split tunnel mode

ranbel · ranbel · commit b8e8a3f25058 · 2025-05-07T15:13:32.000-04:00
diff --git a/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx b/src/content/partials/cloudflare-one/warp/change-split-tunnels-mode.mdx
@@ -2,6 +2,10 @@
 {}
 ---
 
+import { Tabs, TabItem } from '~/components';
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 2. Under **Device settings**, locate the [device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) you would like to modify and select **Configure**.
 3. Scroll down to **Split Tunnels**.
@@ -10,4 +14,56 @@
    - **Exclude IPs and domains** — (Default) All traffic will be sent to Cloudflare Gateway except for the IPs and domains you specify.
    - **Include IPs and Domains** — Only traffic destined to the IPs or domains you specify will be sent to Cloudflare Gateway. All other traffic will bypass Gateway and will no longer be filtered by your network or HTTP policies. In order to use certain features, you will need to manually add [Zero Trust domains](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#cloudflare-zero-trust-domains).
 
+</TabItem> <TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a [`cloudflare_zero_trust_device_default_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_default_profile) or [`cloudflare_zero_trust_device_custom_profile`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_device_custom_profile) resource to modify, or [create a new device profile](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/#create-a-new-profile).
+
+3. In your device profile, configure either the `exclude` or `include` argument. You cannot set both `exclude` and `include` in a given device profile.
+
+	a. To manage Split Tunnel routes in **Exclude** mode, use the `exclude` argument:
+
+		```tf
+		resource "cloudflare_zero_trust_device_custom_profile" "exclude_example" {
+			account_id            = var.cloudflare_account_id
+			name                  = "Device profile in Split Tunnels Exclude mode"
+			enabled               = true
+			precedence            = 101
+			service_mode_v2       = {mode = "warp"}
+			match 								=  "identity.email == \"test@cloudflare.com\""
+
+			exclude = [{
+					address = "10.0.0.0/8"
+					description = "Example route to exclude from WARP tunnel"
+			}]
+		}
+		```
+
+		In this example, all traffic will be sent to Cloudflare Gateway except for traffic destined to `10.0.0.0/8`. To exclude the default IPs and domains recommended by Cloudflare, refer to [Add a route](#add-a-route).
+
+	b. To manage Split Tunnel routes in **Include** mode, use the `include` argument:
+
+		```tf
+		resource "cloudflare_zero_trust_device_custom_profile" "include_example" {
+			account_id            = var.cloudflare_account_id
+			name                  = "Device profile in Split Tunnels Include mode"
+			enabled               = true
+			precedence            = 101
+			service_mode_v2       = {mode = "warp"}
+			match 								=  "identity.email == \"test@cloudflare.com\""
+
+			include = [{
+					address = "10.0.0.0/8"
+					description = "Example route to include in WARP tunnel"
+			}]
+		}
+		```
+
+		In this example, only traffic destined to `10.0.0.0/8` will be sent to Cloudflare Gateway.
+
+</TabItem>
+</Tabs>
+
 All clients with this device profile will now switch to the new mode and its default route configuration. Next, [add](#add-a-route) or [remove](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/#remove-a-route) routes from your Split Tunnel configuration.
diff --git a/src/content/partials/learning-paths/zero-trust/split-tunnel-settings.mdx b/src/content/partials/learning-paths/zero-trust/split-tunnel-settings.mdx
@@ -3,7 +3,7 @@
 
 ---
 
-import { Render } from "~/components"
+import { Render} from "~/components"
 
 Split tunnel settings determine which traffic WARP does and does not proxy.
 
@@ -14,7 +14,9 @@ WARP offers two different split tunnel modes:
 
 ## Update Split Tunnels mode
 
-To change your Split Tunnels mode: <Render file="warp/change-split-tunnels-mode" product="cloudflare-one" />
+To change your Split Tunnels mode:
+
+<Render file="warp/change-split-tunnels-mode" product="cloudflare-one" />
 
 ## Add a route
 
