Provides a Cloudflare Access Policy resource. Access Policies are used in conjunction with Access Applications to restrict access to a particular resource.
## Example Usage

```hcl
# Allowing access to `test@example.com` email address only.
resource "cloudflare_access_policy" "test_policy" {
  application_id = "cb029e245cfdd66dc8d2e570d5dd3322"
  zone_id        = "0da42c8d2132a9ddaf714f9e7c920711"
  name           = "staging policy"
  precedence     = 1
  decision       = "allow"

  # Who the policy applies to.
  include {
    email = ["test@example.com"]
  }

  # Conditions every matched user must also satisfy.
  require {
    email = ["test@example.com"]
  }
}
```

```hcl
# Allowing `test@example.com` to access, but only when coming from a
# specific IP (var.office_ip is expected to hold an IPv4 or IPv6 CIDR block).
resource "cloudflare_access_policy" "test_policy" {
  application_id = "cb029e245cfdd66dc8d2e570d5dd3322"
  zone_id        = "0da42c8d2132a9ddaf714f9e7c920711"
  name           = "staging policy"
  precedence     = 1
  decision       = "allow"

  include {
    email = ["test@example.com"]
  }

  require {
    ip = [var.office_ip]
  }
}
```
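A fuller configuration, added here as an illustration and not taken from the provider's own docs: it combines `include`, `require` and `exclude` in one allow rule with a session limit and a justification prompt, and pairs it with an explicit `deny` for service tokens at a lower precedence number. It assumes that policies with lower precedence numbers are evaluated first, that `var.office_ip` holds a CIDR block, and reuses the placeholder application and zone IDs from the examples above; the email domain and addresses are constructed.

```hcl
# Added example (not from the provider docs). Assumes lower precedence
# numbers are evaluated first and that var.office_ip holds a CIDR block.
# IDs are the placeholders used on this page; emails are constructed.

# 1. Explicit deny for machine clients. Matched before the allow below,
#    so a later, broader allow rule cannot admit service tokens by accident.
resource "cloudflare_access_policy" "staging_deny_tokens" {
  application_id = "cb029e245cfdd66dc8d2e570d5dd3322"
  zone_id        = "0da42c8d2132a9ddaf714f9e7c920711"
  name           = "staging deny service tokens"
  precedence     = 1
  decision       = "deny"

  include {
    any_valid_service_token = true
  }
}

# 2. Allow staff on the office network, minus a shared mailbox, with a
#    short session and a justification prompt.
resource "cloudflare_access_policy" "staging_allow_staff" {
  application_id = "cb029e245cfdd66dc8d2e570d5dd3322"
  zone_id        = "0da42c8d2132a9ddaf714f9e7c920711"
  name           = "staging allow staff from office"
  precedence     = 2
  decision       = "allow"

  # include: who is in scope (any listed condition matches).
  include {
    email_domain = ["example.com"]
  }

  # require: every matched user must also satisfy this.
  require {
    ip = [var.office_ip]
  }

  # exclude: carve-outs that apply even when include matches.
  exclude {
    email = ["shared-mailbox@example.com"]
  }

  session_duration               = "2h"
  purpose_justification_required = true
  purpose_justification_prompt   = "Why do you need staging access?"
}
```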
## Schema

Required:

- `application_id` (String) The ID of the application the policy is associated with.
- `decision` (String) Defines the action Access will take if the policy matches the user. Available values: `allow`, `deny`, `non_identity`, `bypass`.
- `include` (Block List, Min: 1) A series of access conditions, see Access Groups. (see below for nested schema)
- `name` (String) Friendly name of the Access Policy.
- `precedence` (Number) The unique precedence for policies on a single application.

Optional:

- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`.
- `approval_group` (Block List) (see below for nested schema)
- `approval_required` (Boolean)
- `exclude` (Block List) A series of access conditions, see Access Groups. (see below for nested schema)
- `isolation_required` (Boolean) Require this application to be served in an isolated browser for users matching this policy.
- `purpose_justification_prompt` (String) The prompt to display to the user for a justification for accessing the resource. Required when using `purpose_justification_required`.
- `purpose_justification_required` (Boolean) Whether to prompt the user for a justification for accessing the resource.
- `require` (Block List) A series of access conditions, see Access Groups. (see below for nested schema)
- `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`.
- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.

Read-Only:

- `id` (String) The ID of this resource.

### Nested Schema for `include`

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see below for nested schema)
- `auth_method` (String)
- `azure` (Block List) (see below for nested schema)
- `certificate` (Boolean)
- `common_name` (String)
- `common_names` (List of String) Overflow field if you need to have multiple `common_name` rules in a single policy. Use in place of the singular `common_name` field.
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see below for nested schema)
- `geo` (List of String)
- `github` (Block List) (see below for nested schema)
- `group` (List of String)
- `gsuite` (Block List) (see below for nested schema)
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see below for nested schema)
- `saml` (Block List) (see below for nested schema)
- `service_token` (List of String)

### Nested Schema for `include.auth_context`

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

### Nested Schema for `include.azure`

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

### Nested Schema for `include.external_evaluation`

Optional:

- `evaluate_url` (String)
- `keys_url` (String)

### Nested Schema for `include.github`

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)

### Nested Schema for `include.gsuite`

Optional:

- `email` (List of String)
- `identity_provider_id` (String)

### Nested Schema for `include.okta`

Optional:

- `identity_provider_id` (String)
- `name` (List of String)

### Nested Schema for `include.saml`

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

### Nested Schema for `approval_group`

Required:

- `approvals_needed` (Number) Number of approvals needed.

Optional:

- `email_addresses` (List of String) List of emails to request approval from.
- `email_list_uuid` (String)

### Nested Schema for `exclude`

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see below for nested schema)
- `auth_method` (String)
- `azure` (Block List) (see below for nested schema)
- `certificate` (Boolean)
- `common_name` (String)
- `common_names` (List of String) Overflow field if you need to have multiple `common_name` rules in a single policy. Use in place of the singular `common_name` field.
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see below for nested schema)
- `geo` (List of String)
- `github` (Block List) (see below for nested schema)
- `group` (List of String)
- `gsuite` (Block List) (see below for nested schema)
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see below for nested schema)
- `saml` (Block List) (see below for nested schema)
- `service_token` (List of String)

### Nested Schema for `exclude.auth_context`

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

### Nested Schema for `exclude.azure`

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

### Nested Schema for `exclude.external_evaluation`

Optional:

- `evaluate_url` (String)
- `keys_url` (String)

### Nested Schema for `exclude.github`

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)

### Nested Schema for `exclude.gsuite`

Optional:

- `email` (List of String)
- `identity_provider_id` (String)

### Nested Schema for `exclude.okta`

Optional:

- `identity_provider_id` (String)
- `name` (List of String)

### Nested Schema for `exclude.saml`

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

### Nested Schema for `require`

Optional:

- `any_valid_service_token` (Boolean)
- `auth_context` (Block List) (see below for nested schema)
- `auth_method` (String)
- `azure` (Block List) (see below for nested schema)
- `certificate` (Boolean)
- `common_name` (String)
- `common_names` (List of String) Overflow field if you need to have multiple `common_name` rules in a single policy. Use in place of the singular `common_name` field.
- `device_posture` (List of String)
- `email` (List of String)
- `email_domain` (List of String)
- `everyone` (Boolean)
- `external_evaluation` (Block List, Max: 1) (see below for nested schema)
- `geo` (List of String)
- `github` (Block List) (see below for nested schema)
- `group` (List of String)
- `gsuite` (Block List) (see below for nested schema)
- `ip` (List of String) An IPv4 or IPv6 CIDR block.
- `ip_list` (List of String) The ID of an existing IP list to reference.
- `login_method` (List of String)
- `okta` (Block List) (see below for nested schema)
- `saml` (Block List) (see below for nested schema)
- `service_token` (List of String)

### Nested Schema for `require.auth_context`

Required:

- `ac_id` (String) The ACID of the Authentication Context.
- `id` (String) The ID of the Authentication Context.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

### Nested Schema for `require.azure`

Optional:

- `id` (List of String) The ID of the Azure group or user.
- `identity_provider_id` (String) The ID of the Azure Identity provider.

### Nested Schema for `require.external_evaluation`

Optional:

- `evaluate_url` (String)
- `keys_url` (String)

### Nested Schema for `require.github`

Optional:

- `identity_provider_id` (String)
- `name` (String)
- `teams` (List of String)

### Nested Schema for `require.gsuite`

Optional:

- `email` (List of String)
- `identity_provider_id` (String)

### Nested Schema for `require.okta`

Optional:

- `identity_provider_id` (String)
- `name` (List of String)

### Nested Schema for `require.saml`

Optional:

- `attribute_name` (String)
- `attribute_value` (String)
- `identity_provider_id` (String)

## Import

Import is supported using the following syntax:
```shell
# Account level import.
$ terraform import cloudflare_access_policy.example account/<account_id>/<application_id>/<policy_id>

# Zone level import.
$ terraform import cloudflare_access_policy.example zone/<zone_id>/<application_id>/<policy_id>
```