diff --git a/README.md b/README.md
index 9ebafb7..f74c044 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Use a hard-wired connection to your controller to use this provider.
## Features
- Manage UniFi network resources using Infrastructure as Code
-- Support for UniFi Controller version 6.x and later
+- Support for **UniFi Controller version 6.x and later**
- Compatible with UDM, UDM-Pro, UCG, and standard controller deployments
- Comprehensive resource management including:
- Network/WLAN configuration
@@ -33,7 +33,7 @@ terraform {
required_providers {
unifi = {
source = "filipowm/unifi"
- version = "~> 0.0.1" # Use the latest version
+ version = "~> 1.0.0" # Use the latest version
}
}
}
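Review bot: `~> 1.0.0` contradicts the `# Use the latest version` comment on the same line: the pessimistic constraint only admits 1.0.x patch releases, so the first 1.1.0 release will be silently excluded by `terraform init`. Either use `~> 1.0` (any 1.x) or drop the comment. The identical snippet in the migration guide in docs/index.md still reads `version = "~> 0.0.1"` in this patch and should be bumped in step.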
@@ -104,16 +104,17 @@ Comprehensive documentation is available on the [Terraform Registry](https://reg
## Plans
-- [ ] Add support for zone-based firewalls
+- [x] Add support for zone-based firewalls
- [x] Add support for DNS records
- [ ] Add support for traffic management
-- [ ] Add support for more setting resources (eg. guest access, connectivity, country, IPS/IDS, etc.)
+- [x] Add support for more setting resources (eg. guest access, connectivity, country, IPS/IDS, etc.)
- [x] Support API key authentication
- [x] Improve documentation
-- [ ] Switch to Terraform Plugin Framework from Terraform Plugin SDK v2
+- [ ] Allow muxing of Terraform Plugin Framework resources with Terraform Plugin SDK v2 resources
+- [ ] Migrate all resources to the Terraform Plugin Framework
- [x] Fix flaky tests
-- [ ] Implement validation for fields and structures
-- [ ] Increase test coverage and make tests more reliable
+- [x] Implement validation for fields and structures
+- [x] Increase test coverage and make tests more reliable
- [x] Update all dependencies to the latest versions
- [x] Switch to [filipowm/go-unifi](https://github.com/filipowm/go-unifi) SDK
- [x] Support newest controller versions (9.x)
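Review bot: "Add support for zone-based firewalls" is ticked here, but the new `unifi_firewall_zone` and `unifi_firewall_zone_policy` docs in this same patch flag the feature as experimental and gated on UniFi OS 9.0.0 with Zone Based Firewall enabled; carry that qualifier into the README (e.g. `- [x] Add support for zone-based firewalls (experimental, UniFi OS 9.0+)`) so the Plans list does not overpromise. Splitting the old "Switch to Terraform Plugin Framework" item into two unchecked items correctly records that the framework migration is still in progress; the migration guide in docs/index.md should say the same.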
diff --git a/docs/data-sources/dns_record.md b/docs/data-sources/dns_record.md
new file mode 100644
index 0000000..7e9d71e
--- /dev/null
+++ b/docs/data-sources/dns_record.md
@@ -0,0 +1,42 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_dns_record Data Source - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Retrieves information about a specific DNS record configured in your UniFi network. This data source allows you to look up DNS records by either their name or record content. It's particularly useful for validating existing DNS configurations or referencing DNS records in other resources.
+---
+
+# unifi_dns_record (Data Source)
+
+Retrieves information about a specific DNS record configured in your UniFi network. This data source allows you to look up DNS records by either their name or record content. It's particularly useful for validating existing DNS configurations or referencing DNS records in other resources.
+
+## Example Usage
+
+```terraform
+data "unifi_dns_record" "by_name" {
+ name = "example.mydomain.com"
+}
+
+data "unifi_dns_record" "by_record" {
+ record = "192.168.0.1"
+}
+```
+
+
+## Schema
+
+### Optional
+
+- `name` (String) DNS record name.
+- `record` (String) DNS record content.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `enabled` (Boolean) Whether the DNS record is enabled.
+- `id` (String) The unique identifier of this resource.
+- `port` (Number) The port of the DNS record.
+- `priority` (Number) Priority of the DNS records. Present only for MX and SRV records; unused by other record types.
+- `ttl` (Number) Time To Live (TTL) of the DNS record in seconds. Setting to 0 means 'automatic'.
+- `type` (String) The type of the DNS record.
+- `weight` (Number) A numeric value indicating the relative weight of the record.
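Review bot: `name` and `record` are both Optional and the schema does not say what happens when neither is set, both are set, or more than one record matches (a name that carries both an A and an AAAA record, or several names pointing at the same address such as `192.168.0.1` in the example). State that exactly one of the two must be given, preferably enforced at plan time with an exactly-one-of validator, and whether multiple matches are an error or return the first hit; a `type` filter would make lookups like `name` plus `type = "A"` unambiguous.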
diff --git a/docs/data-sources/dns_records.md b/docs/data-sources/dns_records.md
new file mode 100644
index 0000000..b5416c2
--- /dev/null
+++ b/docs/data-sources/dns_records.md
@@ -0,0 +1,48 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_dns_records Data Source - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Retrieves information about a all DNS records.
+---
+
+# unifi_dns_records (Data Source)
+
+Retrieves information about a all DNS records.
+
+## Example Usage
+
+```terraform
+data "unifi_dns_records" "default" {
+}
+```
+
+
+## Schema
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `result` (Attributes List) The list of DNS records. (see [below for nested schema](#nestedatt--result))
+
+
+### Nested Schema for `result`
+
+Optional:
+
+- `name` (String) DNS record name.
+- `record` (String) DNS record content.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+Read-Only:
+
+- `enabled` (Boolean) Whether the DNS record is enabled.
+- `id` (String) The unique identifier of this resource.
+- `port` (Number) The port of the DNS record.
+- `priority` (Number) Priority of the DNS records. Present only for MX and SRV records; unused by other record types.
+- `ttl` (Number) Time To Live (TTL) of the DNS record in seconds. Setting to 0 means 'automatic'.
+- `type` (String) The type of the DNS record.
+- `weight` (Number) A numeric value indicating the relative weight of the record.
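Review bot: "Retrieves information about a all DNS records" (front matter and body) is a typo in the schema description in code; since this file is generated by tfplugindocs, fix it at the source ("Retrieves all DNS records for the site.") rather than in the Markdown. In the nested `result` schema, `name`, `record` and `site` are listed under "Optional", but every element of a read-only list is computed by the provider; mark them Computed only so they render under "Read-Only" and users are not led to think they can filter with them. A per-element `site` is also redundant with the top-level `site`.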
diff --git a/docs/data-sources/firewall_zone.md b/docs/data-sources/firewall_zone.md
new file mode 100644
index 0000000..cff3333
--- /dev/null
+++ b/docs/data-sources/firewall_zone.md
@@ -0,0 +1,29 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_firewall_zone Data Source - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_firewall_zone datsources allows retrieving existing firewall zone details from the UniFi controller by the zone name.
+---
+
+# unifi_firewall_zone (Data Source)
+
+The `unifi_firewall_zone` datsources allows retrieving existing firewall zone details from the UniFi controller by the zone name.
+
+
+
+
+## Schema
+
+### Required
+
+- `name` (String) The name of the firewall zone.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
+- `networks` (List of String) List of network IDs that this firewall zone contains.
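Review bot: the Example Usage section is missing (the blank lines between the description and the Schema), which means tfplugindocs found no `examples/data-sources/unifi_firewall_zone/data-source.tf`; add one, e.g. `data "unifi_firewall_zone" "internal" { name = "Internal" }`, and carry over the UniFi OS 9.0.0 / Zone Based Firewall caveat that the resource doc has, since the lookup will fail on older controllers. "datsources" should be "data source" in the schema description (generated text, fix in code).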
diff --git a/docs/data-sources/user.md b/docs/data-sources/user.md
index 9fe4ff2..9732788 100644
--- a/docs/data-sources/user.md
+++ b/docs/data-sources/user.md
@@ -33,7 +33,7 @@ data "unifi_user" "client" {
- `blocked` (Boolean) Specifies whether this user should be blocked from the network.
- `dev_id_override` (Number) Override the device fingerprint.
-- `fixed_ip` (String) fixed IPv4 address set for this user.
+- `fixed_ip` (String) Fixed IPv4 address set for this user.
- `hostname` (String) The hostname of the user.
- `id` (String) The ID of the user.
- `ip` (String) The IP address of the user.
diff --git a/docs/index.md b/docs/index.md
index 98bbcb9..c951964 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -11,16 +11,17 @@ The UniFi provider enables infrastructure-as-code management of [Ubiquiti's UniF
## Supported Features
-The provider supports management of:
-
-* Networks and VLANs
-* Wireless Networks (WLANs)
-* Firewall Rules and Groups
-* Port Forwarding
-* DNS Records
-* User Management
-* Device Configuration
-* And more...
+- Manage UniFi network resources using Infrastructure as Code
+- Support for UniFi Controller version 6.x and later
+- Compatible with UDM, UDM-Pro, UCG, and standard controller deployments
+- Comprehensive resource management including:
+ - Network/WLAN configuration
+ - Firewall rules and groups
+ - Port forwarding
+ - DNS records
+ - User management
+ - Device management
+ - And more...
## Supported Platforms
@@ -105,3 +106,139 @@ provider "unifi" {
- `username` (String) Local user name for the Unifi controller API. Can be specified with the `UNIFI_USERNAME` environment variable.
## Migrating from paultyng/terraform-provider-unifi
+
+This provider is a fork of the original [paultyng/terraform-provider-unifi](https://github.com/paultyng/terraform-provider-unifi) with significant enhancements, improvements, and additional features. If you're currently using the original provider, this guide will help you migrate to this enhanced version.
+
+### Key Differences and Improvements
+
+| Feature | paultyng/unifi | filipowm/unifi |
+|---------|---------------|----------------|
+| Framework | Terraform SDK v2 | Terraform Plugin Framework |
+| Controller Support | UniFi Controller v6.x | UniFi Controller v6.x and later (including v9.x) |
+| Authentication | Username/Password | Username/Password and API Key |
+| Resource Organization | Flat structure | Organized by domain (settings, dns, etc.) |
+| Validation | Basic | Enhanced with custom validators |
+| Documentation | Basic | Comprehensive with examples |
+| Settings Resources | Limited | Expanded (IPS, Guest Access, etc.) |
+| DNS Management | Limited | Enhanced with dedicated resources |
+
+### Migration Steps
+
+1. **Update Provider Configuration**
+
+ Change your provider source from `paultyng/unifi` to `filipowm/unifi`:
+
+ ```hcl
+ terraform {
+ required_providers {
+ unifi = {
+ source = "filipowm/unifi"
+ version = "~> 0.0.1" # Use the latest version
+ }
+ }
+ }
+ ```
+
+2. **Authentication Updates**
+
+ The provider configuration remains compatible, but now offers API Key authentication as an alternative to username/password:
+
+ ```hcl
+ # Using API Key (recommended for newer controllers)
+ provider "unifi" {
+ api_key = var.api_key
+ api_url = var.api_url
+ allow_insecure = var.insecure
+ }
+
+ # Using Username/Password (backward compatible)
+ provider "unifi" {
+ username = var.username
+ password = var.password
+ api_url = var.api_url
+ allow_insecure = var.insecure
+ }
+ ```
+
+3. **Resource State Migration**
+
+ Most resources maintain backward compatibility, so your existing state should migrate seamlessly. However, for resources with enhanced functionality, you may need to run `terraform import` to reconcile state differences.
+
+ ```bash
+ # Example: Re-importing a network resource
+ terraform import unifi_network.my_network 5dc28e5e9106d105bdc87217
+ ```
+
+4. **Enhanced Resource Configuration**
+
+ Take advantage of new validation and configuration options:
+
+ - Use the new validators for attributes like URLs, emails, and hostnames
+ - Leverage nested attributes for more organized configuration
+ - Utilize new settings resources for comprehensive network management
+
+### New and Enhanced Resources
+
+#### New Settings Resources
+
+- `unifi_setting_auto_speedtest` - Manage automatic speed test configuration
+- `unifi_setting_country` - Configure country settings
+- `unifi_setting_dpi` - Manage Deep Packet Inspection settings
+- `unifi_setting_guest_access` - Configure guest network access settings
+- `unifi_setting_ips` - Manage Intrusion Prevention System settings
+- `unifi_setting_lcd_monitor` - Configure LCD monitor settings for devices
+- `unifi_setting_locale` - Set locale preferences
+- `unifi_setting_magic_site_to_site_vpn` - Configure site-to-site VPN
+- `unifi_setting_mgmt` - Manage management settings
+- `unifi_setting_network_optimization` - Configure network optimization
+- `unifi_setting_ntp` - Manage NTP server settings
+- `unifi_setting_radius` - Configure RADIUS server settings
+- `unifi_setting_rsyslogd` - Manage remote syslog settings
+- `unifi_setting_ssl_inspection` - Configure SSL inspection
+- `unifi_setting_teleport` - Manage Teleport settings
+- `unifi_setting_usg` - Configure UniFi Security Gateway settings
+- `unifi_setting_usw` - Manage UniFi Switch settings
+
+#### Enhanced DNS Management
+
+- `unifi_dns_record` - Create and manage DNS records
+
+#### Other Improvements
+
+- Enhanced validation for all resources
+- Better error messages and diagnostics
+- Improved documentation with comprehensive examples
+- Support for the latest UniFi Controller features
+
+### Developer-Focused Improvements
+
+For developers extending or customizing the provider:
+
+1. **Framework Migration**
+ - Migrated from Terraform SDK v2 to Terraform Plugin Framework
+ - Better type safety and validation capabilities
+ - Enhanced testing infrastructure
+
+2. **Code Organization**
+ - Resources organized by domain in separate packages
+ - Base types and utilities for consistent implementation
+ - Custom validators for common validation patterns
+
+3. **Testing**
+ - Comprehensive acceptance tests
+ - Test helpers and utilities
+ - Improved test stability
+
+### Compatibility Notes
+
+- The provider maintains backward compatibility with existing configurations where possible
+- Some advanced features may require updates to your configuration
+- The provider follows semantic versioning for releases
+
+### Getting Help
+
+If you encounter issues during migration:
+
+1. Check the [documentation](https://registry.terraform.io/providers/filipowm/unifi/latest/docs)
+2. Review examples in the [GitHub repository](https://github.com/filipowm/terraform-provider-unifi)
+3. Open an issue on GitHub for assistance
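Review bot: the "Key Differences" table (`Framework | Terraform SDK v2 | Terraform Plugin Framework`) and the "Developer-Focused Improvements" section ("Migrated from Terraform SDK v2 to Terraform Plugin Framework") present the framework migration as complete, while the README Plans in this same patch leave "Allow muxing of Terraform Plugin Framework resources with Terraform Plugin SDK v2 resources" and "Migrate all resources to the Terraform Plugin Framework" unchecked; say what is actually true, e.g. "new resources on the Plugin Framework, legacy resources still on SDK v2". Three further points in the same section: the snippet under "Update Provider Configuration" still pins `version = "~> 0.0.1"` while the README was bumped to `~> 1.0.0`; step 3 recommends `terraform import` to reconcile state, but import fails with "Resource already managed by Terraform" for an address that is already in state, and the step a reader changing `source` actually needs is `terraform state replace-provider registry.terraform.io/paultyng/unifi registry.terraform.io/filipowm/unifi` (with `terraform state rm` before any re-import); and both provider examples pass `allow_insecure = var.insecure` without saying that this disables TLS certificate verification of the controller, which is exactly what an attacker on the path needs to capture the API key or password, so document it as a lab-only option and declare `var.api_key` and `var.password` with `sensitive = true`.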
diff --git a/docs/resources/dns_record.md b/docs/resources/dns_record.md
new file mode 100644
index 0000000..45f3180
--- /dev/null
+++ b/docs/resources/dns_record.md
@@ -0,0 +1,71 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_dns_record Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_dns_record resource manages DNS records in the UniFi controller's DNS server.
+ This resource allows you to configure various types of DNS records for local name resolution. Common use cases include:
+ Creating A records for local servers and devicesSetting up CNAME aliases for internal servicesConfiguring MX records for local mail serversAdding TXT records for service verification
+---
+
+# unifi_dns_record (Resource)
+
+The `unifi_dns_record` resource manages DNS records in the UniFi controller's DNS server.
+
+This resource allows you to configure various types of DNS records for local name resolution. Common use cases include:
+ * Creating A records for local servers and devices
+ * Setting up CNAME aliases for internal services
+ * Configuring MX records for local mail servers
+ * Adding TXT records for service verification
+
+## Example Usage
+
+```terraform
+resource "unifi_dns_record" "a_record" {
+ name = "example.mydomain.com"
+ type = "A"
+ record = "192.168.1.190"
+}
+
+resource "unifi_dns_record" "cname_record" {
+ name = "example.mydomain.com"
+ type = "CNAME"
+ record = "example.com"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `name` (String) DNS record name.
+- `record` (String) The content of the DNS record. The expected value depends on the record type:
+ * For A records: IPv4 address (e.g., '192.168.1.10')
+ * For AAAA records: IPv6 address
+ * For CNAME records: Canonical name (e.g., 'server1.example.com')
+ * For MX records: Mail server hostname
+ * For TXT records: Text content (e.g., 'v=spf1 include:_spf.example.com ~all')
+- `type` (String) The type of DNS record. Valid values are:
+ * `A` - Maps a hostname to IPv4 address
+ * `AAAA` - Maps a hostname to IPv6 address
+ * `CNAME` - Creates an alias for another domain name
+ * `MX` - Specifies mail servers for the domain
+ * `NS` - Delegates a subdomain to a set of name servers
+ * `PTR` - Creates a pointer to a canonical name (reverse DNS)
+ * `SOA` - Specifies authoritative information about the domain
+ * `SRV` - Specifies location of services (hostname and port)
+ * `TXT` - Holds descriptive text
+
+### Optional
+
+- `enabled` (Boolean) Whether the DNS record is active. Defaults to true. Set to false to temporarily disable resolution without removing the record.
+- `port` (Number) The port number for SRV records. Valid values are between 1 and 65535. Only used with SRV records.
+- `priority` (Number) Priority value for MX and SRV records. Lower values indicate higher priority. Required for MX and SRV records, ignored for other types.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `ttl` (Number) Time To Live (TTL) in seconds, determines how long DNS resolvers should cache this record. Set to 0 for automatic TTL. Common values: 300 (5 minutes), 3600 (1 hour), 86400 (1 day).
+- `weight` (Number) A relative weight for SRV records with the same priority. Higher values get proportionally more traffic. Only used with SRV records.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
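Review bot: the example creates an A record and a CNAME record for the same owner name `example.mydomain.com`; a CNAME may not coexist with any other record at the same name (RFC 1034 section 3.6.2), so either the controller rejects the second resource or resolution becomes undefined. Give the CNAME its own name, e.g. `name = "alias.mydomain.com"` with `record = "example.mydomain.com"`. `priority` is documented as "Required for MX and SRV records" yet sits under Optional with no default; say whether the provider validates this at plan time (error when `type` is `MX`/`SRV` and `priority` is unset) or the controller rejects it at apply. The `port` range "1 to 65535" excludes 0, which RFC 2782 permits for SRV records; state that as a deliberate restriction if it is one.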
diff --git a/docs/resources/firewall_zone.md b/docs/resources/firewall_zone.md
new file mode 100644
index 0000000..77e7b64
--- /dev/null
+++ b/docs/resources/firewall_zone.md
@@ -0,0 +1,61 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_firewall_zone Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_firewall_zone resource manages firewall zones in the UniFi controller.
+ Firewall zones allow you to group networks together for firewall rule application. This resource allows you to create, update, and delete firewall zones.
+ !> This is experimental feature, that requires UniFi OS 9.0.0 or later and Zone Based Firewall feature enabled. Check official documentation https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi how to migate to Zone-Based firewalls.
+---
+
+# unifi_firewall_zone (Resource)
+
+The `unifi_firewall_zone` resource manages firewall zones in the UniFi controller.
+
+Firewall zones allow you to group networks together for firewall rule application. This resource allows you to create, update, and delete firewall zones.
+
+!> This is experimental feature, that requires UniFi OS 9.0.0 or later and Zone Based Firewall feature enabled. Check [official documentation](https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi) how to migate to Zone-Based firewalls.
+
+## Example Usage
+
+```terraform
+resource "unifi_network" "network" {
+ name = "my-network"
+ purpose = "corporate"
+ subnet = "10.0.10.0/24"
+ vlan_id = "400"
+}
+
+resource "unifi_firewall_zone" "zone" {
+ name = "my-zone"
+ networks = [unifi_network.network.id]
+}
+```
+
+
+## Schema
+
+### Required
+
+- `name` (String) The name of the firewall zone.
+
+### Optional
+
+- `networks` (List of String) List of network IDs to include in this firewall zone.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# import from provider configured site
+terraform import unifi_firewall_zone.myzone 5dc28e5e9106d105bdc87217
+
+# import from another site
+terraform import unifi_firewall_zone.myzone another-site:5dc28e5e9106d105bdc87217
+```
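Review bot: `networks` is a List of String, so any reordering by the controller or the user produces a spurious diff and an unnecessary update; membership is a set, so use a Set attribute unless the controller honours order. In the example `vlan_id = "400"` is quoted; if `vlan_id` is a Number attribute on `unifi_network`, write `vlan_id = 400` so the example does not rely on implicit string-to-number conversion. The warning "This is experimental feature, that ... how to migate" is generated from the schema description and should be fixed in code: "This is an experimental feature that requires UniFi OS 9.0.0 or later ... on how to migrate".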
diff --git a/docs/resources/firewall_zone_policy.md b/docs/resources/firewall_zone_policy.md
new file mode 100644
index 0000000..61b5cb4
--- /dev/null
+++ b/docs/resources/firewall_zone_policy.md
@@ -0,0 +1,181 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_firewall_zone_policy Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_firewall_zone_policy resource manages firewall policies between zones in the UniFi controller. This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.
+ !> This is experimental feature, that requires UniFi OS 9.0.0 or later and Zone Based Firewall feature enabled. Check official documentation https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi how to migate to Zone-Based firewalls.
+---
+
+# unifi_firewall_zone_policy (Resource)
+
+The `unifi_firewall_zone_policy` resource manages firewall policies between zones in the UniFi controller. This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.
+
+!> This is experimental feature, that requires UniFi OS 9.0.0 or later and Zone Based Firewall feature enabled. Check [official documentation](https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi) how to migate to Zone-Based firewalls.
+
+## Example Usage
+
+```terraform
+resource "unifi_network" "network" {
+ name = "my-network"
+ purpose = "corporate"
+ subnet = "10.0.10.0/24"
+ vlan_id = "400"
+}
+
+resource "unifi_firewall_zone" "src" {
+ name = "my-source-zone"
+ networks = [unifi_network.network.id]
+}
+
+resource "unifi_firewall_zone" "dst" {
+ name = "my-destination-zone"
+}
+
+# Allow TCP/UDP traffic from any ip and port other than 192.168.1.1 and 443 in `src` zone to `dst` zone
+resource "unifi_firewall_zone_policy" "policy" {
+ name = "my-zone-policy"
+ action = "ALLOW"
+ protocol = "tcp_udp"
+
+ source = {
+ zone_id = unifi_firewall_zone.src.id
+ ips = ["192.168.1.1"]
+ port = "443"
+ match_opposite_ips = true
+ match_opposite_ports = true
+ }
+
+ destination = {
+ zone_id = unifi_firewall_zone.dst.id
+ }
+
+ schedule = {
+ mode = "EVERY_DAY"
+ time_all_day = false
+ time_from = "08:00"
+ time_to = "17:00"
+ }
+}
+
+resource "unifi_firewall_group" "web-ports" {
+ name = "web-apps"
+ type = "port-group"
+ members = ["80", "443"]
+}
+
+# Block TCP/UDP traffic from any ip and port in `src` zone to `dst` zone ports 80 and 443 defined in port group
+resource "unifi_firewall_zone_policy" "policy2" {
+ name = "my-policy-2"
+ action = "BLOCK"
+ protocol = "tcp_udp"
+
+ source = {
+ zone_id = unifi_firewall_zone.src.id
+ }
+
+ destination = {
+ zone_id = unifi_firewall_zone.dst.id
+ port_group_id = unifi_firewall_group.web-ports.id
+ }
+}
+```
+
+
+## Schema
+
+### Required
+
+- `action` (String) Determines which action to take on matching traffic. Must be one of `BLOCK`, `ALLOW`, or `REJECT`.
+- `destination` (Attributes) The zone matching the destination of the traffic. Optionally match on a specific destination inside the zone. (see [below for nested schema](#nestedatt--destination))
+- `name` (String) The name of the firewall zone policy.
+- `source` (Attributes) The zone matching the source of the traffic. Optionally match on a specific source inside the zone. (see [below for nested schema](#nestedatt--source))
+
+### Optional
+
+- `auto_allow_return_traffic` (Boolean) Creates a built-in policy for the opposite Zone Pair to automatically allow the return traffic. If disabled, return traffic must be manually allowed
+- `connection_state_type` (String) Optionally match on a firewall connection state such as traffic associated with an already existing connection. Valid values are `ALL`, `RESPOND_ONLY`, or `CUSTOM`.
+- `connection_states` (List of String) Connection states to match when `connection_state_type` is `CUSTOM`. Valid values include `ESTABLISHED`, `NEW`, `RELATED`, and `INVALID`.
+- `description` (String) Description of the firewall zone policy.
+- `enabled` (Boolean) Enable the policy
+- `index` (Number) Priority index for the policy.
+- `ip_version` (String) Optionally match on only IPv4 or IPv6. Valid values are `BOTH`, `IPV4`, or `IPV6`.
+- `logging` (Boolean) Enable to generate syslog entries when traffic is matched.
+- `match_ip_sec_type` (String) Optionally match on traffic encrypted by IPsec. This is typically used for Ipsec Policy-Based VPNs. Valid values are `MATCH_IP_SEC` or `MATCH_NON_IP_SEC`.
+- `match_opposite_protocol` (Boolean) Whether to match the opposite protocol.
+- `protocol` (String) Optionally match a specific protocol. Valid values include: `all`, `tcp_udp`, `tcp`, `udp`, etc.
+- `schedule` (Attributes) Enforce this policy at specific times. (see [below for nested schema](#nestedatt--schedule))
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
+
+
+### Nested Schema for `destination`
+
+Required:
+
+- `zone_id` (String) ID of the firewall zone.
+
+Optional:
+
+- `app_category_ids` (List of String) List of application category IDs.
+- `app_ids` (List of String) List of application IDs.
+- `ip_group_id` (String) ID of the source IP group.
+- `ips` (List of String) List of source IPs.
+- `match_opposite_ips` (Boolean) Whether to match opposite IPs.
+- `match_opposite_ports` (Boolean) Whether to match opposite ports.
+- `port` (Number) Source port.
+- `port_group_id` (String) ID of the source port group.
+- `regions` (List of String) List of regions.
+- `web_domains` (List of String) List of web domains.
+
+
+
+### Nested Schema for `source`
+
+Required:
+
+- `zone_id` (String) ID of the firewall zone.
+
+Optional:
+
+- `client_macs` (List of String) List of client MAC addresses.
+- `ip_group_id` (String) ID of the source IP group.
+- `ips` (List of String) List of source IPs.
+- `mac` (String) Source MAC address.
+- `macs` (List of String) List of MAC addresses.
+- `match_opposite_ips` (Boolean) Whether to match opposite IPs.
+- `match_opposite_networks` (Boolean) Whether to match opposite networks.
+- `match_opposite_ports` (Boolean) Whether to match opposite ports.
+- `network_ids` (List of String) List of network IDs.
+- `port` (Number) Source port.
+- `port_group_id` (String) ID of the source port group.
+
+
+
+### Nested Schema for `schedule`
+
+Optional:
+
+- `date` (String) Date for the schedule.
+- `date_end` (String) End date for the schedule.
+- `date_start` (String) Start date for the schedule.
+- `mode` (String) Schedule mode. Valid values are `ALWAYS`, `EVERY_DAY`, `EVERY_WEEK`, `ONE_TIME_ONLY`, or `CUSTOM`.
+- `repeat_on_days` (List of String) Days of the week when schedule repeats. Valid values include `mon`, `tue`, `wed`, `thu`, `fri`, `sat`, and `sun`.
+- `time_all_day` (Boolean) Whether the schedule applies all day.
+- `time_from` (String) Schedule starting time in 24-hour format (HH:MM).
+- `time_to` (String) Schedule ending time in 24-hour format (HH:MM).
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# import from provider configured site
+terraform import unifi_network.mynetwork 5dc28e5e9106d105bdc87217
+
+# import from another site
+terraform import unifi_network.mynetwork zone:5dc28e5e9106d105bdc87217
+```
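Review bot: the Import section was copied from `unifi_network`: it imports `unifi_network.mynetwork` and uses a `zone:` prefix, whereas this resource is `unifi_firewall_zone_policy` and the sibling `unifi_firewall_zone` doc uses `another-site:<id>`; it should read `terraform import unifi_firewall_zone_policy.mypolicy 5dc28e5e9106d105bdc87217` and `terraform import unifi_firewall_zone_policy.mypolicy another-site:5dc28e5e9106d105bdc87217`. In the `destination` nested schema, `ip_group_id`, `ips`, `port` and `port_group_id` are described as "source" (copy-paste from `source`); `port` is typed Number but the example writes `port = "443"`; and `source` exposes `mac`, `macs` and `client_macs` with no explanation of how they differ. Two behaviours a firewall operator needs stated: whether a lower `index` is evaluated first, and the defaults of `auto_allow_return_traffic`, `enabled` and `logging` (for a `BLOCK` policy like `policy2`, recommend `logging = true` so denied traffic is visible in syslog).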
diff --git a/docs/resources/portal_file.md b/docs/resources/portal_file.md
new file mode 100644
index 0000000..5c4d91e
--- /dev/null
+++ b/docs/resources/portal_file.md
@@ -0,0 +1,43 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_portal_file Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_portal_file resource manages files uploaded to the UniFi guest portal. This resource allows you to upload images that can be used in customizing the UniFi guest portal interface.
+ Note: This resource uploads files to the UniFi controller. The file must exist on the local filesystem where Terraform is executed.
+---
+
+# unifi_portal_file (Resource)
+
+The `unifi_portal_file` resource manages files uploaded to the UniFi guest portal. This resource allows you to upload images that can be used in customizing the UniFi guest portal interface.
+
+**Note:** This resource uploads files to the UniFi controller. The file must exist on the local filesystem where Terraform is executed.
+
+## Example Usage
+
+```terraform
+resource "unifi_portal_file" "file" {
+ file_path = "/Users/username/Downloads/portal.png"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `file_path` (String) Path to the file on the local filesystem to upload to the UniFi controller. The file must exist and be readable.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `content_type` (String) MIME type of the file.
+- `file_size` (Number) Size of the file in bytes.
+- `filename` (String) Name of the file as stored in the UniFi controller.
+- `id` (String) The unique identifier of this resource.
+- `last_modified` (Number) Timestamp when the file was last modified.
+- `md5` (String) MD5 hash of the file content.
+- `url` (String) URL where the file can be accessed on the UniFi controller.
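Review bot: the example path `/Users/username/Downloads/portal.png` is machine-specific and will not apply from CI; use a module-relative path, e.g. `file_path = "${path.module}/files/portal.png"`. The schema does not say whether editing the file in place triggers a new upload: with `file_path` as the only input, the plan is a no-op unless the provider compares the local file against the stored `md5`, and that behaviour should be documented (or `md5`/`file_size` should be computed from the local file at plan time so a changed file forces replacement). `last_modified` is a Number with no unit (epoch seconds or milliseconds). Worth one sentence as well: the guest portal is typically reachable before authentication, so anything exposed at `url` should be treated as public artwork only.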
diff --git a/docs/resources/setting_auto_speedtest.md b/docs/resources/setting_auto_speedtest.md
new file mode 100644
index 0000000..799e024
--- /dev/null
+++ b/docs/resources/setting_auto_speedtest.md
@@ -0,0 +1,46 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_auto_speedtest Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_setting_auto_speedtest resource manages the automatic speedtest settings in the UniFi controller.Automatic speedtests can be scheduled to run at regular intervals to monitor the network performance.
+ NOTE: Automatic speedtests where not verified and tested on all UniFi controller versions due to limitations of controller used in acceptance testing.
+---
+
+# unifi_setting_auto_speedtest (Resource)
+
+The `unifi_setting_auto_speedtest` resource manages the automatic speedtest settings in the UniFi controller.Automatic speedtests can be scheduled to run at regular intervals to monitor the network performance.
+
+**NOTE:** Automatic speedtests where not verified and tested on all UniFi controller versions due to limitations of controller used in acceptance testing.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_auto_speedtest" "example" {
+ # Enable automatic speedtest functionality
+ enabled = true
+
+ # Schedule for running speedtests using cron syntax
+ # This example runs at midnight every day
+ cron = "0 0 * * *"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether the automatic speedtest is enabled.
+
+### Optional
+
+- `cron` (String) Cron expression defining the schedule for automatic speedtests.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
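Review bot: "controller.Automatic" (missing space) and "speedtests where not verified" ("were") are in the generated description, so fix them in the schema description in code. `cron` is Optional but the example presents it as what drives the schedule; document what the controller does when `enabled = true` and `cron` is unset, and which cron dialect it accepts (the 5-field `0 0 * * *` form in the example or something else), since an invalid expression will only surface as a controller error at apply time unless the provider validates it.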
diff --git a/docs/resources/setting_country.md b/docs/resources/setting_country.md
new file mode 100644
index 0000000..768d2b4
--- /dev/null
+++ b/docs/resources/setting_country.md
@@ -0,0 +1,40 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_country Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_setting_country resource allows you to configure the country settings for your UniFi network.
+---
+
+# unifi_setting_country (Resource)
+
+The `unifi_setting_country` resource allows you to configure the country settings for your UniFi network.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_country" "example" {
+ # Set the country code using ISO 3166-1 alpha-2 format
+ # This example sets the country to United States
+ code = "US"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `code` (String) The country code to set for the UniFi site. The country code must be a valid ISO 3166-1 alpha-2 code.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `code_numeric` (Number) The numeric representation in ISO 3166-1 of the country code.
+- `id` (String) The unique identifier of this resource.
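Review bot: `code` says it "must be a valid ISO 3166-1 alpha-2 code" but not whether validation and the controller are case-sensitive; if a user writes `code = "us"` and the API stores `US`, every plan will show a spurious change. State whether lowercase is rejected by the validator or normalised by the provider.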
diff --git a/docs/resources/setting_dpi.md b/docs/resources/setting_dpi.md
new file mode 100644
index 0000000..ef20fdf
--- /dev/null
+++ b/docs/resources/setting_dpi.md
@@ -0,0 +1,42 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_dpi Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages Deep Packet Inspection (DPI) settings for a UniFi site. DPI is a feature that allows the UniFi controller to analyze network traffic and identify applications and services being used on the network.
+---
+
+# unifi_setting_dpi (Resource)
+
+Manages Deep Packet Inspection (DPI) settings for a UniFi site. DPI is a feature that allows the UniFi controller to analyze network traffic and identify applications and services being used on the network.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_dpi" "example" {
+ # Enable Deep Packet Inspection
+ enabled = true
+
+ # Enable DPI fingerprinting for more accurate application identification
+ fingerprinting_enabled = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether Deep Packet Inspection is enabled.
+- `fingerprinting_enabled` (Boolean) Whether DPI fingerprinting is enabled. Fingerprinting allows the controller to identify applications and services based on traffic patterns.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
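Review bot: both `enabled` and `fingerprinting_enabled` are Required, so a user disabling DPI must still choose a value for fingerprinting; document what `enabled = false` with `fingerprinting_enabled = true` means on the controller (ignored, rejected, or applied when DPI is re-enabled) so the combination does not produce a silent no-op or a perpetual diff.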
diff --git a/docs/resources/setting_guest_access.md b/docs/resources/setting_guest_access.md
new file mode 100644
index 0000000..be5a035
--- /dev/null
+++ b/docs/resources/setting_guest_access.md
@@ -0,0 +1,376 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_guest_access Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_setting_guest_access resource manages the guest access settings in the UniFi controller.
+ This resource allows you to configure all aspects of guest network access including authentication methods, portal customization, and payment options.
+---
+
+# unifi_setting_guest_access (Resource)
+
+The `unifi_setting_guest_access` resource manages the guest access settings in the UniFi controller.
+
+This resource allows you to configure all aspects of guest network access including authentication methods, portal customization, and payment options.
+
+## Example Usage
+
+```terraform
+# Configure guest access settings for your UniFi network
+# This example demonstrates a comprehensive guest portal setup with various authentication options
+
+resource "unifi_portal_file" "logo" {
+ file_path = "logo.png"
+}
+
+resource "unifi_setting_guest_access" "guest_portal" {
+ # Basic configuration
+ auth = "hotspot" # Authentication type: none, hotspot, custom, or external
+ portal_enabled = true # Enable the guest portal
+ portal_use_hostname = true # Use hostname for the portal
+ portal_hostname = "guest.example.com" # Portal hostname
+ template_engine = "angular" # Portal template engine (angular or jsp)
+
+ # Expiration settings for guest access
+ expire = 1440 # Minutes until expiration
+ expire_number = 1 # Number of time units
+ expire_unit = 1440 # Time unit in minutes
+
+ # Enable external captive portal detection
+ ec_enabled = true
+
+ # Password protection for guest access
+ password = "guest-access-password"
+
+ # Google authentication
+ google {
+ client_id = "your-google-client-id"
+ client_secret = "your-google-client-secret"
+ domain = "example.com" # Optional: limit sign-ins to a specific domain
+ scope_email = true # Request email addresses during sign-in
+ }
+
+ # Payment option (PayPal)
+ payment_gateway = "paypal"
+ paypal {
+ username = "business@example.com"
+ password = "paypal-api-password"
+ signature = "paypal-api-signature"
+ use_sandbox = true # Set to false for production
+ }
+
+ # Redirecting guests after authentication
+ redirect {
+ url = "https://example.com/welcome"
+ use_https = true
+ to_https = true
+ }
+
+ # Restricted DNS for guests
+ restricted_dns_servers = [
+ "1.1.1.1",
+ "8.8.8.8"
+ ]
+
+ # Portal customization options
+ portal_customization {
+ customized = true
+
+ # Portal appearance
+ title = "Welcome to Our Guest Network"
+ welcome_text = "Thanks for visiting our location. Please enjoy our complimentary WiFi."
+ welcome_text_enabled = true
+ welcome_text_position = "top"
+
+ # Color scheme
+ bg_color = "#f5f5f5"
+ text_color = "#333333"
+ link_color = "#0078d4"
+
+ # Authentication dialog box
+ box_color = "#ffffff"
+ box_text_color = "#333333"
+ box_link_color = "#0078d4"
+ box_opacity = 90
+ box_radius = 5
+
+ # Logo
+ logo_file_id = unifi_portal_file.logo.id
+
+ # Button styling
+ button_color = "#0078d4"
+ button_text_color = "#ffffff"
+ button_text = "Connect"
+
+ # Legal information / Terms of Service
+ tos_enabled = true
+ tos = "By using this service, you agree to our terms and conditions. Unauthorized use is prohibited."
+
+ # Languages supported
+ languages = ["PL"]
+ }
+}
+```
+
+
+## Schema
+
+### Optional
+
+- `allowed_subnet` (String) Subnet allowed for guest access.
+- `auth` (String) Authentication method for guest access. Valid values are:
+* `none` - No authentication required
+* `hotspot` - Password authentication
+* `facebook_wifi` - Facebook auth entication
+* `custom` - Custom authentication
+
+For password authentication, set `auth` to `hotspot` and `password_enabled` to `true`.
+For voucher authentication, set `auth` to `hotspot` and `voucher_enabled` to `true`.
+For payment authentication, set `auth` to `hotspot` and `payment_enabled` to `true`.
+- `auth_url` (String) URL for authentication. Must be a valid URL including the protocol.
+- `authorize` (Attributes) Authorize.net payment settings. (see [below for nested schema](#nestedatt--authorize))
+- `custom_ip` (String) Custom IP address. Must be a valid IPv4 address (e.g., `192.168.1.1`).
+- `ec_enabled` (Boolean) Enable enterprise controller functionality.
+- `expire` (Number) Expiration time for guest access.
+- `expire_number` (Number) Number value for the expiration time.
+- `expire_unit` (Number) Unit for the expiration time. Valid values are:
+* `1` - Minute
+* `60` - Hour
+* `1440` - Day
+* `10080` - Week
+- `facebook` (Attributes) Facebook authentication settings. (see [below for nested schema](#nestedatt--facebook))
+- `facebook_wifi` (Attributes) Facebook WiFi authentication settings. (see [below for nested schema](#nestedatt--facebook_wifi))
+- `google` (Attributes) Google authentication settings. (see [below for nested schema](#nestedatt--google))
+- `ippay` (Attributes) IPpay Payments settings. (see [below for nested schema](#nestedatt--ippay))
+- `merchant_warrior` (Attributes) MerchantWarrior payment settings. (see [below for nested schema](#nestedatt--merchant_warrior))
+- `password` (String, Sensitive) Password for guest access.
+- `payment_gateway` (String) Payment gateway. Valid values are:
+* `paypal` - PayPal
+* `stripe` - Stripe
+* `authorize` - Authorize.net
+* `quickpay` - QuickPay
+* `merchantwarrior` - Merchant Warrior
+* `ippay` - IP Payments
+- `paypal` (Attributes) PayPal payment settings. (see [below for nested schema](#nestedatt--paypal))
+- `portal_customization` (Attributes) Portal customization settings. (see [below for nested schema](#nestedatt--portal_customization))
+- `portal_enabled` (Boolean) Enable the guest portal.
+- `portal_hostname` (String) Hostname to use for the captive portal.
+- `portal_use_hostname` (Boolean) Use a custom hostname for the portal.
+- `quickpay` (Attributes) QuickPay payment settings. (see [below for nested schema](#nestedatt--quickpay))
+- `radius` (Attributes) RADIUS authentication settings. (see [below for nested schema](#nestedatt--radius))
+- `redirect` (Attributes) Redirect after authentication settings. (see [below for nested schema](#nestedatt--redirect))
+- `restricted_dns_servers` (List of String) List of restricted DNS servers for guest networks. Each value must be a valid IPv4 address.
+- `restricted_subnet` (String) Subnet for restricted guest access.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `stripe` (Attributes) Stripe payment settings. (see [below for nested schema](#nestedatt--stripe))
+- `template_engine` (String) Template engine for the portal. Valid values are: `jsp`, `angular`.
+- `voucher_customized` (Boolean) Whether vouchers are customized.
+- `voucher_enabled` (Boolean) Enable voucher-based authentication for guest access.
+- `wechat` (Attributes) WeChat authentication settings. (see [below for nested schema](#nestedatt--wechat))
+
+### Read-Only
+
+- `facebook_enabled` (Boolean) Whether Facebook authentication for guest access is enabled.
+- `google_enabled` (Boolean) Whether Google authentication for guest access is enabled.
+- `id` (String) The unique identifier of this resource.
+- `password_enabled` (Boolean) Enable password authentication for guest access.
+- `payment_enabled` (Boolean) Enable payment for guest access.
+- `radius_enabled` (Boolean) Whether RADIUS authentication for guest access is enabled.
+- `redirect_enabled` (Boolean) Whether redirect after authentication is enabled.
+- `restricted_dns_enabled` (Boolean) Whether restricted DNS servers for guest networks are enabled.
+- `wechat_enabled` (Boolean) Whether WeChat authentication for guest access is enabled.
+
+
+### Nested Schema for `authorize`
+
+Required:
+
+- `login_id` (String) Authorize.net login ID for authentication.
+- `transaction_key` (String) Authorize.net transaction key for authentication.
+
+Optional:
+
+- `use_sandbox` (Boolean) Use sandbox mode for Authorize.net payments.
+
+
+
+### Nested Schema for `facebook`
+
+Required:
+
+- `app_id` (String) Facebook application ID for authentication.
+- `app_secret` (String, Sensitive) Facebook application secret for authentication.
+
+Optional:
+
+- `scope_email` (Boolean) Request email scope for Facebook authentication.
+
+
+
+### Nested Schema for `facebook_wifi`
+
+Required:
+
+- `gateway_id` (String) Facebook WiFi gateway ID.
+- `gateway_name` (String) Facebook WiFi gateway name.
+- `gateway_secret` (String, Sensitive) Facebook WiFi gateway secret.
+
+Optional:
+
+- `block_https` (Boolean) Mode HTTPS for Facebook WiFi.
+
+
+
+### Nested Schema for `google`
+
+Required:
+
+- `client_id` (String) Google client ID for authentication.
+- `client_secret` (String) Google client secret for authentication.
+
+Optional:
+
+- `domain` (String) Restrict Google authentication to specific domain.
+- `scope_email` (Boolean) Request email scope for Google authentication.
+
+
+
+### Nested Schema for `ippay`
+
+Required:
+
+- `terminal_id` (String, Sensitive) Terminal ID for IP Payments.
+
+Optional:
+
+- `use_sandbox` (Boolean) Whether to use sandbox mode for IPPay payments.
+
+
+
+### Nested Schema for `merchant_warrior`
+
+Required:
+
+- `api_key` (String, Sensitive) MerchantWarrior API key.
+- `api_passphrase` (String, Sensitive) MerchantWarrior API passphrase.
+- `merchant_uuid` (String, Sensitive) MerchantWarrior merchant UUID.
+
+Optional:
+
+- `use_sandbox` (Boolean) Whether to use sandbox mode for MerchantWarrior payments.
+
+
+
+### Nested Schema for `paypal`
+
+Required:
+
+- `password` (String, Sensitive) PayPal password.
+- `signature` (String, Sensitive) PayPal signature.
+- `username` (String, Sensitive) PayPal username. Must be a valid email address.
+
+Optional:
+
+- `use_sandbox` (Boolean) Whether to use sandbox mode for PayPal payments.
+
+
+
+### Nested Schema for `portal_customization`
+
+Optional:
+
+- `authentication_text` (String) Custom authentication text for the portal.
+- `bg_color` (String) Background color for the custom portal. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `bg_image_file_id` (String) ID of the background image portal file. File must exist in controller, use `unifi_portal_file` to manage it.
+- `bg_image_tile` (Boolean) Tile the background image.
+- `bg_type` (String) Type of portal background. Valid values are:
+* `color` - Solid color background
+* `image` - (not yet supported!) Custom image background
+* `gallery` - Image from Unsplash gallery
+- `box_color` (String) Color of the login box in the portal. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `box_link_color` (String) Color of links in the login box. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `box_opacity` (Number) Opacity of the login box (0-100).
+- `box_radius` (Number) Border radius of the login box in pixels.
+- `box_text_color` (String) Text color in the login box. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `button_color` (String) Button color in the portal. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `button_text` (String) Custom text for the login button.
+- `button_text_color` (String) Button text color. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `customized` (Boolean) Whether the portal is customized.
+- `languages` (List of String) List of enabled languages for the portal.
+- `link_color` (String) Color for links in the portal. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `logo_file_id` (String) ID of the logo image portal file. File must exist in controller, use `unifi_portal_file` to manage it.
+- `logo_position` (String) Position of the logo in the portal. Valid values are: left, center, right.
+- `logo_size` (Number) Size of the logo in pixels.
+- `success_text` (String) Text displayed after successful authentication.
+- `text_color` (String) Main text color for the portal. Must be a valid hex color code (e.g., #FFF or #FFFFFF).
+- `title` (String) Title of the portal page.
+- `tos` (String) Terms of service text.
+- `tos_enabled` (Boolean) Enable terms of service acceptance requirement.
+- `unsplash_author_name` (String) Name of the Unsplash author for gallery background.
+- `unsplash_author_username` (String) Username of the Unsplash author for gallery background.
+- `welcome_text` (String) Welcome text displayed on the portal.
+- `welcome_text_enabled` (Boolean) Enable welcome text display.
+- `welcome_text_position` (String) Position of the welcome text. Valid values are: `under_logo`, `above_boxes`.
+
+
+
+### Nested Schema for `quickpay`
+
+Required:
+
+- `agreement_id` (String, Sensitive) QuickPay agreement ID.
+- `api_key` (String, Sensitive) QuickPay API key.
+- `merchant_id` (String, Sensitive) QuickPay merchant ID.
+
+Optional:
+
+- `use_sandbox` (Boolean) Enable sandbox mode for QuickPay payments.
+
+
+
+### Nested Schema for `radius`
+
+Required:
+
+- `auth_type` (String) RADIUS authentication type. Valid values are: `chap`, `mschapv2`.
+- `profile_id` (String) ID of the RADIUS profile to use.
+
+Optional:
+
+- `disconnect_enabled` (Boolean) Enable RADIUS disconnect messages.
+- `disconnect_port` (Number) Port for RADIUS disconnect messages.
+
+
+
+### Nested Schema for `redirect`
+
+Required:
+
+- `url` (String) URL to redirect to after authentication. Must be a valid URL.
+
+Optional:
+
+- `to_https` (Boolean) Redirect HTTP requests to HTTPS.
+- `use_https` (Boolean) Use HTTPS for the redirect URL.
+
+
+
+### Nested Schema for `stripe`
+
+Required:
+
+- `api_key` (String, Sensitive) Stripe API key.
+
+
+
+### Nested Schema for `wechat`
+
+Required:
+
+- `app_id` (String) WeChat App ID for social authentication.
+- `app_secret` (String, Sensitive) WeChat App secret.
+- `secret_key` (String, Sensitive) WeChat secret key.
+
+Optional:
+
+- `shop_id` (String) WeChat Shop ID for payments.
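Review bot: the example contradicts the schema in several places and would not pass the provider's own validation: `welcome_text_position = "top"` is not one of the documented values (`under_logo`, `above_boxes`); the comment on `auth` lists `none, hotspot, custom, or external` while the schema lists `none`, `hotspot`, `facebook_wifi`, `custom`; and `ec_enabled` is described in the example as "external captive portal detection" but in the schema as "Enable enterprise controller functionality", so one of them is wrong. The guidance "set `auth` to `hotspot` and `password_enabled` to `true`" cannot be followed because `password_enabled`, `payment_enabled` and the other `*_enabled` attributes are listed under Read-Only; say instead that these flags are derived from `password`, `voucher_enabled` and `payment_gateway`. On the credential attributes, `google.client_secret`, `authorize.login_id` and `authorize.transaction_key` are plain `String` while `facebook.app_secret`, `stripe.api_key` and `paypal.password` are `Sensitive`; mark the OAuth client secret and Authorize.net transaction key `Sensitive` for consistency, and add a note that `Sensitive` only redacts plan and apply output, the values are still written to state in clear text, so the example's literal `password`, `client_secret` and PayPal credentials should come from variables rather than inline strings. Minor: "auth entication" is a typo, and `block_https` ("Mode HTTPS for Facebook WiFi") needs a real description.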
diff --git a/docs/resources/setting_ips.md b/docs/resources/setting_ips.md
new file mode 100644
index 0000000..48c911d
--- /dev/null
+++ b/docs/resources/setting_ips.md
@@ -0,0 +1,199 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_ips Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_setting_ips resource allows you to configure the Intrusion Prevention System (IPS) settings for your UniFi network. IPS provides network threat protection by monitoring, detecting, and preventing malicious traffic based on configured rules and policies. Requires controller version 7.4 or later
+---
+
+# unifi_setting_ips (Resource)
+
+The `unifi_setting_ips` resource allows you to configure the Intrusion Prevention System (IPS) settings for your UniFi network. IPS provides network threat protection by monitoring, detecting, and preventing malicious traffic based on configured rules and policies. Requires controller version 7.4 or later
+
+## Example Usage
+
+```terraform
+resource "unifi_network" "test" {
+ name = "My Network"
+ purpose = "corporate"
+ subnet = "192.168.1.0/24"
+ vlan_id = 10
+}
+
+resource "unifi_setting_ips" "example" {
+ # Set IPS mode to "ips" (Intrusion Prevention System)
+ # Other valid options: "ids" (Intrusion Detection System) or "disabled"
+ ips_mode = "ips"
+
+ # Networks on which IPS/IDS should be enabled
+ enabled_networks = [unifi_network.test.id]
+
+ # Advanced filtering preference
+ # Valid options: "disabled", "manual", or "auto"
+ advanced_filtering_preference = "manual"
+
+ # Categories of threats to detect/prevent
+ enabled_categories = [
+ "emerging-dos",
+ "emerging-exploit",
+ "emerging-malware"
+ ]
+
+ # Ad blocking configuration
+ ad_blocked_networks = [unifi_network.test.id]
+
+ # Honeypot configuration
+ honeypots = [
+ {
+ ip_address = "192.168.1.10"
+ network_id = unifi_network.test.id
+ }
+ ]
+
+ # DNS filtering configuration
+ dns_filters = [
+ {
+ name = "Work Filter"
+ filter = "work"
+ description = "Block non-work related sites"
+
+ # Sites that are always allowed
+ allowed_sites = [
+ "example.com",
+ "company.com"
+ ]
+
+ # Sites that are always blocked
+ blocked_sites = [
+ "gaming.example.com",
+ "social.example.com"
+ ]
+
+ # Top-level domains to block
+ blocked_tld = [
+ "xyz"
+ ]
+ }
+ ]
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Optional
+
+- `ad_blocked_networks` (List of String) List of network IDs to enable ad blocking for. If any networks are configured, ad blocking will be automatically enabled. Each entry should be a valid network ID from your UniFi configuration. Leave empty to disable ad blocking.
+- `advanced_filtering_preference` (String) The advanced filtering preference for IPS. Valid values are:
+ * `disabled` - Advanced filtering is disabled
+ * `manual` - Advanced filtering is enabled and manually configured
+- `dns_filters` (Attributes List) DNS filters configuration. If any filters are configured, DNS filtering will be automatically enabled. Each filter can be applied to a specific network and provides content filtering capabilities. (see [below for nested schema](#nestedatt--dns_filters))
+- `enabled_categories` (List of String) List of enabled IPS threat categories. Each entry enables detection and prevention for a specific type of threat. The list of valid categories includes common threats like malware, exploits, scanning, and policy violations. See the validator for the complete list of available categories.
+- `enabled_networks` (List of String) List of network IDs to enable IPS protection for. Each entry should be a valid network ID from your UniFi configuration. IPS will only monitor and protect traffic on these networks.
+- `honeypots` (Attributes List) Honeypots configuration. Honeypots are decoy systems designed to detect, deflect, or study hacking attempts. They appear as legitimate parts of the network but are isolated and monitored. (see [below for nested schema](#nestedatt--honeypots))
+- `ips_mode` (String) The IPS operation mode. Valid values are:
+ * `ids` - Intrusion Detection System mode (detect and log threats only)
+ * `ips` - Intrusion Prevention System mode (detect and block threats)
+ * `ipsInline` - Inline Intrusion Prevention System mode (more aggressive blocking)
+ * `disabled` - IPS functionality is completely disabled
+- `memory_optimized` (Boolean) Whether memory optimization is enabled for IPS. When set to `true`, the system will use less memory at the cost of potentially reduced detection capabilities. Useful for devices with limited resources. Defaults to `false`. Requires controller version 9.0 or later.
+- `restrict_torrents` (Boolean) Whether to restrict BitTorrent and other peer-to-peer file sharing traffic. When set to `true`, the system will block P2P traffic across the network. Defaults to `false`.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `suppression` (Attributes) Suppression configuration for IPS. This allows you to customize which alerts are suppressed or tracked, and define whitelisted traffic that should never trigger IPS alerts. (see [below for nested schema](#nestedatt--suppression))
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
+
+
+### Nested Schema for `dns_filters`
+
+Required:
+
+- `filter` (String) Filter type that determines the predefined filtering level. Valid values are:
+ * `none` - No predefined filtering
+ * `work` - Work-appropriate filtering that blocks adult content
+ * `family` - Family-friendly filtering that blocks adult content and other inappropriate sites
+- `name` (String) Name of the DNS filter. This is used to identify the filter in the UniFi interface.
+- `network_id` (String) Network ID this filter applies to. This should be a valid network ID from your UniFi configuration.
+
+Optional:
+
+- `allowed_sites` (List of String) List of allowed sites for this DNS filter. These domains will always be accessible regardless of other filtering rules. Each entry should be a valid domain name (e.g., `example.com`).
+- `blocked_sites` (List of String) List of blocked sites for this DNS filter. These domains will be blocked regardless of other filtering rules. Each entry should be a valid domain name (e.g., `example.com`).
+- `blocked_tld` (List of String) List of blocked top-level domains (TLDs) for this DNS filter. All domains with these TLDs will be blocked. Each entry should be a valid TLD without the dot prefix (e.g., `xyz`, `info`).
+- `description` (String) Description of the DNS filter. This is used for documentation purposes only and does not affect functionality.
+
+
+
+### Nested Schema for `honeypots`
+
+Required:
+
+- `ip_address` (String) IP address for the honeypot. This should be an unused IPv4 address within your network range that will be used as a decoy system.
+- `network_id` (String) Network ID for the honeypot. This should be a valid network ID from your UniFi configuration where the honeypot will be deployed.
+
+
+
+### Nested Schema for `suppression`
+
+Optional:
+
+- `alerts` (Attributes List) Alert suppressions. Each entry defines a specific IPS alert that should be suppressed or tracked differently from the default behavior. (see [below for nested schema](#nestedatt--suppression--alerts))
+- `whitelist` (Attributes List) Whitelist configuration. Each entry defines traffic that should never trigger IPS alerts, regardless of other rules. (see [below for nested schema](#nestedatt--suppression--whitelist))
+
+
+### Nested Schema for `suppression.alerts`
+
+Required:
+
+- `category` (String) Category of the alert to suppress. This should match one of the categories from the enabled_categories list.
+- `signature` (String) Signature name of the alert to suppress. This is a human-readable identifier for the alert in the IPS ruleset.
+- `type` (String) Type of suppression. Valid values are:
+ * `all` - Suppress all occurrences of this alert
+ * `track` - Only track this alert according to the tracking configuration
+
+Optional:
+
+- `tracking` (Attributes List) Tracking configuration for the alert. This defines how the system should track occurrences of this alert based on source/destination addresses. (see [below for nested schema](#nestedatt--suppression--alerts--tracking))
+
+
+### Nested Schema for `suppression.alerts.tracking`
+
+Required:
+
+- `direction` (String) Direction for tracking. Valid values are:
+ * `src` - Track by source address
+ * `dest` - Track by destination address
+ * `both` - Track by both source and destination addresses
+- `mode` (String) Mode for tracking. Valid values are:
+ * `ip` - Track by individual IP address
+ * `subnet` - Track by subnet
+ * `network` - Track by network ID
+- `value` (String) Value for tracking. The meaning depends on the mode:
+ * For `ip` mode: An IP address (e.g., `192.168.1.100`)
+ * For `subnet` mode: A CIDR notation subnet (e.g., `192.168.1.0/24`)
+ * For `network` mode: A network ID from your UniFi configuration
+
+
+
+
+### Nested Schema for `suppression.whitelist`
+
+Required:
+
+- `direction` (String) Direction for whitelist. Valid values are:
+ * `src` - Whitelist by source address
+ * `dst` - Whitelist by destination address
+ * `both` - Whitelist by both source and destination addresses
+- `mode` (String) Mode for whitelist. Valid values are:
+ * `ip` - Whitelist by individual IP address
+ * `subnet` - Whitelist by subnet
+ * `network` - Whitelist by network ID
+- `value` (String) Value for whitelist. The meaning depends on the mode:
+ * For `ip` mode: An IP address (e.g., `192.168.1.100`)
+ * For `subnet` mode: A CIDR notation subnet (e.g., `192.168.1.0/24`)
+ * For `network` mode: A network ID from your UniFi configuration
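Review bot: the `dns_filters` entry in the example omits `network_id`, which the nested schema marks Required, so the example fails validation as written; add `network_id = unifi_network.test.id` to the filter. The inline comments also disagree with the schema: `ips_mode` says "Other valid options: ids or disabled" but the schema adds `ipsInline`, and `advanced_filtering_preference` says `"disabled", "manual", or "auto"` while the schema lists only `disabled` and `manual`. `enabled_categories` tells the reader to "See the validator for the complete list", which points at source code rather than documentation; enumerate the accepted category names here. `direction` uses `dest` under `suppression.alerts.tracking` but `dst` under `suppression.whitelist`; confirm against the controller API whether both spellings are real or unify them. Since a `suppression.whitelist` entry in `subnet` or `network` mode disables IPS alerting for all traffic matching it, add a caveat to keep whitelist scope narrow and prefer `ip` mode. Also add the missing full stop after "Requires controller version 7.4 or later".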
diff --git a/docs/resources/setting_lcd_monitor.md b/docs/resources/setting_lcd_monitor.md
new file mode 100644
index 0000000..4c9668e
--- /dev/null
+++ b/docs/resources/setting_lcd_monitor.md
@@ -0,0 +1,32 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_lcd_monitor Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages LCD Monitor (LCM) settings for UniFi devices with built-in displays, such as the UniFi Dream Machine Pro (UDM Pro) and UniFi Network Video Recorder (UNVR).
+---
+
+# unifi_setting_lcd_monitor (Resource)
+
+Manages LCD Monitor (LCM) settings for UniFi devices with built-in displays, such as the UniFi Dream Machine Pro (UDM Pro) and UniFi Network Video Recorder (UNVR).
+
+
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether the LCD display is enabled.
+
+### Optional
+
+- `brightness` (Number) The brightness level of the LCD display. Valid values are 1-100.
+- `idle_timeout` (Number) The time in seconds after which the display turns off when idle. Valid values are 10-3600.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `sync` (Boolean) Whether to synchronize display settings across multiple devices.
+- `touch_event` (Boolean) Whether touch interactions with the display are enabled.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
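Review bot: the `## Example Usage` section is missing and three blank lines sit where terraform-plugin-docs would have rendered it, which means the example file it reads by default (`examples/resources/unifi_setting_lcd_monitor/resource.tf`) was not added; every other new resource in this change ships one. While adding it, clarify `sync` ("synchronize display settings across multiple devices" does not say which devices or which direction) and note that `touch_event` controls physical interaction with the front panel.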
diff --git a/docs/resources/setting_locale.md b/docs/resources/setting_locale.md
new file mode 100644
index 0000000..9123abd
--- /dev/null
+++ b/docs/resources/setting_locale.md
@@ -0,0 +1,38 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_locale Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages locale settings for a UniFi site.
+---
+
+# unifi_setting_locale (Resource)
+
+Manages locale settings for a UniFi site.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_locale" "example" {
+ # Set the timezone using IANA timezone identifier format
+ timezone = "America/New_York"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `timezone` (String) Timezone for the UniFi controller, e.g., `America/Los_Angeles`
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
diff --git a/docs/resources/setting_magic_site_to_site_vpn.md b/docs/resources/setting_magic_site_to_site_vpn.md
new file mode 100644
index 0000000..ff1669f
--- /dev/null
+++ b/docs/resources/setting_magic_site_to_site_vpn.md
@@ -0,0 +1,38 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_magic_site_to_site_vpn Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages Magic Site to Site VPN settings for a UniFi site.
+---
+
+# unifi_setting_magic_site_to_site_vpn (Resource)
+
+Manages Magic Site to Site VPN settings for a UniFi site.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_magic_site_to_site_vpn" "example" {
+ # Enable Magic Site-to-Site VPN functionality
+ enabled = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether the Magic Site to Site VPN is enabled.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
diff --git a/docs/resources/setting_mgmt.md b/docs/resources/setting_mgmt.md
index 9cc837a..0ff92b9 100644
--- a/docs/resources/setting_mgmt.md
+++ b/docs/resources/setting_mgmt.md
@@ -32,8 +32,39 @@ resource "unifi_site" "example" {
}
resource "unifi_setting_mgmt" "example" {
- site = unifi_site.example.name
+ # Reference a specific site (optional, defaults to site configured in provider, otherwise "default")
+ site = unifi_site.example.name
+
+ # Auto upgrade settings
auto_upgrade = true
+ auto_upgrade_hour = 3
+
+ # Device management settings
+ advanced_feature_enabled = true
+ alert_enabled = true
+ boot_sound = false
+ debug_tools_enabled = true
+ direct_connect_enabled = false
+ led_enabled = true
+ outdoor_mode_enabled = false
+ unifi_idp_enabled = false
+ wifiman_enabled = true
+
+ # SSH access configuration
+ ssh_enabled = true
+ ssh_auth_password_enabled = true
+ ssh_bind_wildcard = false
+ ssh_username = "admin"
+
+ # Optional: SSH key configuration
+ ssh_key = [
+ {
+ name = "Admin Key"
+ type = "ssh-rsa"
+ key = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxx..."
+ comment = "admin@example.com"
+ }
+ ]
}
```
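Review bot: the example enables SSH with `ssh_auth_password_enabled = true` and a fixed `ssh_username = "admin"` while also configuring `ssh_key`, which contradicts the resource's own guidance that keys are more secure than passwords and that SSH should only be enabled temporarily. Set `ssh_auth_password_enabled = false` in the example when a key is supplied, or explain why both are needed; and since no `ssh_password` is set, say which password the device will accept, otherwise the reader is left with password login enabled against an unknown credential.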
@@ -42,14 +73,28 @@ resource "unifi_setting_mgmt" "example" {
### Optional
+- `advanced_feature_enabled` (Boolean) Enable advanced features for UniFi devices at this site.
+- `alert_enabled` (Boolean) Enable alerts for UniFi devices at this site.
- `auto_upgrade` (Boolean) Enable automatic firmware upgrades for all UniFi devices at this site. When enabled, devices will automatically update to the latest stable firmware version approved for your controller version.
-- `site` (String) The name of the UniFi site where these management settings should be applied. If not specified, the default site will be used.
+- `auto_upgrade_hour` (Number) The hour of the day (0-23) when automatic firmware upgrades will occur.
+- `boot_sound` (Boolean) Enable the boot sound for UniFi devices at this site.
+- `debug_tools_enabled` (Boolean) Enable debug tools for UniFi devices at this site. Requires controller version 7.3 or later.
+- `direct_connect_enabled` (Boolean) Enable direct connect for UniFi devices at this site.
+- `led_enabled` (Boolean) Enable the LED light for UniFi devices at this site.
+- `outdoor_mode_enabled` (Boolean) Enable outdoor mode for UniFi devices at this site.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `ssh_auth_password_enabled` (Boolean) Enable SSH password authentication for UniFi devices at this site.
+- `ssh_bind_wildcard` (Boolean) Enable SSH bind wildcard for UniFi devices at this site.
- `ssh_enabled` (Boolean) Enable SSH access to UniFi devices at this site. When enabled, you can connect to devices using SSH for advanced configuration and troubleshooting. It's recommended to only enable this temporarily when needed.
-- `ssh_key` (Block Set) List of SSH public keys that are allowed to connect to UniFi devices when SSH is enabled. Using SSH keys is more secure than password authentication. (see [below for nested schema](#nestedblock--ssh_key))
+- `ssh_key` (Block List) List of SSH public keys that are allowed to connect to UniFi devices when SSH is enabled. Using SSH keys is more secure than password authentication. (see [below for nested schema](#nestedblock--ssh_key))
+- `ssh_password` (String, Sensitive) The SSH password for UniFi devices at this site.
+- `ssh_username` (String) The SSH username for UniFi devices at this site.
+- `unifi_idp_enabled` (Boolean) Enable UniFi IDP for UniFi devices at this site.
+- `wifiman_enabled` (Boolean) Enable WiFiman for UniFi devices at this site.
### Read-Only
-- `id` (String) The unique identifier of the management settings configuration in the UniFi controller.
+- `id` (String) The unique identifier of this resource.
### Nested Schema for `ssh_key`
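Review bot: changing `ssh_key` from `(Block Set)` to `(Block List)` makes element order significant, so states written under set semantics may show a spurious reorder diff on the next plan; if the change is intentional, note it here or in the upgrade notes. `ssh_password` is correctly marked Sensitive, but Terraform still stores it in plaintext in the state file; a one-line reminder to protect state (remote backend, encryption at rest, restricted access) belongs next to it. Finally, `ssh_bind_wildcard` is described only as "Enable SSH bind wildcard", which restates the attribute name; say which addresses or interfaces SSH listens on when it is set so users can judge the exposure, and expand "IDP" in `unifi_idp_enabled`, which reads ambiguously as identity provider or intrusion detection/prevention.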
diff --git a/docs/resources/setting_network_optimization.md b/docs/resources/setting_network_optimization.md
new file mode 100644
index 0000000..0633fea
--- /dev/null
+++ b/docs/resources/setting_network_optimization.md
@@ -0,0 +1,38 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_network_optimization Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages Network Optimization settings for a UniFi site. UniFi network optimization is a feature designed to automatically enhance the performance of a UniFi network by making automatic adjustments to various settings such as channel selection, transmit power, or frequency usage
+---
+
+# unifi_setting_network_optimization (Resource)
+
+Manages Network Optimization settings for a UniFi site. UniFi network optimization is a feature designed to automatically enhance the performance of a UniFi network by making automatic adjustments to various settings such as channel selection, transmit power, or frequency usage
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_network_optimization" "example" {
+ # Enable network optimization features
+ enabled = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether the Network Optimization is enabled.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
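Review bot: the description in both the front matter and the body ("...channel selection, transmit power, or frequency usage") is missing its closing period, and it leaves out the operational consequence that matters: with `enabled = true` the controller adjusts radio channels and transmit power on its own, so channel or power values managed elsewhere in the configuration can drift. One sentence stating whether the feature overrides manually configured radio settings would make the trade-off clear.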
diff --git a/docs/resources/setting_ntp.md b/docs/resources/setting_ntp.md
new file mode 100644
index 0000000..dad6a90
--- /dev/null
+++ b/docs/resources/setting_ntp.md
@@ -0,0 +1,53 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_ntp Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ The unifi_setting_ntp resource allows you to configure Network Time Protocol (NTP) server settings for your UniFi network.
+ NTP servers provide time synchronization for your network devices. This resource supports both automatic and manual NTP configuration modes.
+---
+
+# unifi_setting_ntp (Resource)
+
+The `unifi_setting_ntp` resource allows you to configure Network Time Protocol (NTP) server settings for your UniFi network.
+
+NTP servers provide time synchronization for your network devices. This resource supports both automatic and manual NTP configuration modes.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_ntp" "example" {
+ # Set NTP mode to manual to specify custom NTP servers
+ # Valid options: "auto" or "manual"
+ mode = "manual"
+
+ # Configure up to four NTP servers
+ ntp_server_1 = "time.cloudflare.com"
+ ntp_server_2 = "pool.ntp.org"
+ ntp_server_3 = "time.google.com"
+ ntp_server_4 = "0.pool.ntp.org"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Optional
+
+- `mode` (String) NTP server configuration mode. Valid values are:
+* `auto` - Use NTP servers configured on the controller
+* `manual` - Use custom NTP servers specified in this resource
+
+When set to `auto`, all NTP server fields will be cleared. When set to `manual`, at least one NTP server must be specified.
+- `ntp_server_1` (String) Primary NTP server hostname or IP address. Must be a valid hostname (e.g., `pool.ntp.org`) or IPv4 address. Only applicable when `mode` is set to `manual`.
+- `ntp_server_2` (String) Secondary NTP server hostname or IP address. Must be a valid hostname (e.g., `time.google.com`) or IPv4 address. Only applicable when `mode` is set to `manual`.
+- `ntp_server_3` (String) Tertiary NTP server hostname or IP address. Must be a valid hostname or IPv4 address. Only applicable when `mode` is set to `manual`.
+- `ntp_server_4` (String) Quaternary NTP server hostname or IP address. Must be a valid hostname or IPv4 address. Only applicable when `mode` is set to `manual`.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
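Review bot: `mode` says "When set to `auto`, all NTP server fields will be cleared" and "When set to `manual`, at least one NTP server must be specified", but every `ntp_server_N` is Optional and nothing says what happens when `mode = "auto"` is combined with a non-empty `ntp_server_1` (validation error at plan time, or silently dropped with a perpetual diff); document the behaviour in both directions. The "valid hostname or IPv4 address" wording excludes IPv6 literals; if that is a validator choice rather than a controller limitation, say so. In the example, `pool.ntp.org` and `0.pool.ntp.org` resolve into the same pool, so the fourth server adds no redundancy; pick a distinct upstream or drop it.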
diff --git a/docs/resources/setting_radius.md b/docs/resources/setting_radius.md
index 0722750..38cddbd 100644
--- a/docs/resources/setting_radius.md
+++ b/docs/resources/setting_radius.md
@@ -27,7 +27,27 @@ The RADIUS server is commonly used for:
When enabled, the RADIUS server can authenticate clients using the UniFi user database or external authentication sources.
+## Example Usage
+```terraform
+resource "unifi_setting_radius" "example" {
+ # Enable RADIUS functionality
+ enabled = true
+
+ # RADIUS server secret
+ secret = "your-secure-secret"
+
+ # Optional: Enable RADIUS accounting
+ accounting_enabled = true
+
+ # Optional: Configure custom ports
+ auth_port = 1812
+ accounting_port = 1813
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
## Schema
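Review bot: the example hardcodes the RADIUS shared secret as a string literal (`secret = "your-secure-secret"`); since this value authenticates NAS devices to the server, the example should take it from a variable marked `sensitive = true` (or another secret input) rather than a literal in the `.tf` file, and the text should remind readers that it is still written to Terraform state. The comment `# Optional: Configure custom ports` sits over 1812 and 1813, which are the standard RADIUS ports, so either use non-default values or reword the comment as "defaults shown".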
diff --git a/docs/resources/setting_rsyslogd.md b/docs/resources/setting_rsyslogd.md
new file mode 100644
index 0000000..f141d01
--- /dev/null
+++ b/docs/resources/setting_rsyslogd.md
@@ -0,0 +1,66 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_rsyslogd Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages Remote Syslog (rsyslogd) settings for UniFi devices. Controller version 8.5 or later is required.
+---
+
+# unifi_setting_rsyslogd (Resource)
+
+Manages Remote Syslog (rsyslogd) settings for UniFi devices. Controller version 8.5 or later is required.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_rsyslogd" "example" {
+ # Enable remote syslog functionality
+ enabled = true
+
+ # Remote syslog server IP address
+ ip = "192.168.1.200"
+
+ # Remote syslog server port
+ port = 514
+
+ # Types of log content to send
+ # Valid options: "device", "client", "admin_activity"
+ contents = ["device", "client", "admin_activity"]
+
+ # Enable debug logging
+ debug = true
+
+ # Netconsole configuration (optional)
+ netconsole_enabled = true
+ netconsole_host = "192.168.1.150"
+ netconsole_port = 1514
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether remote syslog is enabled.
+
+### Optional
+
+- `contents` (List of String) List of log types to include in the remote syslog. Valid values: device, client, firewall_default_policy, triggers, updates, admin_activity, critical, security_detections, vpn.
+- `debug` (Boolean) Whether debug logging is enabled.
+- `ip` (String) IP address of the remote syslog server.
+- `log_all_contents` (Boolean) Whether to log all content types.
+- `netconsole_enabled` (Boolean) Whether netconsole logging is enabled.
+- `netconsole_host` (String) Hostname or IP address of the netconsole server.
+- `netconsole_port` (Number) Port number for the netconsole server. Valid values: 1-65535.
+- `port` (Number) Port number for the remote syslog server. Valid values: 1-65535.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `this_controller` (Boolean) Whether to use this controller as the syslog server.
+- `this_controller_encrypted_only` (Boolean) Whether to only use encrypted connections to this controller for syslog.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
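Review bot: the example comment `# Valid options: "device", "client", "admin_activity"` disagrees with the `contents` schema below it, which lists nine valid values (device, client, firewall_default_policy, triggers, updates, admin_activity, critical, security_detections, vpn); change the comment to "for example" or list the full set so the two do not drift. On the same example: it ships logs to `192.168.1.200` on port 514 with no transport protection shown and turns `debug = true` on, and neither the example nor the schema mentions that remote syslog is unauthenticated or that debug output carries more detail than production needs; a caveat on choosing the receiver deliberately and leaving `debug` off by default would fit here. The precedence between `log_all_contents` and `contents` is undocumented, and `ip` says "IP address" while `netconsole_host` accepts a hostname; say whether `ip` really rejects names.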
diff --git a/docs/resources/setting_ssl_inspection.md b/docs/resources/setting_ssl_inspection.md
new file mode 100644
index 0000000..ebf5f90
--- /dev/null
+++ b/docs/resources/setting_ssl_inspection.md
@@ -0,0 +1,39 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_ssl_inspection Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages SSL Inspection settings for a UniFi site. SSL inspection is a security feature that allows the UniFi Security Gateway (USG) to inspect encrypted traffic for security threats.
+---
+
+# unifi_setting_ssl_inspection (Resource)
+
+Manages SSL Inspection settings for a UniFi site. SSL inspection is a security feature that allows the UniFi Security Gateway (USG) to inspect encrypted traffic for security threats.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_ssl_inspection" "example" {
+ # Configure SSL inspection state
+ # Valid options: "off", "simple", "advanced"
+ state = "advanced"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `state` (String) The mode of SSL inspection. Valid values are: `off`, `simple`, or `advanced`.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
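Review bot: `state` is Required with values `off`, `simple`, `advanced`, but neither the description nor the example says what `simple` and `advanced` inspect or what they require from clients; for a feature that examines TLS traffic, that is what a config reviewer needs (what is decrypted, whether a gateway certificate must be trusted by clients, what the performance cost is). A sentence per mode, even one that links to the controller documentation, would make `state = "advanced"` in the example an informed choice rather than a default. The description also names only the USG; if the resource works on UDM/UCG gateways as the README claims for the provider generally, say so, and if not, state the limitation.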
diff --git a/docs/resources/setting_teleport.md b/docs/resources/setting_teleport.md
new file mode 100644
index 0000000..84c54fc
--- /dev/null
+++ b/docs/resources/setting_teleport.md
@@ -0,0 +1,43 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_teleport Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages Teleport settings for a UniFi site. Teleport is a secure remote access technology that allows authorized users to connect to UniFi devices from anywhere.
+---
+
+# unifi_setting_teleport (Resource)
+
+Manages Teleport settings for a UniFi site. Teleport is a secure remote access technology that allows authorized users to connect to UniFi devices from anywhere.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_teleport" "example" {
+ # Enable Teleport remote access functionality
+ enabled = true
+
+ # Optional subnet configuration for Teleport
+ # Specify a CIDR notation subnet for Teleport to use
+ subnet = "192.168.100.0/24"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether Teleport is enabled.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `subnet` (String) The subnet CIDR for Teleport (e.g., `192.168.1.0/24`). Can be empty but must be set explicitly.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
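Review bot: `subnet` is listed under Optional, its description says "Can be empty but must be set explicitly", and the example comment calls it "Optional subnet configuration"; these three statements cannot all hold. Clarify whether omitting `subnet` is an error, whether `subnet = ""` lets the controller choose, and whether a non-empty value is validated as CIDR before apply. Since enabling Teleport opens a remote-access path into the site, the description should also say what `enabled = true` exposes (which gateway, which clients are admitted) so operators do not enable it only because the example does.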
diff --git a/docs/resources/setting_usg.md b/docs/resources/setting_usg.md
index 31a5f28..0d0b899 100644
--- a/docs/resources/setting_usg.md
+++ b/docs/resources/setting_usg.md
@@ -5,10 +5,8 @@ subcategory: ""
description: |-
The unifi_setting_usg resource manages advanced settings for UniFi Security Gateways (USG) and UniFi Dream Machines (UDM/UDM-Pro).
This resource allows you to configure gateway-specific features including:
- Multicast DNS (mDNS) for service discoveryDHCP relay for forwarding DHCP requests to external servers
- These settings are particularly useful for:
- Enabling device discovery across VLANs (using mDNS)Centralizing DHCP management in enterprise environmentsIntegration with existing network infrastructure
- Note: Some settings may not be available on all controller versions. For example, multicast_dns_enabled is not supported on UniFi OS v7+.
+ Multicast DNS (mDNS) for cross-VLAN service discoveryDHCP relay for forwarding DHCP requests to external serversGeo IP filtering for country-based traffic controlUPNP/NAT-PMP for automatic port forwardingProtocol helpers for FTP, GRE, H323, PPTP, SIP, and TFTPTCP/UDP timeout settings for connection trackingSecurity features like SYN cookies and ICMP redirect controlsMSS clamping for optimizing MTU issues
+ Note: Some settings may not be available on all controller versions. For example, multicast_dns_enabled is not supported on UniFi OS v7+. Changes to certain attributes may not be reflected in the plan unless explicitly modified in the configuration.
---
# unifi_setting_usg (Resource)
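Review bot: the added sentence "Changes to certain attributes may not be reflected in the plan unless explicitly modified in the configuration" is too vague for a gateway/firewall resource: drift that Terraform does not show is exactly what an operator needs to know about, so name the attributes (or the class, e.g. computed defaults the controller rewrites) and say how to force reconciliation. Separately, the folded description line runs the bullet items together ("...service discoveryDHCP relay...", pre-existing in the `-` line and extended in the `+` line); terraform-plugin-docs flattens the YAML, so the list items in the schema description need separators (periods or semicolons) that survive the flattening.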
@@ -16,27 +14,254 @@ description: |-
The `unifi_setting_usg` resource manages advanced settings for UniFi Security Gateways (USG) and UniFi Dream Machines (UDM/UDM-Pro).
This resource allows you to configure gateway-specific features including:
- * Multicast DNS (mDNS) for service discovery
+ * Multicast DNS (mDNS) for cross-VLAN service discovery
* DHCP relay for forwarding DHCP requests to external servers
+ * Geo IP filtering for country-based traffic control
+ * UPNP/NAT-PMP for automatic port forwarding
+ * Protocol helpers for FTP, GRE, H323, PPTP, SIP, and TFTP
+ * TCP/UDP timeout settings for connection tracking
+ * Security features like SYN cookies and ICMP redirect controls
+ * MSS clamping for optimizing MTU issues
-These settings are particularly useful for:
- * Enabling device discovery across VLANs (using mDNS)
- * Centralizing DHCP management in enterprise environments
- * Integration with existing network infrastructure
+Note: Some settings may not be available on all controller versions. For example, multicast_dns_enabled is not supported on UniFi OS v7+. Changes to certain attributes may not be reflected in the plan unless explicitly modified in the configuration.
-Note: Some settings may not be available on all controller versions. For example, multicast_dns_enabled is not supported on UniFi OS v7+.
+## Example Usage
+```terraform
+resource "unifi_setting_usg" "example" {
+ # Geo IP Filtering Configuration
+ geo_ip_filtering = {
+ block = "block" # Options: "block" or "allow"
+ countries = ["UK", "CN", "AU"]
+ traffic_direction = "both" # Options: "both", "ingress", or "egress"
+ }
+ # UPNP Configuration
+ upnp = {
+ nat_pmp_enabled = true
+ secure_mode = true
+ wan_interface = "WAN"
+ }
+
+ # DNS Verification Settings
+ dns_verification = {
+ domain = "example.com"
+ primary_dns_server = "1.1.1.1"
+ secondary_dns_server = "1.0.0.1"
+ setting_preference = "manual" # Options: "auto" or "manual"
+ }
+
+ # TCP Timeout Settings
+ tcp_timeouts = {
+ close_timeout = 10
+ established_timeout = 3600
+ close_wait_timeout = 20
+ fin_wait_timeout = 30
+ last_ack_timeout = 30
+ syn_recv_timeout = 60
+ syn_sent_timeout = 120
+ time_wait_timeout = 120
+ }
+
+ # ARP Cache Configuration
+ arp_cache_timeout = "custom" # Options: "auto" or "custom"
+ arp_cache_base_reachable = 60
+
+ # DHCP Configuration
+ broadcast_ping = true
+ dhcpd_hostfile_update = true
+ dhcpd_use_dnsmasq = true
+ dnsmasq_all_servers = true
+
+ # DHCP Relay Configuration
+ dhcp_relay = {
+ agents_packets = "forward" # Options: "forward" or "replace"
+ hop_count = 5
+ }
+ dhcp_relay_servers = ["10.1.2.3", "10.1.2.4"]
+
+ # Network Tools
+ echo_server = "echo.example.com"
+
+ # Protocol Modules
+ ftp_module = true
+ gre_module = true
+ tftp_module = true
+
+ # ICMP & LLDP Settings
+ icmp_timeout = 20
+ lldp_enable_all = true
+
+ # MSS Clamp Settings
+ mss_clamp = "auto" # Options: "auto" or "custom"
+ mss_clamp_mss = 1452
+
+ # Offload Settings
+ offload_accounting = true
+ offload_l2_blocking = true
+ offload_scheduling = false
+
+ # Timeout Settings
+ other_timeout = 600
+ timeout_setting_preference = "auto" # Options: "auto" or "custom"
+
+ # Security Settings
+ receive_redirects = false
+ send_redirects = true
+ syn_cookies = true
+
+ # UDP Timeout Settings
+ udp_other_timeout = 30
+ udp_stream_timeout = 120
+
+ # Specify the site (optional)
+ # site = "default"
+}
+```
## Schema
### Optional
-- `dhcp_relay_servers` (List of String) List of up to 5 DHCP relay servers (specified by IP address) that will receive forwarded DHCP requests. This is useful when you want to use external DHCP servers instead of the built-in DHCP server. Example: ['192.168.1.5', '192.168.2.5']
-- `multicast_dns_enabled` (Boolean) Enable multicast DNS (mDNS/Bonjour/Avahi) forwarding across VLANs. This allows devices to discover services (like printers, Chromecasts, etc.) even when they are on different networks. Note: Not supported on UniFi OS v7+.
-- `site` (String) The name of the UniFi site where these USG settings should be applied. If not specified, the default site will be used.
+- `arp_cache_base_reachable` (Number) The base reachable timeout (in seconds) for ARP cache entries. This controls how long the gateway considers a MAC-to-IP mapping valid without needing to refresh it. Higher values reduce network traffic but may cause stale entries if devices change IP addresses frequently.
+- `arp_cache_timeout` (String) The timeout strategy for ARP cache entries. Valid values are:
+ * `normal` - Use system default timeouts
+ * `min-dhcp-lease` - Set ARP timeout to match the minimum DHCP lease time
+ * `custom` - Use the custom timeout value specified in `arp_cache_base_reachable`
+
+This setting determines how long MAC-to-IP mappings are stored in the ARP cache before being refreshed.
+- `broadcast_ping` (Boolean) Enable responding to broadcast ping requests (ICMP echo requests sent to the broadcast address). When enabled, the gateway will respond to pings sent to the broadcast address of the network (e.g., 192.168.1.255). This can be useful for network diagnostics but may also be used in certain denial-of-service attacks.
+- `dhcp_relay` (Attributes) Advanced DHCP relay configuration settings. Controls how the gateway forwards DHCP requests to external servers and manages DHCP relay agent behavior. Use this block to fine-tune DHCP relay functionality beyond simply specifying relay servers. (see [below for nested schema](#nestedatt--dhcp_relay))
+- `dhcp_relay_servers` (List of String, Deprecated) List of up to 5 DHCP relay servers (specified by IP address) that will receive forwarded DHCP requests. This is useful when you want to use external DHCP servers instead of the built-in DHCP server on the USG/UDM. When configured, the gateway will forward DHCP discovery packets from clients to these external servers, allowing centralized IP address management across multiple networks. Example: `['192.168.1.5', '192.168.2.5']`
+- `dhcpd_hostfile_update` (Boolean) Enable updating the gateway's host files with DHCP client information. When enabled, the gateway will automatically add entries to its host file for each DHCP client, allowing hostname resolution for devices that receive IP addresses via DHCP. This improves name resolution on the local network.
+- `dhcpd_use_dnsmasq` (Boolean) Use dnsmasq for DHCP services instead of the default DHCP server. Dnsmasq provides integrated DNS and DHCP functionality with additional features like DNS caching, DHCP static leases, and local domain name resolution. This can improve DNS resolution performance and provide more flexible DHCP options.
+- `dns_verification` (Attributes) DNS verification settings for validating DNS responses. This feature helps detect and prevent DNS spoofing attacks by verifying DNS responses against trusted DNS servers. When configured, the gateway can compare DNS responses with those from known trusted servers to identify potential tampering or poisoning attempts. Requires controller version 8.5 or later. (see [below for nested schema](#nestedatt--dns_verification))
+- `dnsmasq_all_servers` (Boolean) When enabled, dnsmasq will query all configured DNS servers simultaneously and use the fastest response. This can improve DNS resolution speed but may increase DNS traffic. By default, dnsmasq queries servers sequentially, only trying the next server if the current one fails to respond.
+- `echo_server` (String) The hostname or IP address of a server to use for network echo tests. Echo tests send packets to this server and measure response times to evaluate network connectivity and performance. This can be used for network diagnostics and monitoring.
+- `ftp_module` (Boolean) Enable the FTP (File Transfer Protocol) helper module. This module allows the gateway to properly handle FTP connections through NAT by tracking the control channel and dynamically opening required data ports. Without this helper, passive FTP connections may fail when clients are behind NAT.
+- `geo_ip_filtering` (Attributes) Geographic IP filtering configuration that allows blocking or allowing traffic based on country of origin. This feature uses IP geolocation databases to identify the country associated with IP addresses and apply filtering rules. Useful for implementing country-specific access policies or blocking traffic from high-risk regions. Requires controller version 7.0 or later. (see [below for nested schema](#nestedatt--geo_ip_filtering))
+- `gre_module` (Boolean) Enable the GRE (Generic Routing Encapsulation) protocol helper module. This module allows proper handling of GRE tunneling protocol through the gateway's firewall. GRE is commonly used for VPN tunnels and other encapsulation needs. Required if you plan to use PPTP VPNs (see `pptp_module`).
+- `h323_module` (Boolean) Enable the H.323 protocol helper module. H.323 is a standard for multimedia communications (audio, video, and data) over packet-based networks. This helper allows H.323-based applications like video conferencing systems to work properly through NAT by tracking connection details and opening required ports.
+- `icmp_timeout` (Number) ICMP timeout in seconds for connection tracking. This controls how long the gateway maintains state information for ICMP (ping) packets in its connection tracking table. Higher values maintain ICMP connection state longer, while lower values reclaim resources more quickly but may affect some diagnostic tools.
+- `lldp_enable_all` (Boolean) Enable Link Layer Discovery Protocol (LLDP) on all interfaces. LLDP is a vendor-neutral protocol that allows network devices to advertise their identity, capabilities, and neighbors on a local network. When enabled, the gateway will both send and receive LLDP packets, facilitating network discovery and management tools.
+- `mss_clamp` (String) TCP Maximum Segment Size (MSS) clamping mode. MSS clamping adjusts the maximum segment size of TCP packets to prevent fragmentation issues when packets traverse networks with different MTU sizes. Valid values include:
+ * `auto` - Automatically determine appropriate MSS values based on interface MTUs
+ * `custom` - Use the custom MSS value specified in `mss_clamp_mss`
+ * `disabled` - Do not perform MSS clamping
+
+This setting is particularly important for VPN connections and networks with non-standard MTU sizes.
+- `mss_clamp_mss` (Number) Custom TCP Maximum Segment Size (MSS) value in bytes. This value is used when `mss_clamp` is set to `custom`. The MSS value should typically be set to the path MTU minus 40 bytes (for IPv4) or minus 60 bytes (for IPv6) to account for TCP/IP header overhead. Valid values range from 100 to 9999, with common values being 1460 (for standard 1500 MTU) or 1400 (for VPN tunnels).
+- `multicast_dns_enabled` (Boolean) Enable multicast DNS (mDNS/Bonjour/Avahi) forwarding across VLANs. This allows devices to discover services (like printers, Chromecasts, Apple devices, etc.) even when they are on different networks or VLANs. When enabled, the gateway will forward mDNS packets between networks, facilitating cross-VLAN service discovery. Note: This setting is not supported on UniFi OS v7+ as it has been replaced by mDNS settings in the network configuration.
+- `offload_accounting` (Boolean) Enable hardware accounting offload. When enabled, the gateway will use hardware acceleration for traffic accounting functions, reducing CPU load and potentially improving throughput for high-traffic environments. This setting may not be supported on all hardware models.
+- `offload_l2_blocking` (Boolean) Enable hardware offload for Layer 2 (L2) blocking functions. When enabled, the gateway will use hardware acceleration for blocking traffic at the data link layer (MAC address level), which can improve performance when implementing MAC-based filtering or isolation. This setting may not be supported on all hardware models.
+- `offload_sch` (Boolean) Enable hardware scheduling offload. When enabled, the gateway will use hardware acceleration for packet scheduling functions, which can improve QoS (Quality of Service) performance and throughput for prioritized traffic. This setting may not be supported on all hardware models and may affect other hardware offload capabilities.
+- `other_timeout` (Number) Timeout (in seconds) for connection tracking of protocols other than TCP, UDP, and ICMP. This controls how long the gateway maintains state information for connections using other protocols. Higher values maintain connection state longer, while lower values reclaim resources more quickly but may affect some applications using non-standard protocols.
+- `pptp_module` (Boolean) Enable the PPTP (Point-to-Point Tunneling Protocol) helper module. This module allows PPTP VPN connections to work properly through the gateway's firewall and NAT. PPTP uses GRE for tunneling, so the `gre_module` must also be enabled for PPTP to function correctly. Note that PPTP has known security vulnerabilities and more secure VPN protocols are generally recommended.
+- `receive_redirects` (Boolean) Enable accepting ICMP redirect messages. ICMP redirects are messages sent by routers to inform hosts of better routes to specific destinations. When enabled, the gateway will update its routing table based on these messages. While useful for route optimization, this can potentially be exploited for man-in-the-middle attacks, so it's often disabled in security-sensitive environments.
+- `send_redirects` (Boolean) Enable sending ICMP redirect messages. When enabled, the gateway will send ICMP redirect messages to hosts on the local network to inform them of better routes to specific destinations. This can help optimize network traffic but is typically only needed when the gateway has multiple interfaces on the same subnet or in complex routing scenarios.
+- `sip_module` (Boolean) Enable the SIP (Session Initiation Protocol) helper module. SIP is used for initiating, maintaining, and terminating real-time sessions for voice, video, and messaging applications (VoIP, video conferencing). This helper allows SIP-based applications to work correctly through NAT by tracking SIP connections and dynamically opening the necessary ports for media streams.
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+- `syn_cookies` (Boolean) Enable SYN cookies to protect against SYN flood attacks. SYN cookies are a technique that helps mitigate TCP SYN flood attacks by avoiding the need to track incomplete connections in a backlog queue. When enabled, the gateway can continue to establish legitimate connections even when under a SYN flood attack. This is a recommended security setting for internet-facing gateways.
+- `tcp_timeouts` (Attributes) TCP connection timeout settings for various TCP connection states. These settings control how long the gateway maintains state information for TCP connections in different states before removing them from the connection tracking table. Proper timeout values balance resource usage with connection reliability. These settings are particularly relevant when `timeout_setting_preference` is set to `manual`. (see [below for nested schema](#nestedatt--tcp_timeouts))
+- `tftp_module` (Boolean) Enable the TFTP (Trivial File Transfer Protocol) helper module. This module allows TFTP connections to work properly through the gateway's firewall and NAT. TFTP is commonly used for firmware updates, configuration file transfers, and network booting of devices. The helper tracks TFTP connections and ensures return traffic is properly handled.
+- `timeout_setting_preference` (String) Determines how connection timeout values are configured. Valid values are:
+ * `auto` - The gateway will automatically determine appropriate timeout values based on system defaults
+ * `manual` - Use the manually specified timeout values for various connection types
+
+When set to `manual`, you should specify values for the various timeout settings like `tcp_timeouts`, `udp_stream_timeout`, `udp_other_timeout`, `icmp_timeout`, and `other_timeout`. Requires controller version 7.0 or later.
+- `udp_other_timeout` (Number) Timeout (in seconds) for general UDP connections. Since UDP is connectionless, this timeout determines how long the gateway maintains state information for UDP packets that don't match the criteria for stream connections. This applies to most short-lived UDP communications like DNS queries. Lower values free resources more quickly but may affect some applications that expect longer session persistence.
+- `udp_stream_timeout` (Number) Timeout (in seconds) for UDP stream connections. This applies to UDP traffic patterns that resemble ongoing streams, such as VoIP calls, video streaming, or online gaming. The gateway identifies these based on traffic patterns and maintains state information longer than for regular UDP traffic. Higher values improve reliability for streaming applications but consume more connection tracking resources.
+- `unbind_wan_monitors` (Boolean) Unbind WAN monitors to prevent unnecessary traffic. When enabled, the gateway will stop certain monitoring processes that periodically check WAN connectivity. This can reduce unnecessary traffic on metered connections or in environments where the monitoring traffic might trigger security alerts. However, disabling these monitors may affect the gateway's ability to detect and respond to WAN connectivity issues. Requires controller version 9.0 or later.
+- `upnp` (Attributes) UPNP (Universal Plug and Play) configuration settings. UPNP allows compatible applications and devices to automatically configure port forwarding rules on the gateway without manual intervention. This is commonly used by gaming consoles, media servers, VoIP applications, and other network services that require incoming connections. (see [below for nested schema](#nestedatt--upnp))
### Read-Only
-- `id` (String) The unique identifier of the USG settings configuration in the UniFi controller.
+- `geo_ip_filtering_enabled` (Boolean) Whether Geo IP Filtering is enabled. When enabled, the gateway will apply the specified country-based
+- `id` (String) The unique identifier of this resource.
+- `upnp_enabled` (Boolean) Whether UPNP is enabled. When enabled, the gateway will automatically forward ports for UPNP-compatible devices
+
+
+### Nested Schema for `dhcp_relay`
+
+Optional:
+
+- `agents_packets` (String) Specifies how to handle DHCP relay agent information in packets. Valid values are:
+ * `append` - Add relay agent information to packets that may already contain it
+ * `discard` - Drop packets that already contain relay agent information
+ * `forward` - Forward packets regardless of relay agent information
+ * `replace` - Replace existing relay agent information with the gateway's information
+- `hop_count` (Number) Maximum number of relay agents that can forward the DHCP packet before it is discarded. This prevents DHCP packets from being forwarded indefinitely in complex network topologies. Valid values range from 1 to 255, with lower values recommended for simpler networks.
+- `max_size` (Number) Maximum size (in bytes) of DHCP relay packets that will be forwarded. Packets exceeding this size will be truncated or dropped. Valid values range from 64 to 1400 bytes. The default is typically sufficient for most DHCP implementations, but may need adjustment if using extensive DHCP options or vendor-specific information.
+- `port` (Number) UDP port number for the DHCP relay service to listen on. The standard DHCP server port is 67, but this can be customized if needed for specific network configurations. Valid values range from 1 to 65535. Ensure this doesn't conflict with other services running on the gateway.
+
+
+
+### Nested Schema for `dns_verification`
+
+Optional:
+
+- `domain` (String) The domain name to use for DNS verification tests. The gateway will query this domain when testing DNS server responses. This should be a reliable domain that is unlikely to change frequently. Required when `setting_preference` is set to `manual`.
+- `primary_dns_server` (String) The IP address of the primary trusted DNS server to use for verification. DNS responses will be compared against responses from this server to detect potential DNS spoofing. Required when `setting_preference` is set to `manual`. Must be a valid IPv4 address.
+- `secondary_dns_server` (String) The IP address of the secondary trusted DNS server to use for verification. This server will be used if the primary server is unavailable. Optional even when `setting_preference` is set to `manual`. Must be a valid IPv4 address if specified.
+- `setting_preference` (String) Determines how DNS verification servers are configured. Valid values are:
+ * `auto` - The gateway will automatically select DNS servers for verification
+ * `manual` - Use the manually specified `primary_dns_server` and optionally `secondary_dns_server`
+
+When set to `manual`, you must also specify `primary_dns_server` and `domain` values.
+
+
+
+### Nested Schema for `geo_ip_filtering`
+
+Required:
+
+- `countries` (List of String) List of two-letter ISO 3166-1 alpha-2 country codes to block or allow, depending on the `block` setting. Must contain at least one country code when geo IP filtering is enabled. Country codes are case-insensitive but are typically written in uppercase.
+
+Examples:
+ * `['US', 'CA', 'MX']` - United States, Canada, and Mexico
+ * `['CN', 'RU', 'IR']` - China, Russia, and Iran
+ * `['GB', 'DE', 'FR']` - United Kingdom, Germany, and France
+
+Optional:
+
+- `mode` (String) Specifies whether the selected countries should be blocked or allowed. Valid values are:
+ * `block` (default) - Traffic from the specified countries will be blocked, while traffic from all other countries will be allowed
+ * `allow` - Only traffic from the specified countries will be allowed, while traffic from all other countries will be blocked
+
+This setting effectively determines whether the `countries` list functions as a blocklist or an allowlist.
+- `traffic_direction` (String) Specifies which traffic direction the geo IP filtering applies to. Valid values are:
+ * `both` (default) - Filters traffic in both directions (incoming and outgoing)
+ * `ingress` - Filters only incoming traffic (from WAN to LAN)
+ * `egress` - Filters only outgoing traffic (from LAN to WAN)
+
+This setting is useful for creating more granular filtering policies. For example, you might want to block incoming traffic from certain countries while still allowing outgoing connections to those same countries.
+
+
+
+### Nested Schema for `tcp_timeouts`
+
+Optional:
+
+- `close_timeout` (Number) Timeout (in seconds) for TCP connections in the CLOSE state. The CLOSE state occurs when a connection is being terminated but may still have packets in transit. Lower values reclaim resources more quickly, while higher values ensure all packets are properly processed during connection termination.
+- `close_wait_timeout` (Number) Timeout (in seconds) for TCP connections in the CLOSE_WAIT state. The CLOSE_WAIT state occurs when the remote end has initiated connection termination, but the local application hasn't closed the connection yet. This timeout prevents resources from being held indefinitely if a local application fails to properly close its connection.
+- `established_timeout` (Number) Timeout (in seconds) for TCP connections in the ESTABLISHED state. This is the most important TCP timeout as it determines how long idle but established connections are maintained in the connection tracking table. Higher values (e.g., 86400 = 24 hours) are suitable for long-lived connections, while lower values conserve resources but may cause issues with applications that maintain idle connections.
+- `fin_wait_timeout` (Number) Timeout (in seconds) for TCP connections in the FIN_WAIT state. The FIN_WAIT states occur during the normal TCP connection termination process after a FIN packet has been sent. This timeout prevents resources from being held if the connection termination process doesn't complete properly.
+- `last_ack_timeout` (Number) Timeout (in seconds) for TCP connections in the LAST_ACK state. The LAST_ACK state occurs during connection termination when the remote end has sent a FIN, the local end has responded with a FIN and ACK, and is waiting for the final ACK from the remote end to complete the connection termination.
+- `syn_recv_timeout` (Number) Timeout (in seconds) for TCP connections in the SYN_RECV state. This state occurs during connection establishment after receiving a SYN packet and sending a SYN-ACK, but before receiving the final ACK to complete the three-way handshake. A lower timeout helps mitigate SYN flood attacks by releasing resources for incomplete connections more quickly.
+- `syn_sent_timeout` (Number) Timeout (in seconds) for TCP connections in the SYN_SENT state. This state occurs during connection establishment after sending a SYN packet but before receiving a SYN-ACK response. This timeout determines how long the system will wait for a response to connection attempts before giving up.
+- `time_wait_timeout` (Number) Timeout (in seconds) for TCP connections in the TIME_WAIT state. The TIME_WAIT state occurs after a connection has been closed but is maintained to ensure any delayed packets are properly handled. The standard recommendation is 2 minutes (120 seconds), but can be reduced in high-connection environments to free resources more quickly at the risk of potential connection issues if delayed packets arrive.
+
+
+
+### Nested Schema for `upnp`
+
+Optional:
+
+- `nat_pmp_enabled` (Boolean) Enable NAT-PMP (NAT Port Mapping Protocol) support alongside UPNP. NAT-PMP is Apple's alternative to UPNP, providing similar automatic port mapping capabilities. When enabled, Apple devices like Macs, iPhones, and iPads can automatically configure port forwarding for services like AirPlay, FaceTime, iMessage, and other Apple services. Defaults to `false`.
+- `secure_mode` (Boolean) Enable secure mode for UPNP. In secure mode, the gateway only forwards ports to the device that specifically requested them, enhancing security. This prevents malicious applications from redirecting ports to different devices than intended. It's strongly recommended to enable this setting when using UPNP to minimize security risks. Defaults to `false`.
+- `wan_interface` (String) Specify which WAN interface to use for UPNP service. Valid values are:
+ * `WAN` (default) - Use the primary WAN interface for UPNP port forwarding
+ * `WAN2` - Use the secondary WAN interface for UPNP port forwarding (if available)
+
+This setting is particularly relevant for dual-WAN setups where you may want to direct UPNP traffic through a specific WAN connection. If your gateway only has a single WAN interface, use the default `WAN` setting.
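Review bot: the two new read-only attributes under `### Read-Only` have descriptions cut off mid-sentence (`geo_ip_filtering_enabled` ends at "will apply the specified country-based", `upnp_enabled` at "forward ports for UPNP-compatible devices"); this file is generated, so complete the sentences in the schema description strings. The `countries` examples use single-quoted `['US', 'CA', 'MX']`, which is not valid HCL; write them as `["US", "CA", "MX"]`. For `secure_mode`, the text says enabling it is "strongly recommended" yet it defaults to `false`; either default it to `true` so the safe behaviour is what users get when they omit it, or say explicitly in the description why the default is the permissive one.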
diff --git a/docs/resources/setting_usw.md b/docs/resources/setting_usw.md
new file mode 100644
index 0000000..d40f570
--- /dev/null
+++ b/docs/resources/setting_usw.md
@@ -0,0 +1,38 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "unifi_setting_usw Resource - terraform-provider-unifi"
+subcategory: ""
+description: |-
+ Manages UniFi Switch (USW) settings for a UniFi site. These settings control global switch behaviors such as DHCP snooping.
+---
+
+# unifi_setting_usw (Resource)
+
+Manages UniFi Switch (USW) settings for a UniFi site. These settings control global switch behaviors such as DHCP snooping.
+
+## Example Usage
+
+```terraform
+resource "unifi_setting_usw" "example" {
+ # Enable DHCP snooping to protect against rogue DHCP servers
+ dhcp_snoop = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
+```
+
+
+## Schema
+
+### Required
+
+- `dhcp_snoop` (Boolean) Whether DHCP snooping is enabled. DHCP snooping is a security feature that filters untrusted DHCP messages and builds a binding database of valid hosts.
+
+### Optional
+
+- `site` (String) The name of the UniFi site where this resource should be applied. If not specified, the default site will be used.
+
+### Read-Only
+
+- `id` (String) The unique identifier of this resource.
diff --git a/examples/data-sources/unifi_dns_record/data-source.tf b/examples/data-sources/unifi_dns_record/data-source.tf
index 25e0e3c..a568893 100644
--- a/examples/data-sources/unifi_dns_record/data-source.tf
+++ b/examples/data-sources/unifi_dns_record/data-source.tf
@@ -1,11 +1,7 @@
data "unifi_dns_record" "by_name" {
- filter {
- name = "example.mydomain.com"
- }
+ name = "example.mydomain.com"
}
data "unifi_dns_record" "by_record" {
- filter {
- record = "192.168.0.1"
- }
+ record = "192.168.0.1"
}
\ No newline at end of file
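Review bot: replacing the `filter { ... }` block with top-level `name` / `record` arguments is a breaking change for anyone using the `unifi_dns_record` data source from the previous release; make sure the data-source docs and the migration guide in this PR call it out with the before/after form. Also add the trailing newline the file now lacks.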
diff --git a/examples/resources/unifi_firewall_zone/import.sh b/examples/resources/unifi_firewall_zone/import.sh
new file mode 100644
index 0000000..de162f9
--- /dev/null
+++ b/examples/resources/unifi_firewall_zone/import.sh
@@ -0,0 +1,5 @@
+# import from provider configured site
+terraform import unifi_firewall_zone.myzone 5dc28e5e9106d105bdc87217
+
+# import from another site
+terraform import unifi_firewall_zone.myzone another-site:5dc28e5e9106d105bdc87217
diff --git a/examples/resources/unifi_firewall_zone/resource.tf b/examples/resources/unifi_firewall_zone/resource.tf
new file mode 100644
index 0000000..eca918c
--- /dev/null
+++ b/examples/resources/unifi_firewall_zone/resource.tf
@@ -0,0 +1,11 @@
+resource "unifi_network" "network" {
+ name = "my-network"
+ purpose = "corporate"
+ subnet = "10.0.10.0/24"
+ vlan_id = "400"
+}
+
+resource "unifi_firewall_zone" "zone" {
+ name = "my-zone"
+ networks = [unifi_network.network.id]
+}
\ No newline at end of file
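Review bot: `vlan_id = "400"` is written as a quoted string here (and in the zone-policy example) while the `unifi_setting_ips` example uses a bare number (`vlan_id = 10`); use the form that matches the schema type in all examples so readers don't copy a value that fails validation. The file is also missing its trailing newline.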
diff --git a/examples/resources/unifi_firewall_zone_policy/import.sh b/examples/resources/unifi_firewall_zone_policy/import.sh
new file mode 100644
index 0000000..f24d5c9
--- /dev/null
+++ b/examples/resources/unifi_firewall_zone_policy/import.sh
@@ -0,0 +1,5 @@
+# import from provider configured site
+terraform import unifi_network.mynetwork 5dc28e5e9106d105bdc87217
+
+# import from another site
+terraform import unifi_network.mynetwork zone:5dc28e5e9106d105bdc87217
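Review bot: both import commands are wrong for this resource: they target `unifi_network.mynetwork` instead of a `unifi_firewall_zone_policy` address, and the second uses a `zone:` prefix where the other-site form used by the zone import example is `another-site:<id>`. Suggest `terraform import unifi_firewall_zone_policy.mypolicy 5dc28e5e9106d105bdc87217` and `terraform import unifi_firewall_zone_policy.mypolicy another-site:5dc28e5e9106d105bdc87217`.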
diff --git a/examples/resources/unifi_firewall_zone_policy/resource.tf b/examples/resources/unifi_firewall_zone_policy/resource.tf
new file mode 100644
index 0000000..df70cba
--- /dev/null
+++ b/examples/resources/unifi_firewall_zone_policy/resource.tf
@@ -0,0 +1,63 @@
+resource "unifi_network" "network" {
+ name = "my-network"
+ purpose = "corporate"
+ subnet = "10.0.10.0/24"
+ vlan_id = "400"
+}
+
+resource "unifi_firewall_zone" "src" {
+ name = "my-source-zone"
+ networks = [unifi_network.network.id]
+}
+
+resource "unifi_firewall_zone" "dst" {
+ name = "my-destination-zone"
+}
+
+# Allow TCP/UDP traffic from any ip and port other than 192.168.1.1 and 443 in `src` zone to `dst` zone
+resource "unifi_firewall_zone_policy" "policy" {
+ name = "my-zone-policy"
+ action = "ALLOW"
+ protocol = "tcp_udp"
+
+ source = {
+ zone_id = unifi_firewall_zone.src.id
+ ips = ["192.168.1.1"]
+ port = "443"
+ match_opposite_ips = true
+ match_opposite_ports = true
+ }
+
+ destination = {
+ zone_id = unifi_firewall_zone.dst.id
+ }
+
+ schedule = {
+ mode = "EVERY_DAY"
+ time_all_day = false
+ time_from = "08:00"
+ time_to = "17:00"
+ }
+}
+
+resource "unifi_firewall_group" "web-ports" {
+ name = "web-apps"
+ type = "port-group"
+ members = ["80", "443"]
+}
+
+# Block TCP/UDP traffic from any ip and port in `src` zone to `dst` zone ports 80 and 443 defined in port group
+resource "unifi_firewall_zone_policy" "policy2" {
+ name = "my-policy-2"
+ action = "BLOCK"
+ protocol = "tcp_udp"
+
+ source = {
+ zone_id = unifi_firewall_zone.src.id
+ }
+
+ destination = {
+ zone_id = unifi_firewall_zone.dst.id
+ port_group_id = unifi_firewall_group.web-ports.id
+ }
+}
\ No newline at end of file
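Review bot: `unifi_firewall_zone.dst` is declared with no `networks`, so neither policy matches any destination traffic until a network is attached to that zone; either attach a second network or add a comment saying the empty zone is intentional, otherwise a reader testing the example will see no effect. The file is also missing its trailing newline.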
diff --git a/examples/resources/unifi_portal_file/resource.tf b/examples/resources/unifi_portal_file/resource.tf
new file mode 100644
index 0000000..c3c4a13
--- /dev/null
+++ b/examples/resources/unifi_portal_file/resource.tf
@@ -0,0 +1,3 @@
+resource "unifi_portal_file" "file" {
+ file_path = "/Users/username/Downloads/portal.png"
+}
\ No newline at end of file
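Review bot: `file_path = "/Users/username/Downloads/portal.png"` is a machine-specific absolute path; the guest-access example in this PR uses the relative `logo.png`, so use a relative form such as `"${path.module}/portal.png"` for a portable example. The file is also missing its trailing newline.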
diff --git a/examples/resources/unifi_setting_auto_speedtest/resource.tf b/examples/resources/unifi_setting_auto_speedtest/resource.tf
new file mode 100644
index 0000000..2e6b3cb
--- /dev/null
+++ b/examples/resources/unifi_setting_auto_speedtest/resource.tf
@@ -0,0 +1,11 @@
+resource "unifi_setting_auto_speedtest" "example" {
+ # Enable automatic speedtest functionality
+ enabled = true
+
+ # Schedule for running speedtests using cron syntax
+ # This example runs at midnight every day
+ cron = "0 0 * * *"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_country/resource.tf b/examples/resources/unifi_setting_country/resource.tf
new file mode 100644
index 0000000..ba1491c
--- /dev/null
+++ b/examples/resources/unifi_setting_country/resource.tf
@@ -0,0 +1,8 @@
+resource "unifi_setting_country" "example" {
+ # Set the country code using ISO 3166-1 alpha-2 format
+ # This example sets the country to United States
+ code = "US"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_dpi/resource.tf b/examples/resources/unifi_setting_dpi/resource.tf
new file mode 100644
index 0000000..3bd42b4
--- /dev/null
+++ b/examples/resources/unifi_setting_dpi/resource.tf
@@ -0,0 +1,10 @@
+resource "unifi_setting_dpi" "example" {
+ # Enable Deep Packet Inspection
+ enabled = true
+
+ # Enable DPI fingerprinting for more accurate application identification
+ fingerprinting_enabled = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_guest_access/resource.tf b/examples/resources/unifi_setting_guest_access/resource.tf
new file mode 100644
index 0000000..39434c8
--- /dev/null
+++ b/examples/resources/unifi_setting_guest_access/resource.tf
@@ -0,0 +1,94 @@
+# Configure guest access settings for your UniFi network
+# This example demonstrates a comprehensive guest portal setup with various authentication options
+
+resource "unifi_portal_file" "logo" {
+ file_path = "logo.png"
+}
+
+resource "unifi_setting_guest_access" "guest_portal" {
+ # Basic configuration
+ auth = "hotspot" # Authentication type: none, hotspot, custom, or external
+ portal_enabled = true # Enable the guest portal
+ portal_use_hostname = true # Use hostname for the portal
+ portal_hostname = "guest.example.com" # Portal hostname
+ template_engine = "angular" # Portal template engine (angular or jsp)
+
+ # Expiration settings for guest access
+ expire = 1440 # Minutes until expiration
+ expire_number = 1 # Number of time units
+ expire_unit = 1440 # Time unit in minutes
+
+ # Enable external captive portal detection
+ ec_enabled = true
+
+ # Password protection for guest access
+ password = "guest-access-password"
+
+ # Google authentication
+ google {
+ client_id = "your-google-client-id"
+ client_secret = "your-google-client-secret"
+ domain = "example.com" # Optional: limit sign-ins to a specific domain
+ scope_email = true # Request email addresses during sign-in
+ }
+
+ # Payment option (PayPal)
+ payment_gateway = "paypal"
+ paypal {
+ username = "business@example.com"
+ password = "paypal-api-password"
+ signature = "paypal-api-signature"
+ use_sandbox = true # Set to false for production
+ }
+
+ # Redirecting guests after authentication
+ redirect {
+ url = "https://example.com/welcome"
+ use_https = true
+ to_https = true
+ }
+
+ # Restricted DNS for guests
+ restricted_dns_servers = [
+ "1.1.1.1",
+ "8.8.8.8"
+ ]
+
+ # Portal customization options
+ portal_customization {
+ customized = true
+
+ # Portal appearance
+ title = "Welcome to Our Guest Network"
+ welcome_text = "Thanks for visiting our location. Please enjoy our complimentary WiFi."
+ welcome_text_enabled = true
+ welcome_text_position = "top"
+
+ # Color scheme
+ bg_color = "#f5f5f5"
+ text_color = "#333333"
+ link_color = "#0078d4"
+
+ # Authentication dialog box
+ box_color = "#ffffff"
+ box_text_color = "#333333"
+ box_link_color = "#0078d4"
+ box_opacity = 90
+ box_radius = 5
+
+ # Logo
+ logo_file_id = unifi_portal_file.logo.id
+
+ # Button styling
+ button_color = "#0078d4"
+ button_text_color = "#ffffff"
+ button_text = "Connect"
+
+ # Legal information / Terms of Service
+ tos_enabled = true
+ tos = "By using this service, you agree to our terms and conditions. Unauthorized use is prohibited."
+
+ # Languages supported
+ languages = ["PL"]
+ }
+}
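Review bot: the example hardcodes credentials in plain text (`password`, `google.client_secret`, `paypal.password`, `paypal.signature`); examples get copied verbatim, so show them sourced from variables declared `sensitive = true` and add a comment that these values are stored in Terraform state regardless. Two smaller points: `languages = ["PL"]` while all portal strings are English, so either use the matching language or show a translated text; and the three expiry fields (`expire`, `expire_number`, `expire_unit`) need one comment explaining how they relate, since "Minutes until expiration" and "Time unit in minutes" both being 1440 reads as a contradiction.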
diff --git a/examples/resources/unifi_setting_ips/resource.tf b/examples/resources/unifi_setting_ips/resource.tf
new file mode 100644
index 0000000..44c1034
--- /dev/null
+++ b/examples/resources/unifi_setting_ips/resource.tf
@@ -0,0 +1,67 @@
+
+resource "unifi_network" "test" {
+ name = "My Network"
+ purpose = "corporate"
+ subnet = "192.168.1.0/24"
+ vlan_id = 10
+}
+
+resource "unifi_setting_ips" "example" {
+ # Set IPS mode to "ips" (Intrusion Prevention System)
+ # Other valid options: "ids" (Intrusion Detection System) or "disabled"
+ ips_mode = "ips"
+
+ # Networks on which IPS/IDS should be enabled
+ enabled_networks = [unifi_network.test.id]
+
+ # Advanced filtering preference
+ # Valid options: "disabled", "manual", or "auto"
+ advanced_filtering_preference = "manual"
+
+ # Categories of threats to detect/prevent
+ enabled_categories = [
+ "emerging-dos",
+ "emerging-exploit",
+ "emerging-malware"
+ ]
+
+ # Ad blocking configuration
+ ad_blocked_networks = [unifi_network.test.id]
+
+ # Honeypot configuration
+ honeypots = [
+ {
+ ip_address = "192.168.1.10"
+ network_id = unifi_network.test.id
+ }
+ ]
+
+ # DNS filtering configuration
+ dns_filters = [
+ {
+ name = "Work Filter"
+ filter = "work"
+ description = "Block non-work related sites"
+
+ # Sites that are always allowed
+ allowed_sites = [
+ "example.com",
+ "company.com"
+ ]
+
+ # Sites that are always blocked
+ blocked_sites = [
+ "gaming.example.com",
+ "social.example.com"
+ ]
+
+ # Top-level domains to block
+ blocked_tld = [
+ "xyz"
+ ]
+ }
+ ]
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
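Review bot: the file starts with an empty line; drop it so the generated docs don't begin the code block with a blank. `vlan_id = 10` is a bare number here while the firewall-zone examples quote it as `"400"`; align the type across examples.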
diff --git a/examples/resources/unifi_setting_lcm/resource.tf b/examples/resources/unifi_setting_lcm/resource.tf
new file mode 100644
index 0000000..8ccb59f
--- /dev/null
+++ b/examples/resources/unifi_setting_lcm/resource.tf
@@ -0,0 +1,19 @@
+resource "unifi_setting_lcd_monitor" "example" {
+ # Enable LCD monitor functionality
+ enabled = true
+
+ # Set the brightness level (0-100)
+ brightness = 75
+
+ # Set the idle timeout in seconds before the display dims
+ idle_timeout = 300
+
+ # Enable synchronization of settings across all devices
+ sync = true
+
+ # Enable touch events on the LCD screen
+ touch_event = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
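Review bot: the example directory is `examples/resources/unifi_setting_lcm/` but the resource declared is `unifi_setting_lcd_monitor`; terraform-plugin-docs matches example files to resources by directory name, so the generated page for this resource will have no example until one of the two is renamed to match.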
diff --git a/examples/resources/unifi_setting_locale/resource.tf b/examples/resources/unifi_setting_locale/resource.tf
new file mode 100644
index 0000000..ff37c0e
--- /dev/null
+++ b/examples/resources/unifi_setting_locale/resource.tf
@@ -0,0 +1,7 @@
+resource "unifi_setting_locale" "example" {
+ # Set the timezone using IANA timezone identifier format
+ timezone = "America/New_York"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_magic_site_to_site_vpn/resource.tf b/examples/resources/unifi_setting_magic_site_to_site_vpn/resource.tf
new file mode 100644
index 0000000..1808f1d
--- /dev/null
+++ b/examples/resources/unifi_setting_magic_site_to_site_vpn/resource.tf
@@ -0,0 +1,7 @@
+resource "unifi_setting_magic_site_to_site_vpn" "example" {
+ # Enable Magic Site-to-Site VPN functionality
+ enabled = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_mgmt/resource.tf b/examples/resources/unifi_setting_mgmt/resource.tf
index 4f4e2f4..6963e67 100644
--- a/examples/resources/unifi_setting_mgmt/resource.tf
+++ b/examples/resources/unifi_setting_mgmt/resource.tf
@@ -3,6 +3,37 @@ resource "unifi_site" "example" {
}
resource "unifi_setting_mgmt" "example" {
- site = unifi_site.example.name
+ # Reference a specific site (optional, defaults to site configured in provider, otherwise "default")
+ site = unifi_site.example.name
+
+ # Auto upgrade settings
auto_upgrade = true
+ auto_upgrade_hour = 3
+
+ # Device management settings
+ advanced_feature_enabled = true
+ alert_enabled = true
+ boot_sound = false
+ debug_tools_enabled = true
+ direct_connect_enabled = false
+ led_enabled = true
+ outdoor_mode_enabled = false
+ unifi_idp_enabled = false
+ wifiman_enabled = true
+
+ # SSH access configuration
+ ssh_enabled = true
+ ssh_auth_password_enabled = true
+ ssh_bind_wildcard = false
+ ssh_username = "admin"
+
+ # Optional: SSH key configuration
+ ssh_key = [
+ {
+ name = "Admin Key"
+ type = "ssh-rsa"
+ key = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxx..."
+ comment = "admin@example.com"
+ }
+ ]
}
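Review bot: the example enables `ssh_auth_password_enabled = true` while also provisioning an `ssh_key`; since the key block exists so that access is key-based, show `ssh_auth_password_enabled = false` (or comment why password auth is kept on) so that what gets copied is the hardened configuration. `debug_tools_enabled = true` deserves a similar comment that it is a troubleshooting setting rather than a recommended default.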
diff --git a/examples/resources/unifi_setting_network_optimization/resource.tf b/examples/resources/unifi_setting_network_optimization/resource.tf
new file mode 100644
index 0000000..f474709
--- /dev/null
+++ b/examples/resources/unifi_setting_network_optimization/resource.tf
@@ -0,0 +1,7 @@
+resource "unifi_setting_network_optimization" "example" {
+ # Enable network optimization features
+ enabled = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_ntp/resource.tf b/examples/resources/unifi_setting_ntp/resource.tf
new file mode 100644
index 0000000..e43946c
--- /dev/null
+++ b/examples/resources/unifi_setting_ntp/resource.tf
@@ -0,0 +1,14 @@
+resource "unifi_setting_ntp" "example" {
+ # Set NTP mode to manual to specify custom NTP servers
+ # Valid options: "auto" or "manual"
+ mode = "manual"
+
+ # Configure up to four NTP servers
+ ntp_server_1 = "time.cloudflare.com"
+ ntp_server_2 = "pool.ntp.org"
+ ntp_server_3 = "time.google.com"
+ ntp_server_4 = "0.pool.ntp.org"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_radius/resource.tf b/examples/resources/unifi_setting_radius/resource.tf
new file mode 100644
index 0000000..2acb9eb
--- /dev/null
+++ b/examples/resources/unifi_setting_radius/resource.tf
@@ -0,0 +1,17 @@
+resource "unifi_setting_radius" "example" {
+ # Enable RADIUS functionality
+ enabled = true
+
+ # RADIUS server secret
+ secret = "your-secure-secret"
+
+ # Optional: Enable RADIUS accounting
+ accounting_enabled = true
+
+ # Optional: Configure custom ports
+ auth_port = 1812
+ accounting_port = 1813
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
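Review bot: `secret = "your-secure-secret"` puts the RADIUS shared secret in plain text in the example; as with the guest-access example, source it from a variable declared `sensitive = true` and note that it still lands in state.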
diff --git a/examples/resources/unifi_setting_rsyslogd/resource.tf b/examples/resources/unifi_setting_rsyslogd/resource.tf
new file mode 100644
index 0000000..400222d
--- /dev/null
+++ b/examples/resources/unifi_setting_rsyslogd/resource.tf
@@ -0,0 +1,25 @@
+resource "unifi_setting_rsyslogd" "example" {
+ # Enable remote syslog functionality
+ enabled = true
+
+ # Remote syslog server IP address
+ ip = "192.168.1.200"
+
+ # Remote syslog server port
+ port = 514
+
+ # Types of log content to send
+ # Valid options: "device", "client", "admin_activity"
+ contents = ["device", "client", "admin_activity"]
+
+ # Enable debug logging
+ debug = true
+
+ # Netconsole configuration (optional)
+ netconsole_enabled = true
+ netconsole_host = "192.168.1.150"
+ netconsole_port = 1514
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_ssl_inspection/resource.tf b/examples/resources/unifi_setting_ssl_inspection/resource.tf
new file mode 100644
index 0000000..97c9a8c
--- /dev/null
+++ b/examples/resources/unifi_setting_ssl_inspection/resource.tf
@@ -0,0 +1,8 @@
+resource "unifi_setting_ssl_inspection" "example" {
+ # Configure SSL inspection state
+ # Valid options: "off", "simple", "advanced"
+ state = "advanced"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_teleport/resource.tf b/examples/resources/unifi_setting_teleport/resource.tf
new file mode 100644
index 0000000..e9e9ab8
--- /dev/null
+++ b/examples/resources/unifi_setting_teleport/resource.tf
@@ -0,0 +1,11 @@
+resource "unifi_setting_teleport" "example" {
+ # Enable Teleport remote access functionality
+ enabled = true
+
+ # Optional subnet configuration for Teleport
+ # Specify a CIDR notation subnet for Teleport to use
+ subnet = "192.168.100.0/24"
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/examples/resources/unifi_setting_usg/resource.tf b/examples/resources/unifi_setting_usg/resource.tf
new file mode 100644
index 0000000..3562764
--- /dev/null
+++ b/examples/resources/unifi_setting_usg/resource.tf
@@ -0,0 +1,89 @@
+resource "unifi_setting_usg" "example" {
+ # Geo IP Filtering Configuration
+ geo_ip_filtering = {
+ block = "block" # Options: "block" or "allow"
+ countries = ["UK", "CN", "AU"]
+ traffic_direction = "both" # Options: "both", "ingress", or "egress"
+ }
+
+ # UPNP Configuration
+ upnp = {
+ nat_pmp_enabled = true
+ secure_mode = true
+ wan_interface = "WAN"
+ }
+
+ # DNS Verification Settings
+ dns_verification = {
+ domain = "example.com"
+ primary_dns_server = "1.1.1.1"
+ secondary_dns_server = "1.0.0.1"
+ setting_preference = "manual" # Options: "auto" or "manual"
+ }
+
+ # TCP Timeout Settings
+ tcp_timeouts = {
+ close_timeout = 10
+ established_timeout = 3600
+ close_wait_timeout = 20
+ fin_wait_timeout = 30
+ last_ack_timeout = 30
+ syn_recv_timeout = 60
+ syn_sent_timeout = 120
+ time_wait_timeout = 120
+ }
+
+ # ARP Cache Configuration
+ arp_cache_timeout = "custom" # Options: "auto" or "custom"
+ arp_cache_base_reachable = 60
+
+ # DHCP Configuration
+ broadcast_ping = true
+ dhcpd_hostfile_update = true
+ dhcpd_use_dnsmasq = true
+ dnsmasq_all_servers = true
+
+ # DHCP Relay Configuration
+ dhcp_relay = {
+ agents_packets = "forward" # Options: "forward" or "replace"
+ hop_count = 5
+ }
+ dhcp_relay_servers = ["10.1.2.3", "10.1.2.4"]
+
+ # Network Tools
+ echo_server = "echo.example.com"
+
+ # Protocol Modules
+ ftp_module = true
+ gre_module = true
+ tftp_module = true
+
+ # ICMP & LLDP Settings
+ icmp_timeout = 20
+ lldp_enable_all = true
+
+ # MSS Clamp Settings
+ mss_clamp = "auto" # Options: "auto" or "custom"
+ mss_clamp_mss = 1452
+
+ # Offload Settings
+ offload_accounting = true
+ offload_l2_blocking = true
+ offload_scheduling = false
+
+ # Timeout Settings
+ other_timeout = 600
+ timeout_setting_preference = "auto" # Options: "auto" or "custom"
+
+ # Security Settings
+ receive_redirects = false
+ send_redirects = true
+ syn_cookies = true
+
+ # UDP Timeout Settings
+ udp_other_timeout = 30
+ udp_stream_timeout = 120
+
+ # Specify the site (optional)
+ # site = "default"
+}
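Review bot: several values here contradict the `unifi_setting_usg` schema docs added in this same PR. `geo_ip_filtering` uses `block = "block"` but the nested schema's attribute is `mode`; `"UK"` is not an ISO 3166-1 alpha-2 code (the United Kingdom is `GB`, which the docs' own example uses); the `agents_packets` comment lists only `forward` / `replace` while the schema accepts `append`, `discard`, `forward`, `replace`; and the `timeout_setting_preference` comment offers `"auto"` or `"custom"` while the docs describe `manual`. Separately, `timeout_setting_preference = "auto"` is set next to explicit `tcp_timeouts`, `udp_*`, `icmp_timeout` and `other_timeout` values, and `mss_clamp = "auto"` next to `mss_clamp_mss`; per the docs the explicit values only apply under the manual setting, so either switch the preference or drop the values so the example does not suggest they take effect.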
diff --git a/examples/resources/unifi_setting_usw/resource.tf b/examples/resources/unifi_setting_usw/resource.tf
new file mode 100644
index 0000000..661c681
--- /dev/null
+++ b/examples/resources/unifi_setting_usw/resource.tf
@@ -0,0 +1,7 @@
+resource "unifi_setting_usw" "example" {
+ # Enable DHCP snooping to protect against rogue DHCP servers
+ dhcp_snoop = true
+
+ # Specify the site (optional, defaults to site configured in provider, otherwise "default")
+ # site = "default"
+}
diff --git a/internal/provider/firewall/resource_firewall_zone.go b/internal/provider/firewall/resource_firewall_zone.go
index ddcffd4..94487e1 100644
--- a/internal/provider/firewall/resource_firewall_zone.go
+++ b/internal/provider/firewall/resource_firewall_zone.go
@@ -108,7 +108,9 @@ func (r *firewallZoneResource) Schema(_ context.Context, _ resource.SchemaReques
resp.Schema = schema.Schema{
MarkdownDescription: "The `unifi_firewall_zone` resource manages firewall zones in the UniFi controller.\n\n" +
"Firewall zones allow you to group networks together for firewall rule application. " +
- "This resource allows you to create, update, and delete firewall zones.",
+ "This resource allows you to create, update, and delete firewall zones.\n\n" +
+ "!> This is experimental feature, that requires UniFi OS 9.0.0 or later and Zone Based Firewall feature enabled. " +
+ "Check [official documentation](https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi) how to migate to Zone-Based firewalls.",
Attributes: map[string]schema.Attribute{
"id": ut.ID(),
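Review bot: typos in the added warning text: "This is experimental feature" should be "This is an experimental feature", and "migate" should be "migrate"; the sentence also mixes "Zone Based Firewall" and "Zone-Based firewalls". This is user-visible in the generated docs, so worth fixing before merge.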
diff --git a/internal/provider/firewall/resource_firewall_zone_policy.go b/internal/provider/firewall/resource_firewall_zone_policy.go
index 59f73be..8535272 100644
--- a/internal/provider/firewall/resource_firewall_zone_policy.go
+++ b/internal/provider/firewall/resource_firewall_zone_policy.go
@@ -600,9 +600,10 @@ func NewFirewallZonePolicyResource() resource.Resource {
// Schema defines the schema for the resource
func (r *firewallZonePolicyResource) Schema(ctx context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
- MarkdownDescription: "The `unifi_firewall_zone_policy` resource manages firewall policies between zones in the UniFi controller.\n\n" +
- "Firewall zone policies control traffic flow between different firewall zones. " +
- "This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.",
+ MarkdownDescription: "The `unifi_firewall_zone_policy` resource manages firewall policies between zones in the UniFi controller. " +
+ "This resource allows you to create, update, and delete policies that define allowed or blocked traffic between zones.\n\n" +
+ "!> This is experimental feature, that requires UniFi OS 9.0.0 or later and Zone Based Firewall feature enabled. " +
+ "Check [official documentation](https://help.ui.com/hc/en-us/articles/28223082254743-Migrating-to-Zone-Based-Firewalls-in-UniFi) how to migate to Zone-Based firewalls.",
Attributes: map[string]schema.Attribute{
"id": ut.ID(),
"site": ut.SiteAttribute(),
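Review bot: the same `migate` and `This is experimental feature, that` typos appear in this string and should be fixed together with `resource_firewall_zone.go`, ideally by sharing a single constant. Separately, the rewrite drops the sentence `Firewall zone policies control traffic flow between different firewall zones.`, which was the only line defining what a zone policy is; the remaining text says what the resource can do (create, update, delete) but no longer says what the object is. Keep that sentence ahead of the create/update/delete sentence so the description still defines the resource.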
diff --git a/templates/index.md.tmpl b/templates/index.md.tmpl
index 2f9793d..9be6779 100644
--- a/templates/index.md.tmpl
+++ b/templates/index.md.tmpl
@@ -71,3 +71,139 @@ Using Username/Password authentication:
{{ .SchemaMarkdown | trimspace }}
## Migrating from paultyng/terraform-provider-unifi
+
+This provider is a fork of the original [paultyng/terraform-provider-unifi](https://github.com/paultyng/terraform-provider-unifi) with significant enhancements, improvements, and additional features. If you're currently using the original provider, this guide will help you migrate to this enhanced version.
+
+### Key Differences and Improvements
+
+| Feature | paultyng/unifi | filipowm/unifi |
+|---------|---------------|----------------|
+| Framework | Terraform SDK v2 | Terraform Plugin Framework |
+| Controller Support | UniFi Controller v6.x | UniFi Controller v6.x and later (including v9.x) |
+| Authentication | Username/Password | Username/Password and API Key |
+| Resource Organization | Flat structure | Organized by domain (settings, dns, etc.) |
+| Validation | Basic | Enhanced with custom validators |
+| Documentation | Basic | Comprehensive with examples |
+| Settings Resources | Limited | Expanded (IPS, Guest Access, etc.) |
+| DNS Management | Limited | Enhanced with dedicated resources |
+
+### Migration Steps
+
+1. **Update Provider Configuration**
+
+ Change your provider source from `paultyng/unifi` to `filipowm/unifi`:
+
+ ```hcl
+ terraform {
+ required_providers {
+ unifi = {
+ source = "filipowm/unifi"
+ version = "~> 0.0.1" # Use the latest version
+ }
+ }
+ }
+ ```
+
+2. **Authentication Updates**
+
+ The provider configuration remains compatible, but now offers API Key authentication as an alternative to username/password:
+
+ ```hcl
+ # Using API Key (recommended for newer controllers)
+ provider "unifi" {
+ api_key = var.api_key
+ api_url = var.api_url
+ allow_insecure = var.insecure
+ }
+
+ # Using Username/Password (backward compatible)
+ provider "unifi" {
+ username = var.username
+ password = var.password
+ api_url = var.api_url
+ allow_insecure = var.insecure
+ }
+ ```
+
+3. **Resource State Migration**
+
+ Most resources maintain backward compatibility, so your existing state should migrate seamlessly. However, for resources with enhanced functionality, you may need to run `terraform import` to reconcile state differences.
+
+ ```bash
+ # Example: Re-importing a network resource
+ terraform import unifi_network.my_network 5dc28e5e9106d105bdc87217
+ ```
+
+4. **Enhanced Resource Configuration**
+
+ Take advantage of new validation and configuration options:
+
+ - Use the new validators for attributes like URLs, emails, and hostnames
+ - Leverage nested attributes for more organized configuration
+ - Utilize new settings resources for comprehensive network management
+
+### New and Enhanced Resources
+
+#### New Settings Resources
+
+- `unifi_setting_auto_speedtest` - Manage automatic speed test configuration
+- `unifi_setting_country` - Configure country settings
+- `unifi_setting_dpi` - Manage Deep Packet Inspection settings
+- `unifi_setting_guest_access` - Configure guest network access settings
+- `unifi_setting_ips` - Manage Intrusion Prevention System settings
+- `unifi_setting_lcd_monitor` - Configure LCD monitor settings for devices
+- `unifi_setting_locale` - Set locale preferences
+- `unifi_setting_magic_site_to_site_vpn` - Configure site-to-site VPN
+- `unifi_setting_mgmt` - Manage management settings
+- `unifi_setting_network_optimization` - Configure network optimization
+- `unifi_setting_ntp` - Manage NTP server settings
+- `unifi_setting_radius` - Configure RADIUS server settings
+- `unifi_setting_rsyslogd` - Manage remote syslog settings
+- `unifi_setting_ssl_inspection` - Configure SSL inspection
+- `unifi_setting_teleport` - Manage Teleport settings
+- `unifi_setting_usg` - Configure UniFi Security Gateway settings
+- `unifi_setting_usw` - Manage UniFi Switch settings
+
+#### Enhanced DNS Management
+
+- `unifi_dns_record` - Create and manage DNS records
+
+#### Other Improvements
+
+- Enhanced validation for all resources
+- Better error messages and diagnostics
+- Improved documentation with comprehensive examples
+- Support for the latest UniFi Controller features
+
+### Developer-Focused Improvements
+
+For developers extending or customizing the provider:
+
+1. **Framework Migration**
+ - Migrated from Terraform SDK v2 to Terraform Plugin Framework
+ - Better type safety and validation capabilities
+ - Enhanced testing infrastructure
+
+2. **Code Organization**
+ - Resources organized by domain in separate packages
+ - Base types and utilities for consistent implementation
+ - Custom validators for common validation patterns
+
+3. **Testing**
+ - Comprehensive acceptance tests
+ - Test helpers and utilities
+ - Improved test stability
+
+### Compatibility Notes
+
+- The provider maintains backward compatibility with existing configurations where possible
+- Some advanced features may require updates to your configuration
+- The provider follows semantic versioning for releases
+
+### Getting Help
+
+If you encounter issues during migration:
+
+1. Check the [documentation](https://registry.terraform.io/providers/filipowm/unifi/latest/docs)
+2. Review examples in the [GitHub repository](https://github.com/filipowm/terraform-provider-unifi)
+3. Open an issue on GitHub for assistance
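Review bot: the migration snippet pins `version = "~> 0.0.1"` next to the comment `# Use the latest version`, which contradicts itself: `~> 0.0.1` only admits 0.0.x releases, so anyone following the guide will never receive later releases and the comment is misleading. Either drop the constraint from the example or pin to the current release line. Two further points for this guide: both provider blocks set `allow_insecure = var.insecure` with no caveat, and since the first block carries `api_key` (a long-lived credential) the text should state that disabling TLS verification exposes the key or the username/password to interception and is only acceptable when the controller is reached over a trusted path, with a pointer to installing a trusted certificate instead; and step 3 tells readers they "may need to run `terraform import`" for "resources with enhanced functionality" without naming the resources or saying how to recognise the situation (for example, `terraform plan` proposing replacement of a resource that has not changed), so list the affected resources or link the changelog entry that does.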