Merge pull request #4918 from sebassimoes/sebastiao/GFI-564

.changelog/4918.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_zero_trust_gateway_policy: allow configuring resolver rules with internal DNS
+```

docs/resources/teams_rule.md

@@ -74,6 +74,7 @@ Optional:
 - `override_host` (String) The host to override matching DNS queries with.
 - `override_ips` (List of String) The IPs to override matching DNS queries with.
 - `payload_log` (Block List, Max: 1) Configure DLP Payload Logging settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--payload_log))
+- `resolve_dns_internally` (Block List, Max: 1) Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Cannot be set when 'dns_resolvers' are specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. (see [below for nested schema](#nestedblock--rule_settings--resolve_dns_internally))
 - `resolve_dns_through_cloudflare` (Boolean) Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` are specified.
 - `untrusted_cert` (Block List, Max: 1) Configure untrusted certificate settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--untrusted_cert))
 
@@ -184,6 +185,15 @@ Required:
 - `enabled` (Boolean) Enable or disable DLP Payload Logging for this rule.
 
 
+<a id="nestedblock--rule_settings--resolve_dns_internally"></a>
+### Nested Schema for `rule_settings.resolve_dns_internally`
+
+Optional:
+
+- `fallback` (String) The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+- `view_id` (String) The internal DNS view identifier that's passed to the internal DNS service.
+
+
 <a id="nestedblock--rule_settings--untrusted_cert"></a>
 ### Nested Schema for `rule_settings.untrusted_cert`
 

docs/resources/zero_trust_gateway_policy.md

@@ -74,6 +74,7 @@ Optional:
 - `override_host` (String) The host to override matching DNS queries with.
 - `override_ips` (List of String) The IPs to override matching DNS queries with.
 - `payload_log` (Block List, Max: 1) Configure DLP Payload Logging settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--payload_log))
+- `resolve_dns_internally` (Block List, Max: 1) Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Cannot be set when 'dns_resolvers' are specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. (see [below for nested schema](#nestedblock--rule_settings--resolve_dns_internally))
 - `resolve_dns_through_cloudflare` (Boolean) Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` are specified.
 - `untrusted_cert` (Block List, Max: 1) Configure untrusted certificate settings for this rule. (see [below for nested schema](#nestedblock--rule_settings--untrusted_cert))
 
@@ -184,6 +185,15 @@ Required:
 - `enabled` (Boolean) Enable or disable DLP Payload Logging for this rule.
 
 
+<a id="nestedblock--rule_settings--resolve_dns_internally"></a>
+### Nested Schema for `rule_settings.resolve_dns_internally`
+
+Optional:
+
+- `fallback` (String) The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+- `view_id` (String) The internal DNS view identifier that's passed to the internal DNS service.
+
+
 <a id="nestedblock--rule_settings--untrusted_cert"></a>
 ### Nested Schema for `rule_settings.untrusted_cert`
 

internal/sdkv2provider/resource_cloudflare_teams_rules.go

@@ -257,6 +257,10 @@ func flattenTeamsRuleSettings(settings *cloudflare.TeamsRuleSettings) []interfac
 		result["dns_resolvers"] = flattenTeamsDnsResolverSettings(settings.DnsResolverSettings)
 	}
 
+	if settings.ResolveDnsInternallySettings != nil {
+		result["resolve_dns_internally"] = flattenTeamsResolveDnsInternallySettings(settings.ResolveDnsInternallySettings)
+	}
+
 	return []interface{}{result}
 }
 
@@ -287,6 +291,7 @@ func inflateTeamsRuleSettings(settings interface{}) *cloudflare.TeamsRuleSetting
 	untrustedCertSettings := inflateTeamsUntrustedCertSettings(settingsMap["untrusted_cert"].([]interface{}))
 	notificationSettings := inflateTeamsNotificationSettings(settingsMap["notification_settings"])
 	dnsResolverSettings := inflateTeamsDnsResolverSettings(settingsMap["dns_resolvers"].([]interface{}))
+	internalDnsSettings := inflateTeamsResolveDnsInternallySettings(settingsMap["resolve_dns_internally"].([]interface{}))
 
 	ignoreCNAMECategoryMatches := readOptionalBooleanSettings(settingsMap, "ignore_cname_category_matches")
 	allowChildBypass := readOptionalBooleanSettings(settingsMap, "allow_child_bypass")
@@ -314,6 +319,7 @@ func inflateTeamsRuleSettings(settings interface{}) *cloudflare.TeamsRuleSetting
 		IgnoreCNAMECategoryMatches:      &ignoreCNAMECategoryMatches,
 		IPCategories:                    ipCategories,
 		AuditSSH:                        auditSSHSettings,
+		ResolveDnsInternallySettings:    internalDnsSettings,
 	}
 
 	// set optional settings if present, so api won't complain
@@ -609,6 +615,40 @@ func inflateTeamsDnsResolverAddressesV6(settings []interface{}) []cloudflare.Tea
 	return ret
 }
 
+func flattenTeamsResolveDnsInternallySettings(settings *cloudflare.TeamsResolveDnsInternallySettings) []interface{} {
+	if settings == nil {
+		return nil
+	}
+
+	var fallback cloudflare.TeamsResolveDnsInternallyFallbackStrategy
+	if settings.Fallback != "" {
+		fallback = settings.Fallback
+	} else {
+		fallback = cloudflare.None
+	}
+
+	return []interface{}{map[string]interface{}{
+		"view_id":  settings.ViewID,
+		"fallback": string(fallback),
+	}}
+}
+
+func inflateTeamsResolveDnsInternallySettings(settings interface{}) *cloudflare.TeamsResolveDnsInternallySettings {
+	settingsList := settings.([]interface{})
+	if len(settingsList) != 1 {
+		return nil
+	}
+
+	settingsMap := settingsList[0].(map[string]interface{})
+	viewId := settingsMap["view_id"].(string)
+	fallback := cloudflare.TeamsResolveDnsInternallyFallbackStrategy(settingsMap["fallback"].(string))
+
+	return &cloudflare.TeamsResolveDnsInternallySettings{
+		ViewID:   viewId,
+		Fallback: fallback,
+	}
+}
+
 func inflateTeamsDlpPayloadLogSettings(settings interface{}) *cloudflare.TeamsDlpPayloadLogSettings {
 	settingsList := settings.([]interface{})
 	if len(settingsList) != 1 {

internal/sdkv2provider/schema_cloudflare_teams_rules.go

@@ -224,6 +224,15 @@ var teamsRuleSettings = map[string]*schema.Schema{
 		},
 		Description: "Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when resolve_dns_through_cloudflare is set. DNS queries will route to the address closest to their origin.",
 	},
+	"resolve_dns_internally": {
+		Type:     schema.TypeList,
+		MaxItems: 1,
+		Optional: true,
+		Elem: &schema.Resource{
+			Schema: teamsResolveDnsInternallySettings,
+		},
+		Description: "Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Cannot be set when 'dns_resolvers' are specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'.",
+	},
 }
 
 var payloadLogSettings = map[string]*schema.Schema{
@@ -390,3 +399,16 @@ var teamsDnsResolverAddress = map[string]*schema.Schema{
 		Description: "Whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.",
 	},
 }
+
+var teamsResolveDnsInternallySettings = map[string]*schema.Schema{
+	"view_id": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "The internal DNS view identifier that's passed to the internal DNS service.",
+	},
+	"fallback": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.",
+	},
+}