add Terraform examples (#17640)

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -47,29 +47,13 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 
 <Render file="access/add-infrastructure-app" />
 
-## 3. Add a policy
-
-<Render file="access/add-infrastructure-policy" />
-
-### Selectors
-
-The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
-
-- Email
-- Emails ending in
-- SAML group
-- Country
-- Authentication method
-- Device posture
-- Entra group, GitHub organization, Google Workspace group, Okta group
-
-## 4. Configure the server
+## 3. Configure the server
 
 Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:
 
 - [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)
 
-## Connect as a user
+## 4. Connect as a user
 
 Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.
 
@@ -116,3 +100,15 @@ warp-cli target list
 ## Revoke a user's session
 
 To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
+
+## Infrastructure policy selectors
+
+The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
+
+- Email
+- Emails ending in
+- SAML group
+- Country
+- Authentication method
+- Device posture
+- Entra group, GitHub organization, Google Workspace group, Okta group

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx

@@ -40,11 +40,7 @@ To connect your devices to Cloudflare:
 
 <Render file="access/add-infrastructure-app" />
 
-## 6. Add a policy
-
-<Render file="access/add-infrastructure-policy" />
-
-## 7. Configure SSH server
+## 6. Configure SSH server
 
 Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.
 
@@ -65,7 +61,7 @@ To generate a Cloudflare SSH CA and get its public key:
 ### Restart your SSH server
 <Render file="ssh/restart-server" />
 
-## 8. Connect as a user
+## 7. Connect as a user
 
 Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:
 

src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx

@@ -15,57 +15,115 @@ import { Tabs, TabItem, Render } from "~/components"
 5. In **Target criteria**, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
 6. Enter the **Protocol** and **Port** that will be used to connect to the server.
 7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number.
+	:::note
+	Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
+	:::
 8. Select **Next**.
+9. To secure your targets, configure a policy that defines who can connect and how they can connect:
+	1. Enter any name for your policy.
+	2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).
+	3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
+4. Select **Add application**.
 </TabItem>
 <TabItem label="API">
 
-To add an infrastructure application using the [API](/api/operations/access-applications-add-an-application):
-
-```sh
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
---header "Authorization: Bearer <API_TOKEN>" \
---header "Content-Type: application/json" \
---data '{
-	"name": "example app",
-	"type": "infrastructure",
-	"target_criteria": [
-		{
-			"target_attributes": {
-				"hostname": [
-					"infra-access-target"
-				]
-			},
-			"port": 22,
-			"protocol": "SSH"
-		}
-	],
-	"policies": [
-		{
-			"name": "Allow a specific email",
-			"decision": "allow",
-			"include": [
-				{
-					"email": {
-						"email": "[email protected]"
-					}
-				}
-			],
-			"connection_rules": {
-				"ssh": {
-					"usernames": [
-						"root",
-						"ec2-user"
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+		| Type    | Item             | Permission |
+		| ------- | ---------------- | ---------- |
+		| Account | Access: Apps & Policies  | Edit       |
+
+2. Make a `POST` request to the [Access applications](/api/operations/access-applications-add-an-application) endpoint:
+
+	```sh
+	curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
+	--header "Authorization: Bearer <API_TOKEN>" \
+	--header "Content-Type: application/json" \
+	--data '{
+		"name": "Example infrastructure app",
+		"type": "infrastructure",
+		"target_criteria": [
+			{
+				"target_attributes": {
+					"hostname": [
+						"infra-access-target"
 					]
+				},
+				"port": 22,
+				"protocol": "SSH"
+			}
+		],
+		"policies": [
+			{
+				"name": "Allow a specific email",
+				"decision": "allow",
+				"include": [
+					{
+						"email": {
+							"email": "[email protected]"
+						}
+					}
+				],
+				"connection_rules": {
+					"ssh": {
+						"usernames": [
+							"root",
+							"ec2-user"
+						]
+					}
 				}
 			}
+		]
+	}'
+	```
+
+</TabItem>
+<TabItem label="Terraform">
+
+1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:
+
+	```tf
+	resource "cloudflare_zero_trust_access_application" "infra-app" {
+		account_id = "f037e56e89293a057740de681ac9abbe"
+		name       = "Example infrastructure app"
+		type       = "infrastructure"
+
+		target_criteria {
+			port     = 22
+			protocol = "SSH"
+			target_attributes {
+				name = "hostname"
+				values = ["infra-access-target"]
+			}
+		}
+	}
+	```
+
+2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:
+
+	```tf
+	resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
+		application_id = cloudflare_zero_trust_access_application.infra-app.id
+		account_id = "f037e56e89293a057740de681ac9abbe"
+		name       = "Allow a specific email"
+		decision   = "allow"
+		precedence = 1
+
+		include {
+			email = ["[email protected]"]
 		}
-	]
-}'
-```
 
+		connection_rules {
+			ssh {
+				usernames = ["root", "ec2-user"]
+			}
+		}
+	}
+	```
 </TabItem>
 </Tabs>
 
+The targets in this application are now secured by your infrastructure policies.
+
 :::note
-Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
+Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
 :::

src/content/partials/cloudflare-one/access/add-target.mdx

@@ -9,7 +9,7 @@ A target represents a single resource in your infrastructure (such as a server,
 
 To create a new target:
 
-<Tabs>
+<Tabs syncKey="dashPlusAPI">
 <TabItem label="Dashboard">
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
 2. Select **Add a target**.
@@ -30,22 +30,51 @@ To create a new target:
 </TabItem>
 <TabItem label="API">
 
-```sh
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{
-  "hostname": "infra-access-target",
-  "ip": {
-    "ipv4": {
-      "ip_addr": "187.26.29.249",
-      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
-    },
-    "ipv6": {
-      "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
-      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+		| Type    | Item             | Permission |
+		| ------- | ---------------- | ---------- |
+		| Account | Zero Trust       | Edit       |
+
+2. Make a `POST` request to the [Infrastructure Access Targets](/api/operations/infra-targets-post) endpoint:
+
+		```sh
+		curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
+		--header "Authorization: Bearer <API_TOKEN>" \
+		--data '{
+			"hostname": "infra-access-target",
+			"ip": {
+				"ipv4": {
+					"ip_addr": "187.26.29.249",
+					"virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+				},
+				"ipv6": {
+					"ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
+					"virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
+				}
+			}
+		}'
+		```
+
+</TabItem>
+<TabItem label="Terraform">
+
+Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource:
+
+```tf
+resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
+  account_id = "f037e56e89293a057740de681ac9abbe"
+    hostname   = "infra-access-target"
+    ip = {
+			ipv4 = {
+         ip_addr = "187.26.29.249"
+         virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+       }
+			ipv6 = {
+				ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
+				virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
+			}
     }
-  }
-}'
+}
 ```
 
 </TabItem>