[ZT] Terraform - Replace your VPN policies (#22338)

* lists

* policies

* session timeout

* block page

Author: ranbel

src/content/docs/learning-paths/replace-vpn/build-policies/block-page.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 5
 ---
 
-import { Render } from "~/components";
+import { Render, Tabs, TabItem } from "~/components";
 
 With Cloudflare Zero Trust, you can deliver actionable feedback to users when they are blocked by a Gateway policy. Custom block messages can reduce user confusion and decrease your IT ticket load.
 
@@ -35,6 +35,8 @@ The Gateway custom block page is a different concept from [Access custom block p
 
 For DNS policies, you will need to enable the block page on a per-policy basis.
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 <Render
 	file="gateway/add-block-page"
 	product="cloudflare-one"
@@ -45,6 +47,47 @@ For DNS policies, you will need to enable the block page on a per-policy basis.
 
 />
 
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a DNS policy with a Block action.
+
+3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), turn on `block_page_enabled`. If you have configured a [custom Gateway block page](/cloudflare-one/policies/gateway/block-page/#customize-the-block-page), you can optionally show an additional `block_reason` when traffic is blocked by this policy.
+
+	```tf
+	resource "cloudflare_zero_trust_gateway_policy" "dns_block_security_categories" {
+		name        = "Block DNS Security Categories"
+		enabled     = true
+		account_id  = var.cloudflare_account_id
+		description = "Managed by Terraform - Generic security policy based on Cloudflare Threat Intelligence categories."
+		precedence  = 101
+		action      = "block"
+		filters     = ["dns"]
+		/* Categories being enabled here:
+			- 80:  "Command and Control & Botnet"
+			- 83:  "Cryptomining"
+			- 117: "Malware"
+			- 131: "Phishing"
+			- 153: "Spyware"
+			- 175: "DNS Tunneling"
+			- 176: "DGA Domains"
+			- 178: "Brand Embedding"
+		*/
+		traffic = "any(dns.security_category[*] in {80 83 117 131 153 175 176 178})"
+		identity = ""
+
+		rule_settings = {
+			block_page_enabled = true
+			block_reason  = "This domain has been flagged as a potential security risk." // Adds an additional message to the custom block page. Requires enabling custom block page in cloudflare_zero_trust_gateway_settings.
+		}
+	}
+	```
+</TabItem>
+</Tabs>
+
 ### Customize the block page
 
 <Render file="gateway/customize-block-page" product="cloudflare-one" />

src/content/docs/learning-paths/replace-vpn/build-policies/create-policy.mdx

@@ -77,7 +77,25 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 }'
 ```
 
-</TabItem> </Tabs>
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "dns_allow_wiki_domains" {
+	name        = "Company Wiki DNS policy"
+	enabled     = true
+	account_id  = var.cloudflare_account_id
+	description = "Managed by Terraform - Allow employees to access company wiki domains."
+	precedence  = 102
+	action      = "allow"
+	filters     = ["dns"]
+	traffic     = "any(dns.domains[*] in ${"$"}${cloudflare_zero_trust_list.wiki_domains.id})"
+	identity    = "identity.email matches \".*@example.com\""
+}
+```
+
+</TabItem>
+</Tabs>
 
 ## Example network policy
 
@@ -135,7 +153,25 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 }'
 ```
 
-</TabItem> </Tabs>
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "network_allow_wiki_IPs" {
+	name        = "Company Wiki Network policy"
+	enabled     = true
+	account_id  = var.cloudflare_account_id
+	description = "Managed by Terraform - Allow employees to access company wiki IPs."
+	precedence  = 103
+	action      = "allow"
+	filters     = ["l4"]
+	traffic     = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.wiki_IPs.id}"
+	identity    = "identity.email matches \".*@example.com\""
+}
+```
+
+</TabItem>
+</Tabs>
 
