All packages

Cloudflare

Pulumi Official
Package maintained by Pulumi
v4.6.0 published on Tuesday, Apr 5, 2022 by Pulumi
Source code
  1. Pulumi Registry
  2. Cloudflare
  3. Cloudflare
  4. AccessGroup

AccessGroup

Provides a Cloudflare Access Group resource. Access Groups are used in conjunction with Access Policies to restrict access to a particular resource based on group membership.

Conditions

require, exclude and include arguments share the available conditions which can be applied. The conditions are:

  • ip - (Optional) A list of IP addresses or ranges. Example: ip = ["1.2.3.4", "10.0.0.0/2"]

  • email - (Optional) A list of email addresses. Example: email = ["test@example.com"]

  • email_domain - (Optional) A list of email domains. Example: email_domain = ["example.com"]

  • service_token - (Optional) A list of service token ids. Example: service_token = [cloudflare_access_service_token.demo.id]

  • any_valid_service_token - (Optional) Boolean indicating if allow all tokens to be granted. Example: any_valid_service_token = true

  • group - (Optional) A list of access group ids. Example: group = [cloudflare_access_group.demo.id]

  • everyone - (Optional) Boolean indicating permitting access for all requests. Example: everyone = true

  • certificate - (Optional) Whether to use mTLS certificate authentication.

  • common_name - (Optional) Use a certificate common name to authenticate with.

  • auth_method - (Optional) A string identifying the authentication method code. The list of codes are listed here: https://tools.ietf.org/html/rfc8176#section-2. Custom values are also supported. Example: auth_method = ["swk"]

  • geo - (Optional) A list of country codes. Example: geo = ["US"]

  • login_method - (Optional) A list of identity provider ids. Example: login_method = [cloudflare_access_identity_provider.my_idp.id]

  • device_posture - (Optional) A list of device_posture integration_uids. Example: device_posture = [cloudflare_device_posture_rule.my_posture_rule.id]

  • gsuite - (Optional) Use GSuite as the authentication mechanism. Example:

    # ... other configuration
include {
  gsuite {
    email = ["admins@example.com"]
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}

  • github - (Optional) Use a GitHub organization as the include condition. Example:

    # ... other configuration
include {
  github {
    name = "my-github-org-name" # (Required) GitHub organization name
    teams = ["my-github-team-name"] # (Optional) GitHub teams
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}

  • azure - (Optional) Use Azure AD as the include condition. Example:

    # ... other configuration
include {
  azure {
    id = ["86773093-5feb-48dd-814b-7ccd3676ff50e"]
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}

  • okta - (Optional) Use Okta as the include condition. Example:

    # ... other configuration
include {
  okta {
    name = ["admins"]
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}

  • saml - (Optional) Use an external SAML setup as the include condition. Example:

    # ... other configuration
include {
  saml {
    attribute_name = "group"
    attribute_value = "admins"
    identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
  }
}

Example Usage

using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

class MyStack : Stack
{
    public MyStack()
    {
        // Allowing access to `test@example.com` email address only
        var testGroupAccessGroup = new Cloudflare.AccessGroup("testGroupAccessGroup", new Cloudflare.AccessGroupArgs
        {
            AccountId = "975ecf5a45e3bcb680dba0722a420ad9",
            Name = "staging group",
            Includes = 
            {
                new Cloudflare.Inputs.AccessGroupIncludeArgs
                {
                    Emails = 
                    {
                        "test@example.com",
                    },
                },
            },
        });
        // Allowing `test@example.com` to access but only when coming from a
        // specific IP.
        var testGroupIndex_accessGroupAccessGroup = new Cloudflare.AccessGroup("testGroupIndex/accessGroupAccessGroup", new Cloudflare.AccessGroupArgs
        {
            AccountId = "975ecf5a45e3bcb680dba0722a420ad9",
            Name = "staging group",
            Includes = 
            {
                new Cloudflare.Inputs.AccessGroupIncludeArgs
                {
                    Emails = 
                    {
                        "test@example.com",
                    },
                },
            },
            Requires = 
            {
                { "ips", 
                {
                    @var.Office_ip,
                } },
            },
        });
    }

