AccessApplication

Provides a Cloudflare Access Application resource. Access Applications are used to restrict access to a whole application using an authorisation gateway managed by Cloudflare.

Example Usage

using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

class MyStack : Stack
{
    public MyStack()
    {
        // With CORS configuration
        var stagingApp = new Cloudflare.AccessApplication("stagingApp", new Cloudflare.AccessApplicationArgs
        {
            CorsHeaders = 
            {
                new Cloudflare.Inputs.AccessApplicationCorsHeaderArgs
                {
                    AllowCredentials = true,
                    AllowedMethods = 
                    {
                        "GET",
                        "POST",
                        "OPTIONS",
                    },
                    AllowedOrigins = 
                    {
                        "https://example.com",
                    },
                    MaxAge = 10,
                },
            },
            Domain = "staging.example.com",
            Name = "staging application",
            SessionDuration = "24h",
            ZoneId = "1d5fdc9e88c8a8c4518b068cd94331fe",
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-cloudflare/sdk/v2/go/cloudflare"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := cloudflare.NewAccessApplication(ctx, "stagingApp", &cloudflare.AccessApplicationArgs{
            CorsHeaders: cloudflare.AccessApplicationCorsHeaderArray{
                &cloudflare.AccessApplicationCorsHeaderArgs{
                    AllowCredentials: pulumi.Bool(true),
                    AllowedMethods: pulumi.StringArray{
                        pulumi.String("GET"),
                        pulumi.String("POST"),
                        pulumi.String("OPTIONS"),
                    },
                    AllowedOrigins: pulumi.StringArray{
                        pulumi.String("https://example.com"),
                    },
                    MaxAge: pulumi.Int(10),
                },
            },
            Domain:          pulumi.String("staging.example.com"),
            Name:            pulumi.String("staging application"),
            SessionDuration: pulumi.String("24h"),
            ZoneId:          pulumi.String("1d5fdc9e88c8a8c4518b068cd94331fe"),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_cloudflare as cloudflare

# With CORS configuration
staging_app = cloudflare.AccessApplication("stagingApp",
    cors_headers=[cloudflare.AccessApplicationCorsHeaderArgs(
        allow_credentials=True,
        allowed_methods=[
            "GET",
            "POST",
            "OPTIONS",
        ],
        allowed_origins=["https://example.com"],
        max_age=10,
    )],
    domain="staging.example.com",
    name="staging application",
    session_duration="24h",
    zone_id="1d5fdc9e88c8a8c4518b068cd94331fe")

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

// With CORS configuration
const stagingApp = new cloudflare.AccessApplication("staging_app", {
    corsHeaders: [{
        allowCredentials: true,
        allowedMethods: [
            "GET",
            "POST",
            "OPTIONS",
        ],
        allowedOrigins: ["https://example.com"],
        maxAge: 10,
    }],
    domain: "staging.example.com",
    name: "staging application",
    sessionDuration: "24h",
    zoneId: "1d5fdc9e88c8a8c4518b068cd94331fe",
});

Create a AccessApplication Resource

new AccessApplication(name: string, args: AccessApplicationArgs, opts?: CustomResourceOptions);

def AccessApplication(resource_name: str, opts: Optional[ResourceOptions] = None, account_id: Optional[str] = None, allowed_idps: Optional[Sequence[str]] = None, auto_redirect_to_identity: Optional[bool] = None, cors_headers: Optional[Sequence[AccessApplicationCorsHeaderArgs]] = None, custom_deny_message: Optional[str] = None, custom_deny_url: Optional[str] = None, domain: Optional[str] = None, enable_binding_cookie: Optional[bool] = None, name: Optional[str] = None, session_duration: Optional[str] = None, zone_id: Optional[str] = None)

func NewAccessApplication(ctx *Context, name string, args AccessApplicationArgs, opts ...ResourceOption) (*AccessApplication, error)

public AccessApplication(string name, AccessApplicationArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

AccessApplication Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The AccessApplication resource accepts the following input properties:

Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
Name string: Friendly name of the Access Application.
AccountId string: The account to which the access application should be added. Conflicts with zone_id.
AllowedIdps List<string>: The identity providers selected for the application.
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
CorsHeaders List<AccessApplicationCorsHeaderArgs>: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
ZoneId string: The DNS zone to which the access application should be added. Conflicts with account_id.

Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
Name string: Friendly name of the Access Application.
AccountId string: The account to which the access application should be added. Conflicts with zone_id.
AllowedIdps []string: The identity providers selected for the application.
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
CorsHeaders []AccessApplicationCorsHeader: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
ZoneId string: The DNS zone to which the access application should be added. Conflicts with account_id.

domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
name string: Friendly name of the Access Application.
accountId string: The account to which the access application should be added. Conflicts with zone_id.
allowedIdps string[]: The identity providers selected for the application.
autoRedirectToIdentity boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
corsHeaders AccessApplicationCorsHeader[]: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
enableBindingCookie boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
sessionDuration string: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
zoneId string: The DNS zone to which the access application should be added. Conflicts with account_id.

domain str: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
name str: Friendly name of the Access Application.
account_id str: The account to which the access application should be added. Conflicts with zone_id.
allowed_idps Sequence[str]: The identity providers selected for the application.
auto_redirect_to_identity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
cors_headers Sequence[AccessApplicationCorsHeaderArgs]: CORS configuration for the Access Application. See below for reference structure.
custom_deny_message str: Option that returns a custom error message when a user is denied access to the application.
custom_deny_url str: Option that redirects to a custom URL when a user is denied access to the application.
enable_binding_cookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
session_duration str: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
zone_id str: The DNS zone to which the access application should be added. Conflicts with account_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessApplication resource produces the following output properties:

Aud string: Application Audience (AUD) Tag of the application
Id string: The provider-assigned unique ID for this managed resource.

Aud string: Application Audience (AUD) Tag of the application
Id string: The provider-assigned unique ID for this managed resource.

aud string: Application Audience (AUD) Tag of the application
id string: The provider-assigned unique ID for this managed resource.

aud str: Application Audience (AUD) Tag of the application
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing AccessApplication Resource

Get an existing AccessApplication resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessApplicationState, opts?: CustomResourceOptions): AccessApplication

@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, account_id: Optional[str] = None, allowed_idps: Optional[Sequence[str]] = None, aud: Optional[str] = None, auto_redirect_to_identity: Optional[bool] = None, cors_headers: Optional[Sequence[AccessApplicationCorsHeaderArgs]] = None, custom_deny_message: Optional[str] = None, custom_deny_url: Optional[str] = None, domain: Optional[str] = None, enable_binding_cookie: Optional[bool] = None, name: Optional[str] = None, session_duration: Optional[str] = None, zone_id: Optional[str] = None) -> AccessApplication

func GetAccessApplication(ctx *Context, name string, id IDInput, state *AccessApplicationState, opts ...ResourceOption) (*AccessApplication, error)

public static AccessApplication Get(string name, Input<string> id, AccessApplicationState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The account to which the access application should be added. Conflicts with zone_id.
AllowedIdps List<string>: The identity providers selected for the application.
Aud string: Application Audience (AUD) Tag of the application
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
CorsHeaders List<AccessApplicationCorsHeaderArgs>: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
Name string: Friendly name of the Access Application.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
ZoneId string: The DNS zone to which the access application should be added. Conflicts with account_id.

