Cloudflare

v4.12.1 published on Thursday, Sep 22, 2022 by Pulumi

AccessRule

Provides a Cloudflare IP Firewall Access Rule resource. Access control can be applied on basis of IP addresses, IP ranges, AS numbers or countries.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

return await Deployment.RunAsync(() => 
{
    // Challenge requests coming from known Tor exit nodes.
    var torExitNodes = new Cloudflare.AccessRule("torExitNodes", new()
    {
        ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
        Notes = "Requests coming from known Tor exit nodes",
        Mode = "challenge",
        Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
        {
            Target = "country",
            Value = "T1",
        },
    });

    // Allowlist requests coming from Antarctica, but only for single zone.
    var antarctica = new Cloudflare.AccessRule("antarctica", new()
    {
        ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
        Notes = "Requests coming from Antarctica",
        Mode = "whitelist",
        Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
        {
            Target = "country",
            Value = "AQ",
        },
    });

    var config = new Config();
    var myOffice = config.GetObject<dynamic>("myOffice") ?? new[]
    {
        "192.0.2.0/24",
        "198.51.100.0/24",
        "2001:db8::/56",
    };
    var officeNetwork = new List<Cloudflare.AccessRule>();
    for (var rangeIndex = 0; rangeIndex < myOffice.Length; rangeIndex++)
    {
        var range = new { Value = rangeIndex };
        officeNetwork.Add(new Cloudflare.AccessRule($"officeNetwork-{range.Value}", new()
        {
            AccountId = "f037e56e89293a057740de681ac9abbe",
            Notes = "Requests coming from office network",
            Mode = "whitelist",
            Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
            {
                Target = "ip_range",
                Value = myOffice[count.Index],
            },
        }));
    }
});

Coming soon!

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudflare.AccessRule;
import com.pulumi.cloudflare.AccessRuleArgs;
import com.pulumi.cloudflare.inputs.AccessRuleConfigurationArgs;
import com.pulumi.codegen.internal.KeyedValue;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = ctx.config();
        var torExitNodes = new AccessRule("torExitNodes", AccessRuleArgs.builder()        
            .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
            .notes("Requests coming from known Tor exit nodes")
            .mode("challenge")
            .configuration(AccessRuleConfigurationArgs.builder()
                .target("country")
                .value("T1")
                .build())
            .build());

        var antarctica = new AccessRule("antarctica", AccessRuleArgs.builder()        
            .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
            .notes("Requests coming from Antarctica")
            .mode("whitelist")
            .configuration(AccessRuleConfigurationArgs.builder()
                .target("country")
                .value("AQ")
                .build())
            .build());

        final var myOffice = config.get("myOffice").orElse(        
            "192.0.2.0/24",
            "198.51.100.0/24",
            "2001:db8::/56");
        for (var i = 0; i < myOffice.length(); i++) {
            new AccessRule("officeNetwork-" + i, AccessRuleArgs.builder()            
                .accountId("f037e56e89293a057740de681ac9abbe")
                .notes("Requests coming from office network")
                .mode("whitelist")
                .configuration(AccessRuleConfigurationArgs.builder()
                    .target("ip_range")
                    .value(myOffice[count.index()])
                    .build())
                .build());

        
}
    }
}
import pulumi
import pulumi_cloudflare as cloudflare

# Challenge requests coming from known Tor exit nodes.
tor_exit_nodes = cloudflare.AccessRule("torExitNodes",
    zone_id="0da42c8d2132a9ddaf714f9e7c920711",
    notes="Requests coming from known Tor exit nodes",
    mode="challenge",
    configuration=cloudflare.AccessRuleConfigurationArgs(
        target="country",
        value="T1",
    ))
# Allowlist requests coming from Antarctica, but only for single zone.
antarctica = cloudflare.AccessRule("antarctica",
    zone_id="0da42c8d2132a9ddaf714f9e7c920711",
    notes="Requests coming from Antarctica",
    mode="whitelist",
    configuration=cloudflare.AccessRuleConfigurationArgs(
        target="country",
        value="AQ",
    ))
config = pulumi.Config()
my_office = config.get_object("myOffice")
if my_office is None:
    my_office = [
        "192.0.2.0/24",
        "198.51.100.0/24",
        "2001:db8::/56",
    ]
office_network = []
for range in [{"value": i} for i in range(0, len(my_office))]:
    office_network.append(cloudflare.AccessRule(f"officeNetwork-{range['value']}",
        account_id="f037e56e89293a057740de681ac9abbe",
        notes="Requests coming from office network",
        mode="whitelist",
        configuration=cloudflare.AccessRuleConfigurationArgs(
            target="ip_range",
            value=my_office[count["index"]],
        )))
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

