create tunnel using Terraform

Author: ranbel

src/content/docs/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel-api.mdx

@@ -142,49 +142,7 @@ To configure Zero Trust policies and connect as a user, refer to [Connect privat
 
 Install `cloudflared` on your server and run the tunnel using the `token` value obtained in [2. Create a tunnel](#2-create-a-tunnel). You can also get the tunnel token using the [Cloudflare Tunnel token](/api/resources/zero_trust/subresources/tunnels/subresources/cloudflared/subresources/token/methods/get/) endpoint.
 
-<Tabs> <TabItem label="Linux">
-
-1.  [Download and install](https://pkg.cloudflare.com/index.html) `cloudflared`.
-
-2.  Run the following command:
-
-        ```sh
-        sudo cloudflared service install <tunnel-token>
-        ```
-
-</TabItem> <TabItem label="Windows">
-
-1.  [Download and install](/cloudflare-one/connections/connect-networks/downloads/#windows) `cloudflared`.
-
-2.  Open Command Prompt as administrator.
-
-3.  Run the following command:
-
-        ```txt
-        cloudflared.exe service install <tunnel-token>
-        ```
-
-</TabItem> <TabItem label="macOS">
-
-1.  [Download and install](/cloudflare-one/connections/connect-networks/downloads/#macos) `cloudflared`.
-
-2.  Run the following command:
-
-        ```sh
-        sudo cloudflared service install <tunnel-token>
-        ```
-
-</TabItem> <TabItem label="Docker">
-
-1.  Open a terminal window.
-
-2.  Run the following command:
-
-        	```sh
-        	docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <tunnel-token>
-        	```
-
-</TabItem>  </Tabs>
+<Render file="tunnel/install-and-run-tunnel" product="cloudflare-one" />
 
 ## 5. Verify tunnel status
 

src/content/docs/learning-paths/replace-vpn/connect-private-network/cloudflared.mdx

@@ -6,20 +6,113 @@ sidebar:
 
 ---
 
-import { Render } from "~/components"
+import { Render, Tabs, TabItem, Details } from "~/components"
 
 Cloudflare Tunnel is an outbound-only daemon service that can run on nearly any host machine and proxies local traffic once validated from the Cloudflare network. User traffic initiated from the WARP endpoint client onramps to Cloudflare, passes down your Cloudflare Tunnel connections, and terminates automatically in your local network. Traffic reaching your internal applications or services will carry the local source IP address of the host machine running the `cloudflared` daemon.
 
 ## Create a tunnel
 
 To connect your private network:
 
+<Tabs syncKey="dashPlusAPI">
+
+<TabItem label="Dashboard">
+
 <Render file="tunnel/create-tunnel" product="cloudflare-one" />
 
 9. In the **Private Networks** tab, enter the CIDR of your private network (for example, `10.0.0.0/8`).
 
 10. Select **Save tunnel**.
 
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Cloudflare Tunnel Write`
+
+2. Generate a secret for the tunnel using Terraform's [`random` provider](https://registry.terraform.io/providers/hashicorp/random/latest/docs):
+
+		```tf
+		resource "random_bytes" "tunnel_secret" {
+  		length = 64
+		}
+		```
+
+3. Create a tunnel using the [`cloudflare_zero_trust_tunnel_cloudflare`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_tunnel_cloudflared) resource.
+
+		```tf
+		resource "cloudflare_zero_trust_tunnel_cloudflared" "example_tunnel" {
+			account_id = var.cloudflare_account_id
+			name       = "Example tunnel"
+			tunnel_secret     = random_bytes.tunnel_secret.base64
+			config_src = "cloudflare"
+		}
+		```
+
+4. Route the CIDR of your private network through the tunnel using the [`cloudflare_zero_trust_tunnel_cloudflared_route`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_tunnel_cloudflared_route) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" {
+			account_id         = var.cloudflare_account_id
+			tunnel_id          = cloudflare_zero_trust_tunnel_cloudflared.example_tunnel.id
+			network            = "10.0.0.0/8"
+			comment            = "Example tunnel route"
+		}
+		```
+
+5. Get the [token](/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions/) used to run the tunnel:
+
+		```tf
+		data "cloudflare_zero_trust_tunnel_cloudflared_token" "tunnel_token" {
+			account_id = var.cloudflare_account_id
+			tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.example_tunnel.id
+		}
+		```
+
+		If your host machine is not managed in Terraform or you want to install the tunnel manually, you can output the token value to the CLI.
+	<Details header="Example: Output to CLI" open = {false}>
+  	1. Output the tunnel token to the Terraform state file:
+			```tf
+			output "tunnel_token" {
+				value       = data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token
+				sensitive   = true
+			}
+			```
+	2. Apply the configuration:
+			```sh
+			terraform apply
+			```
+	3. Read the tunnel token:
+			```sh
+			terraform output -raw tunnel_token
+			```
+			```sh output
+			eyJhIj...
+			```
+
+	</Details>
+
+		Alternatively, pass `data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token` directly into your host's Terraform configuration or store the token in your secret management tool.
+
+	<Details header="Example: Store in HashiCorp Vault" open = {false}>
+			```tf
+			resource "vault_generic_secret" "tunnel_token" {
+				path         = "kv/cloudflare/tunnel_token"
+
+				data_json = jsonencode({
+					"TUNNEL_TOKEN" = data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token
+				})
+			}
+			```
+	</Details>
+
+6. Install `cloudflared` on a host machine in your private network and run the tunnel:
+
+		<Render file="tunnel/install-and-run-tunnel" product="cloudflare-one" />
+
+</TabItem>
+</Tabs>
+
 All internal applications and services in this IP range are now connected to Cloudflare.
 
 :::note

src/content/partials/cloudflare-one/tunnel/install-and-run-tunnel.mdx

@@ -0,0 +1,50 @@
+---
+{}
+
+---
+
+import { Tabs, TabItem } from "~/components";
+
+<Tabs> <TabItem label="Linux">
+
+1.  [Download and install](https://pkg.cloudflare.com/index.html) `cloudflared`.
+
+2.  Run the following command:
+
+        ```sh
+        sudo cloudflared service install <TUNNEL_TOKEN>
+        ```
+
+</TabItem> <TabItem label="Windows">
+
+1.  [Download and install](/cloudflare-one/connections/connect-networks/downloads/#windows) `cloudflared`.
+
+2.  Open Command Prompt as administrator.
+
+3.  Run the following command:
+
+        ```txt
+        cloudflared.exe service install <TUNNEL_TOKEN>
+        ```
+
+</TabItem> <TabItem label="macOS">
+
+1.  [Download and install](/cloudflare-one/connections/connect-networks/downloads/#macos) `cloudflared`.
+
+2.  Open a terminal window and run the following command:
+
+        ```sh
+        sudo cloudflared service install <TUNNEL_TOKEN>
+        ```
+
+</TabItem> <TabItem label="Docker">
+
+1.  Open a terminal window.
+
+2.  Run the following command:
+
+        	```sh
+        	docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <TUNNEL_TOKEN>
+        	```
+
+</TabItem>  </Tabs>