@pulumi/cloudflare 5.50.0-alpha.1744436206 → 6.0.0

package/zeroTrustAccessApplication.d.ts

@@ -2,20 +2,12 @@ import * as pulumi from "@pulumi/pulumi";
 import * as inputs from "./types/input";
 import * as outputs from "./types/output";
 /**
- * Provides a Cloudflare Access Application resource. Access
- * Applications are used to restrict access to a whole application using an
- * authorisation gateway managed by Cloudflare.
- *
- * > It's required that an `accountId` or `zoneId` is provided and in
- *    most cases using either is fine. However, if you're using a scoped
- *    access token, you must provide the argument that matches the token's
- *    scope. For example, an access token that is scoped to the "example.com"
- *    zone needs to use the `zoneId` argument.
+ * ## Example Usage
  *
  * ## Import
  *
  * ```sh
- * $ pulumi import cloudflare:index/zeroTrustAccessApplication:ZeroTrustAccessApplication example <account_id>/<application_id>
+ * $ pulumi import cloudflare:index/zeroTrustAccessApplication:ZeroTrustAccessApplication example '<{accounts|zones}/{account_id|zone_id}>/<app_id>'
  * ```
  */
 export declare class ZeroTrustAccessApplication extends pulumi.CustomResource {
@@ -35,155 +27,146 @@ export declare class ZeroTrustAccessApplication extends pulumi.CustomResource {
      */
     static isInstance(obj: any): obj is ZeroTrustAccessApplication;
     /**
-     * The account identifier to target for the resource. Conflicts with `zoneId`.
+     * The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
      */
-    readonly accountId: pulumi.Output<string>;
+    readonly accountId: pulumi.Output<string | undefined>;
     /**
-     * When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
+     * When set to true, users can authenticate to this application using their WARP session.  When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
      */
     readonly allowAuthenticateViaWarp: pulumi.Output<boolean | undefined>;
     /**
-     * The identity providers selected for the application.
+     * The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
      */
     readonly allowedIdps: pulumi.Output<string[] | undefined>;
     /**
-     * The logo URL of the app launcher.
+     * The image URL of the logo shown in the App Launcher header.
      */
     readonly appLauncherLogoUrl: pulumi.Output<string | undefined>;
     /**
-     * Option to show/hide applications in App Launcher. Defaults to `true`.
+     * Displays the application in the App Launcher.
      */
-    readonly appLauncherVisible: pulumi.Output<boolean | undefined>;
+    readonly appLauncherVisible: pulumi.Output<boolean>;
     /**
-     * Application Audience (AUD) Tag of the application.
+     * Audience tag.
      */
     readonly aud: pulumi.Output<string>;
     /**
-     * Option to skip identity provider selection if only one is configured in `allowedIdps`. Defaults to `false`.
+     * When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
      */
-    readonly autoRedirectToIdentity: pulumi.Output<boolean | undefined>;
+    readonly autoRedirectToIdentity: pulumi.Output<boolean>;
     /**
-     * The background color of the app launcher.
+     * The background color of the App Launcher page.
      */
     readonly bgColor: pulumi.Output<string | undefined>;
+    readonly corsHeaders: pulumi.Output<outputs.ZeroTrustAccessApplicationCorsHeaders>;
+    readonly createdAt: pulumi.Output<string>;
     /**
-     * CORS configuration for the Access Application. See below for reference structure.
-     */
-    readonly corsHeaders: pulumi.Output<outputs.ZeroTrustAccessApplicationCorsHeader[] | undefined>;
-    /**
-     * Option that returns a custom error message when a user is denied access to the application.
+     * The custom error message shown to a user when they are denied access to the application.
      */
     readonly customDenyMessage: pulumi.Output<string | undefined>;
     /**
-     * Option that redirects to a custom URL when a user is denied access to the application via identity based rules.
+     * The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
      */
     readonly customDenyUrl: pulumi.Output<string | undefined>;
     /**
-     * Option that redirects to a custom URL when a user is denied access to the application via non identity rules.
+     * The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
      */
     readonly customNonIdentityDenyUrl: pulumi.Output<string | undefined>;
     /**
-     * The custom pages selected for the application.
+     * The custom pages that will be displayed when applicable for this application
      */
     readonly customPages: pulumi.Output<string[] | undefined>;
     /**
-     * A destination secured by Access. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`. Supersedes `selfHostedDomains` to allow for more flexibility in defining different types of destinations. Conflicts with `selfHostedDomains`.
+     * List of destinations secured by Access. This supersedes `selfHostedDomains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `selfHostedDomains` will be ignored.
      */
-    readonly destinations: pulumi.Output<outputs.ZeroTrustAccessApplicationDestination[] | undefined>;
+    readonly destinations: pulumi.Output<outputs.ZeroTrustAccessApplicationDestination[]>;
     /**
-     * The primary hostname and path that Access will secure. If the app is visible in the App Launcher dashboard, this is the domain that will be displayed.
+     * The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
      */
-    readonly domain: pulumi.Output<string>;
+    readonly domain: pulumi.Output<string | undefined>;
     /**
-     * The type of the primary domain. Available values: `public`, `private`.
+     * Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
      */
-    readonly domainType: pulumi.Output<string>;
+    readonly enableBindingCookie: pulumi.Output<boolean>;
     /**
-     * Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to `false`.
+     * The links in the App Launcher footer.
      */
-    readonly enableBindingCookie: pulumi.Output<boolean | undefined>;
+    readonly footerLinks: pulumi.Output<outputs.ZeroTrustAccessApplicationFooterLink[]>;
     /**
-     * The footer links of the app launcher.
-     */
-    readonly footerLinks: pulumi.Output<outputs.ZeroTrustAccessApplicationFooterLink[] | undefined>;
-    /**
-     * The background color of the header bar in the app launcher.
+     * The background color of the App Launcher header.
      */
     readonly headerBgColor: pulumi.Output<string | undefined>;
     /**
-     * Option to add the `HttpOnly` cookie flag to access tokens.
+     * Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
      */
-    readonly httpOnlyCookieAttribute: pulumi.Output<boolean | undefined>;
+    readonly httpOnlyCookieAttribute: pulumi.Output<boolean>;
     /**
-     * The landing page design of the app launcher.
+     * The design of the App Launcher landing page shown to users when they log in.
      */
-    readonly landingPageDesign: pulumi.Output<outputs.ZeroTrustAccessApplicationLandingPageDesign | undefined>;
+    readonly landingPageDesign: pulumi.Output<outputs.ZeroTrustAccessApplicationLandingPageDesign>;
     /**
-     * Image URL for the logo shown in the app launcher dashboard.
+     * The image URL for the logo shown in the App Launcher dashboard.
      */
     readonly logoUrl: pulumi.Output<string | undefined>;
     /**
-     * Friendly name of the Access Application.
+     * The name of the application.
      */
-    readonly name: pulumi.Output<string>;
+    readonly name: pulumi.Output<string | undefined>;
     /**
-     * Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if corsHeaders is set. Defaults to `false`.
+     * Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if corsHeaders is set.
      */
     readonly optionsPreflightBypass: pulumi.Output<boolean | undefined>;
     /**
-     * The policies associated with the application, in ascending order of precedence. Warning: Do not use this field while you still have this application ID referenced as `applicationId` in any `cloudflare.AccessPolicy` resource, as it can result in an inconsistent state.
+     * Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
      */
-    readonly policies: pulumi.Output<string[] | undefined>;
+    readonly pathCookieAttribute: pulumi.Output<boolean>;
     /**
-     * SaaS configuration for the Access Application.
+     * The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      */
-    readonly saasApp: pulumi.Output<outputs.ZeroTrustAccessApplicationSaasApp | undefined>;
+    readonly policies: pulumi.Output<outputs.ZeroTrustAccessApplicationPolicy[]>;
+    readonly saasApp: pulumi.Output<outputs.ZeroTrustAccessApplicationSaasApp>;
     /**
-     * Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
+     * Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
      */
     readonly sameSiteCookieAttribute: pulumi.Output<string | undefined>;
     /**
      * Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      */
-    readonly scimConfig: pulumi.Output<outputs.ZeroTrustAccessApplicationScimConfig | undefined>;
+    readonly scimConfig: pulumi.Output<outputs.ZeroTrustAccessApplicationScimConfig>;
     /**
-     * List of public domains secured by Access. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`. Deprecated in favor of `destinations` and will be removed in the next major version. Conflicts with `destinations`.