AccountId string: The account to which the access application should be added. Conflicts with zone_id.
AllowedIdps []string: The identity providers selected for the application.
Aud string: Application Audience (AUD) Tag of the application
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
CorsHeaders []AccessApplicationCorsHeader: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
Name string: Friendly name of the Access Application.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
ZoneId string: The DNS zone to which the access application should be added. Conflicts with account_id.

accountId string: The account to which the access application should be added. Conflicts with zone_id.
allowedIdps string[]: The identity providers selected for the application.
aud string: Application Audience (AUD) Tag of the application
autoRedirectToIdentity boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
corsHeaders AccessApplicationCorsHeader[]: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
name string: Friendly name of the Access Application.
sessionDuration string: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
zoneId string: The DNS zone to which the access application should be added. Conflicts with account_id.

account_id str: The account to which the access application should be added. Conflicts with zone_id.
allowed_idps Sequence[str]: The identity providers selected for the application.
aud str: Application Audience (AUD) Tag of the application
auto_redirect_to_identity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled).
cors_headers Sequence[AccessApplicationCorsHeaderArgs]: CORS configuration for the Access Application. See below for reference structure.
custom_deny_message str: Option that returns a custom error message when a user is denied access to the application.
custom_deny_url str: Option that redirects to a custom URL when a user is denied access to the application.
domain str: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enable_binding_cookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional “binding” cookie on requests. Defaults to false.
name str: Friendly name of the Access Application.
session_duration str: How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h.
zone_id str: The DNS zone to which the access application should be added. Conflicts with account_id.

Supporting Types

AccessApplicationCorsHeader

AllowAllHeaders bool: Boolean value to determine whether all HTTP headers are exposed.
AllowAllMethods bool: Boolean value to determine whether all methods are exposed.
AllowAllOrigins bool: Boolean value to determine whether all origins are permitted to make CORS requests.
AllowCredentials bool: Boolean value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
AllowedHeaders List<string>: List of HTTP headers to expose via CORS.
AllowedMethods List<string>: List of methods to expose via CORS.
AllowedOrigins List<string>: List of origins permitted to make CORS requests.
MaxAge int: Integer representing the maximum time a preflight request will be cached.

AllowAllHeaders bool: Boolean value to determine whether all HTTP headers are exposed.
AllowAllMethods bool: Boolean value to determine whether all methods are exposed.
AllowAllOrigins bool: Boolean value to determine whether all origins are permitted to make CORS requests.
AllowCredentials bool: Boolean value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
AllowedHeaders []string: List of HTTP headers to expose via CORS.
AllowedMethods []string: List of methods to expose via CORS.
AllowedOrigins []string: List of origins permitted to make CORS requests.
MaxAge int: Integer representing the maximum time a preflight request will be cached.

allowAllHeaders boolean: Boolean value to determine whether all HTTP headers are exposed.
allowAllMethods boolean: Boolean value to determine whether all methods are exposed.
allowAllOrigins boolean: Boolean value to determine whether all origins are permitted to make CORS requests.
allowCredentials boolean: Boolean value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
allowedHeaders string[]: List of HTTP headers to expose via CORS.
allowedMethods string[]: List of methods to expose via CORS.
allowedOrigins string[]: List of origins permitted to make CORS requests.
maxAge number: Integer representing the maximum time a preflight request will be cached.

allow_all_headers bool: Boolean value to determine whether all HTTP headers are exposed.
allow_all_methods bool: Boolean value to determine whether all methods are exposed.
allow_all_origins bool: Boolean value to determine whether all origins are permitted to make CORS requests.
allow_credentials bool: Boolean value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
allowed_headers Sequence[str]: List of HTTP headers to expose via CORS.
allowed_methods Sequence[str]: List of methods to expose via CORS.
allowed_origins Sequence[str]: List of origins permitted to make CORS requests.
max_age int: Integer representing the maximum time a preflight request will be cached.

Import

Access Applications can be imported using a composite ID formed of zone ID and application ID.

 $ pulumi import cloudflare:index/accessApplication:AccessApplication staging cb029e245cfdd66dc8d2e570d5dd3322/d41d8cd98f00b204e9800998ecf8427e

Package Details

Repository: https://github.com/pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud