Cloudflare v6.10.1, Oct 22 25

Cloudflare v6.10.1 published on Wednesday, Oct 22, 2025 by Pulumi

cloudflare.AccessApplication

Cloudflare v6.10.1 published on Wednesday, Oct 22, 2025 by Pulumi

pulumi/pulumi-cloudflare

Example Usage

Create AccessApplication Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AccessApplication(name: string, args?: AccessApplicationArgs, opts?: CustomResourceOptions);

@overload
def AccessApplication(resource_name: str,
                      args: Optional[AccessApplicationArgs] = None,
                      opts: Optional[ResourceOptions] = None)

@overload
def AccessApplication(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      account_id: Optional[str] = None,
                      allow_authenticate_via_warp: Optional[bool] = None,
                      allow_iframe: Optional[bool] = None,
                      allowed_idps: Optional[Sequence[str]] = None,
                      app_launcher_logo_url: Optional[str] = None,
                      app_launcher_visible: Optional[bool] = None,
                      auto_redirect_to_identity: Optional[bool] = None,
                      bg_color: Optional[str] = None,
                      cors_headers: Optional[AccessApplicationCorsHeadersArgs] = None,
                      custom_deny_message: Optional[str] = None,
                      custom_deny_url: Optional[str] = None,
                      custom_non_identity_deny_url: Optional[str] = None,
                      custom_pages: Optional[Sequence[str]] = None,
                      destinations: Optional[Sequence[AccessApplicationDestinationArgs]] = None,
                      domain: Optional[str] = None,
                      enable_binding_cookie: Optional[bool] = None,
                      footer_links: Optional[Sequence[AccessApplicationFooterLinkArgs]] = None,
                      header_bg_color: Optional[str] = None,
                      http_only_cookie_attribute: Optional[bool] = None,
                      landing_page_design: Optional[AccessApplicationLandingPageDesignArgs] = None,
                      logo_url: Optional[str] = None,
                      name: Optional[str] = None,
                      options_preflight_bypass: Optional[bool] = None,
                      path_cookie_attribute: Optional[bool] = None,
                      policies: Optional[Sequence[AccessApplicationPolicyArgs]] = None,
                      read_service_tokens_from_header: Optional[str] = None,
                      saas_app: Optional[AccessApplicationSaasAppArgs] = None,
                      same_site_cookie_attribute: Optional[str] = None,
                      scim_config: Optional[AccessApplicationScimConfigArgs] = None,
                      self_hosted_domains: Optional[Sequence[str]] = None,
                      service_auth401_redirect: Optional[bool] = None,
                      session_duration: Optional[str] = None,
                      skip_app_launcher_login_page: Optional[bool] = None,
                      skip_interstitial: Optional[bool] = None,
                      tags: Optional[Sequence[str]] = None,
                      target_criterias: Optional[Sequence[AccessApplicationTargetCriteriaArgs]] = None,
                      type: Optional[str] = None,
                      zone_id: Optional[str] = None)

func NewAccessApplication(ctx *Context, name string, args *AccessApplicationArgs, opts ...ResourceOption) (*AccessApplication, error)

public AccessApplication(string name, AccessApplicationArgs? args = null, CustomResourceOptions? opts = null)

public AccessApplication(String name, AccessApplicationArgs args)
public AccessApplication(String name, AccessApplicationArgs args, CustomResourceOptions options)

type: cloudflare:AccessApplication
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

AccessApplication Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AccessApplication resource accepts the following input properties:

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
AllowIframe bool: Enables loading application content in an iFrame.
AllowedIdps List<string>: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
AppLauncherLogoUrl string: The image URL of the logo shown in the App Launcher header.
AppLauncherVisible bool: Displays the application in the App Launcher.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
BgColor string: The background color of the App Launcher page.
CorsHeaders AccessApplicationCorsHeaders
CustomDenyMessage string: The custom error message shown to a user when they are denied access to the application.
CustomDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
CustomNonIdentityDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
CustomPages List<string>: The custom pages that will be displayed when applicable for this application
Destinations List<AccessApplicationDestination>: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
Domain string: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
EnableBindingCookie bool: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
FooterLinks List<AccessApplicationFooterLink>: The links in the App Launcher footer.
HeaderBgColor string: The background color of the App Launcher header.
HttpOnlyCookieAttribute bool: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
LandingPageDesign AccessApplicationLandingPageDesign: The design of the App Launcher landing page shown to users when they log in.
LogoUrl string: The image URL for the logo shown in the App Launcher dashboard.
Name string: The name of the application.
OptionsPreflightBypass bool: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
PathCookieAttribute bool: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies List<AccessApplicationPolicy>: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
ReadServiceTokensFromHeader string: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
SaasApp AccessApplicationSaasApp
SameSiteCookieAttribute string: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
ScimConfig AccessApplicationScimConfig: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
SelfHostedDomains List<string>: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
ServiceAuth401Redirect bool: Returns a 401 status code when the request is blocked by a Service Auth policy.
SessionDuration string: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
SkipAppLauncherLoginPage bool: Determines when to skip the App Launcher landing page.
SkipInterstitial bool: Enables automatic authentication through cloudflared.
Tags List<string>: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
TargetCriterias List<AccessApplicationTargetCriteria>
Type string: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
AllowIframe bool: Enables loading application content in an iFrame.
AllowedIdps []string: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
AppLauncherLogoUrl string: The image URL of the logo shown in the App Launcher header.
AppLauncherVisible bool: Displays the application in the App Launcher.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
BgColor string: The background color of the App Launcher page.
CorsHeaders AccessApplicationCorsHeadersArgs
CustomDenyMessage string: The custom error message shown to a user when they are denied access to the application.
CustomDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
CustomNonIdentityDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
CustomPages []string: The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationDestinationArgs: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
Domain string: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
EnableBindingCookie bool: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
FooterLinks []AccessApplicationFooterLinkArgs: The links in the App Launcher footer.
HeaderBgColor string: The background color of the App Launcher header.
HttpOnlyCookieAttribute bool: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
LandingPageDesign AccessApplicationLandingPageDesignArgs: The design of the App Launcher landing page shown to users when they log in.
LogoUrl string: The image URL for the logo shown in the App Launcher dashboard.
Name string: The name of the application.
OptionsPreflightBypass bool: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
PathCookieAttribute bool: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationPolicyArgs: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
ReadServiceTokensFromHeader string: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
SaasApp AccessApplicationSaasAppArgs
SameSiteCookieAttribute string: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
ScimConfig AccessApplicationScimConfigArgs: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
SelfHostedDomains []string: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
ServiceAuth401Redirect bool: Returns a 401 status code when the request is blocked by a Service Auth policy.
SessionDuration string: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
SkipAppLauncherLoginPage bool: Determines when to skip the App Launcher landing page.
SkipInterstitial bool: Enables automatic authentication through cloudflared.
Tags []string: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
TargetCriterias []AccessApplicationTargetCriteriaArgs
Type string: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allowIframe Boolean: Enables loading application content in an iFrame.
allowedIdps List<String>: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
appLauncherLogoUrl String: The image URL of the logo shown in the App Launcher header.
appLauncherVisible Boolean: Displays the application in the App Launcher.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bgColor String: The background color of the App Launcher page.
corsHeaders AccessApplicationCorsHeaders
customDenyMessage String: The custom error message shown to a user when they are denied access to the application.
customDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
customNonIdentityDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
customPages List<String>: The custom pages that will be displayed when applicable for this application
destinations List<AccessApplicationDestination>: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain String: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enableBindingCookie Boolean: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footerLinks List<AccessApplicationFooterLink>: The links in the App Launcher footer.
headerBgColor String: The background color of the App Launcher header.
httpOnlyCookieAttribute Boolean: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landingPageDesign AccessApplicationLandingPageDesign: The design of the App Launcher landing page shown to users when they log in.
logoUrl String: The image URL for the logo shown in the App Launcher dashboard.
name String: The name of the application.
optionsPreflightBypass Boolean: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
pathCookieAttribute Boolean: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies List<AccessApplicationPolicy>: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
readServiceTokensFromHeader String: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saasApp AccessApplicationSaasApp
sameSiteCookieAttribute String: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scimConfig AccessApplicationScimConfig: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
selfHostedDomains List<String>: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
serviceAuth401Redirect Boolean: Returns a 401 status code when the request is blocked by a Service Auth policy.
sessionDuration String: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skipAppLauncherLoginPage Boolean: Determines when to skip the App Launcher landing page.
skipInterstitial Boolean: Enables automatic authentication through cloudflared.
tags List<String>: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
targetCriterias List<AccessApplicationTargetCriteria>
type String: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp boolean: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allowIframe boolean: Enables loading application content in an iFrame.
allowedIdps string[]: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
appLauncherLogoUrl string: The image URL of the logo shown in the App Launcher header.
appLauncherVisible boolean: Displays the application in the App Launcher.
autoRedirectToIdentity boolean: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bgColor string: The background color of the App Launcher page.
corsHeaders AccessApplicationCorsHeaders
customDenyMessage string: The custom error message shown to a user when they are denied access to the application.
customDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
customNonIdentityDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
customPages string[]: The custom pages that will be displayed when applicable for this application
destinations AccessApplicationDestination[]: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain string: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enableBindingCookie boolean: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footerLinks AccessApplicationFooterLink[]: The links in the App Launcher footer.
headerBgColor string: The background color of the App Launcher header.
httpOnlyCookieAttribute boolean: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landingPageDesign AccessApplicationLandingPageDesign: The design of the App Launcher landing page shown to users when they log in.
logoUrl string: The image URL for the logo shown in the App Launcher dashboard.
name string: The name of the application.
optionsPreflightBypass boolean: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
pathCookieAttribute boolean: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies AccessApplicationPolicy[]: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
readServiceTokensFromHeader string: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saasApp AccessApplicationSaasApp
sameSiteCookieAttribute string: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scimConfig AccessApplicationScimConfig: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
selfHostedDomains string[]: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
serviceAuth401Redirect boolean: Returns a 401 status code when the request is blocked by a Service Auth policy.
sessionDuration string: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skipAppLauncherLoginPage boolean: Determines when to skip the App Launcher landing page.
skipInterstitial boolean: Enables automatic authentication through cloudflared.
tags string[]: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
targetCriterias AccessApplicationTargetCriteria[]
type string: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id str: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allow_authenticate_via_warp bool: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allow_iframe bool: Enables loading application content in an iFrame.
allowed_idps Sequence[str]: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
app_launcher_logo_url str: The image URL of the logo shown in the App Launcher header.
app_launcher_visible bool: Displays the application in the App Launcher.
auto_redirect_to_identity bool: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bg_color str: The background color of the App Launcher page.
cors_headers AccessApplicationCorsHeadersArgs
custom_deny_message str: The custom error message shown to a user when they are denied access to the application.
custom_deny_url str: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
custom_non_identity_deny_url str: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
custom_pages Sequence[str]: The custom pages that will be displayed when applicable for this application
destinations Sequence[AccessApplicationDestinationArgs]: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain str: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enable_binding_cookie bool: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footer_links Sequence[AccessApplicationFooterLinkArgs]: The links in the App Launcher footer.
header_bg_color str: The background color of the App Launcher header.
http_only_cookie_attribute bool: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landing_page_design AccessApplicationLandingPageDesignArgs: The design of the App Launcher landing page shown to users when they log in.
logo_url str: The image URL for the logo shown in the App Launcher dashboard.
name str: The name of the application.
options_preflight_bypass bool: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
path_cookie_attribute bool: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies Sequence[AccessApplicationPolicyArgs]: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
read_service_tokens_from_header str: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saas_app AccessApplicationSaasAppArgs
same_site_cookie_attribute str: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config AccessApplicationScimConfigArgs: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
self_hosted_domains Sequence[str]: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
service_auth401_redirect bool: Returns a 401 status code when the request is blocked by a Service Auth policy.
session_duration str: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skip_app_launcher_login_page bool: Determines when to skip the App Launcher landing page.
skip_interstitial bool: Enables automatic authentication through cloudflared.
tags Sequence[str]: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
target_criterias Sequence[AccessApplicationTargetCriteriaArgs]
type str: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zone_id str: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allowIframe Boolean: Enables loading application content in an iFrame.
allowedIdps List<String>: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
appLauncherLogoUrl String: The image URL of the logo shown in the App Launcher header.
appLauncherVisible Boolean: Displays the application in the App Launcher.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bgColor String: The background color of the App Launcher page.
corsHeaders Property Map
customDenyMessage String: The custom error message shown to a user when they are denied access to the application.
customDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
customNonIdentityDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
customPages List<String>: The custom pages that will be displayed when applicable for this application
destinations List<Property Map>: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain String: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enableBindingCookie Boolean: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footerLinks List<Property Map>: The links in the App Launcher footer.
headerBgColor String: The background color of the App Launcher header.
httpOnlyCookieAttribute Boolean: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landingPageDesign Property Map: The design of the App Launcher landing page shown to users when they log in.
logoUrl String: The image URL for the logo shown in the App Launcher dashboard.
name String: The name of the application.
optionsPreflightBypass Boolean: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
pathCookieAttribute Boolean: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies List<Property Map>: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
readServiceTokensFromHeader String: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saasApp Property Map
sameSiteCookieAttribute String: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scimConfig Property Map: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
selfHostedDomains List<String>: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
serviceAuth401Redirect Boolean: Returns a 401 status code when the request is blocked by a Service Auth policy.
sessionDuration String: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skipAppLauncherLoginPage Boolean: Determines when to skip the App Launcher landing page.
skipInterstitial Boolean: Enables automatic authentication through cloudflared.
tags List<String>: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
targetCriterias List<Property Map>
type String: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessApplication resource produces the following output properties:

Aud string: Audience tag.
Id string: The provider-assigned unique ID for this managed resource.

Aud string: Audience tag.
Id string: The provider-assigned unique ID for this managed resource.

aud String: Audience tag.
id String: The provider-assigned unique ID for this managed resource.

aud string: Audience tag.
id string: The provider-assigned unique ID for this managed resource.

aud str: Audience tag.
id str: The provider-assigned unique ID for this managed resource.

aud String: Audience tag.
id String: The provider-assigned unique ID for this managed resource.

Look up Existing AccessApplication Resource

Get an existing AccessApplication resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessApplicationState, opts?: CustomResourceOptions): AccessApplication

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        allow_authenticate_via_warp: Optional[bool] = None,
        allow_iframe: Optional[bool] = None,
        allowed_idps: Optional[Sequence[str]] = None,
        app_launcher_logo_url: Optional[str] = None,
        app_launcher_visible: Optional[bool] = None,
        aud: Optional[str] = None,
        auto_redirect_to_identity: Optional[bool] = None,
        bg_color: Optional[str] = None,
        cors_headers: Optional[AccessApplicationCorsHeadersArgs] = None,
        custom_deny_message: Optional[str] = None,
        custom_deny_url: Optional[str] = None,
        custom_non_identity_deny_url: Optional[str] = None,
        custom_pages: Optional[Sequence[str]] = None,
        destinations: Optional[Sequence[AccessApplicationDestinationArgs]] = None,
        domain: Optional[str] = None,
        enable_binding_cookie: Optional[bool] = None,
        footer_links: Optional[Sequence[AccessApplicationFooterLinkArgs]] = None,
        header_bg_color: Optional[str] = None,
        http_only_cookie_attribute: Optional[bool] = None,
        landing_page_design: Optional[AccessApplicationLandingPageDesignArgs] = None,
        logo_url: Optional[str] = None,
        name: Optional[str] = None,
        options_preflight_bypass: Optional[bool] = None,
        path_cookie_attribute: Optional[bool] = None,
        policies: Optional[Sequence[AccessApplicationPolicyArgs]] = None,
        read_service_tokens_from_header: Optional[str] = None,
        saas_app: Optional[AccessApplicationSaasAppArgs] = None,
        same_site_cookie_attribute: Optional[str] = None,
        scim_config: Optional[AccessApplicationScimConfigArgs] = None,
        self_hosted_domains: Optional[Sequence[str]] = None,
        service_auth401_redirect: Optional[bool] = None,
        session_duration: Optional[str] = None,
        skip_app_launcher_login_page: Optional[bool] = None,
        skip_interstitial: Optional[bool] = None,
        tags: Optional[Sequence[str]] = None,
        target_criterias: Optional[Sequence[AccessApplicationTargetCriteriaArgs]] = None,
        type: Optional[str] = None,
        zone_id: Optional[str] = None) -> AccessApplication

func GetAccessApplication(ctx *Context, name string, id IDInput, state *AccessApplicationState, opts ...ResourceOption) (*AccessApplication, error)

public static AccessApplication Get(string name, Input<string> id, AccessApplicationState? state, CustomResourceOptions? opts = null)

public static AccessApplication get(String name, Output<String> id, AccessApplicationState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:AccessApplication    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
AllowIframe bool: Enables loading application content in an iFrame.
AllowedIdps List<string>: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
AppLauncherLogoUrl string: The image URL of the logo shown in the App Launcher header.
AppLauncherVisible bool: Displays the application in the App Launcher.
Aud string: Audience tag.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
BgColor string: The background color of the App Launcher page.
CorsHeaders AccessApplicationCorsHeaders
CustomDenyMessage string: The custom error message shown to a user when they are denied access to the application.
CustomDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
CustomNonIdentityDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
CustomPages List<string>: The custom pages that will be displayed when applicable for this application
Destinations List<AccessApplicationDestination>: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
Domain string: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
EnableBindingCookie bool: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
FooterLinks List<AccessApplicationFooterLink>: The links in the App Launcher footer.
HeaderBgColor string: The background color of the App Launcher header.
HttpOnlyCookieAttribute bool: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
LandingPageDesign AccessApplicationLandingPageDesign: The design of the App Launcher landing page shown to users when they log in.
LogoUrl string: The image URL for the logo shown in the App Launcher dashboard.
Name string: The name of the application.
OptionsPreflightBypass bool: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
PathCookieAttribute bool: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies List<AccessApplicationPolicy>: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
ReadServiceTokensFromHeader string: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
SaasApp AccessApplicationSaasApp
SameSiteCookieAttribute string: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
ScimConfig AccessApplicationScimConfig: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
SelfHostedDomains List<string>: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
ServiceAuth401Redirect bool: Returns a 401 status code when the request is blocked by a Service Auth policy.
SessionDuration string: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
SkipAppLauncherLoginPage bool: Determines when to skip the App Launcher landing page.
SkipInterstitial bool: Enables automatic authentication through cloudflared.
Tags List<string>: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
TargetCriterias List<AccessApplicationTargetCriteria>
Type string: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
AllowIframe bool: Enables loading application content in an iFrame.
AllowedIdps []string: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
AppLauncherLogoUrl string: The image URL of the logo shown in the App Launcher header.
AppLauncherVisible bool: Displays the application in the App Launcher.
Aud string: Audience tag.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
BgColor string: The background color of the App Launcher page.
CorsHeaders AccessApplicationCorsHeadersArgs
CustomDenyMessage string: The custom error message shown to a user when they are denied access to the application.
CustomDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
CustomNonIdentityDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
CustomPages []string: The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationDestinationArgs: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
Domain string: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
EnableBindingCookie bool: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
FooterLinks []AccessApplicationFooterLinkArgs: The links in the App Launcher footer.
HeaderBgColor string: The background color of the App Launcher header.
HttpOnlyCookieAttribute bool: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
LandingPageDesign AccessApplicationLandingPageDesignArgs: The design of the App Launcher landing page shown to users when they log in.
LogoUrl string: The image URL for the logo shown in the App Launcher dashboard.
Name string: The name of the application.
OptionsPreflightBypass bool: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
PathCookieAttribute bool: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationPolicyArgs: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
ReadServiceTokensFromHeader string: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
SaasApp AccessApplicationSaasAppArgs
SameSiteCookieAttribute string: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
ScimConfig AccessApplicationScimConfigArgs: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
SelfHostedDomains []string: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
ServiceAuth401Redirect bool: Returns a 401 status code when the request is blocked by a Service Auth policy.
SessionDuration string: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
SkipAppLauncherLoginPage bool: Determines when to skip the App Launcher landing page.
SkipInterstitial bool: Enables automatic authentication through cloudflared.
Tags []string: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
TargetCriterias []AccessApplicationTargetCriteriaArgs
Type string: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allowIframe Boolean: Enables loading application content in an iFrame.
allowedIdps List<String>: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
appLauncherLogoUrl String: The image URL of the logo shown in the App Launcher header.
appLauncherVisible Boolean: Displays the application in the App Launcher.
aud String: Audience tag.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bgColor String: The background color of the App Launcher page.
corsHeaders AccessApplicationCorsHeaders
customDenyMessage String: The custom error message shown to a user when they are denied access to the application.
customDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
customNonIdentityDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
customPages List<String>: The custom pages that will be displayed when applicable for this application
destinations List<AccessApplicationDestination>: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain String: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enableBindingCookie Boolean: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footerLinks List<AccessApplicationFooterLink>: The links in the App Launcher footer.
headerBgColor String: The background color of the App Launcher header.
httpOnlyCookieAttribute Boolean: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landingPageDesign AccessApplicationLandingPageDesign: The design of the App Launcher landing page shown to users when they log in.
logoUrl String: The image URL for the logo shown in the App Launcher dashboard.
name String: The name of the application.
optionsPreflightBypass Boolean: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
pathCookieAttribute Boolean: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies List<AccessApplicationPolicy>: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
readServiceTokensFromHeader String: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saasApp AccessApplicationSaasApp
sameSiteCookieAttribute String: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scimConfig AccessApplicationScimConfig: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
selfHostedDomains List<String>: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
serviceAuth401Redirect Boolean: Returns a 401 status code when the request is blocked by a Service Auth policy.
sessionDuration String: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skipAppLauncherLoginPage Boolean: Determines when to skip the App Launcher landing page.
skipInterstitial Boolean: Enables automatic authentication through cloudflared.
tags List<String>: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
targetCriterias List<AccessApplicationTargetCriteria>
type String: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp boolean: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allowIframe boolean: Enables loading application content in an iFrame.
allowedIdps string[]: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
appLauncherLogoUrl string: The image URL of the logo shown in the App Launcher header.
appLauncherVisible boolean: Displays the application in the App Launcher.
aud string: Audience tag.
autoRedirectToIdentity boolean: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bgColor string: The background color of the App Launcher page.
corsHeaders AccessApplicationCorsHeaders
customDenyMessage string: The custom error message shown to a user when they are denied access to the application.
customDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
customNonIdentityDenyUrl string: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
customPages string[]: The custom pages that will be displayed when applicable for this application
destinations AccessApplicationDestination[]: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain string: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enableBindingCookie boolean: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footerLinks AccessApplicationFooterLink[]: The links in the App Launcher footer.
headerBgColor string: The background color of the App Launcher header.
httpOnlyCookieAttribute boolean: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landingPageDesign AccessApplicationLandingPageDesign: The design of the App Launcher landing page shown to users when they log in.
logoUrl string: The image URL for the logo shown in the App Launcher dashboard.
name string: The name of the application.
optionsPreflightBypass boolean: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
pathCookieAttribute boolean: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies AccessApplicationPolicy[]: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
readServiceTokensFromHeader string: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saasApp AccessApplicationSaasApp
sameSiteCookieAttribute string: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scimConfig AccessApplicationScimConfig: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
selfHostedDomains string[]: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
serviceAuth401Redirect boolean: Returns a 401 status code when the request is blocked by a Service Auth policy.
sessionDuration string: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skipAppLauncherLoginPage boolean: Determines when to skip the App Launcher landing page.
skipInterstitial boolean: Enables automatic authentication through cloudflared.
tags string[]: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
targetCriterias AccessApplicationTargetCriteria[]
type string: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id str: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allow_authenticate_via_warp bool: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allow_iframe bool: Enables loading application content in an iFrame.
allowed_idps Sequence[str]: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
app_launcher_logo_url str: The image URL of the logo shown in the App Launcher header.
app_launcher_visible bool: Displays the application in the App Launcher.
aud str: Audience tag.
auto_redirect_to_identity bool: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bg_color str: The background color of the App Launcher page.
cors_headers AccessApplicationCorsHeadersArgs
custom_deny_message str: The custom error message shown to a user when they are denied access to the application.
custom_deny_url str: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
custom_non_identity_deny_url str: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
custom_pages Sequence[str]: The custom pages that will be displayed when applicable for this application
destinations Sequence[AccessApplicationDestinationArgs]: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain str: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enable_binding_cookie bool: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footer_links Sequence[AccessApplicationFooterLinkArgs]: The links in the App Launcher footer.
header_bg_color str: The background color of the App Launcher header.
http_only_cookie_attribute bool: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landing_page_design AccessApplicationLandingPageDesignArgs: The design of the App Launcher landing page shown to users when they log in.
logo_url str: The image URL for the logo shown in the App Launcher dashboard.
name str: The name of the application.
options_preflight_bypass bool: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
path_cookie_attribute bool: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies Sequence[AccessApplicationPolicyArgs]: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
read_service_tokens_from_header str: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saas_app AccessApplicationSaasAppArgs
same_site_cookie_attribute str: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config AccessApplicationScimConfigArgs: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
self_hosted_domains Sequence[str]: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
service_auth401_redirect bool: Returns a 401 status code when the request is blocked by a Service Auth policy.
session_duration str: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skip_app_launcher_login_page bool: Determines when to skip the App Launcher landing page.
skip_interstitial bool: Enables automatic authentication through cloudflared.
tags Sequence[str]: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
target_criterias Sequence[AccessApplicationTargetCriteriaArgs]
type str: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zone_id str: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allowIframe Boolean: Enables loading application content in an iFrame.
allowedIdps List<String>: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
appLauncherLogoUrl String: The image URL of the logo shown in the App Launcher header.
appLauncherVisible Boolean: Displays the application in the App Launcher.
aud String: Audience tag.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bgColor String: The background color of the App Launcher page.
corsHeaders Property Map
customDenyMessage String: The custom error message shown to a user when they are denied access to the application.
customDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
customNonIdentityDenyUrl String: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
customPages List<String>: The custom pages that will be displayed when applicable for this application
destinations List<Property Map>: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domain String: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
enableBindingCookie Boolean: Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footerLinks List<Property Map>: The links in the App Launcher footer.
headerBgColor String: The background color of the App Launcher header.
httpOnlyCookieAttribute Boolean: Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
landingPageDesign Property Map: The design of the App Launcher landing page shown to users when they log in.
logoUrl String: The image URL for the logo shown in the App Launcher dashboard.
name String: The name of the application.
optionsPreflightBypass Boolean: Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
pathCookieAttribute Boolean: Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies List<Property Map>: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
readServiceTokensFromHeader String: Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
saasApp Property Map
sameSiteCookieAttribute String: Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scimConfig Property Map: Configuration for provisioning to this application via SCIM. This is currently in closed beta.
selfHostedDomains List<String>: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Deprecated: This attribute is deprecated.
serviceAuth401Redirect Boolean: Returns a 401 status code when the request is blocked by a Service Auth policy.
sessionDuration String: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
skipAppLauncherLoginPage Boolean: Determines when to skip the App Launcher landing page.
skipInterstitial Boolean: Enables automatic authentication through cloudflared.
tags List<String>: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
targetCriterias List<Property Map>
type String: The application type. Available values: "selfhosted", "saas", "ssh", "vnc", "applauncher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp".
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Supporting Types

AccessApplicationCorsHeaders, AccessApplicationCorsHeadersArgs

AllowAllHeaders bool: Allows all HTTP request headers.
AllowAllMethods bool: Allows all HTTP request methods.
AllowAllOrigins bool: Allows all origins.
AllowCredentials bool: When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
AllowedHeaders List<string>: Allowed HTTP request headers.
AllowedMethods List<string>: Allowed HTTP request methods.
AllowedOrigins List<string>: Allowed origins.
MaxAge double: The maximum number of seconds the results of a preflight request can be cached.

AllowAllHeaders bool: Allows all HTTP request headers.
AllowAllMethods bool: Allows all HTTP request methods.
AllowAllOrigins bool: Allows all origins.
AllowCredentials bool: When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
AllowedHeaders []string: Allowed HTTP request headers.
AllowedMethods []string: Allowed HTTP request methods.
AllowedOrigins []string: Allowed origins.
MaxAge float64: The maximum number of seconds the results of a preflight request can be cached.

allowAllHeaders Boolean: Allows all HTTP request headers.
allowAllMethods Boolean: Allows all HTTP request methods.
allowAllOrigins Boolean: Allows all origins.
allowCredentials Boolean: When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
allowedHeaders List<String>: Allowed HTTP request headers.
allowedMethods List<String>: Allowed HTTP request methods.
allowedOrigins List<String>: Allowed origins.
maxAge Double: The maximum number of seconds the results of a preflight request can be cached.

allowAllHeaders boolean: Allows all HTTP request headers.
allowAllMethods boolean: Allows all HTTP request methods.
allowAllOrigins boolean: Allows all origins.
allowCredentials boolean: When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
allowedHeaders string[]: Allowed HTTP request headers.
allowedMethods string[]: Allowed HTTP request methods.
allowedOrigins string[]: Allowed origins.
maxAge number: The maximum number of seconds the results of a preflight request can be cached.

allow_all_headers bool: Allows all HTTP request headers.
allow_all_methods bool: Allows all HTTP request methods.
allow_all_origins bool: Allows all origins.
allow_credentials bool: When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
allowed_headers Sequence[str]: Allowed HTTP request headers.
allowed_methods Sequence[str]: Allowed HTTP request methods.
allowed_origins Sequence[str]: Allowed origins.
max_age float: The maximum number of seconds the results of a preflight request can be cached.

allowAllHeaders Boolean: Allows all HTTP request headers.
allowAllMethods Boolean: Allows all HTTP request methods.
allowAllOrigins Boolean: Allows all origins.
allowCredentials Boolean: When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
allowedHeaders List<String>: Allowed HTTP request headers.
allowedMethods List<String>: Allowed HTTP request methods.
allowedOrigins List<String>: Allowed origins.
maxAge Number: The maximum number of seconds the results of a preflight request can be cached.

AccessApplicationDestination, AccessApplicationDestinationArgs

Cidr string: The CIDR range of the destination. Single IPs will be computed as /32.
Hostname string: The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol string: The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. Available values: "tcp", "udp".
PortRange string: The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
Type string: Available values: "public", "private".
Uri string: The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
VnetId string: The VNET ID to match the destination. When omitted, all VNETs will match.

Cidr string: The CIDR range of the destination. Single IPs will be computed as /32.
Hostname string: The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol string: The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. Available values: "tcp", "udp".
PortRange string: The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
Type string: Available values: "public", "private".
Uri string: The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
VnetId string: The VNET ID to match the destination. When omitted, all VNETs will match.

cidr String: The CIDR range of the destination. Single IPs will be computed as /32.
hostname String: The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4Protocol String: The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. Available values: "tcp", "udp".
portRange String: The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
type String: Available values: "public", "private".
uri String: The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
vnetId String: The VNET ID to match the destination. When omitted, all VNETs will match.

cidr string: The CIDR range of the destination. Single IPs will be computed as /32.
hostname string: The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4Protocol string: The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. Available values: "tcp", "udp".
portRange string: The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
type string: Available values: "public", "private".
uri string: The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
vnetId string: The VNET ID to match the destination. When omitted, all VNETs will match.

cidr str: The CIDR range of the destination. Single IPs will be computed as /32.
hostname str: The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol str: The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. Available values: "tcp", "udp".
port_range str: The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
type str: Available values: "public", "private".
uri str: The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
vnet_id str: The VNET ID to match the destination. When omitted, all VNETs will match.

cidr String: The CIDR range of the destination. Single IPs will be computed as /32.
hostname String: The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4Protocol String: The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. Available values: "tcp", "udp".
portRange String: The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
type String: Available values: "public", "private".
uri String: The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
vnetId String: The VNET ID to match the destination. When omitted, all VNETs will match.

AccessApplicationFooterLink, AccessApplicationFooterLinkArgs

Name string: The hypertext in the footer link.
Url string: the hyperlink in the footer link.

Name string: The hypertext in the footer link.
Url string: the hyperlink in the footer link.

name String: The hypertext in the footer link.
url String: the hyperlink in the footer link.

name string: The hypertext in the footer link.
url string: the hyperlink in the footer link.

name str: The hypertext in the footer link.
url str: the hyperlink in the footer link.

name String: The hypertext in the footer link.
url String: the hyperlink in the footer link.

AccessApplicationLandingPageDesign, AccessApplicationLandingPageDesignArgs

ButtonColor string: The background color of the log in button on the landing page.
ButtonTextColor string: The color of the text in the log in button on the landing page.
ImageUrl string: The URL of the image shown on the landing page.
Message string: The message shown on the landing page.
Title string: The title shown on the landing page.

ButtonColor string: The background color of the log in button on the landing page.
ButtonTextColor string: The color of the text in the log in button on the landing page.
ImageUrl string: The URL of the image shown on the landing page.
Message string: The message shown on the landing page.
Title string: The title shown on the landing page.

buttonColor String: The background color of the log in button on the landing page.
buttonTextColor String: The color of the text in the log in button on the landing page.
imageUrl String: The URL of the image shown on the landing page.
message String: The message shown on the landing page.
title String: The title shown on the landing page.

buttonColor string: The background color of the log in button on the landing page.
buttonTextColor string: The color of the text in the log in button on the landing page.
imageUrl string: The URL of the image shown on the landing page.
message string: The message shown on the landing page.
title string: The title shown on the landing page.

button_color str: The background color of the log in button on the landing page.
button_text_color str: The color of the text in the log in button on the landing page.
image_url str: The URL of the image shown on the landing page.
message str: The message shown on the landing page.
title str: The title shown on the landing page.

buttonColor String: The background color of the log in button on the landing page.
buttonTextColor String: The color of the text in the log in button on the landing page.
imageUrl String: The URL of the image shown on the landing page.
message String: The message shown on the landing page.
title String: The title shown on the landing page.

AccessApplicationPolicy, AccessApplicationPolicyArgs

ConnectionRules AccessApplicationPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application.
Decision string: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Available values: "allow", "deny", <span pulumi-lang-nodejs=""nonIdentity"" pulumi-lang-dotnet=""NonIdentity"" pulumi-lang-go=""nonIdentity"" pulumi-lang-python=""non_identity"" pulumi-lang-yaml=""nonIdentity"" pulumi-lang-java=""nonIdentity"">"non_identity", "bypass".
Excludes List<AccessApplicationPolicyExclude>: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Id string: The UUID of the policy
Includes List<AccessApplicationPolicyInclude>: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Name string: The name of the Access policy.
Precedence int: The order of execution for this policy. Must be unique for each policy within an app.
Requires List<AccessApplicationPolicyRequire>: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

ConnectionRules AccessApplicationPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application.
Decision string: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Available values: "allow", "deny", <span pulumi-lang-nodejs=""nonIdentity"" pulumi-lang-dotnet=""NonIdentity"" pulumi-lang-go=""nonIdentity"" pulumi-lang-python=""non_identity"" pulumi-lang-yaml=""nonIdentity"" pulumi-lang-java=""nonIdentity"">"non_identity", "bypass".
Excludes []AccessApplicationPolicyExclude: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Id string: The UUID of the policy
Includes []AccessApplicationPolicyInclude: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
Name string: The name of the Access policy.
Precedence int: The order of execution for this policy. Must be unique for each policy within an app.
Requires []AccessApplicationPolicyRequire: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

connectionRules AccessApplicationPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application.
decision String: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Available values: "allow", "deny", <span pulumi-lang-nodejs=""nonIdentity"" pulumi-lang-dotnet=""NonIdentity"" pulumi-lang-go=""nonIdentity"" pulumi-lang-python=""non_identity"" pulumi-lang-yaml=""nonIdentity"" pulumi-lang-java=""nonIdentity"">"non_identity", "bypass".
excludes List<AccessApplicationPolicyExclude>: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
id String: The UUID of the policy
includes List<AccessApplicationPolicyInclude>: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
name String: The name of the Access policy.
precedence Integer: The order of execution for this policy. Must be unique for each policy within an app.
requires List<AccessApplicationPolicyRequire>: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

connectionRules AccessApplicationPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application.
decision string: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Available values: "allow", "deny", <span pulumi-lang-nodejs=""nonIdentity"" pulumi-lang-dotnet=""NonIdentity"" pulumi-lang-go=""nonIdentity"" pulumi-lang-python=""non_identity"" pulumi-lang-yaml=""nonIdentity"" pulumi-lang-java=""nonIdentity"">"non_identity", "bypass".
excludes AccessApplicationPolicyExclude[]: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
id string: The UUID of the policy
includes AccessApplicationPolicyInclude[]: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
name string: The name of the Access policy.
precedence number: The order of execution for this policy. Must be unique for each policy within an app.
requires AccessApplicationPolicyRequire[]: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

connection_rules AccessApplicationPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application.
decision str: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Available values: "allow", "deny", <span pulumi-lang-nodejs=""nonIdentity"" pulumi-lang-dotnet=""NonIdentity"" pulumi-lang-go=""nonIdentity"" pulumi-lang-python=""non_identity"" pulumi-lang-yaml=""nonIdentity"" pulumi-lang-java=""nonIdentity"">"non_identity", "bypass".
excludes Sequence[AccessApplicationPolicyExclude]: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
id str: The UUID of the policy
includes Sequence[AccessApplicationPolicyInclude]: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
name str: The name of the Access policy.
precedence int: The order of execution for this policy. Must be unique for each policy within an app.
requires Sequence[AccessApplicationPolicyRequire]: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

connectionRules Property Map: The rules that define how users may connect to the targets secured by your application.
decision String: The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Available values: "allow", "deny", <span pulumi-lang-nodejs=""nonIdentity"" pulumi-lang-dotnet=""NonIdentity"" pulumi-lang-go=""nonIdentity"" pulumi-lang-python=""non_identity"" pulumi-lang-yaml=""nonIdentity"" pulumi-lang-java=""nonIdentity"">"non_identity", "bypass".
excludes List<Property Map>: Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
id String: The UUID of the policy
includes List<Property Map>: Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
name String: The name of the Access policy.
precedence Number: The order of execution for this policy. Must be unique for each policy within an app.
requires List<Property Map>: Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

AccessApplicationPolicyConnectionRules, AccessApplicationPolicyConnectionRulesArgs

Ssh AccessApplicationPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

Ssh AccessApplicationPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh AccessApplicationPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh AccessApplicationPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh AccessApplicationPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh Property Map: The SSH-specific rules that define how users may connect to the targets secured by your application.

AccessApplicationPolicyConnectionRulesSsh, AccessApplicationPolicyConnectionRulesSshArgs

Usernames List<string>: Contains the Unix usernames that may be used when connecting over SSH.
AllowEmailAlias bool: Enables using Identity Provider email alias as SSH username.

Usernames []string: Contains the Unix usernames that may be used when connecting over SSH.
AllowEmailAlias bool: Enables using Identity Provider email alias as SSH username.

usernames List<String>: Contains the Unix usernames that may be used when connecting over SSH.
allowEmailAlias Boolean: Enables using Identity Provider email alias as SSH username.

usernames string[]: Contains the Unix usernames that may be used when connecting over SSH.
allowEmailAlias boolean: Enables using Identity Provider email alias as SSH username.

usernames Sequence[str]: Contains the Unix usernames that may be used when connecting over SSH.
allow_email_alias bool: Enables using Identity Provider email alias as SSH username.

usernames List<String>: Contains the Unix usernames that may be used when connecting over SSH.
allowEmailAlias Boolean: Enables using Identity Provider email alias as SSH username.

AccessApplicationPolicyExclude, AccessApplicationPolicyExcludeArgs

AnyValidServiceToken AccessApplicationPolicyExcludeAnyValidServiceToken: An empty object which matches on all service tokens.
AuthContext AccessApplicationPolicyExcludeAuthContext
AuthMethod AccessApplicationPolicyExcludeAuthMethod
AzureAd AccessApplicationPolicyExcludeAzureAd
Certificate AccessApplicationPolicyExcludeCertificate
CommonName AccessApplicationPolicyExcludeCommonName
DevicePosture AccessApplicationPolicyExcludeDevicePosture
Email AccessApplicationPolicyExcludeEmail
EmailDomain AccessApplicationPolicyExcludeEmailDomain
EmailList AccessApplicationPolicyExcludeEmailList
Everyone AccessApplicationPolicyExcludeEveryone: An empty object which matches on all users.
ExternalEvaluation AccessApplicationPolicyExcludeExternalEvaluation
Geo AccessApplicationPolicyExcludeGeo
GithubOrganization AccessApplicationPolicyExcludeGithubOrganization
Group AccessApplicationPolicyExcludeGroup
Gsuite AccessApplicationPolicyExcludeGsuite
Ip AccessApplicationPolicyExcludeIp
IpList AccessApplicationPolicyExcludeIpList
LinkedAppToken AccessApplicationPolicyExcludeLinkedAppToken
LoginMethod AccessApplicationPolicyExcludeLoginMethod
Oidc AccessApplicationPolicyExcludeOidc
Okta AccessApplicationPolicyExcludeOkta
Saml AccessApplicationPolicyExcludeSaml
ServiceToken AccessApplicationPolicyExcludeServiceToken

AnyValidServiceToken AccessApplicationPolicyExcludeAnyValidServiceToken: An empty object which matches on all service tokens.
AuthContext AccessApplicationPolicyExcludeAuthContext
AuthMethod AccessApplicationPolicyExcludeAuthMethod
AzureAd AccessApplicationPolicyExcludeAzureAd
Certificate AccessApplicationPolicyExcludeCertificate
CommonName AccessApplicationPolicyExcludeCommonName
DevicePosture AccessApplicationPolicyExcludeDevicePosture
Email AccessApplicationPolicyExcludeEmail
EmailDomain AccessApplicationPolicyExcludeEmailDomain
EmailList AccessApplicationPolicyExcludeEmailList
Everyone AccessApplicationPolicyExcludeEveryone: An empty object which matches on all users.
ExternalEvaluation AccessApplicationPolicyExcludeExternalEvaluation
Geo AccessApplicationPolicyExcludeGeo
GithubOrganization AccessApplicationPolicyExcludeGithubOrganization
Group AccessApplicationPolicyExcludeGroup
Gsuite AccessApplicationPolicyExcludeGsuite
Ip AccessApplicationPolicyExcludeIp
IpList AccessApplicationPolicyExcludeIpList
LinkedAppToken AccessApplicationPolicyExcludeLinkedAppToken
LoginMethod AccessApplicationPolicyExcludeLoginMethod
Oidc AccessApplicationPolicyExcludeOidc
Okta AccessApplicationPolicyExcludeOkta
Saml AccessApplicationPolicyExcludeSaml
ServiceToken AccessApplicationPolicyExcludeServiceToken

anyValidServiceToken AccessApplicationPolicyExcludeAnyValidServiceToken: An empty object which matches on all service tokens.
authContext AccessApplicationPolicyExcludeAuthContext
authMethod AccessApplicationPolicyExcludeAuthMethod
azureAd AccessApplicationPolicyExcludeAzureAd
certificate AccessApplicationPolicyExcludeCertificate
commonName AccessApplicationPolicyExcludeCommonName
devicePosture AccessApplicationPolicyExcludeDevicePosture
email AccessApplicationPolicyExcludeEmail
emailDomain AccessApplicationPolicyExcludeEmailDomain
emailList AccessApplicationPolicyExcludeEmailList
everyone AccessApplicationPolicyExcludeEveryone: An empty object which matches on all users.
externalEvaluation AccessApplicationPolicyExcludeExternalEvaluation
geo AccessApplicationPolicyExcludeGeo
githubOrganization AccessApplicationPolicyExcludeGithubOrganization
group AccessApplicationPolicyExcludeGroup
gsuite AccessApplicationPolicyExcludeGsuite
ip AccessApplicationPolicyExcludeIp
ipList AccessApplicationPolicyExcludeIpList
linkedAppToken AccessApplicationPolicyExcludeLinkedAppToken
loginMethod AccessApplicationPolicyExcludeLoginMethod
oidc AccessApplicationPolicyExcludeOidc
okta AccessApplicationPolicyExcludeOkta
saml AccessApplicationPolicyExcludeSaml
serviceToken AccessApplicationPolicyExcludeServiceToken

anyValidServiceToken AccessApplicationPolicyExcludeAnyValidServiceToken: An empty object which matches on all service tokens.
authContext AccessApplicationPolicyExcludeAuthContext
authMethod AccessApplicationPolicyExcludeAuthMethod
azureAd AccessApplicationPolicyExcludeAzureAd
certificate AccessApplicationPolicyExcludeCertificate
commonName AccessApplicationPolicyExcludeCommonName
devicePosture AccessApplicationPolicyExcludeDevicePosture
email AccessApplicationPolicyExcludeEmail
emailDomain AccessApplicationPolicyExcludeEmailDomain
emailList AccessApplicationPolicyExcludeEmailList
everyone AccessApplicationPolicyExcludeEveryone: An empty object which matches on all users.
externalEvaluation AccessApplicationPolicyExcludeExternalEvaluation
geo AccessApplicationPolicyExcludeGeo
githubOrganization AccessApplicationPolicyExcludeGithubOrganization
group AccessApplicationPolicyExcludeGroup
gsuite AccessApplicationPolicyExcludeGsuite
ip AccessApplicationPolicyExcludeIp
ipList AccessApplicationPolicyExcludeIpList
linkedAppToken AccessApplicationPolicyExcludeLinkedAppToken
loginMethod AccessApplicationPolicyExcludeLoginMethod
oidc AccessApplicationPolicyExcludeOidc
okta AccessApplicationPolicyExcludeOkta
saml AccessApplicationPolicyExcludeSaml
serviceToken AccessApplicationPolicyExcludeServiceToken

any_valid_service_token AccessApplicationPolicyExcludeAnyValidServiceToken: An empty object which matches on all service tokens.
auth_context AccessApplicationPolicyExcludeAuthContext
auth_method AccessApplicationPolicyExcludeAuthMethod
azure_ad AccessApplicationPolicyExcludeAzureAd
certificate AccessApplicationPolicyExcludeCertificate
common_name AccessApplicationPolicyExcludeCommonName
device_posture AccessApplicationPolicyExcludeDevicePosture
email AccessApplicationPolicyExcludeEmail
email_domain AccessApplicationPolicyExcludeEmailDomain
email_list AccessApplicationPolicyExcludeEmailList
everyone AccessApplicationPolicyExcludeEveryone: An empty object which matches on all users.
external_evaluation AccessApplicationPolicyExcludeExternalEvaluation
geo AccessApplicationPolicyExcludeGeo
github_organization AccessApplicationPolicyExcludeGithubOrganization
group AccessApplicationPolicyExcludeGroup
gsuite AccessApplicationPolicyExcludeGsuite
ip AccessApplicationPolicyExcludeIp
ip_list AccessApplicationPolicyExcludeIpList
linked_app_token AccessApplicationPolicyExcludeLinkedAppToken
login_method AccessApplicationPolicyExcludeLoginMethod
oidc AccessApplicationPolicyExcludeOidc
okta AccessApplicationPolicyExcludeOkta
saml AccessApplicationPolicyExcludeSaml
service_token AccessApplicationPolicyExcludeServiceToken

anyValidServiceToken Property Map: An empty object which matches on all service tokens.
authContext Property Map
authMethod Property Map
azureAd Property Map
certificate Property Map
commonName Property Map
devicePosture Property Map
email Property Map
emailDomain Property Map
emailList Property Map
everyone Property Map: An empty object which matches on all users.
externalEvaluation Property Map
geo Property Map
githubOrganization Property Map
group Property Map
gsuite Property Map
ip Property Map
ipList Property Map
linkedAppToken Property Map
loginMethod Property Map
oidc Property Map
okta Property Map
saml Property Map
serviceToken Property Map

AccessApplicationPolicyExcludeAuthContext, AccessApplicationPolicyExcludeAuthContextArgs

AcId string: The ACID of an Authentication context.
Id string: The ID of an Authentication context.
IdentityProviderId string: The ID of your Azure identity provider.

AcId string: The ACID of an Authentication context.
Id string: The ID of an Authentication context.
IdentityProviderId string: The ID of your Azure identity provider.

acId String: The ACID of an Authentication context.
id String: The ID of an Authentication context.
identityProviderId String: The ID of your Azure identity provider.

acId string: The ACID of an Authentication context.
id string: The ID of an Authentication context.
identityProviderId string: The ID of your Azure identity provider.

ac_id str: The ACID of an Authentication context.
id str: The ID of an Authentication context.
identity_provider_id str: The ID of your Azure identity provider.

acId String: The ACID of an Authentication context.
id String: The ID of an Authentication context.
identityProviderId String: The ID of your Azure identity provider.

AccessApplicationPolicyExcludeAuthMethod, AccessApplicationPolicyExcludeAuthMethodArgs

AuthMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AuthMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod String: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

auth_method str: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod String: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AccessApplicationPolicyExcludeAzureAd, AccessApplicationPolicyExcludeAzureAdArgs

Id string: The ID of an Azure group.
IdentityProviderId string: The ID of your Azure identity provider.

Id string: The ID of an Azure group.
IdentityProviderId string: The ID of your Azure identity provider.

id String: The ID of an Azure group.
identityProviderId String: The ID of your Azure identity provider.

id string: The ID of an Azure group.
identityProviderId string: The ID of your Azure identity provider.

id str: The ID of an Azure group.
identity_provider_id str: The ID of your Azure identity provider.

id String: The ID of an Azure group.
identityProviderId String: The ID of your Azure identity provider.

AccessApplicationPolicyExcludeCommonName, AccessApplicationPolicyExcludeCommonNameArgs

CommonName string: The common name to match.

CommonName string: The common name to match.

commonName String: The common name to match.

commonName string: The common name to match.

common_name str: The common name to match.

commonName String: The common name to match.

AccessApplicationPolicyExcludeDevicePosture, AccessApplicationPolicyExcludeDevicePostureArgs

IntegrationUid string: The ID of a device posture integration.

IntegrationUid string: The ID of a device posture integration.

integrationUid String: The ID of a device posture integration.

integrationUid string: The ID of a device posture integration.

integration_uid str: The ID of a device posture integration.

integrationUid String: The ID of a device posture integration.

AccessApplicationPolicyExcludeEmail, AccessApplicationPolicyExcludeEmailArgs

Email string: The email of the user.

Email string: The email of the user.

email String: The email of the user.

email string: The email of the user.

email str: The email of the user.

email String: The email of the user.

AccessApplicationPolicyExcludeEmailDomain, AccessApplicationPolicyExcludeEmailDomainArgs

Domain string: The email domain to match.

Domain string: The email domain to match.

domain String: The email domain to match.

domain string: The email domain to match.

domain str: The email domain to match.

domain String: The email domain to match.

AccessApplicationPolicyExcludeEmailList, AccessApplicationPolicyExcludeEmailListArgs

Id string: The ID of a previously created email list.

Id string: The ID of a previously created email list.

id String: The ID of a previously created email list.

id string: The ID of a previously created email list.

id str: The ID of a previously created email list.

id String: The ID of a previously created email list.

AccessApplicationPolicyExcludeExternalEvaluation, AccessApplicationPolicyExcludeExternalEvaluationArgs

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl string: The API endpoint containing your business logic.
keysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluate_url str: The API endpoint containing your business logic.
keys_url str: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

AccessApplicationPolicyExcludeGeo, AccessApplicationPolicyExcludeGeoArgs

CountryCode string: The country code that should be matched.

CountryCode string: The country code that should be matched.

countryCode String: The country code that should be matched.

countryCode string: The country code that should be matched.

country_code str: The country code that should be matched.

countryCode String: The country code that should be matched.

AccessApplicationPolicyExcludeGithubOrganization, AccessApplicationPolicyExcludeGithubOrganizationArgs

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Team string: The name of the team

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Team string: The name of the team

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
team String: The name of the team

identityProviderId string: The ID of your Github identity provider.
name string: The name of the organization.
team string: The name of the team

identity_provider_id str: The ID of your Github identity provider.
name str: The name of the organization.
team str: The name of the team

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
team String: The name of the team

AccessApplicationPolicyExcludeGroup, AccessApplicationPolicyExcludeGroupArgs

Id string: The ID of a previously created Access group.

Id string: The ID of a previously created Access group.

id String: The ID of a previously created Access group.

id string: The ID of a previously created Access group.

id str: The ID of a previously created Access group.

id String: The ID of a previously created Access group.

AccessApplicationPolicyExcludeGsuite, AccessApplicationPolicyExcludeGsuiteArgs

Email string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

Email string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

email String: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

email string: The email of the Google Workspace group.
identityProviderId string: The ID of your Google Workspace identity provider.

email str: The email of the Google Workspace group.
identity_provider_id str: The ID of your Google Workspace identity provider.

email String: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

AccessApplicationPolicyExcludeIp, AccessApplicationPolicyExcludeIpArgs

Ip string: An IPv4 or IPv6 CIDR block.

Ip string: An IPv4 or IPv6 CIDR block.

ip String: An IPv4 or IPv6 CIDR block.

ip string: An IPv4 or IPv6 CIDR block.

ip str: An IPv4 or IPv6 CIDR block.

ip String: An IPv4 or IPv6 CIDR block.

AccessApplicationPolicyExcludeIpList, AccessApplicationPolicyExcludeIpListArgs

Id string: The ID of a previously created IP list.

Id string: The ID of a previously created IP list.

id String: The ID of a previously created IP list.

id string: The ID of a previously created IP list.

id str: The ID of a previously created IP list.

id String: The ID of a previously created IP list.

AccessApplicationPolicyExcludeLinkedAppToken, AccessApplicationPolicyExcludeLinkedAppTokenArgs

AppUid string: The ID of an Access OIDC SaaS application

AppUid string: The ID of an Access OIDC SaaS application

appUid String: The ID of an Access OIDC SaaS application

appUid string: The ID of an Access OIDC SaaS application

app_uid str: The ID of an Access OIDC SaaS application

appUid String: The ID of an Access OIDC SaaS application

AccessApplicationPolicyExcludeLoginMethod, AccessApplicationPolicyExcludeLoginMethodArgs

Id string: The ID of an identity provider.

Id string: The ID of an identity provider.

id String: The ID of an identity provider.

id string: The ID of an identity provider.

id str: The ID of an identity provider.

id String: The ID of an identity provider.

AccessApplicationPolicyExcludeOidc, AccessApplicationPolicyExcludeOidcArgs

ClaimName string: The name of the OIDC claim.
ClaimValue string: The OIDC claim value to look for.
IdentityProviderId string: The ID of your OIDC identity provider.

ClaimName string: The name of the OIDC claim.
ClaimValue string: The OIDC claim value to look for.
IdentityProviderId string: The ID of your OIDC identity provider.

claimName String: The name of the OIDC claim.
claimValue String: The OIDC claim value to look for.
identityProviderId String: The ID of your OIDC identity provider.

claimName string: The name of the OIDC claim.
claimValue string: The OIDC claim value to look for.
identityProviderId string: The ID of your OIDC identity provider.

claim_name str: The name of the OIDC claim.
claim_value str: The OIDC claim value to look for.
identity_provider_id str: The ID of your OIDC identity provider.

claimName String: The name of the OIDC claim.
claimValue String: The OIDC claim value to look for.
identityProviderId String: The ID of your OIDC identity provider.

AccessApplicationPolicyExcludeOkta, AccessApplicationPolicyExcludeOktaArgs

IdentityProviderId string: The ID of your Okta identity provider.
Name string: The name of the Okta group.

IdentityProviderId string: The ID of your Okta identity provider.
Name string: The name of the Okta group.

identityProviderId String: The ID of your Okta identity provider.
name String: The name of the Okta group.

identityProviderId string: The ID of your Okta identity provider.
name string: The name of the Okta group.

identity_provider_id str: The ID of your Okta identity provider.
name str: The name of the Okta group.

identityProviderId String: The ID of your Okta identity provider.
name String: The name of the Okta group.

AccessApplicationPolicyExcludeSaml, AccessApplicationPolicyExcludeSamlArgs

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

attributeName string: The name of the SAML attribute.
attributeValue string: The SAML attribute value to look for.
identityProviderId string: The ID of your SAML identity provider.

attribute_name str: The name of the SAML attribute.
attribute_value str: The SAML attribute value to look for.
identity_provider_id str: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

AccessApplicationPolicyExcludeServiceToken, AccessApplicationPolicyExcludeServiceTokenArgs

TokenId string: The ID of a Service Token.

TokenId string: The ID of a Service Token.

tokenId String: The ID of a Service Token.

tokenId string: The ID of a Service Token.

token_id str: The ID of a Service Token.

tokenId String: The ID of a Service Token.

AccessApplicationPolicyInclude, AccessApplicationPolicyIncludeArgs

AnyValidServiceToken AccessApplicationPolicyIncludeAnyValidServiceToken: An empty object which matches on all service tokens.
AuthContext AccessApplicationPolicyIncludeAuthContext
AuthMethod AccessApplicationPolicyIncludeAuthMethod
AzureAd AccessApplicationPolicyIncludeAzureAd
Certificate AccessApplicationPolicyIncludeCertificate
CommonName AccessApplicationPolicyIncludeCommonName
DevicePosture AccessApplicationPolicyIncludeDevicePosture
Email AccessApplicationPolicyIncludeEmail
EmailDomain AccessApplicationPolicyIncludeEmailDomain
EmailList AccessApplicationPolicyIncludeEmailList
Everyone AccessApplicationPolicyIncludeEveryone: An empty object which matches on all users.
ExternalEvaluation AccessApplicationPolicyIncludeExternalEvaluation
Geo AccessApplicationPolicyIncludeGeo
GithubOrganization AccessApplicationPolicyIncludeGithubOrganization
Group AccessApplicationPolicyIncludeGroup
Gsuite AccessApplicationPolicyIncludeGsuite
Ip AccessApplicationPolicyIncludeIp
IpList AccessApplicationPolicyIncludeIpList
LinkedAppToken AccessApplicationPolicyIncludeLinkedAppToken
LoginMethod AccessApplicationPolicyIncludeLoginMethod
Oidc AccessApplicationPolicyIncludeOidc
Okta AccessApplicationPolicyIncludeOkta
Saml AccessApplicationPolicyIncludeSaml
ServiceToken AccessApplicationPolicyIncludeServiceToken

AnyValidServiceToken AccessApplicationPolicyIncludeAnyValidServiceToken: An empty object which matches on all service tokens.
AuthContext AccessApplicationPolicyIncludeAuthContext
AuthMethod AccessApplicationPolicyIncludeAuthMethod
AzureAd AccessApplicationPolicyIncludeAzureAd
Certificate AccessApplicationPolicyIncludeCertificate
CommonName AccessApplicationPolicyIncludeCommonName
DevicePosture AccessApplicationPolicyIncludeDevicePosture
Email AccessApplicationPolicyIncludeEmail
EmailDomain AccessApplicationPolicyIncludeEmailDomain
EmailList AccessApplicationPolicyIncludeEmailList
Everyone AccessApplicationPolicyIncludeEveryone: An empty object which matches on all users.
ExternalEvaluation AccessApplicationPolicyIncludeExternalEvaluation
Geo AccessApplicationPolicyIncludeGeo
GithubOrganization AccessApplicationPolicyIncludeGithubOrganization
Group AccessApplicationPolicyIncludeGroup
Gsuite AccessApplicationPolicyIncludeGsuite
Ip AccessApplicationPolicyIncludeIp
IpList AccessApplicationPolicyIncludeIpList
LinkedAppToken AccessApplicationPolicyIncludeLinkedAppToken
LoginMethod AccessApplicationPolicyIncludeLoginMethod
Oidc AccessApplicationPolicyIncludeOidc
Okta AccessApplicationPolicyIncludeOkta
Saml AccessApplicationPolicyIncludeSaml
ServiceToken AccessApplicationPolicyIncludeServiceToken

anyValidServiceToken AccessApplicationPolicyIncludeAnyValidServiceToken: An empty object which matches on all service tokens.
authContext AccessApplicationPolicyIncludeAuthContext
authMethod AccessApplicationPolicyIncludeAuthMethod
azureAd AccessApplicationPolicyIncludeAzureAd
certificate AccessApplicationPolicyIncludeCertificate
commonName AccessApplicationPolicyIncludeCommonName
devicePosture AccessApplicationPolicyIncludeDevicePosture
email AccessApplicationPolicyIncludeEmail
emailDomain AccessApplicationPolicyIncludeEmailDomain
emailList AccessApplicationPolicyIncludeEmailList
everyone AccessApplicationPolicyIncludeEveryone: An empty object which matches on all users.
externalEvaluation AccessApplicationPolicyIncludeExternalEvaluation
geo AccessApplicationPolicyIncludeGeo
githubOrganization AccessApplicationPolicyIncludeGithubOrganization
group AccessApplicationPolicyIncludeGroup
gsuite AccessApplicationPolicyIncludeGsuite
ip AccessApplicationPolicyIncludeIp
ipList AccessApplicationPolicyIncludeIpList
linkedAppToken AccessApplicationPolicyIncludeLinkedAppToken
loginMethod AccessApplicationPolicyIncludeLoginMethod
oidc AccessApplicationPolicyIncludeOidc
okta AccessApplicationPolicyIncludeOkta
saml AccessApplicationPolicyIncludeSaml
serviceToken AccessApplicationPolicyIncludeServiceToken

anyValidServiceToken AccessApplicationPolicyIncludeAnyValidServiceToken: An empty object which matches on all service tokens.
authContext AccessApplicationPolicyIncludeAuthContext
authMethod AccessApplicationPolicyIncludeAuthMethod
azureAd AccessApplicationPolicyIncludeAzureAd
certificate AccessApplicationPolicyIncludeCertificate
commonName AccessApplicationPolicyIncludeCommonName
devicePosture AccessApplicationPolicyIncludeDevicePosture
email AccessApplicationPolicyIncludeEmail
emailDomain AccessApplicationPolicyIncludeEmailDomain
emailList AccessApplicationPolicyIncludeEmailList
everyone AccessApplicationPolicyIncludeEveryone: An empty object which matches on all users.
externalEvaluation AccessApplicationPolicyIncludeExternalEvaluation
geo AccessApplicationPolicyIncludeGeo
githubOrganization AccessApplicationPolicyIncludeGithubOrganization
group AccessApplicationPolicyIncludeGroup
gsuite AccessApplicationPolicyIncludeGsuite
ip AccessApplicationPolicyIncludeIp
ipList AccessApplicationPolicyIncludeIpList
linkedAppToken AccessApplicationPolicyIncludeLinkedAppToken
loginMethod AccessApplicationPolicyIncludeLoginMethod
oidc AccessApplicationPolicyIncludeOidc
okta AccessApplicationPolicyIncludeOkta
saml AccessApplicationPolicyIncludeSaml
serviceToken AccessApplicationPolicyIncludeServiceToken

any_valid_service_token AccessApplicationPolicyIncludeAnyValidServiceToken: An empty object which matches on all service tokens.
auth_context AccessApplicationPolicyIncludeAuthContext
auth_method AccessApplicationPolicyIncludeAuthMethod
azure_ad AccessApplicationPolicyIncludeAzureAd
certificate AccessApplicationPolicyIncludeCertificate
common_name AccessApplicationPolicyIncludeCommonName
device_posture AccessApplicationPolicyIncludeDevicePosture
email AccessApplicationPolicyIncludeEmail
email_domain AccessApplicationPolicyIncludeEmailDomain
email_list AccessApplicationPolicyIncludeEmailList
everyone AccessApplicationPolicyIncludeEveryone: An empty object which matches on all users.
external_evaluation AccessApplicationPolicyIncludeExternalEvaluation
geo AccessApplicationPolicyIncludeGeo
github_organization AccessApplicationPolicyIncludeGithubOrganization
group AccessApplicationPolicyIncludeGroup
gsuite AccessApplicationPolicyIncludeGsuite
ip AccessApplicationPolicyIncludeIp
ip_list AccessApplicationPolicyIncludeIpList
linked_app_token AccessApplicationPolicyIncludeLinkedAppToken
login_method AccessApplicationPolicyIncludeLoginMethod
oidc AccessApplicationPolicyIncludeOidc
okta AccessApplicationPolicyIncludeOkta
saml AccessApplicationPolicyIncludeSaml
service_token AccessApplicationPolicyIncludeServiceToken

anyValidServiceToken Property Map: An empty object which matches on all service tokens.
authContext Property Map
authMethod Property Map
azureAd Property Map
certificate Property Map
commonName Property Map
devicePosture Property Map
email Property Map
emailDomain Property Map
emailList Property Map
everyone Property Map: An empty object which matches on all users.
externalEvaluation Property Map
geo Property Map
githubOrganization Property Map
group Property Map
gsuite Property Map
ip Property Map
ipList Property Map
linkedAppToken Property Map
loginMethod Property Map
oidc Property Map
okta Property Map
saml Property Map
serviceToken Property Map

AccessApplicationPolicyIncludeAuthContext, AccessApplicationPolicyIncludeAuthContextArgs

AcId string: The ACID of an Authentication context.
Id string: The ID of an Authentication context.
IdentityProviderId string: The ID of your Azure identity provider.

