feat: updated gateway rule action audit ssh and rule settings

.changelog/2303.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+schema_cloudflare_teams_rules.go: updated gateway rule action audit ssh and rule settings
+```

docs/resources/access_organization.md

@@ -41,6 +41,7 @@ resource "cloudflare_access_organization" "example" {
 - `is_ui_read_only` (Boolean) When set to true, this will disable all editing of Access resources via the Zero Trust Dashboard.
 - `login_design` (Block List) (see [below for nested schema](#nestedblock--login_design))
 - `name` (String) The name of your Zero Trust organization.
+- `ui_read_only_toggle_reason` (String) A description of the reason why the UI read only field is being toggled.
 - `user_seat_expiration_inactive_time` (String) The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Must be in the format `300ms` or `2h45m`.
 - `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.
 

docs/resources/teams_rule.md

@@ -57,18 +57,30 @@ resource "cloudflare_teams_rule" "example" {
 Optional:
 
 - `add_headers` (Map of String) Add custom headers to allowed requests in the form of key-value pairs.
+- `allow_child_bypass` (Boolean) Allow parent MSP accounts to enable bypass their children's rules.
+- `audit_ssh` (Block List, Max: 1) AuditSsh Settings. (see [below for nested schema](#nestedblock--rule_settings--audit_ssh))
 - `biso_admin_controls` (Block List, Max: 1) Configure how browser isolation behaves. (see [below for nested schema](#nestedblock--rule_settings--biso_admin_controls))
 - `block_page_enabled` (Boolean) Indicator of block page enablement.
 - `block_page_reason` (String) The displayed reason for a user being blocked.
+- `bypass_parent_rule` (Boolean) Allow child MSP accounts to bypass their parent's rule.
 - `check_session` (Block List, Max: 1) Configure how session check behaves. (see [below for nested schema](#nestedblock--rule_settings--check_session))
 - `egress` (Block List, Max: 1) Configure how Proxy traffic egresses. Can be set for rules with Egress action and Egress filter. Can be omitted to indicate local egress via Warp IPs. (see [below for nested schema](#nestedblock--rule_settings--egress))
 - `insecure_disable_dnssec_validation` (Boolean) Disable DNSSEC validation (must be Allow rule).
+- `ip_categories` (Boolean) Turns on ip category based filter on dns if the rule contains dns category checks.
 - `l4override` (Block List, Max: 1) Settings to forward layer 4 traffic. (see [below for nested schema](#nestedblock--rule_settings--l4override))
 - `override_host` (String) The host to override matching DNS queries with.
 - `override_ips` (List of String) The IPs to override matching DNS queries with.
 - `payload_log` (Block List, Max: 1) Configure DLP Payload Logging settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--payload_log))
 - `untrusted_cert` (Block List, Max: 1) Configure untrusted certificate settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--untrusted_cert))
 
+<a id="nestedblock--rule_settings--audit_ssh"></a>
+### Nested Schema for `rule_settings.audit_ssh`
+
+Required:
+
+- `command_logging` (Boolean) Log all SSH commands.
+
+
 <a id="nestedblock--rule_settings--biso_admin_controls"></a>
 ### Nested Schema for `rule_settings.biso_admin_controls`
 

docs/resources/worker_script.md

@@ -76,9 +76,9 @@ resource "cloudflare_worker_script" "my_script" {
 ### Optional
 
 - `analytics_engine_binding` (Block Set) (see [below for nested schema](#nestedblock--analytics_engine_binding))
+- `compatibility_date` (String) The date to use for the compatibility flag.
 - `kv_namespace_binding` (Block Set) (see [below for nested schema](#nestedblock--kv_namespace_binding))
 - `module` (Boolean) Whether to upload Worker as a module.
-- `compatibility_date` (String) The date to use for the compatibility flag. This is used to determine which version of the Workers runtime to use. The date must be in the format `YYYY-MM-DD`.
 - `plain_text_binding` (Block Set) (see [below for nested schema](#nestedblock--plain_text_binding))
 - `queue_binding` (Block Set) (see [below for nested schema](#nestedblock--queue_binding))
 - `r2_bucket_binding` (Block Set) (see [below for nested schema](#nestedblock--r2_bucket_binding))

