API Reference

Zero Trust

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Organizations

resource cloudflare_zero_trust_organization

optional Expand Collapse

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

auth_domain?: String

The unique subdomain assigned to your Zero Trust organization.

deny_unmatched_requests?: Bool

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

name?: String

The name of your Zero Trust organization.

session_duration?: String

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

user_seat_expiration_inactive_time?: String

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration?: String

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

deny_unmatched_requests_exempted_zone_names?: List[String]

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

custom_pages?: Attributes

forbidden?: String

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied?: String

The uid of the custom page to use when a user is denied access.

login_design?: Attributes

background_color?: String

The background color on your login page.

footer_text?: String

The text at the bottom of your login page.

header_text?: String

The text at the top of your login page.

logo_path?: String

The URL of the logo on your login page.

text_color?: String

The text color on your login page.

mfa_config?: Attributes

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators?: List[String]

Lists the MFA methods that users can authenticate with.

session_duration?: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

allow_authenticate_via_warp?: Bool

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auto_redirect_to_identity?: Bool

When set to true, users skip the identity provider selection step during login.

is_ui_read_only?: Bool

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

mfa_required_for_all_apps?: Bool

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

ui_read_only_toggle_reason?: String

A description of the reason why the UI read only field is being toggled.

computed Expand Collapse

created_at: Time

updated_at: Time

cloudflare_zero_trust_organization

Terraform

HTTP

TypeScript

Python

Go

Terraform

resource "cloudflare_zero_trust_organization" "example_zero_trust_organization" {
  zone_id = "zone_id"
  allow_authenticate_via_warp = true
  auth_domain = "test.cloudflareaccess.com"
  auto_redirect_to_identity = true
  custom_pages = {
    forbidden = "699d98642c564d2e855e9661899b7252"
    identity_denied = "699d98642c564d2e855e9661899b7252"
  }
  deny_unmatched_requests = true
  deny_unmatched_requests_exempted_zone_names = ["example.com"]
  is_ui_read_only = true
  login_design = {
    background_color = "#c5ed1b"
    footer_text = "This is an example description."
    header_text = "This is an example description."
    logo_path = "https://example.com/logo.png"
    text_color = "#c5ed1b"
  }
  mfa_config = {
    allowed_authenticators = ["totp", "biometrics", "security_key"]
    session_duration = "24h"
  }
  mfa_required_for_all_apps = false
  name = "Widget Corps Internal Applications"
  session_duration = "24h"
  ui_read_only_toggle_reason = "Temporarily turn off the UI read only lock to make a change via the UI"
  user_seat_expiration_inactive_time = "730h"
  warp_auth_session_duration = "24h"
}

data cloudflare_zero_trust_organization

optional Expand Collapse

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse

allow_authenticate_via_warp: Bool

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: String

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: Bool

When set to true, users skip the identity provider selection step during login.

created_at: Time

deny_unmatched_requests: Bool

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

is_ui_read_only: Bool

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

mfa_required_for_all_apps: Bool

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

name: String

The name of your Zero Trust organization.

session_duration: String

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: String

A description of the reason why the UI read only field is being toggled.

updated_at: Time

user_seat_expiration_inactive_time: String

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: String

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

deny_unmatched_requests_exempted_zone_names: List[String]

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

custom_pages: Attributes

forbidden: String

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: String

The uid of the custom page to use when a user is denied access.

login_design: Attributes

background_color: String

The background color on your login page.

footer_text: String

The text at the bottom of your login page.

header_text: String

The text at the top of your login page.

logo_path: String

The URL of the logo on your login page.

text_color: String

The text color on your login page.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

cloudflare_zero_trust_organization

Terraform

HTTP

TypeScript

Python

Go

Terraform

data "cloudflare_zero_trust_organization" "example_zero_trust_organization" {
  account_id = "account_id"
  zone_id = "zone_id"
}