Provides a Cloudflare Teams rule resource. Teams rules comprise secure web gateway policies.

```hcl
resource "cloudflare_teams_rule" "example" {
  account_id  = "f037e56e89293a057740de681ac9abbe"
  name        = "office"
  description = "desc"
  precedence  = 1
  action      = "block"
  filters     = ["http"]
  traffic     = "http.request.uri == \"https://www.example.com/malicious\""
  rule_settings {
    block_page_enabled = true
    block_page_reason  = "access not permitted"
  }
}
```
- `account_id` (String) The account identifier to target for the resource.
- `action` (String) The action executed by a matched teams rule. Available values: `allow`, `block`, `safesearch`, `ytrestricted`, `on`, `off`, `scan`, `noscan`, `isolate`, `noisolate`, `override`, `l4_override`, `egress`, `audit_ssh`, `resolve`.
- `description` (String) The description of the teams rule.
- `name` (String) The name of the teams rule.
- `precedence` (Number) The evaluation precedence of the teams rule.
- `device_posture` (String) The wirefilter expression to be used for device_posture check matching.
- `enabled` (Boolean) Indicator of rule enablement.
- `filters` (List of String) The protocol or layer to evaluate the traffic and identity expressions.
- `identity` (String) The wirefilter expression to be used for identity matching.
- `rule_settings` (Block List, Max: 1) Additional rule settings. (see below for nested schema)
- `traffic` (String) The wirefilter expression to be used for traffic matching.
- `id` (String) The ID of this resource.
- `version` (Number)

Nested schema for `rule_settings`
Optional:

- `add_headers` (Map of String) Add custom headers to allowed requests in the form of key-value pairs.
- `allow_child_bypass` (Boolean) Allow parent MSP accounts to enable bypass of their children's rules.
- `audit_ssh` (Block List, Max: 1) Settings for auditing SSH usage. (see below for nested schema)
- `biso_admin_controls` (Block List, Max: 1) Configure how browser isolation behaves. (see below for nested schema)
- `block_page_enabled` (Boolean) Indicator of block page enablement.
- `block_page_reason` (String) The displayed reason for a user being blocked.
- `bypass_parent_rule` (Boolean) Allow child MSP accounts to bypass their parent's rule.
- `check_session` (Block List, Max: 1) Configure how session check behaves. (see below for nested schema)
- `dns_resolvers` (Block List, Max: 1) Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when `resolve_dns_through_cloudflare` is set. DNS queries will route to the address closest to their origin. (see below for nested schema)
- `egress` (Block List, Max: 1) Configure how Proxy traffic egresses. Can be set for rules with Egress action and Egress filter. Can be omitted to indicate local egress via Warp IPs. (see below for nested schema)
- `insecure_disable_dnssec_validation` (Boolean) Disable DNSSEC validation (must be Allow rule).
- `ip_categories` (Boolean) Turns on IP category based filter on dns if the rule contains dns category checks.
- `l4override` (Block List, Max: 1) Settings to forward layer 4 traffic. (see below for nested schema)
- `notification_settings` (Block List, Max: 1) Notification settings on a block rule. (see below for nested schema)
- `override_host` (String) The host to override matching DNS queries with.
- `override_ips` (List of String) The IPs to override matching DNS queries with.
- `payload_log` (Block List, Max: 1) Configure DLP Payload Logging settings for this rule. (see below for nested schema)
- `resolve_dns_through_cloudflare` (Boolean) Enable sending queries that match the resolver policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` are specified.
- `untrusted_cert` (Block List, Max: 1) Configure untrusted certificate settings for this rule. (see below for nested schema)

Nested schema for `rule_settings.audit_ssh`
Required:

- `command_logging` (Boolean) Log all SSH commands.

Nested schema for `rule_settings.biso_admin_controls`
Optional:

- `disable_copy_paste` (Boolean) Disable copy-paste.
- `disable_download` (Boolean) Disable download.
- `disable_keyboard` (Boolean) Disable keyboard usage.
- `disable_printing` (Boolean) Disable printing.
- `disable_upload` (Boolean) Disable upload.

Nested schema for `rule_settings.check_session`
Required:

- `duration` (String) Configure how fresh the session needs to be to be considered valid.
- `enforce` (Boolean) Enable session enforcement for this rule.

Nested schema for `rule_settings.dns_resolvers`
Optional:

- `ipv4` (Block List) IPv4 resolvers. (see below for nested schema)
- `ipv6` (Block List) IPv6 resolvers. (see below for nested schema)

Nested schema for `rule_settings.dns_resolvers.ipv4`
Required:

- `ip` (String) The IPv4 or IPv6 address of the upstream resolver.

Optional:

- `port` (Number) A port number to use for the upstream resolver. Defaults to `53`.
- `route_through_private_network` (Boolean) Whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
- `vnet_id` (String) Specify a virtual network for this resolver. Uses the default virtual network id if omitted.

Nested schema for `rule_settings.dns_resolvers.ipv6`
Required:

- `ip` (String) The IPv4 or IPv6 address of the upstream resolver.

Optional:

- `port` (Number) A port number to use for the upstream resolver. Defaults to `53`.
- `route_through_private_network` (Boolean) Whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
- `vnet_id` (String) Specify a virtual network for this resolver. Uses the default virtual network id if omitted.

Nested schema for `rule_settings.egress`
Required:

- `ipv4` (String) The IPv4 address to be used for egress.
- `ipv6` (String) The IPv6 range to be used for egress.

Optional:

- `ipv4_fallback` (String) The IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be `'0.0.0.0'` to indicate local egress via Warp IPs.

Nested schema for `rule_settings.l4override`
Required:

- `ip` (String) Override IP to forward traffic to.
- `port` (Number) Override port to forward traffic to.

Nested schema for `rule_settings.notification_settings`
Optional:

- `enabled` (Boolean) Enable notification settings.
- `message` (String) Notification content.
- `support_url` (String) Support URL to show in the notification.

Nested schema for `rule_settings.payload_log`
Required:

- `enabled` (Boolean) Enable or disable DLP Payload Logging for this rule.

Nested schema for `rule_settings.untrusted_cert`
Optional:

- `action` (String) Action to be taken when the SSL certificate of the upstream is invalid. Available values: `pass_through`, `block`, `error`.

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_teams_rule.example <account_id>/<teams_rule_id>
```
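The following is an added example, not taken from the provider documentation, showing two rules that exercise the `biso_admin_controls` and `dns_resolvers` nested blocks described above: an isolation rule that keeps data from leaving the isolated browser session, and a resolver rule that routes internal names to a private resolver over a virtual network. The `account_id`, `vnet_id`, resolver IP, the `dns` filter value and the wirefilter field names (`http.request.host`, `dns.fqdn`) are assumptions.

```hcl
# Added example; account_id, vnet_id, the resolver IP and the wirefilter
# field names are assumptions/placeholders, not values from the docs.

# Isolate an external webmail domain rather than block it outright, and
# disable the clipboard/file paths an isolated session could leak data through.
resource "cloudflare_teams_rule" "isolate_webmail" {
  account_id  = "<account_id>"
  name        = "isolate-external-webmail"
  description = "Remote browser isolation with clipboard and file controls"
  precedence  = 20
  enabled     = true
  action      = "isolate"
  filters     = ["http"]
  traffic     = "http.request.host == \"mail.example.net\"" # assumed field

  rule_settings {
    biso_admin_controls {
      disable_copy_paste = true
      disable_download   = true
      disable_upload     = true
      disable_printing   = true
    }
  }
}

# Resolve internal names through an on-prem resolver reached over a virtual
# network. resolve_dns_through_cloudflare must stay unset when dns_resolvers
# is used (the schema forbids combining them).
resource "cloudflare_teams_rule" "resolve_internal" {
  account_id  = "<account_id>"
  name        = "resolve-corp-internal"
  description = "Send corp.example queries to the private resolver"
  precedence  = 5
  enabled     = true
  action      = "resolve"
  filters     = ["dns"] # assumed filter value for DNS rules
  # HCL "\\." becomes the regex escape "\." in the wirefilter expression.
  traffic     = "dns.fqdn matches \".*\\.corp\\.example$\"" # assumed field

  rule_settings {
    dns_resolvers {
      ipv4 {
        ip                            = "10.10.0.53" # placeholder resolver
        port                          = 53
        route_through_private_network = true  # required when vnet_id is set
        vnet_id                       = "<vnet_id>"
      }
    }
  }
}
```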