@pulumi/cloudflare 6.3.1 → 6.4.0-alpha.1752588923

package/types/output.d.ts

@@ -1000,7 +1000,7 @@ export interface AccessApplicationTargetCriteria {
     port: number;
     /**
      * The communication protocol your application secures.
-     * Available values: "ssh".
+     * Available values: "SSH".
      */
     protocol: string;
     /**
@@ -1617,10 +1617,6 @@ export interface AccessIdentityProviderConfig {
      * Your OAuth Client ID
      */
     clientId?: string;
-    /**
-     * Your OAuth Client Secret
-     */
-    clientSecret?: string;
     /**
      * Should Cloudflare try to load authentication contexts from your account
      */
@@ -1678,7 +1674,7 @@ export interface AccessIdentityProviderConfig {
     /**
      * Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      */
-    signRequest: boolean;
+    signRequest?: boolean;
     /**
      * URL to send the SAML authentication requests to
      */
@@ -1706,12 +1702,12 @@ export interface AccessIdentityProviderScimConfig {
     /**
      * A flag to enable or disable SCIM for the identity provider.
      */
-    enabled?: boolean;
+    enabled: boolean;
     /**
      * Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no*action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      * Available values: "automatic", "reauth", "no*action".
      */
-    identityUpdateBehavior?: string;
+    identityUpdateBehavior: string;
     /**
      * The base URL of Cloudflare's SCIM V2.0 API endpoint.
      */
@@ -1719,7 +1715,7 @@ export interface AccessIdentityProviderScimConfig {
     /**
      * A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider.  This cannot be enabled unless userDeprovision is also enabled.
      */
-    seatDeprovision?: boolean;
+    seatDeprovision: boolean;
     /**
      * A read-only token generated when the SCIM integration is enabled for the first time.  It is redacted on subsequent requests.  If you lose this you will need to refresh it at /access/identity*providers/:idpID/refresh*scim_secret.
      */
@@ -1727,7 +1723,7 @@ export interface AccessIdentityProviderScimConfig {
     /**
      * A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
      */
-    userDeprovision?: boolean;
+    userDeprovision: boolean;
 }
 export interface AccessMutualTlsHostnameSettingsSetting {
     /**
@@ -2601,7 +2597,7 @@ export interface AccountTokenPolicy {
 }
 export interface AccountTokenPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -2609,7 +2605,7 @@ export interface AccountTokenPolicyPermissionGroup {
      */
     meta: outputs.AccountTokenPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -2905,7 +2901,7 @@ export interface ApiTokenPolicy {
 }
 export interface ApiTokenPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -2913,7 +2909,7 @@ export interface ApiTokenPolicyPermissionGroup {
      */
     meta?: outputs.ApiTokenPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -2976,7 +2972,7 @@ export interface CloudConnectorRulesRule {
     parameters?: outputs.CloudConnectorRulesRuleParameters;
     /**
      * Cloud Provider type
-     * Available values: "aws*s3", "r2", "gcp*storage", "azureStorage".
+     * Available values: "aws*s3", "cloudflare*r2", "gcp*storage", "azure*storage".
      */
     provider?: string;
 }
@@ -3360,6 +3356,10 @@ export interface DevicePostureRuleInput {
      * Available values: "online", "offline", "unknown".
      */
     state?: string;
+    /**
+     * List of certificate Subject Alternative Names.
+     */
+    subjectAlternativeNames?: string[];
     /**
      * Signing certificate thumbprint.
      */
@@ -3425,68 +3425,6 @@ export interface DlpCustomProfileEntryPattern {
      */
     validation?: string;
 }
-export interface DlpCustomProfileProfile {
-    aiContextEnabled?: boolean;
-    /**
-     * Related DLP policies will trigger when the match count exceeds the number set.
-     */
-    allowedMatchCount: number;
-    confidenceThreshold?: string;
-    /**
-     * Scan the context of predefined entries to only return matches surrounded by keywords.
-     */
-    contextAwareness?: outputs.DlpCustomProfileProfileContextAwareness;
-    /**
-     * The description of the profile.
-     */
-    description?: string;
-    entries: outputs.DlpCustomProfileProfileEntry[];
-    name: string;
-    ocrEnabled?: boolean;
-    /**
-     * Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).
-     */
-    sharedEntries?: outputs.DlpCustomProfileProfileSharedEntry[];
-}
-export interface DlpCustomProfileProfileContextAwareness {
-    /**
-     * If true, scan the context of predefined entries to only return matches surrounded by keywords.
-     */
-    enabled: boolean;
-    /**
-     * Content types to exclude from context analysis and return all matches.
-     */
-    skip: outputs.DlpCustomProfileProfileContextAwarenessSkip;
-}
-export interface DlpCustomProfileProfileContextAwarenessSkip {
-    /**
-     * If the content type is a file, skip context analysis and return all matches.
-     */
-    files: boolean;
-}
-export interface DlpCustomProfileProfileEntry {
-    enabled: boolean;
-    name: string;
-    pattern?: outputs.DlpCustomProfileProfileEntryPattern;
-    words?: string[];
-}
-export interface DlpCustomProfileProfileEntryPattern {
-    regex: string;
-    /**
-     * Available values: "luhn".
-     *
-     * @deprecated This attribute is deprecated.
-     */
-    validation?: string;
-}
-export interface DlpCustomProfileProfileSharedEntry {
-    enabled: boolean;
-    entryId: string;
-    /**
-     * Available values: "custom", "predefined", "integration", "exactData".
-     */
-    entryType: string;
-}
 export interface DlpCustomProfileSharedEntry {
     enabled: boolean;
     entryId: string;
@@ -4273,7 +4211,7 @@ export interface GetAccountMemberPolicy {
 }
 export interface GetAccountMemberPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -4281,7 +4219,7 @@ export interface GetAccountMemberPolicyPermissionGroup {
      */
     meta: outputs.GetAccountMemberPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -4291,7 +4229,7 @@ export interface GetAccountMemberPolicyPermissionGroupMeta {
 }
 export interface GetAccountMemberPolicyResourceGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the resource group.
      */
     id: string;
     /**
@@ -4470,7 +4408,7 @@ export interface GetAccountMembersResultPolicy {
 }
 export interface GetAccountMembersResultPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -4478,7 +4416,7 @@ export interface GetAccountMembersResultPolicyPermissionGroup {
      */
     meta: outputs.GetAccountMembersResultPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -4488,7 +4426,7 @@ export interface GetAccountMembersResultPolicyPermissionGroupMeta {
 }
 export interface GetAccountMembersResultPolicyResourceGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the resource group.
      */
     id: string;
     /**
@@ -4629,7 +4567,7 @@ export interface GetAccountPermissionGroupMeta {
 }
 export interface GetAccountPermissionGroupsResult {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -4637,7 +4575,7 @@ export interface GetAccountPermissionGroupsResult {
      */
     meta: outputs.GetAccountPermissionGroupsResultMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -4872,7 +4810,7 @@ export interface GetAccountTokenPolicy {
 }
 export interface GetAccountTokenPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -4880,7 +4818,7 @@ export interface GetAccountTokenPolicyPermissionGroup {
      */
     meta: outputs.GetAccountTokenPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -4967,7 +4905,7 @@ export interface GetAccountTokensResultPolicy {
 }
 export interface GetAccountTokensResultPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -4975,7 +4913,7 @@ export interface GetAccountTokensResultPolicyPermissionGroup {
      */
     meta: outputs.GetAccountTokensResultPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -5562,7 +5500,7 @@ export interface GetApiTokenPolicy {
 }
 export interface GetApiTokenPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -5570,7 +5508,7 @@ export interface GetApiTokenPolicyPermissionGroup {
      */
     meta: outputs.GetApiTokenPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -5657,7 +5595,7 @@ export interface GetApiTokensResultPolicy {
 }
 export interface GetApiTokensResultPolicyPermissionGroup {
     /**
-     * Identifier of the group.
+     * Identifier of the permission group.
      */
     id: string;
     /**
@@ -5665,7 +5603,7 @@ export interface GetApiTokensResultPolicyPermissionGroup {
      */
     meta: outputs.GetApiTokensResultPolicyPermissionGroupMeta;
     /**
-     * Name of the group.
+     * Name of the permission group.
      */
     name: string;
 }
@@ -5839,7 +5777,7 @@ export interface GetCloudConnectorRulesRule {
     parameters: outputs.GetCloudConnectorRulesRuleParameters;
     /**
      * Cloud Provider type
-     * Available values: "aws*s3", "r2", "gcp*storage", "azureStorage".
+     * Available values: "aws*s3", "cloudflare*r2", "gcp*storage", "azure*storage".
      */
     provider: string;
 }
@@ -7038,7 +6976,7 @@ export interface GetDnsRecordsResult {
     ttl: number;
     /**
      * Record type.
-     * Available values: "A", "AAAA", "CAA", "CERT", "CNAME", "DNSKEY", "DS", "HTTPS", "LOC", "MX", "NAPTR", "NS", "OPENPGPKEY", "PTR", "SMIMEA", "SRV", "SSHFP", "SVCB", "TLSA", "TXT", "URI".
+     * Available values: "A", "AAAA", "CNAME", "MX", "NS", "OPENPGPKEY", "PTR", "TXT", "CAA", "CERT", "DNSKEY", "DS", "HTTPS", "LOC", "NAPTR", "SMIMEA", "SRV", "SSHFP", "SVCB", "TLSA", "URI".
      */
     type: string;
 }
@@ -11923,56 +11861,31 @@ export interface GetR2BucketCorsRuleAllowed {
      */
     origins: string[];
 }
-export interface GetR2BucketEventNotificationAbortMultipartUploadsTransition {
-    /**
-     * Condition for lifecycle transitions to apply after an object reaches an age in seconds.
-     */
-    condition: outputs.GetR2BucketEventNotificationAbortMultipartUploadsTransitionCondition;
-}
-export interface GetR2BucketEventNotificationAbortMultipartUploadsTransitionCondition {
-    maxAge: number;
-    /**
-     * Available values: "Age".
-     */
-    type: string;
-}
-export interface GetR2BucketEventNotificationConditions {
+export interface GetR2BucketEventNotificationRule {
     /**
-     * Transitions will only apply to objects/uploads in the bucket that start with the given prefix, an empty prefix can be provided to scope rule to all objects/uploads.
+     * Array of R2 object actions that will trigger notifications.
      */
-    prefix: string;
-}
-export interface GetR2BucketEventNotificationDeleteObjectsTransition {
+    actions: string[];
     /**
-     * Condition for lifecycle transitions to apply after an object reaches an age in seconds.
+     * Timestamp when the rule was created.
      */
-    condition: outputs.GetR2BucketEventNotificationDeleteObjectsTransitionCondition;
-}
-export interface GetR2BucketEventNotificationDeleteObjectsTransitionCondition {
-    date: string;
-    maxAge: number;
+    createdAt: string;
     /**
-     * Available values: "Age", "Date".
+     * A description that can be used to identify the event notification rule after creation.
      */
-    type: string;
-}
-export interface GetR2BucketEventNotificationStorageClassTransition {
+    description: string;
     /**
-     * Condition for lifecycle transitions to apply after an object reaches an age in seconds.
+     * Notifications will be sent only for objects with this prefix.
      */
-    condition: outputs.GetR2BucketEventNotificationStorageClassTransitionCondition;
+    prefix: string;
     /**
-     * Available values: "InfrequentAccess".
+     * Rule ID.
      */
-    storageClass: string;
-}
-export interface GetR2BucketEventNotificationStorageClassTransitionCondition {
-    date: string;
-    maxAge: number;
+    ruleId: string;
     /**
-     * Available values: "Age", "Date".
+     * Notifications will be sent only for objects with this suffix.
      */
-    type: string;
+    suffix: string;
 }
 export interface GetR2BucketLifecycleRule {
     /**
@@ -12484,7 +12397,7 @@ export interface GetResourceGroupScopeObject {
 }
 export interface GetResourceGroupsResult {
     /**
-     * Identifier of the group.
+     * Identifier of the resource group.
      */
     id: string;
     /**
@@ -12692,7 +12605,7 @@ export interface GetRulesetRuleActionParameters {
      */
     originCacheControl: boolean;
     /**
-     * Generate Cloudflare error pages from issues sent from the origin server. When on, error pages will trigger for issues from the origin
+     * Generate Cloudflare error pages from issues sent from the origin server. When on, error pages will trigger for issues from the origin.
      */
     originErrorPagePassthru: boolean;
     /**
@@ -12705,7 +12618,7 @@ export interface GetRulesetRuleActionParameters {
     phases: string[];
     /**
      * Configure the Polish level.
-     * Available values: "off", "lossless", "lossy".
+     * Available values: "off", "lossless", "lossy", "webp".
      */
     polish: string;
     /**
@@ -12737,7 +12650,7 @@ export interface GetRulesetRuleActionParameters {
      */
     responseFields: outputs.GetRulesetRuleActionParametersResponseField[];
     /**
-     * Turn on or off Rocket Loader
+     * Turn on or off Rocket Loader.
