From 18da351354c68275acb2101404dc67d4112775e0 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 1 Nov 2024 18:07:55 -0400 Subject: [PATCH 1/3] rename infrastructure access resource --- .../access/add-infrastructure-app.mdx | 11 +++--- .../cloudflare-one/access/add-target.mdx | 35 ++++++++++--------- 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx index ecfb1ab39d24033..922c192b6d83df0 100644 --- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx +++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx @@ -79,11 +79,14 @@ import { Tabs, TabItem, Render } from "~/components" -1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): + - `Access: Apps and Policies Write` + +2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application: ```tf resource "cloudflare_zero_trust_access_application" "infra-app" { - account_id = "f037e56e89293a057740de681ac9abbe" + account_id = var.cloudflare_account_id name = "Example infrastructure app" type = "infrastructure" 
@@ -98,12 +101,12 @@ import { Tabs, TabItem, Render } from "~/components" } ``` -2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: +3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application: ```tf resource "cloudflare_zero_trust_access_policy" "infra-app-policy" { application_id = cloudflare_zero_trust_access_application.infra-app.id - account_id = "f037e56e89293a057740de681ac9abbe" + account_id = var.cloudflare_account_id name = "Allow a specific email" decision = "allow" precedence = 1 diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index df037f7ef133b07..6830ff187d4298d 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx +++ b/src/content/partials/cloudflare-one/access/add-target.mdx 
@@ -58,24 +58,27 @@ To create a new target: -Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource: +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): + - `Teams Write` -```tf -resource "cloudflare_infrastructure_access_target" "infra-ssh-target" { - account_id = "f037e56e89293a057740de681ac9abbe" - hostname = "infra-access-target" - ip = { - ipv4 = { - ip_addr = "187.26.29.249" - virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" - } - ipv6 = { - ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" - virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" +2. Configure the [`cloudflare_zero_trust_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_infrastructure_access_target) resource: + + ```tf + resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" { + account_id = var.cloudflare_account_id + hostname = "infra-access-target" + ip = { + ipv4 = { + ip_addr = "187.26.29.249" + virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" + } + ipv6 = { + ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0" + virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55" + } } - } -} -``` + } + ``` From 49c74142104be1b11ff5acece6fd8c84d59e9323 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Fri, 1 Nov 2024 18:08:08 -0400 Subject: [PATCH 2/3] device enrollment examples --- .../access/create-service-token.mdx | 48 +++++++++++++++++- .../warp/device-enrollment-mtls.mdx | 50 ++++++++++++++++++- .../cloudflare-one/warp/device-enrollment.mdx | 43 +++++++++++++++- .../warp/service-token-enrollment.mdx | 32 ++++++++++++ 4 files changed, 170 insertions(+), 3 deletions(-) 
diff --git a/src/content/partials/cloudflare-one/access/create-service-token.mdx b/src/content/partials/cloudflare-one/access/create-service-token.mdx index fd5e525960b11de..ba1af6e6556945f 100644 --- a/src/content/partials/cloudflare-one/access/create-service-token.mdx +++ b/src/content/partials/cloudflare-one/access/create-service-token.mdx @@ -3,6 +3,10 @@ --- +import { Tabs, TabItem } from '~/components'; + + + 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Service Auth** > **Service Tokens**. 2. Select **Create Service Token**. 
@@ -16,5 +20,47 @@ 6. Copy the Client Secret. :::caution - This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. + This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token. ::: + + + +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): + - `Access: Service Tokens Write` + +2. Configure the [`cloudflare_zero_trust_access_service_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_service_token) resource: + + ```tf + resource "cloudflare_zero_trust_access_service_token" "example_service_token" { + account_id = var.cloudflare_account_id + name = "Example service token" + duration = "8760h" + } + ``` + +3. Output the Client ID and Client Secret to the Terraform state file: + + ```tf + output "example_service_token_client_id" { + value = cloudflare_zero_trust_access_service_token.example_service_token.client_id + } + + output "example_service_token_client_secret" { + value = cloudflare_zero_trust_access_service_token.example_service_token.client_secret + sensitive = true + } + ``` +4. Apply the configuration: + ```sh + terraform apply + ``` + +5. Read the Client ID and Client Secret: + ```sh + terraform output example_service_token_client_id + ``` + ```sh + terraform output example_service_token_client_secret + ``` + + diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx index c609f3cdfc6fd3d..99ffab18f359b6f 100644 --- a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx +++ b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx 
@@ -3,10 +3,12 @@ --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip, Tabs, TabItem } from "~/components" To check for an mTLS certificate: + + 1. [Add an mTLS certificate](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) to your account. You can generate a sample certificate using the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki). 2. In **Associated hostnames**, enter your Zero Trust team domain: `.cloudflareaccess.com` @@ -18,3 +20,49 @@ To check for an mTLS certificate: | Allow | Require | Common Name | `` | 4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser). + + + +1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): + - `Access: Mutual TLS Certificates Write` + - `Access: Apps and Policies Write` + +2. Use the [`cloudflare_zero_trust_access_mtls_certificate`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_mtls_certificate) resource to add an mTLS certificate to your account: + + ```tf + resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" { + account_id = var.cloudflare_account_id + name = "WARP enrollment mTLS cert" + certificate = < \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx index 52144f8faa57b8b..31168e5300ee792 100644 --- a/src/content/partials/cloudflare-one/warp/device-enrollment.mdx +++ b/src/content/partials/cloudflare-one/warp/device-enrollment.mdx 
@@ -3,6 +3,10 @@ --- +import { Tabs, TabItem } from '~/components'; + + + 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **WARP Client**. 2. In **Device enrollment permissions**, select **Manage**. 3. In the **Rules** tab, configure one or more [Access policies](/cloudflare-one/policies/access/) to define who can join their device. For example, you could allow all users with a company email address: 
@@ -12,8 +16,45 @@ :::note -Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled. +Device posture checks are not supported in device enrollment policies. WARP can only perform posture checks after the device is enrolled. ::: 4. In the **Authentication** tab, select the [identity providers](/cloudflare-one/identity/idp-integration/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/identity/one-time-pin/). 5. Select **Save**. + + + +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): + - `Access: Apps and Policies Write` + +2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an application with type `warp`. + + ```tf + resource "cloudflare_zero_trust_access_application" "warp_enrollment_app" { + account_id = var.cloudflare_account_id + session_duration = "18h" + name = "Warp device enrollment" + allowed_idps = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id] + auto_redirect_to_identity = true + type = "warp" + app_launcher_visible = false + } + ``` + +3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to define enrollment permissions. + + ```tf + resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" { + application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id + account_id = var.cloudflare_account_id + name = "Allow company emails" + decision = "allow" + precedence = 1 + + include { + email_domain = ["company.com"] + } + } + ``` + + \ No newline at end of file 
diff --git a/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx b/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx index 7f95e48840c7953..a2f90732528e3b4 100644 --- a/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx +++ b/src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx @@ -3,6 +3,10 @@ --- +import { Tabs, TabItem } from '~/components'; + + + 1. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token). 2. Copy the token's **Client ID** and **Client Secret**. 
@@ -17,4 +21,32 @@ * `auth_client_id`: The **Client ID** of your service token. * `auth_client_secret`: The **Client Secret** of your service token. + + +1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token): + - `Access: Apps and Policies Write` + +2. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token) and copy its **Client ID** and **Client Secret**. + +3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions): + + ```tf + resource "cloudflare_zero_trust_access_policy" "warp_enrollment_service_token" { + application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id + account_id = var.cloudflare_account_id + name = "Allow service token" + decision = "non_identity" + precedence = 2 + + include { + service_token = [cloudflare_zero_trust_access_service_token.example_service_token.id] + } + } + ``` +4. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields: + * `auth_client_id`: The **Client ID** of your service token. + * `auth_client_secret`: The **Client Secret** of your service token. + + + When you deploy the WARP client with your MDM provider, WARP will automatically connect the device to your Zero Trust organization. From d1269e8e9495f0b82feaa8c224a1d85e7eaa9ce2 Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Thu, 14 Nov 2024 09:47:27 -0500 Subject: [PATCH 3/3] Update src/content/partials/cloudflare-one/access/create-service-token.mdx Co-authored-by: Jacob Bednarz --- .../partials/cloudflare-one/access/create-service-token.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/content/partials/cloudflare-one/access/create-service-token.mdx b/src/content/partials/cloudflare-one/access/create-service-token.mdx index ba1af6e6556945f..3934f7e169045b4 100644 --- a/src/content/partials/cloudflare-one/access/create-service-token.mdx +++ b/src/content/partials/cloudflare-one/access/create-service-token.mdx @@ -57,10 +57,10 @@ import { Tabs, TabItem } from '~/components'; 5. Read the Client ID and Client Secret: ```sh - terraform output example_service_token_client_id + terraform output -raw example_service_token_client_id ``` ```sh - terraform output example_service_token_client_secret + terraform output -raw example_service_token_client_secret ```
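Review bot: in patch 1, hunk `@@ -79,11 +79,14 @@` of `add-infrastructure-app.mdx`, `account_id = var.cloudflare_account_id` replaces the hard-coded account ID (a good change, repeated in the `infra-app-policy` hunk), but no `variable "cloudflare_account_id"` block is shown anywhere in the patch, so a reader who copies the snippet verbatim gets an undeclared-input-variable error; add a one-line `variable "cloudflare_account_id" {}` or state that the variable is declared elsewhere. The provider links in the same step are also inconsistent: `cloudflare_api_token` points at 4.40.0 while `cloudflare_zero_trust_access_application` points at 4.45.0; pin both links to one provider version.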
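Review bot: in patch 1, hunk `@@ -58,24 +58,27 @@` of `add-target.mdx`, the resource type changes from `cloudflare_infrastructure_access_target` to `cloudflare_zero_trust_infrastructure_access_target` and the docs link moves to provider 4.45.0, yet the text never states a minimum provider version, so anyone on an older provider gets an unknown-resource error with no hint; add a `required_providers` line such as `version = ">= 4.45.0"` (assumed from the link; confirm the release that introduced the new name) or a sentence saying the old name is retired. The account ID became a variable while the two `ip_addr` values and the `virtual_network_id` UUID stay literal; replace them with obvious placeholders or variables so nobody copies an unrelated network ID into a real configuration.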
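Review bot: in patch 2, hunk `@@ -3,6 +3,10 @@` of `create-service-token.mdx`, `Tabs, TabItem` are imported but no `<Tabs>`/`<TabItem>` element appears in the visible lines of this hunk or the next, only blank `+` lines; if the JSX tags exist and were stripped from this view, fine, otherwise the import is unused and the dashboard and Terraform steps will render as one flat list. The identical import hunks in `device-enrollment-mtls.mdx`, `device-enrollment.mdx` and `service-token-enrollment.mdx` need the same check.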
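Review bot: in patch 2, hunk `@@ -16,5 +20,47 @@` of `create-service-token.mdx`, step 3 says the Client Secret is output "to the Terraform state file", and `sensitive = true` only hides it from plan/apply output and the unfiltered `terraform output` listing; the value (like the resource's own `client_secret` attribute) is stored in plaintext in state, so the step should tell readers to keep state in an encrypted, access-controlled backend and to treat `terraform output` of that name as a secret read. Two smaller points: the `- This is the only time...` / `+ This is the only time...` pair differs only in whitespace and should be dropped from the patch, and step 4 has no blank line between the list item and its ```sh fence, unlike steps 2 and 3.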
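Review bot: in patch 2, hunk `@@ -18,3 +20,49 @@` of `device-enrollment-mtls.mdx`, the `example_mtls_cert` resource ends at `certificate = <` in this view and the remainder of the hunk (the heredoc body and whatever uses the `Access: Apps and Policies Write` permission listed in step 1) is not visible, so confirm the full hunk with its closing heredoc marker was committed; the `\ No newline at end of file` marker also shows the partial lost its trailing newline. Since this is the public CA certificate, `certificate = file("path/to/ca.pem")` (path is a placeholder) would keep the PEM block out of the doc snippet and avoid heredoc indentation problems inside a numbered list.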
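Review bot: in patch 2, hunk `@@ -12,8 +16,45 @@` of `device-enrollment.mdx`, `allowed_idps` references `cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id`, a resource defined nowhere in this patch and not linked from the step, so the snippet fails on its own; either say it refers to an identity provider resource the reader has already created (and link the Terraform IdP documentation) or state what happens when `allowed_idps` is omitted. Smaller points: `name = "Warp device enrollment"` should read `WARP` to match the product name used elsewhere in the file, the `-Device posture checks...` / `+Device posture checks...` pair is a whitespace-only change, and the file loses its trailing newline.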
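Review bot: in patch 2, hunk `@@ -17,4 +21,32 @@` of `service-token-enrollment.mdx`, step 1 lists only `Access: Apps and Policies Write`, but step 2 sends the reader to create the service token, which the Terraform tab of `create-service-token.mdx` in this same patch gates on `Access: Service Tokens Write`; list it here too or note that the linked page has its own permission step. Step 3's policy references `cloudflare_zero_trust_access_service_token.example_service_token.id`, i.e. the Terraform resource from that partial, not a token copied from the dashboard, so step 2 should not ask the reader to copy the Client ID and Client Secret before the resource reference is used; step 4 is where those values are needed. Worth a sentence next to `decision = "non_identity"`: any device presenting this token satisfies the policy, so the Client Secret placed in the MDM profile is an enrollment credential and should be protected and rotated like one. Also add a blank line between the closing fence and step 4, as in the other steps.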
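Review bot: in patch 3, hunk `@@ -57,10 +57,10 @@` of `create-service-token.mdx`, `-raw` is the right fix for the JSON-quoted string, but it also writes the secret to the terminal unquoted, where it lands in scrollback and, if wrapped in a script, in shell history; suggest a short note that the `-raw` output is meant to be piped straight into the MDM configuration step rather than read off the screen. The two consecutive ```sh fences could also be merged into one block.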