Merge branch 'cloudflare:master' into master

.changelog/3358.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_access_policy: Fix forcing new access policies when account id is not set through import
+```

.changelog/3512.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_device_posture_rule: add ability to create client_certificate_v2 posture rule
+```

.changelog/3513.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_device_settings_policy: Add tunnel_protocol field for device policies
+```

.changelog/3563.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+cloudflare_zero_trust_risk_score_integration
+```

.changelog/3622.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+resource/cloud_connector_rules: register new resource for Cloud Connector API service
+```

.changelog/3674.txt

@@ -0,0 +1,3 @@
+```release-note:note
+resource/cloudflare_record: fix a bug that prematurely removed the ability to set the deprecated `value` field.
+```

.changelog/3699.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_record: refactor validation to use `ExactlyOneOf` instead of custom logic
+```

.changelog/3704.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/hyperdrive_config: use hyperdrive_config id when updating resource
+```

.changelog/3740.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_zero_trust_access_group: Fix false deprecation warnings
+```

.changelog/3745.txt

@@ -0,0 +1,3 @@
+```release-note:note
+resource/cloudflare_logpush_job: Deprecate `frequency` in favour of `max_upload_interval_seconds`
+```

.changelog/3764.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_device_posture_rule: Modify Tanium's eid_last_seen field to be relative instead of a timestamp value
+```

.changelog/3776.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_record: handle scenarios where `content` and `value` are both being set in state and erroneously always thinking the `content` field is the source of truth
+```

.goreleaser.yml

@@ -1,3 +1,4 @@
+version: 2
 builds:
   - env:
       # goreleaser does not work with CGO, it could also complicate
@@ -49,7 +50,7 @@ release:
 changelog:
   disable: true
 snapshot:
-  name_template: "{{.ShortCommit}}-dev"
+  version_template: "{{.ShortCommit}}-dev"
 
 announce:
   discord:

docs/resources/cloud_connector_rules.md

@@ -0,0 +1,61 @@
+---
+page_title: "cloudflare_cloud_connector_rules Resource - Cloudflare"
+subcategory: ""
+description: |-
+  The Cloud Connector Rules add link to doc resource allows you to create and manage cloud connector rules for a zone.
+---
+
+# cloudflare_cloud_connector_rules (Resource)
+
+The [Cloud Connector Rules](add link to doc) resource allows you to create and manage cloud connector rules for a zone.
+
+## Example Usage
+
+```terraform
+resource "cloudflare_cloud_connector_rules" "example" {
+  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
+
+  rules {
+    description = "connect aws bucket"
+    enabled     = true
+    expression  = "http.uri"
+    provider    = "aws_s3"
+    parameters {
+      host = "mystorage.s3.ams.amazonaws.com"
+    }
+  }
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `zone_id` (String) The zone identifier to target for the resource.
+
+### Optional
+
+- `rules` (Block Set) List of Cloud Connector Rules (see [below for nested schema](#nestedblock--rules))
+
+<a id="nestedblock--rules"></a>
+### Nested Schema for `rules`
+
+Required:
+
+- `expression` (String) Criteria for an HTTP request to trigger the cloud connector rule. Uses the Firewall Rules expression language based on Wireshark display filters.
+- `provider` (String) Type of provider. Available values: `aws_s3`, `cloudflare_r2`, `azure_storage`, `gcp_storage`
+
+Optional:
+
+- `description` (String) Brief summary of the cloud connector rule and its intended use.
+- `enabled` (Boolean) Whether the headers rule is active.
+- `parameters` (Block, Optional) Cloud Connector Rule Parameters (see [below for nested schema](#nestedblock--rules--parameters))
+
+<a id="nestedblock--rules--parameters"></a>
+### Nested Schema for `rules.parameters`
+
+Required:
+
+- `host` (String) Host parameter for cloud connector rule
+
+

docs/resources/device_posture_rule.md

@@ -40,7 +40,7 @@ resource "cloudflare_device_posture_rule" "eaxmple" {
 ### Required
 
 - `account_id` (String) The account identifier to target for the resource.
-- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`.
+- `type` (String) The device posture rule type. Available values: `serial_number`, `file`, `application`, `gateway`, `warp`, `domain_joined`, `os_version`, `disk_encryption`, `firewall`, `client_certificate`, `client_certificate_v2`, `workspace_one`, `unique_client_id`, `crowdstrike_s2s`, `sentinelone`, `kolide`, `tanium_s2s`, `intune`, `sentinelone_s2s`.
 