-     *
-     * @deprecated Use `destinations` instead
+     * List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `selfHostedDomains` will be ignored.
      */
     readonly selfHostedDomains: pulumi.Output<string[] | undefined>;
     /**
-     * Option to return a 401 status code in service authentication rules on failed requests. Defaults to `false`.
+     * Returns a 401 status code when the request is blocked by a Service Auth policy.
      */
     readonly serviceAuth401Redirect: pulumi.Output<boolean | undefined>;
     /**
-     * How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. Defaults to `24h`.
+     * The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      */
-    readonly sessionDuration: pulumi.Output<string | undefined>;
+    readonly sessionDuration: pulumi.Output<string>;
     /**
-     * Option to skip the App Launcher landing page. Defaults to `false`.
+     * Determines when to skip the App Launcher landing page.
      */
-    readonly skipAppLauncherLoginPage: pulumi.Output<boolean | undefined>;
+    readonly skipAppLauncherLoginPage: pulumi.Output<boolean>;
     /**
-     * Option to skip the authorization interstitial when using the CLI. Defaults to `false`.
+     * Enables automatic authentication through cloudflared.
      */
     readonly skipInterstitial: pulumi.Output<boolean | undefined>;
     /**
-     * The itags associated with the application.
+     * The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
      */
     readonly tags: pulumi.Output<string[] | undefined>;
+    readonly targetCriterias: pulumi.Output<outputs.ZeroTrustAccessApplicationTargetCriteria[]>;
     /**
-     * The payload for an infrastructure application which defines the port, protocol, and target attributes. Only applicable to Infrastructure Applications, in which case this field is required.
-     */
-    readonly targetCriterias: pulumi.Output<outputs.ZeroTrustAccessApplicationTargetCriteria[] | undefined>;
-    /**
-     * The application type. Available values: `appLauncher`, `bookmark`, `biso`, `dashSso`, `saas`, `selfHosted`, `ssh`, `vnc`, `warp`, `infrastructure`. Defaults to `selfHosted`.
+     * The application type.
      */
     readonly type: pulumi.Output<string | undefined>;
+    readonly updatedAt: pulumi.Output<string>;
     /**
-     * The zone identifier to target for the resource. Conflicts with `accountId`.
+     * The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
      */
-    readonly zoneId: pulumi.Output<string>;
+    readonly zoneId: pulumi.Output<string | undefined>;
     /**
      * Create a ZeroTrustAccessApplication resource with the given unique name, arguments, and options.
      *
@@ -198,111 +181,106 @@ export declare class ZeroTrustAccessApplication extends pulumi.CustomResource {
  */
 export interface ZeroTrustAccessApplicationState {
     /**
-     * The account identifier to target for the resource. Conflicts with `zoneId`.
+     * The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
      */
     accountId?: pulumi.Input<string>;
     /**
-     * When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
+     * When set to true, users can authenticate to this application using their WARP session.  When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
      */
     allowAuthenticateViaWarp?: pulumi.Input<boolean>;
     /**
-     * The identity providers selected for the application.
+     * The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
      */
     allowedIdps?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The logo URL of the app launcher.
+     * The image URL of the logo shown in the App Launcher header.
      */
     appLauncherLogoUrl?: pulumi.Input<string>;
     /**
-     * Option to show/hide applications in App Launcher. Defaults to `true`.
+     * Displays the application in the App Launcher.
      */
     appLauncherVisible?: pulumi.Input<boolean>;
     /**
-     * Application Audience (AUD) Tag of the application.
+     * Audience tag.
      */
     aud?: pulumi.Input<string>;
     /**
-     * Option to skip identity provider selection if only one is configured in `allowedIdps`. Defaults to `false`.
+     * When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
      */
     autoRedirectToIdentity?: pulumi.Input<boolean>;
     /**
-     * The background color of the app launcher.
+     * The background color of the App Launcher page.
      */
     bgColor?: pulumi.Input<string>;
+    corsHeaders?: pulumi.Input<inputs.ZeroTrustAccessApplicationCorsHeaders>;
+    createdAt?: pulumi.Input<string>;
     /**
-     * CORS configuration for the Access Application. See below for reference structure.
