@pulumi/cloudflare 6.10.0-alpha.1759300545 → 6.10.0-alpha.1759443944

package/types/output.d.ts

@@ -813,7 +813,6 @@ export interface AccessApplicationSaasApp {
      * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      */
     consumerServiceUrl?: string;
-    createdAt: string;
     customAttributes?: outputs.AccessApplicationSaasAppCustomAttribute[];
     customClaims?: outputs.AccessApplicationSaasAppCustomClaim[];
     /**
@@ -867,7 +866,6 @@ export interface AccessApplicationSaasApp {
      * The endpoint where your SaaS application will send login requests.
      */
     ssoEndpoint: string;
-    updatedAt: string;
 }
 export interface AccessApplicationSaasAppCustomAttribute {
     /**
@@ -2633,37 +2631,37 @@ export interface AccountDnsSettingsZoneDefaultsNameservers {
      * Nameserver type
      * Available values: "cloudflare.standard", "cloudflare.standard.random", "custom.account", "custom.tenant".
      */
-    type: string;
+    type?: string;
 }
 export interface AccountDnsSettingsZoneDefaultsSoa {
     /**
      * Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone.
      */
-    expire: number;
+    expire?: number;
     /**
      * The time to live (TTL) for negative caching of records within the zone.
      */
-    minTtl: number;
+    minTtl?: number;
     /**
-     * The primary nameserver, which may be used for outbound zone transfers.
+     * The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used.
      */
-    mname: string;
+    mname?: string;
     /**
      * Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated.
      */
-    refresh: number;
+    refresh?: number;
     /**
      * Time in seconds after which secondary servers should retry queries after the primary server was unresponsive.
      */
-    retry: number;
+    retry?: number;
     /**
      * The email address of the zone administrator, with the first label representing the local part of the email address.
      */
-    rname: string;
+    rname?: string;
     /**
      * The time to live (TTL) of the SOA record itself.
      */
-    ttl: number;
+    ttl?: number;
 }
 export interface AccountMemberPolicy {
     /**
@@ -2822,11 +2820,6 @@ export interface AccountUnit {
     id?: string;
 }
 export interface AddressMapMembership {
-    /**
-     * Controls whether the membership can be deleted via the API or not.
-     */
-    canDelete: boolean;
-    createdAt: string;
     /**
      * The identifier for the membership (eg. a zone or account tag).
      */
@@ -4394,7 +4387,7 @@ export interface GetAccountDnsSettingsZoneDefaultsSoa {
      */
     minTtl: number;
     /**
-     * The primary nameserver, which may be used for outbound zone transfers.
+     * The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used.
      */
     mname: string;
     /**
@@ -5947,10 +5940,14 @@ export interface GetByoIpPrefixesResult {
     accountId: string;
     /**
      * Prefix advertisement status to the Internet. This field is only not 'null' if on demand is enabled.
+     *
+     * @deprecated Prefer the [BGP Prefixes API](https://developers.cloudflare.com/api/resources/addressing/subresources/prefixes/subresources/bgp_prefixes/) instead, which allows for advertising multiple BGP routes within a single IP Prefix.
      */
     advertised: boolean;
     /**
      * Last time the advertisement status was changed. This field is only not 'null' if on demand is enabled.
+     *
+     * @deprecated Prefer the [BGP Prefixes API](https://developers.cloudflare.com/api/resources/addressing/subresources/prefixes/subresources/bgp_prefixes/) instead, which allows for advertising multiple BGP routes within a single IP Prefix.
      */
     advertisedModifiedAt: string;
     /**
@@ -5981,10 +5978,14 @@ export interface GetByoIpPrefixesResult {
     modifiedAt: string;
     /**
      * Whether advertisement of the prefix to the Internet may be dynamically enabled or disabled.
+     *
+     * @deprecated Prefer the [BGP Prefixes API](https://developers.cloudflare.com/api/resources/addressing/subresources/prefixes/subresources/bgp_prefixes/) instead, which allows for advertising multiple BGP routes within a single IP Prefix.
      */
     onDemandEnabled: boolean;
     /**
      * Whether advertisement status of the prefix is locked, meaning it cannot be changed.
+     *
+     * @deprecated Prefer the [BGP Prefixes API](https://developers.cloudflare.com/api/resources/addressing/subresources/prefixes/subresources/bgp_prefixes/) instead, which allows for advertising multiple BGP routes within a single IP Prefix.
      */
     onDemandLocked: boolean;
 }
@@ -6794,11 +6795,26 @@ export interface GetDnsFirewallsResult {
      */
     id: string;
     /**
-     * Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
+     * By default, Cloudflare attempts to cache responses for as long as
+     * indicated by the TTL received from upstream nameservers. This setting
+     * sets an upper bound on this duration. For caching purposes, higher TTLs
+     * will be decreased to the maximum value defined by this setting.
      */
     maximumCacheTtl: number;
     /**
-     * Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
+     * By default, Cloudflare attempts to cache responses for as long as
+     * indicated by the TTL received from upstream nameservers. This setting
+     * sets a lower bound on this duration. For caching purposes, lower TTLs
+     * will be increased to the minimum value defined by this setting.
+     *
+     * This setting does not affect the TTL value in the DNS response
+     * Cloudflare returns to clients. Cloudflare will always forward the TTL
+     * value received from upstream nameservers.
+     *
+     * Note that, even with this setting, there is no guarantee that a
+     * response will be cached for at least the specified duration. Cached
+     * responses may be removed earlier for capacity or other operational
+     * reasons.
      */
     minimumCacheTtl: number;
     /**
@@ -6810,7 +6826,12 @@ export interface GetDnsFirewallsResult {
      */
     name: string;
     /**
-     * Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
+     * This setting controls how long DNS Firewall should cache negative
+     * responses (e.g., NXDOMAIN) from the upstream servers.
+     *
+     * This setting does not affect the TTL value in the DNS response
+     * Cloudflare returns to clients. Cloudflare will always forward the TTL
+     * value received from upstream nameservers.
      */
     negativeCacheTtl: number;
     /**
@@ -8780,6 +8801,10 @@ export interface GetLoadBalancerPoolsResult {
      * The ID of the Monitor to use for checking the health of origins within this pool.
      */
     monitor: string;
+    /**
+     * The ID of the Monitor Group to use for checking the health of origins within this pool.
+     */
+    monitorGroup: string;
     /**
      * A short name (tag) for the pool. Only alphanumeric characters, hyphens, and underscores are allowed.
      */
@@ -10109,6 +10134,10 @@ export interface GetMagicTransitSitesResultLocation {
     lon: string;
 }
 export interface GetMagicWanGreTunnelGreTunnel {
+    /**
+     * True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
+     */
+    automaticReturnRouting: boolean;
     bgp: outputs.GetMagicWanGreTunnelGreTunnelBgp;
     bgpStatus: outputs.GetMagicWanGreTunnelGreTunnelBgpStatus;
     /**
@@ -10224,6 +10253,10 @@ export interface GetMagicWanIpsecTunnelIpsecTunnel {
      * When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
      */
     allowNullCipher: boolean;
+    /**
+     * True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
+     */
+    automaticReturnRouting: boolean;
     bgp: outputs.GetMagicWanIpsecTunnelIpsecTunnelBgp;
     bgpStatus: outputs.GetMagicWanIpsecTunnelIpsecTunnelBgpStatus;
     /**
@@ -10234,6 +10267,7 @@ export interface GetMagicWanIpsecTunnelIpsecTunnel {
      * The date and time the tunnel was created.
      */
     createdOn: string;
+    customRemoteIdentities: outputs.GetMagicWanIpsecTunnelIpsecTunnelCustomRemoteIdentities;
     /**
      * The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
      */
@@ -10299,6 +10333,13 @@ export interface GetMagicWanIpsecTunnelIpsecTunnelBgpStatus {
     tcpEstablished: boolean;
     updatedAt: string;
 }
+export interface GetMagicWanIpsecTunnelIpsecTunnelCustomRemoteIdentities {
+    /**
+     * A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The
+     * generated IKE IDs can still be used even if this custom value is specified.
+     */
+    fqdnId: string;
+}
 export interface GetMagicWanIpsecTunnelIpsecTunnelHealthCheck {
     /**
      * The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel.
@@ -14988,6 +15029,14 @@ export interface GetWorkerVersionBinding {
      * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm).
      */
     algorithm: string;
+    /**
+     * List of allowed destination addresses.
+     */
+    allowedDestinationAddresses: string[];
+    /**
+     * List of allowed sender addresses.
+     */
+    allowedSenderAddresses: string[];
     /**
      * R2 bucket to bind to.
      */
@@ -15004,6 +15053,10 @@ export interface GetWorkerVersionBinding {
      * The name of the dataset to bind to.
      */
     dataset: string;
+    /**
+     * Destination address for the email.
+     */
+    destinationAddress: string;
     /**
      * The environment of the scriptName to bind to.
      */
@@ -15025,6 +15078,11 @@ export interface GetWorkerVersionBinding {
      * JSON data to use.
      */
     json: string;
+    /**
+     * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket.
+     * Available values: "eu", "fedramp".
+     */
+    jurisdiction: string;
     /**
      * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki".
      */
@@ -15045,10 +15103,18 @@ export interface GetWorkerVersionBinding {
      * Namespace identifier tag.
      */
     namespaceId: string;
+    /**
+     * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions.
+     */
+    oldName: string;
     /**
      * Outbound worker.
      */
     outbound: outputs.GetWorkerVersionBindingOutbound;
+    /**
+     * The name of the file containing the data content. Only accepted for `service worker syntax` Workers.
+     */
+    part: string;
     /**
      * Name of the Pipeline to bind to.
      */
@@ -15079,13 +15145,17 @@ export interface GetWorkerVersionBinding {
     text: string;
     /**
      * The kind of resource that the binding provides.
-     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow".
+     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "data*blob", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "inherit", "images", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "send*email", "service", "tail*consumer", "text*blob", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow", "wasm*module".
      */
     type: string;
     /**
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages: string[];
+    /**
+     * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version.
+     */
+    versionId: string;
     /**
      * Name of the Workflow to bind to.
      */
@@ -15255,6 +15325,11 @@ export interface GetWorkerVersionsResult {
     migrations: outputs.GetWorkerVersionsResultMigrations;
     /**
      * Code, sourcemaps, and other content used at runtime.
+     *
+     * This includes [`_headers`](https://developers.cloudflare.com/workers/static-assets/headers/#custom-headers) and
+     * [`_redirects`](https://developers.cloudflare.com/workers/static-assets/redirects/) files used to configure
+     * [Static Assets](https://developers.cloudflare.com/workers/static-assets/). `_headers` and `_redirects` files should be
+     * included as modules named `_headers` and `_redirects` with content type `text/plain`.
      */
     modules: outputs.GetWorkerVersionsResultModule[];
     /**
@@ -15322,6 +15397,14 @@ export interface GetWorkerVersionsResultBinding {
      * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm).
      */
     algorithm: string;
+    /**
+     * List of allowed destination addresses.
+     */
+    allowedDestinationAddresses: string[];
+    /**
+     * List of allowed sender addresses.
+     */
+    allowedSenderAddresses: string[];
     /**
      * R2 bucket to bind to.
      */
@@ -15338,6 +15421,10 @@ export interface GetWorkerVersionsResultBinding {
      * The name of the dataset to bind to.
      */
     dataset: string;
+    /**
+     * Destination address for the email.
+     */
+    destinationAddress: string;
     /**
      * The environment of the scriptName to bind to.
      */
@@ -15359,6 +15446,11 @@ export interface GetWorkerVersionsResultBinding {
      * JSON data to use.
      */
     json: string;
+    /**
+     * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket.
+     * Available values: "eu", "fedramp".
+     */
+    jurisdiction: string;
     /**
      * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki".
      */
@@ -15379,10 +15471,18 @@ export interface GetWorkerVersionsResultBinding {
      * Namespace identifier tag.
      */
     namespaceId: string;
+    /**
+     * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions.
+     */
+    oldName: string;
     /**
      * Outbound worker.
      */
     outbound: outputs.GetWorkerVersionsResultBindingOutbound;
+    /**
+     * The name of the file containing the data content. Only accepted for `service worker syntax` Workers.
+     */
+    part: string;
     /**
      * Name of the Pipeline to bind to.
      */
@@ -15413,13 +15513,17 @@ export interface GetWorkerVersionsResultBinding {
     text: string;
     /**
      * The kind of resource that the binding provides.
-     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow".
+     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "data*blob", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "inherit", "images", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "send*email", "service", "tail*consumer", "text*blob", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow", "wasm*module".
      */
     type: string;
     /**
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages: string[];
+    /**
+     * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version.
+     */
+    versionId: string;
     /**
      * Name of the Workflow to bind to.
      */
@@ -15679,7 +15783,7 @@ export interface GetWorkersResult {
      */
     createdOn: string;
     /**
-     * Identifier.
+     * Immutable ID of the Worker.
      */
     id: string;
     /**
@@ -15890,6 +15994,42 @@ export interface GetWorkersScriptsResultTailConsumer {
      */
     service: string;
 }
+export interface GetWorkflowFilter {
+    /**
+     * Allows filtering workflows` name.
+     */
+    search?: string;
+}
+export interface GetWorkflowInstances {
+    complete: number;
+    errored: number;
+    paused: number;
+    queued: number;
+    running: number;
+    terminated: number;
+    waiting: number;
+    waitingForPause: number;
+}
+export interface GetWorkflowsResult {
+    className: string;
+    createdOn: string;
+    id: string;
+    instances: outputs.GetWorkflowsResultInstances;
+    modifiedOn: string;
+    name: string;
+    scriptName: string;
+    triggeredOn: string;
+}
+export interface GetWorkflowsResultInstances {
+    complete: number;
+    errored: number;
+    paused: number;
+    queued: number;
+    running: number;
+    terminated: number;
+    waiting: number;
+    waitingForPause: number;
+}
 export interface GetZeroTrustAccessApplicationCorsHeaders {
     /**
      * Allows all HTTP request headers.
@@ -16766,7 +16906,6 @@ export interface GetZeroTrustAccessApplicationSaasApp {
      * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      */
     consumerServiceUrl: string;
-    createdAt: string;
     customAttributes: outputs.GetZeroTrustAccessApplicationSaasAppCustomAttribute[];
     customClaims: outputs.GetZeroTrustAccessApplicationSaasAppCustomClaim[];
     /**
@@ -16820,7 +16959,6 @@ export interface GetZeroTrustAccessApplicationSaasApp {
      * The endpoint where your SaaS application will send login requests.
      */
     ssoEndpoint: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessApplicationSaasAppCustomAttribute {
     /**
@@ -17063,7 +17201,6 @@ export interface GetZeroTrustAccessApplicationsResult {
      */
     bgColor: string;
     corsHeaders: outputs.GetZeroTrustAccessApplicationsResultCorsHeaders;
-    createdAt: string;
     /**
      * The custom error message shown to a user when they are denied access to the application.
      */
@@ -17180,7 +17317,6 @@ export interface GetZeroTrustAccessApplicationsResult {
      * Available values: "self*hosted", "saas", "ssh", "vnc", "app*launcher", "warp", "biso", "bookmark", "dashSso", "infrastructure", "rdp".
      */
     type: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessApplicationsResultCorsHeaders {
     /**
@@ -18036,7 +18172,6 @@ export interface GetZeroTrustAccessApplicationsResultSaasApp {
      * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      */
     consumerServiceUrl: string;
-    createdAt: string;
     customAttributes: outputs.GetZeroTrustAccessApplicationsResultSaasAppCustomAttribute[];
     customClaims: outputs.GetZeroTrustAccessApplicationsResultSaasAppCustomClaim[];
     /**
@@ -18090,7 +18225,6 @@ export interface GetZeroTrustAccessApplicationsResultSaasApp {
      * The endpoint where your SaaS application will send login requests.