AcId string: The ACID of an Authentication context.
Id string: The ID of an Authentication context.
IdentityProviderId string: The ID of your Azure identity provider.

acId String: The ACID of an Authentication context.
id String: The ID of an Authentication context.
identityProviderId String: The ID of your Azure identity provider.

acId string: The ACID of an Authentication context.
id string: The ID of an Authentication context.
identityProviderId string: The ID of your Azure identity provider.

ac_id str: The ACID of an Authentication context.
id str: The ID of an Authentication context.
identity_provider_id str: The ID of your Azure identity provider.

acId String: The ACID of an Authentication context.
id String: The ID of an Authentication context.
identityProviderId String: The ID of your Azure identity provider.

AccessApplicationPolicyIncludeAuthMethod, AccessApplicationPolicyIncludeAuthMethodArgs

AuthMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AuthMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod String: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

auth_method str: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod String: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AccessApplicationPolicyIncludeAzureAd, AccessApplicationPolicyIncludeAzureAdArgs

Id string: The ID of an Azure group.
IdentityProviderId string: The ID of your Azure identity provider.

Id string: The ID of an Azure group.
IdentityProviderId string: The ID of your Azure identity provider.

id String: The ID of an Azure group.
identityProviderId String: The ID of your Azure identity provider.

id string: The ID of an Azure group.
identityProviderId string: The ID of your Azure identity provider.

id str: The ID of an Azure group.
identity_provider_id str: The ID of your Azure identity provider.

id String: The ID of an Azure group.
identityProviderId String: The ID of your Azure identity provider.

AccessApplicationPolicyIncludeCommonName, AccessApplicationPolicyIncludeCommonNameArgs

CommonName string: The common name to match.

CommonName string: The common name to match.

commonName String: The common name to match.

commonName string: The common name to match.

common_name str: The common name to match.

commonName String: The common name to match.

AccessApplicationPolicyIncludeDevicePosture, AccessApplicationPolicyIncludeDevicePostureArgs

IntegrationUid string: The ID of a device posture integration.

IntegrationUid string: The ID of a device posture integration.

integrationUid String: The ID of a device posture integration.

integrationUid string: The ID of a device posture integration.

integration_uid str: The ID of a device posture integration.

integrationUid String: The ID of a device posture integration.

AccessApplicationPolicyIncludeEmail, AccessApplicationPolicyIncludeEmailArgs

Email string: The email of the user.

Email string: The email of the user.

email String: The email of the user.

email string: The email of the user.

email str: The email of the user.

email String: The email of the user.

AccessApplicationPolicyIncludeEmailDomain, AccessApplicationPolicyIncludeEmailDomainArgs

Domain string: The email domain to match.

Domain string: The email domain to match.

domain String: The email domain to match.

domain string: The email domain to match.

domain str: The email domain to match.

domain String: The email domain to match.

AccessApplicationPolicyIncludeEmailList, AccessApplicationPolicyIncludeEmailListArgs

Id string: The ID of a previously created email list.

Id string: The ID of a previously created email list.

id String: The ID of a previously created email list.

id string: The ID of a previously created email list.

id str: The ID of a previously created email list.

id String: The ID of a previously created email list.

AccessApplicationPolicyIncludeExternalEvaluation, AccessApplicationPolicyIncludeExternalEvaluationArgs

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl string: The API endpoint containing your business logic.
keysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluate_url str: The API endpoint containing your business logic.
keys_url str: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

AccessApplicationPolicyIncludeGeo, AccessApplicationPolicyIncludeGeoArgs

CountryCode string: The country code that should be matched.

CountryCode string: The country code that should be matched.

countryCode String: The country code that should be matched.

countryCode string: The country code that should be matched.

country_code str: The country code that should be matched.

countryCode String: The country code that should be matched.

AccessApplicationPolicyIncludeGithubOrganization, AccessApplicationPolicyIncludeGithubOrganizationArgs

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Team string: The name of the team

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Team string: The name of the team

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
team String: The name of the team

identityProviderId string: The ID of your Github identity provider.
name string: The name of the organization.
team string: The name of the team

identity_provider_id str: The ID of your Github identity provider.
name str: The name of the organization.
team str: The name of the team

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
team String: The name of the team

AccessApplicationPolicyIncludeGroup, AccessApplicationPolicyIncludeGroupArgs

Id string: The ID of a previously created Access group.

Id string: The ID of a previously created Access group.

id String: The ID of a previously created Access group.

id string: The ID of a previously created Access group.

id str: The ID of a previously created Access group.

id String: The ID of a previously created Access group.

AccessApplicationPolicyIncludeGsuite, AccessApplicationPolicyIncludeGsuiteArgs

Email string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

Email string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

email String: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

email string: The email of the Google Workspace group.
identityProviderId string: The ID of your Google Workspace identity provider.

email str: The email of the Google Workspace group.
identity_provider_id str: The ID of your Google Workspace identity provider.

email String: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

AccessApplicationPolicyIncludeIp, AccessApplicationPolicyIncludeIpArgs

Ip string: An IPv4 or IPv6 CIDR block.

Ip string: An IPv4 or IPv6 CIDR block.

ip String: An IPv4 or IPv6 CIDR block.

ip string: An IPv4 or IPv6 CIDR block.

ip str: An IPv4 or IPv6 CIDR block.

ip String: An IPv4 or IPv6 CIDR block.

AccessApplicationPolicyIncludeIpList, AccessApplicationPolicyIncludeIpListArgs

Id string: The ID of a previously created IP list.

Id string: The ID of a previously created IP list.

id String: The ID of a previously created IP list.

id string: The ID of a previously created IP list.

id str: The ID of a previously created IP list.

id String: The ID of a previously created IP list.

AccessApplicationPolicyIncludeLinkedAppToken, AccessApplicationPolicyIncludeLinkedAppTokenArgs

AppUid string: The ID of an Access OIDC SaaS application

AppUid string: The ID of an Access OIDC SaaS application

appUid String: The ID of an Access OIDC SaaS application

appUid string: The ID of an Access OIDC SaaS application

app_uid str: The ID of an Access OIDC SaaS application

appUid String: The ID of an Access OIDC SaaS application

AccessApplicationPolicyIncludeLoginMethod, AccessApplicationPolicyIncludeLoginMethodArgs

Id string: The ID of an identity provider.

Id string: The ID of an identity provider.

id String: The ID of an identity provider.

id string: The ID of an identity provider.

id str: The ID of an identity provider.

id String: The ID of an identity provider.

AccessApplicationPolicyIncludeOidc, AccessApplicationPolicyIncludeOidcArgs

ClaimName string: The name of the OIDC claim.
ClaimValue string: The OIDC claim value to look for.
IdentityProviderId string: The ID of your OIDC identity provider.

ClaimName string: The name of the OIDC claim.
ClaimValue string: The OIDC claim value to look for.
IdentityProviderId string: The ID of your OIDC identity provider.

claimName String: The name of the OIDC claim.
claimValue String: The OIDC claim value to look for.
identityProviderId String: The ID of your OIDC identity provider.

claimName string: The name of the OIDC claim.
claimValue string: The OIDC claim value to look for.
identityProviderId string: The ID of your OIDC identity provider.

claim_name str: The name of the OIDC claim.
claim_value str: The OIDC claim value to look for.
identity_provider_id str: The ID of your OIDC identity provider.

claimName String: The name of the OIDC claim.
claimValue String: The OIDC claim value to look for.
identityProviderId String: The ID of your OIDC identity provider.

AccessApplicationPolicyIncludeOkta, AccessApplicationPolicyIncludeOktaArgs

IdentityProviderId string: The ID of your Okta identity provider.
Name string: The name of the Okta group.

IdentityProviderId string: The ID of your Okta identity provider.
Name string: The name of the Okta group.

identityProviderId String: The ID of your Okta identity provider.
name String: The name of the Okta group.

identityProviderId string: The ID of your Okta identity provider.
name string: The name of the Okta group.

identity_provider_id str: The ID of your Okta identity provider.
name str: The name of the Okta group.

identityProviderId String: The ID of your Okta identity provider.
name String: The name of the Okta group.

AccessApplicationPolicyIncludeSaml, AccessApplicationPolicyIncludeSamlArgs

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

attributeName string: The name of the SAML attribute.
attributeValue string: The SAML attribute value to look for.
identityProviderId string: The ID of your SAML identity provider.

attribute_name str: The name of the SAML attribute.
attribute_value str: The SAML attribute value to look for.
identity_provider_id str: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

AccessApplicationPolicyIncludeServiceToken, AccessApplicationPolicyIncludeServiceTokenArgs

TokenId string: The ID of a Service Token.

TokenId string: The ID of a Service Token.

tokenId String: The ID of a Service Token.

tokenId string: The ID of a Service Token.

token_id str: The ID of a Service Token.

tokenId String: The ID of a Service Token.

AccessApplicationPolicyRequire, AccessApplicationPolicyRequireArgs

AnyValidServiceToken AccessApplicationPolicyRequireAnyValidServiceToken: An empty object which matches on all service tokens.
AuthContext AccessApplicationPolicyRequireAuthContext
AuthMethod AccessApplicationPolicyRequireAuthMethod
AzureAd AccessApplicationPolicyRequireAzureAd
Certificate AccessApplicationPolicyRequireCertificate
CommonName AccessApplicationPolicyRequireCommonName
DevicePosture AccessApplicationPolicyRequireDevicePosture
Email AccessApplicationPolicyRequireEmail
EmailDomain AccessApplicationPolicyRequireEmailDomain
EmailList AccessApplicationPolicyRequireEmailList
Everyone AccessApplicationPolicyRequireEveryone: An empty object which matches on all users.
ExternalEvaluation AccessApplicationPolicyRequireExternalEvaluation
Geo AccessApplicationPolicyRequireGeo
GithubOrganization AccessApplicationPolicyRequireGithubOrganization
Group AccessApplicationPolicyRequireGroup
Gsuite AccessApplicationPolicyRequireGsuite
Ip AccessApplicationPolicyRequireIp
IpList AccessApplicationPolicyRequireIpList
LinkedAppToken AccessApplicationPolicyRequireLinkedAppToken
LoginMethod AccessApplicationPolicyRequireLoginMethod
Oidc AccessApplicationPolicyRequireOidc
Okta AccessApplicationPolicyRequireOkta
Saml AccessApplicationPolicyRequireSaml
ServiceToken AccessApplicationPolicyRequireServiceToken

AnyValidServiceToken AccessApplicationPolicyRequireAnyValidServiceToken: An empty object which matches on all service tokens.
AuthContext AccessApplicationPolicyRequireAuthContext
AuthMethod AccessApplicationPolicyRequireAuthMethod
AzureAd AccessApplicationPolicyRequireAzureAd
Certificate AccessApplicationPolicyRequireCertificate
CommonName AccessApplicationPolicyRequireCommonName
DevicePosture AccessApplicationPolicyRequireDevicePosture
Email AccessApplicationPolicyRequireEmail
EmailDomain AccessApplicationPolicyRequireEmailDomain
EmailList AccessApplicationPolicyRequireEmailList
Everyone AccessApplicationPolicyRequireEveryone: An empty object which matches on all users.
ExternalEvaluation AccessApplicationPolicyRequireExternalEvaluation
Geo AccessApplicationPolicyRequireGeo
GithubOrganization AccessApplicationPolicyRequireGithubOrganization
Group AccessApplicationPolicyRequireGroup
Gsuite AccessApplicationPolicyRequireGsuite
Ip AccessApplicationPolicyRequireIp
IpList AccessApplicationPolicyRequireIpList
LinkedAppToken AccessApplicationPolicyRequireLinkedAppToken
LoginMethod AccessApplicationPolicyRequireLoginMethod
Oidc AccessApplicationPolicyRequireOidc
Okta AccessApplicationPolicyRequireOkta
Saml AccessApplicationPolicyRequireSaml
ServiceToken AccessApplicationPolicyRequireServiceToken

anyValidServiceToken AccessApplicationPolicyRequireAnyValidServiceToken: An empty object which matches on all service tokens.
authContext AccessApplicationPolicyRequireAuthContext
authMethod AccessApplicationPolicyRequireAuthMethod
azureAd AccessApplicationPolicyRequireAzureAd
certificate AccessApplicationPolicyRequireCertificate
commonName AccessApplicationPolicyRequireCommonName
devicePosture AccessApplicationPolicyRequireDevicePosture
email AccessApplicationPolicyRequireEmail
emailDomain AccessApplicationPolicyRequireEmailDomain
emailList AccessApplicationPolicyRequireEmailList
everyone AccessApplicationPolicyRequireEveryone: An empty object which matches on all users.
externalEvaluation AccessApplicationPolicyRequireExternalEvaluation
geo AccessApplicationPolicyRequireGeo
githubOrganization AccessApplicationPolicyRequireGithubOrganization
group AccessApplicationPolicyRequireGroup
gsuite AccessApplicationPolicyRequireGsuite
ip AccessApplicationPolicyRequireIp
ipList AccessApplicationPolicyRequireIpList
linkedAppToken AccessApplicationPolicyRequireLinkedAppToken
loginMethod AccessApplicationPolicyRequireLoginMethod
oidc AccessApplicationPolicyRequireOidc
okta AccessApplicationPolicyRequireOkta
saml AccessApplicationPolicyRequireSaml
serviceToken AccessApplicationPolicyRequireServiceToken

anyValidServiceToken AccessApplicationPolicyRequireAnyValidServiceToken: An empty object which matches on all service tokens.
authContext AccessApplicationPolicyRequireAuthContext
authMethod AccessApplicationPolicyRequireAuthMethod
azureAd AccessApplicationPolicyRequireAzureAd
certificate AccessApplicationPolicyRequireCertificate
commonName AccessApplicationPolicyRequireCommonName
devicePosture AccessApplicationPolicyRequireDevicePosture
email AccessApplicationPolicyRequireEmail
emailDomain AccessApplicationPolicyRequireEmailDomain
emailList AccessApplicationPolicyRequireEmailList
everyone AccessApplicationPolicyRequireEveryone: An empty object which matches on all users.
externalEvaluation AccessApplicationPolicyRequireExternalEvaluation
geo AccessApplicationPolicyRequireGeo
githubOrganization AccessApplicationPolicyRequireGithubOrganization
group AccessApplicationPolicyRequireGroup
gsuite AccessApplicationPolicyRequireGsuite
ip AccessApplicationPolicyRequireIp
ipList AccessApplicationPolicyRequireIpList
linkedAppToken AccessApplicationPolicyRequireLinkedAppToken
loginMethod AccessApplicationPolicyRequireLoginMethod
oidc AccessApplicationPolicyRequireOidc
okta AccessApplicationPolicyRequireOkta
saml AccessApplicationPolicyRequireSaml
serviceToken AccessApplicationPolicyRequireServiceToken