}

package main

import (
	"github.com/pulumi/pulumi-cloudflare/sdk/v4/go/cloudflare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cloudflare.NewAccessGroup(ctx, "testGroupAccessGroup", &cloudflare.AccessGroupArgs{
			AccountId: pulumi.String("975ecf5a45e3bcb680dba0722a420ad9"),
			Name:      pulumi.String("staging group"),
			Includes: AccessGroupIncludeArray{
				&AccessGroupIncludeArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = cloudflare.NewAccessGroup(ctx, "testGroupIndex/accessGroupAccessGroup", &cloudflare.AccessGroupArgs{
			AccountId: pulumi.String("975ecf5a45e3bcb680dba0722a420ad9"),
			Name:      pulumi.String("staging group"),
			Includes: AccessGroupIncludeArray{
				&AccessGroupIncludeArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
			Requires: AccessGroupRequireArray{
				Ips: AccessGroupRequireArgs{
					_var.Office_ip,
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Coming soon!

import pulumi
import pulumi_cloudflare as cloudflare

# Allowing access to `test@example.com` email address only
test_group_access_group = cloudflare.AccessGroup("testGroupAccessGroup",
    account_id="975ecf5a45e3bcb680dba0722a420ad9",
    name="staging group",
    includes=[cloudflare.AccessGroupIncludeArgs(
        emails=["test@example.com"],
    )])
# Allowing `test@example.com` to access but only when coming from a
# specific IP.
test_group_index_access_group_access_group = cloudflare.AccessGroup("testGroupIndex/accessGroupAccessGroup",
    account_id="975ecf5a45e3bcb680dba0722a420ad9",
    name="staging group",
    includes=[cloudflare.AccessGroupIncludeArgs(
        emails=["test@example.com"],
    )],
    requires={
        "ips": [var["office_ip"]],
    })

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

// Allowing access to `test@example.com` email address only
const testGroupAccessGroup = new cloudflare.AccessGroup("testGroupAccessGroup", {
    accountId: "975ecf5a45e3bcb680dba0722a420ad9",
    name: "staging group",
    includes: [{
        emails: ["test@example.com"],
    }],
});
// Allowing `test@example.com` to access but only when coming from a
// specific IP.
const testGroupIndex_accessGroupAccessGroup = new cloudflare.AccessGroup("testGroupIndex/accessGroupAccessGroup", {
    accountId: "975ecf5a45e3bcb680dba0722a420ad9",
    name: "staging group",
    includes: [{
        emails: ["test@example.com"],
    }],
    requires: {
        ips: [_var.office_ip],
    },
});

Coming soon!

Create a AccessGroup Resource

new AccessGroup(name: string, args: AccessGroupArgs, opts?: CustomResourceOptions);
@overload
def AccessGroup(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                account_id: Optional[str] = None,
                excludes: Optional[Sequence[AccessGroupExcludeArgs]] = None,
                includes: Optional[Sequence[AccessGroupIncludeArgs]] = None,
                name: Optional[str] = None,
                requires: Optional[Sequence[AccessGroupRequireArgs]] = None,
                zone_id: Optional[str] = None)
@overload
def AccessGroup(resource_name: str,
                args: AccessGroupArgs,
                opts: Optional[ResourceOptions] = None)
func NewAccessGroup(ctx *Context, name string, args AccessGroupArgs, opts ...ResourceOption) (*AccessGroup, error)
public AccessGroup(string name, AccessGroupArgs args, CustomResourceOptions? opts = null)
public AccessGroup(String name, AccessGroupArgs args)
public AccessGroup(String name, AccessGroupArgs args, CustomResourceOptions options)

type: cloudflare:AccessGroup
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AccessGroupArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AccessGroupArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AccessGroupArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AccessGroup Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AccessGroup resource accepts the following input properties:

Includes List<AccessGroupIncludeArgs>

A series of access conditions, see below for full list.

Name string

Friendly name of the Access Group.

AccountId string

The ID of the account the group is associated with. Conflicts with zone_id.

Excludes List<AccessGroupExcludeArgs>

A series of access conditions, see below for full list.

Requires List<AccessGroupRequireArgs>

A series of access conditions, see below for full list.

ZoneId string

The ID of the zone the group is associated with. Conflicts with account_id.

Includes []AccessGroupIncludeArgs

A series of access conditions, see below for full list.

Name string

Friendly name of the Access Group.

AccountId string

The ID of the account the group is associated with. Conflicts with zone_id.

Excludes []AccessGroupExcludeArgs

A series of access conditions, see below for full list.