      */
     ssoEndpoint: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessApplicationsResultSaasAppCustomAttribute {
     /**
@@ -18300,11 +18434,6 @@ export interface GetZeroTrustAccessApplicationsResultTargetCriteria {
     };
 }
 export interface GetZeroTrustAccessCustomPagesResult {
-    /**
-     * Number of apps the custom page is assigned to.
-     */
-    appCount: number;
-    createdAt: string;
     /**
      * Custom page name.
      */
@@ -18318,7 +18447,6 @@ export interface GetZeroTrustAccessCustomPagesResult {
      * UUID.
      */
     uid: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessGroupExclude {
     /**
@@ -19179,7 +19307,6 @@ export interface GetZeroTrustAccessGroupRequireServiceToken {
     tokenId: string;
 }
 export interface GetZeroTrustAccessGroupsResult {
-    createdAt: string;
     /**
      * Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
      */
@@ -19204,7 +19331,6 @@ export interface GetZeroTrustAccessGroupsResult {
      * Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
      */
     requires: outputs.GetZeroTrustAccessGroupsResultRequire[];
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessGroupsResultExclude {
     /**
@@ -20551,7 +20677,6 @@ export interface GetZeroTrustAccessMtlsCertificatesResult {
      * The hostnames of the applications that will use this certificate.
      */
     associatedHostnames: string[];
-    createdAt: string;
     expiresOn: string;
     /**
      * The MD5 fingerprint of the certificate.
@@ -20565,7 +20690,6 @@ export interface GetZeroTrustAccessMtlsCertificatesResult {
      * The name of the certificate.
      */
     name: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessPoliciesResult {
     /**
@@ -21940,7 +22064,6 @@ export interface GetZeroTrustAccessServiceTokensResult {
      * The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
      */
     clientId: string;
-    createdAt: string;
     /**
      * The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
      */
@@ -21950,12 +22073,10 @@ export interface GetZeroTrustAccessServiceTokensResult {
      * The ID of the service token.
      */
     id: string;
-    lastSeenAt: string;
     /**
      * The name of the service token.
      */
     name: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustAccessShortLivedCertificatesResult {
     /**
@@ -21972,16 +22093,10 @@ export interface GetZeroTrustAccessShortLivedCertificatesResult {
     publicKey: string;
 }
 export interface GetZeroTrustAccessTagsResult {
-    /**
-     * The number of applications that have this tag
-     */
-    appCount: number;
-    createdAt: string;
     /**
      * The name of the tag
      */
     name: string;
-    updatedAt: string;
 }
 export interface GetZeroTrustDeviceCustomProfileExclude {
     /**
@@ -23379,113 +23494,113 @@ export interface GetZeroTrustDnsLocationEndpoints {
 }
 export interface GetZeroTrustDnsLocationEndpointsDoh {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOH endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationEndpointsDohNetwork[];
     /**
-     * True if the endpoint requires [user identity](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/#filter-doh-requests-by-user) authentication.
+     * Specify whether the DOH endpoint requires user identity authentication.
      */
     requireToken: boolean;
 }
 export interface GetZeroTrustDnsLocationEndpointsDohNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationEndpointsDot {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOT endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationEndpointsDotNetwork[];
 }
 export interface GetZeroTrustDnsLocationEndpointsDotNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationEndpointsIpv4 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPv4 endpoint is enabled for this location.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustDnsLocationEndpointsIpv6 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPV6 endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IPv6 network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationEndpointsIpv6Network[];
 }
 export interface GetZeroTrustDnsLocationEndpointsIpv6Network {
     /**
-     * The IPv6 address or IPv6 CIDR.
+     * Specify the IPv6 address or IPv6 CIDR.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationNetwork {
     /**
-     * The IPv4 address or IPv4 CIDR. IPv4 CIDRs are limited to a maximum of /24.
+     * Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationsResult {
     /**
-     * True if the location is the default location.
+     * Indicate whether this location is the default location.
      */
     clientDefault: boolean;
     createdAt: string;
     /**
-     * The identifier of the pair of IPv4 addresses assigned to this location.
+     * Indicate the identifier of the pair of IPv4 addresses assigned to this location.
      */
     dnsDestinationIpsId: string;
     /**
-     * The uuid identifier of the IPv6 block brought to the gateway, so that this location's IPv6 address is allocated from the Bring Your Own Ipv6(BYOIPv6) block and not from the standard Cloudflare IPv6 block.
+     * Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
      */
     dnsDestinationIpv6BlockId: string;
     /**
-     * The DNS over HTTPS domain to send DNS requests to. This field is auto-generated by Gateway.
+     * Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
      */
     dohSubdomain: string;
     /**
-     * True if the location needs to resolve EDNS queries.
+     * Indicate whether the location must resolve EDNS queries.
      */
     ecsSupport: boolean;
     /**
-     * The destination endpoints configured for this location. When updating a location, if this field is absent or set with null, the endpoints configuration remains unchanged.
+     * Configure the destination endpoints for this location.
      */
     endpoints: outputs.GetZeroTrustDnsLocationsResultEndpoints;
     id: string;
     /**
-     * IPV6 destination ip assigned to this location. DNS requests sent to this IP will counted as the request under this location. This field is auto-generated by Gateway.
+     * Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
      */
     ip: string;
     /**
-     * The primary destination IPv4 address from the pair identified by the dns*destination*ips_id. This field is read-only.
+     * Show the primary destination IPv4 address from the pair identified dns*destination*ips_id. This field read-only.
      */
     ipv4Destination: string;
     /**
-     * The backup destination IPv4 address from the pair identified by the dns*destination*ips_id. This field is read-only.
+     * Show the backup destination IPv4 address from the pair identified dns*destination*ips_id. This field read-only.
      */
     ipv4DestinationBackup: string;
     /**
-     * The name of the location.
+     * Specify the location name.
      */
     name: string;
     /**
-     * A list of network ranges that requests from this location would originate from. A non-empty list is only effective if the ipv4 endpoint is enabled for this location.
+     * Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationsResultNetwork[];
     updatedAt: string;
@@ -23498,171 +23613,171 @@ export interface GetZeroTrustDnsLocationsResultEndpoints {
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsDoh {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOH endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationsResultEndpointsDohNetwork[];
     /**
-     * True if the endpoint requires [user identity](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/#filter-doh-requests-by-user) authentication.
+     * Specify whether the DOH endpoint requires user identity authentication.
      */
     requireToken: boolean;
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsDohNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsDot {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOT endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationsResultEndpointsDotNetwork[];
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsDotNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsIpv4 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPv4 endpoint is enabled for this location.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsIpv6 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPV6 endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IPv6 network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.GetZeroTrustDnsLocationsResultEndpointsIpv6Network[];
 }
 export interface GetZeroTrustDnsLocationsResultEndpointsIpv6Network {
     /**
-     * The IPv6 address or IPv6 CIDR.
+     * Specify the IPv6 address or IPv6 CIDR.
      */
     network: string;
 }
 export interface GetZeroTrustDnsLocationsResultNetwork {
     /**
-     * The IPv4 address or IPv4 CIDR. IPv4 CIDRs are limited to a maximum of /24.
+     * Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
      */
     network: string;
 }
 export interface GetZeroTrustGatewayAppTypesListResult {
     /**
-     * The identifier for the type of this application. There can be many applications with the same type. This refers to the `id` of a returned application type.
+     * Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
      */
     applicationTypeId: number;
     createdAt: string;
     /**
-     * A short summary of applications with this type.
+     * Provide a short summary of applications with this type.
      */
     description: string;
     /**
-     * The identifier for this application. There is only one application per ID.
+     * Identify this application. Only one application per ID.
      */
     id: number;
     /**
-     * The name of the application or application type.
+     * Specify the name of the application or application type.
      */
     name: string;
 }
 export interface GetZeroTrustGatewayCategoriesListResult {
     /**
-     * True if the category is in beta and subject to change.
+     * Indicate whether the category is in beta and subject to change.
      */
     beta: boolean;
     /**
-     * Which account types are allowed to create policies based on this category. `blocked` categories are blocked unconditionally for all accounts. `removalPending` categories can be removed from policies but not added. `noBlock` categories cannot be blocked.
+     * Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      * Available values: "free", "premium", "blocked", "removalPending", "noBlock".
      */
     class: string;
     /**
-     * A short summary of domains in the category.
+     * Provide a short summary of domains in the category.
      */
     description: string;
     /**
-     * The identifier for this category. There is only one category per ID.
+     * Identify this category. Only one category per ID.
      */
     id: number;
     /**
-     * The name of the category.
+     * Specify the category name.
      */
     name: string;
     /**
-     * All subcategories for this category.
+     * Provide all subcategories for this category.
      */
     subcategories: outputs.GetZeroTrustGatewayCategoriesListResultSubcategory[];
 }
 export interface GetZeroTrustGatewayCategoriesListResultSubcategory {
     /**
-     * True if the category is in beta and subject to change.
+     * Indicate whether the category is in beta and subject to change.
      */
     beta: boolean;
     /**
-     * Which account types are allowed to create policies based on this category. `blocked` categories are blocked unconditionally for all accounts. `removalPending` categories can be removed from policies but not added. `noBlock` categories cannot be blocked.
+     * Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      * Available values: "free", "premium", "blocked", "removalPending", "noBlock".
      */
     class: string;
     /**
-     * A short summary of domains in the category.
+     * Provide a short summary of domains in the category.
      */
     description: string;
     /**
-     * The identifier for this category. There is only one category per ID.
+     * Identify this category. Only one category per ID.
      */
     id: number;
     /**
-     * The name of the category.
+     * Specify the category name.
      */
     name: string;
 }
 export interface GetZeroTrustGatewayCertificatesResult {
     /**
-     * The read only deployment status of the certificate on Cloudflare's edge. Certificates in the 'available' (previously called 'active') state may be used for Gateway TLS interception.
+     * Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
      * Available values: "pending*deployment", "available", "pending*deletion", "inactive".
      */
     bindingStatus: string;
     /**
-     * The CA certificate(read only).
+     * Provide the CA certificate (read-only).
      */
     certificate: string;
     createdAt: string;
     expiresOn: string;
     /**
-     * The SHA256 fingerprint of the certificate(read only).
+     * Provide the SHA256 fingerprint of the certificate (read-only).
      */
     fingerprint: string;
     /**
-     * Certificate UUID tag.
+     * Identify the certificate with a UUID.
      */
     id: string;
     /**
-     * Read-only field that shows whether Gateway TLS interception is using this certificate. This value cannot be set directly. To configure the certificate for interception, use the Gateway configuration setting named certificate.
+     * Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
      */
     inUse: boolean;
     /**
-     * The organization that issued the certificate(read only).
+     * Indicate the organization that issued the certificate (read-only).
      */
     issuerOrg: string;
     /**
-     * The entire issuer field of the certificate(read only).
+     * Provide the entire issuer field of the certificate (read-only).
      */
     issuerRaw: string;
     /**
-     * The type of certificate, either BYO-PKI (custom) or Gateway-managed(read only).
+     * Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
      * Available values: "custom", "gatewayManaged".
      */
     type: string;
@@ -23670,238 +23785,242 @@ export interface GetZeroTrustGatewayCertificatesResult {
     uploadedOn: string;
 }
 export interface GetZeroTrustGatewayLoggingSettingsByRuleType {
+    /**
+     * Configure logging settings for DNS firewall.
+     */
     dns: outputs.GetZeroTrustGatewayLoggingSettingsByRuleTypeDns;
+    /**
+     * Configure logging settings for HTTP/HTTPS firewall.
+     */
     http: outputs.GetZeroTrustGatewayLoggingSettingsByRuleTypeHttp;
+    /**
+     * Configure logging settings for Network firewall.
+     */
     l4: outputs.GetZeroTrustGatewayLoggingSettingsByRuleTypeL4;
 }
 export interface GetZeroTrustGatewayLoggingSettingsByRuleTypeDns {
     /**
-     * Log all requests to this service.
+     * Specify whether to log all requests to this service.
      */
     logAll: boolean;
     /**
-     * Log only blocking requests to this service.
+     * Specify whether to log only blocking requests to this service.
      */
     logBlocks: boolean;
 }
 export interface GetZeroTrustGatewayLoggingSettingsByRuleTypeHttp {
     /**
-     * Log all requests to this service.
+     * Specify whether to log all requests to this service.
      */
     logAll: boolean;
     /**
-     * Log only blocking requests to this service.
+     * Specify whether to log only blocking requests to this service.
      */
     logBlocks: boolean;
 }
 export interface GetZeroTrustGatewayLoggingSettingsByRuleTypeL4 {
     /**
-     * Log all requests to this service.
+     * Specify whether to log all requests to this service.
      */
     logAll: boolean;
     /**
-     * Log only blocking requests to this service.
+     * Specify whether to log only blocking requests to this service.
      */
     logBlocks: boolean;
 }
 export interface GetZeroTrustGatewayPoliciesResult {
     /**
-     * The action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
+     * Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`.
      * Available values: "on", "off", "allow", "block", "scan", "noscan", "safesearch", "ytrestricted", "isolate", "noisolate", "override", "l4Override", "egress", "resolve", "quarantine", "redirect".
      */
     action: string;
     createdAt: string;
     /**
-     * Date of deletion, if any.
+     * Indicate the date of deletion, if any.
      */
     deletedAt: string;
     /**
-     * The description of the rule.
+     * Specify the rule description.
      */
     description: string;
     devicePosture: string;
     /**
-     * True if the rule is enabled.
+     * Specify whether the rule is enabled.
      */
     enabled: boolean;
     /**
-     * The expiration time stamp and default duration of a DNS policy. Takes
-     * precedence over the policy's `schedule` configuration, if any.
+     * Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This  does not apply to HTTP or network policies. Settable only for `dns` rules.
      */
     expiration: outputs.GetZeroTrustGatewayPoliciesResultExpiration;
     /**
-     * The protocol or layer to evaluate the traffic, identity, and device. posture expressions.
+     * Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions.
      */
     filters: string[];
     /**
-     * The API resource UUID.
+     * Identify the API resource with a UUID.
      */
     id: string;
     identity: string;
     /**
-     * The name of the rule.
+     * Specify the rule name.
      */
     name: string;
-    /**
-     * The rule cannot be shared via the Orgs API.
-     */
-    notSharable: boolean;
     precedence: number;
     /**
-     * The rule was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this rule is shared via the Orgs API and read only.
      */
     readOnly: boolean;
-    /**
-     * Additional settings that modify the rule's action.
-     */
     ruleSettings: outputs.GetZeroTrustGatewayPoliciesResultRuleSettings;
     /**
-     * The schedule for activating DNS policies. This does not apply to HTTP or network policies.
+     * Defines the schedule for activating DNS policies. Settable only for `dns` and `dnsResolver` rules.
      */
     schedule: outputs.GetZeroTrustGatewayPoliciesResultSchedule;
     /**
-     * account tag of account that created the rule.
+     * Indicate that this rule is sharable via the Orgs API.
+     */
+    sharable: boolean;
+    /**
+     * Provide the account tag of the account that created the rule.
      */
     sourceAccount: string;
     traffic: string;
     updatedAt: string;
     /**
-     * version number of the rule.
+     * Indicate the version number of the rule(read-only).
      */
     version: number;
     /**
-     * Warning for a misconfigured rule, if any.
+     * Indicate a warning for a misconfigured rule, if any.
      */
     warningStatus: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultExpiration {
     /**
-     * The default duration a policy will be active in minutes. Must be set in order to use the `resetExpiration` endpoint on this rule.
