Provides a Cloudflare Tunnel configuration resource.
## Example Usage

```hcl
resource "cloudflare_tunnel" "example_tunnel" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "example_tunnel"
  secret     = "<32 character secret>"
}

resource "cloudflare_tunnel_config" "example_config" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  tunnel_id  = cloudflare_tunnel.example_tunnel.id

  config {
    warp_routing {
      enabled = true
    }

    # Tunnel-wide origin settings; an ingress_rule may override them.
    origin_request {
      connect_timeout          = "1m0s"
      tls_timeout              = "1m0s"
      tcp_keep_alive           = "1m0s"
      no_happy_eyeballs        = false
      keep_alive_connections   = 1024
      keep_alive_timeout       = "1m0s"
      http_host_header         = "baz"
      origin_server_name       = "foobar"
      ca_pool                  = "/path/to/unsigned/ca/pool"
      no_tls_verify            = false
      disable_chunked_encoding = false
      bastion_mode             = false
      proxy_address            = "10.0.0.1"
      proxy_port               = 8123 # schema type is Number
      proxy_type               = "socks"
      ip_rules {
        prefix = "/web"
        ports  = [80, 443]
        allow  = false
      }
    }

    ingress_rule {
      hostname = "foo"
      path     = "/bar"
      service  = "http://10.0.0.2:8080"
      origin_request {
        connect_timeout = "2m0s"
        access {
          required  = true
          team_name = "terraform"
          aud_tag   = ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"]
        }
      }
    }

    # Catch-all rule: the last ingress_rule carries no hostname or path.
    ingress_rule {
      service = "https://10.0.0.3:8081"
    }
  }
}
```
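As an added example, not part of the provider documentation, the following places a hardened `cloudflare_tunnel_config` next to the weak `no_tls_verify = true` setting it replaces, using only attributes from the schema below; the account id, hostnames, CA path, team name and AUD tag are placeholders.

```hcl
# Added example (not from the provider docs): a hardened tunnel config next to the
# weak setting it replaces. account_id, names, paths and the AUD tag are placeholders.
variable "account_id" { type = string }
variable "access_aud_tag" { type = string } # Application Audience tag of the Access app
variable "tunnel_secret" {
  type      = string
  sensitive = true # keeps the base64 secret out of the .tf file (it is still stored in state)
}
resource "cloudflare_tunnel" "app" {
  account_id = var.account_id
  name       = "app-tunnel"
  secret     = var.tunnel_secret
}

# Weak (shown commented out): no_tls_verify = true accepts any certificate the origin
# presents, so whatever answers on 10.0.0.2:8443 is trusted blindly, and no Access
# policy gates the public hostname.
#   origin_request { no_tls_verify = true }
#   ingress_rule   { hostname = "app.example.com"  service = "https://10.0.0.2:8443" }

resource "cloudflare_tunnel_config" "hardened" {
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.app.id
  config {
    # Tunnel-wide: verify the origin certificate against an explicit CA and pin the
    # name it must carry, so a swapped origin cannot present an arbitrary certificate.
    origin_request {
      no_tls_verify      = false
      ca_pool            = "/etc/cloudflared/origin-ca.pem" # placeholder path
      origin_server_name = "app.internal.example"           # placeholder name
    }
    # Per-hostname: require a valid Access token for this application's AUD before
    # cloudflared forwards the request to the origin.
    ingress_rule {
      hostname = "app.example.com"
      service  = "https://10.0.0.2:8443"
      origin_request {
        access {
          required  = true
          team_name = "example-team"
          aud_tag   = [var.access_aud_tag]
        }
      }
    }
    # The last ingress_rule must be a catch-all (no hostname or path); answer 404 for
    # anything no rule matched instead of forwarding it.
    ingress_rule {
      service = "http_status:404"
    }
  }
}
```

Run `terraform validate` against this file to confirm the block structure before applying; the weak variant is left commented out because two `cloudflare_tunnel_config` resources must not target the same tunnel.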
## Schema

### Required

- `account_id` (String) The account identifier to target for the resource.
- `config` (Block List, Min: 1, Max: 1) Configuration block for Tunnel Configuration. (see below for nested schema)
- `tunnel_id` (String) Identifier of the Tunnel to target for this configuration.

### Read-Only

- `id` (String) The ID of this resource.

### Nested Schema for `config`
Required:

- `ingress_rule` (Block List, Min: 1) Each incoming request received by cloudflared causes cloudflared to send a request to a local service. This section configures the rules that determine which requests are sent to which local services. (see below for nested schema)

Optional:

- `origin_request` (Block List, Max: 1) (see below for nested schema)
- `warp_routing` (Block List, Max: 1) If you're exposing a private network, you need to add the `warp-routing` key and set it to `true`. (see below for nested schema)

### Nested Schema for `config.ingress_rule`
Required:

- `service` (String) Name of the service to which the request will be sent.

Optional:

- `hostname` (String) Hostname to match the incoming request with. If the hostname matches, the request will be sent to the service.
- `origin_request` (Block List, Max: 1) (see below for nested schema)
- `path` (String) Path of the incoming request. If the path matches, the request will be sent to the local service.

### Nested Schema for `config.ingress_rule.origin_request`
Optional:

- `access` (Block List, Max: 1) Access rules for the ingress service. (see below for nested schema)
- `bastion_mode` (Boolean) Runs as jump host.
- `ca_pool` (String) Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. Defaults to `""`.
- `connect_timeout` (String) Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`. Defaults to `30s`.
- `disable_chunked_encoding` (Boolean) Disables chunked transfer encoding. Useful if you are running a Web Server Gateway Interface (WSGI) server. Defaults to `false`.
- `http2_origin` (Boolean) Enables HTTP/2 support for the origin connection. Defaults to `false`.
- `http_host_header` (String) Sets the HTTP Host header on requests sent to the local service. Defaults to `""`.
- `ip_rules` (Block Set) IP rules for the proxy service. (see below for nested schema)
- `keep_alive_connections` (Number) Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. Defaults to `100`.
- `keep_alive_timeout` (String) Timeout after which an idle keepalive connection can be discarded. Defaults to `1m30s`.
- `no_happy_eyeballs` (Boolean) Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. Defaults to `false`.
- `no_tls_verify` (Boolean) Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Defaults to `false`.
- `origin_server_name` (String) Hostname that cloudflared should expect from your origin server certificate. Defaults to `""`.
- `proxy_address` (String) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy. Defaults to `127.0.0.1`.
- `proxy_port` (Number) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. Defaults to `0`.
- `proxy_type` (String) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Available values: `""`, `socks`. Defaults to `""`.
- `tcp_keep_alive` (String) The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. Defaults to `30s`.
- `tls_timeout` (String) Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. Defaults to `10s`.

### Nested Schema for `config.ingress_rule.origin_request.access`
Optional:

- `aud_tag` (Set of String) Audience tags of the access rule.
- `required` (Boolean) Whether the access rule is required.
- `team_name` (String) Name of the team to which the access rule applies.

### Nested Schema for `config.ingress_rule.origin_request.ip_rules`
Optional:

- `allow` (Boolean) Whether to allow the IP prefix.
- `ports` (List of Number) Ports to use within the IP rule.
- `prefix` (String) IP rule prefix.

### Nested Schema for `config.origin_request`
Optional:

- `access` (Block List, Max: 1) Access rules for the ingress service. (see below for nested schema)
- `bastion_mode` (Boolean) Runs as jump host.
- `ca_pool` (String) Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. Defaults to `""`.
- `connect_timeout` (String) Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`. Defaults to `30s`.
- `disable_chunked_encoding` (Boolean) Disables chunked transfer encoding. Useful if you are running a Web Server Gateway Interface (WSGI) server. Defaults to `false`.
- `http2_origin` (Boolean) Enables HTTP/2 support for the origin connection. Defaults to `false`.
- `http_host_header` (String) Sets the HTTP Host header on requests sent to the local service. Defaults to `""`.
- `ip_rules` (Block Set) IP rules for the proxy service. (see below for nested schema)
- `keep_alive_connections` (Number) Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. Defaults to `100`.
- `keep_alive_timeout` (String) Timeout after which an idle keepalive connection can be discarded. Defaults to `1m30s`.
- `no_happy_eyeballs` (Boolean) Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. Defaults to `false`.
- `no_tls_verify` (Boolean) Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Defaults to `false`.
- `origin_server_name` (String) Hostname that cloudflared should expect from your origin server certificate. Defaults to `""`.
- `proxy_address` (String) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy. Defaults to `127.0.0.1`.
- `proxy_port` (Number) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen. Defaults to `0`.
- `proxy_type` (String) cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Available values: `""`, `socks`. Defaults to `""`.
- `tcp_keep_alive` (String) The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. Defaults to `30s`.
- `tls_timeout` (String) Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. Defaults to `10s`.

### Nested Schema for `config.origin_request.access`
Optional:

- `aud_tag` (Set of String) Audience tags of the access rule.
- `required` (Boolean) Whether the access rule is required.
- `team_name` (String) Name of the team to which the access rule applies.

### Nested Schema for `config.origin_request.ip_rules`
Optional:

- `allow` (Boolean) Whether to allow the IP prefix.
- `ports` (List of Number) Ports to use within the IP rule.
- `prefix` (String) IP rule prefix.

### Nested Schema for `config.warp_routing`
Optional:

- `enabled` (Boolean) Whether WARP routing is enabled.

## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_tunnel_config.example <account_id>/<tunnel_id>
```