any_valid_service_token AccessApplicationPolicyRequireAnyValidServiceToken: An empty object which matches on all service tokens.
auth_context AccessApplicationPolicyRequireAuthContext
auth_method AccessApplicationPolicyRequireAuthMethod
azure_ad AccessApplicationPolicyRequireAzureAd
certificate AccessApplicationPolicyRequireCertificate
common_name AccessApplicationPolicyRequireCommonName
device_posture AccessApplicationPolicyRequireDevicePosture
email AccessApplicationPolicyRequireEmail
email_domain AccessApplicationPolicyRequireEmailDomain
email_list AccessApplicationPolicyRequireEmailList
everyone AccessApplicationPolicyRequireEveryone: An empty object which matches on all users.
external_evaluation AccessApplicationPolicyRequireExternalEvaluation
geo AccessApplicationPolicyRequireGeo
github_organization AccessApplicationPolicyRequireGithubOrganization
group AccessApplicationPolicyRequireGroup
gsuite AccessApplicationPolicyRequireGsuite
ip AccessApplicationPolicyRequireIp
ip_list AccessApplicationPolicyRequireIpList
linked_app_token AccessApplicationPolicyRequireLinkedAppToken
login_method AccessApplicationPolicyRequireLoginMethod
oidc AccessApplicationPolicyRequireOidc
okta AccessApplicationPolicyRequireOkta
saml AccessApplicationPolicyRequireSaml
service_token AccessApplicationPolicyRequireServiceToken

anyValidServiceToken Property Map: An empty object which matches on all service tokens.
authContext Property Map
authMethod Property Map
azureAd Property Map
certificate Property Map
commonName Property Map
devicePosture Property Map
email Property Map
emailDomain Property Map
emailList Property Map
everyone Property Map: An empty object which matches on all users.
externalEvaluation Property Map
geo Property Map
githubOrganization Property Map
group Property Map
gsuite Property Map
ip Property Map
ipList Property Map
linkedAppToken Property Map
loginMethod Property Map
oidc Property Map
okta Property Map
saml Property Map
serviceToken Property Map

AccessApplicationPolicyRequireAuthContext, AccessApplicationPolicyRequireAuthContextArgs

AcId string: The ACID of an Authentication context.
Id string: The ID of an Authentication context.
IdentityProviderId string: The ID of your Azure identity provider.

AcId string: The ACID of an Authentication context.
Id string: The ID of an Authentication context.
IdentityProviderId string: The ID of your Azure identity provider.

acId String: The ACID of an Authentication context.
id String: The ID of an Authentication context.
identityProviderId String: The ID of your Azure identity provider.

acId string: The ACID of an Authentication context.
id string: The ID of an Authentication context.
identityProviderId string: The ID of your Azure identity provider.

ac_id str: The ACID of an Authentication context.
id str: The ID of an Authentication context.
identity_provider_id str: The ID of your Azure identity provider.

acId String: The ACID of an Authentication context.
id String: The ID of an Authentication context.
identityProviderId String: The ID of your Azure identity provider.

AccessApplicationPolicyRequireAuthMethod, AccessApplicationPolicyRequireAuthMethodArgs

AuthMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AuthMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod String: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod string: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

auth_method str: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

authMethod String: The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AccessApplicationPolicyRequireAzureAd, AccessApplicationPolicyRequireAzureAdArgs

Id string: The ID of an Azure group.
IdentityProviderId string: The ID of your Azure identity provider.

Id string: The ID of an Azure group.
IdentityProviderId string: The ID of your Azure identity provider.

id String: The ID of an Azure group.
identityProviderId String: The ID of your Azure identity provider.

id string: The ID of an Azure group.
identityProviderId string: The ID of your Azure identity provider.

id str: The ID of an Azure group.
identity_provider_id str: The ID of your Azure identity provider.

id String: The ID of an Azure group.
identityProviderId String: The ID of your Azure identity provider.

AccessApplicationPolicyRequireCommonName, AccessApplicationPolicyRequireCommonNameArgs

CommonName string: The common name to match.

CommonName string: The common name to match.

commonName String: The common name to match.

commonName string: The common name to match.

common_name str: The common name to match.

commonName String: The common name to match.

AccessApplicationPolicyRequireDevicePosture, AccessApplicationPolicyRequireDevicePostureArgs

IntegrationUid string: The ID of a device posture integration.

IntegrationUid string: The ID of a device posture integration.

integrationUid String: The ID of a device posture integration.

integrationUid string: The ID of a device posture integration.

integration_uid str: The ID of a device posture integration.

integrationUid String: The ID of a device posture integration.

AccessApplicationPolicyRequireEmail, AccessApplicationPolicyRequireEmailArgs

Email string: The email of the user.

Email string: The email of the user.

email String: The email of the user.

email string: The email of the user.

email str: The email of the user.

email String: The email of the user.

AccessApplicationPolicyRequireEmailDomain, AccessApplicationPolicyRequireEmailDomainArgs

Domain string: The email domain to match.

Domain string: The email domain to match.

domain String: The email domain to match.

domain string: The email domain to match.

domain str: The email domain to match.

domain String: The email domain to match.

AccessApplicationPolicyRequireEmailList, AccessApplicationPolicyRequireEmailListArgs

Id string: The ID of a previously created email list.

Id string: The ID of a previously created email list.

id String: The ID of a previously created email list.

id string: The ID of a previously created email list.

id str: The ID of a previously created email list.

id String: The ID of a previously created email list.

AccessApplicationPolicyRequireExternalEvaluation, AccessApplicationPolicyRequireExternalEvaluationArgs

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl string: The API endpoint containing your business logic.
keysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluate_url str: The API endpoint containing your business logic.
keys_url str: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

AccessApplicationPolicyRequireGeo, AccessApplicationPolicyRequireGeoArgs

CountryCode string: The country code that should be matched.

CountryCode string: The country code that should be matched.

countryCode String: The country code that should be matched.

countryCode string: The country code that should be matched.

country_code str: The country code that should be matched.

countryCode String: The country code that should be matched.

AccessApplicationPolicyRequireGithubOrganization, AccessApplicationPolicyRequireGithubOrganizationArgs

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Team string: The name of the team

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Team string: The name of the team

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
team String: The name of the team

identityProviderId string: The ID of your Github identity provider.
name string: The name of the organization.
team string: The name of the team

identity_provider_id str: The ID of your Github identity provider.
name str: The name of the organization.
team str: The name of the team

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
team String: The name of the team

AccessApplicationPolicyRequireGroup, AccessApplicationPolicyRequireGroupArgs

Id string: The ID of a previously created Access group.

Id string: The ID of a previously created Access group.

id String: The ID of a previously created Access group.

id string: The ID of a previously created Access group.

id str: The ID of a previously created Access group.

id String: The ID of a previously created Access group.

AccessApplicationPolicyRequireGsuite, AccessApplicationPolicyRequireGsuiteArgs

Email string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

Email string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

email String: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

email string: The email of the Google Workspace group.
identityProviderId string: The ID of your Google Workspace identity provider.

email str: The email of the Google Workspace group.
identity_provider_id str: The ID of your Google Workspace identity provider.

email String: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

AccessApplicationPolicyRequireIp, AccessApplicationPolicyRequireIpArgs

Ip string: An IPv4 or IPv6 CIDR block.

Ip string: An IPv4 or IPv6 CIDR block.

ip String: An IPv4 or IPv6 CIDR block.

ip string: An IPv4 or IPv6 CIDR block.

ip str: An IPv4 or IPv6 CIDR block.

ip String: An IPv4 or IPv6 CIDR block.

AccessApplicationPolicyRequireIpList, AccessApplicationPolicyRequireIpListArgs

Id string: The ID of a previously created IP list.

Id string: The ID of a previously created IP list.

id String: The ID of a previously created IP list.

id string: The ID of a previously created IP list.

id str: The ID of a previously created IP list.

id String: The ID of a previously created IP list.

AccessApplicationPolicyRequireLinkedAppToken, AccessApplicationPolicyRequireLinkedAppTokenArgs

AppUid string: The ID of an Access OIDC SaaS application

AppUid string: The ID of an Access OIDC SaaS application

appUid String: The ID of an Access OIDC SaaS application

appUid string: The ID of an Access OIDC SaaS application

app_uid str: The ID of an Access OIDC SaaS application

appUid String: The ID of an Access OIDC SaaS application

AccessApplicationPolicyRequireLoginMethod, AccessApplicationPolicyRequireLoginMethodArgs

Id string: The ID of an identity provider.

Id string: The ID of an identity provider.

id String: The ID of an identity provider.

id string: The ID of an identity provider.

id str: The ID of an identity provider.

id String: The ID of an identity provider.

AccessApplicationPolicyRequireOidc, AccessApplicationPolicyRequireOidcArgs

ClaimName string: The name of the OIDC claim.
ClaimValue string: The OIDC claim value to look for.
IdentityProviderId string: The ID of your OIDC identity provider.

ClaimName string: The name of the OIDC claim.
ClaimValue string: The OIDC claim value to look for.
IdentityProviderId string: The ID of your OIDC identity provider.

claimName String: The name of the OIDC claim.
claimValue String: The OIDC claim value to look for.
identityProviderId String: The ID of your OIDC identity provider.

claimName string: The name of the OIDC claim.
claimValue string: The OIDC claim value to look for.
identityProviderId string: The ID of your OIDC identity provider.

claim_name str: The name of the OIDC claim.
claim_value str: The OIDC claim value to look for.
identity_provider_id str: The ID of your OIDC identity provider.

claimName String: The name of the OIDC claim.
claimValue String: The OIDC claim value to look for.
identityProviderId String: The ID of your OIDC identity provider.

AccessApplicationPolicyRequireOkta, AccessApplicationPolicyRequireOktaArgs

IdentityProviderId string: The ID of your Okta identity provider.
Name string: The name of the Okta group.

IdentityProviderId string: The ID of your Okta identity provider.
Name string: The name of the Okta group.

identityProviderId String: The ID of your Okta identity provider.
name String: The name of the Okta group.

identityProviderId string: The ID of your Okta identity provider.
name string: The name of the Okta group.

identity_provider_id str: The ID of your Okta identity provider.
name str: The name of the Okta group.

identityProviderId String: The ID of your Okta identity provider.
name String: The name of the Okta group.

AccessApplicationPolicyRequireSaml, AccessApplicationPolicyRequireSamlArgs

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

attributeName string: The name of the SAML attribute.
attributeValue string: The SAML attribute value to look for.
identityProviderId string: The ID of your SAML identity provider.

attribute_name str: The name of the SAML attribute.
attribute_value str: The SAML attribute value to look for.
identity_provider_id str: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

AccessApplicationPolicyRequireServiceToken, AccessApplicationPolicyRequireServiceTokenArgs

TokenId string: The ID of a Service Token.

TokenId string: The ID of a Service Token.

tokenId String: The ID of a Service Token.

tokenId string: The ID of a Service Token.

token_id str: The ID of a Service Token.

tokenId String: The ID of a Service Token.

AccessApplicationSaasApp, AccessApplicationSaasAppArgs

AccessTokenLifetime string: The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
AllowPkceWithoutClientSecret bool: If client secret should be required on the token endpoint when authorizationcodewith_pkce grant is used.
AppLauncherUrl string: The URL where this applications tile redirects users
AuthType string: Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" Available values: "saml", "oidc".
ClientId string: The application client id
ClientSecret string: The application client secret, only returned on POST request.
ConsumerServiceUrl string: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes List<AccessApplicationSaasAppCustomAttribute>
CustomClaims List<AccessApplicationSaasAppCustomClaim>
DefaultRelayState string: The URL that the user will be redirected to after a successful login for IDP initiated logins.
GrantTypes List<string>: The OIDC flows supported by this application
GroupFilterRegex string: A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
HybridAndImplicitOptions AccessApplicationSaasAppHybridAndImplicitOptions
IdpEntityId string: The unique identifier for your SaaS application.
NameIdFormat string: The format of the name identifier sent to the SaaS application. Available values: "id", "email".
NameIdTransformJsonata string: A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
PublicKey string: The Access public certificate that will be used to verify your identity.
RedirectUris List<string>: The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens
RefreshTokenOptions AccessApplicationSaasAppRefreshTokenOptions
SamlAttributeTransformJsonata string: A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the samlattributes or oidcfields of the identity provider used to authenticate. The output of this expression must be a JSON object.
Scopes List<string>: Define the user information shared with access, <span pulumi-lang-nodejs=""offlineAccess"" pulumi-lang-dotnet=""OfflineAccess"" pulumi-lang-go=""offlineAccess"" pulumi-lang-python=""offline_access"" pulumi-lang-yaml=""offlineAccess"" pulumi-lang-java=""offlineAccess"">"offline_access" scope will be automatically enabled if refresh tokens are enabled
SpEntityId string: A globally unique name for an identity or service provider.
SsoEndpoint string: The endpoint where your SaaS application will send login requests.

AccessTokenLifetime string: The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
AllowPkceWithoutClientSecret bool: If client secret should be required on the token endpoint when authorizationcodewith_pkce grant is used.
AppLauncherUrl string: The URL where this applications tile redirects users
AuthType string: Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" Available values: "saml", "oidc".
ClientId string: The application client id
ClientSecret string: The application client secret, only returned on POST request.
ConsumerServiceUrl string: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes []AccessApplicationSaasAppCustomAttribute
CustomClaims []AccessApplicationSaasAppCustomClaim
DefaultRelayState string: The URL that the user will be redirected to after a successful login for IDP initiated logins.
GrantTypes []string: The OIDC flows supported by this application
GroupFilterRegex string: A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
HybridAndImplicitOptions AccessApplicationSaasAppHybridAndImplicitOptions
IdpEntityId string: The unique identifier for your SaaS application.
NameIdFormat string: The format of the name identifier sent to the SaaS application. Available values: "id", "email".
NameIdTransformJsonata string: A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
PublicKey string: The Access public certificate that will be used to verify your identity.
RedirectUris []string: The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens
RefreshTokenOptions AccessApplicationSaasAppRefreshTokenOptions
SamlAttributeTransformJsonata string: A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the samlattributes or oidcfields of the identity provider used to authenticate. The output of this expression must be a JSON object.
Scopes []string: Define the user information shared with access, <span pulumi-lang-nodejs=""offlineAccess"" pulumi-lang-dotnet=""OfflineAccess"" pulumi-lang-go=""offlineAccess"" pulumi-lang-python=""offline_access"" pulumi-lang-yaml=""offlineAccess"" pulumi-lang-java=""offlineAccess"">"offline_access" scope will be automatically enabled if refresh tokens are enabled
SpEntityId string: A globally unique name for an identity or service provider.
SsoEndpoint string: The endpoint where your SaaS application will send login requests.

