ -85,3 +86,7 @@ func (i requiredWhenOtherAttributeIsOneOfValidator) validateAny(ctx context.Cont
 func (i requiredWhenOtherAttributeIsOneOfValidator) ValidateObject(ctx context.Context, req validator.ObjectRequest, res *validator.ObjectResponse) {
 	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
 }
+
+func (i requiredWhenOtherAttributeIsOneOfValidator) ValidateString(ctx context.Context, req validator.StringRequest, res *validator.StringResponse) {
+	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
+}

internal/services/zero_trust_access_application/data_source_schema.go

@@ -136,7 +136,7 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 				Computed:    true,
 			},
 			"type": schema.StringAttribute{
-				Description: "The application type.\nAvailable values: \"self_hosted\", \"saas\", \"ssh\", \"vnc\", \"app_launcher\", \"warp\", \"biso\", \"bookmark\", \"dash_sso\", \"infrastructure\", \"rdp\".",
+				Description: "The application type.\nAvailable values: \"self_hosted\", \"saas\", \"ssh\", \"vnc\", \"app_launcher\", \"warp\", \"biso\", \"bookmark\", \"dash_sso\", \"infrastructure\", \"rdp\", \"mcp\", \"mcp_portal\".",
 				Computed:    true,
 				Validators: []validator.String{
 					stringvalidator.OneOfCaseInsensitive(
@@ -151,6 +151,8 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 						"dash_sso",
 						"infrastructure",
 						"rdp",
+						"mcp",
+						"mcp_portal",
 					),
 				},
 			},
@@ -251,7 +253,7 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 							Description: `Available values: "public", "private".`,
 							Computed:    true,
 							Validators: []validator.String{
-								stringvalidator.OneOfCaseInsensitive("public", "private"),
+								stringvalidator.OneOfCaseInsensitive("public", "private", "via_mcp_server_portal"),
 							},
 						},
 						"uri": schema.StringAttribute{
@@ -281,6 +283,10 @@ func DataSourceSchema(ctx context.Context) schema.Schema {
 							Description: "The VNET ID to match the destination. When omitted, all VNETs will match.",
 							Computed:    true,
 						},
+						"mcp_server_id": schema.StringAttribute{
+							Description: "A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal.",
+							Optional:    true,
+						},
 					},
 				},
 			},

internal/services/zero_trust_access_application/list_data_source_schema.go

@@ -70,7 +70,7 @@ func ListDataSourceSchema(ctx context.Context) schema.Schema {
 							Computed:    true,
 						},
 						"type": schema.StringAttribute{
-							Description: "The application type.\nAvailable values: \"self_hosted\", \"saas\", \"ssh\", \"vnc\", \"app_launcher\", \"warp\", \"biso\", \"bookmark\", \"dash_sso\", \"infrastructure\", \"rdp\".",
+							Description: "The application type.\nAvailable values: \"self_hosted\", \"saas\", \"ssh\", \"vnc\", \"app_launcher\", \"warp\", \"biso\", \"bookmark\", \"dash_sso\", \"infrastructure\", \"rdp\", \"mcp\", \"mcp_portal\".",
 							Computed:    true,
 							Validators: []validator.String{
 								stringvalidator.OneOfCaseInsensitive(
@@ -85,6 +85,8 @@ func ListDataSourceSchema(ctx context.Context) schema.Schema {
 									"dash_sso",
 									"infrastructure",
 									"rdp",
+									"mcp",
+									"mcp_portal",
 								),
 							},
 						},
@@ -208,7 +210,7 @@ func ListDataSourceSchema(ctx context.Context) schema.Schema {
 										Description: `Available values: "public", "private".`,
 										Computed:    true,
 										Validators: []validator.String{
-											stringvalidator.OneOfCaseInsensitive("public", "private"),
+											stringvalidator.OneOfCaseInsensitive("public", "private", "via_mcp_server_portal"),
 										},
 									},
 									"uri": schema.StringAttribute{
@@ -238,6 +240,10 @@ func ListDataSourceSchema(ctx context.Context) schema.Schema {
 										Description: "The VNET ID to match the destination. When omitted, all VNETs will match.",
 										Computed:    true,
 									},
+									"mcp_server_id": schema.StringAttribute{
+										Description: "A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal.",
+										Optional:    true,
+									},
 								},
 							},
 						},

internal/services/zero_trust_access_application/migrations_test.go

@@ -17,7 +17,7 @@ import (
 )
 
