Provides a Cloudflare IP Firewall Access Rule resource. Access control can be applied on the basis of IP addresses, IP ranges, AS numbers or countries.
```terraform
# Challenge requests coming from known Tor exit nodes.
resource "cloudflare_access_rule" "tor_exit_nodes" {
  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
  notes   = "Requests coming from known Tor exit nodes"
  mode    = "challenge"

  configuration {
    target = "country"
    value  = "T1"
  }
}

# Allowlist requests coming from Antarctica, but only for a single zone.
resource "cloudflare_access_rule" "antarctica" {
  zone_id = "0da42c8d2132a9ddaf714f9e7c920711"
  notes   = "Requests coming from Antarctica"
  mode    = "whitelist"

  configuration {
    target = "country"
    value  = "AQ"
  }
}

# Allowlist the office's network IP ranges on all account zones (or other
# lists of resources).
variable "my_office" {
  type    = list(string)
  default = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/56"]
}

resource "cloudflare_access_rule" "office_network" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  count      = length(var.my_office)
  notes      = "Requests coming from office network"
  mode       = "whitelist"

  configuration {
    target = "ip_range"
    value  = element(var.my_office, count.index)
  }
}
```
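An alternative to the `count`-based office allowlist, added here as an example and not taken from the provider's documentation: it keys each rule by its CIDR with `for_each`, so removing one range does not shift the indexes of the others and replace their rules (any change to `configuration` forces a new resource, which would briefly drop the allowlist entry). The `validation` rule and the `moved` blocks (Terraform 1.1 or later) are assumptions about how an existing `count`-based state would be hardened and migrated; this block replaces the `my_office` variable and `office_network` resource rather than sitting beside them.

```terraform
variable "my_office" {
  type    = list(string)
  default = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/56"]

  # Reject entries that do not parse as a CIDR range before they reach the
  # API, so a typo cannot end up as an unintended allowlist entry.
  validation {
    condition     = alltrue([for r in var.my_office : can(cidrhost(r, 0))])
    error_message = "Every entry in my_office must be a valid IPv4 or IPv6 CIDR range."
  }
}

resource "cloudflare_access_rule" "office_network" {
  # Key each rule by its CIDR instead of by its position in the list.
  for_each = toset(var.my_office)

  account_id = "f037e56e89293a057740de681ac9abbe"
  notes      = "Requests coming from office network"
  mode       = "whitelist"

  configuration {
    target = "ip_range"
    value  = each.value
  }
}

# Map the old count-indexed instances onto the new keys so the switch to
# for_each is a state move, not a destroy and recreate of live rules.
moved {
  from = cloudflare_access_rule.office_network[0]
  to   = cloudflare_access_rule.office_network["192.0.2.0/24"]
}

moved {
  from = cloudflare_access_rule.office_network[1]
  to   = cloudflare_access_rule.office_network["198.51.100.0/24"]
}

moved {
  from = cloudflare_access_rule.office_network[2]
  to   = cloudflare_access_rule.office_network["2001:db8::/56"]
}
```

After migrating, `terraform plan` should report no resources to add or destroy for the three existing ranges.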
- `configuration` (Block List, Min: 1, Max: 1) Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource. (see below for nested schema)
- `mode` (String) The action to apply to a matched request. Available values: `block`, `challenge`, `whitelist`, `js_challenge`, `managed_challenge`.
- `account_id` (String) The account identifier to target for the resource. Must provide only one of `account_id`, `zone_id`. Modifying this attribute will force creation of a new resource.
- `notes` (String) A personal note about the rule. Typically used as a reminder or explanation for the rule.
- `zone_id` (String) The zone identifier to target for the resource. Must provide only one of `account_id`, `zone_id`. Modifying this attribute will force creation of a new resource.
- `id` (String) The ID of this resource.

Nested schema for `configuration`

Required:

- `target` (String) The request property to target. Available values: `ip`, `ip6`, `ip_range`, `asn`, `country`. Modifying this attribute will force creation of a new resource.
- `value` (String) The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.

Import is supported using the following syntax:
```shell
# User level access rule import.
$ terraform import cloudflare_access_rule.default user/<user_id>/<rule_id>

# Zone level access rule import.
$ terraform import cloudflare_access_rule.default zone/<zone_id>/<rule_id>

# Account level access rule import.
$ terraform import cloudflare_access_rule.default account/<account_id>/<rule_id>
```