Configurations

resource cloudflare_zero_trust_gateway_settings

required
account_id: String
optional
settings?: Attributes

Specify account settings.

activity_log?: Attributes

Specify activity log settings.

enabled?: Bool

Specify whether to log activity.

antivirus?: Attributes

Specify anti-virus settings.

enabled_download_phase?: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase?: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed?: Bool

Specify whether to block requests for unscannable files.

notification_settings?: Attributes

Configure the message the user's device shows during an antivirus scan.

enabled?: Bool

Specify whether to enable notifications.

include_context?: Bool

Specify whether to include context information as query parameters.

msg?: String

Specify the message to show in the notification.

support_url?: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page?: Attributes

Specify block page layout settings.

background_color?: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled?: Bool

Specify whether to enable the custom block page.

header_text?: String

Specify the block page header text when the mode is customized_block_page.

include_context?: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path?: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address?: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject?: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode?: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name?: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri?: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning?: Attributes

Specify the DLP inspection mode.

inspection_mode?: String

Specify the inspection mode as either deep or shallow.

browser_isolation?: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled?: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled?: Bool

Specify whether to enable Clientless Browser Isolation.

certificate?: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate?: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id?: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time

extended_email_matching?: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled?: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only?: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account?: String

Indicate the account tag of the account that shared this setting.

version?: Int64

Indicate the version number of the setting.

fips?: Attributes

Specify FIPS settings.

tls?: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector?: Attributes

Enable host selection in egress policies.

enabled?: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection?: Attributes

Define the proxy inspection mode.

mode?: String

Define the proxy inspection mode.

1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

protocol_detection?: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled?: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox?: Attributes

Specify whether to enable the sandbox.

enabled?: Bool

Specify whether to enable the sandbox.

fallback_action?: String

Specify the action to take when the system cannot scan the file.

tls_decrypt?: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled?: Bool

Specify whether to inspect encrypted HTTP traffic.

computed
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_gateway_settings

resource "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
  settings = {
    activity_log = {
      enabled = true
    }
    antivirus = {
      enabled_download_phase = false
      enabled_upload_phase = false
      fail_closed = false
      notification_settings = {
        enabled = true
        include_context = true
        msg = "msg"
        support_url = "support_url"
      }
    }
    block_page = {
      background_color = "background_color"
      enabled = true
      footer_text = "--footer--"
      header_text = "--header--"
      include_context = true
      logo_path = "https://logos.com/a.png"
      mailto_address = "admin@example.com"
      mailto_subject = "Blocked User Inquiry"
      mode = ""
      name = "Cloudflare"
      suppress_footer = false
      target_uri = "https://example.com"
    }
    body_scanning = {
      inspection_mode = "deep"
    }
    browser_isolation = {
      non_identity_enabled = true
      url_browser_isolation_enabled = true
    }
    certificate = {
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }
    custom_certificate = {
      enabled = true
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }
    extended_email_matching = {
      enabled = true
    }
    fips = {
      tls = true
    }
    host_selector = {
      enabled = false
    }
    inspection = {
      mode = "static"
    }
    protocol_detection = {
      enabled = true
    }
    sandbox = {
      enabled = true
      fallback_action = "allow"
    }
    tls_decrypt = {
      enabled = true
    }
  }
}
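The example above leaves anti-virus scanning off, lets unscannable files through (fail_closed = false, fallback_action = "allow"), and does not tie the inspection mode to TLS decryption. The following variant is an added example, not part of the provider documentation: it sets the fail-closed choices and uses a precondition to enforce the rule that dynamic inspection needs TLS decryption on. The resource label "hardened", the variable account_id, and the two locals are assumptions made for illustration.

```hcl
# Added example. var.account_id, the locals and the "hardened" label are
# illustrative names, not taken from the provider documentation.
variable "account_id" {
  type = string
}

locals {
  inspection_mode = "dynamic" # "static" or "dynamic", as described above
  tls_decrypt     = true
}

resource "cloudflare_zero_trust_gateway_settings" "hardened" {
  account_id = var.account_id
  settings = {
    activity_log = {
      enabled = true
    }
    antivirus = {
      enabled_download_phase = true
      enabled_upload_phase   = true
      fail_closed            = true # block requests for unscannable files
    }
    sandbox = {
      enabled         = true
      fallback_action = "block" # counterpart of "allow" in the example above
    }
    tls_decrypt = {
      enabled = local.tls_decrypt
    }
    inspection = {
      mode = local.inspection_mode
    }
    body_scanning = {
      inspection_mode = "deep"
    }
  }

  lifecycle {
    # Dynamic inspection only sees HTTPS when TLS decryption stays on,
    # so reject the combination at plan time instead of losing coverage.
    precondition {
      condition     = local.inspection_mode != "dynamic" || local.tls_decrypt
      error_message = "inspection.mode = \"dynamic\" requires tls_decrypt.enabled = true."
    }
  }
}
```

Setting local.tls_decrypt to false while the mode is "dynamic" makes terraform plan fail with the error message above.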

data cloudflare_zero_trust_gateway_settings

required
account_id: String
computed
id: String
created_at: Time
updated_at: Time
settings: Attributes

Specify account settings.

activity_log: Attributes

Specify activity log settings.

enabled: Bool

Specify whether to log activity.

antivirus: Attributes

Specify anti-virus settings.

enabled_download_phase: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed: Bool

Specify whether to block requests for unscannable files.

notification_settings: Attributes

Configure the message the user's device shows during an antivirus scan.

enabled: Bool

Specify whether to enable notifications.

include_context: Bool

Specify whether to include context information as query parameters.

msg: String

Specify the message to show in the notification.

support_url: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page: Attributes

Specify block page layout settings.

background_color: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled: Bool

Specify whether to enable the custom block page.

header_text: String

Specify the block page header text when the mode is customized_block_page.

include_context: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning: Attributes

Specify the DLP inspection mode.

inspection_mode: String

Specify the inspection mode as either deep or shallow.

browser_isolation: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled: Bool

Specify whether to enable Clientless Browser Isolation.

certificate: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time

extended_email_matching: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

version: Int64

Indicate the version number of the setting.

fips: Attributes

Specify FIPS settings.

tls: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector: Attributes

Enable host selection in egress policies.

enabled: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection: Attributes

Define the proxy inspection mode.

mode: String

Define the proxy inspection mode.

1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

protocol_detection: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox: Attributes

Specify whether to enable the sandbox.

enabled: Bool

Specify whether to enable the sandbox.

fallback_action: String

Specify the action to take when the system cannot scan the file.

tls_decrypt: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled: Bool

Specify whether to inspect encrypted HTTP traffic.

cloudflare_zero_trust_gateway_settings

data "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
}