Provides a Cloudflare DLP Profile resource. Data Loss Prevention profiles are a set of entries that can be matched in HTTP bodies or files. They are referenced in Zero Trust Gateway rules.
# Predefined profile must be imported, cannot be created
resource "cloudflare_dlp_profile" "creds" {
  account_id          = "f037e56e89293a057740de681ac9abbe"
  name                = "Credentials and Secrets"
  type                = "predefined"
  allowed_match_count = 3

  entry {
    enabled = true
    name    = "Amazon AWS Access Key ID"
    id      = "d8fcfc9c-773c-405e-8426-21ecbb67ba93"
  }

  entry {
    enabled = false
    id      = "2c0e33e1-71da-40c8-aad3-32e674ad3d96"
    name    = "Amazon AWS Secret Access Key"
  }

  entry {
    enabled = true
    id      = "4e92c006-3802-4dff-bbe1-8e1513b1c92a"
    name    = "Microsoft Azure Client Secret"
  }

  entry {
    enabled = false
    id      = "5c713294-2375-4904-abcf-e4a15be4d592"
    name    = "SSH Private Key"
  }

  entry {
    enabled = true
    id      = "6c6579e4-d832-42d5-905c-8e53340930f2"
    name    = "Google GCP API Key"
  }
}

# Custom profile
resource "cloudflare_dlp_profile" "example_custom" {
  account_id          = "f037e56e89293a057740de681ac9abbe"
  name                = "Example Custom Profile"
  description         = "A profile with example entries"
  type                = "custom"
  allowed_match_count = 0

  # Backslashes are doubled because HCL string literals treat "\" as an escape.
  entry {
    name    = "Matches visa credit cards"
    enabled = true
    pattern {
      regex      = "4\\d{3}([-\\. ])?\\d{4}([-\\. ])?\\d{4}([-\\. ])?\\d{4}"
      validation = "luhn"
    }
  }

  # Diners Club numbers are 14 digits starting with 300-305, 36 or 38,
  # so the pattern needs the leading 3.
  entry {
    name    = "Matches diners club card"
    enabled = true
    pattern {
      regex      = "3(?:0[0-5]|[68][0-9])[0-9]{11}"
      validation = "luhn"
    }
  }
}
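
An offline check of the Visa entry from the custom profile above, added here as an example and not part of the provider documentation. It assumes Python's re module and a standard Luhn checksum over the digits of each match stand in for Cloudflare's matcher; the helper names and the sample body are constructed for illustration.

```python
import re

# Visa regex from the custom profile, with HCL's "\\" unescaped to "\".
VISA = re.compile(r"4\d{3}([-\. ])?\d{4}([-\. ])?\d{4}([-\. ])?\d{4}")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a match; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return bool(digits) and total % 10 == 0


def count_matches(body: str, pattern: re.Pattern, validate: bool = True) -> int:
    """Count regex hits, optionally keeping only those that pass Luhn."""
    hits = [m.group(0) for m in pattern.finditer(body)]
    return sum(1 for h in hits if not validate or luhn_ok(h))


def profile_triggers(match_count: int, allowed_match_count: int) -> bool:
    """Per the schema text: trigger when the count exceeds the number set."""
    return match_count > allowed_match_count


# Constructed sample HTTP body (not real data).
SAMPLE_BODY = (
    "order 4111 1111 1111 1111 shipped\n"  # public Visa test number, valid Luhn
    "ref 4111-1111-1111-1112\n"            # card-shaped, checksum fails
    "card 4012888888881881 on file\n"      # public Visa test number, valid Luhn
    "ticket id 4000123412341235\n"         # card-shaped, checksum fails
)

if __name__ == "__main__":
    regex_only = count_matches(SAMPLE_BODY, VISA, validate=False)
    validated = count_matches(SAMPLE_BODY, VISA)
    print(f"regex only: {regex_only}, with luhn: {validated}")
    for allowed in (0, 3):
        print(f"allowed_match_count={allowed}: "
              f"triggers={profile_triggers(validated, allowed)}")
```

Running a pattern against known-good and known-bad samples like this before applying the profile shows how much of the regex's hit count the `validation = "luhn"` setting removes, and whether the chosen `allowed_match_count` would still let a rule fire.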

account_id
(String) The account identifier to target for the resource. Modifying this attribute will force creation of a new resource.

allowed_match_count
(Number) Related DLP policies will trigger when the match count exceeds the number set.

entry
(Block Set, Min: 1) List of entries to apply to the profile. (see below for nested schema)

name
(String) Name of the profile. Modifying this attribute will force creation of a new resource.

type
(String) The type of the profile. Available values: custom, predefined. Modifying this attribute will force creation of a new resource.

context_awareness
(Block List, Max: 1) Scan the context of predefined entries to only return matches surrounded by keywords. (see below for nested schema)

description
(String) Brief summary of the profile and its intended use.

ocr_enabled
(Boolean) If true, scan images via OCR to determine if any text present matches filters.

id
(String) The ID of this resource.

Nested schema for entry

Required:

name
(String) Name of the entry to deploy.

Optional:

enabled
(Boolean) Whether the entry is active. Defaults to false.

id
(String) Unique entry identifier.

pattern
(Block List, Max: 1) (see below for nested schema)

Nested schema for entry.pattern

Required:

regex
(String) The regex that defines the pattern.

Optional:

validation
(String) The validation algorithm to apply with this pattern.

Nested schema for context_awareness

Required:

enabled
(Boolean) Scan the context of predefined entries to only return matches surrounded by keywords.

skip
(Block List, Min: 1, Max: 1) Content types to exclude from context analysis and return all matches. (see below for nested schema)

Nested schema for context_awareness.skip

Required:

files
(Boolean) Return all matches, regardless of context analysis result, if the data is a file.

Import is supported using the following syntax:
$ terraform import cloudflare_dlp_profile.example <account_id>/<dlp_profile_id>