From ab3f8beb52594016fed4e9193f41268cd035bd5c Mon Sep 17 00:00:00 2001
From: James Royal
Date: Tue, 27 Aug 2024 10:40:07 -0500
Subject: [PATCH 1/2] Add descriptions for Access rules
---
 .changelog/3792.txt | 3 +
 docs/data-sources/device_posture_rules.md | 2 +-
 docs/resources/access_group.md | 192 ++++++++---------
 docs/resources/access_policy.md | 196 +++++++++---------
 docs/resources/device_posture_rule.md | 19 +-
 docs/resources/device_settings_policy.md | 2 +-
 docs/resources/zero_trust_access_group.md | 192 ++++++++---------
 docs/resources/zero_trust_access_policy.md | 196 +++++++++---------
 .../zero_trust_device_posture_rule.md | 16 +-
 docs/resources/zero_trust_device_profiles.md | 1 +
 ...d => zero_trust_risk_score_integration.md} | 0
 .../schema_cloudflare_access_group.go | 157 ++++++++------
 12 files changed, 512 insertions(+), 464 deletions(-)
 create mode 100644 .changelog/3792.txt
 rename docs/resources/{risk_score_integration.md => zero_trust_risk_score_integration.md} (100%)
diff --git a/.changelog/3792.txt b/.changelog/3792.txt
new file mode 100644
index 0000000000..b3a6425c41
--- /dev/null
+++ b/.changelog/3792.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_group: Added description strings to all rule types
+```
diff --git a/docs/data-sources/device_posture_rules.md b/docs/data-sources/device_posture_rules.md
index c91a2e9645..963ef3ba3b 100644
--- a/docs/data-sources/device_posture_rules.md
+++ b/docs/data-sources/device_posture_rules.md
@@ -28,7 +28,7 @@ data "cloudflare_device_posture_rules" "example" { ### Optional - `name` (String) Name of the Device Posture Rule. -- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`. +- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `client_certificate_v2`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`. ### Read-Only diff --git a/docs/resources/access_group.md b/docs/resources/access_group.md index e48313575d..daad9f8ceb 100644 --- a/docs/resources/access_group.md +++ b/docs/resources/access_group.md 
@@ -84,29 +84,29 @@ resource "cloudflare_access_group" "example" { Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--include--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `include.auth_context` @@ -132,8 +132,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -141,9 +141,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -151,8 +151,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -160,8 +160,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -169,9 +169,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -180,29 +180,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `exclude.auth_context` @@ -228,8 +228,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -237,9 +237,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -247,8 +247,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -256,8 +256,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -265,9 +265,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -276,29 +276,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--require--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `require.auth_context` @@ -324,8 +324,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -333,9 +333,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -343,8 +343,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -352,8 +352,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -361,9 +361,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. ## Import diff --git a/docs/resources/access_policy.md b/docs/resources/access_policy.md index 7f2f0e077c..f6e005ecfa 100644 --- a/docs/resources/access_policy.md +++ b/docs/resources/access_policy.md 
@@ -66,7 +66,7 @@ resource "cloudflare_access_policy" "test_policy" { ### Optional -- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. **Modifying this attribute will force creation of a new resource.** +- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. - `application_id` (String) The ID of the application the policy is associated with. Required when using `precedence`. **Modifying this attribute will force creation of a new resource.** - `approval_group` (Block List) (see [below for nested schema](#nestedblock--approval_group)) - `approval_required` (Boolean) @@ -77,7 +77,7 @@ resource "cloudflare_access_policy" "test_policy" { - `purpose_justification_required` (Boolean) Whether to prompt the user for a justification for accessing the resource. - `require` (Block List) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--require)) - `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. -- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`. **Modifying this attribute will force creation of a new resource.** +- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`. ### Read-Only 
@@ -88,29 +88,29 @@ resource "cloudflare_access_policy" "test_policy" { Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--include--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `include.auth_context` @@ -136,8 +136,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -145,9 +145,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -155,8 +155,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -164,8 +164,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -173,9 +173,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -197,29 +197,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `exclude.auth_context` @@ -245,8 +245,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -254,9 +254,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -264,8 +264,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -273,8 +273,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -282,9 +282,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -293,29 +293,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--require--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `require.auth_context` @@ -341,8 +341,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -350,9 +350,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -360,8 +360,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -369,8 +369,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -378,9 +378,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. ## Import diff --git a/docs/resources/device_posture_rule.md b/docs/resources/device_posture_rule.md index d798ec44d4..edbebfe157 100644 --- a/docs/resources/device_posture_rule.md +++ b/docs/resources/device_posture_rule.md 
@@ -78,7 +78,7 @@ Optional: - `is_active` (Boolean) True if SentinelOne device is active. - `issue_count` (String) The number of issues for kolide. - `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`. -- `locations` (Block List) List of locations to check for client certificate posture check. (see [below for nested schema](#nestedblock--certificate_locations)) +- `locations` (Block List) List of locations to check for client certificate. (see [below for nested schema](#nestedblock--input--locations)) - `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`. - `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`. - `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100. @@ -98,21 +98,22 @@ Optional: - `version` (String) The operating system semantic version. - `version_operator` (String) The version comparison operator for crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`. - - -### Nested Schema for `match` + +### Nested Schema for `input.locations` Optional: -- `platform` (String) The platform of the device. Available values: `windows`, `mac`, `linux`, `android`, `ios`, `chromeos`. +- `paths` (Set of String) List of paths to check for client certificate rule. +- `trust_stores` (Set of String) List of trust stores to check for client certificate rule. Available values: `system`, `user`. + - -### Nested Schema for `locations` + + +### Nested Schema for `match` Optional: -- `paths` (Set of String) List of paths to check for client certificate. -- `trust_stores` (Set of String) List of trust stores to check for client certificate. Available values: `system`, `user`. +- `platform` (String) The platform of the device. Available values: `windows`, `mac`, `linux`, `android`, `ios`, `chromeos`. ## Import 
diff --git a/docs/resources/device_settings_policy.md b/docs/resources/device_settings_policy.md
index 016c5da942..4eda80a635 100644
--- a/docs/resources/device_settings_policy.md
+++ b/docs/resources/device_settings_policy.md
@@ -60,7 +60,7 @@ resource "cloudflare_device_settings_policy" "developer_warp_policy" {
 - `service_mode_v2_port` (Number) The port to use for the proxy service mode. Required when using `service_mode_v2_mode`.
 - `support_url` (String) The support URL that will be opened when sending feedback.
 - `switch_locked` (Boolean) Enablement of the ZT client switch lock.
-- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`
+- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`.
 ### Read-Only
diff --git a/docs/resources/zero_trust_access_group.md b/docs/resources/zero_trust_access_group.md
index b05f84fd37..5868fc3b69 100644
--- a/docs/resources/zero_trust_access_group.md
+++ b/docs/resources/zero_trust_access_group.md
@@ -84,29 +84,29 @@ resource "cloudflare_zero_trust_access_group" "example" { Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--include--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `include.auth_context` @@ -132,8 +132,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -141,9 +141,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -151,8 +151,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -160,8 +160,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -169,9 +169,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -180,29 +180,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `exclude.auth_context` @@ -228,8 +228,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -237,9 +237,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -247,8 +247,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -256,8 +256,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -265,9 +265,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -276,29 +276,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--require--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `require.auth_context` @@ -324,8 +324,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -333,9 +333,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -343,8 +343,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -352,8 +352,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -361,9 +361,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. ## Import diff --git a/docs/resources/zero_trust_access_policy.md b/docs/resources/zero_trust_access_policy.md index 1b912338d7..a6b5f389be 100644 --- a/docs/resources/zero_trust_access_policy.md +++ b/docs/resources/zero_trust_access_policy.md 
@@ -66,7 +66,7 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" {
 ### Optional
-- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. **Modifying this attribute will force creation of a new resource.**
+- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`.
 - `application_id` (String) The ID of the application the policy is associated with. Required when using `precedence`. **Modifying this attribute will force creation of a new resource.**
 - `approval_group` (Block List) (see [below for nested schema](#nestedblock--approval_group))
 - `approval_required` (Boolean)
@@ -77,7 +77,7 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" {
 - `purpose_justification_required` (Boolean) Whether to prompt the user for a justification for accessing the resource.
 - `require` (Block List) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--require))
 - `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`.
-- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`. **Modifying this attribute will force creation of a new resource.**
+- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.
 ### Read-Only
@@ -88,29 +88,29 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" { Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--include--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--include--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--include--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--include--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--include--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `include.auth_context` @@ -136,8 +136,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -145,9 +145,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -155,8 +155,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -164,8 +164,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -173,9 +173,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -197,29 +197,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--exclude--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--exclude--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--exclude--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--exclude--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--exclude--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `exclude.auth_context` @@ -245,8 +245,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -254,9 +254,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -264,8 +264,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -273,8 +273,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -282,9 +282,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. 
@@ -293,29 +293,29 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) +- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) -- `auth_method` (String) -- `azure` (Block List) (see [below for nested schema](#nestedblock--require--azure)) -- `certificate` (Boolean) -- `common_name` (String) +- `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. +- `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) +- `certificate` (Boolean) Matches any valid client certificate. +- `common_name` (String) Matches a valid client certificate common name. - `common_names` (List of String) Overflow field if you need to have multiple common_name rules in a single policy. Use in place of the singular common_name field. -- `device_posture` (List of String) -- `email` (List of String) -- `email_domain` (List of String) -- `email_list` (List of String) -- `everyone` (Boolean) -- `external_evaluation` (Block List) (see [below for nested schema](#nestedblock--require--external_evaluation)) -- `geo` (List of String) -- `github` (Block List) (see [below for nested schema](#nestedblock--require--github)) -- `group` (List of String) -- `gsuite` (Block List) (see [below for nested schema](#nestedblock--require--gsuite)) +- `device_posture` (List of String) The ID of a device posture integration. +- `email` (List of String) The email of the user. +- `email_domain` (List of String) The email domain to match. +- `email_list` (List of String) The ID of a previously created email list. +- `everyone` (Boolean) Matches everyone. +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `geo` (List of String) Matches a specific country. +- `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) +- `group` (List of String) The ID of a previously created Access group. +- `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. -- `ip_list` (List of String) The ID of an existing IP list to reference. -- `login_method` (List of String) -- `okta` (Block List) (see [below for nested schema](#nestedblock--require--okta)) -- `saml` (Block List) (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) +- `ip_list` (List of String) The ID of a previously created IP list. +- `login_method` (List of String) The ID of a configured Identity Provider. +- `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) +- `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) +- `service_token` (List of String) The ID of a Service Token. ### Nested Schema for `require.auth_context` @@ -341,8 +341,8 @@ Optional: Optional: -- `evaluate_url` (String) -- `keys_url` (String) +- `evaluate_url` (String) The API endpoint containing your business logic. +- `keys_url` (String) The API endpoint containing the key that Access uses to verify that the response came from your API. 
@@ -350,9 +350,9 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (String) -- `teams` (List of String) +- `identity_provider_id` (String) The ID of your Github identity provider. +- `name` (String) The name of the organization. +- `teams` (List of String) The teams that should be matched. @@ -360,8 +360,8 @@ Optional: Optional: -- `email` (List of String) -- `identity_provider_id` (String) +- `email` (List of String) The email of the Google Workspace group. +- `identity_provider_id` (String) The ID of your Google Workspace identity provider. @@ -369,8 +369,8 @@ Optional: Optional: -- `identity_provider_id` (String) -- `name` (List of String) +- `identity_provider_id` (String) The ID of your Okta identity provider. +- `name` (List of String) The name of the Okta Group. @@ -378,9 +378,9 @@ Optional: Optional: -- `attribute_name` (String) -- `attribute_value` (String) -- `identity_provider_id` (String) +- `attribute_name` (String) The name of the SAML attribute. +- `attribute_value` (String) The SAML attribute value to look for. +- `identity_provider_id` (String) The ID of your SAML identity provider. ## Import diff --git a/docs/resources/zero_trust_device_posture_rule.md b/docs/resources/zero_trust_device_posture_rule.md index 510d43a9ad..5271c76aa4 100644 --- a/docs/resources/zero_trust_device_posture_rule.md +++ b/docs/resources/zero_trust_device_posture_rule.md 
@@ -40,7 +40,7 @@ resource "cloudflare_zero_trust_device_posture_rule" "eaxmple" { ### Required - `account_id` (String) The account identifier to target for the resource. -- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`. +- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `client_certificate_v2`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`. ### Optional 
@@ -63,19 +63,22 @@ Optional: - `active_threats` (Number) The number of active threats from SentinelOne. - `certificate_id` (String) The UUID of a Cloudflare managed certificate. - `check_disks` (Set of String) Specific volume(s) to check for encryption. +- `check_private_key` (Boolean) Confirm the certificate was not imported from another device. - `cn` (String) The common name for a certificate. - `compliance_status` (String) The workspace one or intune device compliance status. `compliant` and `noncompliant` are values supported by both providers. `unknown`, `conflict`, `error`, `ingraceperiod` values are only supported by intune. Available values: `compliant`, `noncompliant`, `unknown`, `conflict`, `error`, `ingraceperiod`. - `connection_id` (String) The workspace one or intune connection id. - `count_operator` (String) The count comparison operator for kolide. Available values: `>`, `>=`, `<`, `<=`, `==`. - `domain` (String) The domain that the client must join. -- `eid_last_seen` (String) The time a device last seen in Tanium. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m` +- `eid_last_seen` (String) The time a device last seen in Tanium. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`. - `enabled` (Boolean) True if the firewall must be enabled. - `exists` (Boolean) Checks if the file should exist. +- `extended_key_usage` (Set of String) List of values indicating purposes for which the certificate public key can be used. Available values: `clientAuth`, `emailProtection`. - `id` (String) The Teams List id. Required for `serial_number` and `unique_client_id` rule types. - `infected` (Boolean) True if SentinelOne device is infected. - `is_active` (Boolean) True if SentinelOne device is active. - `issue_count` (String) The number of issues for kolide. - `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`. 
+- `locations` (Block List) List of locations to check for client certificate. (see [below for nested schema](#nestedblock--input--locations)) - `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`. - `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`. - `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100. @@ -95,6 +98,15 @@ Optional: - `version` (String) The operating system semantic version. - `version_operator` (String) The version comparison operator for crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`. + +### Nested Schema for `input.locations` + +Optional: + +- `paths` (Set of String) List of paths to check for client certificate rule. +- `trust_stores` (Set of String) List of trust stores to check for client certificate rule. Available values: `system`, `user`. + + ### Nested Schema for `match` diff --git a/docs/resources/zero_trust_device_profiles.md b/docs/resources/zero_trust_device_profiles.md index 4cd3c8388c..4d26262eb0 100644 --- a/docs/resources/zero_trust_device_profiles.md +++ b/docs/resources/zero_trust_device_profiles.md @@ -59,6 +59,7 @@ resource "cloudflare_zero_trust_device_profiles" "developer_warp_policy" { - `service_mode_v2_port` (Number) The port to use for the proxy service mode. Required when using `service_mode_v2_mode`. - `support_url` (String) The support URL that will be opened when sending feedback. - `switch_locked` (Boolean) Enablement of the ZT client switch lock. +- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`. ### Read-Only diff --git a/docs/resources/risk_score_integration.md b/docs/resources/zero_trust_risk_score_integration.md similarity index 100% rename from docs/resources/risk_score_integration.md rename to docs/resources/zero_trust_risk_score_integration.md 
diff --git a/internal/sdkv2provider/schema_cloudflare_access_group.go b/internal/sdkv2provider/schema_cloudflare_access_group.go
index d9bd5ddd6e..cf7a519d98 100644
--- a/internal/sdkv2provider/schema_cloudflare_access_group.go
+++ b/internal/sdkv2provider/schema_cloudflare_access_group.go
@@ -48,22 +48,25 @@ func resourceCloudflareAccessGroupSchema() map[string]*schema.Schema {
 var AccessGroupOptionSchemaElement = &schema.Resource{
 Schema: map[string]*schema.Schema{
 "email": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The email of the user.",
+ Optional: true,
 Elem: &schema.Schema{
 Type: schema.TypeString,
 },
 },
 "email_domain": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The email domain to match.",
+ Optional: true,
 Elem: &schema.Schema{
 Type: schema.TypeString,
 },
 },
 "email_list": {
- Type: schema.TypeList,
- Optional: true,
+ Type: schema.TypeList,
+ Description: "The ID of a previously created email list.",
+ Optional: true,
 Elem: &schema.Schema{
 Type: schema.TypeString,
 },
@@ -78,112 +81,130 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "ip_list": { Type: schema.TypeList, - Description: "The ID of an existing IP list to reference.", + Description: "The ID of a previously created IP list.", Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "service_token": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The ID of a Service Token.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "any_valid_service_token": { - Type: schema.TypeBool, - Optional: true, + Type: schema.TypeBool, + Description: "Matches any valid Access Service Token.", + Optional: true, }, "group": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The ID of a previously created Access group.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "everyone": { - Type: schema.TypeBool, - Optional: true, + Type: schema.TypeBool, + Description: "Matches everyone.", + Optional: true, }, "certificate": { - Type: schema.TypeBool, - Optional: true, + Type: schema.TypeBool, + Description: "Matches any valid client certificate.", + Optional: true, }, "common_name": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "Matches a valid client certificate common name.", + Optional: true, }, "auth_method": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The type of authentication method. 
Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.", + Optional: true, }, "geo": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Matches a specific country.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "login_method": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The ID of a configured Identity Provider.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "device_posture": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The ID of a device posture integration.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "gsuite": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Matches a group in Google Workspace. Requires a Google Workspace identity provider.", + Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "email": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The email of the Google Workspace group.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "identity_provider_id": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The ID of your Google Workspace identity provider.", + Optional: true, }, }, }, }, "github": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Matches a Github organization. 
Requires a Github identity provider.", + Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "name": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The name of the organization.", + Optional: true, }, "teams": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The teams that should be matched.", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "identity_provider_id": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The ID of your Github identity provider.", + Optional: true, }, }, }, }, "azure": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Matches an Azure group. Requires an Azure identity provider.", + Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "id": { 
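Review bot: The new descriptions for the three broadest selectors in this hunk, `everyone`, `certificate` and `any_valid_service_token`, say what they match but not how wide the match is, and the same schema element appears to back the `include`, `exclude` and `require` blocks listed in the docs hunks. A reader choosing between `certificate` and `common_name`, or between `any_valid_service_token` and `service_token`, gets no hint that the first of each pair accepts any valid credential rather than a named one. I would extend the strings, for example `Description: "Matches any valid Access service token. Use service_token to match specific tokens instead."` and `Description: "Matches everyone; on its own in an include rule it places no restriction on identity."`. The exact reach of `everyone` is inferred from the selector name here and should be confirmed against the Access documentation before the wording is fixed. `AccessGroupOptionSchemaElement` starts before this hunk and continues past it.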
@@ -203,56 +224,66 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, }, "okta": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Matches an Okta group. Requires an Okta identity provider.", + Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "name": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "The name of the Okta Group", + Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, }, }, "identity_provider_id": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The ID of your Okta identity provider.", + Optional: true, }, }, }, }, "saml": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Matches a SAML group. Requires a SAML identity provider.", + Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "attribute_name": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The name of the SAML attribute.", + Optional: true, }, "attribute_value": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The SAML attribute value to look for.", + Optional: true, }, "identity_provider_id": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The ID of your SAML identity provider.", + Optional: true, }, }, }, }, "external_evaluation": { - Type: schema.TypeList, - Optional: true, + Type: schema.TypeList, + Description: "Create Allow or Block policies which evaluate the user based on custom criteria. 
https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation", + Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "evaluate_url": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The API endpoint containing your business logic.", + Optional: true, }, "keys_url": { - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Description: "The API endpoint containing the key that Access uses to verify that the response came from your API.", + Optional: true, }, }, }, From 2272b8c9d2b86161ae1d9282c463cb31708e8f3c Mon Sep 17 00:00:00 2001 From: James Royal Date: Tue, 27 Aug 2024 15:52:33 -0500 Subject: [PATCH 2/2] PR comment fixes --- docs/resources/access_group.md | 36 +++++++++---------- docs/resources/access_policy.md | 36 +++++++++---------- docs/resources/device_posture_rule.md | 4 +-- docs/resources/zero_trust_access_group.md | 36 +++++++++---------- docs/resources/zero_trust_access_policy.md | 36 +++++++++---------- .../zero_trust_device_posture_rule.md | 4 +-- .../schema_cloudflare_access_group.go | 12 +++---- .../schema_cloudflare_device_posture_rule.go | 4 +-- 8 files changed, 84 insertions(+), 84 deletions(-) diff --git a/docs/resources/access_group.md b/docs/resources/access_group.md index daad9f8ceb..74e54fae76 100644 --- a/docs/resources/access_group.md +++ b/docs/resources/access_group.md 
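Review bot: `evaluate_url` and `keys_url` under `external_evaluation` accept any string, while the `keys_url` description added here says Access uses the key served from that endpoint to verify that the response came from the caller's API. If the Access API does not already reject non-HTTPS endpoints, a plain-HTTP `keys_url` leaves the verification key open to substitution in transit, so I would validate both fields at plan time with `ValidateFunc: validation.IsURLWithHTTPS,` (from the SDK's `helper/validation` package, which needs importing if this file does not already do so). Separately, `"The name of the Okta Group"` lacks the closing period that the other Okta and SAML descriptions in this hunk carry; `"The name of the Okta group."` would match them. The enclosing `AccessGroupOptionSchemaElement` literal begins before the hunk.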
@@ -84,7 +84,7 @@ resource "cloudflare_access_group" "example" { Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) 
@@ -96,17 +96,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `include.auth_context` 
@@ -115,7 +115,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -124,7 +124,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -180,7 +180,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) 
@@ -192,17 +192,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `exclude.auth_context` 
@@ -211,7 +211,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -220,7 +220,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -276,7 +276,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) 
@@ -288,17 +288,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `require.auth_context` 
@@ -307,7 +307,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -316,7 +316,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. diff --git a/docs/resources/access_policy.md b/docs/resources/access_policy.md index f6e005ecfa..ed247a374c 100644 --- a/docs/resources/access_policy.md +++ b/docs/resources/access_policy.md @@ -88,7 +88,7 @@ resource "cloudflare_access_policy" "test_policy" { Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) 
@@ -100,17 +100,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `include.auth_context` 
@@ -119,7 +119,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -128,7 +128,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -197,7 +197,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) 
@@ -209,17 +209,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `exclude.auth_context` 
@@ -228,7 +228,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -237,7 +237,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -293,7 +293,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) 
@@ -305,17 +305,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `require.auth_context` 
@@ -324,7 +324,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -333,7 +333,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. diff --git a/docs/resources/device_posture_rule.md b/docs/resources/device_posture_rule.md index edbebfe157..a1a0edcc34 100644 --- a/docs/resources/device_posture_rule.md +++ b/docs/resources/device_posture_rule.md @@ -78,7 +78,7 @@ Optional: - `is_active` (Boolean) True if SentinelOne device is active. - `issue_count` (String) The number of issues for kolide. - `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`. -- `locations` (Block List) List of locations to check for client certificate. (see [below for nested schema](#nestedblock--input--locations)) +- `locations` (Block List) List of operating system locations to check for a client certificate.. (see [below for nested schema](#nestedblock--input--locations)) - `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`. - `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`. - `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100. 
@@ -96,7 +96,7 @@ Optional: - `thumbprint` (String) The thumbprint of the file certificate. - `total_score` (Number) The total score from Tanium. - `version` (String) The operating system semantic version. -- `version_operator` (String) The version comparison operator for crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`. +- `version_operator` (String) The version comparison operator for Crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`. ### Nested Schema for `input.locations` diff --git a/docs/resources/zero_trust_access_group.md b/docs/resources/zero_trust_access_group.md index 5868fc3b69..cb78bb1f8a 100644 --- a/docs/resources/zero_trust_access_group.md +++ b/docs/resources/zero_trust_access_group.md @@ -84,7 +84,7 @@ resource "cloudflare_zero_trust_access_group" "example" { Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) 
@@ -96,17 +96,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `include.auth_context` 
@@ -115,7 +115,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -124,7 +124,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -180,7 +180,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) 
@@ -192,17 +192,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `exclude.auth_context` 
@@ -211,7 +211,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -220,7 +220,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -276,7 +276,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) 
@@ -288,17 +288,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `require.auth_context` 
@@ -307,7 +307,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -316,7 +316,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. diff --git a/docs/resources/zero_trust_access_policy.md b/docs/resources/zero_trust_access_policy.md index a6b5f389be..a250658754 100644 --- a/docs/resources/zero_trust_access_policy.md +++ b/docs/resources/zero_trust_access_policy.md @@ -88,7 +88,7 @@ resource "cloudflare_zero_trust_access_policy" "test_policy" { Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--include--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--include--azure)) 
@@ -100,17 +100,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--include--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--include--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--include--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--include--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--include--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--include--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `include.auth_context` 
@@ -119,7 +119,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -128,7 +128,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -197,7 +197,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--exclude--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--exclude--azure)) 
@@ -209,17 +209,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--exclude--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--exclude--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--exclude--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--exclude--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--exclude--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `exclude.auth_context` 
@@ -228,7 +228,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -237,7 +237,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -293,7 +293,7 @@ Optional: Optional: -- `any_valid_service_token` (Boolean) Matches any valid Access Service Token. +- `any_valid_service_token` (Boolean) Matches any valid Access service token. - `auth_context` (Block List) (see [below for nested schema](#nestedblock--require--auth_context)) - `auth_method` (String) The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types. - `azure` (Block List) Matches an Azure group. Requires an Azure identity provider. (see [below for nested schema](#nestedblock--require--azure)) 
@@ -305,17 +305,17 @@ Optional: - `email_domain` (List of String) The email domain to match. - `email_list` (List of String) The ID of a previously created email list. - `everyone` (Boolean) Matches everyone. -- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation. (see [below for nested schema](#nestedblock--require--external_evaluation)) +- `external_evaluation` (Block List) Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/. (see [below for nested schema](#nestedblock--require--external_evaluation)) - `geo` (List of String) Matches a specific country. - `github` (Block List) Matches a Github organization. Requires a Github identity provider. (see [below for nested schema](#nestedblock--require--github)) - `group` (List of String) The ID of a previously created Access group. - `gsuite` (Block List) Matches a group in Google Workspace. Requires a Google Workspace identity provider. (see [below for nested schema](#nestedblock--require--gsuite)) - `ip` (List of String) An IPv4 or IPv6 CIDR block. - `ip_list` (List of String) The ID of a previously created IP list. -- `login_method` (List of String) The ID of a configured Identity Provider. +- `login_method` (List of String) The ID of a configured identity provider. - `okta` (Block List) Matches an Okta group. Requires an Okta identity provider. (see [below for nested schema](#nestedblock--require--okta)) - `saml` (Block List) Matches a SAML group. Requires a SAML identity provider. (see [below for nested schema](#nestedblock--require--saml)) -- `service_token` (List of String) The ID of a Service Token. +- `service_token` (List of String) The ID of an Access service token. ### Nested Schema for `require.auth_context` 
@@ -324,7 +324,7 @@ Required: - `ac_id` (String) The ACID of the Authentication Context. - `id` (String) The ID of the Authentication Context. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. @@ -333,7 +333,7 @@ Required: Optional: - `id` (List of String) The ID of the Azure group or user. -- `identity_provider_id` (String) The ID of the Azure Identity provider. +- `identity_provider_id` (String) The ID of the Azure identity provider. diff --git a/docs/resources/zero_trust_device_posture_rule.md b/docs/resources/zero_trust_device_posture_rule.md index 5271c76aa4..03ed9341ae 100644 --- a/docs/resources/zero_trust_device_posture_rule.md +++ b/docs/resources/zero_trust_device_posture_rule.md @@ -78,7 +78,7 @@ Optional: - `is_active` (Boolean) True if SentinelOne device is active. - `issue_count` (String) The number of issues for kolide. - `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`. -- `locations` (Block List) List of locations to check for client certificate. (see [below for nested schema](#nestedblock--input--locations)) +- `locations` (Block List) List of operating system locations to check for a client certificate.. (see [below for nested schema](#nestedblock--input--locations)) - `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`. - `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`. - `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100. 
@@ -96,7 +96,7 @@ Optional: - `thumbprint` (String) The thumbprint of the file certificate. - `total_score` (Number) The total score from Tanium. - `version` (String) The operating system semantic version. -- `version_operator` (String) The version comparison operator for crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`. +- `version_operator` (String) The version comparison operator for Crowdstrike. Available values: `>`, `>=`, `<`, `<=`, `==`. ### Nested Schema for `input.locations` diff --git a/internal/sdkv2provider/schema_cloudflare_access_group.go b/internal/sdkv2provider/schema_cloudflare_access_group.go index cf7a519d98..95e083a10c 100644 --- a/internal/sdkv2provider/schema_cloudflare_access_group.go +++ b/internal/sdkv2provider/schema_cloudflare_access_group.go @@ -89,7 +89,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "service_token": { Type: schema.TypeList, - Description: "The ID of a Service Token.", + Description: "The ID of an Access service token.", Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, @@ -97,7 +97,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "any_valid_service_token": { Type: schema.TypeBool, - Description: "Matches any valid Access Service Token.", + Description: "Matches any valid Access service token.", Optional: true, }, "group": { @@ -138,7 +138,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "login_method": { Type: schema.TypeList, - Description: "The ID of a configured Identity Provider.", + Description: "The ID of a configured identity provider.", Optional: true, Elem: &schema.Schema{ Type: schema.TypeString, @@ -217,7 +217,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "identity_provider_id": { Type: schema.TypeString, - Description: "The ID of the Azure Identity provider", + Description: "The ID of the Azure identity provider", Optional: true, }, }, 
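Review bot: The reworded description for `any_valid_service_token` in the `@@ -97,7 +97,7 @@` hunk still does not say how broad the selector is. As far as I know it accepts a request presenting any service token issued in the account rather than a specific one, so in an `include` rule it admits every token holder. I would spell that out, for example `Description: "Matches any valid Access service token in the account. Use service_token to restrict access to specific tokens.",`, after confirming the account-wide scope against the Access documentation. The enclosing `AccessGroupOptionSchemaElement` literal starts and ends outside this hunk.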
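Review bot: In the `@@ -217,7 +217,7 @@` hunk the Azure `identity_provider_id` description ends without a full stop (`"The ID of the Azure identity provider"`), while the neighbouring descriptions reworded in this commit (`service_token`, `any_valid_service_token`, `login_method`) end with one. The `auth_context` copy in the `@@ -303,7 +303,7 @@` hunk has the same gap. The generated docs in this patch show a trailing period, so the generator presumably adds it and this is only source consistency: `Description: "The ID of the Azure identity provider.",`.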
@@ -271,7 +271,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "external_evaluation": { Type: schema.TypeList, - Description: "Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/learning-paths/zero-trust-web-access/advanced-workflows/external-evaluation", + Description: "Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/", Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ @@ -303,7 +303,7 @@ var AccessGroupOptionSchemaElement = &schema.Resource{ }, "identity_provider_id": { Type: schema.TypeString, - Description: "The ID of the Azure Identity provider", + Description: "The ID of the Azure identity provider", Required: true, }, "ac_id": { diff --git a/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go b/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go index f14e7d0a1b..89d7a5acae 100644 --- a/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go +++ b/internal/sdkv2provider/schema_cloudflare_device_posture_rule.go @@ -178,7 +178,7 @@ func resourceCloudflareDevicePostureRuleSchema() map[string]*schema.Schema { Type: schema.TypeString, Optional: true, ValidateFunc: validation.StringInSlice([]string{">", ">=", "<", "<=", "=="}, true), - Description: fmt.Sprintf("The version comparison operator for crowdstrike. %s", renderAvailableDocumentationValuesStringSlice([]string{">", ">=", "<", "<=", "=="})), + Description: fmt.Sprintf("The version comparison operator for Crowdstrike. %s", renderAvailableDocumentationValuesStringSlice([]string{">", ">=", "<", "<=", "=="})), }, "last_seen": { Type: schema.TypeString, 
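Review bot: In the `@@ -178,7 +178,7 @@` hunk of `schema_cloudflare_device_posture_rule.go`, `version_operator` spells out the operator list twice, once for `validation.StringInSlice` and once for `renderAvailableDocumentationValuesStringSlice`. The documented values can therefore drift from the validated ones if only one literal is edited. Since this line is being touched anyway, I would hoist the list into one package-level variable, e.g. `var versionOperators = []string{">", ">=", "<", "<=", "=="}`, and pass it to both calls. The generated docs list the same values for `operator`, which could presumably share it. `resourceCloudflareDevicePostureRuleSchema` starts and ends outside this hunk.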
@@ -287,7 +287,7 @@ func resourceCloudflareDevicePostureRuleSchema() map[string]*schema.Schema { }, }, Optional: true, - Description: "List of locations to check for client certificate.", + Description: "List of operating system locations to check for a client certificate..", }, }, },
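Review bot: The new `locations` description ends in a double period (`"...to check for a client certificate.."`). The typo is already visible in the regenerated `docs/resources/device_posture_rule.md` and `docs/resources/zero_trust_device_posture_rule.md` in this same patch. The line should read `Description: "List of operating system locations to check for a client certificate.",`, and the docs should be regenerated afterwards. The enclosing schema map starts outside this hunk.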