
AccessPolicy

Provides a Cloudflare Access Policy resource. Access Policies are used in conjunction with Access Applications to restrict access to a particular resource.

Example Usage

using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

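/// <summary>
/// Example stack that declares two Cloudflare Access policies for one
/// Access Application: an email-only allow rule, and an allow rule that
/// additionally requires a specific source IP.
/// </summary>
/// <remarks>
/// NOTE(review): both policies target the same application with
/// <c>Precedence = 1</c>, while the property reference on this page describes
/// precedence as unique per application. Treat them as alternative examples.
/// An email-only allow policy would presumably also admit the same user
/// without the IP requirement - confirm against the Access evaluation order
/// before deploying both.
/// </remarks>
class MyStack : Stack
{
    public MyStack()
    {
        // Constructed placeholder from the RFC 5737 documentation range.
        // Replace it with the real office egress address (for example, a value
        // read from stack configuration).
        const string officeIp = "192.0.2.10/32";

        // Allowing access to `test@example.com` email address only
        var testPolicyAccessPolicy = new Cloudflare.AccessPolicy("testPolicyAccessPolicy", new Cloudflare.AccessPolicyArgs
        {
            ApplicationId = "cb029e245cfdd66dc8d2e570d5dd3322",
            ZoneId = "d41d8cd98f00b204e9800998ecf8427e",
            Name = "staging policy",
            Precedence = 1,
            Decision = "allow",
            Includes =
            {
                new Cloudflare.Inputs.AccessPolicyIncludeArgs
                {
                    Emails =
                    {
                        "test@example.com",
                    },
                },
            },
        });

        // Allowing `test@example.com` to access but only when coming from a
        // specific IP.
        var testPolicyIndex_accessPolicyAccessPolicy = new Cloudflare.AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy", new Cloudflare.AccessPolicyArgs
        {
            ApplicationId = "cb029e245cfdd66dc8d2e570d5dd3322",
            ZoneId = "d41d8cd98f00b204e9800998ecf8427e",
            Name = "staging policy",
            Precedence = 1,
            Decision = "allow",
            Includes =
            {
                new Cloudflare.Inputs.AccessPolicyIncludeArgs
                {
                    Emails =
                    {
                        "test@example.com",
                    },
                },
            },
            // Requires is a list of AccessPolicyRequireArgs (see the Inputs
            // reference), not a dictionary keyed by "ips"; the original snippet
            // also referenced an undeclared `@var.Office_ip`.
            Requires =
            {
                new Cloudflare.Inputs.AccessPolicyRequireArgs
                {
                    Ips =
                    {
                        officeIp,
                    },
                },
            },
        });
    }

}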
package main

import (
    "github.com/pulumi/pulumi-cloudflare/sdk/v2/go/cloudflare"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

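// main declares two Cloudflare Access policies for one Access Application:
// an email-only allow rule, and an allow rule that additionally requires a
// specific source IP.
//
// NOTE(review): both policies target the same application with precedence 1,
// while the property reference on this page describes precedence as unique
// per application. Treat them as alternative examples. An email-only allow
// policy would presumably also admit the same user without the IP
// requirement - confirm against the Access evaluation order before deploying
// both.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Constructed placeholder from the RFC 5737 documentation range.
        // Replace it with the real office egress address (for example, a
        // value read from stack configuration).
        const officeIP = "192.0.2.10/32"

        // Allowing access to `test@example.com` email address only.
        _, err := cloudflare.NewAccessPolicy(ctx, "testPolicyAccessPolicy", &cloudflare.AccessPolicyArgs{
            ApplicationId: pulumi.String("cb029e245cfdd66dc8d2e570d5dd3322"),
            ZoneId:        pulumi.String("d41d8cd98f00b204e9800998ecf8427e"),
            Name:          pulumi.String("staging policy"),
            Precedence:    pulumi.Int(1),
            Decision:      pulumi.String("allow"),
            Includes: cloudflare.AccessPolicyIncludeArray{
                &cloudflare.AccessPolicyIncludeArgs{
                    Emails: pulumi.StringArray{
                        pulumi.String("test@example.com"),
                    },
                },
            },
        })
        if err != nil {
            return err
        }

        // Allowing `test@example.com` to access but only when coming from a
        // specific IP.
        _, err = cloudflare.NewAccessPolicy(ctx, "testPolicyIndex_accessPolicyAccessPolicy", &cloudflare.AccessPolicyArgs{
            ApplicationId: pulumi.String("cb029e245cfdd66dc8d2e570d5dd3322"),
            ZoneId:        pulumi.String("d41d8cd98f00b204e9800998ecf8427e"),
            Name:          pulumi.String("staging policy"),
            Precedence:    pulumi.Int(1),
            Decision:      pulumi.String("allow"),
            Includes: cloudflare.AccessPolicyIncludeArray{
                &cloudflare.AccessPolicyIncludeArgs{
                    Emails: pulumi.StringArray{
                        pulumi.String("test@example.com"),
                    },
                },
            },
            // Requires is an array of AccessPolicyRequireArgs; the original
            // snippet used a keyed `Ips:` element inside the array literal and
            // an undeclared `_var.Office_ip`, neither of which compiles.
            Requires: cloudflare.AccessPolicyRequireArray{
                &cloudflare.AccessPolicyRequireArgs{
                    Ips: pulumi.StringArray{
                        pulumi.String(officeIP),
                    },
                },
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}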
import pulumi
import pulumi_cloudflare as cloudflare

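# Two Cloudflare Access policies for one Access Application: an email-only
# allow rule, and an allow rule that additionally requires a source IP.
#
# NOTE(review): both policies target the same application with precedence 1,
# while the property reference on this page describes precedence as unique per
# application. Treat them as alternative examples. An email-only allow policy
# would presumably also admit the same user without the IP requirement -
# confirm against the Access evaluation order before deploying both.

# Constructed placeholder from the RFC 5737 documentation range. Replace it
# with the real office egress address (for example, a value read from stack
# configuration).
office_ip = "192.0.2.10/32"

# Allowing access to `test@example.com` email address only
test_policy_access_policy = cloudflare.AccessPolicy("testPolicyAccessPolicy",
    application_id="cb029e245cfdd66dc8d2e570d5dd3322",
    zone_id="d41d8cd98f00b204e9800998ecf8427e",
    name="staging policy",
    precedence=1,
    decision="allow",
    includes=[cloudflare.AccessPolicyIncludeArgs(
        emails=["test@example.com"],
    )])
# Allowing `test@example.com` to access but only when coming from a
# specific IP.
test_policy_index_access_policy_access_policy = cloudflare.AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy",
    application_id="cb029e245cfdd66dc8d2e570d5dd3322",
    zone_id="d41d8cd98f00b204e9800998ecf8427e",
    name="staging policy",
    precedence=1,
    decision="allow",
    includes=[cloudflare.AccessPolicyIncludeArgs(
        emails=["test@example.com"],
    )],
    # `requires` is a sequence of AccessPolicyRequireArgs (see the constructor
    # signature on this page), not a dict; the original snippet also
    # referenced an undefined `var`.
    requires=[cloudflare.AccessPolicyRequireArgs(
        ips=[office_ip],
    )])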
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

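// Two Cloudflare Access policies for one Access Application: an email-only
// allow rule, and an allow rule that additionally requires a source IP.
//
// NOTE(review): both policies target the same application with precedence 1,
// while the property reference on this page describes precedence as unique per
// application. Treat them as alternative examples. An email-only allow policy
// would presumably also admit the same user without the IP requirement -
// confirm against the Access evaluation order before deploying both.

// Constructed placeholder from the RFC 5737 documentation range. Replace it
// with the real office egress address (for example, a value read from stack
// configuration).
const officeIp = "192.0.2.10/32";

// Allowing access to `test@example.com` email address only
const testPolicyAccessPolicy = new cloudflare.AccessPolicy("testPolicyAccessPolicy", {
    applicationId: "cb029e245cfdd66dc8d2e570d5dd3322",
    zoneId: "d41d8cd98f00b204e9800998ecf8427e",
    name: "staging policy",
    // The property reference types `precedence` as a number, not a string.
    precedence: 1,
    decision: "allow",
    includes: [{
        emails: ["test@example.com"],
    }],
});
// Allowing `test@example.com` to access but only when coming from a
// specific IP.
const testPolicyIndex_accessPolicyAccessPolicy = new cloudflare.AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy", {
    applicationId: "cb029e245cfdd66dc8d2e570d5dd3322",
    zoneId: "d41d8cd98f00b204e9800998ecf8427e",
    name: "staging policy",
    precedence: 1,
    decision: "allow",
    includes: [{
        emails: ["test@example.com"],
    }],
    // `requires` is typed AccessPolicyRequire[] in the property reference, so
    // it takes an array of condition objects; the original snippet passed a
    // bare object and referenced an undeclared `_var`.
    requires: [{
        ips: [officeIp],
    }],
});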

Create an AccessPolicy Resource

new AccessPolicy(name: string, args: AccessPolicyArgs, opts?: CustomResourceOptions);
def AccessPolicy(resource_name: str, opts: Optional[ResourceOptions] = None, account_id: Optional[str] = None, application_id: Optional[str] = None, decision: Optional[str] = None, excludes: Optional[Sequence[AccessPolicyExcludeArgs]] = None, includes: Optional[Sequence[AccessPolicyIncludeArgs]] = None, name: Optional[str] = None, precedence: Optional[int] = None, requires: Optional[Sequence[AccessPolicyRequireArgs]] = None, zone_id: Optional[str] = None)
func NewAccessPolicy(ctx *Context, name string, args AccessPolicyArgs, opts ...ResourceOption) (*AccessPolicy, error)
public AccessPolicy(string name, AccessPolicyArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

AccessPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The AccessPolicy resource accepts the following input properties:

ApplicationId string

The ID of the application the policy is associated with.

Decision string

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

Includes List<AccessPolicyIncludeArgs>

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Application.

AccountId string

The account to which the access rule should be added. Conflicts with zone_id.

Excludes List<AccessPolicyExcludeArgs>

A series of access conditions, see Access Groups.

Precedence int

The unique precedence for policies on a single application. Integer.

Requires List<AccessPolicyRequireArgs>

A series of access conditions, see Access Groups.

ZoneId string

The DNS zone to which the access rule should be added. Conflicts with account_id.

ApplicationId string

The ID of the application the policy is associated with.

Decision string

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

Includes []AccessPolicyInclude

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Application.

AccountId string

The account to which the access rule should be added. Conflicts with zone_id.

Excludes []AccessPolicyExclude

A series of access conditions, see Access Groups.

Precedence int

The unique precedence for policies on a single application. Integer.

Requires []AccessPolicyRequire

A series of access conditions, see Access Groups.

ZoneId string

The DNS zone to which the access rule should be added. Conflicts with account_id.

applicationId string

The ID of the application the policy is associated with.

decision string

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

includes AccessPolicyInclude[]

A series of access conditions, see Access Groups.

name string

Friendly name of the Access Application.

accountId string

The account to which the access rule should be added. Conflicts with zone_id.

excludes AccessPolicyExclude[]

A series of access conditions, see Access Groups.

precedence number

The unique precedence for policies on a single application. Integer.

requires AccessPolicyRequire[]

A series of access conditions, see Access Groups.

zoneId string

The DNS zone to which the access rule should be added. Conflicts with account_id.

application_id str

The ID of the application the policy is associated with.

decision str

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

includes Sequence[AccessPolicyIncludeArgs]

A series of access conditions, see Access Groups.

name str

Friendly name of the Access Application.

account_id str

The account to which the access rule should be added. Conflicts with zone_id.

excludes Sequence[AccessPolicyExcludeArgs]

A series of access conditions, see Access Groups.

precedence int

The unique precedence for policies on a single application. Integer.

requires Sequence[AccessPolicyRequireArgs]

A series of access conditions, see Access Groups.

zone_id str

The DNS zone to which the access rule should be added. Conflicts with account_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessPolicy resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing AccessPolicy Resource

Get an existing AccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessPolicyState, opts?: CustomResourceOptions): AccessPolicy
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, account_id: Optional[str] = None, application_id: Optional[str] = None, decision: Optional[str] = None, excludes: Optional[Sequence[AccessPolicyExcludeArgs]] = None, includes: Optional[Sequence[AccessPolicyIncludeArgs]] = None, name: Optional[str] = None, precedence: Optional[int] = None, requires: Optional[Sequence[AccessPolicyRequireArgs]] = None, zone_id: Optional[str] = None) -> AccessPolicy
func GetAccessPolicy(ctx *Context, name string, id IDInput, state *AccessPolicyState, opts ...ResourceOption) (*AccessPolicy, error)
public static AccessPolicy Get(string name, Input<string> id, AccessPolicyState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string

The account to which the access rule should be added. Conflicts with zone_id.

ApplicationId string

The ID of the application the policy is associated with.

Decision string

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

Excludes List<AccessPolicyExcludeArgs>

A series of access conditions, see Access Groups.

Includes List<AccessPolicyIncludeArgs>

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Application.

Precedence int

The unique precedence for policies on a single application. Integer.

Requires List<AccessPolicyRequireArgs>

A series of access conditions, see Access Groups.

ZoneId string

The DNS zone to which the access rule should be added. Conflicts with account_id.

AccountId string

The account to which the access rule should be added. Conflicts with zone_id.

ApplicationId string

The ID of the application the policy is associated with.

Decision string

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

Excludes []AccessPolicyExclude

A series of access conditions, see Access Groups.

Includes []AccessPolicyInclude

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Application.

Precedence int

The unique precedence for policies on a single application. Integer.

Requires []AccessPolicyRequire

A series of access conditions, see Access Groups.

ZoneId string

The DNS zone to which the access rule should be added. Conflicts with account_id.

accountId string

The account to which the access rule should be added. Conflicts with zone_id.

applicationId string

The ID of the application the policy is associated with.

decision string

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

excludes AccessPolicyExclude[]

A series of access conditions, see Access Groups.

includes AccessPolicyInclude[]

A series of access conditions, see Access Groups.

name string

Friendly name of the Access Application.

precedence number

The unique precedence for policies on a single application. Integer.

requires AccessPolicyRequire[]

A series of access conditions, see Access Groups.

zoneId string

The DNS zone to which the access rule should be added. Conflicts with account_id.

account_id str

The account to which the access rule should be added. Conflicts with zone_id.

application_id str

The ID of the application the policy is associated with.

decision str

Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass

excludes Sequence[AccessPolicyExcludeArgs]

A series of access conditions, see Access Groups.

includes Sequence[AccessPolicyIncludeArgs]

A series of access conditions, see Access Groups.

name str

Friendly name of the Access Application.

precedence int

The unique precedence for policies on a single application. Integer.

requires Sequence[AccessPolicyRequireArgs]

A series of access conditions, see Access Groups.

zone_id str

The DNS zone to which the access rule should be added. Conflicts with account_id.

Supporting Types

AccessPolicyExclude

AccessPolicyExcludeAzure

IdentityProviderId string
Ids List<string>
IdentityProviderId string
Ids []string
identityProviderId string
ids string[]
identity_provider_id str
ids Sequence[str]

AccessPolicyExcludeGithub

IdentityProviderId string
Name string

Friendly name of the Access Application.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Application.

Teams []string
identityProviderId string
name string

Friendly name of the Access Application.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Application.

teams Sequence[str]

AccessPolicyExcludeGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str

AccessPolicyExcludeOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Application.

IdentityProviderId string
Names []string

Friendly name of the Access Application.

identityProviderId string
names string[]

Friendly name of the Access Application.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Application.

AccessPolicyExcludeSaml

AccessPolicyInclude

AccessPolicyIncludeAzure

IdentityProviderId string
Ids List<string>
IdentityProviderId string
Ids []string
identityProviderId string
ids string[]
identity_provider_id str
ids Sequence[str]

AccessPolicyIncludeGithub

IdentityProviderId string
Name string

Friendly name of the Access Application.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Application.

Teams []string
identityProviderId string
name string

Friendly name of the Access Application.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Application.

teams Sequence[str]

AccessPolicyIncludeGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str

AccessPolicyIncludeOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Application.

IdentityProviderId string
Names []string

Friendly name of the Access Application.

identityProviderId string
names string[]

Friendly name of the Access Application.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Application.

AccessPolicyIncludeSaml

AccessPolicyRequire

AccessPolicyRequireAzure

IdentityProviderId string
Ids List<string>
IdentityProviderId string
Ids []string
identityProviderId string
ids string[]
identity_provider_id str
ids Sequence[str]

AccessPolicyRequireGithub

IdentityProviderId string
Name string

Friendly name of the Access Application.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Application.

Teams []string
identityProviderId string
name string

Friendly name of the Access Application.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Application.

teams Sequence[str]

AccessPolicyRequireGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str

AccessPolicyRequireOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Application.

IdentityProviderId string
Names []string

Friendly name of the Access Application.

identityProviderId string
names string[]

Friendly name of the Access Application.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Application.

AccessPolicyRequireSaml

Import

Access Policies can be imported using a composite ID formed of zone ID, application ID and policy ID.

 $ pulumi import cloudflare:index/accessPolicy:AccessPolicy staging cb029e245cfdd66dc8d2e570d5dd3322/d41d8cd98f00b204e9800998ecf8427e/67ea780ce4982c1cfbe6b7293afc765d

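where:

* cb029e245cfdd66dc8d2e570d5dd3322 - Zone ID
* d41d8cd98f00b204e9800998ecf8427e - Access Application ID
* 67ea780ce4982c1cfbe6b7293afc765d - Access Policy ID

The sample IDs are illustrative only: the Example Usage code on this page uses the first two strings in the opposite roles (cb029e245cfdd66dc8d2e570d5dd3322 as the application ID, d41d8cd98f00b204e9800998ecf8427e as the zone ID). When importing, supply your own IDs in the order zone ID / application ID / policy ID.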

Package Details

Repository
https://github.com/pulumi/pulumi-cloudflare
License
Apache-2.0
Notes
This Pulumi package is based on the cloudflare Terraform Provider.