@pulumi/cloudflare 5.49.0-alpha.1737523920 → 5.49.0

package/apiShieldOperation.d.ts

@@ -1,6 +1,6 @@
 import * as pulumi from "@pulumi/pulumi";
 /**
- * Provides a resource to manage an operation in API Shield Endpoint Management.
+ * Api shield operation
  *
  * ## Example Usage
  *
@@ -33,19 +33,19 @@ export declare class ApiShieldOperation extends pulumi.CustomResource {
      */
     static isInstance(obj: any): obj is ApiShieldOperation;
     /**
-     * The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with `{varN}`, starting with `{var1}`. This will then be [Cloudflare-normalized](https://developers.cloudflare.com/rules/normalization/how-it-works/). **Modifying this attribute will force creation of a new resource.**
+     * The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with `{varN}`, starting with `{var1}`. This will then be [Cloudflare-normalized](https://developers.cloudflare.com/rules/normalization/how-it-works/)
      */
     readonly endpoint: pulumi.Output<string>;
     /**
-     * RFC3986-compliant host. **Modifying this attribute will force creation of a new resource.**
+     * RFC3986-compliant host
      */
     readonly host: pulumi.Output<string>;
     /**
-     * The HTTP method used to access the endpoint. **Modifying this attribute will force creation of a new resource.**
+     * The HTTP method used to access the endpoint
      */
     readonly method: pulumi.Output<string>;
     /**
-     * The zone identifier to target for the resource. **Modifying this attribute will force creation of a new resource.**
+     * The zone identifier to target for the resource.
      */
     readonly zoneId: pulumi.Output<string>;
     /**
@@ -62,19 +62,19 @@ export declare class ApiShieldOperation extends pulumi.CustomResource {
  */
 export interface ApiShieldOperationState {
     /**
-     * The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with `{varN}`, starting with `{var1}`. This will then be [Cloudflare-normalized](https://developers.cloudflare.com/rules/normalization/how-it-works/). **Modifying this attribute will force creation of a new resource.**
+     * The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with `{varN}`, starting with `{var1}`. This will then be [Cloudflare-normalized](https://developers.cloudflare.com/rules/normalization/how-it-works/)
      */
     endpoint?: pulumi.Input<string>;
     /**
-     * RFC3986-compliant host. **Modifying this attribute will force creation of a new resource.**
+     * RFC3986-compliant host
      */
     host?: pulumi.Input<string>;
     /**
-     * The HTTP method used to access the endpoint. **Modifying this attribute will force creation of a new resource.**
+     * The HTTP method used to access the endpoint
      */
     method?: pulumi.Input<string>;
     /**
-     * The zone identifier to target for the resource. **Modifying this attribute will force creation of a new resource.**
+     * The zone identifier to target for the resource.
      */
     zoneId?: pulumi.Input<string>;
 }
@@ -83,19 +83,19 @@ export interface ApiShieldOperationState {
  */
 export interface ApiShieldOperationArgs {
     /**
-     * The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with `{varN}`, starting with `{var1}`. This will then be [Cloudflare-normalized](https://developers.cloudflare.com/rules/normalization/how-it-works/). **Modifying this attribute will force creation of a new resource.**
+     * The endpoint which can contain path parameter templates in curly braces, each will be replaced from left to right with `{varN}`, starting with `{var1}`. This will then be [Cloudflare-normalized](https://developers.cloudflare.com/rules/normalization/how-it-works/)
      */
     endpoint: pulumi.Input<string>;
     /**
-     * RFC3986-compliant host. **Modifying this attribute will force creation of a new resource.**
+     * RFC3986-compliant host
      */
     host: pulumi.Input<string>;
     /**
-     * The HTTP method used to access the endpoint. **Modifying this attribute will force creation of a new resource.**
+     * The HTTP method used to access the endpoint
      */
     method: pulumi.Input<string>;
     /**
-     * The zone identifier to target for the resource. **Modifying this attribute will force creation of a new resource.**
+     * The zone identifier to target for the resource.
      */
     zoneId: pulumi.Input<string>;
 }

package/apiShieldOperation.js

@@ -6,7 +6,7 @@ exports.ApiShieldOperation = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("./utilities");
 /**
- * Provides a resource to manage an operation in API Shield Endpoint Management.
+ * Api shield operation
  *
  * ## Example Usage
  *