      */
     rocketLoader: boolean;
     /**
@@ -12828,11 +12741,11 @@ export interface GetRulesetRuleActionParametersBrowserTtl {
 }
 export interface GetRulesetRuleActionParametersCacheKey {
     /**
-     * Separate cached content based on the visitor’s device type
+     * Separate cached content based on the visitor’s device type.
      */
     cacheByDeviceType: boolean;
     /**
-     * Protect from web cache deception attacks while allowing static assets to be cached
+     * Protect from web cache deception attacks while allowing static assets to be cached.
      */
     cacheDeceptionArmor: boolean;
     /**
@@ -12962,12 +12875,12 @@ export interface GetRulesetRuleActionParametersEdgeTtl {
      */
     default: number;
     /**
-     * edge ttl options
+     * Edge TTL options.
      * Available values: "respect*origin", "bypass*by*default", "override*origin".
      */
     mode: string;
     /**
-     * List of single status codes, or status code ranges to apply the selected mode
+     * List of single status codes, or status code ranges to apply the selected mode.
      */
     statusCodeTtls: outputs.GetRulesetRuleActionParametersEdgeTtlStatusCodeTtl[];
 }
@@ -12977,7 +12890,7 @@ export interface GetRulesetRuleActionParametersEdgeTtlStatusCodeTtl {
      */
     statusCodeRange: outputs.GetRulesetRuleActionParametersEdgeTtlStatusCodeTtlStatusCodeRange;
     /**
-     * Set the ttl for responses with this specific status code
+     * Set the TTL for responses with this specific status code.
      */
     statusCodeValue: number;
     /**
@@ -12987,11 +12900,11 @@ export interface GetRulesetRuleActionParametersEdgeTtlStatusCodeTtl {
 }
 export interface GetRulesetRuleActionParametersEdgeTtlStatusCodeTtlStatusCodeRange {
     /**
-     * response status code lower bound
+     * Response status code lower bound.
      */
     from: number;
     /**
-     * response status code upper bound
+     * Response status code upper bound.
      */
     to: number;
 }
@@ -13287,6 +13200,55 @@ export interface GetRulesetsResult {
      */
     phase: string;
 }
+export interface GetSchemaValidationOperationSettingsListResult {
+    /**
+     * When set, this applies a mitigation action to this operation which supersedes a global schema validation setting just for this operation
+     *
+     *   - `"log"` - log request when request does not conform to schema for this operation
+     *   - `"block"` - deny access to the site when request does not conform to schema for this operation
+     *   - `"none"` - will skip mitigation for this operation
+     * Available values: "log", "block", "none".
+     */
+    mitigationAction: string;
+    /**
+     * UUID.
+     */
+    operationId: string;
+}
+export interface GetSchemaValidationSchemasFilter {
+    /**
+     * Omit the source-files of schemas and only retrieve their meta-data.
+     */
+    omitSource: boolean;
+    /**
+     * Filter for enabled schemas
+     */
+    validationEnabled?: boolean;
+}
+export interface GetSchemaValidationSchemasListResult {
+    createdAt: string;
+    /**
+     * The kind of the schema
+     * Available values: "openapiV3".
+     */
+    kind: string;
+    /**
+     * A human-readable name for the schema
+     */
+    name: string;
+    /**
+     * A unique identifier of this schema
+     */
+    schemaId: string;
+    /**
+     * The raw schema, e.g., the OpenAPI schema, either as JSON or YAML
+     */
+    source: string;
+    /**
+     * An indicator if this schema is enabled
+     */
+    validationEnabled: boolean;
+}
 export interface GetSnippetRulesListResult {
     description: string;
     enabled: boolean;
@@ -13833,6 +13795,29 @@ export interface GetUserAgentBlockingRulesResultConfiguration {
      */
     value: string;
 }
+export interface GetUserOrganization {
+    /**
+     * Identifier
+     */
+    id: string;
+    /**
+     * Organization name.
+     */
+    name: string;
+    /**
+     * Access permissions for this User.
+     */
+    permissions: string[];
+    /**
+     * List of roles that a user has within an organization.
+     */
+    roles: string[];
+    /**
+     * Whether the user is a member of the organization or has an invitation pending.
+     * Available values: "member", "invited".
+     */
+    status: string;
+}
 export interface GetWaitingRoomAdditionalRoute {
     /**
      * The hostname to which this waiting room will be applied (no wildcards). The hostname must be the primary domain, subdomain, or custom hostname (if using SSL for SaaS) of this zone. Please do not include the scheme (http:// or https://).
@@ -15582,7 +15567,7 @@ export interface GetZeroTrustAccessApplicationTargetCriteria {
     port: number;
     /**
      * The communication protocol your application secures.
-     * Available values: "ssh".
+     * Available values: "SSH".
      */
     protocol: string;
     /**
@@ -15740,6 +15725,7 @@ export interface GetZeroTrustAccessApplicationsResult {
     targetCriterias: outputs.GetZeroTrustAccessApplicationsResultTargetCriteria[];
     /**
      * The application type.
+     * Available values: "self*hosted", "saas", "ssh", "vnc", "app*launcher", "warp", "biso", "bookmark", "dashSso", "infrastructure", "rdp".
      */
     type: string;
     updatedAt: string;
@@ -16785,7 +16771,7 @@ export interface GetZeroTrustAccessApplicationsResultTargetCriteria {
     port: number;
     /**
      * The communication protocol your application secures.
-     * Available values: "ssh".
+     * Available values: "SSH".
      */
     protocol: string;
     /**
@@ -20683,6 +20669,10 @@ export interface GetZeroTrustDevicePostureRuleInput {
      * Available values: "online", "offline", "unknown".
      */
     state: string;
+    /**
+     * List of certificate Subject Alternative Names.
+     */
+    subjectAlternativeNames: string[];
     /**
      * Signing certificate thumbprint.
      */
@@ -20903,6 +20893,10 @@ export interface GetZeroTrustDevicePostureRulesResultInput {
      * Available values: "online", "offline", "unknown".
      */
     state: string;
+    /**
+     * List of certificate Subject Alternative Names.
+     */
+    subjectAlternativeNames: string[];
     /**
      * Signing certificate thumbprint.
      */
@@ -21056,7 +21050,7 @@ export interface GetZeroTrustDlpCustomProfileEntry {
     profileId: string;
     secret: boolean;
     /**
-     * Available values: "custom", "predefined", "integration", "exact*data", "word*list".
+     * Available values: "custom", "predefined", "integration", "exact*data", "document*template", "wordList".
      */
     type: string;
     updatedAt: string;
@@ -21154,7 +21148,7 @@ export interface GetZeroTrustDlpEntriesResult {
     profileId: string;
     secret: boolean;
     /**
-     * Available values: "custom", "predefined", "integration", "exact*data", "word*list".
