[Gateway] Resolver policy and Terraform precedence (#20600)

* Add resolver policy precendence info

* Add Terraform policy warning

* Update src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx

Co-authored-by: Patricia Santa Ana <[email protected]>

---------

Co-authored-by: Patricia Santa Ana <[email protected]>

Author: 2 people

src/content/docs/cloudflare-one/policies/gateway/dns-policies/index.mdx

@@ -24,6 +24,8 @@ When creating a DNS policy, you can select as many security risk categories and
 	params={{ type: "query", example: "Source IP", example2: "Resolved IP" }}
 />
 
+<Render file="gateway/terraform-precedence-warning" product="cloudflare-one" />
+
 ## Actions
 
 Just like actions in HTTP policies, actions in DNS policies allow you to choose what to do with a given set of elements. You can assign one action per policy.

src/content/docs/cloudflare-one/policies/gateway/egress-policies/index.mdx

@@ -18,6 +18,8 @@ Egress policies allow you to control which dedicated egress IP is used and when,
 
 Cloudflare does not publish WARP egress IP ranges. WARP egress IPs are not documented at [Cloudflare's IP Ranges](https://cloudflare.com/ips). To obtain a dedicated WARP egress IP, contact your account team.
 
+<Render file="gateway/terraform-precedence-warning" product="cloudflare-one" />
+
 ## Force IP version
 
 To control whether only IPv4 or IPv6 is used to egress, ensure you are [filtering DNS traffic](/cloudflare-one/policies/gateway/initial-setup/dns/), then create a DNS policy to [block AAAA or A records](/cloudflare-one/policies/gateway/dns-policies/common-policies/#control-ip-version).

src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx

@@ -26,6 +26,8 @@ An HTTP policy consists of an **Action** as well as a logical expression that de
 	params={{ type: "query", example: "Source IP", example2: "Resolved IP" }}
 />
 
+<Render file="gateway/terraform-precedence-warning" product="cloudflare-one" />
+
 ## Actions
 
 Actions in HTTP policies allow you to choose what to do with a given set of elements (domains, IP addresses, file types, and so on). You can assign one action per policy.

src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx

@@ -26,6 +26,8 @@ A network policy consists of an **Action** as well as a logical expression that
 	params={{ type: "query", example: "Source IP", example2: "Resolved IP" }}
 />
 
+<Render file="gateway/terraform-precedence-warning" product="cloudflare-one" />
+
 ## Actions
 
 Like actions in DNS and HTTP policies, actions in network policies define which decision you want to apply to a given set of elements. You can assign one action per policy.

src/content/docs/cloudflare-one/policies/gateway/resolver-policies.mdx

@@ -79,6 +79,8 @@ Gateway will filter, resolve, and log your queries regardless of endpoint.
 
 For more information on creating a DNS policy, refer to [DNS policies](/cloudflare-one/policies/gateway/dns-policies/).
 
+<Render file="gateway/terraform-precedence-warning" product="cloudflare-one" />
+
 ## Selectors
 
 ### Content Categories

src/content/partials/cloudflare-one/gateway/create-resolver-policy.mdx

@@ -14,7 +14,7 @@
 
 4. In **Select DNS resolver**, choose _Configure custom DNS resolvers_.
 5. Enter the IP addresses of your custom DNS resolver.
-   :::tip[Search virtual networks]
+   :::note[Search virtual networks]
    As you enter an IP address, Gateway will search through your [virtual networks](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/) configured in Zero Trust.
    :::
 6. In **Network**, choose whether to route queries publicly (to the Internet) or privately (to a private network service).

src/content/partials/cloudflare-one/gateway/order-of-enforcement.mdx

@@ -73,7 +73,8 @@ Gateway applies your policies in the following order:
 2. DNS policies with selectors evaluated after resolution
 3. HTTP policies
 4. Network policies
-5. Egress policies (if applicable)
+5. Resolver policies (if applicable)
+6. Egress policies (if applicable)
 
 DNS policies are standalone. For example, if you block a site with a DNS policy but do not create a corresponding HTTP policy, users can still access the site if they know its IP address.
 
@@ -129,6 +130,10 @@ Next, Gateway checks decrypted traffic against your Isolate policies. When a use
 
 Lastly, Gateway evaluates all Allow, Block, and Do Not Scan policies. These policies apply to both isolated and non-isolated traffic. For example, if `example.com` is isolated and `example.com/subpage` is blocked, Gateway will block the subpage inside of the remote browser.
 
+### Resolver policies
+
+When [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/) are present, Gateway first evaluates any DNS policies with pre-resolution selectors, then routes any DNS queries according to the [order of precedence](#order-of-precedence) of your resolver policies, and lastly evaluates any DNS policies with post-resolution selectors.
+
 ### Order of precedence
 
 <Render
@@ -137,27 +142,27 @@ Lastly, Gateway evaluates all Allow, Block, and Do Not Scan policies. These poli
 	params={{ one: "DNS, network, or HTTP" }}
 />
 
-:::caution[Terraform precedence limitation]
-
-To avoid conflicts, Terraform applies a hash calculation to precedences. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of your policies via the [Cloudflare API](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/).
-:::
+<Render file="gateway/terraform-precedence-warning" product="cloudflare-one" />
 
 ## Example
 
 Suppose you have a list of policies arranged in the following order of precedence:
 
 - DNS policies: <Render file="gateway/order-of-precedence-dns" product="cloudflare-one" />
 - HTTP policies:
-  | Precedence | Selector | Operator | Value | Action |
+
+  | Precedence | Selector | Operator | Value               | Action         |
   | ---------- | -------- | -------- | ------------------- | -------------- |
-  | 1 | Host | is | `example.com` | Block |
-  | 2 | Host | is | `test2.example.com` | Do Not Inspect |
+  | 1          | Host     | is       | `example.com`       | Block          |
+  | 2          | Host     | is       | `test2.example.com` | Do Not Inspect |
+
 - Network policies:
-  | Precedence | Selector | Operator | Value | Action |
+
+  | Precedence | Selector         | Operator | Value              | Action |
   | ---------- | ---------------- | -------- | ------------------ | ------ |
-  | 1 | Destination Port | is | `80` | Block |
-  | 2 | Destination port | is | `443` | Allow |
-  | 3 | SNI Domain | is | `test.example.com` | Block |
+  | 1          | Destination Port | is       | `80`               | Block  |
+  | 2          | Destination port | is       | `443`              | Allow  |
+  | 3          | SNI Domain       | is       | `test.example.com` | Block  |
 
 When a user goes to `https://test.example.com`, Gateway performs the following operations:
 

src/content/partials/cloudflare-one/gateway/terraform-precedence-warning.mdx

@@ -0,0 +1,7 @@
+---
+{}
+---
+
+:::caution[Terraform precedence limitation]
+To avoid conflicts, Terraform applies a hash calculation to policy precedence. For example, a precedence of `1000` may become `1000901`. This can cause errors when reordering policies. To avoid this issue, manually set the precedence of policies created with Terraform using the [Update a Zero Trust Gateway rule](/api/resources/zero_trust/subresources/gateway/subresources/rules/methods/update/) endpoint.
+:::