diff --git a/.changelog/2826.txt b/.changelog/2826.txt
new file mode 100644
index 0000000000..5b83235794
--- /dev/null
+++ b/.changelog/2826.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_teams_accounts: Add support for setting ssh encryption key in ZT settings
+```
\ No newline at end of file
diff --git a/internal/sdkv2provider/resource_cloudflare_teams_accounts.go b/internal/sdkv2provider/resource_cloudflare_teams_accounts.go
index 9ec3bdd242..97fabd8e9b 100644
--- a/internal/sdkv2provider/resource_cloudflare_teams_accounts.go
+++ b/internal/sdkv2provider/resource_cloudflare_teams_accounts.go
@@ -106,6 +106,18 @@ func resourceCloudflareTeamsAccountRead(ctx context.Context, d *schema.ResourceD
 return diag.FromErr(fmt.Errorf("error parsing teams account device settings: %w", err))
 }
 
+sshSessionLogSettings, _, err := client.GetAuditSSHSettings(ctx, cloudflare.AccountIdentifier(accountID), cloudflare.GetAuditSSHSettingsParams{})
+if err == nil {
+if err := d.Set("ssh_session_log", flattenSSHSessionLogSettings(&sshSessionLogSettings)); err != nil {
+return diag.FromErr(fmt.Errorf("error parsing payload log settings: %w", err))
+}
+} else {
+var notFoundError *cloudflare.NotFoundError
+if !errors.As(err, ¬FoundError) {
+return diag.FromErr(fmt.Errorf("error finding SSH session account settings %q: %w", d.Id(), err))
+}
+}
+
 payloadLogSettings, err := client.GetDLPPayloadLogSettings(ctx, cloudflare.AccountIdentifier(accountID), cloudflare.GetDLPPayloadLogSettingsParams{})
 if err == nil {
 if err := d.Set("payload_log", flattenPayloadLogSettings(&payloadLogSettings)); err != nil {
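Review bot: The error returned when `d.Set("ssh_session_log", …)` fails still says `error parsing payload log settings`, copied from the payload-log block below, so a failure would be attributed to the wrong attribute; it should read `return diag.FromErr(fmt.Errorf("error parsing SSH session log settings: %w", err))`. In the `NotFoundError` branch the attribute is left untouched, so a key that was removed outside Terraform keeps appearing in state and no drift is planned; clearing it with `d.Set("ssh_session_log", nil)` in that branch would keep state honest, assuming the provider's convention is to reflect a removed remote setting. resourceCloudflareTeamsAccountRead starts and ends outside the hunk.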
@@ -130,6 +142,7 @@ func resourceCloudflareTeamsAccountUpdate(ctx context.Context, d *schema.Resourc
 loggingConfig := inflateLoggingSettings(d.Get("logging"))
 deviceConfig := inflateDeviceSettings(d.Get("proxy"))
 payloadLogSettings := inflatePayloadLogSettings(d.Get("payload_log"))
+sshSessionLogSettings := inflateSSHSessionLogSettings(d.Get("ssh_session_log"))
 updatedTeamsAccount := cloudflare.TeamsConfiguration{
 Settings: cloudflare.TeamsAccountSettings{
 Antivirus: antivirusConfig,
@@ -180,6 +193,12 @@ func resourceCloudflareTeamsAccountUpdate(ctx context.Context, d *schema.Resourc
 }
 }
 
+if sshSessionLogSettings != nil {
+if _, err := client.UpdateAuditSSHSettings(ctx, cloudflare.AccountIdentifier(accountID), cloudflare.UpdateAuditSSHSettingsParams{PublicKey: sshSessionLogSettings.PublicKey}); err != nil {
+return diag.FromErr(fmt.Errorf("error updating SSH session account settings %q: %w", accountID, err))
+}
+}
+
 if payloadLogSettings != nil {
 if _, err := client.UpdateDLPPayloadLogSettings(ctx, cloudflare.AccountIdentifier(accountID), *payloadLogSettings); err != nil {
 return diag.FromErr(fmt.Errorf("error updating DLP Account configuration for account %q: %w", accountID, err))
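Review bot: `UpdateAuditSSHSettings` is only called when `sshSessionLogSettings != nil`, so removing the `ssh_session_log` block from configuration is a no-op against the API: the previously configured encryption key stays active server-side while Terraform reports the change as applied. If the API supports clearing the key, the nil case should send that reset; if it does not, the schema description should say the key cannot be unset through this resource. The acceptance test added in this commit covers only setting a key, not removing it, so this gap is not exercised. resourceCloudflareTeamsAccountUpdate starts and ends outside the hunk.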
@@ -379,6 +398,24 @@ func inflateDeviceSettings(device interface{}) *cloudflare.TeamsDeviceSettings {
 RootCertificateInstallationEnabled: deviceSettings["root_ca"].(bool),
 }
 }
+func flattenSSHSessionLogSettings(logSettings *cloudflare.AuditSSHSettings) []interface{} {
+return []interface{}{map[string]interface{}{
+"public_key": logSettings.PublicKey,
+}}
+}
+
+func inflateSSHSessionLogSettings(payloadLog interface{}) *cloudflare.AuditSSHSettings {
+payloadLogList := payloadLog.([]interface{})
+if len(payloadLogList) != 1 {
+return nil
+}
+
+payloadLogMap := payloadLogList[0].(map[string]interface{})
+publicKey := payloadLogMap["public_key"].(string)
+return &cloudflare.AuditSSHSettings{
+PublicKey: publicKey,
+}
+}
 
 func flattenPayloadLogSettings(payloadLogSettings *cloudflare.DLPPayloadLogSettings) []interface{} {
 return []interface{}{map[string]interface{}{
diff --git a/internal/sdkv2provider/resource_cloudflare_teams_accounts_test.go b/internal/sdkv2provider/resource_cloudflare_teams_accounts_test.go
index a3c1a3d5fc..ceba7a3435 100644
--- a/internal/sdkv2provider/resource_cloudflare_teams_accounts_test.go
+++ b/internal/sdkv2provider/resource_cloudflare_teams_accounts_test.go
@@ -53,6 +53,7 @@ func TestAccCloudflareTeamsAccounts_ConfigurationBasic(t *testing.T) {
 resource.TestCheckResourceAttr(name, "proxy.0.udp", "false"),
 resource.TestCheckResourceAttr(name, "proxy.0.root_ca", "true"),
 resource.TestCheckResourceAttr(name, "payload_log.0.public_key", "EmpOvSXw8BfbrGCi0fhGiD/3yXk2SiV1Nzg2lru3oj0="),
+resource.TestCheckResourceAttr(name, "ssh_session_log.0.public_key", "testvSXw8BfbrGCi0fhGiD/3yXk2SiV1Nzg2lru3oj0="),
 ),
 },
 },
@@ -106,6 +107,9 @@ resource "cloudflare_teams_account" "%[1]s" {
 }
 }
 }
+ssh_session_log {
+public_key = "testvSXw8BfbrGCi0fhGiD/3yXk2SiV1Nzg2lru3oj0="
+}
 payload_log {
 public_key = "EmpOvSXw8BfbrGCi0fhGiD/3yXk2SiV1Nzg2lru3oj0="
 }
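Review bot: `inflateSSHSessionLogSettings` relies on unchecked type assertions for `payloadLog.([]interface{})`, `payloadLogList[0].(map[string]interface{})` and `payloadLogMap["public_key"].(string)`; a nil list element, which SDKv2 can produce for a declared block in some configurations, would panic the provider instead of returning a diagnostic, and even with `public_key` marked Required the comma-ok form costs nothing. The parameter and locals are also named after the payload-log helper this was copied from, which misleads the reader about what is being inflated, and there is no blank line between the closing brace of `inflateDeviceSettings` and the new `flattenSSHSessionLogSettings`. The rewrite below keeps the same result for well-formed input and returns nil for anything malformed.
```go
func inflateSSHSessionLogSettings(sshSessionLog interface{}) *cloudflare.AuditSSHSettings {
	sshSessionLogList, ok := sshSessionLog.([]interface{})
	if !ok || len(sshSessionLogList) != 1 {
		return nil
	}

	sshSessionLogMap, ok := sshSessionLogList[0].(map[string]interface{})
	if !ok {
		return nil
	}
	// Schema declares public_key as TypeString; comma-ok only guards against a nil entry.
	publicKey, _ := sshSessionLogMap["public_key"].(string)
	return &cloudflare.AuditSSHSettings{
		PublicKey: publicKey,
	}
}
```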
diff --git a/internal/sdkv2provider/schema_cloudflare_teams_accounts.go b/internal/sdkv2provider/schema_cloudflare_teams_accounts.go
index dab78e2699..3336a62cd0 100644
--- a/internal/sdkv2provider/schema_cloudflare_teams_accounts.go
+++ b/internal/sdkv2provider/schema_cloudflare_teams_accounts.go
@@ -76,6 +76,15 @@ func resourceCloudflareTeamsAccountSchema() map[string]*schema.Schema {
 },
 Description: "Configuration block for specifying which protocols are proxied.",
 },
+"ssh_session_log": {
+Type: schema.TypeList,
+MaxItems: 1,
+Optional: true,
+Elem: &schema.Resource{
+Schema: sshSessionLogSchema,
+},
+Description: "Configuration for SSH Session Logging.",
+},
 "payload_log": {
 Type: schema.TypeList,
 MaxItems: 1,
@@ -232,6 +241,14 @@ var loggingEnabledSchema = map[string]*schema.Schema{
 },
 }
 
+var sshSessionLogSchema = map[string]*schema.Schema{
+"public_key": {
+Type: schema.TypeString,
+Required: true,
+Description: "Public key used to encrypt ssh session.",
+},
+}
+
 var payloadLogSchema = map[string]*schema.Schema{
 "public_key": {
 Type: schema.TypeString,
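Review bot: `sshSessionLogSchema["public_key"]` accepts any non-empty string, so a mistyped key is only rejected at apply time by the API, if at all; the test fixture looks base64-encoded, so if the key is indeed base64 a `ValidateFunc: validation.StringIsBase64,` on the attribute would catch obvious typos at plan time (this needs `helper/validation` imported in the file, which may already be the case). The description `Public key used to encrypt ssh session.` is imprecise, since the changelog frames this as an encryption key for session logging rather than for the session itself; `Description: "Public key used to encrypt SSH session logs."` would be clearer, and the format expectation belongs there too once confirmed.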