+     * Defines the default duration a policy active in minutes. Must set in order to use the `resetExpiration` endpoint on this rule.
      */
     duration: number;
     /**
-     * Whether the policy has expired.
+     * Indicates whether the policy is expired.
      */
     expired: boolean;
     /**
-     * The time stamp at which the policy will expire and cease to be
-     * applied.
+     * Show the timestamp when the policy expires and stops applying.  The value must follow RFC 3339 and include a UTC offset.  The system accepts non-zero offsets but converts them to the equivalent UTC+00:00  value and returns timestamps with a trailing Z. Expiration policies ignore client  timezones and expire globally at the specified expiresAt time.
      */
     expiresAt: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettings {
     /**
-     * Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s).
+     * Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
      */
     addHeaders: {
         [key: string]: string[];
     };
     /**
-     * Set by parent MSP accounts to enable their children to bypass this rule.
+     * Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.
      */
     allowChildBypass: boolean;
     /**
-     * Settings for the Audit SSH action.
+     * Define the settings for the Audit SSH action. Settable only for `l4` rules with `auditSsh` action.
      */
     auditSsh: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsAuditSsh;
     /**
-     * Configure how browser isolation behaves.
+     * Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      */
     bisoAdminControls: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsBisoAdminControls;
     /**
-     * Custom block page settings. If missing/null, blocking will use the the account settings.
+     * Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      */
     blockPage: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsBlockPage;
     /**
-     * Enable the custom block page.
+     * Enable the custom block page. Settable only for `dns` rules with action `block`.
      */
     blockPageEnabled: boolean;
     /**
-     * The text describing why this block occurred, displayed on the custom block page (if enabled).
+     * Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`.
      */
     blockReason: string;
     /**
-     * Set by children MSP accounts to bypass their parent's rules.
+     * Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
      */
     bypassParentRule: boolean;
     /**
-     * Configure how session check behaves.
+     * Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      */
     checkSession: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsCheckSession;
     /**
-     * Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'.
+     * Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     dnsResolvers: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsDnsResolvers;
     /**
-     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs.
+     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      */
     egress: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsEgress;
     /**
-     * Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response.
+     * Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dnsResolver` rules.
      */
     ignoreCnameCategoryMatches: boolean;
     /**
-     * INSECURE - disable DNSSEC validation (for Allow actions).
+     * Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
      */
     insecureDisableDnssecValidation: boolean;
     /**
-     * Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names.
+     * Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dnsResolver` rules.
      */
     ipCategories: boolean;
     /**
-     * Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names.
+     * Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dnsResolver` rules.
      */
     ipIndicatorFeeds: boolean;
     /**
-     * Send matching traffic to the supplied destination IP address. and port.
+     * Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4Override`.
      */
     l4override: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsL4override;
     /**
-     * Configure a notification to display on the user's device when this rule is matched.
+     * Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`.
      */
     notificationSettings: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsNotificationSettings;
     /**
-     * Override matching DNS queries with a hostname.
+     * Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideHost: string;
     /**
-     * Override matching DNS queries with an IP or set of IPs.
+     * Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideIps: string[];
     /**
-     * Configure DLP payload logging.
+     * Configure DLP payload logging. Settable only for `http` rules.
      */
     payloadLog: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsPayloadLog;
     /**
-     * Settings that apply to quarantine rules.
+     * Configure settings that apply to quarantine rules. Settable only for `http` rules.
      */
     quarantine: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsQuarantine;
     /**
-     * Settings that apply to redirect rules.
+     * Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      */
     redirect: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsRedirect;
     /**
-     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Not used when 'dns*resolvers' is specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsInternally: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsResolveDnsInternally;
     /**
-     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns_internally' is set. Only valid when a rule's action is set to 'resolve'.
+     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns*resolvers' specified or 'resolve*dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsThroughCloudflare: boolean;
     /**
-     * Configure behavior when an upstream cert is invalid or an SSL error occurs.
+     * Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      */
     untrustedCert: outputs.GetZeroTrustGatewayPoliciesResultRuleSettingsUntrustedCert;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsAuditSsh {
     /**
-     * Enable to turn on SSH command logging.
+     * Enable SSH command logging.
      */
     commandLogging: boolean;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsBisoAdminControls {
     /**
-     * Configure whether copy is enabled or not. When set with "remote*only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when `version == "v2"`.
+     * Configure copy behavior. If set to remote*only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     copy: string;
@@ -23918,7 +24037,7 @@ export interface GetZeroTrustGatewayPoliciesResultRuleSettingsBisoAdminControls
      */
     dk: boolean;
     /**
-     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Configure download behavior. When set to remote*only, users can view downloads but cannot save them. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     download: string;
@@ -23931,45 +24050,48 @@ export interface GetZeroTrustGatewayPoliciesResultRuleSettingsBisoAdminControls
      */
     du: boolean;
     /**
-     * Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when `version == "v2"`.
+     * Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     keyboard: string;
     /**
-     * Configure whether pasting is enabled or not. When set with "remote*only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when `version == "v2"`.
+     * Configure paste behavior. If set to remote*only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     paste: string;
     /**
-     * Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when `version == "v2"`.
+     * Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     printing: string;
     /**
-     * Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when `version == "v2"`.
+     * Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     upload: string;
     /**
-     * Indicates which version of the browser isolation controls should apply.
+     * Indicate which version of the browser isolation controls should apply.
      * Available values: "v1", "v2".
      */
     version: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsBlockPage {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsCheckSession {
+    /**
+     * Sets the required session freshness threshold. The API returns a normalized version of this value.
+     */
     duration: string;
     /**
-     * Set to true to enable session enforcement.
+     * Enable session enforcement.
      */
     enforce: boolean;
 }
@@ -23979,71 +24101,71 @@ export interface GetZeroTrustGatewayPoliciesResultRuleSettingsDnsResolvers {
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsDnsResolversIpv4 {
     /**
-     * IPv4 address of upstream resolver.
+     * Specify the IPv4 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsDnsResolversIpv6 {
     /**
-     * IPv6 address of upstream resolver.
+     * Specify the IPv6 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsEgress {
     /**
-     * The IPv4 address to be used for egress.
+     * Specify the IPv4 address to use for egress.
      */
     ipv4: string;
     /**
-     * The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs.
+     * Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      */
     ipv4Fallback: string;
     /**
-     * The IPv6 range to be used for egress.
+     * Specify the IPv6 range to use for egress.
      */
     ipv6: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsL4override {
     /**
-     * IPv4 or IPv6 address.
+     * Defines the IPv4 or IPv6 address.
      */
     ip: string;
     /**
-     * A port number to use for TCP/UDP overrides.
+     * Defines a port number to use for TCP/UDP overrides.
      */
     port: number;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsNotificationSettings {
     /**
-     * Set notification on.
+     * Enable notification.
      */
     enabled: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Indicates whether to pass the context information as query parameters.
      */
     includeContext: boolean;
     /**
@@ -24051,216 +24173,194 @@ export interface GetZeroTrustGatewayPoliciesResultRuleSettingsNotificationSettin
      */
     msg: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
      */
     supportUrl: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsPayloadLog {
     /**
-     * Set to true to enable DLP payload logging for this rule.
+     * Enable DLP payload logging for this rule.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsQuarantine {
     /**
-     * Types of files to sandbox.
+     * Specify the types of files to sandbox.
      */
     fileTypes: string[];
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsRedirect {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext: boolean;
     /**
-     * If true, the path and query parameters from the original request will be appended to target_uri.
+     * Specify whether to append the path and query parameters from the original request to target_uri.
      */
     preservePathAndQuery: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsResolveDnsInternally {
     /**
-     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     * Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      * Available values: "none", "publicDns".
      */
     fallback: string;
     /**
-     * The internal DNS view identifier that's passed to the internal DNS service.
+     * Specify the internal DNS view identifier to pass to the internal DNS service.
      */
     viewId: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultRuleSettingsUntrustedCert {
     /**
-     * The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
+     * Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.
      * Available values: "passThrough", "block", "error".
      */
     action: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultSchedule {
-    /**
-     * The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Fridays.
-     */
     fri: string;
-    /**
-     * The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays.
-     */
     mon: string;
-    /**
-     * The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Saturdays.
-     */
     sat: string;
-    /**
-     * The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays.
-     */
     sun: string;
-    /**
-     * The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays.
-     */
     thu: string;
     /**
-     * The time zone the rule will be evaluated against. If a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center.
+     * Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
      */
     timeZone: string;
-    /**
-     * The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays.
-     */
     tue: string;
-    /**
-     * The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays.
-     */
     wed: string;
 }
 export interface GetZeroTrustGatewayPolicyExpiration {
     /**
-     * The default duration a policy will be active in minutes. Must be set in order to use the `resetExpiration` endpoint on this rule.
+     * Defines the default duration a policy active in minutes. Must set in order to use the `resetExpiration` endpoint on this rule.
      */
     duration: number;
     /**
-     * Whether the policy has expired.
+     * Indicates whether the policy is expired.
      */
     expired: boolean;
     /**
-     * The time stamp at which the policy will expire and cease to be
-     * applied.
+     * Show the timestamp when the policy expires and stops applying.  The value must follow RFC 3339 and include a UTC offset.  The system accepts non-zero offsets but converts them to the equivalent UTC+00:00  value and returns timestamps with a trailing Z. Expiration policies ignore client  timezones and expire globally at the specified expiresAt time.
      */
     expiresAt: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettings {
     /**
-     * Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s).
+     * Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
      */
     addHeaders: {
         [key: string]: string[];
     };
     /**
-     * Set by parent MSP accounts to enable their children to bypass this rule.
+     * Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.
      */
     allowChildBypass: boolean;
     /**
-     * Settings for the Audit SSH action.
+     * Define the settings for the Audit SSH action. Settable only for `l4` rules with `auditSsh` action.
      */
     auditSsh: outputs.GetZeroTrustGatewayPolicyRuleSettingsAuditSsh;
     /**
-     * Configure how browser isolation behaves.
+     * Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      */
     bisoAdminControls: outputs.GetZeroTrustGatewayPolicyRuleSettingsBisoAdminControls;
     /**
-     * Custom block page settings. If missing/null, blocking will use the the account settings.
+     * Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      */
     blockPage: outputs.GetZeroTrustGatewayPolicyRuleSettingsBlockPage;
     /**
-     * Enable the custom block page.
+     * Enable the custom block page. Settable only for `dns` rules with action `block`.
      */
     blockPageEnabled: boolean;
     /**
-     * The text describing why this block occurred, displayed on the custom block page (if enabled).
+     * Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`.
      */
     blockReason: string;
     /**
-     * Set by children MSP accounts to bypass their parent's rules.
+     * Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
      */
     bypassParentRule: boolean;
     /**
-     * Configure how session check behaves.
+     * Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      */
     checkSession: outputs.GetZeroTrustGatewayPolicyRuleSettingsCheckSession;
     /**
-     * Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'.
+     * Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     dnsResolvers: outputs.GetZeroTrustGatewayPolicyRuleSettingsDnsResolvers;
     /**
-     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs.
+     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      */
     egress: outputs.GetZeroTrustGatewayPolicyRuleSettingsEgress;
     /**
-     * Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response.
+     * Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dnsResolver` rules.
      */
     ignoreCnameCategoryMatches: boolean;
     /**
-     * INSECURE - disable DNSSEC validation (for Allow actions).
+     * Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
      */
     insecureDisableDnssecValidation: boolean;
     /**
-     * Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names.
+     * Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dnsResolver` rules.
      */
     ipCategories: boolean;
     /**
-     * Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names.
+     * Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dnsResolver` rules.
      */
     ipIndicatorFeeds: boolean;
     /**
-     * Send matching traffic to the supplied destination IP address. and port.
+     * Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4Override`.
      */
     l4override: outputs.GetZeroTrustGatewayPolicyRuleSettingsL4override;
     /**
-     * Configure a notification to display on the user's device when this rule is matched.
+     * Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`.
      */
     notificationSettings: outputs.GetZeroTrustGatewayPolicyRuleSettingsNotificationSettings;
     /**
-     * Override matching DNS queries with a hostname.
+     * Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideHost: string;
     /**
-     * Override matching DNS queries with an IP or set of IPs.
+     * Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideIps: string[];
     /**
-     * Configure DLP payload logging.
+     * Configure DLP payload logging. Settable only for `http` rules.
      */
     payloadLog: outputs.GetZeroTrustGatewayPolicyRuleSettingsPayloadLog;
     /**
-     * Settings that apply to quarantine rules.
+     * Configure settings that apply to quarantine rules. Settable only for `http` rules.
      */
     quarantine: outputs.GetZeroTrustGatewayPolicyRuleSettingsQuarantine;
     /**
-     * Settings that apply to redirect rules.
+     * Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      */
     redirect: outputs.GetZeroTrustGatewayPolicyRuleSettingsRedirect;
     /**
-     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Not used when 'dns*resolvers' is specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsInternally: outputs.GetZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally;
     /**
-     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns_internally' is set. Only valid when a rule's action is set to 'resolve'.
+     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns*resolvers' specified or 'resolve*dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsThroughCloudflare: boolean;
     /**
-     * Configure behavior when an upstream cert is invalid or an SSL error occurs.
+     * Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      */
     untrustedCert: outputs.GetZeroTrustGatewayPolicyRuleSettingsUntrustedCert;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsAuditSsh {
     /**
-     * Enable to turn on SSH command logging.
+     * Enable SSH command logging.
      */
     commandLogging: boolean;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
     /**
-     * Configure whether copy is enabled or not. When set with "remote*only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when `version == "v2"`.
+     * Configure copy behavior. If set to remote*only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     copy: string;
@@ -24277,7 +24377,7 @@ export interface GetZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
      */
     dk: boolean;
     /**
-     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Configure download behavior. When set to remote*only, users can view downloads but cannot save them. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     download: string;
@@ -24290,45 +24390,48 @@ export interface GetZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
      */
     du: boolean;
     /**
-     * Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when `version == "v2"`.
+     * Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     keyboard: string;
     /**
-     * Configure whether pasting is enabled or not. When set with "remote*only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when `version == "v2"`.
+     * Configure paste behavior. If set to remote*only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     paste: string;
     /**
-     * Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when `version == "v2"`.
+     * Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     printing: string;
     /**
-     * Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when `version == "v2"`.
+     * Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     upload: string;
     /**
-     * Indicates which version of the browser isolation controls should apply.
+     * Indicate which version of the browser isolation controls should apply.
      * Available values: "v1", "v2".
      */
     version: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsBlockPage {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsCheckSession {
+    /**
+     * Sets the required session freshness threshold. The API returns a normalized version of this value.
+     */
     duration: string;
     /**
-     * Set to true to enable session enforcement.
+     * Enable session enforcement.
      */
     enforce: boolean;
 }
@@ -24338,71 +24441,71 @@ export interface GetZeroTrustGatewayPolicyRuleSettingsDnsResolvers {
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv4 {
     /**
-     * IPv4 address of upstream resolver.
+     * Specify the IPv4 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv6 {
     /**
-     * IPv6 address of upstream resolver.
+     * Specify the IPv6 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsEgress {
     /**
-     * The IPv4 address to be used for egress.
+     * Specify the IPv4 address to use for egress.
      */
     ipv4: string;
     /**
-     * The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs.
+     * Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      */
     ipv4Fallback: string;
     /**
-     * The IPv6 range to be used for egress.
+     * Specify the IPv6 range to use for egress.
      */
     ipv6: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsL4override {
     /**
-     * IPv4 or IPv6 address.
+     * Defines the IPv4 or IPv6 address.
      */
     ip: string;
     /**
-     * A port number to use for TCP/UDP overrides.
+     * Defines a port number to use for TCP/UDP overrides.
      */
     port: number;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsNotificationSettings {
     /**
-     * Set notification on.
+     * Enable notification.
      */
     enabled: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Indicates whether to pass the context information as query parameters.
      */
     includeContext: boolean;
     /**
@@ -24410,356 +24513,333 @@ export interface GetZeroTrustGatewayPolicyRuleSettingsNotificationSettings {
      */
     msg: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
      */
     supportUrl: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsPayloadLog {
     /**
-     * Set to true to enable DLP payload logging for this rule.
+     * Enable DLP payload logging for this rule.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsQuarantine {
     /**
-     * Types of files to sandbox.
+     * Specify the types of files to sandbox.
      */
     fileTypes: string[];
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsRedirect {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext: boolean;
     /**
-     * If true, the path and query parameters from the original request will be appended to target_uri.
+     * Specify whether to append the path and query parameters from the original request to target_uri.
      */
     preservePathAndQuery: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally {
     /**
-     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     * Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      * Available values: "none", "publicDns".
      */
     fallback: string;
     /**
-     * The internal DNS view identifier that's passed to the internal DNS service.
+     * Specify the internal DNS view identifier to pass to the internal DNS service.
      */
     viewId: string;
 }
 export interface GetZeroTrustGatewayPolicyRuleSettingsUntrustedCert {
     /**
-     * The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
+     * Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.
      * Available values: "passThrough", "block", "error".
      */
     action: string;
 }
 export interface GetZeroTrustGatewayPolicySchedule {
-    /**
-     * The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Fridays.
-     */
     fri: string;
-    /**
-     * The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays.
-     */
     mon: string;
-    /**
-     * The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Saturdays.
-     */
     sat: string;
-    /**
-     * The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays.
-     */
     sun: string;
-    /**
-     * The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays.
-     */
     thu: string;
     /**
-     * The time zone the rule will be evaluated against. If a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center.
+     * Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
      */
     timeZone: string;
-    /**
-     * The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays.
-     */
     tue: string;
-    /**
-     * The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays.
-     */
     wed: string;
 }
 export interface GetZeroTrustGatewaySettingsSettings {
     /**
-     * Activity log settings.
+     * Specify activity log settings.
      */
     activityLog: outputs.GetZeroTrustGatewaySettingsSettingsActivityLog;
     /**
-     * Anti-virus settings.
+     * Specify anti-virus settings.
      */
     antivirus: outputs.GetZeroTrustGatewaySettingsSettingsAntivirus;
     /**
-     * Block page layout settings.
+     * Specify block page layout settings.
      */
     blockPage: outputs.GetZeroTrustGatewaySettingsSettingsBlockPage;
     /**
-     * DLP body scanning settings.
+     * Specify the DLP inspection mode.
      */
     bodyScanning: outputs.GetZeroTrustGatewaySettingsSettingsBodyScanning;
     /**
-     * Browser isolation settings.
+     * Specify Clientless Browser Isolation settings.
      */
     browserIsolation: outputs.GetZeroTrustGatewaySettingsSettingsBrowserIsolation;
     /**
-     * Certificate settings for Gateway TLS interception. If not specified, the Cloudflare Root CA will be used.
+     * Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      */
     certificate: outputs.GetZeroTrustGatewaySettingsSettingsCertificate;
     /**
-     * Custom certificate settings for BYO-PKI. (deprecated and replaced by `certificate`).
+     * Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      *
      * @deprecated This attribute is deprecated.
      */
     customCertificate: outputs.GetZeroTrustGatewaySettingsSettingsCustomCertificate;
     /**
-     * Extended e-mail matching settings.
+     * Specify user email settings for the firewall policies. When this is enabled, we standardize the email addresses in the identity part of the rule, so that they match the extended email variants in the firewall policies. When this setting is turned off, the email addresses in the identity part of the rule will be matched exactly as provided. If your email has `.` or `+` modifiers, you should enable this setting.
      */
     extendedEmailMatching: outputs.GetZeroTrustGatewaySettingsSettingsExtendedEmailMatching;
     /**
-     * FIPS settings.
+     * Specify FIPS settings.
      */
     fips: outputs.GetZeroTrustGatewaySettingsSettingsFips;
     /**
-     * Setting to enable host selector in egress policies.
+     * Enable host selection in egress policies.
      */
     hostSelector: outputs.GetZeroTrustGatewaySettingsSettingsHostSelector;
     /**
-     * Setting to define inspection settings.
+     * Define the proxy inspection mode.
      */
     inspection: outputs.GetZeroTrustGatewaySettingsSettingsInspection;
     /**
-     * Protocol Detection settings.
+     * Specify whether to detect protocols from the initial bytes of client traffic.
      */
     protocolDetection: outputs.GetZeroTrustGatewaySettingsSettingsProtocolDetection;
     /**
-     * Sandbox settings.
+     * Specify whether to enable the sandbox.
      */
     sandbox: outputs.GetZeroTrustGatewaySettingsSettingsSandbox;
     /**
-     * TLS interception settings.
+     * Specify whether to inspect encrypted HTTP traffic.
      */
     tlsDecrypt: outputs.GetZeroTrustGatewaySettingsSettingsTlsDecrypt;
 }
 export interface GetZeroTrustGatewaySettingsSettingsActivityLog {
     /**
-     * Enable activity logging.
+     * Specify whether to log activity.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustGatewaySettingsSettingsAntivirus {
     /**
-     * Enable anti-virus scanning on downloads.
+     * Specify whether to enable anti-virus scanning on downloads.
      */
     enabledDownloadPhase: boolean;
     /**
-     * Enable anti-virus scanning on uploads.
+     * Specify whether to enable anti-virus scanning on uploads.
      */
     enabledUploadPhase: boolean;
     /**
-     * Block requests for files that cannot be scanned.
+     * Specify whether to block requests for unscannable files.
      */
     failClosed: boolean;
     /**
-     * Configure a message to display on the user's device when an antivirus search is performed.
+     * Configure the message the user's device shows during an antivirus scan.
      */
     notificationSettings: outputs.GetZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings;
 }
 export interface GetZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings {
     /**
-     * Set notification on.
+     * Specify whether to enable notifications.
      */
     enabled: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to include context information as query parameters.
      */
     includeContext: boolean;
     /**
-     * Customize the message shown in the notification.
+     * Specify the message to show in the notification.
      */
     msg: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Specify a URL that directs users to more information. If unset, the notification opens a block page.
      */
     supportUrl: string;
 }
 export interface GetZeroTrustGatewaySettingsSettingsBlockPage {
     /**
-     * If mode is customized_block_page: block page background color in #rrggbb format.
+     * Specify the block page background color in `#rrggbb` format when the mode is customized*block*page.
      */
     backgroundColor: string;
     /**
-     * Enable only cipher suites and TLS versions compliant with FIPS. 140-2.
+     * Specify whether to enable the custom block page.
      */
     enabled: boolean;
     /**
-     * If mode is customized_block_page: block page footer text.
+     * Specify the block page footer text when the mode is customized*block*page.
      */
     footerText: string;
     /**
-     * If mode is customized_block_page: block page header text.
+     * Specify the block page header text when the mode is customized*block*page.
      */
     headerText: string;
     /**
-     * If mode is redirect_uri: when enabled, context will be appended to targetUri as query parameters.
+     * Specify whether to append context to target*uri as query parameters. This applies only when the mode is redirect*uri.
      */
     includeContext: boolean;
     /**
-     * If mode is customized_block_page: full URL to the logo file.
+     * Specify the full URL to the logo file when the mode is customized*block*page.
      */
     logoPath: string;
     /**
-     * If mode is customized_block_page: admin email for users to contact.
+     * Specify the admin email for users to contact when the mode is customized*block*page.
      */
     mailtoAddress: string;
     /**
-     * If mode is customized_block_page: subject line for emails created from block page.
+     * Specify the subject line for emails created from the block page when the mode is customized*block*page.
      */
     mailtoSubject: string;
     /**
-     * Controls whether the user is redirected to a Cloudflare-hosted block page or to a customer-provided URI.
-     * Available values: "", "customizedBlockPage", "redirectUri".
+     * Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
+     * Available values: "", "customized*block*page", "redirectUri".
      */
     mode: string;
     /**
-     * If mode is customized_block_page: block page title.
+     * Specify the block page title when the mode is customized*block*page.
      */
     name: string;
     /**
-     * This setting was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this setting was shared via the Orgs API and read only for the current account.
      */
     readOnly: boolean;
     /**
-     * Account tag of account that shared this setting.
+     * Indicate the account tag of the account that shared this setting.
      */
     sourceAccount: string;
     /**
-     * If mode is customized_block_page: suppress detailed info at the bottom of the block page.
+     * Specify whether to suppress detailed information at the bottom of the block page when the mode is customized*block*page.
      */
     suppressFooter: boolean;
     /**
-     * If mode is redirect_uri: URI to which the user should be redirected.
+     * Specify the URI to redirect users to when the mode is redirect_uri.
      */
     targetUri: string;
     /**
-     * Version number of the setting.
+     * Indicate the version number of the setting.
      */
     version: number;
 }
 export interface GetZeroTrustGatewaySettingsSettingsBodyScanning {
     /**
-     * Set the inspection mode to either `deep` or `shallow`.
+     * Specify the inspection mode as either `deep` or `shallow`.
      * Available values: "deep", "shallow".
      */
     inspectionMode: string;
 }
 export interface GetZeroTrustGatewaySettingsSettingsBrowserIsolation {
     /**
-     * Enable non-identity onramp support for Browser Isolation.
+     * Specify whether to enable non-identity onramp support for Browser Isolation.
      */
     nonIdentityEnabled: boolean;
     /**
-     * Enable Clientless Browser Isolation.
+     * Specify whether to enable Clientless Browser Isolation.
      */
     urlBrowserIsolationEnabled: boolean;
 }
 export interface GetZeroTrustGatewaySettingsSettingsCertificate {
     /**
-     * UUID of certificate to be used for interception. Certificate must be available (previously called 'active') on the edge. A nil UUID will indicate the Cloudflare Root CA should be used.
+     * Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
      */
     id: string;
 }
 export interface GetZeroTrustGatewaySettingsSettingsCustomCertificate {
     /**
-     * Certificate status (internal).
+     * Indicate the internal certificate status.
      */
     bindingStatus: string;
     /**
-     * Enable use of custom certificate authority for signing Gateway. traffic.
+     * Specify whether to enable a custom certificate authority for signing Gateway traffic.
      */
     enabled: boolean;
     /**
-     * UUID of certificate (ID from MTLS certificate store).
+     * Specify the UUID of the certificate (ID from MTLS certificate store).
      */
     id: string;
     updatedAt: string;
 }
 export interface GetZeroTrustGatewaySettingsSettingsExtendedEmailMatching {
     /**
-     * Enable matching all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
+     * Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      */
     enabled: boolean;
     /**
-     * This setting was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this setting was shared via the Orgs API and read only for the current account.
      */
     readOnly: boolean;
     /**
-     * Account tag of account that shared this setting.
+     * Indicate the account tag of the account that shared this setting.
      */
     sourceAccount: string;
     /**
-     * Version number of the setting.
+     * Indicate the version number of the setting.
      */
     version: number;
 }
 export interface GetZeroTrustGatewaySettingsSettingsFips {
     /**
-     * Enable only cipher suites and TLS versions compliant with FIPS. 140-2.
+     * Enforce cipher suites and TLS versions compliant with FIPS 140-2.
      */
     tls: boolean;
 }
 export interface GetZeroTrustGatewaySettingsSettingsHostSelector {
     /**
-     * Enable filtering via hosts for egress policies.
+     * Specify whether to enable filtering via hosts for egress policies.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustGatewaySettingsSettingsInspection {
     /**
-     * Defines the mode of inspection the proxy will use.
-     * - static: Gateway will use static inspection to inspect HTTP on TCP(80). If TLS decryption is on, Gateway will inspect HTTPS traffic on TCP(443) & UDP(443).
-     * - dynamic: Gateway will use protocol detection to dynamically inspect HTTP and HTTPS traffic on any port. TLS decryption must be on to inspect HTTPS traffic.
+     * Define the proxy inspection mode.   1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).   2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      * Available values: "static", "dynamic".
      */
     mode: string;
 }
 export interface GetZeroTrustGatewaySettingsSettingsProtocolDetection {
     /**
-     * Enable detecting protocol on initial bytes of client traffic.
+     * Specify whether to detect protocols from the initial bytes of client traffic.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustGatewaySettingsSettingsSandbox {
     /**
-     * Enable sandbox.
+     * Specify whether to enable the sandbox.
      */
     enabled: boolean;
     /**
-     * Action to take when the file cannot be scanned.
+     * Specify the action to take when the system cannot scan the file.
      * Available values: "allow", "block".
      */
     fallbackAction: string;
 }
 export interface GetZeroTrustGatewaySettingsSettingsTlsDecrypt {
     /**
-     * Enable inspecting encrypted HTTP traffic.
+     * Specify whether to inspect encrypted HTTP traffic.
      */
     enabled: boolean;
 }
 export interface GetZeroTrustListFilter {
     /**
-     * The type of list.
+     * Specify the list type.
      * Available values: "SERIAL", "URL", "DOMAIN", "EMAIL", "IP".
      */
     type?: string;
@@ -24767,38 +24847,38 @@ export interface GetZeroTrustListFilter {
 export interface GetZeroTrustListItem {
     createdAt: string;
     /**
-     * The description of the list item, if present.
+     * Provide the list item description (optional).
      */
     description: string;
     /**
-     * The value of the item in a list.
+     * Specify the item value.
      */
     value: string;
 }
 export interface GetZeroTrustListsResult {
     createdAt: string;
     /**
-     * The description of the list.
+     * Provide the list description.
      */
     description: string;
     /**
-     * API Resource UUID tag.
+     * Identify the API resource with a UUID.
      */
     id: string;
     /**
-     * The items in the list.
+     * Provide the list items.
      */
     items: outputs.GetZeroTrustListsResultItem[];
     /**
-     * The number of items in the list.
+     * Indicate the number of items in the list.
      */
     listCount: number;
     /**
-     * The name of the list.
+     * Specify the list name.
      */
     name: string;
     /**
-     * The type of list.
+     * Specify the list type.
      * Available values: "SERIAL", "URL", "DOMAIN", "EMAIL", "IP".
      */
     type: string;
@@ -24807,14 +24887,70 @@ export interface GetZeroTrustListsResult {
 export interface GetZeroTrustListsResultItem {
     createdAt: string;
     /**
-     * The description of the list item, if present.
+     * Provide the list item description (optional).
      */
     description: string;
     /**
-     * The value of the item in a list.
+     * Specify the item value.
      */
     value: string;
 }
+export interface GetZeroTrustNetworkHostnameRouteFilter {
+    /**
+     * If set, only list hostname routes with the given comment.
+     */
+    comment?: string;
+    /**
+     * If provided, include only resources that were created (and not deleted) before this time. URL encoded.
+     */
+    existedAt?: string;
+    /**
+     * If set, only list hostname routes that contain a substring of the given value, the filter is case-insensitive.
+     */
+    hostname?: string;
+    /**
+     * The hostname route ID.
+     */
+    id?: string;
+    /**
+     * If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes.
+     */
+    isDeleted: boolean;
+    /**
+     * If set, only list hostname routes that point to a specific tunnel.
+     */
+    tunnelId?: string;
+}
+export interface GetZeroTrustNetworkHostnameRoutesResult {
+    /**
+     * An optional description of the hostname route.
+     */
+    comment: string;
+    /**
+     * Timestamp of when the resource was created.