+     * Available values: "custom", "predefined", "integration", "exact*data", "document*template", "wordList".
      */
     type: string;
     updatedAt: string;
@@ -21230,7 +21224,7 @@ export interface GetZeroTrustDlpPredefinedProfileEntry {
     profileId: string;
     secret: boolean;
     /**
-     * Available values: "custom", "predefined", "integration", "exact*data", "word*list".
+     * Available values: "custom", "predefined", "integration", "exact*data", "document*template", "wordList".
      */
     type: string;
     updatedAt: string;
@@ -21650,6 +21644,10 @@ export interface GetZeroTrustGatewayPoliciesResult {
      * version number of the rule
      */
     version: number;
+    /**
+     * Warning for a misconfigured rule, if any.
+     */
+    warningStatus: string;
 }
 export interface GetZeroTrustGatewayPoliciesResultExpiration {
     /**
@@ -21795,8 +21793,8 @@ export interface GetZeroTrustGatewayPoliciesResultRuleSettingsBisoAdminControls
      */
     dk: boolean;
     /**
-     * Configure whether downloading enabled or not. When absent, downloading is enabled. Only applies when `version == "v2"`.
-     * Available values: "enabled", "disabled".
+     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Available values: "enabled", "disabled", "remote*only".
      */
     download: string;
     /**
@@ -22157,8 +22155,8 @@ export interface GetZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
      */
     dk: boolean;
     /**
-     * Configure whether downloading enabled or not. When absent, downloading is enabled. Only applies when `version == "v2"`.
-     * Available values: "enabled", "disabled".
+     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Available values: "enabled", "disabled", "remote*only".
      */
     download: string;
     /**
@@ -22384,6 +22382,10 @@ export interface GetZeroTrustGatewaySettingsSettings {
      * Anti-virus settings.
      */
     antivirus: outputs.GetZeroTrustGatewaySettingsSettingsAntivirus;
+    /**
+     * Setting to enable App Control
+     */
+    appControlSettings: outputs.GetZeroTrustGatewaySettingsSettingsAppControlSettings;
     /**
      * Block page layout settings.
      */
@@ -22473,6 +22475,12 @@ export interface GetZeroTrustGatewaySettingsSettingsAntivirusNotificationSetting
      */
     supportUrl: string;
 }
+export interface GetZeroTrustGatewaySettingsSettingsAppControlSettings {
+    /**
+     * Enable App Control
+     */
+    enabled: boolean;
+}
 export interface GetZeroTrustGatewaySettingsSettingsBlockPage {
     /**
      * If mode is customized*block*page: block page background color in #rrggbb format.
@@ -23103,6 +23111,8 @@ export interface GetZeroTrustTunnelCloudflaredsResult {
     accountTag: string;
     /**
      * The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
+     *
+     * @deprecated This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`
      */
     connections: outputs.GetZeroTrustTunnelCloudflaredsResultConnection[];
     /**
@@ -23188,7 +23198,7 @@ export interface GetZoneAccount {
      */
     id: string;
     /**
-     * The name of the account
+     * The name of the account.
      */
     name: string;
 }
@@ -23269,14 +23279,14 @@ export interface GetZoneFilter {
      */
     order?: string;
     /**
-     * A zone status
+     * Specify a zone status to filter by.
      * Available values: "initializing", "pending", "active", "moved".
      */
     status?: string;
 }
 export interface GetZoneFilterAccount {
     /**
-     * An account ID
+     * Filter by an account ID.
      */
     id?: string;
     /**
@@ -23384,27 +23394,27 @@ export interface GetZoneLockdownsResultConfiguration {
 }
 export interface GetZoneMeta {
     /**
-     * The zone is only configured for CDN
+     * The zone is only configured for CDN.
      */
     cdnOnly: boolean;
     /**
-     * Number of Custom Certificates the zone can have
+     * Number of Custom Certificates the zone can have.
      */
     customCertificateQuota: number;
     /**
-     * The zone is only configured for DNS
+     * The zone is only configured for DNS.
      */
     dnsOnly: boolean;
     /**
-     * The zone is setup with Foundation DNS
+     * The zone is setup with Foundation DNS.
      */
     foundationDns: boolean;
     /**
-     * Number of Page Rules a zone can have
+     * Number of Page Rules a zone can have.
      */
     pageRuleQuota: number;
     /**
-     * The zone has been flagged for phishing
+     * The zone has been flagged for phishing.
      */
     phishingDetected: boolean;
     step: number;
@@ -23415,11 +23425,11 @@ export interface GetZoneOwner {
      */
     id: string;
     /**
-     * Name of the owner
+     * Name of the owner.
      */
     name: string;
     /**
-     * The type of owner
+     * The type of owner.
      */
     type: string;
 }
@@ -23457,7 +23467,7 @@ export interface GetZonePlan {
      */
     legacyId: string;
     /**
-     * Name of the owner
+     * Name of the owner.
      */
     name: string;
     /**
@@ -23465,6 +23475,37 @@ export interface GetZonePlan {
      */
     price: number;
 }
+export interface GetZoneSubscriptionRatePlan {
+    /**
+     * The currency applied to the rate plan subscription.
+     */
+    currency: string;
+    /**
+     * Whether this rate plan is managed externally from Cloudflare.
+     */
+    externallyManaged: boolean;
+    /**
+     * The ID of the rate plan.
+     * Available values: "free", "lite", "pro", "pro*plus", "business", "enterprise", "partners*free", "partners*pro", "partners*business", "partnersEnterprise".
+     */
+    id: string;
+    /**
+     * Whether a rate plan is enterprise-based (or newly adopted term contract).
+     */
+    isContract: boolean;
+    /**
+     * The full name of the rate plan.
+     */
+    publicName: string;
+    /**
+     * The scope that this rate plan applies to.
+     */
+    scope: string;
+    /**
+     * The list of sets this rate plan applies to.
+     */
+    sets: string[];
+}
 export interface GetZoneTenant {
     /**
      * Identifier
@@ -23483,7 +23524,7 @@ export interface GetZoneTenantUnit {
 }
 export interface GetZonesAccount {
     /**
-     * An account ID
+     * Filter by an account ID.
      */
     id?: string;
     /**
@@ -23501,12 +23542,12 @@ export interface GetZonesAccount {
 }
 export interface GetZonesResult {
     /**
-     * The account the zone belongs to
+     * The account the zone belongs to.
      */
     account: outputs.GetZonesResultAccount;
     /**
      * The last time proof of ownership was detected and the zone was made
-     * active
+     * active.