 // TestMigrateZeroTrustAccessApplication_Basic tests basic state schema migration within v5 provider
-// Note: This tests the state migration (v0->v1) within the same resource type, 
+// Note: This tests the state migration (v0->v1) within the same resource type,
 // not the resource type migration (cloudflare_access_application -> cloudflare_zero_trust_access_application)
 // which requires the cmd/migrate tool and terraform state mv commands.
 func TestMigrateZeroTrustAccessApplication_Basic(t *testing.T) {
@@ -439,7 +439,7 @@ func TestMigrateZeroTrustAccessApplication_V4toV5_WithPolicies(t *testing.T) {
 		t.Setenv("CLOUDFLARE_API_TOKEN", "")
 	}
 
-	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID") 
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
 	domain := os.Getenv("CLOUDFLARE_DOMAIN")
 	rnd := utils.GenerateRandomResourceName()
 	appResourceName := "cloudflare_zero_trust_access_application." + rnd
@@ -681,7 +681,7 @@ resource "cloudflare_zero_trust_access_application" "%[1]s" {
 	})
 }
 
-// TestMigrateZeroTrustAccessApplication_CORSHeaders_Manual tests recovery from cors_headers 
+// TestMigrateZeroTrustAccessApplication_CORSHeaders_Manual tests recovery from cors_headers
 // array-to-object state corruption by manual state editing
 func TestMigrateZeroTrustAccessApplication_CORSHeaders_Manual(t *testing.T) {
 	t.Skip("Manual test: This test demonstrates the cors_headers state issue. " +
@@ -740,4 +740,4 @@ resource "cloudflare_zero_trust_access_application" "%[1]s" {
 			},
 		},
 	})
-}
+}

internal/services/zero_trust_access_application/model.go

@@ -188,13 +188,14 @@ type ZeroTrustAccessApplicationTargetCriteriaModel struct {
 }
 
 type ZeroTrustAccessApplicationDestinationsModel struct {
-	Type       types.String `tfsdk:"type" json:"type,computed_optional"`
-	URI        types.String `tfsdk:"uri" json:"uri,optional"`
-	CIDR       types.String `tfsdk:"cidr" json:"cidr,optional"`
-	Hostname   types.String `tfsdk:"hostname" json:"hostname,optional"`
-	L4Protocol types.String `tfsdk:"l4_protocol" json:"l4_protocol,optional"`
-	PortRange  types.String `tfsdk:"port_range" json:"port_range,optional"`
-	VnetID     types.String `tfsdk:"vnet_id" json:"vnet_id,optional"`
+	Type        types.String `tfsdk:"type" json:"type,computed_optional"`
+	URI         types.String `tfsdk:"uri" json:"uri,optional"`
+	CIDR        types.String `tfsdk:"cidr" json:"cidr,optional"`
+	Hostname    types.String `tfsdk:"hostname" json:"hostname,optional"`
+	L4Protocol  types.String `tfsdk:"l4_protocol" json:"l4_protocol,optional"`
+	PortRange   types.String `tfsdk:"port_range" json:"port_range,optional"`
+	VnetID      types.String `tfsdk:"vnet_id" json:"vnet_id,optional"`
+	McpServerID types.String `tfsdk:"mcp_server_id" json:"mcp_server_id,optional"`
 }
 
 type ZeroTrustAccessApplicationLandingPageDesignModel struct {

internal/services/zero_trust_access_application/plan_modifiers.go

@@ -5,19 +5,20 @@ import (
 	"regexp"
 	"slices"
 
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/customfield"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/types"
-	"github.com/cloudflare/terraform-provider-cloudflare/internal/customfield"
 )
 
 var (
-	selfHostedAppTypes                    = []string{"self_hosted", "ssh", "vnc", "rdp"}
+	selfHostedAppTypes                    = []string{"self_hosted", "ssh", "vnc", "rdp", "mcp_portal"}
+	destinationCompatibleAppTypes         = []string{"self_hosted", "ssh", "vnc", "rdp", "mcp_portal", "mcp"}
 	saasAppTypes                          = []string{"saas", "dash_sso"}
 	appLauncherVisibleAppTypes            = []string{"self_hosted", "ssh", "vnc", "rdp", "saas", "bookmark"}
 	targetCompatibleAppTypes              = []string{"rdp", "infrastructure"}
-	sessionDurationCompatibleAppTypes     = []string{"saas", "dash_sso", "self_hosted", "ssh", "vnc", "rdp", "app_launcher", "warp"}
+	sessionDurationCompatibleAppTypes     = []string{"saas", "dash_sso", "self_hosted", "ssh", "vnc", "rdp", "app_launcher", "warp", "mcp_portal", "mcp"}
 	authenticateViaWarpCompatibleAppTypes = []string{"self_hosted", "ssh", "vnc", "rdp", "saas", "dash_sso"}
 	durationRegex                         = regexp.MustCompile(`^(?:0|[-+]?(\d+(?:\.\d*)?|\.\d+)(?:ns|us|µs|ms|s|m|h)(?:(\d+(?:\.\d*)?|\.\d+)(?:ns|us|µs|ms|s|m|h))*)$`)
 )
@@ -46,7 +47,6 @@ func modifyPlanForDomains(ctx context.Context, planApp, stateApp *ZeroTrustAcces
 
