
Devices

Devices > DEX Tests

resource cloudflare_zero_trust_dex_test

required Expand Collapse
account_id: String
enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method?: String

The HTTP request method type.

optional Expand Collapse
description?: String

Additional details about the test.

target_policies?: List[Attributes]

DEX rules targeted by this test

id: String

API Resource UUID tag.

default: Bool

Whether the DEX rule is the account default

name: String

The name of the DEX rule

computed Expand Collapse
id: String

The unique identifier for the test.

test_id: String

The unique identifier for the test.

targeted: Bool

cloudflare_zero_trust_dex_test

# DEX synthetic test: the WARP client conducts the request described in
# `data`, repeating it at the configured interval.
resource "cloudflare_zero_trust_dex_test" "example_zero_trust_dex_test" {
  account_id  = "01a7362d577a6c3019a474fd6f485823"
  name        = "HTTP dash health check" # must be unique
  description = "Checks the dash endpoint every 30 minutes"
  enabled     = true
  interval    = "30m"

  # Endpoint and request type for the test. Keep credentials and tokens out
  # of `host`: the value is stored in Terraform state in clear text.
  data = {
    kind   = "http"
    method = "GET"
    host   = "https://dash.cloudflare.com"
  }

  # DEX rules targeted by this test; `id` is the rule's API resource UUID.
  target_policies = [{
    id      = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    name    = "name"
    default = true
  }]
}

data cloudflare_zero_trust_dex_test

required Expand Collapse
account_id: String
optional Expand Collapse
dex_test_id?: String

The unique identifier for the test.

filter?: Attributes
kind?: String

Filter by test type

test_name?: String

Filter by test name

computed Expand Collapse
id: String

The unique identifier for the test.

description: String

Additional details about the test.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

targeted: Bool
test_id: String

The unique identifier for the test.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

target_policies: List[Attributes]

DEX rules targeted by this test

id: String

API Resource UUID tag.

default: Bool

Whether the DEX rule is the account default

name: String

The name of the DEX rule

cloudflare_zero_trust_dex_test

# Reads one DEX test. dex_test_id is optional in the argument reference,
# which also lists a `filter` (kind, test_name) as a way to select the test.
data "cloudflare_zero_trust_dex_test" "example_zero_trust_dex_test" {
  account_id  = "01a7362d577a6c3019a474fd6f485823"
  dex_test_id = "372e67954025e0ba6aaa6d586b9e0b59"
}

data cloudflare_zero_trust_dex_tests

required Expand Collapse
account_id: String
optional Expand Collapse
kind?: String

Filter by test type

test_name?: String

Filter by test name

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier for the test.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

description: String

Additional details about the test.

target_policies: List[Attributes]

DEX rules targeted by this test

id: String

API Resource UUID tag.

default: Bool

Whether the DEX rule is the account default

name: String

The name of the DEX rule

targeted: Bool
test_id: String

The unique identifier for the test.

cloudflare_zero_trust_dex_tests

# Lists the account's DEX tests, narrowed by test type and test name.
# max_items is not set here, so the documented default of 1000 applies.
data "cloudflare_zero_trust_dex_tests" "example_zero_trust_dex_tests" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  test_name  = "testName"
  kind       = "http"
}

Devices > IP Profiles

resource cloudflare_zero_trust_device_ip_profile

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

optional Expand Collapse
description?: String

An optional description of the Device IP profile.

enabled?: Bool

Whether the Device IP profile will be applied to matching devices.

computed Expand Collapse
id: String

The ID of the Device IP profile.

created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profile

# Device IP profile: registrations matching `match` are associated with the
# subnet given by subnet_id.
resource "cloudflare_zero_trust_device_ip_profile" "example_zero_trust_device_ip_profile" {
  account_id  = "account_id" # placeholder; substitute the real account ID
  name        = "IPv4 Cloudflare Source IPs"
  description = "example comment"
  enabled     = true
  subnet_id   = "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415"

  # Wirefilter expression over the identity.* selectors listed in the
  # argument reference.
  match = "identity.email == \"test@cloudflare.com\""

  # Profiles are evaluated in ascending order, so a lower number has higher
  # precedence. Review the ordering whenever a broader match is added.
  precedence = 100
}

data cloudflare_zero_trust_device_ip_profile

required Expand Collapse
account_id: String
optional Expand Collapse
profile_id?: String
filter?: Attributes
per_page?: Int64

The number of IP profiles to return per page.

computed Expand Collapse
id: String
created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

description: String

An optional description of the Device IP profile.

enabled: Bool

Whether the Device IP profile is enabled.

match: String

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profile

# Reads a single Device IP profile selected by profile_id (optional in the
# argument reference, which also lists a `filter`). Both values below are
# placeholders for the real identifiers.
data "cloudflare_zero_trust_device_ip_profile" "example_zero_trust_device_ip_profile" {
  account_id = "account_id"
  profile_id = "profile_id"
}

data cloudflare_zero_trust_device_ip_profiles

required Expand Collapse
account_id: String
optional Expand Collapse
per_page?: Int64

The number of IP profiles to return per page.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the Device IP profile.

created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

description: String

An optional description of the Device IP profile.

enabled: Bool

Whether the Device IP profile is enabled.

match: String

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profiles

# Lists the account's Device IP profiles. per_page and max_items are left
# unset; max_items defaults to 1000 per the argument reference.
# "account_id" is a placeholder for the real account identifier.
data "cloudflare_zero_trust_device_ip_profiles" "example_zero_trust_device_ip_profiles" {
  account_id = "account_id"
}

Devices > Networks

resource cloudflare_zero_trust_device_managed_networks

required Expand Collapse
account_id: String
name: String

The name of the device managed network. This name must be unique.

type: String

The type of device managed network.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

sha256?: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

computed Expand Collapse
id: String

API UUID.

network_id: String

API UUID.

cloudflare_zero_trust_device_managed_networks

# Managed network that the WARP client detects by contacting a TLS host.
#
# NOTE(review): the custom profile `match` expression accepts a "network"
# selector, so detection presumably influences which device profile applies.
# Keep the TLS host reachable only from inside the network it identifies -
# confirm against the deployment.
resource "cloudflare_zero_trust_device_managed_networks" "example_zero_trust_device_managed_networks" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "managed-network-1" # must be unique
  type       = "tls"

  config = {
    # "host:port" of the TLS host used for detection.
    tls_sockaddr = "foo.bar:1234"

    # SHA-256 hash of the certificate that host presents. When omitted,
    # regular certificate verification (trusted roots, valid timestamp) is
    # used instead. Update this value whenever the certificate is replaced.
    sha256 = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
  }
}

data cloudflare_zero_trust_device_managed_networks

required Expand Collapse
network_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

name: String

The name of the device managed network. This name must be unique.

type: String

The type of device managed network.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

sha256: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

cloudflare_zero_trust_device_managed_networks

# Reads one managed network by its API UUID. The computed `config` exposes
# tls_sockaddr and the sha256 certificate hash, which lets a plan or policy
# check confirm that the hash is still set.
data "cloudflare_zero_trust_device_managed_networks" "example_zero_trust_device_managed_networks" {
  account_id = "699d98642c564d2e855e9661899b7252"
  network_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_managed_networks_list

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

sha256: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

name: String

The name of the device managed network. This name must be unique.

network_id: String

API UUID.

type: String

The type of device managed network.

cloudflare_zero_trust_device_managed_networks_list

# Lists every managed network in the account (max_items defaults to 1000 per
# the argument reference). Each result carries its `config`, including the
# optional sha256 certificate hash.
data "cloudflare_zero_trust_device_managed_networks_list" "example_zero_trust_device_managed_networks_list" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Policies > Default

resource cloudflare_zero_trust_device_default_profile

required Expand Collapse
account_id: String
optional Expand Collapse
lan_allow_minutes?: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

allow_mode_switch?: Bool

Whether to allow the user to switch WARP between modes.

allow_updates?: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: Bool

Whether to allow devices to leave the organization.

auto_connect?: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: Float64

Turn on the captive portal after the specified amount of time.

disable_auto_fallback?: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

exclude_office_ips?: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

register_interface_ip_with_dns?: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url?: String

The URL to launch when the Send Feedback button is clicked.

switch_locked?: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol?: String

Determines which tunnel protocol to use.

exclude?: List[Attributes]

List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

include?: List[Attributes]

List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2?: Attributes
mode?: String

The mode to run the WARP client under.

port?: Float64

The port number when used with proxy mode.

computed Expand Collapse
id: String
default: Bool

Whether the policy is the default policy for an account.

enabled: Bool

Whether the policy will be applied to matching devices.

gateway_unique_id: String
fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_default_profile

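# Account default WARP device settings profile.
#
# The argument reference states that 'exclude' and 'include' cannot be set in
# the same request, so this example configures a single Split Tunnel list
# ('exclude') and shows 'include' only as a commented alternative.
resource "cloudflare_zero_trust_device_default_profile" "example_zero_trust_device_default_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # User-facing client controls.
  # NOTE(review): the attribute name suggests switch_locked = true stops the
  # user from turning WARP off, while the argument description is worded the
  # other way round - confirm the effective behaviour before rollout.
  switch_locked     = true
  allow_mode_switch = true
  allow_updates     = true
  allowed_to_leave  = true # devices are allowed to leave the organization
  auto_connect      = 0
  captive_portal    = 180
  support_url       = "https://1.1.1.1/help"

  # Tunnel settings.
  tunnel_protocol = "wireguard"
  service_mode_v2 = {
    mode = "proxy"
    port = 3000 # port number used with proxy mode
  }

  # Split Tunnel: routes listed here are excluded from the WARP tunnel, so
  # keep the list as narrow as the use case allows.
  exclude = [{
    address     = "192.0.2.0/24"
    description = "Exclude testing domains from the tunnel"
  }]
  exclude_office_ips = true # also adds Microsoft IPs to the exclusions

  # Alternative: to list the routes that are included in the tunnel instead,
  # remove 'exclude' above and set:
  # include = [{
  #   address     = "192.0.2.0/24"
  #   description = "Include testing domains in the tunnel"
  # }]

  # Time in minutes a user is allowed access to their LAN. A value of 0 would
  # allow LAN access until the next WARP reconnection.
  lan_allow_minutes     = 30
  lan_allow_subnet_size = 24

  # DNS behaviour. With disable_auto_fallback = true, a fallback domain that
  # has no dns_server does not fall back to the default/system resolvers.
  disable_auto_fallback          = true
  register_interface_ip_with_dns = true

  sccm_vpn_boundary_support = false # Windows only
}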

data cloudflare_zero_trust_device_default_profile

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

gateway_unique_id: String
register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: String

Determines which tunnel protocol to use.

exclude: List[Attributes]

List of routes excluded in the WARP client's tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

include: List[Attributes]

List of routes included in the WARP client's tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

cloudflare_zero_trust_device_default_profile

# Reads the account's default device profile. Its computed attributes (for
# example switch_locked, allowed_to_leave, exclude, include and
# fallback_domains) can be used to audit the settings currently in effect.
data "cloudflare_zero_trust_device_default_profile" "example_zero_trust_device_default_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Policies > Default > Fallback Domains

resource cloudflare_zero_trust_device_default_profile_local_domain_fallback

required Expand Collapse
account_id: String
domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description?: String

A description of the fallback domain, displayed in the client UI.

dns_server?: List[String]

A list of IP addresses to handle domain resolution.

computed Expand Collapse
id: String

cloudflare_zero_trust_device_default_profile_local_domain_fallback

# Local Domain Fallback list for the default device profile.
#
# NOTE(review): names under a listed suffix are resolved locally by the given
# dns_server addresses, so they presumably do not pass through any DNS
# filtering or logging applied to other queries - confirm, and keep the list
# limited to suffixes that need local resolution.
resource "cloudflare_zero_trust_device_default_profile_local_domain_fallback" "example_zero_trust_device_default_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"

  domains = [{
    suffix      = "example.com"                         # domain suffix to match
    dns_server  = ["1.1.1.1"]                           # IP addresses that handle resolution
    description = "Domain bypass for local development" # displayed in the client UI
  }]
}

data cloudflare_zero_trust_device_default_profile_local_domain_fallback

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
description: String

A description of the fallback domain, displayed in the client UI.

suffix: String

The domain suffix to match when resolving locally.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_default_profile_local_domain_fallback

# Reads the fallback-domain settings of the default device profile; the
# computed attributes are suffix, description and dns_server.
data "cloudflare_zero_trust_device_default_profile_local_domain_fallback" "example_zero_trust_device_default_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Policies > Default > Certificates

resource cloudflare_zero_trust_device_default_profile_certificates

required Expand Collapse
zone_id: String
enabled: Bool

The current status of the device policy certificate provisioning feature for WARP clients.

cloudflare_zero_trust_device_default_profile_certificates

# Sets the status of the device policy certificate provisioning feature for
# WARP clients. This resource takes a zone_id, where the other device
# resources on this page take an account_id.
resource "cloudflare_zero_trust_device_default_profile_certificates" "example_zero_trust_device_default_profile_certificates" {
  zone_id = "699d98642c564d2e855e9661899b7252"
  enabled = true
}

data cloudflare_zero_trust_device_default_profile_certificates

required Expand Collapse
zone_id: String
computed Expand Collapse
enabled: Bool

The current status of the device policy certificate provisioning feature for WARP clients.

cloudflare_zero_trust_device_default_profile_certificates

# Reads whether device policy certificate provisioning for WARP clients is
# currently enabled for the given zone.
data "cloudflare_zero_trust_device_default_profile_certificates" "example_zero_trust_device_default_profile_certificates" {
  zone_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Policies > Custom

resource cloudflare_zero_trust_device_custom_profile

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

name: String

The name of the device settings profile.

precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

optional Expand Collapse
lan_allow_minutes?: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

allow_mode_switch?: Bool

Whether to allow the user to switch WARP between modes.

allow_updates?: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: Bool

Whether to allow devices to leave the organization.

auto_connect?: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: Float64

Turn on the captive portal after the specified amount of time.

description?: String

A description of the policy.

disable_auto_fallback?: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled?: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips?: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

register_interface_ip_with_dns?: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url?: String

The URL to launch when the Send Feedback button is clicked.

switch_locked?: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol?: String

Determines which tunnel protocol to use.

exclude?: List[Attributes]

List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

include?: List[Attributes]

List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

address?: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2?: Attributes
mode?: String

The mode to run the WARP client under.

port?: Float64

The port number when used with proxy mode.

computed Expand Collapse
id: String
policy_id: String
default: Bool

Whether the policy is the default policy for an account.

gateway_unique_id: String
fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

cloudflare_zero_trust_device_custom_profile

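# Custom WARP device settings profile applied to devices matching `match`.
#
# The argument reference states that 'exclude' and 'include' cannot be set in
# the same request, so this example configures a single Split Tunnel list
# ('exclude') and shows 'include' only as a commented alternative.
resource "cloudflare_zero_trust_device_custom_profile" "example_zero_trust_device_custom_profile" {
  account_id  = "699d98642c564d2e855e9661899b7252"
  name        = "Allow Developers"
  description = "Policy for test teams."
  enabled     = true

  # Wirefilter expression selecting the devices this profile applies to.
  match = "identity.email == \"test@cloudflare.com\""

  # Policies are evaluated in ascending order, so a lower number has higher
  # precedence. Review the ordering whenever a broader match is added.
  precedence = 100

  # User-facing client controls.
  # NOTE(review): the attribute name suggests switch_locked = true stops the
  # user from turning WARP off, while the argument description is worded the
  # other way round - confirm the effective behaviour before rollout.
  switch_locked     = true
  allow_mode_switch = true
  allow_updates     = true
  allowed_to_leave  = true # devices are allowed to leave the organization
  auto_connect      = 0
  captive_portal    = 180
  support_url       = "https://1.1.1.1/help"

  # Tunnel settings.
  tunnel_protocol = "wireguard"
  service_mode_v2 = {
    mode = "proxy"
    port = 3000 # port number used with proxy mode
  }

  # Split Tunnel: routes listed here are excluded from the WARP tunnel, so
  # keep the list as narrow as the use case allows.
  exclude = [{
    address     = "192.0.2.0/24"
    description = "Exclude testing domains from the tunnel"
  }]
  exclude_office_ips = true # also adds Microsoft IPs to the exclusions

  # Alternative: to list the routes that are included in the tunnel instead,
  # remove 'exclude' above and set:
  # include = [{
  #   address     = "192.0.2.0/24"
  #   description = "Include testing domains in the tunnel"
  # }]

  # Time in minutes a user is allowed access to their LAN. A value of 0 would
  # allow LAN access until the next WARP reconnection.
  lan_allow_minutes     = 30
  lan_allow_subnet_size = 24

  # DNS behaviour. With disable_auto_fallback = true, a fallback domain that
  # has no dns_server does not fall back to the default/system resolvers.
  disable_auto_fallback          = true
  register_interface_ip_with_dns = true

  sccm_vpn_boundary_support = false # Windows only
}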

data cloudflare_zero_trust_device_custom_profile

required Expand Collapse
policy_id: String
account_id: String
computed Expand Collapse
id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

description: String

A description of the policy.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

gateway_unique_id: String
lan_allow_minutes: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: String

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

name: String

The name of the device settings profile.

precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: String

Determines which tunnel protocol to use.

exclude: List[Attributes]

List of routes excluded in the WARP client's tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

include: List[Attributes]

List of routes included in the WARP client's tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

cloudflare_zero_trust_device_custom_profile

# Reads one custom device profile by policy_id. The computed attributes
# include match, precedence, switch_locked and the Split Tunnel lists, which
# is enough to audit what a given profile enforces.
data "cloudflare_zero_trust_device_custom_profile" "example_zero_trust_device_custom_profile" {
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_device_custom_profiles

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

description: String

A description of the policy.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude: List[Attributes]

List of routes excluded in the WARP client's tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

gateway_unique_id: String
include: List[Attributes]

List of routes included in the WARP client's tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

lan_allow_minutes: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: String

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

name: String

The name of the device settings profile.

policy_id: String
precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

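Whether to allow the user to turn off the WARP switch and disconnect the client. The field name suggests that true locks the switch, so the user cannot disconnect; confirm the polarity against a test profile before relying on it.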

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

tunnel_protocol: String

Determines which tunnel protocol to use.

cloudflare_zero_trust_device_custom_profiles

# Lists the custom device settings profiles of one account. The optional
# max_items argument is left unset here; the schema above gives its default
# as 1000.
data "cloudflare_zero_trust_device_custom_profiles" "example_zero_trust_device_custom_profiles" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Policies > Custom > Fallback Domains

resource cloudflare_zero_trust_device_custom_profile_local_domain_fallback

required
policy_id: String
account_id: String
domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description?: String

A description of the fallback domain, displayed in the client UI.

dns_server?: List[String]

A list of IP addresses to handle domain resolution.

computed
id: String

cloudflare_zero_trust_device_custom_profile_local_domain_fallback

# Sets the local domain fallback list for one custom device profile.
# Per the attribute descriptions, names under each `suffix` are resolved
# locally, using the `dns_server` addresses when they are given; review each
# suffix and resolver before adding it to a profile.
resource "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example_zero_trust_device_custom_profile_local_domain_fallback" {
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"

  domains = [
    {
      suffix      = "example.com"
      dns_server  = ["1.1.1.1"]
      description = "Domain bypass for local development"
    }
  ]
}

data cloudflare_zero_trust_device_custom_profile_local_domain_fallback

required
policy_id: String
account_id: String
computed
id: String
description: String

A description of the fallback domain, displayed in the client UI.

suffix: String

The domain suffix to match when resolving locally.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_custom_profile_local_domain_fallback

# Reads the local domain fallback settings of one custom device profile,
# identified by the account and the profile's policy_id.
data "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example_zero_trust_device_custom_profile_local_domain_fallback" {
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Posture

resource cloudflare_zero_trust_device_posture_rule

required
account_id: String
name: String

The name of the device posture rule.

type: String

The type of device posture rule.

optional
description?: String

The description of the device posture rule.

expiration?: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

schedule?: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

input?: Attributes

The value to be checked against.

operating_system?: String

Operating system.

path?: String

File path.

exists?: Bool

Whether or not file exists.

sha256?: String

SHA-256.

thumbprint?: String

Signing certificate thumbprint.

id?: String

List ID.

domain?: String

Domain.

operator?: String

Operator.

version?: String

Version of OS.

os_distro_name?: String

Operating System Distribution Name (linux only).

os_distro_revision?: String

Version of OS Distribution (linux only).

os_version_extra?: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled?: Bool

Enabled.

check_disks?: List[String]

List of volume names to be checked for encryption.

require_all?: Bool

Whether to check all disks for encryption.

certificate_id?: String

UUID of Cloudflare managed certificate.

cn?: String

Common Name that is protected by the certificate.

check_private_key?: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage?: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations?: Attributes
paths?: List[String]

List of paths to check for client certificate on linux.

trust_stores?: List[String]

List of trust stores to check for client certificate.

subject_alternative_names?: List[String]

List of certificate Subject Alternative Names.

update_window_days?: Float64

Number of days that the antivirus should be updated within.

compliance_status?: String

Compliance Status.

connection_id?: String

Posture Integration ID.

last_seen?: String

For more details on last seen, please refer to the Crowdstrike documentation.

os?: String

OS version.

overall?: String

Overall.

sensor_config?: String

SensorConfig.

state?: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator?: String

Version Operator.

count_operator?: String

Count Operator.

issue_count?: String

The Number of Issues.

eid_last_seen?: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level?: String

For more details on risk level, refer to the Tanium documentation.

score_operator?: String

Score Operator.

total_score?: Float64

For more details on total score, refer to the Tanium documentation.

active_threats?: Float64

The Number of active threats.

infected?: Bool

Whether device is infected.

is_active?: Bool

Whether device is active.

network_status?: String

Network status of device.

operational_state?: String

Agent operational state.

score?: Float64

A value between 0-100 assigned to devices set by the 3rd party posture provider.

match?: List[Attributes]

The conditions that the client must match to run the rule.

platform?: String
computed
id: String

API UUID.

cloudflare_zero_trust_device_posture_rule

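# Example device posture rule of type "file": `input` holds the values the
# check is compared against, and `match` limits which clients run the rule.
resource "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" {
  account_id  = "699d98642c564d2e855e9661899b7252"
  name        = "Admin Serial Numbers"
  type        = "file"
  description = "The rule for admin serial numbers"

  # expiration: how long a posture check result stays valid.
  # schedule: how often the WARP client polls (the schema gives a 1m minimum).
  expiration = "1h"
  schedule   = "1h"

  input = {
    operating_system = "linux"
    path             = "/bin/cat"
    exists           = true

    # Placeholder, not a real digest: replace it with the SHA-256 hex digest
    # of the file at `path`. A URL or any other non-digest string cannot
    # match a file hash.
    sha256 = "<SHA256_HEX_DIGEST_OF_FILE_AT_PATH>"

    # Signing certificate thumbprint (sample value from the page).
    thumbprint = "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
  }

  # `match` lists the conditions a client must meet to run the rule. The
  # platform agrees with input.operating_system so that the Linux path check
  # is evaluated on Linux clients.
  match = [{
    platform = "linux"
  }]
}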

data cloudflare_zero_trust_device_posture_rule

required
rule_id: String

API UUID.

account_id: String
computed
id: String

API UUID.

description: String

The description of the device posture rule.

expiration: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

name: String

The name of the device posture rule.

schedule: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: String

The type of device posture rule.

input: Attributes

The value to be checked against.

operating_system: String

Operating system.

path: String

File path.

exists: Bool

Whether or not file exists.

sha256: String

SHA-256.

thumbprint: String

Signing certificate thumbprint.

id: String

List ID.

domain: String

Domain.

operator: String

Operator.

version: String

Version of OS.

os_distro_name: String

Operating System Distribution Name (linux only).

os_distro_revision: String

Version of OS Distribution (linux only).

os_version_extra: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled: Bool

Enabled.

check_disks: List[String]

List of volume names to be checked for encryption.

require_all: Bool

Whether to check all disks for encryption.

certificate_id: String

UUID of Cloudflare managed certificate.

cn: String

Common Name that is protected by the certificate.

check_private_key: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations: Attributes
paths: List[String]

List of paths to check for client certificate on linux.

trust_stores: List[String]

List of trust stores to check for client certificate.

subject_alternative_names: List[String]

List of certificate Subject Alternative Names.

update_window_days: Float64

Number of days that the antivirus should be updated within.

compliance_status: String

Compliance Status.

connection_id: String

Posture Integration ID.

last_seen: String

For more details on last seen, please refer to the Crowdstrike documentation.

os: String

OS version.

overall: String

Overall.

sensor_config: String

SensorConfig.

state: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator: String

Version Operator.

count_operator: String

Count Operator.

issue_count: String

The Number of Issues.

eid_last_seen: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level: String

For more details on risk level, refer to the Tanium documentation.

score_operator: String

Score Operator.

total_score: Float64

For more details on total score, refer to the Tanium documentation.

active_threats: Float64

The Number of active threats.

infected: Bool

Whether device is infected.

is_active: Bool

Whether device is active.

network_status: String

Network status of device.

operational_state: String

Agent operational state.

score: Float64

A value between 0-100 assigned to devices set by the 3rd party posture provider.

match: List[Attributes]

The conditions that the client must match to run the rule.

platform: String

cloudflare_zero_trust_device_posture_rule

# Reads a single device posture rule, identified by the account and the
# rule's API UUID (rule_id).
data "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" {
  rule_id    = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_device_posture_rules

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

description: String

The description of the device posture rule.

expiration: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: Attributes

The value to be checked against.

operating_system: String

Operating system.

path: String

File path.

exists: Bool

Whether or not file exists.

sha256: String

SHA-256.

thumbprint: String

Signing certificate thumbprint.

id: String

List ID.

domain: String

Domain.

operator: String

Operator.

version: String

Version of OS.

os_distro_name: String

Operating System Distribution Name (linux only).

os_distro_revision: String

Version of OS Distribution (linux only).

os_version_extra: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled: Bool

Enabled.

check_disks: List[String]

List of volume names to be checked for encryption.

require_all: Bool

Whether to check all disks for encryption.

certificate_id: String

UUID of Cloudflare managed certificate.

cn: String

Common Name that is protected by the certificate.

check_private_key: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations: Attributes
paths: List[String]

List of paths to check for client certificate on linux.

trust_stores: List[String]

List of trust stores to check for client certificate.

subject_alternative_names: List[String]

List of certificate Subject Alternative Names.

update_window_days: Float64

Number of days that the antivirus should be updated within.

compliance_status: String

Compliance Status.

connection_id: String

Posture Integration ID.

last_seen: String

For more details on last seen, please refer to the Crowdstrike documentation.

os: String

OS version.

overall: String

Overall.

sensor_config: String

SensorConfig.

state: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator: String

Version Operator.

count_operator: String

Count Operator.

issue_count: String

The Number of Issues.

eid_last_seen: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level: String

For more details on risk level, refer to the Tanium documentation.

score_operator: String

Score Operator.

total_score: Float64

For more details on total score, refer to the Tanium documentation.

active_threats: Float64

The Number of active threats.

infected: Bool

Whether device is infected.

is_active: Bool

Whether device is active.

network_status: String

Network status of device.

operational_state: String

Agent operational state.

score: Float64

A value between 0-100 assigned to devices set by the 3rd party posture provider.

match: List[Attributes]

The conditions that the client must match to run the rule.

platform: String
name: String

The name of the device posture rule.

schedule: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: String

The type of device posture rule.

cloudflare_zero_trust_device_posture_rules

# Lists the device posture rules of one account. The optional max_items
# argument is left unset here; the schema above gives its default as 1000.
data "cloudflare_zero_trust_device_posture_rules" "example_zero_trust_device_posture_rules" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Posture > Integrations

resource cloudflare_zero_trust_device_posture_integration

required
account_id: String
interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

config: Attributes

The configuration object containing third-party integration information.

api_url?: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url?: String

The Workspace One Authorization URL depending on your region.

client_id?: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

client_secret?: String

The Workspace One client secret provided in the Workspace One Admin Dashboard.

customer_id?: String

The Crowdstrike customer ID.

client_key?: String

The Uptycs client secret.

access_client_id?: String

If present, this id will be passed in the CF-Access-Client-ID header when hitting the api_url.

access_client_secret?: String

If present, this secret will be passed in the CF-Access-Client-Secret header when hitting the api_url.

computed
id: String

API UUID.

cloudflare_zero_trust_device_posture_integration

# Example Workspace One posture integration; `interval` sets the time
# between posture checks against the third-party API.
resource "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "My Workspace One Integration"
  type       = "workspace_one"
  interval   = "10m"

  config = {
    api_url   = "https://as123.awmdm.com/API"
    auth_url  = "https://na.uemauth.workspaceone.com/connect/token"
    client_id = "example client id"

    # Credential. The literal below is a sample; in a real configuration
    # supply it from a variable marked sensitive (or a secrets manager) and
    # keep it out of version control. Terraform also records resource
    # arguments in state, so restrict access to the state backend.
    client_secret = "example client secret"
  }
}

data cloudflare_zero_trust_device_posture_integration

required
integration_id: String

API UUID.

account_id: String
computed
id: String

API UUID.

interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

config: Attributes

The configuration object containing third-party integration information.

api_url: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: String

The Workspace One Authorization URL depending on your region.

client_id: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

cloudflare_zero_trust_device_posture_integration

data "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" {
  account_id = "699d98642c564d2e855e9661899b7252"
  integration_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_posture_integrations

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

config: Attributes

The configuration object containing third-party integration information.

api_url: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: String

The Workspace One Authorization URL depending on your region.

client_id: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

cloudflare_zero_trust_device_posture_integrations

# Lists the device posture integrations of one account. The computed
# `config` shown in the schema above exposes api_url, auth_url and client_id.
data "cloudflare_zero_trust_device_posture_integrations" "example_zero_trust_device_posture_integrations" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Devices > Settings

resource cloudflare_zero_trust_device_settings

required
account_id: String
optional
disable_for_time?: Float64

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled?: Bool

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint?: String

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.

external_emergency_signal_interval?: String

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.

external_emergency_signal_url?: String

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled?: Bool

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled?: Bool

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled?: Bool

Enable installation of the Cloudflare-managed root certificate.

use_zt_virtual_ip?: Bool

Enable using CGNAT virtual IPv4.

cloudflare_zero_trust_device_settings

# Account-wide WARP device settings example.
resource "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Time limit, in seconds, for using an override code to bypass WARP.
  disable_for_time = 0

  # Gateway proxy filtering on TCP and on UDP.
  gateway_proxy_enabled     = true
  gateway_udp_proxy_enabled = true

  # Cloudflare-managed root certificate installation and CGNAT virtual IPv4.
  root_certificate_installation_enabled = true
  use_zt_virtual_ip                     = true

  # External emergency disconnect signal. The URL must use HTTPS with an IP
  # address as the host; 192.0.2.1 is a documentation-range sample address.
  # The fingerprint is the SHA256 fingerprint of that server's certificate:
  # when it is set, the client ignores any response whose certificate does
  # not match exactly. The value below is a sample, not a real fingerprint.
  external_emergency_signal_enabled     = true
  external_emergency_signal_url         = "https://192.0.2.1/signal"
  external_emergency_signal_interval    = "5m"
  external_emergency_signal_fingerprint = "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234"
}

data cloudflare_zero_trust_device_settings

required
account_id: String
computed
disable_for_time: Float64

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled: Bool

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint: String

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.

external_emergency_signal_interval: String

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.

external_emergency_signal_url: String

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled: Bool

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled: Bool

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled: Bool

Enable installation of the Cloudflare-managed root certificate.

use_zt_virtual_ip: Bool

Enable using CGNAT virtual IPv4.

cloudflare_zero_trust_device_settings

# Reads the device settings of one account, including the emergency
# disconnect signal and gateway proxy fields listed in the schema above.
data "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
}