From 235e0c76eb1b184148023b3882dcf87f8f8b2c84 Mon Sep 17 00:00:00 2001
From: ranbel <101146722+ranbel@users.noreply.github.com>
Date: Fri, 18 Oct 2024 16:06:27 -0400
Subject: [PATCH] add Terraform examples (#17640)
---
.../non-http/infrastructure-apps.mdx | 32 ++--
.../ssh/ssh-infrastructure-access.mdx | 8 +-
.../access/add-infrastructure-app.mdx | 138 +++++++++++++-----
.../access/add-infrastructure-policy.mdx | 19 ---
.../cloudflare-one/access/add-target.mdx | 61 ++++++--
5 files changed, 159 insertions(+), 99 deletions(-)
delete mode 100644 src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
index c9a67a7c65367f..89468a834912b7 100644
--- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
+++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx
@@ -47,29 +47,13 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
-## 3. Add a policy
-
-
-
-### Selectors
-
-The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
-
-- Email
-- Emails ending in
-- SAML group
-- Country
-- Authentication method
-- Device posture
-- Entra group, GitHub organization, Google Workspace group, Okta group
-
-## 4. Configure the server
+## 3. Configure the server
Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)
-## Connect as a user
+## 4. Connect as a user
Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
@@ -116,3 +100,15 @@ warp-cli target list
## Revoke a user's session
To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
+
+## Infrastructure policy selectors
+
+The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
+
+- Email
+- Emails ending in
+- SAML group
+- Country
+- Authentication method
+- Device posture
+- Entra group, GitHub organization, Google Workspace group, Okta group
\ No newline at end of file
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
index 2e2791101db732..7ac7f1e032a780 100644
--- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx
@@ -40,11 +40,7 @@ To connect your devices to Cloudflare:
-## 6. Add a policy
-
-
-
-## 7. Configure SSH server
+## 6. Configure SSH server
Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.
@@ -65,7 +61,7 @@ To generate a Cloudflare SSH CA and get its public key:
### Restart your SSH server
-## 8. Connect as a user
+## 7. Connect as a user
Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
index cf3f4c58d365cc..ecfb1ab39d2403 100644
--- a/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
+++ b/src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
@@ -15,57 +15,115 @@ import { Tabs, TabItem, Render } from "~/components"
5. In **Target criteria**, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
6. Enter the **Protocol** and **Port** that will be used to connect to the server.
7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number.
+ :::note
+ Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
+ :::
8. Select **Next**.
+9. To secure your targets, configure a policy that defines who can connect and how they can connect:
+ 1. Enter any name for your policy.
+ 2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).
+ 3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
+4. Select **Add application**.
-To add an infrastructure application using the [API](/api/operations/access-applications-add-an-application):
-
-```sh
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
---header "Authorization: Bearer " \
---header "Content-Type: application/json" \
---data '{
- "name": "example app",
- "type": "infrastructure",
- "target_criteria": [
- {
- "target_attributes": {
- "hostname": [
- "infra-access-target"
- ]
- },
- "port": 22,
- "protocol": "SSH"
- }
- ],
- "policies": [
- {
- "name": "Allow a specific email",
- "decision": "allow",
- "include": [
- {
- "email": {
- "email": "jdoe@company.com"
- }
- }
- ],
- "connection_rules": {
- "ssh": {
- "usernames": [
- "root",
- "ec2-user"
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+ | Type | Item | Permission |
+ | ------- | ---------------- | ---------- |
+ | Account | Access: Apps & Policies | Edit |
+
+2. Make a `POST` request to the [Access applications](/api/operations/access-applications-add-an-application) endpoint:
+
+ ```sh
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
+ --header "Authorization: Bearer " \
+ --header "Content-Type: application/json" \
+ --data '{