+     */
+    createdAt: string;
+    /**
+     * Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
+     */
+    deletedAt: string;
+    /**
+     * The hostname of the route.
+     */
+    hostname: string;
+    /**
+     * The hostname route ID.
+     */
+    id: string;
+    /**
+     * UUID of the tunnel.
+     */
+    tunnelId: string;
+    /**
+     * A user-friendly name for a tunnel.
+     */
+    tunnelName: string;
+}
 export interface GetZeroTrustOrganizationCustomPages {
     /**
      * The uid of the custom page to use when a user is denied access after failing a non-identity rule.
@@ -24901,10 +25037,6 @@ export interface GetZeroTrustTunnelCloudflaredConfigConfig {
      * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      */
     originRequest: outputs.GetZeroTrustTunnelCloudflaredConfigConfigOriginRequest;
-    /**
-     * Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.
-     */
-    warpRouting: outputs.GetZeroTrustTunnelCloudflaredConfigConfigWarpRouting;
 }
 export interface GetZeroTrustTunnelCloudflaredConfigConfigIngress {
     /**
@@ -25062,9 +25194,6 @@ export interface GetZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess {
     required: boolean;
     teamName: string;
 }
-export interface GetZeroTrustTunnelCloudflaredConfigConfigWarpRouting {
-    enabled: boolean;
-}
 export interface GetZeroTrustTunnelCloudflaredConnection {
     /**
      * UUID of the Cloudflare Tunnel connector.
@@ -25589,7 +25718,7 @@ export interface GetZoneDnsSettingsSoa {
      */
     minTtl: number;
     /**
-     * The primary nameserver, which may be used for outbound zone transfers.
+     * The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used.
      */
     mname: string;
     /**
@@ -29776,276 +29905,274 @@ export interface StreamWatermark {
 }
 export interface TeamsAccountSettings {
     /**
-     * Activity log settings.
+     * Specify activity log settings.
      */
     activityLog?: outputs.TeamsAccountSettingsActivityLog;
     /**
-     * Anti-virus settings.
+     * Specify anti-virus settings.
      */
     antivirus?: outputs.TeamsAccountSettingsAntivirus;
     /**
-     * Block page layout settings.
+     * Specify block page layout settings.
      */
     blockPage?: outputs.TeamsAccountSettingsBlockPage;
     /**
-     * DLP body scanning settings.
+     * Specify the DLP inspection mode.
      */
     bodyScanning?: outputs.TeamsAccountSettingsBodyScanning;
     /**
-     * Browser isolation settings.
+     * Specify Clientless Browser Isolation settings.
      */
     browserIsolation?: outputs.TeamsAccountSettingsBrowserIsolation;
     /**
-     * Certificate settings for Gateway TLS interception. If not specified, the Cloudflare Root CA will be used.
+     * Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      */
     certificate?: outputs.TeamsAccountSettingsCertificate;
     /**
-     * Custom certificate settings for BYO-PKI. (deprecated and replaced by `certificate`).
+     * Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      *
      * @deprecated This attribute is deprecated.
      */
     customCertificate?: outputs.TeamsAccountSettingsCustomCertificate;
     /**
-     * Extended e-mail matching settings.
+     * Specify user email settings for the firewall policies. When this is enabled, we standardize the email addresses in the identity part of the rule, so that they match the extended email variants in the firewall policies. When this setting is turned off, the email addresses in the identity part of the rule will be matched exactly as provided. If your email has `.` or `+` modifiers, you should enable this setting.
      */
     extendedEmailMatching?: outputs.TeamsAccountSettingsExtendedEmailMatching;
     /**
-     * FIPS settings.
+     * Specify FIPS settings.
      */
     fips?: outputs.TeamsAccountSettingsFips;
     /**
-     * Setting to enable host selector in egress policies.
+     * Enable host selection in egress policies.
      */
     hostSelector?: outputs.TeamsAccountSettingsHostSelector;
     /**
-     * Setting to define inspection settings.
+     * Define the proxy inspection mode.
      */
     inspection?: outputs.TeamsAccountSettingsInspection;
     /**
-     * Protocol Detection settings.
+     * Specify whether to detect protocols from the initial bytes of client traffic.
      */
     protocolDetection?: outputs.TeamsAccountSettingsProtocolDetection;
     /**
-     * Sandbox settings.
+     * Specify whether to enable the sandbox.
      */
     sandbox?: outputs.TeamsAccountSettingsSandbox;
     /**
-     * TLS interception settings.
+     * Specify whether to inspect encrypted HTTP traffic.
      */
     tlsDecrypt?: outputs.TeamsAccountSettingsTlsDecrypt;
 }
 export interface TeamsAccountSettingsActivityLog {
     /**
-     * Enable activity logging.
+     * Specify whether to log activity.
      */
     enabled?: boolean;
 }
 export interface TeamsAccountSettingsAntivirus {
     /**
-     * Enable anti-virus scanning on downloads.
+     * Specify whether to enable anti-virus scanning on downloads.
      */
     enabledDownloadPhase: boolean;
     /**
-     * Enable anti-virus scanning on uploads.
+     * Specify whether to enable anti-virus scanning on uploads.
      */
     enabledUploadPhase: boolean;
     /**
-     * Block requests for files that cannot be scanned.
+     * Specify whether to block requests for unscannable files.
      */
     failClosed: boolean;
     /**
-     * Configure a message to display on the user's device when an antivirus search is performed.
+     * Configure the message the user's device shows during an antivirus scan.
      */
     notificationSettings: outputs.TeamsAccountSettingsAntivirusNotificationSettings;
 }
 export interface TeamsAccountSettingsAntivirusNotificationSettings {
     /**
-     * Set notification on.
+     * Specify whether to enable notifications.
      */
     enabled?: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to include context information as query parameters.
      */
     includeContext?: boolean;
     /**
-     * Customize the message shown in the notification.
+     * Specify the message to show in the notification.
      */
     msg?: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Specify a URL that directs users to more information. If unset, the notification opens a block page.
      */
     supportUrl?: string;
 }
 export interface TeamsAccountSettingsBlockPage {
     /**
-     * If mode is customized_block_page: block page background color in #rrggbb format.
+     * Specify the block page background color in `#rrggbb` format when the mode is customized*block*page.
      */
     backgroundColor?: string;
     /**
-     * Enable only cipher suites and TLS versions compliant with FIPS. 140-2.
+     * Specify whether to enable the custom block page.
      */
     enabled?: boolean;
     /**
-     * If mode is customized_block_page: block page footer text.
+     * Specify the block page footer text when the mode is customized*block*page.
      */
     footerText?: string;
     /**
-     * If mode is customized_block_page: block page header text.
+     * Specify the block page header text when the mode is customized*block*page.
      */
     headerText?: string;
     /**
-     * If mode is redirect_uri: when enabled, context will be appended to targetUri as query parameters.
+     * Specify whether to append context to target*uri as query parameters. This applies only when the mode is redirect*uri.
      */
     includeContext?: boolean;
     /**
-     * If mode is customized_block_page: full URL to the logo file.
+     * Specify the full URL to the logo file when the mode is customized*block*page.
      */
     logoPath?: string;
     /**
-     * If mode is customized_block_page: admin email for users to contact.
+     * Specify the admin email for users to contact when the mode is customized*block*page.
      */
     mailtoAddress?: string;
     /**
-     * If mode is customized_block_page: subject line for emails created from block page.
+     * Specify the subject line for emails created from the block page when the mode is customized*block*page.
      */
     mailtoSubject?: string;
     /**
-     * Controls whether the user is redirected to a Cloudflare-hosted block page or to a customer-provided URI.
-     * Available values: "", "customizedBlockPage", "redirectUri".
+     * Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
+     * Available values: "", "customized*block*page", "redirectUri".
      */
     mode?: string;
     /**
-     * If mode is customized_block_page: block page title.
+     * Specify the block page title when the mode is customized*block*page.
      */
     name?: string;
     /**
-     * This setting was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this setting was shared via the Orgs API and read only for the current account.
      */
     readOnly: boolean;
     /**
-     * Account tag of account that shared this setting.
+     * Indicate the account tag of the account that shared this setting.
      */
     sourceAccount: string;
     /**
-     * If mode is customized_block_page: suppress detailed info at the bottom of the block page.
+     * Specify whether to suppress detailed information at the bottom of the block page when the mode is customized*block*page.
      */
     suppressFooter?: boolean;
     /**
-     * If mode is redirect_uri: URI to which the user should be redirected.
+     * Specify the URI to redirect users to when the mode is redirect_uri.
      */
     targetUri?: string;
     /**
-     * Version number of the setting.
+     * Indicate the version number of the setting.
      */
     version: number;
 }
 export interface TeamsAccountSettingsBodyScanning {
     /**
-     * Set the inspection mode to either `deep` or `shallow`.
+     * Specify the inspection mode as either `deep` or `shallow`.
      * Available values: "deep", "shallow".
      */
     inspectionMode?: string;
 }
 export interface TeamsAccountSettingsBrowserIsolation {
     /**
-     * Enable non-identity onramp support for Browser Isolation.
+     * Specify whether to enable non-identity onramp support for Browser Isolation.
      */
     nonIdentityEnabled?: boolean;
     /**
-     * Enable Clientless Browser Isolation.
+     * Specify whether to enable Clientless Browser Isolation.
      */
     urlBrowserIsolationEnabled?: boolean;
 }
 export interface TeamsAccountSettingsCertificate {
     /**
-     * UUID of certificate to be used for interception. Certificate must be available (previously called 'active') on the edge. A nil UUID will indicate the Cloudflare Root CA should be used.
+     * Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
      */
     id: string;
 }
 export interface TeamsAccountSettingsCustomCertificate {
     /**
-     * Certificate status (internal).
+     * Indicate the internal certificate status.
      */
     bindingStatus: string;
     /**
-     * Enable use of custom certificate authority for signing Gateway. traffic.
+     * Specify whether to enable a custom certificate authority for signing Gateway traffic.
      */
     enabled: boolean;
     /**
-     * UUID of certificate (ID from MTLS certificate store).
+     * Specify the UUID of the certificate (ID from MTLS certificate store).
      */
     id?: string;
     updatedAt: string;
 }
 export interface TeamsAccountSettingsExtendedEmailMatching {
     /**
-     * Enable matching all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
+     * Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      */
     enabled?: boolean;
     /**
-     * This setting was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this setting was shared via the Orgs API and read only for the current account.
      */
     readOnly: boolean;
     /**
-     * Account tag of account that shared this setting.
+     * Indicate the account tag of the account that shared this setting.
      */
     sourceAccount: string;
     /**
-     * Version number of the setting.
+     * Indicate the version number of the setting.
      */
     version: number;
 }
 export interface TeamsAccountSettingsFips {
     /**
-     * Enable only cipher suites and TLS versions compliant with FIPS. 140-2.
+     * Enforce cipher suites and TLS versions compliant with FIPS 140-2.
      */
     tls?: boolean;
 }
 export interface TeamsAccountSettingsHostSelector {
     /**
-     * Enable filtering via hosts for egress policies.
+     * Specify whether to enable filtering via hosts for egress policies.
      */
     enabled?: boolean;
 }
 export interface TeamsAccountSettingsInspection {
     /**
-     * Defines the mode of inspection the proxy will use.
-     * - static: Gateway will use static inspection to inspect HTTP on TCP(80). If TLS decryption is on, Gateway will inspect HTTPS traffic on TCP(443) & UDP(443).
-     * - dynamic: Gateway will use protocol detection to dynamically inspect HTTP and HTTPS traffic on any port. TLS decryption must be on to inspect HTTPS traffic.
+     * Define the proxy inspection mode.   1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).   2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      * Available values: "static", "dynamic".
      */
     mode?: string;
 }
 export interface TeamsAccountSettingsProtocolDetection {
     /**
-     * Enable detecting protocol on initial bytes of client traffic.
+     * Specify whether to detect protocols from the initial bytes of client traffic.
      */
     enabled?: boolean;
 }
 export interface TeamsAccountSettingsSandbox {
     /**
-     * Enable sandbox.
+     * Specify whether to enable the sandbox.
      */
     enabled?: boolean;
     /**
-     * Action to take when the file cannot be scanned.
+     * Specify the action to take when the system cannot scan the file.
      * Available values: "allow", "block".
      */
     fallbackAction?: string;
 }
 export interface TeamsAccountSettingsTlsDecrypt {
     /**
-     * Enable inspecting encrypted HTTP traffic.
+     * Specify whether to inspect encrypted HTTP traffic.
      */
     enabled?: boolean;
 }
 export interface TeamsListItem {
     /**
-     * The description of the list item, if present.
+     * Provide the list item description (optional).
      */
     description?: string;
     /**
-     * The value of the item in a list.
+     * Specify the item value.
      */
     value?: string;
 }
@@ -30057,264 +30184,266 @@ export interface TeamsLocationEndpoints {
 }
 export interface TeamsLocationEndpointsDoh {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOH endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.TeamsLocationEndpointsDohNetwork[];
     /**
-     * True if the endpoint requires [user identity](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/#filter-doh-requests-by-user) authentication.
+     * Specify whether the DOH endpoint requires user identity authentication.
      */
     requireToken: boolean;
 }
 export interface TeamsLocationEndpointsDohNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface TeamsLocationEndpointsDot {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOT endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.TeamsLocationEndpointsDotNetwork[];
 }
 export interface TeamsLocationEndpointsDotNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface TeamsLocationEndpointsIpv4 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPv4 endpoint is enabled for this location.
      */
     enabled: boolean;
 }
 export interface TeamsLocationEndpointsIpv6 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPV6 endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IPv6 network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.TeamsLocationEndpointsIpv6Network[];
 }
 export interface TeamsLocationEndpointsIpv6Network {
     /**
-     * The IPv6 address or IPv6 CIDR.
+     * Specify the IPv6 address or IPv6 CIDR.
      */
     network: string;
 }
 export interface TeamsLocationNetwork {
     /**
-     * The IPv4 address or IPv4 CIDR. IPv4 CIDRs are limited to a maximum of /24.
+     * Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
      */
     network: string;
 }
 export interface TeamsRuleExpiration {
     /**
-     * The default duration a policy will be active in minutes. Must be set in order to use the `resetExpiration` endpoint on this rule.
+     * Defines the default duration a policy active in minutes. Must set in order to use the `resetExpiration` endpoint on this rule.
      */
     duration?: number;
     /**
-     * Whether the policy has expired.
+     * Indicates whether the policy is expired.
      */
     expired: boolean;
     /**
-     * The time stamp at which the policy will expire and cease to be
-     * applied.
+     * Show the timestamp when the policy expires and stops applying.  The value must follow RFC 3339 and include a UTC offset.  The system accepts non-zero offsets but converts them to the equivalent UTC+00:00  value and returns timestamps with a trailing Z. Expiration policies ignore client  timezones and expire globally at the specified expiresAt time.
      */
     expiresAt: string;
 }
 export interface TeamsRuleRuleSettings {
     /**
-     * Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s).
+     * Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
      */
     addHeaders?: {
         [key: string]: string[];
     };
     /**
-     * Set by parent MSP accounts to enable their children to bypass this rule.
+     * Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.
      */
     allowChildBypass: boolean;
     /**
-     * Settings for the Audit SSH action.
+     * Define the settings for the Audit SSH action. Settable only for `l4` rules with `auditSsh` action.
      */
     auditSsh?: outputs.TeamsRuleRuleSettingsAuditSsh;
     /**
-     * Configure how browser isolation behaves.
+     * Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      */
     bisoAdminControls?: outputs.TeamsRuleRuleSettingsBisoAdminControls;
     /**
-     * Custom block page settings. If missing/null, blocking will use the the account settings.
