GATE-2256: Set the gateway FIPS config

cloudflare · Jan 13, 2022 · be1ce3d · be1ce3d
1 parent 5925aab
commit be1ce3d
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 2 deletions.
diff --git a/.changelog/1379.txt b/.changelog/1379.txt
@@ -1,3 +1,3 @@
-```release-note:dependency
-`github.com/cloudflare/cloudflare-go` v0.29.0 => v0.30.0
+```release-note:enhancement
+resource/cloudflare_teams_accounts: Add the `fips` field for configuring FIPS-compliant TLS.
 ```
diff --git a/cloudflare/resource_cloudflare_teams_accounts.go b/cloudflare/resource_cloudflare_teams_accounts.go
@@ -62,18 +62,26 @@ func resourceCloudflareTeamsAccountRead(d *schema.ResourceData, meta interface{}
 			return errors.Wrap(err, "error parsing account activity log enablement")
 		}
 	}
+
+	if configuration.Settings.FIPS != nil {
+		if err := d.Set("fips", flattenFIPSConfig(configuration.Settings.FIPS)); err != nil {
+			return errors.Wrap(err, "error parsing account FIPS config")
+		}
+	}
 	return nil
 }
 
 func resourceCloudflareTeamsAccountUpdate(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*cloudflare.API)
 	accountID := d.Get("account_id").(string)
 	blockPageConfig := inflateBlockPageConfig(d.Get("block_page"))
+	fipsConfig := inflateFIPSConfig(d.Get("fips"))
 	antivirusConfig := inflateAntivirusConfig(d.Get("antivirus"))
 	updatedTeamsAccount := cloudflare.TeamsConfiguration{
 		Settings: cloudflare.TeamsAccountSettings{
 			Antivirus: antivirusConfig,
 			BlockPage: blockPageConfig,
+			FIPS:      fipsConfig,
 		},
 	}
 
@@ -155,3 +163,21 @@ func inflateAntivirusConfig(antivirus interface{}) *cloudflare.TeamsAntivirus {
 		FailClosed:           avMap["fail_closed"].(bool),
 	}
 }
+
+func flattenFIPSConfig(fips *cloudflare.TeamsFIPS) []interface{} {
+	return []interface{}{map[string]interface{}{
+		"tls": fips.TLS,
+	}}
+}
+
+func inflateFIPSConfig(fipsList interface{}) *cloudflare.TeamsFIPS {
+	list := fipsList.([]interface{})
+	if len(list) != 1 {
+		return nil
+	}
+
+	m := list[0].(map[string]interface{})
+	return &cloudflare.TeamsFIPS{
+		TLS: m["tls"].(bool),
+	}
+}
diff --git a/cloudflare/resource_cloudflare_teams_accounts_test.go b/cloudflare/resource_cloudflare_teams_accounts_test.go
@@ -33,6 +33,7 @@ func TestAccCloudflareTeamsAccountConfigurationBasic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(name, "account_id", accountID),
 					resource.TestCheckResourceAttr(name, "tls_decrypt_enabled", "true"),
+					resource.TestCheckResourceAttr(name, "fips.0.tls", "true"),
 					resource.TestCheckResourceAttr(name, "block_page.0.name", rnd),
 					resource.TestCheckResourceAttr(name, "block_page.0.enabled", "true"),
 					resource.TestCheckResourceAttr(name, "block_page.0.footer_text", "hello"),
@@ -58,6 +59,9 @@ resource "cloudflare_teams_account" "%[1]s" {
     logo_path = "https://example.com"
     background_color = "#000000"
   }
+  fips {
+	tls = true
+  }
   antivirus {
     enabled_download_phase = true
     enabled_upload_phase = false

diff --git a/cloudflare/schema_cloudflare_teams_accounts.go b/cloudflare/schema_cloudflare_teams_accounts.go
@@ -16,6 +16,14 @@ func resourceCloudflareTeamsAccountSchema() map[string]*schema.Schema {
 				Schema: blockPageSchema,
 			},
 		},
+		"fips": {
+			Type:     schema.TypeList,
+			MaxItems: 1,
+			Optional: true,
+			Elem: &schema.Resource{
+				Schema: fipsSchema,
+			},
+		},
 		"antivirus": {
 			Type:     schema.TypeList,
 			MaxItems: 1,
@@ -35,6 +43,13 @@ func resourceCloudflareTeamsAccountSchema() map[string]*schema.Schema {
 	}
 }
 
+var fipsSchema = map[string]*schema.Schema{
+	"tls": {
+		Type:     schema.TypeBool,
+		Optional: true,
+	},
+}
+
 var blockPageSchema = map[string]*schema.Schema{
 	"enabled": {
 		Type:     schema.TypeBool,

diff --git a/website/docs/r/teams_account.html.markdown b/website/docs/r/teams_account.html.markdown
@@ -33,6 +33,7 @@ The following arguments are supported:
 * `account_id` - (Required) The account to which the teams location should be added.
 * `tls_decrypt_enabled` - (Optional) Indicator that decryption of TLS traffic is enabled.
 * `block_page` - (Optional) Configuration for a custom block page.
+* `fips` - (Optional) Configure compliance with Federal Information Processing Standards
 * `antivirus` - (Optional) Configuration for antivirus traffic scanning.
 
 The **block_page** block supports:
@@ -43,6 +44,9 @@ The **block_page** block supports:
 * `logo_path` - (Optional) URL of block page logo.
 * `background_color` - (Optional) Hex code of block page background color.
 
+The **FIPS** block supports:
+* `tls` - (Optional) Only allow FIPS-compliant TLS configuration
+
 ## Import
 
 Since a Teams account does not have a unique resource ID, configuration can be