diff --git a/.changelog/2303.txt b/.changelog/2303.txt new file mode 100644 index 00000000000..41a50584828 --- /dev/null +++ b/.changelog/2303.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +schema_cloudflare_teams_rules.go: updated gateway rule action audit ssh and rule settings +``` diff --git a/docs/resources/access_organization.md b/docs/resources/access_organization.md index c551d4d296c..30484f3d5f2 100644 --- a/docs/resources/access_organization.md +++ b/docs/resources/access_organization.md @@ -41,6 +41,7 @@ resource "cloudflare_access_organization" "example" { - `is_ui_read_only` (Boolean) When set to true, this will disable all editing of Access resources via the Zero Trust Dashboard. - `login_design` (Block List) (see [below for nested schema](#nestedblock--login_design)) - `name` (String) The name of your Zero Trust organization. +- `ui_read_only_toggle_reason` (String) A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time` (String) The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Must be in the format `300ms` or `2h45m`. - `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`. diff --git a/docs/resources/teams_rule.md b/docs/resources/teams_rule.md index 0870c095983..843f43d9ad1 100644 --- a/docs/resources/teams_rule.md +++ b/docs/resources/teams_rule.md @@ -57,18 +57,30 @@ resource "cloudflare_teams_rule" "example" { Optional: - `add_headers` (Map of String) Add custom headers to allowed requests in the form of key-value pairs. +- `allow_child_bypass` (Boolean) Allow parent MSP accounts to enable bypass their children's rules. +- `audit_ssh` (Block List, Max: 1) AuditSsh Settings. (see [below for nested schema](#nestedblock--rule_settings--audit_ssh)) - `biso_admin_controls` (Block List, Max: 1) Configure how browser isolation behaves. (see [below for nested schema](#nestedblock--rule_settings--biso_admin_controls)) - `block_page_enabled` (Boolean) Indicator of block page enablement. - `block_page_reason` (String) The displayed reason for a user being blocked. +- `bypass_parent_rule` (Boolean) Allow child MSP accounts to bypass their parent's rule. - `check_session` (Block List, Max: 1) Configure how session check behaves. (see [below for nested schema](#nestedblock--rule_settings--check_session)) - `egress` (Block List, Max: 1) Configure how Proxy traffic egresses. Can be set for rules with Egress action and Egress filter. Can be omitted to indicate local egress via Warp IPs. (see [below for nested schema](#nestedblock--rule_settings--egress)) - `insecure_disable_dnssec_validation` (Boolean) Disable DNSSEC validation (must be Allow rule). +- `ip_categories` (Boolean) Turns on ip category based filter on dns if the rule contains dns category checks. - `l4override` (Block List, Max: 1) Settings to forward layer 4 traffic. (see [below for nested schema](#nestedblock--rule_settings--l4override)) - `override_host` (String) The host to override matching DNS queries with. - `override_ips` (List of String) The IPs to override matching DNS queries with. - `payload_log` (Block List, Max: 1) Configure DLP Payload Logging settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--payload_log)) - `untrusted_cert` (Block List, Max: 1) Configure untrusted certificate settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--untrusted_cert)) + +### Nested Schema for `rule_settings.audit_ssh` + +Required: + +- `command_logging` (Boolean) Log all SSH commands. + + ### Nested Schema for `rule_settings.biso_admin_controls` diff --git a/docs/resources/worker_script.md b/docs/resources/worker_script.md index 76b0e5dc540..b01c286ba6a 100644 --- a/docs/resources/worker_script.md +++ b/docs/resources/worker_script.md @@ -76,9 +76,9 @@ resource "cloudflare_worker_script" "my_script" { ### Optional - `analytics_engine_binding` (Block Set) (see [below for nested schema](#nestedblock--analytics_engine_binding)) +- `compatibility_date` (String) The date to use for the compatibility flag. - `kv_namespace_binding` (Block Set) (see [below for nested schema](#nestedblock--kv_namespace_binding)) - `module` (Boolean) Whether to upload Worker as a module. -- `compatibility_date` (String) The date to use for the compatibility flag. This is used to determine