Cloudflare Docs

Terraform configuration examples

The following Terraform configuration examples address common scenarios for managing, configuring, and using leaked credentials detection.

For more information, refer to the Terraform Cloudflare provider documentation.

If you are using the Cloudflare API, refer to Common API calls.

Enable leaked credentials detection

Use the cloudflare_leaked_credential_check resource to enable leaked credentials detection for a zone. For example:

resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
  zone_id = "<ZONE_ID>"
  enabled = true
}

Configure a custom detection location

Use the cloudflare_leaked_credential_check_rule resource to add a custom detection location. For example:

resource "cloudflare_leaked_credential_check_rule" "custom_location_example" {
  zone_id  = "<ZONE_ID>"
  username = "lookup_json_string(http.request.body.raw, \"user\")"
  password = "lookup_json_string(http.request.body.raw, \"secret\")"
}

You only need to provide an expression for the username in custom detection locations.

Add a custom rule to challenge requests with leaked credentials

This example adds a custom rule that challenges requests with leaked credentials by using one of the leaked credentials fields in the rule expression.

To use the cf.waf.credential_check.username_and_password_leaked field, you must enable leaked credentials detection.

resource "cloudflare_ruleset" "zone_custom_firewall_leaked_creds" {
  zone_id     = "<ZONE_ID>"
  name        = "Phase entry point ruleset for custom rules in my zone"
  description = ""
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    ref         = "challenge_leaked_username_password"
    description = "Challenge requests with a leaked username and password"
    expression  = "(cf.waf.credential_check.username_and_password_leaked)"
    action      = "managed_challenge"
  }
}
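
Because a rule that uses a leaked credentials field depends on detection being enabled for the zone, a plan can be checked for that requirement before it is applied. The following Python check is an added example, not part of the Cloudflare documentation or provider. It assumes the plan was exported with terraform show -json; the function names, resource addresses and zone IDs in the sample are constructed. It only sees resources in the plan, so detection enabled through the dashboard or API is not counted.

```python
# Prefix shared by the leaked credentials fields, such as the page's
# cf.waf.credential_check.username_and_password_leaked.
LCC_FIELD_PREFIX = "cf.waf.credential_check."

def walk_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def find_unbacked_rules(plan):
    """Return (ruleset address, rule ref) for rules that use a leaked
    credentials field in a zone with no enabled detection in the same plan."""
    root = plan.get("planned_values", {}).get("root_module", {})
    resources = list(walk_resources(root))
    enabled_zones = {
        r["values"].get("zone_id") for r in resources
        if r["type"] == "cloudflare_leaked_credential_check"
        and r["values"].get("enabled") is True
    }
    enabled_zones.discard(None)  # zone_id unknown at plan time: cannot match
    findings = []
    for r in resources:
        if r["type"] != "cloudflare_ruleset":
            continue
        zone = r["values"].get("zone_id")
        for rule in r["values"].get("rules") or []:
            uses_field = LCC_FIELD_PREFIX in (rule.get("expression") or "")
            if uses_field and zone not in enabled_zones:
                findings.append((r["address"], rule.get("ref")))
    return findings

# Constructed sample in the shape of `terraform show -json` output (hypothetical zones).
EXPR = "(cf.waf.credential_check.username_and_password_leaked)"  # expression from the page
RULE = {"ref": "challenge_leaked_username_password", "expression": EXPR}
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "cloudflare_leaked_credential_check.zone_a",
     "type": "cloudflare_leaked_credential_check",
     "values": {"zone_id": "zone-a-placeholder", "enabled": True}},
    {"address": "cloudflare_ruleset.zone_a_rules", "type": "cloudflare_ruleset",
     "values": {"zone_id": "zone-a-placeholder", "rules": [RULE]}},
    {"address": "cloudflare_ruleset.zone_b_rules", "type": "cloudflare_ruleset",
     "values": {"zone_id": "zone-b-placeholder", "rules": [RULE]}},
]}}}

if __name__ == "__main__":
    for address, ref in find_unbacked_rules(SAMPLE_PLAN):
        print(f"{address}: rule {ref!r} needs leaked credentials detection enabled for its zone")
```

A rule whose zone_id is not yet known at plan time is reported as well, since the check cannot confirm that detection covers it.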

More resources

For additional Terraform configuration examples, refer to WAF custom rules configuration using Terraform.