Commit 7c6eea2

[ZT] Terraform Gateway settings (cloudflare#22334)
* gateway proxy * tls decryption * resolver policy
1 parent 76a7bb2 commit 7c6eea2

3 files changed

+81
-0
lines changed

src/content/partials/cloudflare-one/gateway/create-resolver-policy.mdx

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,10 @@
22
{}
33
---
44

5+
import { TabItem, Tabs } from "~/components";
6+
7+
<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
8+
59
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Gateway** > **Resolver policies**.
610
2. Select **Add a policy**.
711
3. Create an expression for your desired traffic. For example, you can resolve a hostname for an internal service:
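Review bot: style point on the added line `<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">`: both opening tags sit on one line while the matching `</TabItem>` and `</Tabs>` (added in the next hunk of this file) each get their own line, which makes the nesting harder to follow; put `<Tabs syncKey="dashPlusAPI">` and `<TabItem label="Dashboard">` on separate lines. Because the closing tags only appear in the second hunk, the unchanged dashboard steps between the two hunks are now rendered inside the Dashboard tab; please check the rendered page to confirm none of that middle section was meant to stay outside the tabs.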
@@ -23,6 +27,48 @@
2327

2428
Custom resolvers are saved to your account for future use. You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.
2529

30+
</TabItem>
31+
<TabItem label="Terraform (v5)">
32+
33+
1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
34+
- `Zero Trust Write`
35+
36+
2. Create a resolver policy using the [`cloudflare_zero_trust_gateway_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy) resource:
37+
38+
```tf
39+
resource "cloudflare_zero_trust_gateway_policy" "resolver_policy" {
40+
name = "Example resolver policy"
41+
enabled = true
42+
account_id = var.cloudflare_account_id
43+
description = "TERRAFORM MANAGED resolver policy"
44+
action = "resolve"
45+
traffic = "dns.fqdn in {\"internal.example.com\"}"
46+
identity = "identity.email in {\"[email protected]\"}"
47+
precedence = 1
48+
rule_settings = {
49+
dns_resolvers = {
50+
# You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.
51+
ipv4 = [{
52+
ip = "192.0.2.24"
53+
port = 53
54+
route_through_private_network = true
55+
vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
56+
}]
57+
ipv6 = [{
58+
ip = "2001:DB8::"
59+
port = 53
60+
route_through_private_network = true
61+
vnet_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id
62+
}]
63+
}
64+
}
65+
}
66+
```
67+
68+
69+
</TabItem>
70+
</Tabs>
71+
2672
When a user's query matches a resolver policy, Gateway will send the query to your listed resolvers in the following order:
2773

2874
1. Public resolvers
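Review bot: the Terraform example references `cloudflare_zero_trust_tunnel_cloudflared_virtual_network.staging_vnet.id` in both `vnet_id` lines, but that resource is not defined anywhere in the snippet, so a reader who copies the block as shown gets an undefined-resource error at plan time. Either add the `cloudflare_zero_trust_tunnel_cloudflared_virtual_network` resource block to the example or state in step 2 that the virtual network must already be managed in the same configuration. The same applies to `var.cloudflare_account_id`, which all three snippets in this commit use without declaring. A smaller point: the comment `# You can add up to 10 IPv4 and 10 IPv6 addresses to a policy.` repeats the sentence already in the Dashboard tab two lines above the Terraform tab; keeping it in only one place avoids the two drifting apart.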

src/content/partials/cloudflare-one/gateway/enable-tls-decryption.mdx

Lines changed: 25 additions & 0 deletions
@@ -2,5 +2,30 @@
22
{}
33
---
44

5+
import { TabItem, Tabs } from "~/components";
6+
7+
<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
8+
59
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Network**.
610
2. In **Firewall**, turn on **TLS decryption**.
11+
12+
</TabItem>
13+
<TabItem label="Terraform (v5)">
14+
15+
1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
16+
- `Zero Trust Write`
17+
18+
2. Configure the `tls_decrypt` argument in [`cloudflare_zero_trust_gateway_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_settings):
19+
20+
```tf
21+
resource "cloudflare_zero_trust_gateway_settings" "team_name" {
22+
account_id = var.cloudflare_account_id
23+
settings = {
24+
tls_decrypt = {
25+
enabled = true
26+
}
27+
}
28+
}
29+
```
30+
</TabItem>
31+
</Tabs>
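Review bot: the resource label `team_name` in `resource "cloudflare_zero_trust_gateway_settings" "team_name"` does not describe what the block manages (the account's Gateway settings, here the `tls_decrypt` flag) and reads like a leftover from another example; rename it to something like `gateway_settings` so the resource address is meaningful in plans and state. It would also help the reader if step 2 said in one sentence what `enabled = true` does, mirroring the Dashboard tab's "turn on **TLS decryption**", since the Terraform tab currently shows the flag with no explanation of its effect.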

src/content/partials/cloudflare-one/tunnel/enable-gateway-proxy.mdx

Lines changed: 10 additions & 0 deletions
@@ -4,10 +4,20 @@
44

55
import { Tabs, TabItem } from "~/components";
66

7+
<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
8+
79
1. Go to **Settings** > **Network**.
810
2. In **Firewall**, turn on **Proxy**.
911
3. Select **TCP**.
1012
4. (Recommended) To proxy traffic to internal DNS resolvers, select **UDP**.
1113
5. (Recommended) To proxy traffic for diagnostic tools such as `ping` and `traceroute`, select **ICMP**. You may also need to [update your system](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/common-errors/#ping-and-traceroute-commands-do-not-work) to allow ICMP traffic through `cloudflared`.
1214

15+
</TabItem>
16+
<TabItem label="Terraform (v5)">
17+
18+
Proxy settings are not currently supported by the Terraform v5 provider (as of version 5.3.0). To turn on the Gateway proxy, use the dashboard or API.
19+
20+
</TabItem>
21+
</Tabs>
22+
1323
Cloudflare will now proxy traffic from enrolled devices, except for the traffic excluded in your [split tunnel settings](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#3-route-private-network-ips-through-warp). For more information on how Gateway forwards traffic, refer to [Gateway proxy](/cloudflare-one/policies/gateway/proxy/).
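Review bot: the new Terraform tab says proxy settings are not supported by the v5 provider "as of version 5.3.0" and tells the reader to "use the dashboard or API", but links neither; add a link to the relevant API reference (or at least point at the Dashboard tab beside it) so the Terraform reader has a path forward. Because the sentence is version-pinned, it will need revisiting once the provider gains proxy support; an MDX comment next to it noting the provider version to recheck would make that easier to find. Minor: this file imports `{ Tabs, TabItem }` while the other two files in this commit import `{ TabItem, Tabs }`; consistent ordering is nicer but not blocking.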