      */
     activatedOn: string;
     /**
@@ -23515,7 +23556,7 @@ export interface GetZonesResult {
      */
     cnameSuffix: string;
     /**
-     * When the zone was created
+     * When the zone was created.
      */
     createdOn: string;
     /**
@@ -23529,35 +23570,35 @@ export interface GetZonesResult {
      */
     id: string;
     /**
-     * Metadata about the zone
+     * Metadata about the zone.
      */
     meta: outputs.GetZonesResultMeta;
     /**
-     * When the zone was last modified
+     * When the zone was last modified.
      */
     modifiedOn: string;
     /**
-     * The domain name
+     * The domain name.
      */
     name: string;
     /**
-     * The name servers Cloudflare assigns to a zone
+     * The name servers Cloudflare assigns to a zone.
      */
     nameServers: string[];
     /**
-     * DNS host at the time of switching to Cloudflare
+     * DNS host at the time of switching to Cloudflare.
      */
     originalDnshost: string;
     /**
-     * Original name servers before moving to Cloudflare
+     * Original name servers before moving to Cloudflare.
      */
     originalNameServers: string[];
     /**
-     * Registrar for the domain at the time of switching to Cloudflare
+     * Registrar for the domain at the time of switching to Cloudflare.
      */
     originalRegistrar: string;
     /**
-     * The owner of the zone
+     * The owner of the zone.
      */
     owner: outputs.GetZonesResultOwner;
     /**
@@ -23612,33 +23653,33 @@ export interface GetZonesResultAccount {
      */
     id: string;
     /**
-     * The name of the account
+     * The name of the account.
      */
     name: string;
 }
 export interface GetZonesResultMeta {
     /**
-     * The zone is only configured for CDN
+     * The zone is only configured for CDN.
      */
     cdnOnly: boolean;
     /**
-     * Number of Custom Certificates the zone can have
+     * Number of Custom Certificates the zone can have.
      */
     customCertificateQuota: number;
     /**
-     * The zone is only configured for DNS
+     * The zone is only configured for DNS.
      */
     dnsOnly: boolean;
     /**
-     * The zone is setup with Foundation DNS
+     * The zone is setup with Foundation DNS.
      */
     foundationDns: boolean;
     /**
-     * Number of Page Rules a zone can have
+     * Number of Page Rules a zone can have.
      */
     pageRuleQuota: number;
     /**
-     * The zone has been flagged for phishing
+     * The zone has been flagged for phishing.
      */
     phishingDetected: boolean;
     step: number;
@@ -23649,11 +23690,11 @@ export interface GetZonesResultOwner {
      */
     id: string;
     /**
-     * Name of the owner
+     * Name of the owner.
      */
     name: string;
     /**
-     * The type of owner
+     * The type of owner.
      */
     type: string;
 }
@@ -23691,7 +23732,7 @@ export interface GetZonesResultPlan {
      */
     legacyId: string;
     /**
-     * Name of the owner
+     * Name of the owner.
      */
     name: string;
     /**
@@ -25392,7 +25433,9 @@ export interface PageRuleActions {
     cacheKeyFields?: outputs.PageRuleActionsCacheKeyFields;
     cacheLevel?: string;
     cacheOnCookie?: string;
-    cacheTtlByStatus?: any;
+    cacheTtlByStatus?: {
+        [key: string]: string;
+    };
     disableApps?: boolean;
     disablePerformance?: boolean;
     disableSecurity?: boolean;
@@ -26355,43 +26398,6 @@ export interface R2BucketCorsRuleAllowed {
      */
     origins: string[];
 }
-export interface R2BucketEventNotificationQueue {
-    /**
-     * Queue ID.
-     */
-    queueId: string;
-    /**
-     * Name of the queue.
-     */
-    queueName: string;
-    rules: outputs.R2BucketEventNotificationQueueRule[];
-}
-export interface R2BucketEventNotificationQueueRule {
-    /**
-     * Array of R2 object actions that will trigger notifications.
-     */
-    actions: string[];
-    /**
-     * Timestamp when the rule was created.
-     */
-    createdAt: string;
-    /**
-     * A description that can be used to identify the event notification rule after creation.
-     */
-    description: string;
-    /**
-     * Notifications will be sent only for objects with this prefix.
-     */
-    prefix: string;
-    /**
-     * Rule ID.
-     */
-    ruleId: string;
-    /**
-     * Notifications will be sent only for objects with this suffix.
-     */
-    suffix: string;
-}
 export interface R2BucketEventNotificationRule {
     /**
      * Array of R2 object actions that will trigger notifications.
@@ -26995,7 +27001,7 @@ export interface RulesetRuleActionParameters {
      */
     originCacheControl?: boolean;
     /**
-     * Generate Cloudflare error pages from issues sent from the origin server. When on, error pages will trigger for issues from the origin
+     * Generate Cloudflare error pages from issues sent from the origin server. When on, error pages will trigger for issues from the origin.
      */
     originErrorPagePassthru?: boolean;
     /**
@@ -27008,7 +27014,7 @@ export interface RulesetRuleActionParameters {
     phases?: string[];
     /**
      * Configure the Polish level.
-     * Available values: "off", "lossless", "lossy".
+     * Available values: "off", "lossless", "lossy", "webp".
      */
     polish?: string;
     /**
@@ -27040,7 +27046,7 @@ export interface RulesetRuleActionParameters {
      */
     responseFields?: outputs.RulesetRuleActionParametersResponseField[];
     /**
-     * Turn on or off Rocket Loader
+     * Turn on or off Rocket Loader.
      */
     rocketLoader?: boolean;
     /**
@@ -27131,11 +27137,11 @@ export interface RulesetRuleActionParametersBrowserTtl {
 }
 export interface RulesetRuleActionParametersCacheKey {
     /**
-     * Separate cached content based on the visitor’s device type
+     * Separate cached content based on the visitor’s device type.
      */
     cacheByDeviceType?: boolean;
     /**
-     * Protect from web cache deception attacks while allowing static assets to be cached
+     * Protect from web cache deception attacks while allowing static assets to be cached.
      */
     cacheDeceptionArmor?: boolean;
     /**
@@ -27265,18 +27271,18 @@ export interface RulesetRuleActionParametersEdgeTtl {
      */
     default?: number;
     /**
-     * edge ttl options
+     * Edge TTL options.
      * Available values: "respect*origin", "bypass*by*default", "override*origin".
      */
     mode: string;
     /**
-     * List of single status codes, or status code ranges to apply the selected mode
+     * List of single status codes, or status code ranges to apply the selected mode.
      */
     statusCodeTtls?: outputs.RulesetRuleActionParametersEdgeTtlStatusCodeTtl[];
 }
 export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtl {
     /**
-     * Set the ttl for responses with this specific status code
+     * Set the TTL for responses with this specific status code.
