[ZT] Terraform examples (device enrollment, infra access) (#17936)

ranbel · jacobbednarz · web-flow · commit 08d4a710467d · 2024-11-14T11:29:16.000-05:00
* rename infrastructure access resource

* device enrollment examples

* Update src/content/partials/cloudflare-one/access/create-service-token.mdx

Co-authored-by: Jacob Bednarz &lt;jacob.bednarz@gmail.com&gt;

---------

Co-authored-by: Jacob Bednarz &lt;jacob.bednarz@gmail.com&gt;
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
@@ -79,11 +79,14 @@ import { Tabs, TabItem, Render } from "~/components"
 </TabItem>
 <TabItem label="Terraform">
 
-1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
 
 	```tf
 	resource "cloudflare_zero_trust_access_application" "infra-app" {
-		account_id = "f037e56e89293a057740de681ac9abbe"
+		account_id = var.cloudflare_account_id
 		name       = "Example infrastructure app"
 		type       = "infrastructure"
 
@@ -98,12 +101,12 @@ import { Tabs, TabItem, Render } from "~/components"
 	}
 	```
 
-2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
+3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
 
 	```tf
 	resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
 		application_id = cloudflare_zero_trust_access_application.infra-app.id
-		account_id = "f037e56e89293a057740de681ac9abbe"
+		account_id = var.cloudflare_account_id
 		name       = "Allow a specific email"
 		decision   = "allow"
 		precedence = 1
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -58,24 +58,27 @@ To create a new target:
 </TabItem>
 <TabItem label="Terraform">
 
-Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource:
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Teams Write`
 
-```tf
-resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
-  account_id = "f037e56e89293a057740de681ac9abbe"
-    hostname   = "infra-access-target"
-    ip = {
-			ipv4 = {
-         ip_addr = "187.26.29.249"
-         virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
-       }
-			ipv6 = {
-				ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
-				virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+2. Configure the [`cloudflare_zero_trust_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_infrastructure_access_target) resource:
+
+	```tf
+	resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
+		account_id = var.cloudflare_account_id
+			hostname   = "infra-access-target"
+			ip = {
+				ipv4 = {
+					ip_addr = "187.26.29.249"
+					virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+				}
+				ipv6 = {
+					ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
+					virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+				}
 			}
-    }
-}
-```
+	}
+	```
 
 </TabItem>
 </Tabs>
diff --git a/src/content/partials/cloudflare-one/access/create-service-token.mdx b/src/content/partials/cloudflare-one/access/create-service-token.mdx
@@ -3,6 +3,10 @@
 
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Service Auth** > **Service Tokens**.
 
 2. Select **Create Service Token**.
@@ -16,5 +20,47 @@
 6. Copy the Client Secret.
 
    :::caution
-   This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. 
+   This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.
    :::
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Service Tokens Write`
+
+2. Configure the [`cloudflare_zero_trust_access_service_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_service_token) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_access_service_token" "example_service_token" {
+		account_id = var.cloudflare_account_id
+		name       = "Example service token"
+		duration  = "8760h"
+		}
+		```
+
+3. Output the Client ID and Client Secret to the Terraform state file:
+
+		```tf
+		output "example_service_token_client_id" {
+			value     = cloudflare_zero_trust_access_service_token.example_service_token.client_id
+		}
+
+		output "example_service_token_client_secret" {
+			value     = cloudflare_zero_trust_access_service_token.example_service_token.client_secret
+			sensitive = true
+		}
+		```
+4. Apply the configuration:
+		```sh
+		terraform apply
+		```
+
+5. Read the Client ID and Client Secret:
+		```sh
+		terraform output -raw example_service_token_client_id
+		```
+		```sh
+		terraform output -raw example_service_token_client_secret
+		```
+
+</TabItem> </Tabs>
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
@@ -3,10 +3,12 @@
 
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip, Tabs, TabItem } from "~/components"
 
 To check for an mTLS certificate:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. [Add an mTLS certificate](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) to your account. You can generate a sample certificate using the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki).
 
 2. In **Associated hostnames**, enter your Zero Trust <GlossaryTooltip term="team domain">team domain</GlossaryTooltip>: `<team-name>.cloudflareaccess.com`
@@ -18,3 +20,49 @@ To check for an mTLS certificate:
    | Allow  | Require   | Common Name | `<CERT-COMMON-NAME>` |
 
 4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Mutual TLS Certificates Write`
+	- `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_mtls_certificate`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_mtls_certificate) resource to add an mTLS certificate to your account:
+
+	```tf
+	resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
+		account_id     = var.cloudflare_account_id
+		name           = "WARP enrollment mTLS cert"
+		certificate    = <<EOT
+		-----BEGIN CERTIFICATE-----
+		xxxx
+		xxxx
+		-----END CERTIFICATE-----
+		EOT
+		associated_hostnames = ["your-team-name.cloudflareaccess.com"]
+	}
+	```
+
+3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
+		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+		account_id     = var.cloudflare_account_id
+		name           = "Allow company emails"
+		decision       = "allow"
+		precedence     = 1
+
+		include {
+			email_domain = ["company.com"]
+		}
+
+		require {
+			common_names = ["Common name 1", "Common name 2"]
+		}
+	}
+	```
+
+4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+
+</TabItem> </Tabs>
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
@@ -3,6 +3,10 @@
 
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
 2. In **Device enrollment permissions**, select **Manage**.
 3. In the **Rules** tab, configure one or more [Access policies](/cloudflare-one/policies/access/) to define who can join their device. For example, you could allow all users with a company email address:
@@ -12,8 +16,45 @@
 
 :::note
 
-Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled. 
+Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled.
 :::
 
 4. In the **Authentication** tab, select the [identity providers](/cloudflare-one/identity/idp-integration/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/identity/one-time-pin/).
 5. Select **Save**.
+
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
+
+	```tf
+	resource "cloudflare_zero_trust_access_application" "warp_enrollment_app" {
+		account_id                = var.cloudflare_account_id
+		session_duration          = "18h"
+		name                      = "Warp device enrollment"
+		allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
+		auto_redirect_to_identity = true
+		type                      = "warp"
+		app_launcher_visible      = false
+	}
+	```
+
+3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to define enrollment permissions.
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
+		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+		account_id     = var.cloudflare_account_id
+		name           = "Allow company emails"
+		decision       = "allow"
+		precedence     = 1
+
+		include {
+			email_domain = ["company.com"]
+		}
+	}
+	```
+
+</TabItem> </Tabs>
diff --git a/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx b/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx
@@ -3,6 +3,10 @@
 
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token).
 
 2. Copy the token's **Client ID** and **Client Secret**.
@@ -17,4 +21,32 @@
    * `auth_client_id`: The **Client ID** of your service token.
    * `auth_client_secret`: The **Client Secret** of your service token.
 
+</TabItem> <TabItem label="Terraform">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+	- `Access: Apps and Policies Write`
+
+2. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token) and copy its **Client ID** and **Client Secret**.
+
+3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_service_token" {
+		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+		account_id     = var.cloudflare_account_id
+		name           = "Allow service token"
+		decision       = "non_identity"
+		precedence     = 2
+
+		include {
+			service_token = [cloudflare_zero_trust_access_service_token.example_service_token.id]
+		}
+	}
+	```
+4. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
+   * `auth_client_id`: The **Client ID** of your service token.
+   * `auth_client_secret`: The **Client Secret** of your service token.
+
+</TabItem> </Tabs>
+
 When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.
