Merge pull request #1667 from Noanan/noan/add_pkce_idps
Noan/add pkce idps
jacobbednarz authored Jun 13, 2022
2 parents 92bbcdd + 100700f commit ed36fcf
Showing 16 changed files with 41 additions and 31 deletions.
3 changes: 3 additions & 0 deletions .changelog/1667.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
resource/cloudflare_access_identity_provider: Add support for PKCE when creating IDPS.
```
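Review bot: "IDPS" in the release note will be read as intrusion detection/prevention systems, not identity providers. Write it out and name the new attribute so the entry is searchable, e.g. `resource/cloudflare_access_identity_provider: add `pkce_enabled` to enable PKCE when creating identity providers (IdPs).`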
4 changes: 2 additions & 2 deletions docs/resources/access_application.md
@@ -40,11 +40,11 @@ zone needs to use the `zone_id` argument.
- `enable_binding_cookie` (Boolean) Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to `false`.
- `http_only_cookie_attribute` (Boolean) Option to add the `HttpOnly` cookie flag to access tokens. Defaults to `true`.
- `logo_url` (String) Image URL for the logo shown in the app launcher dashboard.
- `same_site_cookie_attribute` (String) Defines the same-site cookie setting for access tokens. Available values: `"none"`, `"lax"`, `"strict"`.
- `same_site_cookie_attribute` (String) Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
- `service_auth_401_redirect` (Boolean) Option to return a 401 status code in service authentication rules on failed requests. Defaults to `false`.
- `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. Defaults to `24h`.
- `skip_interstitial` (Boolean) Option to skip the authorization interstitial when using the CLI. Defaults to `false`.
- `type` (String) The application type. Available values: `"self_hosted"`, `"ssh"`, `"vnc"`, `"file"`. Defaults to `self_hosted`.
- `type` (String) The application type. Available values: `self_hosted`, `ssh`, `vnc`, `file`. Defaults to `self_hosted`.
- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.

### Read-Only
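Review bot: this hunk, like every other `docs/resources/*.md` hunk in the commit, only changes how enumerated values render (`"none"`, `"lax"`, `"strict"` become `none`, `lax`, `strict`) and has nothing to do with PKCE. A docs regeneration that touches 14 unrelated files should be its own commit so the PKCE change can be reviewed and reverted in isolation; also confirm the new rendering is what the doc generator emits rather than a hand edit, otherwise the next regeneration flips it straight back.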
3 changes: 2 additions & 1 deletion docs/resources/access_identity_provider.md
@@ -22,7 +22,7 @@ zone needs to use the `zone_id` argument.
### Required

- `name` (String) Friendly name of the Access Identity Provider configuration.
- `type` (String) The provider type to use. Available values: `"centrify"`, `"facebook"`, `"google-apps"`, `"oidc"`, `"github"`, `"google"`, `"saml"`, `"linkedin"`, `"azureAD"`, `"okta"`, `"onetimepin"`, `"onelogin"`, `"yandex"`.
- `type` (String) The provider type to use. Available values: `centrify`, `facebook`, `google-apps`, `oidc`, `github`, `google`, `saml`, `linkedin`, `azureAD`, `okta`, `onetimepin`, `onelogin`, `yandex`.

### Optional

@@ -54,6 +54,7 @@ Optional:
- `issuer_url` (String)
- `okta_account` (String)
- `onelogin_account` (String)
- `pkce_enabled` (Boolean)
- `redirect_url` (String)
- `sign_request` (Boolean)
- `sso_target_url` (String)
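Review bot: `pkce_enabled` is the one substantive addition in this PR and it lands with no description. The sibling attributes in this nested block are undocumented too, but a security control should not be: the schema `Description` should say that it enables PKCE (RFC 7636) on the authorization-code exchange with the identity provider, which `type` values honour it, and what the default is when unset (from `(Boolean)` alone a reader cannot tell whether it is off by default). This file is generated, so the fix belongs in the provider schema, not here.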
2 changes: 1 addition & 1 deletion docs/resources/access_policy.md
@@ -22,7 +22,7 @@ zone needs to use the `zone_id` argument.
### Required

- `application_id` (String) The ID of the application the policy is associated with.
- `decision` (String) Defines the action Access will take if the policy matches the user. Available values: `"allow"`, `"deny"`, `"non_identity"`, `"bypass"`.
- `decision` (String) Defines the action Access will take if the policy matches the user. Available values: `allow`, `deny`, `non_identity`, `bypass`.
- `include` (Block List, Min: 1) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--include))
- `name` (String) Friendly name of the Access Policy.
- `precedence` (Number) The unique precedence for policies on a single application.
4 changes: 2 additions & 2 deletions docs/resources/access_rule.md
@@ -59,7 +59,7 @@ resource "cloudflare_access_rule" "office_network" {
### Required

- `configuration` (Block List, Min: 1, Max: 1) Rule configuration to apply to a matched request. (see [below for nested schema](#nestedblock--configuration))
- `mode` (String) The action to apply to a matched request. Available values: `"block"`, `"challenge"`, `"whitelist"`, `"js_challenge"`, `"managed_challenge"`.
- `mode` (String) The action to apply to a matched request. Available values: `block`, `challenge`, `whitelist`, `js_challenge`, `managed_challenge`.

### Optional

@@ -75,7 +75,7 @@ resource "cloudflare_access_rule" "office_network" {

Required:

- `target` (String) The request property to target. Available values: `"ip"`, `"ip6"`, `"ip_range"`, `"asn"`, `"country"`.
- `target` (String) The request property to target. Available values: `ip`, `ip6`, `ip_range`, `asn`, `country`.
- `value` (String) The value to target. Depends on target's type.

## Import
2 changes: 1 addition & 1 deletion docs/resources/api_token.md
@@ -163,7 +163,7 @@ Required:

Optional:

- `effect` (String) Effect of the policy. Available values: `"allow"`, `"deny"`. Defaults to `allow`.
- `effect` (String) Effect of the policy. Available values: `allow`, `deny`. Defaults to `allow`.


<a id="nestedblock--condition"></a>
4 changes: 2 additions & 2 deletions docs/resources/argo.md
@@ -27,8 +27,8 @@ resource "cloudflare_argo" "example" {

### Optional

- `smart_routing` (String) Whether smart routing is enabled. Available values: `"on"`, `"off"`.
- `tiered_caching` (String) Whether tiered caching is enabled. Available values: `"on"`, `"off"`.
- `smart_routing` (String) Whether smart routing is enabled. Available values: `on`, `off`.
- `tiered_caching` (String) Whether tiered caching is enabled. Available values: `on`, `off`.

### Read-Only

6 changes: 3 additions & 3 deletions docs/resources/healthcheck.md
@@ -73,13 +73,13 @@ resource "cloudflare_healthcheck" "tcp_health_check" {

- `address` (String) The hostname or IP address of the origin server to run health checks on.
- `name` (String) A short name to identify the health check. Only alphanumeric characters, hyphens, and underscores are allowed.
- `type` (String) The protocol to use for the health check. Available values: `"TCP"`, `"HTTP"`, `"HTTPS"`.
- `type` (String) The protocol to use for the health check. Available values: `TCP`, `HTTP`, `HTTPS`.
- `zone_id` (String) The zone identifier to target for the resource.

### Optional

- `allow_insecure` (Boolean) Do not validate the certificate when the health check uses HTTPS. Defaults to `false`.
- `check_regions` (List of String) A list of regions from which to run health checks. If not set, Cloudflare will pick a default region. Available values: `"WNAM"`, `"ENAM"`, `"WEU"`, `"EEU"`, `"NSAM"`, `"SSAM"`, `"OC"`, `"ME"`, `"NAF"`, `"SAF"`, `"IN"`, `"SEAS"`, `"NEAS"`, `"ALL_REGIONS"`.
- `check_regions` (List of String) A list of regions from which to run health checks. If not set, Cloudflare will pick a default region. Available values: `WNAM`, `ENAM`, `WEU`, `EEU`, `NSAM`, `SSAM`, `OC`, `ME`, `NAF`, `SAF`, `IN`, `SEAS`, `NEAS`, `ALL_REGIONS`.
- `consecutive_fails` (Number) The number of consecutive fails required from a health check before changing the health to unhealthy. Defaults to `1`.
- `consecutive_successes` (Number) The number of consecutive successes required from a health check before changing the health to healthy. Defaults to `1`.
- `description` (String) A human-readable description of the health check.
@@ -88,7 +88,7 @@ resource "cloudflare_healthcheck" "tcp_health_check" {
- `follow_redirects` (Boolean) Follow redirects if the origin returns a 3xx status code. Defaults to `false`.
- `header` (Block Set) The HTTP request headers to send in the health check. It is recommended you set a Host header by default. The User-Agent header cannot be overridden. (see [below for nested schema](#nestedblock--header))
- `interval` (Number) The interval between each health check. Shorter intervals may give quicker notifications if the origin status changes, but will increase the load on the origin as we check from multiple locations. Defaults to `60`.
- `method` (String) The HTTP method to use for the health check. Available values: `"connection_established"`, `"GET"`, `"HEAD"`.
- `method` (String) The HTTP method to use for the health check. Available values: `connection_established`, `GET`, `HEAD`.
- `notification_email_addresses` (List of String, Deprecated) A list of email addresses we want to send the notifications to. Deprecated, use cloudflare_notification_policy instead.
- `notification_suspended` (Boolean, Deprecated) Whether the notifications are suspended or not. Useful for maintenance periods. Defaults to `false`.
- `path` (String) The endpoint path to health check against. Defaults to `/`.
2 changes: 1 addition & 1 deletion docs/resources/ipsec_tunnel.md
@@ -42,7 +42,7 @@ resource "cloudflare_ipsec_tunnel" "example" {
- `fqdn_id` (String) `remote_id` in the form of a fqdn. This value is generated by cloudflare.
- `health_check_enabled` (Boolean) Specifies if ICMP tunnel health checks are enabled. Default: `true`.
- `health_check_target` (String) The IP address of the customer endpoint that will receive tunnel health checks. Default: `<customer_gre_endpoint>`.
- `health_check_type` (String) Specifies the ICMP echo type for the health check (`request` or `reply`). Available values: `"request"`, `"reply"` Default: `reply`.
- `health_check_type` (String) Specifies the ICMP echo type for the health check (`request` or `reply`). Available values: `request`, `reply` Default: `reply`.
- `hex_id` (String) `remote_id` as a hex string. This value is generated by cloudflare.
- `psk` (String, Sensitive) Pre shared key to be used with the IPsec tunnel. If left unset, it will be autogenerated.
- `remote_id` (String) ID to be used while setting up the IPsec tunnel. This value is generated by cloudflare.
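Review bot: the `health_check_type` line runs the value list straight into the default (`request`, `reply` Default: `reply`) and also repeats the values in the parenthetical, which the regeneration did not fix. Since the file is generated, change the schema description to the phrasing the other lines use: `Specifies the ICMP echo type for the health check. Available values: `request`, `reply`. Defaults to `reply`.`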
4 changes: 2 additions & 2 deletions docs/resources/logpush_job.md
@@ -109,15 +109,15 @@ resource "cloudflare_logpush_job" "example_job" {

### Required

- `dataset` (String) Uniquely identifies a resource (such as an s3 bucket) where data will be pushed. Additional configuration parameters supported by the destination may be included. See [Logpush destination documentation](https://developers.cloudflare.com/logs/reference/logpush-api-configuration#destination). Available values: `"firewall_events"`, `"http_requests"`, `"spectrum_events"`, `"nel_reports"`, `"audit_logs"`, `"gateway_dns"`, `"gateway_http"`, `"gateway_network"`, `"dns_logs"`, `"network_analytics_logs"`.
- `dataset` (String) Uniquely identifies a resource (such as an s3 bucket) where data will be pushed. Additional configuration parameters supported by the destination may be included. See [Logpush destination documentation](https://developers.cloudflare.com/logs/reference/logpush-api-configuration#destination). Available values: `firewall_events`, `http_requests`, `spectrum_events`, `nel_reports`, `audit_logs`, `gateway_dns`, `gateway_http`, `gateway_network`, `dns_logs`, `network_analytics_logs`.
- `destination_conf` (String) Uniquely identifies a resource (such as an s3 bucket) where data will be pushed. Additional configuration parameters supported by the destination may be included. See [Logpush destination documentation](https://developers.cloudflare.com/logs/reference/logpush-api-configuration#destination).

### Optional

- `account_id` (String) The account identifier to target for the resource.
- `enabled` (Boolean) Whether to enable the job.
- `filter` (String) Use filters to select the events to include and/or remove from your logs. For more information, refer to [Filters](https://developers.cloudflare.com/logs/reference/logpush-api-configuration/filters/).
- `frequency` (String) A higher frequency will result in logs being pushed on faster with smaller files. `low` frequency will push logs less often with larger files. Available values: `"high"`, `"low"`. Defaults to `high`.
- `frequency` (String) A higher frequency will result in logs being pushed on faster with smaller files. `low` frequency will push logs less often with larger files. Available values: `high`, `low`. Defaults to `high`.
- `logpull_options` (String) Configuration string for the Logshare API. It specifies things like requested fields and timestamp formats. See [Logpull options documentation](https://developers.cloudflare.com/logs/logpush/logpush-configuration-api/understanding-logpush-api/#options).
- `name` (String) The name of the logpush job to create. Must match the regular expression `^[a-zA-Z0-9\-\.]*$`.
- `ownership_challenge` (String) Ownership challenge token to prove destination ownership, required when destination is Amazon S3, Google Cloud Storage, Microsoft Azure or Sumo Logic. See [Developer documentation](https://developers.cloudflare.com/logs/logpush/logpush-configuration-api/understanding-logpush-api/#usage).
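Review bot: `dataset` carries the `destination_conf` description verbatim ("Uniquely identifies a resource (such as an s3 bucket) where data will be pushed"), which is wrong: by its own available-values list (`http_requests`, `audit_logs`, `gateway_dns`, ...) it selects which log dataset is pushed, not where. The regeneration preserved the copy-paste, so fix the `dataset` description in the provider schema to say it names the Cloudflare log dataset to push and keep the destination wording only on `destination_conf`.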