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@pulumi/cloudflare",
-    "version": "5.49.0-alpha.1737523920",
+    "version": "5.49.0",
     "description": "A Pulumi package for creating and managing Cloudflare cloud resources.",
     "keywords": [
         "pulumi",
@@ -23,6 +23,6 @@
     "pulumi": {
         "resource": true,
         "name": "cloudflare",
-        "version": "5.49.0-alpha.1737523920"
+        "version": "5.49.0"
     }
 }

package/ruleset.d.ts

@@ -55,7 +55,7 @@ export declare class Ruleset extends pulumi.CustomResource {
      */
     readonly name: pulumi.Output<string>;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     readonly phase: pulumi.Output<string>;
     /**
@@ -96,7 +96,7 @@ export interface RulesetState {
      */
     name?: pulumi.Input<string>;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phase?: pulumi.Input<string>;
     /**
@@ -129,7 +129,7 @@ export interface RulesetArgs {
      */
     name: pulumi.Input<string>;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phase: pulumi.Input<string>;
     /**

package/types/input.d.ts

@@ -35,14 +35,34 @@ export interface AccessApplicationCorsHeader {
     maxAge?: pulumi.Input<number>;
 }
 export interface AccessApplicationDestination {
+    /**
+     * The private CIDR of the destination. Only valid when type=private. IPs are computed as /32 cidr. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    cidr?: pulumi.Input<string>;
+    /**
+     * The private hostname of the destination. Only valid when type=private. Private hostnames currently match only Server Name Indications (SNI). Private destinations are an early access feature and gated behind a feature flag.
+     */
+    hostname?: pulumi.Input<string>;
+    /**
+     * The l4 protocol that matches this destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    l4Protocol?: pulumi.Input<string>;
+    /**
+     * The port range of the destination. Only valid when type=private. Single ports are supported. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    portRange?: pulumi.Input<string>;
     /**
      * The destination type. Available values: `public`, `private`. Defaults to `public`.
      */
     type?: pulumi.Input<string>;
     /**
-     * The URI of the destination. Public destinations can include a domain and path with wildcards. Private destinations are an early access feature and gated behind a feature flag. Private destinations support private IPv4, IPv6, and Server Name Indications (SNI) with optional port ranges.
+     * The public URI of the destination. Can include a domain and path with wildcards. Only valid when type=public.
      */
-    uri: pulumi.Input<string>;
+    uri?: pulumi.Input<string>;
+    /**
+     * The VNet ID of the destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    vnetId?: pulumi.Input<string>;
 }
 export interface AccessApplicationFooterLink {
     /**
@@ -2321,7 +2341,7 @@ export interface GetRulesetsFilter {
      */
     name?: string;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phase?: string;
     /**
@@ -2343,7 +2363,7 @@ export interface GetRulesetsFilterArgs {
      */
     name?: pulumi.Input<string>;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phase?: pulumi.Input<string>;
     /**
@@ -3998,7 +4018,7 @@ export interface RulesetRuleActionParameters {
      */
     overrides?: pulumi.Input<inputs.RulesetRuleActionParametersOverrides>;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phases?: pulumi.Input<pulumi.Input<string>[]>;
     /**
@@ -4883,6 +4903,10 @@ export interface TeamsRuleRuleSettings {
      * Configure DLP Payload Logging settings for this rule.
      */
     payloadLog?: pulumi.Input<inputs.TeamsRuleRuleSettingsPayloadLog>;
+    /**
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     */