Requires []AccessGroupRequireArgs

A series of access conditions, see below for full list.

ZoneId string

The ID of the zone the group is associated with. Conflicts with account_id.

includes ListGroupIncludeArgs>

A series of access conditions, see below for full list.

name String

Friendly name of the Access Group.

accountId String

The ID of the account the group is associated with. Conflicts with zone_id.

excludes ListGroupExcludeArgs>

A series of access conditions, see below for full list.

requires ListGroupRequireArgs>

A series of access conditions, see below for full list.

zoneId String

The ID of the zone the group is associated with. Conflicts with account_id.

includes AccessGroupIncludeArgs[]

A series of access conditions, see below for full list.

name string

Friendly name of the Access Group.

accountId string

The ID of the account the group is associated with. Conflicts with zone_id.

excludes AccessGroupExcludeArgs[]

A series of access conditions, see below for full list.

requires AccessGroupRequireArgs[]

A series of access conditions, see below for full list.

zoneId string

The ID of the zone the group is associated with. Conflicts with account_id.

includes Sequence[AccessGroupIncludeArgs]

A series of access conditions, see below for full list.

name str

Friendly name of the Access Group.

account_id str

The ID of the account the group is associated with. Conflicts with zone_id.

excludes Sequence[AccessGroupExcludeArgs]

A series of access conditions, see below for full list.

requires Sequence[AccessGroupRequireArgs]

A series of access conditions, see below for full list.

zone_id str

The ID of the zone the group is associated with. Conflicts with account_id.

includes List

A series of access conditions, see below for full list.

name String

Friendly name of the Access Group.

accountId String

The ID of the account the group is associated with. Conflicts with zone_id.

excludes List

A series of access conditions, see below for full list.

requires List

A series of access conditions, see below for full list.

zoneId String

The ID of the zone the group is associated with. Conflicts with account_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessGroup resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing AccessGroup Resource

Get an existing AccessGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessGroupState, opts?: CustomResourceOptions): AccessGroup
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        excludes: Optional[Sequence[AccessGroupExcludeArgs]] = None,
        includes: Optional[Sequence[AccessGroupIncludeArgs]] = None,
        name: Optional[str] = None,
        requires: Optional[Sequence[AccessGroupRequireArgs]] = None,
        zone_id: Optional[str] = None) -> AccessGroup
func GetAccessGroup(ctx *Context, name string, id IDInput, state *AccessGroupState, opts ...ResourceOption) (*AccessGroup, error)
public static AccessGroup Get(string name, Input<string> id, AccessGroupState? state, CustomResourceOptions? opts = null)
public static AccessGroup get(String name, Output<String> id, AccessGroupState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccountId string

The ID of the account the group is associated with. Conflicts with zone_id.

Excludes List<AccessGroupExcludeArgs>

A series of access conditions, see below for full list.

Includes List<AccessGroupIncludeArgs>

A series of access conditions, see below for full list.

Name string

Friendly name of the Access Group.

Requires List<AccessGroupRequireArgs>

A series of access conditions, see below for full list.

ZoneId string

The ID of the zone the group is associated with. Conflicts with account_id.

AccountId string

The ID of the account the group is associated with. Conflicts with zone_id.

Excludes []AccessGroupExcludeArgs

A series of access conditions, see below for full list.

Includes []AccessGroupIncludeArgs

A series of access conditions, see below for full list.

Name string

Friendly name of the Access Group.

Requires []AccessGroupRequireArgs

A series of access conditions, see below for full list.

ZoneId string

The ID of the zone the group is associated with. Conflicts with account_id.

accountId String

The ID of the account the group is associated with. Conflicts with zone_id.

excludes ListGroupExcludeArgs>

A series of access conditions, see below for full list.

includes ListGroupIncludeArgs>

A series of access conditions, see below for full list.

name String

Friendly name of the Access Group.

requires ListGroupRequireArgs>

A series of access conditions, see below for full list.

zoneId String

The ID of the zone the group is associated with. Conflicts with account_id.

accountId string

The ID of the account the group is associated with. Conflicts with zone_id.

excludes AccessGroupExcludeArgs[]

A series of access conditions, see below for full list.

includes AccessGroupIncludeArgs[]

A series of access conditions, see below for full list.

name string

Friendly name of the Access Group.

requires AccessGroupRequireArgs[]

A series of access conditions, see below for full list.

zoneId string

The ID of the zone the group is associated with. Conflicts with account_id.

