diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
index ecfb1ab39d24033..922c192b6d83df0 100644
--- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
+++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
@@ -79,11 +79,14 @@ import { Tabs, TabItem, Render } from "~/components"
-1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+ - `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
```tf
resource "cloudflare_zero_trust_access_application" "infra-app" {
- account_id = "f037e56e89293a057740de681ac9abbe"
+ account_id = var.cloudflare_account_id
name = "Example infrastructure app"
type = "infrastructure"
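Review bot: The new step 1 links the `cloudflare_api_token` docs at provider version 4.40.0 while step 2 directly below it bumps the resource link to 4.45.0, so one procedure now points readers at two different provider versions. The same split appears in the add-target and device-enrollment hunks, while the create-service-token and device-enrollment-mtls hunks pin their resource links to 4.40.0 instead. Since the page itself already uses 4.45.0 as the newest version, pin every registry link within a page to that one version so readers are not left guessing which provider version the resource names require.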
@@ -98,12 +101,12 @@ import { Tabs, TabItem, Render } from "~/components"
}
```
-2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
+3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
```tf
resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
application_id = cloudflare_zero_trust_access_application.infra-app.id
- account_id = "f037e56e89293a057740de681ac9abbe"
+ account_id = var.cloudflare_account_id
name = "Allow a specific email"
decision = "allow"
precedence = 1
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
index df037f7ef133b07..6830ff187d4298d 100644
--- a/src/content/partials/cloudflare-one/access/add-target.mdx
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -58,24 +58,27 @@ To create a new target:
-Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource:
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+ - `Teams Write`
-```tf
-resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
- account_id = "f037e56e89293a057740de681ac9abbe"
- hostname = "infra-access-target"
- ip = {
- ipv4 = {
- ip_addr = "187.26.29.249"
- virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
- }
- ipv6 = {
- ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
- virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+2. Configure the [`cloudflare_zero_trust_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_infrastructure_access_target) resource:
+
+ ```tf
+ resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
+ account_id = var.cloudflare_account_id
+ hostname = "infra-access-target"
+ ip = {
+ ipv4 = {
+ ip_addr = "187.26.29.249"
+ virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+ }
+ ipv6 = {
+ ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
+ virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+ }
}
- }
-}
-```
+ }
+ ```
diff --git a/src/content/partials/cloudflare-one/access/create-service-token.mdx b/src/content/partials/cloudflare-one/access/create-service-token.mdx
index fd5e525960b11de..3934f7e169045b4 100644
--- a/src/content/partials/cloudflare-one/access/create-service-token.mdx
+++ b/src/content/partials/cloudflare-one/access/create-service-token.mdx
@@ -3,6 +3,10 @@
---
+import { Tabs, TabItem } from '~/components';
+
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Service Auth** > **Service Tokens**.
2. Select **Create Service Token**.
@@ -16,5 +20,47 @@
6. Copy the Client Secret.
:::caution
- This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.
+ This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.
:::
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+ - `Access: Service Tokens Write`
+
+2. Configure the [`cloudflare_zero_trust_access_service_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_service_token) resource:
+
+ ```tf
+ resource "cloudflare_zero_trust_access_service_token" "example_service_token" {
+ account_id = var.cloudflare_account_id
+ name = "Example service token"
+ duration = "8760h"
+ }
+ ```
+
+3. Output the Client ID and Client Secret to the Terraform state file:
+
+ ```tf
+ output "example_service_token_client_id" {
+ value = cloudflare_zero_trust_access_service_token.example_service_token.client_id
+ }
+
+ output "example_service_token_client_secret" {
+ value = cloudflare_zero_trust_access_service_token.example_service_token.client_secret
+ sensitive = true
+ }
+ ```
+4. Apply the configuration:
+ ```sh
+ terraform apply
+ ```
+
+5. Read the Client ID and Client Secret:
+ ```sh
+ terraform output -raw example_service_token_client_id
+ ```
+ ```sh
+ terraform output -raw example_service_token_client_secret
+ ```
+
+
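Review bot: Step 3 writes the service token's Client Secret into Terraform state, and the `sensitive = true` on the output only redacts it in plan/apply output, so anyone who can read the state backend can read the secret in plaintext; step 5's `terraform output -raw` then prints it to the terminal, where it may also land in shell history. The procedure should say so, since the `:::caution` above only covers the dashboard flow. Add after step 3: `The Client Secret is stored in plaintext in the Terraform state file. Restrict access to your state backend and use a backend that encrypts state at rest.` and after step 5: `Store the retrieved Client Secret in a secrets manager rather than in files or shell history.`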
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
index c609f3cdfc6fd3d..99ffab18f359b6f 100644
--- a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
+++ b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
@@ -3,10 +3,12 @@
---
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip, Tabs, TabItem } from "~/components"
To check for an mTLS certificate:
+
+
1. [Add an mTLS certificate](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) to your account. You can generate a sample certificate using the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki).
2. In **Associated hostnames**, enter your Zero Trust team domain: `.cloudflareaccess.com`
@@ -18,3 +20,49 @@ To check for an mTLS certificate:
| Allow | Require | Common Name | `` |
4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+
+
+
+1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+ - `Access: Mutual TLS Certificates Write`
+ - `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_mtls_certificate`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_mtls_certificate) resource to add an mTLS certificate to your account:
+
+ ```tf
+ resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
+ account_id = var.cloudflare_account_id
+ name = "WARP enrollment mTLS cert"
+ certificate = <
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
index 52144f8faa57b8b..31168e5300ee792 100644
--- a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
+++ b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx
@@ -3,6 +3,10 @@
---
+import { Tabs, TabItem } from '~/components';
+
+
+
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**.
2. In **Device enrollment permissions**, select **Manage**.
3. In the **Rules** tab, configure one or more [Access policies](/cloudflare-one/policies/access/) to define who can join their device. For example, you could allow all users with a company email address:
@@ -12,8 +16,45 @@
:::note
-Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled.
+Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled.
:::
4. In the **Authentication** tab, select the [identity providers](/cloudflare-one/identity/idp-integration/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/identity/one-time-pin/).
5. Select **Save**.
+
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+ - `Access: Apps and Policies Write`
+
+2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
+
+ ```tf
+ resource "cloudflare_zero_trust_access_application" "warp_enrollment_app" {
+ account_id = var.cloudflare_account_id
+ session_duration = "18h"
+ name = "Warp device enrollment"
+ allowed_idps = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
+ auto_redirect_to_identity = true
+ type = "warp"
+ app_launcher_visible = false
+ }
+ ```
+
+3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to define enrollment permissions.
+
+ ```tf
+ resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
+ application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+ account_id = var.cloudflare_account_id
+ name = "Allow company emails"
+ decision = "allow"
+ precedence = 1
+
+ include {
+ email_domain = ["company.com"]
+ }
+ }
+ ```
+
+
\ No newline at end of file
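Review bot: The `allowed_idps` line in step 2 references `cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id`, a resource that is not defined anywhere in this procedure, so the sample will not plan if copied as-is. A sentence under step 2 should make the dependency explicit, for example: `The `allowed_idps` value references an existing `cloudflare_zero_trust_access_identity_provider` resource; replace `microsoft_entra_id` with the name of your own identity provider resource.` The same hidden dependency pattern appears in the service-token-enrollment hunk, whose policy references `cloudflare_zero_trust_access_service_token.example_service_token.id` from a different partial, and deserves a similar pointer there.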
diff --git a/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx b/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx
index 7f95e48840c7953..a2f90732528e3b4 100644
--- a/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx
+++ b/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx
@@ -3,6 +3,10 @@
---
+import { Tabs, TabItem } from '~/components';
+
+
+
1. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token).
2. Copy the token's **Client ID** and **Client Secret**.
@@ -17,4 +21,32 @@
* `auth_client_id`: The **Client ID** of your service token.
* `auth_client_secret`: The **Client Secret** of your service token.
+
+
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+ - `Access: Apps and Policies Write`
+
+2. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token) and copy its **Client ID** and **Client Secret**.
+
+3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+
+ ```tf
+ resource "cloudflare_zero_trust_access_policy" "warp_enrollment_service_token" {
+ application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+ account_id = var.cloudflare_account_id
+ name = "Allow service token"
+ decision = "non_identity"
+ precedence = 2
+
+ include {
+ service_token = [cloudflare_zero_trust_access_service_token.example_service_token.id]
+ }
+ }
+ ```
+4. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
+ * `auth_client_id`: The **Client ID** of your service token.
+ * `auth_client_secret`: The **Client Secret** of your service token.
+
+
+
When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization.