Gateway

Gateway Categories

data cloudflare_zero_trust_gateway_categories_list

required
account_id: String

Provide the identifier string.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: Int64

Identify this category. Only one category per ID.

beta: Bool

Indicate whether the category is in beta and subject to change.

class: String

Specify which account types can create policies for this category. blocked: blocks unconditionally for all accounts. removalPending: allows removal from policies but disables addition. noBlock: prevents blocking.

description: String

Provide a short summary of domains in the category.

name: String

Specify the category name.

subcategories: List[Attributes]

Provide all subcategories for this category.

id: Int64

Identify this category. Only one category per ID.

beta: Bool

Indicate whether the category is in beta and subject to change.

class: String

Specify which account types can create policies for this category. blocked: blocks unconditionally for all accounts. removalPending: allows removal from policies but disables addition. noBlock: prevents blocking.

description: String

Provide a short summary of domains in the category.

name: String

Specify the category name.

cloudflare_zero_trust_gateway_categories_list

data "cloudflare_zero_trust_gateway_categories_list" "example_zero_trust_gateway_categories_list" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Gateway App Types

data cloudflare_zero_trust_gateway_app_types_list

required
account_id: String

Provide the identifier string.

optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: Int64

Identify this application. Only one application per ID.

application_type_id: Int64

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

created_at: Time
name: String

Specify the name of the application or application type.

description: String

Provide a short summary of applications with this type.

cloudflare_zero_trust_gateway_app_types_list

data "cloudflare_zero_trust_gateway_app_types_list" "example_zero_trust_gateway_app_types_list" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Gateway Configurations

resource cloudflare_zero_trust_gateway_settings

required
account_id: String
optional
settings?: Attributes

Specify account settings.

activity_log?: Attributes

Specify activity log settings.

enabled?: Bool

Specify whether to log activity.

antivirus?: Attributes

Specify anti-virus settings.

enabled_download_phase?: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase?: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed?: Bool

Specify whether to block requests for unscannable files.

notification_settings?: Attributes

Configure the message the user's device shows during an antivirus scan.

enabled?: Bool

Specify whether to enable notifications.

include_context?: Bool

Specify whether to include context information as query parameters.

msg?: String

Specify the message to show in the notification.

support_url?: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page?: Attributes

Specify block page layout settings.

background_color?: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled?: Bool

Specify whether to enable the custom block page.

header_text?: String

Specify the block page header text when the mode is customized_block_page.

include_context?: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path?: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address?: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject?: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode?: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name?: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri?: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning?: Attributes

Specify the DLP inspection mode.

inspection_mode?: String

Specify the inspection mode as either deep or shallow.

browser_isolation?: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled?: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled?: Bool

Specify whether to enable Clientless Browser Isolation.

certificate?: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate?: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id?: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time
extended_email_matching?: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled?: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only?: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account?: String

Indicate the account tag of the account that shared this setting.

version?: Int64

Indicate the version number of the setting.

fips?: Attributes

Specify FIPS settings.

tls?: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector?: Attributes

Enable host selection in egress policies.

enabled?: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection?: Attributes

Define the proxy inspection mode.

mode?: String

Define the proxy inspection mode.
1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

protocol_detection?: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled?: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox?: Attributes

Specify whether to enable the sandbox.

enabled?: Bool

Specify whether to enable the sandbox.

fallback_action?: String

Specify the action to take when the system cannot scan the file.

tls_decrypt?: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled?: Bool

Specify whether to inspect encrypted HTTP traffic.

computed
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_gateway_settings

resource "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
  settings = {
    activity_log = {
      enabled = true
    }
    antivirus = {
      enabled_download_phase = false
      enabled_upload_phase = false
      fail_closed = false
      notification_settings = {
        enabled = true
        include_context = true
        msg = "msg"
        support_url = "support_url"
      }
    }
    block_page = {
      background_color = "background_color"
      enabled = true
      footer_text = "--footer--"
      header_text = "--header--"
      include_context = true
      logo_path = "https://logos.com/a.png"
      mailto_address = "admin@example.com"
      mailto_subject = "Blocked User Inquiry"
      mode = ""
      name = "Cloudflare"
      suppress_footer = false
      target_uri = "https://example.com"
    }
    body_scanning = {
      inspection_mode = "deep"
    }
    browser_isolation = {
      non_identity_enabled = true
      url_browser_isolation_enabled = true
    }
    certificate = {
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }
    custom_certificate = {
      enabled = true
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }
    extended_email_matching = {
      enabled = true
    }
    fips = {
      tls = true
    }
    host_selector = {
      enabled = false
    }
    inspection = {
      mode = "static"
    }
    protocol_detection = {
      enabled = true
    }
    sandbox = {
      enabled = true
      fallback_action = "allow"
    }
    tls_decrypt = {
      enabled = true
    }
  }
}

data cloudflare_zero_trust_gateway_settings

required
account_id: String
computed
id: String
created_at: Time
updated_at: Time
settings: Attributes

Specify account settings.

activity_log: Attributes

Specify activity log settings.

enabled: Bool

Specify whether to log activity.

antivirus: Attributes

Specify anti-virus settings.

enabled_download_phase: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed: Bool

Specify whether to block requests for unscannable files.

notification_settings: Attributes

Configure the message the user's device shows during an antivirus scan.

enabled: Bool

Specify whether to enable notifications.

include_context: Bool

Specify whether to include context information as query parameters.

msg: String

Specify the message to show in the notification.

support_url: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page: Attributes

Specify block page layout settings.

background_color: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled: Bool

Specify whether to enable the custom block page.

header_text: String

Specify the block page header text when the mode is customized_block_page.

include_context: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning: Attributes

Specify the DLP inspection mode.

inspection_mode: String

Specify the inspection mode as either deep or shallow.

browser_isolation: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled: Bool

Specify whether to enable Clientless Browser Isolation.

certificate: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time
extended_email_matching: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

version: Int64

Indicate the version number of the setting.

fips: Attributes

Specify FIPS settings.

tls: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector: Attributes

Enable host selection in egress policies.

enabled: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection: Attributes

Define the proxy inspection mode.

mode: String

Define the proxy inspection mode.
1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

protocol_detection: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox: Attributes

Specify whether to enable the sandbox.

enabled: Bool

Specify whether to enable the sandbox.

fallback_action: String

Specify the action to take when the system cannot scan the file.

tls_decrypt: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled: Bool

Specify whether to inspect encrypted HTTP traffic.

cloudflare_zero_trust_gateway_settings

data "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
}
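
The settings that decide what happens when a file cannot be scanned (`antivirus.fail_closed`, `sandbox.fallback_action`) and whether HTTPS is inspected at all (`inspection.mode` with `tls_decrypt`) are set to fail open in the generated example above. The following is an added example, not part of the provider documentation: it sets them to fail closed and reads the settings back through the data source so a `check` block flags drift. It assumes Terraform 1.5 or later, a `var.account_id` input, and that `block` is an accepted `fallback_action` value (the page shows only `allow`).

```hcl
# Added example, not from the provider docs. Requires Terraform >= 1.5 for `check`.
variable "account_id" {
  type        = string
  description = "Cloudflare account ID (assumed input)."
}

# Fail-closed counterpart of the generated example, which sets
# fail_closed = false and fallback_action = "allow".
resource "cloudflare_zero_trust_gateway_settings" "fail_closed" {
  account_id = var.account_id
  settings = {
    activity_log = {
      enabled = true
    }
    antivirus = {
      enabled_download_phase = true
      enabled_upload_phase   = true
      fail_closed            = true # block requests for unscannable files
    }
    inspection = {
      mode = "dynamic" # protocol detection on any port
    }
    tls_decrypt = {
      enabled = true # must stay on for HTTPS to be inspected
    }
    sandbox = {
      enabled         = true
      fallback_action = "block" # assumed value; the page shows only "allow"
    }
  }
}

# Read the settings back so the checks evaluate what the account reports,
# not what this configuration asked for.
data "cloudflare_zero_trust_gateway_settings" "live" {
  account_id = var.account_id
  depends_on = [cloudflare_zero_trust_gateway_settings.fail_closed]
}

locals {
  gw = data.cloudflare_zero_trust_gateway_settings.live.settings
}

check "gateway_fails_closed" {
  # try() covers nested objects that come back null; "null == true" is false.
  assert {
    condition     = try(local.gw.antivirus.fail_closed, false) == true
    error_message = "antivirus.fail_closed is off: requests for unscannable files are not blocked."
  }

  assert {
    condition = (
      try(local.gw.sandbox.enabled, false) != true ||
      try(local.gw.sandbox.fallback_action, "") == "block"
    )
    error_message = "sandbox is enabled but fallback_action is not \"block\"."
  }

  assert {
    condition = (
      try(local.gw.inspection.mode, "") != "dynamic" ||
      try(local.gw.tls_decrypt.enabled, false) == true
    )
    error_message = "inspection.mode is dynamic but tls_decrypt is off: HTTPS traffic is not inspected."
  }
}
```

A failed `check` assertion is reported as a warning at the end of `plan` and `apply`; it does not stop the run.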

Gateway Lists

resource cloudflare_zero_trust_list

required
account_id: String
type: String

Specify the list type.

name: String

Specify the list name.

optional
items?: Set[Attributes]

Add items to the list.

description?: String

Provide the list item description (optional).

value?: String

Specify the item value.

description?: String

Provide the list description.

computed
id: String

Identify the API resource with a UUID.

created_at: Time
list_count: Float64

Indicate the number of items in the list.

updated_at: Time

cloudflare_zero_trust_list

resource "cloudflare_zero_trust_list" "example_zero_trust_list" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name = "Admin Serial Numbers"
  type = "SERIAL"
  description = "The serial numbers for administrators"
  items = [{
    description = "Austin office IP"
    value = "8GE8721REF"
  }]
}

data cloudflare_zero_trust_list

required
account_id: String
optional
list_id?: String

Identify the API resource with a UUID.

filter?: Attributes
type?: String

Specify the list type.

computed
id: String

Identify the API resource with a UUID.

created_at: Time
description: String

Provide the list description.

list_count: Float64

Indicate the number of items in the list.

name: String

Specify the list name.

type: String

Specify the list type.

updated_at: Time
items: Set[Attributes]

Provide the list items.

created_at: Time
description: String

Provide the list item description (optional).

value: String

Specify the item value.

cloudflare_zero_trust_list

data "cloudflare_zero_trust_list" "example_zero_trust_list" {
  account_id = "699d98642c564d2e855e9661899b7252"
  list_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_lists

required
account_id: String
optional
type?: String

Specify the list type.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

Identify the API resource with a UUID.

list_count: Float64

Indicate the number of items in the list.

created_at: Time
description: String

Provide the list description.

items: Set[Attributes]

Provide the list items.

created_at: Time
description: String

Provide the list item description (optional).

value: String

Specify the item value.

name: String

Specify the list name.

type: String

Specify the list type.

updated_at: Time

cloudflare_zero_trust_lists

data "cloudflare_zero_trust_lists" "example_zero_trust_lists" {
  account_id = "699d98642c564d2e855e9661899b7252"
  type = "SERIAL"
}

Gateway Locations

resource cloudflare_zero_trust_dns_location

required
account_id: String
name: String

Specify the location name.

optional
endpoints?: Attributes

Configure the destination endpoints for this location.

doh: Attributes
enabled?: Bool

Indicate whether the DOH endpoint is enabled for this location.

networks?: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

require_token?: Bool

Specify whether the DOH endpoint requires user identity authentication.

dot: Attributes
enabled?: Bool

Indicate whether the DOT endpoint is enabled for this location.

networks?: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

ipv4: Attributes
enabled?: Bool

Indicate whether the IPv4 endpoint is enabled for this location.

ipv6: Attributes
enabled?: Bool

Indicate whether the IPv6 endpoint is enabled for this location.

networks?: List[Attributes]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IPv6 address or IPv6 CIDR.

client_default?: Bool

Indicate whether this location is the default location.

dns_destination_ips_id?: String

Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged.

ecs_support?: Bool

Indicate whether the location must resolve EDNS queries.

networks?: List[Attributes]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: String

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

computed
id: String
created_at: Time
dns_destination_ipv6_block_id: String

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: String

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ip: String

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: String

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

ipv4_destination_backup: String

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

updated_at: Time

cloudflare_zero_trust_dns_location

resource "cloudflare_zero_trust_dns_location" "example_zero_trust_dns_location" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name = "Austin Office Location"
  client_default = false
  dns_destination_ips_id = "0e4a32c6-6fb8-4858-9296-98f51631e8e6"
  ecs_support = false
  endpoints = {
    doh = {
      enabled = true
      networks = [{
        network = "2001:85a3::/64"
      }]
      require_token = true
    }
    dot = {
      enabled = true
      networks = [{
        network = "2001:85a3::/64"
      }]
    }
    ipv4 = {
      enabled = true
    }
    ipv6 = {
      enabled = true
      networks = [{
        network = "2001:85a3::/64"
      }]
    }
  }
  networks = [{
    network = "192.0.2.1/32"
  }]
}

data cloudflare_zero_trust_dns_location

required
location_id: String
account_id: String
computed
id: String
client_default: Bool

Indicate whether this location is the default location.

created_at: Time
dns_destination_ips_id: String

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

dns_destination_ipv6_block_id: String

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: String

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ecs_support: Bool

Indicate whether the location must resolve EDNS queries.

ip: String

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: String

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

ipv4_destination_backup: String

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

name: String

Specify the location name.

updated_at: Time
endpoints: Attributes

Configure the destination endpoints for this location.

doh: Attributes
enabled: Bool

Indicate whether the DOH endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

require_token: Bool

Specify whether the DOH endpoint requires user identity authentication.

dot: Attributes
enabled: Bool

Indicate whether the DOT endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

ipv4: Attributes
enabled: Bool

Indicate whether the IPv4 endpoint is enabled for this location.

ipv6: Attributes
enabled: Bool

Indicate whether the IPv6 endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IPv6 address or IPv6 CIDR.

networks: List[Attributes]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: String

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

cloudflare_zero_trust_dns_location

data "cloudflare_zero_trust_dns_location" "example_zero_trust_dns_location" {
  account_id = "699d98642c564d2e855e9661899b7252"
  location_id = "ed35569b41ce4d1facfe683550f54086"
}

data cloudflare_zero_trust_dns_locations

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String
client_default: Bool

Indicate whether this location is the default location.

created_at: Time
dns_destination_ips_id: String

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

dns_destination_ipv6_block_id: String

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

doh_subdomain: String

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ecs_support: Bool

Indicate whether the location must resolve EDNS queries.

endpoints: Attributes

Configure the destination endpoints for this location.

doh: Attributes
enabled: Bool

Indicate whether the DOH endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

require_token: Bool

Specify whether the DOH endpoint requires user identity authentication.

dot: Attributes
enabled: Bool

Indicate whether the DOT endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IP address or IP CIDR.

ipv4: Attributes
enabled: Bool

Indicate whether the IPv4 endpoint is enabled for this location.

ipv6: Attributes
enabled: Bool

Indicate whether the IPv6 endpoint is enabled for this location.

networks: List[Attributes]

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

network: String

Specify the IPv6 address or IPv6 CIDR.

ip: String

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

ipv4_destination: String

Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

ipv4_destination_backup: String

Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.

name: String

Specify the location name.

networks: List[Attributes]

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

network: String

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

updated_at: Time

cloudflare_zero_trust_dns_locations

data "cloudflare_zero_trust_dns_locations" "example_zero_trust_dns_locations" {
  account_id = "699d98642c564d2e855e9661899b7252"
}
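
Because an enabled DoH or DoT endpoint with an empty `networks` list allows all source IPs, the list data source can be used to audit every location in the account. The following is an added example, not part of the provider documentation: it collects the names of locations whose DoH endpoint has neither source ranges nor `require_token`, and whose DoT endpoint has no source ranges, and reports them through a `check` block. It assumes Terraform 1.5 or later and a `var.account_id` input.

```hcl
# Added example, not from the provider docs. Requires Terraform >= 1.5 for `check`.
variable "account_id" {
  type        = string
  description = "Cloudflare account ID (assumed input)."
}

data "cloudflare_zero_trust_dns_locations" "all" {
  account_id = var.account_id
}

locals {
  locations = data.cloudflare_zero_trust_dns_locations.all.result

  # DoH is enabled, no source ranges are listed, and no user token is
  # required: the endpoint accepts queries from all source IPs.
  # try(length(...), 0) treats a null or missing list as empty.
  open_doh = [
    for l in local.locations : l.name
    if try(l.endpoints.doh.enabled, false) == true &&
    try(length(l.endpoints.doh.networks), 0) == 0 &&
    try(l.endpoints.doh.require_token, false) != true
  ]

  # DoT has no token option in this schema, so source ranges are the only
  # restriction available on that endpoint.
  open_dot = [
    for l in local.locations : l.name
    if try(l.endpoints.dot.enabled, false) == true &&
    try(length(l.endpoints.dot.networks), 0) == 0
  ]
}

check "dns_endpoints_source_restricted" {
  assert {
    condition     = length(local.open_doh) == 0
    error_message = "DoH enabled with no source ranges and no token: ${join(", ", local.open_doh)}"
  }

  assert {
    condition     = length(local.open_dot) == 0
    error_message = "DoT enabled with no source ranges: ${join(", ", local.open_dot)}"
  }
}
```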

Gateway Logging

resource cloudflare_zero_trust_gateway_logging

required
account_id: String
optional
redact_pii?: Bool

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

settings_by_rule_type?: Attributes

Configure logging settings for each rule type.

dns?: Attributes

Configure logging settings for DNS firewall.

log_all?: Bool

Specify whether to log all requests to this service.

log_blocks?: Bool

Specify whether to log only blocking requests to this service.

http?: Attributes

Configure logging settings for HTTP/HTTPS firewall.

log_all?: Bool

Specify whether to log all requests to this service.

log_blocks?: Bool

Specify whether to log only blocking requests to this service.

l4?: Attributes

Configure logging settings for Network firewall.

log_all?: Bool

Specify whether to log all requests to this service.

log_blocks?: Bool

Specify whether to log only blocking requests to this service.

computed
id: String

cloudflare_zero_trust_gateway_logging

resource "cloudflare_zero_trust_gateway_logging" "example_zero_trust_gateway_logging" {
  account_id = "699d98642c564d2e855e9661899b7252"
  redact_pii = true
  settings_by_rule_type = {
    dns = {
      log_all = false
      log_blocks = true
    }
    http = {
      log_all = false
      log_blocks = true
    }
    l4 = {
      log_all = false
      log_blocks = true
    }
  }
}

data cloudflare_zero_trust_gateway_logging

required
account_id: String
computed
id: String
redact_pii: Bool

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

settings_by_rule_type: Attributes

Configure logging settings for each rule type.

dns: Attributes

Configure logging settings for DNS firewall.

log_all: Bool

Specify whether to log all requests to this service.

log_blocks: Bool

Specify whether to log only blocking requests to this service.

http: Attributes

Configure logging settings for HTTP/HTTPS firewall.

log_all: Bool

Specify whether to log all requests to this service.

log_blocks: Bool

Specify whether to log only blocking requests to this service.

l4: Attributes

Configure logging settings for Network firewall.

log_all: Bool

Specify whether to log all requests to this service.

log_blocks: Bool

Specify whether to log only blocking requests to this service.

cloudflare_zero_trust_gateway_logging

data "cloudflare_zero_trust_gateway_logging" "example_zero_trust_gateway_logging" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Gateway Proxy Endpoints

resource cloudflare_zero_trust_gateway_proxy_endpoint

required
account_id: String
name: String

Specify the name of the proxy endpoint.

optional
kind?: String

The proxy endpoint kind

ips?: List[String]

Specify the list of CIDRs to restrict ingress connections.

computed
id: String
created_at: Time
subdomain: String

Specify the subdomain to use as the destination in the proxy client.

updated_at: Time

cloudflare_zero_trust_gateway_proxy_endpoint

resource "cloudflare_zero_trust_gateway_proxy_endpoint" "example_zero_trust_gateway_proxy_endpoint" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name = "Devops team"
  kind = "ip"
}

data cloudflare_zero_trust_gateway_proxy_endpoint

required
proxy_endpoint_id: String
account_id: String
computed
id: String
created_at: Time
kind: String

The proxy endpoint kind

name: String

Specify the name of the proxy endpoint.

subdomain: String

Specify the subdomain to use as the destination in the proxy client.

updated_at: Time
ips: List[String]

Specify the list of CIDRs to restrict ingress connections.

cloudflare_zero_trust_gateway_proxy_endpoint

data "cloudflare_zero_trust_gateway_proxy_endpoint" "example_zero_trust_gateway_proxy_endpoint" {
  account_id = "699d98642c564d2e855e9661899b7252"
  proxy_endpoint_id = "ed35569b41ce4d1facfe683550f54086"
}

data cloudflare_zero_trust_gateway_proxy_endpoints

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

ips: List[String]

Specify the list of CIDRs to restrict ingress connections.

name: String

Specify the name of the proxy endpoint.

id: String
created_at: Time
kind: String

The proxy endpoint kind

subdomain: String

Specify the subdomain to use as the destination in the proxy client.

updated_at: Time

cloudflare_zero_trust_gateway_proxy_endpoints

data "cloudflare_zero_trust_gateway_proxy_endpoints" "example_zero_trust_gateway_proxy_endpoints" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Gateway Rules

resource cloudflare_zero_trust_gateway_policy

required
account_id: String
action: String

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

name: String

Specify the rule name.

optional
description?: String

Specify the rule description.

filters?: List[String]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

device_posture?: String

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

enabled?: Bool

Specify whether the rule is enabled.

identity?: String

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

precedence?: Int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

traffic?: String

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration?: Attributes

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

duration?: Int64

Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

expired: Bool

Indicates whether the policy is expired.

rule_settings?: Attributes

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers?: Map[List[String]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass?: Bool

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

audit_ssh?: Attributes

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging?: Bool

Enable SSH command logging.

biso_admin_controls?: Attributes

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy?: String

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

dcp?: Bool

Set to false to enable copy-pasting. Only applies when version == "v1".

dd?: Bool

Set to false to enable downloading. Only applies when version == "v1".

dk?: Bool

Set to false to enable keyboard usage. Only applies when version == "v1".

download?: String

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

dp?: Bool

Set to false to enable printing. Only applies when version == "v1".

du?: Bool

Set to false to enable uploading. Only applies when version == "v1".

keyboard?: String

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

paste?: String

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

printing?: String

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

upload?: String

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

version?: String

Indicate which version of the browser isolation controls should apply.

block_page?: Attributes

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: String

Specify the URI to which the user is redirected.

include_context?: Bool

Specify whether to pass the context information as query parameters.

block_page_enabled?: Bool

Enable the custom block page. Settable only for dns rules with action block.

block_reason?: String

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

bypass_parent_rule?: Bool

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session?: Attributes

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration?: String

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce?: Bool

Enable session enforcement.

dns_resolvers?: Attributes

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

ipv4?: List[Attributes]
ip: String

Specify the IPv4 address of the upstream resolver.

port?: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id?: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6?: List[Attributes]
ip: String

Specify the IPv6 address of the upstream resolver.

port?: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network?: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id?: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress?: Attributes

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4?: String

Specify the IPv4 address to use for egress.

ipv4_fallback?: String

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6?: String

Specify the IPv6 range to use for egress.

forensic_copy?: Attributes

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled?: Bool

Enable sending the copy to storage.

ignore_cname_category_matches?: Bool

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation?: Bool

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

ip_categories?: Bool

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds?: Bool

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override?: Attributes

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip?: String

Defines the IPv4 or IPv6 address.

port?: Int64

Defines a port number to use for TCP/UDP overrides.

notification_settings?: Attributes

Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to block.

enabled?: Bool

Enable notification.

include_context?: Bool

Indicates whether to pass the context information as query parameters.

msg?: String

Customize the message shown in the notification.

support_url?: String

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host?: String

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips?: List[String]

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log?: Attributes

Configure DLP payload logging. Settable only for http rules.

enabled?: Bool

Enable DLP payload logging for this rule.

quarantine?: Attributes

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types?: List[String]

Specify the types of files to sandbox.

redirect?: Attributes

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: String

Specify the URI to which the user is redirected.

include_context?: Bool

Specify whether to pass the context information as query parameters.

preserve_path_and_query?: Bool

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally?: Attributes

Configure forwarding of the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

fallback?: String

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

view_id?: String

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare?: Bool

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert?: Attributes

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action?: String

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

schedule?: Attributes

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri?: String

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

mon?: String

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sat?: String

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sun?: String

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

thu?: String

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

time_zone?: String

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue?: String

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

wed?: String

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

computed
id: String

Identify the API resource with a UUID.

created_at: Time
deleted_at: Time

Indicate the date of deletion, if any.

read_only: Bool

Indicate that this rule is shared via the Orgs API and read only.

sharable: Bool

Indicate that this rule is sharable via the Orgs API.

source_account: String

Provide the account tag of the account that created the rule.

updated_at: Time
version: Int64

Indicate the version number of the rule (read-only).

warning_status: String

Indicate a warning for a misconfigured rule, if any.

cloudflare_zero_trust_gateway_policy

resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
  account_id = "699d98642c564d2e855e9661899b7252"
  action = "allow"
  name = "block bad websites"
  description = "Block bad websites based on their host name."
  device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"
  enabled = true
  expiration = {
    expires_at = "2014-01-01T05:20:20Z"
    duration = 10
  }
  filters = ["http"]
  identity = "any(identity.groups.name[*] in {\"finance\"})"
  precedence = 0
  rule_settings = {
    add_headers = {
      My-Next-Header = ["foo", "bar"]
      X-Custom-Header-Name = ["somecustomvalue"]
    }
    allow_child_bypass = false
    audit_ssh = {
      command_logging = false
    }
    biso_admin_controls = {
      copy = "remote_only"
      dcp = true
      dd = true
      dk = true
      download = "enabled"
      dp = false
      du = true
      keyboard = "enabled"
      paste = "enabled"
      printing = "enabled"
      upload = "enabled"
      version = "v1"
    }
    block_page = {
      target_uri = "https://example.com"
      include_context = true
    }
    block_page_enabled = true
    block_reason = "This website is a security risk"
    bypass_parent_rule = false
    check_session = {
      duration = "300s"
      enforce = true
    }
    dns_resolvers = {
      ipv4 = [{
        ip = "2.2.2.2"
        port = 5053
        route_through_private_network = true
        vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      }]
      ipv6 = [{
        ip = "2001:DB8::"
        port = 5053
        route_through_private_network = true
        vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
      }]
    }
    egress = {
      ipv4 = "192.0.2.2"
      ipv4_fallback = "192.0.2.3"
      ipv6 = "2001:DB8::/64"
    }
    forensic_copy = {
      enabled = true
    }
    ignore_cname_category_matches = true
    insecure_disable_dnssec_validation = false
    ip_categories = true
    ip_indicator_feeds = true
    l4override = {
      ip = "1.1.1.1"
      port = 0
    }
    notification_settings = {
      enabled = true
      include_context = true
      msg = "msg"
      support_url = "support_url"
    }
    override_host = "example.com"
    override_ips = ["1.1.1.1", "2.2.2.2"]
    payload_log = {
      enabled = true
    }
    quarantine = {
      file_types = ["exe"]
    }
    redirect = {
      target_uri = "https://example.com"
      include_context = true
      preserve_path_and_query = true
    }
    resolve_dns_internally = {
      fallback = "none"
      view_id = "view_id"
    }
    resolve_dns_through_cloudflare = true
    untrusted_cert = {
      action = "error"
    }
  }
  schedule = {
    fri = "08:00-12:30,13:30-17:00"
    mon = "08:00-12:30,13:30-17:00"
    sat = "08:00-12:30,13:30-17:00"
    sun = "08:00-12:30,13:30-17:00"
    thu = "08:00-12:30,13:30-17:00"
    time_zone = "America/New York"
    tue = "08:00-12:30,13:30-17:00"
    wed = "08:00-12:30,13:30-17:00"
  }
  traffic = "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
}
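
Most rule_settings attributes above carry a "Settable only for ..." condition, and the reference example sets all of them on one http rule, so it shows syntax rather than a policy that satisfies those conditions. The following pre-apply lint is an added example in Python, not part of the Cloudflare provider; it checks one policy's attributes against the conditions stated on this page. Assumptions: the policy arrives as a plain dict, the names COMPAT, EXCLUSIVE, schedule_errors and lint_policy are hypothetical, and "increasing order" is read as non-overlapping intervals.

```python
import re
from datetime import datetime

HTTP, DNS, L4, RESOLVER = {"http"}, {"dns"}, {"l4"}, {"dns_resolver"}
# setting -> (rule types, required action) per the page's "Settable only for" notes; None = any.
COMPAT = {
    "add_headers": (HTTP, "allow"), "untrusted_cert": (HTTP, "allow"),
    "biso_admin_controls": (HTTP, "isolate"), "block_page": (HTTP, "block"),
    "redirect": (HTTP, "redirect"), "payload_log": (HTTP, None),
    "quarantine": (HTTP, None), "check_session": (L4 | HTTP, "allow"),
    "audit_ssh": (L4, "audit_ssh"), "l4override": (L4, "l4_override"),
    "block_page_enabled": (DNS, "block"), "block_reason": (DNS | L4 | HTTP, "block"),
    "override_host": (DNS, "override"), "override_ips": (DNS, "override"),
    "insecure_disable_dnssec_validation": (DNS, None),
    "ignore_cname_category_matches": (DNS | RESOLVER, None),
    "ip_categories": (DNS | RESOLVER, None), "ip_indicator_feeds": (DNS | RESOLVER, None),
    "dns_resolvers": (RESOLVER, "resolve"), "resolve_dns_internally": (RESOLVER, "resolve"),
    "resolve_dns_through_cloudflare": (RESOLVER, "resolve"),
    "egress": ({"egress"}, None), "notification_settings": (None, "block"),
}
EXCLUSIVE = ("dns_resolvers", "resolve_dns_internally", "resolve_dns_through_cloudflare")
INTERVAL = re.compile(r"^(\d\d):(\d\d)-(\d\d):(\d\d)$")


def schedule_errors(day, spec):
    """Check one day's intervals: HH:MM-HH:MM, ascending, non-overlapping (assumed), in 00:00-24:00."""
    errors, prev_end = [], 0
    for part in (p.strip() for p in spec.split(",")):
        m = INTERVAL.match(part)
        if not m:
            errors.append(f"schedule.{day}: malformed interval {part!r}")
            continue
        h1, m1, h2, m2 = map(int, m.groups())
        start, end = h1 * 60 + m1, h2 * 60 + m2
        if max(m1, m2) > 59 or not (prev_end <= start < end <= 1440):
            errors.append(f"schedule.{day}: {part!r} out of order or out of range")
        prev_end = max(prev_end, end)
    return errors


def lint_policy(policy):
    """Return findings for one policy's attributes, given as a plain dict."""
    findings = []
    filters = policy.get("filters") or []
    if len(filters) != 1:
        findings.append("filters: must contain exactly one value")
    rule_type, action = (filters[0] if filters else None), policy.get("action")
    settings = policy.get("rule_settings") or {}
    for name, value in settings.items():
        if not value or name not in COMPAT:  # False, None and empty count as unset
            continue
        types, needed = COMPAT[name]
        if types is not None and rule_type not in types:
            findings.append(f"rule_settings.{name}: not settable for {rule_type} rules")
        if needed and action != needed:
            findings.append(f"rule_settings.{name}: requires action {needed!r}")
    chosen = [n for n in EXCLUSIVE if settings.get(n)]
    if len(chosen) > 1:
        findings.append("rule_settings: mutually exclusive: " + ", ".join(chosen))
    resolvers = settings.get("dns_resolvers") or {}
    for entry in (resolvers.get("ipv4") or []) + (resolvers.get("ipv6") or []):
        if entry.get("vnet_id") and entry.get("route_through_private_network") is None:
            findings.append(f"dns_resolvers {entry.get('ip')}: vnet_id without route_through_private_network")
    if settings.get("insecure_disable_dnssec_validation"):
        findings.append("rule_settings.insecure_disable_dnssec_validation: DNSSEC validation is off")
    expiration = policy.get("expiration")
    if expiration:
        if rule_type != "dns":
            findings.append("expiration: settable only for dns rules")
        try:  # fromisoformat approximates RFC 3339 here; "Z" is mapped for older Pythons
            stamp = datetime.fromisoformat(str(expiration.get("expires_at")).replace("Z", "+00:00"))
            if stamp.tzinfo is None:
                findings.append("expiration.expires_at: missing UTC offset")
        except ValueError:
            findings.append("expiration.expires_at: not an RFC 3339 timestamp")
    schedule = policy.get("schedule") or {}
    if schedule and rule_type not in ("dns", "dns_resolver"):
        findings.append("schedule: settable only for dns and dns_resolver rules")
    for day in ("mon", "tue", "wed", "thu", "fri", "sat", "sun"):
        if schedule.get(day):
            findings.extend(schedule_errors(day, schedule[day]))
    return findings


# Constructed sample, cut down from this page's reference example (an http rule with action allow).
SAMPLE_HTTP = {
    "action": "allow", "filters": ["http"],
    "expiration": {"expires_at": "2014-01-01T05:20:20Z", "duration": 10},
    "schedule": {"mon": "08:00-12:30,13:30-17:00"},
    "rule_settings": {
        "add_headers": {"X-Custom-Header-Name": ["somecustomvalue"]},
        "block_reason": "This website is a security risk",
        "dns_resolvers": {"ipv4": [{"ip": "2.2.2.2", "port": 5053, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"}]},
        "resolve_dns_through_cloudflare": True,
    },
}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_HTTP)))
```

Feeding it the attribute values from a reviewed plan lets a CI step fail before apply on settings the rule type does not support, and puts any use of insecure_disable_dnssec_validation in front of a reviewer.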

data cloudflare_zero_trust_gateway_policy

required
rule_id: String

Identify the API resource with a UUID.

account_id: String
computed
id: String

Identify the API resource with a UUID.

action: String

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

created_at: Time
deleted_at: Time

Indicate the date of deletion, if any.

description: String

Specify the rule description.

device_posture: String

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

enabled: Bool

Specify whether the rule is enabled.

identity: String

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

name: String

Specify the rule name.

precedence: Int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

read_only: Bool

Indicate that this rule is shared via the Orgs API and read only.

sharable: Bool

Indicate that this rule is sharable via the Orgs API.

source_account: String

Provide the account tag of the account that created the rule.

traffic: String

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

updated_at: Time
version: Int64

Indicate the version number of the rule (read-only).

warning_status: String

Indicate a warning for a misconfigured rule, if any.

filters: List[String]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

expiration: Attributes

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

duration: Int64

Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

expired: Bool

Indicates whether the policy is expired.

rule_settings: Attributes

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers: Map[List[String]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass: Bool

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

audit_ssh: Attributes

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging: Bool

Enable SSH command logging.

biso_admin_controls: Attributes

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy: String

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

dcp: Bool

Set to false to enable copy-pasting. Only applies when version == "v1".

dd: Bool

Set to false to enable downloading. Only applies when version == "v1".

dk: Bool

Set to false to enable keyboard usage. Only applies when version == "v1".

download: String

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

dp: Bool

Set to false to enable printing. Only applies when version == "v1".

du: Bool

Set to false to enable uploading. Only applies when version == "v1".

keyboard: String

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

paste: String

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

printing: String

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

upload: String

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

version: String

Indicate which version of the browser isolation controls should apply.

block_page: Attributes

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

block_page_enabled: Bool

Enable the custom block page. Settable only for dns rules with action block.

block_reason: String

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

bypass_parent_rule: Bool

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session: Attributes

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration: String

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce: Bool

Enable session enforcement.

dns_resolvers: Attributes

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

ipv4: List[Attributes]
ip: String

Specify the IPv4 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6: List[Attributes]
ip: String

Specify the IPv6 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress: Attributes

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4: String

Specify the IPv4 address to use for egress.

ipv4_fallback: String

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6: String

Specify the IPv6 range to use for egress.

forensic_copy: Attributes

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled: Bool

Enable sending the copy to storage.

ignore_cname_category_matches: Bool

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation: Bool

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

ip_categories: Bool

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds: Bool

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override: Attributes

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip: String

Defines the IPv4 or IPv6 address.

port: Int64

Defines a port number to use for TCP/UDP overrides.

notification_settings: Attributes

Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to block.

enabled: Bool

Enable notification.

include_context: Bool

Indicates whether to pass the context information as query parameters.

msg: String

Customize the message shown in the notification.

support_url: String

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host: String

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips: List[String]

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log: Attributes

Configure DLP payload logging. Settable only for http rules.

enabled: Bool

Enable DLP payload logging for this rule.

quarantine: Attributes

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types: List[String]

Specify the types of files to sandbox.

redirect: Attributes

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

preserve_path_and_query: Bool

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally: Attributes

Configure forwarding of the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

fallback: String

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

view_id: String

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare: Bool

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert: Attributes

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action: String

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

schedule: Attributes

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri: String

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

mon: String

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sat: String

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sun: String

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

thu: String

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

time_zone: String

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue: String

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

wed: String

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

cloudflare_zero_trust_gateway_policy

data "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
  account_id = "699d98642c564d2e855e9661899b7252"
  rule_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_gateway_policies

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

action: String

Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.

enabled: Bool

Specify whether the rule is enabled.

filters: List[String]

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

name: String

Specify the rule name.

precedence: Int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

traffic: String

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

id: String

Identify the API resource with a UUID.

created_at: Time
deleted_at: Time

Indicate the date of deletion, if any.

description: String

Specify the rule description.

device_posture: String

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

expiration: Attributes

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

expires_at: Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

duration: Int64

Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the reset_expiration endpoint on this rule.

expired: Bool

Indicates whether the policy is expired.

identity: String

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

read_only: Bool

Indicate that this rule is shared via the Orgs API and read only.

rule_settings: Attributes

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

add_headers: Map[List[String]]

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

allow_child_bypass: Bool

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.

audit_ssh: Attributes

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

command_logging: Bool

Enable SSH command logging.

biso_admin_controls: Attributes

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

copy: String

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

dcp: Bool

Set to false to enable copy-pasting. Only applies when version == "v1".

dd: Bool

Set to false to enable downloading. Only applies when version == "v1".

dk: Bool

Set to false to enable keyboard usage. Only applies when version == "v1".

download: String

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

dp: Bool

Set to false to enable printing. Only applies when version == "v1".

du: Bool

Set to false to enable uploading. Only applies when version == "v1".

keyboard: String

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

paste: String

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

printing: String

Configure print behavior. By default, printing is enabled. Applies only when version == "v2".

upload: String

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

version: String

Indicate which version of the browser isolation controls should apply.

block_page: Attributes

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

block_page_enabled: Bool

Enable the custom block page. Settable only for dns rules with action block.

block_reason: String

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.

bypass_parent_rule: Bool

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

check_session: Attributes

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

duration: String

Sets the required session freshness threshold. The API returns a normalized version of this value.

enforce: Bool

Enable session enforcement.

dns_resolvers: Attributes

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

ipv4: List[Attributes]
ip: String

Specify the IPv4 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

ipv6: List[Attributes]
ip: String

Specify the IPv6 address of the upstream resolver.

port: Int64

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

route_through_private_network: Bool

Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.

vnet_id: String

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

egress: Attributes

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

ipv4: String

Specify the IPv4 address to use for egress.

ipv4_fallback: String

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

ipv6: String

Specify the IPv6 range to use for egress.

forensic_copy: Attributes

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

enabled: Bool

Enable sending the copy to storage.

ignore_cname_category_matches: Bool

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

insecure_disable_dnssec_validation: Bool

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

ip_categories: Bool

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

ip_indicator_feeds: Bool

Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

l4override: Attributes

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

ip: String

Defines the IPv4 or IPv6 address.

port: Int64

Defines a port number to use for TCP/UDP overrides.

notification_settings: Attributes

Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to block.

enabled: Bool

Enable notification.

include_context: Bool

Indicates whether to pass the context information as query parameters.

msg: String

Customize the message shown in the notification.

support_url: String

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

override_host: String

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

override_ips: List[String]

Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

payload_log: Attributes

Configure DLP payload logging. Settable only for http rules.

enabled: Bool

Enable DLP payload logging for this rule.

quarantine: Attributes

Configure settings that apply to quarantine rules. Settable only for http rules.

file_types: List[String]

Specify the types of files to sandbox.

redirect: Attributes

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

target_uri: String

Specify the URI to which the user is redirected.

include_context: Bool

Specify whether to pass the context information as query parameters.

preserve_path_and_query: Bool

Specify whether to append the path and query parameters from the original request to target_uri.

resolve_dns_internally: Attributes

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

fallback: String

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

view_id: String

Specify the internal DNS view identifier to pass to the internal DNS service.

resolve_dns_through_cloudflare: Bool

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for dns_resolver rules.

untrusted_cert: Attributes

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

action: String

Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.

schedule: Attributes

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

fri: String

Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

mon: String

Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sat: String

Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sun: String

Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

thu: String

Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

time_zone: String

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

tue: String

Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

wed: String

Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

sharable: Bool

Indicate that this rule is sharable via the Orgs API.

source_account: String

Provide the account tag of the account that created the rule.

updated_at: Time
version: Int64

Indicate the version number of the rule (read-only).

warning_status: String

Indicate a warning for a misconfigured rule, if any.

cloudflare_zero_trust_gateway_policies

data "cloudflare_zero_trust_gateway_policies" "example_zero_trust_gateway_policies" {
  account_id = "699d98642c564d2e855e9661899b7252"
}
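
The list data source above can drive a policy audit from Terraform itself. The following is an added example, not part of the provider documentation: it reads every rule and surfaces enabled rules that disable DNSSEC validation, override untrusted-certificate handling, or carry an API warning. The data source label, local names and output names are assumptions, and the `check` block requires Terraform 1.5 or later.

```hcl
# Added example: audit Gateway rules read through the list data source.
# The label "audit" and all local/output names are assumptions for this example.
data "cloudflare_zero_trust_gateway_policies" "audit" {
  account_id = "699d98642c564d2e855e9661899b7252" # sample account ID used on this page
}

locals {
  # Only rules that are currently enforced matter for the audit.
  enabled_rules = [
    for r in data.cloudflare_zero_trust_gateway_policies.audit.result : r
    if try(r.enabled, false) == true
  ]

  # dns rules that skip DNSSEC validation (the setting the schema marks [INSECURE]).
  # try() covers rules whose rule_settings object is null.
  dnssec_disabled = [
    for r in local.enabled_rules : r.name
    if try(r.rule_settings.insecure_disable_dnssec_validation, false) == true
  ]

  # http allow rules that set an explicit action for invalid upstream
  # certificates instead of relying on the default HTTP 526 error.
  untrusted_cert_overrides = {
    for r in local.enabled_rules : r.id => {
      name   = r.name
      action = r.rule_settings.untrusted_cert.action
    }
    if try(r.rule_settings.untrusted_cert.action, null) != null
  }

  # Rules that the API itself reports as misconfigured.
  warned_rules = {
    for r in local.enabled_rules : r.id => r.warning_status
    if try(r.warning_status, null) != null && try(r.warning_status, "") != ""
  }
}

# A failed check is reported as a warning during plan and apply.
check "gateway_dnssec_validation" {
  assert {
    condition     = length(local.dnssec_disabled) == 0
    error_message = "Enabled Gateway rules disable DNSSEC validation: ${join(", ", local.dnssec_disabled)}"
  }
}

output "untrusted_cert_overrides" {
  description = "Enabled rules that set untrusted_cert.action explicitly."
  value       = local.untrusted_cert_overrides
}

output "rules_with_warnings" {
  description = "Enabled rules with a non-empty warning_status."
  value       = local.warned_rules
}
```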

GatewayCertificates

resource cloudflare_zero_trust_gateway_certificate

required
account_id: String
optional
validity_period_days?: Int64

Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). Important: This field is only settable during certificate creation. Certificates become immutable after creation; use the /activate and /deactivate endpoints to manage the certificate lifecycle.

computed
id: String

Identify the certificate with a UUID.

binding_status: String

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

certificate: String

Provide the CA certificate (read-only).

created_at: Time
expires_on: Time
fingerprint: String

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Bool

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: String

Indicate the organization that issued the certificate (read-only).

issuer_raw: String

Provide the entire issuer field of the certificate (read-only).

type: String

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

updated_at: Time
uploaded_on: Time

cloudflare_zero_trust_gateway_certificate

resource "cloudflare_zero_trust_gateway_certificate" "example_zero_trust_gateway_certificate" {
  account_id = "699d98642c564d2e855e9661899b7252"
  validity_period_days = 1826
}

data cloudflare_zero_trust_gateway_certificate

required
certificate_id: String

Identify the certificate with a UUID.

account_id: String
computed
id: String

Identify the certificate with a UUID.

binding_status: String

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

certificate: String

Provide the CA certificate (read-only).

created_at: Time
expires_on: Time
fingerprint: String

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Bool

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: String

Indicate the organization that issued the certificate (read-only).

issuer_raw: String

Provide the entire issuer field of the certificate (read-only).

type: String

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

updated_at: Time
uploaded_on: Time

cloudflare_zero_trust_gateway_certificate

data "cloudflare_zero_trust_gateway_certificate" "example_zero_trust_gateway_certificate" {
  account_id = "699d98642c564d2e855e9661899b7252"
  certificate_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_gateway_certificates

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String

Identify the certificate with a UUID.

binding_status: String

Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.

certificate: String

Provide the CA certificate (read-only).

created_at: Time
expires_on: Time
fingerprint: String

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: Bool

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: String

Indicate the organization that issued the certificate (read-only).

issuer_raw: String

Provide the entire issuer field of the certificate (read-only).

type: String

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

updated_at: Time
uploaded_on: Time

cloudflare_zero_trust_gateway_certificates

data "cloudflare_zero_trust_gateway_certificates" "example_zero_trust_gateway_certificates" {
  account_id = "699d98642c564d2e855e9661899b7252"
}
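
Because `expires_on`, `in_use` and `binding_status` are all exposed by the list data source, certificate lifecycle checks can run on every plan. The following is an added example, not part of the provider documentation: it flags certificates used for TLS interception that expire within a configurable window or are not in the 'available' state. The variable, local and check names are assumptions, and `check` and `plantimestamp()` require Terraform 1.5 or later.

```hcl
# Added example: expiry and deployment checks for Gateway CA certificates.
# The variable, local and check names are assumptions for this example.
variable "cert_expiry_window" {
  description = "How far ahead to warn about expiry, as a Terraform duration."
  type        = string
  default     = "720h" # 30 days
}

data "cloudflare_zero_trust_gateway_certificates" "all" {
  account_id = "699d98642c564d2e855e9661899b7252" # sample account ID used on this page
}

locals {
  # Timestamp after which a certificate still counts as healthy.
  expiry_deadline = timeadd(plantimestamp(), var.cert_expiry_window)

  # Certificates that Gateway TLS interception currently uses.
  certs_in_use = [
    for c in data.cloudflare_zero_trust_gateway_certificates.all.result : c
    if try(c.in_use, false) == true
  ]

  # In-use certificates that expire on or before the deadline. A missing or
  # unparseable expires_on is treated as a finding rather than ignored.
  certs_expiring = [
    for c in local.certs_in_use : "${c.id} (expires ${try(c.expires_on, "unknown")})"
    if try(timecmp(c.expires_on, local.expiry_deadline) <= 0, true)
  ]

  # In-use certificates whose edge deployment is not in the 'available' state.
  certs_not_available = [
    for c in local.certs_in_use : c.id
    if try(c.binding_status, "") != "available"
  ]
}

# Failed checks are reported as warnings during plan and apply.
check "gateway_certificate_expiry" {
  assert {
    condition     = length(local.certs_expiring) == 0
    error_message = "Gateway interception certificates near expiry: ${join(", ", local.certs_expiring)}"
  }
}

check "gateway_certificate_binding" {
  assert {
    condition     = length(local.certs_not_available) == 0
    error_message = "In-use Gateway certificates not in 'available' state: ${join(", ", local.certs_not_available)}"
  }
}
```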

GatewayPacfiles

resource cloudflare_zero_trust_gateway_pacfile

required
account_id: String
contents: String

Actual contents of the PAC file.

name: String

Name of the PAC file.

optional
slug?: String

URL-friendly version of the PAC file name. If not provided, it will be auto-generated.

description?: String

Detailed description of the PAC file.

computed
id: String
created_at: Time
updated_at: Time
url: String

Unique URL to download the PAC file.

cloudflare_zero_trust_gateway_pacfile

resource "cloudflare_zero_trust_gateway_pacfile" "example_zero_trust_gateway_pacfile" {
  account_id = "699d98642c564d2e855e9661899b7252"
  contents = "function FindProxyForURL(url, host) { return \"DIRECT\"; }"
  name = "Devops team"
  description = "PAC file for Devops team"
  slug = "pac_devops"
}

data cloudflare_zero_trust_gateway_pacfile

required
pacfile_id: String
account_id: String
computed
id: String
contents: String

Actual contents of the PAC file.

created_at: Time
description: String

Detailed description of the PAC file.

name: String

Name of the PAC file.

slug: String

URL-friendly version of the PAC file name.

updated_at: Time
url: String

Unique URL to download the PAC file.

cloudflare_zero_trust_gateway_pacfile

data "cloudflare_zero_trust_gateway_pacfile" "example_zero_trust_gateway_pacfile" {
  account_id = "699d98642c564d2e855e9661899b7252"
  pacfile_id = "ed35569b41ce4d1facfe683550f54086"
}

data cloudflare_zero_trust_gateway_pacfiles

required
account_id: String
optional
max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
description: String

Detailed description of the PAC file.

name: String

Name of the PAC file.

slug: String

URL-friendly version of the PAC file name.

updated_at: Time
url: String

Unique URL to download the PAC file.

cloudflare_zero_trust_gateway_pacfiles

data "cloudflare_zero_trust_gateway_pacfiles" "example_zero_trust_gateway_pacfiles" {
  account_id = "699d98642c564d2e855e9661899b7252"
}