GFI-618: support biso control v2 settings

With this commit, it becomes possible to configure gateway isolate
policies with the new version of BISO admin control settings.

Author: sebassimoes

.changelog/4962.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_zero_trust_gateway_policy: allow configuring isolate rules with BISO admin control V2 settings
+```

go.mod

@@ -4,7 +4,7 @@ go 1.23.3
 
 require (
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/cloudflare/cloudflare-go v0.114.0
+	github.com/cloudflare/cloudflare-go v0.115.0
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -68,7 +68,7 @@ require (
 	github.com/aws/smithy-go v1.21.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect

go.sum

@@ -53,6 +53,8 @@ github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vc
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cloudflare/cloudflare-go v0.114.0 h1:ucoti4/7Exo0XQ+rzpn1H+IfVVe++zgiM+tyKtf0HUA=
 github.com/cloudflare/cloudflare-go v0.114.0/go.mod h1:O7fYfFfA6wKqKFn2QIR9lhj7FDw6VQCGOY6hd2TBtd0=
+github.com/cloudflare/cloudflare-go v0.115.0 h1:84/dxeeXweCc0PN5Cto44iTA8AkG1fyT11yPO5ZB7sM=
+github.com/cloudflare/cloudflare-go v0.115.0/go.mod h1:Ds6urDwn/TF2uIU24mu7H91xkKP8gSAHxQ44DSZgVmU=
 github.com/cloudflare/cloudflare-go/v2 v2.4.0 h1:gys/26GoVDklgfq8NYV39WgvOEwzK/XAqYObmnI6iFg=
 github.com/cloudflare/cloudflare-go/v2 v2.4.0/go.mod h1:AoIzb05z/rvdJLztPct4tSa+3IqXJJ6c+pbUFMOlTr8=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -80,6 +82,8 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
 github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

internal/sdkv2provider/resource_cloudflare_teams_rules.go

@@ -344,6 +344,13 @@ func flattenTeamsRuleBisoAdminControls(settings *cloudflare.TeamsBISOAdminContro
 		"disable_upload":                settings.DisableUpload,
 		"disable_keyboard":              settings.DisableKeyboard,
 		"disable_clipboard_redirection": settings.DisableClipboardRedirection,
+		"version":                       settings.Version,
+		"copy":                          settings.Copy,
+		"download":                      settings.Download,
+		"keyboard":                      settings.Keyboard,
+		"paste":                         settings.Paste,
+		"printing":                      settings.Printing,
+		"upload":                        settings.Upload,
 	}}
 }
 
@@ -370,13 +377,27 @@ func inflateTeamsRuleBisoAdminControls(settings interface{}) *cloudflare.TeamsBI
 	disableUpload := settingsMap["disable_upload"].(bool)
 	disableKeyboard := settingsMap["disable_keyboard"].(bool)
 	disableClipboardRedirection := settingsMap["disable_clipboard_redirection"].(bool)
+	version := settingsMap["version"].(string)
+	copy := settingsMap["copy"].(string)
+	download := settingsMap["download"].(string)
+	keyboard := settingsMap["keyboard"].(string)
+	paste := settingsMap["paste"].(string)
+	printing := settingsMap["printing"].(string)
+	upload := settingsMap["upload"].(string)
 	return &cloudflare.TeamsBISOAdminControlSettings{
 		DisablePrinting:             disablePrinting,
 		DisableCopyPaste:            disableCopyPaste,
 		DisableDownload:             disableDownload,
 		DisableUpload:               disableUpload,
 		DisableKeyboard:             disableKeyboard,
 		DisableClipboardRedirection: disableClipboardRedirection,
+		Version:                     cloudflare.TeamsBISOAdminControlSettingsVersion(version),
+		Copy:                        cloudflare.TeamsTeamsBISOAdminControlSettingsValue(copy),
+		Download:                    cloudflare.TeamsTeamsBISOAdminControlSettingsValue(download),
+		Keyboard:                    cloudflare.TeamsTeamsBISOAdminControlSettingsValue(keyboard),
+		Paste:                       cloudflare.TeamsTeamsBISOAdminControlSettingsValue(paste),
+		Printing:                    cloudflare.TeamsTeamsBISOAdminControlSettingsValue(printing),
+		Upload:                      cloudflare.TeamsTeamsBISOAdminControlSettingsValue(upload),
 	}
 }
 

