
IAM

IAM Permission Groups

data cloudflare_account_permission_group

required
account_id: String

Account identifier tag.

permission_group_id: String

Permission Group identifier tag.

computed
id: String

Identifier of the permission group.

name: String

Name of the permission group.

meta: Attributes

Attributes associated to the permission group.

key: String
value: String

cloudflare_account_permission_group

data "cloudflare_account_permission_group" "example_account_permission_group" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  permission_group_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_account_permission_groups

required
account_id: String

Account identifier tag.

optional
id?: String

ID of the permission group to be fetched.

label?: String

Label of the permission group to be fetched.

name?: String

Name of the permission group to be fetched.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

Identifier of the permission group.

meta: Attributes

Attributes associated to the permission group.

key: String
value: String
name: String

Name of the permission group.

cloudflare_account_permission_groups

data "cloudflare_account_permission_groups" "example_account_permission_groups" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  id = "6d7f2f5f5b1d4a0e9081fdc98d432fd1"
  label = "labelOfThePermissionGroup"
  name = "NameOfThePermissionGroup"
}

IAM Resource Groups

data cloudflare_resource_group

required
account_id: String

Account identifier tag.

resource_group_id: String

Resource Group identifier tag.

computed
id: String

Identifier of the resource group.

name: String

Name of the resource group.

meta: Attributes

Attributes associated to the resource group.

key: String
value: String
scope: List[Attributes]

The scope associated to the resource group

key: String

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: List[Attributes]

A list of scope objects for additional context.

key: String

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

cloudflare_resource_group

data "cloudflare_resource_group" "example_resource_group" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  resource_group_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_resource_groups

required
account_id: String

Account identifier tag.

optional
id?: String

ID of the resource group to be fetched.

name?: String

Name of the resource group to be fetched.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

Identifier of the resource group.

scope: List[Attributes]

The scope associated to the resource group

key: String

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: List[Attributes]

A list of scope objects for additional context.

key: String

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta: Attributes

Attributes associated to the resource group.

key: String
value: String
name: String

Name of the resource group.

cloudflare_resource_groups

data "cloudflare_resource_groups" "example_resource_groups" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  id = "023e105f4ecef8ad9ca31a8372d0c353"
  name = "NameOfTheResourceGroup"
}

IAM User Groups

resource cloudflare_user_group

required
account_id: String

Account identifier tag.

name: String

Name of the User group.

optional
policies?: List[Attributes]

Policies attached to the User group

access: String

Allow or deny operations against the resources.

permission_groups: List[Attributes]

A set of permission groups that are specified to the policy.

id: String

Permission Group identifier tag.

resource_groups: List[Attributes]

A set of resource groups that are specified to the policy.

id: String

Resource Group identifier tag.

computed
id: String

User Group identifier tag.

created_on: Time

Timestamp for the creation of the user group

modified_on: Time

Last time the user group was modified.

cloudflare_user_group

resource "cloudflare_user_group" "example_user_group" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name = "My New User Group"
  policies = [{
    access = "allow"
    permission_groups = [{
      id = "c8fed203ed3043cba015a93ad1616f1f"
    }, {
      id = "82e64a83756745bbbb1c9c2701bf816b"
    }]
    resource_groups = [{
      id = "6d7f2f5f5b1d4a0e9081fdc98d432fd1"
    }]
  }]
}

data cloudflare_user_group

required
account_id: String

Account identifier tag.

optional
user_group_id?: String

User Group identifier tag.

filter?: Attributes
id?: String

ID of the user group to be fetched.

direction?: String

The sort order of returned user groups by name (ascending or descending).

fuzzy_name?: String

A string used for searching for user groups containing that substring.

name?: String

Name of the user group to be fetched.

computed
id: String

User Group identifier tag.

created_on: Time

Timestamp for the creation of the user group

modified_on: Time

Last time the user group was modified.

name: String

Name of the user group.

policies: List[Attributes]

Policies attached to the User group

id: String

Policy identifier.

access: String

Allow or deny operations against the resources.

permission_groups: List[Attributes]

A set of permission groups that are specified to the policy.

id: String

Identifier of the permission group.

meta: Attributes

Attributes associated to the permission group.

key: String
value: String
name: String

Name of the permission group.

resource_groups: List[Attributes]

A list of resource groups that the policy applies to.

id: String

Identifier of the resource group.

scope: List[Attributes]

The scope associated to the resource group

key: String

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: List[Attributes]

A list of scope objects for additional context.

key: String

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta: Attributes

Attributes associated to the resource group.

key: String
value: String
name: String

Name of the resource group.

cloudflare_user_group

data "cloudflare_user_group" "example_user_group" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  user_group_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_user_groups

required
account_id: String

Account identifier tag.

optional
fuzzy_name?: String

A string used for searching for user groups containing that substring.

id?: String

ID of the user group to be fetched.

name?: String

Name of the user group to be fetched.

direction?: String

The sort order of returned user groups by name (ascending or descending).

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

User Group identifier tag.

created_on: Time

Timestamp for the creation of the user group

modified_on: Time

Last time the user group was modified.

name: String

Name of the user group.

policies: List[Attributes]

Policies attached to the User group

id: String

Policy identifier.

access: String

Allow or deny operations against the resources.

permission_groups: List[Attributes]

A set of permission groups that are specified to the policy.

id: String

Identifier of the permission group.

meta: Attributes

Attributes associated to the permission group.

key: String
value: String
name: String

Name of the permission group.

resource_groups: List[Attributes]

A list of resource groups that the policy applies to.

id: String

Identifier of the resource group.

scope: List[Attributes]

The scope associated to the resource group

key: String

This is a combination of pre-defined resource name and identifier (like Account ID etc.)

objects: List[Attributes]

A list of scope objects for additional context.

key: String

This is a combination of pre-defined resource name and identifier (like Zone ID etc.)

meta: Attributes

Attributes associated to the resource group.

key: String
value: String
name: String

Name of the resource group.

cloudflare_user_groups

data "cloudflare_user_groups" "example_user_groups" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  id = "023e105f4ecef8ad9ca31a8372d0c353"
  fuzzy_name = "Foo"
  name = "NameOfTheUserGroup"
}

IAM User Groups Members

resource cloudflare_user_group_members

required
user_group_id: String

User Group identifier tag.

account_id: String

Account identifier tag.

members: List[Attributes]
id: String

The identifier of an existing account Member.

computed
id: String

User Group identifier tag.

cloudflare_user_group_members

resource "cloudflare_user_group_members" "example_user_group_members" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  user_group_id = "023e105f4ecef8ad9ca31a8372d0c353"
  members = [{
    id = "023e105f4ecef8ad9ca31a8372d0c353"
  }]
}
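
The permission group and resource group data sources can supply the IDs that a `cloudflare_user_group` policy needs, so the grant is resolved by name at plan time instead of pasted in by hand. This is an added example, not taken from the provider documentation; the variable names, the `scoped-operators` group name and the exact-match guard are assumptions of the example, and it assumes the cloudflare provider is already configured.

```hcl
# Added example. Assumes the cloudflare provider is already configured.
variable "account_id" {
  type = string
}

variable "permission_group_name" {
  type    = string
  default = "NameOfThePermissionGroup" # placeholder from the page's example
}

variable "resource_group_name" {
  type    = string
  default = "NameOfTheResourceGroup" # placeholder from the page's example
}

variable "member_ids" {
  type        = list(string)
  description = "Identifiers of existing account Members."
}

data "cloudflare_account_permission_groups" "lookup" {
  account_id = var.account_id
  name       = var.permission_group_name
}

data "cloudflare_resource_groups" "lookup" {
  account_id = var.account_id
  name       = var.resource_group_name
}

locals {
  # Re-check the name locally so only exact matches can end up in the policy.
  permission_group_ids = [
    for g in data.cloudflare_account_permission_groups.lookup.result : g.id
    if g.name == var.permission_group_name
  ]
  resource_group_ids = [
    for g in data.cloudflare_resource_groups.lookup.result : g.id
    if g.name == var.resource_group_name
  ]
}

resource "cloudflare_user_group" "scoped" {
  account_id = var.account_id
  name       = "scoped-operators" # constructed name
  policies = [{
    access            = "allow"
    permission_groups = [for id in local.permission_group_ids : { id = id }]
    resource_groups   = [for id in local.resource_group_ids : { id = id }]
  }]

  lifecycle {
    # Fail the plan instead of creating a policy with an empty or ambiguous grant.
    precondition {
      condition     = length(local.permission_group_ids) == 1 && length(local.resource_group_ids) == 1
      error_message = "Each name must resolve to exactly one permission group and one resource group."
    }
  }
}

resource "cloudflare_user_group_members" "scoped" {
  account_id    = var.account_id
  user_group_id = cloudflare_user_group.scoped.id
  members       = [for id in var.member_ids : { id = id }]
}
```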

data cloudflare_user_group_members

required
user_group_id: String

User Group identifier tag.

account_id: String

Account identifier tag.

optional
fuzzy_email?: String

A string used for filtering members by partial email match.

direction?: String

The sort order of returned user group members by email.

computed
id: String

User Group identifier tag.

email: String

The contact email address of the user.

status: String

The member’s status in the account.

cloudflare_user_group_members

data "cloudflare_user_group_members" "example_user_group_members" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  user_group_id = "023e105f4ecef8ad9ca31a8372d0c353"
  direction = "asc"
  fuzzy_email = "user@"
}

IAM SSO

resource cloudflare_sso_connector

required
account_id: String

Account identifier tag.

email_domain: String

Email domain of the new SSO connector

optional
begin_verification?: Bool

Begin the verification process after creation

enabled?: Bool

SSO Connector enabled state

use_fedramp_language?: Bool

Controls the display of FedRAMP language to the user during SSO login

computed
id: String

SSO Connector identifier tag.

created_on: Time

Timestamp for the creation of the SSO connector

updated_on: Time

Timestamp for the last update of the SSO connector

verification: Attributes
code: String

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status: String

The status of the verification code from the verification process.

cloudflare_sso_connector

resource "cloudflare_sso_connector" "example_sso_connector" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  email_domain = "example.com"
  begin_verification = true
  use_fedramp_language = false
}

data cloudflare_sso_connector

required
sso_connector_id: String

SSO Connector identifier tag.

account_id: String

Account identifier tag.

computed
id: String

SSO Connector identifier tag.

created_on: Time

Timestamp for the creation of the SSO connector

email_domain: String
enabled: Bool
updated_on: Time

Timestamp for the last update of the SSO connector

use_fedramp_language: Bool

Controls the display of FedRAMP language to the user during SSO login

verification: Attributes
code: String

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status: String

The status of the verification code from the verification process.

cloudflare_sso_connector

data "cloudflare_sso_connector" "example_sso_connector" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  sso_connector_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_sso_connectors

required
account_id: String

Account identifier tag.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

SSO Connector identifier tag.

created_on: Time

Timestamp for the creation of the SSO connector

email_domain: String
enabled: Bool
updated_on: Time

Timestamp for the last update of the SSO connector

use_fedramp_language: Bool

Controls the display of FedRAMP language to the user during SSO login

verification: Attributes
code: String

DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership.

status: String

The status of the verification code from the verification process.

cloudflare_sso_connectors

data "cloudflare_sso_connectors" "example_sso_connectors" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

IAM OAuth Clients

resource cloudflare_oauth_client

required
account_id: String

Account identifier tag.

client_name: String

Human-readable name of the OAuth client.

token_endpoint_auth_method: String

The authentication method the client uses at the token endpoint.

grant_types: List[String]

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

redirect_uris: List[String]

Array of allowed redirect URIs for the client.

response_types: List[String]

Array of OAuth response types the client is allowed to use.

scopes: List[String]

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

optional
oauth_client_id?: String

The unique identifier for an OAuth client.

client_uri?: String

URL of the home page of the client.

logo_uri?: String

URL of the client’s logo.

policy_uri?: String

URL that points to a privacy policy document.

tos_uri?: String

URL that points to a terms of service document.

visibility?: String

Promote the OAuth client from private to public visibility. Only public is accepted; demotion to private is not supported. Promotion requires a non-empty client name, logo URI, verified client URI host, and at least one non-identity scope.

allowed_cors_origins?: List[String]

Array of allowed CORS origins.

post_logout_redirect_uris?: List[String]

Array of allowed post-logout redirect URIs.

computed
client_id: String

The unique identifier for an OAuth client.

client_secret: String

The client secret. This is the only time the secret is returned in a response.

created_at: Time

Timestamp when the OAuth client was created.

has_rotated_secret: Bool

Indicates whether the client has a rotated secret that has not yet been deleted.

updated_at: Time

Timestamp when the OAuth client was last updated.

client_uri_verification: Attributes

Client URI domain control verification state.

status: String

Current verification status for the client URI host.

text: String

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

cloudflare_oauth_client

resource "cloudflare_oauth_client" "example_oauth_client" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  client_name = "My OAuth App"
  grant_types = ["authorization_code", "refresh_token"]
  redirect_uris = ["https://example.com/callback"]
  response_types = ["code"]
  scopes = ["account.read"]
  token_endpoint_auth_method = "client_secret_post"
  allowed_cors_origins = ["https://example.com"]
  client_uri = "https://example.com"
  logo_uri = "https://example.com/logo.png"
  policy_uri = "https://example.com/privacy"
  post_logout_redirect_uris = ["https://example.com/logout"]
  tos_uri = "https://example.com/tos"
}
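
A tighter variant of the client above, as an added example that is not taken from the provider documentation: it rejects colon-delimited scopes before the API call (the rule stated in the `scopes` description), omits the optional `refresh_token` grant, and marks the one-time `client_secret` as sensitive. The variable and output names and the https-only, no-wildcard redirect rule are assumptions of this example, and it assumes the cloudflare provider is already configured.

```hcl
# Added example. Assumes the cloudflare provider is already configured.
variable "account_id" {
  type = string
}

variable "redirect_uris" {
  type    = list(string)
  default = ["https://example.com/callback"]
  validation {
    # Local policy (an assumption of this example): https only, no wildcards.
    condition     = alltrue([for u in var.redirect_uris : can(regex("^https://[^*]+$", u))])
    error_message = "redirect_uris must be exact https URLs."
  }
}

variable "scopes" {
  type    = list(string)
  default = ["account.read"]
  validation {
    # The page states that colon-delimited scopes are not accepted.
    condition     = alltrue([for s in var.scopes : length(regexall(":", s)) == 0])
    error_message = "Use dot-delimited scopes such as account.read."
  }
}

resource "cloudflare_oauth_client" "app" {
  account_id                 = var.account_id
  client_name                = "My OAuth App"
  grant_types                = ["authorization_code"] # refresh_token left out on purpose
  response_types             = ["code"]
  redirect_uris              = var.redirect_uris
  scopes                     = var.scopes
  token_endpoint_auth_method = "client_secret_post"
  client_uri                 = "https://example.com"
}

output "oauth_client_id" {
  value = cloudflare_oauth_client.app.client_id
}

# client_secret is a computed attribute, so Terraform stores it in state.
output "oauth_client_secret" {
  value     = cloudflare_oauth_client.app.client_secret
  sensitive = true
}

# TXT value to publish in DNS to prove ownership of the client URI host.
output "client_uri_txt_record" {
  value = cloudflare_oauth_client.app.client_uri_verification.text
}
```

`sensitive = true` only hides the value from plan and apply output; the secret is still written to the state file, so access to the state backend needs to be restricted accordingly.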

data cloudflare_oauth_client

required
account_id: String

Account identifier tag.

oauth_client_id: String

The unique identifier for an OAuth client.

computed
client_id: String

The unique identifier for an OAuth client.

client_name: String

Human-readable name of the OAuth client.

client_uri: String

URL of the home page of the client.

created_at: Time

Timestamp when the OAuth client was created.

has_rotated_secret: Bool

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri: String

URL of the client’s logo.

policy_uri: String

URL that points to a privacy policy document.

token_endpoint_auth_method: String

The authentication method the client uses at the token endpoint.

tos_uri: String

URL that points to a terms of service document.

updated_at: Time

Timestamp when the OAuth client was last updated.

visibility: String

Visibility of the OAuth client.

allowed_cors_origins: List[String]

Array of allowed CORS origins.

grant_types: List[String]

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

post_logout_redirect_uris: List[String]

Array of allowed post-logout redirect URIs.

redirect_uris: List[String]

Array of allowed redirect URIs for the client.

response_types: List[String]

Array of OAuth response types the client is allowed to use.

scopes: List[String]

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

client_uri_verification: Attributes

Client URI domain control verification state.

status: String

Current verification status for the client URI host.

text: String

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

cloudflare_oauth_client

data "cloudflare_oauth_client" "example_oauth_client" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  oauth_client_id = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
}

data cloudflare_oauth_clients

required
account_id: String

Account identifier tag.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

client_id: String

The unique identifier for an OAuth client.

visibility: String

Visibility of the OAuth client.

allowed_cors_origins: List[String]

Array of allowed CORS origins.

client_name: String

Human-readable name of the OAuth client.

client_uri: String

URL of the home page of the client.

client_uri_verification: Attributes

Client URI domain control verification state.

status: String

Current verification status for the client URI host.

text: String

Exact TXT record value that must be added to DNS to prove ownership of the client URI host.

created_at: Time

Timestamp when the OAuth client was created.

grant_types: List[String]

Array of OAuth grant types the client is allowed to use. authorization_code is required; refresh_token may be included optionally.

has_rotated_secret: Bool

Indicates whether the client has a rotated secret that has not yet been deleted.

logo_uri: String

URL of the client’s logo.

policy_uri: String

URL that points to a privacy policy document.

post_logout_redirect_uris: List[String]

Array of allowed post-logout redirect URIs.

redirect_uris: List[String]

Array of allowed redirect URIs for the client.

response_types: List[String]

Array of OAuth response types the client is allowed to use.

scopes: List[String]

Array of OAuth scopes the client is allowed to request. Colon-delimited scopes are not accepted. Dot-delimited scopes are validated against available OAuth API scopes; simple identity scopes are allowed. Protocol scopes offline_access and openid are added or removed automatically based on grant_types and response_types.

token_endpoint_auth_method: String

The authentication method the client uses at the token endpoint.

tos_uri: String

URL that points to a terms of service document.

updated_at: Time

Timestamp when the OAuth client was last updated.

cloudflare_oauth_clients

data "cloudflare_oauth_clients" "example_oauth_clients" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

IAM OAuth Scopes

data cloudflare_oauth_scopes

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The scope label to use in the scopes array when creating or updating an OAuth client.

name: String

Human-readable name of the OAuth scope.

category: String

Category for grouping scopes in the UI.

scopes: List[String]

The underlying resource scopes (Bach scopes) that define which resources this OAuth scope can act upon.

cloudflare_oauth_scopes

data "cloudflare_oauth_scopes" "example_oauth_scopes" {

}