Merge pull request #2041 from Cyb3r-Jak3/cloudflare_tunnel_config

Add support for tunnel_config

.changelog/2041.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+cloudflare_tunnel_config
+```

.semgrep.yml

@@ -11,6 +11,7 @@ rules:
         - 'templates/'
     patterns:
       - pattern-regex: '\d+\.\d+\.\d+\.\d+'
+      - pattern-not: '127.0.0.1'
       - pattern-not-regex: '10\.\d+\.\d+.\d+'
       - pattern-not-regex: '192\.168\.\d+.\d+'
       - pattern-not-regex: '192\.0\.2\.\d+'    # 192.0.2.0/24 (TEST-NET-1, rfc5737)

docs/resources/tunnel_config.md

@@ -0,0 +1,141 @@
+---
+page_title: "cloudflare_tunnel_config Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a Cloudflare Tunnel configuration resource.
+---
+
+# cloudflare_tunnel_config (Resource)
+
+Provides a Cloudflare Tunnel configuration resource.
+
+!> When you delete a tunnel configuration, the tunnel will be deleted. You need to make sure that the tunnel is not in use before deleting the configuration.
+
+## Example Usage
+
+```terraform
+resource "cloudflare_argo_tunnel" "example_tunnel" {
+  account_id = "f037e56e89293a057740de681ac9abbe"
+  name       = "example_tunnel"
+  secret     = "<32 character secret>"
+}
+
+resource "cloudflare_tunnel_config" "example_config" {
+  account_id = "f037e56e89293a057740de681ac9abbe"
+  tunnel_id  = cloudflare_argo_tunnel.example_tunnel.id
+
+  config {
+    warp_routing {
+      enabled = true
+    }
+    origin_request {
+      connect_timeout          = "1m0s"
+      tls_timeout              = "1m0s"
+      tcp_keep_alive           = "1m0s"
+      no_happy_eyeballs        = false
+      keep_alive_connections   = 1024
+      keep_alive_timeout       = "1m0s"
+      http_host_header         = "baz"
+      origin_server_name       = "foobar"
+      ca_pool                  = "/path/to/unsigned/ca/pool"
+      no_tls_verify            = false
+      disable_chunked_encoding = false
+      bastion_mode             = false
+      proxy_address            = "10.0.0.1"
+      proxy_port               = "8123"
+      proxy_type               = "socks"
+      ip_rules {
+        prefix = "/web"
+        ports  = [80, 443]
+        allow  = false
+      }
+    }
+    ingress_rule {
+      hostname = "foo"
+      path     = "/bar"
+      service  = "http://10.0.0.2:8080"
+    }
+    ingress_rule {
+      service = "https://10.0.0.3:8081"
+    }
+  }
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `account_id` (String) The account identifier to target for the resource.
+- `config` (Block List, Min: 1, Max: 1) Configuration block for Tunnel Configuration. (see [below for nested schema](#nestedblock--config))
+- `tunnel_id` (String) Identifier of the Tunnel to target for this configuration.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--config"></a>
+### Nested Schema for `config`
+
+Required:
+
+- `ingress_rule` (Block List, Min: 1) Each incoming request received by cloudflared causes cloudflared to send a request to a local service. This section configures the rules that determine which requests are sent to which local services. [Read more](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/local-management/ingress/). (see [below for nested schema](#nestedblock--config--ingress_rule))
+
+Optional:
+
+- `origin_request` (Block List, Max: 1) (see [below for nested schema](#nestedblock--config--origin_request))
+- `warp_routing` (Block List, Max: 1) If you're exposing a [private network](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/private-net/), you need to add the `warp-routing` key and set it to `true`. (see [below for nested schema](#nestedblock--config--warp_routing))
+
+<a id="nestedblock--config--ingress_rule"></a>
+### Nested Schema for `config.ingress_rule`
+
+Required:
+
+- `service` (String) Name of the service to which the request will be sent.
+
+Optional:
+
+- `hostname` (String) Hostname to match the incoming request with. If the hostname matches, the request will be sent to the service.
+- `path` (String) Path of the incoming request. If the path matches, the request will be sent to the local service.
+
+
+<a id="nestedblock--config--origin_request"></a>
+### Nested Schema for `config.origin_request`
+
+Optional:
+
+- `bastion_mode` (Boolean) Runs as jump host.
+- `ca_pool` (String) Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. Defaults to `""`.
+- `connect_timeout` (String) Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`. Defaults to `30s`.
+- `disable_chunked_encoding` (Boolean) Disables chunked transfer encoding. Useful if you are running a Web Server Gateway Interface (WSGI) server. Defaults to `false`.
+- `http_host_header` (String) Sets the HTTP Host header on requests sent to the local service. Defaults to `""`.
+- `ip_rules` (Block Set) IP rules for the proxy service. (see [below for nested schema](#nestedblock--config--origin_request--ip_rules))
+- `keep_alive_connections` (Number) Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. Defaults to `100`.
+- `keep_alive_timeout` (String) Timeout after which an idle keepalive connection can be discarded. Defaults to `1m30s`.
+- `no_happy_eyeballs` (Boolean) Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. Defaults to `false`.
+- `no_tls_verify` (Boolean) Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Defaults to `false`.
+- `origin_server_name` (String) Hostname that cloudflared should expect from your origin server certificate. Defaults to `""`.
+- `proxy_address` (String) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy. Defaults to `127.0.0.1`.
+- `proxy_port` (Number) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. Defaults to `0`.
+- `proxy_type` (String) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Available values: ``, `socks`. Defaults to `""`.
+- `tcp_keep_alive` (String) The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. Defaults to `30s`.
+- `tls_timeout` (String) Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. Defaults to `10s`.
+
+<a id="nestedblock--config--origin_request--ip_rules"></a>
+### Nested Schema for `config.origin_request.ip_rules`
+
+Optional:
+
+- `allow` (Boolean) Whether to allow the IP prefix.
+- `ports` (List of Number) Ports to use within the IP rule.
+- `prefix` (String) IP rule prefix.
+
+
+
+<a id="nestedblock--config--warp_routing"></a>
+### Nested Schema for `config.warp_routing`
+
+Optional:
+
+- `enabled` (Boolean) Whether WARP routing is enabled.

