Provides a Cloudflare rate limit resource for a given zone. This can be used to limit the traffic you receive zone-wide, or only the traffic matching more specific types of requests/responses.
resource "cloudflare_rate_limit" "example" {
  zone_id   = "0da42c8d2132a9ddaf714f9e7c920711"
  threshold = 2000 # matched requests allowed within the period
  period    = 2    # counting window, in seconds

  match {
    request {
      url_pattern = "${var.cloudflare_zone}/*"
      schemes     = ["HTTP", "HTTPS"]
      methods     = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"]
    }
    response {
      statuses       = [200, 201, 202, 301, 429]
      origin_traffic = false
      headers = [
        {
          name  = "Host"
          op    = "eq"
          value = "localhost"
        },
        {
          name  = "X-Example"
          op    = "ne"
          value = "my-example"
        }
      ]
    }
  }

  action {
    mode    = "simulate"
    timeout = 43200 # seconds; must be the same or greater than period
    response {
      content_type = "text/plain"
      body         = "custom response body"
    }
  }

  correlate {
    by = "nat" # enable NAT support instead of plain per-client-IP counting
  }

  disabled            = false
  description         = "example rate limit for a zone"
  bypass_url_patterns = ["example.com/bypass1", "example.com/bypass2"]
}
action
(Block List, Min: 1, Max: 1) The action to be performed when the threshold of matched traffic within the period defined is exceeded. (see below for nested schema)

period
(Number) The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed.

threshold
(Number) The threshold that triggers the rate limit mitigations, combine with period.

zone_id
(String) The zone identifier to target for the resource. Modifying this attribute will force creation of a new resource.

bypass_url_patterns
(Set of String)

correlate
(Block List, Max: 1) Determines how rate limiting is applied. By default, if not specified, rate limiting applies to the client's IP address. (see below for nested schema)

description
(String) A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

disabled
(Boolean) Whether this rate limit is currently disabled. Defaults to false.

match
(Block List, Max: 1) Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. (see below for nested schema)

id
(String) The ID of this resource.

action
Required:

mode
(String) The type of action to perform. Available values: simulate, ban, challenge, js_challenge, managed_challenge.

Optional:

response
(Block List, Max: 1) Custom content-type and body to return; this overrides the custom error for the zone. This field is not required. Omission will result in the default HTML error page. (see below for nested schema)

timeout
(Number) The time in seconds as an integer to perform the mitigation action. This field is required if the mode is either simulate or ban. Must be the same or greater than the period.

action.response
Required:

body
(String) The body to return, the content here should conform to the content_type.

content_type
(String) The content-type of the body. Available values: text/plain, text/xml, application/json.

correlate
Optional:

by
(String) If set to 'nat', NAT support will be enabled for rate limiting. Available values: nat.

match
Optional:

request
(Block List, Max: 1) Matches HTTP requests (from the client to Cloudflare). (see below for nested schema)

response
(Block List, Max: 1) Matches HTTP responses before they are returned to the client from Cloudflare. If this is defined, then the entire counting of traffic occurs at this stage. (see below for nested schema)

match.request
Optional:

methods
(Set of String) HTTP Methods to match traffic on. Available values: GET, POST, PUT, DELETE, PATCH, HEAD, _ALL_.

schemes
(Set of String) HTTP schemes to match traffic on. Available values: HTTP, HTTPS, _ALL_.

url_pattern
(String) The URL pattern to match, comprised of the host and path, i.e. example.org/path. Wildcards are expanded to match applicable traffic; query strings are not matched. Use _ for all traffic to your zone.

match.response
Optional:

headers
(List of Map of String) List of HTTP header maps to match the origin response on.

origin_traffic
(Boolean) Only count traffic that has come from your origin servers. If true, cached items that Cloudflare serves will not count towards rate limiting.

statuses
(Set of Number) HTTP status codes to match. Can be one or many; omit this value to match all.

Import is supported using the following syntax:

$ terraform import cloudflare_rate_limit.example <zone_id>/<rate_limit_id>
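
The schema above can be combined into a rule that counts only rejected logins at the response stage and enforces the "timeout must be the same or greater than the period" rule at plan time. This is an added example, not part of the provider documentation. The variable names, the /login path, the 401/403 status codes, the numeric limits and the use of a lifecycle precondition (Terraform 1.2 or later) are assumptions.

```hcl
# Assumed inputs (hypothetical names): the zone id and the host serving /login.
variable "zone_id" { type = string }
variable "login_host" { type = string }

# Roll out in "simulate" first, then set to "ban".
variable "mode" {
  type    = string
  default = "simulate"
  validation {
    condition     = contains(["simulate", "ban"], var.mode)
    error_message = "Mode must be simulate or ban for this rule."
  }
}

locals {
  window_seconds = 60  # used as period
  ban_seconds    = 600 # used as timeout
}

resource "cloudflare_rate_limit" "login_failures" {
  zone_id     = var.zone_id
  description = "limit failed logins per client IP"
  threshold   = 5
  period      = local.window_seconds

  match {
    request {
      url_pattern = "${var.login_host}/login"
      schemes     = ["_ALL_"] # count plain HTTP too, so it is not a way around the rule
      methods     = ["POST"]
    }
    response {
      # With a response block, counting happens at the response stage:
      # only logins the origin rejected count towards the threshold.
      statuses       = [401, 403]
      origin_traffic = true
    }
  }

  action {
    mode    = var.mode
    timeout = local.ban_seconds # required when mode is simulate or ban
  }

  lifecycle {
    precondition {
      condition     = local.ban_seconds >= local.window_seconds
      error_message = "The timeout must be the same or greater than the period."
    }
  }
}
```

No correlate block is set, so counting applies per client IP address, which is the default described above.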