internal/sdkv2provider/resource_cloudflare_teams_rules.go

@@ -196,7 +196,7 @@ func resourceCloudflareTeamsRuleImport(ctx context.Context, d *schema.ResourceDa
 }
 
 func flattenTeamsRuleSettings(settings *cloudflare.TeamsRuleSettings) []interface{} {
-	return []interface{}{map[string]interface{}{
+	result := map[string]interface{}{
 		"block_page_enabled":                 settings.BlockPageEnabled,
 		"block_page_reason":                  settings.BlockReason,
 		"override_ips":                       settings.OverrideIPs,
@@ -209,7 +209,25 @@ func flattenTeamsRuleSettings(settings *cloudflare.TeamsRuleSettings) []interfac
 		"egress":                             flattenTeamsEgressSettings(settings.EgressSettings),
 		"untrusted_cert":                     flattenTeamsUntrustedCertSettings(settings.UntrustedCertSettings),
 		"payload_log":                        flattenTeamsDlpPayloadLogSettings(settings.PayloadLog),
-	}}
+	}
+
+	if settings.IPCategories {
+		result["ip_categories"] = true
+	}
+
+	if settings.AllowChildBypass {
+		result["allow_child_bypass"] = settings.AllowChildBypass
+	}
+
+	if settings.BypassParentRule {
+		result["bypass_parent_rule"] = settings.AllowChildBypass
+	}
+
+	if settings.AuditSSH != nil {
+		result["audit_ssh"] = flattenTeamsAuditSSHSettings(settings.AuditSSH)
+	}
+
+	return []interface{}{result}
 }
 
 func inflateTeamsRuleSettings(settings interface{}) *cloudflare.TeamsRuleSettings {
@@ -373,6 +391,15 @@ func inflateTeamsL4Override(settings interface{}) *cloudflare.TeamsL4OverrideSet
 	}
 }
 
+func flattenTeamsAuditSSHSettings(settings *cloudflare.AuditSSHRuleSettings) []interface{} {
+	if settings == nil {
+		return nil
+	}
+	return []interface{}{map[string]interface{}{
+		"command_logging": settings.CommandLogging,
+	}}
+}
+
 func flattenTeamsEgressSettings(settings *cloudflare.EgressSettings) []interface{} {
 	if settings == nil {
 		return nil

internal/sdkv2provider/schema_cloudflare_teams_rules.go

@@ -101,6 +101,30 @@ var teamsRuleSettings = map[string]*schema.Schema{
 		Optional:    true,
 		Description: "The host to override matching DNS queries with.",
 	},
+	"ip_categories": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "Turns on ip category based filter on dns if the rule contains dns category checks.",
+	},
+	"allow_child_bypass": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "Allow parent MSP accounts to enable bypass their children's rules.",
+	},
+	"bypass_parent_rule": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "Allow child MSP accounts to bypass their parent's rule.",
+	},
+	"audit_ssh": {
+		Type:     schema.TypeList,
+		MaxItems: 1,
+		Optional: true,
+		Elem: &schema.Resource{
+			Schema: teamsAuditSSHSettings,
+		},
+		Description: "AuditSsh Settings.",
+	},
 	"l4override": {
 		Type:     schema.TypeList,
 		MaxItems: 1,
@@ -218,6 +242,14 @@ var teamsL4OverrideSettings = map[string]*schema.Schema{
 	},
 }
 
+var teamsAuditSSHSettings = map[string]*schema.Schema{
+	"command_logging": {
+		Type:        schema.TypeBool,
+		Required:    true,
+		Description: "Log all SSH commands.",
+	},
+}
+
 var teamsBisoAdminControls = map[string]*schema.Schema{
 	"disable_printing": {
 		Type:        schema.TypeBool,

tools/cmd/changelog-check/main.go

@@ -128,7 +128,7 @@ func main() {
 
 	if err != nil {
 		log.Fatalf("failed to comment on pull request %s/%s#%d: %s", owner, repo, prNo, err)
-	}	
+	}
 
 	os.Exit(1)
 }