
Access

AccessAI ControlsMcpPortals

resource cloudflare_zero_trust_access_ai_controls_mcp_portal

required Expand Collapse
id: String

portal id

account_id: String
hostname: String
name: String
optional Expand Collapse
description?: String
allow_code_mode?: Bool

Allow remote code execution in Dynamic Workers (beta)

secure_web_gateway?: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

servers?: List[Attributes]
server_id: String

server id

default_disabled?: Bool
on_behalf?: Bool
updated_prompts?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
updated_tools?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
computed Expand Collapse
created_at: Time
created_by: String
modified_at: Time
modified_by: String

cloudflare_zero_trust_access_ai_controls_mcp_portal

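# Example MCP portal that exposes one registered MCP server and overrides
# one prompt and one tool on it.
resource "cloudflare_zero_trust_access_ai_controls_mcp_portal" "example_zero_trust_access_ai_controls_mcp_portal" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  id = "my-mcp-portal"
  # Use a hostname you control. example.com is reserved for documentation;
  # a misspelled domain may belong to someone else.
  hostname = "example.com"
  name = "My MCP Portal"
  # Allows remote code execution in Dynamic Workers (beta). Shown enabled for
  # illustration; enable it only for portals that actually need code mode.
  allow_code_mode = true
  description = "This is my custom MCP Portal"
  # false: outbound MCP traffic is NOT routed through the Zero Trust Secure
  # Web Gateway. NOTE(review): presumably Gateway policy and logging then do
  # not see that traffic; confirm before copying this value.
  secure_web_gateway = false
  servers = [{
    # Must match the id of an MCP server registered in the same account.
    server_id = "my-mcp-server"
    default_disabled = true
    on_behalf = true
    # Per-prompt overrides: alias/description replace what the server
    # advertises, enabled toggles exposure through the portal.
    updated_prompts = [{
      name = "name"
      alias = "my-custom-alias"
      description = "description"
      enabled = true
    }]
    # Per-tool overrides, same shape as updated_prompts.
    updated_tools = [{
      name = "name"
      alias = "my-custom-alias"
      description = "description"
      enabled = true
    }]
  }]
}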

data cloudflare_zero_trust_access_ai_controls_mcp_portal

required Expand Collapse
account_id: String
optional Expand Collapse
id?: String

portal id

filter?: Attributes
computed Expand Collapse
allow_code_mode: Bool

Allow remote code execution in Dynamic Workers (beta)

created_at: Time
created_by: String
description: String
hostname: String
modified_at: Time
modified_by: String
name: String
secure_web_gateway: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

servers: List[Attributes]
id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
updated_prompts: Dynamic
updated_tools: Dynamic
created_at: Time
created_by: String
default_disabled: Bool
description: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
on_behalf: Bool
status: String

cloudflare_zero_trust_access_ai_controls_mcp_portal

# Reads a single MCP portal, selected by account and portal id.
# The computed attributes include allow_code_mode and secure_web_gateway,
# which makes this data source usable for auditing portal settings.
data "cloudflare_zero_trust_access_ai_controls_mcp_portal" "example_zero_trust_access_ai_controls_mcp_portal" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  id = "my-mcp-portal"
}

data cloudflare_zero_trust_access_ai_controls_mcp_portals

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

portal id

hostname: String
name: String
servers: List[Attributes]
id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
updated_prompts: Dynamic
updated_tools: Dynamic
created_at: Time
created_by: String
default_disabled: Bool
description: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
on_behalf: Bool
status: String
allow_code_mode: Bool

Allow remote code execution in Dynamic Workers (beta)

created_at: Time
created_by: String
description: String
modified_at: Time
modified_by: String
secure_web_gateway: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

cloudflare_zero_trust_access_ai_controls_mcp_portals

# Lists the MCP portals of an account.
data "cloudflare_zero_trust_access_ai_controls_mcp_portals" "example_zero_trust_access_ai_controls_mcp_portals" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  # NOTE(review): `search` is not among the arguments listed for this data
  # source on this page (only account_id and max_items are); confirm it is
  # accepted before relying on it.
  search = "search"
}

AccessAI ControlsMcpServers

resource cloudflare_zero_trust_access_ai_controls_mcp_server

required Expand Collapse
id: String

server id

account_id: String
auth_type: String
hostname: String
name: String
optional Expand Collapse
auth_credentials?: String
description?: String
computed Expand Collapse
created_at: Time
created_by: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
status: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]

cloudflare_zero_trust_access_ai_controls_mcp_server

# Registers a remote MCP server that portals can reference by its id.
resource "cloudflare_zero_trust_access_ai_controls_mcp_server" "example_zero_trust_access_ai_controls_mcp_server" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  id = "my-mcp-server"
  # NOTE(review): auth_type is "unauthenticated" while auth_credentials is
  # also set below; confirm which of the two is intended for a real server.
  auth_type = "unauthenticated"
  # Despite the attribute name, the example value is a full https:// URL.
  hostname = "https://example.com/mcp"
  name = "My MCP Server"
  # Secret material. A literal here lands in version control and the value is
  # stored in Terraform state; supply it from a sensitive variable or secret
  # store and restrict access to the state backend.
  auth_credentials = "auth_credentials"
  description = "This is one remote mcp server"
}

data cloudflare_zero_trust_access_ai_controls_mcp_server

required Expand Collapse
account_id: String
optional Expand Collapse
id?: String

server id

filter?: Attributes
computed Expand Collapse
auth_type: String
created_at: Time
created_by: String
description: String
error: String
hostname: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
name: String
status: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]

cloudflare_zero_trust_access_ai_controls_mcp_server

# Reads a single MCP server, selected by account and server id.
# Computed attributes include auth_type, status, error and the sync
# timestamps, which are the fields to check when reviewing a server.
data "cloudflare_zero_trust_access_ai_controls_mcp_server" "example_zero_trust_access_ai_controls_mcp_server" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  id = "my-mcp-server"
}

data cloudflare_zero_trust_access_ai_controls_mcp_servers

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
created_at: Time
created_by: String
description: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
status: String

cloudflare_zero_trust_access_ai_controls_mcp_servers

# Lists the MCP servers of an account.
data "cloudflare_zero_trust_access_ai_controls_mcp_servers" "example_zero_trust_access_ai_controls_mcp_servers" {
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
  # NOTE(review): `search` is not among the arguments listed for this data
  # source on this page (only account_id and max_items are); confirm it is
  # accepted before relying on it.
  search = "search"
}

AccessInfrastructureTargets

resource cloudflare_zero_trust_access_infrastructure_target

required Expand Collapse
account_id: String

Account identifier

hostname: String

A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4?: Attributes

The target's IPv4 address

ip_addr?: String

IP address of the target

virtual_network_id?: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6?: Attributes

The target's IPv6 address

ip_addr?: String

IP address of the target

virtual_network_id?: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

computed Expand Collapse
id: String

Target identifier

created_at: Time

Date and time at which the target was created

modified_at: Time

Date and time at which the target was modified

cloudflare_zero_trust_access_infrastructure_target

# Defines an infrastructure target: a hostname label plus the address(es)
# at which the target is reached.
resource "cloudflare_zero_trust_access_infrastructure_target" "example_zero_trust_access_infrastructure_target" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  # Non-unique, case-insensitive label (max 255 chars, no spaces).
  hostname = "infra-access-target"
  ip = {
    # Sample addresses only; replace with the target's real addresses.
    ipv4 = {
      ip_addr = "187.26.29.249"
      # Omit virtual_network_id to fall back to the default virtual network.
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
    }
    ipv6 = {
      ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
    }
  }
}

data cloudflare_zero_trust_access_infrastructure_target

required Expand Collapse
account_id: String

Account identifier

optional Expand Collapse
target_id?: String

Target identifier

filter?: Attributes
created_after?: Time

Date and time at which the target was created after (inclusive)

created_before?: Time

Date and time at which the target was created before (inclusive)

direction?: String

The sorting direction.

hostname?: String

Hostname of a target

hostname_contains?: String

Partial match to the hostname of a target

ip_like?: String

Filters for targets whose IP addresses look like the specified string. Supports * as a wildcard character

ip_v4?: String

IPv4 address of the target

ip_v6?: String

IPv6 address of the target

ips?: List[String]

Filters for targets that have any of the following IP addresses. Specify ips multiple times in query parameter to build list of candidates.

ipv4_end?: String

Defines an IPv4 filter range's ending value (inclusive). Requires ipv4_start to be specified as well.

ipv4_start?: String

Defines an IPv4 filter range's starting value (inclusive). Requires ipv4_end to be specified as well.

ipv6_end?: String

Defines an IPv6 filter range's ending value (inclusive). Requires ipv6_start to be specified as well.

ipv6_start?: String

Defines an IPv6 filter range's starting value (inclusive). Requires ipv6_end to be specified as well.

modified_after?: Time

Date and time at which the target was modified after (inclusive)

modified_before?: Time

Date and time at which the target was modified before (inclusive)

order?: String

The field to sort by.

target_ids?: List[String]

Filters for targets that have any of the following UUIDs. Specify target_ids multiple times in query parameter to build list of candidates.

virtual_network_id?: String

Private virtual network identifier of the target

computed Expand Collapse
id: String

Target identifier

created_at: Time

Date and time at which the target was created

hostname: String

A non-unique field that refers to a target

modified_at: Time

Date and time at which the target was modified

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4: Attributes

The target's IPv4 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6: Attributes

The target's IPv6 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

cloudflare_zero_trust_access_infrastructure_target

# Reads a single infrastructure target by its identifier.
data "cloudflare_zero_trust_access_infrastructure_target" "example_zero_trust_access_infrastructure_target" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  target_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_access_infrastructure_targets

required Expand Collapse
account_id: String

Account identifier

optional Expand Collapse
created_after?: Time

Date and time at which the target was created after (inclusive)

created_before?: Time

Date and time at which the target was created before (inclusive)

direction?: String

The sorting direction.

hostname?: String

Hostname of a target

hostname_contains?: String

Partial match to the hostname of a target

ip_like?: String

Filters for targets whose IP addresses look like the specified string. Supports * as a wildcard character

ip_v4?: String

IPv4 address of the target

ip_v6?: String

IPv6 address of the target

ipv4_end?: String

Defines an IPv4 filter range's ending value (inclusive). Requires ipv4_start to be specified as well.

ipv4_start?: String

Defines an IPv4 filter range's starting value (inclusive). Requires ipv4_end to be specified as well.

ipv6_end?: String

Defines an IPv6 filter range's ending value (inclusive). Requires ipv6_start to be specified as well.

ipv6_start?: String

Defines an IPv6 filter range's starting value (inclusive). Requires ipv6_end to be specified as well.

modified_after?: Time

Date and time at which the target was modified after (inclusive)

modified_before?: Time

Date and time at which the target was modified before (inclusive)

order?: String

The field to sort by.

virtual_network_id?: String

Private virtual network identifier of the target

ips?: List[String]

Filters for targets that have any of the following IP addresses. Specify ips multiple times in query parameter to build list of candidates.

target_ids?: List[String]

Filters for targets that have any of the following UUIDs. Specify target_ids multiple times in query parameter to build list of candidates.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

Target identifier

created_at: Time

Date and time at which the target was created

hostname: String

A non-unique field that refers to a target

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4: Attributes

The target's IPv4 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6: Attributes

The target's IPv6 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

modified_at: Time

Date and time at which the target was modified

cloudflare_zero_trust_access_infrastructure_targets

# Lists infrastructure targets. Every optional filter is shown with a
# placeholder value; a real query would set only the filters it needs.
data "cloudflare_zero_trust_access_infrastructure_targets" "example_zero_trust_access_infrastructure_targets" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  # Both creation bounds are inclusive.
  created_after = "2019-12-27T18:11:19.117Z"
  created_before = "2019-12-27T18:11:19.117Z"
  direction = "asc"
  hostname = "hostname"
  hostname_contains = "hostname_contains"
  # ip_like supports * as a wildcard character.
  ip_like = "ip_like"
  ip_v4 = "ip_v4"
  ip_v6 = "ip_v6"
  ips = ["string"]
  # Range filters come in pairs: ipv4_start requires ipv4_end and vice versa
  # (same for the ipv6 pair); both ends are inclusive.
  ipv4_end = "ipv4_end"
  ipv4_start = "ipv4_start"
  ipv6_end = "ipv6_end"
  ipv6_start = "ipv6_start"
  # Both modification bounds are inclusive.
  modified_after = "2019-12-27T18:11:19.117Z"
  modified_before = "2019-12-27T18:11:19.117Z"
  order = "hostname"
  target_ids = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  virtual_network_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

AccessApplicationsCAs

resource cloudflare_zero_trust_access_short_lived_certificate

required Expand Collapse
app_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificate

# Creates the short-lived-certificate CA for one Access application.
# The computed public_key is what gets added to the SSH server
# configuration; aud identifies the application associated with the CA.
resource "cloudflare_zero_trust_access_short_lived_certificate" "example_zero_trust_access_short_lived_certificate" {
  app_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  # Zone scope; account_id is the mutually exclusive alternative.
  zone_id = "zone_id"
}

data cloudflare_zero_trust_access_short_lived_certificate

required Expand Collapse
app_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificate

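# Reads the short-lived-certificate CA of one Access application.
data "cloudflare_zero_trust_access_short_lived_certificate" "example_zero_trust_access_short_lived_certificate" {
  app_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  # account_id and zone_id are mutually exclusive: set exactly one so the
  # scope being queried is unambiguous.
  account_id = "account_id"
  # zone_id = "zone_id"
}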

data cloudflare_zero_trust_access_short_lived_certificates

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the CA.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificates

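# Lists the short-lived-certificate CAs in one account or one zone.
data "cloudflare_zero_trust_access_short_lived_certificates" "example_zero_trust_access_short_lived_certificates" {
  # account_id and zone_id are mutually exclusive: set exactly one so the
  # scope being listed is unambiguous.
  account_id = "account_id"
  # zone_id = "zone_id"
}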

AccessCertificates

resource cloudflare_zero_trust_access_mtls_certificate

required Expand Collapse
certificate: String

The certificate content.

name: String

The name of the certificate.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

associated_hostnames?: List[String]

The hostnames of the applications that will use this certificate.

computed Expand Collapse
id: String

The ID of the application that will use this certificate.

created_at: Time
expires_on: Time
fingerprint: String

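The MD5 fingerprint of the certificate. MD5 is not collision-resistant, so treat this value as a lookup identifier rather than as proof that two certificates are the same.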

updated_at: Time

cloudflare_zero_trust_access_mtls_certificate

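# Uploads a certificate for mTLS and ties it to the hostnames that use it.
resource "cloudflare_zero_trust_access_mtls_certificate" "example_zero_trust_access_mtls_certificate" {
  # <<-EOT (indented heredoc) strips the common leading indentation, so the
  # PEM lines are sent without leading spaces; plain <<EOT would keep them.
  # Only certificate content belongs here, never a private key.
  certificate = <<-EOT
  -----BEGIN CERTIFICATE-----
  MIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10
  DrUtmu/B
  -----END CERTIFICATE-----
  EOT
  name = "Allow devs"
  # Zone scope; account_id is the mutually exclusive alternative.
  zone_id = "zone_id"
  # Hostnames of the applications that will use this certificate.
  associated_hostnames = ["admin.example.com"]
}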

data cloudflare_zero_trust_access_mtls_certificate

required Expand Collapse
certificate_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

created_at: Time
expires_on: Time
fingerprint: String

The MD5 fingerprint of the certificate.

name: String

The name of the certificate.

updated_at: Time
associated_hostnames: List[String]

The hostnames of the applications that will use this certificate.

cloudflare_zero_trust_access_mtls_certificate

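# Reads one mTLS certificate by its id.
data "cloudflare_zero_trust_access_mtls_certificate" "example_zero_trust_access_mtls_certificate" {
  certificate_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  # account_id and zone_id are mutually exclusive: set exactly one so the
  # scope being queried is unambiguous.
  account_id = "account_id"
  # zone_id = "zone_id"
}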

data cloudflare_zero_trust_access_mtls_certificates

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the application that will use this certificate.

associated_hostnames: List[String]

The hostnames of the applications that will use this certificate.

created_at: Time
expires_on: Time
fingerprint: String

The MD5 fingerprint of the certificate.

name: String

The name of the certificate.

updated_at: Time

cloudflare_zero_trust_access_mtls_certificates

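# Lists the mTLS certificates in one account or one zone. expires_on in the
# result is the field to watch for upcoming expiry.
data "cloudflare_zero_trust_access_mtls_certificates" "example_zero_trust_access_mtls_certificates" {
  # account_id and zone_id are mutually exclusive: set exactly one so the
  # scope being listed is unambiguous.
  account_id = "account_id"
  # zone_id = "zone_id"
}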

AccessCertificatesSettings

resource cloudflare_zero_trust_access_mtls_hostname_settings

required Expand Collapse
settings: List[Attributes]
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the visitor (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header, so that the origin can log it.

hostname: String

The hostname that these settings apply to.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the visitor (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header, so that the origin can log it.

hostname: String

The hostname that these settings apply to.

cloudflare_zero_trust_access_mtls_hostname_settings

# Per-hostname mTLS settings for one zone (or account).
resource "cloudflare_zero_trust_access_mtls_hostname_settings" "example_zero_trust_access_mtls_hostname_settings" {
  settings = [{
    # May only be true when the zone is China-network enabled.
    china_network = false
    # Forwards the client certificate to the origin as an HTTP header for
    # logging. NOTE(review): an origin that is reachable without passing
    # through the edge could receive a forged copy of that header; confirm
    # the origin only accepts traffic from the edge before trusting it.
    client_certificate_forwarding = true
    hostname = "admin.example.com"
  }]
  # Zone scope; account_id is the mutually exclusive alternative.
  zone_id = "zone_id"
}

data cloudflare_zero_trust_access_mtls_hostname_settings

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the visitor (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header, so that the origin can log it.

hostname: String

The hostname that these settings apply to.

cloudflare_zero_trust_access_mtls_hostname_settings

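# Reads the mTLS hostname settings of one account or one zone.
data "cloudflare_zero_trust_access_mtls_hostname_settings" "example_zero_trust_access_mtls_hostname_settings" {
  # account_id and zone_id are mutually exclusive: set exactly one so the
  # scope being queried is unambiguous.
  account_id = "account_id"
  # zone_id = "zone_id"
}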

AccessGroups

resource cloudflare_zero_trust_access_group

required Expand Collapse
name: String

The name of the Access group.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

is_default?: Bool

Whether this is the default group

exclude?: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

require?: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

computed Expand Collapse
id: String

UUID.

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_group

# Example Access group showing all three rule lists:
#   include - OR:  a user needs to meet only one rule
#   exclude - NOT: a user must meet none of the rules
#   require - AND: a user must meet all of the rules
# NOTE(review): the same group id is used in include and exclude, so as
# written no user can satisfy this group. The values only illustrate the
# shape; use distinct rules in a real configuration.
resource "cloudflare_zero_trust_access_group" "example_zero_trust_access_group" {
  include = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
  name = "Allow devs"
  # Zone scope; account_id is the mutually exclusive alternative.
  zone_id = "zone_id"
  exclude = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
  # Marks this as the default group; this page does not describe what the
  # default group is applied to, so confirm before setting it.
  is_default = true
  require = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]
}

data cloudflare_zero_trust_access_group

optional Expand Collapse
group_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
name?: String

The name of the group.

computed Expand Collapse
id: String

UUID.

created_at: Time
name: String

The name of the Access group.

updated_at: Time
exclude: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

is_default: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

require: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_zero_trust_access_group

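# Look up a single Access group by its UUID.
data "cloudflare_zero_trust_access_group" "example_zero_trust_access_group" {
  group_id   = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "account_id" # placeholder

  # account_id and zone_id are mutually exclusive; set only one of them.
  # zone_id = "zone_id"
}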

data cloudflare_zero_trust_access_groups

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

name?: String

The name of the group.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID.

created_at: Time
exclude: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

is_default: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

name: String

The name of the Access group.

require: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

updated_at: Time

cloudflare_zero_trust_access_groups

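# List Access groups in one scope, optionally filtered by name.
data "cloudflare_zero_trust_access_groups" "example_zero_trust_access_groups" {
  account_id = "account_id" # placeholder

  # account_id and zone_id are mutually exclusive; set only one of them.
  # zone_id = "zone_id"

  name = "name"

  # NOTE(review): search is not listed in the attribute reference on this
  # page; confirm it against the provider version in use.
  search = "search"
}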

AccessService Tokens

resource cloudflare_zero_trust_access_service_token

required Expand Collapse
name: String

The name of the service token.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

previous_client_secret_expires_at?: Time

The expiration of the previous client_secret. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

client_secret_version?: Float64

A version number identifying the current client_secret associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by previous_client_secret_expires_at.

duration?: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

computed Expand Collapse
id: String

The ID of the service token.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

client_secret: String

The Client Secret for the service token. Access will check for this value in the CF-Access-Client-Secret request header.

created_at: Time
expires_at: Time
last_seen_at: Time
updated_at: Time

cloudflare_zero_trust_access_service_token

# Service token for a non-interactive client. Access checks the computed
# client_id and client_secret in the CF-Access-Client-ID and
# CF-Access-Client-Secret request headers.
# Terraform persists computed attributes, client_secret included, in state:
# restrict access to the state backend and encrypt it like any other
# credential store.
resource "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" {
  name     = "CI/CD token"
  zone_id  = "zone_id" # placeholder; mutually exclusive with account_id
  duration = "60m"     # token validity; the documented default is 8760h

  # Incrementing this version triggers a rotation of client_secret.
  client_secret_version = 0

  # The previous secret stays accepted until this time; a timestamp in the
  # past invalidates it immediately.
  previous_client_secret_expires_at = "2014-01-01T05:20:00.12345Z"
}

data cloudflare_zero_trust_access_service_token

optional Expand Collapse
service_token_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
name?: String

The name of the service token.

computed Expand Collapse
id: String

UUID.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

created_at: Time
duration: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: Time
last_seen_at: Time
name: String

The name of the service token.

updated_at: Time

cloudflare_zero_trust_access_service_token

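# Read the metadata of one service token by its UUID. The computed attributes
# listed for this data source include client_id but not client_secret.
data "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" {
  service_token_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id       = "account_id" # placeholder

  # account_id and zone_id are mutually exclusive; set only one of them.
  # zone_id = "zone_id"
}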

data cloudflare_zero_trust_access_service_tokens

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

name?: String

The name of the service token.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the service token.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

created_at: Time
duration: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: Time
last_seen_at: Time
name: String

The name of the service token.

updated_at: Time

cloudflare_zero_trust_access_service_tokens

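# List service tokens in one scope. Each result carries client_id, duration,
# expires_at and last_seen_at but no client_secret, which makes the list
# usable for reviewing token lifetimes without exposing credentials.
data "cloudflare_zero_trust_access_service_tokens" "example_zero_trust_access_service_tokens" {
  account_id = "account_id" # placeholder

  # account_id and zone_id are mutually exclusive; set only one of them.
  # zone_id = "zone_id"

  name = "name"

  # NOTE(review): search is not listed in the attribute reference on this
  # page; confirm it against the provider version in use.
  search = "search"
}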

AccessKeys

resource cloudflare_zero_trust_access_key_configuration

required Expand Collapse
account_id: String

Identifier.

key_rotation_interval_days: Float64

The number of days between key rotations.

computed Expand Collapse
id: String

Identifier.

days_until_next_rotation: Float64

The number of days until the next key rotation.

last_key_rotation_at: Time

The timestamp of the previous key rotation.

cloudflare_zero_trust_access_key_configuration

# Configure the Access key rotation interval for an account.
resource "cloudflare_zero_trust_access_key_configuration" "example_zero_trust_access_key_configuration" {
  key_rotation_interval_days = 30 # number of days between key rotations
  account_id                 = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_key_configuration

required Expand Collapse
account_id: String

Identifier.

computed Expand Collapse
id: String

Identifier.

days_until_next_rotation: Float64

The number of days until the next key rotation.

key_rotation_interval_days: Float64

The number of days between key rotations.

last_key_rotation_at: Time

The timestamp of the previous key rotation.

cloudflare_zero_trust_access_key_configuration

# Read an account's key rotation settings. The computed attributes expose
# key_rotation_interval_days, days_until_next_rotation and
# last_key_rotation_at, which can be used to check the rotation schedule.
data "cloudflare_zero_trust_access_key_configuration" "example_zero_trust_access_key_configuration" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

AccessCustom Pages

resource cloudflare_zero_trust_access_custom_page

required Expand Collapse
account_id: String

Identifier.

custom_html: String

Custom page HTML.

name: String

Custom page name.

type: String

Custom page type.

optional Expand Collapse
app_count?: Int64

Number of apps the custom page is assigned to.

computed Expand Collapse
id: String

UUID.

uid: String

UUID.

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_custom_page

# Define a custom Access page from inline HTML.
resource "cloudflare_zero_trust_access_custom_page" "example_zero_trust_access_custom_page" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name       = "name"
  type       = "identity_denied" # presumably the page shown when an identity is denied; confirm

  # Keep the markup free of internal hostnames or other detail that should
  # not reach someone who was refused access.
  custom_html = "<html><body><h1>Access Denied</h1></body></html>"
}

data cloudflare_zero_trust_access_custom_page

required Expand Collapse
custom_page_id: String

UUID.

account_id: String

Identifier.

computed Expand Collapse
id: String

UUID.

app_count: Int64

Number of apps the custom page is assigned to.

created_at: Time
custom_html: String

Custom page HTML.

name: String

Custom page name.

type: String

Custom page type.

uid: String

UUID.

updated_at: Time

cloudflare_zero_trust_access_custom_page

# Fetch one custom page by its UUID; the computed attributes include the
# page's custom_html.
data "cloudflare_zero_trust_access_custom_page" "example_zero_trust_access_custom_page" {
  custom_page_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id     = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_custom_pages

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID.

name: String

Custom page name.

type: String

Custom page type.

app_count: Int64

Number of apps the custom page is assigned to.

created_at: Time
uid: String

UUID.

updated_at: Time

cloudflare_zero_trust_access_custom_pages

# List the custom pages of an account (max_items defaults to 1000). The
# listed result attributes are id, uid, name, type, app_count and timestamps;
# custom_html is not among them.
data "cloudflare_zero_trust_access_custom_pages" "example_zero_trust_access_custom_pages" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

AccessTags

resource cloudflare_zero_trust_access_tag

required Expand Collapse
name: String

The name of the tag

account_id: String

Identifier.

computed Expand Collapse
id: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_tag

# Create an Access tag. The computed id is documented as the tag name, and
# app_count reports how many applications carry the tag.
resource "cloudflare_zero_trust_access_tag" "example_zero_trust_access_tag" {
  name       = "engineers"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_tag

required Expand Collapse
tag_name: String

The name of the tag

account_id: String

Identifier.

computed Expand Collapse
id: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
name: String

The name of the tag

updated_at: Time

cloudflare_zero_trust_access_tag

# Look up a single tag by name; app_count reports how many applications carry it.
data "cloudflare_zero_trust_access_tag" "example_zero_trust_access_tag" {
  tag_name   = "engineers"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_tags

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The name of the tag

name: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_tags

# List the tags of an account. max_items is not set, so the documented default
# of 1000 items applies.
data "cloudflare_zero_trust_access_tags" "example_zero_trust_access_tags" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

AccessPolicies

resource cloudflare_zero_trust_access_policy

required Expand Collapse
account_id: String

Identifier.

decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

name: String

The name of the Access policy.

optional Expand Collapse
approval_required?: Bool

Requires the user to request access from an administrator at the start of each session.

isolation_required?: Bool

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

purpose_justification_prompt?: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required?: Bool

Require users to enter a justification when they log in to the application.

approval_groups?: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses?: List[String]

A list of emails that can approve the access request.

email_list_uuid?: String

The UUID of a reusable email list.

connection_rules?: Attributes

The rules that define how users may connect to targets secured by your application.

rdp?: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats?: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats?: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

mfa_config?: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators?: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled?: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration?: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

session_duration?: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

exclude?: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include?: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

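An empty object which matches on all service tokens. Because Include rules are ORed, this lets any valid service token satisfy Include; use service_token with a specific token_id when only one client should match.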

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

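An empty object which matches on all users. Because Include rules are ORed, adding this to Include makes the policy match every user unless Require or Exclude rules narrow it.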

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

require?: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

computed Expand Collapse
id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

created_at: Time
reusable: Bool
updated_at: Time

cloudflare_zero_trust_access_policy

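# Access policy example covering rule sets, approvals, MFA, RDP clipboard rules
# and session lifetime.
resource "cloudflare_zero_trust_access_policy" "example_zero_trust_access_policy" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name       = "Allow devs"
  decision   = "allow"

  # Include rules are ORed: meeting any one of them makes the user a candidate.
  include = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]

  # Require rules are ANDed: the user must also meet every one of them.
  # Requiring the group that is already included is redundant but harmless.
  require = [{
    group = {
      id = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
    }
  }]

  # Exclude rules act as a NOT: meeting any of them keeps the user out of the
  # policy. This must be a different group from the one in include; excluding
  # the included group would leave a policy that no user can ever match.
  exclude = [{
    group = {
      id = "<excluded-access-group-uuid>" # placeholder: replace with a real group UUID
    }
  }]

  # Users must request access from an administrator at the start of each session.
  approval_required = true
  approval_groups = [{
    approvals_needed = 1
    email_addresses  = ["test1@cloudflare.com", "test2@cloudflare.com"]
    email_list_uuid  = "email_list_uuid" # placeholder, not a real UUID
    }, {
    # NOTE(review): three approvals are needed but only two addresses are listed
    # inline; presumably the email list supplies the remaining approvers - confirm.
    approvals_needed = 3
    email_addresses  = ["test@cloudflare.com", "test2@cloudflare.com"]
    email_list_uuid  = "597147a1-976b-4ef2-9af0-81d5d007fc34"
  }]

  # Users must enter a justification when they log in.
  purpose_justification_required = true
  purpose_justification_prompt   = "Please enter a justification for entering this protected domain."

  mfa_config = {
    # MFA stays enforced; setting mfa_disabled = true turns it off for this policy.
    mfa_disabled = false
    # security_key and biometrics are phishing-resistant; totp codes can be relayed
    # by a phishing page, so drop "totp" where the stronger methods are available.
    allowed_authenticators = ["totp", "biometrics", "security_key"]
    # Lifetime of an MFA session (minutes or hours, at most 720h).
    session_duration = "24h"
  }

  connection_rules = {
    rdp = {
      # Clipboard formats allowed in each direction. Remote-to-local is the
      # direction in which data leaves the RDP target, so list only what is needed.
      allowed_clipboard_local_to_remote_formats = ["text"]
      allowed_clipboard_remote_to_local_formats = ["text"]
    }
  }

  # Browser isolation is not required for users matching this policy.
  isolation_required = false

  # Validity period of tokens issued for the application.
  session_duration = "24h"
}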

data cloudflare_zero_trust_access_policy

required Expand Collapse
policy_id: String

The UUID of the policy

account_id: String

Identifier.

computed Expand Collapse
id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

approval_required: Bool

Requires the user to request access from an administrator at the start of each session.

created_at: Time
decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

isolation_required: Bool

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

name: String

The name of the Access policy.

purpose_justification_prompt: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Bool

Require users to enter a justification when they log in to the application.

reusable: Bool
session_duration: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: Time
approval_groups: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses: List[String]

A list of emails that can approve the access request.

email_list_uuid: String

The UUID of a reusable email list.

connection_rules: Attributes

The rules that define how users may connect to targets secured by your application.

rdp: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

exclude: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

require: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_zero_trust_access_policy

# Look up a single Access policy by UUID. The computed attributes expose its
# include, require and exclude rule sets and its mfa_config for inspection.
data "cloudflare_zero_trust_access_policy" "example_zero_trust_access_policy" {
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_policies

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

approval_groups: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses: List[String]

A list of emails that can approve the access request.

email_list_uuid: String

The UUID of a reusable email list.

approval_required: Bool

Requires the user to request access from an administrator at the start of each session.

connection_rules: Attributes

The rules that define how users may connect to targets secured by your application.

rdp: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

created_at: Time
decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

exclude: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

include: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

isolation_required: Bool

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

name: String

The name of the Access policy.

purpose_justification_prompt: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Bool

Require users to enter a justification when they log in to the application.

require: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

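An empty object which matches on all users. Under require, where a user must meet every rule, this rule is met by any user and so does not narrow who matches the policy.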

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team.

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application.

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

reusable: Bool
session_duration: String

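The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. This is a different setting from the session_duration under mfa_config, which accepts only minutes (m) or hours (h).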

updated_at: Time

cloudflare_zero_trust_access_policies

# Looks up the Access policies of a single Cloudflare account.
# account_id is the only argument set here; the value is the documentation's sample ID.
# The result carries each policy's rules (emails, IP ranges, identity provider IDs),
# so handle plan and state output accordingly.
data "cloudflare_zero_trust_access_policies" "example_zero_trust_access_policies" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}