account_id str

The ID of the account the group is associated with. Conflicts with zone_id.

excludes Sequence[AccessGroupExcludeArgs]

A series of access conditions, see below for full list.

includes Sequence[AccessGroupIncludeArgs]

A series of access conditions, see below for full list.

name str

Friendly name of the Access Group.

requires Sequence[AccessGroupRequireArgs]

A series of access conditions, see below for full list.

zone_id str

The ID of the zone the group is associated with. Conflicts with account_id.

accountId String

The ID of the account the group is associated with. Conflicts with zone_id.

excludes List

A series of access conditions, see below for full list.

includes List

A series of access conditions, see below for full list.

name String

Friendly name of the Access Group.

requires List

A series of access conditions, see below for full list.

zoneId String

The ID of the zone the group is associated with. Conflicts with account_id.

Supporting Types

AccessGroupExclude

AccessGroupExcludeAzure

IdentityProviderId string
Ids List<string>
IdentityProviderId string
Ids []string
identityProviderId string
ids string[]
identity_provider_id str
ids Sequence[str]

AccessGroupExcludeGithub

IdentityProviderId string
Name string

Friendly name of the Access Group.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Group.

Teams []string
identityProviderId String
name String

Friendly name of the Access Group.

teams List
identityProviderId string
name string

Friendly name of the Access Group.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Group.

teams Sequence[str]
identityProviderId String
name String

Friendly name of the Access Group.

teams List

AccessGroupExcludeGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str

AccessGroupExcludeOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Group.

IdentityProviderId string
Names []string

Friendly name of the Access Group.

identityProviderId String
names List

Friendly name of the Access Group.

identityProviderId string
names string[]

Friendly name of the Access Group.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Group.

identityProviderId String
names List

Friendly name of the Access Group.

AccessGroupExcludeSaml

AccessGroupInclude

AccessGroupIncludeAzure

IdentityProviderId string
Ids List<string>
IdentityProviderId string
Ids []string
identityProviderId string
ids string[]
identity_provider_id str
ids Sequence[str]

AccessGroupIncludeGithub

IdentityProviderId string
Name string

Friendly name of the Access Group.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Group.

Teams []string
identityProviderId String
name String

Friendly name of the Access Group.

teams List
identityProviderId string
name string

Friendly name of the Access Group.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Group.

teams Sequence[str]
identityProviderId String
name String

Friendly name of the Access Group.

teams List

AccessGroupIncludeGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str

AccessGroupIncludeOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Group.

IdentityProviderId string
Names []string

Friendly name of the Access Group.

identityProviderId String
names List

Friendly name of the Access Group.

identityProviderId string
names string[]

Friendly name of the Access Group.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Group.

identityProviderId String
names List

Friendly name of the Access Group.

AccessGroupIncludeSaml

AccessGroupRequire

AccessGroupRequireAzure

IdentityProviderId string
Ids List<string>
IdentityProviderId string
Ids []string
identityProviderId string
ids string[]
identity_provider_id str
ids Sequence[str]

AccessGroupRequireGithub

IdentityProviderId string
Name string

Friendly name of the Access Group.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Group.

Teams []string
identityProviderId String
name String

Friendly name of the Access Group.

teams List
identityProviderId string
name string

Friendly name of the Access Group.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Group.

teams Sequence[str]
identityProviderId String
name String

Friendly name of the Access Group.

teams List

AccessGroupRequireGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str

AccessGroupRequireOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Group.

IdentityProviderId string
Names []string

Friendly name of the Access Group.

identityProviderId String
names List

Friendly name of the Access Group.

identityProviderId string
names string[]

Friendly name of the Access Group.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Group.

identityProviderId String
names List

Friendly name of the Access Group.

AccessGroupRequireSaml

Import

Access Groups can be imported using a composite ID formed of account ID and group ID.

 $ pulumi import cloudflare:index/accessGroup:AccessGroup staging 975ecf5a45e3bcb680dba0722a420ad9/67ea780ce4982c1cfbe6b7293afc765d

where * 975ecf5a45e3bcb680dba0722a420ad9 - Account ID * 67ea780ce4982c1cfbe6b7293afc765d - Access Group ID

Package Details

Repository
https://github.com/pulumi/pulumi-cloudflare
License
Apache-2.0
Notes

This Pulumi package is based on the cloudflare Terraform Provider.