AccessGroup
Provides a Cloudflare Access Group resource. Access Groups are used in conjunction with Access Policies to restrict access to a particular resource based on group membership.
Conditions
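The `require`, `exclude` and `include` arguments share the same set of available conditions. In Cloudflare Access, `include` conditions are combined with OR, `require` conditions with AND, and `exclude` conditions act as NOT. The conditions are: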
ip
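- (Optional) A list of IP addresses or ranges. Example: `ip = ["1.2.3.4", "10.0.0.0/2"]`. The prefix length decides how many addresses match: a short prefix such as the `/2` shown here covers a very large block, so use the narrowest range that fits.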
email
- (Optional) A list of email addresses. Example:email = ["test@example.com"]
email_domain
- (Optional) A list of email domains. Example:email_domain = ["example.com"]
service_token
- (Optional) A list of service token ids. Example:service_token = [cloudflare_access_service_token.demo.id]
any_valid_service_token
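- (Optional) Boolean; when true, any valid service token satisfies the condition. Example: `any_valid_service_token = true`. To limit the condition to specific tokens, list them with `service_token` instead.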
group
- (Optional) A list of access group ids. Example:group = [cloudflare_access_group.demo.id]
everyone
- (Optional) Boolean; when true, the condition matches all requests. Example: `everyone = true`. Used on its own under `include`, it places no restriction on who matches the group.
certificate
- (Optional) Whether to use mTLS certificate authentication.
common_name
- (Optional) Use a certificate common name to authenticate with.
auth_method
- (Optional) A string identifying the authentication method code. The codes are listed at https://tools.ietf.org/html/rfc8176#section-2. Custom values are also supported.
geo
- (Optional) A list of country codes. Example: `geo = ["US"]`
gsuite
- (Optional) Use GSuite as the authentication mechanism. Example:
# ... other configuration
include {
  # Matches the listed email addresses through the identity provider named
  # below (presumably the G Suite IdP configured for Access; confirm).
  gsuite {
    email = ["admins@example.com"]
    # ID of the identity provider the condition is evaluated against; the
    # value shown is a sample.
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}
github
- (Optional) Use a GitHub organization as the `include` condition. Example:
# ... other configuration
include {
  github {
    name = "my-github-org-name" # (Required) GitHub organization name
    # NOTE(review): with team omitted the condition presumably matches every
    # member of the organization; confirm, and list teams to narrow it.
    team = ["my-github-team-name"] # (Optional) GitHub teams
    # ID of the identity provider the condition is evaluated against; the
    # value shown is a sample.
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}
azure
- (Optional) Use Azure AD as the `include` condition. Example:
# ... other configuration
include {
  azure {
    # List of Azure AD identifiers to match (presumably group object IDs;
    # confirm against the provider documentation).
    id = ["86773093-5feb-48dd-814b-7ccd3676ff50e"]
    # ID of the identity provider the condition is evaluated against; the
    # value shown is a sample.
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}
okta
- (Optional) Use Okta as the `include` condition. Example:
# ... other configuration
include {
  okta {
    # List of names to match (presumably Okta group names; confirm against
    # the provider documentation).
    name = ["admins"]
    # ID of the identity provider the condition is evaluated against; the
    # value shown is a sample.
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}
saml
- (Optional) Use an external SAML setup as the `include` condition. Example:
# ... other configuration
include {
  saml {
    # Attribute name/value pair to match. NOTE(review): presumably compared
    # with the attributes in the SAML assertion, so the condition is only as
    # trustworthy as the IdP's attribute mapping; confirm.
    attribute_name = "group"
    attribute_value = "admins"
    # ID of the identity provider the condition is evaluated against; the
    # value shown is a sample.
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}
Example Usage
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;
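/// <summary>
/// Example stack declaring two Cloudflare Access Groups: one matched by email
/// address alone, and one that additionally requires a specific source IP.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The office address comes from stack configuration ("officeIp" is the
        // key chosen for this example). Require throws when the key is unset,
        // so the second group is never created without its IP restriction.
        var config = new Config();
        var officeIp = config.Require("officeIp");

        // Allowing access to `test@example.com` email address only
        var testGroupAccessGroup = new Cloudflare.AccessGroup("testGroupAccessGroup", new Cloudflare.AccessGroupArgs
        {
            AccountId = "975ecf5a45e3bcb680dba0722a420ad9",
            Name = "staging group",
            Includes =
            {
                new Cloudflare.Inputs.AccessGroupIncludeArgs
                {
                    Emails =
                    {
                        "test@example.com",
                    },
                },
            },
        });

        // Allowing `test@example.com` to access but only when coming from a
        // specific IP.
        var testGroupIndex_accessGroupAccessGroup = new Cloudflare.AccessGroup("testGroupIndex/accessGroupAccessGroup", new Cloudflare.AccessGroupArgs
        {
            AccountId = "975ecf5a45e3bcb680dba0722a420ad9",
            Name = "staging group",
            Includes =
            {
                new Cloudflare.Inputs.AccessGroupIncludeArgs
                {
                    Emails =
                    {
                        "test@example.com",
                    },
                },
            },
            // Requires is a list of condition objects, like Includes; the
            // original dictionary-style initializer did not compile.
            Requires =
            {
                new Cloudflare.Inputs.AccessGroupRequireArgs
                {
                    Ips =
                    {
                        officeIp,
                    },
                },
            },
        });
    }
}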
package main
import (
	"fmt"

	"github.com/pulumi/pulumi-cloudflare/sdk/v2/go/cloudflare"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
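// main declares two Cloudflare Access Groups: one matched by email address
// alone, and one that additionally requires a specific source IP.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The office address comes from stack configuration ("officeIp" is the
		// key chosen for this example). Fail the deployment when it is unset
		// rather than creating the second group without its IP restriction.
		officeIP, ok := ctx.GetConfig(ctx.Project() + ":officeIp")
		if !ok || officeIP == "" {
			return fmt.Errorf("missing required configuration value %q", "officeIp")
		}

		// Allowing access to `test@example.com` email address only.
		_, err := cloudflare.NewAccessGroup(ctx, "testGroupAccessGroup", &cloudflare.AccessGroupArgs{
			AccountId: pulumi.String("975ecf5a45e3bcb680dba0722a420ad9"),
			Name:      pulumi.String("staging group"),
			Includes: cloudflare.AccessGroupIncludeArray{
				&cloudflare.AccessGroupIncludeArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
		})
		if err != nil {
			return err
		}

		// Allowing `test@example.com` to access but only when coming from a
		// specific IP.
		_, err = cloudflare.NewAccessGroup(ctx, "testGroupIndex_accessGroupAccessGroup", &cloudflare.AccessGroupArgs{
			AccountId: pulumi.String("975ecf5a45e3bcb680dba0722a420ad9"),
			Name:      pulumi.String("staging group"),
			Includes: cloudflare.AccessGroupIncludeArray{
				&cloudflare.AccessGroupIncludeArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
			// Requires is an array of condition objects, like Includes; the
			// original keyed literal did not compile.
			Requires: cloudflare.AccessGroupRequireArray{
				&cloudflare.AccessGroupRequireArgs{
					Ips: pulumi.StringArray{
						pulumi.String(officeIP),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}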
import pulumi
import pulumi_cloudflare as cloudflare
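# The office address comes from stack configuration ("officeIp" is the key
# chosen for this example). require() raises when the key is unset, so the
# second group is never created without its IP restriction.
config = pulumi.Config()
office_ip = config.require("officeIp")

# Allowing access to `test@example.com` email address only
test_group_access_group = cloudflare.AccessGroup("testGroupAccessGroup",
    account_id="975ecf5a45e3bcb680dba0722a420ad9",
    name="staging group",
    includes=[cloudflare.AccessGroupIncludeArgs(
        emails=["test@example.com"],
    )])

# Allowing `test@example.com` to access but only when coming from a
# specific IP.
test_group_index_access_group_access_group = cloudflare.AccessGroup("testGroupIndex/accessGroupAccessGroup",
    account_id="975ecf5a45e3bcb680dba0722a420ad9",
    name="staging group",
    includes=[cloudflare.AccessGroupIncludeArgs(
        emails=["test@example.com"],
    )],
    # `requires` is a sequence of AccessGroupRequireArgs, like `includes`; the
    # original passed a dict and referenced an undefined `var`.
    requires=[cloudflare.AccessGroupRequireArgs(
        ips=[office_ip],
    )])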
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";
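// The office address comes from stack configuration ("officeIp" is the key
// chosen for this example). require() throws when the key is unset, so the
// second group is never created without its IP restriction.
const config = new pulumi.Config();
const officeIp = config.require("officeIp");

// Allowing access to `test@example.com` email address only
const testGroupAccessGroup = new cloudflare.AccessGroup("testGroupAccessGroup", {
    accountId: "975ecf5a45e3bcb680dba0722a420ad9",
    name: "staging group",
    includes: [{
        emails: ["test@example.com"],
    }],
});

// Allowing `test@example.com` to access but only when coming from a
// specific IP.
const testGroupIndex_accessGroupAccessGroup = new cloudflare.AccessGroup("testGroupIndex/accessGroupAccessGroup", {
    accountId: "975ecf5a45e3bcb680dba0722a420ad9",
    name: "staging group",
    includes: [{
        emails: ["test@example.com"],
    }],
    // `requires` is an array of condition objects, like `includes`; the
    // original passed a single object and referenced an undefined `_var`.
    requires: [{
        ips: [officeIp],
    }],
});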
Create an AccessGroup Resource
new AccessGroup(name: string, args: AccessGroupArgs, opts?: CustomResourceOptions);
def AccessGroup(resource_name: str, opts: Optional[ResourceOptions] = None, account_id: Optional[str] = None, excludes: Optional[Sequence[AccessGroupExcludeArgs]] = None, includes: Optional[Sequence[AccessGroupIncludeArgs]] = None, name: Optional[str] = None, requires: Optional[Sequence[AccessGroupRequireArgs]] = None, zone_id: Optional[str] = None)
func NewAccessGroup(ctx *Context, name string, args AccessGroupArgs, opts ...ResourceOption) (*AccessGroup, error)
public AccessGroup(string name, AccessGroupArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args AccessGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AccessGroupArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AccessGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
AccessGroup Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The AccessGroup resource accepts the following input properties:
- Includes
List<Access
Group Include Args> A series of access conditions, see below for full list.
- Name string
Friendly name of the Access Group.
- Account
Id string The ID of the account the group is associated with. Conflicts with
zone_id
.- Excludes
List<Access
Group Exclude Args> A series of access conditions, see below for full list.
- Requires
List<Access
Group Require Args> A series of access conditions, see below for full list.
- Zone
Id string The ID of the zone the group is associated with. Conflicts with
account_id
.
- Includes
[]Access
Group Include A series of access conditions, see below for full list.
- Name string
Friendly name of the Access Group.
- Account
Id string The ID of the account the group is associated with. Conflicts with
zone_id
.- Excludes
[]Access
Group Exclude A series of access conditions, see below for full list.
- Requires
[]Access
Group Require A series of access conditions, see below for full list.
- Zone
Id string The ID of the zone the group is associated with. Conflicts with
account_id
.
- includes
Access
Group Include[] A series of access conditions, see below for full list.
- name string
Friendly name of the Access Group.
- account
Id string The ID of the account the group is associated with. Conflicts with
zone_id
.- excludes
Access
Group Exclude[] A series of access conditions, see below for full list.
- requires
Access
Group Require[] A series of access conditions, see below for full list.
- zone
Id string The ID of the zone the group is associated with. Conflicts with
account_id
.
- includes
Sequence[Access
Group Include Args] A series of access conditions, see below for full list.
- name str
Friendly name of the Access Group.
- account_
id str The ID of the account the group is associated with. Conflicts with
zone_id
.- excludes
Sequence[Access
Group Exclude Args] A series of access conditions, see below for full list.
- requires
Sequence[Access
Group Require Args] A series of access conditions, see below for full list.
- zone_
id str The ID of the zone the group is associated with. Conflicts with
account_id
.
Outputs
All input properties are implicitly available as output properties. Additionally, the AccessGroup resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
Look up an Existing AccessGroup Resource
Get an existing AccessGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AccessGroupState, opts?: CustomResourceOptions): AccessGroup
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, account_id: Optional[str] = None, excludes: Optional[Sequence[AccessGroupExcludeArgs]] = None, includes: Optional[Sequence[AccessGroupIncludeArgs]] = None, name: Optional[str] = None, requires: Optional[Sequence[AccessGroupRequireArgs]] = None, zone_id: Optional[str] = None) -> AccessGroup
func GetAccessGroup(ctx *Context, name string, id IDInput, state *AccessGroupState, opts ...ResourceOption) (*AccessGroup, error)
public static AccessGroup Get(string name, Input<string> id, AccessGroupState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Account
Id string The ID of the account the group is associated with. Conflicts with
zone_id
.- Excludes
List<Access
Group Exclude Args> A series of access conditions, see below for full list.
- Includes
List<Access
Group Include Args> A series of access conditions, see below for full list.
- Name string
Friendly name of the Access Group.
- Requires
List<Access
Group Require Args> A series of access conditions, see below for full list.
- Zone
Id string The ID of the zone the group is associated with. Conflicts with
account_id
.
- Account
Id string The ID of the account the group is associated with. Conflicts with
zone_id
.- Excludes
[]Access
Group Exclude A series of access conditions, see below for full list.
- Includes
[]Access
Group Include A series of access conditions, see below for full list.
- Name string
Friendly name of the Access Group.
- Requires
[]Access
Group Require A series of access conditions, see below for full list.
- Zone
Id string The ID of the zone the group is associated with. Conflicts with
account_id
.
- account
Id string The ID of the account the group is associated with. Conflicts with
zone_id
.- excludes
Access
Group Exclude[] A series of access conditions, see below for full list.
- includes
Access
Group Include[] A series of access conditions, see below for full list.
- name string
Friendly name of the Access Group.
- requires
Access
Group Require[] A series of access conditions, see below for full list.
- zone
Id string The ID of the zone the group is associated with. Conflicts with
account_id
.
- account_
id str The ID of the account the group is associated with. Conflicts with
zone_id
.- excludes
Sequence[Access
Group Exclude Args] A series of access conditions, see below for full list.
- includes
Sequence[Access
Group Include Args] A series of access conditions, see below for full list.
- name str
Friendly name of the Access Group.
- requires
Sequence[Access
Group Require Args] A series of access conditions, see below for full list.
- zone_
id str The ID of the zone the group is associated with. Conflicts with
account_id
.
Supporting Types
AccessGroupExclude
- Any
Valid boolService Token - Auth
Method string - Azures
List<Access
Group Exclude Azure Args> - Certificate bool
- Common
Name string - Email
Domains List<string> - Emails List<string>
- Everyone bool
- Geos List<string>
- Githubs
List<Access
Group Exclude Github Args> - Groups List<string>
- Gsuites
List<Access
Group Exclude Gsuite Args> - Ips List<string>
- Oktas
List<Access
Group Exclude Okta Args> - Samls
List<Access
Group Exclude Saml Args> - Service
Tokens List<string>
- Any
Valid boolService Token - Auth
Method string - Azures
[]Access
Group Exclude Azure - Certificate bool
- Common
Name string - Email
Domains []string - Emails []string
- Everyone bool
- Geos []string
- Githubs
[]Access
Group Exclude Github - Groups []string
- Gsuites
[]Access
Group Exclude Gsuite - Ips []string
- Oktas
[]Access
Group Exclude Okta - Samls
[]Access
Group Exclude Saml - Service
Tokens []string
- any
Valid booleanService Token - auth
Method string - azures
Access
Group Exclude Azure[] - certificate boolean
- common
Name string - email
Domains string[] - emails string[]
- everyone boolean
- geos string[]
- githubs
Access
Group Exclude Github[] - groups string[]
- gsuites
Access
Group Exclude Gsuite[] - ips string[]
- oktas
Access
Group Exclude Okta[] - samls
Access
Group Exclude Saml[] - service
Tokens string[]
- any_
valid_ boolservice_ token - auth_
method str - azures
Sequence[Access
Group Exclude Azure Args] - certificate bool
- common_
name str - email_
domains Sequence[str] - emails Sequence[str]
- everyone bool
- geos Sequence[str]
- githubs
Sequence[Access
Group Exclude Github Args] - groups Sequence[str]
- gsuites
Sequence[Access
Group Exclude Gsuite Args] - ips Sequence[str]
- oktas
Sequence[Access
Group Exclude Okta Args] - samls
Sequence[Access
Group Exclude Saml Args] - service_
tokens Sequence[str]
AccessGroupExcludeAzure
- Identity
Provider stringId - Ids List<string>
- Identity
Provider stringId - Ids []string
- identity
Provider stringId - ids string[]
- identity_
provider_ strid - ids Sequence[str]
AccessGroupExcludeGithub
- Identity
Provider stringId - Name string
Friendly name of the Access Group.
- Teams List<string>
- Identity
Provider stringId - Name string
Friendly name of the Access Group.
- Teams []string
- identity
Provider stringId - name string
Friendly name of the Access Group.
- teams string[]
- identity_
provider_ strid - name str
Friendly name of the Access Group.
- teams Sequence[str]
AccessGroupExcludeGsuite
- Emails List<string>
- Identity
Provider stringId
- Emails []string
- Identity
Provider stringId
- emails string[]
- identity
Provider stringId
- emails Sequence[str]
- identity_
provider_ strid
AccessGroupExcludeOkta
- Identity
Provider stringId - Names List<string>
Friendly name of the Access Group.
- Identity
Provider stringId - Names []string
Friendly name of the Access Group.
- identity
Provider stringId - names string[]
Friendly name of the Access Group.
- identity_
provider_ strid - names Sequence[str]
Friendly name of the Access Group.
AccessGroupExcludeSaml
- Attribute
Name string - Attribute
Value string - Identity
Provider stringId
- Attribute
Name string - Attribute
Value string - Identity
Provider stringId
- attribute
Name string - attribute
Value string - identity
Provider stringId
AccessGroupInclude
- Any
Valid boolService Token - Auth
Method string - Azures
List<Access
Group Include Azure Args> - Certificate bool
- Common
Name string - Email
Domains List<string> - Emails List<string>
- Everyone bool
- Geos List<string>
- Githubs
List<Access
Group Include Github Args> - Groups List<string>
- Gsuites
List<Access
Group Include Gsuite Args> - Ips List<string>
- Oktas
List<Access
Group Include Okta Args> - Samls
List<Access
Group Include Saml Args> - Service
Tokens List<string>
- Any
Valid boolService Token - Auth
Method string - Azures
[]Access
Group Include Azure - Certificate bool
- Common
Name string - Email
Domains []string - Emails []string
- Everyone bool
- Geos []string
- Githubs
[]Access
Group Include Github - Groups []string
- Gsuites
[]Access
Group Include Gsuite - Ips []string
- Oktas
[]Access
Group Include Okta - Samls
[]Access
Group Include Saml - Service
Tokens []string
- any
Valid booleanService Token - auth
Method string - azures
Access
Group Include Azure[] - certificate boolean
- common
Name string - email
Domains string[] - emails string[]
- everyone boolean
- geos string[]
- githubs
Access
Group Include Github[] - groups string[]
- gsuites
Access
Group Include Gsuite[] - ips string[]
- oktas
Access
Group Include Okta[] - samls
Access
Group Include Saml[] - service
Tokens string[]
- any_
valid_ boolservice_ token - auth_
method str - azures
Sequence[Access
Group Include Azure Args] - certificate bool
- common_
name str - email_
domains Sequence[str] - emails Sequence[str]
- everyone bool
- geos Sequence[str]
- githubs
Sequence[Access
Group Include Github Args] - groups Sequence[str]
- gsuites
Sequence[Access
Group Include Gsuite Args] - ips Sequence[str]
- oktas
Sequence[Access
Group Include Okta Args] - samls
Sequence[Access
Group Include Saml Args] - service_
tokens Sequence[str]
AccessGroupIncludeAzure
- Identity
Provider stringId - Ids List<string>
- Identity
Provider stringId - Ids []string
- identity
Provider stringId - ids string[]
- identity_
provider_ strid - ids Sequence[str]
AccessGroupIncludeGithub
- Identity
Provider stringId - Name string
Friendly name of the Access Group.
- Teams List<string>
- Identity
Provider stringId - Name string
Friendly name of the Access Group.
- Teams []string
- identity
Provider stringId - name string
Friendly name of the Access Group.
- teams string[]
- identity_
provider_ strid - name str
Friendly name of the Access Group.
- teams Sequence[str]
AccessGroupIncludeGsuite
- Emails List<string>
- Identity
Provider stringId
- Emails []string
- Identity
Provider stringId
- emails string[]
- identity
Provider stringId
- emails Sequence[str]
- identity_
provider_ strid
AccessGroupIncludeOkta
- Identity
Provider stringId - Names List<string>
Friendly name of the Access Group.
- Identity
Provider stringId - Names []string
Friendly name of the Access Group.
- identity
Provider stringId - names string[]
Friendly name of the Access Group.
- identity_
provider_ strid - names Sequence[str]
Friendly name of the Access Group.
AccessGroupIncludeSaml
- Attribute
Name string - Attribute
Value string - Identity
Provider stringId
- Attribute
Name string - Attribute
Value string - Identity
Provider stringId
- attribute
Name string - attribute
Value string - identity
Provider stringId
AccessGroupRequire
- Any
Valid boolService Token - Auth
Method string - Azures
List<Access
Group Require Azure Args> - Certificate bool
- Common
Name string - Email
Domains List<string> - Emails List<string>
- Everyone bool
- Geos List<string>
- Githubs
List<Access
Group Require Github Args> - Groups List<string>
- Gsuites
List<Access
Group Require Gsuite Args> - Ips List<string>
- Oktas
List<Access
Group Require Okta Args> - Samls
List<Access
Group Require Saml Args> - Service
Tokens List<string>
- Any
Valid boolService Token - Auth
Method string - Azures
[]Access
Group Require Azure - Certificate bool
- Common
Name string - Email
Domains []string - Emails []string
- Everyone bool
- Geos []string
- Githubs
[]Access
Group Require Github - Groups []string
- Gsuites
[]Access
Group Require Gsuite - Ips []string
- Oktas
[]Access
Group Require Okta - Samls
[]Access
Group Require Saml - Service
Tokens []string
- any
Valid booleanService Token - auth
Method string - azures
Access
Group Require Azure[] - certificate boolean
- common
Name string - email
Domains string[] - emails string[]
- everyone boolean
- geos string[]
- githubs
Access
Group Require Github[] - groups string[]
- gsuites
Access
Group Require Gsuite[] - ips string[]
- oktas
Access
Group Require Okta[] - samls
Access
Group Require Saml[] - service
Tokens string[]
- any_
valid_ boolservice_ token - auth_
method str - azures
Sequence[Access
Group Require Azure Args] - certificate bool
- common_
name str - email_
domains Sequence[str] - emails Sequence[str]
- everyone bool
- geos Sequence[str]
- githubs
Sequence[Access
Group Require Github Args] - groups Sequence[str]
- gsuites
Sequence[Access
Group Require Gsuite Args] - ips Sequence[str]
- oktas
Sequence[Access
Group Require Okta Args] - samls
Sequence[Access
Group Require Saml Args] - service_
tokens Sequence[str]
AccessGroupRequireAzure
- Identity
Provider stringId - Ids List<string>
- Identity
Provider stringId - Ids []string
- identity
Provider stringId - ids string[]
- identity_
provider_ strid - ids Sequence[str]
AccessGroupRequireGithub
- Identity
Provider stringId - Name string
Friendly name of the Access Group.
- Teams List<string>
- Identity
Provider stringId - Name string
Friendly name of the Access Group.
- Teams []string
- identity
Provider stringId - name string
Friendly name of the Access Group.
- teams string[]
- identity_
provider_ strid - name str
Friendly name of the Access Group.
- teams Sequence[str]
AccessGroupRequireGsuite
- Emails List<string>
- Identity
Provider stringId
- Emails []string
- Identity
Provider stringId
- emails string[]
- identity
Provider stringId
- emails Sequence[str]
- identity_
provider_ strid
AccessGroupRequireOkta
- Identity
Provider stringId - Names List<string>
Friendly name of the Access Group.
- Identity
Provider stringId - Names []string
Friendly name of the Access Group.
- identity
Provider stringId - names string[]
Friendly name of the Access Group.
- identity_
provider_ strid - names Sequence[str]
Friendly name of the Access Group.
AccessGroupRequireSaml
- Attribute
Name string - Attribute
Value string - Identity
Provider stringId
- Attribute
Name string - Attribute
Value string - Identity
Provider stringId
- attribute
Name string - attribute
Value string - identity
Provider stringId
Import
Access Groups can be imported using a composite ID formed of account ID and group ID.
$ pulumi import cloudflare:index/accessGroup:AccessGroup staging 975ecf5a45e3bcb680dba0722a420ad9/67ea780ce4982c1cfbe6b7293afc765d
where:
- 975ecf5a45e3bcb680dba0722a420ad9 - Account ID
- 67ea780ce4982c1cfbe6b7293afc765d - Access Group ID
Package Details
- Repository
- https://github.com/pulumi/pulumi-cloudflare
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
cloudflare
Terraform Provider.