diff --git a/.changelog/4665.txt b/.changelog/4665.txt
new file mode 100644
index 0000000000..6fb818aa0c
--- /dev/null
+++ b/.changelog/4665.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```
+
+```release-note:enhancement
+resource/cloudflare_zero_trust_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```
diff --git a/docs/resources/access_policy.md b/docs/resources/access_policy.md
index f9d034af67..44ac5b241f 100644
--- a/docs/resources/access_policy.md
+++ b/docs/resources/access_policy.md
@@ -70,6 +70,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
 connection_rules {
 ssh {
 usernames = ["ec2-user"]
+ allow_email_alias = true
 }
 }
 }
@@ -244,6 +245,7 @@ Required:
 Required:
 - `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
+- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.
diff --git a/docs/resources/zero_trust_access_policy.md b/docs/resources/zero_trust_access_policy.md
index c91bb77417..6b370b963a 100644
--- a/docs/resources/zero_trust_access_policy.md
+++ b/docs/resources/zero_trust_access_policy.md
@@ -206,6 +206,7 @@ Required:
 Required:
 - `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
+- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.
diff --git a/examples/resources/cloudflare_access_policy/resource.tf b/examples/resources/cloudflare_access_policy/resource.tf
index 4a3d00850f..2878d23137 100644
--- a/examples/resources/cloudflare_access_policy/resource.tf
+++ b/examples/resources/cloudflare_access_policy/resource.tf
@@ -44,6 +44,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
 connection_rules {
 ssh {
 usernames = ["ec2-user"]
+ allow_email_alias = true
 }
 }
 }
diff --git a/internal/sdkv2provider/resource_cloudflare_access_policy.go b/internal/sdkv2provider/resource_cloudflare_access_policy.go
index 9ecb7c4dd6..ca9e2a3064 100644
--- a/internal/sdkv2provider/resource_cloudflare_access_policy.go
+++ b/internal/sdkv2provider/resource_cloudflare_access_policy.go
@@ -66,6 +66,7 @@ func apiAccessPolicyApprovalGroupToSchema(approvalGroup cloudflare.AccessApprova
 func schemaAccessPolicyConnectionRulesToAPI(connectionRules map[string]interface{}) (*cloudflare.AccessInfrastructureConnectionRules, error) {
 usernames := []string{}
+ var allowEmailAlias *bool
 if sshVal, ok := connectionRules["ssh"].([]interface{}); ok && len(sshVal) > 0 {
 if sshMap, ok := sshVal[0].(map[string]interface{}); ok {
 str_return := []string{}
@@ -75,12 +76,18 @@ func schemaAccessPolicyConnectionRulesToAPI(connectionRules map[string]interface
 }
 }
 usernames = str_return
+
+ if allowAlias, ok := sshMap["allow_email_alias"].(bool); ok {
+ allowEmailAlias = &allowAlias
+ }
+
 }
 }
 return &cloudflare.AccessInfrastructureConnectionRules{
 SSH: &cloudflare.AccessInfrastructureConnectionRulesSSH{
- Usernames: usernames,
+ Usernames: usernames,
+ AllowEmailAlias: allowEmailAlias,
 },
 }, nil
 }
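Review bot: The `ok` branch around `sshMap["allow_email_alias"].(bool)` in the second hunk never leaves `allowEmailAlias` nil: for an `Optional` `TypeBool` attribute the SDKv2 flattened map carries `false` when the user omits it (assuming the usual flatten path, worth confirming), so the type assertion succeeds on every run and the request always sends an explicit `false`. If the `*bool` was chosen so the field could be omitted from the API call, that case cannot be detected here; if an explicit `false` is intended — and for a flag that widens which Unix account an authenticated user may log in to, an explicit `false` is the safer default — the `var allowEmailAlias *bool` declaration in the `@@ -66` hunk could be a plain `bool` with the assertion reduced to `allowEmailAlias, _ = sshMap["allow_email_alias"].(bool)`, making the intent visible and removing the dead check. Either way a one-line comment stating which behaviour is intended, e.g. `// Always sent explicitly; an omitted attribute is treated as false by the SDK.`, would save the next reader the same question.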
@@ -91,14 +98,15 @@ func apiAccessPolicyConnectionRulesToSchema(connectionRules *cloudflare.AccessIn
 }
 var connectionRulesSchema []interface{}
- var usernameList []map[string]interface{}
+ var sshArgList []map[string]interface{}
- usernameMap := map[string]interface{}{
- "usernames": connectionRules.SSH.Usernames,
+ sshArgMap := map[string]interface{}{
+ "usernames": connectionRules.SSH.Usernames,
+ "allow_email_alias": connectionRules.SSH.AllowEmailAlias,
 }
- usernameList = append(usernameList, usernameMap)
+ sshArgList = append(sshArgList, sshArgMap)
 connectionRulesSchema = append(connectionRulesSchema, map[string]interface{}{
- "ssh": usernameList,
+ "ssh": sshArgList,
 })
 return connectionRulesSchema
diff --git a/internal/sdkv2provider/resource_cloudflare_access_policy_test.go b/internal/sdkv2provider/resource_cloudflare_access_policy_test.go
index de4a45a4eb..14b5d78efe 100644
--- a/internal/sdkv2provider/resource_cloudflare_access_policy_test.go
+++ b/internal/sdkv2provider/resource_cloudflare_access_policy_test.go
@@ -991,6 +991,7 @@ func TestAccCloudflareAccessPolicy_ConnectionRules(t *testing.T) {
 resource.TestCheckResourceAttr(name, "name", rnd),
 resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.usernames.0", "tfgo-acc-test"),
+ resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.allow_email_alias", "true"),
 resource.TestCheckResourceAttr(name, "include.0.email.0", "devuser@cloudflare.com"),
 ),
 },
@@ -1024,6 +1025,7 @@ func testAccessPolicyConnectionRulesConfig(resourceID, zone, accountID string) s
 connection_rules {
 ssh {
 usernames = ["tfgo-acc-test"]
+ allow_email_alias = true
 }
 }
 include {
diff --git a/internal/sdkv2provider/schema_cloudflare_access_policy.go b/internal/sdkv2provider/schema_cloudflare_access_policy.go
index 328748e168..273717f417 100644
--- a/internal/sdkv2provider/schema_cloudflare_access_policy.go
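Review bot: `"allow_email_alias": connectionRules.SSH.AllowEmailAlias` puts a `*bool` into the map that backs a `TypeBool` attribute, so the SDK's field writer has to dereference the pointer and treat a nil one (API response without the field) as `false`; that relies on the writer's decoding rules rather than on anything visible in this function, and a change in that behaviour would surface as a state write error or a permanent plan diff on an authorization flag. Dereferencing explicitly before building `sshArgMap` keeps the state value a plain `bool` and makes the nil case deliberate. The leading `}` context line suggests a guard precedes this hunk, but the function's opening lines are outside it, so whether `connectionRules.SSH` is checked for nil cannot be confirmed here.
```go
	allowEmailAlias := false
	if connectionRules.SSH.AllowEmailAlias != nil {
		allowEmailAlias = *connectionRules.SSH.AllowEmailAlias
	}
	sshArgMap := map[string]interface{}{
		"usernames":         connectionRules.SSH.Usernames,
		"allow_email_alias": allowEmailAlias,
	}
	// … unchanged: append to sshArgList and connectionRulesSchema …
```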
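Review bot: The acceptance test only exercises `allow_email_alias = true`; the omitted/`false` case, which is exactly where the `*bool` round-trip through `schemaAccessPolicyConnectionRulesToAPI` and `apiAccessPolicyConnectionRulesToSchema` can differ from the config and produce a perpetual diff, is not covered. A second config (or a follow-up step) without the attribute, checked with `resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.allow_email_alias", "false")`, would pin the default for this authorization flag. `testAccessPolicyConnectionRulesConfig` continues outside the hunk, so the rest of the generated HCL cannot be reviewed here.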
+++ b/internal/sdkv2provider/schema_cloudflare_access_policy.go
@@ -125,6 +125,11 @@ func resourceCloudflareAccessPolicySchema() map[string]*schema.Schema {
 Type: schema.TypeString,
 },
 },
+ "allow_email_alias": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "Allows connecting to Unix username that matches the authenticating email prefix.",
+ },
 },
 },
 },
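Review bot: The schema marks `allow_email_alias` as `Optional: true`, yet both `docs/resources/access_policy.md` and `docs/resources/zero_trust_access_policy.md` in this commit add it under the `Required:` heading, which suggests the docs were edited by hand rather than regenerated from the schema; regenerating them would place the attribute under `Optional:` and keep the two in sync. The `Description` would also read better and tell users what they need to know — that the flag is off unless set — as `Allows connecting to the Unix username that matches the authenticating email prefix. Defaults to false.`, provided the unset-as-false behaviour is confirmed in the resource's conversion code. `resourceCloudflareAccessPolicySchema` starts and ends outside this hunk.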