Firewall

Firewall Lockdowns

resource cloudflare_zone_lockdown

required
zone_id: String

Defines an identifier.

urls: List[String]

The URLs to include in the current WAF override. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

configurations: List[Attributes]

A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of ip or ip_range configurations.

target?: String

The configuration target. You must set the target to ip when specifying an IP address in the Zone Lockdown rule.

value?: String

The IP address to match. This address will be compared to the IP address of incoming requests.

optional
description?: String

An informative summary of the rule. This value is sanitized and any tags will be removed.

priority?: Float64

The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority.

paused?: Bool

When true, indicates that the rule is currently paused.

computed
id: String

The unique identifier of the Zone Lockdown rule.

created_on: Time

The timestamp of when the rule was created.

modified_on: Time

The timestamp of when the rule was last modified.

cloudflare_zone_lockdown

resource "cloudflare_zone_lockdown" "example_zone_lockdown" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  configurations = [{
    target = "ip"
    value = "198.51.100.4"
  }]
  urls = ["shop.example.com/*"]
  description = "Prevent multiple login failures to mitigate brute force attacks"
  paused = false
  priority = 5
}

data cloudflare_zone_lockdown

required
zone_id: String

Defines an identifier.

optional
lock_downs_id?: String

The unique identifier of the Zone Lockdown rule.

filter?: Attributes
created_on?: Time

The timestamp of when the rule was created.

description?: String

A string to search for in the description of existing rules.

ip?: String

A single IP address to search for in existing rules.

modified_on?: Time

The timestamp of when the rule was last modified.

priority?: Float64

The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority.

computed
id: String

The unique identifier of the Zone Lockdown rule.

created_on: Time

The timestamp of when the rule was created.

description: String

An informative summary of the rule.

modified_on: Time

The timestamp of when the rule was last modified.

paused: Bool

When true, indicates that the rule is currently paused.

urls: List[String]

The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

configurations: List[Attributes]

A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of ip or ip_range configurations.

target: String

The configuration target. You must set the target to ip when specifying an IP address in the Zone Lockdown rule.

value: String

The IP address to match. This address will be compared to the IP address of incoming requests.

cloudflare_zone_lockdown

data "cloudflare_zone_lockdown" "example_zone_lockdown" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  lock_downs_id = "372e67954025e0ba6aaa6d586b9e0b59"
}

data cloudflare_zone_lockdowns

required
zone_id: String

Defines an identifier.

optional
created_on?: Time

The timestamp of when the rule was created.

description?: String

A string to search for in the description of existing rules.

ip?: String

A single IP address to search for in existing rules.

modified_on?: Time

The timestamp of when the rule was last modified.

priority?: Float64

The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier of the Zone Lockdown rule.

configurations: List[Attributes]

A list of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the Zone Lockdown rule. You can include any number of ip or ip_range configurations.

target: String

The configuration target. You must set the target to ip when specifying an IP address in the Zone Lockdown rule.

value: String

The IP address to match. This address will be compared to the IP address of incoming requests.

created_on: Time

The timestamp of when the rule was created.

description: String

An informative summary of the rule.

modified_on: Time

The timestamp of when the rule was last modified.

paused: Bool

When true, indicates that the rule is currently paused.

urls: List[String]

The URLs to include in the rule definition. You can use wildcards. Each entered URL will be escaped before use, which means you can only use simple wildcard patterns.

cloudflare_zone_lockdowns

data "cloudflare_zone_lockdowns" "example_zone_lockdowns" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  created_on = "2014-01-01T05:20:00.12345Z"
  description = "endpoints"
  description_search = "endpoints"
  ip = "1.2.3.4"
  ip_range_search = "1.2.3.0/16"
  ip_search = "1.2.3.4"
  modified_on = "2014-01-01T05:20:00.12345Z"
  priority = 5
  uri_search = "/some/path"
}

Firewall Rules

resource cloudflare_firewall_rule

required
zone_id: String

Defines an identifier.

action: Attributes

The action to perform when the threshold of matched traffic within the configured period is exceeded.

mode?: String

The action to perform.

response?: Attributes

A custom content type and response to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object.

body?: String

The response body to return. The value must conform to the configured content type.

content_type?: String

The content type of the body. Must be one of the following: text/plain, text/xml, or application/json.

timeout?: Float64

The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value.

filter: Attributes
id: String

The unique identifier of the filter.

description?: String

An informative summary of the filter.

expression?: String

The filter expression. For more information, refer to Expressions.

paused?: Bool

When true, indicates that the filter is currently paused.

ref?: String

A short reference tag. Allows you to select related filters.

computed
id: String

The unique identifier of the firewall rule.

description: String

An informative summary of the firewall rule.

paused: Bool

When true, indicates that the firewall rule is currently paused.

priority: Float64

The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.

ref: String

A short reference tag. Allows you to select related firewall rules.

products: List[String]

cloudflare_firewall_rule

resource "cloudflare_firewall_rule" "example_firewall_rule" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  action = {
    mode = "challenge"
    response = {
      body = "<error>This request has been rate-limited.</error>"
      content_type = "text/xml"
    }
    timeout = 86400
  }
  filter = {
    description = "Restrict access from these browsers on this address range."
    expression = "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.addr ne 172.16.22.155"
    paused = false
    ref = "FIL-100"
  }
}

data cloudflare_firewall_rule

required
zone_id: String

Defines an identifier.

optional
rule_id?: String

The unique identifier of the firewall rule.

computed
id: String

The unique identifier of the firewall rule.

action: String

The action to apply to a matched request. The log action is only available on an Enterprise plan.

description: String

An informative summary of the firewall rule.

paused: Bool

When true, indicates that the firewall rule is currently paused.

priority: Float64

The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.

ref: String

A short reference tag. Allows you to select related firewall rules.

products: List[String]

cloudflare_firewall_rule

data "cloudflare_firewall_rule" "example_firewall_rule" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  rule_id = "372e67954025e0ba6aaa6d586b9e0b60"
}

data cloudflare_firewall_rules

required
zone_id: String

Defines an identifier.

optional
action?: String

The action to search for. Must be an exact match.

description?: String

A case-insensitive string to find in the description.

id?: String

The unique identifier of the firewall rule.

paused?: Bool

When true, indicates that the firewall rule is currently paused.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier of the firewall rule.

action: String

The action to apply to a matched request. The log action is only available on an Enterprise plan.

description: String

An informative summary of the firewall rule.

filter: Attributes
id: String

The unique identifier of the filter.

description: String

An informative summary of the filter.

expression: String

The filter expression. For more information, refer to Expressions.

paused: Bool

When true, indicates that the filter is currently paused.

ref: String

A short reference tag. Allows you to select related filters.

deleted: Bool

When true, indicates that the firewall rule was deleted.

paused: Bool

When true, indicates that the firewall rule is currently paused.

priority: Float64

The priority of the rule. Optional value used to define the processing order. A lower number indicates a higher priority. If not provided, rules with a defined priority will be processed before rules without a priority.

products: List[String]
ref: String

A short reference tag. Allows you to select related firewall rules.

cloudflare_firewall_rules

data "cloudflare_firewall_rules" "example_firewall_rules" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  id = "372e67954025e0ba6aaa6d586b9e0b60"
  action = "block"
  description = "mir"
  paused = false
}

Firewall Access Rules

resource cloudflare_access_rule

required
mode: String

The action to apply to a matched request.

configuration: Attributes

The rule configuration.

target?: String

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value?: String

The IP address to match. This address will be compared to the IP address of incoming requests.

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

notes?: String

An informative summary of the rule, typically used as a reminder or explanation.

computed
id: String

The unique identifier of the IP Access rule.

created_on: Time

The timestamp of when the rule was created.

modified_on: Time

The timestamp of when the rule was last modified.

allowed_modes: List[String]

The available actions that a rule can apply to a matched request.

scope: Attributes

All zones owned by the user will have the rule applied.

id: String

Defines an identifier.

email: String

The contact email address of the user.

type: String

Defines the scope of the rule.

cloudflare_access_rule

resource "cloudflare_access_rule" "example_access_rule" {
  configuration = {
    target = "ip"
    value = "198.51.100.4"
  }
  mode = "challenge"
  zone_id = "zone_id"
  notes = "This rule is enabled because of an event that occurred on date X."
}

data cloudflare_access_rule

optional
rule_id?: String

Unique identifier for a rule.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
configuration?: Attributes
target?: String

Defines the target to search in existing rules.

value?: String

Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided configuration.target. Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code.

direction?: String

Defines the direction used to sort returned rules.

match?: String

Defines the search requirements. When set to all, all the search requirements must match. When set to any, only one of the search requirements has to match.

mode?: String

The action to apply to a matched request.

notes?: String

Defines the string to search for in the notes of existing IP Access rules. Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive.

order?: String

Defines the field used to sort returned rules.

computed
id: String

Unique identifier for a rule.

created_on: Time

The timestamp of when the rule was created.

mode: String

The action to apply to a matched request.

modified_on: Time

The timestamp of when the rule was last modified.

notes: String

An informative summary of the rule, typically used as a reminder or explanation.

allowed_modes: List[String]

The available actions that a rule can apply to a matched request.

configuration: Attributes

The rule configuration.

target: String

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: String

The IP address to match. This address will be compared to the IP address of incoming requests.

scope: Attributes

All zones owned by the user will have the rule applied.

id: String

Defines an identifier.

email: String

The contact email address of the user.

type: String

Defines the scope of the rule.

cloudflare_access_rule

data "cloudflare_access_rule" "example_access_rule" {
  rule_id = "023e105f4ecef8ad9ca31a8372d0c353"
  # account_id and zone_id are mutually exclusive: set exactly one of them.
  zone_id = "zone_id"
  # account_id = "account_id"
}

data cloudflare_access_rules

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

direction?: String

Defines the direction used to sort returned rules.

mode?: String

The action to apply to a matched request.

notes?: String

Defines the string to search for in the notes of existing IP Access rules. Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive.

order?: String

Defines the field used to sort returned rules.

configuration?: Attributes
target?: String

Defines the target to search in existing rules.

value?: String

Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided configuration.target. Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code.

match?: String

Defines the search requirements. When set to all, all the search requirements must match. When set to any, only one of the search requirements has to match.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier of the IP Access rule.

allowed_modes: List[String]

The available actions that a rule can apply to a matched request.

configuration: Attributes

The rule configuration.

target: String

The configuration target. You must set the target to ip when specifying an IP address in the rule.

value: String

The IP address to match. This address will be compared to the IP address of incoming requests.

mode: String

The action to apply to a matched request.

created_on: Time

The timestamp of when the rule was created.

modified_on: Time

The timestamp of when the rule was last modified.

notes: String

An informative summary of the rule, typically used as a reminder or explanation.

scope: Attributes

All zones owned by the user will have the rule applied.

id: String

Defines an identifier.

email: String

The contact email address of the user.

type: String

Defines the scope of the rule.

cloudflare_access_rules

data "cloudflare_access_rules" "example_access_rules" {
  # account_id and zone_id are mutually exclusive: set exactly one of them.
  zone_id = "zone_id"
  # account_id = "account_id"
  configuration = {
    target = "ip"
    value = "198.51.100.4"
  }
  direction = "desc"
  mode = "challenge"
  notes = "my note"
  order = "mode"
}

Firewall UA Rules

resource cloudflare_user_agent_blocking_rule

required
zone_id: String

Defines an identifier.

mode: String

The action to apply to a matched request.

configuration: Attributes
target?: String

The configuration target. You must set the target to ua when specifying a user agent in the rule.

value?: String

The user agent to exactly match.

optional
description?: String

An informative summary of the rule. This value is sanitized and any tags will be removed.

paused?: Bool

When true, indicates that the rule is currently paused.

computed
id: String

The unique identifier of the User Agent Blocking rule.

cloudflare_user_agent_blocking_rule

resource "cloudflare_user_agent_blocking_rule" "example_user_agent_blocking_rule" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  configuration = {
    target = "ua"
    value = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
  }
  mode = "challenge"
  description = "Prevent multiple login failures to mitigate brute force attacks"
  paused = false
}

data cloudflare_user_agent_blocking_rule

required
zone_id: String

Defines an identifier.

optional
ua_rule_id?: String

The unique identifier of the User Agent Blocking rule.

filter?: Attributes
description?: String

A string to search for in the description of existing rules.

paused?: Bool

When true, indicates that the rule is currently paused.

user_agent?: String

A string to search for in the user agent values of existing rules.

computed
id: String

The unique identifier of the User Agent Blocking rule.

description: String

An informative summary of the rule.

mode: String

The action to apply to a matched request.

paused: Bool

When true, indicates that the rule is currently paused.

configuration: Attributes

The configuration object for the current rule.

target: String

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: String

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

cloudflare_user_agent_blocking_rule

data "cloudflare_user_agent_blocking_rule" "example_user_agent_blocking_rule" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  ua_rule_id = "372e67954025e0ba6aaa6d586b9e0b59"
}

data cloudflare_user_agent_blocking_rules

required
zone_id: String

Defines an identifier.

optional
description?: String

A string to search for in the description of existing rules.

paused?: Bool

When true, indicates that the rule is currently paused.

user_agent?: String

A string to search for in the user agent values of existing rules.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier of the User Agent Blocking rule.

configuration: Attributes

The configuration object for the current rule.

target: String

The configuration target for this rule. You must set the target to ua for User Agent Blocking rules.

value: String

The exact user agent string to match. This value will be compared to the received User-Agent HTTP header value.

description: String

An informative summary of the rule.

mode: String

The action to apply to a matched request.

paused: Bool

When true, indicates that the rule is currently paused.

cloudflare_user_agent_blocking_rules

data "cloudflare_user_agent_blocking_rules" "example_user_agent_blocking_rules" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  description = "abusive"
  paused = false
  user_agent = "Safari"
}
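
The following is an added example, not part of the provider documentation. It uses the plural data sources described above (cloudflare_zone_lockdowns, cloudflare_firewall_rules, cloudflare_user_agent_blocking_rules) to audit a zone for rules that are paused and for Zone Lockdown allow-lists that are too broad. The variable zone_id, the check names and the /16 threshold are assumptions chosen for illustration; check blocks and strcontains() require Terraform 1.5 or later.

```hcl
# Added example: audit a zone's legacy firewall rules from Terraform.
# var.zone_id, the check names and the /16 threshold are assumptions.

variable "zone_id" {
  type        = string
  description = "Zone to audit"
}

# The lockdowns data source has no paused filter, so fetch all rules
# and filter on the computed paused attribute locally.
data "cloudflare_zone_lockdowns" "all" {
  zone_id = var.zone_id
}

# Firewall rules and User Agent Blocking rules accept paused as a search filter.
data "cloudflare_firewall_rules" "paused" {
  zone_id = var.zone_id
  paused  = true
}

data "cloudflare_user_agent_blocking_rules" "paused" {
  zone_id = var.zone_id
  paused  = true
}

locals {
  lockdowns = data.cloudflare_zone_lockdowns.all.result

  paused_lockdown_ids = [for r in local.lockdowns : r.id if coalesce(r.paused, false)]

  # A lockdown is an allow-list: a very wide ip_range entry weakens it.
  # try() covers "ip" targets, whose value carries no prefix length;
  # IPv6 ranges are skipped because the /16 threshold is IPv4-specific.
  broad_allow_entries = flatten([
    for r in local.lockdowns : [
      for c in r.configurations : "${r.id} allows ${c.value}"
      if c.target == "ip_range" && !strcontains(c.value, ":") && try(tonumber(split("/", c.value)[1]), 32) < 16
    ]
  ])
}

check "no_paused_rules" {
  assert {
    condition     = length(local.paused_lockdown_ids) == 0
    error_message = "Paused Zone Lockdown rules: ${join(", ", local.paused_lockdown_ids)}"
  }
  assert {
    condition     = length(data.cloudflare_firewall_rules.paused.result) == 0
    error_message = "Paused firewall rules: ${join(", ", data.cloudflare_firewall_rules.paused.result[*].id)}"
  }
  assert {
    condition     = length(data.cloudflare_user_agent_blocking_rules.paused.result) == 0
    error_message = "Paused UA rules: ${join(", ", data.cloudflare_user_agent_blocking_rules.paused.result[*].id)}"
  }
}

check "lockdown_allow_lists_are_narrow" {
  assert {
    condition     = length(local.broad_allow_entries) == 0
    error_message = "Lockdown entries broader than /16: ${join("; ", local.broad_allow_entries)}"
  }
}
```

Failed check blocks are reported as warnings during plan and apply and do not stop the run, so this audit can sit alongside the resources it inspects.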