
Zero Trust

Zero Trust > Devices > DEX Tests

resource cloudflare_zero_trust_dex_test

required Expand Collapse
account_id: String
enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method?: String

The HTTP request method type.

optional Expand Collapse
description?: String

Additional details about the test.

target_policies?: List[Attributes]

DEX rules targeted by this test

id: String

API Resource UUID tag.

default: Bool

Whether the DEX rule is the account default

name: String

The name of the DEX rule

computed Expand Collapse
id: String

The unique identifier for the test.

test_id: String

The unique identifier for the test.

targeted: Bool

cloudflare_zero_trust_dex_test

# Example DEX test: an HTTP GET probe conducted by the WARP client.
resource "cloudflare_zero_trust_dex_test" "example_zero_trust_dex_test" {
  account_id = "01a7362d577a6c3019a474fd6f485823"

  # Required settings. The test name must be unique.
  name     = "HTTP dash health check"
  enabled  = true
  interval = "30m"

  # The WARP client conducts the test, so `host` is contacted by the clients
  # this test targets once per `interval`. Point it only at endpoints those
  # clients are meant to reach.
  data = {
    kind   = "http"
    method = "GET"
    host   = "https://dash.cloudflare.com"
  }

  # Optional settings.
  description = "Checks the dash endpoint every 30 minutes"

  # DEX rules targeted by this test.
  target_policies = [{
    id      = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    name    = "name"
    default = true
  }]
}

data cloudflare_zero_trust_dex_test

required Expand Collapse
account_id: String
optional Expand Collapse
dex_test_id?: String

The unique identifier for the test.

filter?: Attributes
kind?: String

Filter by test type

test_name?: String

Filter by test name

computed Expand Collapse
id: String

The unique identifier for the test.

description: String

Additional details about the test.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

targeted: Bool
test_id: String

The unique identifier for the test.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

target_policies: List[Attributes]

DEX rules targeted by this test

id: String

API Resource UUID tag.

default: Bool

Whether the DEX rule is the account default

name: String

The name of the DEX rule

cloudflare_zero_trust_dex_test

# Reads a single DEX test by its identifier. The schema also lists an optional
# `filter` (kind, test_name) for this data source.
data "cloudflare_zero_trust_dex_test" "example_zero_trust_dex_test" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  dex_test_id = "372e67954025e0ba6aaa6d586b9e0b59"
}

data cloudflare_zero_trust_dex_tests

required Expand Collapse
account_id: String
optional Expand Collapse
kind?: String

Filter by test type

test_name?: String

Filter by test name

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier for the test.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

description: String

Additional details about the test.

target_policies: List[Attributes]

DEX rules targeted by this test

id: String

API Resource UUID tag.

default: Bool

Whether the DEX rule is the account default

name: String

The name of the DEX rule

targeted: Bool
test_id: String

The unique identifier for the test.

cloudflare_zero_trust_dex_tests

# Lists DEX tests filtered by test type and test name. At most `max_items`
# results are fetched (default 1000 per the schema), so a larger result set is
# presumably truncated unless max_items is raised.
data "cloudflare_zero_trust_dex_tests" "example_zero_trust_dex_tests" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  kind = "http"
  test_name = "testName"
}

Zero Trust > Devices > IP Profiles

resource cloudflare_zero_trust_device_ip_profile

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

optional Expand Collapse
description?: String

An optional description of the Device IP profile.

enabled?: Bool

Whether the Device IP profile will be applied to matching devices.

computed Expand Collapse
id: String

The ID of the Device IP profile.

created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profile

# Example Device IP profile bound to one subnet and matched on identity email.
resource "cloudflare_zero_trust_device_ip_profile" "example_zero_trust_device_ip_profile" {
  # The literal "account_id" appears to be a placeholder; substitute the real account ID.
  account_id = "account_id"

  name        = "IPv4 Cloudflare Source IPs"
  description = "example comment"

  # When false the profile is not applied to matching devices.
  enabled = true

  # Wirefilter expression over the identity.* fields listed in the schema.
  # Keep it as narrow as the population the profile is meant for.
  match = "identity.email == \"test@cloudflare.com\""

  # Lower values indicate higher precedence; profiles are evaluated in
  # ascending order of this field.
  precedence = 100
  subnet_id  = "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_ip_profile

required Expand Collapse
account_id: String
optional Expand Collapse
profile_id?: String
filter?: Attributes
per_page?: Int64

The number of IP profiles to return per page.

computed Expand Collapse
id: String
created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

description: String

An optional description of the Device IP profile.

enabled: Bool

Whether the Device IP profile is enabled.

match: String

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profile

# Reads one Device IP profile. Both values below appear to be placeholders as
# written; `profile_id` is optional in the schema, which also lists `filter`.
data "cloudflare_zero_trust_device_ip_profile" "example_zero_trust_device_ip_profile" {
  account_id = "account_id"
  profile_id = "profile_id"
}

data cloudflare_zero_trust_device_ip_profiles

required Expand Collapse
account_id: String
optional Expand Collapse
per_page?: Int64

The number of IP profiles to return per page.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the Device IP profile.

created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

description: String

An optional description of the Device IP profile.

enabled: Bool

Whether the Device IP profile is enabled.

match: String

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profiles

# Lists the account's Device IP profiles. `max_items` defaults to 1000 per the
# schema. The returned match expressions and subnet IDs are stored in Terraform
# state like any other data source result.
data "cloudflare_zero_trust_device_ip_profiles" "example_zero_trust_device_ip_profiles" {
  account_id = "account_id"
}

Zero Trust > Devices > Networks

resource cloudflare_zero_trust_device_managed_networks

required Expand Collapse
account_id: String
name: String

The name of the device managed network. This name must be unique.

type: String

The type of device managed network.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

sha256?: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

computed Expand Collapse
id: String

API UUID.

network_id: String

API UUID.

cloudflare_zero_trust_device_managed_networks

# Example managed network that the WARP client detects through a TLS endpoint
# with a pinned certificate hash.
resource "cloudflare_zero_trust_device_managed_networks" "example_zero_trust_device_managed_networks" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "managed-network-1" # must be unique
  type       = "tls"

  config = {
    # "host:port" the WARP client uses to detect the presence of the TLS host.
    tls_sockaddr = "foo.bar:1234"

    # SHA-256 hash of the certificate that host presents. If this is omitted,
    # regular certificate verification (trusted roots, valid timestamp, etc)
    # is used instead. A replaced certificate will no longer match a stale
    # hash, so this value has to follow certificate rotation.
    # NOTE(review): the custom profile `match` values on this page include
    # "network", presumably this managed network, so treat the beacon host and
    # its private key as security-relevant. Confirm against the product docs.
    sha256 = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
  }
}

data cloudflare_zero_trust_device_managed_networks

required Expand Collapse
network_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

name: String

The name of the device managed network. This name must be unique.

type: String

The type of device managed network.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

sha256: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

cloudflare_zero_trust_device_managed_networks

# Reads one managed network by its API UUID. The computed `config` carries
# tls_sockaddr and sha256.
data "cloudflare_zero_trust_device_managed_networks" "example_zero_trust_device_managed_networks" {
  account_id = "699d98642c564d2e855e9661899b7252"
  network_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_managed_networks_list

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

sha256: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

name: String

The name of the device managed network. This name must be unique.

network_id: String

API UUID.

type: String

The type of device managed network.

cloudflare_zero_trust_device_managed_networks_list

# Lists the account's managed networks. `max_items` defaults to 1000 per the schema.
data "cloudflare_zero_trust_device_managed_networks_list" "example_zero_trust_device_managed_networks_list" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Default

resource cloudflare_zero_trust_device_default_profile

required Expand Collapse
account_id: String
optional Expand Collapse
lan_allow_minutes?: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

allow_mode_switch?: Bool

Whether to allow the user to switch WARP between modes.

allow_updates?: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: Bool

Whether to allow devices to leave the organization.

auto_connect?: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: Float64

Turn on the captive portal after the specified amount of time.

disable_auto_fallback?: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

exclude_office_ips?: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

register_interface_ip_with_dns?: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url?: String

The URL to launch when the Send Feedback button is clicked.

switch_locked?: Bool

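Whether to allow the user to turn off the WARP switch and disconnect the client. The field name suggests that `true` locks the switch, i.e. the user cannot turn WARP off; confirm the polarity before relying on it.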

tunnel_protocol?: String

Determines which tunnel protocol to use.

exclude?: List[Attributes]

List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

include?: List[Attributes]

List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2?: Attributes
mode?: String

The mode to run the WARP client under.

port?: Float64

The port number when used with proxy mode.

computed Expand Collapse
id: String
default: Bool

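Whether the policy will be applied to matching devices. (This sentence repeats the description of `enabled`; the custom profile on this page describes `default` as "Whether the policy is the default policy for an account.")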

enabled: Bool

Whether the policy will be applied to matching devices.

gateway_unique_id: String
fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_default_profile

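# Example default device profile.
#
# The schema for this resource states that 'exclude' and 'include' cannot be
# set in the same request, so only `exclude` is active here. The `include`
# variant is kept below as a commented-out alternative.
resource "cloudflare_zero_trust_device_default_profile" "example_zero_trust_device_default_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # User-facing controls. Each `true` here hands a choice to the device user;
  # review them against the intended enforcement posture.
  allow_mode_switch = true # user may switch WARP between modes
  allow_updates     = true # user receives update notifications for new client versions
  allowed_to_leave  = true # devices may leave the organization

  # NOTE(review): the schema text reads "whether to allow the user to turn off
  # the WARP switch", while the name suggests that true locks it. Confirm the
  # polarity before relying on it.
  switch_locked = true

  # Seconds to reconnect after having been disabled.
  auto_connect = 0

  # Turn on the captive portal after this amount of time.
  captive_portal = 180

  # Time-limited LAN access: minutes allowed, and the size of the local subnet.
  lan_allow_minutes     = 30
  lan_allow_subnet_size = 24

  # Split tunnel: routes listed in `exclude` are not carried in the WARP
  # tunnel, so keep the list minimal. 192.0.2.0/24 is a documentation range;
  # replace it with real routes.
  exclude = [{
    address     = "192.0.2.0/24"
    description = "Exclude testing domains from the tunnel"
  }]
  exclude_office_ips = true # adds Microsoft IPs to the Split Tunnel exclusions

  # Alternative to `exclude` (never both in one request):
  # include = [{
  #   address     = "192.0.2.0/24"
  #   description = "Include testing domains in the tunnel"
  # }]

  # true stops the client from falling back to a best guess of the system DNS
  # resolvers when a fallback domain has no dns_server.
  disable_auto_fallback          = true
  register_interface_ip_with_dns = true
  sccm_vpn_boundary_support      = false # Windows only

  # Client mode; `port` applies when the mode is proxy.
  service_mode_v2 = {
    mode = "proxy"
    port = 3000
  }
  tunnel_protocol = "wireguard"

  # URL launched when the Send Feedback button is clicked.
  support_url = "https://1.1.1.1/help"
}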

data cloudflare_zero_trust_device_default_profile

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

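Whether the policy will be applied to matching devices. (This sentence repeats the description of `enabled`; the custom profile on this page describes `default` as "Whether the policy is the default policy for an account.")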

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

gateway_unique_id: String
register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: String

Determines which tunnel protocol to use.

exclude: List[Attributes]

List of routes excluded in the WARP client's tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

include: List[Attributes]

List of routes included in the WARP client's tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

cloudflare_zero_trust_device_default_profile

# Reads the account's default device profile. The computed attributes include
# the split tunnel routes (exclude/include) and the fallback-domain DNS servers.
# Data source results are stored in Terraform state, so protect the state
# accordingly.
data "cloudflare_zero_trust_device_default_profile" "example_zero_trust_device_default_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Default > Fallback Domains

resource cloudflare_zero_trust_device_default_profile_local_domain_fallback

required Expand Collapse
account_id: String
domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description?: String

A description of the fallback domain, displayed in the client UI.

dns_server?: List[String]

A list of IP addresses to handle domain resolution.

computed Expand Collapse
id: String

cloudflare_zero_trust_device_default_profile_local_domain_fallback

# Example local-domain fallback list for the default device profile.
resource "cloudflare_zero_trust_device_default_profile_local_domain_fallback" "example_zero_trust_device_default_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"

  domains = [{
    # Domain suffix to match when resolving locally. Keep suffixes specific:
    # every name under the suffix is handled by the resolvers listed below.
    suffix = "example.com"

    # IP addresses that handle resolution for the suffix. This field is
    # optional; per the default-profile schema, when it is absent the client
    # falls back to a best guess of the system DNS resolvers unless
    # disable_auto_fallback is set to true.
    dns_server = ["1.1.1.1"]

    # Shown in the client UI.
    description = "Domain bypass for local development"
  }]
}

data cloudflare_zero_trust_device_default_profile_local_domain_fallback

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
description: String

A description of the fallback domain, displayed in the client UI.

suffix: String

The domain suffix to match when resolving locally.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_default_profile_local_domain_fallback

# Reads the fallback-domain settings of the default device profile. The schema
# lists suffix, description and dns_server as computed attributes.
data "cloudflare_zero_trust_device_default_profile_local_domain_fallback" "example_zero_trust_device_default_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Default > Certificates

resource cloudflare_zero_trust_device_default_profile_certificates

required Expand Collapse
zone_id: String
enabled: Bool

The current status of the device policy certificate provisioning feature for WARP clients.

cloudflare_zero_trust_device_default_profile_certificates

# Sets the status of device policy certificate provisioning for WARP clients.
# Unlike the other device resources on this page, this one is keyed by
# zone_id rather than account_id.
resource "cloudflare_zero_trust_device_default_profile_certificates" "example_zero_trust_device_default_profile_certificates" {
  zone_id = "699d98642c564d2e855e9661899b7252"
  enabled = true
}

data cloudflare_zero_trust_device_default_profile_certificates

required Expand Collapse
zone_id: String
computed Expand Collapse
enabled: Bool

The current status of the device policy certificate provisioning feature for WARP clients.

cloudflare_zero_trust_device_default_profile_certificates

# Reads the current status of device policy certificate provisioning for the
# zone (`enabled` is the only computed attribute).
data "cloudflare_zero_trust_device_default_profile_certificates" "example_zero_trust_device_default_profile_certificates" {
  zone_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Custom

resource cloudflare_zero_trust_device_custom_profile

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

name: String

The name of the device settings profile.

precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

optional Expand Collapse
lan_allow_minutes?: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

allow_mode_switch?: Bool

Whether to allow the user to switch WARP between modes.

allow_updates?: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: Bool

Whether to allow devices to leave the organization.

auto_connect?: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: Float64

Turn on the captive portal after the specified amount of time.

description?: String

A description of the policy.

disable_auto_fallback?: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled?: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips?: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

register_interface_ip_with_dns?: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url?: String

The URL to launch when the Send Feedback button is clicked.

switch_locked?: Bool

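Whether to allow the user to turn off the WARP switch and disconnect the client. The field name suggests that `true` locks the switch, i.e. the user cannot turn WARP off; confirm the polarity before relying on it.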

tunnel_protocol?: String

Determines which tunnel protocol to use.

exclude?: List[Attributes]

List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

include?: List[Attributes]

List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2?: Attributes
mode?: String

The mode to run the WARP client under.

port?: Float64

The port number when used with proxy mode.

computed Expand Collapse
id: String
policy_id: String
default: Bool

Whether the policy is the default policy for an account.

gateway_unique_id: String
fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

cloudflare_zero_trust_device_custom_profile

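# Example custom device settings profile.
#
# The schema for this resource states that 'exclude' and 'include' cannot be
# set in the same request, so only `exclude` is active here. The `include`
# variant is kept below as a commented-out alternative.
resource "cloudflare_zero_trust_device_custom_profile" "example_zero_trust_device_custom_profile" {
  account_id  = "699d98642c564d2e855e9661899b7252"
  name        = "Allow Developers"
  description = "Policy for test teams."
  enabled     = true

  # Wirefilter expression selecting the devices this profile applies to.
  # Keep it as narrow as the intended population.
  match = "identity.email == \"test@cloudflare.com\""

  # Lower values indicate higher precedence; policies are evaluated in
  # ascending order of this field.
  precedence = 100

  # User-facing controls. Each `true` here hands a choice to the device user;
  # review them against the intended enforcement posture.
  allow_mode_switch = true # user may switch WARP between modes
  allow_updates     = true # user receives update notifications for new client versions
  allowed_to_leave  = true # devices may leave the organization

  # NOTE(review): the schema text reads "whether to allow the user to turn off
  # the WARP switch", while the name suggests that true locks it. Confirm the
  # polarity before relying on it.
  switch_locked = true

  # Seconds to reconnect after having been disabled.
  auto_connect = 0

  # Turn on the captive portal after this amount of time.
  captive_portal = 180

  # Time-limited LAN access: minutes allowed, and the size of the local subnet.
  lan_allow_minutes     = 30
  lan_allow_subnet_size = 24

  # Split tunnel: routes listed in `exclude` are not carried in the WARP
  # tunnel, so keep the list minimal. 192.0.2.0/24 is a documentation range;
  # replace it with real routes.
  exclude = [{
    address     = "192.0.2.0/24"
    description = "Exclude testing domains from the tunnel"
  }]
  exclude_office_ips = true # adds Microsoft IPs to the Split Tunnel exclusions

  # Alternative to `exclude` (never both in one request):
  # include = [{
  #   address     = "192.0.2.0/24"
  #   description = "Include testing domains in the tunnel"
  # }]

  # true stops the client from falling back to a best guess of the system DNS
  # resolvers when a fallback domain has no dns_server.
  disable_auto_fallback          = true
  register_interface_ip_with_dns = true
  sccm_vpn_boundary_support      = false # Windows only

  # Client mode; `port` applies when the mode is proxy.
  service_mode_v2 = {
    mode = "proxy"
    port = 3000
  }
  tunnel_protocol = "wireguard"

  # URL launched when the Send Feedback button is clicked.
  support_url = "https://1.1.1.1/help"
}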

data cloudflare_zero_trust_device_custom_profile

required Expand Collapse
policy_id: String
account_id: String
computed Expand Collapse
id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

description: String

A description of the policy.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

gateway_unique_id: String
lan_allow_minutes: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: String

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

name: String

The name of the device settings profile.

precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: String

Determines which tunnel protocol to use.

exclude: List[Attributes]

List of routes excluded in the WARP client's tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

include: List[Attributes]

List of routes included in the WARP client's tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

cloudflare_zero_trust_device_custom_profile

# Reads one custom device profile by policy_id. The computed attributes include
# the match expression, the split tunnel routes and the fallback-domain DNS
# servers. Data source results are stored in Terraform state, so protect the
# state accordingly.
data "cloudflare_zero_trust_device_custom_profile" "example_zero_trust_device_custom_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"
  policy_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_custom_profiles

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

description: String

A description of the policy.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude: List[Attributes]

List of routes excluded in the WARP client's tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

gateway_unique_id: String
include: List[Attributes]

List of routes included in the WARP client's tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

lan_allow_minutes: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: String

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

name: String

The name of the device settings profile.

policy_id: String
precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

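Whether to allow the user to turn off the WARP switch and disconnect the client. Going by the field name, a value of true presumably locks the switch so that the user cannot disconnect; confirm the polarity before relying on it in a policy.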

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

tunnel_protocol: String

Determines which tunnel protocol to use.

cloudflare_zero_trust_device_custom_profiles

# Lists the custom device settings profiles of one account. The optional
# max_items argument is left unset, so the documented default of 1000 applies.
data "cloudflare_zero_trust_device_custom_profiles" "example_zero_trust_device_custom_profiles" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Custom > Fallback Domains

resource cloudflare_zero_trust_device_custom_profile_local_domain_fallback

required Expand Collapse
policy_id: String
account_id: String
domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description?: String

A description of the fallback domain, displayed in the client UI.

dns_server?: List[String]

A list of IP addresses to handle domain resolution.

computed Expand Collapse
id: String

cloudflare_zero_trust_device_custom_profile_local_domain_fallback

# Sets the local domain fallback list of one custom device profile.
# Names matching a listed suffix are resolved locally by the given dns_server
# addresses, so keep each suffix as narrow as the use case allows.
resource "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example_zero_trust_device_custom_profile_local_domain_fallback" {
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"

  domains = [
    {
      suffix      = "example.com"
      dns_server  = ["1.1.1.1"] # IP addresses that handle resolution for this suffix
      description = "Domain bypass for local development" # shown in the client UI
    },
  ]
}

data cloudflare_zero_trust_device_custom_profile_local_domain_fallback

required Expand Collapse
policy_id: String
account_id: String
computed Expand Collapse
id: String
description: String

A description of the fallback domain, displayed in the client UI.

suffix: String

The domain suffix to match when resolving locally.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_custom_profile_local_domain_fallback

# Reads the local domain fallback settings attached to one custom device profile.
data "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example_zero_trust_device_custom_profile_local_domain_fallback" {
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" # profile whose fallback settings are read
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Posture

resource cloudflare_zero_trust_device_posture_rule

required Expand Collapse
account_id: String
name: String

The name of the device posture rule.

type: String

The type of device posture rule.

optional Expand Collapse
description?: String

The description of the device posture rule.

expiration?: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

schedule?: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

input?: Attributes

The value to be checked against.

operating_system?: String

Operating system.

path?: String

File path.

exists?: Bool

Whether or not file exists.

sha256?: String

SHA-256.

thumbprint?: String

Signing certificate thumbprint.

id?: String

List ID.

domain?: String

Domain.

operator?: String

Operator.

version?: String

Version of OS.

os_distro_name?: String

Operating System Distribution Name (linux only).

os_distro_revision?: String

Version of OS Distribution (linux only).

os_version_extra?: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled?: Bool

Enabled.

check_disks?: List[String]

List of volume names to be checked for encryption.

require_all?: Bool

Whether to check all disks for encryption.

certificate_id?: String

UUID of Cloudflare managed certificate.

cn?: String

Common Name that is protected by the certificate.

check_private_key?: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage?: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations?: Attributes
paths?: List[String]

List of paths to check for client certificate on linux.

trust_stores?: List[String]

List of trust stores to check for client certificate.

subject_alternative_names?: List[String]

List of certificate Subject Alternative Names.

update_window_days?: Float64

Number of days that the antivirus should be updated within.

compliance_status?: String

Compliance Status.

connection_id?: String

Posture Integration ID.

last_seen?: String

For more details on last seen, please refer to the Crowdstrike documentation.

os?: String

Os Version.

overall?: String

Overall.

sensor_config?: String

SensorConfig.

state?: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator?: String

Version Operator.

count_operator?: String

Count Operator.

issue_count?: String

The Number of Issues.

eid_last_seen?: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level?: String

For more details on risk level, refer to the Tanium documentation.

score_operator?: String

Score Operator.

total_score?: Float64

For more details on total score, refer to the Tanium documentation.

active_threats?: Float64

The Number of active threats.

infected?: Bool

Whether device is infected.

is_active?: Bool

Whether device is active.

network_status?: String

Network status of device.

operational_state?: String

Agent operational state.

score?: Float64

A value from 0 to 100 assigned to the device by the third-party posture provider.

match?: List[Attributes]

The conditions that the client must match to run the rule.

platform?: String
computed Expand Collapse
id: String

API UUID.

cloudflare_zero_trust_device_posture_rule

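# Example "file" posture rule: checks that a given file exists on the device.
# Two sample values were corrected: sha256 held a URL rather than a digest, and
# the match platform ("windows") contradicted input.operating_system ("linux"),
# which would leave the rule with no client it could sensibly run on.
resource "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" {
  account_id  = "699d98642c564d2e855e9661899b7252"
  name        = "Admin Serial Numbers"
  type        = "file"
  description = "The rule for admin serial numbers"

  # expiration: how long a posture check result stays valid.
  # schedule:   how often the WARP client polls (documented default 5m, minimum 1m).
  expiration = "1h"
  schedule   = "1h"

  input = {
    operating_system = "linux"
    path             = "/bin/cat"
    exists           = true

    # Placeholder, not a real digest: replace with the hex SHA-256 of the file
    # you expect at `path`. A value that is not a digest can never match.
    sha256 = "<sha256-hex-digest-of-expected-file>"

    # Signing certificate thumbprint (page sample value). Presumably only
    # meaningful for signed binaries; confirm before keeping it on this check.
    thumbprint = "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
  }

  # Conditions the client must match to run the rule; kept in step with
  # input.operating_system.
  match = [{
    platform = "linux"
  }]
}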

data cloudflare_zero_trust_device_posture_rule

required Expand Collapse
rule_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

description: String

The description of the device posture rule.

expiration: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

name: String

The name of the device posture rule.

schedule: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: String

The type of device posture rule.

input: Attributes

The value to be checked against.

operating_system: String

Operating system.

path: String

File path.

exists: Bool

Whether or not file exists.

sha256: String

SHA-256.

thumbprint: String

Signing certificate thumbprint.

id: String

List ID.

domain: String

Domain.

operator: String

Operator.

version: String

Version of OS.

os_distro_name: String

Operating System Distribution Name (linux only).

os_distro_revision: String

Version of OS Distribution (linux only).

os_version_extra: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled: Bool

Enabled.

check_disks: List[String]

List of volume names to be checked for encryption.

require_all: Bool

Whether to check all disks for encryption.

certificate_id: String

UUID of Cloudflare managed certificate.

cn: String

Common Name that is protected by the certificate.

check_private_key: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations: Attributes
paths: List[String]

List of paths to check for client certificate on linux.

trust_stores: List[String]

List of trust stores to check for client certificate.

subject_alternative_names: List[String]

List of certificate Subject Alternative Names.

update_window_days: Float64

Number of days that the antivirus should be updated within.

compliance_status: String

Compliance Status.

connection_id: String

Posture Integration ID.

last_seen: String

For more details on last seen, please refer to the Crowdstrike documentation.

os: String

Os Version.

overall: String

Overall.

sensor_config: String

SensorConfig.

state: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator: String

Version Operator.

count_operator: String

Count Operator.

issue_count: String

The Number of Issues.

eid_last_seen: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level: String

For more details on risk level, refer to the Tanium documentation.

score_operator: String

Score Operator.

total_score: Float64

For more details on total score, refer to the Tanium documentation.

active_threats: Float64

The Number of active threats.

infected: Bool

Whether device is infected.

is_active: Bool

Whether device is active.

network_status: String

Network status of device.

operational_state: String

Agent operational state.

score: Float64

A value from 0 to 100 assigned to the device by the third-party posture provider.

match: List[Attributes]

The conditions that the client must match to run the rule.

platform: String

cloudflare_zero_trust_device_posture_rule

# Reads a single device posture rule by its API UUID.
data "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" {
  rule_id    = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" # API UUID of the rule
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_device_posture_rules

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

description: String

The description of the device posture rule.

expiration: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: Attributes

The value to be checked against.

operating_system: String

Operating system.

path: String

File path.

exists: Bool

Whether or not file exists.

sha256: String

SHA-256.

thumbprint: String

Signing certificate thumbprint.

id: String

List ID.

domain: String

Domain.

operator: String

Operator.

version: String

Version of OS.

os_distro_name: String

Operating System Distribution Name (linux only).

os_distro_revision: String

Version of OS Distribution (linux only).

os_version_extra: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled: Bool

Enabled.

check_disks: List[String]

List of volume names to be checked for encryption.

require_all: Bool

Whether to check all disks for encryption.

certificate_id: String

UUID of Cloudflare managed certificate.

cn: String

Common Name that is protected by the certificate.

check_private_key: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations: Attributes
paths: List[String]

List of paths to check for client certificate on linux.

trust_stores: List[String]

List of trust stores to check for client certificate.

subject_alternative_names: List[String]

List of certificate Subject Alternative Names.

update_window_days: Float64

Number of days that the antivirus should be updated within.

compliance_status: String

Compliance Status.

connection_id: String

Posture Integration ID.

last_seen: String

For more details on last seen, please refer to the Crowdstrike documentation.

os: String

Os Version.

overall: String

Overall.

sensor_config: String

SensorConfig.

state: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator: String

Version Operator.

count_operator: String

Count Operator.

issue_count: String

The Number of Issues.

eid_last_seen: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level: String

For more details on risk level, refer to the Tanium documentation.

score_operator: String

Score Operator.

total_score: Float64

For more details on total score, refer to the Tanium documentation.

active_threats: Float64

The Number of active threats.

infected: Bool

Whether device is infected.

is_active: Bool

Whether device is active.

network_status: String

Network status of device.

operational_state: String

Agent operational state.

score: Float64

A value from 0 to 100 assigned to the device by the third-party posture provider.

match: List[Attributes]

The conditions that the client must match to run the rule.

platform: String
name: String

The name of the device posture rule.

schedule: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: String

The type of device posture rule.

cloudflare_zero_trust_device_posture_rules

# Lists the device posture rules of one account. The optional max_items
# argument is left unset, so the documented default of 1000 applies.
data "cloudflare_zero_trust_device_posture_rules" "example_zero_trust_device_posture_rules" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Posture > Integrations

resource cloudflare_zero_trust_device_posture_integration

required Expand Collapse
account_id: String
interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

config: Attributes

The configuration object containing third-party integration information.

api_url?: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url?: String

The Workspace One Authorization URL depending on your region.

client_id?: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

client_secret?: String

The Workspace One client secret provided in the Workspace One Admin Dashboard.

customer_id?: String

The Crowdstrike customer ID.

client_key?: String

The Uptycs client secret.

access_client_id?: String

If present, this id will be passed in the CF-Access-Client-ID header when hitting the api_url.

access_client_secret?: String

If present, this secret will be passed in the CF-Access-Client-Secret header when hitting the api_url.

computed Expand Collapse
id: String

API UUID.

cloudflare_zero_trust_device_posture_integration

# Example Workspace One posture integration; the third-party API is checked
# every 10 minutes.
resource "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "My Workspace One Integration"
  type       = "workspace_one"
  interval   = "10m" # m for minutes, h for hours

  config = {
    api_url   = "https://as123.awmdm.com/API"
    auth_url  = "https://na.uemauth.workspaceone.com/connect/token"
    client_id = "example client id"

    # Sample value. In a real configuration, pass the client secret in from a
    # sensitive variable or a secret store rather than a committed literal, and
    # restrict access to the Terraform state, which records the value.
    client_secret = "example client secret"
  }
}

data cloudflare_zero_trust_device_posture_integration

required Expand Collapse
integration_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

config: Attributes

The configuration object containing third-party integration information.

api_url: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: String

The Workspace One Authorization URL depending on your region.

client_id: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

cloudflare_zero_trust_device_posture_integration

# Reads one posture integration. The computed config documented for this data
# source lists api_url, auth_url and client_id only.
data "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" {
  integration_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" # API UUID of the integration
  account_id     = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_device_posture_integrations

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

config: Attributes

The configuration object containing third-party integration information.

api_url: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: String

The Workspace One Authorization URL depending on your region.

client_id: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

cloudflare_zero_trust_device_posture_integrations

# Lists the posture integrations of one account. The optional max_items
# argument is left unset, so the documented default of 1000 applies.
data "cloudflare_zero_trust_device_posture_integrations" "example_zero_trust_device_posture_integrations" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Settings

resource cloudflare_zero_trust_device_settings

required Expand Collapse
account_id: String
optional Expand Collapse
disable_for_time?: Float64

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled?: Bool

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint?: String

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.

external_emergency_signal_interval?: String

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.

external_emergency_signal_url?: String

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled?: Bool

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled?: Bool

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled?: Bool

Enable installation of the Cloudflare-managed root certificate.

use_zt_virtual_ip?: Bool

Enable using CGNAT virtual IPv4.

cloudflare_zero_trust_device_settings

# Account-wide device settings for the WARP client.
resource "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Time limit, in seconds, for using an override code to bypass WARP.
  disable_for_time = 0

  # Gateway proxy filtering on TCP and on UDP.
  gateway_proxy_enabled     = true
  gateway_udp_proxy_enabled = true

  # Cloudflare-managed root certificate installation and CGNAT virtual IPv4.
  root_certificate_installation_enabled = true
  use_zt_virtual_ip                     = true

  # External emergency disconnect signal. The URL must be HTTPS with an IPv4 or
  # IPv6 address as host. When a fingerprint is given, the client ignores any
  # response from a server whose certificate SHA-256 fingerprint (64 hex
  # characters) does not match it exactly.
  external_emergency_signal_enabled     = true
  external_emergency_signal_url         = "https://192.0.2.1/signal"
  external_emergency_signal_fingerprint = "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234"
  external_emergency_signal_interval    = "5m" # fetch interval; minimum 30 seconds
}

data cloudflare_zero_trust_device_settings

required Expand Collapse
account_id: String
computed Expand Collapse
disable_for_time: Float64

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled: Bool

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint: String

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.

external_emergency_signal_interval: String

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.

external_emergency_signal_url: String

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled: Bool

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled: Bool

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled: Bool

Enable installation of cloudflare managed root certificate.

use_zt_virtual_ip: Bool

Enable using CGNAT virtual IPv4.

cloudflare_zero_trust_device_settings

# Reads the device settings of one account; account_id is the only argument
# the schema lists for this data source.
data "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Identity Providers

resource cloudflare_zero_trust_access_identity_provider

required Expand Collapse
name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: List[String]

Custom claims

client_id?: String

Your OAuth Client ID

client_secret?: String

Your OAuth Client Secret

conditional_access_enabled?: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id?: String

Your Azure directory uuid

email_claim_name?: String

The claim name for email in the id_token response.

prompt?: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

support_groups?: Bool

Should Cloudflare try to load groups from your account

centrify_account?: String

Your centrify account url

centrify_app_id?: String

Your centrify app id

apps_domain?: String

Your company's TLD

auth_url?: String

The authorization_endpoint URL of your IdP

certs_url?: String

The jwks_uri endpoint of your IdP, which publishes the IdP keys used to verify the signatures on its tokens

pkce_enabled?: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes?: List[String]

OAuth scopes

token_url?: String

The token_endpoint URL of your IdP

authorization_server_id?: String

Your okta authorization server id

okta_account?: String

Your okta account url

onelogin_account?: String

Your OneLogin account url

ping_env_id?: String

Your PingOne environment identifier

attributes?: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name?: String

The attribute name for email in the SAML response.

header_attributes?: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name?: String

attribute name from the IDP

header_name?: String

header that will be added on the request to the origin

idp_public_certs?: List[String]

X509 certificate to verify the signature in the SAML authentication response

issuer_url?: String

IdP Entity ID or Issuer URL

sign_request?: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url?: String

URL to send the SAML authentication requests to

redirect_url: String
optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

scim_config?: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision?: Bool

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: Bool

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

computed Expand Collapse
id: String

UUID.

cloudflare_zero_trust_access_identity_provider

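# Example Access identity provider. The config keys below are the Azure AD
# ones (directory_id is "Your Azure directory uuid", and the prompt values are
# those of the Microsoft identity platform), so type names that provider; the
# original sample paired this config with type "onetimepin".
resource "cloudflare_zero_trust_access_identity_provider" "example_zero_trust_access_identity_provider" {
  name = "Widget Corps IDP" # shown to users on the login page
  type = "azureAD"

  # account_id and zone_id are mutually exclusive; this example is zone-scoped.
  zone_id = "zone_id"

  config = {
    client_id = "<your client id>"

    # Placeholder. Supply the real OAuth client secret from a sensitive
    # variable or a secret store rather than a committed literal, and restrict
    # access to the Terraform state, which records the value.
    client_secret = "<your client secret>"

    directory_id               = "<your azure directory uuid>"
    claims                     = ["email_verified", "preferred_username", "custom_claim_name"]
    email_claim_name           = "custom_claim_name"
    conditional_access_enabled = true
    support_groups             = true

    # prompt=login forces users to enter their credentials on each request,
    # which negates single sign-on.
    prompt = "login"
  }

  scim_config = {
    enabled                  = true
    identity_update_behavior = "automatic"

    # seat_deprovision cannot be enabled unless user_deprovision is enabled too.
    user_deprovision = true
    seat_deprovision = true
  }
}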

data cloudflare_zero_trust_access_identity_provider

optional Expand Collapse
identity_provider_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
scim_enabled?: String

Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

computed Expand Collapse
id: String

UUID.

name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: List[String]

Custom claims

client_id: String

Your OAuth Client ID

client_secret: String

Your OAuth Client Secret

conditional_access_enabled: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id: String

Your Azure directory uuid

email_claim_name: String

The claim name for email in the id_token response.

prompt: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

support_groups: Bool

Should Cloudflare try to load groups from your account

centrify_account: String

Your centrify account url

centrify_app_id: String

Your centrify app id

apps_domain: String

Your company's TLD

auth_url: String

The authorization_endpoint URL of your IdP

certs_url: String

The jwks_uri endpoint of your IdP, which publishes the IdP keys used to verify the signatures on its tokens

pkce_enabled: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes: List[String]

OAuth scopes

token_url: String

The token_endpoint URL of your IdP

authorization_server_id: String

Your okta authorization server id

okta_account: String

Your okta account url

onelogin_account: String

Your OneLogin account url

ping_env_id: String

Your PingOne environment identifier

attributes: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: String

The attribute name for email in the SAML response.

header_attributes: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: String

attribute name from the IDP

header_name: String

header that will be added on the request to the origin

idp_public_certs: List[String]

X509 certificate to verify the signature in the SAML authentication response

issuer_url: String

IdP Entity ID or Issuer URL

sign_request: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: String

URL to send the SAML authentication requests to

redirect_url: String
scim_config: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision: Bool

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Bool

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

cloudflare_zero_trust_access_identity_provider

# Look up a single Access identity provider by its UUID.
# NOTE(review): the cloudflare_zero_trust_access_identity_providers data source
# documents account_id and zone_id as mutually exclusive; presumably the same
# applies here, so confirm and keep only one of the two scopes.
# The computed config.client_secret and scim_config.secret attributes are
# credentials: whatever the API returns for them is stored in Terraform state,
# so restrict who can read the state backend.
data "cloudflare_zero_trust_access_identity_provider" "example_zero_trust_access_identity_provider" {
  account_id           = "account_id"
  zone_id              = "zone_id"
  identity_provider_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_access_identity_providers

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

scim_enabled?: String

Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: List[String]

Custom claims

client_id: String

Your OAuth Client ID

client_secret: String

Your OAuth Client Secret

conditional_access_enabled: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id: String

Your Azure directory uuid

email_claim_name: String

The claim name for email in the id_token response.

prompt: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

support_groups: Bool

Should Cloudflare try to load groups from your account

centrify_account: String

Your centrify account url

centrify_app_id: String

Your centrify app id

apps_domain: String

Your company's TLD

auth_url: String

The authorization_endpoint URL of your IdP

certs_url: String

The jwks_uri endpoint of your IdP, which publishes the keys the IdP uses to sign the tokens

pkce_enabled: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes: List[String]

OAuth scopes

token_url: String

The token_endpoint URL of your IdP

authorization_server_id: String

Your okta authorization server id

okta_account: String

Your okta account url

onelogin_account: String

Your OneLogin account url

ping_env_id: String

Your PingOne environment identifier

attributes: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: String

The attribute name for email in the SAML response.

header_attributes: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: String

attribute name from the IDP

header_name: String

header that will be added on the request to the origin

idp_public_certs: List[String]

X509 certificate to verify the signature in the SAML authentication response

issuer_url: String

IdP Entity ID or Issuer URL

sign_request: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: String

URL to send the SAML authentication requests to

name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: String

UUID.

scim_config: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare's SCIM V2.0 API endpoint.

seat_deprovision: Bool

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Bool

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

cloudflare_zero_trust_access_identity_providers

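# List the Access identity providers of one account or one zone.
# account_id and zone_id are documented as mutually exclusive, so only one
# scope is set here; swap in the commented line to query a zone instead.
# Each result carries config.client_secret and scim_config.secret: whatever the
# API returns for them is stored in Terraform state, so restrict who can read
# the state backend.
data "cloudflare_zero_trust_access_identity_providers" "example_zero_trust_access_identity_providers" {
  account_id = "account_id"
  # zone_id = "zone_id"

  # Restricts the result to identity providers that have SCIM enabled.
  scim_enabled = "scim_enabled"
}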

Zero TrustOrganizations

resource cloudflare_zero_trust_organization

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

auth_domain?: String

The unique subdomain assigned to your Zero Trust organization.

deny_unmatched_requests?: Bool

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

name?: String

The name of your Zero Trust organization.

session_duration?: String

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

user_seat_expiration_inactive_time?: String

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration?: String

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

deny_unmatched_requests_exempted_zone_names?: List[String]

Contains zone names to exempt from the deny_unmatched_requests feature. Unauthenticated requests to a subdomain in an exempted zone are blocked by default if there is a configured Access application and policy that matches the request.

custom_pages?: Attributes
forbidden?: String

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied?: String

The uid of the custom page to use when a user is denied access.

login_design?: Attributes
background_color?: String

The background color on your login page.

header_text?: String

The text at the top of your login page.

logo_path?: String

The URL of the logo on your login page.

text_color?: String

The text color on your login page.

mfa_config?: Attributes

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators?: List[String]

Lists the MFA methods that users can authenticate with.

session_duration?: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

allow_authenticate_via_warp?: Bool

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auto_redirect_to_identity?: Bool

When set to true, users skip the identity provider selection step during login.

is_ui_read_only?: Bool

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

mfa_required_for_all_apps?: Bool

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

ui_read_only_toggle_reason?: String

A description of the reason why the UI read only field is being toggled.

computed Expand Collapse
created_at: Time
updated_at: Time

cloudflare_zero_trust_organization

# Zero Trust organization settings, scoped to a zone (example values).
resource "cloudflare_zero_trust_organization" "example_zero_trust_organization" {
  # Scope and identity of the organization.
  zone_id     = "zone_id"
  name        = "Widget Corps Internal Applications"
  auth_domain = "test.cloudflareaccess.com"

  # Default-deny: requests to Cloudflare-protected resources that have no
  # associated Access application are rejected, except in the exempted zones.
  deny_unmatched_requests                     = true
  deny_unmatched_requests_exempted_zone_names = ["example.com"]

  # Login flow.
  allow_authenticate_via_warp = true # application settings take precedence
  auto_redirect_to_identity   = true # skips the identity provider selection step

  # Token and seat lifetimes.
  session_duration                   = "24h"
  warp_auth_session_duration         = "24h"
  user_seat_expiration_inactive_time = "730h" # documented minimum (1 month)

  # MFA methods and MFA session length. With mfa_required_for_all_apps = false
  # the global MFA settings are not applied to applications by default.
  mfa_config = {
    allowed_authenticators = ["totp", "biometrics", "security_key"]
    session_duration       = "24h"
  }
  mfa_required_for_all_apps = false

  # Dashboard lock: settings are read-only in the UI regardless of user
  # permission, so changes go through the API or Terraform.
  is_ui_read_only            = true
  ui_read_only_toggle_reason = "Temporarily turn off the UI read only lock to make a change via the UI"

  # Custom pages shown on denial (uids of custom pages).
  custom_pages = {
    forbidden       = "699d98642c564d2e855e9661899b7252"
    identity_denied = "699d98642c564d2e855e9661899b7252"
  }

  # Login page appearance.
  # NOTE(review): footer_text is not in the login_design attribute list on this
  # page; confirm it against the provider schema.
  login_design = {
    background_color = "#c5ed1b"
    text_color       = "#c5ed1b"
    header_text      = "This is an example description."
    footer_text      = "This is an example description."
    logo_path        = "https://example.com/logo.png"
  }
}

data cloudflare_zero_trust_organization

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
allow_authenticate_via_warp: Bool

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: String

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: Bool

When set to true, users skip the identity provider selection step during login.

created_at: Time
deny_unmatched_requests: Bool

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

is_ui_read_only: Bool

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

mfa_required_for_all_apps: Bool

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

name: String

The name of your Zero Trust organization.

session_duration: String

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: String

A description of the reason why the UI read only field is being toggled.

updated_at: Time
user_seat_expiration_inactive_time: String

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: String

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

deny_unmatched_requests_exempted_zone_names: List[String]

Contains zone names to exempt from the deny_unmatched_requests feature. Unauthenticated requests to a subdomain in an exempted zone are blocked by default if there is a configured Access application and policy that matches the request.

custom_pages: Attributes
forbidden: String

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: String

The uid of the custom page to use when a user is denied access.

login_design: Attributes
background_color: String

The background color on your login page.

header_text: String

The text at the top of your login page.

logo_path: String

The URL of the logo on your login page.

text_color: String

The text color on your login page.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

cloudflare_zero_trust_organization

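# Read the Zero Trust organization settings of one account or one zone.
# account_id and zone_id are documented as mutually exclusive, so only one
# scope is set here; swap in the commented line to query a zone instead.
data "cloudflare_zero_trust_organization" "example_zero_trust_organization" {
  account_id = "account_id"
  # zone_id = "zone_id"
}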

Zero TrustAccessAI ControlsMcpPortals

resource cloudflare_zero_trust_access_ai_controls_mcp_portal

required Expand Collapse
id: String

portal id

account_id: String
hostname: String
name: String
optional Expand Collapse
description?: String
allow_code_mode?: Bool

Allow remote code execution in Dynamic Workers (beta)

secure_web_gateway?: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

servers?: List[Attributes]
server_id: String

server id

default_disabled?: Bool
on_behalf?: Bool
updated_prompts?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
updated_tools?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
computed Expand Collapse
created_at: Time
created_by: String
modified_at: Time
modified_by: String

cloudflare_zero_trust_access_ai_controls_mcp_portal

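# MCP portal that fronts one MCP server and overrides one prompt and one tool
# (example values).
resource "cloudflare_zero_trust_access_ai_controls_mcp_portal" "example_zero_trust_access_ai_controls_mcp_portal" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  id         = "my-mcp-portal"
  name       = "My MCP Portal"

  # Fixed from "exmaple.com": example hostnames should use the reserved
  # example.com domain, not a look-alike that a third party may control.
  hostname    = "example.com"
  description = "This is my custom MCP Portal"

  # Allows remote code execution in Dynamic Workers (beta). Leave it off unless
  # the portal needs it.
  allow_code_mode = true

  # false: outbound MCP traffic is not routed through the Zero Trust Secure Web
  # Gateway, so Gateway does not see or filter it.
  secure_web_gateway = false

  servers = [{
    server_id        = "my-mcp-server"
    default_disabled = true
    on_behalf        = true

    # Per-prompt override: alias, description and enabled flag for the named prompt.
    updated_prompts = [{
      name        = "name"
      alias       = "my-custom-alias"
      description = "description"
      enabled     = true
    }]

    # Per-tool override: alias, description and enabled flag for the named tool.
    updated_tools = [{
      name        = "name"
      alias       = "my-custom-alias"
      description = "description"
      enabled     = true
    }]
  }]
}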

data cloudflare_zero_trust_access_ai_controls_mcp_portal

required Expand Collapse
account_id: String
optional Expand Collapse
id?: String

portal id

filter?: Attributes
computed Expand Collapse
allow_code_mode: Bool

Allow remote code execution in Dynamic Workers (beta)

created_at: Time
created_by: String
description: String
hostname: String
modified_at: Time
modified_by: String
name: String
secure_web_gateway: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

servers: List[Attributes]
id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
updated_prompts: Dynamic
updated_tools: Dynamic
created_at: Time
created_by: String
default_disabled: Bool
description: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
on_behalf: Bool
status: String

cloudflare_zero_trust_access_ai_controls_mcp_portal

# Fetch one MCP portal by its portal id within the given account.
# The computed allow_code_mode and secure_web_gateway attributes can be read
# back to audit how the portal is configured.
data "cloudflare_zero_trust_access_ai_controls_mcp_portal" "example_zero_trust_access_ai_controls_mcp_portal" {
  id         = "my-mcp-portal"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

data cloudflare_zero_trust_access_ai_controls_mcp_portals

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

portal id

hostname: String
name: String
servers: List[Attributes]
id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
updated_prompts: Dynamic
updated_tools: Dynamic
created_at: Time
created_by: String
default_disabled: Bool
description: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
on_behalf: Bool
status: String
allow_code_mode: Bool

Allow remote code execution in Dynamic Workers (beta)

created_at: Time
created_by: String
description: String
modified_at: Time
modified_by: String
secure_web_gateway: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

cloudflare_zero_trust_access_ai_controls_mcp_portals

# List the MCP portals of an account.
# NOTE(review): search is not among the arguments this page documents for the
# data source (only account_id and max_items are listed); confirm it against
# the provider schema.
data "cloudflare_zero_trust_access_ai_controls_mcp_portals" "example_zero_trust_access_ai_controls_mcp_portals" {
  search     = "search"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

Zero TrustAccessAI ControlsMcpServers

resource cloudflare_zero_trust_access_ai_controls_mcp_server

required Expand Collapse
id: String

server id

account_id: String
auth_type: String
hostname: String
name: String
optional Expand Collapse
auth_credentials?: String
description?: String
computed Expand Collapse
created_at: Time
created_by: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
status: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]

cloudflare_zero_trust_access_ai_controls_mcp_server

# Register a remote MCP server with Access AI Controls (example values).
resource "cloudflare_zero_trust_access_ai_controls_mcp_server" "example_zero_trust_access_ai_controls_mcp_server" {
  account_id  = "a86a8f5c339544d7bdc89926de14fb8c"
  id          = "my-mcp-server"
  name        = "My MCP Server"
  description = "This is one remote mcp server"
  hostname    = "https://example.com/mcp"

  # NOTE(review): auth_type is "unauthenticated" while auth_credentials is also
  # set; confirm whether credentials are used in that mode.
  auth_type = "unauthenticated"

  # Presumably the secret presented to the MCP server (the page gives no
  # description; TODO confirm). If so, supply it from a variable marked
  # sensitive rather than a literal, and treat the Terraform state as secret,
  # because the value is stored there.
  auth_credentials = "auth_credentials"
}

data cloudflare_zero_trust_access_ai_controls_mcp_server

required Expand Collapse
account_id: String
optional Expand Collapse
id?: String

server id

filter?: Attributes
computed Expand Collapse
auth_type: String
created_at: Time
created_by: String
description: String
error: String
hostname: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
name: String
status: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]

cloudflare_zero_trust_access_ai_controls_mcp_server

# Fetch one MCP server by its server id within the given account.
# auth_credentials is not among the computed attributes listed for this data
# source; auth_type, status and error are.
data "cloudflare_zero_trust_access_ai_controls_mcp_server" "example_zero_trust_access_ai_controls_mcp_server" {
  id         = "my-mcp-server"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

data cloudflare_zero_trust_access_ai_controls_mcp_servers

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
created_at: Time
created_by: String
description: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
status: String

cloudflare_zero_trust_access_ai_controls_mcp_servers

# List the MCP servers of an account.
# NOTE(review): search is not among the arguments this page documents for the
# data source (only account_id and max_items are listed); confirm it against
# the provider schema.
data "cloudflare_zero_trust_access_ai_controls_mcp_servers" "example_zero_trust_access_ai_controls_mcp_servers" {
  search     = "search"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

Zero TrustAccessInfrastructureTargets

resource cloudflare_zero_trust_access_infrastructure_target

required Expand Collapse
account_id: String

Account identifier

hostname: String

A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4?: Attributes

The target's IPv4 address

ip_addr?: String

IP address of the target

virtual_network_id?: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6?: Attributes

The target's IPv6 address

ip_addr?: String

IP address of the target

virtual_network_id?: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

computed Expand Collapse
id: String

Target identifier

created_at: Time

Date and time at which the target was created

modified_at: Time

Date and time at which the target was modified

cloudflare_zero_trust_access_infrastructure_target

# Infrastructure Access target reachable over both IPv4 and IPv6 (example values).
resource "cloudflare_zero_trust_access_infrastructure_target" "example_zero_trust_access_infrastructure_target" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"

  # Non-unique, case-insensitive label for the target: no spaces, and it must
  # start and end with an alphanumeric character.
  hostname = "infra-access-target"

  # Where to reach the target. virtual_network_id is optional for each family;
  # when omitted, the default virtual network is used, so set it explicitly if
  # the address exists in more than one private network.
  ip = {
    ipv4 = {
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      ip_addr            = "187.26.29.249"
    }
    ipv6 = {
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
    }
  }
}

data cloudflare_zero_trust_access_infrastructure_target

required Expand Collapse
account_id: String

Account identifier

optional Expand Collapse
target_id?: String

Target identifier

filter?: Attributes
created_after?: Time

Date and time at which the target was created after (inclusive)

created_before?: Time

Date and time at which the target was created before (inclusive)

direction?: String

The sorting direction.

hostname?: String

Hostname of a target

hostname_contains?: String

Partial match to the hostname of a target

ip_like?: String

Filters for targets whose IP addresses look like the specified string. Supports * as a wildcard character

ip_v4?: String

IPv4 address of the target

ip_v6?: String

IPv6 address of the target

ips?: List[String]

Filters for targets that have any of the following IP addresses. Specify ips multiple times in query parameter to build list of candidates.

ipv4_end?: String

Defines an IPv4 filter range's ending value (inclusive). Requires ipv4_start to be specified as well.

ipv4_start?: String

Defines an IPv4 filter range's starting value (inclusive). Requires ipv4_end to be specified as well.

ipv6_end?: String

Defines an IPv6 filter range's ending value (inclusive). Requires ipv6_start to be specified as well.

ipv6_start?: String

Defines an IPv6 filter range's starting value (inclusive). Requires ipv6_end to be specified as well.

modified_after?: Time

Date and time at which the target was modified after (inclusive)

modified_before?: Time

Date and time at which the target was modified before (inclusive)

order?: String

The field to sort by.

target_ids?: List[String]

Filters for targets that have any of the following UUIDs. Specify target_ids multiple times in query parameter to build list of candidates.

virtual_network_id?: String

Private virtual network identifier of the target

computed Expand Collapse
id: String

Target identifier

created_at: Time

Date and time at which the target was created

hostname: String

A non-unique field that refers to a target

modified_at: Time

Date and time at which the target was modified

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4: Attributes

The target's IPv4 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6: Attributes

The target's IPv6 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

cloudflare_zero_trust_access_infrastructure_target

# Fetch one infrastructure target by its target identifier.
# hostname is documented as non-unique, so target_id is the unambiguous way to
# select a single target.
data "cloudflare_zero_trust_access_infrastructure_target" "example_zero_trust_access_infrastructure_target" {
  target_id  = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_infrastructure_targets

required Expand Collapse
account_id: String

Account identifier

optional Expand Collapse
created_after?: Time

Date and time at which the target was created after (inclusive)

created_before?: Time

Date and time at which the target was created before (inclusive)

direction?: String

The sorting direction.

hostname?: String

Hostname of a target

hostname_contains?: String

Partial match to the hostname of a target

ip_like?: String

Filters for targets whose IP addresses look like the specified string. Supports * as a wildcard character

ip_v4?: String

IPv4 address of the target

ip_v6?: String

IPv6 address of the target

ipv4_end?: String

Defines an IPv4 filter range's ending value (inclusive). Requires ipv4_start to be specified as well.

ipv4_start?: String

Defines an IPv4 filter range's starting value (inclusive). Requires ipv4_end to be specified as well.

ipv6_end?: String

Defines an IPv6 filter range's ending value (inclusive). Requires ipv6_start to be specified as well.

ipv6_start?: String

Defines an IPv6 filter range's starting value (inclusive). Requires ipv6_end to be specified as well.

modified_after?: Time

Date and time at which the target was modified after (inclusive)

modified_before?: Time

Date and time at which the target was modified before (inclusive)

order?: String

The field to sort by.

virtual_network_id?: String

Private virtual network identifier of the target

ips?: List[String]

Filters for targets that have any of the following IP addresses. Specify ips multiple times in query parameter to build list of candidates.

target_ids?: List[String]

Filters for targets that have any of the following UUIDs. Specify target_ids multiple times in query parameter to build list of candidates.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

Target identifier

created_at: Time

Date and time at which the target was created

hostname: String

A non-unique field that refers to a target

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4: Attributes

The target's IPv4 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6: Attributes

The target's IPv6 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

modified_at: Time

Date and time at which the target was modified

cloudflare_zero_trust_access_infrastructure_targets

# List infrastructure targets. Every documented filter is shown with a
# placeholder value; a real query would normally set only a few of them.
data "cloudflare_zero_trust_access_infrastructure_targets" "example_zero_trust_access_infrastructure_targets" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"

  # Select by identifier or network.
  target_ids         = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  virtual_network_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"

  # Hostname filters: exact value or partial match.
  hostname          = "hostname"
  hostname_contains = "hostname_contains"

  # Address filters. ip_like accepts * as a wildcard; ips matches any listed address.
  ip_like = "ip_like"
  ip_v4   = "ip_v4"
  ip_v6   = "ip_v6"
  ips     = ["string"]

  # Inclusive address ranges: each *_start must be given together with its *_end.
  ipv4_start = "ipv4_start"
  ipv4_end   = "ipv4_end"
  ipv6_start = "ipv6_start"
  ipv6_end   = "ipv6_end"

  # Inclusive time bounds on creation and modification.
  created_after   = "2019-12-27T18:11:19.117Z"
  created_before  = "2019-12-27T18:11:19.117Z"
  modified_after  = "2019-12-27T18:11:19.117Z"
  modified_before = "2019-12-27T18:11:19.117Z"

  # Sorting.
  order     = "hostname"
  direction = "asc"
}

Zero TrustAccessApplicationsCAs

resource cloudflare_zero_trust_access_short_lived_certificate

required Expand Collapse
app_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificate

# Create the short-lived certificate CA for one Access application.
# The computed public_key is the value to add to the SSH server configuration;
# aud identifies the application associated with the CA.
resource "cloudflare_zero_trust_access_short_lived_certificate" "example_zero_trust_access_short_lived_certificate" {
  zone_id = "zone_id"
  app_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_access_short_lived_certificate

required Expand Collapse
app_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificate

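# Looks up the short-lived certificate CA of one Access application.
data "cloudflare_zero_trust_access_short_lived_certificate" "example_zero_trust_access_short_lived_certificate" {
  app_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"

  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. Use the commented line instead for a zone-scoped lookup.
  account_id = "account_id"
  # zone_id  = "zone_id"
}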

data cloudflare_zero_trust_access_short_lived_certificates

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the CA.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificates

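# Lists short-lived certificate CAs; max_items is left at its documented
# default of 1000.
data "cloudflare_zero_trust_access_short_lived_certificates" "example_zero_trust_access_short_lived_certificates" {
  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. Use the commented line instead for a zone-scoped listing.
  account_id = "account_id"
  # zone_id  = "zone_id"
}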

Zero Trust > Access > Certificates

resource cloudflare_zero_trust_access_mtls_certificate

required Expand Collapse
certificate: String

The certificate content.

name: String

The name of the certificate.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

associated_hostnames?: List[String]

The hostnames of the applications that will use this certificate.

computed Expand Collapse
id: String

The ID of the application that will use this certificate.

created_at: Time
expires_on: Time
fingerprint: String

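The MD5 fingerprint of the certificate. MD5 is not collision-resistant, so use this value to identify a certificate, not to verify its integrity.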

updated_at: Time

cloudflare_zero_trust_access_mtls_certificate

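# Registers a certificate for Access mTLS and associates it with hostnames.
resource "cloudflare_zero_trust_access_mtls_certificate" "example_zero_trust_access_mtls_certificate" {
  name    = "Allow devs"
  zone_id = "zone_id" # placeholder; mutually exclusive with account_id

  # "<<-EOT" strips the shared leading indentation. A plain "<<EOT" keeps the
  # two spaces in front of every PEM line and sends them as part of the value.
  # The body below is the page's truncated sample, not a usable certificate.
  certificate = <<-EOT
  -----BEGIN CERTIFICATE-----
  MIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10
  DrUtmu/B
  -----END CERTIFICATE-----
  EOT

  # Hostnames of the applications that will use this certificate.
  associated_hostnames = ["admin.example.com"]
}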

data cloudflare_zero_trust_access_mtls_certificate

required Expand Collapse
certificate_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

created_at: Time
expires_on: Time
fingerprint: String

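The MD5 fingerprint of the certificate. MD5 is not collision-resistant, so use this value to identify a certificate, not to verify its integrity.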

name: String

The name of the certificate.

updated_at: Time
associated_hostnames: List[String]

The hostnames of the applications that will use this certificate.

cloudflare_zero_trust_access_mtls_certificate

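# Looks up one Access mTLS certificate by its ID.
data "cloudflare_zero_trust_access_mtls_certificate" "example_zero_trust_access_mtls_certificate" {
  certificate_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"

  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. Use the commented line instead for a zone-scoped lookup.
  account_id = "account_id"
  # zone_id  = "zone_id"
}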

data cloudflare_zero_trust_access_mtls_certificates

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the application that will use this certificate.

associated_hostnames: List[String]

The hostnames of the applications that will use this certificate.

created_at: Time
expires_on: Time
fingerprint: String

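The MD5 fingerprint of the certificate. MD5 is not collision-resistant, so use this value to identify a certificate, not to verify its integrity.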

name: String

The name of the certificate.

updated_at: Time

cloudflare_zero_trust_access_mtls_certificates

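# Lists Access mTLS certificates; max_items is left at its documented default
# of 1000.
data "cloudflare_zero_trust_access_mtls_certificates" "example_zero_trust_access_mtls_certificates" {
  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. Use the commented line instead for a zone-scoped listing.
  account_id = "account_id"
  # zone_id  = "zone_id"
}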

Zero Trust > Access > Certificates > Settings

resource cloudflare_zero_trust_access_mtls_hostname_settings

required Expand Collapse
settings: List[Attributes]
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

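Client Certificate Forwarding takes the client certificate that the end user (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header to allow logging on the origin. The origin should rely on this header only for requests it can confirm arrived through Cloudflare, because a client that reaches the origin directly can send a header of the same name.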

hostname: String

The hostname that these settings apply to.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the end user (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header to allow logging on the origin.

hostname: String

The hostname that these settings apply to.

cloudflare_zero_trust_access_mtls_hostname_settings

# mTLS settings for a single hostname, scoped to a zone.
resource "cloudflare_zero_trust_access_mtls_hostname_settings" "example_zero_trust_access_mtls_hostname_settings" {
  zone_id = "zone_id" # placeholder; mutually exclusive with account_id

  settings = [{
    hostname = "admin.example.com"

    # Forwards the client certificate to the origin as an HTTP header, which
    # the schema text describes as being for logging on the origin.
    # NOTE(review): the origin should accept that header only on traffic it can
    # confirm came through Cloudflare; confirm how the origin is locked down.
    client_certificate_forwarding = true

    # Per the schema text, may only be true when the zone is China Network
    # enabled.
    china_network = false
  }]
}

data cloudflare_zero_trust_access_mtls_hostname_settings

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the end user (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header to allow logging on the origin.

hostname: String

The hostname that these settings apply to.

cloudflare_zero_trust_access_mtls_hostname_settings

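# Reads the mTLS hostname settings for one scope.
data "cloudflare_zero_trust_access_mtls_hostname_settings" "example_zero_trust_access_mtls_hostname_settings" {
  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. Use the commented line instead for a zone-scoped lookup.
  account_id = "account_id"
  # zone_id  = "zone_id"
}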

Zero Trust > Access > Groups

resource cloudflare_zero_trust_access_group

required Expand Collapse
name: String

The name of the Access group.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

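An empty object which matches on all service tokens. Because Include rules are combined with OR, listing it under include admits any valid service token rather than one specific token.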

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

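An empty object which matches on all users. Under include this makes every user a match, so the result is narrowed only by the Require and Exclude rules.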

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

is_default?: Bool

Whether this is the default group

exclude?: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

require?: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

computed Expand Collapse
id: String

UUID.

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_group

# Generated example of an Access group. The same placeholder group ID is used
# in include, require and exclude. With real values these would differ: as
# written, any user who meets the include rule also meets the exclude rule, and
# a user who meets an exclude rule cannot match.
resource "cloudflare_zero_trust_access_group" "example_zero_trust_access_group" {
  name       = "Allow devs"
  zone_id    = "zone_id" # placeholder; mutually exclusive with account_id
  is_default = true

  # OR: a user needs to meet only one of the include rules.
  include = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]

  # AND: a user must meet all of the require rules.
  require = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]

  # NOT: a user cannot meet any of the exclude rules.
  exclude = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
}

data cloudflare_zero_trust_access_group

optional Expand Collapse
group_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
name?: String

The name of the group.

computed Expand Collapse
id: String

UUID.

created_at: Time
name: String

The name of the Access group.

updated_at: Time
exclude: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

is_default: List[Attributes]

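Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. (Note: this type and description repeat those of require below, whereas the resource schema above documents is_default as a Bool meaning "Whether this is the default group"; confirm against the provider schema.)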

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

require: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_zero_trust_access_group

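# Looks up one Access group by its ID.
data "cloudflare_zero_trust_access_group" "example_zero_trust_access_group" {
  group_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"

  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. Use the commented line instead for a zone-scoped lookup.
  account_id = "account_id"
  # zone_id  = "zone_id"
}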

data cloudflare_zero_trust_access_groups

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

name?: String

The name of the group.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID.

created_at: Time
exclude: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

is_default: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

name: String

The name of the Access group.

require: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

updated_at: Time

cloudflare_zero_trust_access_groups

# Lists Access groups; every value below is a placeholder string.
# NOTE(review): the service-token data sources on this page describe account_id and
# zone_id as mutually exclusive, and this example sets both. Presumably only one
# should be kept; confirm against this data source's argument list.
data "cloudflare_zero_trust_access_groups" "example_zero_trust_access_groups" {
  account_id = "account_id"
  zone_id = "zone_id"
  name = "name"
  search = "search"
}

Zero Trust > Access > Service Tokens

resource cloudflare_zero_trust_access_service_token

required
name: String

The name of the service token.

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

previous_client_secret_expires_at?: Time

The expiration of the previous client_secret. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

client_secret_version?: Float64

A version number identifying the current client_secret associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by previous_client_secret_expires_at.

duration?: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

computed
id: String

The ID of the service token.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

client_secret: String

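The Client Secret for the service token. Access will check for this value in the CF-Access-Client-Secret request header. Because this is a computed attribute, the secret is recorded in Terraform state, so access to the state backend should be restricted accordingly.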

created_at: Time
expires_at: Time
last_seen_at: Time
updated_at: Time

cloudflare_zero_trust_access_service_token

# Creates an Access service token. The computed client_id / client_secret are the
# values Access checks in the CF-Access-Client-ID and CF-Access-Client-Secret headers.
# client_secret is a computed attribute, so Terraform records it in state: keep the
# state backend access-controlled and do not expose the value through outputs or logs.
resource "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" {
  name = "CI/CD token"
  # Scoped by zone; account_id is the documented, mutually exclusive alternative.
  zone_id = "zone_id"
  # Incrementing this number triggers a rotation of client_secret.
  client_secret_version = 0
  # Token lifetime. When omitted, the documented default is 8760h (1 year).
  duration = "60m"
  # After a rotation, the previous secret is accepted until this time. A timestamp
  # in the past, as here, means the previous secret is invalid immediately.
  previous_client_secret_expires_at = "2014-01-01T05:20:00.12345Z"
}

data cloudflare_zero_trust_access_service_token

optional
service_token_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
name?: String

The name of the service token.

computed
id: String

UUID.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

created_at: Time
duration: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: Time
last_seen_at: Time
name: String

The name of the service token.

updated_at: Time

cloudflare_zero_trust_access_service_token

# Looks up one service token by its UUID. The computed attributes documented for
# this data source include client_id but not client_secret.
# NOTE(review): account_id and zone_id are documented as mutually exclusive, yet
# both are set here. Keep only the one that matches the token's scope.
data "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" {
  service_token_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "account_id"
  zone_id = "zone_id"
}

data cloudflare_zero_trust_access_service_tokens

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

name?: String

The name of the service token.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The ID of the service token.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

created_at: Time
duration: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: Time
last_seen_at: Time
name: String

The name of the service token.

updated_at: Time

cloudflare_zero_trust_access_service_tokens

# Lists service tokens, optionally filtered by name; results are returned in `result`.
# NOTE(review): account_id and zone_id are documented as mutually exclusive, yet
# both are set here. Keep only one.
# NOTE(review): `search` does not appear in the argument list documented for this
# data source (account_id, zone_id, name, max_items); confirm it is accepted.
data "cloudflare_zero_trust_access_service_tokens" "example_zero_trust_access_service_tokens" {
  account_id = "account_id"
  zone_id = "zone_id"
  name = "name"
  search = "search"
}

Zero Trust > Access > Keys

resource cloudflare_zero_trust_access_key_configuration

required
account_id: String

Identifier.

key_rotation_interval_days: Float64

The number of days between key rotations.

computed
id: String

Identifier.

days_until_next_rotation: Float64

The number of days until the next key rotation.

last_key_rotation_at: Time

The timestamp of the previous key rotation.

cloudflare_zero_trust_access_key_configuration

# Sets the interval between Access key rotations for the account.
# The resource also exposes days_until_next_rotation and last_key_rotation_at
# as computed attributes.
resource "cloudflare_zero_trust_access_key_configuration" "example_zero_trust_access_key_configuration" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  # Number of days between key rotations.
  key_rotation_interval_days = 30
}

data cloudflare_zero_trust_access_key_configuration

required
account_id: String

Identifier.

computed
id: String

Identifier.

days_until_next_rotation: Float64

The number of days until the next key rotation.

key_rotation_interval_days: Float64

The number of days between key rotations.

last_key_rotation_at: Time

The timestamp of the previous key rotation.

cloudflare_zero_trust_access_key_configuration

# Reads the account's key rotation settings: the configured interval, the days
# until the next rotation, and the timestamp of the previous rotation.
data "cloudflare_zero_trust_access_key_configuration" "example_zero_trust_access_key_configuration" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Access > Custom Pages

resource cloudflare_zero_trust_access_custom_page

required
account_id: String

Identifier.

custom_html: String

Custom page HTML.

name: String

Custom page name.

type: String

Custom page type.

optional
app_count?: Int64

Number of apps the custom page is assigned to.

computed
id: String

UUID.

uid: String

UUID.

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_custom_page

# Defines a custom Access page from a literal HTML string.
resource "cloudflare_zero_trust_access_custom_page" "example_zero_trust_access_custom_page" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  # Raw HTML for the page. NOTE(review): if this is ever built from variables or
  # templates, make sure no untrusted value is interpolated into the markup.
  custom_html = "<html><body><h1>Access Denied</h1></body></html>"
  name = "name"
  # Custom page type. "identity_denied" presumably selects the page shown when
  # Access denies a user; confirm against the provider's allowed values.
  type = "identity_denied"
}

data cloudflare_zero_trust_access_custom_page

required
custom_page_id: String

UUID.

account_id: String

Identifier.

computed
id: String

UUID.

app_count: Int64

Number of apps the custom page is assigned to.

created_at: Time
custom_html: String

Custom page HTML.

name: String

Custom page name.

type: String

Custom page type.

uid: String

UUID.

updated_at: Time

cloudflare_zero_trust_access_custom_page

# Reads a single custom page by UUID, including its custom_html, name, type
# and the number of apps it is assigned to.
data "cloudflare_zero_trust_access_custom_page" "example_zero_trust_access_custom_page" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  custom_page_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_access_custom_pages

required
account_id: String

Identifier.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

UUID.

name: String

Custom page name.

type: String

Custom page type.

app_count: Int64

Number of apps the custom page is assigned to.

created_at: Time
uid: String

UUID.

updated_at: Time

cloudflare_zero_trust_access_custom_pages

# Lists the account's custom pages in `result`. max_items is left unset, so the
# documented default of 1000 applies. The documented result fields do not
# include custom_html.
data "cloudflare_zero_trust_access_custom_pages" "example_zero_trust_access_custom_pages" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Access > Tags

resource cloudflare_zero_trust_access_tag

required
name: String

The name of the tag

account_id: String

Identifier.

computed
id: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_tag

# Creates an Access tag. The computed `id` is documented as the name of the tag.
resource "cloudflare_zero_trust_access_tag" "example_zero_trust_access_tag" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name = "engineers"
}

data cloudflare_zero_trust_access_tag

required
tag_name: String

The name of the tag

account_id: String

Identifier.

computed
id: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
name: String

The name of the tag

updated_at: Time

cloudflare_zero_trust_access_tag

# Reads a single tag by name; app_count reports how many applications carry it.
data "cloudflare_zero_trust_access_tag" "example_zero_trust_access_tag" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  tag_name = "engineers"
}

data cloudflare_zero_trust_access_tags

required
account_id: String

Identifier.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

The name of the tag

name: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_tags

# Lists the account's tags in `result`. max_items is left unset, so the
# documented default of 1000 applies.
data "cloudflare_zero_trust_access_tags" "example_zero_trust_access_tags" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Access > Policies

resource cloudflare_zero_trust_access_policy

required
account_id: String

Identifier.

decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

name: String

The name of the Access policy.

optional
approval_required?: Bool

Requires the user to request access from an administrator at the start of each session.

isolation_required?: Bool

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

purpose_justification_prompt?: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required?: Bool

Require users to enter a justification when they log in to the application.

approval_groups?: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses?: List[String]

A list of emails that can approve the access request.

email_list_uuid?: String

The UUID of a reusable email list.

connection_rules?: Attributes

The rules that define how users may connect to targets secured by your application.

rdp?: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats?: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats?: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

mfa_config?: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators?: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled?: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration?: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

session_duration?: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

exclude?: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include?: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

require?: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

computed
id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

created_at: Time
reusable: Bool
updated_at: Time

cloudflare_zero_trust_access_policy

# Example Allow policy that exercises most optional arguments; IDs and e-mail
# addresses are sample values.
# NOTE(review): include, exclude and require all reference the same group ID. With the
# documented semantics (Include = OR, Require = AND, Exclude = NOT) a member of that
# group meets the Exclude rule, so the policy as written would match no one. Use
# distinct groups when adapting this example.
resource "cloudflare_zero_trust_access_policy" "example_zero_trust_access_policy" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  # Action taken when a user matches the policy.
  decision = "allow"
  # A user needs to meet only one Include rule.
  include = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
  name = "Allow devs"
  # Administrators who can approve a temporary authentication request.
  approval_groups = [{
    approvals_needed = 1
    email_addresses = ["test1@cloudflare.com", "test2@cloudflare.com"]
    # Placeholder string, not a real UUID.
    email_list_uuid = "email_list_uuid"
  }, {
    # NOTE(review): three approvals are required but only two addresses are listed
    # inline; presumably the rest must come from the referenced email list. Confirm.
    approvals_needed = 3
    email_addresses = ["test@cloudflare.com", "test2@cloudflare.com"]
    email_list_uuid = "597147a1-976b-4ef2-9af0-81d5d007fc34"
  }]
  # Users must request access from an administrator at the start of each session.
  approval_required = true
  # RDP clipboard is limited to the "text" format in both directions.
  connection_rules = {
    rdp = {
      allowed_clipboard_local_to_remote_formats = ["text"]
      allowed_clipboard_remote_to_local_formats = ["text"]
    }
  }
  # A user must not meet any Exclude rule.
  exclude = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
  # Browser isolation is not required for users matching this policy.
  isolation_required = false
  mfa_config = {
    # MFA methods users may authenticate with.
    allowed_authenticators = ["totp", "biometrics", "security_key"]
    # false leaves MFA enabled for this policy.
    mfa_disabled = false
    # Duration of an MFA session (documented range: 0m to 720h).
    session_duration = "24h"
  }
  purpose_justification_prompt = "Please enter a justification for entering this protected domain."
  # Users must enter a justification when they log in to the application.
  purpose_justification_required = true
  # A user must meet all Require rules.
  require = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
  # How long tokens issued for the application remain valid.
  session_duration = "24h"
}

data cloudflare_zero_trust_access_policy

required
policy_id: String

The UUID of the policy

account_id: String

Identifier.

computed
id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

approval_required: Bool

Requires the user to request access from an administrator at the start of each session.

created_at: Time
decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

isolation_required: Bool

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

name: String

The name of the Access policy.

purpose_justification_prompt: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Bool

Require users to enter a justification when they log in to the application.

reusable: Bool
session_duration: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: Time
approval_groups: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses: List[String]

A list of emails that can approve the access request.

email_list_uuid: String

The UUID of a reusable email list.

connection_rules: Attributes

The rules that define how users may connect to targets secured by your application.

rdp: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

exclude: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user must not meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

require: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_zero_trust_access_policy

# Reads a single Access policy, selected by policy_id (the policy's UUID) within the given account.
# The computed attributes (decision, include/exclude/require, mfa_config, session_duration, ...)
# expose the policy's effective settings, which makes this data source usable for policy review.
data "cloudflare_zero_trust_access_policy" "example_zero_trust_access_policy" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  policy_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_access_policies

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

approval_groups: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses: List[String]

A list of emails that can approve the access request.

email_list_uuid: String

The UUID of a reusable email list.

approval_required: Bool

Requires the user to request access from an administrator at the start of each session.

connection_rules: Attributes

The rules that define how users may connect to targets secured by your application.

rdp: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

created_at: Time
decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

exclude: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user must not meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

isolation_required: Bool

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

name: String

The name of the Access policy.

purpose_justification_prompt: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Bool

Require users to enter a justification when they log in to the application.

require: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

reusable: Bool
session_duration: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: Time

cloudflare_zero_trust_access_policies

# Lists the account's Access policies; the items are returned in the computed `result` attribute.
# max_items is not set here, so the documented default of 1000 applies.
# NOTE(review): presumably policies beyond max_items are not returned — confirm, and raise max_items
# if this listing is used to audit an account that may hold more policies than that.
data "cloudflare_zero_trust_access_policies" "example_zero_trust_access_policies" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust › DEX › Rules

resource cloudflare_zero_trust_dex_rule

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match.

name: String

The name of the Rule.

optional Expand Collapse
description?: String
computed Expand Collapse
id: String

API Resource UUID tag.

created_at: String
updated_at: String
targeted_tests: List[Attributes]
data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool
name: String
test_id: String

cloudflare_zero_trust_dex_rule

# Creates a DEX rule. The string values below are placeholders, not working settings.
resource "cloudflare_zero_trust_dex_rule" "example_zero_trust_dex_rule" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  # Required. Placeholder: the real value must be a wirefilter expression.
  match = "match"
  # Required. The name of the rule (placeholder).
  name = "name"
  # Optional (placeholder).
  description = "description"
}

data cloudflare_zero_trust_dex_rule

required Expand Collapse
rule_id: String

API Resource UUID tag.

account_id: String
computed Expand Collapse
id: String

API Resource UUID tag.

created_at: String
description: String
match: String
name: String
updated_at: String
targeted_tests: List[Attributes]
data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool
name: String
test_id: String

cloudflare_zero_trust_dex_rule

# Reads a single DEX rule, selected by rule_id (the API resource UUID) within the given account.
# The computed `targeted_tests` attribute lists the tests attached to the rule, including each test's host, kind and method.
data "cloudflare_zero_trust_dex_rule" "example_zero_trust_dex_rule" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  rule_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_dex_rules

required Expand Collapse
account_id: String
optional Expand Collapse
name?: String

Filter results by rule name

sort_by?: String

Which property to sort results by

sort_order?: String

Sort direction for sort_by property

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

rules: List[Attributes]
id: String

API Resource UUID tag.

created_at: String
match: String
name: String
description: String
targeted_tests: List[Attributes]
data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool
name: String
test_id: String
updated_at: String

cloudflare_zero_trust_dex_rules

# Lists DEX rules in the account; the items are returned in the computed `result` attribute.
# max_items is not set here, so the documented default of 1000 applies.
data "cloudflare_zero_trust_dex_rules" "example_zero_trust_dex_rules" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  # Optional filter on the rule name (placeholder value).
  name = "name"
}

Zero Trust › Tunnels › Cloudflared

resource cloudflare_zero_trust_tunnel_cloudflared

required Expand Collapse
account_id: String

Cloudflare account ID

name: String

A user-friendly name for a tunnel.

optional Expand Collapse
config_src?: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel on the Zero Trust dashboard.

tunnel_secret?: String

Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

remote_config: Bool (deprecated)
Use the config_src field instead.

If true, the tunnel can be configured remotely from the Zero Trust dashboard. If false, the tunnel must be configured locally on the origin machine.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

connections: List[Attributes] (deprecated)
This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_cloudflared

# Creates a Cloudflare Tunnel (cloudflared) in the given account.
resource "cloudflare_zero_trust_tunnel_cloudflared" "example_zero_trust_tunnel_cloudflared" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name = "blog"
  # "cloudflare": the tunnel is managed on the Zero Trust dashboard.
  # "local": the tunnel is managed with a YAML file on the origin machine.
  config_src = "cloudflare"
  # Sample value only. tunnel_secret is a credential (base64-encoded, at least 32 bytes):
  # generate it randomly and pass it in through a variable marked sensitive rather than
  # committing a literal. Terraform also records the value in state, so access to the
  # state backend needs to be restricted accordingly.
  tunnel_secret = "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
}

data cloudflare_zero_trust_tunnel_cloudflared

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
tunnel_id?: String

UUID of the tunnel.

filter?: Attributes
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for a tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

config_src: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel on the Zero Trust dashboard.

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

name: String

A user-friendly name for a tunnel.

remote_config: Bool (deprecated)
Use the config_src field instead.

If true, the tunnel can be configured remotely from the Zero Trust dashboard. If false, the tunnel must be configured locally on the origin machine.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

connections: List[Attributes] (deprecated)
This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_cloudflared

# Reads a single tunnel, selected by tunnel_id (the tunnel's UUID) within the given account.
# tunnel_id is optional in the schema; a `filter` block (name, status, is_deleted, ...) is the documented alternative.
data "cloudflare_zero_trust_tunnel_cloudflared" "example_zero_trust_tunnel_cloudflared" {
  account_id = "699d98642c564d2e855e9661899b7252"
  tunnel_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_tunnel_cloudflareds

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for a tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

config_src: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel on the Zero Trust dashboard.

connections: List[Attributes] (deprecated)
This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

metadata: JSON

Metadata associated with the tunnel.

name: String

A user-friendly name for a tunnel.

remote_config: Bool (Deprecated)
Deprecation note: Use the config_src field instead.

If true, the tunnel can be configured remotely from the Zero Trust dashboard. If false, the tunnel must be configured locally on the origin machine.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

cloudflare_zero_trust_tunnel_cloudflareds

# Lists the Cloudflare Tunnels of an account. Only account_id is required; every
# filter below is optional and is set here to show the accepted value formats.
data "cloudflare_zero_trust_tunnel_cloudflareds" "example_zero_trust_tunnel_cloudflareds" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Identity filters.
  name           = "blog"
  uuid           = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  include_prefix = "vpc1-"
  # NOTE(review): same value as include_prefix; presumably the two cancel out,
  # so a real query would set only one of them. Confirm against the API.
  exclude_prefix = "vpc1-"

  # State filters. is_deleted: true = only deleted tunnels, false = exclude
  # deleted tunnels, unset = all tunnels.
  status     = "healthy"
  is_deleted = true

  # Time filters. existed_at is a URL-encoded timestamp.
  existed_at      = "2019-10-12T07%3A20%3A50.52Z"
  was_active_at   = "2009-11-10T23:00:00Z"
  was_inactive_at = "2009-11-10T23:00:00Z"
}

Zero Trust > Tunnels > Cloudflared > Configurations

resource cloudflare_zero_trust_tunnel_cloudflared_config

required Expand Collapse
tunnel_id: String

UUID of the tunnel.

account_id: String

Identifier.

optional Expand Collapse
config?: Attributes

The tunnel configuration and ingress rules.

ingress?: List[Attributes]

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: String

Public hostname for this service.

service: String

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'.

origin_request?: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Attributes

For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required?: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool?: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout?: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disable_chunked_encoding?: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin?: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header?: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections?: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout?: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host?: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs?: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify?: Bool

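Disables TLS verification of the certificate presented by your origin, so that any certificate from the origin is accepted. With verification disabled, cloudflared cannot authenticate the origin it connects to; prefer setting ca_pool (and origin_server_name where the certificate name differs) so that verification can stay enabled.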

origin_server_name?: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type?: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.

tcp_keep_alive?: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout?: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path?: String

Requests with this path route to this public hostname.

origin_request?: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Attributes

For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required?: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool?: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout?: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disable_chunked_encoding?: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin?: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header?: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections?: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout?: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host?: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs?: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify?: Bool

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

origin_server_name?: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type?: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.

tcp_keep_alive?: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout?: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

warp_routing: Attributes (Deprecated)
Deprecation note: This field is ignored by cloudflared since version 2023.10.0.

Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

enabled: Bool
computed Expand Collapse
id: String

UUID of the tunnel.

created_at: Time
source: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard.

version: Int64

The version of the Tunnel Configuration.

cloudflare_zero_trust_tunnel_cloudflared_config

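# Tunnel configuration and ingress rules for one Cloudflare Tunnel.
# Changes from the generated example: proxy_type uses a value the schema lists as
# valid, and access.required is true so that the Access check is enforced.
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "example_zero_trust_tunnel_cloudflared_config" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"

  config = {
    # One entry per public hostname; at least one ingress rule must be defined.
    ingress = [{
      hostname = "tunnel.example.com"
      service  = "https://localhost:8001"
      path     = "subpath"

      # Connection settings between cloudflared and the origin for this hostname.
      origin_request = {
        access = {
          # Audience tags of the Access applications allowed to reach this hostname.
          aud_tag   = ["string"]
          team_name = "zero-trust-organization-name"
          # true denies traffic that has not fulfilled Access authorization.
          required = true
        }

        # Origin TLS: keep verification on. ca_pool is a path to the CA for the
        # origin certificate (only needed when it is not signed by Cloudflare);
        # origin_server_name is the hostname expected in the origin certificate.
        no_tls_verify      = false
        ca_pool            = "caPool"
        origin_server_name = "originServerName"
        match_sn_ito_host  = false
        tls_timeout        = 10

        # HTTP behaviour towards the origin. http2_origin requires an https origin.
        http2_origin             = true
        http_host_header         = "httpHostHeader"
        disable_chunked_encoding = true

        # "" selects the regular proxy, "socks" a SOCKS5 proxy; no other values
        # are listed as valid.
        proxy_type = ""

        # Connection management.
        connect_timeout        = 10
        keep_alive_connections = 100
        keep_alive_timeout     = 90
        tcp_keep_alive         = 30
        no_happy_eyeballs      = false
      }
    }]

    # The same origin_request attributes at the config level, outside any single
    # ingress rule.
    origin_request = {
      access = {
        aud_tag   = ["string"]
        team_name = "zero-trust-organization-name"
        # true denies traffic that has not fulfilled Access authorization.
        required = true
      }

      # Origin TLS: verification stays enabled.
      no_tls_verify      = false
      ca_pool            = "caPool"
      origin_server_name = "originServerName"
      match_sn_ito_host  = false
      tls_timeout        = 10

      http2_origin             = true
      http_host_header         = "httpHostHeader"
      disable_chunked_encoding = true

      # "" selects the regular proxy, "socks" a SOCKS5 proxy.
      proxy_type = ""

      connect_timeout        = 10
      keep_alive_connections = 100
      keep_alive_timeout     = 90
      tcp_keep_alive         = 30
      no_happy_eyeballs      = false
    }
  }
}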

data cloudflare_zero_trust_tunnel_cloudflared_config

required Expand Collapse
account_id: String

Identifier.

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
created_at: Time
source: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard.

version: Int64

The version of the Tunnel Configuration.

config: Attributes

The tunnel configuration and ingress rules.

ingress: List[Attributes]

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: String

Public hostname for this service.

service: String

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'.

origin_request: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: Attributes

For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disable_chunked_encoding: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify: Bool

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

origin_server_name: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.

tcp_keep_alive: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path: String

Requests with this path route to this public hostname.

origin_request: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: Attributes

For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disable_chunked_encoding: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify: Bool

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

origin_server_name: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.

tcp_keep_alive: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

warp_routing: Attributes (Deprecated)
Deprecation note: This field is ignored by cloudflared since version 2023.10.0.

Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

enabled: Bool

cloudflare_zero_trust_tunnel_cloudflared_config

# Reads the configuration (ingress rules and origin_request settings) of one tunnel.
# Useful for reviewing settings such as no_tls_verify and access.required as deployed.
data "cloudflare_zero_trust_tunnel_cloudflared_config" "example_zero_trust_tunnel_cloudflared_config" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Tunnels > Cloudflared > Token

data cloudflare_zero_trust_tunnel_cloudflared_token

required Expand Collapse
account_id: String

Cloudflare account ID

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
token: String

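The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. Treat it as a credential: the value read by this data source is stored in Terraform state, so restrict access to the state and avoid exposing the token in outputs or logs.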

cloudflare_zero_trust_tunnel_cloudflared_token

# Reads the token that authenticates the operation of this tunnel.
# The computed `token` attribute is a credential and is written to Terraform state:
# keep the state backend access-controlled, and mark any output that carries the
# token as sensitive.
data "cloudflare_zero_trust_tunnel_cloudflared_token" "example_zero_trust_tunnel_cloudflared_token" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Tunnels > WARP Connector

resource cloudflare_zero_trust_tunnel_warp_connector

required Expand Collapse
account_id: String

Cloudflare account ID

name: String

A user-friendly name for a tunnel.

optional Expand Collapse
ha?: Bool

Indicates that the tunnel will be created to be highly available. If omitted, defaults to false.

tunnel_secret?: String

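Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. Generate it from a cryptographically secure random source and supply it through a sensitive variable rather than as a literal in the configuration.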

computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

connections: List[Attributes] (Deprecated)
Deprecation note: This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`.

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_warp_connector

# Creates a WARP Connector tunnel. The optional tunnel_secret argument is not set
# here; when it is used, pass it from a sensitive variable instead of a literal.
resource "cloudflare_zero_trust_tunnel_warp_connector" "example_zero_trust_tunnel_warp_connector" {
  name       = "blog"
  account_id = "699d98642c564d2e855e9661899b7252"

  # Create the tunnel as highly available (defaults to false when omitted).
  ha = true
}

data cloudflare_zero_trust_tunnel_warp_connector

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
tunnel_id?: String

UUID of the tunnel.

filter?: Attributes
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for the tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

name: String

A user-friendly name for a tunnel.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

connections: List[Attributes] (Deprecated)
Deprecation note: This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`.

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_warp_connector

# Looks up one WARP Connector tunnel by its UUID. tunnel_id is optional in the
# schema; a `filter` block is the other optional way to select a tunnel.
data "cloudflare_zero_trust_tunnel_warp_connector" "example_zero_trust_tunnel_warp_connector" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_tunnel_warp_connectors

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for the tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

connections: List[Attributes] (Deprecated)
Deprecation note: This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint `/accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections`.

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

metadata: JSON

Metadata associated with the tunnel.

name: String

A user-friendly name for a tunnel.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

cloudflare_zero_trust_tunnel_warp_connectors

# Lists the WARP Connector tunnels of an account. Only account_id is required; every
# filter below is optional and is set here to show the accepted value formats.
data "cloudflare_zero_trust_tunnel_warp_connectors" "example_zero_trust_tunnel_warp_connectors" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Identity filters.
  name           = "blog"
  uuid           = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  include_prefix = "vpc1-"
  # NOTE(review): same value as include_prefix; presumably the two cancel out,
  # so a real query would set only one of them. Confirm against the API.
  exclude_prefix = "vpc1-"

  # State filters. is_deleted: true = only deleted tunnels, false = exclude
  # deleted tunnels, unset = all tunnels.
  status     = "healthy"
  is_deleted = true

  # Time filters. existed_at is a URL-encoded timestamp.
  existed_at      = "2019-10-12T07%3A20%3A50.52Z"
  was_active_at   = "2009-11-10T23:00:00Z"
  was_inactive_at = "2009-11-10T23:00:00Z"
}

Zero Trust > Tunnels > WARP Connector > Token

data cloudflare_zero_trust_tunnel_warp_connector_token

required Expand Collapse
account_id: String

Cloudflare account ID

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
token: String

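The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. Treat it as a credential: the value read by this data source is stored in Terraform state, so restrict access to the state and avoid exposing the token in outputs or logs.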

cloudflare_zero_trust_tunnel_warp_connector_token

# Reads the token that authenticates the operation of this WARP Connector tunnel.
# The computed `token` attribute is a credential and is written to Terraform state:
# keep the state backend access-controlled, and mark any output that carries the
# token as sensitive.
data "cloudflare_zero_trust_tunnel_warp_connector_token" "example_zero_trust_tunnel_warp_connector_token" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > DLP > Datasets

resource cloudflare_zero_trust_dlp_dataset

required Expand Collapse
account_id: String
name: String
optional Expand Collapse
dataset_id?: String
encoding_version?: Int64

Dataset encoding version

Non-secret custom word lists with no header are always version 1. Secret EDM lists with no header are version 1. Multicolumn CSV with headers are version 2. Omitting this field provides the default value 0, which is interpreted the same as 1.

secret?: Bool

Generate a secret dataset.

If true, the response will include a secret to use with the EDM encoder. If false, the response has no secret and the dataset is uploaded in plaintext.

case_sensitive?: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true or undefined.

description?: String

The description of the dataset.

computed Expand Collapse
created_at: Time
id: String
max_cells: Int64
num_cells: Int64
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

version: Int64

The version to use when uploading the dataset.

columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
dataset: Attributes
id: String
columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
created_at: Time
encoding_version: Int64
name: String
num_cells: Int64
secret: Bool
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64
case_sensitive: Bool
description: String

The description of the dataset.

uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64

cloudflare_zero_trust_dlp_dataset

# Creates a DLP dataset. "account_id", "name" and "description" are placeholder values.
resource "cloudflare_zero_trust_dlp_dataset" "example_zero_trust_dlp_dataset" {
  account_id  = "account_id"
  name        = "name"
  description = "description"

  # true: the response includes a secret to use with the EDM encoder.
  # false: no secret is returned and the dataset is uploaded in plaintext.
  secret = true

  # 0 is the default and is interpreted the same as 1.
  encoding_version = 0

  # Only applies to custom word lists; cannot be false when secret is true or undefined.
  case_sensitive = true
}

data cloudflare_zero_trust_dlp_dataset

required Expand Collapse
account_id: String
dataset_id: String
computed Expand Collapse
case_sensitive: Bool
created_at: Time
description: String

The description of the dataset.

encoding_version: Int64
id: String
name: String
num_cells: Int64
secret: Bool
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64

cloudflare_zero_trust_dlp_dataset

# Reads one DLP dataset by ID. The computed `secret` attribute reports whether the
# dataset was created as a secret (EDM) dataset. "account_id" is a placeholder value.
data "cloudflare_zero_trust_dlp_dataset" "example_zero_trust_dlp_dataset" {
  dataset_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  account_id = "account_id"
}

data cloudflare_zero_trust_dlp_datasets

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
created_at: Time
encoding_version: Int64
name: String
num_cells: Int64
secret: Bool
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64
case_sensitive: Bool
description: String

The description of the dataset.

cloudflare_zero_trust_dlp_datasets

# Lists the DLP datasets of an account. max_items is optional and defaults to 1000.
# "account_id" is a placeholder value.
data "cloudflare_zero_trust_dlp_datasets" "example_zero_trust_dlp_datasets" {
  account_id = "account_id"
}

Zero Trust > DLP > Profiles > Custom

resource cloudflare_zero_trust_dlp_custom_profile

required Expand Collapse
account_id: String
name: String
optional Expand Collapse
description?: String

The description of the profile.

data_classes?: List[String]

Data class IDs to associate with the profile.

data_tags?: List[String]

Data tag IDs to associate with the profile.

sensitivity_levels?: List[List[String]]

Sensitivity levels to associate with the profile as (group_id, level_id) tuples.

context_awareness?: Attributes (deprecated)

Scan the context of predefined entries to only return matches surrounded by keywords.

enabled: Bool

If true, scan the context of predefined entries to only return matches surrounded by keywords.

entries?: List[Attributes]
enabled: Bool
name: String
pattern?: Attributes
regex: String
Deprecatedvalidation?: String
description?: String
words?: List[String]
shared_entries?: List[Attributes]

Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).

enabled: Bool
entry_id: String
ai_context_enabled?: Bool
allowed_match_count?: Int64

Related DLP policies will trigger when the match count exceeds the number set.

confidence_threshold?: String
ocr_enabled?: Bool
computed Expand Collapse
id: String

The id of the profile (uuid).

created_at: Time

When the profile was created.

open_access: Bool

Whether this profile can be accessed by anyone.

type: String
updated_at: Time

When the profile was last updated.

cloudflare_zero_trust_dlp_custom_profile

# Generated sample of a custom DLP profile. String values such as "name",
# "description" and "confidence_threshold" are placeholders, not valid settings.
resource "cloudflare_zero_trust_dlp_custom_profile" "example_zero_trust_dlp_custom_profile" {
  account_id = "account_id"
  name = "name"
  ai_context_enabled = true
  # Related DLP policies trigger only when the match count exceeds this number,
  # so matches up to and including 5 do not trigger them in this sample.
  allowed_match_count = 5
  confidence_threshold = "confidence_threshold"
  # context_awareness is marked Deprecated in the schema. The nested `skip`
  # object is not described in the attribute list on this page.
  context_awareness = {
    enabled = true
    skip = {
      files = true
    }
  }
  data_classes = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  data_tags = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  description = "description"
  ocr_enabled = true
  # The schema describes each inner list as a (group_id, level_id) tuple; this
  # sample shows a single ID per inner list, so supply both IDs in real use.
  sensitivity_levels = [["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]]
  # Entries reused from other profiles (for example predefined Cloudflare
  # profiles), referenced by entry_id.
  shared_entries = [{
    enabled = true
    entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }]
}

data cloudflare_zero_trust_dlp_custom_profile

required Expand Collapse
profile_id: String
account_id: String
computed Expand Collapse
id: String
ai_context_enabled: Bool
allowed_match_count: Int64

Related DLP policies will trigger when the match count exceeds the number set.

confidence_threshold: String
created_at: Time

When the profile was created.

description: String

The description of the profile.

name: String

The name of the profile.

ocr_enabled: Bool
open_access: Bool

Whether this profile can be accessed by anyone.

type: String
updated_at: Time

When the profile was last updated.

data_classes: List[String]

Data classes associated with this profile.

data_tags: List[String]

Data tags associated with this profile.

sensitivity_levels: List[List[String]]

Sensitivity levels associated with this profile as (group_id, level_id) tuples.

context_awareness: Attributes (deprecated)

Scan the context of predefined entries to only return matches surrounded by keywords.

enabled: Bool

If true, scan the context of predefined entries to only return matches surrounded by keywords.

entries: List[Attributes] (deprecated)
id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON
shared_entries: List[Attributes]
id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_custom_profile

# Reads one custom DLP profile by profile_id. The computed attributes include
# each entry's pattern.regex and word_list.
# NOTE(review): data source results are recorded in Terraform state; protect
# state and plan output accordingly if your patterns or word lists are sensitive.
data "cloudflare_zero_trust_dlp_custom_profile" "example_zero_trust_dlp_custom_profile" {
  account_id = "account_id"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero TrustDLPProfilesPredefined

resource cloudflare_zero_trust_dlp_predefined_profile

required Expand Collapse
profile_id: String
account_id: String
optional Expand Collapse
enabled_entries?: List[String]
ai_context_enabled?: Bool
allowed_match_count?: Int64
confidence_threshold?: String
ocr_enabled?: Bool
entries?: List[Attributes] (deprecated)
id: String
enabled: Bool
computed Expand Collapse
id: String
name: String

The name of the predefined profile.

open_access: Bool

Whether this profile can be accessed by anyone.

cloudflare_zero_trust_dlp_predefined_profile

# Generated sample that configures a predefined DLP profile, identified by
# profile_id. "confidence_threshold" is a placeholder string.
resource "cloudflare_zero_trust_dlp_predefined_profile" "example_zero_trust_dlp_predefined_profile" {
  account_id = "account_id"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  ai_context_enabled = true
  allowed_match_count = 5
  confidence_threshold = "confidence_threshold"
  # Per the field description on this page, any entry not listed in
  # enabled_entries is disabled, so review the full list before applying to
  # avoid silently turning detections off.
  enabled_entries = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  # `entries` is marked Deprecated in favour of enabled_entries; the sample sets
  # both only to show the syntax.
  entries = [{
    id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    enabled = true
  }]
  ocr_enabled = true
}

data cloudflare_zero_trust_dlp_predefined_profile

required Expand Collapse
profile_id: String
account_id: String
computed Expand Collapse
id: String
ai_context_enabled: Bool
allowed_match_count: Int64
confidence_threshold: String
name: String

The name of the predefined profile.

ocr_enabled: Bool
open_access: Bool

Whether this profile can be accessed by anyone.

enabled_entries: List[String]

Entries to enable for this predefined profile. Any entries not provided will be disabled.

entries: List[Attributes] (deprecated)

This field has been deprecated for enabled_entries.

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_predefined_profile

# Reads one predefined DLP profile by profile_id. enabled_entries in the result
# shows which entries are enabled; per the schema, entries not provided there
# are disabled.
data "cloudflare_zero_trust_dlp_predefined_profile" "example_zero_trust_dlp_predefined_profile" {
  account_id = "account_id"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero TrustDLPEntries

resource cloudflare_zero_trust_dlp_entry

required Expand Collapse
account_id: String
enabled: Bool
name: String
pattern: Attributes
regex: String
validation?: String (deprecated)
optional Expand Collapse
profile_id?: String
description?: String
type?: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
secret: Bool
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_entry

# Generated sample of a DLP entry. "name", "regex" and "description" are
# placeholders; replace "regex" with the detection pattern you intend to match.
resource "cloudflare_zero_trust_dlp_entry" "example_zero_trust_dlp_entry" {
  account_id = "account_id"
  enabled = true
  name = "name"
  pattern = {
    regex = "regex"
    # `validation` is marked Deprecated in the schema on this page.
    validation = "luhn"
  }
  description = "description"
  # Optional: the profile this entry is attached to.
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_entry

# Reads one DLP entry by entry_id. The computed attributes include
# pattern.regex, word_list and the `secret` flag.
# NOTE(review): data source results are recorded in Terraform state; protect
# state and plan output accordingly if your patterns or word lists are sensitive.
data "cloudflare_zero_trust_dlp_entry" "example_zero_trust_dlp_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_entries

# Lists the DLP entries of an account. max_items is optional and defaults to
# 1000 per the schema; NOTE(review): set it explicitly when this list feeds an
# inventory or audit, since items beyond the limit are presumably not fetched.
data "cloudflare_zero_trust_dlp_entries" "example_zero_trust_dlp_entries" {
  account_id = "account_id"
}

Zero TrustDLPEntriesCustom

resource cloudflare_zero_trust_dlp_custom_entry

required Expand Collapse
account_id: String
enabled: Bool
name: String
pattern: Attributes
regex: String
validation?: String (deprecated)
optional Expand Collapse
profile_id?: String
description?: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_custom_entry

# Generated sample of a custom DLP entry. "name", "regex" and "description" are
# placeholders; replace "regex" with the detection pattern you intend to match.
resource "cloudflare_zero_trust_dlp_custom_entry" "example_zero_trust_dlp_custom_entry" {
  account_id = "account_id"
  enabled = true
  name = "name"
  pattern = {
    regex = "regex"
    # `validation` is marked Deprecated in the schema on this page.
    validation = "luhn"
  }
  description = "description"
  # Optional: the profile this entry is attached to.
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_custom_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_custom_entry

# Reads one custom DLP entry by entry_id. The computed attributes include
# pattern.regex, word_list and the `secret` flag.
# NOTE(review): data source results are recorded in Terraform state; protect
# state and plan output accordingly if your patterns or word lists are sensitive.
data "cloudflare_zero_trust_dlp_custom_entry" "example_zero_trust_dlp_custom_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_custom_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_custom_entries

# Lists the custom DLP entries of an account. max_items is optional and
# defaults to 1000 per the schema; NOTE(review): set it explicitly when this
# list feeds an inventory or audit, since items beyond the limit are presumably
# not fetched.
data "cloudflare_zero_trust_dlp_custom_entries" "example_zero_trust_dlp_custom_entries" {
  account_id = "account_id"
}

Zero TrustDLPEntriesPredefined

resource cloudflare_zero_trust_dlp_predefined_entry

required Expand Collapse
account_id: String
entry_id: String
enabled: Bool
optional Expand Collapse
profile_id?: String

This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
name: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_predefined_entry

# Enables or disables a predefined DLP entry, identified by entry_id.
resource "cloudflare_zero_trust_dlp_predefined_entry" "example_zero_trust_dlp_predefined_entry" {
  account_id = "account_id"
  enabled = true
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  # Per the schema, profile_id is not used as the owning profile here: a
  # predefined entry already belongs to a predefined profile.
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_predefined_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_predefined_entry

# Reads one predefined DLP entry by entry_id; the `enabled` attribute in the
# result reports whether the entry is currently enabled.
data "cloudflare_zero_trust_dlp_predefined_entry" "example_zero_trust_dlp_predefined_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_predefined_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_predefined_entries

# Lists the predefined DLP entries of an account. max_items is optional and
# defaults to 1000 per the schema; NOTE(review): set it explicitly when this
# list feeds an inventory or audit, since items beyond the limit are presumably
# not fetched.
data "cloudflare_zero_trust_dlp_predefined_entries" "example_zero_trust_dlp_predefined_entries" {
  account_id = "account_id"
}

Zero TrustDLPEntriesIntegration

resource cloudflare_zero_trust_dlp_integration_entry

required Expand Collapse
account_id: String
entry_id: String
enabled: Bool
optional Expand Collapse
profile_id?: String

This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
name: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_integration_entry

# Enables or disables a DLP integration entry, identified by entry_id.
resource "cloudflare_zero_trust_dlp_integration_entry" "example_zero_trust_dlp_integration_entry" {
  account_id = "account_id"
  enabled = true
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  # The schema states that profile_id is not used as the owning profile.
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_integration_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes
topic_type: String
type: String
description: String
word_list: JSON

cloudflare_zero_trust_dlp_integration_entry

# Reads one DLP integration entry by entry_id; the `enabled` attribute in the
# result reports whether the entry is currently enabled.
data "cloudflare_zero_trust_dlp_integration_entry" "example_zero_trust_dlp_integration_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_integration_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes
topic_type: String
type: String
description: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_integration_entries

# Lists the DLP integration entries of an account. max_items is optional and
# defaults to 1000 per the schema; NOTE(review): set it explicitly when this
# list feeds an inventory or audit, since items beyond the limit are presumably
# not fetched.
data "cloudflare_zero_trust_dlp_integration_entries" "example_zero_trust_dlp_integration_entries" {
  account_id = "account_id"
}

Zero TrustGatewayCategories

data cloudflare_zero_trust_gateway_categories_list

required Expand Collapse
account_id: String

Provide the identifier string.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: Int64

Identify this category. Only one category per ID.

beta: Bool

Indicate whether the category is in beta and subject to change.

class: String

Specify which account types can create policies for this category. blocked: Blocks unconditionally for all accounts. removalPending: Allows removal from policies but disables addition. noBlock: Prevents blocking.

description: String

Provide a short summary of domains in the category.

name: String

Specify the category name.

subcategories: List[Attributes]

Provide all subcategories for this category.

id: Int64

Identify this category. Only one category per ID.

beta: Bool

Indicate whether the category is in beta and subject to change.

class: String

Specify which account types can create policies for this category. blocked: Blocks unconditionally for all accounts. removalPending: Allows removal from policies but disables addition. noBlock: Prevents blocking.

description: String

Provide a short summary of domains in the category.

name: String

Specify the category name.

cloudflare_zero_trust_gateway_categories_list

# Lists Gateway categories and their subcategories. Each result carries a
# `class` value (blocked, removalPending or noBlock) describing how the category
# may be used in policies, and a `beta` flag for categories subject to change.
# max_items is optional and defaults to 1000 per the schema.
data "cloudflare_zero_trust_gateway_categories_list" "example_zero_trust_gateway_categories_list" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero TrustGatewayApp Types

data cloudflare_zero_trust_gateway_app_types_list

required Expand Collapse
account_id: String

Provide the identifier string.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: Int64

Identify this application. Only one application per ID.

application_type_id: Int64

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

created_at: Time
name: String

Specify the name of the application or application type.

description: String

Provide a short summary of applications with this type.

cloudflare_zero_trust_gateway_app_types_list

# Lists Gateway applications and application types. An application's
# application_type_id refers to the id of a returned application type.
# max_items is optional and defaults to 1000 per the schema.
data "cloudflare_zero_trust_gateway_app_types_list" "example_zero_trust_gateway_app_types_list" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero TrustGatewayConfigurations

resource cloudflare_zero_trust_gateway_settings

required Expand Collapse
account_id: String
optional Expand Collapse
settings?: Attributes

Specify account settings.

activity_log?: Attributes

Specify activity log settings.

enabled?: Bool

Specify whether to log activity.

antivirus?: Attributes

Specify anti-virus settings.

enabled_download_phase?: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase?: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed?: Bool

Specify whether to block requests for unscannable files.

notification_settings?: Attributes

Configure the message the user's device shows during an antivirus scan.

enabled?: Bool

Specify whether to enable notifications.

include_context?: Bool

Specify whether to include context information as query parameters.

msg?: String

Specify the message to show in the notification.

support_url?: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page?: Attributes

Specify block page layout settings.

background_color?: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled?: Bool

Specify whether to enable the custom block page.

header_text?: String

Specify the block page header text when the mode is customized_block_page.

include_context?: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path?: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address?: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject?: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode?: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name?: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri?: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning?: Attributes

Specify the DLP inspection mode.

inspection_mode?: String

Specify the inspection mode as either deep or shallow.

browser_isolation?: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled?: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled?: Bool

Specify whether to enable Clientless Browser Isolation.

certificate?: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate?: Attributes (deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id?: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time
extended_email_matching?: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled?: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only?: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account?: String

Indicate the account tag of the account that shared this setting.

version?: Int64

Indicate the version number of the setting.

fips?: Attributes

Specify FIPS settings.

tls?: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector?: Attributes

Enable host selection in egress policies.

enabled?: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection?: Attributes

Define the proxy inspection mode.

mode?: String

Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

protocol_detection?: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled?: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox?: Attributes

Specify whether to enable the sandbox.

enabled?: Bool

Specify whether to enable the sandbox.

fallback_action?: String

Specify the action to take when the system cannot scan the file.

tls_decrypt?: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled?: Bool

Specify whether to inspect encrypted HTTP traffic.

computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_gateway_settings

# Generated sample of account-wide Gateway settings. It shows every attribute
# with sample values and is not a hardened baseline: review each security
# toggle below before copying it into a real account.
resource "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
  settings = {
    # Activity logging is on in this sample.
    activity_log = {
      enabled = true
    }
    # Both scan phases are false, so this sample enables no anti-virus scanning.
    # fail_closed = false means requests for unscannable files are not blocked.
    antivirus = {
      enabled_download_phase = false
      enabled_upload_phase = false
      fail_closed = false
      notification_settings = {
        enabled = true
        # Context information is added as query parameters; if support_url is
        # unset, the notification opens a block page instead.
        include_context = true
        msg = "msg"
        support_url = "support_url"
      }
    }
    block_page = {
      # Expected in #rrggbb format; the value here is a placeholder.
      background_color = "background_color"
      enabled = true
      # footer_text and suppress_footer are not described in the attribute list
      # on this page.
      footer_text = "--footer--"
      header_text = "--header--"
      # Appends context to target_uri as query parameters; applies only when
      # mode is redirect_uri.
      include_context = true
      logo_path = "https://logos.com/a.png"
      mailto_address = "admin@example.com"
      mailto_subject = "Blocked User Inquiry"
      # Placeholder: the field descriptions refer to the modes
      # customized_block_page and redirect_uri.
      mode = ""
      name = "Cloudflare"
      suppress_footer = false
      target_uri = "https://example.com"
    }
    # DLP inspection mode, either deep or shallow.
    body_scanning = {
      inspection_mode = "deep"
    }
    browser_isolation = {
      non_identity_enabled = true
      url_browser_isolation_enabled = true
    }
    # Certificate used for Gateway TLS interception. It must be available at the
    # edge; if this block is unset, the Cloudflare Root CA handles interception.
    certificate = {
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }
    # Deprecated per the schema: use `certificate` instead. Shown here only
    # because the sample lists every attribute.
    custom_certificate = {
      enabled = true
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }
    # Matches variants of user emails (with + or . modifiers) used as criteria
    # in firewall policies.
    extended_email_matching = {
      enabled = true
    }
    # Enforces cipher suites and TLS versions compliant with FIPS 140-2.
    fips = {
      tls = true
    }
    host_selector = {
      enabled = false
    }
    # static: HTTP on TCP 80 and, with TLS decryption on, HTTPS on TCP/UDP 443.
    # dynamic: protocol detection on any port; TLS decryption must remain on to
    # inspect HTTPS.
    inspection = {
      mode = "static"
    }
    protocol_detection = {
      enabled = true
    }
    # fallback_action is the action taken when the system cannot scan a file.
    # NOTE(review): "allow" presumably lets unscanned files through; confirm
    # that is intended.
    sandbox = {
      enabled = true
      fallback_action = "allow"
    }
    # Turns on inspection of encrypted HTTP traffic; the certificate settings
    # above select the CA used for interception.
    tls_decrypt = {
      enabled = true
    }
  }
}

data cloudflare_zero_trust_gateway_settings

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time
settings: Attributes

Specify account settings.

activity_log: Attributes

Specify activity log settings.

enabled: Bool

Specify whether to log activity.

antivirus: Attributes

Specify anti-virus settings.

enabled_download_phase: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed: Bool

Specify whether to block requests for unscannable files.

notification_settings: Attributes

Configure the message the user's device shows during an antivirus scan.

enabled: Bool

Specify whether to enable notifications.

include_context: Bool

Specify whether to include context information as query parameters.

msg: String

Specify the message to show in the notification.

support_url: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page: Attributes

Specify block page layout settings.

background_color: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled: Bool

Specify whether to enable the custom block page.

header_text: String

Specify the block page header text when the mode is customized_block_page.

include_context: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning: Attributes

Specify the DLP inspection mode.

inspection_mode: String

Specify the inspection mode as either deep or shallow.

browser_isolation: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled: Bool

Specify whether to enable Clientless Browser Isolation.

certificate: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time
extended_email_matching: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

version: Int64

Indicate the version number of the setting.

fips: Attributes

Specify FIPS settings.

tls: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector: Attributes

Enable host selection in egress policies.

enabled: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection: Attributes

Define the proxy inspection mode.

mode: String

Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

protocol_detection: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox: Attributes

Specify whether to enable the sandbox.

enabled: Bool

Specify whether to enable the sandbox.

fallback_action: String

Specify the action to take when the system cannot scan the file. With allow, a file the sandbox could not scan is delivered without a verdict.

tls_decrypt: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled: Bool

Specify whether to inspect encrypted HTTP traffic.

cloudflare_zero_trust_gateway_settings

# Reads the Gateway settings of one account; account_id is the only required argument.
# The computed `settings` attribute exposes, among others, tls_decrypt.enabled,
# antivirus.fail_closed and sandbox.fallback_action, so this data source can feed
# baseline or drift checks on those values.
data "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustGatewayLists

resource cloudflare_zero_trust_list

required Expand Collapse
account_id: String
type: String

Specify the list type.

name: String

Specify the list name.

optional Expand Collapse
items?: Set[Attributes]

Add items to the list.

description?: String

Provide the list item description (optional).

value?: String

Specify the item value.

description?: String

Provide the list description.

computed Expand Collapse
id: String

Identify the API resource with a UUID.

created_at: Time
list_count: Float64

Indicate the number of items in the list.

updated_at: Time

cloudflare_zero_trust_list

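# Gateway list of type SERIAL holding administrator serial numbers.
resource "cloudflare_zero_trust_list" "example_zero_trust_list" {
  account_id  = "699d98642c564d2e855e9661899b7252"
  name        = "Admin Serial Numbers"
  type        = "SERIAL"
  description = "The serial numbers for administrators"

  items = [{
    # The item description labels the value next to it; keep it in step with
    # the list type so a reviewer can tell what each entry is (constructed label).
    description = "Administrator device serial number"
    value       = "8GE8721REF"
  }]
}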

data cloudflare_zero_trust_list

required Expand Collapse
account_id: String
optional Expand Collapse
list_id?: String

Identify the API resource with a UUID.

filter?: Attributes
type?: String

Specify the list type.

computed Expand Collapse
id: String

Identify the API resource with a UUID.

created_at: Time
description: String

Provide the list description.

list_count: Float64

Indicate the number of items in the list.

name: String

Specify the list name.

type: String

Specify the list type.

updated_at: Time
items: Set[Attributes]

Provide the list items.

created_at: Time
description: String

Provide the list item description (optional).

value: String

Specify the item value.

cloudflare_zero_trust_list

# Looks up a single Gateway list by its UUID within the given account.
data "cloudflare_zero_trust_list" "example_zero_trust_list" {
  list_id    = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_lists

required Expand Collapse
account_id: String
optional Expand Collapse
type?: String

Specify the list type.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

Identify the API resource with a UUID.

list_count: Float64

Indicate the number of items in the list.

created_at: Time
description: String

Provide the list description.

items: Set[Attributes]

Provide the list items.

created_at: Time
description: String

Provide the list item description (optional).

value: String

Specify the item value.

name: String

Specify the list name.

type: String

Specify the list type.

updated_at: Time

cloudflare_zero_trust_lists

# Enumerates the account's Gateway lists, filtered to type SERIAL.
# max_items is left unset, so the documented default of 1000 applies.
data "cloudflare_zero_trust_lists" "example_zero_trust_lists" {
  type       = "SERIAL"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustGatewayLocations

resource cloudflare_zero_trust_dns_location

required Expand Collapse
account_id: String
name: String

Specify the location name.

optional Expand Collapse
endpoints?: Attributes

Configure the destination endpoints for this location.

doh: Attributes
enabled?: Bool

Indicate whether the DOH endpoint is enabled for this location.

networks?: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

require_token?: Bool

Specify whether the DOH endpoint requires user identity authentication.

dot: Attributes
enabled?: Bool

Indicate whether the DOT endpoint is enabled for this location.

networks?: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

ipv4: Attributes
enabled?: Bool

Indicate whether the IPv4 endpoint is enabled for this location.

ipv6: Attributes
enabled?: Bool

Indicate whether the IPV6 endpoint is enabled for this location.

networks?: List[Attributes]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IPv6 address or IPv6 CIDR.

client_default?: Bool

Indicate whether this location is the default location.

dns_destination_ips_id?: String

Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged.

ecs_support?: Bool

Indicate whether the location must resolve EDNS queries.

networks?: List[Attributes]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: String

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

computed Expand Collapse
id: String
created_at: Time
dns_destination_ipv6_block_id: String

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: String

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ip: String

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: String

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

ipv4_destination_backup: String

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

updated_at: Time

cloudflare_zero_trust_dns_location

# DNS location with the IPv4, IPv6, DoH and DoT endpoints all enabled.
resource "cloudflare_zero_trust_dns_location" "example_zero_trust_dns_location" {
  account_id     = "699d98642c564d2e855e9661899b7252"
  name           = "Austin Office Location"
  client_default = false
  ecs_support    = false

  # ID of the shared IPv4 pair; the same pair is auto-assigned on create
  # when this field is absent or null.
  dns_destination_ips_id = "0e4a32c6-6fb8-4858-9296-98f51631e8e6"

  # Source ranges for requests at this location. Takes effect only when the
  # list is non-empty and the IPv4 endpoint is enabled.
  networks = [{
    network = "192.0.2.1/32"
  }]

  endpoints = {
    ipv4 = {
      enabled = true
    }

    # For the ipv6, doh and dot endpoints an empty networks list allows all
    # source IPs, so each one below carries an explicit allowed range.
    ipv6 = {
      enabled = true
      networks = [{
        network = "2001:85a3::/64"
      }]
    }

    doh = {
      enabled = true
      # Require user identity authentication on the DoH endpoint.
      require_token = true
      networks = [{
        network = "2001:85a3::/64"
      }]
    }

    dot = {
      enabled = true
      networks = [{
        network = "2001:85a3::/64"
      }]
    }
  }
}

data cloudflare_zero_trust_dns_location

required Expand Collapse
location_id: String
account_id: String
computed Expand Collapse
id: String
client_default: Bool

Indicate whether this location is the default location.

created_at: Time
dns_destination_ips_id: String

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

dns_destination_ipv6_block_id: String

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: String

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ecs_support: Bool

Indicate whether the location must resolve EDNS queries.

ip: String

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: String

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

ipv4_destination_backup: String

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

name: String

Specify the location name.

updated_at: Time
endpoints: Attributes

Configure the destination endpoints for this location.

doh: Attributes
enabled: Bool

Indicate whether the DOH endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

require_token: Bool

Specify whether the DOH endpoint requires user identity authentication.

dot: Attributes
enabled: Bool

Indicate whether the DOT endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

ipv4: Attributes
enabled: Bool

Indicate whether the IPv4 endpoint is enabled for this location.

ipv6: Attributes
enabled: Bool

Indicate whether the IPV6 endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IPv6 address or IPv6 CIDR.

networks: List[Attributes]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: String

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

cloudflare_zero_trust_dns_location

# Looks up one DNS location; both location_id and account_id are required.
data "cloudflare_zero_trust_dns_location" "example_zero_trust_dns_location" {
  location_id = "ed35569b41ce4d1facfe683550f54086"
  account_id  = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_dns_locations

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
client_default: Bool

Indicate whether this location is the default location.

created_at: Time
dns_destination_ips_id: String

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

dns_destination_ipv6_block_id: String

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: String

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ecs_support: Bool

Indicate whether the location must resolve EDNS queries.

endpoints: Attributes

Configure the destination endpoints for this location.

doh: Attributes
enabled: Bool

Indicate whether the DOH endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

require_token: Bool

Specify whether the DOH endpoint requires user identity authentication.

dot: Attributes
enabled: Bool

Indicate whether the DOT endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

ipv4: Attributes
enabled: Bool

Indicate whether the IPv4 endpoint is enabled for this location.

ipv6: Attributes
enabled: Bool

Indicate whether the IPV6 endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IPv6 address or IPv6 CIDR.

ip: String

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: String

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

ipv4_destination_backup: String

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

name: String

Specify the location name.

networks: List[Attributes]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: String

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

updated_at: Time

cloudflare_zero_trust_dns_locations

# Enumerates the account's DNS locations. max_items is left unset, so the
# documented default of 1000 applies. Each result carries the per-endpoint
# `networks` lists and `require_token`, which is enough to spot endpoints
# whose empty list allows all source IPs.
data "cloudflare_zero_trust_dns_locations" "example_zero_trust_dns_locations" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustGatewayLogging

resource cloudflare_zero_trust_gateway_logging

required Expand Collapse
account_id: String
optional Expand Collapse
redact_pii?: Bool

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

settings_by_rule_type?: Attributes

Configure logging settings for each rule type.

dns?: Attributes

Configure logging settings for DNS firewall.

log_all?: Bool

Specify whether to log all requests to this service.

log_blocks?: Bool

Specify whether to log only blocking requests to this service.

http?: Attributes

Configure logging settings for HTTP/HTTPS firewall.

log_all?: Bool

Specify whether to log all requests to this service.

log_blocks?: Bool

Specify whether to log only blocking requests to this service.

l4?: Attributes

Configure logging settings for Network firewall.

log_all?: Bool

Specify whether to log all requests to this service.

log_blocks?: Bool

Specify whether to log only blocking requests to this service.

computed Expand Collapse
id: String

cloudflare_zero_trust_gateway_logging

# Gateway activity logging: blocking requests only, with PII redacted.
resource "cloudflare_zero_trust_gateway_logging" "example_zero_trust_gateway_logging" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Redacts source IP, user email, user ID, device ID, URL, referrer and user
  # agent from activity logging. Those are the fields an investigation
  # pivots on, so weigh the privacy requirement against response needs.
  redact_pii = true

  # Per the field descriptions, log_blocks = true with log_all = false logs
  # only blocking requests for each rule type (DNS, HTTP/HTTPS, Network).
  settings_by_rule_type = {
    dns = {
      log_blocks = true
      log_all    = false
    }
    http = {
      log_blocks = true
      log_all    = false
    }
    l4 = {
      log_blocks = true
      log_all    = false
    }
  }
}

data cloudflare_zero_trust_gateway_logging

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
redact_pii: Bool

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

settings_by_rule_type: Attributes

Configure logging settings for each rule type.

dns: Attributes

Configure logging settings for DNS firewall.

log_all: Bool

Specify whether to log all requests to this service.

log_blocks: Bool

Specify whether to log only blocking requests to this service.

http: Attributes

Configure logging settings for HTTP/HTTPS firewall.

log_all: Bool

Specify whether to log all requests to this service.

log_blocks: Bool

Specify whether to log only blocking requests to this service.

l4: Attributes

Configure logging settings for Network firewall.

log_all: Bool

Specify whether to log all requests to this service.

log_blocks: Bool

Specify whether to log only blocking requests to this service.

cloudflare_zero_trust_gateway_logging

# Reads the account's Gateway logging configuration. The computed redact_pii
# and settings_by_rule_type (log_all / log_blocks per rule type) attributes
# show what activity is being recorded.
data "cloudflare_zero_trust_gateway_logging" "example_zero_trust_gateway_logging" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustGatewayProxy Endpoints

resource cloudflare_zero_trust_gateway_proxy_endpoint

required Expand Collapse
account_id: String
name: String

Specify the name of the proxy endpoint.

optional Expand Collapse
kind?: String

The proxy endpoint kind

ips?: List[String]

Specify the list of CIDRs to restrict ingress connections.

computed Expand Collapse
id: String
created_at: Time
subdomain: String

Specify the subdomain to use as the destination in the proxy client.

updated_at: Time

cloudflare_zero_trust_gateway_proxy_endpoint

# Proxy endpoint of kind "ip".
resource "cloudflare_zero_trust_gateway_proxy_endpoint" "example_zero_trust_gateway_proxy_endpoint" {
  account_id = "699d98642c564d2e855e9661899b7252"
  kind       = "ip"
  name       = "Devops team"

  # NOTE(review): ips (the list of CIDRs that restricts ingress connections)
  # is not set in this example. Confirm which sources the endpoint accepts
  # when ips is omitted before reusing this block as-is.
}

data cloudflare_zero_trust_gateway_proxy_endpoint

required Expand Collapse
proxy_endpoint_id: String
account_id: String
computed Expand Collapse
id: String
created_at: Time
kind: String

The proxy endpoint kind

name: String

Specify the name of the proxy endpoint.

subdomain: String

Specify the subdomain to use as the destination in the proxy client.

updated_at: Time
ips: List[String]

Specify the list of CIDRs to restrict ingress connections.

cloudflare_zero_trust_gateway_proxy_endpoint

# Looks up one proxy endpoint; the computed `ips` attribute returns the CIDRs
# that restrict ingress connections to it.
data "cloudflare_zero_trust_gateway_proxy_endpoint" "example_zero_trust_gateway_proxy_endpoint" {
  proxy_endpoint_id = "ed35569b41ce4d1facfe683550f54086"
  account_id        = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_gateway_proxy_endpoints

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

ips: List[String]

Specify the list of CIDRs to restrict ingress connections.

name: String

Specify the name of the proxy endpoint.

id: String
created_at: Time
kind: String

The proxy endpoint kind

subdomain: String

Specify the subdomain to use as the destination in the proxy client.

updated_at: Time

cloudflare_zero_trust_gateway_proxy_endpoints

# Enumerates the account's proxy endpoints. max_items is left unset, so the
# documented default of 1000 applies. Each result includes the `ips` CIDR
# list that restricts ingress connections.
data "cloudflare_zero_trust_gateway_proxy_endpoints" "example_zero_trust_gateway_proxy_endpoints" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustGatewayRules

resource cloudflare_zero_trust_gateway_policy

required Expand Collapse
account_id: String
action: String

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

name: String

Specify the rule name.

optional Expand Collapse
description?: String

Specify the rule description.

filters?: List[String]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

device_posture?: String

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

enabled?: Bool

Specify whether the rule is enabled.

identity?: String

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

precedence?: Int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

traffic?: String

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration?: Attributes

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

duration?: Int64

Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

expired: Bool

Indicates whether the policy is expired.

rule_settings?: Attributes

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers?: Map[List[String]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass?: Bool

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

audit_ssh?: Attributes

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging?: Bool

Enable SSH command logging.

biso_admin_controls?: Attributes

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy?: String

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

dcp?: Bool

Set to false to enable copy-pasting. Only applies when version == "v1".

dd?: Bool

Set to false to enable downloading. Only applies when version == "v1".

dk?: Bool

Set to false to enable keyboard usage. Only applies when version == "v1".

download?: String

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

dp?: Bool

Set to false to enable printing. Only applies when version == "v1".

du?: Bool

Set to false to enable uploading. Only applies when version == "v1".

keyboard?: String

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

paste?: String

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

printing?: String

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

upload?: String

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

version?: String

Indicate which version of the browser isolation controls should apply.

block_page?: Attributes

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: String

Specify the URI to which the user is redirected.

include_context?: Bool

Specify whether to pass the context information as query parameters.

block_page_enabled?: Bool

Enable the custom block page. Settable only for dns rules with action block.

block_reason?: String

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

bypass_parent_rule?: Bool

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session?: Attributes

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration?: String

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce?: Bool

Enable session enforcement.

dns_resolvers?: Attributes

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

ipv4?: List[Attributes]
ip: String

Specify the IPv4 address of the upstream resolver.

port?: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id?: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6?: List[Attributes]
ip: String

Specify the IPv6 address of the upstream resolver.

port?: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id?: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress?: Attributes

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4?: String

Specify the IPv4 address to use for egress.

ipv4_fallback?: String

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6?: String

Specify the IPv6 range to use for egress.

forensic_copy?: Attributes

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled?: Bool

Enable sending the copy to storage.

ignore_cname_category_matches?: Bool

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation?: Bool

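Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules. With validation disabled, responses for matching queries are accepted without DNSSEC signature checks, so scope any rule that sets this as narrowly as possible.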

ip_categories?: Bool

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds?: Bool

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override?: Attributes

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip?: String

Defines the IPv4 or IPv6 address.

port?: Int64

Defines a port number to use for TCP/UDP overrides.

notification_settings?: Attributes

Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to block.

enabled?: Bool

Enable notification.

include_context?: Bool

Indicates whether to pass the context information as query parameters.

msg?: String

Customize the message shown in the notification.

support_url?: String

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host?: String

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips?: List[String]

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log?: Attributes

Configure DLP payload logging. Settable only for http rules.

enabled?: Bool

Enable DLP payload logging for this rule.

quarantine?: Attributes

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types?: List[String]

Specify the types of files to sandbox.

redirect?: Attributes

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: String

Specify the URI to which the user is redirected.

include_context?: Bool

Specify whether to pass the context information as query parameters.

preserve_path_and_query?: Bool

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally?: Attributes

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

fallback?: String

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

view_id?: String

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare?: Bool

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert?: Attributes

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action?: String

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

schedule?: Attributes

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri?: String

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

mon?: String

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sat?: String

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sun?: String

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

thu?: String

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

time_zone?: String

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue?: String

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

wed?: String

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

computed
id: String

Identify the API resource with a UUID.

created_at: Time
deleted_at: Time

Indicate the date of deletion, if any.

read_only: Bool

Indicate that this rule is shared via the Orgs API and read only.

sharable: Bool

Indicate that this rule is sharable via the Orgs API.

source_account: String

Provide the account tag of the account that created the rule.

updated_at: Time
version: Int64

Indicate the version number of the rule (read-only).

warning_status: String

Indicate a warning for a misconfigured rule, if any.

cloudflare_zero_trust_gateway_policy

# Reference example that sets every documented attribute at once. The attribute
# descriptions restrict many rule_settings to specific rule types and actions, so
# this block illustrates syntax rather than one coherent, deployable policy: keep
# only the settings that apply to your filter and action.
resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
  account_id = "699d98642c564d2e855e9661899b7252"
  # NOTE(review): action is "allow" while name, description and block_reason
  # describe a block rule; make them agree in a real policy so the rule's effect
  # is not misread during review.
  action = "allow"
  name = "block bad websites"
  description = "Block bad websites based on their host name."
  # Wirefilter expression; the API reformats expressions, so copy the returned
  # form back into configuration to avoid drift.
  device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"
  enabled = true
  # expiration is documented as settable only for dns rules, while this example
  # uses filters = ["http"]; the sample expires_at is also in the past.
  expiration = {
    expires_at = "2014-01-01T05:20:20Z"
    duration = 10
  }
  # Documented as holding a single value.
  filters = ["http"]
  identity = "any(identity.groups.name[*] in {\"finance\"})"
  # Lower values are evaluated first.
  precedence = 0
  rule_settings = {
    # Documented for http rules with action allow. Values are kept in Terraform
    # state in plain text, so do not place secrets in header values.
    add_headers = {
      My-Next-Header = ["foo", "bar"]
      X-Custom-Header-Name = ["somecustomvalue"]
    }
    # MSP parent-side switch: true would let child accounts bypass this rule.
    allow_child_bypass = false
    # Documented for l4 rules with the audit_ssh action.
    audit_ssh = {
      command_logging = false
    }
    # With version = "v1" the descriptions say only the Bool flags (dcp, dd, dk,
    # dp, du) apply, and that false enables the capability, so true restricts it.
    # copy/download/keyboard/paste/printing/upload apply only when version == "v2".
    biso_admin_controls = {
      copy = "remote_only"
      dcp = true
      dd = true
      dk = true
      download = "enabled"
      dp = false
      du = true
      keyboard = "enabled"
      paste = "enabled"
      printing = "enabled"
      upload = "enabled"
      version = "v1"
    }
    # include_context passes context information to target_uri as query
    # parameters, so point target_uri only at a destination you control.
    block_page = {
      target_uri = "https://example.com"
      include_context = true
    }
    block_page_enabled = true
    block_reason = "This website is a security risk"
    # MSP child-side switch: true would bypass the parent account's rules.
    bypass_parent_rule = false
    # Documented for l4 and http rules with action allow.
    check_session = {
      duration = "300s"
      enforce = true
    }
    # The descriptions make dns_resolvers, resolve_dns_internally and
    # resolve_dns_through_cloudflare alternatives (valid only with action
    # 'resolve' on dns_resolver rules); a real rule sets one of them.
    dns_resolvers = {
      ipv4 = [{
        ip = "2.2.2.2"
        port = 5053
        # Must be set when vnet_id is set.
        route_through_private_network = true
        vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      }]
      ipv6 = [{
        ip = "2001:DB8::"
        port = 5053
        route_through_private_network = true
        vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      }]
    }
    # Documented as settable only for egress rules.
    egress = {
      ipv4 = "192.0.2.2"
      ipv4_fallback = "192.0.2.3"
      ipv6 = "2001:DB8::/64"
    }
    # Sends a copy of each matching HTTP request to storage. Such copies can
    # contain credentials and personal data; restrict access to that storage.
    forensic_copy = {
      enabled = true
    }
    ignore_cname_category_matches = true
    # Keep false: the attribute description marks disabling DNSSEC validation
    # as [INSECURE].
    insecure_disable_dnssec_validation = false
    ip_categories = true
    ip_indicator_feeds = true
    # Documented for l4 rules with action l4_override.
    # NOTE(review): port = 0 looks like a generated placeholder; set the real
    # destination port.
    l4override = {
      ip = "1.1.1.1"
      port = 0
    }
    # Documented for rules with action block. msg and support_url here are
    # placeholder strings, not usable values.
    notification_settings = {
      enabled = true
      include_context = true
      msg = "msg"
      support_url = "support_url"
    }
    # Documented for dns rules with action override.
    override_host = "example.com"
    override_ips = ["1.1.1.1", "2.2.2.2"]
    # DLP payload logging, documented for http rules. Presumably captures the
    # matched payload; treat access to these logs as sensitive.
    payload_log = {
      enabled = true
    }
    quarantine = {
      file_types = ["exe"]
    }
    # Documented for http rules with action redirect.
    redirect = {
      target_uri = "https://example.com"
      include_context = true
      preserve_path_and_query = true
    }
    resolve_dns_internally = {
      fallback = "none"
      view_id = "view_id"
    }
    resolve_dns_through_cloudflare = true
    # Documented for http rules with action allow; the documented default on an
    # untrusted upstream certificate is an error with HTTP code 526.
    untrusted_cert = {
      action = "error"
    }
  }
  # Documented for dns and dns_resolver rules. A day that is omitted leaves the
  # rule deactivated on that day. The API returns a formatted version of each
  # string, so use the returned form to avoid drift.
  schedule = {
    fri = "08:00-12:30,13:30-17:00"
    mon = "08:00-12:30,13:30-17:00"
    sat = "08:00-12:30,13:30-17:00"
    sun = "08:00-12:30,13:30-17:00"
    thu = "08:00-12:30,13:30-17:00"
    # When omitted, Gateway derives the time zone from the user's IP address.
    time_zone = "America/New York"
    tue = "08:00-12:30,13:30-17:00"
    wed = "08:00-12:30,13:30-17:00"
  }
  traffic = "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
}

data cloudflare_zero_trust_gateway_policy

required
rule_id: String

Identify the API resource with a UUID.

account_id: String
computed
id: String

Identify the API resource with a UUID.

action: String

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

created_at: Time
deleted_at: Time

Indicate the date of deletion, if any.

description: String

Specify the rule description.

device_posture: String

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

enabled: Bool

Specify whether the rule is enabled.

identity: String

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

name: String

Specify the rule name.

precedence: Int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

read_only: Bool

Indicate that this rule is shared via the Orgs API and read only.

sharable: Bool

Indicate that this rule is sharable via the Orgs API.

source_account: String

Provide the account tag of the account that created the rule.

traffic: String

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

updated_at: Time
version: Int64

Indicate the version number of the rule (read-only).

warning_status: String

Indicate a warning for a misconfigured rule, if any.

filters: List[String]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

expiration: Attributes

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

duration: Int64

Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

expired: Bool

Indicates whether the policy is expired.

rule_settings: Attributes

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers: Map[List[String]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass: Bool

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

audit_ssh: Attributes

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging: Bool

Enable SSH command logging.

biso_admin_controls: Attributes

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy: String

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

dcp: Bool

Set to false to enable copy-pasting. Only applies when version == "v1".

dd: Bool

Set to false to enable downloading. Only applies when version == "v1".

dk: Bool

Set to false to enable keyboard usage. Only applies when version == "v1".

download: String

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

dp: Bool

Set to false to enable printing. Only applies when version == "v1".

du: Bool

Set to false to enable uploading. Only applies when version == "v1".

keyboard: String

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

paste: String

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

printing: String

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

upload: String

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

version: String

Indicate which version of the browser isolation controls should apply.

block_page: Attributes

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

block_page_enabled: Bool

Enable the custom block page. Settable only for dns rules with action block.

block_reason: String

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

bypass_parent_rule: Bool

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session: Attributes

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration: String

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce: Bool

Enable session enforcement.

dns_resolvers: Attributes

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

ipv4: List[Attributes]
ip: String

Specify the IPv4 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6: List[Attributes]
ip: String

Specify the IPv6 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress: Attributes

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4: String

Specify the IPv4 address to use for egress.

ipv4_fallback: String

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6: String

Specify the IPv6 range to use for egress.

forensic_copy: Attributes

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled: Bool

Enable sending the copy to storage.

ignore_cname_category_matches: Bool

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation: Bool

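Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. With validation disabled, responses that fail DNSSEC checks are no longer rejected for matching queries, so a true value here deserves review. Settable only for dns rules.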

ip_categories: Bool

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds: Bool

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override: Attributes

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip: String

Defines the IPv4 or IPv6 address.

port: Int64

Defines a port number to use for TCP/UDP overrides.

notification_settings: Attributes

Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to block.

enabled: Bool

Enable notification.

include_context: Bool

Indicates whether to pass the context information as query parameters.

msg: String

Customize the message shown in the notification.

support_url: String

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host: String

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips: List[String]

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log: Attributes

Configure DLP payload logging. Settable only for http rules.

enabled: Bool

Enable DLP payload logging for this rule.

quarantine: Attributes

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types: List[String]

Specify the types of files to sandbox.

redirect: Attributes

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

preserve_path_and_query: Bool

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally: Attributes

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

fallback: String

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

view_id: String

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare: Bool

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert: Attributes

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action: String

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

schedule: Attributes

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri: String

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

mon: String

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sat: String

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sun: String

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

thu: String

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

time_zone: String

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue: String

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

wed: String

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

cloudflare_zero_trust_gateway_policy

# Reads one existing Gateway rule. Both arguments are listed as required:
# account_id selects the account and rule_id is the rule's UUID.
data "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
  account_id = "699d98642c564d2e855e9661899b7252"
  rule_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_gateway_policies

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

action: String

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

enabled: Bool

Specify whether the rule is enabled.

filters: List[String]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

name: String

Specify the rule name.

precedence: Int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

traffic: String

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

id: String

Identify the API resource with a UUID.

created_at: Time
deleted_at: Time

Indicate the date of deletion, if any.

description: String

Specify the rule description.

device_posture: String

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration: Attributes

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

duration: Int64

Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

expired: Bool

Indicates whether the policy is expired.

identity: String

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

read_only: Bool

Indicate that this rule is shared via the Orgs API and read only.

rule_settings: Attributes

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers: Map[List[String]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass: Bool

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

audit_ssh: Attributes

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging: Bool

Enable SSH command logging.

biso_admin_controls: Attributes

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy: String

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

dcp: Bool

Set to false to enable copy-pasting. Only applies when version == "v1".

dd: Bool

Set to false to enable downloading. Only applies when version == "v1".

dk: Bool

Set to false to enable keyboard usage. Only applies when version == "v1".

download: String

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

dp: Bool

Set to false to enable printing. Only applies when version == "v1".

du: Bool

Set to false to enable uploading. Only applies when version == "v1".

keyboard: String

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

paste: String

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

printing: String

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

upload: String

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

version: String

Indicate which version of the browser isolation controls should apply.

block_page: Attributes

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

block_page_enabled: Bool

Enable the custom block page. Settable only for dns rules with action block.

block_reason: String

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

bypass_parent_rule: Bool

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session: Attributes

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration: String

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce: Bool

Enable session enforcement.

dns_resolvers: Attributes

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

ipv4: List[Attributes]
ip: String

Specify the IPv4 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6: List[Attributes]
ip: String

Specify the IPv6 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress: Attributes

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4: String

Specify the IPv4 address to use for egress.

ipv4_fallback: String

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6: String

Specify the IPv6 range to use for egress.

forensic_copy: Attributes

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled: Bool

Enable sending the copy to storage.

ignore_cname_category_matches: Bool

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation: Bool

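Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. With validation disabled, answers to matching queries are accepted without DNSSEC verification, so scope such a rule as narrowly as possible. Settable only for dns rules.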

ip_categories: Bool

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds: Bool

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override: Attributes

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip: String

Defines the IPv4 or IPv6 address.

port: Int64

Defines a port number to use for TCP/UDP overrides.

notification_settings: Attributes

Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to block.

enabled: Bool

Enable notification.

include_context: Bool

Indicates whether to pass the context information as query parameters.

msg: String

Customize the message shown in the notification.

support_url: String

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host: String

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips: List[String]

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log: Attributes

Configure DLP payload logging. Settable only for http rules.

enabled: Bool

Enable DLP payload logging for this rule.

quarantine: Attributes

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types: List[String]

Specify the types of files to sandbox.

redirect: Attributes

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

preserve_path_and_query: Bool

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally: Attributes

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

fallback: String

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

view_id: String

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare: Bool

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert: Attributes

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action: String

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

schedule: Attributes

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri: String

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

mon: String

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sat: String

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sun: String

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

thu: String

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

time_zone: String

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue: String

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

wed: String

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sharable: Bool

Indicate that this rule is sharable via the Orgs API.

source_account: String

Provide the account tag of the account that created the rule.

updated_at: Time
version: Int64

Indicate the version number of the rule (read-only).

warning_status: String

Indicate a warning for a misconfigured rule, if any.

cloudflare_zero_trust_gateway_policies

# Reads the Gateway policies of one account; account_id is the only argument
# this example passes.
data "cloudflare_zero_trust_gateway_policies" "example_zero_trust_gateway_policies" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Gateway > Certificates

resource cloudflare_zero_trust_gateway_certificate

required Expand Collapse
account_id: String
optional Expand Collapse
validity_period_days?: Int64

Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). Important: This field is only settable during certificate creation. Certificates become immutable after creation - use the /activate and /deactivate endpoints to manage certificate lifecycle.

computed Expand Collapse
id: String

Identify the certificate with a UUID.

binding_status: String

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

certificate: String

Provide the CA certificate (read-only).

created_at: Time
expires_on: Time
fingerprint: String

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Bool

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: String

Indicate the organization that issued the certificate (read-only).

issuer_raw: String

Provide the entire issuer field of the certificate (read-only).

type: String

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

updated_at: Time
uploaded_on: Time

cloudflare_zero_trust_gateway_certificate

# Creates a Gateway certificate for the account. The certificate body,
# fingerprint, expires_on and in_use are computed, read-only attributes.
resource "cloudflare_zero_trust_gateway_certificate" "example_zero_trust_gateway_certificate" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"

  # Settable only at creation: the certificate is immutable afterwards, so
  # choose the validity period deliberately. Allowed range is 1-10,950 days;
  # 1,825 days applies when the attribute is omitted.
  validity_period_days = 1826
}

data cloudflare_zero_trust_gateway_certificate

required Expand Collapse
certificate_id: String

Identify the certificate with a UUID.

account_id: String
computed Expand Collapse
id: String

Identify the certificate with a UUID.

binding_status: String

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

certificate: String

Provide the CA certificate (read-only).

created_at: Time
expires_on: Time
fingerprint: String

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Bool

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: String

Indicate the organization that issued the certificate (read-only).

issuer_raw: String

Provide the entire issuer field of the certificate (read-only).

type: String

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

updated_at: Time
uploaded_on: Time

cloudflare_zero_trust_gateway_certificate

# Looks up one Gateway certificate by UUID. Both arguments are required; the
# result exposes read-only fields such as fingerprint (SHA256), expires_on,
# binding_status and in_use.
data "cloudflare_zero_trust_gateway_certificate" "example_zero_trust_gateway_certificate" {
  # Sample identifiers from the documentation; replace them with your own.
  account_id     = "699d98642c564d2e855e9661899b7252"
  certificate_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_gateway_certificates

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

Identify the certificate with a UUID.

binding_status: String

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

certificate: String

Provide the CA certificate (read-only).

created_at: Time
expires_on: Time
fingerprint: String

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Bool

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: String

Indicate the organization that issued the certificate (read-only).

issuer_raw: String

Provide the entire issuer field of the certificate (read-only).

type: String

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

updated_at: Time
uploaded_on: Time

cloudflare_zero_trust_gateway_certificates

# Lists the Gateway certificates of one account. max_items is not set here,
# so the documented default of 1000 items applies.
data "cloudflare_zero_trust_gateway_certificates" "example_zero_trust_gateway_certificates" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Gateway > Pacfiles

resource cloudflare_zero_trust_gateway_pacfile

required Expand Collapse
account_id: String
contents: String

Actual contents of the PAC file

name: String

Name of the PAC file.

optional Expand Collapse
slug?: String

URL-friendly version of the PAC file name. If not provided, it will be auto-generated

description?: String

Detailed description of the PAC file.

computed Expand Collapse
id: String
created_at: Time
updated_at: Time
url: String

Unique URL to download the PAC file.

cloudflare_zero_trust_gateway_pacfile

# Publishes a PAC file for the account. The download URL is returned in the
# computed `url` attribute.
resource "cloudflare_zero_trust_gateway_pacfile" "example_zero_trust_gateway_pacfile" {
  # Sample account ID from the documentation; replace it with your own.
  account_id  = "699d98642c564d2e855e9661899b7252"
  name        = "Devops team"
  description = "PAC file for Devops team"

  # Optional; auto-generated when omitted.
  slug = "pac_devops"

  # This sample function returns "DIRECT" for every URL, i.e. it tells the
  # client to use no proxy at all. Replace it with the real routing logic
  # before relying on the file to steer traffic.
  contents = "function FindProxyForURL(url, host) { return \"DIRECT\"; }"
}

data cloudflare_zero_trust_gateway_pacfile

required Expand Collapse
pacfile_id: String
account_id: String
computed Expand Collapse
id: String
contents: String

Actual contents of the PAC file

created_at: Time
description: String

Detailed description of the PAC file.

name: String

Name of the PAC file.

slug: String

URL-friendly version of the PAC file name.

updated_at: Time
url: String

Unique URL to download the PAC file.

cloudflare_zero_trust_gateway_pacfile

# Reads one PAC file by ID. Both arguments are required; the result includes
# the file's contents, slug and download url.
data "cloudflare_zero_trust_gateway_pacfile" "example_zero_trust_gateway_pacfile" {
  # Sample identifiers from the documentation; replace them with your own.
  pacfile_id = "ed35569b41ce4d1facfe683550f54086"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_gateway_pacfiles

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
description: String

Detailed description of the PAC file.

name: String

Name of the PAC file.

slug: String

URL-friendly version of the PAC file name.

updated_at: Time
url: String

Unique URL to download the PAC file.

cloudflare_zero_trust_gateway_pacfiles

# Lists the PAC files of one account. The documented result items carry
# metadata and the download url, but no `contents` field. max_items is not
# set, so the documented default of 1000 applies.
data "cloudflare_zero_trust_gateway_pacfiles" "example_zero_trust_gateway_pacfiles" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Networks > Routes

resource cloudflare_zero_trust_tunnel_cloudflared_route

required Expand Collapse
account_id: String

Cloudflare account ID

network: String

The private IPv4 or IPv6 range connected by the route, in CIDR notation.

tunnel_id: String

UUID of the tunnel.

optional Expand Collapse
comment?: String

Optional remark describing the route.

virtual_network_id?: String

UUID of the virtual network.

computed Expand Collapse
id: String

UUID of the route.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

cloudflare_zero_trust_tunnel_cloudflared_route

# Routes a private network range through a tunnel.
resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_zero_trust_tunnel_cloudflared_route" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"

  # Private IPv4 or IPv6 range in CIDR notation. Everything inside this range
  # becomes reachable through the tunnel, so keep it as narrow as the use
  # case allows.
  network = "172.16.0.0/16"

  # The tunnel UUID and the virtual network UUID identify different objects;
  # the example merely reuses one sample value for both.
  tunnel_id          = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  virtual_network_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"

  comment = "Example comment for this route."
}

data cloudflare_zero_trust_tunnel_cloudflared_route

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
route_id?: String

UUID of the route.

filter?: Attributes
comment?: String

Optional remark describing the route.

existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

is_deleted?: Bool

If true, only include deleted routes. If false, exclude deleted routes. If empty, all routes will be included.

network_subset?: String

If set, only list routes that are contained within this IP range.

network_superset?: String

If set, only list routes that contain this IP range.

tun_types?: List[String]

The types of tunnels to filter by, separated by commas.

tunnel_id?: String

UUID of the tunnel.

virtual_network_id?: String

UUID of the virtual network.

computed Expand Collapse
id: String

UUID of the route.

comment: String

Optional remark describing the route.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

network: String

The private IPv4 or IPv6 range connected by the route, in CIDR notation.

tunnel_id: String

UUID of the tunnel.

virtual_network_id: String

UUID of the virtual network.

cloudflare_zero_trust_tunnel_cloudflared_route

# Reads a single route. account_id is required; route_id is optional and is
# the selector this example uses (the schema also offers a `filter` attribute).
data "cloudflare_zero_trust_tunnel_cloudflared_route" "example_zero_trust_tunnel_cloudflared_route" {
  # Sample identifiers from the documentation; replace them with your own.
  route_id   = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_tunnel_cloudflared_routes

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

is_deleted?: Bool

If true, only include deleted routes. If false, exclude deleted routes. If empty, all routes will be included.

network_subset?: String

If set, only list routes that are contained within this IP range.

network_superset?: String

If set, only list routes that contain this IP range.

route_id?: String

UUID of the route.

tunnel_id?: String

UUID of the tunnel.

virtual_network_id?: String

UUID of the virtual network.

tun_types?: List[String]

The types of tunnels to filter by, separated by commas.

comment?: String

Optional remark describing the route.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID of the route.

comment: String

Optional remark describing the route.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

network: String

The private IPv4 or IPv6 range connected by the route, in CIDR notation.

tun_type: String

The type of tunnel.

tunnel_id: String

UUID of the tunnel.

tunnel_name: String

A user-friendly name for a tunnel.

virtual_network_id: String

UUID of the virtual network.

virtual_network_name: String

A user-friendly name for the virtual network.

cloudflare_zero_trust_tunnel_cloudflared_routes

# Lists routes of one account. The example sets every filter at once to show
# the syntax; a real query normally needs only a few of them.
data "cloudflare_zero_trust_tunnel_cloudflared_routes" "example_zero_trust_tunnel_cloudflared_routes" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"

  # Object selectors (sample UUIDs, identical only because this is an example).
  route_id           = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  tunnel_id          = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  virtual_network_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  tun_types          = ["cfd_tunnel"]

  # network_subset keeps routes contained within the range; network_superset
  # keeps routes that contain it.
  network_subset   = "172.16.0.0/16"
  network_superset = "172.16.0.0/16"

  # The timestamp is passed URL encoded.
  existed_at = "2019-10-12T07%3A20%3A50.52Z"

  # true returns ONLY deleted routes. For an inventory or audit of live
  # routes set this to false; omit it to get both.
  is_deleted = true
}

Zero Trust > Networks > Virtual Networks

resource cloudflare_zero_trust_tunnel_cloudflared_virtual_network

required Expand Collapse
account_id: String

Cloudflare account ID

name: String

A user-friendly name for the virtual network.

optional Expand Collapse
is_default?: Bool (deprecated)
Deprecated: use the is_default_network property instead.

If true, this virtual network is the default for the account.

comment?: String

Optional remark describing the virtual network.

is_default_network?: Bool

If true, this virtual network is the default for the account.

computed Expand Collapse
id: String

UUID of the virtual network.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

cloudflare_zero_trust_tunnel_cloudflared_virtual_network

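# Creates a virtual network for the account.
resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "example_zero_trust_tunnel_cloudflared_virtual_network" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "us-east-1-vpc"
  comment    = "Staging VPC for data science"

  # `is_default` is deprecated in favour of `is_default_network`, and both
  # describe the same flag. Only the replacement attribute is set here, so the
  # configuration cannot state two conflicting values for which network is the
  # account default.
  is_default_network = false
}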

data cloudflare_zero_trust_tunnel_cloudflared_virtual_network

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
virtual_network_id?: String

UUID of the virtual network.

filter?: Attributes
id?: String

UUID of the virtual network.

is_default?: Bool

If true, only include the default virtual network. If false, exclude the default virtual network. If empty, all virtual networks will be included.

is_default_network?: Bool

If true, only include the default virtual network. If false, exclude the default virtual network. If empty, all virtual networks will be included.

is_deleted?: Bool

If true, only include deleted virtual networks. If false, exclude deleted virtual networks. If empty, all virtual networks will be included.

name?: String

A user-friendly name for the virtual network.

computed Expand Collapse
id: String

UUID of the virtual network.

comment: String

Optional remark describing the virtual network.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

is_default_network: Bool

If true, this virtual network is the default for the account.

name: String

A user-friendly name for the virtual network.

cloudflare_zero_trust_tunnel_cloudflared_virtual_network

# Reads a single virtual network. account_id is required; virtual_network_id
# is optional and is the selector this example uses (the schema also offers a
# `filter` attribute).
data "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "example_zero_trust_tunnel_cloudflared_virtual_network" {
  # Sample identifiers from the documentation; replace them with your own.
  virtual_network_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id         = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_tunnel_cloudflared_virtual_networks

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
id?: String

UUID of the virtual network.

is_default?: Bool

If true, only include the default virtual network. If false, exclude the default virtual network. If empty, all virtual networks will be included.

is_default_network?: Bool

If true, only include the default virtual network. If false, exclude the default virtual network. If empty, all virtual networks will be included.

is_deleted?: Bool

If true, only include deleted virtual networks. If false, exclude deleted virtual networks. If empty, all virtual networks will be included.

name?: String

A user-friendly name for the virtual network.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID of the virtual network.

comment: String

Optional remark describing the virtual network.

created_at: Time

Timestamp of when the resource was created.

is_default_network: Bool

If true, this virtual network is the default for the account.

name: String

A user-friendly name for the virtual network.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

cloudflare_zero_trust_tunnel_cloudflared_virtual_networks

# Lists virtual networks of one account. The example sets every filter at once
# to show the syntax.
data "cloudflare_zero_trust_tunnel_cloudflared_virtual_networks" "example_zero_trust_tunnel_cloudflared_virtual_networks" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
  id         = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  name       = "us-east-1-vpc"

  # Both filters are documented with the same meaning: true keeps only the
  # default virtual network. NOTE(review): on the resource, is_default is
  # deprecated in favour of is_default_network; confirm whether that also
  # applies to this data source.
  is_default         = true
  is_default_network = true

  # true returns ONLY deleted virtual networks; use false to exclude them.
  is_deleted = true
}

Zero Trust > Networks > Subnets > WARP

resource cloudflare_zero_trust_device_subnet

required Expand Collapse
account_id: String

Cloudflare account ID

name: String

A user-friendly name for the subnet.

network: String

The private IPv4 or IPv6 range defining the subnet, in CIDR notation.

optional Expand Collapse
comment?: String

An optional description of the subnet.

is_default_network?: Bool

If true, this is the default subnet for the account. There can only be one default subnet per account.

computed Expand Collapse
id: String

The UUID of the subnet.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

subnet_type: String

The type of subnet.

cloudflare_zero_trust_device_subnet

# Defines a device subnet for the account.
resource "cloudflare_zero_trust_device_subnet" "example_zero_trust_device_subnet" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "IPv4 Cloudflare Source IPs"
  comment    = "example comment"

  # Private IPv4 or IPv6 range in CIDR notation.
  network = "100.64.0.0/12"

  # Only one subnet per account can be the default.
  is_default_network = true
}

data cloudflare_zero_trust_device_subnet

required Expand Collapse
subnet_id: String

The UUID of the subnet.

account_id: String

Cloudflare account ID

computed Expand Collapse
id: String

The UUID of the subnet.

comment: String

An optional description of the subnet.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

is_default_network: Bool

If true, this is the default subnet for the account. There can only be one default subnet per account.

name: String

A user-friendly name for the subnet.

network: String

The private IPv4 or IPv6 range defining the subnet, in CIDR notation.

subnet_type: String

The type of subnet.

cloudflare_zero_trust_device_subnet

# Reads one device subnet by UUID. Both arguments are required.
data "cloudflare_zero_trust_device_subnet" "example_zero_trust_device_subnet" {
  # Sample identifiers from the documentation; replace them with your own.
  subnet_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Networks > Hostname Routes

resource cloudflare_zero_trust_network_hostname_route

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
comment?: String

An optional description of the hostname route.

hostname?: String

The hostname of the route.

tunnel_id?: String

UUID of the tunnel.

computed Expand Collapse
id: String

The hostname route ID.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

tunnel_name: String

A user-friendly name for a tunnel.

cloudflare_zero_trust_network_hostname_route

# Creates a hostname route. Only account_id is required by the schema;
# hostname, tunnel_id and comment are optional.
resource "cloudflare_zero_trust_network_hostname_route" "example_zero_trust_network_hostname_route" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"

  # The hostname of the route and the tunnel it is associated with.
  hostname  = "office-1.local"
  tunnel_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"

  comment = "example comment"
}

data cloudflare_zero_trust_network_hostname_route

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
hostname_route_id?: String

The hostname route ID.

filter?: Attributes
id?: String

The hostname route ID.

comment?: String

If set, only list hostname routes with the given comment.

existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

hostname?: String

If set, only list hostname routes that contain a substring of the given value, the filter is case-insensitive.

is_deleted?: Bool

If true, only return deleted hostname routes. If false, exclude deleted hostname routes.

tunnel_id?: String

If set, only list hostname routes that point to a specific tunnel.

computed Expand Collapse
id: String

The hostname route ID.

comment: String

An optional description of the hostname route.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

hostname: String

The hostname of the route.

tunnel_id: String

UUID of the tunnel.

tunnel_name: String

A user-friendly name for a tunnel.

cloudflare_zero_trust_network_hostname_route

# Reads a single hostname route. account_id is required; hostname_route_id is
# optional and is the selector this example uses (the schema also offers a
# `filter` attribute).
data "cloudflare_zero_trust_network_hostname_route" "example_zero_trust_network_hostname_route" {
  # Sample identifiers from the documentation; replace them with your own.
  hostname_route_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id        = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_network_hostname_routes

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
comment?: String

If set, only list hostname routes with the given comment.

existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

hostname?: String

If set, only list hostname routes that contain a substring of the given value, the filter is case-insensitive.

id?: String

The hostname route ID.

tunnel_id?: String

If set, only list hostname routes that point to a specific tunnel.

is_deleted?: Bool

If true, only return deleted hostname routes. If false, exclude deleted hostname routes.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The hostname route ID.

comment: String

An optional description of the hostname route.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

hostname: String

The hostname of the route.

tunnel_id: String

UUID of the tunnel.

tunnel_name: String

A user-friendly name for a tunnel.

cloudflare_zero_trust_network_hostname_routes

# Lists hostname routes of one account, narrowed by the filters below.
data "cloudflare_zero_trust_network_hostname_routes" "example_zero_trust_network_hostname_routes" {
  # Sample account ID from the documentation; replace it with your own.
  account_id = "699d98642c564d2e855e9661899b7252"
  id         = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"

  # Case-insensitive substring filter on the route's hostname.
  hostname = "office-1.local"

  # existed_at is documented as URL encoded. NOTE(review): the comment value
  # is percent-encoded in this example too; the schema does not say whether
  # that is required, so confirm before copying it.
  comment    = "example%20comment"
  existed_at = "2019-10-12T07%3A20%3A50.52Z"
}

Zero Trust > Risk Scoring > Behaviours

resource cloudflare_zero_trust_risk_behavior

required Expand Collapse
account_id: String
behaviors: Map[Attributes]
enabled: Bool
risk_level: String

cloudflare_zero_trust_risk_behavior

# Configures risk behaviors for the account. `behaviors` is a map; each entry
# sets whether that behavior is enabled and which risk level it carries.
resource "cloudflare_zero_trust_risk_behavior" "example_zero_trust_risk_behavior" {
  # Placeholder string, not a real account ID; replace it with your own.
  account_id = "account_id"
  behaviors = {
    # "foo" is a placeholder map key. Presumably it has to be the name of an
    # actual risk behavior; verify the accepted keys before applying.
    foo = {
      enabled = true
      risk_level = "low"
    }
  }
}

data cloudflare_zero_trust_risk_behavior

required Expand Collapse
account_id: String
computed Expand Collapse
behaviors: Map[Attributes]
description: String
enabled: Bool
name: String
risk_level: String

cloudflare_zero_trust_risk_behavior

# Reads the risk behavior configuration of one account. account_id is the
# only argument.
data "cloudflare_zero_trust_risk_behavior" "example_zero_trust_risk_behavior" {
  # Placeholder string, not a real account ID; replace it with your own.
  account_id = "account_id"
}

Zero Trust > Risk Scoring > Integrations

resource cloudflare_zero_trust_risk_scoring_integration

required Expand Collapse
account_id: String
integration_type: String
tenant_url: String

The base url of the tenant, e.g. "https://tenant.okta.com".

optional Expand Collapse
active?: Bool

Whether this integration is enabled. If disabled, no risk changes will be exported to the third-party.

reference_id?: String

A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

computed Expand Collapse
id: String

The id of the integration, a UUIDv4.

account_tag: String

The Cloudflare account tag.

created_at: Time

When the integration was created in RFC3339 format.

well_known_url: String

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

cloudflare_zero_trust_risk_scoring_integration

# Registers a risk-scoring integration with a third-party tenant.
resource "cloudflare_zero_trust_risk_scoring_integration" "example_zero_trust_risk_scoring_integration" {
  # Placeholder string, not a real account ID; replace it with your own.
  account_id       = "account_id"
  integration_type = "Okta"

  # Base URL of the tenant that receives the exported risk changes, e.g.
  # "https://tenant.okta.com". Check that it points at the tenant you intend,
  # since risk data is exported to the third party while the integration is
  # enabled.
  tenant_url = "https://example.com"

  # Placeholder. The schema says this should currently be the Access-Okta IDP
  # ID (a UUIDv4).
  reference_id = "reference_id"

  # The optional `active` flag is not set in this example; when the
  # integration is disabled, no risk changes are exported.
}

data cloudflare_zero_trust_risk_scoring_integration

required Expand Collapse
integration_id: String
account_id: String
computed Expand Collapse
id: String
account_tag: String

The Cloudflare account tag.

active: Bool

Whether this integration is enabled and should export changes in risk score.

created_at: Time

When the integration was created in RFC3339 format.

integration_type: String
reference_id: String

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: String

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: String

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

cloudflare_zero_trust_risk_scoring_integration

# Looks up a single risk scoring integration by its ID. The computed `active`,
# `tenant_url` and `reference_id` attributes show whether risk score changes
# are being exported and to which tenant.
data "cloudflare_zero_trust_risk_scoring_integration" "example_zero_trust_risk_scoring_integration" {
  # Placeholder value: substitute the real Cloudflare account ID.
  account_id = "account_id"
  # Sample ID of the integration to read; the schema describes integration
  # IDs as UUIDv4 values.
  integration_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_risk_scoring_integrations

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Maximum number of items to fetch (default: 1000).

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The id of the integration, a UUIDv4.

account_tag: String

The Cloudflare account tag.

active: Bool

Whether this integration is enabled and should export changes in risk score.

created_at: Time

When the integration was created in RFC3339 format.

integration_type: String
reference_id: String

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: String

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: String

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

cloudflare_zero_trust_risk_scoring_integrations

# Lists the account's risk scoring integrations in the computed `result` list.
# Useful for auditing which tenants receive exported risk changes (see each
# item's `active` and `tenant_url`).
data "cloudflare_zero_trust_risk_scoring_integrations" "example_zero_trust_risk_scoring_integrations" {
  # Placeholder value: substitute the real Cloudflare account ID.
  account_id = "account_id"
  # `max_items` is omitted, so the documented default of 1000 applies.
}