WDAPI-1041 add device settings policy APIs

.changelog/1926.txt

@@ -0,0 +1,11 @@
+```release-note:new-resource
+cloudflare_device_policy
+```
+
+```release-note:enhancement
+resource/cloudflare_split_tunnel: Add configuring split tunnel for device policies
+```
+
+```release-note:enhancement
+resource/cloudflare_fallback_domain: Add creating fallback domains for device policies
+```

docs/resources/device_policy.md

@@ -0,0 +1,69 @@
+---
+page_title: "cloudflare_device_policy Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a Cloudflare Device Policy resource. Device policies configure settings applied to WARP devices.
+---
+
+# cloudflare_device_policy (Resource)
+
+Provides a Cloudflare Device Policy resource. Device policies configure settings applied to WARP devices.
+
+## Example Usage
+
+```terraform
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id            = "f037e56e89293a057740de681ac9abbe"
+  name                  = "Developers WARP settings policy"
+  precedence            = 10
+  match                 = "any(identity.groups.name[*] in {\"Developers\"})"
+  default               = false
+  enabled               = true
+  allow_mode_switch     = true
+  allow_updates         = true
+  allowed_to_leave      = true
+  auto_connect          = 0
+  captive_portal        = 5
+  disable_auto_fallback = true
+  support_url           = "https://cloudflare.com"
+  switch_locked         = true
+  service_mode_v2_mode  = "warp"
+  service_mode_v2_port  = 3000
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `account_id` (String) The account identifier to target for the resource.
+- `name` (String) Name of the policy.
+
+### Optional
+
+- `allow_mode_switch` (Boolean) Whether to allow mode switch for this policy.
+- `allow_updates` (Boolean) Whether to allow updates under this policy.
+- `allowed_to_leave` (Boolean) Whether to allow devices to leave the organization. Defaults to `true`.
+- `auto_connect` (Number) The amount of time in minutes to reconnect after having been disabled.
+- `captive_portal` (Number) The captive portal value for this policy. Defaults to `180`.
+- `default` (Boolean) Whether the policy refers to the default account policy.
+- `disable_auto_fallback` (Boolean) Whether to disable auto fallback for this policy.
+- `enabled` (Boolean) Whether the policy is enabled (cannot be set for default policies). Defaults to `true`.
+- `match` (String) Wirefilter expression to match a device against when evaluating whether this policy should take effect for that device.
+- `precedence` (Number) The precedence of the policy. Lower values indicate higher precedence.
+- `service_mode_v2_mode` (String) The service mode. Defaults to `warp`.
+- `service_mode_v2_port` (Number) The port to use for the proxy service mode. Required when using `service_mode_v2_mode`.
+- `support_url` (String) The support URL that will be opened when sending feedback.
+- `switch_locked` (Boolean) Enablement of the ZT client switch lock.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+```shell
+# You can use "default" as the device policy ID when using the default.
+$ terraform import cloudflare_device_policy.example <account_id>/<device_policy_id>
+```

docs/resources/fallback_domain.md

@@ -1,23 +1,30 @@
 ---
-layout: "cloudflare"
-page_title: "Cloudflare: cloudflare_fallback_domain"
-description: Provides a Cloudflare Fallback Domain resource.
+page_title: "cloudflare_fallback_domain Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a Cloudflare Fallback Domain resource. Fallback domains are
+  used to ignore DNS requests to a given list of domains. These DNS
+  requests will be passed back to other DNS servers configured on
+  existing network interfaces on the device.
 ---
 
-# cloudflare_fallback_domain
+# cloudflare_fallback_domain (Resource)
 
-Provides a Cloudflare Fallback Domain resource. Fallback domains are used to ignore DNS requests to a given list of domains. These DNS requests will be passed back to other DNS servers configured on existing network interfaces on the device.
+Provides a Cloudflare Fallback Domain resource. Fallback domains are
+used to ignore DNS requests to a given list of domains. These DNS
+requests will be passed back to other DNS servers configured on
+existing network interfaces on the device.
 
