
RateLimit

Provides a Cloudflare rate limit resource for a given zone. This can be used to limit the traffic you receive zone-wide, or matching more specific types of requests/responses.

Example Usage

using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

/// <summary>
/// Example stack that declares a single zone-level Cloudflare rate limit rule.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // NOTE: `@var` is not declared in this snippet; it stands in for wherever the
        // zone ID and zone hostname are supplied from (for example stack configuration).
        var zoneId = @var.Cloudflare_zone_id;
        var zoneHost = @var.Cloudflare_zone;

        // Requests that are inspected: every path on the zone, both schemes, six methods.
        var countedRequests = new Cloudflare.Inputs.RateLimitMatchRequestArgs
        {
            UrlPattern = $"{zoneHost}/*",
            Schemes = { "HTTP", "HTTPS" },
            Methods = { "GET", "POST", "PUT", "DELETE", "PATCH", "HEAD" },
        };

        // Responses that count towards the threshold. Only the listed status codes are
        // counted; 401/403 are not listed, so rejected requests do not count for this rule.
        // OriginTraffic = false means responses served from Cloudflare's cache count too.
        // NOTE(review): the nested brace initializer for Headers is kept exactly as
        // published; confirm it against the SDK's collection type before relying on it.
        var countedResponses = new Cloudflare.Inputs.RateLimitMatchResponseArgs
        {
            Statuses = { 200, 201, 202, 301, 429 },
            OriginTraffic = false,
            Headers = 
            {
                
                {
                    { "name", "Host" },
                    { "op", "eq" },
                    { "value", "localhost" },
                },
                
                {
                    { "name", "X-Example" },
                    { "op", "ne" },
                    { "value", "my-example" },
                },
            },
        };

        // "simulate" is the dry-run mode: the other allowable values are "ban",
        // "challenge" and "js_challenge". Timeout is in seconds (43200 = 12 hours)
        // and must be at least as long as Period.
        var mitigation = new Cloudflare.Inputs.RateLimitActionArgs
        {
            Mode = "simulate",
            Timeout = 43200,
            Response = new Cloudflare.Inputs.RateLimitActionResponseArgs
            {
                ContentType = "text/plain",
                Body = "custom response body",
            },
        };

        var example = new Cloudflare.RateLimit("example", new Cloudflare.RateLimitArgs
        {
            ZoneId = zoneId,
            // 2000 matching requests within a 2-second period triggers the action.
            Threshold = 2000,
            Period = 2,
            Match = new Cloudflare.Inputs.RateLimitMatchArgs
            {
                Request = countedRequests,
                Response = countedResponses,
            },
            Action = mitigation,
            // "nat" enables NAT support; without Correlate the rule applies per client IP.
            Correlate = new Cloudflare.Inputs.RateLimitCorrelateArgs { By = "nat" },
            Disabled = false,
            Description = "example rate limit for a zone",
            // URLs matching these patterns are excluded from rate limiting entirely,
            // so keep the list as short as possible.
            BypassUrlPatterns = 
            {
                $"{zoneHost}/bypass1",
                $"{zoneHost}/bypass2",
            },
        });
    }

}

Coming soon!

import pulumi
import pulumi_cloudflare as cloudflare

# NOTE: `var` is not defined in this snippet; it stands in for wherever the
# zone ID and zone hostname are supplied from (for example stack configuration).
zone_id = var["cloudflare_zone_id"]
zone_host = var["cloudflare_zone"]

# Requests that are inspected: every path on the zone, both schemes, six methods.
counted_requests = cloudflare.RateLimitMatchRequestArgs(
    url_pattern=f"{zone_host}/*",
    schemes=["HTTP", "HTTPS"],
    methods=["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"],
)

# Responses that count towards the threshold. Only the listed status codes are
# counted; 401/403 are not listed, so rejected requests do not count for this rule.
# origin_traffic=False means responses served from Cloudflare's cache count too.
counted_responses = cloudflare.RateLimitMatchResponseArgs(
    statuses=[200, 201, 202, 301, 429],
    origin_traffic=False,
    headers=[
        {"name": "Host", "op": "eq", "value": "localhost"},
        {"name": "X-Example", "op": "ne", "value": "my-example"},
    ],
)

