diff --git a/.changelog/3792.txt b/.changelog/3792.txt
new file mode 100644
index 0000000000..b3a6425c41
--- /dev/null
+++ b/.changelog/3792.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_group: Added description strings to all rule types
+```
diff --git a/docs/data-sources/device_posture_rules.md b/docs/data-sources/device_posture_rules.md
index c91a2e9645..963ef3ba3b 100644
--- a/docs/data-sources/device_posture_rules.md
+++ b/docs/data-sources/device_posture_rules.md
@@ -28,7 +28,7 @@ data "cloudflare_device_posture_rules" "example" {
### Optional
- `name` (String) Name of the Device Posture Rule.
-- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`.
+- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `client_certificate_v2`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`.
### Read-Only
diff --git a/docs/resources/access_group.md b/docs/resources/access_group.md
index e48313575d..74e54fae76 100644
--- a/docs/resources/access_group.md
+++ b/docs/resources/access_group.md
@@ -84,29 +84,29 @@ resource "cloudflare_access_group" "example" {
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--include--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `include.auth_context`
@@ -115,7 +115,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -124,7 +124,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -132,8 +132,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -141,9 +141,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -151,8 +151,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -160,8 +160,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -169,9 +169,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -180,29 +180,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `exclude.auth_context`
@@ -211,7 +211,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -220,7 +220,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -228,8 +228,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -237,9 +237,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -247,8 +247,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -256,8 +256,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -265,9 +265,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -276,29 +276,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--require--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `require.auth_context`
@@ -307,7 +307,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -316,7 +316,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -324,8 +324,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -333,9 +333,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -343,8 +343,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -352,8 +352,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -361,9 +361,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
## Import
diff --git a/docs/resources/access_policy.md b/docs/resources/access_policy.md
index 7f2f0e077c..ed247a374c 100644
--- a/docs/resources/access_policy.md
+++ b/docs/resources/access_policy.md
@@ -66,7 +66,7 @@ resource "cloudflare_access_policy" "test_policy" {
### Optional
-- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. **Modifying this attribute will force creation of a new resource.**
+- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`.
- `application_id` (String) The ID of the application the policy is associated with. Required when using `precedence`. **Modifying this attribute will force creation of a new resource.**
- `approval_group` (Block List) (see [below for nested schema](#nestedblock--approval_group))
- `approval_required` (Boolean)
@@ -77,7 +77,7 @@ resource "cloudflare_access_policy" "test_policy" {
- `purpose_justification_required` (Boolean) Whether to prompt the user for a justification for accessing the resource.
- `require` (Block List) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--require))
- `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`.
-- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`. **Modifying this attribute will force creation of a new resource.**
+- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.
### Read-Only
@@ -88,29 +88,29 @@ resource "cloudflare_access_policy" "test_policy" {
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--include--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `include.auth_context`
@@ -119,7 +119,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -128,7 +128,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -136,8 +136,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -145,9 +145,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -155,8 +155,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -164,8 +164,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -173,9 +173,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -197,29 +197,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `exclude.auth_context`
@@ -228,7 +228,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -237,7 +237,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -245,8 +245,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -254,9 +254,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -264,8 +264,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -273,8 +273,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -282,9 +282,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -293,29 +293,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--require--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `require.auth_context`
@@ -324,7 +324,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -333,7 +333,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -341,8 +341,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -350,9 +350,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -360,8 +360,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -369,8 +369,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -378,9 +378,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
## Import
diff --git a/docs/resources/device_posture_rule.md b/docs/resources/device_posture_rule.md
index d798ec44d4..a1a0edcc34 100644
--- a/docs/resources/device_posture_rule.md
+++ b/docs/resources/device_posture_rule.md
@@ -78,7 +78,7 @@ Optional:
- `is_active` (Boolean) True if SentinelOne device is active.
- `issue_count` (String) The number of issues for kolide.
- `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`.
-- `locations` (Block List) List of locations to check for client certificate posture check. (see [below for nested schema](#nestedblock--certificate_locations))
+- `locations` (Block List) List of operating system locations to check for a client certificate.. (see [below for nested schema](#nestedblock--input--locations))
- `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`.
- `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`.
- `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100.
@@ -96,23 +96,24 @@ Optional:
- `thumbprint` (String) The thumbprint of the file certificate.
- `total_score` (Number) The total score from Tanium.
- `version` (String) The operating system semantic version.
-- `version_operator` (String) The version comparison operator for crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`.
+- `version_operator` (String) The version comparison operator for Crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`.
-
-
-### Nested Schema for `match`
+
+### Nested Schema for `input.locations`
Optional:
-- `platform` (String) The platform of the device. Available values: `windows`, `mac`, `linux`, `android`, `ios`, `chromeos`.
+- `paths` (Set of String) List of paths to check for client certificate rule.
+- `trust_stores` (Set of String) List of trust stores to check for client certificate rule. Available values: `system`, `user`.
+
-
-### Nested Schema for `locations`
+
+
+### Nested Schema for `match`
Optional:
-- `paths` (Set of String) List of paths to check for client certificate.
-- `trust_stores` (Set of String) List of trust stores to check for client certificate. Available values: `system`, `user`.
+- `platform` (String) The platform of the device. Available values: `windows`, `mac`, `linux`, `android`, `ios`, `chromeos`.
## Import
diff --git a/docs/resources/device_settings_policy.md b/docs/resources/device_settings_policy.md
index 016c5da942..4eda80a635 100644
--- a/docs/resources/device_settings_policy.md
+++ b/docs/resources/device_settings_policy.md
@@ -60,7 +60,7 @@ resource "cloudflare_device_settings_policy" "developer_warp_policy" {
- `service_mode_v2_port` (Number) The port to use for the proxy service mode. Required when using `service_mode_v2_mode`.
- `support_url` (String) The support URL that will be opened when sending feedback.
- `switch_locked` (Boolean) Enablement of the ZT client switch lock.
-- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`
+- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`.
### Read-Only
diff --git a/docs/resources/zero_trust_access_group.md b/docs/resources/zero_trust_access_group.md
index b05f84fd37..cb78bb1f8a 100644
--- a/docs/resources/zero_trust_access_group.md
+++ b/docs/resources/zero_trust_access_group.md
@@ -84,29 +84,29 @@ resource "cloudflare_zero_trust_access_group" "example" {
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--include--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `include.auth_context`
@@ -115,7 +115,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -124,7 +124,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -132,8 +132,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -141,9 +141,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -151,8 +151,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -160,8 +160,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -169,9 +169,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -180,29 +180,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `exclude.auth_context`
@@ -211,7 +211,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -220,7 +220,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -228,8 +228,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -237,9 +237,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -247,8 +247,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -256,8 +256,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -265,9 +265,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -276,29 +276,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--require--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `require.auth_context`
@@ -307,7 +307,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -316,7 +316,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -324,8 +324,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -333,9 +333,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -343,8 +343,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -352,8 +352,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -361,9 +361,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
## Import
diff --git a/docs/resources/zero_trust_access_policy.md b/docs/resources/zero_trust_access_policy.md
index 1b912338d7..a250658754 100644
--- a/docs/resources/zero_trust_access_policy.md
+++ b/docs/resources/zero_trust_access_policy.md
@@ -66,7 +66,7 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" {
### Optional
-- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. **Modifying this attribute will force creation of a new resource.**
+- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`.
- `application_id` (String) The ID of the application the policy is associated with. Required when using `precedence`. **Modifying this attribute will force creation of a new resource.**
- `approval_group` (Block List) (see [below for nested schema](#nestedblock--approval_group))
- `approval_required` (Boolean)
@@ -77,7 +77,7 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" {
- `purpose_justification_required` (Boolean) Whether to prompt the user for a justification for accessing the resource.
- `require` (Block List) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--require))
- `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`.
-- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`. **Modifying this attribute will force creation of a new resource.**
+- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.
### Read-Only
@@ -88,29 +88,29 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" {
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--include--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `include.auth_context`
@@ -119,7 +119,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -128,7 +128,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -136,8 +136,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -145,9 +145,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -155,8 +155,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -164,8 +164,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -173,9 +173,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -197,29 +197,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `exclude.auth_context`
@@ -228,7 +228,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -237,7 +237,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -245,8 +245,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -254,9 +254,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -264,8 +264,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -273,8 +273,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -282,9 +282,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
@@ -293,29 +293,29 @@ Optional:
Optional:
-- `any_valid_service_token` (Boolean)
+- `any_valid_service_token` (Boolean) Matches any valid Access service token.
- `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context))
-- `auth_method` (String)
-- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure))
-- `certificate` (Boolean)
-- `common_name` (String)
+- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
+- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure))
+- `certificate` (Boolean) Matches any valid client certificate.
+- `common_name` (String) Matches a valid client certificate common name.
- `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field.
-- `device_posture` (List of String)
-- `email` (List of String)
-- `email_domain` (List of String)
-- `email_list` (List of String)
-- `everyone` (Boolean)
-- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation))
-- `geo` (List of String)
-- `github` (Block List) (see [below for nested schema](#nestedblock--require--github))
-- `group` (List of String)
-- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite))
+- `device_posture` (List of String) The ID of a device posture integration.
+- `email` (List of String) The email of the user.
+- `email_domain` (List of String) The email domain to match.
+- `email_list` (List of String) The ID of a previously created email list.
+- `everyone` (Boolean) Matches everyone.
+- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation))
+- `geo` (List of String) Matches a specific country.
+- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github))
+- `group` (List of String) The ID of a previously created Access group.
+- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite))
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
-- `ip_list` (List of String) The ID of an existing IP list to reference.
-- `login_method` (List of String)
-- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta))
-- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml))
-- `service_token` (List of String)
+- `ip_list` (List of String) The ID of a previously created IP list.
+- `login_method` (List of String) The ID of a configured identity provider.
+- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta))
+- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml))
+- `service_token` (List of String) The ID of an Access service token.
### Nested Schema for `require.auth_context`
@@ -324,7 +324,7 @@ Required:
- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -333,7 +333,7 @@ Required:
Optional:
- `id` (List of String) The ID of the Azure group or user.
-- `identity_provider_id` (String) The ID of the Azure Identity provider.
+- `identity_provider_id` (String) The ID of the Azure identity provider.
@@ -341,8 +341,8 @@ Optional:
Optional:
-- `evaluate_url` (String)
-- `keys_url` (String)
+- `evaluate_url` (String) The API endpoint containing your business logic.
+- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API.
@@ -350,9 +350,9 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (String)
-- `teams` (List of String)
+- `identity_provider_id` (String) The ID of your Github identity provider.
+- `name` (String) The name of the organization.
+- `teams` (List of String) The teams that should be matched.
@@ -360,8 +360,8 @@ Optional:
Optional:
-- `email` (List of String)
-- `identity_provider_id` (String)
+- `email` (List of String) The email of the Google Workspace group.
+- `identity_provider_id` (String) The ID of your Google Workspace identity provider.
@@ -369,8 +369,8 @@ Optional:
Optional:
-- `identity_provider_id` (String)
-- `name` (List of String)
+- `identity_provider_id` (String) The ID of your Okta identity provider.
+- `name` (List of String) The name of the Okta Group.
@@ -378,9 +378,9 @@ Optional:
Optional:
-- `attribute_name` (String)
-- `attribute_value` (String)
-- `identity_provider_id` (String)
+- `attribute_name` (String) The name of the SAML attribute.
+- `attribute_value` (String) The SAML attribute value to look for.
+- `identity_provider_id` (String) The ID of your SAML identity provider.
## Import
diff --git a/docs/resources/zero_trust_device_posture_rule.md b/docs/resources/zero_trust_device_posture_rule.md
index 510d43a9ad..03ed9341ae 100644
--- a/docs/resources/zero_trust_device_posture_rule.md
+++ b/docs/resources/zero_trust_device_posture_rule.md
@@ -40,7 +40,7 @@ resource "cloudflare_zero_trust_device_posture_rule" "eaxmple" {
### Required
- `account_id` (String) The account identifier to target for the resource.
-- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`.
+- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `client_certificate_v2`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`.
### Optional
@@ -63,19 +63,22 @@ Optional:
- `active_threats` (Number) The number of active threats from SentinelOne.
- `certificate_id` (String) The UUID of a Cloudflare managed certificate.
- `check_disks` (Set of String) Specific volume(s) to check for encryption.
+- `check_private_key` (Boolean) Confirm the certificate was not imported from another device.
- `cn` (String) The common name for a certificate.
- `compliance_status` (String) The workspace one or intune device compliance status. `compliant` and `noncompliant` are values supported by both providers. `unknown`, `conflict`, `error`, `ingraceperiod` values are only supported by intune. Available values: `compliant`, `noncompliant`, `unknown`, `conflict`, `error`, `ingraceperiod`.
- `connection_id` (String) The workspace one or intune connection id.
- `count_operator` (String) The count comparison operator for kolide. Available values: `>`, `>=`, `<`, `<=`, `==`.
- `domain` (String) The domain that the client must join.
-- `eid_last_seen` (String) The time a device last seen in Tanium. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`
+- `eid_last_seen` (String) The time a device last seen in Tanium. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`.
- `enabled` (Boolean) True if the firewall must be enabled.
- `exists` (Boolean) Checks if the file should exist.
+- `extended_key_usage` (Set of String) List of values indicating purposes for which the certificate public key can be used. Available values: `clientAuth`, `emailProtection`.
- `id` (String) The Teams List id. Required for `serial_number` and `unique_client_id` rule types.
- `infected` (Boolean) True if SentinelOne device is infected.
- `is_active` (Boolean) True if SentinelOne device is active.
- `issue_count` (String) The number of issues for kolide.
- `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`.
+- `locations` (Block List) List of operating system locations to check for a client certificate.. (see [below for nested schema](#nestedblock--input--locations))
- `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`.
- `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`.
- `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100.
@@ -93,7 +96,16 @@ Optional:
- `thumbprint` (String) The thumbprint of the file certificate.
- `total_score` (Number) The total score from Tanium.
- `version` (String) The operating system semantic version.
-- `version_operator` (String) The version comparison operator for crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`.
+- `version_operator` (String) The version comparison operator for Crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`.
+
+
+### Nested Schema for `input.locations`
+
+Optional:
+
+- `paths` (Set of String) List of paths to check for client certificate rule.
+- `trust_stores` (Set of String) List of trust stores to check for client certificate rule. Available values: `system`, `user`.
+
diff --git a/docs/resources/zero_trust_device_profiles.md b/docs/resources/zero_trust_device_profiles.md
index 4cd3c8388c..4d26262eb0 100644
--- a/docs/resources/zero_trust_device_profiles.md
+++ b/docs/resources/zero_trust_device_profiles.md
@@ -59,6 +59,7 @@ resource "cloudflare_zero_trust_device_profiles" "developer_warp_policy" {
- `service_mode_v2_port` (Number) The port to use for the proxy service mode. Required when using `service_mode_v2_mode`.
- `support_url` (String) The support URL that will be opened when sending feedback.
- `switch_locked` (Boolean) Enablement of the ZT client switch lock.
+- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`.
### Read-Only
diff --git a/docs/resources/risk_score_integration.md b/docs/resources/zero_trust_risk_score_integration.md
similarity index 100%
rename from docs/resources/risk_score_integration.md
rename to docs/resources/zero_trust_risk_score_integration.md
diff --git a/internal/sdkv2provider/schema_cloudflare_access_group.go b/internal/sdkv2provider/schema_cloudflare_access_group.go
index d9bd5ddd6e..95e083a10c 100644
--- a/internal/sdkv2provider/schema_cloudflare_access_group.go
+++ b/internal/sdkv2provider/schema_cloudflare_access_group.go
@@ -48,22 +48,25 @@ func resourceCloudflareAccessGroupSchema() map[string]*schema.Schema {
var AccessGroupOptionSchemaElement = &schema.Resource{
Schema: map[string]*schema.Schema{
"email": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The email of the user.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"email_domain": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The email domain to match.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"email_list": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The ID of a previously created email list.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
@@ -78,112 +81,130 @@ var AccessGroupOptionSchemaElement = &schema.Resource{
},
"ip_list": {
Type: schema.TypeList,
- Description: "The ID of an existing IP list to reference.",
+ Description: "The ID of a previously created IP list.",
Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"service_token": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The ID of an Access service token.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"any_valid_service_token": {
- Type: schema.TypeBool,
- Optional: true,
+ Type: schema.TypeBool,
+ Description: "Matches any valid Access service token.",
+ Optional: true,
},
"group": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The ID of a previously created Access group.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"everyone": {
- Type: schema.TypeBool,
- Optional: true,
+ Type: schema.TypeBool,
+ Description: "Matches everyone.",
+ Optional: true,
},
"certificate": {
- Type: schema.TypeBool,
- Optional: true,
+ Type: schema.TypeBool,
+ Description: "Matches any valid client certificate.",
+ Optional: true,
},
"common_name": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "Matches a valid client certificate common name.",
+ Optional: true,
},
"auth_method": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.",
+ Optional: true,
},
"geo": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Matches a specific country.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"login_method": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The ID of a configured identity provider.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"device_posture": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The ID of a device posture integration.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"gsuite": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Matches a group in Google Workspace. Requires a Google Workspace identity provider.",
+ Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"email": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The email of the Google Workspace group.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"identity_provider_id": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The ID of your Google Workspace identity provider.",
+ Optional: true,
},
},
},
},
"github": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Matches a Github organization. Requires a Github identity provider.",
+ Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"name": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The name of the organization.",
+ Optional: true,
},
"teams": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The teams that should be matched.",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"identity_provider_id": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The ID of your Github identity provider.",
+ Optional: true,
},
},
},
},
"azure": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Matches an Azure group. Requires an Azure identity provider.",
+ Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"id": {
@@ -196,63 +217,73 @@ var AccessGroupOptionSchemaElement = &schema.Resource{
},
"identity_provider_id": {
Type: schema.TypeString,
- Description: "The ID of the Azure Identity provider",
+ Description: "The ID of the Azure identity provider",
Optional: true,
},
},
},
},
"okta": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Matches an Okta group. Requires an Okta identity provider.",
+ Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"name": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The name of the Okta Group",
+ Optional: true,
Elem: &schema.Schema{
Type: schema.TypeString,
},
},
"identity_provider_id": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The ID of your Okta identity provider.",
+ Optional: true,
},
},
},
},
"saml": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Matches a SAML group. Requires a SAML identity provider.",
+ Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"attribute_name": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The name of the SAML attribute.",
+ Optional: true,
},
"attribute_value": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The SAML attribute value to look for.",
+ Optional: true,
},
"identity_provider_id": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The ID of your SAML identity provider.",
+ Optional: true,
},
},
},
},
"external_evaluation": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/",
+ Optional: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"evaluate_url": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The API endpoint containing your business logic.",
+ Optional: true,
},
"keys_url": {
- Type: schema.TypeString,
- Optional: true,
+ Type: schema.TypeString,
+ Description: "The API endpoint containing the key that Access uses to verify that the response came from your API.",
+ Optional: true,
},
},
},
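Review bot: The description strings added in this hunk are inconsistent about the trailing period: `"The name of the Okta Group"`, `"The ID of the Azure identity provider"` and the `external_evaluation` description end without one, while every neighbouring description in the same literal ends with `.`; judging from access_group.md in this commit the docs generator appears to append a period when it is missing, which for the `external_evaluation` string renders the URL followed by `/.`. Suggest `Description: "The name of the Okta group.",` (lower-case to match `Matches an Okta group.`), `Description: "The ID of the Azure identity provider.",` both here and at the same field in the later hunk at -272, and rewording the external-evaluation text to the pattern already used by `auth_method`, e.g. `Description: "Create Allow or Block policies which evaluate the user based on custom criteria. Refer to https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/ for details.",`. The `AccessGroupOptionSchemaElement` declaration begins and ends outside this hunk.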
@@ -272,7 +303,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{
},
"identity_provider_id": {
Type: schema.TypeString,
- Description: "The ID of the Azure Identity provider",
+ Description: "The ID of the Azure identity provider",
Required: true,
},
"ac_id": {
diff --git a/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go b/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go
index f14e7d0a1b..89d7a5acae 100644
--- a/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go
+++ b/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go
@@ -178,7 +178,7 @@ func resourceCloudflareDevicePostureRuleSchema() map[string]*schema.Schema {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringInSlice([]string{">", ">=", "<", "<=", "=="}, true),
- Description: fmt.Sprintf("The version comparison operator for crowdstrike. %s", renderAvailableDocumentationValuesStringSlice([]string{">", ">=", "<", "<=", "=="})),
+ Description: fmt.Sprintf("The version comparison operator for Crowdstrike. %s", renderAvailableDocumentationValuesStringSlice([]string{">", ">=", "<", "<=", "=="})),
},
"last_seen": {
Type: schema.TypeString,
@@ -287,7 +287,7 @@ func resourceCloudflareDevicePostureRuleSchema() map[string]*schema.Schema {
},
},
Optional: true,
- Description: "List of locations to check for client certificate.",
+ Description: "List of operating system locations to check for a client certificate..",
},
},
},
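Review bot: The replacement description on the added line ends with a doubled period, `...for a client certificate..`, and that typo is carried verbatim into the generated documentation (the `locations` entry of zero_trust_device_posture_rule.md in this same commit reads `certificate.. (see ...`). Change it to `Description: "List of operating system locations to check for a client certificate.",` and regenerate the docs so both files agree. The enclosing `locations` schema entry and `resourceCloudflareDevicePostureRuleSchema` begin outside the hunk.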