Skip to content
Cloudflare API
Start here
API Reference

Rate Limits

resource cloudflare_rate_limit

required Expand Collapse
zone_id: String

Defines an identifier.

period: Float64

The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action.

threshold: Float64

The threshold that will trigger the configured mitigation action. Configure this value along with the period property to establish a threshold per period.

action: Attributes

The action to perform when the threshold of matched traffic within the configured period is exceeded.

mode?: String

The action to perform.

response?: Attributes

A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object.

body?: String

The response body to return. The value must conform to the configured content type.

content_type?: String

The content type of the body. Must be one of the following: text/plain, text/xml, or application/json.

timeout?: Float64

The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value.

match: Attributes

Determines which traffic the rate limit counts towards the threshold.

headers?: List[Attributes]
name?: String

The name of the response header to match.

op?: String

The operator used when matching: eq means "equal" and ne means "not equal".

value?: String

The value of the response header, which must match exactly.

request?: Attributes
methods?: List[String]

The HTTP methods to match. You can specify a subset (for example, ['POST','PUT']) or all methods (['_ALL_']). This field is optional when creating a rate limit.

schemes?: List[String]

The HTTP schemes to match. You can specify one scheme (['HTTPS']), both schemes (['HTTP','HTTPS']), or all schemes (['_ALL_']). This field is optional.

url?: String

The URL pattern to match, composed of a host and a path such as example.org/path*. Normalization is applied before the pattern is matched. * wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to * to match all traffic to your zone.

response?: Attributes
origin_traffic?: Bool

When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property.

computed Expand Collapse
id: String

The unique identifier of the rate limit.

description: String

An informative summary of the rule. This value is sanitized and any tags will be removed.

disabled: Bool

When true, indicates that the rate limit is currently disabled.

bypass: List[Attributes]

Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs.

name: String
value: String

The URL to bypass.

cloudflare_rate_limit

resource "cloudflare_rate_limit" "example_rate_limit" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  action = {
    mode = "challenge"
    response = {
      body = "<error>This request has been rate-limited.</error>"
      content_type = "text/xml"
    }
    timeout = 86400
  }
  match = {
    headers = [{
      name = "Cf-Cache-Status"
      op = "ne"
      value = "HIT"
    }]
    request = {
      methods = ["GET", "POST"]
      schemes = ["HTTP", "HTTPS"]
      url = "*.example.org/path*"
    }
    response = {
      origin_traffic = true
    }
  }
  period = 900
  threshold = 60
}

data cloudflare_rate_limit

required Expand Collapse
rate_limit_id: String

Defines the unique identifier of the rate limit.

zone_id: String

Defines an identifier.

computed Expand Collapse
id: String

Defines the unique identifier of the rate limit.

description: String

An informative summary of the rule. This value is sanitized and any tags will be removed.

disabled: Bool

When true, indicates that the rate limit is currently disabled.

period: Float64

The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action.

threshold: Float64

The threshold that will trigger the configured mitigation action. Configure this value along with the period property to establish a threshold per period.

action: Attributes

The action to perform when the threshold of matched traffic within the configured period is exceeded.

mode: String

The action to perform.

response: Attributes

A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object.

body: String

The response body to return. The value must conform to the configured content type.

content_type: String

The content type of the body. Must be one of the following: text/plain, text/xml, or application/json.

timeout: Float64

The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value.

bypass: List[Attributes]

Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs.

name: String
value: String

The URL to bypass.

match: Attributes

Determines which traffic the rate limit counts towards the threshold.

headers: List[Attributes]
name: String

The name of the response header to match.

op: String

The operator used when matching: eq means "equal" and ne means "not equal".

value: String

The value of the response header, which must match exactly.

request: Attributes
methods: List[String]

The HTTP methods to match. You can specify a subset (for example, ['POST','PUT']) or all methods (['_ALL_']). This field is optional when creating a rate limit.

schemes: List[String]

The HTTP schemes to match. You can specify one scheme (['HTTPS']), both schemes (['HTTP','HTTPS']), or all schemes (['_ALL_']). This field is optional.

url: String

The URL pattern to match, composed of a host and a path such as example.org/path*. Normalization is applied before the pattern is matched. * wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to * to match all traffic to your zone.

response: Attributes
origin_traffic: Bool

When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property.

cloudflare_rate_limit

data "cloudflare_rate_limit" "example_rate_limit" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  rate_limit_id = "372e67954025e0ba6aaa6d586b9e0b59"
}

data cloudflare_rate_limits

required Expand Collapse
zone_id: String

Defines an identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier of the rate limit.

action: Attributes

The action to perform when the threshold of matched traffic within the configured period is exceeded.

mode: String

The action to perform.

response: Attributes

A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object.

body: String

The response body to return. The value must conform to the configured content type.

content_type: String

The content type of the body. Must be one of the following: text/plain, text/xml, or application/json.

timeout: Float64

The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value.

bypass: List[Attributes]

Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs.

name: String
value: String

The URL to bypass.

description: String

An informative summary of the rule. This value is sanitized and any tags will be removed.

disabled: Bool

When true, indicates that the rate limit is currently disabled.

match: Attributes

Determines which traffic the rate limit counts towards the threshold.

headers: List[Attributes]
name: String

The name of the response header to match.

op: String

The operator used when matching: eq means "equal" and ne means "not equal".

value: String

The value of the response header, which must match exactly.

request: Attributes
methods: List[String]

The HTTP methods to match. You can specify a subset (for example, ['POST','PUT']) or all methods (['_ALL_']). This field is optional when creating a rate limit.

schemes: List[String]

The HTTP schemes to match. You can specify one scheme (['HTTPS']), both schemes (['HTTP','HTTPS']), or all schemes (['_ALL_']). This field is optional.

url: String

The URL pattern to match, composed of a host and a path such as example.org/path*. Normalization is applied before the pattern is matched. * wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to * to match all traffic to your zone.

response: Attributes
origin_traffic: Bool

When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property.

period: Float64

The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action.

threshold: Float64

The threshold that will trigger the configured mitigation action. Configure this value along with the period property to establish a threshold per period.

cloudflare_rate_limits

data "cloudflare_rate_limits" "example_rate_limits" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
}