Provides a Cloudflare Access Group resource. Access Groups are used in conjunction with Access Policies to restrict access to a particular resource based on group membership.
```hcl
# Allowing access to `test@example.com` email address only
resource "cloudflare_access_group" "example" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "staging group"

  include {
    email = ["test@example.com"]
  }
}
```

```hcl
# Allowing `test@example.com` to access but only when coming from a
# specific IP.
resource "cloudflare_access_group" "example" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "staging group"

  include {
    email = ["test@example.com"]
  }

  require {
    ip = [var.office_ip]
  }
}
```

```hcl
# Allow members of an Azure Group. The ID is the group UUID (id) in Azure.
resource "cloudflare_access_group" "example" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "test_group"

  include {
    azure {
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
      id                   = ["86773093-5feb-48dd-814b-7ccd3676ff50"]
    }
  }
}
```
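The three rule blocks used together and attached to the Access policy that the opening paragraph says a group is meant to be used with. This is an added example, not one from the provider documentation: the `cloudflare_access_policy` resource, the `variable` placeholders and the group/policy names are assumptions not on this page, while the `account_id` reuses the value from the examples above.

```hcl
# Cloudflare evaluates include rules with OR, require rules with AND and
# exclude rules as overriding denials, so this group matches a user only if:
#   include: their email is in example.com
#   require: the request comes from the office CIDR AND the device passes
#            the referenced device posture rule
#   exclude: they are not on the deny list
# The variables, application and policy below are assumptions (placeholders).
variable "office_cidr"            { type = string } # e.g. "203.0.113.0/24" (constructed)
variable "device_posture_rule_id" { type = string } # ID of an existing posture rule
variable "staging_application_id" { type = string } # ID of the Access application

resource "cloudflare_access_group" "staging_engineers" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "staging engineers"

  include {
    email_domain = ["example.com"]
  }

  # Each require block is a rule that must hold in addition to the include.
  require {
    ip = [var.office_cidr]
  }

  require {
    device_posture = [var.device_posture_rule_id]
  }

  # Exclude wins over include/require: a listed address is always denied.
  exclude {
    email = ["former-staff@example.com"]
  }
}

# A policy grants access to the group; the group alone protects nothing.
resource "cloudflare_access_policy" "staging_allow" {
  account_id     = "f037e56e89293a057740de681ac9abbe"
  application_id = var.staging_application_id
  name           = "allow staging engineers"
  precedence     = 1
  decision       = "allow"

  include {
    group = [cloudflare_access_group.staging_engineers.id]
  }
}
```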
Schema

Required:

- `include` (Block List, Min: 1) (see below for nested schema)
- `name` (String)

Optional:

- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`. Modifying this attribute will force creation of a new resource.
- `exclude` (Block List) (see below for nested schema)
- `require` (Block List) (see below for nested schema)
- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.

Read-Only:

- `id` (String) The ID of this resource.

Nested schema for `include`:

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see below for nested schema)
- `auth_method` (String)
- `azure` (Block List) (see below for nested schema)
- `certificate` (Boolean)
- `common_name` (String)
- `common_names` (List of String) Overflow field if you need to have multiple `common_name` rules in a single policy. Use in place of the singular `common_name` field.
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see below for nested schema)
- `geo` (List of String)
- `github` (Block List) (see below for nested schema)
- `group` (List of String)
- `gsuite` (Block List) (see below for nested schema)
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see below for nested schema)
- `saml` (Block List) (see below for nested schema)
- `service_token` (List of String)

Nested schema for `include.auth_context`:

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

Nested schema for `include.azure`:

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

Nested schema for `include.external_evaluation`:

Optional:

- `evaluate_url` (String)
- `keys_url` (String)

Nested schema for `include.github`:

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)

Nested schema for `include.gsuite`:

Optional:

- `email` (List of String)
- `identity_provider_id` (String)

Nested schema for `include.okta`:

Optional:

- `identity_provider_id` (String)
- `name` (List of String)

Nested schema for `include.saml`:

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

Nested schema for `exclude`:

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see below for nested schema)
- `auth_method` (String)
- `azure` (Block List) (see below for nested schema)
- `certificate` (Boolean)
- `common_name` (String)
- `common_names` (List of String) Overflow field if you need to have multiple `common_name` rules in a single policy. Use in place of the singular `common_name` field.
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see below for nested schema)
- `geo` (List of String)
- `github` (Block List) (see below for nested schema)
- `group` (List of String)
- `gsuite` (Block List) (see below for nested schema)
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see below for nested schema)
- `saml` (Block List) (see below for nested schema)
- `service_token` (List of String)

Nested schema for `exclude.auth_context`:

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

Nested schema for `exclude.azure`:

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

Nested schema for `exclude.external_evaluation`:

Optional:

- `evaluate_url` (String)
- `keys_url` (String)

Nested schema for `exclude.github`:

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)

Nested schema for `exclude.gsuite`:

Optional:

- `email` (List of String)
- `identity_provider_id` (String)

Nested schema for `exclude.okta`:

Optional:

- `identity_provider_id` (String)
- `name` (List of String)

Nested schema for `exclude.saml`:

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

Nested schema for `require`:

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see below for nested schema)
- `auth_method` (String)
- `azure` (Block List) (see below for nested schema)
- `certificate` (Boolean)
- `common_name` (String)
- `common_names` (List of String) Overflow field if you need to have multiple `common_name` rules in a single policy. Use in place of the singular `common_name` field.
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see below for nested schema)
- `geo` (List of String)
- `github` (Block List) (see below for nested schema)
- `group` (List of String)
- `gsuite` (Block List) (see below for nested schema)
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see below for nested schema)
- `saml` (Block List) (see below for nested schema)
- `service_token` (List of String)

Nested schema for `require.auth_context`:

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

Nested schema for `require.azure`:

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

Nested schema for `require.external_evaluation`:

Optional:

- `evaluate_url` (String)
- `keys_url` (String)

Nested schema for `require.github`:

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)

Nested schema for `require.gsuite`:

Optional:

- `email` (List of String)
- `identity_provider_id` (String)

Nested schema for `require.okta`:

Optional:

- `identity_provider_id` (String)
- `name` (List of String)

Nested schema for `require.saml`:

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_access_group.example <account_id>/<group_id>
```