+    resolveDnsInternally?: pulumi.Input<inputs.TeamsRuleRuleSettingsResolveDnsInternally>;
     /**
      * Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dnsResolvers` are specified.
      */
@@ -5024,6 +5048,16 @@ export interface TeamsRuleRuleSettingsPayloadLog {
      */
     enabled: pulumi.Input<boolean>;
 }
+export interface TeamsRuleRuleSettingsResolveDnsInternally {
+    /**
+     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     */
+    fallback?: pulumi.Input<string>;
+    /**
+     * The internal DNS view identifier that's passed to the internal DNS service.
+     */
+    viewId?: pulumi.Input<string>;
+}
 export interface TeamsRuleRuleSettingsUntrustedCert {
     /**
      * Action to be taken when the SSL certificate of upstream is invalid. Available values: `passThrough`, `block`, `error`.
@@ -5567,14 +5601,34 @@ export interface ZeroTrustAccessApplicationCorsHeader {
     maxAge?: pulumi.Input<number>;
 }
 export interface ZeroTrustAccessApplicationDestination {
+    /**
+     * The private CIDR of the destination. Only valid when type=private. IPs are computed as /32 cidr. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    cidr?: pulumi.Input<string>;
+    /**
+     * The private hostname of the destination. Only valid when type=private. Private hostnames currently match only Server Name Indications (SNI). Private destinations are an early access feature and gated behind a feature flag.
+     */
+    hostname?: pulumi.Input<string>;
+    /**
+     * The l4 protocol that matches this destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    l4Protocol?: pulumi.Input<string>;
+    /**
+     * The port range of the destination. Only valid when type=private. Single ports are supported. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    portRange?: pulumi.Input<string>;
     /**
      * The destination type. Available values: `public`, `private`. Defaults to `public`.
      */
     type?: pulumi.Input<string>;
     /**
-     * The URI of the destination. Public destinations can include a domain and path with wildcards. Private destinations are an early access feature and gated behind a feature flag. Private destinations support private IPv4, IPv6, and Server Name Indications (SNI) with optional port ranges.
+     * The public URI of the destination. Can include a domain and path with wildcards. Only valid when type=public.
      */
-    uri: pulumi.Input<string>;
+    uri?: pulumi.Input<string>;
+    /**
+     * The VNet ID of the destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    vnetId?: pulumi.Input<string>;
 }
 export interface ZeroTrustAccessApplicationFooterLink {
     /**
@@ -7466,6 +7520,10 @@ export interface ZeroTrustGatewayPolicyRuleSettings {
      * Configure DLP Payload Logging settings for this rule.
      */
     payloadLog?: pulumi.Input<inputs.ZeroTrustGatewayPolicyRuleSettingsPayloadLog>;
+    /**
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     */
+    resolveDnsInternally?: pulumi.Input<inputs.ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally>;
     /**
      * Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dnsResolvers` are specified.
      */
@@ -7607,6 +7665,16 @@ export interface ZeroTrustGatewayPolicyRuleSettingsPayloadLog {
      */
     enabled: pulumi.Input<boolean>;
 }
+export interface ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally {
+    /**
+     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     */
+    fallback?: pulumi.Input<string>;
+    /**
+     * The internal DNS view identifier that's passed to the internal DNS service.
+     */
+    viewId?: pulumi.Input<string>;
+}
 export interface ZeroTrustGatewayPolicyRuleSettingsUntrustedCert {
     /**
      * Action to be taken when the SSL certificate of upstream is invalid. Available values: `passThrough`, `block`, `error`.