+     * Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      */
     blockPage?: outputs.TeamsRuleRuleSettingsBlockPage;
     /**
-     * Enable the custom block page.
+     * Enable the custom block page. Settable only for `dns` rules with action `block`.
      */
     blockPageEnabled: boolean;
     /**
-     * The text describing why this block occurred, displayed on the custom block page (if enabled).
+     * Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`.
      */
     blockReason: string;
     /**
-     * Set by children MSP accounts to bypass their parent's rules.
+     * Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
      */
     bypassParentRule?: boolean;
     /**
-     * Configure how session check behaves.
+     * Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      */
     checkSession?: outputs.TeamsRuleRuleSettingsCheckSession;
     /**
-     * Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'.
+     * Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     dnsResolvers?: outputs.TeamsRuleRuleSettingsDnsResolvers;
     /**
-     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs.
+     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      */
     egress?: outputs.TeamsRuleRuleSettingsEgress;
     /**
-     * Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response.
+     * Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dnsResolver` rules.
      */
     ignoreCnameCategoryMatches: boolean;
     /**
-     * INSECURE - disable DNSSEC validation (for Allow actions).
+     * Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
      */
     insecureDisableDnssecValidation: boolean;
     /**
-     * Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names.
+     * Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dnsResolver` rules.
      */
     ipCategories: boolean;
     /**
-     * Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names.
+     * Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dnsResolver` rules.
      */
     ipIndicatorFeeds: boolean;
     /**
-     * Send matching traffic to the supplied destination IP address. and port.
+     * Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4Override`.
      */
     l4override?: outputs.TeamsRuleRuleSettingsL4override;
     /**
-     * Configure a notification to display on the user's device when this rule is matched.
+     * Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`.
      */
     notificationSettings?: outputs.TeamsRuleRuleSettingsNotificationSettings;
     /**
-     * Override matching DNS queries with a hostname.
+     * Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideHost: string;
     /**
-     * Override matching DNS queries with an IP or set of IPs.
+     * Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideIps: string[];
     /**
-     * Configure DLP payload logging.
+     * Configure DLP payload logging. Settable only for `http` rules.
      */
     payloadLog?: outputs.TeamsRuleRuleSettingsPayloadLog;
     /**
-     * Settings that apply to quarantine rules.
+     * Configure settings that apply to quarantine rules. Settable only for `http` rules.
      */
     quarantine?: outputs.TeamsRuleRuleSettingsQuarantine;
     /**
-     * Settings that apply to redirect rules.
+     * Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      */
     redirect?: outputs.TeamsRuleRuleSettingsRedirect;
     /**
-     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Not used when 'dns*resolvers' is specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsInternally?: outputs.TeamsRuleRuleSettingsResolveDnsInternally;
     /**
-     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns_internally' is set. Only valid when a rule's action is set to 'resolve'.
+     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns*resolvers' specified or 'resolve*dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsThroughCloudflare: boolean;
     /**
-     * Configure behavior when an upstream cert is invalid or an SSL error occurs.
+     * Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      */
     untrustedCert?: outputs.TeamsRuleRuleSettingsUntrustedCert;
 }
 export interface TeamsRuleRuleSettingsAuditSsh {
     /**
-     * Enable to turn on SSH command logging.
+     * Enable SSH command logging.
      */
     commandLogging?: boolean;
 }
 export interface TeamsRuleRuleSettingsBisoAdminControls {
     /**
-     * Configure whether copy is enabled or not. When set with "remote*only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when `version == "v2"`.
+     * Configure copy behavior. If set to remote*only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     copy?: string;
     /**
      * Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      */
-    dcp: boolean;
+    dcp?: boolean;
     /**
      * Set to false to enable downloading. Only applies when `version == "v1"`.
      */
-    dd: boolean;
+    dd?: boolean;
     /**
      * Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      */
-    dk: boolean;
+    dk?: boolean;
     /**
-     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Configure download behavior. When set to remote*only, users can view downloads but cannot save them. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     download?: string;
     /**
      * Set to false to enable printing. Only applies when `version == "v1"`.
      */
-    dp: boolean;
+    dp?: boolean;
     /**
      * Set to false to enable uploading. Only applies when `version == "v1"`.
      */
-    du: boolean;
+    du?: boolean;
     /**
-     * Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when `version == "v2"`.
+     * Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     keyboard?: string;
     /**
-     * Configure whether pasting is enabled or not. When set with "remote*only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when `version == "v2"`.
+     * Configure paste behavior. If set to remote*only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     paste?: string;
     /**
-     * Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when `version == "v2"`.
+     * Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     printing?: string;
     /**
-     * Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when `version == "v2"`.
+     * Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     upload?: string;
     /**
-     * Indicates which version of the browser isolation controls should apply.
+     * Indicate which version of the browser isolation controls should apply.
      * Available values: "v1", "v2".
      */
     version: string;
 }
 export interface TeamsRuleRuleSettingsBlockPage {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext?: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface TeamsRuleRuleSettingsCheckSession {
+    /**
+     * Sets the required session freshness threshold. The API returns a normalized version of this value.
+     */
     duration?: string;
     /**
-     * Set to true to enable session enforcement.
+     * Enable session enforcement.
      */
     enforce?: boolean;
 }
@@ -30324,71 +30453,71 @@ export interface TeamsRuleRuleSettingsDnsResolvers {
 }
 export interface TeamsRuleRuleSettingsDnsResolversIpv4 {
     /**
-     * IPv4 address of upstream resolver.
+     * Specify the IPv4 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port?: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork?: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId?: string;
 }
 export interface TeamsRuleRuleSettingsDnsResolversIpv6 {
     /**
-     * IPv6 address of upstream resolver.
+     * Specify the IPv6 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port?: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork?: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId?: string;
 }
 export interface TeamsRuleRuleSettingsEgress {
     /**
-     * The IPv4 address to be used for egress.
+     * Specify the IPv4 address to use for egress.
      */
     ipv4?: string;
     /**
-     * The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs.
+     * Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      */
     ipv4Fallback?: string;
     /**
-     * The IPv6 range to be used for egress.
+     * Specify the IPv6 range to use for egress.
      */
     ipv6?: string;
 }
 export interface TeamsRuleRuleSettingsL4override {
     /**
-     * IPv4 or IPv6 address.
+     * Defines the IPv4 or IPv6 address.
      */
     ip?: string;
     /**
-     * A port number to use for TCP/UDP overrides.
+     * Defines a port number to use for TCP/UDP overrides.
      */
     port?: number;
 }
 export interface TeamsRuleRuleSettingsNotificationSettings {
     /**
-     * Set notification on.
+     * Enable notification.
      */
     enabled?: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Indicates whether to pass the context information as query parameters.
      */
     includeContext?: boolean;
     /**
@@ -30396,86 +30525,65 @@ export interface TeamsRuleRuleSettingsNotificationSettings {
      */
     msg?: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
      */
     supportUrl?: string;
 }
 export interface TeamsRuleRuleSettingsPayloadLog {
     /**
-     * Set to true to enable DLP payload logging for this rule.
+     * Enable DLP payload logging for this rule.
      */
     enabled?: boolean;
 }
 export interface TeamsRuleRuleSettingsQuarantine {
     /**
-     * Types of files to sandbox.
+     * Specify the types of files to sandbox.
      */
     fileTypes?: string[];
 }
 export interface TeamsRuleRuleSettingsRedirect {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext?: boolean;
     /**
-     * If true, the path and query parameters from the original request will be appended to target_uri.
+     * Specify whether to append the path and query parameters from the original request to target_uri.
      */
     preservePathAndQuery?: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface TeamsRuleRuleSettingsResolveDnsInternally {
     /**
-     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     * Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      * Available values: "none", "publicDns".
      */
     fallback?: string;
     /**
-     * The internal DNS view identifier that's passed to the internal DNS service.
+     * Specify the internal DNS view identifier to pass to the internal DNS service.
      */
     viewId?: string;
 }
 export interface TeamsRuleRuleSettingsUntrustedCert {
     /**
-     * The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
+     * Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.
      * Available values: "passThrough", "block", "error".
      */
     action?: string;
 }
 export interface TeamsRuleSchedule {
-    /**
-     * The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Fridays.
-     */
     fri?: string;
-    /**
-     * The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays.
-     */
     mon?: string;
-    /**
-     * The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Saturdays.
-     */
     sat?: string;
-    /**
-     * The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays.
-     */
     sun?: string;
-    /**
-     * The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays.
-     */
     thu?: string;
     /**
-     * The time zone the rule will be evaluated against. If a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center.
+     * Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
      */
     timeZone?: string;
-    /**
-     * The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays.
-     */
     tue?: string;
-    /**
-     * The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays.
-     */
     wed?: string;
 }
 export interface TunnelConfigConfig {
@@ -30833,10 +30941,18 @@ export interface WorkerObservabilityLogs {
     invocationLogs: boolean;
 }
 export interface WorkerScriptAssets {
+    /**
+     * The SHA-256 hash of the asset manifest of files to upload.
+     */
+    assetManifestSha256: string;
     /**
      * Configuration for assets within a Worker.
      */
     config?: outputs.WorkerScriptAssetsConfig;
+    /**
+     * Path to the directory containing asset files to upload.
+     */
+    directory?: string;
     /**
      * Token provided upon successful upload of all files from a registered manifest.
      */
@@ -30877,6 +30993,14 @@ export interface WorkerScriptBinding {
      * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm).
      */
     algorithm?: string;
+    /**
+     * List of allowed destination addresses.
+     */
+    allowedDestinationAddresses?: string[];
+    /**
+     * List of allowed sender addresses.
+     */
+    allowedSenderAddresses?: string[];
     /**
      * R2 bucket to bind to.
      */
@@ -30893,6 +31017,10 @@ export interface WorkerScriptBinding {
      * The name of the dataset to bind to.
      */
     dataset?: string;
+    /**
+     * Destination address for the email.
+     */
+    destinationAddress?: string;
     /**
      * The environment of the scriptName to bind to.
      */
@@ -30914,6 +31042,11 @@ export interface WorkerScriptBinding {
      * JSON data to use.
      */
     json?: string;
+    /**
+     * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket.
+     * Available values: "eu", "fedramp".
+     */
+    jurisdiction?: string;
     /**
      * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki".
      */
@@ -30934,10 +31067,18 @@ export interface WorkerScriptBinding {
      * Namespace identifier tag.
      */
     namespaceId: string;
+    /**
+     * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions.
+     */
+    oldName?: string;
     /**
      * Outbound worker.
      */
     outbound?: outputs.WorkerScriptBindingOutbound;
+    /**
+     * The name of the file containing the data content. Only accepted for `service worker syntax` Workers.
+     */
+    part?: string;
     /**
      * Name of the Pipeline to bind to.
      */
@@ -30968,13 +31109,17 @@ export interface WorkerScriptBinding {
     text?: string;
     /**
      * The kind of resource that the binding provides.
-     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow".
+     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "data*blob", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "inherit", "images", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "send*email", "service", "tail*consumer", "text*blob", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow", "wasm*module".
      */
     type: string;
     /**
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages?: string[];
+    /**
+     * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version.
+     */
+    versionId?: string;
     /**
      * Name of the Workflow to bind to.
      */
@@ -31031,6 +31176,10 @@ export interface WorkerScriptObservability {
     logs?: outputs.WorkerScriptObservabilityLogs;
 }
 export interface WorkerScriptObservabilityLogs {
+    /**
+     * A list of destinations where logs will be exported to.
+     */
+    destinations?: string[];
     /**
      * Whether logs are enabled for the Worker.
      */
@@ -31043,6 +31192,10 @@ export interface WorkerScriptObservabilityLogs {
      * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker.
      */
     invocationLogs: boolean;
+    /**
+     * Whether log persistence is enabled for the Worker.
+     */
+    persist: boolean;
 }
 export interface WorkerScriptPlacement {
     /**
@@ -31105,32 +31258,52 @@ export interface WorkerVersionAnnotations {
     workersTriggeredBy: string;
 }
 export interface WorkerVersionAssets {
+    /**
+     * The SHA-256 hash of the asset manifest of files to upload.
+     */
+    assetManifestSha256: string;
     /**
      * Configuration for assets within a Worker.
      */
-    config?: outputs.WorkerVersionAssetsConfig;
+    config: outputs.WorkerVersionAssetsConfig;
+    /**
+     * Path to the directory containing asset files to upload.
+     */
+    directory?: string;
+    /**
+     * Token provided upon successful upload of all files from a registered manifest.
+     */
+    jwt?: string;
 }
 export interface WorkerVersionAssetsConfig {
     /**
      * Determines the redirects and rewrites of requests for HTML content.
      * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none".
      */
-    htmlHandling?: string;
+    htmlHandling: string;
     /**
      * Determines the response when a request does not match a static asset, and there is no Worker script.
      * Available values: "none", "404-page", "single-page-application".
      */
-    notFoundHandling?: string;
+    notFoundHandling: string;
     /**
      * Contains a list path rules to control routing to either the Worker or assets. Glob (*) and negative (!) rules are supported. Rules must start with either '/' or '!/'. At least one non-negative rule must be provided, and negative rules have higher precedence than non-negative rules.
      */
-    runWorkerFirsts?: string[];
+    runWorkerFirsts: string[];
 }
 export interface WorkerVersionBinding {
     /**
      * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm).
      */
     algorithm?: string;
+    /**
+     * List of allowed destination addresses.
+     */
+    allowedDestinationAddresses?: string[];
+    /**
+     * List of allowed sender addresses.
+     */
+    allowedSenderAddresses?: string[];
     /**
      * R2 bucket to bind to.
      */
@@ -31147,6 +31320,10 @@ export interface WorkerVersionBinding {
      * The name of the dataset to bind to.
      */
     dataset?: string;
+    /**
+     * Destination address for the email.
+     */
+    destinationAddress?: string;
     /**
      * The environment of the scriptName to bind to.
      */
@@ -31168,6 +31345,11 @@ export interface WorkerVersionBinding {
      * JSON data to use.
      */
     json?: string;
+    /**
+     * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket.
+     * Available values: "eu", "fedramp".
+     */
+    jurisdiction?: string;
     /**
      * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki".
      */
@@ -31188,10 +31370,18 @@ export interface WorkerVersionBinding {
      * Namespace identifier tag.
      */
     namespaceId: string;
+    /**
+     * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions.
+     */
+    oldName?: string;
     /**
      * Outbound worker.
      */
     outbound?: outputs.WorkerVersionBindingOutbound;
+    /**
+     * The name of the file containing the data content. Only accepted for `service worker syntax` Workers.
+     */
+    part?: string;
     /**
      * Name of the Pipeline to bind to.
      */
@@ -31222,13 +31412,17 @@ export interface WorkerVersionBinding {
     text?: string;
     /**
      * The kind of resource that the binding provides.
-     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow".
+     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "data*blob", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "inherit", "images", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "send*email", "service", "tail*consumer", "text*blob", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow", "wasm*module".
      */
     type: string;
     /**
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages?: string[];
+    /**
+     * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version.
+     */
+    versionId?: string;
     /**
      * Name of the Workflow to bind to.
      */
@@ -31379,10 +31573,18 @@ export interface WorkersDeploymentVersion {
     versionId: string;
 }
 export interface WorkersScriptAssets {
+    /**
+     * The SHA-256 hash of the asset manifest of files to upload.
+     */
+    assetManifestSha256: string;
     /**
      * Configuration for assets within a Worker.
      */
     config?: outputs.WorkersScriptAssetsConfig;
+    /**
+     * Path to the directory containing asset files to upload.
+     */
+    directory?: string;
     /**
      * Token provided upon successful upload of all files from a registered manifest.
      */
@@ -31423,6 +31625,14 @@ export interface WorkersScriptBinding {
      * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm).
