[ZT] Terraform local domain fallback (#22318)

* local domain fallback

* Apply suggestions from code review

Co-authored-by: Pedro Sousa <[email protected]>

---------

Co-authored-by: Pedro Sousa <[email protected]>

Author: ranbel

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx

@@ -39,20 +39,7 @@ Local Domain Fallback configuration only impacts where DNS requests get resolved
 
 ### Add a domain
 
-<Render file="warp/view-local-domains" product="cloudflare-one" />
-4\. In **Domain**, enter the domain that you want to exclude from Gateway. All
-prefixes under the domain are subject to the local domain fallback rule (in
-other words, `example.com` is interpreted as `*.example.com`).
-
-5. <Render file="warp/add-local-domain-ip" product="cloudflare-one" />
-
-6. Enter an optional description and select **Save domain**.
-
-7. DNS traffic to the local domain fallback server is routed according to your [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) configuration. To ensure that queries can reach your private DNS server:
-   - If your DNS server is only reachable outside of the WARP tunnel (for example, via a third-party VPN), [exclude](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) the server's IP.
-   - If your DNS server is only reachable through the WARP tunnel (for example, if it is connected to Cloudflare via `cloudflared` or Magic WAN), [include](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#add-a-route) the server's IP.
-
-[Learn more](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests) about how WARP handles DNS requests.
+<Render file="warp/add-local-domain" product="cloudflare-one" />
 
 ### Delete a domain
 

src/content/partials/cloudflare-one/warp/add-local-domain-IP.mdx

@@ -0,0 +1,119 @@
+---
+{}
+
+---
+
+import { Render, Tabs, TabItem } from "~/components"
+
+To add a domain to the Local Domain Fallback list:
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+<Render file="warp/view-local-domains" product="cloudflare-one" />
+
+4. In **Domain**, enter the apex domain (`example.com`) that you want to resolve using your private DNS server. All prefixes under the apex domain are subject to Local Domain Fallback (in other words, `example.com` is interpreted as `*.example.com`).
+
+5. In **DNS Servers**, enter the IP address of the DNS servers that should resolve that domain name.
+
+6. Enter an optional description and select **Save domain**.
+
+</TabItem> <TabItem label="Terraform (v5)">
+
+A Local Domain Fallback list is scoped to a specific [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/). If a device profile does not have a corresponding Local Domain Fallback resource, those devices will use the default local domains shown in Step 2.
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. (Optional) Create a list of domains that you can reuse across multiple device profiles. For example, you can declare a local value in the same module as your device profiles:
+
+	```tf title="local-domains.local.tf"
+	locals {
+		default_local_domains = [
+			# Default Local Domain Fallback entries recommended by Cloudflare
+	    {
+      suffix = "corp"
+    },
+    {
+      suffix = "domain"
+    },
+    {
+      suffix = "home"
+    },
+    {
+      suffix = "home.arpa"
+    },
+    {
+      suffix = "host"
+    },
+    {
+      suffix = "internal"
+    },
+    {
+      suffix = "intranet"
+    },
+    {
+      suffix = "invalid"
+    },
+    {
+      suffix = "lan"
+    },
+    {
+      suffix = "local"
+    },
+    {
+      suffix = "localdomain"
+    },
+    {
+      suffix = "localhost"
+    },
+    {
+      suffix = "private"
+    },
+    {
+      suffix = "test"
+    }
+		]
+	}
+	```
+4. To configure Local Domain Fallback for the default device profile, use the [`cloudflare_zero_trust_device_default_profile_local_domain_fallback`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile_local_domain_fallback) resource. To configure Local Domain Fallback for a custom device profile, use[`cloudflare_zero_trust_device_custom_profile_local_domain_fallback`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile_local_domain_fallback). For example:
+
+	```tf title="device-profiles.tf"
+	resource "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example" {
+		account_id = var.cloudflare_account_id
+		policy_id  = cloudflare_zero_trust_device_custom_profile.example.id
+		domains = concat(
+			# Global entries
+			local.default_local_domains,
+
+			# Profile-specific entries
+			[
+				{
+				suffix = "example.com"
+				description = "Domain for local development"
+				dns_server = ["1.1.1.1", "192.168.0.1"]
+				}
+			]
+		)
+	}
+	```
+
+For `suffix`, specify the apex domain (`example.com`) that you want to resolve using your private DNS server. All prefixes under the apex domain are subject to Local Domain Fallback (in other words, `example.com` is interpreted as `*.example.com`). For `dns_server`, enter the IP address of the DNS servers that should resolve that domain name.
+
+</TabItem>
+</Tabs>
+
+WARP tries all servers and always uses the fastest response, even if that response is `no records found`. We recommend specifying at least one DNS server for each domain. If a value is not specified, the WARP client will try to identify the DNS server (or servers) used on the device before it started, and use that server for each domain in the Local Domain Fallback list.
+
+### Route traffic to fallback server
+
+The WARP client routes DNS traffic to your [Local Domain Fallback server](#add-a-domain) according to your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/). To ensure that queries can reach your private DNS server:
+
+- If your DNS server is only reachable inside of the WARP tunnel (for example, via `cloudflared` or Magic WAN):
+
+   1. Go to **Networks** > **Routes** and verify that the DNS server is connected to Cloudflare. To connect a DNS server, refer to [Private networks](/cloudflare-one/connections/connect-networks/private-net/).
+
+   2. In your [Split Tunnel configuration](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/), verify that the DNS server IP routes through the WARP tunnel.
+
+- If your DNS server is only reachable outside of the WARP tunnel (for example, via a third-party VPN), verify that the DNS server IP is [excluded from the WARP tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/).
+
+For more information, refer to [How the WARP client handles DNS requests](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/#how-the-warp-client-handles-dns-requests).

src/content/partials/cloudflare-one/warp/add-local-domain.mdx

@@ -7,4 +7,4 @@
 
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to view or modify and select **Configure**.
 
-3. Scroll down to **Local Domain Fallback** and select **Manage**.
+3. Scroll down to **Local Domain Fallback** and select **Manage**.

src/content/partials/cloudflare-one/warp/view-local-domains.mdx

@@ -18,19 +18,7 @@ To learn more about how Local Domain Fallback works, refer to [How the WARP clie
 
 ### Add a domain
 
-To add a domain to the Local Domain Fallback list:
-
-<Render file="warp/view-local-domains" product="cloudflare-one" />
-
-4. In **Domain**, enter the apex domain (`example.com`) that you want to resolve using your private DNS server. All prefixes under the apex domain are subject to local domain fallback (in other words, `example.com` is interpreted as `*.example.com`).
-
-5. <Render file="warp/add-local-domain-ip" product="cloudflare-one" />
-
-6. Enter an optional description and select **Save domain**.
-
-7. Ensure that the WARP client can proxy DNS traffic to your private DNS server:
-   1. Go to **Networks** > **Routes** and verify that the DNS server is connected via Cloudflare Tunnel (either `cloudflared` or WARP Connector).
-   2. In your [Split Tunnel configuration](/learning-paths/replace-vpn/configure-device-agent/split-tunnel-settings/), verify that the DNS server IP routes through the WARP tunnel.
+<Render file="warp/add-local-domain" product="cloudflare-one" />
 
 ## Resolver policies