-     */
-    corsHeaders?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationCorsHeader>[]>;
-    /**
-     * Option that returns a custom error message when a user is denied access to the application.
+     * The custom error message shown to a user when they are denied access to the application.
      */
     customDenyMessage?: pulumi.Input<string>;
     /**
-     * Option that redirects to a custom URL when a user is denied access to the application via identity based rules.
+     * The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
      */
     customDenyUrl?: pulumi.Input<string>;
     /**
-     * Option that redirects to a custom URL when a user is denied access to the application via non identity rules.
+     * The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
      */
     customNonIdentityDenyUrl?: pulumi.Input<string>;
     /**
-     * The custom pages selected for the application.
+     * The custom pages that will be displayed when applicable for this application
      */
     customPages?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * A destination secured by Access. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`. Supersedes `selfHostedDomains` to allow for more flexibility in defining different types of destinations. Conflicts with `selfHostedDomains`.
+     * List of destinations secured by Access. This supersedes `selfHostedDomains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `selfHostedDomains` will be ignored.
      */
     destinations?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationDestination>[]>;
     /**
-     * The primary hostname and path that Access will secure. If the app is visible in the App Launcher dashboard, this is the domain that will be displayed.
+     * The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
      */
     domain?: pulumi.Input<string>;
     /**
-     * The type of the primary domain. Available values: `public`, `private`.
-     */
-    domainType?: pulumi.Input<string>;
-    /**
-     * Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to `false`.
+     * Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
      */
     enableBindingCookie?: pulumi.Input<boolean>;
     /**
-     * The footer links of the app launcher.
+     * The links in the App Launcher footer.
      */
     footerLinks?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationFooterLink>[]>;
     /**
-     * The background color of the header bar in the app launcher.
+     * The background color of the App Launcher header.
      */
     headerBgColor?: pulumi.Input<string>;
     /**
-     * Option to add the `HttpOnly` cookie flag to access tokens.
+     * Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
      */
     httpOnlyCookieAttribute?: pulumi.Input<boolean>;
     /**
-     * The landing page design of the app launcher.
+     * The design of the App Launcher landing page shown to users when they log in.
      */
     landingPageDesign?: pulumi.Input<inputs.ZeroTrustAccessApplicationLandingPageDesign>;
     /**
-     * Image URL for the logo shown in the app launcher dashboard.
+     * The image URL for the logo shown in the App Launcher dashboard.
      */
     logoUrl?: pulumi.Input<string>;
     /**
-     * Friendly name of the Access Application.
+     * The name of the application.
      */
     name?: pulumi.Input<string>;
     /**
-     * Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if corsHeaders is set. Defaults to `false`.
+     * Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if corsHeaders is set.
      */
     optionsPreflightBypass?: pulumi.Input<boolean>;
     /**
-     * The policies associated with the application, in ascending order of precedence. Warning: Do not use this field while you still have this application ID referenced as `applicationId` in any `cloudflare.AccessPolicy` resource, as it can result in an inconsistent state.
+     * Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
      */
-    policies?: pulumi.Input<pulumi.Input<string>[]>;
+    pathCookieAttribute?: pulumi.Input<boolean>;
     /**
-     * SaaS configuration for the Access Application.
+     * The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      */
+    policies?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationPolicy>[]>;
     saasApp?: pulumi.Input<inputs.ZeroTrustAccessApplicationSaasApp>;
     /**
-     * Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
+     * Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
      */
     sameSiteCookieAttribute?: pulumi.Input<string>;
     /**
@@ -310,41 +288,37 @@ export interface ZeroTrustAccessApplicationState {
      */
     scimConfig?: pulumi.Input<inputs.ZeroTrustAccessApplicationScimConfig>;
     /**
-     * List of public domains secured by Access. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`. Deprecated in favor of `destinations` and will be removed in the next major version. Conflicts with `destinations`.
-     *
-     * @deprecated Use `destinations` instead
+     * List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `selfHostedDomains` will be ignored.
      */
     selfHostedDomains?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * Option to return a 401 status code in service authentication rules on failed requests. Defaults to `false`.
+     * Returns a 401 status code when the request is blocked by a Service Auth policy.
      */
     serviceAuth401Redirect?: pulumi.Input<boolean>;
     /**
-     * How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. Defaults to `24h`.