accessTokenLifetime String: The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
allowPkceWithoutClientSecret Boolean: If client secret should be required on the token endpoint when authorizationcodewith_pkce grant is used.
appLauncherUrl String: The URL where this applications tile redirects users
authType String: Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" Available values: "saml", "oidc".
clientId String: The application client id
clientSecret String: The application client secret, only returned on POST request.
consumerServiceUrl String: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
customAttributes List<AccessApplicationSaasAppCustomAttribute>
customClaims List<AccessApplicationSaasAppCustomClaim>
defaultRelayState String: The URL that the user will be redirected to after a successful login for IDP initiated logins.
grantTypes List<String>: The OIDC flows supported by this application
groupFilterRegex String: A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
hybridAndImplicitOptions AccessApplicationSaasAppHybridAndImplicitOptions
idpEntityId String: The unique identifier for your SaaS application.
nameIdFormat String: The format of the name identifier sent to the SaaS application. Available values: "id", "email".
nameIdTransformJsonata String: A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
publicKey String: The Access public certificate that will be used to verify your identity.
redirectUris List<String>: The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens
refreshTokenOptions AccessApplicationSaasAppRefreshTokenOptions
samlAttributeTransformJsonata String: A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the samlattributes or oidcfields of the identity provider used to authenticate. The output of this expression must be a JSON object.
scopes List<String>: Define the user information shared with access, <span pulumi-lang-nodejs=""offlineAccess"" pulumi-lang-dotnet=""OfflineAccess"" pulumi-lang-go=""offlineAccess"" pulumi-lang-python=""offline_access"" pulumi-lang-yaml=""offlineAccess"" pulumi-lang-java=""offlineAccess"">"offline_access" scope will be automatically enabled if refresh tokens are enabled
spEntityId String: A globally unique name for an identity or service provider.
ssoEndpoint String: The endpoint where your SaaS application will send login requests.

accessTokenLifetime string: The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
allowPkceWithoutClientSecret boolean: If client secret should be required on the token endpoint when authorizationcodewith_pkce grant is used.
appLauncherUrl string: The URL where this applications tile redirects users
authType string: Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" Available values: "saml", "oidc".
clientId string: The application client id
clientSecret string: The application client secret, only returned on POST request.
consumerServiceUrl string: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
customAttributes AccessApplicationSaasAppCustomAttribute[]
customClaims AccessApplicationSaasAppCustomClaim[]
defaultRelayState string: The URL that the user will be redirected to after a successful login for IDP initiated logins.
grantTypes string[]: The OIDC flows supported by this application
groupFilterRegex string: A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
hybridAndImplicitOptions AccessApplicationSaasAppHybridAndImplicitOptions
idpEntityId string: The unique identifier for your SaaS application.
nameIdFormat string: The format of the name identifier sent to the SaaS application. Available values: "id", "email".
nameIdTransformJsonata string: A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
publicKey string: The Access public certificate that will be used to verify your identity.
redirectUris string[]: The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens
refreshTokenOptions AccessApplicationSaasAppRefreshTokenOptions
samlAttributeTransformJsonata string: A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the samlattributes or oidcfields of the identity provider used to authenticate. The output of this expression must be a JSON object.
scopes string[]: Define the user information shared with access, <span pulumi-lang-nodejs=""offlineAccess"" pulumi-lang-dotnet=""OfflineAccess"" pulumi-lang-go=""offlineAccess"" pulumi-lang-python=""offline_access"" pulumi-lang-yaml=""offlineAccess"" pulumi-lang-java=""offlineAccess"">"offline_access" scope will be automatically enabled if refresh tokens are enabled
spEntityId string: A globally unique name for an identity or service provider.
ssoEndpoint string: The endpoint where your SaaS application will send login requests.

access_token_lifetime str: The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
allow_pkce_without_client_secret bool: If client secret should be required on the token endpoint when authorizationcodewith_pkce grant is used.
app_launcher_url str: The URL where this applications tile redirects users
auth_type str: Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" Available values: "saml", "oidc".
client_id str: The application client id
client_secret str: The application client secret, only returned on POST request.
consumer_service_url str: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
custom_attributes Sequence[AccessApplicationSaasAppCustomAttribute]
custom_claims Sequence[AccessApplicationSaasAppCustomClaim]
default_relay_state str: The URL that the user will be redirected to after a successful login for IDP initiated logins.
grant_types Sequence[str]: The OIDC flows supported by this application
group_filter_regex str: A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
hybrid_and_implicit_options AccessApplicationSaasAppHybridAndImplicitOptions
idp_entity_id str: The unique identifier for your SaaS application.
name_id_format str: The format of the name identifier sent to the SaaS application. Available values: "id", "email".
name_id_transform_jsonata str: A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
public_key str: The Access public certificate that will be used to verify your identity.
redirect_uris Sequence[str]: The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens
refresh_token_options AccessApplicationSaasAppRefreshTokenOptions
saml_attribute_transform_jsonata str: A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the samlattributes or oidcfields of the identity provider used to authenticate. The output of this expression must be a JSON object.
scopes Sequence[str]: Define the user information shared with access, <span pulumi-lang-nodejs=""offlineAccess"" pulumi-lang-dotnet=""OfflineAccess"" pulumi-lang-go=""offlineAccess"" pulumi-lang-python=""offline_access"" pulumi-lang-yaml=""offlineAccess"" pulumi-lang-java=""offlineAccess"">"offline_access" scope will be automatically enabled if refresh tokens are enabled
sp_entity_id str: A globally unique name for an identity or service provider.
sso_endpoint str: The endpoint where your SaaS application will send login requests.

accessTokenLifetime String: The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
allowPkceWithoutClientSecret Boolean: If client secret should be required on the token endpoint when authorizationcodewith_pkce grant is used.
appLauncherUrl String: The URL where this applications tile redirects users
authType String: Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" Available values: "saml", "oidc".
clientId String: The application client id
clientSecret String: The application client secret, only returned on POST request.
consumerServiceUrl String: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
customAttributes List<Property Map>
customClaims List<Property Map>
defaultRelayState String: The URL that the user will be redirected to after a successful login for IDP initiated logins.
grantTypes List<String>: The OIDC flows supported by this application
groupFilterRegex String: A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
hybridAndImplicitOptions Property Map
idpEntityId String: The unique identifier for your SaaS application.
nameIdFormat String: The format of the name identifier sent to the SaaS application. Available values: "id", "email".
nameIdTransformJsonata String: A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
publicKey String: The Access public certificate that will be used to verify your identity.
redirectUris List<String>: The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens
refreshTokenOptions Property Map
samlAttributeTransformJsonata String: A JSONata expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the samlattributes or oidcfields of the identity provider used to authenticate. The output of this expression must be a JSON object.
scopes List<String>: Define the user information shared with access, <span pulumi-lang-nodejs=""offlineAccess"" pulumi-lang-dotnet=""OfflineAccess"" pulumi-lang-go=""offlineAccess"" pulumi-lang-python=""offline_access"" pulumi-lang-yaml=""offlineAccess"" pulumi-lang-java=""offlineAccess"">"offline_access" scope will be automatically enabled if refresh tokens are enabled
spEntityId String: A globally unique name for an identity or service provider.
ssoEndpoint String: The endpoint where your SaaS application will send login requests.

AccessApplicationSaasAppCustomAttribute, AccessApplicationSaasAppCustomAttributeArgs

FriendlyName string: The SAML FriendlyName of the attribute.
Name string: The name of the attribute.
NameFormat string: A globally unique name for an identity or service provider. Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".
Required bool: If the attribute is required when building a SAML assertion.
Source AccessApplicationSaasAppCustomAttributeSource

FriendlyName string: The SAML FriendlyName of the attribute.
Name string: The name of the attribute.
NameFormat string: A globally unique name for an identity or service provider. Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".
Required bool: If the attribute is required when building a SAML assertion.
Source AccessApplicationSaasAppCustomAttributeSource

friendlyName String: The SAML FriendlyName of the attribute.
name String: The name of the attribute.
nameFormat String: A globally unique name for an identity or service provider. Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".
required Boolean: If the attribute is required when building a SAML assertion.
source AccessApplicationSaasAppCustomAttributeSource

friendlyName string: The SAML FriendlyName of the attribute.
name string: The name of the attribute.
nameFormat string: A globally unique name for an identity or service provider. Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".
required boolean: If the attribute is required when building a SAML assertion.
source AccessApplicationSaasAppCustomAttributeSource

friendly_name str: The SAML FriendlyName of the attribute.
name str: The name of the attribute.
name_format str: A globally unique name for an identity or service provider. Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".
required bool: If the attribute is required when building a SAML assertion.
source AccessApplicationSaasAppCustomAttributeSource

friendlyName String: The SAML FriendlyName of the attribute.
name String: The name of the attribute.
nameFormat String: A globally unique name for an identity or service provider. Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".
required Boolean: If the attribute is required when building a SAML assertion.
source Property Map

AccessApplicationSaasAppCustomAttributeSource, AccessApplicationSaasAppCustomAttributeSourceArgs

Name string: The name of the IdP attribute.
NameByIdps List<AccessApplicationSaasAppCustomAttributeSourceNameByIdp>: A mapping from IdP ID to attribute name.

Name string: The name of the IdP attribute.
NameByIdps []AccessApplicationSaasAppCustomAttributeSourceNameByIdp: A mapping from IdP ID to attribute name.

name String: The name of the IdP attribute.
nameByIdps List<AccessApplicationSaasAppCustomAttributeSourceNameByIdp>: A mapping from IdP ID to attribute name.

name string: The name of the IdP attribute.
nameByIdps AccessApplicationSaasAppCustomAttributeSourceNameByIdp[]: A mapping from IdP ID to attribute name.

name str: The name of the IdP attribute.
name_by_idps Sequence[AccessApplicationSaasAppCustomAttributeSourceNameByIdp]: A mapping from IdP ID to attribute name.

name String: The name of the IdP attribute.
nameByIdps List<Property Map>: A mapping from IdP ID to attribute name.

AccessApplicationSaasAppCustomAttributeSourceNameByIdp, AccessApplicationSaasAppCustomAttributeSourceNameByIdpArgs

IdpId string: The UID of the IdP.
SourceName string: The name of the IdP provided attribute.

IdpId string: The UID of the IdP.
SourceName string: The name of the IdP provided attribute.

idpId String: The UID of the IdP.
sourceName String: The name of the IdP provided attribute.

idpId string: The UID of the IdP.
sourceName string: The name of the IdP provided attribute.

idp_id str: The UID of the IdP.
source_name str: The name of the IdP provided attribute.

idpId String: The UID of the IdP.
sourceName String: The name of the IdP provided attribute.

AccessApplicationSaasAppCustomClaim, AccessApplicationSaasAppCustomClaimArgs

Name string: The name of the claim.
Required bool: If the claim is required when building an OIDC token.
Scope string: The scope of the claim. Available values: "groups", "profile", "email", "openid".
Source AccessApplicationSaasAppCustomClaimSource

Name string: The name of the claim.
Required bool: If the claim is required when building an OIDC token.
Scope string: The scope of the claim. Available values: "groups", "profile", "email", "openid".
Source AccessApplicationSaasAppCustomClaimSource

name String: The name of the claim.
required Boolean: If the claim is required when building an OIDC token.
scope String: The scope of the claim. Available values: "groups", "profile", "email", "openid".
source AccessApplicationSaasAppCustomClaimSource

name string: The name of the claim.
required boolean: If the claim is required when building an OIDC token.
scope string: The scope of the claim. Available values: "groups", "profile", "email", "openid".
source AccessApplicationSaasAppCustomClaimSource

name str: The name of the claim.
required bool: If the claim is required when building an OIDC token.
scope str: The scope of the claim. Available values: "groups", "profile", "email", "openid".
source AccessApplicationSaasAppCustomClaimSource

name String: The name of the claim.
required Boolean: If the claim is required when building an OIDC token.
scope String: The scope of the claim. Available values: "groups", "profile", "email", "openid".
source Property Map

AccessApplicationSaasAppCustomClaimSource, AccessApplicationSaasAppCustomClaimSourceArgs

Name string: The name of the IdP claim.
NameByIdp Dictionary<string, string>: A mapping from IdP ID to claim name.

Name string: The name of the IdP claim.
NameByIdp map[string]string: A mapping from IdP ID to claim name.

name String: The name of the IdP claim.
nameByIdp Map<String,String>: A mapping from IdP ID to claim name.

name string: The name of the IdP claim.
nameByIdp {[key: string]: string}: A mapping from IdP ID to claim name.

name str: The name of the IdP claim.
name_by_idp Mapping[str, str]: A mapping from IdP ID to claim name.

name String: The name of the IdP claim.
nameByIdp Map<String>: A mapping from IdP ID to claim name.

AccessApplicationSaasAppHybridAndImplicitOptions, AccessApplicationSaasAppHybridAndImplicitOptionsArgs

ReturnAccessTokenFromAuthorizationEndpoint bool: If an Access Token should be returned from the OIDC Authorization endpoint
ReturnIdTokenFromAuthorizationEndpoint bool: If an ID Token should be returned from the OIDC Authorization endpoint

ReturnAccessTokenFromAuthorizationEndpoint bool: If an Access Token should be returned from the OIDC Authorization endpoint
ReturnIdTokenFromAuthorizationEndpoint bool: If an ID Token should be returned from the OIDC Authorization endpoint

returnAccessTokenFromAuthorizationEndpoint Boolean: If an Access Token should be returned from the OIDC Authorization endpoint
returnIdTokenFromAuthorizationEndpoint Boolean: If an ID Token should be returned from the OIDC Authorization endpoint

returnAccessTokenFromAuthorizationEndpoint boolean: If an Access Token should be returned from the OIDC Authorization endpoint
returnIdTokenFromAuthorizationEndpoint boolean: If an ID Token should be returned from the OIDC Authorization endpoint

return_access_token_from_authorization_endpoint bool: If an Access Token should be returned from the OIDC Authorization endpoint
return_id_token_from_authorization_endpoint bool: If an ID Token should be returned from the OIDC Authorization endpoint

returnAccessTokenFromAuthorizationEndpoint Boolean: If an Access Token should be returned from the OIDC Authorization endpoint
returnIdTokenFromAuthorizationEndpoint Boolean: If an ID Token should be returned from the OIDC Authorization endpoint

AccessApplicationSaasAppRefreshTokenOptions, AccessApplicationSaasAppRefreshTokenOptionsArgs

Lifetime string: How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

Lifetime string: How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

lifetime String: How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

lifetime string: How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

lifetime str: How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

lifetime String: How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

AccessApplicationScimConfig, AccessApplicationScimConfigArgs

IdpUid string: The UID of the IdP to use as the source for SCIM resources to provision to this application.
RemoteUri string: The base URI for the application's SCIM-compatible API.
Authentication AccessApplicationScimConfigAuthentication: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
DeactivateOnDelete bool: If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
Enabled bool: Whether SCIM provisioning is turned on for this application.
Mappings List<AccessApplicationScimConfigMapping>: A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

IdpUid string: The UID of the IdP to use as the source for SCIM resources to provision to this application.
RemoteUri string: The base URI for the application's SCIM-compatible API.
Authentication AccessApplicationScimConfigAuthentication: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
DeactivateOnDelete bool: If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
Enabled bool: Whether SCIM provisioning is turned on for this application.
Mappings []AccessApplicationScimConfigMapping: A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

idpUid String: The UID of the IdP to use as the source for SCIM resources to provision to this application.
remoteUri String: The base URI for the application's SCIM-compatible API.
authentication AccessApplicationScimConfigAuthentication: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
deactivateOnDelete Boolean: If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
enabled Boolean: Whether SCIM provisioning is turned on for this application.
mappings List<AccessApplicationScimConfigMapping>: A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

idpUid string: The UID of the IdP to use as the source for SCIM resources to provision to this application.
remoteUri string: The base URI for the application's SCIM-compatible API.
authentication AccessApplicationScimConfigAuthentication: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
deactivateOnDelete boolean: If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
enabled boolean: Whether SCIM provisioning is turned on for this application.
mappings AccessApplicationScimConfigMapping[]: A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

idp_uid str: The UID of the IdP to use as the source for SCIM resources to provision to this application.
remote_uri str: The base URI for the application's SCIM-compatible API.
authentication AccessApplicationScimConfigAuthentication: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
deactivate_on_delete bool: If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
enabled bool: Whether SCIM provisioning is turned on for this application.
mappings Sequence[AccessApplicationScimConfigMapping]: A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

idpUid String: The UID of the IdP to use as the source for SCIM resources to provision to this application.
remoteUri String: The base URI for the application's SCIM-compatible API.
authentication Property Map: Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
deactivateOnDelete Boolean: If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
enabled Boolean: Whether SCIM provisioning is turned on for this application.
mappings List<Property Map>: A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

AccessApplicationScimConfigAuthentication, AccessApplicationScimConfigAuthenticationArgs

Scheme string: The authentication scheme to use when making SCIM requests to this application. Available values: "httpbasic", "oauthbearertoken", "oauth2", "accessservicetoken".
AuthorizationUrl string: URL used to generate the auth code used during token generation.
ClientId string: Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
ClientSecret string: Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
Password string: Password used to authenticate with the remote SCIM service.
Scopes List<string>: The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
Token string: Token used to authenticate with the remote SCIM service.
TokenUrl string: URL used to generate the token used to authenticate with the remote SCIM service.
User string: User name used to authenticate with the remote SCIM service.

