AccessPolicy

Provides a Cloudflare Access Policy resource. Access Policies are used in conjunction with Access Applications to restrict access to a particular resource.

Exactly one of account_id or zone_id must be provided (the two arguments conflict with each other), and in most cases either is fine. However, if you’re using a scoped access token, you must provide the argument that matches the token’s scope. For example, an access token that is scoped to the “example.com” zone needs to use the zone_id argument.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

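return await Deployment.RunAsync(() =>
{
    // The office address is read from stack configuration so the program
    // fails at preview time if it is missing, instead of referring to an
    // undefined `var` object. Set it with `pulumi config set office_ip <address>`.
    var config = new Config();
    var officeIp = config.Require("office_ip");

    // NOTE: both policies below target the same application with
    // precedence 1. Precedence must be unique per application, so treat the
    // two policies as alternatives, or give one a different precedence
    // before deploying them together.

    // Allowing access to `test@example.com` email address only.
    // The require rule repeats the include rule, so it adds no further
    // restriction here.
    var testPolicyAccessPolicy = new Cloudflare.AccessPolicy("testPolicyAccessPolicy", new()
    {
        ApplicationId = "cb029e245cfdd66dc8d2e570d5dd3322",
        ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
        Name = "staging policy",
        Precedence = 1,
        Decision = "allow",
        Includes = new[]
        {
            new Cloudflare.Inputs.AccessPolicyIncludeArgs
            {
                Emails = new[]
                {
                    "test@example.com",
                },
            },
        },
        Requires = new[]
        {
            new Cloudflare.Inputs.AccessPolicyRequireArgs
            {
                Emails = new[]
                {
                    "test@example.com",
                },
            },
        },
    });

    // Allowing `test@example.com` to access but only when coming from a
    // specific IP: the include rule selects the user and the require rule
    // restricts the source address.
    var testPolicyIndex_accessPolicyAccessPolicy = new Cloudflare.AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy", new()
    {
        ApplicationId = "cb029e245cfdd66dc8d2e570d5dd3322",
        ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
        Name = "staging policy",
        Precedence = 1,
        Decision = "allow",
        Includes = new[]
        {
            new Cloudflare.Inputs.AccessPolicyIncludeArgs
            {
                Emails = new[]
                {
                    "test@example.com",
                },
            },
        },
        Requires = new[]
        {
            new Cloudflare.Inputs.AccessPolicyRequireArgs
            {
                Ips = new[]
                {
                    officeIp,
                },
            },
        },
    });

});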
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-cloudflare/sdk/v4/go/cloudflare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

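// main declares two example Cloudflare Access policies for one application.
//
// Both policies use precedence 1 on the same application. Precedence must be
// unique per application, so treat them as alternatives, or give one a
// different precedence before deploying them together.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read the office address from stack configuration and stop early if
		// it is absent: an empty value in a require rule would not express
		// the intended restriction. Set it with
		// `pulumi config set office_ip <address>`.
		officeIP, ok := ctx.GetConfig(ctx.Project() + ":office_ip")
		if !ok || officeIP == "" {
			return fmt.Errorf("missing required configuration value %q", "office_ip")
		}

		// Allowing access to `test@example.com` email address only. The
		// require rule repeats the include rule, so it adds no further
		// restriction here.
		_, err := cloudflare.NewAccessPolicy(ctx, "testPolicyAccessPolicy", &cloudflare.AccessPolicyArgs{
			ApplicationId: pulumi.String("cb029e245cfdd66dc8d2e570d5dd3322"),
			ZoneId:        pulumi.String("0da42c8d2132a9ddaf714f9e7c920711"),
			Name:          pulumi.String("staging policy"),
			Precedence:    pulumi.Int(1),
			Decision:      pulumi.String("allow"),
			// The rule types live in the cloudflare package and must be
			// qualified; unqualified names do not resolve in package main.
			Includes: cloudflare.AccessPolicyIncludeArray{
				&cloudflare.AccessPolicyIncludeArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
			Requires: cloudflare.AccessPolicyRequireArray{
				&cloudflare.AccessPolicyRequireArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
		})
		if err != nil {
			return err
		}

		// Allowing `test@example.com` to access but only when coming from a
		// specific IP: the include rule selects the user and the require
		// rule restricts the source address.
		_, err = cloudflare.NewAccessPolicy(ctx, "testPolicyIndex/accessPolicyAccessPolicy", &cloudflare.AccessPolicyArgs{
			ApplicationId: pulumi.String("cb029e245cfdd66dc8d2e570d5dd3322"),
			ZoneId:        pulumi.String("0da42c8d2132a9ddaf714f9e7c920711"),
			Name:          pulumi.String("staging policy"),
			Precedence:    pulumi.Int(1),
			Decision:      pulumi.String("allow"),
			Includes: cloudflare.AccessPolicyIncludeArray{
				&cloudflare.AccessPolicyIncludeArgs{
					Emails: pulumi.StringArray{
						pulumi.String("test@example.com"),
					},
				},
			},
			Requires: cloudflare.AccessPolicyRequireArray{
				&cloudflare.AccessPolicyRequireArgs{
					Ips: pulumi.StringArray{
						pulumi.String(officeIP),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}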
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudflare.AccessPolicy;
import com.pulumi.cloudflare.AccessPolicyArgs;
import com.pulumi.cloudflare.inputs.AccessPolicyIncludeArgs;
import com.pulumi.cloudflare.inputs.AccessPolicyRequireArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

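/**
 * Example Pulumi program declaring two Cloudflare Access policies for one
 * application.
 *
 * Both policies use precedence 1 on the same application. Precedence must be
 * unique per application, so treat them as alternatives, or give one a
 * different precedence before deploying them together.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example policies.
     *
     * @param ctx the Pulumi deployment context; the stack configuration value
     *            {@code office_ip} is read from it and is required
     */
    public static void stack(Context ctx) {
        // Read the office address from stack configuration so a missing value
        // fails the deployment instead of referring to an undefined object.
        // Set it with `pulumi config set office_ip <address>`.
        final var officeIp = ctx.config().require("office_ip");

        // Allowing access to `test@example.com` email address only. The
        // require rule repeats the include rule, so it adds no further
        // restriction here.
        var testPolicyAccessPolicy = new AccessPolicy("testPolicyAccessPolicy", AccessPolicyArgs.builder()
            .applicationId("cb029e245cfdd66dc8d2e570d5dd3322")
            .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
            .name("staging policy")
            // precedence is an Integer property, not a String.
            .precedence(1)
            .decision("allow")
            .includes(AccessPolicyIncludeArgs.builder()
                .emails("test@example.com")
                .build())
            .requires(AccessPolicyRequireArgs.builder()
                .emails("test@example.com")
                .build())
            .build());

        // Allowing `test@example.com` to access but only when coming from a
        // specific IP: the include rule selects the user and the require rule
        // restricts the source address.
        var testPolicyIndex_accessPolicyAccessPolicy = new AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy", AccessPolicyArgs.builder()
            .applicationId("cb029e245cfdd66dc8d2e570d5dd3322")
            .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
            .name("staging policy")
            .precedence(1)
            .decision("allow")
            .includes(AccessPolicyIncludeArgs.builder()
                .emails("test@example.com")
                .build())
            .requires(AccessPolicyRequireArgs.builder()
                .ips(officeIp)
                .build())
            .build());

    }
}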
import pulumi
import pulumi_cloudflare as cloudflare

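# The office address is read from stack configuration so a missing value fails
# the deployment instead of referring to an undefined `var` mapping.
# Set it with `pulumi config set office_ip <address>`.
office_ip = pulumi.Config().require("office_ip")

# NOTE: both policies below target the same application with precedence 1.
# Precedence must be unique per application, so treat the two policies as
# alternatives, or give one a different precedence before deploying both.

# Allowing access to `test@example.com` email address only.
# The require rule repeats the include rule, so it adds no further restriction.
test_policy_access_policy = cloudflare.AccessPolicy("testPolicyAccessPolicy",
    application_id="cb029e245cfdd66dc8d2e570d5dd3322",
    zone_id="0da42c8d2132a9ddaf714f9e7c920711",
    name="staging policy",
    precedence=1,
    decision="allow",
    includes=[cloudflare.AccessPolicyIncludeArgs(
        emails=["test@example.com"],
    )],
    requires=[cloudflare.AccessPolicyRequireArgs(
        emails=["test@example.com"],
    )])
# Allowing `test@example.com` to access but only when coming from a
# specific IP: the include rule selects the user and the require rule
# restricts the source address.
test_policy_index_access_policy_access_policy = cloudflare.AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy",
    application_id="cb029e245cfdd66dc8d2e570d5dd3322",
    zone_id="0da42c8d2132a9ddaf714f9e7c920711",
    name="staging policy",
    precedence=1,
    decision="allow",
    includes=[cloudflare.AccessPolicyIncludeArgs(
        emails=["test@example.com"],
    )],
    requires=[cloudflare.AccessPolicyRequireArgs(
        ips=[office_ip],
    )])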
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

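// The office address is read from stack configuration so a missing value
// fails the deployment instead of referring to an undefined `_var` object.
// Set it with `pulumi config set office_ip <address>`.
const officeIp = new pulumi.Config().require("office_ip");

// NOTE: both policies below target the same application with precedence 1.
// Precedence must be unique per application, so treat the two policies as
// alternatives, or give one a different precedence before deploying both.

// Allowing access to `test@example.com` email address only.
// The require rule repeats the include rule, so it adds no further restriction.
const testPolicyAccessPolicy = new cloudflare.AccessPolicy("testPolicyAccessPolicy", {
    applicationId: "cb029e245cfdd66dc8d2e570d5dd3322",
    zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
    name: "staging policy",
    precedence: 1,
    decision: "allow",
    includes: [{
        emails: ["test@example.com"],
    }],
    requires: [{
        emails: ["test@example.com"],
    }],
});
// Allowing `test@example.com` to access but only when coming from a
// specific IP: the include rule selects the user and the require rule
// restricts the source address.
const testPolicyIndex_accessPolicyAccessPolicy = new cloudflare.AccessPolicy("testPolicyIndex/accessPolicyAccessPolicy", {
    applicationId: "cb029e245cfdd66dc8d2e570d5dd3322",
    zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
    name: "staging policy",
    precedence: 1,
    decision: "allow",
    includes: [{
        emails: ["test@example.com"],
    }],
    requires: [{
        ips: [officeIp],
    }],
});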
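# The office address is declared as stack configuration so a missing value
# fails the deployment. Set it with `pulumi config set office_ip <address>`.
config:
  office_ip:
    type: string
resources:
  # NOTE: both policies below target the same application with precedence 1.
  # Precedence must be unique per application, so treat the two policies as
  # alternatives, or give one a different precedence before deploying both.

  # Allowing access to `test@example.com` email address only.
  # The require rule repeats the include rule, so it adds no further restriction.
  testPolicyAccessPolicy:
    type: cloudflare:AccessPolicy
    properties:
      applicationId: cb029e245cfdd66dc8d2e570d5dd3322
      zoneId: 0da42c8d2132a9ddaf714f9e7c920711
      name: staging policy
      # precedence is a Number property, so it is written unquoted.
      precedence: 1
      decision: allow
      includes:
        - emails:
            - test@example.com
      requires:
        - emails:
            - test@example.com
  # Allowing `test@example.com` to access but only when coming from a
  # specific IP: the include rule selects the user and the require rule
  # restricts the source address.
  testPolicyIndex/accessPolicyAccessPolicy:
    type: cloudflare:AccessPolicy
    properties:
      applicationId: cb029e245cfdd66dc8d2e570d5dd3322
      zoneId: 0da42c8d2132a9ddaf714f9e7c920711
      name: staging policy
      precedence: 1
      decision: allow
      includes:
        - emails:
            - test@example.com
      requires:
        - ips:
            - ${office_ip}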

Create AccessPolicy Resource

new AccessPolicy(name: string, args: AccessPolicyArgs, opts?: CustomResourceOptions);
@overload
def AccessPolicy(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 account_id: Optional[str] = None,
                 application_id: Optional[str] = None,
                 approval_groups: Optional[Sequence[AccessPolicyApprovalGroupArgs]] = None,
                 approval_required: Optional[bool] = None,
                 decision: Optional[str] = None,
                 excludes: Optional[Sequence[AccessPolicyExcludeArgs]] = None,
                 includes: Optional[Sequence[AccessPolicyIncludeArgs]] = None,
                 name: Optional[str] = None,
                 precedence: Optional[int] = None,
                 purpose_justification_prompt: Optional[str] = None,
                 purpose_justification_required: Optional[bool] = None,
                 requires: Optional[Sequence[AccessPolicyRequireArgs]] = None,
                 zone_id: Optional[str] = None)
@overload
def AccessPolicy(resource_name: str,
                 args: AccessPolicyArgs,
                 opts: Optional[ResourceOptions] = None)
func NewAccessPolicy(ctx *Context, name string, args AccessPolicyArgs, opts ...ResourceOption) (*AccessPolicy, error)
public AccessPolicy(string name, AccessPolicyArgs args, CustomResourceOptions? opts = null)
public AccessPolicy(String name, AccessPolicyArgs args)
public AccessPolicy(String name, AccessPolicyArgs args, CustomResourceOptions options)
type: cloudflare:AccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AccessPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AccessPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AccessPolicy resource accepts the following input properties:

ApplicationId string

The ID of the application the policy is associated with.

Decision string

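Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass. A bypass decision turns off Access enforcement for matching requests, so reserve it for resources that are meant to be reachable without authentication.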

Includes List<AccessPolicyIncludeArgs>

A series of access conditions, see Access Groups. A user must match at least one include condition for the policy to apply.

Name string

Friendly name of the Access Policy.

Precedence int

The unique precedence for policies on a single application.

AccountId string

The account identifier to target for the resource. Conflicts with zone_id.

ApprovalGroups List<AccessPolicyApprovalGroupArgs>
ApprovalRequired bool
Excludes List<AccessPolicyExcludeArgs>

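A series of access conditions, see Access Groups. A user who matches any exclude condition is left out of the policy, even when the include conditions match.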

PurposeJustificationPrompt string

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

PurposeJustificationRequired bool

Whether to prompt the user for a justification for accessing the resource.

Requires List<AccessPolicyRequireArgs>

A series of access conditions, see Access Groups. A user must satisfy every require condition in addition to matching an include condition.

ZoneId string

The zone identifier to target for the resource. Conflicts with account_id.

ApplicationId string

The ID of the application the policy is associated with.

Decision string

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

Includes []AccessPolicyIncludeArgs

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Policy.

Precedence int

The unique precedence for policies on a single application.

AccountId string

The account identifier to target for the resource. Conflicts with zone_id.

ApprovalGroups []AccessPolicyApprovalGroupArgs
ApprovalRequired bool
Excludes []AccessPolicyExcludeArgs

A series of access conditions, see Access Groups.

PurposeJustificationPrompt string

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

PurposeJustificationRequired bool

Whether to prompt the user for a justification for accessing the resource.

Requires []AccessPolicyRequireArgs

A series of access conditions, see Access Groups.

ZoneId string

The zone identifier to target for the resource. Conflicts with account_id.

applicationId String

The ID of the application the policy is associated with.

decision String

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

includes List<AccessPolicyIncludeArgs>

A series of access conditions, see Access Groups.

name String

Friendly name of the Access Policy.

precedence Integer

The unique precedence for policies on a single application.

accountId String

The account identifier to target for the resource. Conflicts with zone_id.

approvalGroups List<AccessPolicyApprovalGroupArgs>
approvalRequired Boolean
excludes List<AccessPolicyExcludeArgs>

A series of access conditions, see Access Groups.

purposeJustificationPrompt String

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purposeJustificationRequired Boolean

Whether to prompt the user for a justification for accessing the resource.

requires List<AccessPolicyRequireArgs>

A series of access conditions, see Access Groups.

zoneId String

The zone identifier to target for the resource. Conflicts with account_id.

applicationId string

The ID of the application the policy is associated with.

decision string

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

includes AccessPolicyIncludeArgs[]

A series of access conditions, see Access Groups.

name string

Friendly name of the Access Policy.

precedence number

The unique precedence for policies on a single application.

accountId string

The account identifier to target for the resource. Conflicts with zone_id.

approvalGroups AccessPolicyApprovalGroupArgs[]
approvalRequired boolean
excludes AccessPolicyExcludeArgs[]

A series of access conditions, see Access Groups.

purposeJustificationPrompt string

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purposeJustificationRequired boolean

Whether to prompt the user for a justification for accessing the resource.

requires AccessPolicyRequireArgs[]

A series of access conditions, see Access Groups.

zoneId string

The zone identifier to target for the resource. Conflicts with account_id.

application_id str

The ID of the application the policy is associated with.

decision str

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

includes Sequence[AccessPolicyIncludeArgs]

A series of access conditions, see Access Groups.

name str

Friendly name of the Access Policy.

precedence int

The unique precedence for policies on a single application.

account_id str

The account identifier to target for the resource. Conflicts with zone_id.

approval_groups Sequence[AccessPolicyApprovalGroupArgs]
approval_required bool
excludes Sequence[AccessPolicyExcludeArgs]

A series of access conditions, see Access Groups.

purpose_justification_prompt str

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purpose_justification_required bool

Whether to prompt the user for a justification for accessing the resource.

requires Sequence[AccessPolicyRequireArgs]

A series of access conditions, see Access Groups.

zone_id str

The zone identifier to target for the resource. Conflicts with account_id.

applicationId String

The ID of the application the policy is associated with.

decision String

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

includes List<Property Map>

A series of access conditions, see Access Groups.

name String

Friendly name of the Access Policy.

precedence Number

The unique precedence for policies on a single application.

accountId String

The account identifier to target for the resource. Conflicts with zone_id.

approvalGroups List<Property Map>
approvalRequired Boolean
excludes List<Property Map>

A series of access conditions, see Access Groups.

purposeJustificationPrompt String

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purposeJustificationRequired Boolean

Whether to prompt the user for a justification for accessing the resource.

requires List<Property Map>

A series of access conditions, see Access Groups.

zoneId String

The zone identifier to target for the resource. Conflicts with account_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessPolicy resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing AccessPolicy Resource

Get an existing AccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessPolicyState, opts?: CustomResourceOptions): AccessPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        application_id: Optional[str] = None,
        approval_groups: Optional[Sequence[AccessPolicyApprovalGroupArgs]] = None,
        approval_required: Optional[bool] = None,
        decision: Optional[str] = None,
        excludes: Optional[Sequence[AccessPolicyExcludeArgs]] = None,
        includes: Optional[Sequence[AccessPolicyIncludeArgs]] = None,
        name: Optional[str] = None,
        precedence: Optional[int] = None,
        purpose_justification_prompt: Optional[str] = None,
        purpose_justification_required: Optional[bool] = None,
        requires: Optional[Sequence[AccessPolicyRequireArgs]] = None,
        zone_id: Optional[str] = None) -> AccessPolicy
func GetAccessPolicy(ctx *Context, name string, id IDInput, state *AccessPolicyState, opts ...ResourceOption) (*AccessPolicy, error)
public static AccessPolicy Get(string name, Input<string> id, AccessPolicyState? state, CustomResourceOptions? opts = null)
public static AccessPolicy get(String name, Output<String> id, AccessPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccountId string

The account identifier to target for the resource. Conflicts with zone_id.

ApplicationId string

The ID of the application the policy is associated with.

ApprovalGroups List<AccessPolicyApprovalGroupArgs>
ApprovalRequired bool
Decision string

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

Excludes List<AccessPolicyExcludeArgs>

A series of access conditions, see Access Groups.

Includes List<AccessPolicyIncludeArgs>

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Policy.

Precedence int

The unique precedence for policies on a single application.

PurposeJustificationPrompt string

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

PurposeJustificationRequired bool

Whether to prompt the user for a justification for accessing the resource.

Requires List<AccessPolicyRequireArgs>

A series of access conditions, see Access Groups.

ZoneId string

The zone identifier to target for the resource. Conflicts with account_id.

AccountId string

The account identifier to target for the resource. Conflicts with zone_id.

ApplicationId string

The ID of the application the policy is associated with.

ApprovalGroups []AccessPolicyApprovalGroupArgs
ApprovalRequired bool
Decision string

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

Excludes []AccessPolicyExcludeArgs

A series of access conditions, see Access Groups.

Includes []AccessPolicyIncludeArgs

A series of access conditions, see Access Groups.

Name string

Friendly name of the Access Policy.

Precedence int

The unique precedence for policies on a single application.

PurposeJustificationPrompt string

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

PurposeJustificationRequired bool

Whether to prompt the user for a justification for accessing the resource.

Requires []AccessPolicyRequireArgs

A series of access conditions, see Access Groups.

ZoneId string

The zone identifier to target for the resource. Conflicts with account_id.

accountId String

The account identifier to target for the resource. Conflicts with zone_id.

applicationId String

The ID of the application the policy is associated with.

approvalGroups List<AccessPolicyApprovalGroupArgs>
approvalRequired Boolean
decision String

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

excludes List<AccessPolicyExcludeArgs>

A series of access conditions, see Access Groups.

includes List<AccessPolicyIncludeArgs>

A series of access conditions, see Access Groups.

name String

Friendly name of the Access Policy.

precedence Integer

The unique precedence for policies on a single application.

purposeJustificationPrompt String

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purposeJustificationRequired Boolean

Whether to prompt the user for a justification for accessing the resource.

requires List<AccessPolicyRequireArgs>

A series of access conditions, see Access Groups.

zoneId String

The zone identifier to target for the resource. Conflicts with account_id.

accountId string

The account identifier to target for the resource. Conflicts with zone_id.

applicationId string

The ID of the application the policy is associated with.

approvalGroups AccessPolicyApprovalGroupArgs[]
approvalRequired boolean
decision string

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

excludes AccessPolicyExcludeArgs[]

A series of access conditions, see Access Groups.

includes AccessPolicyIncludeArgs[]

A series of access conditions, see Access Groups.

name string

Friendly name of the Access Policy.

precedence number

The unique precedence for policies on a single application.

purposeJustificationPrompt string

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purposeJustificationRequired boolean

Whether to prompt the user for a justification for accessing the resource.

requires AccessPolicyRequireArgs[]

A series of access conditions, see Access Groups.

zoneId string

The zone identifier to target for the resource. Conflicts with account_id.

account_id str

The account identifier to target for the resource. Conflicts with zone_id.

application_id str

The ID of the application the policy is associated with.

approval_groups Sequence[AccessPolicyApprovalGroupArgs]
approval_required bool
decision str

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

excludes Sequence[AccessPolicyExcludeArgs]

A series of access conditions, see Access Groups.

includes Sequence[AccessPolicyIncludeArgs]

A series of access conditions, see Access Groups.

name str

Friendly name of the Access Policy.

precedence int

The unique precedence for policies on a single application.

purpose_justification_prompt str

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purpose_justification_required bool

Whether to prompt the user for a justification for accessing the resource.

requires Sequence[AccessPolicyRequireArgs]

A series of access conditions, see Access Groups.

zone_id str

The zone identifier to target for the resource. Conflicts with account_id.

accountId String

The account identifier to target for the resource. Conflicts with zone_id.

applicationId String

The ID of the application the policy is associated with.

approvalGroups List<Property Map>
approvalRequired Boolean
decision String

Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.

excludes List<Property Map>

A series of access conditions, see Access Groups.

includes List<Property Map>

A series of access conditions, see Access Groups.

name String

Friendly name of the Access Policy.

precedence Number

The unique precedence for policies on a single application.

purposeJustificationPrompt String

The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.

purposeJustificationRequired Boolean

Whether to prompt the user for a justification for accessing the resource.

requires List<Property Map>

A series of access conditions, see Access Groups.

zoneId String

The zone identifier to target for the resource. Conflicts with account_id.

Supporting Types

AccessPolicyApprovalGroup

ApprovalsNeeded int

Number of approvals needed.

EmailAddresses List<string>

List of emails to request approval from.

EmailListUuid string
ApprovalsNeeded int

Number of approvals needed.

EmailAddresses []string

List of emails to request approval from.

EmailListUuid string
approvalsNeeded Integer

Number of approvals needed.

emailAddresses List<String>

List of emails to request approval from.

emailListUuid String
approvalsNeeded number

Number of approvals needed.

emailAddresses string[]

List of emails to request approval from.

emailListUuid string
approvals_needed int

Number of approvals needed.

email_addresses Sequence[str]

List of emails to request approval from.

email_list_uuid str
approvalsNeeded Number

Number of approvals needed.

emailAddresses List<String>

List of emails to request approval from.

emailListUuid String

AccessPolicyExclude

AccessPolicyExcludeAzure

IdentityProviderId string
Ids List<string>

The ID of this resource.

IdentityProviderId string
Ids []string

The ID of this resource.

identityProviderId String
ids List<String>

The ID of this resource.

identityProviderId string
ids string[]

The ID of this resource.

identity_provider_id str
ids Sequence[str]

The ID of this resource.

identityProviderId String
ids List<String>

The ID of this resource.

AccessPolicyExcludeExternalEvaluation

EvaluateUrl string
KeysUrl string
EvaluateUrl string
KeysUrl string
evaluateUrl String
keysUrl String
evaluateUrl string
keysUrl string
evaluateUrl String
keysUrl String

AccessPolicyExcludeGithub

IdentityProviderId string
Name string

Friendly name of the Access Policy.

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Policy.

Teams []string
identityProviderId String
name String

Friendly name of the Access Policy.

teams List<String>
identityProviderId string
name string

Friendly name of the Access Policy.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Policy.

teams Sequence[str]
identityProviderId String
name String

Friendly name of the Access Policy.

teams List<String>

AccessPolicyExcludeGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails List<String>
identityProviderId String
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str
emails List<String>
identityProviderId String

AccessPolicyExcludeOkta

IdentityProviderId string
Names List<string>

Friendly name of the Access Policy.

IdentityProviderId string
Names []string

Friendly name of the Access Policy.

identityProviderId String
names List<String>

Friendly name of the Access Policy.

identityProviderId string
names string[]

Friendly name of the Access Policy.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Policy.

identityProviderId String
names List<String>

Friendly name of the Access Policy.

AccessPolicyExcludeSaml

AccessPolicyInclude

AccessPolicyIncludeAzure

IdentityProviderId string
Ids List<string>

The ID of this resource.

IdentityProviderId string
Ids []string

The ID of this resource.

identityProviderId String
ids List<String>

The ID of this resource.

identityProviderId string
ids string[]

The ID of this resource.

identity_provider_id str
ids Sequence[str]

The ID of this resource.

identityProviderId String
ids List<String>

The ID of this resource.

AccessPolicyIncludeExternalEvaluation

EvaluateUrl string
KeysUrl string
EvaluateUrl string
KeysUrl string
evaluateUrl String
keysUrl String
evaluateUrl string
keysUrl string
evaluateUrl String
keysUrl String

AccessPolicyIncludeGithub

IdentityProviderId string
Name string

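Friendly name of the Access Policy. (This description appears to be carried over from the resource's top-level `name` argument. Inside a GitHub rule, `Name` most likely identifies the GitHub organization to match, with `Teams` narrowing it to specific teams; confirm against the Cloudflare provider schema, since an include rule scoped to the wrong organization admits the wrong identities.)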

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Policy.

Teams []string
identityProviderId String
name String

Friendly name of the Access Policy.

teams List<String>
identityProviderId string
name string

Friendly name of the Access Policy.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Policy.

teams Sequence[str]
identityProviderId String
name String

Friendly name of the Access Policy.

teams List<String>

AccessPolicyIncludeGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails List<String>
identityProviderId String
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str
emails List<String>
identityProviderId String

AccessPolicyIncludeOkta

IdentityProviderId string
Names List<string>

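Friendly name of the Access Policy. (This description appears to be carried over from the resource's top-level `name` argument. Inside an Okta rule, `Names` most likely lists the Okta group names to match; confirm against the Cloudflare provider schema, since an include rule scoped to the wrong group admits the wrong identities.)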

IdentityProviderId string
Names []string

Friendly name of the Access Policy.

identityProviderId String
names List<String>

Friendly name of the Access Policy.

identityProviderId string
names string[]

Friendly name of the Access Policy.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Policy.

identityProviderId String
names List<String>

Friendly name of the Access Policy.

AccessPolicyIncludeSaml

AccessPolicyRequire

AccessPolicyRequireAzure

IdentityProviderId string
Ids List<string>

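The ID of this resource. (This wording appears to be the generic resource-ID description. Inside an Azure rule, `Ids` most likely lists the Azure group IDs to match for the identity provider given in `IdentityProviderId`; confirm against the Cloudflare provider schema, since this value decides which membership the require rule enforces.)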

IdentityProviderId string
Ids []string

The ID of this resource.

identityProviderId String
ids List<String>

The ID of this resource.

identityProviderId string
ids string[]

The ID of this resource.

identity_provider_id str
ids Sequence[str]

The ID of this resource.

identityProviderId String
ids List<String>

The ID of this resource.

AccessPolicyRequireExternalEvaluation

EvaluateUrl string
KeysUrl string
EvaluateUrl string
KeysUrl string
evaluateUrl String
keysUrl String
evaluateUrl string
keysUrl string
evaluateUrl String
keysUrl String

AccessPolicyRequireGithub

IdentityProviderId string
Name string

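Friendly name of the Access Policy. (This description appears to be carried over from the resource's top-level `name` argument. Inside a GitHub rule, `Name` most likely identifies the GitHub organization to match, with `Teams` narrowing it to specific teams; confirm against the Cloudflare provider schema, since this value decides which membership the require rule enforces.)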

Teams List<string>
IdentityProviderId string
Name string

Friendly name of the Access Policy.

Teams []string
identityProviderId String
name String

Friendly name of the Access Policy.

teams List<String>
identityProviderId string
name string

Friendly name of the Access Policy.

teams string[]
identity_provider_id str
name str

Friendly name of the Access Policy.

teams Sequence[str]
identityProviderId String
name String

Friendly name of the Access Policy.

teams List<String>

AccessPolicyRequireGsuite

Emails List<string>
IdentityProviderId string
Emails []string
IdentityProviderId string
emails List<String>
identityProviderId String
emails string[]
identityProviderId string
emails Sequence[str]
identity_provider_id str
emails List<String>
identityProviderId String

AccessPolicyRequireOkta

IdentityProviderId string
Names List<string>

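Friendly name of the Access Policy. (This description appears to be carried over from the resource's top-level `name` argument. Inside an Okta rule, `Names` most likely lists the Okta group names to match; confirm against the Cloudflare provider schema, since this value decides which membership the require rule enforces.)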

IdentityProviderId string
Names []string

Friendly name of the Access Policy.

identityProviderId String
names List<String>

Friendly name of the Access Policy.

identityProviderId string
names string[]

Friendly name of the Access Policy.

identity_provider_id str
names Sequence[str]

Friendly name of the Access Policy.

identityProviderId String
names List<String>

Friendly name of the Access Policy.

AccessPolicyRequireSaml

Import

Account level import.

 $ pulumi import cloudflare:index/accessPolicy:AccessPolicy example account/<account_id>/<application_id>/<policy_id>

Zone level import.

 $ pulumi import cloudflare:index/accessPolicy:AccessPolicy example zone/<zone_id>/<application_id>/<policy_id>

Package Details

Repository
https://github.com/pulumi/pulumi-cloudflare
License
Apache-2.0
Notes

This Pulumi package is based on the Cloudflare Terraform Provider.