+     * The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      */
     sessionDuration?: pulumi.Input<string>;
     /**
-     * Option to skip the App Launcher landing page. Defaults to `false`.
+     * Determines when to skip the App Launcher landing page.
      */
     skipAppLauncherLoginPage?: pulumi.Input<boolean>;
     /**
-     * Option to skip the authorization interstitial when using the CLI. Defaults to `false`.
+     * Enables automatic authentication through cloudflared.
      */
     skipInterstitial?: pulumi.Input<boolean>;
     /**
-     * The itags associated with the application.
+     * The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
      */
     tags?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * The payload for an infrastructure application which defines the port, protocol, and target attributes. Only applicable to Infrastructure Applications, in which case this field is required.
-     */
     targetCriterias?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationTargetCriteria>[]>;
     /**
-     * The application type. Available values: `appLauncher`, `bookmark`, `biso`, `dashSso`, `saas`, `selfHosted`, `ssh`, `vnc`, `warp`, `infrastructure`. Defaults to `selfHosted`.
+     * The application type.
      */
     type?: pulumi.Input<string>;
+    updatedAt?: pulumi.Input<string>;
     /**
-     * The zone identifier to target for the resource. Conflicts with `accountId`.
+     * The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
      */
     zoneId?: pulumi.Input<string>;
 }
@@ -353,107 +327,101 @@ export interface ZeroTrustAccessApplicationState {
  */
 export interface ZeroTrustAccessApplicationArgs {
     /**
-     * The account identifier to target for the resource. Conflicts with `zoneId`.
+     * The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
      */
     accountId?: pulumi.Input<string>;
     /**
-     * When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
+     * When set to true, users can authenticate to this application using their WARP session.  When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
      */
     allowAuthenticateViaWarp?: pulumi.Input<boolean>;
     /**
-     * The identity providers selected for the application.
+     * The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
      */
     allowedIdps?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * The logo URL of the app launcher.
+     * The image URL of the logo shown in the App Launcher header.
      */
     appLauncherLogoUrl?: pulumi.Input<string>;
     /**
-     * Option to show/hide applications in App Launcher. Defaults to `true`.
+     * Displays the application in the App Launcher.
      */
     appLauncherVisible?: pulumi.Input<boolean>;
     /**
-     * Option to skip identity provider selection if only one is configured in `allowedIdps`. Defaults to `false`.
+     * When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
      */
     autoRedirectToIdentity?: pulumi.Input<boolean>;
     /**
-     * The background color of the app launcher.
+     * The background color of the App Launcher page.
      */
     bgColor?: pulumi.Input<string>;
+    corsHeaders?: pulumi.Input<inputs.ZeroTrustAccessApplicationCorsHeaders>;
     /**
-     * CORS configuration for the Access Application. See below for reference structure.
-     */
-    corsHeaders?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationCorsHeader>[]>;
-    /**
-     * Option that returns a custom error message when a user is denied access to the application.
+     * The custom error message shown to a user when they are denied access to the application.
      */
     customDenyMessage?: pulumi.Input<string>;
     /**
-     * Option that redirects to a custom URL when a user is denied access to the application via identity based rules.
+     * The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
      */
     customDenyUrl?: pulumi.Input<string>;
     /**
-     * Option that redirects to a custom URL when a user is denied access to the application via non identity rules.
+     * The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
      */
     customNonIdentityDenyUrl?: pulumi.Input<string>;
     /**
-     * The custom pages selected for the application.
+     * The custom pages that will be displayed when applicable for this application
      */
     customPages?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * A destination secured by Access. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`. Supersedes `selfHostedDomains` to allow for more flexibility in defining different types of destinations. Conflicts with `selfHostedDomains`.
+     * List of destinations secured by Access. This supersedes `selfHostedDomains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `selfHostedDomains` will be ignored.
      */
     destinations?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationDestination>[]>;
     /**
-     * The primary hostname and path that Access will secure. If the app is visible in the App Launcher dashboard, this is the domain that will be displayed.
+     * The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
      */
     domain?: pulumi.Input<string>;
     /**
-     * The type of the primary domain. Available values: `public`, `private`.
-     */
-    domainType?: pulumi.Input<string>;
-    /**
-     * Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to `false`.