+ "name": "Example infrastructure app",
+ "type": "infrastructure",
+ "target_criteria": [
+ {
+ "target_attributes": {
+ "hostname": [
+ "infra-access-target"
]
+ },
+ "port": 22,
+ "protocol": "SSH"
+ }
+ ],
+ "policies": [
+ {
+ "name": "Allow a specific email",
+ "decision": "allow",
+ "include": [
+ {
+ "email": {
+ "email": "jdoe@company.com"
+ }
+ }
+ ],
+ "connection_rules": {
+ "ssh": {
+ "usernames": [
+ "root",
+ "ec2-user"
+ ]
+ }
}
}
+ ]
+ }'
+ ```
+
+
+
+
+1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
+
+ ```tf
+ resource "cloudflare_zero_trust_access_application" "infra-app" {
+ account_id = "f037e56e89293a057740de681ac9abbe"
+ name = "Example infrastructure app"
+ type = "infrastructure"
+
+ target_criteria {
+ port = 22
+ protocol = "SSH"
+ target_attributes {
+ name = "hostname"
+ values = ["infra-access-target"]
+ }
+ }
+ }
+ ```
+
+2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
+
+ ```tf
+ resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
+ application_id = cloudflare_zero_trust_access_application.infra-app.id
+ account_id = "f037e56e89293a057740de681ac9abbe"
+ name = "Allow a specific email"
+ decision = "allow"
+ precedence = 1
+
+ include {
+ email = ["jdoe@company.com"]
}
- ]
-}'
-```
+ connection_rules {
+ ssh {
+ usernames = ["root", "ec2-user"]
+ }
+ }
+ }
+ ```
+The targets in this application are now secured by your infrastructure policies.
+
:::note
-Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
+Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
:::
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx b/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx
deleted file mode 100644
index 7cf23b612f4163..00000000000000
--- a/src/content/partials/cloudflare-one/access/add-infrastructure-policy.mdx
+++ /dev/null
@@ -1,19 +0,0 @@
----
-{}
-
----
-
-import { Tabs, TabItem, Render } from "~/components"
-
-To secure your targets, configure a policy that defines who can connect and how they can connect:
-
-1. Enter any name for your policy.
-2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/).
-3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
-4. Select **Add application**.
-
-The targets in this application are now secured by your infrastructure policies.
-
-:::note
-Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
-:::
\ No newline at end of file
diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx
index b61a3131c9b34d..be10872c9c84af 100644
--- a/src/content/partials/cloudflare-one/access/add-target.mdx
+++ b/src/content/partials/cloudflare-one/access/add-target.mdx
@@ -9,7 +9,7 @@ A target represents a single resource in your infrastructure (such as a server,
To create a new target:
-
+
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
2. Select **Add a target**.
@@ -30,22 +30,51 @@ To create a new target:
-```sh
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
---header "Authorization: Bearer " \
---data '{
- "hostname": "infra-access-target",
- "ip": {
- "ipv4": {
- "ip_addr": "187.26.29.249",
- "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
- },
- "ipv6": {
- "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
- "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+ | Type | Item | Permission |
+ | ------- | ---------------- | ---------- |
+ | Account | Zero Trust | Edit |
+
+2. Make a `POST` request to the [Infrastructure Access Targets](/api/operations/infra-targets-post) endpoint:
+
+ ```sh
+ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
+ --header "Authorization: Bearer " \
+ --data '{
+ "hostname": "infra-access-target",
+ "ip": {
+ "ipv4": {
+ "ip_addr": "187.26.29.249",
+ "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+ },
+ "ipv6": {
+ "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
+ "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+ }
+ }
+ }'
+ ```
+
+
+
+
+Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource:
+
+```tf
+resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
+ account_id = "f037e56e89293a057740de681ac9abbe"
+ hostname = "infra-access-target"
+ ip = {
+ ipv4 = {
+ ip_addr = "187.26.29.249"
+ virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+ }
+ ipv6 = {
+ ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
+ virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+ }
}
- }
-}'
+}
```