Scheme string: The authentication scheme to use when making SCIM requests to this application. Available values: "httpbasic", "oauthbearertoken", "oauth2", "accessservicetoken".
AuthorizationUrl string: URL used to generate the auth code used during token generation.
ClientId string: Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
ClientSecret string: Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
Password string: Password used to authenticate with the remote SCIM service.
Scopes []string: The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
Token string: Token used to authenticate with the remote SCIM service.
TokenUrl string: URL used to generate the token used to authenticate with the remote SCIM service.
User string: User name used to authenticate with the remote SCIM service.

scheme String: The authentication scheme to use when making SCIM requests to this application. Available values: "httpbasic", "oauthbearertoken", "oauth2", "accessservicetoken".
authorizationUrl String: URL used to generate the auth code used during token generation.
clientId String: Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
clientSecret String: Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
password String: Password used to authenticate with the remote SCIM service.
scopes List<String>: The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
token String: Token used to authenticate with the remote SCIM service.
tokenUrl String: URL used to generate the token used to authenticate with the remote SCIM service.
user String: User name used to authenticate with the remote SCIM service.

scheme string: The authentication scheme to use when making SCIM requests to this application. Available values: "httpbasic", "oauthbearertoken", "oauth2", "accessservicetoken".
authorizationUrl string: URL used to generate the auth code used during token generation.
clientId string: Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
clientSecret string: Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
password string: Password used to authenticate with the remote SCIM service.
scopes string[]: The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
token string: Token used to authenticate with the remote SCIM service.
tokenUrl string: URL used to generate the token used to authenticate with the remote SCIM service.
user string: User name used to authenticate with the remote SCIM service.

scheme str: The authentication scheme to use when making SCIM requests to this application. Available values: "httpbasic", "oauthbearertoken", "oauth2", "accessservicetoken".
authorization_url str: URL used to generate the auth code used during token generation.
client_id str: Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
client_secret str: Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
password str: Password used to authenticate with the remote SCIM service.
scopes Sequence[str]: The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
token str: Token used to authenticate with the remote SCIM service.
token_url str: URL used to generate the token used to authenticate with the remote SCIM service.
user str: User name used to authenticate with the remote SCIM service.

scheme String: The authentication scheme to use when making SCIM requests to this application. Available values: "httpbasic", "oauthbearertoken", "oauth2", "accessservicetoken".
authorizationUrl String: URL used to generate the auth code used during token generation.
clientId String: Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
clientSecret String: Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
password String: Password used to authenticate with the remote SCIM service.
scopes List<String>: The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
token String: Token used to authenticate with the remote SCIM service.
tokenUrl String: URL used to generate the token used to authenticate with the remote SCIM service.
user String: User name used to authenticate with the remote SCIM service.

AccessApplicationScimConfigMapping, AccessApplicationScimConfigMappingArgs

Schema string: Which SCIM resource type this mapping applies to.
Enabled bool: Whether or not this mapping is enabled.
Filter string: A SCIM filter expression that matches resources that should be provisioned to this application.
Operations AccessApplicationScimConfigMappingOperations: Whether or not this mapping applies to creates, updates, or deletes.
Strictness string: The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. Available values: "strict", "passthrough".
TransformJsonata string: A JSONata expression that transforms the resource before provisioning it in the application.

Schema string: Which SCIM resource type this mapping applies to.
Enabled bool: Whether or not this mapping is enabled.
Filter string: A SCIM filter expression that matches resources that should be provisioned to this application.
Operations AccessApplicationScimConfigMappingOperations: Whether or not this mapping applies to creates, updates, or deletes.
Strictness string: The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. Available values: "strict", "passthrough".
TransformJsonata string: A JSONata expression that transforms the resource before provisioning it in the application.

schema String: Which SCIM resource type this mapping applies to.
enabled Boolean: Whether or not this mapping is enabled.
filter String: A SCIM filter expression that matches resources that should be provisioned to this application.
operations AccessApplicationScimConfigMappingOperations: Whether or not this mapping applies to creates, updates, or deletes.
strictness String: The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. Available values: "strict", "passthrough".
transformJsonata String: A JSONata expression that transforms the resource before provisioning it in the application.

schema string: Which SCIM resource type this mapping applies to.
enabled boolean: Whether or not this mapping is enabled.
filter string: A SCIM filter expression that matches resources that should be provisioned to this application.
operations AccessApplicationScimConfigMappingOperations: Whether or not this mapping applies to creates, updates, or deletes.
strictness string: The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. Available values: "strict", "passthrough".
transformJsonata string: A JSONata expression that transforms the resource before provisioning it in the application.

schema str: Which SCIM resource type this mapping applies to.
enabled bool: Whether or not this mapping is enabled.
filter str: A SCIM filter expression that matches resources that should be provisioned to this application.
operations AccessApplicationScimConfigMappingOperations: Whether or not this mapping applies to creates, updates, or deletes.
strictness str: The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. Available values: "strict", "passthrough".
transform_jsonata str: A JSONata expression that transforms the resource before provisioning it in the application.

schema String: Which SCIM resource type this mapping applies to.
enabled Boolean: Whether or not this mapping is enabled.
filter String: A SCIM filter expression that matches resources that should be provisioned to this application.
operations Property Map: Whether or not this mapping applies to creates, updates, or deletes.
strictness String: The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. Available values: "strict", "passthrough".
transformJsonata String: A JSONata expression that transforms the resource before provisioning it in the application.

AccessApplicationScimConfigMappingOperations, AccessApplicationScimConfigMappingOperationsArgs

Create bool: Whether or not this mapping applies to create (POST) operations.
Delete bool: Whether or not this mapping applies to DELETE operations.
Update bool: Whether or not this mapping applies to update (PATCH/PUT) operations.

Create bool: Whether or not this mapping applies to create (POST) operations.
Delete bool: Whether or not this mapping applies to DELETE operations.
Update bool: Whether or not this mapping applies to update (PATCH/PUT) operations.

create Boolean: Whether or not this mapping applies to create (POST) operations.
delete Boolean: Whether or not this mapping applies to DELETE operations.
update Boolean: Whether or not this mapping applies to update (PATCH/PUT) operations.

create boolean: Whether or not this mapping applies to create (POST) operations.
delete boolean: Whether or not this mapping applies to DELETE operations.
update boolean: Whether or not this mapping applies to update (PATCH/PUT) operations.

create bool: Whether or not this mapping applies to create (POST) operations.
delete bool: Whether or not this mapping applies to DELETE operations.
update bool: Whether or not this mapping applies to update (PATCH/PUT) operations.

create Boolean: Whether or not this mapping applies to create (POST) operations.
delete Boolean: Whether or not this mapping applies to DELETE operations.
update Boolean: Whether or not this mapping applies to update (PATCH/PUT) operations.

AccessApplicationTargetCriteria, AccessApplicationTargetCriteriaArgs

Port int: The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
Protocol string: The communication protocol your application secures. Available values: "SSH", "RDP".
TargetAttributes Dictionary<string, ImmutableArray<string>>: Contains a map of target attribute keys to target attribute values.

Port int: The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
Protocol string: The communication protocol your application secures. Available values: "SSH", "RDP".
TargetAttributes map[string][]string: Contains a map of target attribute keys to target attribute values.

port Integer: The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
protocol String: The communication protocol your application secures. Available values: "SSH", "RDP".
targetAttributes Map<String,List<String>>: Contains a map of target attribute keys to target attribute values.

port number: The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
protocol string: The communication protocol your application secures. Available values: "SSH", "RDP".
targetAttributes {[key: string]: string[]}: Contains a map of target attribute keys to target attribute values.

port int: The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
protocol str: The communication protocol your application secures. Available values: "SSH", "RDP".
target_attributes Mapping[str, Sequence[str]]: Contains a map of target attribute keys to target attribute values.

port Number: The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
protocol String: The communication protocol your application secures. Available values: "SSH", "RDP".
targetAttributes Map<List<String>>: Contains a map of target attribute keys to target attribute values.

Import

$ pulumi import cloudflare:index/accessApplication:AccessApplication example '<{accounts|zones}/{account_id|zone_id}>/<app_id>'

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Cloudflare v6.10.1 published on Wednesday, Oct 22, 2025 by Pulumi

pulumi/pulumi-cloudflare

cloudflare.AccessApplication

On this page

On this page

Example Usage

Create AccessApplication Resource

Constructor syntax

Parameters

AccessApplication Resource Properties

Inputs

Outputs

Look up Existing AccessApplication Resource

Supporting Types

AccessApplicationCorsHeaders, AccessApplicationCorsHeadersArgs

AccessApplicationDestination, AccessApplicationDestinationArgs

AccessApplicationFooterLink, AccessApplicationFooterLinkArgs

AccessApplicationLandingPageDesign, AccessApplicationLandingPageDesignArgs

AccessApplicationPolicy, AccessApplicationPolicyArgs

AccessApplicationPolicyConnectionRules, AccessApplicationPolicyConnectionRulesArgs

AccessApplicationPolicyConnectionRulesSsh, AccessApplicationPolicyConnectionRulesSshArgs

AccessApplicationPolicyExclude, AccessApplicationPolicyExcludeArgs

AccessApplicationPolicyExcludeAuthContext, AccessApplicationPolicyExcludeAuthContextArgs

AccessApplicationPolicyExcludeAuthMethod, AccessApplicationPolicyExcludeAuthMethodArgs

AccessApplicationPolicyExcludeAzureAd, AccessApplicationPolicyExcludeAzureAdArgs

AccessApplicationPolicyExcludeCommonName, AccessApplicationPolicyExcludeCommonNameArgs

AccessApplicationPolicyExcludeDevicePosture, AccessApplicationPolicyExcludeDevicePostureArgs

AccessApplicationPolicyExcludeEmail, AccessApplicationPolicyExcludeEmailArgs

AccessApplicationPolicyExcludeEmailDomain, AccessApplicationPolicyExcludeEmailDomainArgs

AccessApplicationPolicyExcludeEmailList, AccessApplicationPolicyExcludeEmailListArgs

AccessApplicationPolicyExcludeExternalEvaluation, AccessApplicationPolicyExcludeExternalEvaluationArgs

AccessApplicationPolicyExcludeGeo, AccessApplicationPolicyExcludeGeoArgs

AccessApplicationPolicyExcludeGithubOrganization, AccessApplicationPolicyExcludeGithubOrganizationArgs

AccessApplicationPolicyExcludeGroup, AccessApplicationPolicyExcludeGroupArgs

AccessApplicationPolicyExcludeGsuite, AccessApplicationPolicyExcludeGsuiteArgs

AccessApplicationPolicyExcludeIp, AccessApplicationPolicyExcludeIpArgs

AccessApplicationPolicyExcludeIpList, AccessApplicationPolicyExcludeIpListArgs

AccessApplicationPolicyExcludeLinkedAppToken, AccessApplicationPolicyExcludeLinkedAppTokenArgs

AccessApplicationPolicyExcludeLoginMethod, AccessApplicationPolicyExcludeLoginMethodArgs

AccessApplicationPolicyExcludeOidc, AccessApplicationPolicyExcludeOidcArgs

AccessApplicationPolicyExcludeOkta, AccessApplicationPolicyExcludeOktaArgs

AccessApplicationPolicyExcludeSaml, AccessApplicationPolicyExcludeSamlArgs

AccessApplicationPolicyExcludeServiceToken, AccessApplicationPolicyExcludeServiceTokenArgs

AccessApplicationPolicyInclude, AccessApplicationPolicyIncludeArgs

AccessApplicationPolicyIncludeAuthContext, AccessApplicationPolicyIncludeAuthContextArgs

AccessApplicationPolicyIncludeAuthMethod, AccessApplicationPolicyIncludeAuthMethodArgs

AccessApplicationPolicyIncludeAzureAd, AccessApplicationPolicyIncludeAzureAdArgs

AccessApplicationPolicyIncludeCommonName, AccessApplicationPolicyIncludeCommonNameArgs

AccessApplicationPolicyIncludeDevicePosture, AccessApplicationPolicyIncludeDevicePostureArgs

AccessApplicationPolicyIncludeEmail, AccessApplicationPolicyIncludeEmailArgs

AccessApplicationPolicyIncludeEmailDomain, AccessApplicationPolicyIncludeEmailDomainArgs

AccessApplicationPolicyIncludeEmailList, AccessApplicationPolicyIncludeEmailListArgs

AccessApplicationPolicyIncludeExternalEvaluation, AccessApplicationPolicyIncludeExternalEvaluationArgs

AccessApplicationPolicyIncludeGeo, AccessApplicationPolicyIncludeGeoArgs

AccessApplicationPolicyIncludeGithubOrganization, AccessApplicationPolicyIncludeGithubOrganizationArgs

AccessApplicationPolicyIncludeGroup, AccessApplicationPolicyIncludeGroupArgs

AccessApplicationPolicyIncludeGsuite, AccessApplicationPolicyIncludeGsuiteArgs

AccessApplicationPolicyIncludeIp, AccessApplicationPolicyIncludeIpArgs

AccessApplicationPolicyIncludeIpList, AccessApplicationPolicyIncludeIpListArgs

AccessApplicationPolicyIncludeLinkedAppToken, AccessApplicationPolicyIncludeLinkedAppTokenArgs

AccessApplicationPolicyIncludeLoginMethod, AccessApplicationPolicyIncludeLoginMethodArgs

AccessApplicationPolicyIncludeOidc, AccessApplicationPolicyIncludeOidcArgs

AccessApplicationPolicyIncludeOkta, AccessApplicationPolicyIncludeOktaArgs

AccessApplicationPolicyIncludeSaml, AccessApplicationPolicyIncludeSamlArgs

AccessApplicationPolicyIncludeServiceToken, AccessApplicationPolicyIncludeServiceTokenArgs

AccessApplicationPolicyRequire, AccessApplicationPolicyRequireArgs

AccessApplicationPolicyRequireAuthContext, AccessApplicationPolicyRequireAuthContextArgs

AccessApplicationPolicyRequireAuthMethod, AccessApplicationPolicyRequireAuthMethodArgs

AccessApplicationPolicyRequireAzureAd, AccessApplicationPolicyRequireAzureAdArgs

AccessApplicationPolicyRequireCommonName, AccessApplicationPolicyRequireCommonNameArgs

AccessApplicationPolicyRequireDevicePosture, AccessApplicationPolicyRequireDevicePostureArgs

AccessApplicationPolicyRequireEmail, AccessApplicationPolicyRequireEmailArgs

AccessApplicationPolicyRequireEmailDomain, AccessApplicationPolicyRequireEmailDomainArgs

AccessApplicationPolicyRequireEmailList, AccessApplicationPolicyRequireEmailListArgs

AccessApplicationPolicyRequireExternalEvaluation, AccessApplicationPolicyRequireExternalEvaluationArgs

AccessApplicationPolicyRequireGeo, AccessApplicationPolicyRequireGeoArgs

AccessApplicationPolicyRequireGithubOrganization, AccessApplicationPolicyRequireGithubOrganizationArgs

AccessApplicationPolicyRequireGroup, AccessApplicationPolicyRequireGroupArgs

AccessApplicationPolicyRequireGsuite, AccessApplicationPolicyRequireGsuiteArgs

AccessApplicationPolicyRequireIp, AccessApplicationPolicyRequireIpArgs

AccessApplicationPolicyRequireIpList, AccessApplicationPolicyRequireIpListArgs

AccessApplicationPolicyRequireLinkedAppToken, AccessApplicationPolicyRequireLinkedAppTokenArgs