Add policy partial and Terraform procedure

maxvp · maxvp · commit df5d23954c22 · 2025-02-10T15:42:37.000-06:00
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-dns-policies/recommended-dns-policies.mdx
@@ -140,7 +140,7 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_restrict_quarantined_users"
 <Render file="zero-trust/blocklist-security-categories" />
 
 <Render
-	file="gateway/policies/block-security-categories"
+	file="gateway/policies/block-security-categories-dash-plus-api"
 	product="cloudflare-one"
 />
 
diff --git a/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx b/src/content/partials/cloudflare-one/gateway/policies/block-security-categories-dash-plus-api.mdx
@@ -0,0 +1,56 @@
+---
+{}
+---
+
+import { Tabs, TabItem, Render } from "~/components";
+
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
+
+<Render
+	file="gateway/policies/block-security-categories"
+	product="cloudflare-one"
+/>
+
+</TabItem>
+<TabItem label="API">
+
+```bash
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rule \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+--data '{
+  "name": "Block security threats",
+  "description": "Block all default Cloudflare DNS security categories",
+  "enabled": true,
+  "action": "block",
+  "filters": [
+    "dns"
+  ],
+  "traffic": "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})",
+  "identity": ""
+}'
+```
+
+</TabItem>
+<TabItem label="Terraform">
+
+```tf
+resource "cloudflare_zero_trust_gateway_policy" "block_security_threats" {
+  account_id  = var.account_id
+  name        = "All-DNS-SecurityCategories-Blocklist"
+  description = "Block all default Cloudflare DNS security categories"
+  precednece  = 20
+	enabled     = false
+  action      = "block"
+  filters     = ["dns"]
+  traffic     = "any(dns.security_category[*] in {68 178 80 83 176 175 117 131 134 151 153})"
+	rule_settings {
+			block_page_enabled = true
+			notification_settings {
+					enabled = true
+				}
+		}
+}
+```
+
+</TabItem> </Tabs>
diff --git a/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx b/src/content/partials/cloudflare-one/gateway/policies/enforce-device-posture.mdx
@@ -2,17 +2,21 @@
 {}
 ---
 
-import { Tabs, TabItem, Render } from "~/components";
+import { Tabs, TabItem } from "~/components";
 
 In the following example, you can use a list of [device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) to ensure users can only access an application if they connect with the WARP client from a company device:
+
 <Tabs syncKey="dashPlusAPI">
 <TabItem label="Dashboard">
+
 | Selector                     | Operator | Value                   | Logic | Action |
 | ---------------------------- | -------- | ----------------------- | ----- | ------ |
 | Passed Device Posture Checks | not in   | _Device serial numbers_ | And   | Block  |
 | SNI Domain                   | is       | `internalapp.com`       |       |        |
+
 </TabItem>
 <TabItem label="API">
+
 ```sh
 curl --request POST \
   --url https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules \
@@ -35,8 +39,10 @@ curl --request POST \
     }
 	}'
 ```
+
 </TabItem>
 <TabItem label="Terraform">
+
 ```tf
 resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule" {
   account_id  = var.account_id
@@ -54,5 +60,6 @@ resource "cloudflare_zero_trust_gateway_policy" "dns_resolvedip_blocklist_rule"
     }
 }
 ```
+
 </TabItem>
 </Tabs>