 	setDefaultAccordingToAppTypes(selfHostedAppTypes, appType, &planApp.SelfHostedDomains, customfield.UnknownList[types.String](ctx), customfield.NullList[types.String](ctx))
 	setDefaultAccordingToAppTypes(selfHostedAppTypes, appType, &planApp.Destinations, customfield.UnknownObjectList[ZeroTrustAccessApplicationDestinationsModel](ctx), customfield.NullObjectList[ZeroTrustAccessApplicationDestinationsModel](ctx))
-	setDefaultAccordingToAppTypes(selfHostedAppTypes, appType, &planApp.HTTPOnlyCookieAttribute, types.BoolUnknown(), types.BoolNull())
 
 	// A self_hosted_app's 'domain', 'self_hosted_domains', and 'destinations' are all tied together in the API.
 	// changing one, causes the others to change. So we need to tell TF to set the other two to unknown if any of them
@@ -128,7 +128,7 @@ func modifyPlan(ctx context.Context, req resource.ModifyPlanRequest, res *resour
 	appType := planApp.Type.ValueString()
 
 	// Add default values for some app type specific attributes
-	setDefaultAccordingToAppTypes(selfHostedAppTypes, appType, &planApp.HTTPOnlyCookieAttribute, types.BoolValue(true), types.BoolNull())
+	setDefaultAccordingToAppTypes(append(selfHostedAppTypes, "mcp"), appType, &planApp.HTTPOnlyCookieAttribute, types.BoolValue(true), types.BoolNull())
 	setDefaultAccordingToAppTypes(appLauncherVisibleAppTypes, appType, &planApp.AppLauncherVisible, types.BoolValue(true), types.BoolNull())
 	setDefaultAccordingToAppType("app_launcher", appType, &planApp.SkipAppLauncherLoginPage, types.BoolValue(false), types.BoolNull())
 	setDefaultAccordingToAppTypes(sessionDurationCompatibleAppTypes, appType, &planApp.SessionDuration, types.StringValue("24h"), types.StringNull())

internal/services/zero_trust_access_application/resource_test.go

@@ -2035,3 +2035,70 @@ func TestAccCloudflareAccessApplication_TagsOrderIgnored(t *testing.T) {
 func testAccCloudflareAccessApplicationConfigWithTagsOrdering(rnd, domain, accountID string) string {
 	return acctest.LoadTestCase("accessapplicationconfigwithtagsordering.tf", rnd, domain, accountID)
 }
+
+func TestAccCloudflareAccessApplication_MCPSetup(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	mcpAppName := fmt.Sprintf("cloudflare_zero_trust_access_application.%s_mcp_server", rnd)
+	mcpPortalAppName := fmt.Sprintf("cloudflare_zero_trust_access_application.%s_mcp_portal", rnd)
+	mcpPortalDomain := fmt.Sprintf("%[1]s.%[2]s", rnd, domain)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccessApplicationMCPConfig(rnd, domain, accountID),
+				ConfigStateChecks: []statecheck.StateCheck{
+					// check mcp server app
+					statecheck.ExpectKnownValue(mcpAppName, tfjsonpath.New(consts.AccountIDSchemaKey), knownvalue.StringExact(accountID)),
+					statecheck.ExpectKnownValue(mcpAppName, tfjsonpath.New("name"), knownvalue.StringExact(rnd+"_mcp_server")),
+					statecheck.ExpectKnownValue(mcpAppName, tfjsonpath.New("domain"), knownvalue.Null()),
+					statecheck.ExpectKnownValue(mcpAppName, tfjsonpath.New("type"), knownvalue.StringExact("mcp")),
+					statecheck.ExpectKnownValue(mcpAppName, tfjsonpath.New("destinations"), knownvalue.ListExact([]knownvalue.Check{
+						knownvalue.ObjectPartial(map[string]knownvalue.Check{
+							"type":          knownvalue.StringExact("via_mcp_server_portal"),
+							"mcp_server_id": knownvalue.StringExact(rnd),
+						}),
+					})),
+					// check mcp server portal app
+					statecheck.ExpectKnownValue(mcpPortalAppName, tfjsonpath.New(consts.AccountIDSchemaKey), knownvalue.StringExact(accountID)),
+					statecheck.ExpectKnownValue(mcpPortalAppName, tfjsonpath.New("name"), knownvalue.StringExact(rnd+"_mcp_portal")),
+					statecheck.ExpectKnownValue(mcpPortalAppName, tfjsonpath.New("domain"), knownvalue.StringExact(mcpPortalDomain)),
+					statecheck.ExpectKnownValue(mcpPortalAppName, tfjsonpath.New("type"), knownvalue.StringExact("mcp_portal")),
+					statecheck.ExpectKnownValue(mcpPortalAppName, tfjsonpath.New("destinations"), knownvalue.ListExact([]knownvalue.Check{
+						knownvalue.ObjectPartial(map[string]knownvalue.Check{
+							"type": knownvalue.StringExact("public"),
+							"uri":  knownvalue.StringExact(mcpPortalDomain),
+						}),
+					})),
+				},
+			},
+			{
+				ResourceName:            mcpPortalAppName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateIdPrefix:     fmt.Sprintf("accounts/%s/", accountID),
+				ImportStateVerifyIgnore: []string{"enable_binding_cookie", "options_preflight_bypass", "auto_redirect_to_identity"},
+			},
+			{
+				ResourceName:            mcpAppName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateIdPrefix:     fmt.Sprintf("accounts/%s/", accountID),
+				ImportStateVerifyIgnore: []string{"service_auth_401_redirect", "destinations", "enable_binding_cookie", "options_preflight_bypass", "self_hosted_domains", "tags", "auto_redirect_to_identity"},
+			},
+			{
+				Config:   testAccCloudflareAccessApplicationMCPConfig(rnd, domain, accountID),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
+func testAccCloudflareAccessApplicationMCPConfig(rnd, domain, accountID string) string {
+	return acctest.LoadTestCase("accessapplicationmcpconfig.tf", rnd, domain, accountID)
+}