internal/sdkv2provider/resource_cloudflare_teams_rules_test.go

@@ -348,3 +348,70 @@ resource "cloudflare_zero_trust_gateway_policy" "%[1]s" {
 }
 `, rnd, accountID)
 }
+
+func TestAccCloudflareTeamsRule_WithBisoV2(t *testing.T) {
+	// Temporarily unset CLOUDFLARE_API_TOKEN if it is set as the Access
+	// service does not yet support the API tokens and it results in
+	// misleading state error messages.
+	if os.Getenv("CLOUDFLARE_API_TOKEN") != "" {
+		t.Setenv("CLOUDFLARE_API_TOKEN", "")
+	}
+
+	rnd := generateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_zero_trust_gateway_policy.%s", rnd)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testAccCheckCloudflareTeamsRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareTeamsRuleConfigWithBisoV2(rnd, accountID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "description", "desc"),
+					resource.TestCheckResourceAttr(name, "precedence", "12302"),
+					resource.TestCheckResourceAttr(name, "action", "isolate"),
+					resource.TestCheckResourceAttr(name, "filters.0", "http"),
+					resource.TestCheckResourceAttr(name, "traffic", "http.conn.src_ip == 1.2.3.4"),
+					resource.TestCheckResourceAttr(name, "rule_settings.#", "1"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.version", "v2"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.printing", "enabled"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.copy", "remote_only"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.paste", "remote_only"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.download", "disabled"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.upload", "enabled"),
+					resource.TestCheckResourceAttr(name, "rule_settings.0.biso_admin_controls.0.keyboard", "disabled"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCloudflareTeamsRuleConfigWithBisoV2(rnd, accountID string) string {
+	return fmt.Sprintf(`
+resource "cloudflare_zero_trust_gateway_policy" "%[1]s" {
+  name = "%[1]s"
+  account_id = "%[2]s"
+  description = "desc"
+  precedence = 12302
+  action = "isolate"
+  filters = ["http"]
+  traffic = "http.conn.src_ip == 1.2.3.4"
+  rule_settings {
+    biso_admin_controls {
+	  version = "v2"
+      printing = "enabled"
+      copy = "remote_only"
+	  paste = "remote_only"
+      download = "disabled"
+      upload = "enabled"
+      keyboard = "disabled"
+    }
+  }
+}
+`, rnd, accountID)
+}

internal/sdkv2provider/schema_cloudflare_teams_rules.go

@@ -310,35 +310,71 @@ var teamsAuditSSHSettings = map[string]*schema.Schema{
 }
 
 var teamsBisoAdminControls = map[string]*schema.Schema{
+	"version": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Default:     "v1",
+		Description: "Indicates which version (v1 or v2) of the browser isolation controls should apply.",
+	},
 	"disable_printing": {
 		Type:        schema.TypeBool,
 		Optional:    true,
-		Description: "Disable printing.",
+		Description: "Disable printing. Only applies when version == v1.",
 	},
 	"disable_copy_paste": {
 		Type:        schema.TypeBool,
 		Optional:    true,
-		Description: "Disable copy-paste.",
+		Description: "Disable copy-paste. Only applies when version == v1.",
 	},
 	"disable_download": {
 		Type:        schema.TypeBool,
 		Optional:    true,
-		Description: "Disable download.",
+		Description: "Disable download. Only applies when version == v1.",
 	},
 	"disable_keyboard": {
 		Type:        schema.TypeBool,
 		Optional:    true,
-		Description: "Disable keyboard usage.",
+		Description: "Disable keyboard usage. Only applies when version == v1.",
 	},
 	"disable_upload": {
 		Type:        schema.TypeBool,
 		Optional:    true,
-		Description: "Disable upload.",
+		Description: "Disable upload. Only applies when version == v1.",
 	},
 	"disable_clipboard_redirection": {
 		Type:        schema.TypeBool,
 		Optional:    true,
-		Description: "Disable clipboard redirection.",
+		Description: "Disable clipboard redirection. Only applies when version == v1.",
+	},
+	"copy": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Configure whether copy is enabled or not. When set with 'remote_only', copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when version == v2.",
+	},
+	"download": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Configure whether downloading enabled or not. When absent, downloading is enabled. Only applies when version == v2.",
+	},
+	"keyboard": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when version == v2.",
+	},
+	"paste": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Configure whether pasting is enabled or not. When set with 'remote_only', pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when version == v2.",
+	},
+	"printing": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when version == v2.",
+	},
+	"upload": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when version == v2.",
 	},
 }