# "simulate" is the dry-run mode: the other allowable values are "ban",
# "challenge" and "js_challenge". timeout is in seconds (43200 = 12 hours)
# and must be at least as long as period.
mitigation = cloudflare.RateLimitActionArgs(
    mode="simulate",
    timeout=43200,
    response=cloudflare.RateLimitActionResponseArgs(
        content_type="text/plain",
        body="custom response body",
    ),
)

example = cloudflare.RateLimit(
    "example",
    zone_id=zone_id,
    # 2000 matching requests within a 2-second period triggers the action.
    threshold=2000,
    period=2,
    match=cloudflare.RateLimitMatchArgs(
        request=counted_requests,
        response=counted_responses,
    ),
    action=mitigation,
    # "nat" enables NAT support; without correlate the rule applies per client IP.
    correlate=cloudflare.RateLimitCorrelateArgs(by="nat"),
    disabled=False,
    description="example rate limit for a zone",
    # URLs matching these patterns are excluded from rate limiting entirely,
    # so keep the list as short as possible.
    bypass_url_patterns=[f"{zone_host}/{leaf}" for leaf in ("bypass1", "bypass2")],
)
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

// NOTE: `_var` is not declared in this snippet; it stands in for wherever the
// zone ID and zone hostname are supplied from (for example stack configuration).
const zoneId = _var.cloudflare_zone_id;
const zoneHost = _var.cloudflare_zone;

// Requests that are inspected: every path on the zone, both schemes, six methods.
const countedRequests = {
    urlPattern: `${zoneHost}/*`,
    schemes: ["HTTP", "HTTPS"],
    methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"],
};

// Responses that count towards the threshold. Only the listed status codes are
// counted; 401/403 are not listed, so rejected requests do not count for this rule.
// originTraffic: false means responses served from Cloudflare's cache count too.
const countedResponses = {
    statuses: [200, 201, 202, 301, 429],
    originTraffic: false,
    headers: [
        { name: "Host", op: "eq", value: "localhost" },
        { name: "X-Example", op: "ne", value: "my-example" },
    ],
};

// "simulate" is the dry-run mode: the other allowable values are "ban",
// "challenge" and "js_challenge". timeout is in seconds (43200 = 12 hours)
// and must be at least as long as period.
const mitigation = {
    mode: "simulate",
    timeout: 43200,
    response: {
        contentType: "text/plain",
        body: "custom response body",
    },
};

const example = new cloudflare.RateLimit("example", {
    zoneId: zoneId,
    // 2000 matching requests within a 2-second period triggers the action.
    threshold: 2000,
    period: 2,
    match: {
        request: countedRequests,
        response: countedResponses,
    },
    action: mitigation,
    // "nat" enables NAT support; without correlate the rule applies per client IP.
    correlate: { by: "nat" },
    disabled: false,
    description: "example rate limit for a zone",
    // URLs matching these patterns are excluded from rate limiting entirely,
    // so keep the list as short as possible.
    bypassUrlPatterns: ["bypass1", "bypass2"].map((leaf) => `${zoneHost}/${leaf}`),
});

Create a RateLimit Resource

new RateLimit(name: string, args: RateLimitArgs, opts?: CustomResourceOptions);
def RateLimit(resource_name: str, opts: Optional[ResourceOptions] = None, action: Optional[RateLimitActionArgs] = None, bypass_url_patterns: Optional[Sequence[str]] = None, correlate: Optional[RateLimitCorrelateArgs] = None, description: Optional[str] = None, disabled: Optional[bool] = None, match: Optional[RateLimitMatchArgs] = None, period: Optional[int] = None, threshold: Optional[int] = None, zone_id: Optional[str] = None)
func NewRateLimit(ctx *Context, name string, args RateLimitArgs, opts ...ResourceOption) (*RateLimit, error)
public RateLimit(string name, RateLimitArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args RateLimitArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RateLimitArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RateLimitArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

RateLimit Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The RateLimit resource accepts the following input properties:

Action RateLimitActionArgs

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

Period int

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

Threshold int

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

ZoneId string

The DNS zone ID to apply rate limiting to.

BypassUrlPatterns List<string>

URLs matching the patterns specified here will be excluded from rate limiting.