+     * Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
      */
     enableBindingCookie?: pulumi.Input<boolean>;
     /**
-     * The footer links of the app launcher.
+     * The links in the App Launcher footer.
      */
     footerLinks?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationFooterLink>[]>;
     /**
-     * The background color of the header bar in the app launcher.
+     * The background color of the App Launcher header.
      */
     headerBgColor?: pulumi.Input<string>;
     /**
-     * Option to add the `HttpOnly` cookie flag to access tokens.
+     * Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
      */
     httpOnlyCookieAttribute?: pulumi.Input<boolean>;
     /**
-     * The landing page design of the app launcher.
+     * The design of the App Launcher landing page shown to users when they log in.
      */
     landingPageDesign?: pulumi.Input<inputs.ZeroTrustAccessApplicationLandingPageDesign>;
     /**
-     * Image URL for the logo shown in the app launcher dashboard.
+     * The image URL for the logo shown in the App Launcher dashboard.
      */
     logoUrl?: pulumi.Input<string>;
     /**
-     * Friendly name of the Access Application.
+     * The name of the application.
      */
     name?: pulumi.Input<string>;
     /**
-     * Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if corsHeaders is set. Defaults to `false`.
+     * Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if corsHeaders is set.
      */
     optionsPreflightBypass?: pulumi.Input<boolean>;
     /**
-     * The policies associated with the application, in ascending order of precedence. Warning: Do not use this field while you still have this application ID referenced as `applicationId` in any `cloudflare.AccessPolicy` resource, as it can result in an inconsistent state.
+     * Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
      */
-    policies?: pulumi.Input<pulumi.Input<string>[]>;
+    pathCookieAttribute?: pulumi.Input<boolean>;
     /**
-     * SaaS configuration for the Access Application.
+     * The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      */
+    policies?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationPolicy>[]>;
     saasApp?: pulumi.Input<inputs.ZeroTrustAccessApplicationSaasApp>;
     /**
-     * Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
+     * Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
      */
     sameSiteCookieAttribute?: pulumi.Input<string>;
     /**
@@ -461,41 +429,36 @@ export interface ZeroTrustAccessApplicationArgs {
      */
     scimConfig?: pulumi.Input<inputs.ZeroTrustAccessApplicationScimConfig>;
     /**
-     * List of public domains secured by Access. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`. Deprecated in favor of `destinations` and will be removed in the next major version. Conflicts with `destinations`.
-     *
-     * @deprecated Use `destinations` instead
+     * List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `selfHostedDomains` will be ignored.
      */
     selfHostedDomains?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * Option to return a 401 status code in service authentication rules on failed requests. Defaults to `false`.
+     * Returns a 401 status code when the request is blocked by a Service Auth policy.
      */
     serviceAuth401Redirect?: pulumi.Input<boolean>;
     /**
-     * How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. Defaults to `24h`.
+     * The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      */
     sessionDuration?: pulumi.Input<string>;
     /**
-     * Option to skip the App Launcher landing page. Defaults to `false`.
+     * Determines when to skip the App Launcher landing page.
      */
     skipAppLauncherLoginPage?: pulumi.Input<boolean>;
     /**
-     * Option to skip the authorization interstitial when using the CLI. Defaults to `false`.
+     * Enables automatic authentication through cloudflared.
      */
     skipInterstitial?: pulumi.Input<boolean>;
     /**
-     * The itags associated with the application.
+     * The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
      */
     tags?: pulumi.Input<pulumi.Input<string>[]>;
-    /**
-     * The payload for an infrastructure application which defines the port, protocol, and target attributes. Only applicable to Infrastructure Applications, in which case this field is required.
-     */
     targetCriterias?: pulumi.Input<pulumi.Input<inputs.ZeroTrustAccessApplicationTargetCriteria>[]>;
     /**
-     * The application type. Available values: `appLauncher`, `bookmark`, `biso`, `dashSso`, `saas`, `selfHosted`, `ssh`, `vnc`, `warp`, `infrastructure`. Defaults to `selfHosted`.
+     * The application type.
      */
     type?: pulumi.Input<string>;
     /**
-     * The zone identifier to target for the resource. Conflicts with `accountId`.
+     * The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
      */
     zoneId?: pulumi.Input<string>;
 }