[ZT] Device enrollment Terraform examples

src/content/partials/cloudflare-one/access/create-service-token.mdx

@@ -23,16 +23,12 @@ import { Tabs, TabItem, Details } from '~/components';
    This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.
    :::
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="Terraform (v5)">
 
-:::note[Provider versions]
-The following example requires Cloudflare provider version `>=4.40.0`.
-:::
-
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Service Tokens Write`
 
-2. Configure the [`cloudflare_zero_trust_access_service_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_service_token) resource:
+2. Configure the [`cloudflare_zero_trust_access_service_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_service_token) resource:
 
 		```tf
 		resource "cloudflare_zero_trust_access_service_token" "example_service_token" {

src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx

@@ -21,17 +21,13 @@ To check for an mTLS certificate:
 
 4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="Terraform (v5)">
 
-:::note[Provider versions]
-The following example requires Cloudflare provider version `>=4.40.0`.
-:::
-
-1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Mutual TLS Certificates Write`
 	- `Access: Apps and Policies Write`
 
-2. Use the [`cloudflare_zero_trust_access_mtls_certificate`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/zero_trust_access_mtls_certificate) resource to add an mTLS certificate to your account:
+2. Use the [`cloudflare_zero_trust_access_mtls_certificate`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_mtls_certificate) resource to add an mTLS certificate to your account:
 
 	```tf
 	resource "cloudflare_zero_trust_access_mtls_certificate" "example_mtls_cert" {
@@ -47,26 +43,38 @@ The following example requires Cloudflare provider version `>=4.40.0`.
 	}
 	```
 
-3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+3. Create the following Access policy:
 
 	```tf
-	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
-		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
+	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_mtls" {
 		account_id     = var.cloudflare_account_id
-		name           = "Allow company emails"
+		name           = "Allow employees with mTLS cert"
 		decision       = "allow"
-		precedence     = 1
-
-		include {
-			email_domain = ["company.com"]
-		}
-
-		require {
-			common_names = ["Common name 1", "Common name 2"]
-		}
+		include = [
+			{
+				email_domain = {
+					domain = "@example.com"
+				}
+			}
+		]
+
+		require = [
+			{
+				common_name = {
+					common_name = "Common name 1"
+				}
+			},
+					{
+				common_name = {
+					common_name = "Common name 2"
+				}
+			}
+		]
 	}
 	```
 
-4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+4. Add the policy to your [`cloudflared_zero_trust_access_application` for WARP](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions).
+
+5. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
 
 </TabItem> </Tabs>

src/content/partials/cloudflare-one/warp/device-enrollment.mdx

@@ -22,43 +22,46 @@ Device posture checks are not supported in device enrollment policies. WARP can
 4. In the **Authentication** tab, select the [identity providers](/cloudflare-one/identity/idp-integration/) users can authenticate with. If you have not integrated an identity provider, you can use the [one-time PIN](/cloudflare-one/identity/one-time-pin/).
 5. Select **Save**.
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="Terraform (v5)">
 
-:::note[Provider versions]
-The following example requires Cloudflare provider version `>=4.40.0`.
-:::
-
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Apps and Policies Write`
 
-2. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
+2. Create a reusable Access policy using the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_policy) resource:
+
+		```tf
+		resource "cloudflare_zero_trust_access_policy" "allow_company_emails" {
+			account_id   = var.cloudflare_account_id
+			name         = "Allow company emails"
+			decision     = "allow"
+			include      = [
+				{
+					email_domain = {
+						domain = "@example.com"
+					}
+				}
+			]
+		}
+		```
+
+3. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) resource to create an application with type `warp`.
 
 	```tf
-	resource "cloudflare_zero_trust_access_application" "warp_enrollment_app" {
-		account_id                = var.cloudflare_account_id
-		session_duration          = "18h"
-		name                      = "Warp device enrollment"
+	resource "cloudflare_zero_trust_access_application" "device_enrollment" {
+		account_id       = var.cloudflare_account_id
+		type             = "warp"
+		name             = "Warp device enrollment"
 		allowed_idps              = [cloudflare_zero_trust_access_identity_provider.microsoft_entra_id.id]
 		auto_redirect_to_identity = true
-		type                      = "warp"
 		app_launcher_visible      = false
+		policies = [
+			{
+				id = cloudflare_zero_trust_access_policy.allow_company_emails.id
+				precedence = 1
+			}
+		]
 	}
 	```
 
-3. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_access_policy) resource to define enrollment permissions.
-
-	```tf
-	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_employees" {
-		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
-		account_id     = var.cloudflare_account_id
-		name           = "Allow company emails"
-		decision       = "allow"
-		precedence     = 1
-
-		include {
-			email_domain = ["company.com"]
-		}
-	}
-	```
-
-</TabItem> </Tabs>
+</TabItem>
+ </Tabs>

src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx

@@ -23,33 +23,33 @@ import { Tabs, TabItem } from '~/components';
    * `auth_client_id`: The **Client ID** of your service token.
    * `auth_client_secret`: The **Client Secret** of your service token.
 
-</TabItem> <TabItem label="Terraform (v4)">
+</TabItem> <TabItem label="Terraform (v5)">
 
-:::note[Provider versions]
-The following example requires Cloudflare provider version `>=4.40.0`.
-:::
-
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.40.0/docs/resources/api_token):
+1. Add the following permissions to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
 	- `Access: Apps and Policies Write`
+	- `Access: Service Tokens Write`
 
 2. [Create a service token](/cloudflare-one/identity/service-tokens/#create-a-service-token) and copy its **Client ID** and **Client Secret**.
 
-3. Add the following policy to your [WARP enrollment Access application](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions):
+3. Create the following Access policy:
 
 	```tf
 	resource "cloudflare_zero_trust_access_policy" "warp_enrollment_service_token" {
-		application_id = cloudflare_zero_trust_access_application.warp_enrollment_app.id
 		account_id     = var.cloudflare_account_id
 		name           = "Allow service token"
 		decision       = "non_identity"
-		precedence     = 2
-
-		include {
-			service_token = [cloudflare_zero_trust_access_service_token.example_service_token.id]
-		}
+		include = [
+			{
+				service_token = {
+					token_id = cloudflare_zero_trust_access_service_token.example_service_token.id
+				}
+			}
+		]
 	}
 	```
-4. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
+4. Add the policy to your [`cloudflared_zero_trust_access_application` for WARP](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions).
+
+5. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
    * `auth_client_id`: The **Client ID** of your service token.
    * `auth_client_secret`: The **Client Secret** of your service token.