Correlate RateLimitCorrelateArgs

Determines how rate limiting is applied. If not specified, rate limiting applies to the client's IP address.

Description string

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

Disabled bool

Whether this ratelimit is currently disabled. Default: false.

Match RateLimitMatchArgs

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

Action RateLimitAction

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

Period int

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

Threshold int

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

ZoneId string

The DNS zone ID to apply rate limiting to.

BypassUrlPatterns []string

URLs matching the patterns specified here will be excluded from rate limiting.

Correlate RateLimitCorrelate

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

Description string

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

Disabled bool

Whether this ratelimit is currently disabled. Default: false.

Match RateLimitMatch

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

action RateLimitAction

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

period number

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

threshold number

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

zoneId string

The DNS zone ID to apply rate limiting to.

bypassUrlPatterns string[]

URLs matching the patterns specified here will be excluded from rate limiting.

correlate RateLimitCorrelate

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

description string

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

disabled boolean

Whether this ratelimit is currently disabled. Default: false.

match RateLimitMatch

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

action RateLimitActionArgs

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

period int

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

threshold int

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

zone_id str

The DNS zone ID to apply rate limiting to.

bypass_url_patterns Sequence[str]

URLs matching the patterns specified here will be excluded from rate limiting.

correlate RateLimitCorrelateArgs

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

description str

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

disabled bool

Whether this ratelimit is currently disabled. Default: false.

match RateLimitMatchArgs

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

Outputs

All input properties are implicitly available as output properties. Additionally, the RateLimit resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing RateLimit Resource

Get an existing RateLimit resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RateLimitState, opts?: CustomResourceOptions): RateLimit
@staticmethod
def get(resource_name: str, id: str, opts: Optional[ResourceOptions] = None, action: Optional[RateLimitActionArgs] = None, bypass_url_patterns: Optional[Sequence[str]] = None, correlate: Optional[RateLimitCorrelateArgs] = None, description: Optional[str] = None, disabled: Optional[bool] = None, match: Optional[RateLimitMatchArgs] = None, period: Optional[int] = None, threshold: Optional[int] = None, zone_id: Optional[str] = None) -> RateLimit
func GetRateLimit(ctx *Context, name string, id IDInput, state *RateLimitState, opts ...ResourceOption) (*RateLimit, error)
public static RateLimit Get(string name, Input<string> id, RateLimitState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Action RateLimitActionArgs

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

BypassUrlPatterns List<string>

URLs matching the patterns specified here will be excluded from rate limiting.

Correlate RateLimitCorrelateArgs

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

Description string

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

Disabled bool

Whether this ratelimit is currently disabled. Default: false.

Match RateLimitMatchArgs

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

Period int

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

Threshold int

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

ZoneId string

The DNS zone ID to apply rate limiting to.

Action RateLimitAction

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

BypassUrlPatterns []string

URLs matching the patterns specified here will be excluded from rate limiting.

Correlate RateLimitCorrelate

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

Description string

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

Disabled bool

Whether this ratelimit is currently disabled. Default: false.

Match RateLimitMatch

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

Period int

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

Threshold int

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

ZoneId string

The DNS zone ID to apply rate limiting to.

action RateLimitAction

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

bypassUrlPatterns string[]

URLs matching the patterns specified here will be excluded from rate limiting.

correlate RateLimitCorrelate

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

description string

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

disabled boolean

Whether this ratelimit is currently disabled. Default: false.

match RateLimitMatch

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

period number

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

threshold number

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

zoneId string

The DNS zone ID to apply rate limiting to.

action RateLimitActionArgs

The action to be performed when the threshold of matched traffic within the period defined is exceeded.

bypass_url_patterns Sequence[str]

URLs matching the patterns specified here will be excluded from rate limiting.

correlate RateLimitCorrelateArgs

Determines how rate limiting is applied. By default if not specified, rate limiting applies to the clients IP address.

description str

A note that you can use to describe the reason for a rate limit. This value is sanitized and all tags are removed.

disabled bool

Whether this ratelimit is currently disabled. Default: false.

match RateLimitMatchArgs

Determines which traffic the rate limit counts towards the threshold. By default matches all traffic in the zone. See definition below.

period int

The time in seconds to count matching traffic. If the count exceeds threshold within this period the action will be performed (min: 1, max: 86,400).

threshold int

The threshold that triggers the rate limit mitigations, combine with period. i.e. threshold per period (min: 2, max: 1,000,000).

zone_id str

The DNS zone ID to apply rate limiting to.

