Merge pull request #2351 from jroyal/jroyal/auth-4939
feat(Access): Add isolation_required flag to access policies
jacobbednarz authored Apr 14, 2023
2 parents f8d0bc1 + f5427ea commit 9f21943
Showing 5 changed files with 66 additions and 0 deletions.
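--- a/.changelog/2351.txt
+++ b/.changelog/2351.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_policy: Add isolation_required flag
+```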
1 change: 1 addition & 0 deletions docs/resources/access_policy.md
Expand Up @@ -75,6 +75,7 @@ resource "cloudflare_access_policy" "test_policy" {
- `approval_group` (Block List) (see [below for nested schema](#nestedblock--approval_group))
- `approval_required` (Boolean)
- `exclude` (Block List) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--exclude))
- `isolation_required` (Boolean) Require this application to be served in an isolated browser for users matching this policy.
- `purpose_justification_prompt` (String) The prompt to display to the user for a justification for accessing the resource. Required when using `purpose_justification_required`.
- `purpose_justification_required` (Boolean) Whether to prompt the user for a justification for accessing the resource.
- `require` (Block List) A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions). (see [below for nested schema](#nestedblock--require))
7 changes: 7 additions & 0 deletions internal/sdkv2provider/resource_cloudflare_access_policy.go
Expand Up @@ -99,6 +99,10 @@ func resourceCloudflareAccessPolicyRead(ctx context.Context, d *schema.ResourceD
return diag.FromErr(fmt.Errorf("failed to set include attribute: %w", err))
}

if accessPolicy.IsolationRequired != nil {
d.Set("isolation_required", accessPolicy.IsolationRequired)
}

if accessPolicy.PurposeJustificationRequired != nil {
d.Set("purpose_justification_required", accessPolicy.PurposeJustificationRequired)
}
Expand Down Expand Up @@ -270,6 +274,9 @@ func appendConditionalAccessPolicyFields(policy cloudflare.AccessPolicy, d *sche
}
}

isolationRequired := d.Get("isolation_required").(bool)
policy.IsolationRequired = &isolationRequired

purposeJustificationRequired := d.Get("purpose_justification_required").(bool)
policy.PurposeJustificationRequired = &purposeJustificationRequired

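Review bot: In the Read hunk, `if accessPolicy.IsolationRequired != nil { d.Set("isolation_required", ...) }` leaves whatever value was last stored in state when the API returns nil, so if the API omits the flag when isolation is not enforced (I cannot confirm that from here) a policy whose isolation was switched off out of band would keep reading as `true` and never show drift on a control that gates browser isolation. The write path already sends an explicit value every time (`policy.IsolationRequired = &isolationRequired`, with an unset attribute resolving to `false`), so the Read could mirror it and fail closed: `d.Set("isolation_required", accessPolicy.IsolationRequired != nil && *accessPolicy.IsolationRequired)`. If nil is deliberately treated as "unchanged" because older API responses predate the field, a one-line comment saying so, e.g. `// nil means the API did not return the flag; keep prior state rather than assume false`, would stop the next reader from "fixing" it. Both `resourceCloudflareAccessPolicyRead` and `appendConditionalAccessPolicyFields` start and end outside these hunks.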
50 changes: 50 additions & 0 deletions internal/sdkv2provider/resource_cloudflare_access_policy_test.go
Expand Up @@ -864,3 +864,53 @@ func testAccessPolicyExternalEvalautionConfig(resourceID, zone, accountID string
`, resourceID, zone, accountID)
}

func TestAccCloudflareAccessPolicy_IsolationRequired(t *testing.T) {
rnd := generateRandomResourceName()
name := "cloudflare_access_policy." + rnd
zone := os.Getenv("CLOUDFLARE_DOMAIN")
accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")

resource.Test(t, resource.TestCase{
PreCheck: func() {
testAccPreCheck(t)
testAccPreCheckAccount(t)
},
ProviderFactories: providerFactories,
Steps: []resource.TestStep{
{
Config: testAccessPolicyIsolationRequiredConfig(rnd, zone, accountID),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(name, "name", rnd),
resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
resource.TestCheckResourceAttr(name, "isolation_required", "true"),
),
},
},
})
}

func testAccessPolicyIsolationRequiredConfig(resourceID, zone, accountID string) string {
return fmt.Sprintf(`
resource "cloudflare_access_application" "%[1]s" {
name = "%[1]s"
account_id = "%[3]s"
domain = "%[1]s.%[2]s"
}
resource "cloudflare_access_policy" "%[1]s" {
application_id = cloudflare_access_application.%[1]s.id
name = "%[1]s"
account_id = "%[3]s"
decision = "allow"
precedence = "1"
include {
email = ["[email protected]", "[email protected]"]
}
isolation_required = "true"
}
`, resourceID, zone, accountID)
}
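Review bot: `TestAccCloudflareAccessPolicy_IsolationRequired` only exercises switching the control on; nothing checks that `isolation_required = false` (or omitting the attribute) actually clears it on the API and is read back as `false`, which is the direction a regression would weaken security. A second `TestStep` that flips the flag and re-checks state is cheap if `testAccessPolicyIsolationRequiredConfig` takes the value as a parameter. Separately, `isolation_required = "true"` hands a string to a `TypeBool` attribute; HCL coerces it, but writing the bool literal (`%[4]t` from the helper) avoids relying on that.

```go
Steps: []resource.TestStep{
    {
        Config: testAccessPolicyIsolationRequiredConfig(rnd, zone, accountID, true),
        // … unchanged: checks for name, account_id, isolation_required == "true" …
    },
    {
        // Turn the control off and confirm the provider clears it rather than leaving it set.
        Config: testAccessPolicyIsolationRequiredConfig(rnd, zone, accountID, false),
        Check:  resource.TestCheckResourceAttr(name, "isolation_required", "false"),
    },
},
// … unchanged: rest of TestCase …

func testAccessPolicyIsolationRequiredConfig(resourceID, zone, accountID string, isolationRequired bool) string {
    return fmt.Sprintf(`
// … unchanged: access_application and access_policy blocks …
  isolation_required = %[4]t
}
`, resourceID, zone, accountID, isolationRequired)
}
```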
5 changes: 5 additions & 0 deletions internal/sdkv2provider/schema_cloudflare_access_policy.go
Expand Up @@ -63,6 +63,11 @@ func resourceCloudflareAccessPolicySchema() map[string]*schema.Schema {
Elem: AccessGroupOptionSchemaElement,
Description: "A series of access conditions, see [Access Groups](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/access_group#conditions).",
},
"isolation_required": {
Type: schema.TypeBool,
Optional: true,
Description: "Require this application to be served in an isolated browser for users matching this policy.",
},
"purpose_justification_required": {
Type: schema.TypeBool,
Optional: true,
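Review bot: The new `isolation_required` schema entry is `Optional` with no `Default`, and the write path reads it with `d.Get("isolation_required").(bool)`, so an attribute the operator never sets appears to be sent to the API as an explicit `false`; the description should say that, so omitting it is understood as a deliberate "not isolated" rather than "leave the API value alone": `Description: "Require this application to be served in an isolated browser for users matching this policy. Defaults to false; when unset the policy is created with isolation disabled."`. If this provider's convention for such flags is `Default: false`, adding it here would also make the plan show the value explicitly instead of leaving it blank. `resourceCloudflareAccessPolicySchema` starts and ends outside the hunk.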
