
ApiToken

Provides a resource which manages Cloudflare API tokens.

Read more about permission groups and their applicable scopes in the official documentation.

Example Usage

User Permissions

using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

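class MyStack : Stack
{
    /// <summary>
    /// Creates a user-scoped Cloudflare API token that may mint further tokens and
    /// that is only accepted from a single source IP range.
    /// </summary>
    public MyStack()
    {
        // The user ID comes from stack config instead of an undeclared `var` reference
        // (set it with `pulumi config set userId <id>`).
        var config = new Config();
        var userId = config.Require("userId");

        // Resolve the permission-group name -> ID lookup once; `Apply` picks the one
        // group this token needs.
        var groups = Output.Create(Cloudflare.GetApiTokenPermissionGroups.InvokeAsync());

        // Token allowed to create new tokens.
        // Can only be used from specific ip range.
        var apiTokenCreate = new Cloudflare.ApiToken("apiTokenCreate", new Cloudflare.ApiTokenArgs
        {
            Name = "api_token_create",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        groups.Apply(g => g.Permissions.API_Tokens_Write),
                    },
                    // Scope the grant to this user only; the "*" value allows every
                    // operation the permission group covers.
                    Resources =
                    {
                        { $"com.cloudflare.api.user.{userId}", "*" },
                    },
                },
            },
            // Restrict the source addresses the token may be presented from
            // (CIDR allow list and deny list).
            Condition = new Cloudflare.Inputs.ApiTokenConditionArgs
            {
                RequestIp = new Cloudflare.Inputs.ApiTokenConditionRequestIpArgs
                {
                    Ins =
                    {
                        "192.0.2.1/32",
                    },
                    NotIns =
                    {
                        "198.51.100.1/32",
                    },
                },
            },
        }, new CustomResourceOptions
        {
            // The `Value` output is the bearer credential itself; mark it secret so it
            // is encrypted in state and redacted in CLI output.
            AdditionalSecretOutputs = { "value" },
        });
    }
}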


import pulumi
import pulumi_cloudflare as cloudflare

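# The user ID comes from stack config instead of an undeclared `var`
# (set it with `pulumi config set user_id <id>`).
config = pulumi.Config()
user_id = config.require("user_id")

# Resolve the permission-group name -> ID lookup once. Named to avoid
# shadowing the builtin `all`.
permission_groups = cloudflare.get_api_token_permission_groups()

# Token allowed to create new tokens.
# Can only be used from specific ip range.
api_token_create = cloudflare.ApiToken(
    "apiTokenCreate",
    name="api_token_create",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[permission_groups.permissions["API Tokens Write"]],
            # Scope the grant to this user only; "*" allows every operation
            # the permission group covers.
            resources={f"com.cloudflare.api.user.{user_id}": "*"},
        )
    ],
    # Restrict the source addresses the token may be presented from
    # (CIDR allow list and deny list).
    condition=cloudflare.ApiTokenConditionArgs(
        request_ip=cloudflare.ApiTokenConditionRequestIpArgs(
            ins=["192.0.2.1/32"],
            not_ins=["198.51.100.1/32"],
        ),
    ),
    # The `value` output is the bearer credential itself; mark it secret so it
    # is encrypted in state and redacted in CLI output.
    opts=pulumi.ResourceOptions(additional_secret_outputs=["value"]),
)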
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

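// The user ID comes from stack config instead of an undeclared `_var`
// (set it with `pulumi config set userId <id>`).
const config = new pulumi.Config();
const userId = config.require("userId");

// Resolve the permission-group name -> ID lookup once (a Promise).
const groups = cloudflare.getApiTokenPermissionGroups({});

// Token allowed to create new tokens.
// Can only be used from specific ip range.
const apiTokenCreate = new cloudflare.ApiToken("apiTokenCreate", {
    name: "api_token_create",
    policies: [{
        permissionGroups: [groups.then(g => g.permissions["API Tokens Write"])],
        // Scope the grant to this user only; "*" allows every operation
        // the permission group covers.
        resources: {
            [`com.cloudflare.api.user.${userId}`]: "*",
        },
    }],
    // Restrict the source addresses the token may be presented from
    // (CIDR allow list and deny list).
    condition: {
        requestIp: {
            ins: ["192.0.2.1/32"],
            notIns: ["198.51.100.1/32"],
        },
    },
}, {
    // The `value` output is the bearer credential itself; mark it secret so it
    // is encrypted in state and redacted in CLI output.
    additionalSecretOutputs: ["value"],
});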

Account permissions

using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

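class MyStack : Stack
{
    /// <summary>
    /// Creates two account-scoped Cloudflare API tokens that can read Access audit
    /// logs: one across every account, one limited to a single account.
    /// </summary>
    public MyStack()
    {
        // The account ID comes from stack config instead of an undeclared `var`
        // reference (set it with `pulumi config set accountId <id>`).
        var config = new Config();
        var accountId = config.Require("accountId");

        // The `Value` output is the bearer credential itself; mark it secret so it
        // is encrypted in state and redacted in CLI output.
        var secretValue = new CustomResourceOptions
        {
            AdditionalSecretOutputs = { "value" },
        };

        // Resolve the permission-group name -> ID lookup once and reuse the one
        // group both tokens need.
        var groups = Output.Create(Cloudflare.GetApiTokenPermissionGroups.InvokeAsync());
        var auditLogsRead = groups.Apply(g => g.Permissions.Access__Audit_Logs_Read);

        // Token allowed to read audit logs from all accounts.
        var logsAccountAll = new Cloudflare.ApiToken("logsAccountAll", new Cloudflare.ApiTokenArgs
        {
            Name = "logs_account_all",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        auditLogsRead,
                    },
                    // Wildcard account scope: prefer the account-specific token below
                    // whenever a single account is enough.
                    Resources =
                    {
                        { "com.cloudflare.api.account.*", "*" },
                    },
                },
            },
        }, secretValue);

        // Token allowed to read audit logs from specific account.
        var logsAccount = new Cloudflare.ApiToken("logsAccount", new Cloudflare.ApiTokenArgs
        {
            Name = "logs_account",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        auditLogsRead,
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.{accountId}", "*" },
                    },
                },
            },
        }, secretValue);
    }
}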


import pulumi
import pulumi_cloudflare as cloudflare

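# The account ID comes from stack config instead of an undeclared `var`
# (set it with `pulumi config set account_id <id>`).
config = pulumi.Config()
account_id = config.require("account_id")

# The `value` output is the bearer credential itself; mark it secret so it
# is encrypted in state and redacted in CLI output.
secret_value = pulumi.ResourceOptions(additional_secret_outputs=["value"])

# Resolve the permission-group name -> ID lookup once. Named to avoid
# shadowing the builtin `all`.
permission_groups = cloudflare.get_api_token_permission_groups()
audit_logs_read = permission_groups.permissions["Access: Audit Logs Read"]

# Token allowed to read audit logs from all accounts.
logs_account_all = cloudflare.ApiToken(
    "logsAccountAll",
    name="logs_account_all",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[audit_logs_read],
            # Wildcard account scope: prefer the account-specific token below
            # whenever a single account is enough.
            resources={"com.cloudflare.api.account.*": "*"},
        )
    ],
    opts=secret_value,
)

# Token allowed to read audit logs from specific account.
logs_account = cloudflare.ApiToken(
    "logsAccount",
    name="logs_account",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[audit_logs_read],
            resources={f"com.cloudflare.api.account.{account_id}": "*"},
        )
    ],
    opts=secret_value,
)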
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

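// The account ID comes from stack config instead of an undeclared `_var`
// (set it with `pulumi config set accountId <id>`).
const config = new pulumi.Config();
const accountId = config.require("accountId");

// The `value` output is the bearer credential itself; mark it secret so it
// is encrypted in state and redacted in CLI output.
const secretValue: pulumi.CustomResourceOptions = { additionalSecretOutputs: ["value"] };

// Resolve the permission-group name -> ID lookup once (a Promise) and reuse
// the one group both tokens need.
const groups = cloudflare.getApiTokenPermissionGroups({});
const auditLogsRead = groups.then(g => g.permissions["Access: Audit Logs Read"]);

// Token allowed to read audit logs from all accounts.
const logsAccountAll = new cloudflare.ApiToken("logsAccountAll", {
    name: "logs_account_all",
    policies: [{
        permissionGroups: [auditLogsRead],
        // Wildcard account scope: prefer the account-specific token below
        // whenever a single account is enough.
        resources: {
            "com.cloudflare.api.account.*": "*",
        },
    }],
}, secretValue);

// Token allowed to read audit logs from specific account.
const logsAccount = new cloudflare.ApiToken("logsAccount", {
    name: "logs_account",
    policies: [{
        permissionGroups: [auditLogsRead],
        resources: {
            [`com.cloudflare.api.account.${accountId}`]: "*",
        },
    }],
}, secretValue);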

Zone Permissions

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

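class MyStack : Stack
{
    /// <summary>
    /// Creates three zone-scoped Cloudflare API tokens: DNS + TLS edits on a single
    /// zone, DNS edits on every zone except one (via a deny policy), and DNS edits on
    /// every zone that belongs to a single account.
    /// </summary>
    public MyStack()
    {
        // Zone and account IDs come from stack config instead of an undeclared `var`
        // reference (`pulumi config set zoneId <id>` / `pulumi config set accountId <id>`).
        var config = new Config();
        var zoneId = config.Require("zoneId");
        var accountId = config.Require("accountId");

        // The `Value` output is the bearer credential itself; mark it secret so it
        // is encrypted in state and redacted in CLI output.
        var secretValue = new CustomResourceOptions
        {
            AdditionalSecretOutputs = { "value" },
        };

        // Resolve the permission-group name -> ID lookup once and reuse the
        // groups the tokens below need.
        var groups = Output.Create(Cloudflare.GetApiTokenPermissionGroups.InvokeAsync());
        var dnsWrite = groups.Apply(g => g.Permissions.DNS_Write);
        var certsWrite = groups.Apply(g => g.Permissions.SSL_and_Certificates_Write);

        // Token allowed to edit DNS entries and TLS certs for specific zone.
        var dnsTlsEdit = new Cloudflare.ApiToken("dnsTlsEdit", new Cloudflare.ApiTokenArgs
        {
            Name = "dns_tls_edit",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        dnsWrite,
                        certsWrite,
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.zone.{zoneId}", "*" },
                    },
                },
            },
        }, secretValue);

        // Token allowed to edit DNS entries for all zones except one.
        // The second policy carries `Effect = "deny"`; the page documents the
        // valid effects as allow/deny with allow as the default.
        var dnsTlsEditAllExceptOne = new Cloudflare.ApiToken("dnsTlsEditAllExceptOne", new Cloudflare.ApiTokenArgs
        {
            Name = "dns_tls_edit_all_except_one",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        dnsWrite,
                    },
                    Resources =
                    {
                        { "com.cloudflare.api.account.zone.*", "*" },
                    },
                },
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        dnsWrite,
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.zone.{zoneId}", "*" },
                    },
                    Effect = "deny",
                },
            },
        }, secretValue);

        // Token allowed to edit DNS entries for all zones from specific account.
        // The nested scope is passed as a JSON string value: account -> every zone in it.
        var dnsEditAllAccount = new Cloudflare.ApiToken("dnsEditAllAccount", new Cloudflare.ApiTokenArgs
        {
            Name = "dns_edit_all_account",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        dnsWrite,
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.{accountId}", JsonSerializer.Serialize(new Dictionary<string, object?>
                        {
                            { "com.cloudflare.api.account.zone.*", "*" },
                        }) },
                    },
                },
            },
        }, secretValue);
    }
}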


import pulumi
import json
import pulumi_cloudflare as cloudflare

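# Zone and account IDs come from stack config instead of an undeclared `var`
# (`pulumi config set zone_id <id>` / `pulumi config set account_id <id>`).
config = pulumi.Config()
zone_id = config.require("zone_id")
account_id = config.require("account_id")

# The `value` output is the bearer credential itself; mark it secret so it
# is encrypted in state and redacted in CLI output.
secret_value = pulumi.ResourceOptions(additional_secret_outputs=["value"])

# Resolve the permission-group name -> ID lookup once. Named to avoid
# shadowing the builtin `all`.
permission_groups = cloudflare.get_api_token_permission_groups()
dns_write = permission_groups.permissions["DNS Write"]
certs_write = permission_groups.permissions["SSL and Certificates Write"]

# Token allowed to edit DNS entries and TLS certs for specific zone.
dns_tls_edit = cloudflare.ApiToken(
    "dnsTlsEdit",
    name="dns_tls_edit",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[dns_write, certs_write],
            resources={f"com.cloudflare.api.account.zone.{zone_id}": "*"},
        )
    ],
    opts=secret_value,
)

# Token allowed to edit DNS entries for all zones except one.
# The second policy carries effect="deny"; the page documents the valid
# effects as allow/deny with allow as the default.
dns_tls_edit_all_except_one = cloudflare.ApiToken(
    "dnsTlsEditAllExceptOne",
    name="dns_tls_edit_all_except_one",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[dns_write],
            resources={"com.cloudflare.api.account.zone.*": "*"},
        ),
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[dns_write],
            resources={f"com.cloudflare.api.account.zone.{zone_id}": "*"},
            effect="deny",
        ),
    ],
    opts=secret_value,
)

# Token allowed to edit DNS entries for all zones from specific account.
# The nested scope is passed as a JSON string value: account -> every zone in it.
dns_edit_all_account = cloudflare.ApiToken(
    "dnsEditAllAccount",
    name="dns_edit_all_account",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[dns_write],
            resources={
                f"com.cloudflare.api.account.{account_id}": json.dumps(
                    {"com.cloudflare.api.account.zone.*": "*"}
                ),
            },
        )
    ],
    opts=secret_value,
)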
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

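// Zone and account IDs come from stack config instead of an undeclared `_var`
// (`pulumi config set zoneId <id>` / `pulumi config set accountId <id>`).
const config = new pulumi.Config();
const zoneId = config.require("zoneId");
const accountId = config.require("accountId");

// The `value` output is the bearer credential itself; mark it secret so it
// is encrypted in state and redacted in CLI output.
const secretValue: pulumi.CustomResourceOptions = { additionalSecretOutputs: ["value"] };

// Resolve the permission-group name -> ID lookup once (a Promise) and reuse
// the groups the tokens below need.
const groups = cloudflare.getApiTokenPermissionGroups({});
const dnsWrite = groups.then(g => g.permissions["DNS Write"]);
const certsWrite = groups.then(g => g.permissions["SSL and Certificates Write"]);

// Token allowed to edit DNS entries and TLS certs for specific zone.
const dnsTlsEdit = new cloudflare.ApiToken("dnsTlsEdit", {
    name: "dns_tls_edit",
    policies: [{
        permissionGroups: [dnsWrite, certsWrite],
        resources: {
            [`com.cloudflare.api.account.zone.${zoneId}`]: "*",
        },
    }],
}, secretValue);

// Token allowed to edit DNS entries for all zones except one.
// The second policy carries effect: "deny"; the page documents the valid
// effects as allow/deny with allow as the default.
const dnsTlsEditAllExceptOne = new cloudflare.ApiToken("dnsTlsEditAllExceptOne", {
    name: "dns_tls_edit_all_except_one",
    policies: [
        {
            permissionGroups: [dnsWrite],
            resources: {
                "com.cloudflare.api.account.zone.*": "*",
            },
        },
        {
            permissionGroups: [dnsWrite],
            resources: {
                [`com.cloudflare.api.account.zone.${zoneId}`]: "*",
            },
            effect: "deny",
        },
    ],
}, secretValue);

// Token allowed to edit DNS entries for all zones from specific account.
// The nested scope is passed as a JSON string value: account -> every zone in it.
const dnsEditAllAccount = new cloudflare.ApiToken("dnsEditAllAccount", {
    name: "dns_edit_all_account",
    policies: [{
        permissionGroups: [dnsWrite],
        resources: {
            [`com.cloudflare.api.account.${accountId}`]: JSON.stringify({
                "com.cloudflare.api.account.zone.*": "*",
            }),
        },
    }],
}, secretValue);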

Create an ApiToken Resource

new ApiToken(name: string, args: ApiTokenArgs, opts?: CustomResourceOptions);
def ApiToken(resource_name: str, opts: Optional[ResourceOptions] = None, condition: Optional[ApiTokenConditionArgs] = None, name: Optional[str] = None, policies: Optional[Sequence[ApiTokenPolicyArgs]] = None)
func NewApiToken(ctx *Context, name string, args ApiTokenArgs, opts ...ResourceOption) (*ApiToken, error)
public ApiToken(string name, ApiTokenArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args ApiTokenArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ApiTokenArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ApiTokenArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

ApiToken Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The ApiToken resource accepts the following input properties:

Name string

Name of the APIToken.

Policies List<ApiTokenPolicyArgs>

Permissions policy. Multiple policy blocks can be defined. See the definition below.

Condition ApiTokenConditionArgs

Condition block. See the definition below.

Name string

Name of the APIToken.

Policies []ApiTokenPolicy

Permissions policy. Multiple policy blocks can be defined. See the definition below.

Condition ApiTokenCondition

Condition block. See the definition below.

name string

Name of the APIToken.

policies ApiTokenPolicy[]

Permissions policy. Multiple policy blocks can be defined. See the definition below.

condition ApiTokenCondition

Condition block. See the definition below.

name str

Name of the APIToken.

policies Sequence[ApiTokenPolicyArgs]

Permissions policy. Multiple policy blocks can be defined. See the definition below.

condition ApiTokenConditionArgs

Condition block. See the definition below.

Outputs

All input properties are implicitly available as output properties. Additionally, the ApiToken resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
IssuedOn string

The RFC3339 timestamp of when the API Token was issued.

ModifiedOn string

The RFC3339 timestamp of when the API Token was last modified.

Status string
Value string

The value of the API Token.

Id string
The provider-assigned unique ID for this managed resource.
IssuedOn string

The RFC3339 timestamp of when the API Token was issued.

ModifiedOn string

The RFC3339 timestamp of when the API Token was last modified.

Status string
Value string

The value of the API Token.

id string
The provider-assigned unique ID for this managed resource.
issuedOn string

The RFC3339 timestamp of when the API Token was issued.

modifiedOn string

The RFC3339 timestamp of when the API Token was last modified.

status string
value string

The value of the API Token.

id str
The provider-assigned unique ID for this managed resource.
issued_on str

The RFC3339 timestamp of when the API Token was issued.

modified_on str

The RFC3339 timestamp of when the API Token was last modified.

status str
value str

The value of the API Token.

Look up an Existing ApiToken Resource

Get an existing ApiToken resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ApiTokenState, opts?: CustomResourceOptions): ApiToken
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, condition: Optional[ApiTokenConditionArgs] = None, issued_on: Optional[str] = None, modified_on: Optional[str] = None, name: Optional[str] = None, policies: Optional[Sequence[ApiTokenPolicyArgs]] = None, status: Optional[str] = None, value: Optional[str] = None) -> ApiToken
func GetApiToken(ctx *Context, name string, id IDInput, state *ApiTokenState, opts ...ResourceOption) (*ApiToken, error)
public static ApiToken Get(string name, Input<string> id, ApiTokenState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Condition ApiTokenConditionArgs

Condition block. See the definition below.

IssuedOn string

The RFC3339 timestamp of when the API Token was issued.

ModifiedOn string

The RFC3339 timestamp of when the API Token was last modified.

Name string

Name of the APIToken.

Policies List<ApiTokenPolicyArgs>

Permissions policy. Multiple policy blocks can be defined. See the definition below.

Status string
Value string

The value of the API Token.

Condition ApiTokenCondition

Condition block. See the definition below.

IssuedOn string

The RFC3339 timestamp of when the API Token was issued.

ModifiedOn string

The RFC3339 timestamp of when the API Token was last modified.

Name string

Name of the APIToken.

Policies []ApiTokenPolicy

Permissions policy. Multiple policy blocks can be defined. See the definition below.

Status string
Value string

The value of the API Token.

condition ApiTokenCondition

Condition block. See the definition below.

issuedOn string

The RFC3339 timestamp of when the API Token was issued.

modifiedOn string

The RFC3339 timestamp of when the API Token was last modified.

name string

Name of the APIToken.

policies ApiTokenPolicy[]

Permissions policy. Multiple policy blocks can be defined. See the definition below.

status string
value string

The value of the API Token.

condition ApiTokenConditionArgs

Condition block. See the definition below.

issued_on str

The RFC3339 timestamp of when the API Token was issued.

modified_on str

The RFC3339 timestamp of when the API Token was last modified.

name str

Name of the APIToken.

policies Sequence[ApiTokenPolicyArgs]

Permissions policy. Multiple policy blocks can be defined. See the definition below.

status str
value str

The value of the API Token.

Supporting Types

ApiTokenCondition

RequestIp ApiTokenConditionRequestIpArgs

Request IP related conditions. See the definition below.

RequestIp ApiTokenConditionRequestIp

Request IP related conditions. See the definition below.

requestIp ApiTokenConditionRequestIp

Request IP related conditions. See the definition below.

request_ip ApiTokenConditionRequestIpArgs

Request IP related conditions. See the definition below.

ApiTokenConditionRequestIp

Ins List<string>

List of IPv4/IPv6 CIDR addresses where the Token can be used from.

NotIns List<string>

List of IPv4/IPv6 CIDR addresses where the Token cannot be used from.

Ins []string

List of IPv4/IPv6 CIDR addresses where the Token can be used from.

NotIns []string

List of IPv4/IPv6 CIDR addresses where the Token cannot be used from.

ins string[]

List of IPv4/IPv6 CIDR addresses where the Token can be used from.

notIns string[]

List of IPv4/IPv6 CIDR addresses where the Token cannot be used from.

ins Sequence[str]

List of IPv4/IPv6 CIDR addresses where the Token can be used from.

not_ins Sequence[str]

List of IPv4/IPv6 CIDR addresses where the Token cannot be used from.

ApiTokenPolicy

PermissionGroups List<string>

List of permission group IDs (see official docs).

Resources Dictionary<string, string>

Map describing which operations against which resources are allowed or denied.

Effect string

Policy effect. Valid values are `allow` or `deny`; defaults to `allow`.

PermissionGroups []string

List of permission group IDs (see official docs).

Resources map[string]string

Map describing which operations against which resources are allowed or denied.

Effect string

Policy effect. Valid values are `allow` or `deny`; defaults to `allow`.

permissionGroups string[]

List of permission group IDs (see official docs).

resources {[key: string]: string}

Map describing which operations against which resources are allowed or denied.

effect string

Policy effect. Valid values are `allow` or `deny`; defaults to `allow`.

permission_groups Sequence[str]

List of permission group IDs (see official docs).

resources Mapping[str, str]

Map describing which operations against which resources are allowed or denied.

effect str

Policy effect. Valid values are `allow` or `deny`; defaults to `allow`.

Package Details

Repository
https://github.com/pulumi/pulumi-cloudflare
License
Apache-2.0
Notes
This Pulumi package is based on the cloudflare Terraform Provider.