
Zero Trust

Zero Trust > Devices > DEX Tests

resource cloudflare_zero_trust_dex_test

required Expand Collapse
account_id: String

Unique identifier linked to an account.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method?: String

The HTTP request method type.

optional Expand Collapse
description?: String

Additional details about the test.

target_policies?: List[Attributes]

DEX rules targeted by this test

id: String

The id of the DEX rule.

default: Bool

Whether the DEX rule is the account default.

name: String

The name of the DEX rule.

computed Expand Collapse
id: String

The unique identifier for the test.

test_id: String

The unique identifier for the test.

targeted: Bool

cloudflare_zero_trust_dex_test

# DEX test definition: the WARP client conducts the test described in `data`
# at the cadence given by `interval`.
resource "cloudflare_zero_trust_dex_test" "example_zero_trust_dex_test" {
  account_id  = "01a7362d577a6c3019a474fd6f485823"
  name        = "HTTP dash health check" # must be unique
  description = "Checks the dash endpoint every 30 minutes"
  enabled     = true
  interval    = "30m"

  # Probe configuration handed to the WARP client. The host is stored as plain
  # configuration, so keep credentials and tokens out of the URL.
  data = {
    kind   = "http"
    method = "GET"
    host   = "https://dash.cloudflare.com"
  }

  # DEX rules targeted by this test.
  target_policies = [{
    id      = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
    name    = "name"
    default = true
  }]
}

data cloudflare_zero_trust_dex_test

required Expand Collapse
account_id: String

Unique identifier linked to an account.

optional Expand Collapse
dex_test_id?: String

The unique identifier for the test.

filter?: Attributes
kind?: String

Filter by test type.

test_name?: String

Filter by test name.

computed Expand Collapse
id: String

The unique identifier for the test.

description: String

Additional details about the test.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

targeted: Bool
test_id: String

The unique identifier for the test.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

target_policies: List[Attributes]

DEX rules targeted by this test

id: String

The id of the DEX rule.

default: Bool

Whether the DEX rule is the account default.

name: String

The name of the DEX rule.

cloudflare_zero_trust_dex_test

# Read a single DEX test. `dex_test_id` is optional in the schema; the
# `filter` attribute (kind / test_name) is the documented alternative.
data "cloudflare_zero_trust_dex_test" "example_zero_trust_dex_test" {
  dex_test_id = "372e67954025e0ba6aaa6d586b9e0b59"
  account_id  = "01a7362d577a6c3019a474fd6f485823"
}

data cloudflare_zero_trust_dex_tests

required Expand Collapse
account_id: String

Unique identifier linked to an account.

optional Expand Collapse
kind?: String

Filter by test type.

test_name?: String

Filter by test name.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The unique identifier for the test.

data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool

Determines whether or not the test is active.

interval: String

How often the test will run.

name: String

The name of the DEX test. Must be unique.

description: String

Additional details about the test.

target_policies: List[Attributes]

DEX rules targeted by this test

id: String

The id of the DEX rule.

default: Bool

Whether the DEX rule is the account default.

name: String

The name of the DEX rule.

targeted: Bool
test_id: String

The unique identifier for the test.

cloudflare_zero_trust_dex_tests

# List the DEX tests of an account, narrowed by the optional `kind` and
# `test_name` filters. `max_items` is not set here, so the documented default
# of 1000 applies.
data "cloudflare_zero_trust_dex_tests" "example_zero_trust_dex_tests" {
  account_id = "01a7362d577a6c3019a474fd6f485823"

  # Optional filters.
  test_name = "testName"
  kind      = "http"
}

Zero Trust > Devices > IP Profiles

resource cloudflare_zero_trust_device_ip_profile

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

optional Expand Collapse
description?: String

An optional description of the Device IP profile.

enabled?: Bool

Whether the Device IP profile will be applied to matching devices.

computed Expand Collapse
id: String

The ID of the Device IP profile.

created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profile

# Device IP profile: registrations matching the wirefilter expression in
# `match` are associated with the subnet referenced by `subnet_id`.
resource "cloudflare_zero_trust_device_ip_profile" "example_zero_trust_device_ip_profile" {
  account_id  = "account_id"
  name        = "IPv4 Cloudflare Source IPs"
  description = "example comment"
  enabled     = true

  # Profiles are evaluated in ascending order of `precedence` (lower value =
  # higher precedence), so when several expressions can match the same
  # registration the lowest number wins. Keep broad expressions at higher
  # numbers than narrow ones.
  precedence = 100
  match      = "identity.email == \"test@cloudflare.com\""

  subnet_id = "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_ip_profile

required Expand Collapse
profile_id: String
account_id: String
computed Expand Collapse
id: String
created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

description: String

An optional description of the Device IP profile.

enabled: Bool

Whether the Device IP profile is enabled.

match: String

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profile

# Read one Device IP profile; both arguments are required.
data "cloudflare_zero_trust_device_ip_profile" "example_zero_trust_device_ip_profile" {
  profile_id = "profile_id"
  account_id = "account_id"
}

data cloudflare_zero_trust_device_ip_profiles

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the Device IP profile.

created_at: String

The RFC3339Nano timestamp when the Device IP profile was created.

description: String

An optional description of the Device IP profile.

enabled: Bool

Whether the Device IP profile is enabled.

match: String

The wirefilter expression to match registrations. Available values: “identity.name”, “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.saml_attributes”.

name: String

A user-friendly name for the Device IP profile.

precedence: Int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

subnet_id: String

The ID of the Subnet.

updated_at: String

The RFC3339Nano timestamp when the Device IP profile was last updated.

cloudflare_zero_trust_device_ip_profiles

# List the Device IP profiles of an account. `max_items` is not set, so the
# documented default of 1000 items applies.
data "cloudflare_zero_trust_device_ip_profiles" "example_zero_trust_device_ip_profiles" {
  account_id = "account_id"
}

Zero Trust > Devices > Deployment Groups

resource cloudflare_zero_trust_device_deployment_groups

required Expand Collapse
account_id: String
name: String

A user-friendly name for the deployment group.

version_config: List[Attributes]

Contains at least one version configuration.

target_environment: String

The target environment for the client version (e.g., windows, macos).

version: String

The specific client version to deploy.

optional Expand Collapse
policy_ids?: List[String]

Contains an optional list of policy IDs assigned to a group.

computed Expand Collapse
id: String

The ID of the deployment group.

created_at: String

The RFC3339Nano timestamp when the deployment group was created.

updated_at: String

The RFC3339Nano timestamp when the deployment group was last updated.

cloudflare_zero_trust_device_deployment_groups

# Deployment group: ties a specific client version per target environment to
# an optional list of policy IDs.
resource "cloudflare_zero_trust_device_deployment_groups" "example_zero_trust_device_deployment_groups" {
  account_id = "account_id"
  name       = "Engineering Ring 0"

  # Optional: policy IDs assigned to this group.
  policy_ids = ["string"]

  # At least one entry is required. `version` names the exact client version
  # to deploy, so revisit it when a newer client release should be rolled out.
  version_config = [{
    version            = "2026.6.234.0"
    target_environment = "windows"
  }]
}

data cloudflare_zero_trust_device_deployment_groups

required Expand Collapse
group_id: String
account_id: String
computed Expand Collapse
id: String
created_at: String

The RFC3339Nano timestamp when the deployment group was created.

name: String

A user-friendly name for the deployment group.

updated_at: String

The RFC3339Nano timestamp when the deployment group was last updated.

policy_ids: List[String]

Contains a list of policy IDs assigned to this deployment group.

version_config: List[Attributes]

Contains version configurations for different target environments.

target_environment: String

The target environment for the client version (e.g., windows, macos).

version: String

The specific client version to deploy.

cloudflare_zero_trust_device_deployment_groups

# Read one deployment group; both arguments are required.
data "cloudflare_zero_trust_device_deployment_groups" "example_zero_trust_device_deployment_groups" {
  group_id   = "group_id"
  account_id = "account_id"
}

data cloudflare_zero_trust_device_deployment_groups_list

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the deployment group.

created_at: String

The RFC3339Nano timestamp when the deployment group was created.

name: String

A user-friendly name for the deployment group.

updated_at: String

The RFC3339Nano timestamp when the deployment group was last updated.

version_config: List[Attributes]

Contains version configurations for different target environments.

target_environment: String

The target environment for the client version (e.g., windows, macos).

version: String

The specific client version to deploy.

policy_ids: List[String]

Contains a list of policy IDs assigned to this deployment group.

cloudflare_zero_trust_device_deployment_groups_list

# List the deployment groups of an account. `max_items` is not set, so the
# documented default of 1000 items applies.
data "cloudflare_zero_trust_device_deployment_groups_list" "example_zero_trust_device_deployment_groups_list" {
  account_id = "account_id"
}

Zero Trust > Devices > Networks

resource cloudflare_zero_trust_device_managed_networks

required Expand Collapse
account_id: String
name: String

The name of the device managed network. This name must be unique.

type: String

The type of device managed network.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256?: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

computed Expand Collapse
id: String

API UUID.

network_id: String

API UUID.

cloudflare_zero_trust_device_managed_networks

# Managed network: the WARP client detects it by finding the TLS host
# described in `config`.
resource "cloudflare_zero_trust_device_managed_networks" "example_zero_trust_device_managed_networks" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "managed-network-1" # must be unique
  type       = "tls"

  config = {
    # SHA-256 hash of the TLS certificate presented at tls_sockaddr. When this
    # is omitted, regular certificate verification (trusted roots, valid
    # timestamp, etc.) is used instead. The hash is tied to one certificate,
    # so update it when that certificate is replaced.
    sha256       = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    tls_sockaddr = "foo.bar:1234" # "host:port" of the beacon TLS host
  }
}

data cloudflare_zero_trust_device_managed_networks

required Expand Collapse
network_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

name: String

The name of the device managed network. This name must be unique.

type: String

The type of device managed network.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

cloudflare_zero_trust_device_managed_networks

# Read one managed network by its API UUID; both arguments are required.
data "cloudflare_zero_trust_device_managed_networks" "example_zero_trust_device_managed_networks" {
  network_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_device_managed_networks_list

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

config: Attributes

The configuration object containing information for the WARP client to detect the managed network.

tls_sockaddr: String

A network address of the form “host:port” that the WARP client will use to detect the presence of a TLS host.

sha256: String

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

name: String

The name of the device managed network. This name must be unique.

network_id: String

API UUID.

type: String

The type of device managed network.

cloudflare_zero_trust_device_managed_networks_list

# List the managed networks of an account. `max_items` is not set, so the
# documented default of 1000 items applies. Each result carries the `config`
# object, including the `sha256` certificate hash when one is configured.
data "cloudflare_zero_trust_device_managed_networks_list" "example_zero_trust_device_managed_networks_list" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Default

resource cloudflare_zero_trust_device_default_profile

required Expand Collapse
account_id: String
optional Expand Collapse
lan_allow_minutes?: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

global_acceleration?: Attributes

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[String]

IP:port entries for the API endpoints.

enabled: Bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[String]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[String]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

virtual_networks?: Attributes

Virtual network access settings for the device.

allowed: List[String]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: String

The default virtual network ID. Must be included in the allowed list.

allow_mode_switch?: Bool

Whether to allow the user to switch WARP between modes.

allow_updates?: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: Bool

Whether to allow devices to leave the organization.

auto_connect?: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: Float64

Turn on the captive portal after the specified amount of time.

disable_auto_fallback?: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

exclude_office_ips?: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

register_interface_ip_with_dns?: Bool

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url?: String

The URL to launch when the Send Feedback button is clicked.

switch_locked?: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client. When true, the switch is locked and the user cannot turn WARP off.

tunnel_protocol?: String

Determines which tunnel protocol to use.

dns_search_suffixes?: List[Attributes]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: String

The DNS search suffix to append when resolving short hostnames.

description?: String

A description of the DNS search suffix.

exclude?: List[Attributes]

List of routes excluded in the WARP client’s tunnel. ‘exclude’ and ‘include’ cannot both be set in the same request.

address?: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

include?: List[Attributes]

List of routes included in the WARP client’s tunnel. ‘exclude’ and ‘include’ cannot both be set in the same request.

address?: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2?: Attributes
mode?: String

The mode to run the WARP client under.

port?: Float64

The port number when used with proxy mode.

computed Expand Collapse
id: String
default: Bool

Whether the policy will be applied to matching devices.

enabled: Bool

Whether the policy will be applied to matching devices.

gateway_unique_id: String
policy_id: String
fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_default_profile

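# Default device settings profile for the account.
#
# The attribute reference states that `exclude` and `include` cannot both be
# set in the same request, so this example configures `exclude` only and shows
# `include` as a commented alternative.
resource "cloudflare_zero_trust_device_default_profile" "example_zero_trust_device_default_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # --- What the end user may change on the client ---------------------------
  allow_mode_switch = true # user may switch WARP between modes
  allow_updates     = true # user receives update notifications
  allowed_to_leave  = true # devices may leave the organization
  switch_locked     = true # true locks the WARP switch; user cannot disconnect

  # --- Connection behaviour -------------------------------------------------
  auto_connect    = 0   # seconds before reconnecting after being disabled
  captive_portal  = 180 # captive portal turns on after this amount of time
  tunnel_protocol = "wireguard"
  service_mode_v2 = {
    mode = "proxy"
    port = 3000 # only meaningful with proxy mode
  }
  support_url = "https://1.1.1.1/help"

  # --- Local network access -------------------------------------------------
  # Minutes a user is allowed access to their LAN; 0 would allow it until the
  # next WARP reconnection.
  lan_allow_minutes     = 30
  lan_allow_subnet_size = 24

  # --- DNS ------------------------------------------------------------------
  # With this set to true the client does not fall back to a best guess of the
  # system DNS resolvers when a fallback domain has no dns_server.
  disable_auto_fallback          = true
  register_interface_ip_with_dns = true
  dns_search_suffixes = [{
    suffix      = "internal.corp"
    description = "Example internal domains"
  }]

  # --- Split tunnel ---------------------------------------------------------
  # Traffic to excluded routes does not go through the WARP tunnel, so keep
  # this list as narrow as possible.
  exclude = [{
    address     = "192.0.2.0/24"
    description = "Exclude testing domains from the tunnel"
  }]
  # Alternative: replace `exclude` above with `include` (never set both).
  # include = [{
  #   address     = "192.0.2.0/24"
  #   description = "Include testing domains in the tunnel"
  # }]
  exclude_office_ips = true # adds Microsoft IPs to the Split Tunnel exclusions

  # --- Global Acceleration (China) ------------------------------------------
  # Used only when `enabled` is true; clients then connect to these addresses
  # instead of the default ones. Either wireguard_endpoints or
  # masque_endpoints must be provided.
  global_acceleration = {
    enabled             = true
    api_endpoints       = ["198.51.100.1:443"]
    masque_endpoints    = ["198.51.100.1:443"]
    wireguard_endpoints = ["198.51.100.1:2408"]
  }

  # --- Other ----------------------------------------------------------------
  sccm_vpn_boundary_support = false # Windows only

  # `default` must be one of the IDs in `allowed`.
  virtual_networks = {
    allowed = ["f174e90a-fafe-4643-bbbc-4a0ed4fc8415"]
    default = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}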

data cloudflare_zero_trust_device_default_profile

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy will be applied to matching devices.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

gateway_unique_id: String
policy_id: String
register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client. When true, the switch is locked and the user cannot turn WARP off.

tunnel_protocol: String

Determines which tunnel protocol to use.

dns_search_suffixes: List[Attributes]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: String

The DNS search suffix to append when resolving short hostnames.

description: String

A description of the DNS search suffix.

exclude: List[Attributes]

List of routes excluded in the WARP client’s tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

global_acceleration: Attributes

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[String]

IP:port entries for the API endpoints.

enabled: Bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[String]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[String]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: List[Attributes]

List of routes included in the WARP client’s tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

virtual_networks: Attributes

Virtual network access settings for the device.

allowed: List[String]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: String

The default virtual network ID. Must be included in the allowed list.

cloudflare_zero_trust_device_default_profile

# Read the account's default device settings profile. Only `account_id` is
# required; every other attribute (split tunnel lists, fallback domains,
# switch_locked, allowed_to_leave, ...) is computed and can be used to audit
# the settings currently in effect.
data "cloudflare_zero_trust_device_default_profile" "example_zero_trust_device_default_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Default > Fallback Domains

resource cloudflare_zero_trust_device_default_profile_local_domain_fallback

required Expand Collapse
account_id: String
domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description?: String

A description of the fallback domain, displayed in the client UI.

dns_server?: List[String]

A list of IP addresses to handle domain resolution.

computed Expand Collapse
id: String

cloudflare_zero_trust_device_default_profile_local_domain_fallback

# Local Domain Fallback entries for the default device profile: names ending
# in `suffix` are resolved locally, using the addresses in `dns_server` when
# that list is given.
resource "cloudflare_zero_trust_device_default_profile_local_domain_fallback" "example_zero_trust_device_default_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"

  domains = [{
    # `description` is displayed in the client UI.
    description = "Domain bypass for local development"
    suffix      = "example.com"
    # Optional. These resolvers answer every query under `suffix`, so list
    # only servers you trust for that domain.
    dns_server = ["1.1.1.1"]
  }]
}

data cloudflare_zero_trust_device_default_profile_local_domain_fallback

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
description: String

A description of the fallback domain, displayed in the client UI.

suffix: String

The domain suffix to match when resolving locally.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_default_profile_local_domain_fallback

# Read the fallback-domain settings of the account's default device profile
# (suffix, description and dns_server are computed).
data "cloudflare_zero_trust_device_default_profile_local_domain_fallback" "example_zero_trust_device_default_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Default > Certificates

resource cloudflare_zero_trust_device_default_profile_certificates

required Expand Collapse
zone_id: String
enabled: Bool

The current status of the device policy certificate provisioning feature for WARP clients.

cloudflare_zero_trust_device_default_profile_certificates

# Turns the device policy certificate provisioning feature for WARP clients
# on or off. Note that this resource is keyed by `zone_id`, not `account_id`.
resource "cloudflare_zero_trust_device_default_profile_certificates" "example_zero_trust_device_default_profile_certificates" {
  enabled = true
  zone_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_device_default_profile_certificates

required Expand Collapse
zone_id: String
computed Expand Collapse
enabled: Bool

The current status of the device policy certificate provisioning feature for WARP clients.

cloudflare_zero_trust_device_default_profile_certificates

# Read the current status (`enabled`) of device policy certificate
# provisioning for WARP clients; the lookup is by `zone_id`.
data "cloudflare_zero_trust_device_default_profile_certificates" "example_zero_trust_device_default_profile_certificates" {
  zone_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Custom

resource cloudflare_zero_trust_device_custom_profile

required Expand Collapse
account_id: String
match: String

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

name: String

The name of the device settings profile.

precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

optional Expand Collapse
lan_allow_minutes?: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size?: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

global_acceleration?: Attributes

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[String]

IP:port entries for the API endpoints.

enabled: Bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[String]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[String]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

virtual_networks?: Attributes

Virtual network access settings for the device.

allowed: List[String]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: String

The default virtual network ID. Must be included in the allowed list.

allow_mode_switch?: Bool

Whether to allow the user to switch WARP between modes.

allow_updates?: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave?: Bool

Whether to allow devices to leave the organization.

auto_connect?: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal?: Float64

Turn on the captive portal after the specified amount of time.

description?: String

A description of the policy.

disable_auto_fallback?: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled?: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips?: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

register_interface_ip_with_dns?: Bool

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support?: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url?: String

The URL to launch when the Send Feedback button is clicked.

switch_locked?: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client. When true, the switch is locked and the user cannot turn WARP off.

tunnel_protocol?: String

Determines which tunnel protocol to use.

dns_search_suffixes?: List[Attributes]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: String

The DNS search suffix to append when resolving short hostnames.

description?: String

A description of the DNS search suffix.

exclude?: List[Attributes]

List of routes excluded in the WARP client’s tunnel. ‘exclude’ and ‘include’ cannot both be set in the same request.

address?: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

include?: List[Attributes]

List of routes included in the WARP client’s tunnel. Both ‘exclude’ and ‘include’ cannot be set in the same request.

address?: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description?: String

A description of the Split Tunnel item, displayed in the client UI.

host?: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2?: Attributes
mode?: String

The mode to run the WARP client under.

port?: Float64

The port number when used with proxy mode.

computed Expand Collapse
id: String
policy_id: String
default: Bool

Whether the policy is the default policy for an account.

gateway_unique_id: String
fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

cloudflare_zero_trust_device_custom_profile

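# Example custom device settings profile. The values are illustrative; review
# every user-facing control (mode switch, leave, switch lock, LAN access, split
# tunnel) against your own endpoint policy before applying.
resource "cloudflare_zero_trust_device_custom_profile" "example_zero_trust_device_custom_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"
  # Wirefilter expression selecting the devices this profile applies to.
  match = "identity.email == \"test@cloudflare.com\""
  name = "Allow Developers"
  # Lower values are evaluated first; profiles are evaluated in ascending order.
  precedence = 100
  # Permissive in this example: users may switch WARP modes and devices may
  # leave the organization.
  allow_mode_switch = true
  allow_updates = true
  allowed_to_leave = true
  auto_connect = 0
  captive_portal = 180
  description = "Policy for test teams."
  # true: when a fallback domain has no dns_server, the client does NOT fall
  # back to a best guess of the default/system DNS resolvers.
  disable_auto_fallback = true
  dns_search_suffixes = [{
    suffix = "internal.corp"
    description = "Example internal domains"
  }]
  enabled = true
  # Split tunnel, exclude mode: these routes stay outside the WARP tunnel.
  # Keep the list as narrow as possible and review it like a firewall exception.
  exclude = [{
    address = "192.0.2.0/24"
    description = "Exclude testing domains from the tunnel"
  }]
  exclude_office_ips = true
  # Global Acceleration has to be enabled on the account before it is used.
  # Either wireguard_endpoints or masque_endpoints must be provided.
  global_acceleration = {
    api_endpoints = ["198.51.100.1:443"]
    enabled = true
    masque_endpoints = ["198.51.100.1:443"]
    wireguard_endpoints = ["198.51.100.1:2408"]
  }
  # NOTE: 'exclude' and 'include' cannot be set in the same request, so only
  # one split-tunnel mode can be active per profile. To use include mode,
  # remove the 'exclude' block above and uncomment this one:
  # include = [{
  #   address = "192.0.2.0/24"
  #   description = "Include testing domains in the tunnel"
  # }]
  # Users may reach their LAN for 30 minutes; a value of 0 would allow LAN
  # access until the next WARP reconnection.
  lan_allow_minutes = 30
  lan_allow_subnet_size = 24
  register_interface_ip_with_dns = true
  sccm_vpn_boundary_support = false
  # 'port' is only meaningful together with proxy mode.
  service_mode_v2 = {
    mode = "proxy"
    port = 3000
  }
  support_url = "https://1.1.1.1/help"
  # NOTE(review): the field name suggests that true locks the switch, while the
  # field description reads as "allow the user to turn off" — confirm the
  # polarity before relying on this to keep clients connected.
  switch_locked = true
  tunnel_protocol = "wireguard"
  # 'default' must be one of the IDs in 'allowed'; 'allowed' needs at least one
  # entry whenever virtual_networks is set.
  virtual_networks = {
    allowed = ["f174e90a-fafe-4643-bbbc-4a0ed4fc8415"]
    default = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}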

data cloudflare_zero_trust_device_custom_profile

required Expand Collapse
policy_id: String
account_id: String
computed Expand Collapse
id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

description: String

A description of the policy.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

gateway_unique_id: String
lan_allow_minutes: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: String

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

name: String

The name of the device settings profile.

precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: String

Determines which tunnel protocol to use.

dns_search_suffixes: List[Attributes]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: String

The DNS search suffix to append when resolving short hostnames.

description: String

A description of the DNS search suffix.

exclude: List[Attributes]

List of routes excluded in the WARP client’s tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

global_acceleration: Attributes

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[String]

IP:port entries for the API endpoints.

enabled: Bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[String]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[String]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: List[Attributes]

List of routes included in the WARP client’s tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

virtual_networks: Attributes

Virtual network access settings for the device.

allowed: List[String]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: String

The default virtual network ID. Must be included in the allowed list.

cloudflare_zero_trust_device_custom_profile

# Reads the custom device settings profile identified by policy_id. Both
# arguments are required; every profile setting is returned as a computed
# attribute.
data "cloudflare_zero_trust_device_custom_profile" "example_zero_trust_device_custom_profile" {
  account_id = "699d98642c564d2e855e9661899b7252"
  policy_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_custom_profiles

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
allow_mode_switch: Bool

Whether to allow the user to switch WARP between modes.

allow_updates: Bool

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: Bool

Whether to allow devices to leave the organization.

auto_connect: Float64

The amount of time in seconds to reconnect after having been disabled.

captive_portal: Float64

Turn on the captive portal after the specified amount of time.

default: Bool

Whether the policy is the default policy for an account.

description: String

A description of the policy.

disable_auto_fallback: Bool

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

dns_search_suffixes: List[Attributes]

List of DNS search suffixes to apply to clients. Suffixes are evaluated in order. Use an empty array to clear.

suffix: String

The DNS search suffix to append when resolving short hostnames.

description: String

A description of the DNS search suffix.

enabled: Bool

Whether the policy will be applied to matching devices.

exclude: List[Attributes]

List of routes excluded in the WARP client’s tunnel.

address: String

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to exclude from the tunnel. If host is present, address must not be present.

exclude_office_ips: Bool

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description: String

A description of the fallback domain, displayed in the client UI.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

gateway_unique_id: String
global_acceleration: Attributes

Global Acceleration settings for China. When configured, WARP clients connect to the Global Accelerator addresses instead of the default ones. Please contact your account representative to enable this feature on your account. See https://developers.cloudflare.com/china-network/concepts/global-acceleration/.

api_endpoints: List[String]

IP:port entries for the API endpoints.

enabled: Bool

Global acceleration settings are used only when “enabled”.

masque_endpoints: List[String]

IP:port entries for the MASQUE tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

wireguard_endpoints: List[String]

IP:port entries for the WireGuard tunnel endpoints. Either wireguard_endpoints or masque_endpoints must be provided.

include: List[Attributes]

List of routes included in the WARP client’s tunnel.

address: String

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: String

A description of the Split Tunnel item, displayed in the client UI.

host: String

The domain name to include in the tunnel. If host is present, address must not be present.

lan_allow_minutes: Float64

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: Float64

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: String

The wirefilter expression to match devices. Available values: “identity.email”, “identity.groups.id”, “identity.groups.name”, “identity.groups.email”, “identity.service_token_uuid”, “identity.saml_attributes”, “network”, “os.name”, “os.version”.

name: String

The name of the device settings profile.

policy_id: String
precedence: Float64

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: Bool

Determines if the operating system will register WARP’s local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: Bool

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: Attributes
mode: String

The mode to run the WARP client under.

port: Float64

The port number when used with proxy mode.

support_url: String

The URL to launch when the Send Feedback button is clicked.

switch_locked: Bool

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: List[Attributes]
id: String

The id of the DEX test targeting this policy.

name: String

The name of the DEX test targeting this policy.

tunnel_protocol: String

Determines which tunnel protocol to use.

virtual_networks: Attributes

Virtual network access settings for the device.

allowed: List[String]

List of virtual network IDs the device is allowed to access. When virtual_networks is set, at least one entry is required.

default: String

The default virtual network ID. Must be included in the allowed list.

cloudflare_zero_trust_device_custom_profiles

# Lists the account's custom device settings profiles in the computed 'result'
# attribute. The optional max_items argument defaults to 1000.
data "cloudflare_zero_trust_device_custom_profiles" "example_zero_trust_device_custom_profiles" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Policies > Custom > Fallback Domains

resource cloudflare_zero_trust_device_custom_profile_local_domain_fallback

required Expand Collapse
policy_id: String
account_id: String
domains: List[Attributes]
suffix: String

The domain suffix to match when resolving locally.

description?: String

A description of the fallback domain, displayed in the client UI.

dns_server?: List[String]

A list of IP addresses to handle domain resolution.

computed Expand Collapse
id: String

cloudflare_zero_trust_device_custom_profile_local_domain_fallback

# Local domain fallback entries for the custom device profile named by
# policy_id.
resource "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example_zero_trust_device_custom_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"
  policy_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"

  domains = [
    {
      # Names under this suffix are matched for local resolution.
      # NOTE(review): presumably such queries are not handled by the tunnel's
      # resolver — confirm, and keep the suffix list limited to domains you
      # intend to resolve locally.
      suffix      = "example.com"
      description = "Domain bypass for local development"

      # IP addresses that handle resolution for the suffix. When this list is
      # absent the client falls back to a best guess of the default/system
      # resolvers unless the profile sets disable_auto_fallback = true.
      dns_server = ["1.1.1.1"]
    }
  ]
}

data cloudflare_zero_trust_device_custom_profile_local_domain_fallback

required Expand Collapse
policy_id: String
account_id: String
computed Expand Collapse
id: String
description: String

A description of the fallback domain, displayed in the client UI.

suffix: String

The domain suffix to match when resolving locally.

dns_server: List[String]

A list of IP addresses to handle domain resolution.

cloudflare_zero_trust_device_custom_profile_local_domain_fallback

# Reads the local domain fallback configuration of the custom profile
# identified by policy_id (computed: id, description, suffix, dns_server).
data "cloudflare_zero_trust_device_custom_profile_local_domain_fallback" "example_zero_trust_device_custom_profile_local_domain_fallback" {
  account_id = "699d98642c564d2e855e9661899b7252"
  policy_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

Zero Trust > Devices > Posture

resource cloudflare_zero_trust_device_posture_rule

required Expand Collapse
account_id: String
name: String

The name of the device posture rule.

type: String

The type of device posture rule.

optional Expand Collapse
description?: String

The description of the device posture rule.

expiration?: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

schedule?: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

input?: Attributes

The value to be checked against.

operating_system?: String

Operating system.

path?: String

File path.

exists?: Bool

Whether or not file exists.

sha256?: String

SHA-256.

thumbprint?: String

Signing certificate thumbprint.

id?: String

List ID.

domain?: String

Domain.

operator?: String

Operator.

version?: String

Version of OS.

os_distro_name?: String

Operating System Distribution Name (linux only).

os_distro_revision?: String

Version of OS Distribution (linux only).

os_version_extra?: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled?: Bool

Enabled.

check_disks?: List[String]

List of volume names to be checked for encryption.

require_all?: Bool

Whether to check all disks for encryption.

certificate_id?: String

UUID of Cloudflare managed certificate.

cn?: String

Common Name that is protected by the certificate.

check_private_key?: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage?: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations?: Attributes
paths?: List[String]

List of paths to check for client certificate on linux.

trust_stores?: List[String]

List of trust stores to check for client certificate.

subject_alternative_names?: List[String]

List of certificate Subject Alternative Names.

update_window_days?: Float64

Number of days that the antivirus should be updated within.

compliance_status?: String

Compliance Status.

connection_id?: String

Posture Integration ID.

last_seen?: String

For more details on last seen, please refer to the Crowdstrike documentation.

os?: String

OS version.

overall?: String

Overall.

sensor_config?: String

SensorConfig.

state?: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator?: String

Version Operator.

auth_state?: List[String]

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

count_operator?: String

Count Operator.

issue_count?: String

The Number of Issues.

eid_last_seen?: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level?: String

For more details on risk level, refer to the Tanium documentation.

score_operator?: String

Score Operator.

total_score?: Float64

For more details on total score, refer to the Tanium documentation.

active_threats?: Float64

The Number of active threats.

infected?: Bool

Whether device is infected.

is_active?: Bool

Whether device is active.

network_status?: String

Network status of device.

operational_state?: String

Agent operational state.

score?: Float64

A value from 0 to 100 assigned to the device by the third-party posture provider.

match?: List[Attributes]

The conditions that the client must match to run the rule.

platform?: String
computed Expand Collapse
id: String

API UUID.

cloudflare_zero_trust_device_posture_rule

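# File posture check: the WARP client reports whether the file at 'path'
# exists and, when given, whether it matches the expected digest and signing
# certificate.
resource "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name = "Admin Serial Numbers"
  type = "file"
  description = "The rule for admin serial numbers"
  # How long a posture result stays valid. If left empty, a result remains
  # valid until the client overwrites it with new data.
  # NOTE(review): expiration equals the polling schedule here; a longer
  # expiration may be needed so a passing result does not lapse between
  # polls — confirm against your access policies.
  expiration = "1h"
  input = {
    operating_system = "linux"
    path = "/bin/cat"
    exists = true
    # Placeholder: replace with the SHA-256 digest of the expected file,
    # written as 64 hexadecimal characters. A URL is not a valid value here.
    sha256 = "<sha256-hex-digest-of-expected-file>"
    # Thumbprint of the certificate that signed the file.
    thumbprint = "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
  }
  # Clients must match these conditions to run the rule. Keep the platform in
  # line with input.operating_system and the path style, otherwise the check
  # is never evaluated on the devices it describes.
  match = [{
    platform = "linux"
  }]
  # Polling frequency of the client posture check (default 5m, minimum 1m).
  schedule = "1h"
}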

data cloudflare_zero_trust_device_posture_rule

required Expand Collapse
rule_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

description: String

The description of the device posture rule.

expiration: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

name: String

The name of the device posture rule.

schedule: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: String

The type of device posture rule.

input: Attributes

The value to be checked against.

operating_system: String

Operating system.

path: String

File path.

exists: Bool

Whether or not file exists.

sha256: String

SHA-256.

thumbprint: String

Signing certificate thumbprint.

id: String

List ID.

domain: String

Domain.

operator: String

Operator.

version: String

Version of OS.

os_distro_name: String

Operating System Distribution Name (linux only).

os_distro_revision: String

Version of OS Distribution (linux only).

os_version_extra: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled: Bool

Enabled.

check_disks: List[String]

List of volume names to be checked for encryption.

require_all: Bool

Whether to check all disks for encryption.

certificate_id: String

UUID of Cloudflare managed certificate.

cn: String

Common Name that is protected by the certificate.

check_private_key: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations: Attributes
paths: List[String]

List of paths to check for client certificate on linux.

trust_stores: List[String]

List of trust stores to check for client certificate.

subject_alternative_names: List[String]

List of certificate Subject Alternative Names.

update_window_days: Float64

Number of days that the antivirus should be updated within.

compliance_status: String

Compliance Status.

connection_id: String

Posture Integration ID.

last_seen: String

For more details on last seen, please refer to the Crowdstrike documentation.

os: String

OS version.

overall: String

Overall.

sensor_config: String

SensorConfig.

state: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator: String

Version Operator.

auth_state: List[String]

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

count_operator: String

Count Operator.

issue_count: String

The Number of Issues.

eid_last_seen: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level: String

For more details on risk level, refer to the Tanium documentation.

score_operator: String

Score Operator.

total_score: Float64

For more details on total score, refer to the Tanium documentation.

active_threats: Float64

The Number of active threats.

infected: Bool

Whether device is infected.

is_active: Bool

Whether device is active.

network_status: String

Network status of device.

operational_state: String

Agent operational state.

score: Float64

A value from 0 to 100 assigned to the device by the third-party posture provider.

match: List[Attributes]

The conditions that the client must match to run the rule.

platform: String

cloudflare_zero_trust_device_posture_rule

# Reads the device posture rule identified by rule_id (the rule's API UUID);
# the rule's input, match conditions, schedule and expiration are computed.
data "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" {
  account_id = "699d98642c564d2e855e9661899b7252"
  rule_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_posture_rules

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

description: String

The description of the device posture rule.

expiration: String

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: Attributes

The value to be checked against.

operating_system: String

Operating system.

path: String

File path.

exists: Bool

Whether or not file exists.

sha256: String

SHA-256.

thumbprint: String

Signing certificate thumbprint.

id: String

List ID.

domain: String

Domain.

operator: String

Operator.

version: String

Version of OS.

os_distro_name: String

Operating System Distribution Name (linux only).

os_distro_revision: String

Version of OS Distribution (linux only).

os_version_extra: String

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

enabled: Bool

Enabled.

check_disks: List[String]

List of volume names to be checked for encryption.

require_all: Bool

Whether to check all disks for encryption.

certificate_id: String

UUID of Cloudflare managed certificate.

cn: String

Common Name that is protected by the certificate.

check_private_key: Bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

extended_key_usage: List[String]

List of values indicating purposes for which the certificate public key can be used.

locations: Attributes
paths: List[String]

List of paths to check for client certificate on linux.

trust_stores: List[String]

List of trust stores to check for client certificate.

subject_alternative_names: List[String]

List of certificate Subject Alternative Names.

update_window_days: Float64

Number of days that the antivirus should be updated within.

compliance_status: String

Compliance Status.

connection_id: String

Posture Integration ID.

last_seen: String

For more details on last seen, please refer to the Crowdstrike documentation.

os: String

OS version.

overall: String

Overall.

sensor_config: String

SensorConfig.

state: String

For more details on state, please refer to the Crowdstrike documentation.

version_operator: String

Version Operator.

auth_state: List[String]

The set of Kolide device authentication states that pass the posture check. Device must match one of the specified states.

count_operator: String

Count Operator.

issue_count: String

The Number of Issues.

eid_last_seen: String

For more details on eid last seen, refer to the Tanium documentation.

risk_level: String

For more details on risk level, refer to the Tanium documentation.

score_operator: String

Score Operator.

total_score: Float64

For more details on total score, refer to the Tanium documentation.

active_threats: Float64

The Number of active threats.

infected: Bool

Whether device is infected.

is_active: Bool

Whether device is active.

network_status: String

Network status of device.

operational_state: String

Agent operational state.

score: Float64

A value from 0 to 100 assigned to the device by the third-party posture provider.

match: List[Attributes]

The conditions that the client must match to run the rule.

platform: String
name: String

The name of the device posture rule.

schedule: String

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: String

The type of device posture rule.

cloudflare_zero_trust_device_posture_rules

# Lists the account's device posture rules in the computed 'result' attribute.
# The optional max_items argument defaults to 1000.
data "cloudflare_zero_trust_device_posture_rules" "example_zero_trust_device_posture_rules" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Posture > Integrations

resource cloudflare_zero_trust_device_posture_integration

required Expand Collapse
account_id: String
interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

config: Attributes

The configuration object containing third-party integration information.

api_url?: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url?: String

The Workspace One Authorization URL depending on your region.

client_id?: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

client_secret?: String

The Workspace One client secret provided in the Workspace One Admin Dashboard.

customer_id?: String

The Crowdstrike customer ID.

client_key?: String

The Uptycs client secret.

access_client_id?: String

If present, this id will be passed in the CF-Access-Client-ID header when hitting the api_url.

access_client_secret?: String

If present, this secret will be passed in the CF-Access-Client-Secret header when hitting the api_url.

computed Expand Collapse
id: String

API UUID.

cloudflare_zero_trust_device_posture_integration

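# The integration's client secret is a credential for the third-party API.
# Pass it in through a sensitive input variable rather than a literal in the
# configuration, so it is not committed to version control and is redacted in
# plan output. The value is still written to Terraform state, so the state
# backend needs access control and encryption at rest.
variable "workspace_one_client_secret" {
  description = "Workspace One client secret for the device posture integration."
  type        = string
  sensitive   = true
}

# Device posture integration with Workspace One; Cloudflare polls the
# third-party API at the configured interval.
resource "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" {
  account_id = "699d98642c564d2e855e9661899b7252"
  config = {
    api_url = "https://as123.awmdm.com/API"
    auth_url = "https://na.uemauth.workspaceone.com/connect/token"
    client_id = "example client id"
    client_secret = var.workspace_one_client_secret
  }
  # Interval between posture checks with the third-party API (m = minutes,
  # h = hours).
  interval = "10m"
  name = "My Workspace One Integration"
  type = "workspace_one"
}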

data cloudflare_zero_trust_device_posture_integration

required Expand Collapse
integration_id: String

API UUID.

account_id: String
computed Expand Collapse
id: String

API UUID.

interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

config: Attributes

The configuration object containing third-party integration information.

api_url: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: String

The Workspace One Authorization URL depending on your region.

client_id: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

cloudflare_zero_trust_device_posture_integration

# Reads the device posture integration identified by integration_id. The
# computed 'config' documented for this data source lists api_url, auth_url
# and client_id; client_secret is not among its attributes.
data "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" {
  account_id = "699d98642c564d2e855e9661899b7252"
  integration_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_device_posture_integrations

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

API UUID.

config: Attributes

The configuration object containing third-party integration information.

api_url: String

The Workspace One API URL provided in the Workspace One Admin Dashboard.

auth_url: String

The Workspace One Authorization URL depending on your region.

client_id: String

The Workspace One client ID provided in the Workspace One Admin Dashboard.

interval: String

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

name: String

The name of the device posture integration.

type: String

The type of device posture integration.

cloudflare_zero_trust_device_posture_integrations

# Lists the account's device posture integrations in the computed 'result'
# attribute. The optional max_items argument defaults to 1000.
data "cloudflare_zero_trust_device_posture_integrations" "example_zero_trust_device_posture_integrations" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust > Devices > Settings

resource cloudflare_zero_trust_device_settings

required Expand Collapse
account_id: String
optional Expand Collapse
disable_for_time?: Float64

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled?: Bool

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint?: String

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server’s identity. The device will ignore any response if the server’s certificate fingerprint does not exactly match this value.

external_emergency_signal_interval?: String

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., “5m”, “2m30s”, “1h”). Minimum 30 seconds.

external_emergency_signal_url?: String

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled?: Bool

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled?: Bool

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled?: Bool

Enable installation of the Cloudflare-managed root certificate.

use_zt_virtual_ip?: Bool

Enable using CGNAT virtual IPv4.

cloudflare_zero_trust_device_settings

# Account-wide WARP device settings.
resource "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Gateway proxy filtering, TCP and UDP.
  gateway_proxy_enabled     = true
  gateway_udp_proxy_enabled = true

  # Installs the Cloudflare-managed root certificate on enrolled devices.
  root_certificate_installation_enabled = true

  # Use a CGNAT virtual IPv4 address.
  use_zt_virtual_ip = true

  # Time limit, in seconds, for which an override code can be used to bypass WARP.
  # NOTE(review): the schema does not say what 0 means here; confirm before copying.
  disable_for_time = 0

  # External emergency disconnect signal. The client polls an HTTPS URL whose
  # host must be an IP address, at the given interval (minimum 30 seconds).
  # The fingerprint is optional in the schema, but it is what lets the client
  # verify the server's identity: a response is ignored unless the server
  # certificate's SHA-256 fingerprint matches exactly. Set it together with the
  # URL and update it whenever that certificate is replaced.
  external_emergency_signal_enabled     = true
  external_emergency_signal_url         = "https://192.0.2.1/signal"
  external_emergency_signal_fingerprint = "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234"
  external_emergency_signal_interval    = "5m"
}

data cloudflare_zero_trust_device_settings

required
account_id: String
computed
disable_for_time: Float64

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

external_emergency_signal_enabled: Bool

Controls whether the external emergency disconnect feature is enabled.

external_emergency_signal_fingerprint: String

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server’s identity. The device will ignore any response if the server’s certificate fingerprint does not exactly match this value.

external_emergency_signal_interval: String

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., “5m”, “2m30s”, “1h”). Minimum 30 seconds.

external_emergency_signal_url: String

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

gateway_proxy_enabled: Bool

Enable gateway proxy filtering on TCP.

gateway_udp_proxy_enabled: Bool

Enable gateway proxy filtering on UDP.

root_certificate_installation_enabled: Bool

Enable installation of the Cloudflare-managed root certificate.

use_zt_virtual_ip: Bool

Enable using CGNAT virtual IPv4.

cloudflare_zero_trust_device_settings

# Reads the account-wide WARP device settings. Every setting is returned as a
# computed attribute, including the emergency signal URL and its pinned
# certificate fingerprint.
data "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" {
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero Trust › Identity Providers

resource cloudflare_zero_trust_access_identity_provider

required
name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims?: List[String]

Custom claims

client_id?: String

Your OAuth Client ID

client_secret?: String

Your OAuth Client Secret

conditional_access_enabled?: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id?: String

Your Azure directory uuid

email_claim_name?: String

The claim name for email in the id_token response.

prompt?: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

support_groups?: Bool

Should Cloudflare try to load groups from your account

centrify_account?: String

Your centrify account url

centrify_app_id?: String

Your centrify app id

apps_domain?: String

Your company's TLD

auth_url?: String

The authorization_endpoint URL of your IdP

certs_url?: String

The jwks_uri endpoint of your IdP, which publishes the IdP's public keys used to verify the signatures on the tokens

pkce_enabled?: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes?: List[String]

OAuth scopes

token_url?: String

The token_endpoint URL of your IdP

authorization_server_id?: String

Your okta authorization server id

okta_account?: String

Your okta account url

onelogin_account?: String

Your OneLogin account url

ping_env_id?: String

Your PingOne environment identifier

attributes?: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name?: String

The attribute name for email in the SAML response.

enable_encryption?: Bool

Enable SAML assertion encryption. When enabled, the Identity Provider will encrypt SAML assertions using the certificate from the assigned certificate set.

To enable encryption:

  1. Create a certificate set via POST to /identity_providers/{id}/saml_certificate
  2. Set this field to true and include saml_certificate_set_id in the PUT request
  3. Configure the public certificate in your external Identity Provider

Note: Requires saml_certificate_set_id to be set when true.

header_attributes?: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name?: String

attribute name from the IDP

header_name?: String

header that will be added on the request to the origin

idp_public_certs?: List[String]

X509 certificate to verify the signature in the SAML authentication response

issuer_url?: String

IdP Entity ID or Issuer URL

sign_request?: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url?: String

URL to send the SAML authentication requests to

redirect_url: String
restrict_to_account_members?: Bool

When enabled, only users who are members of your Cloudflare account can authenticate through this identity provider. When disabled, any user with a Cloudflare account can authenticate, subject to your Access policies.

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

saml_certificate_set_id?: String

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

scim_config?: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled?: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior?: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision?: Bool

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision?: Bool

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

computed
id: String

UUID.

read_only: Bool

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set: Attributes

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: Time

Timestamp when the certificate set was created

uid: String

Unique identifier for the certificate set

updated_at: Time

Timestamp when the certificate set was last updated (e.g., during rotation)

current_certificate: Attributes

The currently active certificate used for encrypting SAML assertions

is_current: Bool

Indicates whether this is the currently active certificate

not_after: Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

public_certificate: String

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: String

Unique identifier for the certificate

previous_certificate: JSON

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

cloudflare_zero_trust_access_identity_provider

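# The OAuth client secret is passed in as a sensitive variable (for example via
# the TF_VAR_idp_client_secret environment variable) instead of being written
# into the configuration. `sensitive` only hides the value in plan/apply
# output: it is still stored in Terraform state, so the state backend needs
# access control and encryption.
variable "idp_client_secret" {
  type      = string
  sensitive = true
}

resource "cloudflare_zero_trust_access_identity_provider" "example_zero_trust_access_identity_provider" {
  name    = "Widget Corps IDP" # shown to users on the login page
  zone_id = "zone_id"          # mutually exclusive with account_id

  # NOTE(review): the config block below uses Azure-specific fields
  # (directory_id, conditional_access_enabled), which do not look like they
  # belong to a "onetimepin" provider. Set `type` to the value the developer
  # documentation gives for the provider you are actually configuring.
  type = "onetimepin"

  config = {
    client_id     = "<your client id>"
    client_secret = var.idp_client_secret
    directory_id  = "<your azure directory uuid>"

    claims           = ["email_verified", "preferred_username", "custom_claim_name"]
    email_claim_name = "custom_claim_name"

    # prompt=login makes the user enter credentials on that request, which
    # negates single sign-on.
    prompt = "login"

    conditional_access_enabled = true
    support_groups             = true
  }

  # Per the schema, this applies to SAML identity providers with encryption
  # configured; omit it for other provider types.
  saml_certificate_set_id = "c409ef44-e72c-41c8-8c0b-278c8a6f4fd8"

  scim_config = {
    enabled = true

    # "automatic" lets SCIM events update the identity used for policy
    # evaluation without re-authentication.
    identity_update_behavior = "automatic"

    # user_deprovision revokes Access and Gateway sessions when the IdP
    # deprovisions a user; seat_deprovision cannot be enabled without it.
    user_deprovision = true
    seat_deprovision = true
  }
}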

data cloudflare_zero_trust_access_identity_provider

optional
identity_provider_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
scim_enabled?: String

Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

computed
id: String

UUID.

name: String

The name of the identity provider, shown to users on the login page.

read_only: Bool

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set_id: String

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: List[String]

Custom claims

client_id: String

Your OAuth Client ID

client_secret: String

Your OAuth Client Secret

conditional_access_enabled: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id: String

Your Azure directory uuid

email_claim_name: String

The claim name for email in the id_token response.

prompt: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

support_groups: Bool

Should Cloudflare try to load groups from your account

centrify_account: String

Your centrify account url

centrify_app_id: String

Your centrify app id

apps_domain: String

Your company's TLD

auth_url: String

The authorization_endpoint URL of your IdP

certs_url: String

The jwks_uri endpoint of your IdP, which publishes the IdP's public keys used to verify the signatures on the tokens

pkce_enabled: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes: List[String]

OAuth scopes

token_url: String

The token_endpoint URL of your IdP

authorization_server_id: String

Your okta authorization server id

okta_account: String

Your okta account url

onelogin_account: String

Your OneLogin account url

ping_env_id: String

Your PingOne environment identifier

attributes: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: String

The attribute name for email in the SAML response.

enable_encryption: Bool

Enable SAML assertion encryption. When enabled, the Identity Provider will encrypt SAML assertions using the certificate from the assigned certificate set.

To enable encryption:

  1. Create a certificate set via POST to /identity_providers/{id}/saml_certificate
  2. Set this field to true and include saml_certificate_set_id in the PUT request
  3. Configure the public certificate in your external Identity Provider

Note: Requires saml_certificate_set_id to be set when true.

header_attributes: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: String

attribute name from the IDP

header_name: String

header that will be added on the request to the origin

idp_public_certs: List[String]

X509 certificate to verify the signature in the SAML authentication response

issuer_url: String

IdP Entity ID or Issuer URL

sign_request: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: String

URL to send the SAML authentication requests to

redirect_url: String
restrict_to_account_members: Bool

When enabled, only users who are members of your Cloudflare account can authenticate through this identity provider. When disabled, any user with a Cloudflare account can authenticate, subject to your Access policies.

saml_certificate_set: Attributes

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: Time

Timestamp when the certificate set was created

uid: String

Unique identifier for the certificate set

updated_at: Time

Timestamp when the certificate set was last updated (e.g., during rotation)

current_certificate: Attributes

The currently active certificate used for encrypting SAML assertions

is_current: Bool

Indicates whether this is the currently active certificate

not_after: Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

public_certificate: String

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: String

Unique identifier for the certificate

previous_certificate: JSON

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

scim_config: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Bool

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Bool

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

cloudflare_zero_trust_access_identity_provider

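# Looks up one identity provider by UUID.
# account_id and zone_id are mutually exclusive, so only one scope is set here;
# use zone_id instead of account_id for a zone-scoped lookup.
# The computed attributes of this data source include config.client_secret and
# scim_config.secret. The schema says the SCIM secret is redacted after it is
# first generated; whether client_secret is redacted is not stated, so treat
# state and outputs that read this data source as sensitive.
data "cloudflare_zero_trust_access_identity_provider" "example_zero_trust_access_identity_provider" {
  identity_provider_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id           = "account_id"
}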

data cloudflare_zero_trust_access_identity_providers

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

scim_enabled?: String

Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

max_items?: Int64

Max items to fetch, default: 1000

computed
result: List[Attributes]

The items returned by the data source

config: Attributes

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

claims: List[String]

Custom claims

client_id: String

Your OAuth Client ID

client_secret: String

Your OAuth Client Secret

conditional_access_enabled: Bool

Should Cloudflare try to load authentication contexts from your account

directory_id: String

Your Azure directory uuid

email_claim_name: String

The claim name for email in the id_token response.

prompt: String

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn’t presented with any interactive prompt. If the request can’t be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

support_groups: Bool

Should Cloudflare try to load groups from your account

centrify_account: String

Your centrify account url

centrify_app_id: String

Your centrify app id

apps_domain: String

Your company's TLD

auth_url: String

The authorization_endpoint URL of your IdP

certs_url: String

The jwks_uri endpoint of your IdP, which publishes the IdP's public keys used to verify the signatures on the tokens

pkce_enabled: Bool

Enable Proof Key for Code Exchange (PKCE)

scopes: List[String]

OAuth scopes

token_url: String

The token_endpoint URL of your IdP

authorization_server_id: String

Your okta authorization server id

okta_account: String

Your okta account url

onelogin_account: String

Your OneLogin account url

ping_env_id: String

Your PingOne environment identifier

attributes: List[String]

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

email_attribute_name: String

The attribute name for email in the SAML response.

enable_encryption: Bool

Enable SAML assertion encryption. When enabled, the Identity Provider will encrypt SAML assertions using the certificate from the assigned certificate set.

To enable encryption:

  1. Create a certificate set via POST to /identity_providers/{id}/saml_certificate
  2. Set this field to true and include saml_certificate_set_id in the PUT request
  3. Configure the public certificate in your external Identity Provider

Note: Requires saml_certificate_set_id to be set when true.

header_attributes: List[Attributes]

Add a list of attribute names that will be returned in the response header from the Access callback.

attribute_name: String

attribute name from the IDP

header_name: String

header that will be added on the request to the origin

idp_public_certs: List[String]

X509 certificate to verify the signature in the SAML authentication response

issuer_url: String

IdP Entity ID or Issuer URL

sign_request: Bool

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

sso_target_url: String

URL to send the SAML authentication requests to

redirect_url: String
restrict_to_account_members: Bool

When enabled, only users who are members of your Cloudflare account can authenticate through this identity provider. When disabled, any user with a Cloudflare account can authenticate, subject to your Access policies.

name: String

The name of the identity provider, shown to users on the login page.

type: String

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

id: String

UUID.

read_only: Bool

Indicates that the identity provider is immutable and cannot be updated or deleted via the API.

saml_certificate_set: Attributes

The SAML encryption certificate set details, including current and previous certificates. Only present for SAML identity providers with a certificate set assigned.

created_at: Time

Timestamp when the certificate set was created

uid: String

Unique identifier for the certificate set

updated_at: Time

Timestamp when the certificate set was last updated (e.g., during rotation)

current_certificate: Attributes

The currently active certificate used for encrypting SAML assertions

is_current: Bool

Indicates whether this is the currently active certificate

not_after: Time

Certificate expiration date. Certificates are automatically rotated 30 days before expiration.

public_certificate: String

PEM-encoded X.509 certificate containing the public key. Configure this certificate in your external SAML Identity Provider to enable encryption.

uid: String

Unique identifier for the certificate

previous_certificate: JSON

The previous certificate, maintained during rotation to ensure continuity. Null if no rotation has occurred. Mirrors the structure of saml_certificate.

saml_certificate_set_id: String

The UID of the SAML encryption certificate set assigned to this Identity Provider. Only present for SAML identity providers with encryption configured. Create a certificate set via POST to /identity_providers/{id}/saml_certificate.

scim_config: Attributes

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

enabled: Bool

A flag to enable or disable SCIM for the identity provider.

identity_update_behavior: String

Indicates how a SCIM event updates a user identity used for policy evaluation. Use “automatic” to automatically update a user’s identity and augment it with fields from the SCIM user resource. Use “reauth” to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With “reauth”, identities will not contain fields from the SCIM user resource. With “no_action”, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

scim_base_url: String

The base URL of Cloudflare’s SCIM V2.0 API endpoint.

seat_deprovision: Bool

A flag to remove a user’s seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

secret: String

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

user_deprovision: Bool

A flag to enable revoking a user’s session in Access and Gateway when they have been deprovisioned in the Identity Provider.

cloudflare_zero_trust_access_identity_providers

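# Lists identity providers for one scope (up to max_items, default 1000).
# account_id and zone_id are mutually exclusive, so only one of them is set
# here; use zone_id instead of account_id for a zone-scoped listing.
# Each result carries the provider's config (including client_secret) and
# scim_config (including secret) as computed attributes, so treat state and
# outputs that read this data source as sensitive.
data "cloudflare_zero_trust_access_identity_providers" "example_zero_trust_access_identity_providers" {
  account_id   = "account_id"
  scim_enabled = "scim_enabled" # placeholder; restricts the listing to providers with SCIM enabled
}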

Zero Trust › Organizations

resource cloudflare_zero_trust_organization

optional
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

auth_domain?: String

The unique subdomain assigned to your Zero Trust organization.

deny_unmatched_requests?: Bool

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

name?: String

The name of your Zero Trust organization.

session_duration?: String

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

user_seat_expiration_inactive_time?: String

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration?: String

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

deny_unmatched_requests_exempted_zone_names?: List[String]

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

custom_pages?: Attributes
forbidden?: String

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied?: String

The uid of the custom page to use when a user is denied access.

login_design?: Attributes
background_color?: String

The background color on your login page.

header_text?: String

The text at the top of your login page.

logo_path?: String

The URL of the logo on your login page.

text_color?: String

The text color on your login page.

mfa_config?: Attributes

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators?: List[String]

Lists the MFA methods that users can authenticate with.

amr_matching_session_duration?: String

Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains “mfa”. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

required_aaguids?: String

Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

session_duration?: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

mfa_piv_key_requirements?: Attributes

Configures PIV key requirements for MFA using hardware security keys.

pin_policy?: String

Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use).

require_fips_device?: Bool

Requires the PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

ssh_key_size?: List[Int64]

Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

ssh_key_type?: List[String]

Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.

touch_policy?: String

Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds).

allow_authenticate_via_warp?: Bool

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auto_redirect_to_identity?: Bool

When set to true, users skip the identity provider selection step during login.

is_ui_read_only?: Bool

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

mfa_required_for_all_apps?: Bool

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. Note: ‘allowed_authenticators’ cannot contain only ‘piv_key’ if the organization has any non-infrastructure applications, because PIV keys are only compatible with infrastructure apps.

ui_read_only_toggle_reason?: String

A description of the reason why the UI read only field is being toggled.

computed
created_at: Time
updated_at: Time

cloudflare_zero_trust_organization

# Zero Trust organization settings: identity, session lifetimes, default-deny
# behaviour, MFA and login page branding.
resource "cloudflare_zero_trust_organization" "example_zero_trust_organization" {
  # Scope and identity. zone_id is mutually exclusive with account_id.
  zone_id     = "zone_id"
  name        = "Widget Corps Internal Applications"
  auth_domain = "test.cloudflareaccess.com"

  # Token and seat lifetimes. 730h (1 month) is the documented minimum for
  # user_seat_expiration_inactive_time.
  session_duration                   = "24h"
  warp_auth_session_duration         = "24h"
  user_seat_expiration_inactive_time = "730h"

  # Deny requests to Cloudflare-protected resources that have no associated
  # Access application. The exempted zone names are the documented way to keep
  # a domain public across all its subdomains, so review every entry added.
  deny_unmatched_requests                     = true
  deny_unmatched_requests_exempted_zone_names = ["example.com"]

  # Login flow. Application settings take precedence over
  # allow_authenticate_via_warp; auto_redirect_to_identity skips the identity
  # provider selection step.
  allow_authenticate_via_warp = true
  auto_redirect_to_identity   = true

  # Locks dashboard settings as read-only regardless of user permission;
  # changes then go through the API or Terraform only.
  is_ui_read_only            = true
  ui_read_only_toggle_reason = "Temporarily turn off the UI read only lock to make a change via the UI"

  # false: global MFA settings do not apply to applications by default.
  mfa_required_for_all_apps = false

  mfa_config = {
    allowed_authenticators = ["totp", "biometrics", "security_key"]
    required_aaguids       = "2fc0579f-8113-47ea-b116-bb5a8db9202a"
    session_duration       = "24h"

    # Lets a user skip MFA for this long when the IdP's AMR claim contains "mfa".
    amr_matching_session_duration = "12h"
  }

  # PIV key requirements for MFA with hardware security keys.
  mfa_piv_key_requirements = {
    require_fips_device = true
    pin_policy          = "always" # PIN required for each use
    touch_policy        = "always" # touch required for each use
    ssh_key_type        = ["ecdsa", "rsa"]
    ssh_key_size        = [256, 2048] # valid sizes depend on the key type
  }

  # UIDs of the custom pages shown when access is denied.
  custom_pages = {
    forbidden       = "699d98642c564d2e855e9661899b7252"
    identity_denied = "699d98642c564d2e855e9661899b7252"
  }

  login_design = {
    header_text = "This is an example description."
    # NOTE(review): footer_text is not listed among the login_design
    # attributes documented on this page; confirm the provider accepts it.
    footer_text      = "This is an example description."
    logo_path        = "https://example.com/logo.png"
    background_color = "#c5ed1b"
    text_color       = "#c5ed1b"
  }
}

data cloudflare_zero_trust_organization

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
allow_authenticate_via_warp: Bool

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: String

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: Bool

When set to true, users skip the identity provider selection step during login.

created_at: Time
deny_unmatched_requests: Bool

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

is_ui_read_only: Bool

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

mfa_required_for_all_apps: Bool

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. Note: ‘allowed_authenticators’ cannot contain only ‘piv_key’ if the organization has any non-infrastructure applications, because PIV keys are only compatible with infrastructure apps.

name: String

The name of your Zero Trust organization.

session_duration: String

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: String

A description of the reason why the UI read only field is being toggled.

updated_at: Time
user_seat_expiration_inactive_time: String

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: String

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

deny_unmatched_requests_exempted_zone_names: List[String]

Contains zone names to exempt from the deny_unmatched_requests feature. Unauthenticated requests to a subdomain in an exempted zone are still blocked by default if a configured Access application and policy match the request.

custom_pages: Attributes
forbidden: String

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: String

The uid of the custom page to use when a user is denied access.

login_design: Attributes
background_color: String

The background color on your login page.

header_text: String

The text at the top of your login page.

logo_path: String

The URL of the logo on your login page.

text_color: String

The text color on your login page.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

amr_matching_session_duration: String

Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains “mfa”. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).

required_aaguids: String

Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

mfa_piv_key_requirements: Attributes

Configures PIV key requirements for MFA using hardware security keys.

pin_policy: String

Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use).

require_fips_device: Bool

Requires the PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.

ssh_key_size: List[Int64]

Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.

ssh_key_type: List[String]

Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.

touch_policy: String

Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds).

cloudflare_zero_trust_organization

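# Reads the Zero Trust organization settings for one scope.
# account_id and zone_id are documented as mutually exclusive, so only one of
# them is set; use `account_id = "account_id"` instead for an account-level
# lookup.
data "cloudflare_zero_trust_organization" "example_zero_trust_organization" {
  zone_id = "zone_id"
}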

Zero Trust / Access / AI Controls / Mcp / Portals

resource cloudflare_zero_trust_access_ai_controls_mcp_portal

required Expand Collapse
id: String

portal id

account_id: String
hostname: String
name: String
optional Expand Collapse
description?: String
allow_code_mode?: Bool

Allow remote code execution in Dynamic Workers (beta)

secure_web_gateway?: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

servers?: List[Attributes]
server_id: String

server id

default_disabled?: Bool
on_behalf?: Bool
updated_prompts?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
updated_tools?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
computed Expand Collapse
created_at: Time
created_by: String
modified_at: Time
modified_by: String

cloudflare_zero_trust_access_ai_controls_mcp_portal

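# MCP portal with its hostname and the MCP servers attached to it.
resource "cloudflare_zero_trust_access_ai_controls_mcp_portal" "example_zero_trust_access_ai_controls_mcp_portal" {
  account_id  = "a86a8f5c339544d7bdc89926de14fb8c"
  id          = "my-mcp-portal"
  name        = "My MCP Portal"
  description = "This is my custom MCP Portal"

  # Reserved documentation domain (the original example had the typo
  # "exmaple.com", which is a different, registrable domain). Replace it with
  # a hostname you control.
  hostname = "example.com"

  # Allows remote code execution in Dynamic Workers (beta). Enable it only
  # for portals that need it.
  allow_code_mode = true

  # When true, outbound MCP traffic is routed through the Zero Trust Secure
  # Web Gateway; with false it is not routed that way.
  secure_web_gateway = false

  servers = [{
    server_id        = "my-mcp-server"
    default_disabled = true
    on_behalf        = true

    # Per-prompt and per-tool overrides, keyed by name; `enabled` switches an
    # individual prompt or tool on or off.
    updated_prompts = [{
      name        = "name"
      alias       = "my-custom-alias"
      description = "description"
      enabled     = true
    }]
    updated_tools = [{
      name        = "name"
      alias       = "my-custom-alias"
      description = "description"
      enabled     = true
    }]
  }]
}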

data cloudflare_zero_trust_access_ai_controls_mcp_portal

required Expand Collapse
account_id: String
optional Expand Collapse
id?: String

portal id

filter?: Attributes
computed Expand Collapse
allow_code_mode: Bool

Allow remote code execution in Dynamic Workers (beta)

created_at: Time
created_by: String
description: String
hostname: String
modified_at: Time
modified_by: String
name: String
secure_web_gateway: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

servers: List[Attributes]
id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
created_at: Time
created_by: String
default_disabled: Bool
description: String
error: String
error_details: Attributes
cause: String

Underlying error message

is_upstream: Bool

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: Float64

MCP protocol error code

retryable: Bool

Whether the error is transient and worth retrying

status_code: Float64

HTTP status code from the server

is_shared_oauth_callback_enabled: Bool

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
on_behalf: Bool
secure_web_gateway: Bool

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: String
updated_prompts: List[Attributes]
name: String
enabled: Bool
portal_alias: String
portal_description: String
server_alias: String
server_description: String
updated_tools: List[Attributes]
name: String
enabled: Bool
portal_alias: String
portal_description: String
server_alias: String
server_description: String

cloudflare_zero_trust_access_ai_controls_mcp_portal

# Reads a single MCP portal by its portal id. The computed attributes include
# allow_code_mode and secure_web_gateway for the portal and for each attached
# server, which makes this data source usable for configuration audits.
data "cloudflare_zero_trust_access_ai_controls_mcp_portal" "example_zero_trust_access_ai_controls_mcp_portal" {
  id         = "my-mcp-portal"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

data cloudflare_zero_trust_access_ai_controls_mcp_portals

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

portal id

hostname: String
name: String
servers: List[Attributes]
id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
created_at: Time
created_by: String
default_disabled: Bool
description: String
error: String
error_details: Attributes
cause: String

Underlying error message

is_upstream: Bool

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: Float64

MCP protocol error code

retryable: Bool

Whether the error is transient and worth retrying

status_code: Float64

HTTP status code from the server

is_shared_oauth_callback_enabled: Bool

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
on_behalf: Bool
secure_web_gateway: Bool

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: String
updated_prompts: List[Attributes]
name: String
enabled: Bool
portal_alias: String
portal_description: String
server_alias: String
server_description: String
updated_tools: List[Attributes]
name: String
enabled: Bool
portal_alias: String
portal_description: String
server_alias: String
server_description: String
allow_code_mode: Bool

Allow remote code execution in Dynamic Workers (beta)

created_at: Time
created_by: String
description: String
modified_at: Time
modified_by: String
secure_web_gateway: Bool

Route outbound MCP traffic through Zero Trust Secure Web Gateway

cloudflare_zero_trust_access_ai_controls_mcp_portals

# Lists the MCP portals of an account; max_items (default 1000) caps the
# number of results.
# NOTE(review): `search` does not appear in the attribute reference for this
# data source on this page; confirm it against the provider schema.
data "cloudflare_zero_trust_access_ai_controls_mcp_portals" "example_zero_trust_access_ai_controls_mcp_portals" {
  search     = "search"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

Zero Trust / Access / AI Controls / Mcp / Servers

resource cloudflare_zero_trust_access_ai_controls_mcp_server

required Expand Collapse
id: String

server id

account_id: String
auth_type: String
hostname: String
name: String
optional Expand Collapse
auth_credentials?: String
description?: String
is_shared_oauth_callback_enabled?: Bool

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

updated_prompts?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
updated_tools?: List[Attributes]
name: String
alias?: String
description?: String
enabled?: Bool
secure_web_gateway?: Bool

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

computed Expand Collapse
created_at: Time
created_by: String
error: String
last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
status: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
error_details: Attributes
cause: String

Underlying error message

is_upstream: Bool

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: Float64

MCP protocol error code

retryable: Bool

Whether the error is transient and worth retrying

status_code: Float64

HTTP status code from the server

cloudflare_zero_trust_access_ai_controls_mcp_server

# Registers one remote MCP server.
resource "cloudflare_zero_trust_access_ai_controls_mcp_server" "example_zero_trust_access_ai_controls_mcp_server" {
  account_id  = "a86a8f5c339544d7bdc89926de14fb8c"
  id          = "my-mcp-server"
  name        = "My MCP Server"
  description = "This is one remote mcp server"
  hostname    = "https://example.com/mcp"

  # auth_credentials is a secret. A literal in configuration ends up in
  # version control and in Terraform state, so supply it from a variable
  # marked sensitive and protect the state backend.
  # NOTE(review): presumably no credentials are needed when auth_type is
  # "unauthenticated" — confirm which auth_type values use this field.
  auth_type        = "unauthenticated"
  auth_credentials = "auth_credentials"

  # true: the shared Cloudflare-owned OAuth callback endpoint is used as the
  # redirect_uri for upstream on-behalf OAuth instead of the customer portal
  # hostname. Documented default is false.
  is_shared_oauth_callback_enabled = true

  # When true, outbound traffic to this MCP server is routed through the
  # Zero Trust Secure Web Gateway; with false it is not routed that way.
  secure_web_gateway = false

  # Per-tool and per-prompt overrides, keyed by name.
  updated_tools = [{
    name        = "name"
    alias       = "my-custom-alias"
    description = "description"
    enabled     = true
  }]
  updated_prompts = [{
    name        = "name"
    alias       = "my-custom-alias"
    description = "description"
    enabled     = true
  }]
}

data cloudflare_zero_trust_access_ai_controls_mcp_server

required Expand Collapse
account_id: String
optional Expand Collapse
id?: String

server id

filter?: Attributes
computed Expand Collapse
auth_type: String
created_at: Time
created_by: String
description: String
error: String
hostname: String
is_shared_oauth_callback_enabled: Bool

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
name: String
secure_web_gateway: Bool

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
error_details: Attributes
cause: String

Underlying error message

is_upstream: Bool

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: Float64

MCP protocol error code

retryable: Bool

Whether the error is transient and worth retrying

status_code: Float64

HTTP status code from the server

updated_prompts: List[Attributes]
name: String
alias: String
description: String
enabled: Bool
updated_tools: List[Attributes]
name: String
alias: String
description: String
enabled: Bool

cloudflare_zero_trust_access_ai_controls_mcp_server

# Reads a single MCP server by its server id. Computed attributes such as
# status, error, error_details and last_successful_sync report the outcome of
# syncing with the server.
data "cloudflare_zero_trust_access_ai_controls_mcp_server" "example_zero_trust_access_ai_controls_mcp_server" {
  id         = "my-mcp-server"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

data cloudflare_zero_trust_access_ai_controls_mcp_servers

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

server id

auth_type: String
hostname: String
name: String
prompts: List[Map[JSON]]
tools: List[Map[JSON]]
created_at: Time
created_by: String
description: String
error: String
error_details: Attributes
cause: String

Underlying error message

is_upstream: Bool

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: Float64

MCP protocol error code

retryable: Bool

Whether the error is transient and worth retrying

status_code: Float64

HTTP status code from the server

is_shared_oauth_callback_enabled: Bool

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: Time
last_synced: Time
modified_at: Time
modified_by: String
secure_web_gateway: Bool

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: String
updated_prompts: List[Attributes]
name: String
alias: String
description: String
enabled: Bool
updated_tools: List[Attributes]
name: String
alias: String
description: String
enabled: Bool

cloudflare_zero_trust_access_ai_controls_mcp_servers

# Lists the MCP servers of an account; max_items (default 1000) caps the
# number of results.
# NOTE(review): `search` does not appear in the attribute reference for this
# data source on this page; confirm it against the provider schema.
data "cloudflare_zero_trust_access_ai_controls_mcp_servers" "example_zero_trust_access_ai_controls_mcp_servers" {
  search     = "search"
  account_id = "a86a8f5c339544d7bdc89926de14fb8c"
}

Zero Trust / Access / Infrastructure / Targets

resource cloudflare_zero_trust_access_infrastructure_target

required Expand Collapse
account_id: String

Account identifier

hostname: String

A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4?: Attributes

The target’s IPv4 address

ip_addr?: String

IP address of the target

virtual_network_id?: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6?: Attributes

The target’s IPv6 address

ip_addr?: String

IP address of the target

virtual_network_id?: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

computed Expand Collapse
id: String

Target identifier

created_at: Time

Date and time at which the target was created

modified_at: Time

Date and time at which the target was modified

cloudflare_zero_trust_access_infrastructure_target

# Infrastructure target reachable over IPv4 and IPv6. hostname is a
# non-unique, case-insensitive label of at most 255 characters.
resource "cloudflare_zero_trust_access_infrastructure_target" "example_zero_trust_access_infrastructure_target" {
  hostname   = "infra-access-target"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"

  ip = {
    # Each address family can name its own private virtual network; when
    # virtual_network_id is omitted, the default virtual network ID is used.
    ipv6 = {
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
    }
    ipv4 = {
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      ip_addr            = "187.26.29.249"
    }
  }
}

data cloudflare_zero_trust_access_infrastructure_target

required Expand Collapse
account_id: String

Account identifier

optional Expand Collapse
target_id?: String

Target identifier

filter?: Attributes
created_after?: Time

Date and time at which the target was created after (inclusive)

created_before?: Time

Date and time at which the target was created before (inclusive)

direction?: String

The sorting direction.

hostname?: String

Hostname of a target

hostname_contains?: String

Partial match to the hostname of a target

ip_like?: String

Filters for targets whose IP addresses look like the specified string. Supports * as a wildcard character

ip_v4?: String

IPv4 address of the target

ip_v6?: String

IPv6 address of the target

ips?: List[String]

Filters for targets that have any of the following IP addresses. Specify ips multiple times in query parameter to build list of candidates.

ipv4_end?: String

Defines an IPv4 filter range’s ending value (inclusive). Requires ipv4_start to be specified as well.

ipv4_start?: String

Defines an IPv4 filter range’s starting value (inclusive). Requires ipv4_end to be specified as well.

ipv6_end?: String

Defines an IPv6 filter range’s ending value (inclusive). Requires ipv6_start to be specified as well.

ipv6_start?: String

Defines an IPv6 filter range’s starting value (inclusive). Requires ipv6_end to be specified as well.

modified_after?: Time

Date and time at which the target was modified after (inclusive)

modified_before?: Time

Date and time at which the target was modified before (inclusive)

order?: String

The field to sort by.

target_ids?: List[String]

Filters for targets that have any of the following UUIDs. Specify target_ids multiple times in query parameter to build list of candidates.

virtual_network_id?: String

Private virtual network identifier of the target

computed Expand Collapse
id: String

Target identifier

created_at: Time

Date and time at which the target was created

hostname: String

A non-unique field that refers to a target

modified_at: Time

Date and time at which the target was modified

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4: Attributes

The target’s IPv4 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6: Attributes

The target’s IPv6 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

cloudflare_zero_trust_access_infrastructure_target

# Reads one infrastructure target by its target identifier. The optional
# `filter` attribute offers hostname, IP and time-range lookups instead.
data "cloudflare_zero_trust_access_infrastructure_target" "example_zero_trust_access_infrastructure_target" {
  target_id  = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_infrastructure_targets

required Expand Collapse
account_id: String

Account identifier

optional Expand Collapse
created_after?: Time

Date and time at which the target was created after (inclusive)

created_before?: Time

Date and time at which the target was created before (inclusive)

direction?: String

The sorting direction.

hostname?: String

Hostname of a target

hostname_contains?: String

Partial match to the hostname of a target

ip_like?: String

Filters for targets whose IP addresses look like the specified string. Supports * as a wildcard character

ip_v4?: String

IPv4 address of the target

ip_v6?: String

IPv6 address of the target

ipv4_end?: String

Defines an IPv4 filter range’s ending value (inclusive). Requires ipv4_start to be specified as well.

ipv4_start?: String

Defines an IPv4 filter range’s starting value (inclusive). Requires ipv4_end to be specified as well.

ipv6_end?: String

Defines an IPv6 filter range’s ending value (inclusive). Requires ipv6_start to be specified as well.

ipv6_start?: String

Defines an IPv6 filter range’s starting value (inclusive). Requires ipv6_end to be specified as well.

modified_after?: Time

Date and time at which the target was modified after (inclusive)

modified_before?: Time

Date and time at which the target was modified before (inclusive)

order?: String

The field to sort by.

virtual_network_id?: String

Private virtual network identifier of the target

ips?: List[String]

Filters for targets that have any of the following IP addresses. Specify ips multiple times in query parameter to build list of candidates.

target_ids?: List[String]

Filters for targets that have any of the following UUIDs. Specify target_ids multiple times in query parameter to build list of candidates.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

Target identifier

created_at: Time

Date and time at which the target was created

hostname: String

A non-unique field that refers to a target

ip: Attributes

The IPv4/IPv6 address that identifies where to reach a target

ipv4: Attributes

The target’s IPv4 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

ipv6: Attributes

The target’s IPv6 address

ip_addr: String

IP address of the target

virtual_network_id: String

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

modified_at: Time

Date and time at which the target was modified

cloudflare_zero_trust_access_infrastructure_targets

# Lists infrastructure targets. Every filter is shown with a placeholder
# value; a real query would normally set only the few it needs.
data "cloudflare_zero_trust_access_infrastructure_targets" "example_zero_trust_access_infrastructure_targets" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"

  # Identity filters.
  target_ids         = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  virtual_network_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"

  # Hostname filters: exact match and partial match.
  hostname          = "hostname"
  hostname_contains = "hostname_contains"

  # Address filters. ip_like supports * as a wildcard character.
  ips     = ["string"]
  ip_like = "ip_like"
  ip_v4   = "ip_v4"
  ip_v6   = "ip_v6"

  # Inclusive address ranges; each start requires its matching end.
  ipv4_start = "ipv4_start"
  ipv4_end   = "ipv4_end"
  ipv6_start = "ipv6_start"
  ipv6_end   = "ipv6_end"

  # Inclusive creation and modification time bounds.
  created_after   = "2019-12-27T18:11:19.117Z"
  created_before  = "2019-12-27T18:11:19.117Z"
  modified_after  = "2019-12-27T18:11:19.117Z"
  modified_before = "2019-12-27T18:11:19.117Z"

  # Sorting: field to sort by and sorting direction.
  order     = "hostname"
  direction = "asc"
}

Zero Trust / Access / Applications / CAs

resource cloudflare_zero_trust_access_short_lived_certificate

required Expand Collapse
app_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificate

# Short-lived certificate CA for one Access application. The computed
# public_key is the value to add to the SSH server configuration, and aud
# identifies the application associated with the CA.
resource "cloudflare_zero_trust_access_short_lived_certificate" "example_zero_trust_access_short_lived_certificate" {
  zone_id = "zone_id"
  app_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_access_short_lived_certificate

required Expand Collapse
app_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificate

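# Reads the short-lived certificate CA of one Access application.
# account_id and zone_id are documented as mutually exclusive, so only one of
# them is set; use `account_id = "account_id"` instead for an account-level
# lookup.
data "cloudflare_zero_trust_access_short_lived_certificate" "example_zero_trust_access_short_lived_certificate" {
  app_id  = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  zone_id = "zone_id"
}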

data cloudflare_zero_trust_access_short_lived_certificates

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the CA.

aud: String

The Application Audience (AUD) tag. Identifies the application associated with the CA.

public_key: String

The public key to add to your SSH server configuration.

cloudflare_zero_trust_access_short_lived_certificates

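# Lists the short-lived certificate CAs in one scope; max_items (default
# 1000) caps the number of results.
# account_id and zone_id are documented as mutually exclusive, so only one of
# them is set; use `account_id = "account_id"` instead for an account-level
# listing.
data "cloudflare_zero_trust_access_short_lived_certificates" "example_zero_trust_access_short_lived_certificates" {
  zone_id = "zone_id"
}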

Zero Trust / Access / Certificates

resource cloudflare_zero_trust_access_mtls_certificate

required Expand Collapse
certificate: String

The certificate content.

name: String

The name of the certificate.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

associated_hostnames?: List[String]

The hostnames of the applications that will use this certificate.

computed Expand Collapse
id: String

The ID of the application that will use this certificate.

created_at: Time
expires_on: Time
fingerprint: String

The MD5 fingerprint of the certificate.

updated_at: Time

cloudflare_zero_trust_access_mtls_certificate

# Uploads a certificate for Access mTLS and lists the application hostnames
# that will use it.
# NOTE(review): only certificate content belongs in `certificate`; presumably
# no private key is ever supplied here — confirm.
# NOTE(review): with <<EOT the two-space indentation of the PEM lines is part
# of the value, whereas <<-EOT would strip it — confirm the API accepts the
# indented form.
# The computed `fingerprint` is documented as an MD5 fingerprint: use it as an
# identifier, and compare certificates with a SHA-256 fingerprint computed
# locally when integrity matters.
resource "cloudflare_zero_trust_access_mtls_certificate" "example_zero_trust_access_mtls_certificate" {
  certificate = <<EOT
  -----BEGIN CERTIFICATE-----
  MIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10
  DrUtmu/B
  -----END CERTIFICATE-----
  EOT
  name = "Allow devs"
  # Set either zone_id or account_id, not both.
  zone_id = "zone_id"
  # Hostnames of the applications that will use this certificate.
  associated_hostnames = ["admin.example.com"]
}

data cloudflare_zero_trust_access_mtls_certificate

required Expand Collapse
certificate_id: String

UUID.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
id: String

UUID.

created_at: Time
expires_on: Time
fingerprint: String

The MD5 fingerprint of the certificate.

name: String

The name of the certificate.

updated_at: Time
associated_hostnames: List[String]

The hostnames of the applications that will use this certificate.

cloudflare_zero_trust_access_mtls_certificate

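# Reads one mTLS certificate by its UUID.
# account_id and zone_id are documented as mutually exclusive, so only one of
# them is set; use `account_id = "account_id"` instead for an account-level
# lookup.
data "cloudflare_zero_trust_access_mtls_certificate" "example_zero_trust_access_mtls_certificate" {
  certificate_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  zone_id        = "zone_id"
}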

data cloudflare_zero_trust_access_mtls_certificates

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the application that will use this certificate.

associated_hostnames: List[String]

The hostnames of the applications that will use this certificate.

created_at: Time
expires_on: Time
fingerprint: String

The MD5 fingerprint of the certificate.

name: String

The name of the certificate.

updated_at: Time

cloudflare_zero_trust_access_mtls_certificates

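# Lists the mTLS certificates in one scope; max_items (default 1000) caps the
# number of results. expires_on in each result can drive expiry checks.
# account_id and zone_id are documented as mutually exclusive, so only one of
# them is set; use `account_id = "account_id"` instead for an account-level
# listing.
data "cloudflare_zero_trust_access_mtls_certificates" "example_zero_trust_access_mtls_certificates" {
  zone_id = "zone_id"
}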

Zero Trust / Access / Certificates / Settings

resource cloudflare_zero_trust_access_mtls_hostname_settings

required Expand Collapse
settings: List[Attributes]
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the client (the “eyeball”) presents to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.

hostname: String

The hostname that these settings apply to.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone has China Network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the client (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header, so that it can be logged at the origin.

hostname: String

The hostname that these settings apply to.

cloudflare_zero_trust_access_mtls_hostname_settings

resource "cloudflare_zero_trust_access_mtls_hostname_settings" "example_zero_trust_access_mtls_hostname_settings" {
  # Zone-scoped here; account_id is the mutually exclusive alternative.
  zone_id = "zone_id"

  # Each entry carries the mTLS settings for one hostname.
  settings = [
    {
      hostname = "admin.example.com"

      # Can only be set to true when the zone has China Network enabled.
      china_network = false

      # Forwards the client certificate to the origin as an HTTP header so the
      # origin can log it.
      # NOTE(review): the origin should rely on that header only for requests it
      # can verify arrived through the Cloudflare edge; a directly reachable
      # origin could be sent the same header by anyone. Confirm origin lockdown.
      client_certificate_forwarding = true
    }
  ]
}

data cloudflare_zero_trust_access_mtls_hostname_settings

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

computed Expand Collapse
china_network: Bool

Request client certificates for this hostname in China. Can only be set to true if this zone has China Network enabled.

client_certificate_forwarding: Bool

Client Certificate Forwarding takes the client certificate that the client (the "eyeball") presents to the edge and forwards it to the origin as an HTTP header, so that it can be logged at the origin.

hostname: String

The hostname that these settings apply to.

cloudflare_zero_trust_access_mtls_hostname_settings

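data "cloudflare_zero_trust_access_mtls_hostname_settings" "example_zero_trust_access_mtls_hostname_settings" {
  # account_id and zone_id are documented as mutually exclusive, so only one
  # of them is set. Swap the two lines below to read zone-scoped settings.
  account_id = "account_id"
  # zone_id  = "zone_id"
}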

Zero Trust > Access > Groups

resource cloudflare_zero_trust_access_group

required Expand Collapse
name: String

The name of the Access group.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member?: Attributes
account_id?: String

Identifier.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

is_default?: Bool

Whether this is the default group

exclude?: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member?: Attributes
account_id?: String

Identifier.

require?: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member?: Attributes
account_id?: String

Identifier.

computed Expand Collapse
id: String

UUID.

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_group

resource "cloudflare_zero_trust_access_group" "example_zero_trust_access_group" {
  name       = "Allow devs"
  zone_id    = "zone_id" # account_id is the mutually exclusive alternative
  is_default = true      # marks this group as the default group

  # Include rules are OR-ed: meeting any one of them is enough.
  include = [{ certificate = {} }]

  # Require rules are AND-ed: every one of them must be met.
  require = [{ certificate = {} }]

  # Exclude rules are NOT-ed: meeting any one of them rejects the user.
  # NOTE(review): this example places the same certificate rule in include,
  # require and exclude, so as written no user can match the group. It only
  # illustrates the attribute shapes; in a real configuration the exclude rule
  # has to differ from the include/require rules.
  exclude = [{ certificate = {} }]
}

data cloudflare_zero_trust_access_group

optional Expand Collapse
group_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
name?: String

The name of the group.

computed Expand Collapse
id: String

UUID.

created_at: Time
name: String

The name of the Access group.

updated_at: Time
exclude: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

is_default: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

require: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

cloudflare_zero_trust_access_group

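data "cloudflare_zero_trust_access_group" "example_zero_trust_access_group" {
  # Looks up a single Access group by its UUID.
  group_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"

  # account_id and zone_id are documented as mutually exclusive, so only one
  # of them is set. Swap the two lines below to look up a zone-scoped group.
  account_id = "account_id"
  # zone_id  = "zone_id"
}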

data cloudflare_zero_trust_access_groups

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

name?: String

The name of the group.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID.

created_at: Time
exclude: List[Attributes]

Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

include: List[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

is_default: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

name: String

The name of the Access group.

require: List[Attributes]

Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

updated_at: Time

cloudflare_zero_trust_access_groups

# Lists Access groups; name and search are presumably list filters (their
# schema entries are not shown next to this example).
# NOTE(review): the service-token data sources on this page document account_id
# and zone_id as mutually exclusive. Confirm whether that also applies here
# before copying both scope arguments.
data "cloudflare_zero_trust_access_groups" "example_zero_trust_access_groups" {
  # Scope
  account_id = "account_id"
  zone_id    = "zone_id"

  # Filters
  name   = "name"
  search = "search"
}

Zero Trust > Access > Service Tokens

resource cloudflare_zero_trust_access_service_token

required Expand Collapse
name: String

The name of the service token.

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

previous_client_secret_expires_at?: Time

The expiration of the previous client_secret. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

client_secret_version?: Float64

A version number identifying the current client_secret associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by previous_client_secret_expires_at.

duration?: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

computed Expand Collapse
id: String

The ID of the service token.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

client_secret: String

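The Client Secret for the service token. Access will check for this value in the CF-Access-Client-Secret request header. As a computed attribute of the resource, the secret is recorded in Terraform state, so the state backend needs the same access controls and encryption as the secret itself.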

created_at: Time
expires_at: Time
last_seen_at: Time
updated_at: Time

cloudflare_zero_trust_access_service_token

# Service token whose secret rotation is driven from Terraform.
resource "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" {
  name    = "CI/CD token"
  zone_id = "zone_id" # zone scope; account_id is the mutually exclusive alternative

  # Token lifetime. When omitted, the documented default is 8760h (1 year).
  duration = "60m"

  # Incrementing this number triggers a rotation of client_secret.
  client_secret_version = 0

  # The previous secret stays accepted until this time; a timestamp in the
  # past invalidates it immediately.
  previous_client_secret_expires_at = "2014-01-01T05:20:00.12345Z"

  # client_id and client_secret are computed attributes and are therefore
  # written to Terraform state: restrict and encrypt the state backend.
}

data cloudflare_zero_trust_access_service_token

optional Expand Collapse
service_token_id?: String

UUID.

account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

filter?: Attributes
name?: String

The name of the service token.

computed Expand Collapse
id: String

UUID.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

created_at: Time
duration: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: Time
last_seen_at: Time
name: String

The name of the service token.

updated_at: Time

cloudflare_zero_trust_access_service_token

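# Looks up one service token by its UUID.
data "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" {
  service_token_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"

  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. For a zone-scoped token use zone_id = "zone_id" instead.
  account_id = "account_id"

  # client_secret is not among this data source's computed attributes; only
  # client_id and the token's metadata can be read back.
}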

data cloudflare_zero_trust_access_service_tokens

optional Expand Collapse
account_id?: String

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

zone_id?: String

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

name?: String

The name of the service token.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The ID of the service token.

client_id: String

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

created_at: Time
duration: String

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: Time
last_seen_at: Time
name: String

The name of the service token.

updated_at: Time

cloudflare_zero_trust_access_service_tokens

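# Lists service tokens in one scope, filtered by name.
data "cloudflare_zero_trust_access_service_tokens" "example_zero_trust_access_service_tokens" {
  # account_id and zone_id are documented as mutually exclusive, so only one
  # scope is set. For zone-scoped tokens use zone_id = "zone_id" instead.
  account_id = "account_id"

  name = "name"

  # NOTE(review): search is not described in the argument list for this data
  # source; confirm it against the provider schema before relying on it.
  search = "search"
}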

Zero Trust > Access > Keys

resource cloudflare_zero_trust_access_key_configuration

required Expand Collapse
account_id: String

Identifier.

key_rotation_interval_days: Float64

The number of days between key rotations.

computed Expand Collapse
id: String

Identifier.

days_until_next_rotation: Float64

The number of days until the next key rotation.

last_key_rotation_at: Time

The timestamp of the previous key rotation.

cloudflare_zero_trust_access_key_configuration

# Sets the Access key rotation interval for one account.
resource "cloudflare_zero_trust_access_key_configuration" "example_zero_trust_access_key_configuration" {
  account_id                 = "023e105f4ecef8ad9ca31a8372d0c353"
  key_rotation_interval_days = 30 # number of days between key rotations
}

data cloudflare_zero_trust_access_key_configuration

required Expand Collapse
account_id: String

Identifier.

computed Expand Collapse
id: String

Identifier.

days_until_next_rotation: Float64

The number of days until the next key rotation.

key_rotation_interval_days: Float64

The number of days between key rotations.

last_key_rotation_at: Time

The timestamp of the previous key rotation.

cloudflare_zero_trust_access_key_configuration

# Reads the key rotation settings of one account. The computed attributes are
# key_rotation_interval_days, days_until_next_rotation and last_key_rotation_at.
data "cloudflare_zero_trust_access_key_configuration" "example_zero_trust_access_key_configuration" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Access > Custom Pages

resource cloudflare_zero_trust_access_custom_page

required Expand Collapse
account_id: String

Identifier.

custom_html: String

Custom page HTML.

name: String

Custom page name.

type: String

Custom page type.

optional Expand Collapse
app_count?: Int64

Number of apps the custom page is assigned to.

computed Expand Collapse
id: String

UUID.

uid: String

UUID.

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_custom_page

# Custom page of type identity_denied with its HTML supplied inline.
resource "cloudflare_zero_trust_access_custom_page" "example_zero_trust_access_custom_page" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name       = "name"
  type       = "identity_denied"

  # The full page markup is passed as a single string.
  custom_html = "<html><body><h1>Access Denied</h1></body></html>"
}

data cloudflare_zero_trust_access_custom_page

required Expand Collapse
custom_page_id: String

UUID.

account_id: String

Identifier.

computed Expand Collapse
id: String

UUID.

app_count: Int64

Number of apps the custom page is assigned to.

created_at: Time
custom_html: String

Custom page HTML.

name: String

Custom page name.

type: String

Custom page type.

uid: String

UUID.

updated_at: Time

cloudflare_zero_trust_access_custom_page

# Reads one custom page by UUID; custom_html, name, type and app_count are
# returned as computed attributes.
data "cloudflare_zero_trust_access_custom_page" "example_zero_trust_access_custom_page" {
  custom_page_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  account_id     = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_custom_pages

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID.

name: String

Custom page name.

type: String

Custom page type.

app_count: Int64

Number of apps the custom page is assigned to.

created_at: Time
uid: String

UUID.

updated_at: Time

cloudflare_zero_trust_access_custom_pages

# Lists the custom pages of one account. max_items is left unset here, so the
# documented default of 1000 applies. The listed result entries carry no
# custom_html attribute.
data "cloudflare_zero_trust_access_custom_pages" "example_zero_trust_access_custom_pages" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Access > Tags

resource cloudflare_zero_trust_access_tag

required Expand Collapse
name: String

The name of the tag

account_id: String

Identifier.

computed Expand Collapse
id: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_tag

# Creates a tag in one account. The computed id is documented as the tag name.
resource "cloudflare_zero_trust_access_tag" "example_zero_trust_access_tag" {
  name       = "engineers"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_tag

required Expand Collapse
tag_name: String

The name of the tag

account_id: String

Identifier.

computed Expand Collapse
id: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
name: String

The name of the tag

updated_at: Time

cloudflare_zero_trust_access_tag

# Reads one tag by name; app_count reports how many applications carry it.
data "cloudflare_zero_trust_access_tag" "example_zero_trust_access_tag" {
  tag_name   = "engineers"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_zero_trust_access_tags

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The name of the tag

name: String

The name of the tag

app_count: Int64

The number of applications that have this tag

created_at: Time
updated_at: Time

cloudflare_zero_trust_access_tags

# Lists the tags of one account. max_items is left unset here, so the
# documented default of 1000 applies.
data "cloudflare_zero_trust_access_tags" "example_zero_trust_access_tags" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero Trust > Access > Policies

resource cloudflare_zero_trust_access_policy

required Expand Collapse
account_id: String

Identifier.

decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

name: String

The name of the Access policy.

optional Expand Collapse
approval_required?: Bool

Requires the user to request access from an administrator at the start of each session.

isolation_required?: Bool

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

purpose_justification_prompt?: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required?: Bool

Require users to enter a justification when they log in to the application.

approval_groups?: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses?: List[String]

A list of emails that can approve the access request.

email_list_uuid?: String

The UUID of a reusable email list.

connection_rules?: Attributes

The rules that define how users may connect to targets secured by your application.

rdp?: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats?: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats?: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

mfa_config?: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators?: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled?: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration?: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

session_duration?: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

exclude?: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member?: Attributes
account_id?: String

Identifier.

include?: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

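An empty object which matches on all service tokens. Under include this rule is satisfied by any valid service token; to admit a single client, use service_token with that token's token_id instead.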

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

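An empty object which matches on all users. Under include this rule is satisfied by every user, so any restriction on the policy then has to come from its require and exclude rules.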

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member?: Attributes
account_id?: String

Identifier.

require?: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group?: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token?: Attributes

An empty object which matches on all service tokens.

auth_context?: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method?: Attributes
auth_method: String
azure_ad?: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate?: Attributes
common_name?: Attributes
common_name: String

The common name to match.

geo?: Attributes
country_code: String

The country code that should be matched.

device_posture?: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain?: Attributes
domain: String

The email domain to match.

email_list?: Attributes
id: String

The ID of a previously created email list.

email?: Attributes
email: String

The email of the user.

everyone?: Attributes

An empty object which matches on all users.

external_evaluation?: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization?: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team?: String

The name of the team

gsuite?: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method?: Attributes
id: String

The ID of an identity provider.

ip_list?: Attributes
id: String

The ID of a previously created IP list.

ip?: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta?: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml?: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc?: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token?: Attributes
token_id: String

The ID of a Service Token.

linked_app_token?: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score?: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member?: Attributes
account_id?: String

Identifier.

computed Expand Collapse
id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

created_at: Time
reusable: Bool
updated_at: Time

cloudflare_zero_trust_access_policy

# Access policy example that sets each top-level optional argument.
# NOTE(review): include, exclude and require all carry the same empty
# certificate rule. Because a user may not meet any exclude rule, a policy
# written exactly like this matches nobody; give each list its own selector
# when adapting the example.
resource "cloudflare_zero_trust_access_policy" "example_zero_trust_access_policy" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  name       = "Allow devs"
  decision   = "allow"

  # Rule lists: include is OR, require is AND, exclude is NOT.
  include = [{
    certificate = {}
  }]
  require = [{
    certificate = {}
  }]
  exclude = [{
    certificate = {}
  }]

  # Lifetime of the tokens issued for the application.
  session_duration = "24h"

  # MFA stays enabled and is limited to the listed methods. The MFA session
  # has its own duration, documented as at most 720h.
  mfa_config = {
    allowed_authenticators = ["totp", "biometrics", "security_key"]
    mfa_disabled           = false
    session_duration       = "24h"
  }

  # Users must request access from an administrator at the start of each
  # session; each group states how many approvals it needs.
  approval_required = true
  approval_groups = [{
    approvals_needed = 1
    email_addresses  = ["test1@cloudflare.com", "test2@cloudflare.com"]
    email_list_uuid  = "email_list_uuid"
    }, {
    approvals_needed = 3
    email_addresses  = ["test@cloudflare.com", "test2@cloudflare.com"]
    email_list_uuid  = "597147a1-976b-4ef2-9af0-81d5d007fc34"
  }]

  # Users must enter a justification when they log in.
  purpose_justification_required = true
  purpose_justification_prompt   = "Please enter a justification for entering this protected domain."

  # RDP clipboard is limited to text in both directions.
  connection_rules = {
    rdp = {
      allowed_clipboard_local_to_remote_formats = ["text"]
      allowed_clipboard_remote_to_local_formats = ["text"]
    }
  }

  # Setting this to true needs 'Client Web Isolation' enabled on the account.
  isolation_required = false
}

data cloudflare_zero_trust_access_policy

required Expand Collapse
policy_id: String

The UUID of the policy

account_id: String

Identifier.

computed Expand Collapse
id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

approval_required: Bool

Requires the user to request access from an administrator at the start of each session.

created_at: Time
decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

isolation_required: Bool

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

name: String

The name of the Access policy.

purpose_justification_prompt: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Bool

Require users to enter a justification when they log in to the application.

reusable: Bool
session_duration: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: Time
approval_groups: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses: List[String]

A list of emails that can approve the access request.

email_list_uuid: String

The UUID of a reusable email list.

connection_rules: Attributes

The rules that define how users may connect to targets secured by your application.

rdp: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

exclude: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your Github identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

include: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

require: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

cloudflare_zero_trust_access_policy

# Looks up one Access policy by ID. Both identifiers are documentation samples; replace them.
data "cloudflare_zero_trust_access_policy" "example_zero_trust_access_policy" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  policy_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_access_policies

required Expand Collapse
account_id: String

Identifier.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

The UUID of the policy

app_count: Int64

Number of access applications currently using this policy.

approval_groups: Set[Attributes]

Administrators who can approve a temporary authentication request.

approvals_needed: Float64

The number of approvals needed to obtain access.

email_addresses: List[String]

A list of emails that can approve the access request.

email_list_uuid: String

The UUID of a reusable email list.

approval_required: Bool

Requires the user to request access from an administrator at the start of each session.

connection_rules: Attributes

The rules that define how users may connect to targets secured by your application.

rdp: Attributes

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: List[String]

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: List[String]

Clipboard formats allowed when copying from remote RDP session to local machine.

created_at: Time
decision: String

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

exclude: Set[Attributes]

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

include: Set[Attributes]

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

isolation_required: Bool

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

mfa_config: Attributes

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: List[String]

Lists the MFA methods that users can authenticate with.

mfa_disabled: Bool

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: String

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

name: String

The name of the Access policy.

purpose_justification_prompt: String

A custom message that will appear on the purpose justification screen.

purpose_justification_required: Bool

Require users to enter a justification when they log in to the application.

require: Set[Attributes]

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

group: Attributes
id: String

The ID of a previously created Access group.

any_valid_service_token: Attributes

An empty object which matches on all service tokens.

auth_context: Attributes
id: String

The ID of an Authentication context.

ac_id: String

The ACID of an Authentication context.

identity_provider_id: String

The ID of your Azure identity provider.

auth_method: Attributes
auth_method: String
azure_ad: Attributes
id: String

The ID of an Azure group.

identity_provider_id: String

The ID of your Azure identity provider.

certificate: Attributes
common_name: Attributes
common_name: String

The common name to match.

geo: Attributes
country_code: String

The country code that should be matched.

device_posture: Attributes
integration_uid: String

The ID of a device posture integration.

email_domain: Attributes
domain: String

The email domain to match.

email_list: Attributes
id: String

The ID of a previously created email list.

email: Attributes
email: String

The email of the user.

everyone: Attributes

An empty object which matches on all users.

external_evaluation: Attributes
evaluate_url: String

The API endpoint containing your business logic.

keys_url: String

The API endpoint containing the key that Access uses to verify that the response came from your API.

github_organization: Attributes
identity_provider_id: String

The ID of your GitHub identity provider.

name: String

The name of the organization.

team: String

The name of the team

gsuite: Attributes
email: String

The email of the Google Workspace group.

identity_provider_id: String

The ID of your Google Workspace identity provider.

login_method: Attributes
id: String

The ID of an identity provider.

ip_list: Attributes
id: String

The ID of a previously created IP list.

ip: Attributes
ip: String

An IPv4 or IPv6 CIDR block.

okta: Attributes
identity_provider_id: String

The ID of your Okta identity provider.

name: String

The name of the Okta group.

saml: Attributes
attribute_name: String

The name of the SAML attribute.

attribute_value: String

The SAML attribute value to look for.

identity_provider_id: String

The ID of your SAML identity provider.

oidc: Attributes
claim_name: String

The name of the OIDC claim.

claim_value: String

The OIDC claim value to look for.

identity_provider_id: String

The ID of your OIDC identity provider.

service_token: Attributes
token_id: String

The ID of a Service Token.

linked_app_token: Attributes
app_uid: String

The ID of an Access OIDC SaaS application

user_risk_score: Attributes
user_risk_score: List[String]

A list of risk score levels to match. Values can be low, medium, high, or unscored.

cloudflare_account_member: Attributes
account_id: String

Identifier.

reusable: Bool
session_duration: String

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: Time

cloudflare_zero_trust_access_policies

# Lists the account's Access policies. max_items is not set here, so the documented
# default of 1000 applies. The account ID is a documentation sample.
data "cloudflare_zero_trust_access_policies" "example_zero_trust_access_policies" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero TrustDEXRules

resource cloudflare_zero_trust_dex_rule

required Expand Collapse
account_id: String

Unique identifier linked to an account.

match: String

The wirefilter expression to match.

name: String

The name of the Rule.

optional Expand Collapse
description?: String
computed Expand Collapse
id: String

API Resource UUID tag.

created_at: String
updated_at: String
targeted_tests: List[Attributes]
data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool
name: String
test_id: String

cloudflare_zero_trust_dex_rule

# Example DEX rule. Every value is a placeholder from the generated documentation.
resource "cloudflare_zero_trust_dex_rule" "example_zero_trust_dex_rule" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  # The schema describes match as a wirefilter expression; the literal "match" is only a stand-in.
  match = "match"
  name = "name"
  description = "description"
}

data cloudflare_zero_trust_dex_rule

required Expand Collapse
rule_id: String

API Resource UUID tag.

account_id: String

Unique identifier linked to an account.

computed Expand Collapse
id: String

API Resource UUID tag.

created_at: String
description: String
match: String
name: String
updated_at: String
targeted_tests: List[Attributes]
data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool
name: String
test_id: String

cloudflare_zero_trust_dex_rule

# Reads one DEX rule by its UUID. Both identifiers are documentation samples; replace them.
data "cloudflare_zero_trust_dex_rule" "example_zero_trust_dex_rule" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  rule_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_dex_rules

required Expand Collapse
account_id: String

Unique identifier linked to an account.

optional Expand Collapse
name?: String

Filter results by rule name.

sort_by?: String

Which property to sort results by.

sort_order?: String

Sort direction for sort_by property.

max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

rules: List[Attributes]
id: String

API Resource UUID tag.

created_at: String
match: String
name: String
description: String
targeted_tests: List[Attributes]
data: Attributes

The configuration object which contains the details for the WARP client to conduct the test.

host: String

The desired endpoint to test.

kind: String

The type of test.

method: String

The HTTP request method type.

enabled: Bool
name: String
test_id: String
updated_at: String

cloudflare_zero_trust_dex_rules

# Lists DEX rules for the account, filtered by rule name.
data "cloudflare_zero_trust_dex_rules" "example_zero_trust_dex_rules" {
  account_id = "01a7362d577a6c3019a474fd6f485823"
  # Placeholder filter value; sort_by, sort_order and max_items are left unset here.
  name = "name"
}

Zero TrustTunnelsCloudflared

resource cloudflare_zero_trust_tunnel_cloudflared

required Expand Collapse
account_id: String

Cloudflare account ID

name: String

A user-friendly name for a tunnel.

optional Expand Collapse
config_src?: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel on the Zero Trust dashboard.

tunnel_secret?: String

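Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. Terraform records this value in its state file, so generate it randomly and protect the state accordingly.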

computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare’s edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare’s edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

remote_config: Bool (deprecated)

Use the config_src field instead.

If true, the tunnel can be configured remotely from the Zero Trust dashboard. If false, the tunnel must be configured locally on the origin machine.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

connections: List[Attributes] (deprecated)

This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint /accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections

The Cloudflare Tunnel connections between your origin and Cloudflare’s edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_cloudflared

# Example tunnel definition. Every value below is a documentation sample.
resource "cloudflare_zero_trust_tunnel_cloudflared" "example_zero_trust_tunnel_cloudflared" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name = "blog"
  # "cloudflare": the tunnel is managed on the Zero Trust dashboard.
  # "local": it is managed with a YAML file on the origin machine.
  config_src = "cloudflare"
  # Sample secret only: it decodes to the bytes 01..08 repeated four times (32 bytes), so it is fully predictable.
  # For a real tunnel, supply at least 32 random bytes from a CSPRNG, base64-encoded, through a
  # sensitive variable or a secret store instead of a literal in the configuration.
  # The value is also written to Terraform state, which then needs the same protection.
  tunnel_secret = "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
}

data cloudflare_zero_trust_tunnel_cloudflared

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
tunnel_id?: String

UUID of the tunnel.

filter?: Attributes
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for a tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

config_src: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel on the Zero Trust dashboard.

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare’s edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare’s edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

name: String

A user-friendly name for a tunnel.

remote_config: Bool (deprecated)

Use the config_src field instead.

If true, the tunnel can be configured remotely from the Zero Trust dashboard. If false, the tunnel must be configured locally on the origin machine.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

connections: List[Attributes] (deprecated)

This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint /accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections

The Cloudflare Tunnel connections between your origin and Cloudflare’s edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_cloudflared

# Reads one tunnel by UUID. tunnel_id is optional in the schema, which offers `filter` as the
# other way to select a tunnel. Both identifiers are documentation samples.
data "cloudflare_zero_trust_tunnel_cloudflared" "example_zero_trust_tunnel_cloudflared" {
  account_id = "699d98642c564d2e855e9661899b7252"
  tunnel_id = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
}

data cloudflare_zero_trust_tunnel_cloudflareds

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for a tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

config_src: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel on the Zero Trust dashboard.

connections: List[Attributes] (deprecated)

This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint /accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections

The Cloudflare Tunnel connections between your origin and Cloudflare’s edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare’s edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare’s edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

metadata: JSON

Metadata associated with the tunnel.

name: String

A user-friendly name for a tunnel.

remote_config: Bool (deprecated)

Use the config_src field instead.

If true, the tunnel can be configured remotely from the Zero Trust dashboard. If false, the tunnel must be configured locally on the origin machine.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

cloudflare_zero_trust_tunnel_cloudflareds

# Lists tunnels for the account. The generated example sets every optional filter at once
# to show the syntax; a real query would normally use only a subset.
data "cloudflare_zero_trust_tunnel_cloudflareds" "example_zero_trust_tunnel_cloudflareds" {
  account_id = "699d98642c564d2e855e9661899b7252"
  # NOTE(review): the same prefix is both excluded and included here; presumably illustrative only.
  exclude_prefix = "vpc1-"
  # Per the schema this timestamp is passed URL-encoded (%3A is ":").
  existed_at = "2019-10-12T07%3A20%3A50.52Z"
  include_prefix = "vpc1-"
  # true = only deleted tunnels; false = exclude deleted tunnels; unset = all tunnels.
  # NOTE(review): combined with status = "healthy" below this may match nothing; confirm before copying.
  is_deleted = true
  name = "blog"
  # One of inactive, degraded, healthy or down.
  status = "healthy"
  uuid = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  was_active_at = "2009-11-10T23:00:00Z"
  was_inactive_at = "2009-11-10T23:00:00Z"
}

Zero TrustTunnelsCloudflaredConfigurations

resource cloudflare_zero_trust_tunnel_cloudflared_config

required Expand Collapse
tunnel_id: String

UUID of the tunnel.

account_id: String

Identifier.

optional Expand Collapse
config?: Attributes

The tunnel configuration and ingress rules.

ingress?: List[Attributes]

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: String

Public hostname for this service.

service: String

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. ‘http_status:404’.

origin_request?: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Attributes

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required?: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool?: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout?: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

disable_chunked_encoding?: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin?: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header?: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections?: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout?: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host?: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs?: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify?: Bool

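Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted, so cloudflared can no longer authenticate the origin it connects to. For an origin with a privately issued certificate, prefer setting ca_pool and origin_server_name over disabling verification.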

origin_server_name?: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type?: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcp_keep_alive?: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout?: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path?: String

Requests with this path route to this public hostname.

origin_request?: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access?: Attributes

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required?: Bool

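Deny traffic that has not fulfilled Access authorization. When this is false, traffic that has not fulfilled Access authorization is not denied at the tunnel.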

ca_pool?: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout?: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tls_timeout.

disable_chunked_encoding?: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin?: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header?: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections?: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout?: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host?: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs?: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify?: Bool

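Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted, so cloudflared can no longer authenticate the origin it connects to. For an origin with a privately issued certificate, prefer setting ca_pool and origin_server_name over disabling verification.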

origin_server_name?: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type?: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcp_keep_alive?: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout?: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

[Deprecated] warp_routing: Attributes

This field is ignored by cloudflared since version 2023.10.0.

Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

enabled: Bool
computed Expand Collapse
id: String

UUID of the tunnel.

created_at: Time
source: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel’s configuration on the Zero Trust dashboard.

version: Int64

The version of the Tunnel Configuration.

cloudflare_zero_trust_tunnel_cloudflared_config

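# Example tunnel configuration: one public hostname routed to a local HTTPS
# origin, with origin_request settings given both on the ingress rule and at
# the config level. All values are documentation placeholders.
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "example_zero_trust_tunnel_cloudflared_config" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"

  config = {
    ingress = [{
      hostname = "tunnel.example.com"
      service  = "https://localhost:8001"

      # Connection settings between cloudflared and the origin for this hostname.
      origin_request = {
        access = {
          # Access applications allowed to reach this hostname.
          aud_tag   = ["string"]
          team_name = "zero-trust-organization-name"
          # true denies traffic that has not fulfilled Access authorization;
          # with false, the aud_tag list above is not enforced as a gate.
          required = true
        }

        # Path to the CA for the origin certificate (placeholder).
        ca_pool                  = "caPool"
        connect_timeout          = 10
        disable_chunked_encoding = true
        # http2_origin requires the origin to be configured as https.
        http2_origin           = true
        http_host_header       = "httpHostHeader"
        keep_alive_connections = 100
        keep_alive_timeout     = 90
        match_sn_ito_host      = false
        no_happy_eyeballs      = false
        # Keep origin certificate verification on; true would accept any
        # certificate presented by the origin.
        no_tls_verify      = false
        origin_server_name = "originServerName"
        # Valid options are "" (regular proxy) and "socks" (SOCKS5 proxy).
        proxy_type     = ""
        tcp_keep_alive = 30
        tls_timeout    = 10
      }

      # Requests with this path route to this public hostname.
      path = "subpath"
    }]

    # Config-level origin_request, mirroring the per-hostname block above.
    origin_request = {
      access = {
        aud_tag   = ["string"]
        team_name = "zero-trust-organization-name"
        # true denies traffic that has not fulfilled Access authorization.
        required = true
      }

      ca_pool                  = "caPool"
      connect_timeout          = 10
      disable_chunked_encoding = true
      http2_origin             = true
      http_host_header         = "httpHostHeader"
      keep_alive_connections   = 100
      keep_alive_timeout       = 90
      match_sn_ito_host        = false
      no_happy_eyeballs        = false
      # Keep origin certificate verification on.
      no_tls_verify      = false
      origin_server_name = "originServerName"
      # Valid options are "" (regular proxy) and "socks" (SOCKS5 proxy).
      proxy_type     = ""
      tcp_keep_alive = 30
      tls_timeout    = 10
    }
  }
}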

data cloudflare_zero_trust_tunnel_cloudflared_config

required Expand Collapse
account_id: String

Identifier.

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
created_at: Time
source: String

Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel’s configuration on the Zero Trust dashboard.

version: Int64

The version of the Tunnel Configuration.

config: Attributes

The tunnel configuration and ingress rules.

ingress: List[Attributes]

List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.

hostname: String

Public hostname for this service.

service: String

Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively, the rule can return an HTTP status code with http_status:[code], e.g. ‘http_status:404’.

origin_request: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: Attributes

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tls_timeout.

disable_chunked_encoding: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify: Bool

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

origin_server_name: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcp_keep_alive: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

path: String

Requests with this path route to this public hostname.

origin_request: Attributes

Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.

access: Attributes

For all L7 requests to this hostname, cloudflared will validate each request’s Cf-Access-Jwt-Assertion request header.

aud_tag: List[String]

Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.

team_name: String
required: Bool

Deny traffic that has not fulfilled Access authorization.

ca_pool: String

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

connect_timeout: Int64

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tls_timeout.

disable_chunked_encoding: Bool

Disables chunked transfer encoding. Useful if you are running a WSGI server.

http2_origin: Bool

Attempt to connect to origin using HTTP2. Origin must be configured as https.

http_host_header: String

Sets the HTTP Host header on requests sent to the local service.

keep_alive_connections: Int64

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

keep_alive_timeout: Int64

Timeout after which an idle keepalive connection can be discarded.

match_sn_ito_host: Bool

Auto configure the Hostname on the origin server certificate.

no_happy_eyeballs: Bool

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

no_tls_verify: Bool

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

origin_server_name: String

Hostname that cloudflared should expect from your origin server certificate.

proxy_type: String

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and “socks” for a SOCKS5 proxy.

tcp_keep_alive: Int64

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

tls_timeout: Int64

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

[Deprecated] warp_routing: Attributes

This field is ignored by cloudflared since version 2023.10.0.

Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

enabled: Bool

cloudflare_zero_trust_tunnel_cloudflared_config

# Read the configuration of one tunnel, identified by account and tunnel UUID.
# Both values are documentation placeholders.
data "cloudflare_zero_trust_tunnel_cloudflared_config" "example_zero_trust_tunnel_cloudflared_config" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero TrustTunnelsCloudflaredToken

data cloudflare_zero_trust_tunnel_cloudflared_token

required Expand Collapse
account_id: String

Cloudflare account ID

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
token: String

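The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. Treat it as a credential: the value read by this data source is stored in Terraform state, so restrict access to the state backend and avoid exposing the token in outputs or logs.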

cloudflare_zero_trust_tunnel_cloudflared_token

# Read the token of one cloudflared tunnel. The computed `token` authenticates
# the operation of the tunnel, so handle it as a credential: the value read
# here ends up in Terraform state.
data "cloudflare_zero_trust_tunnel_cloudflared_token" "example_zero_trust_tunnel_cloudflared_token" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustTunnelsWARP Connector

resource cloudflare_zero_trust_tunnel_warp_connector

required Expand Collapse
account_id: String

Cloudflare account ID

name: String

A user-friendly name for a tunnel.

optional Expand Collapse
ha?: Bool

Indicates that the tunnel will be created to be highly available. If omitted, defaults to false.

tunnel_secret?: String

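Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. Treat the value as a credential: generate it randomly and supply it from a secret store or a sensitive variable rather than hard-coding it in configuration; it is also stored in Terraform state.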

computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare’s edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare’s edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

[Deprecated] connections: List[Attributes]

This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint /accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections

The Cloudflare Tunnel connections between your origin and Cloudflare’s edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_warp_connector

# Create a WARP Connector tunnel named "blog". The optional tunnel_secret is
# not set in this example.
resource "cloudflare_zero_trust_tunnel_warp_connector" "example_zero_trust_tunnel_warp_connector" {
  account_id = "699d98642c564d2e855e9661899b7252"
  name       = "blog"

  # Create the tunnel as highly available; when omitted this defaults to false.
  ha = true
}

data cloudflare_zero_trust_tunnel_warp_connector

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
tunnel_id?: String

UUID of the tunnel.

filter?: Attributes
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for the tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
computed Expand Collapse
id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare’s edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare’s edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

name: String

A user-friendly name for a tunnel.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

[Deprecated] connections: List[Attributes]

This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint /accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections

The Cloudflare Tunnel connections between your origin and Cloudflare’s edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

metadata: JSON

Metadata associated with the tunnel.

cloudflare_zero_trust_tunnel_warp_connector

# Read a single WARP Connector tunnel by its UUID. tunnel_id is optional on
# this data source; the filter attribute is not used in this example.
data "cloudflare_zero_trust_tunnel_warp_connector" "example_zero_trust_tunnel_warp_connector" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

data cloudflare_zero_trust_tunnel_warp_connectors

required Expand Collapse
account_id: String

Cloudflare account ID

optional Expand Collapse
exclude_prefix?: String
existed_at?: String

If provided, include only resources that were created (and not deleted) before this time. URL encoded.

include_prefix?: String
is_deleted?: Bool

If true, only include deleted tunnels. If false, exclude deleted tunnels. If empty, all tunnels will be included.

name?: String

A user-friendly name for the tunnel.

status?: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

uuid?: String

UUID of the tunnel.

was_active_at?: Time
was_inactive_at?: Time
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String

UUID of the tunnel.

account_tag: String

Cloudflare account ID

[Deprecated] connections: List[Attributes]

This field will start returning an empty array. To fetch the connections of a given tunnel, please use the dedicated endpoint /accounts/{account_id}/{tunnel_type}/{tunnel_id}/connections

The Cloudflare Tunnel connections between your origin and Cloudflare’s edge.

id: String

UUID of the Cloudflare Tunnel connection.

client_id: String

UUID of the Cloudflare Tunnel connector.

client_version: String

The cloudflared version used to establish this connection.

colo_name: String

The Cloudflare data center used for this connection.

is_pending_reconnect: Bool

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

opened_at: Time

Timestamp of when the connection was established.

origin_ip: String

The public IP address of the host running cloudflared.

uuid: String

UUID of the Cloudflare Tunnel connection.

conns_active_at: Time

Timestamp of when the tunnel established at least one connection to Cloudflare’s edge. If null, the tunnel is inactive.

conns_inactive_at: Time

Timestamp of when the tunnel became inactive (no connections to Cloudflare’s edge). If null, the tunnel is active.

created_at: Time

Timestamp of when the resource was created.

deleted_at: Time

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

metadata: JSON

Metadata associated with the tunnel.

name: String

A user-friendly name for a tunnel.

status: String

The status of the tunnel. Valid values are inactive (tunnel has never been run), degraded (tunnel is active and able to serve traffic but in an unhealthy state), healthy (tunnel is active and able to serve traffic), or down (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).

tun_type: String

The type of tunnel.

cloudflare_zero_trust_tunnel_warp_connectors

# Example query for WARP Connector tunnels in one account. Every filter is set
# here for illustration; all values are documentation placeholders.
data "cloudflare_zero_trust_tunnel_warp_connectors" "example_zero_trust_tunnel_warp_connectors" {
  account_id = "699d98642c564d2e855e9661899b7252"

  # Name and identity filters.
  name           = "blog"
  uuid           = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  include_prefix = "vpc1-"
  exclude_prefix = "vpc1-"

  # State filters. is_deleted = true includes only deleted tunnels.
  status     = "healthy"
  is_deleted = true

  # Time filters. existed_at is URL-encoded and keeps only resources that
  # were created (and not deleted) before that time.
  existed_at      = "2019-10-12T07%3A20%3A50.52Z"
  was_active_at   = "2009-11-10T23:00:00Z"
  was_inactive_at = "2009-11-10T23:00:00Z"
}

Zero TrustTunnelsWARP ConnectorToken

data cloudflare_zero_trust_tunnel_warp_connector_token

required Expand Collapse
account_id: String

Cloudflare account ID

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
token: String

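The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. Treat it as a credential: the value read by this data source is stored in Terraform state, so restrict access to the state backend and avoid exposing the token in outputs or logs.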

cloudflare_zero_trust_tunnel_warp_connector_token

# Read the token of one WARP Connector tunnel. The computed `token`
# authenticates the operation of the tunnel, so handle it as a credential:
# the value read here ends up in Terraform state.
data "cloudflare_zero_trust_tunnel_warp_connector_token" "example_zero_trust_tunnel_warp_connector_token" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "699d98642c564d2e855e9661899b7252"
}

Zero TrustTunnelsWARP ConnectorConfigurations

resource cloudflare_zero_trust_tunnel_warp_connector_config

required Expand Collapse
tunnel_id: String

UUID of the tunnel.

account_id: String

Identifier.

ha_mode: String

High-availability mode for the WARP Connector tunnel. none means HA is enabled but no provider is configured yet (newly created tunnels default to this). disabled means HA is explicitly turned off. aws uses AWS ENI move for failover. local uses virtual IPs (VIPs) on the local interface.

optional Expand Collapse
config?: Attributes

Provider-specific configuration. Required shape depends on ha_mode. For aws, must contain fnr_id. For local, must contain vips. For none and disabled, must be empty or omitted.

fnr_id?: String

Floating Network Resource ID — the secondary ENI that is moved between nodes on failover.

vips?: List[Attributes]

VIPs to assign on the CloudflareWARP interface.

address: String

Virtual IP address (IPv4 or IPv6).

vips_previous?: List[Attributes]

VIPs to clean up on demotion or version drift.

address: String

Virtual IP address (IPv4 or IPv6).

computed Expand Collapse
id: String

UUID of the tunnel.

configuration_version: Int64

Monotonically increasing configuration version, incremented on each PUT.

created_at: Time

Timestamp of when the resource was created.

updated_at: Time

Timestamp of the last update. Null if never updated.

cloudflare_zero_trust_tunnel_warp_connector_config

# Configure high availability for a WARP Connector tunnel using the aws mode.
# Identifiers are documentation placeholders.
resource "cloudflare_zero_trust_tunnel_warp_connector_config" "example_zero_trust_tunnel_warp_connector_config" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"

  # aws uses AWS ENI move for failover; in this mode config must contain fnr_id.
  ha_mode = "aws"

  config = {
    # Floating Network Resource ID: the secondary ENI moved between nodes on failover.
    fnr_id = "eni-0123456789abcdef0"
  }
}

data cloudflare_zero_trust_tunnel_warp_connector_config

required Expand Collapse
account_id: String

Identifier.

tunnel_id: String

UUID of the tunnel.

computed Expand Collapse
configuration_version: Int64

Monotonically increasing configuration version, incremented on each PUT.

created_at: Time

Timestamp of when the resource was created.

ha_mode: String

High-availability mode for the WARP Connector tunnel. none means HA is enabled but no provider is configured yet (newly created tunnels default to this). disabled means HA is explicitly turned off. aws uses AWS ENI move for failover. local uses virtual IPs (VIPs) on the local interface.

updated_at: Time

Timestamp of the last update. Null if never updated.

config: Attributes

Provider-specific configuration. Present for aws and local modes.

fnr_id: String

Floating Network Resource ID — the secondary ENI that is moved between nodes on failover.

vips: List[Attributes]

VIPs to assign on the CloudflareWARP interface.

address: String

Virtual IP address (IPv4 or IPv6).

vips_previous: List[Attributes]

VIPs to clean up on demotion or version drift.

address: String

Virtual IP address (IPv4 or IPv6).

cloudflare_zero_trust_tunnel_warp_connector_config

# Read the HA configuration of one WARP Connector tunnel, identified by
# account and tunnel UUID (placeholder values).
data "cloudflare_zero_trust_tunnel_warp_connector_config" "example_zero_trust_tunnel_warp_connector_config" {
  tunnel_id  = "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  account_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Zero TrustDLPCustom Prompt Topics

data cloudflare_zero_trust_dlp_custom_prompt_topic

required Expand Collapse
account_id: String
entry_id: String
computed Expand Collapse
created_at: Time
description: String
[Deprecated] enabled: Bool
id: String
name: String
[Deprecated] profile_id: String
topic: String
updated_at: Time

cloudflare_zero_trust_dlp_custom_prompt_topic

# Read one DLP custom prompt topic by entry ID. "account_id" is a literal
# placeholder string, not a real account identifier.
data "cloudflare_zero_trust_dlp_custom_prompt_topic" "example_zero_trust_dlp_custom_prompt_topic" {
  entry_id   = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  account_id = "account_id"
}

data cloudflare_zero_trust_dlp_custom_prompt_topics

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
[Deprecated] enabled: Bool
name: String
topic: String
updated_at: Time
description: String
[Deprecated] profile_id: String

cloudflare_zero_trust_dlp_custom_prompt_topics

# List the DLP custom prompt topics of an account. max_items is not set, so
# the documented default of 1000 applies. "account_id" is a placeholder string.
data "cloudflare_zero_trust_dlp_custom_prompt_topics" "example_zero_trust_dlp_custom_prompt_topics" {
  account_id = "account_id"
}

Zero TrustDLPDatasets

resource cloudflare_zero_trust_dlp_dataset

required Expand Collapse
account_id: String
name: String
optional Expand Collapse
dataset_id?: String
encoding_version?: Int64

Dataset encoding version

Non-secret custom word lists with no header are always version 1. Secret EDM lists with no header are version 1. Multicolumn CSV with headers are version 2. Omitting this field provides the default value 0, which is interpreted the same as 1.

secret?: Bool

Generate a secret dataset.

If true, the response will include a secret to use with the EDM encoder. If false, the response has no secret and the dataset is uploaded in plaintext.

case_sensitive?: Bool

Only applies to custom word lists. Determines whether the words are matched in a case-sensitive manner. Cannot be set to false if secret is true or undefined.

description?: String

The description of the dataset.

computed Expand Collapse
created_at: Time
id: String
max_cells: Int64
num_cells: Int64
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

version: Int64

The version to use when uploading the dataset.

columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
dataset: Attributes
id: String
columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
created_at: Time
encoding_version: Int64
name: String
num_cells: Int64
secret: Bool
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64
case_sensitive: Bool
description: String

The description of the dataset.

uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64

cloudflare_zero_trust_dlp_dataset

# Create a DLP dataset. All string values are documentation placeholders.
resource "cloudflare_zero_trust_dlp_dataset" "example_zero_trust_dlp_dataset" {
  account_id  = "account_id"
  name        = "name"
  description = "description"

  # Generate a secret dataset: the response then includes a secret to use
  # with the EDM encoder. With false the dataset is uploaded in plaintext.
  secret = true

  # 0 is the default and is interpreted the same as encoding version 1.
  encoding_version = 0

  # Only applies to custom word lists; cannot be false while secret is true.
  case_sensitive = true
}

data cloudflare_zero_trust_dlp_dataset

required Expand Collapse
account_id: String
dataset_id: String
computed Expand Collapse
case_sensitive: Bool
created_at: Time
description: String

The description of the dataset.

encoding_version: Int64
id: String
name: String
num_cells: Int64
secret: Bool
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64

cloudflare_zero_trust_dlp_dataset

# Read one DLP dataset by its dataset ID. "account_id" is a literal
# placeholder string, not a real account identifier.
data "cloudflare_zero_trust_dlp_dataset" "example_zero_trust_dlp_dataset" {
  dataset_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  account_id = "account_id"
}

data cloudflare_zero_trust_dlp_datasets

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
columns: List[Attributes]
entry_id: String
header_name: String
num_cells: Int64
upload_status: String
created_at: Time
encoding_version: Int64
name: String
num_cells: Int64
secret: Bool
status: String
updated_at: Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

uploads: List[Attributes]
num_cells: Int64
status: String
version: Int64
case_sensitive: Bool
description: String

The description of the dataset.

cloudflare_zero_trust_dlp_datasets

# List the DLP datasets of an account. max_items is not set, so the
# documented default of 1000 applies. "account_id" is a placeholder string.
data "cloudflare_zero_trust_dlp_datasets" "example_zero_trust_dlp_datasets" {
  account_id = "account_id"
}

Zero TrustDLPSettings

resource cloudflare_zero_trust_dlp_settings

required Expand Collapse
account_id: String
optional Expand Collapse
ai_context_analysis?: Bool

Whether AI context analysis is enabled at the account level.

ocr?: Bool

Whether OCR is enabled at the account level.

payload_logging?: Attributes

Request model for payload log settings within the DLP settings endpoint. Unlike the legacy endpoint, null and missing are treated identically here (both mean “not provided” for PATCH, “reset to default” for PUT).

masking_level?: String

Masking level for payload logs.

  • full: The entire payload is masked.
  • partial: Only partial payload content is masked.
  • clear: No masking is applied to the payload content.
  • default: DLP uses its default masking behavior.
public_key?: String

Base64-encoded public key for encrypting payload logs.

  • Set to a non-empty base64 string to enable payload logging with the given key.
  • Set to an empty string to disable payload logging.
  • Omit or set to null to leave unchanged (PATCH) or reset to disabled (PUT).
computed Expand Collapse
id: String

cloudflare_zero_trust_dlp_settings

# Account-level DLP settings; values are documentation placeholders.
resource "cloudflare_zero_trust_dlp_settings" "example_zero_trust_dlp_settings" {
  account_id = "account_id"
  ai_context_analysis = true
  ocr = true
  payload_logging = {
    # One of full | partial | clear | default. "clear" applies no masking to
    # the logged payload content; "full" masks the entire payload.
    masking_level = "full"
    # Must be a base64-encoded public key: a non-empty value enables payload
    # logging with that key, an empty string disables it. "public_key" is a
    # placeholder, not a usable key. Only the public half belongs in
    # configuration; presumably the holder of the matching private key is the
    # one who can read the encrypted logs.
    # Omitting the field leaves it unchanged on PATCH but resets it to disabled
    # on PUT. NOTE(review): the page does not say which request the provider
    # sends — confirm before relying on omission.
    public_key = "public_key"
  }
}

data cloudflare_zero_trust_dlp_settings

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
ai_context_analysis: Bool

Whether AI context analysis is enabled at the account level.

ocr: Bool

Whether OCR is enabled at the account level.

payload_logging: Attributes
updated_at: Time
masking_level: String

Masking level for payload logs.

  • full: The entire payload is masked.
  • partial: Only partial payload content is masked.
  • clear: No masking is applied to the payload content.
  • default: DLP uses its default masking behavior.
public_key: String

Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

cloudflare_zero_trust_dlp_settings

data "cloudflare_zero_trust_dlp_settings" "example_zero_trust_dlp_settings" {
  account_id = "account_id"
}

Zero TrustDLPProfilesCustom

resource cloudflare_zero_trust_dlp_custom_profile

required Expand Collapse
account_id: String
name: String
optional Expand Collapse
description?: String

The description of the profile.

data_classes?: List[String]

Data class IDs to associate with the profile.

data_tags?: List[String]

Data tag IDs to associate with the profile.

Deprecated context_awareness?: Attributes

Scan the context of predefined entries to only return matches surrounded by keywords.

enabled: Bool

If true, scan the context of predefined entries to only return matches surrounded by keywords.

entries?: List[Attributes]
enabled: Bool
name: String
pattern?: Attributes
regex: String
Deprecated validation?: String
description?: String
words?: List[String]
sensitivity_levels?: List[Attributes]

Sensitivity levels to associate with the profile.

group_id: String
level_id: String
shared_entries?: List[Attributes]

Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).

enabled: Bool
entry_id: String
ai_context_enabled?: Bool
allowed_match_count?: Int64

Related DLP policies will trigger when the match count exceeds the number set.

confidence_threshold?: String
ocr_enabled?: Bool
computed Expand Collapse
id: String

The id of the profile (uuid).

created_at: Time

When the profile was created.

open_access: Bool

Whether this profile can be accessed by anyone.

type: String
updated_at: Time

When the profile was last updated.

cloudflare_zero_trust_dlp_custom_profile

# Example custom DLP profile; IDs and strings are documentation placeholders.
resource "cloudflare_zero_trust_dlp_custom_profile" "example_zero_trust_dlp_custom_profile" {
  account_id = "account_id"
  name = "name"
  ai_context_enabled = true
  # Related DLP policies trigger only when the match count exceeds this number,
  # so with 5 a payload containing five or fewer matches does not trigger them.
  allowed_match_count = 5
  # Placeholder; the attribute reference on this page does not list the
  # accepted values.
  confidence_threshold = "confidence_threshold"
  # context_awareness is marked Deprecated in the attribute reference.
  # NOTE(review): that reference documents only `enabled`; `skip` is not
  # described there — confirm it is still accepted.
  context_awareness = {
    enabled = true
    skip = {
      files = true
    }
  }
  data_classes = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  data_tags = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  description = "description"
  ocr_enabled = true
  sensitivity_levels = [{
    group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    level_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }]
  # shared_entries reference entries that belong to other profiles (for
  # example predefined Cloudflare profiles); this example defines no entries
  # of its own.
  shared_entries = [{
    enabled = true
    entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }]
}

data cloudflare_zero_trust_dlp_custom_profile

required Expand Collapse
profile_id: String
account_id: String
computed Expand Collapse
id: String
ai_context_enabled: Bool
allowed_match_count: Int64

Related DLP policies will trigger when the match count exceeds the number set.

confidence_threshold: String
created_at: Time

When the profile was created.

description: String

The description of the profile.

name: String

The name of the profile.

ocr_enabled: Bool
open_access: Bool

Whether this profile can be accessed by anyone.

type: String
updated_at: Time

When the profile was last updated.

data_classes: List[String]

Data classes associated with this profile.

data_tags: List[String]

Data tags associated with this profile.

Deprecated context_awareness: Attributes

Scan the context of predefined entries to only return matches surrounded by keywords.

enabled: Bool

If true, scan the context of predefined entries to only return matches surrounded by keywords.

Deprecated entries: List[Attributes]
id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON
sensitivity_levels: List[Attributes]

Sensitivity levels associated with this profile.

group_id: String
level_id: String
shared_entries: List[Attributes]
id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_custom_profile

data "cloudflare_zero_trust_dlp_custom_profile" "example_zero_trust_dlp_custom_profile" {
  account_id = "account_id"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero TrustDLPProfilesPredefined

resource cloudflare_zero_trust_dlp_predefined_profile

required Expand Collapse
profile_id: String
account_id: String
optional Expand Collapse
enabled_entries?: List[String]
ai_context_enabled?: Bool
allowed_match_count?: Int64
confidence_threshold?: String
ocr_enabled?: Bool
Deprecated entries?: List[Attributes]
id: String
enabled: Bool
computed Expand Collapse
id: String
name: String

The name of the predefined profile.

open_access: Bool

Whether this profile can be accessed by anyone.

cloudflare_zero_trust_dlp_predefined_profile

# Example configuration of a predefined DLP profile; IDs are placeholders.
resource "cloudflare_zero_trust_dlp_predefined_profile" "example_zero_trust_dlp_predefined_profile" {
  account_id = "account_id"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  ai_context_enabled = true
  # NOTE(review): no description is given for this attribute here; on the
  # custom profile the same-named attribute makes related policies trigger
  # only when the match count exceeds the number set — confirm it behaves the
  # same way for predefined profiles.
  allowed_match_count = 5
  confidence_threshold = "confidence_threshold"
  # Per the data source reference on this page, any entry not listed in
  # enabled_entries will be disabled, so this list must name every entry that
  # should stay active.
  enabled_entries = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  # entries is deprecated in favour of enabled_entries. NOTE(review): the page
  # does not state which one wins when both are set — prefer enabled_entries
  # alone in new configurations.
  entries = [{
    id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    enabled = true
  }]
  ocr_enabled = true
}

data cloudflare_zero_trust_dlp_predefined_profile

required Expand Collapse
profile_id: String
account_id: String
computed Expand Collapse
id: String
ai_context_enabled: Bool
allowed_match_count: Int64
confidence_threshold: String
name: String

The name of the predefined profile.

ocr_enabled: Bool
open_access: Bool

Whether this profile can be accessed by anyone.

enabled_entries: List[String]

Entries to enable for this predefined profile. Any entries not provided will be disabled.

Deprecated entries: List[Attributes]

This field has been deprecated for enabled_entries.

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_predefined_profile

data "cloudflare_zero_trust_dlp_predefined_profile" "example_zero_trust_dlp_predefined_profile" {
  account_id = "account_id"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero TrustDLPEntries

resource cloudflare_zero_trust_dlp_entry

required Expand Collapse
account_id: String
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecated validation?: String
optional Expand Collapse
profile_id?: String
description?: String
type?: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
secret: Bool
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_entry

# Example DLP entry attached to a profile; values are placeholders.
resource "cloudflare_zero_trust_dlp_entry" "example_zero_trust_dlp_entry" {
  account_id = "account_id"
  enabled = true
  name = "name"
  pattern = {
    # Placeholder: replace with the detection pattern for this entry.
    regex = "regex"
    # validation is marked Deprecated in the attribute reference on this page;
    # avoid depending on it in new configurations.
    validation = "luhn"
  }
  description = "description"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_entry

data "cloudflare_zero_trust_dlp_entry" "example_zero_trust_dlp_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_entries

# Lists the account's DLP entries. max_items is not set here, so at most the
# documented default of 1000 items is fetched; set it explicitly if the account
# may hold more and the result is used to audit which entries are enabled.
data "cloudflare_zero_trust_dlp_entries" "example_zero_trust_dlp_entries" {
  account_id = "account_id"
}

Zero TrustDLPEntriesCustom

resource cloudflare_zero_trust_dlp_custom_entry

required Expand Collapse
account_id: String
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecated validation?: String
optional Expand Collapse
profile_id?: String
description?: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_custom_entry

# Example custom DLP entry attached to a profile; values are placeholders.
resource "cloudflare_zero_trust_dlp_custom_entry" "example_zero_trust_dlp_custom_entry" {
  account_id = "account_id"
  enabled = true
  name = "name"
  pattern = {
    # Placeholder: replace with the detection pattern for this entry.
    regex = "regex"
    # validation is marked Deprecated in the attribute reference on this page;
    # avoid depending on it in new configurations.
    validation = "luhn"
  }
  description = "description"
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_custom_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_custom_entry

data "cloudflare_zero_trust_dlp_custom_entry" "example_zero_trust_dlp_custom_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_custom_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_custom_entries

data "cloudflare_zero_trust_dlp_custom_entries" "example_zero_trust_dlp_custom_entries" {
  account_id = "account_id"
}

Zero TrustDLPEntriesPredefined

resource cloudflare_zero_trust_dlp_predefined_entry

required Expand Collapse
account_id: String
entry_id: String
enabled: Bool
optional Expand Collapse
profile_id?: String

This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
name: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_predefined_entry

# Enables or disables one predefined DLP entry; IDs are placeholders.
resource "cloudflare_zero_trust_dlp_predefined_entry" "example_zero_trust_dlp_predefined_entry" {
  account_id = "account_id"
  enabled = true
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  # Per the attribute reference, profile_id is not used as the owning profile:
  # a predefined entry is already owned by its predefined profile.
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_predefined_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_predefined_entry

data "cloudflare_zero_trust_dlp_predefined_entry" "example_zero_trust_dlp_predefined_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_predefined_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_predefined_entries

data "cloudflare_zero_trust_dlp_predefined_entries" "example_zero_trust_dlp_predefined_entries" {
  account_id = "account_id"
}

Zero TrustDLPEntriesIntegration

resource cloudflare_zero_trust_dlp_integration_entry

required Expand Collapse
account_id: String
entry_id: String
enabled: Bool
optional Expand Collapse
profile_id?: String

This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.

computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
name: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_integration_entry

# Enables or disables one integration DLP entry; IDs are placeholders.
resource "cloudflare_zero_trust_dlp_integration_entry" "example_zero_trust_dlp_integration_entry" {
  account_id = "account_id"
  enabled = true
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  # Per the attribute reference, profile_id is not used as the owning profile.
  # NOTE(review): that text speaks of predefined entries; confirm how it
  # applies to integration entries.
  profile_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_integration_entry

required Expand Collapse
entry_id: String
account_id: String
computed Expand Collapse
id: String
case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

created_at: Time
description: String
enabled: Bool
name: String
profile_id: String
secret: Bool
type: String
updated_at: Time
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

pattern: Attributes
regex: String
Deprecatedvalidation: String
profiles: List[Attributes]
id: String
name: String
variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

word_list: JSON

cloudflare_zero_trust_dlp_integration_entry

data "cloudflare_zero_trust_dlp_integration_entry" "example_zero_trust_dlp_integration_entry" {
  account_id = "account_id"
  entry_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_integration_entries

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
enabled: Bool
name: String
pattern: Attributes
regex: String
Deprecatedvalidation: String
type: String
updated_at: Time
description: String
profile_id: String
upload_status: String
confidence: Attributes
ai_context_available: Bool

Indicates whether this entry has AI remote service validation.

available: Bool

Indicates whether this entry has any form of validation that is not an AI remote service.

variant: Attributes

A Predefined AI prompt classification topic entry.

topic_type: String
type: String
description: String

A customer-facing explanation of what this predefined AI prompt topic represents.

case_sensitive: Bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.

secret: Bool
word_list: JSON

cloudflare_zero_trust_dlp_integration_entries

data "cloudflare_zero_trust_dlp_integration_entries" "example_zero_trust_dlp_integration_entries" {
  account_id = "account_id"
}

Zero TrustDLPSensitivity Groups

resource cloudflare_zero_trust_dlp_sensitivity_group

required Expand Collapse
account_id: String
name: String
optional Expand Collapse
template_id?: String
description?: String
levels?: List[Attributes]

Levels to create with the group. Mutually exclusive with template_id.

name: String
description?: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_dlp_sensitivity_group

resource "cloudflare_zero_trust_dlp_sensitivity_group" "example_zero_trust_dlp_sensitivity_group" {
  account_id = "account_id"
  name = "name"
  description = "description"
}

data cloudflare_zero_trust_dlp_sensitivity_group

required Expand Collapse
sensitivity_group_id: String
account_id: String
computed Expand Collapse
id: String
created_at: Time
description: String
name: String
template_id: String
updated_at: Time
levels: List[Attributes]
id: String
created_at: Time
name: String
updated_at: Time
description: String

cloudflare_zero_trust_dlp_sensitivity_group

data "cloudflare_zero_trust_dlp_sensitivity_group" "example_zero_trust_dlp_sensitivity_group" {
  account_id = "account_id"
  sensitivity_group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_sensitivity_groups

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
levels: List[Attributes]
id: String
created_at: Time
name: String
updated_at: Time
description: String
name: String
updated_at: Time
description: String
template_id: String

cloudflare_zero_trust_dlp_sensitivity_groups

data "cloudflare_zero_trust_dlp_sensitivity_groups" "example_zero_trust_dlp_sensitivity_groups" {
  account_id = "account_id"
}

Zero TrustDLPSensitivity GroupsLevels

resource cloudflare_zero_trust_dlp_sensitivity_level

required Expand Collapse
account_id: String
sensitivity_group_id: String
name: String
optional Expand Collapse
description?: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_dlp_sensitivity_level

resource "cloudflare_zero_trust_dlp_sensitivity_level" "example_zero_trust_dlp_sensitivity_level" {
  account_id = "account_id"
  sensitivity_group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  name = "name"
  description = "description"
}

data cloudflare_zero_trust_dlp_sensitivity_level

required Expand Collapse
sensitivity_level_id: String
account_id: String
sensitivity_group_id: String
computed Expand Collapse
id: String
created_at: Time
description: String
name: String
updated_at: Time

cloudflare_zero_trust_dlp_sensitivity_level

data "cloudflare_zero_trust_dlp_sensitivity_level" "example_zero_trust_dlp_sensitivity_level" {
  account_id = "account_id"
  sensitivity_group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  sensitivity_level_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_sensitivity_levels

required Expand Collapse
account_id: String
sensitivity_group_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
name: String
updated_at: Time
description: String

cloudflare_zero_trust_dlp_sensitivity_levels

data "cloudflare_zero_trust_dlp_sensitivity_levels" "example_zero_trust_dlp_sensitivity_levels" {
  account_id = "account_id"
  sensitivity_group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero TrustDLPSensitivity GroupsLevelsOrder

resource cloudflare_zero_trust_dlp_sensitivity_level_order

required Expand Collapse
sensitivity_group_id: String
account_id: String
level_ids: List[String]
computed Expand Collapse
id: String

cloudflare_zero_trust_dlp_sensitivity_level_order

resource "cloudflare_zero_trust_dlp_sensitivity_level_order" "example_zero_trust_dlp_sensitivity_level_order" {
  account_id = "account_id"
  sensitivity_group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  level_ids = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
}

data cloudflare_zero_trust_dlp_sensitivity_level_order

required Expand Collapse
sensitivity_group_id: String
account_id: String
computed Expand Collapse
id: String
level_ids: List[String]

cloudflare_zero_trust_dlp_sensitivity_level_order

data "cloudflare_zero_trust_dlp_sensitivity_level_order" "example_zero_trust_dlp_sensitivity_level_order" {
  account_id = "account_id"
  sensitivity_group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero TrustDLPData Tag Categories

resource cloudflare_zero_trust_dlp_data_tag_category

required Expand Collapse
account_id: String
name: String
optional Expand Collapse
template_id?: String
description?: String
tags?: List[Attributes]

Tags to create with the category. Mutually exclusive with template_id.

name: String
description?: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_dlp_data_tag_category

resource "cloudflare_zero_trust_dlp_data_tag_category" "example_zero_trust_dlp_data_tag_category" {
  account_id = "account_id"
  name = "name"
  description = "description"
}

data cloudflare_zero_trust_dlp_data_tag_category

required Expand Collapse
category_id: String
account_id: String
computed Expand Collapse
id: String
created_at: Time
description: String
name: String
template_id: String
updated_at: Time
tags: List[Attributes]
id: String
created_at: Time
name: String
updated_at: Time
description: String

cloudflare_zero_trust_dlp_data_tag_category

data "cloudflare_zero_trust_dlp_data_tag_category" "example_zero_trust_dlp_data_tag_category" {
  account_id = "account_id"
  category_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_data_tag_categories

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
name: String
tags: List[Attributes]
id: String
created_at: Time
name: String
updated_at: Time
description: String
updated_at: Time
description: String
template_id: String

cloudflare_zero_trust_dlp_data_tag_categories

# Lists the account's data tag categories in `result`.
# `max_items` is not set here, so the documented default of 1000 applies; an
# inventory or audit built on this list may be incomplete on accounts with
# more entries — TODO confirm how the provider handles the overflow.
data "cloudflare_zero_trust_dlp_data_tag_categories" "example_zero_trust_dlp_data_tag_categories" {
  account_id = "account_id" # placeholder; substitute the real account identifier
}

Zero Trust > DLP > Data Tag Categories > Data Tags

resource cloudflare_zero_trust_dlp_data_tag

required Expand Collapse
account_id: String
category_id: String
name: String
optional Expand Collapse
description?: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_dlp_data_tag

# Creates one data tag inside an existing data tag category.
# account_id, name and description are placeholders; category_id is the
# reference's sample UUID and must be replaced with the parent category's ID.
resource "cloudflare_zero_trust_dlp_data_tag" "example_zero_trust_dlp_data_tag" {
  account_id  = "account_id"
  category_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  name        = "name"
  description = "description"
}

data cloudflare_zero_trust_dlp_data_tag

required Expand Collapse
tag_id: String
account_id: String
category_id: String
computed Expand Collapse
id: String
created_at: Time
description: String
name: String
updated_at: Time

cloudflare_zero_trust_dlp_data_tag

# Reads a single data tag by category and tag ID.
# The same sample UUID appears in both category_id and tag_id only because the
# reference reuses one example value; in practice they identify different objects.
data "cloudflare_zero_trust_dlp_data_tag" "example_zero_trust_dlp_data_tag" {
  account_id  = "account_id"
  category_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  tag_id      = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_data_tags

required Expand Collapse
account_id: String
category_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
name: String
updated_at: Time
description: String

cloudflare_zero_trust_dlp_data_tags

# Lists the data tags of one category in `result`.
# `max_items` is left at its documented default of 1000, so the list may be
# incomplete for larger categories — TODO confirm overflow behaviour.
data "cloudflare_zero_trust_dlp_data_tags" "example_zero_trust_dlp_data_tags" {
  account_id  = "account_id"
  category_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

Zero Trust > DLP > Data Classes

resource cloudflare_zero_trust_dlp_data_class

required Expand Collapse
account_id: String
expression: String
name: String
data_tags: List[String]
sensitivity_levels: List[Attributes]
group_id: String
level_id: String
optional Expand Collapse
description?: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_dlp_data_class

# Creates a DLP data class that ties an expression to data tags and
# sensitivity levels. All five required arguments are set; description is optional.
# Every string is a placeholder: "expression" is not a real expression, and the
# single sample UUID stands in for a tag ID, a sensitivity group ID and a level ID,
# which are distinct objects in a real configuration.
resource "cloudflare_zero_trust_dlp_data_class" "example_zero_trust_dlp_data_class" {
  account_id = "account_id"
  data_tags  = ["182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"]
  expression = "expression"
  name       = "name"
  sensitivity_levels = [{
    group_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    level_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }]
  description = "description"
}

data cloudflare_zero_trust_dlp_data_class

required Expand Collapse
data_class_id: String
account_id: String
computed Expand Collapse
id: String
created_at: Time
description: String
expression: String
name: String
updated_at: Time
data_tags: List[String]
sensitivity_levels: List[Attributes]
group_id: String
level_id: String

cloudflare_zero_trust_dlp_data_class

# Reads one DLP data class by ID (expression, data_tags, sensitivity_levels).
# account_id is a placeholder and data_class_id is the reference's sample UUID.
data "cloudflare_zero_trust_dlp_data_class" "example_zero_trust_dlp_data_class" {
  account_id    = "account_id"
  data_class_id = "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
}

data cloudflare_zero_trust_dlp_data_classes

required Expand Collapse
account_id: String
optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: String
created_at: Time
data_tags: List[String]
expression: String
name: String
sensitivity_levels: List[Attributes]
group_id: String
level_id: String
updated_at: Time
description: String

cloudflare_zero_trust_dlp_data_classes

# Lists the account's DLP data classes in `result`.
# `max_items` is not set, so the documented default of 1000 applies; a review of
# data classes based on this list may miss entries beyond that — TODO confirm.
data "cloudflare_zero_trust_dlp_data_classes" "example_zero_trust_dlp_data_classes" {
  account_id = "account_id" # placeholder; substitute the real account identifier
}

Zero Trust > Gateway > Categories

data cloudflare_zero_trust_gateway_categories_list

required Expand Collapse
account_id: String

Provide the identifier string.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: Int64

Identify this category. Only one category per ID.

beta: Bool

Indicate whether the category is in beta and subject to change.

class: String

Specify which account types can create policies for this category. `blocked`: blocks unconditionally for all accounts. `removalPending`: allows removal from policies but disables addition. `noBlock`: prevents blocking.

description: String

Provide a short summary of domains in the category.

name: String

Specify the category name.

subcategories: List[Attributes]

Provide all subcategories for this category.

id: Int64

Identify this category. Only one category per ID.

beta: Bool

Indicate whether the category is in beta and subject to change.

class: String

Specify which account types can create policies for this category. `blocked`: blocks unconditionally for all accounts. `removalPending`: allows removal from policies but disables addition. `noBlock`: prevents blocking.

description: String

Provide a short summary of domains in the category.

name: String

Specify the category name.

cloudflare_zero_trust_gateway_categories_list

# Lists Gateway content categories and their subcategories in `result`.
# Before referencing a category ID in a policy, check its `class` and `beta`
# attributes: per the attribute list, `noBlock` categories cannot be blocked,
# `removalPending` ones cannot be added to policies, and beta categories are
# subject to change.
data "cloudflare_zero_trust_gateway_categories_list" "example_zero_trust_gateway_categories_list" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353" # sample identifier from the reference
}

Zero Trust > Gateway > App Types

data cloudflare_zero_trust_gateway_app_types_list

required Expand Collapse
account_id: String

Provide the identifier string.

optional Expand Collapse
max_items?: Int64

Max items to fetch, default: 1000

computed Expand Collapse
result: List[Attributes]

The items returned by the data source

id: Int64

Identify this application. Only one application per ID.

application_type_id: Int64

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

created_at: Time
name: String

Specify the name of the application or application type.

description: String

Provide a short summary of applications with this type.

cloudflare_zero_trust_gateway_app_types_list

# Lists Gateway applications and application types in `result`.
# Entries carry both `id` and `application_type_id`; per the attribute list,
# several applications can share one type, so match on the intended field.
data "cloudflare_zero_trust_gateway_app_types_list" "example_zero_trust_gateway_app_types_list" {
  account_id = "023e105f4ecef8ad9ca31a8372d0c353" # sample identifier from the reference
}

Zero Trust > Gateway > Configurations

resource cloudflare_zero_trust_gateway_settings

required Expand Collapse
account_id: String
optional Expand Collapse
settings?: Attributes

Specify account settings.

activity_log?: Attributes

Specify activity log settings.

enabled?: Bool

Specify whether to log activity.

antivirus?: Attributes

Specify anti-virus settings.

enabled_download_phase?: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase?: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed?: Bool

Specify whether to block requests for unscannable files. When false, requests for files that cannot be scanned are not blocked.

notification_settings?: Attributes

Configure the message the user’s device shows during an antivirus scan.

enabled?: Bool

Specify whether to enable notifications.

include_context?: Bool

Specify whether to include context information as query parameters.

msg?: String

Specify the message to show in the notification.

support_url?: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page?: Attributes

Specify block page layout settings.

background_color?: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled?: Bool

Specify whether to enable the custom block page.

header_text?: String

Specify the block page header text when the mode is customized_block_page.

include_context?: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path?: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address?: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject?: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode?: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name?: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri?: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning?: Attributes

Specify the DLP inspection mode.

inspection_mode?: String

Specify the inspection mode as either deep or shallow.

browser_isolation?: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled?: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled?: Bool

Specify whether to enable Clientless Browser Isolation.

certificate?: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called ‘active’). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate?: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id?: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time
extended_email_matching?: Attributes

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

enabled?: Bool

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

version: Int64

Indicate the version number of the setting.

fips?: Attributes

Specify FIPS settings.

tls?: Bool

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

host_selector?: Attributes

Enable host selection in egress policies.

enabled?: Bool

Specify whether to enable filtering via hosts for egress policies.

inspection?: Attributes

Define the proxy inspection mode.

mode?: String

Define the proxy inspection mode.
1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

max_ttl_secs?: Int64

Set the account-level DNS TTL cap, in seconds. Gateway rewrites DNS responses so returned record TTLs do not exceed this value. DNS locations can inherit, override, or disable this cap.

protocol_detection?: Attributes

Specify whether to detect protocols from the initial bytes of client traffic.

enabled?: Bool

Specify whether to detect protocols from the initial bytes of client traffic.

sandbox?: Attributes

Specify whether to enable the sandbox.

enabled?: Bool

Specify whether to enable the sandbox.

fallback_action?: String

Specify the action to take when the system cannot scan the file.

tls_decrypt?: Attributes

Specify whether to inspect encrypted HTTP traffic.

enabled?: Bool

Specify whether to inspect encrypted HTTP traffic.

computed Expand Collapse
id: String
created_at: Time
updated_at: Time

cloudflare_zero_trust_gateway_settings

# Account-wide Gateway settings. This sample sets every settable argument to
# show the shape of the object; the values are illustrative, not a recommended
# security baseline. Review the commented sections before reusing any of it.
resource "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
  account_id = "699d98642c564d2e855e9661899b7252" # sample identifier from the reference
  settings = {
    # Activity logging is on; these logs are what later review relies on.
    activity_log = {
      enabled = true
    }

    # As written, anti-virus scanning is off for downloads and uploads, and
    # fail_closed = false means requests for unscannable files are not blocked.
    # A deployment that depends on AV would enable the phases it needs and
    # decide deliberately whether unscannable files should be blocked.
    antivirus = {
      enabled_download_phase = false
      enabled_upload_phase   = false
      fail_closed            = false
      # include_context adds context information as query parameters; what it
      # contains is not stated on this page, so treat support_url as a
      # destination that will receive it. "msg"/"support_url" are placeholders.
      notification_settings = {
        enabled         = true
        include_context = true
        msg             = "msg"
        support_url     = "support_url"
      }
    }

    # Per the attribute descriptions, header/logo/mailto/name/background_color
    # apply when mode is customized_block_page, while target_uri and
    # include_context apply when mode is redirect_uri. The sample fills in both
    # sets with an empty mode. background_color is documented as #rrggbb; the
    # value below is a placeholder. With redirect_uri, include_context appends
    # context to target_uri, so target_uri should be an endpoint you control.
    # NOTE(review): footer_text and suppress_footer are not described in the
    # attribute list on this page — confirm against the provider schema.
    block_page = {
      background_color = "background_color"
      enabled          = true
      footer_text      = "--footer--"
      header_text      = "--header--"
      include_context  = true
      logo_path        = "https://logos.com/a.png"
      mailto_address   = "admin@example.com"
      mailto_subject   = "Blocked User Inquiry"
      mode             = ""
      name             = "Cloudflare"
      suppress_footer  = false
      target_uri       = "https://example.com"
    }

    # DLP body inspection mode; the page documents "deep" and "shallow".
    body_scanning = {
      inspection_mode = "deep"
    }

    browser_isolation = {
      non_identity_enabled          = true
      url_browser_isolation_enabled = true
    }

    # CA used for Gateway TLS interception. If unset, or set to a nil UUID, the
    # Cloudflare Root CA is used. The certificate must be available at the edge.
    certificate = {
      id = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }

    # Deprecated per the attribute list: use `certificate` instead. It is set
    # alongside `certificate` here only because the sample lists every argument.
    custom_certificate = {
      enabled = true
      id      = "d1b364c5-1311-466e-a194-f0e943e0799f"
    }

    # Matches email variants using "." or "+" modifiers in identity criteria.
    extended_email_matching = {
      enabled = true
    }

    # Enforces FIPS 140-2 compliant cipher suites and TLS versions.
    fips = {
      tls = true
    }

    host_selector = {
      enabled = false
    }

    # "static" inspects HTTP on TCP 80 and, with TLS decryption on, HTTPS on
    # TCP/UDP 443; "dynamic" uses protocol detection to inspect on any port.
    inspection = {
      mode = "static"
    }

    # Account-level cap, in seconds, on TTLs in DNS responses Gateway returns.
    max_ttl_secs = 3600

    protocol_detection = {
      enabled = true
    }

    # fallback_action is what happens when a file cannot be scanned; "allow"
    # here lets such files through rather than stopping them.
    sandbox = {
      enabled         = true
      fallback_action = "allow"
    }

    # Inspection of encrypted HTTP traffic; both inspection modes above need
    # this on to see HTTPS.
    tls_decrypt = {
      enabled = true
    }
  }
}

data cloudflare_zero_trust_gateway_settings

required Expand Collapse
account_id: String
computed Expand Collapse
id: String
created_at: Time
updated_at: Time
settings: Attributes

Specify account settings.

activity_log: Attributes

Specify activity log settings.

enabled: Bool

Specify whether to log activity.

antivirus: Attributes

Specify anti-virus settings.

enabled_download_phase: Bool

Specify whether to enable anti-virus scanning on downloads.

enabled_upload_phase: Bool

Specify whether to enable anti-virus scanning on uploads.

fail_closed: Bool

Specify whether to block requests for unscannable files.

notification_settings: Attributes

Configure the message the user’s device shows during an antivirus scan.

enabled: Bool

Specify whether to enable notifications.

include_context: Bool

Specify whether to include context information as query parameters.

msg: String

Specify the message to show in the notification.

support_url: String

Specify a URL that directs users to more information. If unset, the notification opens a block page.

block_page: Attributes

Specify block page layout settings.

background_color: String

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

enabled: Bool

Specify whether to enable the custom block page.

header_text: String

Specify the block page header text when the mode is customized_block_page.

include_context: Bool

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

logo_path: String

Specify the full URL to the logo file when the mode is customized_block_page.

mailto_address: String

Specify the admin email for users to contact when the mode is customized_block_page.

mailto_subject: String

Specify the subject line for emails created from the block page when the mode is customized_block_page.

mode: String

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

name: String

Specify the block page title when the mode is customized_block_page.

read_only: Bool

Indicate that this setting was shared via the Orgs API and is read-only for the current account.

source_account: String

Indicate the account tag of the account that shared this setting.

target_uri: String

Specify the URI to redirect users to when the mode is redirect_uri.

version: Int64

Indicate the version number of the setting.

body_scanning: Attributes

Specify the DLP inspection mode.

inspection_mode: String

Specify the inspection mode as either deep or shallow.

browser_isolation: Attributes

Specify Clientless Browser Isolation settings.

non_identity_enabled: Bool

Specify whether to enable non-identity onramp support for Browser Isolation.

url_browser_isolation_enabled: Bool

Specify whether to enable Clientless Browser Isolation.

certificate: Attributes

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

id: String

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called ‘active’). A nil UUID directs Cloudflare to use the Root CA.

custom_certificate: Attributes (Deprecated)

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

enabled: Bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

id: String

Specify the UUID of the certificate (ID from MTLS certificate store).

binding_status: String

Indicate the internal certificate status.

updated_at: Time