internal/services/zero_trust_access_application/schema.go

@@ -140,7 +140,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 				},
 			},
 			"type": schema.StringAttribute{
-				Description: "The application type.\nAvailable values: \"self_hosted\", \"saas\", \"ssh\", \"vnc\", \"app_launcher\", \"warp\", \"biso\", \"bookmark\", \"dash_sso\", \"infrastructure\", \"rdp\".",
+				Description: "The application type.\nAvailable values: \"self_hosted\", \"saas\", \"ssh\", \"vnc\", \"app_launcher\", \"warp\", \"biso\", \"bookmark\", \"dash_sso\", \"infrastructure\", \"rdp\", \"mcp\", \"mcp_portal\".",
 				Optional:    true,
 				Validators: []validator.String{
 					stringvalidator.OneOfCaseInsensitive(
@@ -155,6 +155,8 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 						"dash_sso",
 						"infrastructure",
 						"rdp",
+						"mcp",
+						"mcp_portal",
 					),
 				},
 			},
@@ -490,7 +492,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 				Computed:    true,
 				CustomType:  customfield.NewNestedObjectListType[ZeroTrustAccessApplicationDestinationsModel](ctx),
 				Validators: []validator.List{
-					customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRoot("type"), selfHostedAppTypes...),
+					customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRoot("type"), destinationCompatibleAppTypes...),
 					listvalidator.ConflictsWith(path.Expressions{
 						path.MatchRoot("self_hosted_domains"),
 					}...),
@@ -503,7 +505,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 							Computed:    true,
 							Default:     stringdefault.StaticString("public"),
 							Validators: []validator.String{
-								stringvalidator.OneOfCaseInsensitive("public", "private"),
+								stringvalidator.OneOfCaseInsensitive("public", "private", "via_mcp_server_portal"),
 							},
 						},
 						"uri": schema.StringAttribute{
@@ -549,6 +551,15 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "private"),
 							},
 						},
+						"mcp_server_id": schema.StringAttribute{
+							Description: "A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal.",
+							Optional:    true,
+							Validators: []validator.String{
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "via_mcp_server_portal"),
+								customvalidator.RequiredWhenOtherStringIsOneOf(path.MatchRelative().AtParent().AtName("type"), "via_mcp_server_portal"),
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRoot("type"), "mcp"),
+							},
+						},
 					},
 				},
 			},

internal/services/zero_trust_access_application/testdata/accessapplicationmcpconfig.tf

@@ -0,0 +1,20 @@
+resource "cloudflare_zero_trust_access_application" "%[1]s_mcp_server" {
+  account_id       = "%[3]s"
+  name             = "%[1]s_mcp_server"
+  type             = "mcp"
+  destinations = [
+    {
+      "type": "via_mcp_server_portal",
+      "mcp_server_id": "%[1]s"
+    }
+  ]
+}
+
+resource "cloudflare_zero_trust_access_application" "%[1]s_mcp_portal" {
+  account_id       = "%[3]s"
+  name             = "%[1]s_mcp_portal"
+  type             = "mcp_portal"
+  session_duration = "24h"
+  domain           = "%[1]s.%[2]s"
+  self_hosted_domains = ["%[1]s.%[2]s"]
+}