Merge pull request #4665 from Michael9127/mike/ZTIA-355
Mike/ztia-355 Adds allow_email_alias connection rule boolean to access infra policy
jacobbednarz authored Dec 5, 2024
2 parents 4a99153 + 79a3483 commit 99c1406
Showing 7 changed files with 32 additions and 6 deletions.
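--- a/.changelog/4665.txt
+++ b/.changelog/4665.txt
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```
+
+```release-note:enhancement
+resource/cloudflare_zero_trust_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```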
2 changes: 2 additions & 0 deletions docs/resources/access_policy.md
@@ -70,6 +70,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
connection_rules {
ssh {
usernames = ["ec2-user"]
allow_email_alias = true
}
}
}
@@ -244,6 +245,7 @@ Required:
Required:

- `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.



1 change: 1 addition & 0 deletions docs/resources/zero_trust_access_policy.md
@@ -206,6 +206,7 @@ Required:
Required:

- `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.



1 change: 1 addition & 0 deletions examples/resources/cloudflare_access_policy/resource.tf
@@ -44,6 +44,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
connection_rules {
ssh {
usernames = ["ec2-user"]
allow_email_alias = true
}
}
}
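Review bot: The example now sets `allow_email_alias = true` beside `usernames = ["ec2-user"]` with nothing saying that this is an opt-in that widens the policy, and examples tend to be copied as-is. Going by the attribute description added in this commit, the flag appears to permit a login name derived from the authenticating email in addition to the listed usernames; the exact matching rule is not visible here. I would add a comment above the line, for example `# Optional: also permits the Unix username matching the user's email prefix; leave unset to allow only the names in usernames`, or leave the flag out of the default example. The resource block starts above the hunk and continues below it.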
20 changes: 14 additions & 6 deletions internal/sdkv2provider/resource_cloudflare_access_policy.go
@@ -66,6 +66,7 @@ func apiAccessPolicyApprovalGroupToSchema(approvalGroup cloudflare.AccessApprova

func schemaAccessPolicyConnectionRulesToAPI(connectionRules map[string]interface{}) (*cloudflare.AccessInfrastructureConnectionRules, error) {
usernames := []string{}
var allowEmailAlias *bool
if sshVal, ok := connectionRules["ssh"].([]interface{}); ok && len(sshVal) > 0 {
if sshMap, ok := sshVal[0].(map[string]interface{}); ok {
str_return := []string{}
@@ -75,12 +76,18 @@ func schemaAccessPolicyConnectionRulesToAPI(connectionRules map[string]interface
}
}
usernames = str_return

if allowAlias, ok := sshMap["allow_email_alias"].(bool); ok {
allowEmailAlias = &allowAlias
}

}
}

return &cloudflare.AccessInfrastructureConnectionRules{
SSH: &cloudflare.AccessInfrastructureConnectionRulesSSH{
Usernames: usernames,
Usernames: usernames,
AllowEmailAlias: allowEmailAlias,
},
}, nil
}
@@ -91,14 +98,15 @@ func apiAccessPolicyConnectionRulesToSchema(connectionRules *cloudflare.AccessIn
}

var connectionRulesSchema []interface{}
var usernameList []map[string]interface{}
var sshArgList []map[string]interface{}

usernameMap := map[string]interface{}{
"usernames": connectionRules.SSH.Usernames,
sshArgMap := map[string]interface{}{
"usernames": connectionRules.SSH.Usernames,
"allow_email_alias": connectionRules.SSH.AllowEmailAlias,
}
usernameList = append(usernameList, usernameMap)
sshArgList = append(sshArgList, sshArgMap)
connectionRulesSchema = append(connectionRulesSchema, map[string]interface{}{
"ssh": usernameList,
"ssh": sshArgList,
})

return connectionRulesSchema
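Review bot: In `apiAccessPolicyConnectionRulesToSchema`, `connectionRules.SSH.AllowEmailAlias` is placed in the schema map as-is, and the write path in this same file assigns a `*bool` to that field, so the map can carry a pointer (nil when the API omits the flag) where the schema declares `TypeBool`. Whether the SDK flattens that cleanly is not visible from this page; dereferencing explicitly keeps state a plain bool and makes the absent case read as `false`: `allowAlias := connectionRules.SSH.AllowEmailAlias != nil && *connectionRules.SSH.AllowEmailAlias`, then `"allow_email_alias": allowAlias,`. Because this flag widens which Unix accounts a policy admits, the value read back into state should be unambiguous so that drift on it shows up in a plan. The function begins above the hunk and continues past it.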
@@ -991,6 +991,7 @@ func TestAccCloudflareAccessPolicy_ConnectionRules(t *testing.T) {
resource.TestCheckResourceAttr(name, "name", rnd),
resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.usernames.0", "tfgo-acc-test"),
resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.allow_email_alias", "true"),
resource.TestCheckResourceAttr(name, "include.0.email.0", "devuser@cloudflare.com"),
),
},
@@ -1024,6 +1025,7 @@ func testAccessPolicyConnectionRulesConfig(resourceID, zone, accountID string) s
connection_rules {
ssh {
usernames = ["tfgo-acc-test"]
allow_email_alias = true
}
}
include {
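Review bot: The acceptance test only ever sets `allow_email_alias = true` and asserts `"true"`, so the path where the attribute is omitted, which configurations written before this change will take, is not covered. For a flag that widens SSH access, the case worth pinning is that leaving it out yields `false` in state and no diff on a second plan. A further step or config without the attribute, checked with `resource.TestCheckResourceAttr(name, "connection_rules.0.ssh.0.allow_email_alias", "false")`, would cover that. Both hunks are partial: the test function and the config helper start above and end below the lines shown.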
5 changes: 5 additions & 0 deletions internal/sdkv2provider/schema_cloudflare_access_policy.go
@@ -125,6 +125,11 @@ func resourceCloudflareAccessPolicySchema() map[string]*schema.Schema {
Type: schema.TypeString,
},
},
"allow_email_alias": {
Type: schema.TypeBool,
Optional: true,
Description: "Allows connecting to Unix username that matches the authenticating email prefix.",
},
},
},
},
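Review bot: `allow_email_alias` is declared `Optional: true` here, but the two docs pages changed in this commit list it under the `Required:` heading, so the docs and the schema disagree. The description also leaves out what an operator needs to know before turning it on: what counts as the "email prefix", whether the alias is allowed in addition to `usernames`, and what happens when the attribute is unset. Once those semantics are confirmed I would extend it along the lines of `Description: "Allows connecting as the Unix username that matches the prefix of the authenticating user's email, in addition to the listed usernames. Defaults to false."` and regenerate the docs from the schema. The enclosing schema function starts above the hunk and continues past it.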