which version of the Workers runtime to use. The date must be in the format `YYYY-MM-DD`. - `plain_text_binding` (Block Set) (see [below for nested schema](#nestedblock--plain_text_binding)) - `queue_binding` (Block Set) (see [below for nested schema](#nestedblock--queue_binding)) - `r2_bucket_binding` (Block Set) (see [below for nested schema](#nestedblock--r2_bucket_binding)) diff --git a/internal/sdkv2provider/resource_cloudflare_teams_rules.go b/internal/sdkv2provider/resource_cloudflare_teams_rules.go index 6c84e1f5a4a..5bee82ff39e 100644 --- a/internal/sdkv2provider/resource_cloudflare_teams_rules.go +++ b/internal/sdkv2provider/resource_cloudflare_teams_rules.go @@ -196,7 +196,7 @@ func resourceCloudflareTeamsRuleImport(ctx context.Context, d *schema.ResourceDa } func flattenTeamsRuleSettings(settings *cloudflare.TeamsRuleSettings) []interface{} { - return []interface{}{map[string]interface{}{ + result := map[string]interface{}{ "block_page_enabled": settings.BlockPageEnabled, "block_page_reason": settings.BlockReason, "override_ips": settings.OverrideIPs, @@ -209,7 +209,25 @@ func flattenTeamsRuleSettings(settings *cloudflare.TeamsRuleSettings) []interfac "egress": flattenTeamsEgressSettings(settings.EgressSettings), "untrusted_cert": flattenTeamsUntrustedCertSettings(settings.UntrustedCertSettings), "payload_log": flattenTeamsDlpPayloadLogSettings(settings.PayloadLog), - }} + } + + if settings.IPCategories { + result["ip_categories"] = true + } + + if settings.AllowChildBypass { + result["allow_child_bypass"] = settings.AllowChildBypass + } + + if settings.BypassParentRule { + result["bypass_parent_rule"] = settings.AllowChildBypass + } + + if settings.AuditSSH != nil { + result["audit_ssh"] = flattenTeamsAuditSSHSettings(settings.AuditSSH) + } + + return []interface{}{result} } func inflateTeamsRuleSettings(settings interface{}) *cloudflare.TeamsRuleSettings { @@ -373,6 +391,15 @@ func inflateTeamsL4Override(settings interface{}) *cloudflare.TeamsL4OverrideSet } } +func flattenTeamsAuditSSHSettings(settings *cloudflare.AuditSSHRuleSettings) []interface{} { + if settings == nil { + return nil + } + return []interface{}{map[string]interface{}{ + "command_logging": settings.CommandLogging, + }} +} + func flattenTeamsEgressSettings(settings *cloudflare.EgressSettings) []interface{} { if settings == nil { return nil diff --git a/internal/sdkv2provider/schema_cloudflare_teams_rules.go b/internal/sdkv2provider/schema_cloudflare_teams_rules.go index 7fc82a40179..c485645bf69 100644 --- a/internal/sdkv2provider/schema_cloudflare_teams_rules.go +++ b/internal/sdkv2provider/schema_cloudflare_teams_rules.go @@ -101,6 +101,30 @@ var teamsRuleSettings = map[string]*schema.Schema{ Optional: true, Description: "The host to override matching DNS queries with.", }, + "ip_categories": { + Type: schema.TypeBool, + Optional: true, + Description: "Turns on ip category based filter on dns if the rule contains dns category checks.", + }, + "allow_child_bypass": { + Type: schema.TypeBool, + Optional: true, + Description: "Allow parent MSP accounts to enable bypass their children's rules.", + }, + "bypass_parent_rule": { + Type: schema.TypeBool, + Optional: true, + Description: "Allow child MSP accounts to bypass their parent's rule.", + }, + "audit_ssh": { + Type: schema.TypeList, + MaxItems: 1, + Optional: true, + Elem: &schema.Resource{ + Schema: teamsAuditSSHSettings, + }, + Description: "AuditSsh Settings.", + }, "l4override": { Type: schema.TypeList, MaxItems: 1, @@ -218,6 +242,14 @@ var teamsL4OverrideSettings = map[string]*schema.Schema{ }, } +var teamsAuditSSHSettings = map[string]*schema.Schema{ + "command_logging": { + Type: schema.TypeBool, + Required: true, + Description: "Log all SSH commands.", + }, +} + var teamsBisoAdminControls = map[string]*schema.Schema{ "disable_printing": { Type: schema.TypeBool, diff --git a/tools/cmd/changelog-check/main.go b/tools/cmd/changelog-check/main.go index 9e8221d44d9..4e09b314254 100644 --- a/tools/cmd/changelog-check/main.go +++ b/tools/cmd/changelog-check/main.go @@ -128,7 +128,7 @@ func main() { if err != nil { log.Fatalf("failed to comment on pull request %s/%s#%d: %s", owner, repo, prNo, err) - } + } os.Exit(1) }