 ### Catch-all policy
 
@@ -197,7 +233,24 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
 }'
 ```
 
-</TabItem> </Tabs>
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "network_catch_all" {
+  name        = "Catch-all block policy"
+  enabled     = true
+  account_id  = var.cloudflare_account_id
+  description = "Managed by Terraform - Block access to private network."
+  precedence  = 14002
+  action      = "block"
+  filters     = ["l4"]
+  traffic     = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.private_IPs.id} or any(net.sni.domains[*] in ${"$"}${cloudflare_zero_trust_list.private_domains.id})"
+}
+```
+
+</TabItem>
+</Tabs>
 
 Network policies are evaluated in [top-down order](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence), so if a user does not match an explicitly defined policy for an application, they will be blocked.
 To learn how multiple policies interact, refer to [Order of enforcement](/cloudflare-one/policies/gateway/order-of-enforcement/).

src/content/partials/cloudflare-one/gateway/customize-block-page.mdx

@@ -2,10 +2,14 @@
 {}
 ---
 
+import { Tabs, TabItem } from "~/components";
+
 You can customize the Cloudflare-hosted block page by making global changes that Gateway will display every time a user reaches your block page. Customizations will apply regardless of the type of policy (DNS or HTTP) that blocks the traffic.
 
 To customize your block page:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Custom Pages**.
 2. Under **Account Gateway block page**, select **Customize**.
 3. Choose **Custom Gateway block page**. Gateway will display a preview of your custom block page. Available customizations include:
@@ -17,4 +21,35 @@ To customize your block page:
    - Background color
 4. Select **Save**.
 
+
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. In [`cloudflare_zero_trust_gateway_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_settings), configure the `block_page` argument with your customizations:
+
+	```tf
+	resource "cloudflare_zero_trust_gateway_settings" "team_name" {
+		account_id = var.cloudflare_account_id
+		settings = {
+			block_page = {
+				enabled = true //do not use the default Gateway block page
+				mode = "customized_block_page" //use a custom block page
+				name = "Cloudflare"
+				logo_path = "https://logos.com/a.png"
+				header_text = "--header--"
+				footer_text = "--footer--"
+				mailto_address = "[email protected]"
+				mailto_subject = "Blocked Request"
+				background_color = "#ffffff"
+				suppress_footer = false
+			}
+		}
+	}
+	```
+</TabItem>
+</Tabs>
+
 Gateway will now display a custom Gateway block page when your users visit a blocked website.

src/content/partials/cloudflare-one/gateway/lists.mdx

@@ -25,12 +25,42 @@ When you format a CSV file for upload:
 
 To upload the list to Zero Trust:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **My Team** > **Lists**.
 2. Select **Upload CSV**.
 3. Next, specify a **List name**, enter an optional description, and choose a **List type**.
 4. Drag and drop a file into the **CSV file** window, or select a file.
 5. Select **Create**.
 
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Decode the contents of the CSV file and store it as a local value:
+
+	```tf
+	locals {
+		ip_list = csvdecode(file("${path.module}/list-test.csv"))
+	}
+	```
+3. Create a list using the [`cloudflare_zero_trust_list`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_list) resource:
+
+	```tf
+	resource "cloudflare_zero_trust_list" "ips_from_csv" {
+		account_id  = var.cloudflare_account_id
+		name        = "IPs imported from CSV"
+		description = "Managed by Terraform"
+		type        = "IP"
+		items 			= local.ip_list
+	}
+	```
+
+</TabItem>
+</Tabs>
+
 You can now use this list in the policy builder by choosing the _in list_ operator.
 
 ## Create a list manually
@@ -59,6 +89,51 @@ curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists \
 }'
 ```
 
-</TabItem> </Tabs>
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Create a list using the [`cloudflare_zero_trust_list`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_list) resource.
+
+	Example list of IPs:
+	```tf
+	resource "cloudflare_zero_trust_list" "wiki_IPs" {
+		account_id  = var.cloudflare_account_id
+		name        = "Company Wiki IP addresses"
+		description = "Managed by Terraform"
+		type        = "IP"
+		items = [
+			{
+				description = "Example IP address range"
+				value = "192.0.2.0/24",
+			},
+			{
+				value = "198.51.100.0/24"
+			}
+		]
+	}
+	```
+
+	Example list of domains:
+	```tf
+	resource "cloudflare_zero_trust_list" "wiki_domains" {
+		account_id  = var.cloudflare_account_id
+		name        = "Company Wiki Domains"
+		description = "Managed by Terraform"
+		type        = "DOMAIN"
+		items = [
+			{
+				value = "wiki.example.com"
+			},
+			{
+				value = "wiki2.example.com"
+			}]
+	}
+	```
+
+</TabItem>
+</Tabs>
 
 You can now use this list in the policy builder by choosing the _in list_ operator.

src/content/partials/cloudflare-one/warp/warp-sessions-gateway.mdx

@@ -3,16 +3,53 @@
 
 ---
 
+import { TabItem, Tabs } from "~/components";
+
 You can enforce WARP session timeouts on any Gateway Network and HTTP policy that has an Allow action. If you do not specify a session timeout, the WARP session will be unlimited by default.
 
 Session timeouts have no impact on Gateway DNS policies. DNS policies remain active even when a user needs to re-authenticate.
 
 To configure a session timeout for a Gateway policy:
 
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to either **Gateway** > **Firewall Policies**. Choose either **Network** or **HTTP**.
 2. Add a policy and select the *Allow* action. Alternatively, choose any existing *Allow* policy.
 3. Under **Step 4 - Configure policy settings**, select **Edit** next to **Enforce WARP client session duration**.
 4. Enter a session expiration time in `1h30m0s` format and save.
 5. Save the policy.
 
+</TabItem>
+<TabItem label="Terraform (v5)">
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+	- `Zero Trust Write`
+
+2. Choose a Network (`l4`) or HTTP (`http`) policy with an Allow action.
+
+3. In the policy's [`rule_settings`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_gateway_policy), use the `check_session` argument to enable and configure a session timeout:
+
+	```tf
+	resource "cloudflare_zero_trust_gateway_policy" "network_allow_wiki_IPs" {
+		name        = "Company Wiki Network policy"
+		enabled     = true
+		account_id  = var.cloudflare_account_id
+		description = "Managed by Terraform - Allow employees to access company wiki IPs."
+		precedence  = 103
+		action      = "allow"
+		filters     = ["l4"]
+		traffic     = "net.dst.ip in ${"$"}${cloudflare_zero_trust_list.wiki_IPs.id}"
+		identity    = "identity.email matches \".*@example.com\""
+
+		rule_settings = {
+			check_session = {
+				enforce = true
+				duration = "1h30m0s"
+			}
+		}
+	}
+	```
+</TabItem>
+</Tabs>
+
 Session checks are now enabled for the application protected by this policy. Users can continue to reach applications outside of the policy definition.