      */
     algorithm?: string;
+    /**
+     * List of allowed destination addresses.
+     */
+    allowedDestinationAddresses?: string[];
+    /**
+     * List of allowed sender addresses.
+     */
+    allowedSenderAddresses?: string[];
     /**
      * R2 bucket to bind to.
      */
@@ -31439,6 +31649,10 @@ export interface WorkersScriptBinding {
      * The name of the dataset to bind to.
      */
     dataset?: string;
+    /**
+     * Destination address for the email.
+     */
+    destinationAddress?: string;
     /**
      * The environment of the scriptName to bind to.
      */
@@ -31460,6 +31674,11 @@ export interface WorkersScriptBinding {
      * JSON data to use.
      */
     json?: string;
+    /**
+     * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket.
+     * Available values: "eu", "fedramp".
+     */
+    jurisdiction?: string;
     /**
      * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki".
      */
@@ -31480,10 +31699,18 @@ export interface WorkersScriptBinding {
      * Namespace identifier tag.
      */
     namespaceId: string;
+    /**
+     * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions.
+     */
+    oldName?: string;
     /**
      * Outbound worker.
      */
     outbound?: outputs.WorkersScriptBindingOutbound;
+    /**
+     * The name of the file containing the data content. Only accepted for `service worker syntax` Workers.
+     */
+    part?: string;
     /**
      * Name of the Pipeline to bind to.
      */
@@ -31514,13 +31741,17 @@ export interface WorkersScriptBinding {
     text?: string;
     /**
      * The kind of resource that the binding provides.
-     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow".
+     * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "data*blob", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "inherit", "images", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "send*email", "service", "tail*consumer", "text*blob", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow", "wasm*module".
      */
     type: string;
     /**
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages?: string[];
+    /**
+     * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version.
+     */
+    versionId?: string;
     /**
      * Name of the Workflow to bind to.
      */
@@ -31577,6 +31808,10 @@ export interface WorkersScriptObservability {
     logs?: outputs.WorkersScriptObservabilityLogs;
 }
 export interface WorkersScriptObservabilityLogs {
+    /**
+     * A list of destinations where logs will be exported to.
+     */
+    destinations?: string[];
     /**
      * Whether logs are enabled for the Worker.
      */
@@ -31589,6 +31824,10 @@ export interface WorkersScriptObservabilityLogs {
      * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker.
      */
     invocationLogs: boolean;
+    /**
+     * Whether log persistence is enabled for the Worker.
+     */
+    persist: boolean;
 }
 export interface WorkersScriptPlacement {
     /**
@@ -31620,6 +31859,16 @@ export interface WorkersScriptTailConsumer {
      */
     service: string;
 }
+export interface WorkflowInstances {
+    complete: number;
+    errored: number;
+    paused: number;
+    queued: number;
+    running: number;
+    terminated: number;
+    waiting: number;
+    waitingForPause: number;
+}
 export interface ZeroTrustAccessApplicationCorsHeaders {
     /**
      * Allows all HTTP request headers.
@@ -32434,7 +32683,6 @@ export interface ZeroTrustAccessApplicationSaasApp {
      * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      */
     consumerServiceUrl?: string;
-    createdAt: string;
     customAttributes?: outputs.ZeroTrustAccessApplicationSaasAppCustomAttribute[];
     customClaims?: outputs.ZeroTrustAccessApplicationSaasAppCustomClaim[];
     /**
@@ -32488,7 +32736,6 @@ export interface ZeroTrustAccessApplicationSaasApp {
      * The endpoint where your SaaS application will send login requests.
      */
     ssoEndpoint: string;
-    updatedAt: string;
 }
 export interface ZeroTrustAccessApplicationSaasAppCustomAttribute {
     /**
@@ -34555,11 +34802,11 @@ export interface ZeroTrustDexTestData {
     /**
      * The desired endpoint to test.
      */
-    host?: string;
+    host: string;
     /**
      * The type of test.
      */
-    kind?: string;
+    kind: string;
     /**
      * The HTTP request method type.
      */
@@ -34569,15 +34816,15 @@ export interface ZeroTrustDexTestTargetPolicy {
     /**
      * Whether the DEX rule is the account default
      */
-    default?: boolean;
+    default: boolean;
     /**
      * The id of the DEX rule
      */
-    id?: string;
+    id: string;
     /**
      * The name of the DEX rule
      */
-    name?: string;
+    name: string;
 }
 export interface ZeroTrustDlpCustomEntryConfidence {
     /**
@@ -34823,299 +35070,310 @@ export interface ZeroTrustDnsLocationEndpoints {
 }
 export interface ZeroTrustDnsLocationEndpointsDoh {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOH endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.ZeroTrustDnsLocationEndpointsDohNetwork[];
     /**
-     * True if the endpoint requires [user identity](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/#filter-doh-requests-by-user) authentication.
+     * Specify whether the DOH endpoint requires user identity authentication.
      */
     requireToken: boolean;
 }
 export interface ZeroTrustDnsLocationEndpointsDohNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface ZeroTrustDnsLocationEndpointsDot {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the DOT endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.ZeroTrustDnsLocationEndpointsDotNetwork[];
 }
 export interface ZeroTrustDnsLocationEndpointsDotNetwork {
     /**
-     * The IP address or IP CIDR.
+     * Specify the IP address or IP CIDR.
      */
     network: string;
 }
 export interface ZeroTrustDnsLocationEndpointsIpv4 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPv4 endpoint is enabled for this location.
      */
     enabled: boolean;
 }
 export interface ZeroTrustDnsLocationEndpointsIpv6 {
     /**
-     * True if the endpoint is enabled for this location.
+     * Indicate whether the IPV6 endpoint is enabled for this location.
      */
     enabled: boolean;
     /**
-     * A list of allowed source IPv6 network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location.
+     * Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      */
     networks: outputs.ZeroTrustDnsLocationEndpointsIpv6Network[];
 }
 export interface ZeroTrustDnsLocationEndpointsIpv6Network {
     /**
-     * The IPv6 address or IPv6 CIDR.
+     * Specify the IPv6 address or IPv6 CIDR.
      */
     network: string;
 }
 export interface ZeroTrustDnsLocationNetwork {
     /**
-     * The IPv4 address or IPv4 CIDR. IPv4 CIDRs are limited to a maximum of /24.
+     * Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
      */
     network: string;
 }
 export interface ZeroTrustGatewayLoggingSettingsByRuleType {
+    /**
+     * Configure logging settings for DNS firewall.
+     */
     dns: outputs.ZeroTrustGatewayLoggingSettingsByRuleTypeDns;
+    /**
+     * Configure logging settings for HTTP/HTTPS firewall.
+     */
     http: outputs.ZeroTrustGatewayLoggingSettingsByRuleTypeHttp;
+    /**
+     * Configure logging settings for Network firewall.
+     */
     l4: outputs.ZeroTrustGatewayLoggingSettingsByRuleTypeL4;
 }
 export interface ZeroTrustGatewayLoggingSettingsByRuleTypeDns {
     /**
-     * Log all requests to this service.
+     * Specify whether to log all requests to this service.
      */
     logAll: boolean;
     /**
-     * Log only blocking requests to this service.
+     * Specify whether to log only blocking requests to this service.
      */
     logBlocks: boolean;
 }
 export interface ZeroTrustGatewayLoggingSettingsByRuleTypeHttp {
     /**
-     * Log all requests to this service.
+     * Specify whether to log all requests to this service.
      */
     logAll: boolean;
     /**
-     * Log only blocking requests to this service.
+     * Specify whether to log only blocking requests to this service.
      */
     logBlocks: boolean;
 }
 export interface ZeroTrustGatewayLoggingSettingsByRuleTypeL4 {
     /**
-     * Log all requests to this service.
+     * Specify whether to log all requests to this service.
      */
     logAll: boolean;
     /**
-     * Log only blocking requests to this service.
+     * Specify whether to log only blocking requests to this service.
      */
     logBlocks: boolean;
 }
 export interface ZeroTrustGatewayPolicyExpiration {
     /**
-     * The default duration a policy will be active in minutes. Must be set in order to use the `resetExpiration` endpoint on this rule.
+     * Defines the default duration a policy active in minutes. Must set in order to use the `resetExpiration` endpoint on this rule.
      */
     duration?: number;
     /**
-     * Whether the policy has expired.
+     * Indicates whether the policy is expired.
      */
     expired: boolean;
     /**
-     * The time stamp at which the policy will expire and cease to be
-     * applied.
+     * Show the timestamp when the policy expires and stops applying.  The value must follow RFC 3339 and include a UTC offset.  The system accepts non-zero offsets but converts them to the equivalent UTC+00:00  value and returns timestamps with a trailing Z. Expiration policies ignore client  timezones and expire globally at the specified expiresAt time.
      */
     expiresAt: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettings {
     /**
-     * Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s).
+     * Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
      */
     addHeaders?: {
         [key: string]: string[];
     };
     /**
-     * Set by parent MSP accounts to enable their children to bypass this rule.
+     * Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.
      */
     allowChildBypass: boolean;
     /**
-     * Settings for the Audit SSH action.
+     * Define the settings for the Audit SSH action. Settable only for `l4` rules with `auditSsh` action.
      */
     auditSsh?: outputs.ZeroTrustGatewayPolicyRuleSettingsAuditSsh;
     /**
-     * Configure how browser isolation behaves.
+     * Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      */
     bisoAdminControls?: outputs.ZeroTrustGatewayPolicyRuleSettingsBisoAdminControls;
     /**
-     * Custom block page settings. If missing/null, blocking will use the the account settings.
+     * Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      */
     blockPage?: outputs.ZeroTrustGatewayPolicyRuleSettingsBlockPage;
     /**
-     * Enable the custom block page.
+     * Enable the custom block page. Settable only for `dns` rules with action `block`.
      */
     blockPageEnabled: boolean;
     /**
-     * The text describing why this block occurred, displayed on the custom block page (if enabled).
+     * Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`.
      */
     blockReason: string;
     /**
-     * Set by children MSP accounts to bypass their parent's rules.
+     * Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
      */
     bypassParentRule?: boolean;
     /**
-     * Configure how session check behaves.
+     * Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      */
     checkSession?: outputs.ZeroTrustGatewayPolicyRuleSettingsCheckSession;
     /**
-     * Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'.
+     * Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     dnsResolvers?: outputs.ZeroTrustGatewayPolicyRuleSettingsDnsResolvers;
     /**
-     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs.
+     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      */
     egress?: outputs.ZeroTrustGatewayPolicyRuleSettingsEgress;
     /**
-     * Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response.
+     * Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dnsResolver` rules.
      */
     ignoreCnameCategoryMatches: boolean;
     /**
-     * INSECURE - disable DNSSEC validation (for Allow actions).
+     * Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
      */
     insecureDisableDnssecValidation: boolean;
     /**
-     * Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names.
+     * Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dnsResolver` rules.
      */
     ipCategories: boolean;
     /**
-     * Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names.
+     * Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dnsResolver` rules.
      */
     ipIndicatorFeeds: boolean;
     /**
-     * Send matching traffic to the supplied destination IP address. and port.
+     * Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4Override`.
      */
     l4override?: outputs.ZeroTrustGatewayPolicyRuleSettingsL4override;
     /**
-     * Configure a notification to display on the user's device when this rule is matched.
+     * Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`.
      */
     notificationSettings?: outputs.ZeroTrustGatewayPolicyRuleSettingsNotificationSettings;
     /**
-     * Override matching DNS queries with a hostname.
+     * Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideHost: string;
     /**
-     * Override matching DNS queries with an IP or set of IPs.
+     * Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
      */
     overrideIps: string[];
     /**
-     * Configure DLP payload logging.
+     * Configure DLP payload logging. Settable only for `http` rules.
      */
     payloadLog?: outputs.ZeroTrustGatewayPolicyRuleSettingsPayloadLog;
     /**
-     * Settings that apply to quarantine rules.
+     * Configure settings that apply to quarantine rules. Settable only for `http` rules.
      */
     quarantine?: outputs.ZeroTrustGatewayPolicyRuleSettingsQuarantine;
     /**
-     * Settings that apply to redirect rules.
+     * Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      */
     redirect?: outputs.ZeroTrustGatewayPolicyRuleSettingsRedirect;
     /**
-     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'.
+     * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Not used when 'dns*resolvers' is specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsInternally?: outputs.ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally;
     /**
-     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns_internally' is set. Only valid when a rule's action is set to 'resolve'.
+     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns*resolvers' specified or 'resolve*dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dnsResolver` rules.
      */
     resolveDnsThroughCloudflare: boolean;
     /**
-     * Configure behavior when an upstream cert is invalid or an SSL error occurs.
+     * Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      */
     untrustedCert?: outputs.ZeroTrustGatewayPolicyRuleSettingsUntrustedCert;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsAuditSsh {
     /**
-     * Enable to turn on SSH command logging.
+     * Enable SSH command logging.
      */
     commandLogging?: boolean;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
     /**
-     * Configure whether copy is enabled or not. When set with "remote*only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when `version == "v2"`.
+     * Configure copy behavior. If set to remote*only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     copy?: string;
     /**
      * Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      */
-    dcp: boolean;
+    dcp?: boolean;
     /**
      * Set to false to enable downloading. Only applies when `version == "v1"`.
      */
-    dd: boolean;
+    dd?: boolean;
     /**
      * Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      */
-    dk: boolean;
+    dk?: boolean;
     /**
-     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Configure download behavior. When set to remote*only, users can view downloads but cannot save them. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     download?: string;
     /**
      * Set to false to enable printing. Only applies when `version == "v1"`.
      */
-    dp: boolean;
+    dp?: boolean;
     /**
      * Set to false to enable uploading. Only applies when `version == "v1"`.
      */
-    du: boolean;
+    du?: boolean;
     /**
-     * Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when `version == "v2"`.
+     * Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     keyboard?: string;
     /**
-     * Configure whether pasting is enabled or not. When set with "remote*only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when `version == "v2"`.
+     * Configure paste behavior. If set to remote*only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled", "remote*only".
      */
     paste?: string;
     /**
-     * Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when `version == "v2"`.
+     * Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     printing?: string;
     /**
-     * Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when `version == "v2"`.
+     * Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
      * Available values: "enabled", "disabled".
      */
     upload?: string;
     /**
-     * Indicates which version of the browser isolation controls should apply.
+     * Indicate which version of the browser isolation controls should apply.
      * Available values: "v1", "v2".
      */
     version: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsBlockPage {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext?: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsCheckSession {
+    /**
+     * Sets the required session freshness threshold. The API returns a normalized version of this value.
+     */
     duration?: string;
     /**
-     * Set to true to enable session enforcement.
+     * Enable session enforcement.
      */
     enforce?: boolean;
 }
@@ -35125,71 +35383,71 @@ export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolvers {
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv4 {
     /**
-     * IPv4 address of upstream resolver.
+     * Specify the IPv4 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port?: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork?: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId?: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv6 {
     /**
-     * IPv6 address of upstream resolver.
+     * Specify the IPv6 address of the upstream resolver.
      */
     ip: string;
     /**
-     * A port number to use for upstream resolver. Defaults to 53 if unspecified.
+     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      */
     port?: number;
     /**
-     * Whether to connect to this resolver over a private network. Must be set when vnetId is set.
+     * Indicate whether to connect to this resolver over a private network. Must set when vnetId set.
      */
     routeThroughPrivateNetwork?: boolean;
     /**
-     * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted.
+     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
      */
     vnetId?: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsEgress {
     /**
-     * The IPv4 address to be used for egress.
+     * Specify the IPv4 address to use for egress.
      */
     ipv4?: string;
     /**
-     * The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs.