 ## Example Usage
 
-```hcl
-# Use DNS servers 1.1.1.1 or 1.0.0.1 for example.com
+```terraform
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com
 resource "cloudflare_fallback_domain" "example" {
   account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
   domains {
     suffix      = "example.com"
     description = "Example domain"
-    dns_server  = ["1.1.1.1", "1.0.0.1"]
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
   }
 }
 
@@ -34,29 +41,59 @@ resource "cloudflare_fallback_domain" "example" {
   domains {
     suffix      = "example.com"
     description = "Example domain"
-    dns_server  = ["1.1.1.1", "1.0.0.1"]
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
+  }
+}
+
+# Create a device policy
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id    = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name          = "Developers"
+  precedence    = 10
+  match         = "any(identity.groups.name[*] in {\"Developers\"})"
+  switch_locked = true
+}
+
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com for a particular device policy
+resource "cloudflare_fallback_domain" "example" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  domains {
+    suffix      = "example.com"
+    description = "Example domain"
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
   }
 }
 ```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `account_id` (String) The account identifier to target for the resource.
+- `domains` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--domains))
 
-## Argument Reference
+### Optional
 
-The following arguments are supported:
+- `policy_id` (String) The settings policy for which to configure this fallback domain policy.
 
-- `account_id` - (Required) The account to which the device posture rule should be added.
-- `domains` - (Required) The value of the domain attributes (refer to the [nested schema](#nestedblock--domains)).
+### Read-Only
+
+- `id` (String) The ID of this resource.
 
 <a id="nestedblock--domains"></a>
-**Nested schema for `domains`**
+### Nested Schema for `domains`
 
-- `suffix` - (Required) The domain to ignore DNS requests.
-- `description` - (Optional) The description of the domain.
-- `dns_server` - (Optional) The DNS servers to receive the redirected request.
+Optional:
 
-## Import
+- `description` (String) A description of the fallback domain, displayed in the client UI.
+- `dns_server` (List of String) A list of IP addresses to handle domain resolution.
+- `suffix` (String) The domain suffix to match when resolving locally.
 
-Fallback Domains can be imported using the account identifer.
+## Import
 
-```
-$ terraform import cloudflare_fallback_domain.example 1d5fdc9e88c8a8c4518b068cd94331fe
+Import is supported using the following syntax:
+```shell
+# Fallback Domains for default device policies must use "default" as the policy ID.
+$ terraform import cloudflare_fallback_domain.example <account_id>/<policy_id>
 ```

docs/resources/split_tunnel.md

@@ -1,23 +1,25 @@
 ---
-layout: "cloudflare"
-page_title: "Cloudflare: cloudflare_split_tunnel"
-description: Provides a Cloudflare Split Tunnel resource.
+page_title: "cloudflare_split_tunnel Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a Cloudflare Split Tunnel resource. Split tunnels are used to either
+  include or exclude lists of routes from the WARP client's tunnel.
 ---
 
-# cloudflare_split_tunnel
+# cloudflare_split_tunnel (Resource)
 
 Provides a Cloudflare Split Tunnel resource. Split tunnels are used to either
 include or exclude lists of routes from the WARP client's tunnel.
 
 ## Example Usage
 
-```hcl
+```terraform
 # Excluding *.example.com from WARP routes
 resource "cloudflare_split_tunnel" "example_split_tunnel_exclude" {
   account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
   mode       = "exclude"
   tunnels {
-    host        = "*.example.com",
+    host        = "*.example.com"
     description = "example domain"
   }
 }
@@ -27,31 +29,72 @@ resource "cloudflare_split_tunnel" "example_split_tunnel_include" {
   account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
   mode       = "include"
   tunnels {
-    host        = "*.example.com",
+    host        = "*.example.com"
+    description = "example domain"
+  }
+}
+
+# Create a device policy
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id    = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name          = "Developers"
+  precedence    = 10
+  match         = "any(identity.groups.name[*] in {\"Developers\"})"
+  switch_locked = true
+}
+
+# Excluding *.example.com from WARP routes for a particular device policy
+resource "cloudflare_split_tunnel" "example_device_policy_split_tunnel_exclude" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  mode       = "exclude"
+  tunnels {
+    host        = "*.example.com"
+    description = "example domain"
+  }
+}
+
+# Including *.example.com in WARP routes for a particular device policy
+resource "cloudflare_split_tunnel" "example_split_tunnel_include" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  mode       = "include"
+  tunnels {
+    host        = "*.example.com"
     description = "example domain"
   }
 }
 ```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
 
-## Argument Reference
+- `account_id` (String) The account identifier to target for the resource.
+- `mode` (String) The mode of the split tunnel policy. Available values: `include`, `exclude`.
+- `tunnels` (Block List, Min: 1) The value of the tunnel attributes. (see [below for nested schema](#nestedblock--tunnels))
 
-The following arguments are supported:
+### Optional
 
-- `account_id` - (Required) The account to which the device posture rule should be added.
-- `mode` - (Required) The split tunnel mode. Valid values are `include` or `exclude`.
-- `tunnels` - (Required) The value of the tunnel attributes (refer to the [nested schema](#nestedblock--tunnels)).
+- `policy_id` (String) The settings policy for which to configure this split tunnel policy.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
 
 <a id="nestedblock--tunnels"></a>
-**Nested schema for `tunnels`**
+### Nested Schema for `tunnels`
 
-- `address` - (Optional) The address in CIDR format to include in the tunnel configuration. Conflicts with `"host"`.
-- `host` - (Optional) The domain name to include in the tunnel configuration. Conflicts with `"address"`.
-- `description` - (Optional) The description of the tunnel.
+Optional:
 
-## Import
+- `address` (String) The address for the tunnel.
+- `description` (String) A description for the tunnel.
+- `host` (String) The domain name for the tunnel.
 
-Split Tunnels can be imported using the account identifer and mode.
+## Import
 
-```
-$ terraform import cloudflare_split_tunnel.example 1d5fdc9e88c8a8c4518b068cd94331fe/exclude
+Import is supported using the following syntax:
+```shell
+# Split Tunnels for default device policies must use "default" as the policy ID.
+$ terraform import cloudflare_split_tunnel.example <account_id>/<policy_id>/<mode>
 ```

