cloudflare · jacobbednarz · Apr 26, 2024 · Apr 25, 2024 · Apr 26, 2024 · Apr 26, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_application: added support for options_preflight_bypass
+```
@@ -71,6 +71,7 @@ resource "cloudflare_access_application" "staging_app" {
 - `landing_page_design` (Block List, Max: 1) The landing page design of the app launcher. (see [below for nested schema](#nestedblock--landing_page_design))
 - `logo_url` (String) Image URL for the logo shown in the app launcher dashboard.
 - `name` (String) Friendly name of the Access Application.
+- `options_preflight_bypass` (Boolean) Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. Defaults to `false`.
 - `saas_app` (Block List, Max: 1) SaaS configuration for the Access Application. (see [below for nested schema](#nestedblock--saas_app))
 - `same_site_cookie_attribute` (String) Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
 - `self_hosted_domains` (Set of String) List of domains that access will secure. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`.

@@ -53,6 +53,7 @@ func resourceCloudflareAccessApplicationCreate(ctx context.Context, d *schema.Re
 		SkipInterstitial:         cloudflare.BoolPtr(d.Get("skip_interstitial").(bool)),
 		AppLauncherVisible:       cloudflare.BoolPtr(d.Get("app_launcher_visible").(bool)),
 		ServiceAuth401Redirect:   cloudflare.BoolPtr(d.Get("service_auth_401_redirect").(bool)),
+		OptionsPreflightBypass:   cloudflare.BoolPtr(d.Get("options_preflight_bypass").(bool)),
 	}
 
 	if _, ok := d.GetOk("allow_authenticate_via_warp"); ok {
@@ -181,6 +182,7 @@ func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.Reso
 	d.Set("header_bg_color", accessApplication.AccessAppLauncherCustomization.HeaderBackgroundColor)
 	d.Set("app_launcher_logo_url", accessApplication.AccessAppLauncherCustomization.LogoURL)
 	d.Set("allow_authenticate_via_warp", accessApplication.AllowAuthenticateViaWarp)
+	d.Set("options_preflight_bypass", accessApplication.OptionsPreflightBypass)
 
 	if _, ok := d.GetOk("footer_links"); ok {
 		footerLinks := convertFooterLinksStructToSchema(d, accessApplication.AccessAppLauncherCustomization.FooterLinks)
@@ -235,6 +237,7 @@ func resourceCloudflareAccessApplicationUpdate(ctx context.Context, d *schema.Re
 		SkipInterstitial:         cloudflare.BoolPtr(d.Get("skip_interstitial").(bool)),
 		AppLauncherVisible:       cloudflare.BoolPtr(d.Get("app_launcher_visible").(bool)),
 		ServiceAuth401Redirect:   cloudflare.BoolPtr(d.Get("service_auth_401_redirect").(bool)),
+		OptionsPreflightBypass:   cloudflare.BoolPtr(d.Get("options_preflight_bypass").(bool)),
 	}
 
 	if _, ok := d.GetOk("allow_authenticate_via_warp"); ok {

@@ -98,6 +98,7 @@ func TestAccCloudflareAccessApplication_BasicZone(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "saas_app.#", "0"),
 					resource.TestCheckResourceAttr(name, "auto_redirect_to_identity", "false"),
 					resource.TestCheckResourceAttr(name, "allow_authenticate_via_warp", "false"),
+					resource.TestCheckResourceAttr(name, "options_preflight_bypass", "false"),
 				),
 			},
 		},
@@ -128,6 +129,7 @@ func TestAccCloudflareAccessApplication_BasicAccount(t *testing.T) {
 					resource.TestCheckResourceAttr(name, "sass_app.#", "0"),
 					resource.TestCheckResourceAttr(name, "auto_redirect_to_identity", "false"),
 					resource.TestCheckResourceAttr(name, "allow_authenticate_via_warp", "false"),
+					resource.TestCheckResourceAttr(name, "options_preflight_bypass", "false"),
 				),
 			},
 		},

@@ -458,6 +458,12 @@ func resourceCloudflareAccessApplicationSchema() map[string]*schema.Schema {
 			Optional:    true,
 			Description: "When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.",
 		},
+		"options_preflight_bypass": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.",
+		},
 	}
 }