ApiToken
Provides a resource which manages Cloudflare API tokens.
Read more about permission groups and their applicable scopes in the official documentation. Scope each token to the narrowest permission groups and resources it actually needs, and treat the resulting `value` output as a secret credential.
Example Usage
User Permissions
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;
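class MyStack : Stack
{
    /// <summary>
    /// Creates a Cloudflare API token that is allowed to create further API tokens for one user,
    /// and that is only usable from a fixed source IP range.
    /// </summary>
    public MyStack()
    {
        // The user id comes from stack config (`pulumi config set userId ...`); the original
        // `@var.User_id` reference is a conversion artifact that does not compile.
        var config = new Config();
        var userId = config.Require("userId");

        // Look up permission-group ids by name instead of hard-coding opaque ids.
        var permissionGroups = Output.Create(Cloudflare.GetApiTokenPermissionGroups.InvokeAsync());

        // Token allowed to create new tokens, usable only from a specific IP range.
        // SECURITY: a token that can mint other tokens is a credential factory. Keep the request-IP
        // condition, keep the resource scope at a single user, and rotate it regularly.
        var apiTokenCreate = new Cloudflare.ApiToken("apiTokenCreate", new Cloudflare.ApiTokenArgs
        {
            Name = "api_token_create",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.API_Tokens_Write),
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.user.{userId}", "*" },
                    },
                },
            },
            Condition = new Cloudflare.Inputs.ApiTokenConditionArgs
            {
                RequestIp = new Cloudflare.Inputs.ApiTokenConditionRequestIpArgs
                {
                    // Allow-list: the token may only be used from this range.
                    Ins =
                    {
                        "192.0.2.1/32",
                    },
                    // Deny-list: requests from this range are rejected.
                    NotIns =
                    {
                        "198.51.100.1/32",
                    },
                },
            },
        });
    }
}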
import pulumi
import pulumi_cloudflare as cloudflare
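# The user id comes from stack config (`pulumi config set user_id ...`); the original
# `var['user_id']` reference is a conversion artifact and `var` is never defined.
config = pulumi.Config()
user_id = config.require("user_id")

# Look up permission-group ids by name. Named `permission_groups` rather than `all`
# so the builtin `all()` is not shadowed.
permission_groups = cloudflare.get_api_token_permission_groups()

# Token allowed to create new tokens, usable only from a specific IP range.
# SECURITY: a token that can mint other tokens is a credential factory. Keep the
# request-IP condition, keep the resource scope at a single user, and rotate it regularly.
api_token_create = cloudflare.ApiToken("apiTokenCreate",
    name="api_token_create",
    policies=[cloudflare.ApiTokenPolicyArgs(
        permission_groups=[permission_groups.permissions["API Tokens Write"]],
        resources={
            f"com.cloudflare.api.user.{user_id}": "*",
        },
    )],
    condition=cloudflare.ApiTokenConditionArgs(
        request_ip=cloudflare.ApiTokenConditionRequestIpArgs(
            # Allow-list: the token may only be used from this range.
            ins=["192.0.2.1/32"],
            # Deny-list: requests from this range are rejected.
            not_ins=["198.51.100.1/32"],
        ),
    ))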
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";
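// The user id comes from stack config (`pulumi config set userId ...`); the original
// `_var.user_id` reference is a conversion artifact and `_var` is never declared.
const config = new pulumi.Config();
const userId = config.require("userId");

// Look up permission-group ids by name instead of hard-coding opaque ids.
const permissionGroups = cloudflare.getApiTokenPermissionGroups({});

// Token allowed to create new tokens, usable only from a specific IP range.
// SECURITY: a token that can mint other tokens is a credential factory. Keep the request-IP
// condition, keep the resource scope at a single user, and rotate it regularly.
const apiTokenCreate = new cloudflare.ApiToken("apiTokenCreate", {
    name: "api_token_create",
    policies: [{
        permissionGroups: [permissionGroups.then(groups => groups.permissions["API Tokens Write"])],
        resources: {
            // A template-literal key must be a computed property (`[...]`); the bare form is a syntax error.
            [`com.cloudflare.api.user.${userId}`]: "*",
        },
    }],
    condition: {
        requestIp: {
            // Allow-list: the token may only be used from this range.
            ins: ["192.0.2.1/32"],
            // Deny-list: requests from this range are rejected.
            notIns: ["198.51.100.1/32"],
        },
    },
});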
Account permissions
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;
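class MyStack : Stack
{
    /// <summary>
    /// Creates two read-only audit-log tokens: one spanning every account the user can reach,
    /// and one restricted to a single account.
    /// </summary>
    public MyStack()
    {
        // The account id comes from stack config (`pulumi config set accountId ...`); the original
        // `@var.Account_id` reference is a conversion artifact that does not compile.
        var config = new Config();
        var accountId = config.Require("accountId");

        // Look up permission-group ids by name instead of hard-coding opaque ids.
        var permissionGroups = Output.Create(Cloudflare.GetApiTokenPermissionGroups.InvokeAsync());

        // Token allowed to read audit logs from all accounts.
        // SECURITY: the `com.cloudflare.api.account.*` wildcard grants this permission on every
        // account the owning user belongs to; prefer the single-account form below unless
        // cross-account access is genuinely required.
        var logsAccountAll = new Cloudflare.ApiToken("logsAccountAll", new Cloudflare.ApiTokenArgs
        {
            Name = "logs_account_all",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.Access__Audit_Logs_Read),
                    },
                    Resources =
                    {
                        { "com.cloudflare.api.account.*", "*" },
                    },
                },
            },
        });

        // Token allowed to read audit logs from one specific account (least privilege).
        var logsAccount = new Cloudflare.ApiToken("logsAccount", new Cloudflare.ApiTokenArgs
        {
            Name = "logs_account",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.Access__Audit_Logs_Read),
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.{accountId}", "*" },
                    },
                },
            },
        });
    }
}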
import pulumi
import pulumi_cloudflare as cloudflare
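# The account id comes from stack config (`pulumi config set account_id ...`); the original
# `var['account_id']` reference is a conversion artifact and `var` is never defined.
config = pulumi.Config()
account_id = config.require("account_id")

# Look up permission-group ids by name. Named `permission_groups` rather than `all`
# so the builtin `all()` is not shadowed.
permission_groups = cloudflare.get_api_token_permission_groups()

# Token allowed to read audit logs from all accounts.
# SECURITY: the `com.cloudflare.api.account.*` wildcard grants this permission on every
# account the owning user belongs to; prefer the single-account form below unless
# cross-account access is genuinely required.
logs_account_all = cloudflare.ApiToken("logsAccountAll",
    name="logs_account_all",
    policies=[cloudflare.ApiTokenPolicyArgs(
        permission_groups=[permission_groups.permissions["Access: Audit Logs Read"]],
        resources={
            "com.cloudflare.api.account.*": "*",
        },
    )])

# Token allowed to read audit logs from one specific account (least privilege).
logs_account = cloudflare.ApiToken("logsAccount",
    name="logs_account",
    policies=[cloudflare.ApiTokenPolicyArgs(
        permission_groups=[permission_groups.permissions["Access: Audit Logs Read"]],
        resources={
            f"com.cloudflare.api.account.{account_id}": "*",
        },
    )])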
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";
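// The account id comes from stack config (`pulumi config set accountId ...`); the original
// `_var.account_id` reference is a conversion artifact and `_var` is never declared.
const config = new pulumi.Config();
const accountId = config.require("accountId");

// Look up permission-group ids by name instead of hard-coding opaque ids.
const permissionGroups = cloudflare.getApiTokenPermissionGroups({});

// Token allowed to read audit logs from all accounts.
// SECURITY: the `com.cloudflare.api.account.*` wildcard grants this permission on every
// account the owning user belongs to; prefer the single-account form below unless
// cross-account access is genuinely required.
const logsAccountAll = new cloudflare.ApiToken("logsAccountAll", {
    name: "logs_account_all",
    policies: [{
        permissionGroups: [permissionGroups.then(groups => groups.permissions["Access: Audit Logs Read"])],
        resources: {
            "com.cloudflare.api.account.*": "*",
        },
    }],
});

// Token allowed to read audit logs from one specific account (least privilege).
const logsAccount = new cloudflare.ApiToken("logsAccount", {
    name: "logs_account",
    policies: [{
        permissionGroups: [permissionGroups.then(groups => groups.permissions["Access: Audit Logs Read"])],
        resources: {
            // A template-literal key must be a computed property (`[...]`); the bare form is a syntax error.
            [`com.cloudflare.api.account.${accountId}`]: "*",
        },
    }],
});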
Zone Permissions
using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;
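class MyStack : Stack
{
    /// <summary>
    /// Creates three zone-scoped tokens: DNS + TLS edit on one zone, DNS edit on every zone
    /// except one (via an explicit deny policy), and DNS edit on every zone of one account.
    /// </summary>
    public MyStack()
    {
        // Zone and account ids come from stack config; the original `@var.*` references are
        // conversion artifacts that do not compile.
        var config = new Config();
        var zoneId = config.Require("zoneId");
        var accountId = config.Require("accountId");

        // Look up permission-group ids by name instead of hard-coding opaque ids.
        var permissionGroups = Output.Create(Cloudflare.GetApiTokenPermissionGroups.InvokeAsync());

        // Token allowed to edit DNS entries and TLS certs for one specific zone.
        var dnsTlsEdit = new Cloudflare.ApiToken("dnsTlsEdit", new Cloudflare.ApiTokenArgs
        {
            Name = "dns_tls_edit",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.DNS_Write),
                        permissionGroups.Apply(groups => groups.Permissions.SSL_and_Certificates_Write),
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.zone.{zoneId}", "*" },
                    },
                },
            },
        });

        // Token allowed to edit DNS entries for all zones except one.
        // SECURITY: the wildcard allow is narrowed only by the second, `Effect = "deny"` policy.
        // Removing that policy silently re-widens the token to every zone the user can reach.
        var dnsTlsEditAllExceptOne = new Cloudflare.ApiToken("dnsTlsEditAllExceptOne", new Cloudflare.ApiTokenArgs
        {
            Name = "dns_tls_edit_all_except_one",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.DNS_Write),
                    },
                    Resources =
                    {
                        { "com.cloudflare.api.account.zone.*", "*" },
                    },
                },
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.DNS_Write),
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.zone.{zoneId}", "*" },
                    },
                    Effect = "deny",
                },
            },
        });

        // Token allowed to edit DNS entries for all zones within one account.
        // The nested zone scope is a JSON-encoded map, so it is serialized rather than hand-built.
        var dnsEditAllAccount = new Cloudflare.ApiToken("dnsEditAllAccount", new Cloudflare.ApiTokenArgs
        {
            Name = "dns_edit_all_account",
            Policies =
            {
                new Cloudflare.Inputs.ApiTokenPolicyArgs
                {
                    PermissionGroups =
                    {
                        permissionGroups.Apply(groups => groups.Permissions.DNS_Write),
                    },
                    Resources =
                    {
                        { $"com.cloudflare.api.account.{accountId}", JsonSerializer.Serialize(new Dictionary<string, object?>
                        {
                            { "com.cloudflare.api.account.zone.*", "*" },
                        }) },
                    },
                },
            },
        });
    }
}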
import pulumi
import json
import pulumi_cloudflare as cloudflare
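# Zone and account ids come from stack config; the original `var[...]` references are
# conversion artifacts and `var` is never defined.
config = pulumi.Config()
zone_id = config.require("zone_id")
account_id = config.require("account_id")

# Look up permission-group ids by name. Named `permission_groups` rather than `all`
# so the builtin `all()` is not shadowed.
permission_groups = cloudflare.get_api_token_permission_groups()

# Token allowed to edit DNS entries and TLS certs for one specific zone.
dns_tls_edit = cloudflare.ApiToken("dnsTlsEdit",
    name="dns_tls_edit",
    policies=[cloudflare.ApiTokenPolicyArgs(
        permission_groups=[
            permission_groups.permissions["DNS Write"],
            permission_groups.permissions["SSL and Certificates Write"],
        ],
        resources={
            f"com.cloudflare.api.account.zone.{zone_id}": "*",
        },
    )])

# Token allowed to edit DNS entries for all zones except one.
# SECURITY: the wildcard allow is narrowed only by the second, effect="deny" policy.
# Removing that policy silently re-widens the token to every zone the user can reach.
dns_tls_edit_all_except_one = cloudflare.ApiToken("dnsTlsEditAllExceptOne",
    name="dns_tls_edit_all_except_one",
    policies=[
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[permission_groups.permissions["DNS Write"]],
            resources={
                "com.cloudflare.api.account.zone.*": "*",
            },
        ),
        cloudflare.ApiTokenPolicyArgs(
            permission_groups=[permission_groups.permissions["DNS Write"]],
            resources={
                f"com.cloudflare.api.account.zone.{zone_id}": "*",
            },
            effect="deny",
        ),
    ])

# Token allowed to edit DNS entries for all zones within one account.
# The nested zone scope is a JSON-encoded map, so it is serialized rather than hand-built.
dns_edit_all_account = cloudflare.ApiToken("dnsEditAllAccount",
    name="dns_edit_all_account",
    policies=[cloudflare.ApiTokenPolicyArgs(
        permission_groups=[permission_groups.permissions["DNS Write"]],
        resources={
            f"com.cloudflare.api.account.{account_id}": json.dumps({
                "com.cloudflare.api.account.zone.*": "*",
            }),
        },
    )])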
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";
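// Zone and account ids come from stack config; the original `_var.*` references are
// conversion artifacts and `_var` is never declared.
const config = new pulumi.Config();
const zoneId = config.require("zoneId");
const accountId = config.require("accountId");

// Look up permission-group ids by name instead of hard-coding opaque ids.
const permissionGroups = cloudflare.getApiTokenPermissionGroups({});

// Token allowed to edit DNS entries and TLS certs for one specific zone.
const dnsTlsEdit = new cloudflare.ApiToken("dnsTlsEdit", {
    name: "dns_tls_edit",
    policies: [{
        permissionGroups: [
            permissionGroups.then(groups => groups.permissions["DNS Write"]),
            permissionGroups.then(groups => groups.permissions["SSL and Certificates Write"]),
        ],
        resources: {
            // A template-literal key must be a computed property (`[...]`); the bare form is a syntax error.
            [`com.cloudflare.api.account.zone.${zoneId}`]: "*",
        },
    }],
});

// Token allowed to edit DNS entries for all zones except one.
// SECURITY: the wildcard allow is narrowed only by the second, `effect: "deny"` policy.
// Removing that policy silently re-widens the token to every zone the user can reach.
const dnsTlsEditAllExceptOne = new cloudflare.ApiToken("dnsTlsEditAllExceptOne", {
    name: "dns_tls_edit_all_except_one",
    policies: [
        {
            permissionGroups: [permissionGroups.then(groups => groups.permissions["DNS Write"])],
            resources: {
                "com.cloudflare.api.account.zone.*": "*",
            },
        },
        {
            permissionGroups: [permissionGroups.then(groups => groups.permissions["DNS Write"])],
            resources: {
                [`com.cloudflare.api.account.zone.${zoneId}`]: "*",
            },
            effect: "deny",
        },
    ],
});

// Token allowed to edit DNS entries for all zones within one account.
// The nested zone scope is a JSON-encoded map, so it is serialized rather than hand-built.
const dnsEditAllAccount = new cloudflare.ApiToken("dnsEditAllAccount", {
    name: "dns_edit_all_account",
    policies: [{
        permissionGroups: [permissionGroups.then(groups => groups.permissions["DNS Write"])],
        resources: {
            [`com.cloudflare.api.account.${accountId}`]: JSON.stringify({
                "com.cloudflare.api.account.zone.*": "*",
            }),
        },
    }],
});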
Create a ApiToken Resource
new ApiToken(name: string, args: ApiTokenArgs, opts?: CustomResourceOptions);
def ApiToken(resource_name: str, opts: Optional[ResourceOptions] = None, condition: Optional[ApiTokenConditionArgs] = None, name: Optional[str] = None, policies: Optional[Sequence[ApiTokenPolicyArgs]] = None)
func NewApiToken(ctx *Context, name string, args ApiTokenArgs, opts ...ResourceOption) (*ApiToken, error)
public ApiToken(string name, ApiTokenArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args ApiTokenArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ApiTokenArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ApiTokenArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
ApiToken Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The ApiToken resource accepts the following input properties:
- Name string
Name of the APIToken.
- Policies
List<Api
Token Policy Args> Permissions policy. Multiple policy blocks can be defined. See the definition below.
- Condition
Api
Token Condition Args Condition block. See the definition below.
- Name string
Name of the APIToken.
- Policies
[]Api
Token Policy Permissions policy. Multiple policy blocks can be defined. See the definition below.
- Condition
Api
Token Condition Condition block. See the definition below.
- name string
Name of the APIToken.
- policies
Api
Token Policy[] Permissions policy. Multiple policy blocks can be defined. See the definition below.
- condition
Api
Token Condition Condition block. See the definition below.
- name str
Name of the APIToken.
- policies
Sequence[Api
Token Policy Args] Permissions policy. Multiple policy blocks can be defined. See the definition below.
- condition
Api
Token Condition Args Condition block. See the definition below.
Outputs
All input properties are implicitly available as output properties. Additionally, the ApiToken resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Issued
On string The RFC3339 timestamp of when the API Token was issued.
- Modified
On string The RFC3339 timestamp of when the API Token was last modified.
- Status string
- Value string
The value of the API Token. This is the bearer secret itself: it is recorded in Pulumi state and in any stack output that exposes it, so use an encrypted state backend, avoid exporting it in plaintext, and rotate the token if state is ever leaked.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issued
On string The RFC3339 timestamp of when the API Token was issued.
- Modified
On string The RFC3339 timestamp of when the API Token was last modified.
- Status string
- Value string
The value of the API Token. This is the bearer secret itself: it is recorded in Pulumi state and in any stack output that exposes it, so use an encrypted state backend, avoid exporting it in plaintext, and rotate the token if state is ever leaked.
- id string
- The provider-assigned unique ID for this managed resource.
- issued
On string The RFC3339 timestamp of when the API Token was issued.
- modified
On string The RFC3339 timestamp of when the API Token was last modified.
- status string
- value string
The value of the API Token. This is the bearer secret itself: it is recorded in Pulumi state and in any stack output that exposes it, so use an encrypted state backend, avoid exporting it in plaintext, and rotate the token if state is ever leaked.
- id str
- The provider-assigned unique ID for this managed resource.
- issued_
on str The RFC3339 timestamp of when the API Token was issued.
- modified_
on str The RFC3339 timestamp of when the API Token was last modified.
- status str
- value str
The value of the API Token. This is the bearer secret itself: it is recorded in Pulumi state and in any stack output that exposes it, so use an encrypted state backend, avoid exporting it in plaintext, and rotate the token if state is ever leaked.
Look up an Existing ApiToken Resource
Get an existing ApiToken resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ApiTokenState, opts?: CustomResourceOptions): ApiToken
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, condition: Optional[ApiTokenConditionArgs] = None, issued_on: Optional[str] = None, modified_on: Optional[str] = None, name: Optional[str] = None, policies: Optional[Sequence[ApiTokenPolicyArgs]] = None, status: Optional[str] = None, value: Optional[str] = None) -> ApiToken
func GetApiToken(ctx *Context, name string, id IDInput, state *ApiTokenState, opts ...ResourceOption) (*ApiToken, error)
public static ApiToken Get(string name, Input<string> id, ApiTokenState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Condition
Api
Token Condition Args Condition block. See the definition below.
- Issued
On string The RFC3339 timestamp of when the API Token was issued.
- Modified
On string The RFC3339 timestamp of when the API Token was last modified.
- Name string
Name of the APIToken.
- Policies
List<Api
Token Policy Args> Permissions policy. Multiple policy blocks can be defined. See the definition below.
- Status string
- Value string
The value of the API Token.
- Condition
Api
Token Condition Condition block. See the definition below.
- Issued
On string The RFC3339 timestamp of when the API Token was issued.
- Modified
On string The RFC3339 timestamp of when the API Token was last modified.
- Name string
Name of the APIToken.
- Policies
[]Api
Token Policy Permissions policy. Multiple policy blocks can be defined. See the definition below.
- Status string
- Value string
The value of the API Token.
- condition
Api
Token Condition Condition block. See the definition below.
- issued
On string The RFC3339 timestamp of when the API Token was issued.
- modified
On string The RFC3339 timestamp of when the API Token was last modified.
- name string
Name of the APIToken.
- policies
Api
Token Policy[] Permissions policy. Multiple policy blocks can be defined. See the definition below.
- status string
- value string
The value of the API Token.
- condition
Api
Token Condition Args Condition block. See the definition below.
- issued_
on str The RFC3339 timestamp of when the API Token was issued.
- modified_
on str The RFC3339 timestamp of when the API Token was last modified.
- name str
Name of the APIToken.
- policies
Sequence[Api
Token Policy Args] Permissions policy. Multiple policy blocks can be defined. See the definition below.
- status str
- value str
The value of the API Token.
Supporting Types
ApiTokenCondition
- Request
Ip ApiToken Condition Request Ip Args Request IP related conditions. See the definition below.
- Request
Ip ApiToken Condition Request Ip Request IP related conditions. See the definition below.
- request
Ip ApiToken Condition Request Ip Request IP related conditions. See the definition below.
- request_
ip ApiToken Condition Request Ip Args Request IP related conditions. See the definition below.
ApiTokenConditionRequestIp
- Ins List<string> CIDR ranges the token may be used from (`ins` / `Ins` in the examples above); requests from other addresses are rejected.
- Not Ins List<string> CIDR ranges the token may not be used from (`not_ins` / `NotIns` in the examples above).
ApiTokenPolicy
- Permission
Groups List<string> List of permissions groups ids (see official docs).
- Resources Dictionary<string, string>
Map describes what operations against which resources are allowed or denied.
- Effect string
Policy effect. Valid values are `allow` or `deny`; `allow` is the default.
- Permission
Groups []string List of permissions groups ids (see official docs).
- Resources map[string]string
Map describes what operations against which resources are allowed or denied.
- Effect string
Policy effect. Valid values are `allow` or `deny`; `allow` is the default.
- permission
Groups string[] List of permissions groups ids (see official docs).
- resources {[key: string]: string}
Map describes what operations against which resources are allowed or denied.
- effect string
Policy effect. Valid values are `allow` or `deny`; `allow` is the default.
- permission_
groups Sequence[str] List of permissions groups ids (see official docs).
- resources Mapping[str, str]
Map describes what operations against which resources are allowed or denied.
- effect str
Policy effect. Valid values are `allow` or `deny`; `allow` is the default.
Package Details
- Repository
- https://github.com/pulumi/pulumi-cloudflare
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
cloudflare
Terraform Provider.