examples/resources/cloudflare_device_policy/import.sh

@@ -0,0 +1,2 @@
+# You can use "default" as the device policy ID when using the default.
+$ terraform import cloudflare_device_policy.example <account_id>/<device_policy_id>

examples/resources/cloudflare_device_policy/resource.tf

@@ -0,0 +1,18 @@
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id            = "f037e56e89293a057740de681ac9abbe"
+  name                  = "Developers WARP settings policy"
+  precedence            = 10
+  match                 = "any(identity.groups.name[*] in {\"Developers\"})"
+  default               = false
+  enabled               = true
+  allow_mode_switch     = true
+  allow_updates         = true
+  allowed_to_leave      = true
+  auto_connect          = 0
+  captive_portal        = 5
+  disable_auto_fallback = true
+  support_url           = "https://cloudflare.com"
+  switch_locked         = true
+  service_mode_v2_mode  = "warp"
+  service_mode_v2_port  = 3000
+}

examples/resources/cloudflare_fallback_domain/import.sh

@@ -0,0 +1,2 @@
+# Fallback Domains for default device policies must use "default" as the policy ID.
+$ terraform import cloudflare_fallback_domain.example <account_id>/<policy_id>

examples/resources/cloudflare_fallback_domain/resource.tf

@@ -0,0 +1,46 @@
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com
+resource "cloudflare_fallback_domain" "example" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  domains {
+    suffix      = "example.com"
+    description = "Example domain"
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
+  }
+}
+
+# Explicitly adding example.com to the default entries.
+resource "cloudflare_fallback_domain" "example" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  dynamic "domains" {
+    for_each = toset(["intranet", "internal", "private", "localdomain", "domain", "lan", "home", "host", "corp", "local", "localhost", "home.arpa", "invalid", "test"])
+    content {
+      suffix = domains.value
+    }
+  }
+
+  domains {
+    suffix      = "example.com"
+    description = "Example domain"
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
+  }
+}
+
+# Create a device policy
+resource "cloudflare_device_policy" "developer_warp_policy" {
+  account_id    = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  name          = "Developers"
+  precedence    = 10
+  match         = "any(identity.groups.name[*] in {\"Developers\"})"
+  switch_locked = true
+}
+
+# Use DNS servers 192.0.2.0 or 192.0.2.1 for example.com for a particular device policy
+resource "cloudflare_fallback_domain" "example" {
+  account_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
+  policy_id  = cloudflare_device_policy.developer_warp_policy.id
+  domains {
+    suffix      = "example.com"
+    description = "Example domain"
+    dns_server  = ["192.0.2.0", "192.0.2.1"]
+  }
+}

examples/resources/cloudflare_split_tunnel/import.sh

@@ -0,0 +1,2 @@
+# Split Tunnels for default device policies must use "default" as the policy ID.
+$ terraform import cloudflare_split_tunnel.example <account_id>/<policy_id>/<mode>