package/types/output.d.ts

@@ -34,14 +34,34 @@ export interface AccessApplicationCorsHeader {
     maxAge?: number;
 }
 export interface AccessApplicationDestination {
+    /**
+     * The private CIDR of the destination. Only valid when type=private. IPs are computed as /32 cidr. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    cidr: string;
+    /**
+     * The private hostname of the destination. Only valid when type=private. Private hostnames currently match only Server Name Indications (SNI). Private destinations are an early access feature and gated behind a feature flag.
+     */
+    hostname?: string;
+    /**
+     * The l4 protocol that matches this destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    l4Protocol?: string;
+    /**
+     * The port range of the destination. Only valid when type=private. Single ports are supported. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    portRange: string;
     /**
      * The destination type. Available values: `public`, `private`. Defaults to `public`.
      */
     type?: string;
     /**
-     * The URI of the destination. Public destinations can include a domain and path with wildcards. Private destinations are an early access feature and gated behind a feature flag. Private destinations support private IPv4, IPv6, and Server Name Indications (SNI) with optional port ranges.
+     * The public URI of the destination. Can include a domain and path with wildcards. Only valid when type=public.
      */
-    uri: string;
+    uri?: string;
+    /**
+     * The VNet ID of the destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    vnetId?: string;
 }
 export interface AccessApplicationFooterLink {
     /**
@@ -2498,7 +2518,7 @@ export interface GetRulesetsFilter {
      */
     name?: string;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phase?: string;
     /**
@@ -2524,7 +2544,7 @@ export interface GetRulesetsRuleset {
      */
     name: string;
     /**
-     * Point in the request/response lifecycle where the ruleset executes. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`
+     * Point in the request/response lifecycle where the ruleset executes. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`
      */
     phase: string;
     /**
@@ -2705,7 +2725,7 @@ export interface GetRulesetsRulesetRuleActionParameters {
      */
     overrides?: outputs.GetRulesetsRulesetRuleActionParametersOverrides;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`
      */
     phases?: string[];
     /**
@@ -4907,7 +4927,7 @@ export interface RulesetRuleActionParameters {
      */
     overrides?: outputs.RulesetRuleActionParametersOverrides;
     /**
-     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestSbfm`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
+     * Point in the request/response lifecycle where the ruleset will be created. Available values: `ddosL4`, `ddosL7`, `httpConfigSettings`, `httpCustomErrors`, `httpLogCustomFields`, `httpRatelimit`, `httpRequestCacheSettings`, `httpRequestDynamicRedirect`, `httpRequestFirewallCustom`, `httpRequestFirewallManaged`, `httpRequestLateTransform`, `httpRequestOrigin`, `httpRequestRedirect`, `httpRequestSanitize`, `httpRequestTransform`, `httpResponseCompression`, `httpResponseFirewallManaged`, `httpResponseHeadersTransform`, `magicTransit`.
      */
     phases?: string[];
     /**
@@ -5792,6 +5812,10 @@ export interface TeamsRuleRuleSettings {
      * Configure DLP Payload Logging settings for this rule.
      */
     payloadLog?: outputs.TeamsRuleRuleSettingsPayloadLog;
+    /**
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     */
+    resolveDnsInternally?: outputs.TeamsRuleRuleSettingsResolveDnsInternally;
     /**
      * Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dnsResolvers` are specified.
      */
@@ -5933,6 +5957,16 @@ export interface TeamsRuleRuleSettingsPayloadLog {
      */
     enabled: boolean;
 }
+export interface TeamsRuleRuleSettingsResolveDnsInternally {
+    /**
+     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     */
+    fallback?: string;
+    /**
+     * The internal DNS view identifier that's passed to the internal DNS service.
+     */
+    viewId?: string;
+}
 export interface TeamsRuleRuleSettingsUntrustedCert {
     /**
      * Action to be taken when the SSL certificate of upstream is invalid. Available values: `passThrough`, `block`, `error`.
@@ -6476,14 +6510,34 @@ export interface ZeroTrustAccessApplicationCorsHeader {
     maxAge?: number;
 }
 export interface ZeroTrustAccessApplicationDestination {
+    /**
+     * The private CIDR of the destination. Only valid when type=private. IPs are computed as /32 cidr. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    cidr: string;
+    /**
+     * The private hostname of the destination. Only valid when type=private. Private hostnames currently match only Server Name Indications (SNI). Private destinations are an early access feature and gated behind a feature flag.
+     */
+    hostname?: string;
+    /**
+     * The l4 protocol that matches this destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    l4Protocol?: string;
+    /**
+     * The port range of the destination. Only valid when type=private. Single ports are supported. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    portRange: string;
     /**
      * The destination type. Available values: `public`, `private`. Defaults to `public`.
      */
     type?: string;
     /**
-     * The URI of the destination. Public destinations can include a domain and path with wildcards. Private destinations are an early access feature and gated behind a feature flag. Private destinations support private IPv4, IPv6, and Server Name Indications (SNI) with optional port ranges.
+     * The public URI of the destination. Can include a domain and path with wildcards. Only valid when type=public.
      */
-    uri: string;
+    uri?: string;
+    /**
+     * The VNet ID of the destination. Only valid when type=private. Private destinations are an early access feature and gated behind a feature flag.
+     */
+    vnetId?: string;
 }
 export interface ZeroTrustAccessApplicationFooterLink {
     /**
@@ -8375,6 +8429,10 @@ export interface ZeroTrustGatewayPolicyRuleSettings {
      * Configure DLP Payload Logging settings for this rule.
      */
     payloadLog?: outputs.ZeroTrustGatewayPolicyRuleSettingsPayloadLog;
+    /**
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     */
+    resolveDnsInternally?: outputs.ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally;
     /**
      * Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dnsResolvers` are specified.
      */
@@ -8516,6 +8574,16 @@ export interface ZeroTrustGatewayPolicyRuleSettingsPayloadLog {
      */
     enabled: boolean;
 }
+export interface ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally {
+    /**
+     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     */
+    fallback?: string;
+    /**
+     * The internal DNS view identifier that's passed to the internal DNS service.
+     */
+    viewId?: string;
+}
 export interface ZeroTrustGatewayPolicyRuleSettingsUntrustedCert {
     /**
      * Action to be taken when the SSL certificate of upstream is invalid. Available values: `passThrough`, `block`, `error`.