 ### Optional
 
@@ -63,19 +63,22 @@ Optional:
 - `active_threats` (Number) The number of active threats from SentinelOne.
 - `certificate_id` (String) The UUID of a Cloudflare managed certificate.
 - `check_disks` (Set of String) Specific volume(s) to check for encryption.
+- `check_private_key` (Boolean) Confirm the certificate was not imported from another device.
 - `cn` (String) The common name for a certificate.
 - `compliance_status` (String) The workspace one or intune device compliance status. `compliant` and `noncompliant` are values supported by both providers. `unknown`, `conflict`, `error`, `ingraceperiod` values are only supported by intune. Available values: `compliant`, `noncompliant`, `unknown`, `conflict`, `error`, `ingraceperiod`.
 - `connection_id` (String) The workspace one or intune connection id.
 - `count_operator` (String) The count comparison operator for kolide. Available values: `>`, `>=`, `<`, `<=`, `==`.
 - `domain` (String) The domain that the client must join.
-- `eid_last_seen` (String) The datetime a device last seen in RFC 3339 format from Tanium.
+- `eid_last_seen` (String) The time a device last seen in Tanium. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`.
 - `enabled` (Boolean) True if the firewall must be enabled.
 - `exists` (Boolean) Checks if the file should exist.
+- `extended_key_usage` (Set of String) List of values indicating purposes for which the certificate public key can be used. Available values: `clientAuth`, `emailProtection`.
 - `id` (String) The Teams List id. Required for `serial_number` and `unique_client_id` rule types.
 - `infected` (Boolean) True if SentinelOne device is infected.
 - `is_active` (Boolean) True if SentinelOne device is active.
 - `issue_count` (String) The number of issues for kolide.
 - `last_seen` (String) The duration of time that the host was last seen from Crowdstrike. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`.
+- `locations` (Block List) List of locations to check for client certificate posture check. (see [below for nested schema](#nestedblock--certificate_locations))
 - `network_status` (String) The network status from SentinelOne. Available values: `connected`, `disconnected`, `disconnecting`, `connecting`.
 - `operator` (String) The version comparison operator. Available values: `>`, `>=`, `<`, `<=`, `==`.
 - `os` (String) OS signal score from Crowdstrike. Value must be between 1 and 100.
@@ -103,6 +106,14 @@ Optional:
 
 - `platform` (String) The platform of the device. Available values: `windows`, `mac`, `linux`, `android`, `ios`, `chromeos`.
 
+<a id="nestedblock--certificate_locations"></a>
+### Nested Schema for `locations`
+
+Optional:
+
+- `paths` (Set of String) List of paths to check for client certificate.
+- `trust_stores` (Set of String) List of trust stores to check for client certificate. Available values: `system`, `user`.
+
 ## Import
 
 Import is supported using the following syntax:

docs/resources/device_settings_policy.md

@@ -31,6 +31,7 @@ resource "cloudflare_device_settings_policy" "developer_warp_policy" {
   service_mode_v2_mode  = "warp"
   service_mode_v2_port  = 3000
   exclude_office_ips    = false
+  tunnel_protocol       = "wireguard"
 }
 ```
 <!-- schema generated by tfplugindocs -->
@@ -59,6 +60,7 @@ resource "cloudflare_device_settings_policy" "developer_warp_policy" {
 - `service_mode_v2_port` (Number) The port to use for the proxy service mode. Required when using `service_mode_v2_mode`.
 - `support_url` (String) The support URL that will be opened when sending feedback.
 - `switch_locked` (Boolean) Enablement of the ZT client switch lock.
+- `tunnel_protocol` (String) Determines which tunnel protocol to use. Available values: `""`, `wireguard`, `masque`. Defaults to `wireguard`
 
 ### Read-Only
 

docs/resources/logpush_job.md

@@ -119,7 +119,7 @@ resource "cloudflare_logpush_job" "example_job" {
 - `account_id` (String) The account identifier to target for the resource. Must provide only one of `account_id`, `zone_id`.
 - `enabled` (Boolean) Whether to enable the job.
 - `filter` (String) Use filters to select the events to include and/or remove from your logs. For more information, refer to [Filters](https://developers.cloudflare.com/logs/reference/logpush-api-configuration/filters/).
-- `frequency` (String) A higher frequency will result in logs being pushed on faster with smaller files. `low` frequency will push logs less often with larger files. Available values: `high`, `low`. Defaults to `high`.
+- `frequency` (String, Deprecated) A higher frequency will result in logs being pushed on faster with smaller files. `low` frequency will push logs less often with larger files. Available values: `high`, `low`. Defaults to `high`.
 - `kind` (String) The kind of logpush job to create. Available values: `edge`, `instant-logs`, `""`.
 - `logpull_options` (String) Configuration string for the Logshare API. It specifies things like requested fields and timestamp formats. See [Logpush options documentation](https://developers.cloudflare.com/logs/logpush/logpush-configuration-api/understanding-logpush-api/#options).
 - `max_upload_bytes` (Number) The maximum uncompressed file size of a batch of logs. Value must be between 5MB and 1GB.

docs/resources/notification_policy_webhooks.md

@@ -36,7 +36,7 @@ resource "cloudflare_notification_policy_webhooks" "example" {
 
 - `created_at` (String) Timestamp of when the notification webhook was created.
 - `id` (String) The ID of this resource.
-- `last_failure` (String) Timestamp of when the notification webhook last faiuled.
+- `last_failure` (String) Timestamp of when the notification webhook last failed.
 - `last_success` (String) Timestamp of when the notification webhook was last successful.
 - `type` (String)
 

docs/resources/record.md

@@ -51,14 +51,14 @@ resource "cloudflare_record" "_sip_tls" {
 
 - `allow_overwrite` (Boolean) Allow creation of this record in Terraform to overwrite an existing record, if any. This does not affect the ability to update the record in Terraform and does not prevent other resources within Terraform or manual changes outside Terraform from overwriting this record. **This configuration is not recommended for most environments**. Defaults to `false`.
 - `comment` (String) Comments or notes about the DNS record. This field has no effect on DNS responses.
-- `content` (String) The content of the record. Conflicts with `data`.
-- `data` (Block List, Max: 1) Map of attributes that constitute the record value. Conflicts with `value`. (see [below for nested schema](#nestedblock--data))
+- `content` (String) The content of the record. Must provide only one of `data`, `content`, `value`.
+- `data` (Block List, Max: 1) Map of attributes that constitute the record value. Must provide only one of `data`, `content`, `value`. (see [below for nested schema](#nestedblock--data))
 - `priority` (Number) The priority of the record.
 - `proxied` (Boolean) Whether the record gets Cloudflare's origin protection.
 - `tags` (Set of String) Custom tags for the DNS record.
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
 - `ttl` (Number) The TTL of the record.
-- `value` (String, Deprecated) The value of the record. Conflicts with `data`.
+- `value` (String, Deprecated) The value of the record. Must provide only one of `data`, `content`, `value`.
 
 ### Read-Only
 

docs/resources/risk_score_integration.md

@@ -0,0 +1,32 @@
+---
+page_title: "cloudflare_zero_trust_risk_score_integration Resource - Cloudflare"
+subcategory: ""
+description: |-
+  The Risk Score Integration https://developers.cloudflare.com/cloudflare-one/insights/risk-score/#send-risk-score-to-okta resource allows you to transmit changes in User Risk Score to a specified vendor such as Okta.
+---
+
+# cloudflare_zero_trust_risk_score_integration (Resource)
+
+The [Risk Score Integration](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/#send-risk-score-to-okta) resource allows you to transmit changes in User Risk Score to a specified vendor such as Okta.
