Provides a Cloudflare Access Application resource. Access Applications are used to restrict access to a whole application using an authorisation gateway managed by Cloudflare.
resource "cloudflare_access_application" "staging_app" {
  zone_id                   = "0da42c8d2132a9ddaf714f9e7c920711"
  name                      = "staging application"
  domain                    = "staging.example.com"
  type                      = "self_hosted"
  session_duration          = "24h"
  auto_redirect_to_identity = false
}
# With CORS configuration
resource "cloudflare_access_application" "staging_app" {
  zone_id          = "0da42c8d2132a9ddaf714f9e7c920711"
  name             = "staging application"
  domain           = "staging.example.com"
  type             = "self_hosted"
  session_duration = "24h"

  cors_headers {
    allowed_methods   = ["GET", "POST", "OPTIONS"]
    allowed_origins   = ["https://example.com"]
    allow_credentials = true
    max_age           = 10
  }
}
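As an added example that is not part of the provider documentation, the following Python policy check reads the JSON produced by `terraform show -json` for a plan and flags Access Application settings that weaken session or CORS posture: a session_duration above a ceiling, token cookies without the HttpOnly flag, same_site_cookie_attribute set to none, and cors_headers that allow credentials from all origins. The plan JSON shape, the 24-hour ceiling and the two sample resources are assumptions made for the example.

```python
import json
import re

MAX_SESSION_HOURS = 24  # assumed policy ceiling for session_duration
# Constructed sample in the shape of `terraform show -json tfplan`; not real data.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "cloudflare_access_application.staging_app",
     "type": "cloudflare_access_application",
     "values": {"session_duration": "72h", "http_only_cookie_attribute": False,
                "same_site_cookie_attribute": "none",
                "cors_headers": [{"allow_all_origins": True,
                                  "allow_credentials": True, "max_age": 10}]}},
    {"address": "cloudflare_access_application.ok_app",
     "type": "cloudflare_access_application",
     "values": {"session_duration": "2h45m", "http_only_cookie_attribute": True,
                "same_site_cookie_attribute": "lax",
                "cors_headers": [{"allowed_origins": ["https://example.com"],
                                  "allow_credentials": True}]}},
]}}})

def duration_hours(value):
    """Parse the provider's duration format (e.g. 48h, 2h45m) into hours."""
    m = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"bad session_duration: {value!r}")
    h, mi, s = (int(x or 0) for x in m.groups())
    return h + mi / 60 + s / 3600

def check_app(values):
    """Return the findings for one cloudflare_access_application's values."""
    findings = []
    # session_duration defaults to 24h when the attribute is omitted
    if duration_hours(values.get("session_duration") or "24h") > MAX_SESSION_HOURS:
        findings.append("session_duration exceeds policy ceiling")
    if not values.get("http_only_cookie_attribute"):
        findings.append("http_only_cookie_attribute not enabled on access token")
    if values.get("same_site_cookie_attribute") == "none":
        findings.append("same_site_cookie_attribute=none sends token cross-site")
    for cors in values.get("cors_headers") or []:
        # credentialed CORS from every origin lets any site call as the user
        if cors.get("allow_all_origins") and cors.get("allow_credentials"):
            findings.append("cors_headers allow credentials from all origins")
    return findings

def check_plan(plan_json):
    """Map each Access Application address in the plan to its findings."""
    resources = json.loads(plan_json)["planned_values"]["root_module"].get("resources", [])
    return {r["address"]: check_app(r["values"]) for r in resources
            if r["type"] == "cloudflare_access_application"}
```

Feed it the output of `terraform show -json tfplan` in place of SAMPLE_PLAN; an empty findings list means the resource passed every check.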
account_id
(String) The account identifier to target for the resource. Conflicts with zone_id.

allow_authenticate_via_warp
(Boolean) When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.

allowed_idps
(Set of String) The identity providers selected for the application.

app_launcher_logo_url
(String) The logo URL of the app launcher.

app_launcher_visible
(Boolean) Option to show/hide applications in App Launcher. Defaults to true.

auto_redirect_to_identity
(Boolean) Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.

bg_color
(String) The background color of the app launcher.

cors_headers
(Block List) CORS configuration for the Access Application (see below for nested schema).

custom_deny_message
(String) Option that returns a custom error message when a user is denied access to the application.

custom_deny_url
(String) Option that redirects to a custom URL when a user is denied access to the application via identity-based rules.

custom_non_identity_deny_url
(String) Option that redirects to a custom URL when a user is denied access to the application via non-identity rules.

custom_pages
(Set of String) The custom pages selected for the application.

domain
(String) The primary hostname and path that Access will secure. If the app is visible in the App Launcher dashboard, this is the domain that will be displayed.

enable_binding_cookie
(Boolean) Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.

footer_links
(Block Set) The footer links of the app launcher (see below for nested schema).

header_bg_color
(String) The background color of the header bar in the app launcher.

http_only_cookie_attribute
(Boolean) Option to add the HttpOnly cookie flag to access tokens.

landing_page_design
(Block List, Max: 1) The landing page design of the app launcher (see below for nested schema).

logo_url
(String) Image URL for the logo shown in the app launcher dashboard.

name
(String) Friendly name of the Access Application.

options_preflight_bypass
(Boolean) Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. Defaults to false.

saas_app
(Block List, Max: 1) SaaS configuration for the Access Application (see below for nested schema).

same_site_cookie_attribute
(String) Defines the SameSite cookie setting for access tokens. Available values: none, lax, strict.

self_hosted_domains
(Set of String) List of domains that Access will secure. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as domain.

service_auth_401_redirect
(Boolean) Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.

session_duration
(String) How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.

skip_interstitial
(Boolean) Option to skip the authorization interstitial when using the CLI. Defaults to false.

tags
(Set of String) The tags associated with the application.

type
(String) The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.

zone_id
(String) The zone identifier to target for the resource. Conflicts with account_id.

scim_config
(Block List, Max: 1) Configuration for provisioning to the Access Application via SCIM. This is currently in closed beta (see below for nested schema).

aud
(String) Application Audience (AUD) Tag of the application.

id
(String) The ID of this resource.

cors_headers
Optional:

allow_all_headers
(Boolean) Value to determine whether all HTTP headers are exposed.

allow_all_methods
(Boolean) Value to determine whether all methods are exposed.

allow_all_origins
(Boolean) Value to determine whether all origins are permitted to make CORS requests.

allow_credentials
(Boolean) Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.

allowed_headers
(Set of String) List of HTTP headers to expose via CORS.

allowed_methods
(Set of String) List of methods to expose via CORS.

allowed_origins
(Set of String) List of origins permitted to make CORS requests.

max_age
(Number) The maximum time a preflight request will be cached.

footer_links
Optional:

name
(String) The name of the footer link.

url
(String) The URL of the footer link.

landing_page_design
Optional:

button_color
(String) The button color of the landing page.

button_text_color
(String) The button text color of the landing page.

image_url
(String) The URL of the image to be displayed in the landing page.

message
(String) The message of the landing page.

title
(String) The title of the landing page.

saas_app
Optional:

app_launcher_url
(String) The URL where this application's tile redirects users.

auth_type
(String)

consumer_service_url
(String) The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.

custom_attribute
(Block List) Custom attribute mapped from IDPs (see below for nested schema).

default_relay_state
(String) The relay state used if not provided by the identity provider.

grant_types
(Set of String) The OIDC flows supported by this application.

group_filter_regex
(String) A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.

name_id_format
(String) The format of the name identifier sent to the SaaS application.

name_id_transform_jsonata
(String) A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.

redirect_uris
(Set of String) The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.

saml_attribute_transform_jsonata
(String) A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.

scopes
(Set of String) Define the user information shared with Access.

sp_entity_id
(String) A globally unique name for an identity or service provider.

Read-Only:

client_id
(String) The application client id.

client_secret
(String, Sensitive) The application client secret, only returned on initial apply.

idp_entity_id
(String) The unique identifier for the SaaS application.

public_key
(String) The public certificate that will be used to verify identities.

sso_endpoint
(String) The endpoint where the SaaS application will send login requests.

saas_app.custom_attribute
Required:

source
(Block List, Min: 1, Max: 1) (see below for nested schema)

Optional:

friendly_name
(String) A friendly name for the attribute as provided to the SaaS app.

name
(String) The name of the attribute as provided to the SaaS app.

name_format
(String) A globally unique name for an identity or service provider.

required
(Boolean) True if the attribute must always be present.

saas_app.custom_attribute.source
Required:

name
(String) The name of the attribute as provided by the IDP.

scim_config
Required:

idp_uid
(String) The ID of the Access IDP to be used as the source for SCIM resources to provision to this application.

remote_uri
(String) The base URI for the application's SCIM-compatible API.

Optional:

enabled
(Boolean) Whether SCIM provisioning is turned on for this application.

deactivate_on_delete
(Boolean) If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.

authentication
(Block List, Max: 1) Configuration for authenticating with the application's SCIM API. Allowed configurations are HTTP Basic, OAuth Bearer Token, and OAuth 2.

mappings
(Block List) A list of filters and transformations to apply to SCIM resources before provisioning them to the application (see below for nested schema).

scim_config.authentication using HTTP Basic authentication
Required:

scheme
(String) The authentication scheme to use. For HTTP Basic authentication, this value should be httpbasic.

user
(String) The username used to authenticate with the remote SCIM service.

password
(String) The password used to authenticate with the remote SCIM service.

scim_config.authentication using OAuth Bearer Token authentication
Required:

scheme
(String) The authentication scheme to use. For OAuth Bearer Token authentication, this value should be oauthbearertoken.

token
(String) The token used to authenticate with the remote SCIM service.

scim_config.authentication using OAuth 2 authentication
Required:

scheme
(String) The authentication scheme to use. For OAuth 2 authentication, this value should be oauth2.

client_id
(String) Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

client_secret
(String) Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

authorization_url
(String) URL used to generate the auth code used during token generation.

token_url
(String) URL used to generate the token used to authenticate with the remote SCIM service.

Optional:

scopes
(Set of String) The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

scim_config.mappings
Required:

schema
(String) Which SCIM resource type this mapping applies to.

Optional:

enabled
(Boolean) Whether this mapping is enabled.

filter
(String) A SCIM filter expression that matches resources that should be provisioned to this application.

transform_jsonata
(String) A JSONata expression that transforms the resource before provisioning it in the application.

operations
(Block List, Max: 1) Whether this mapping applies to creates, updates, or deletes (see below for nested schema).

scim_config.mappings.operations
Optional:

create
(Boolean) Whether the mapping applies to create (POST) operations.

update
(Boolean) Whether the mapping applies to update (PATCH/PUT) operations.

delete
(Boolean) Whether the mapping applies to DELETE operations.

Import is supported using the following syntax:
$ terraform import cloudflare_access_application.example <account_id>/<application_id>