examples/resources/cloudflare_tunnel_config/resource.tf

@@ -0,0 +1,46 @@
+resource "cloudflare_argo_tunnel" "example_tunnel" {
+  account_id = "f037e56e89293a057740de681ac9abbe"
+  name       = "example_tunnel"
+  secret     = "<32 character secret>"
+}
+
+resource "cloudflare_tunnel_config" "example_config" {
+  account_id = "f037e56e89293a057740de681ac9abbe"
+  tunnel_id  = cloudflare_argo_tunnel.example_tunnel.id
+
+  config {
+    warp_routing {
+      enabled = true
+    }
+    origin_request {
+      connect_timeout          = "1m0s"
+      tls_timeout              = "1m0s"
+      tcp_keep_alive           = "1m0s"
+      no_happy_eyeballs        = false
+      keep_alive_connections   = 1024
+      keep_alive_timeout       = "1m0s"
+      http_host_header         = "baz"
+      origin_server_name       = "foobar"
+      ca_pool                  = "/path/to/unsigned/ca/pool"
+      no_tls_verify            = false
+      disable_chunked_encoding = false
+      bastion_mode             = false
+      proxy_address            = "10.0.0.1"
+      proxy_port               = "8123"
+      proxy_type               = "socks"
+      ip_rules {
+        prefix = "/web"
+        ports  = [80, 443]
+        allow  = false
+      }
+    }
+    ingress_rule {
+      hostname = "foo"
+      path     = "/bar"
+      service  = "http://10.0.0.2:8080"
+    }
+    ingress_rule {
+      service = "https://10.0.0.3:8081"
+    }
+  }
+}

internal/provider/provider.go

@@ -259,6 +259,7 @@ func New(version string) func() *schema.Provider {
 				"cloudflare_teams_list":                             resourceCloudflareTeamsList(),
 				"cloudflare_teams_location":                         resourceCloudflareTeamsLocation(),
 				"cloudflare_teams_proxy_endpoint":                   resourceCloudflareTeamsProxyEndpoint(),
+				"cloudflare_tunnel_config":                          resourceCloudflareTunnelConfig(),
 				"cloudflare_teams_rule":                             resourceCloudflareTeamsRule(),
 				"cloudflare_total_tls":                              resourceCloudflareTotalTLS(),
 				"cloudflare_tunnel_route":                           resourceCloudflareTunnelRoute(),