GFI-564: support gw rules internal dns settings

sebassimoes · sebassimoes · commit c017fa4c3eac · 2025-01-21T10:45:39.000Z
This commit adds support to configure internal dns settings on gateway
resolver rules.
diff --git a/.changelog/4918.txt b/.changelog/4918.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_zero_trust_gateway_policy: allow configuring resolver rules with internal DNS
+```
diff --git a/internal/sdkv2provider/resource_cloudflare_teams_rules.go b/internal/sdkv2provider/resource_cloudflare_teams_rules.go
@@ -257,6 +257,10 @@ func flattenTeamsRuleSettings(settings *cloudflare.TeamsRuleSettings) []interfac
 		result["dns_resolvers"] = flattenTeamsDnsResolverSettings(settings.DnsResolverSettings)
 	}
 
+	if settings.ResolveDnsInternallySettings != nil {
+		result["resolve_dns_internally"] = flattenTeamsResolveDnsInternallySettings(settings.ResolveDnsInternallySettings)
+	}
+
 	return []interface{}{result}
 }
 
@@ -287,6 +291,7 @@ func inflateTeamsRuleSettings(settings interface{}) *cloudflare.TeamsRuleSetting
 	untrustedCertSettings := inflateTeamsUntrustedCertSettings(settingsMap["untrusted_cert"].([]interface{}))
 	notificationSettings := inflateTeamsNotificationSettings(settingsMap["notification_settings"])
 	dnsResolverSettings := inflateTeamsDnsResolverSettings(settingsMap["dns_resolvers"].([]interface{}))
+	internalDnsSettings := inflateTeamsResolveDnsInternallySettings(settingsMap["resolve_dns_internally"].([]interface{}))
 
 	ignoreCNAMECategoryMatches := readOptionalBooleanSettings(settingsMap, "ignore_cname_category_matches")
 	allowChildBypass := readOptionalBooleanSettings(settingsMap, "allow_child_bypass")
@@ -314,6 +319,7 @@ func inflateTeamsRuleSettings(settings interface{}) *cloudflare.TeamsRuleSetting
 		IgnoreCNAMECategoryMatches:      &ignoreCNAMECategoryMatches,
 		IPCategories:                    ipCategories,
 		AuditSSH:                        auditSSHSettings,
+		ResolveDnsInternallySettings:    internalDnsSettings,
 	}
 
 	// set optional settings if present, so api won't complain
@@ -609,6 +615,40 @@ func inflateTeamsDnsResolverAddressesV6(settings []interface{}) []cloudflare.Tea
 	return ret
 }
 
+func flattenTeamsResolveDnsInternallySettings(settings *cloudflare.TeamsResolveDnsInternallySettings) []interface{} {
+	if settings == nil {
+		return nil
+	}
+
+	var fallback cloudflare.TeamsResolveDnsInternallyFallbackStrategy
+	if settings.Fallback != "" {
+		fallback = settings.Fallback
+	} else {
+		fallback = cloudflare.None
+	}
+
+	return []interface{}{map[string]interface{}{
+		"view_id":  settings.ViewID,
+		"fallback": string(fallback),
+	}}
+}
+
+func inflateTeamsResolveDnsInternallySettings(settings interface{}) *cloudflare.TeamsResolveDnsInternallySettings {
+	settingsList := settings.([]interface{})
+	if len(settingsList) != 1 {
+		return nil
+	}
+
+	settingsMap := settingsList[0].(map[string]interface{})
+	viewId := settingsMap["view_id"].(string)
+	fallback := cloudflare.TeamsResolveDnsInternallyFallbackStrategy(settingsMap["fallback"].(string))
+
+	return &cloudflare.TeamsResolveDnsInternallySettings{
+		ViewID:   viewId,
+		Fallback: fallback,
+	}
+}
+
 func inflateTeamsDlpPayloadLogSettings(settings interface{}) *cloudflare.TeamsDlpPayloadLogSettings {
 	settingsList := settings.([]interface{})
 	if len(settingsList) != 1 {
diff --git a/internal/sdkv2provider/schema_cloudflare_teams_rules.go b/internal/sdkv2provider/schema_cloudflare_teams_rules.go
@@ -224,6 +224,15 @@ var teamsRuleSettings = map[string]*schema.Schema{
 		},
 		Description: "Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when resolve_dns_through_cloudflare is set. DNS queries will route to the address closest to their origin.",
 	},
+	"resolve_dns_internally": {
+		Type:     schema.TypeList,
+		MaxItems: 1,
+		Optional: true,
+		Elem: &schema.Resource{
+			Schema: teamsResolveDnsInternallySettings,
+		},
+		Description: "Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Cannot be set when 'dns_resolvers' are specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'.",
+	},
 }
 
 var payloadLogSettings = map[string]*schema.Schema{
@@ -390,3 +399,16 @@ var teamsDnsResolverAddress = map[string]*schema.Schema{
 		Description: "Whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.",
 	},
 }
+
+var teamsResolveDnsInternallySettings = map[string]*schema.Schema{
+	"view_id": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "The internal DNS view identifier that's passed to the internal DNS service.",
+	},
+	"fallback": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.",
+	},
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	`+resource/cloudflare_zero_trust_gateway_policy: allow configuring resolver rules with internal DNS`
	`3`	+```