Supporting Types

RateLimitAction

Mode string

The type of action to perform. Allowable values are ‘simulate’, ‘ban’, ‘challenge’ and ‘js_challenge’.

Response RateLimitActionResponseArgs

Custom content-type and body to return, this overrides the custom error for the zone. This field is not required. Omission will result in default HTML error page. Definition below.

Timeout int

The time in seconds as an integer to perform the mitigation action. This field is required if the mode is either simulate or ban. Must be the same or greater than the period (min: 1, max: 86400).

Mode string

The type of action to perform. Allowable values are ‘simulate’, ‘ban’, ‘challenge’ and ‘js_challenge’.

Response RateLimitActionResponse

Custom content-type and body to return, this overrides the custom error for the zone. This field is not required. Omission will result in default HTML error page. Definition below.

Timeout int

The time in seconds as an integer to perform the mitigation action. This field is required if the mode is either simulate or ban. Must be the same or greater than the period (min: 1, max: 86400).

mode string

The type of action to perform. Allowable values are ‘simulate’, ‘ban’, ‘challenge’ and ‘js_challenge’.

response RateLimitActionResponse

Custom content-type and body to return, this overrides the custom error for the zone. This field is not required. Omission will result in default HTML error page. Definition below.

timeout number

The time in seconds as an integer to perform the mitigation action. This field is required if the mode is either simulate or ban. Must be the same or greater than the period (min: 1, max: 86400).

mode str

The type of action to perform. Allowable values are ‘simulate’, ‘ban’, ‘challenge’ and ‘js_challenge’.

response RateLimitActionResponseArgs

Custom content-type and body to return, this overrides the custom error for the zone. This field is not required. Omission will result in default HTML error page. Definition below.

timeout int

The time in seconds as an integer to perform the mitigation action. This field is required if the mode is either simulate or ban. Must be the same or greater than the period (min: 1, max: 86400).

RateLimitActionResponse

Body string

The body to return, the content here should conform to the content_type.

ContentType string

The content-type of the body, must be one of: ‘text/plain’, ‘text/xml’, ‘application/json’.

Body string

The body to return, the content here should conform to the content_type.

ContentType string

The content-type of the body, must be one of: ‘text/plain’, ‘text/xml’, ‘application/json’.

body string

The body to return, the content here should conform to the content_type.

contentType string

The content-type of the body, must be one of: ‘text/plain’, ‘text/xml’, ‘application/json’.

body str

The body to return, the content here should conform to the content_type.

content_type str

The content-type of the body, must be one of: ‘text/plain’, ‘text/xml’, ‘application/json’.

RateLimitCorrelate

By string

If set to ‘nat’, NAT support will be enabled for rate limiting.

By string

If set to ‘nat’, NAT support will be enabled for rate limiting.

by string

If set to ‘nat’, NAT support will be enabled for rate limiting.

by str

If set to ‘nat’, NAT support will be enabled for rate limiting.

RateLimitMatch

Request RateLimitMatchRequestArgs

Matches HTTP requests (from the client to Cloudflare). See definition below.

Response RateLimitMatchResponseArgs

Matches HTTP responses (by status code, response header and origin-traffic flag). This field is not required. See the RateLimitMatchResponse definition below.

Request RateLimitMatchRequest

Matches HTTP requests (from the client to Cloudflare). See definition below.

Response RateLimitMatchResponse

Matches HTTP responses (by status code, response header and origin-traffic flag). This field is not required. See the RateLimitMatchResponse definition below.

request RateLimitMatchRequest

Matches HTTP requests (from the client to Cloudflare). See definition below.

response RateLimitMatchResponse

Matches HTTP responses (by status code, response header and origin-traffic flag). This field is not required. See the RateLimitMatchResponse definition below.

request RateLimitMatchRequestArgs

Matches HTTP requests (from the client to Cloudflare). See definition below.

response RateLimitMatchResponseArgs

Matches HTTP responses (by status code, response header and origin-traffic flag). This field is not required. See the RateLimitMatchResponse definition below.