+     * Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      */
     ipv4Fallback?: string;
     /**
-     * The IPv6 range to be used for egress.
+     * Specify the IPv6 range to use for egress.
      */
     ipv6?: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsL4override {
     /**
-     * IPv4 or IPv6 address.
+     * Defines the IPv4 or IPv6 address.
      */
     ip?: string;
     /**
-     * A port number to use for TCP/UDP overrides.
+     * Defines a port number to use for TCP/UDP overrides.
      */
     port?: number;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsNotificationSettings {
     /**
-     * Set notification on.
+     * Enable notification.
      */
     enabled?: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Indicates whether to pass the context information as query parameters.
      */
     includeContext?: boolean;
     /**
@@ -35197,360 +35455,337 @@ export interface ZeroTrustGatewayPolicyRuleSettingsNotificationSettings {
      */
     msg?: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
      */
     supportUrl?: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsPayloadLog {
     /**
-     * Set to true to enable DLP payload logging for this rule.
+     * Enable DLP payload logging for this rule.
      */
     enabled?: boolean;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsQuarantine {
     /**
-     * Types of files to sandbox.
+     * Specify the types of files to sandbox.
      */
     fileTypes?: string[];
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsRedirect {
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to pass the context information as query parameters.
      */
     includeContext?: boolean;
     /**
-     * If true, the path and query parameters from the original request will be appended to target_uri.
+     * Specify whether to append the path and query parameters from the original request to target_uri.
      */
     preservePathAndQuery?: boolean;
     /**
-     * URI to which the user will be redirected.
+     * Specify the URI to which the user is redirected.
      */
     targetUri: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally {
     /**
-     * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries.
+     * Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
      * Available values: "none", "publicDns".
      */
     fallback?: string;
     /**
-     * The internal DNS view identifier that's passed to the internal DNS service.
+     * Specify the internal DNS view identifier to pass to the internal DNS service.
      */
     viewId?: string;
 }
 export interface ZeroTrustGatewayPolicyRuleSettingsUntrustedCert {
     /**
-     * The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
+     * Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.
      * Available values: "passThrough", "block", "error".
      */
     action?: string;
 }
 export interface ZeroTrustGatewayPolicySchedule {
-    /**
-     * The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Fridays.
-     */
     fri?: string;
-    /**
-     * The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays.
-     */
     mon?: string;
-    /**
-     * The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00.  If this parameter is omitted, the rule will be deactivated on Saturdays.
-     */
     sat?: string;
-    /**
-     * The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays.
-     */
     sun?: string;
-    /**
-     * The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays.
-     */
     thu?: string;
     /**
-     * The time zone the rule will be evaluated against. If a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center.
+     * Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
      */
     timeZone?: string;
-    /**
-     * The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays.
-     */
     tue?: string;
-    /**
-     * The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays.
-     */
     wed?: string;
 }
 export interface ZeroTrustGatewaySettingsSettings {
     /**
-     * Activity log settings.
+     * Specify activity log settings.
      */
     activityLog?: outputs.ZeroTrustGatewaySettingsSettingsActivityLog;
     /**
-     * Anti-virus settings.
+     * Specify anti-virus settings.
      */
     antivirus?: outputs.ZeroTrustGatewaySettingsSettingsAntivirus;
     /**
-     * Block page layout settings.
+     * Specify block page layout settings.
      */
     blockPage?: outputs.ZeroTrustGatewaySettingsSettingsBlockPage;
     /**
-     * DLP body scanning settings.
+     * Specify the DLP inspection mode.
      */
     bodyScanning?: outputs.ZeroTrustGatewaySettingsSettingsBodyScanning;
     /**
-     * Browser isolation settings.
+     * Specify Clientless Browser Isolation settings.
      */
     browserIsolation?: outputs.ZeroTrustGatewaySettingsSettingsBrowserIsolation;
     /**
-     * Certificate settings for Gateway TLS interception. If not specified, the Cloudflare Root CA will be used.
+     * Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      */
     certificate?: outputs.ZeroTrustGatewaySettingsSettingsCertificate;
     /**
-     * Custom certificate settings for BYO-PKI. (deprecated and replaced by `certificate`).
+     * Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      *
      * @deprecated This attribute is deprecated.
      */
     customCertificate?: outputs.ZeroTrustGatewaySettingsSettingsCustomCertificate;
     /**
-     * Extended e-mail matching settings.
+     * Specify user email settings for the firewall policies. When this is enabled, we standardize the email addresses in the identity part of the rule, so that they match the extended email variants in the firewall policies. When this setting is turned off, the email addresses in the identity part of the rule will be matched exactly as provided. If your email has `.` or `+` modifiers, you should enable this setting.
      */
     extendedEmailMatching?: outputs.ZeroTrustGatewaySettingsSettingsExtendedEmailMatching;
     /**
-     * FIPS settings.
+     * Specify FIPS settings.
      */
     fips?: outputs.ZeroTrustGatewaySettingsSettingsFips;
     /**
-     * Setting to enable host selector in egress policies.
+     * Enable host selection in egress policies.
      */
     hostSelector?: outputs.ZeroTrustGatewaySettingsSettingsHostSelector;
     /**
-     * Setting to define inspection settings.
+     * Define the proxy inspection mode.
      */
     inspection?: outputs.ZeroTrustGatewaySettingsSettingsInspection;
     /**
-     * Protocol Detection settings.
+     * Specify whether to detect protocols from the initial bytes of client traffic.
      */
     protocolDetection?: outputs.ZeroTrustGatewaySettingsSettingsProtocolDetection;
     /**
-     * Sandbox settings.
+     * Specify whether to enable the sandbox.
      */
     sandbox?: outputs.ZeroTrustGatewaySettingsSettingsSandbox;
     /**
-     * TLS interception settings.
+     * Specify whether to inspect encrypted HTTP traffic.
      */
     tlsDecrypt?: outputs.ZeroTrustGatewaySettingsSettingsTlsDecrypt;
 }
 export interface ZeroTrustGatewaySettingsSettingsActivityLog {
     /**
-     * Enable activity logging.
+     * Specify whether to log activity.
      */
     enabled?: boolean;
 }
 export interface ZeroTrustGatewaySettingsSettingsAntivirus {
     /**
-     * Enable anti-virus scanning on downloads.
+     * Specify whether to enable anti-virus scanning on downloads.
      */
     enabledDownloadPhase: boolean;
     /**
-     * Enable anti-virus scanning on uploads.
+     * Specify whether to enable anti-virus scanning on uploads.
      */
     enabledUploadPhase: boolean;
     /**
-     * Block requests for files that cannot be scanned.
+     * Specify whether to block requests for unscannable files.
      */
     failClosed: boolean;
     /**
-     * Configure a message to display on the user's device when an antivirus search is performed.
+     * Configure the message the user's device shows during an antivirus scan.
      */
     notificationSettings: outputs.ZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings;
 }
 export interface ZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings {
     /**
-     * Set notification on.
+     * Specify whether to enable notifications.
      */
     enabled?: boolean;
     /**
-     * If true, context information will be passed as query parameters.
+     * Specify whether to include context information as query parameters.
      */
     includeContext?: boolean;
     /**
-     * Customize the message shown in the notification.
+     * Specify the message to show in the notification.
      */
     msg?: string;
     /**
-     * Optional URL to direct users to additional information. If not set, the notification will open a block page.
+     * Specify a URL that directs users to more information. If unset, the notification opens a block page.
      */
     supportUrl?: string;
 }
 export interface ZeroTrustGatewaySettingsSettingsBlockPage {
     /**
-     * If mode is customized_block_page: block page background color in #rrggbb format.
+     * Specify the block page background color in `#rrggbb` format when the mode is customized*block*page.
      */
     backgroundColor?: string;
     /**
-     * Enable only cipher suites and TLS versions compliant with FIPS. 140-2.
+     * Specify whether to enable the custom block page.
      */
     enabled?: boolean;
     /**
-     * If mode is customized_block_page: block page footer text.
+     * Specify the block page footer text when the mode is customized*block*page.
      */
     footerText?: string;
     /**
-     * If mode is customized_block_page: block page header text.
+     * Specify the block page header text when the mode is customized*block*page.
      */
     headerText?: string;
     /**
-     * If mode is redirect_uri: when enabled, context will be appended to targetUri as query parameters.
+     * Specify whether to append context to target*uri as query parameters. This applies only when the mode is redirect*uri.
      */
     includeContext?: boolean;
     /**
-     * If mode is customized_block_page: full URL to the logo file.
+     * Specify the full URL to the logo file when the mode is customized*block*page.
      */
     logoPath?: string;
     /**
-     * If mode is customized_block_page: admin email for users to contact.
+     * Specify the admin email for users to contact when the mode is customized*block*page.
      */
     mailtoAddress?: string;
     /**
-     * If mode is customized_block_page: subject line for emails created from block page.
+     * Specify the subject line for emails created from the block page when the mode is customized*block*page.
      */
     mailtoSubject?: string;
     /**
-     * Controls whether the user is redirected to a Cloudflare-hosted block page or to a customer-provided URI.
-     * Available values: "", "customizedBlockPage", "redirectUri".
+     * Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
+     * Available values: "", "customized*block*page", "redirectUri".
      */
     mode?: string;
     /**
-     * If mode is customized_block_page: block page title.
+     * Specify the block page title when the mode is customized*block*page.
      */
     name?: string;
     /**
-     * This setting was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this setting was shared via the Orgs API and read only for the current account.
      */
     readOnly: boolean;
     /**
-     * Account tag of account that shared this setting.
+     * Indicate the account tag of the account that shared this setting.
      */
     sourceAccount: string;
     /**
-     * If mode is customized_block_page: suppress detailed info at the bottom of the block page.
+     * Specify whether to suppress detailed information at the bottom of the block page when the mode is customized*block*page.
      */
     suppressFooter?: boolean;
     /**
-     * If mode is redirect_uri: URI to which the user should be redirected.
+     * Specify the URI to redirect users to when the mode is redirect_uri.
      */
     targetUri?: string;
     /**
-     * Version number of the setting.
+     * Indicate the version number of the setting.
      */
     version: number;
 }
 export interface ZeroTrustGatewaySettingsSettingsBodyScanning {
     /**
-     * Set the inspection mode to either `deep` or `shallow`.
+     * Specify the inspection mode as either `deep` or `shallow`.
      * Available values: "deep", "shallow".
      */
     inspectionMode?: string;
 }
 export interface ZeroTrustGatewaySettingsSettingsBrowserIsolation {
     /**
-     * Enable non-identity onramp support for Browser Isolation.
+     * Specify whether to enable non-identity onramp support for Browser Isolation.
      */
     nonIdentityEnabled?: boolean;
     /**
-     * Enable Clientless Browser Isolation.
+     * Specify whether to enable Clientless Browser Isolation.
      */
     urlBrowserIsolationEnabled?: boolean;
 }
 export interface ZeroTrustGatewaySettingsSettingsCertificate {
     /**
-     * UUID of certificate to be used for interception. Certificate must be available (previously called 'active') on the edge. A nil UUID will indicate the Cloudflare Root CA should be used.
+     * Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
      */
     id: string;
 }
 export interface ZeroTrustGatewaySettingsSettingsCustomCertificate {
     /**
-     * Certificate status (internal).
+     * Indicate the internal certificate status.
      */
     bindingStatus: string;
     /**
-     * Enable use of custom certificate authority for signing Gateway. traffic.
+     * Specify whether to enable a custom certificate authority for signing Gateway traffic.
      */
     enabled: boolean;
     /**
-     * UUID of certificate (ID from MTLS certificate store).
+     * Specify the UUID of the certificate (ID from MTLS certificate store).
      */
     id?: string;
     updatedAt: string;
 }
 export interface ZeroTrustGatewaySettingsSettingsExtendedEmailMatching {
     /**
-     * Enable matching all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
+     * Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      */
     enabled?: boolean;
     /**
-     * This setting was shared via the Orgs API and cannot be edited by the current account.
+     * Indicate that this setting was shared via the Orgs API and read only for the current account.
      */
     readOnly: boolean;
     /**
-     * Account tag of account that shared this setting.
+     * Indicate the account tag of the account that shared this setting.
      */
     sourceAccount: string;
     /**
-     * Version number of the setting.
+     * Indicate the version number of the setting.
      */
     version: number;
 }
 export interface ZeroTrustGatewaySettingsSettingsFips {
     /**
-     * Enable only cipher suites and TLS versions compliant with FIPS. 140-2.
+     * Enforce cipher suites and TLS versions compliant with FIPS 140-2.
      */
     tls?: boolean;
 }
 export interface ZeroTrustGatewaySettingsSettingsHostSelector {
     /**
-     * Enable filtering via hosts for egress policies.
+     * Specify whether to enable filtering via hosts for egress policies.
      */
     enabled?: boolean;
 }
 export interface ZeroTrustGatewaySettingsSettingsInspection {
     /**
-     * Defines the mode of inspection the proxy will use.
-     * - static: Gateway will use static inspection to inspect HTTP on TCP(80). If TLS decryption is on, Gateway will inspect HTTPS traffic on TCP(443) & UDP(443).
-     * - dynamic: Gateway will use protocol detection to dynamically inspect HTTP and HTTPS traffic on any port. TLS decryption must be on to inspect HTTPS traffic.
+     * Define the proxy inspection mode.   1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).   2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      * Available values: "static", "dynamic".
      */
     mode?: string;
 }
 export interface ZeroTrustGatewaySettingsSettingsProtocolDetection {
     /**
-     * Enable detecting protocol on initial bytes of client traffic.
+     * Specify whether to detect protocols from the initial bytes of client traffic.
      */
     enabled?: boolean;
 }
 export interface ZeroTrustGatewaySettingsSettingsSandbox {
     /**
-     * Enable sandbox.
+     * Specify whether to enable the sandbox.
      */
     enabled?: boolean;
     /**
-     * Action to take when the file cannot be scanned.
+     * Specify the action to take when the system cannot scan the file.
      * Available values: "allow", "block".
      */
     fallbackAction?: string;
 }
 export interface ZeroTrustGatewaySettingsSettingsTlsDecrypt {
     /**
-     * Enable inspecting encrypted HTTP traffic.
+     * Specify whether to inspect encrypted HTTP traffic.
      */
     enabled?: boolean;
 }
 export interface ZeroTrustListItem {
     /**
-     * The description of the list item, if present.
+     * Provide the list item description (optional).
      */
     description?: string;
     /**
-     * The value of the item in a list.
+     * Specify the item value.
      */
     value?: string;
 }
@@ -35915,37 +36150,37 @@ export interface ZoneDnsSettingsNameservers {
      * Nameserver type
      * Available values: "cloudflare.standard", "custom.account", "custom.tenant", "custom.zone".
      */
-    type: string;
+    type?: string;
 }
 export interface ZoneDnsSettingsSoa {
     /**
      * Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone.
      */
-    expire: number;
+    expire?: number;
     /**
      * The time to live (TTL) for negative caching of records within the zone.
      */
-    minTtl: number;
+    minTtl?: number;
     /**
-     * The primary nameserver, which may be used for outbound zone transfers.
+     * The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used.
      */
-    mname: string;
+    mname?: string;
     /**
      * Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated.
      */
-    refresh: number;
+    refresh?: number;
     /**
      * Time in seconds after which secondary servers should retry queries after the primary server was unresponsive.
      */
-    retry: number;
+    retry?: number;
     /**
      * The email address of the zone administrator, with the first label representing the local part of the email address.
      */
-    rname: string;
+    rname?: string;
     /**
      * The time to live (TTL) of the SOA record itself.
      */
-    ttl: number;
+    ttl?: number;
 }
 export interface ZoneLockdownConfiguration {
     /**