[ZT] Terraform split tunnels (#22277)

ranbel · web-flow · commit 22b4647fbe9a · 2025-05-08T15:40:39.000-04:00
* split tunnel mode

* add split tunnel route
diff --git a/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx b/src/content/partials/cloudflare-one/warp/add-split-tunnels-route.mdx
@@ -4,6 +4,8 @@
 
 import { GlossaryTooltip, TabItem, Tabs, Render } from "~/components";
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
 3. Under **Split Tunnels**, check whether your [Split Tunnels mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#change-split-tunnels-mode) is set to **Exclude** or **Include**.
@@ -33,6 +35,107 @@ import { GlossaryTooltip, TabItem, Tabs, Render } from "~/components";
 
 		</TabItem> </Tabs>
 
+</TabItem> <TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/#create-a-new-profile).
+
+3. (Optional) Create a list of split tunnel routes that you can reuse across multiple device profiles. For example, you can declare a local value in the same module as your device profiles:
+
+	```tf title="split-tunnels.local.tf"
+	locals {
+		global_exclude_list = [
+			# Default Split Tunnel entries recommended by Cloudflare
+			{
+				address     = "ff05::/16"
+			},
+			{
+				address     = "ff04::/16"
+			},
+			{
+				address     = "ff03::/16"
+			},
+			{
+				address     = "ff02::/16"
+			},
+			{
+				address     = "ff01::/16"
+			},
+			{
+				address     = "fe80::/10"
+				description = "IPv6 Link Local"
+			},
+			{
+				address     = "fd00::/8"
+			},
+			{
+				address     = "255.255.255.255/32"
+				description = "DHCP Broadcast"
+			},
+			{
+				address     = "240.0.0.0/4"
+			},
+			{
+				address     = "224.0.0.0/24"
+			},
+			{
+				address     = "192.168.0.0/16"
+			},
+			{
+				address     = "192.0.0.0/24"
+			},
+			{
+				address     = "172.16.0.0/12"
+			},
+			{
+				address     = "169.254.0.0/16"
+				description = "DHCP Unspecified"
+			},
+			{
+				address     = "100.64.0.0/10"
+			},
+			{
+				address     = "10.0.0.0/8"
+			}
+		]
+	}
+	```
+4. In the device profile, exclude or include routes based on either their IP address or domain:
+
+	```tf title="device-profiles.tf"
+	resource "cloudflare_zero_trust_device_custom_profile" "example" {
+		account_id            = var.cloudflare_account_id
+		name                  = "Example custom profile with split tunnels"
+		enabled               = true
+		precedence            = 101
+		service_mode_v2       = {mode = "warp"}
+		match                 =  "identity.email == \"test@cloudflare.com\""
+
+		exclude = concat(
+			# Global entries
+			local.global_exclude_list,
+
+			# Profile-specific entries
+			[
+				{
+					address = "192.0.2.0/24"
+					description = "Example IP to exclude from WARP"
+				},
+				{
+					host = "example.com"
+					description = "Example domain to exclude from WARP"
+				}
+			]
+		)
+	}
+	```
+	 When possible we recommend adding an IP address instead of a domain. To learn about the consequences of adding a domain, refer to [Domain-based Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#domain-based-split-tunnels).
+
+</TabItem>
+</Tabs>
+
 <Render file="warp/client-notification-lag" product="cloudflare-one" />
 
 We recommend keeping the Split Tunnels list short, as each entry takes time for the client to parse. In particular, domains are slower to action than IP addresses because they require on-the-fly IP lookups and routing table / local firewall changes. A shorter list will also make it easier to understand and debug your configuration. For information on device profile limits, refer to [Account limits](/cloudflare-one/account-limits/#warp).
diff --git a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx
@@ -2,6 +2,10 @@
 {}
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
 3. Scroll down to **Split Tunnels**.
@@ -10,4 +14,56 @@
    - **Exclude IPs and domains** — (Default) All traffic will be sent to Cloudflare Gateway except for the IPs and domains you specify.
    - **Include IPs and Domains** — Only traffic destined to the IPs or domains you specify will be sent to Cloudflare Gateway. All other traffic will bypass Gateway and will no longer be filtered by your network or HTTP policies. In order to use certain features, you will need to manually add [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
 
+</TabItem> <TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/#create-a-new-profile).
+
+3. In your device profile, configure either the `exclude` or `include` argument. You cannot set both `exclude` and `include` in a given device profile.
+
+	a. To manage Split Tunnel routes in **Exclude** mode, use the `exclude` argument:
+
+		```tf
+		resource "cloudflare_zero_trust_device_custom_profile" "exclude_example" {
+			account_id            = var.cloudflare_account_id
+			name                  = "Custom profile in Split Tunnels Exclude mode"
+			enabled               = true
+			precedence            = 101
+			service_mode_v2       = {mode = "warp"}
+			match 								=  "identity.email == \"test@cloudflare.com\""
+
+			exclude = [{
+					address = "10.0.0.0/8"
+					description = "Example route to exclude from WARP tunnel"
+			}]
+		}
+		```
+
+		In this example, all traffic will be sent to Cloudflare Gateway except for traffic destined to `10.0.0.0/8`. To exclude the default IPs and domains recommended by Cloudflare, refer to [Add a route](#add-a-route).
+
+	b. To manage Split Tunnel routes in **Include** mode, use the `include` argument:
+
+		```tf
+		resource "cloudflare_zero_trust_device_custom_profile" "include_example" {
+			account_id            = var.cloudflare_account_id
+			name                  = "Custom profile in Split Tunnels Include mode"
+			enabled               = true
+			precedence            = 101
+			service_mode_v2       = {mode = "warp"}
+			match 								=  "identity.email == \"test@cloudflare.com\""
+
+			include = [{
+					address = "10.0.0.0/8"
+					description = "Example route to include in WARP tunnel"
+			}]
+		}
+		```
+
+		In this example, only traffic destined to `10.0.0.0/8` will be sent to Cloudflare Gateway.
+
+</TabItem>
+</Tabs>
+
 All clients with this device profile will now switch to the new mode and its default route configuration. Next, [add](#add-a-route) or [remove](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) routes from your Split Tunnel configuration.
diff --git a/src/content/partials/learning-paths/zero-trust/split-tunnel-settings.mdx b/src/content/partials/learning-paths/zero-trust/split-tunnel-settings.mdx
@@ -3,7 +3,7 @@
 
 ---
 
-import { Render } from "~/components"
+import { Render} from "~/components"
 
 Split tunnel settings determine which traffic WARP does and does not proxy.
 
@@ -14,7 +14,9 @@ WARP offers two different split tunnel modes:
 
 ## Update Split Tunnels mode
 
-To change your Split Tunnels mode: <Render file="warp/change-split-tunnels-mode" product="cloudflare-one" />
+To change your Split Tunnels mode:
+
+<Render file="warp/change-split-tunnels-mode" product="cloudflare-one" />
 
 ## Add a route
 