      */
     statusCode?: number;
     /**
@@ -27290,11 +27296,11 @@ export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtl {
 }
 export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtlStatusCodeRange {
     /**
-     * response status code lower bound
+     * Response status code lower bound.
      */
     from?: number;
     /**
-     * response status code upper bound
+     * Response status code upper bound.
      */
     to?: number;
 }
@@ -27906,6 +27912,10 @@ export interface TeamsAccountSettings {
      * Anti-virus settings.
      */
     antivirus?: outputs.TeamsAccountSettingsAntivirus;
+    /**
+     * Setting to enable App Control
+     */
+    appControlSettings?: outputs.TeamsAccountSettingsAppControlSettings;
     /**
      * Block page layout settings.
      */
@@ -27995,6 +28005,12 @@ export interface TeamsAccountSettingsAntivirusNotificationSettings {
      */
     supportUrl?: string;
 }
+export interface TeamsAccountSettingsAppControlSettings {
+    /**
+     * Enable App Control
+     */
+    enabled?: boolean;
+}
 export interface TeamsAccountSettingsBlockPage {
     /**
      * If mode is customized*block*page: block page background color in #rrggbb format.
@@ -28349,8 +28365,8 @@ export interface TeamsRuleRuleSettingsBisoAdminControls {
      */
     dk: boolean;
     /**
-     * Configure whether downloading enabled or not. When absent, downloading is enabled. Only applies when `version == "v2"`.
-     * Available values: "enabled", "disabled".
+     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Available values: "enabled", "disabled", "remote*only".
      */
     download?: string;
     /**
@@ -28571,11 +28587,11 @@ export interface TunnelConfigConfig {
     /**
      * List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      */
-    ingresses: outputs.TunnelConfigConfigIngress[];
+    ingresses?: outputs.TunnelConfigConfigIngress[];
     /**
      * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      */
-    originRequest: outputs.TunnelConfigConfigOriginRequest;
+    originRequest?: outputs.TunnelConfigConfigOriginRequest;
     /**
      * Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.
      */
@@ -28589,11 +28605,11 @@ export interface TunnelConfigConfigIngress {
     /**
      * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      */
-    originRequest: outputs.TunnelConfigConfigIngressOriginRequest;
+    originRequest?: outputs.TunnelConfigConfigIngressOriginRequest;
     /**
      * Requests with this path route to this public hostname.
      */
-    path: string;
+    path?: string;
     /**
      * Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http*status:[code] e.g. 'http*status:404'.
      */
@@ -28603,15 +28619,15 @@ export interface TunnelConfigConfigIngressOriginRequest {
     /**
      * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
      */
-    access: outputs.TunnelConfigConfigIngressOriginRequestAccess;
+    access?: outputs.TunnelConfigConfigIngressOriginRequestAccess;
     /**
      * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      */
-    caPool: string;
+    caPool?: string;
     /**
      * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
      */
-    connectTimeout: number;
+    connectTimeout?: number;
     /**
      * Disables chunked transfer encoding. Useful if you are running a WSGI server.
      */
@@ -28627,35 +28643,35 @@ export interface TunnelConfigConfigIngressOriginRequest {
     /**
      * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      */
-    keepAliveConnections: number;
+    keepAliveConnections?: number;
     /**
      * Timeout after which an idle keepalive connection can be discarded.
      */
-    keepAliveTimeout: number;
+    keepAliveTimeout?: number;
     /**
      * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      */
-    noHappyEyeballs: boolean;
+    noHappyEyeballs?: boolean;
     /**
      * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
      */
-    noTlsVerify: boolean;
+    noTlsVerify?: boolean;
     /**
      * Hostname that cloudflared should expect from your origin server certificate.
      */
-    originServerName: string;
+    originServerName?: string;
     /**
      * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
      */
-    proxyType: string;
+    proxyType?: string;
     /**
      * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      */
-    tcpKeepAlive: number;
+    tcpKeepAlive?: number;
     /**
      * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      */
-    tlsTimeout: number;
+    tlsTimeout?: number;
 }
 export interface TunnelConfigConfigIngressOriginRequestAccess {
     /**
@@ -28665,22 +28681,22 @@ export interface TunnelConfigConfigIngressOriginRequestAccess {
     /**
      * Deny traffic that has not fulfilled Access authorization.
      */
-    required: boolean;
+    required?: boolean;
     teamName: string;
 }
 export interface TunnelConfigConfigOriginRequest {
     /**
      * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
      */
-    access: outputs.TunnelConfigConfigOriginRequestAccess;
+    access?: outputs.TunnelConfigConfigOriginRequestAccess;
     /**
      * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      */
-    caPool: string;
+    caPool?: string;
     /**
      * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
      */
-    connectTimeout: number;
+    connectTimeout?: number;
     /**
      * Disables chunked transfer encoding. Useful if you are running a WSGI server.
      */
@@ -28696,35 +28712,35 @@ export interface TunnelConfigConfigOriginRequest {
     /**
      * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      */
-    keepAliveConnections: number;
+    keepAliveConnections?: number;
     /**
      * Timeout after which an idle keepalive connection can be discarded.
      */
-    keepAliveTimeout: number;
+    keepAliveTimeout?: number;
     /**
      * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      */
-    noHappyEyeballs: boolean;
+    noHappyEyeballs?: boolean;
     /**
      * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
      */
-    noTlsVerify: boolean;
+    noTlsVerify?: boolean;
     /**
      * Hostname that cloudflared should expect from your origin server certificate.
      */
-    originServerName: string;
+    originServerName?: string;
     /**
      * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
      */
-    proxyType: string;
+    proxyType?: string;
     /**
      * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      */
-    tcpKeepAlive: number;
+    tcpKeepAlive?: number;
     /**
      * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      */
-    tlsTimeout: number;
+    tlsTimeout?: number;
 }
 export interface TunnelConfigConfigOriginRequestAccess {
     /**
@@ -28734,7 +28750,7 @@ export interface TunnelConfigConfigOriginRequestAccess {
     /**
      * Deny traffic that has not fulfilled Access authorization.
      */
-    required: boolean;
+    required?: boolean;
     teamName: string;
 }
 export interface TunnelConfigConfigWarpRouting {
@@ -28776,15 +28792,38 @@ export interface TunnelConnection {
 }
 export interface UserAgentBlockingRuleConfiguration {
     /**
-     * The configuration target. You must set the target to `ip` when specifying an IP address in the rule.
-     * Available values: "ip", "ip6", "ipRange", "asn", "country".
+     * The configuration target. You must set the target to `ua` when specifying a user agent in the rule.
+     * Available values: "ua".
