AUTH-3722 Add support for Access App cookie settings

cloudflare · Oct 11, 2021 · c00dc4f · c00dc4f
1 parent 2123dfc
commit c00dc4f
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 17 deletions.
diff --git a/.changelog/1241.txt b/.changelog/1241.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_application: add support for 'SameSite' and 'HttpOnly' cookie attributes
+```
diff --git a/cloudflare/resource_cloudflare_access_application.go b/cloudflare/resource_cloudflare_access_application.go
@@ -142,6 +142,15 @@ func resourceCloudflareAccessApplication() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"http_only_cookie_attribute": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
+			"same_site_cookie_attribute": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 		},
 	}
 }
@@ -153,14 +162,16 @@ func resourceCloudflareAccessApplicationCreate(d *schema.ResourceData, meta inte
 	appType := d.Get("type").(string)
 
 	newAccessApplication := cloudflare.AccessApplication{
-		Name:                   d.Get("name").(string),
-		Domain:                 d.Get("domain").(string),
-		Type:                   cloudflare.AccessApplicationType(appType),
-		SessionDuration:        d.Get("session_duration").(string),
-		AutoRedirectToIdentity: d.Get("auto_redirect_to_identity").(bool),
-		EnableBindingCookie:    d.Get("enable_binding_cookie").(bool),
-		CustomDenyMessage:      d.Get("custom_deny_message").(string),
-		CustomDenyURL:          d.Get("custom_deny_url").(string),
+		Name:                    d.Get("name").(string),
+		Domain:                  d.Get("domain").(string),
+		Type:                    cloudflare.AccessApplicationType(appType),
+		SessionDuration:         d.Get("session_duration").(string),
+		AutoRedirectToIdentity:  d.Get("auto_redirect_to_identity").(bool),
+		EnableBindingCookie:     d.Get("enable_binding_cookie").(bool),
+		CustomDenyMessage:       d.Get("custom_deny_message").(string),
+		CustomDenyURL:           d.Get("custom_deny_url").(string),
+		HttpOnlyCookieAttribute: d.Get("http_only_cookie_attribute").(bool),
+		SameSiteCookieAttribute: d.Get("same_site_cookie_attribute").(string),
 	}
 
 	if len(allowedIDPList) > 0 {
@@ -231,6 +242,8 @@ func resourceCloudflareAccessApplicationRead(d *schema.ResourceData, meta interf
 	d.Set("custom_deny_message", accessApplication.CustomDenyMessage)
 	d.Set("custom_deny_url", accessApplication.CustomDenyURL)
 	d.Set("allowed_idps", accessApplication.AllowedIdps)
+	d.Set("http_only_cookie_attribute", accessApplication.HttpOnlyCookieAttribute)
+	d.Set("same_site_cookie_attribute", accessApplication.SameSiteCookieAttribute)
 
 	corsConfig := convertCORSStructToSchema(d, accessApplication.CorsHeaders)
 	if corsConfigErr := d.Set("cors_headers", corsConfig); corsConfigErr != nil {
@@ -247,15 +260,17 @@ func resourceCloudflareAccessApplicationUpdate(d *schema.ResourceData, meta inte
 	appType := d.Get("type").(string)
 