RateLimitMatchRequest

Methods List<string>

HTTP Methods, can be a subset ['POST','PUT'] or all ['_ALL_']. Default: ['_ALL_'].

Schemes List<string>

HTTP Schemes, can be one ['HTTPS'], both ['HTTP','HTTPS'] or all ['_ALL_']. Default: ['_ALL_'].

UrlPattern string

The URL pattern to match, comprised of the host and path, e.g. example.org/path. Wildcards are expanded to match applicable traffic; query strings are not matched. Use * for all traffic to your zone. Default: '*'.

Methods []string

HTTP Methods, can be a subset [‘POST’,‘PUT’] or all [’_ALL_’]. Default: [’_ALL_’].

Schemes []string

HTTP Schemes, can be one [‘HTTPS’], both [‘HTTP’,‘HTTPS’] or all [’_ALL_’]. Default: [’_ALL_’].

UrlPattern string

The URL pattern to match comprised of the host and path, i.e. example.org/path. Wildcard are expanded to match applicable traffic, query strings are not matched. Use * for all traffic to your zone. Default: ‘*‘.

methods string[]

HTTP Methods, can be a subset [‘POST’,‘PUT’] or all [’_ALL_’]. Default: [’_ALL_’].

schemes string[]

HTTP Schemes, can be one [‘HTTPS’], both [‘HTTP’,‘HTTPS’] or all [’_ALL_’]. Default: [’_ALL_’].

urlPattern string

The URL pattern to match comprised of the host and path, i.e. example.org/path. Wildcard are expanded to match applicable traffic, query strings are not matched. Use * for all traffic to your zone. Default: ‘*‘.

methods Sequence[str]

HTTP Methods, can be a subset [‘POST’,‘PUT’] or all [’_ALL_’]. Default: [’_ALL_’].

schemes Sequence[str]

HTTP Schemes, can be one [‘HTTPS’], both [‘HTTP’,‘HTTPS’] or all [’_ALL_’]. Default: [’_ALL_’].

url_pattern str

The URL pattern to match comprised of the host and path, i.e. example.org/path. Wildcard are expanded to match applicable traffic, query strings are not matched. Use * for all traffic to your zone. Default: ‘*‘.

RateLimitMatchResponse

Headers List<ImmutableDictionary<string, string>>

A list of maps, one per response header to match. As in the example above, each map carries the attributes name, op (for example "eq" or "ne") and value.

OriginTraffic bool

Only count traffic that has come from your origin servers. If true, cached items that Cloudflare serve will not count towards rate limiting. Default: true.

Statuses List<int>

HTTP Status codes, can be one [403], many [401,403] or indicate all by not providing this value.

Headers []map[string]string

A list of maps, one per response header to match. As in the example above, each map carries the attributes name, op (for example "eq" or "ne") and value.

OriginTraffic bool

Only count traffic that has come from your origin servers. If true, cached items that Cloudflare serve will not count towards rate limiting. Default: true.

Statuses []int

HTTP Status codes, can be one [403], many [401,403] or indicate all by not providing this value.

headers {[key: string]: string}[]

A list of maps, one per response header to match. As in the example above, each map carries the attributes name, op (for example "eq" or "ne") and value.

originTraffic boolean

Only count traffic that has come from your origin servers. If true, cached items that Cloudflare serve will not count towards rate limiting. Default: true.

statuses number[]

HTTP Status codes, can be one [403], many [401,403] or indicate all by not providing this value.

headers Sequence[Mapping[str, str]]

A list of maps, one per response header to match. As in the example above, each map carries the attributes name, op (for example "eq" or "ne") and value.

origin_traffic bool

Only count traffic that has come from your origin servers. If true, cached items that Cloudflare serve will not count towards rate limiting. Default: true.

statuses Sequence[int]

HTTP Status codes, can be one [403], many [401,403] or indicate all by not providing this value.

Import

Rate limits can be imported using a composite ID formed of zone name and rate limit ID, e.g.

 $ pulumi import cloudflare:index/rateLimit:RateLimit default d41d8cd98f00b204e9800998ecf8427e/ch8374ftwdghsif43

Package Details

Repository
https://github.com/pulumi/pulumi-cloudflare
License
Apache-2.0
Notes
This Pulumi package is based on the cloudflare Terraform Provider.