      */
     target?: string;
     /**
-     * The IP address to match. This address will be compared to the IP address of incoming requests.
+     * the user agent to exactly match
      */
     value?: string;
 }
+export interface UserOrganization {
+    /**
+     * Identifier
+     */
+    id: string;
+    /**
+     * Organization name.
+     */
+    name: string;
+    /**
+     * Access permissions for this User.
+     */
+    permissions: string[];
+    /**
+     * List of roles that a user has within an organization.
+     */
+    roles: string[];
+    /**
+     * Whether the user is a member of the organization or has an invitation pending.
+     * Available values: "member", "invited".
+     */
+    status: string;
+}
 export interface WaitingRoomAdditionalRoute {
     /**
      * The hostname to which this waiting room will be applied (no wildcards). The hostname must be the primary domain, subdomain, or custom hostname (if using SSL for SaaS) of this zone. Please do not include the scheme (http:// or https://).
@@ -29013,6 +29052,10 @@ export interface WorkerScriptBinding {
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages?: string[];
+    /**
+     * Name of the Workflow to bind to.
+     */
+    workflowName?: string;
 }
 export interface WorkerScriptBindingOutbound {
     /**
@@ -29346,6 +29389,10 @@ export interface WorkersScriptBinding {
      * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages).
      */
     usages?: string[];
+    /**
+     * Name of the Workflow to bind to.
+     */
+    workflowName?: string;
 }
 export interface WorkersScriptBindingOutbound {
     /**
@@ -30500,7 +30547,7 @@ export interface ZeroTrustAccessApplicationTargetCriteria {
     port: number;
     /**
      * The communication protocol your application secures.
-     * Available values: "ssh".
+     * Available values: "SSH".
      */
     protocol: string;
     /**
@@ -31117,10 +31164,6 @@ export interface ZeroTrustAccessIdentityProviderConfig {
      * Your OAuth Client ID
      */
     clientId?: string;
-    /**
-     * Your OAuth Client Secret
-     */
-    clientSecret?: string;
     /**
      * Should Cloudflare try to load authentication contexts from your account
      */
@@ -31178,7 +31221,7 @@ export interface ZeroTrustAccessIdentityProviderConfig {
     /**
      * Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      */
-    signRequest: boolean;
+    signRequest?: boolean;
     /**
      * URL to send the SAML authentication requests to
      */
@@ -31206,12 +31249,12 @@ export interface ZeroTrustAccessIdentityProviderScimConfig {
     /**
      * A flag to enable or disable SCIM for the identity provider.
      */
-    enabled?: boolean;
+    enabled: boolean;
     /**
      * Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no*action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      * Available values: "automatic", "reauth", "no*action".
      */
-    identityUpdateBehavior?: string;
+    identityUpdateBehavior: string;
     /**
      * The base URL of Cloudflare's SCIM V2.0 API endpoint.
      */
@@ -31219,7 +31262,7 @@ export interface ZeroTrustAccessIdentityProviderScimConfig {
     /**
      * A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider.  This cannot be enabled unless userDeprovision is also enabled.
      */
-    seatDeprovision?: boolean;
+    seatDeprovision: boolean;
     /**
      * A read-only token generated when the SCIM integration is enabled for the first time.  It is redacted on subsequent requests.  If you lose this you will need to refresh it at /access/identity*providers/:idpID/refresh*scim_secret.
      */
@@ -31227,7 +31270,7 @@ export interface ZeroTrustAccessIdentityProviderScimConfig {
     /**
      * A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
      */
-    userDeprovision?: boolean;
+    userDeprovision: boolean;
 }
 export interface ZeroTrustAccessInfrastructureTargetIp {
     /**
@@ -32194,6 +32237,10 @@ export interface ZeroTrustDevicePostureRuleInput {
      * Available values: "online", "offline", "unknown".
      */
     state?: string;
+    /**
+     * List of certificate Subject Alternative Names.
+     */
+    subjectAlternativeNames?: string[];
     /**
      * Signing certificate thumbprint.
      */
@@ -32287,68 +32334,6 @@ export interface ZeroTrustDlpCustomProfileEntryPattern {
      */
     validation?: string;
 }
-export interface ZeroTrustDlpCustomProfileProfile {
-    aiContextEnabled?: boolean;
-    /**
-     * Related DLP policies will trigger when the match count exceeds the number set.
-     */
-    allowedMatchCount: number;
-    confidenceThreshold?: string;
-    /**
-     * Scan the context of predefined entries to only return matches surrounded by keywords.
-     */
-    contextAwareness?: outputs.ZeroTrustDlpCustomProfileProfileContextAwareness;
-    /**
-     * The description of the profile.
-     */
-    description?: string;
-    entries: outputs.ZeroTrustDlpCustomProfileProfileEntry[];
-    name: string;
-    ocrEnabled?: boolean;
-    /**
-     * Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).
-     */
-    sharedEntries?: outputs.ZeroTrustDlpCustomProfileProfileSharedEntry[];
-}
-export interface ZeroTrustDlpCustomProfileProfileContextAwareness {
-    /**
-     * If true, scan the context of predefined entries to only return matches surrounded by keywords.
-     */
-    enabled: boolean;
-    /**
-     * Content types to exclude from context analysis and return all matches.
-     */
-    skip: outputs.ZeroTrustDlpCustomProfileProfileContextAwarenessSkip;
-}
-export interface ZeroTrustDlpCustomProfileProfileContextAwarenessSkip {
-    /**
-     * If the content type is a file, skip context analysis and return all matches.
-     */
-    files: boolean;
-}
-export interface ZeroTrustDlpCustomProfileProfileEntry {
-    enabled: boolean;
-    name: string;
-    pattern?: outputs.ZeroTrustDlpCustomProfileProfileEntryPattern;
-    words?: string[];
-}
-export interface ZeroTrustDlpCustomProfileProfileEntryPattern {
-    regex: string;
-    /**
-     * Available values: "luhn".
-     *
-     * @deprecated This attribute is deprecated.
-     */
-    validation?: string;
-}
-export interface ZeroTrustDlpCustomProfileProfileSharedEntry {
-    enabled: boolean;
-    entryId: string;
-    /**
-     * Available values: "custom", "predefined", "integration", "exactData".
-     */
-    entryType: string;
-}
 export interface ZeroTrustDlpCustomProfileSharedEntry {
     enabled: boolean;
     entryId: string;
@@ -32702,8 +32687,8 @@ export interface ZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
      */
     dk: boolean;
     /**
-     * Configure whether downloading enabled or not. When absent, downloading is enabled. Only applies when `version == "v2"`.
-     * Available values: "enabled", "disabled".
+     * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`.