 	updatedAccessApplication := cloudflare.AccessApplication{
-		ID:                     d.Id(),
-		Name:                   d.Get("name").(string),
-		Domain:                 d.Get("domain").(string),
-		Type:                   cloudflare.AccessApplicationType(appType),
-		SessionDuration:        d.Get("session_duration").(string),
-		AutoRedirectToIdentity: d.Get("auto_redirect_to_identity").(bool),
-		EnableBindingCookie:    d.Get("enable_binding_cookie").(bool),
-		CustomDenyMessage:      d.Get("custom_deny_message").(string),
-		CustomDenyURL:          d.Get("custom_deny_url").(string),
+		ID:                      d.Id(),
+		Name:                    d.Get("name").(string),
+		Domain:                  d.Get("domain").(string),
+		Type:                    cloudflare.AccessApplicationType(appType),
+		SessionDuration:         d.Get("session_duration").(string),
+		AutoRedirectToIdentity:  d.Get("auto_redirect_to_identity").(bool),
+		EnableBindingCookie:     d.Get("enable_binding_cookie").(bool),
+		CustomDenyMessage:       d.Get("custom_deny_message").(string),
+		CustomDenyURL:           d.Get("custom_deny_url").(string),
+		HttpOnlyCookieAttribute: d.Get("http_only_cookie_attribute").(bool),
+		SameSiteCookieAttribute: d.Get("same_site_cookie_attribute").(string),
 	}
 
 	if len(allowedIDPList) > 0 {

diff --git a/cloudflare/resource_cloudflare_access_application_test.go b/cloudflare/resource_cloudflare_access_application_test.go
@@ -203,6 +203,58 @@ func TestAccCloudflareAccessApplicationWithADefinedIdps(t *testing.T) {
 	})
 }
 
+func TestAccCloudflareAccessApplicationWithHttpOnlyCookieAttribute(t *testing.T) {
+	rnd := generateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_access_application.%s", rnd)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccessAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccessApplicationConfigWithHttpOnlyCookieAttribute(rnd, zoneID, domain),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "zone_id", zoneID),
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "domain", fmt.Sprintf("%s.%s", rnd, domain)),
+					resource.TestCheckResourceAttr(name, "type", "self_hosted"),
+					resource.TestCheckResourceAttr(name, "session_duration", "24h"),
+					resource.TestCheckResourceAttr(name, "http_only_cookie_attribute", "true"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccCloudflareAccessApplicationWithSameSiteCookieAttribute(t *testing.T) {
+	rnd := generateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_access_application.%s", rnd)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccessAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccessApplicationConfigSameSiteCookieAttribute(rnd, zoneID, domain),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "zone_id", zoneID),
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "domain", fmt.Sprintf("%s.%s", rnd, domain)),
+					resource.TestCheckResourceAttr(name, "type", "self_hosted"),
+					resource.TestCheckResourceAttr(name, "session_duration", "24h"),
+					resource.TestCheckResourceAttr(name, "same_site_cookie_attribute", "strict"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCloudflareAccessApplicationConfigBasic(rnd string, domain string, identifier AccessIdentifier) string {
 	return fmt.Sprintf(`
 resource "cloudflare_access_application" "%[1]s" {
@@ -294,6 +346,32 @@ resource "cloudflare_access_application" "%[1]s" {
 `, rnd, zoneID, domain, accountID)
 }
 
+func testAccCloudflareAccessApplicationConfigWithHttpOnlyCookieAttribute(rnd, zoneID, domain string) string {
+	return fmt.Sprintf(`
+resource "cloudflare_access_application" "%[1]s" {
+  zone_id                    = "%[2]s"
+  name                       = "%[1]s"
+  domain                     = "%[1]s.%[3]s"
+  type                       = "self_hosted"
+  session_duration           = "24h"
+  http_only_cookie_attribute = true
+}
+`, rnd, zoneID, domain)
+}
+
+func testAccCloudflareAccessApplicationConfigSameSiteCookieAttribute(rnd, zoneID, domain string) string {
+	return fmt.Sprintf(`
+resource "cloudflare_access_application" "%[1]s" {
+  zone_id                    = "%[2]s"
+  name                       = "%[1]s"
+  domain                     = "%[1]s.%[3]s"
+  type                       = "self_hosted"
+  session_duration           = "24h"
+  same_site_cookie_attribute = "strict"
+}
+`, rnd, zoneID, domain)
+}
+
 func testAccCheckCloudflareAccessApplicationDestroy(s *terraform.State) error {
 	client := testAccProvider.Meta().(*cloudflare.API)