AUTH-5608 added warp auth fields to access organizations and apps

cloudflare · Feb 5, 2024 · 3e1dca8 · 3e1dca8
1 parent 34a4599
commit 3e1dca8
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 1 deletion.
diff --git a/.changelog/3103.txt b/.changelog/3103.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_access_application: adds the ability to set allow_authenticate_via_warp.
+```
+
+```release-note:enhancement
+resource/cloudflare_access_organization: adds the ability to set allow_authenticate_via_warp and warp_auth_session_duration.
+```
diff --git a/internal/sdkv2provider/resource_cloudflare_access_application.go b/internal/sdkv2provider/resource_cloudflare_access_application.go
@@ -53,6 +53,7 @@ func resourceCloudflareAccessApplicationCreate(ctx context.Context, d *schema.Re
 		SkipInterstitial:         cloudflare.BoolPtr(d.Get("skip_interstitial").(bool)),
 		AppLauncherVisible:       cloudflare.BoolPtr(d.Get("app_launcher_visible").(bool)),
 		ServiceAuth401Redirect:   cloudflare.BoolPtr(d.Get("service_auth_401_redirect").(bool)),
+		AllowAuthenticateViaWarp: cloudflare.BoolPtr(d.Get("allow_authenticate_via_warp").(bool)),
 	}
 
 	if value, ok := d.GetOk("allowed_idps"); ok {
@@ -159,6 +160,7 @@ func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.Reso
 	d.Set("bg_color", accessApplication.AccessAppLauncherCustomization.BackgroundColor)
 	d.Set("header_bg_color", accessApplication.AccessAppLauncherCustomization.HeaderBackgroundColor)
 	d.Set("app_launcher_logo_url", accessApplication.AccessAppLauncherCustomization.LogoURL)
+	d.Set("allow_authenticate_via_warp", accessApplication.AllowAuthenticateViaWarp)
 
 	if _, ok := d.GetOk("footer_links"); ok {
 		footerLinks := convertFooterLinksStructToSchema(d, accessApplication.AccessAppLauncherCustomization.FooterLinks)
@@ -213,6 +215,7 @@ func resourceCloudflareAccessApplicationUpdate(ctx context.Context, d *schema.Re
 		SkipInterstitial:         cloudflare.BoolPtr(d.Get("skip_interstitial").(bool)),
 		AppLauncherVisible:       cloudflare.BoolPtr(d.Get("app_launcher_visible").(bool)),
 		ServiceAuth401Redirect:   cloudflare.BoolPtr(d.Get("service_auth_401_redirect").(bool)),
+		AllowAuthenticateViaWarp: cloudflare.BoolPtr(d.Get("allow_authenticate_via_warp").(bool)),
 	}
 
 	if appType != "saas" {

diff --git a/internal/sdkv2provider/resource_cloudflare_access_application_test.go b/internal/sdkv2provider/resource_cloudflare_access_application_test.go
@@ -97,6 +97,7 @@ func TestAccCloudflareAccessApplication_BasicZone(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "cors_headers.#", "0"),
 					resource.TestCheckResourceAttr(name, "saas_app.#", "0"),
 					resource.TestCheckResourceAttr(name, "auto_redirect_to_identity", "false"),
+					resource.TestCheckResourceAttr(name, "allow_authenticate_via_warp", "true"),
 				),
 			},
 		},
@@ -126,6 +127,7 @@ func TestAccCloudflareAccessApplication_BasicAccount(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "cors_headers.#", "0"),
 					resource.TestCheckResourceAttr(name, "sass_app.#", "0"),
 					resource.TestCheckResourceAttr(name, "auto_redirect_to_identity", "false"),
+					resource.TestCheckResourceAttr(name, "allow_authenticate_via_warp", "true"),
 				),
 			},
 		},
@@ -641,6 +643,7 @@ resource "cloudflare_access_application" "%[1]s" {
   type                      = "self_hosted"
   session_duration          = "24h"
   auto_redirect_to_identity = false
+	allow_authenticate_via_warp = true
 }
 `, rnd, domain, identifier.Type, identifier.Identifier)
 }