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `account_id` (String) The account identifier to target for the resource.
+- `integration_type` (String) The type of integration, e.g. 'Okta'. Full list of allowed values can be found here: https://developers.cloudflare.com/api/operations/dlp-zt-risk-score-integration-create#request-body
+- `tenant_url` (String) The base url of the tenant, e.g. 'https://tenant.okta.com'. Must be your Okta Tenant URL and not your custom domain.
+
+### Optional
+
+- `active` (Boolean) Whether this integration is enabled. If disabled, no risk changes will be exported to the third-party.
+- `reference_id` (String) A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). If omitted, a random UUIDv4 is used. https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider
+
+### Read-Only
+
+- `id` (String) The identifier of this resource.
+- `well_known_url` (String) The URL for the Shared Signals Framework configuration, e.g. '/.well-known/sse-configuration/{integration_uuid}/'. https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1
+
+

docs/resources/zero_trust_device_posture_rule.md

@@ -68,7 +68,7 @@ Optional:
 - `connection_id` (String) The workspace one or intune connection id.
 - `count_operator` (String) The count comparison operator for kolide. Available values: `>`, `>=`, `<`, `<=`, `==`.
 - `domain` (String) The domain that the client must join.
-- `eid_last_seen` (String) The datetime a device last seen in RFC 3339 format from Tanium.
+- `eid_last_seen` (String) The time a device last seen in Tanium. Must be in the format `1h` or `30m`. Valid units are `d`, `h` and `m`
 - `enabled` (Boolean) True if the firewall must be enabled.
 - `exists` (Boolean) Checks if the file should exist.
 - `id` (String) The Teams List id. Required for `serial_number` and `unique_client_id` rule types.

examples/resources/cloudflare_cloud_connector_rules/resource.tf

@@ -0,0 +1,13 @@
+resource "cloudflare_cloud_connector_rules" "example" {
+  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
+
+  rules {
+    description = "connect aws bucket"
+    enabled     = true
+    expression  = "http.uri"
+    provider    = "aws_s3"
+    parameters {
+      host = "mystorage.s3.ams.amazonaws.com"
+    }
+  }
+}

examples/resources/cloudflare_device_settings_policy/resource.tf

@@ -17,4 +17,5 @@ resource "cloudflare_device_settings_policy" "developer_warp_policy" {
   service_mode_v2_mode  = "warp"
   service_mode_v2_port  = 3000
   exclude_office_ips    = false
+  tunnel_protocol       = "wireguard"
 }

internal/framework/provider/provider.go

@@ -17,6 +17,7 @@ import (
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/muxclient"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/access_mutual_tls_hostname_settings"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/api_token_permissions_groups"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/cloud_connector_rules"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/d1"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/dlp_datasets"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/email_routing_address"
@@ -35,6 +36,7 @@ import (
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/workers_for_platforms_dispatch_namespace_deprecated"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/zero_trust_access_mtls_hostname_settings"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/zero_trust_risk_behavior"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/zero_trust_risk_score_integration"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/utils"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
@@ -362,6 +364,7 @@ func (p *CloudflareProvider) Configure(ctx context.Context, req provider.Configu
 
 func (p *CloudflareProvider) Resources(ctx context.Context) []func() resource.Resource {
 	return []func() resource.Resource{
+		cloud_connector_rules.NewResource,
 		d1.NewResource,
 		email_routing_address.NewResource,
 		email_routing_rule.NewResource,
@@ -376,6 +379,7 @@ func (p *CloudflareProvider) Resources(ctx context.Context) []func() resource.Re
 		zero_trust_access_mtls_hostname_settings.NewResource,
 		workers_for_platforms_dispatch_namespace_deprecated.NewResource,
 		workers_for_platforms_dispatch_namespace.NewResource,
+		zero_trust_risk_score_integration.NewResource,
 	}
 }
 

internal/framework/service/cloud_connector_rules/model.go

@@ -0,0 +1,20 @@
+package cloud_connector_rules
+
+import "github.com/hashicorp/terraform-plugin-framework/types"
+
+type CloudConnectorRules struct {
+	ZoneID types.String         `tfsdk:"zone_id"`
+	Rules  []CloudConnectorRule `tfsdk:"rules"`
+}
+
+type CloudConnectorRule struct {
+	Enabled     types.Bool                   `tfsdk:"enabled"`
+	Expression  types.String                 `tfsdk:"expression"`
+	Provider    types.String                 `tfsdk:"provider"`
+	Description types.String                 `tfsdk:"description"`
+	Parameters  CloudConnectorRuleParameters `tfsdk:"parameters"`
+}
+
+type CloudConnectorRuleParameters struct {
+	Host types.String `tfsdk:"host"`
+}