Merge pull request #4665 from Michael9127/mike/ZTIA-355

Mike/ztia-355 Adds allow_email_alias connection rule boolean to access infra policy
cloudflare · Dec 5, 2024 · 99c1406 · 99c1406
2 parents 4a99153 + 79a3483
commit 99c1406
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 6 deletions.
diff --git a/.changelog/4665.txt b/.changelog/4665.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```
+
+```release-note:enhancement
+resource/cloudflare_zero_trust_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```
diff --git a/docs/resources/access_policy.md b/docs/resources/access_policy.md
@@ -70,6 +70,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
   connection_rules {
     ssh {
       usernames = ["ec2-user"]
+      allow_email_alias = true
     }
   }
 }
@@ -244,6 +245,7 @@ Required:
 Required:
 
 - `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
+- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.
 
 
 

diff --git a/docs/resources/zero_trust_access_policy.md b/docs/resources/zero_trust_access_policy.md
@@ -206,6 +206,7 @@ Required:
 Required:
 
 - `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
+- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.
 
 
 

diff --git a/examples/resources/cloudflare_access_policy/resource.tf b/examples/resources/cloudflare_access_policy/resource.tf
@@ -44,6 +44,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
   connection_rules {
     ssh {
       usernames = ["ec2-user"]
+      allow_email_alias = true
     }
   }
 }

diff --git a/internal/sdkv2provider/resource_cloudflare_access_policy.go b/internal/sdkv2provider/resource_cloudflare_access_policy.go
@@ -66,6 +66,7 @@ func apiAccessPolicyApprovalGroupToSchema(approvalGroup cloudflare.AccessApprova
 
 func schemaAccessPolicyConnectionRulesToAPI(connectionRules map[string]interface{}) (*cloudflare.AccessInfrastructureConnectionRules, error) {
 	usernames := []string{}
+	var allowEmailAlias *bool
 	if sshVal, ok := connectionRules["ssh"].([]interface{}); ok && len(sshVal) > 0 {
 		if sshMap, ok := sshVal[0].(map[string]interface{}); ok {
 			str_return := []string{}
@@ -75,12 +76,18 @@ func schemaAccessPolicyConnectionRulesToAPI(connectionRules map[string]interface
 				}
 			}
 			usernames = str_return
+
+			if allowAlias, ok := sshMap["allow_email_alias"].(bool); ok {
+				allowEmailAlias = &allowAlias
+			}
+
 		}
 	}
 
 	return &cloudflare.AccessInfrastructureConnectionRules{
 		SSH: &cloudflare.AccessInfrastructureConnectionRulesSSH{
-			Usernames: usernames,
+			Usernames:       usernames,
+			AllowEmailAlias: allowEmailAlias,
 		},
 	}, nil
 }
@@ -91,14 +98,15 @@ func apiAccessPolicyConnectionRulesToSchema(connectionRules *cloudflare.AccessIn
 	}
 
 	var connectionRulesSchema []interface{}
-	var usernameList []map[string]interface{}
+	var sshArgList []map[string]interface{}
 
-	usernameMap := map[string]interface{}{
-		"usernames": connectionRules.SSH.Usernames,
+	sshArgMap := map[string]interface{}{
+		"usernames":         connectionRules.SSH.Usernames,
+		"allow_email_alias": connectionRules.SSH.AllowEmailAlias,
 	}
-	usernameList = append(usernameList, usernameMap)
+	sshArgList = append(sshArgList, sshArgMap)
 	connectionRulesSchema = append(connectionRulesSchema, map[string]interface{}{
-		"ssh": usernameList,
+		"ssh": sshArgList,
 	})
 
 	return connectionRulesSchema

diff --git a/internal/sdkv2provider/resource_cloudflare_access_policy_test.go b/internal/sdkv2provider/resource_cloudflare_access_policy_test.go
@@ -991,6 +991,7 @@ func TestAccCloudflareAccessPolicy_ConnectionRules(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "name", rnd),
 					resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 					resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.usernames.0", "tfgo-acc-test"),
+					resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.allow_email_alias", "true"),
 					resource.TestCheckResourceAttr(name, "include.0.email.0", "[email protected]"),
 				),
 			},
@@ -1024,6 +1025,7 @@ func testAccessPolicyConnectionRulesConfig(resourceID, zone, accountID string) s
 	  connection_rules {
 		ssh {
 		  usernames = ["tfgo-acc-test"]
+		  allow_email_alias = true
 		}
       }
       include {

diff --git a/internal/sdkv2provider/schema_cloudflare_access_policy.go b/internal/sdkv2provider/schema_cloudflare_access_policy.go
@@ -125,6 +125,11 @@ func resourceCloudflareAccessPolicySchema() map[string]*schema.Schema {
 										Type: schema.TypeString,
 									},
 								},
+								"allow_email_alias": {
+									Type:        schema.TypeBool,
+									Optional:    true,
+									Description: "Allows connecting to Unix username that matches the authenticating email prefix.",
+								},
 							},
 						},
 					},
Original file line number	Diff line number	Diff line change
Expand Up		@@ -206,6 +206,7 @@ Required:
		Required:

		- `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
		- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.



Expand Down
-Original file line number
+Diff line change
@@ Expand Up @@
       connection_rules {
         ssh {
           usernames = ["ec2-user"]
+          allow_email_alias = true
         }
       }
     }
@@ Expand Down @@