diff --git a/internal/sdkv2provider/resource_cloudflare_access_organization.go b/internal/sdkv2provider/resource_cloudflare_access_organization.go
@@ -61,6 +61,8 @@ func resourceCloudflareAccessOrganizationRead(ctx context.Context, d *schema.Res
 	d.Set("user_seat_expiration_inactive_time", organization.UserSeatExpirationInactiveTime)
 	d.Set("auto_redirect_to_identity", organization.AutoRedirectToIdentity)
 	d.Set("session_duration", organization.SessionDuration)
+	d.Set("warp_auth_session_duration", organization.WarpAuthSessionDuration)
+	d.Set("allow_authenticate_via_warp", organization.AllowAuthenticateViaWarp)
 
 	loginDesign := convertLoginDesignStructToSchema(ctx, d, &organization.LoginDesign)
 	if loginDesignErr := d.Set("login_design", loginDesign); loginDesignErr != nil {
@@ -87,6 +89,8 @@ func resourceCloudflareAccessOrganizationUpdate(ctx context.Context, d *schema.R
 		UserSeatExpirationInactiveTime: d.Get("user_seat_expiration_inactive_time").(string),
 		AutoRedirectToIdentity:         cloudflare.BoolPtr(d.Get("auto_redirect_to_identity").(bool)),
 		SessionDuration:                cloudflare.StringPtr(d.Get("session_duration").(string)),
+		WarpAuthSessionDuration:        cloudflare.StringPtr(d.Get("warp_auth_session_duration").(string)),
+		AllowAuthenticateViaWarp:       cloudflare.BoolPtr(d.Get("allow_authenticate_via_warp").(bool)),
 	}
 	loginDesign := convertLoginDesignSchemaToStruct(d)
 	updatedAccessOrganization.LoginDesign = *loginDesign

diff --git a/internal/sdkv2provider/resource_cloudflare_access_organization_test.go b/internal/sdkv2provider/resource_cloudflare_access_organization_test.go
@@ -37,6 +37,8 @@ func TestAccCloudflareAccessOrganization(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "login_design.0.header_text", "My header text"),
 					resource.TestCheckResourceAttr(name, "login_design.0.footer_text", "My footer text"),
 					resource.TestCheckResourceAttr(name, "session_duration", "12h"),
+					resource.TestCheckResourceAttr(name, "warp_auth_session_duration", "36h"),
+					resource.TestCheckResourceAttr(name, "allow_authenticate_via_warp", "false"),
 				),
 				ResourceName:     name,
 				ImportState:      true,
@@ -86,6 +88,8 @@ func testAccCloudflareAccessOrganizationConfigBasic(rnd, accountID string) strin
 			user_seat_expiration_inactive_time = "1460h"
 			auto_redirect_to_identity = false
 			session_duration = "12h"
+			warp_auth_session_duration = "36h"
+			allow_authenticate_via_warp = false
 
 			login_design {
 				background_color = "#FFFFFF"

diff --git a/internal/sdkv2provider/schema_cloudflare_access_application.go b/internal/sdkv2provider/schema_cloudflare_access_application.go
@@ -2,9 +2,10 @@ package sdkv2provider
 
 import (
 	"fmt"
-	"github.com/cloudflare/cloudflare-go"
 	"time"
 
+	"github.com/cloudflare/cloudflare-go"
+
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
@@ -386,6 +387,11 @@ func resourceCloudflareAccessApplicationSchema() map[string]*schema.Schema {
 				},
 			},
 		},
+		"allow_authenticate_via_warp": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: "When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.",
+		},
 	}
 }
 

diff --git a/internal/sdkv2provider/schema_cloudflare_access_organization.go b/internal/sdkv2provider/schema_cloudflare_access_organization.go
@@ -121,6 +121,16 @@ func resourceCloudflareAccessOrganizationSchema() map[string]*schema.Schema {
 				},
 			},
 		},
+		"allow_authenticate_via_warp": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Description: "When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.",
+		},
+		"warp_auth_session_duration": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.",
+		},
 	}
 }