+     * Available values: "enabled", "disabled", "remote*only".
      */
     download?: string;
     /**
@@ -32929,6 +32914,10 @@ export interface ZeroTrustGatewaySettingsSettings {
      * Anti-virus settings.
      */
     antivirus?: outputs.ZeroTrustGatewaySettingsSettingsAntivirus;
+    /**
+     * Setting to enable App Control
+     */
+    appControlSettings?: outputs.ZeroTrustGatewaySettingsSettingsAppControlSettings;
     /**
      * Block page layout settings.
      */
@@ -33018,6 +33007,12 @@ export interface ZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings {
      */
     supportUrl?: string;
 }
+export interface ZeroTrustGatewaySettingsSettingsAppControlSettings {
+    /**
+     * Enable App Control
+     */
+    enabled?: boolean;
+}
 export interface ZeroTrustGatewaySettingsSettingsBlockPage {
     /**
      * If mode is customized*block*page: block page background color in #rrggbb format.
@@ -33215,11 +33210,11 @@ export interface ZeroTrustTunnelCloudflaredConfigConfig {
     /**
      * List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      */
-    ingresses: outputs.ZeroTrustTunnelCloudflaredConfigConfigIngress[];
+    ingresses?: outputs.ZeroTrustTunnelCloudflaredConfigConfigIngress[];
     /**
      * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      */
-    originRequest: outputs.ZeroTrustTunnelCloudflaredConfigConfigOriginRequest;
+    originRequest?: outputs.ZeroTrustTunnelCloudflaredConfigConfigOriginRequest;
     /**
      * Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.
      */
@@ -33233,11 +33228,11 @@ export interface ZeroTrustTunnelCloudflaredConfigConfigIngress {
     /**
      * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      */
-    originRequest: outputs.ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequest;
+    originRequest?: outputs.ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequest;
     /**
      * Requests with this path route to this public hostname.
      */
-    path: string;
+    path?: string;
     /**
      * Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http*status:[code] e.g. 'http*status:404'.
      */
@@ -33247,15 +33242,15 @@ export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequest {
     /**
      * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
      */
-    access: outputs.ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequestAccess;
+    access?: outputs.ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequestAccess;
     /**
      * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      */
-    caPool: string;
+    caPool?: string;
     /**
      * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
      */
-    connectTimeout: number;
+    connectTimeout?: number;
     /**
      * Disables chunked transfer encoding. Useful if you are running a WSGI server.
      */
@@ -33271,35 +33266,35 @@ export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequest {
     /**
      * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      */
-    keepAliveConnections: number;
+    keepAliveConnections?: number;
     /**
      * Timeout after which an idle keepalive connection can be discarded.
      */
-    keepAliveTimeout: number;
+    keepAliveTimeout?: number;
     /**
      * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      */
-    noHappyEyeballs: boolean;
+    noHappyEyeballs?: boolean;
     /**
      * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
      */
-    noTlsVerify: boolean;
+    noTlsVerify?: boolean;
     /**
      * Hostname that cloudflared should expect from your origin server certificate.
      */
-    originServerName: string;
+    originServerName?: string;
     /**
      * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
      */
-    proxyType: string;
+    proxyType?: string;
     /**
      * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      */
-    tcpKeepAlive: number;
+    tcpKeepAlive?: number;
     /**
      * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      */
-    tlsTimeout: number;
+    tlsTimeout?: number;
 }
 export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequestAccess {
     /**
@@ -33309,22 +33304,22 @@ export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequestAcces
     /**
      * Deny traffic that has not fulfilled Access authorization.
      */
-    required: boolean;
+    required?: boolean;
     teamName: string;
 }
 export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequest {
     /**
      * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
      */
-    access: outputs.ZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess;
+    access?: outputs.ZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess;
     /**
      * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      */
-    caPool: string;
+    caPool?: string;
     /**
      * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
      */
-    connectTimeout: number;
+    connectTimeout?: number;
     /**
      * Disables chunked transfer encoding. Useful if you are running a WSGI server.
      */
@@ -33340,35 +33335,35 @@ export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequest {
     /**
      * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      */
-    keepAliveConnections: number;
+    keepAliveConnections?: number;
     /**
      * Timeout after which an idle keepalive connection can be discarded.
      */
-    keepAliveTimeout: number;
+    keepAliveTimeout?: number;
     /**
      * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      */
-    noHappyEyeballs: boolean;
+    noHappyEyeballs?: boolean;
     /**
      * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
      */
-    noTlsVerify: boolean;
+    noTlsVerify?: boolean;
     /**
      * Hostname that cloudflared should expect from your origin server certificate.
      */
-    originServerName: string;
+    originServerName?: string;
     /**
      * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
      */
-    proxyType: string;
+    proxyType?: string;
     /**
      * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      */
-    tcpKeepAlive: number;
+    tcpKeepAlive?: number;
     /**
      * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      */
-    tlsTimeout: number;
+    tlsTimeout?: number;
 }
 export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess {
     /**
@@ -33378,7 +33373,7 @@ export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess {
     /**
      * Deny traffic that has not fulfilled Access authorization.
      */
-    required: boolean;
+    required?: boolean;
     teamName: string;
 }
 export interface ZeroTrustTunnelCloudflaredConfigConfigWarpRouting {
@@ -33530,27 +33525,27 @@ export interface ZoneLockdownConfiguration {
 }
 export interface ZoneMeta {
     /**
-     * The zone is only configured for CDN
+     * The zone is only configured for CDN.
      */
     cdnOnly: boolean;
     /**
-     * Number of Custom Certificates the zone can have
+     * Number of Custom Certificates the zone can have.
      */
     customCertificateQuota: number;
     /**
-     * The zone is only configured for DNS
+     * The zone is only configured for DNS.
      */
     dnsOnly: boolean;
     /**
-     * The zone is setup with Foundation DNS
+     * The zone is setup with Foundation DNS.
      */
     foundationDns: boolean;
     /**
-     * Number of Page Rules a zone can have
+     * Number of Page Rules a zone can have.
      */
     pageRuleQuota: number;
     /**
-     * The zone has been flagged for phishing
+     * The zone has been flagged for phishing.
      */
     phishingDetected: boolean;
     step: number;
@@ -33561,11 +33556,11 @@ export interface ZoneOwner {
      */
     id: string;
     /**
-     * Name of the owner
+     * Name of the owner.
      */
     name: string;
     /**
-     * The type of owner
+     * The type of owner.
      */
     type: string;
 }
@@ -33603,7 +33598,7 @@ export interface ZonePlan {
      */
     legacyId: string;
     /**
-     * Name of the owner
+     * Name of the owner.
      */
     name: string;
     /**