// Challenge requests coming from known Tor exit nodes.
const torExitNodes = new cloudflare.AccessRule("torExitNodes", {
    zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
    notes: "Requests coming from known Tor exit nodes",
    mode: "challenge",
    configuration: {
        target: "country",
        value: "T1",
    },
});
// Allowlist requests coming from Antarctica, but only for single zone.
const antarctica = new cloudflare.AccessRule("antarctica", {
    zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
    notes: "Requests coming from Antarctica",
    mode: "whitelist",
    configuration: {
        target: "country",
        value: "AQ",
    },
});
const config = new pulumi.Config();
const myOffice = config.getObject("myOffice") || [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8::/56",
];
const officeNetwork: cloudflare.AccessRule[];
for (const range = {value: 0}; range.value < myOffice.length; range.value++) {
    officeNetwork.push(new cloudflare.AccessRule(`officeNetwork-${range.value}`, {
        accountId: "f037e56e89293a057740de681ac9abbe",
        notes: "Requests coming from office network",
        mode: "whitelist",
        configuration: {
            target: "ip_range",
            value: myOffice[count.index],
        },
    }));
}
configuration:
  # Allowlist office's network IP ranges on all account zones (or other lists of
  # resources).
  myOffice:
    type: list(string)
    default:
      - 192.0.2.0/24
      - 198.51.100.0/24
      - 2001:db8::/56
resources:
  # Challenge requests coming from known Tor exit nodes.
  torExitNodes:
    type: cloudflare:AccessRule
    properties:
      zoneId: 0da42c8d2132a9ddaf714f9e7c920711
      notes: Requests coming from known Tor exit nodes
      mode: challenge
      configuration:
        target: country
        value: T1
  # Allowlist requests coming from Antarctica, but only for single zone.
  antarctica:
    type: cloudflare:AccessRule
    properties:
      zoneId: 0da42c8d2132a9ddaf714f9e7c920711
      notes: Requests coming from Antarctica
      mode: whitelist
      configuration:
        target: country
        value: AQ
  officeNetwork:
    type: cloudflare:AccessRule
    properties:
      accountId: f037e56e89293a057740de681ac9abbe
      notes: Requests coming from office network
      mode: whitelist
      configuration:
        target: ip_range
        value:
          Fn::Select:
            - ${count.index}
            - ${myOffice}
    options: {}

Create a AccessRule Resource

new AccessRule(name: string, args: AccessRuleArgs, opts?: CustomResourceOptions);
@overload
def AccessRule(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               account_id: Optional[str] = None,
               configuration: Optional[AccessRuleConfigurationArgs] = None,
               mode: Optional[str] = None,
               notes: Optional[str] = None,
               zone_id: Optional[str] = None)
@overload
def AccessRule(resource_name: str,
               args: AccessRuleArgs,
               opts: Optional[ResourceOptions] = None)
func NewAccessRule(ctx *Context, name string, args AccessRuleArgs, opts ...ResourceOption) (*AccessRule, error)
public AccessRule(string name, AccessRuleArgs args, CustomResourceOptions? opts = null)
public AccessRule(String name, AccessRuleArgs args)
public AccessRule(String name, AccessRuleArgs args, CustomResourceOptions options)
type: cloudflare:AccessRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AccessRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AccessRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AccessRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AccessRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AccessRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AccessRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AccessRule resource accepts the following input properties:

Configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

Mode string

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

AccountId string

The account identifier to target for the resource.

Notes string

A personal note about the rule. Typically used as a reminder or explanation for the rule.

ZoneId string

The zone identifier to target for the resource.

Configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

Mode string

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

AccountId string

The account identifier to target for the resource.

Notes string

A personal note about the rule. Typically used as a reminder or explanation for the rule.

ZoneId string

The zone identifier to target for the resource.

configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

mode String

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

accountId String

The account identifier to target for the resource.

notes String

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zoneId String

The zone identifier to target for the resource.

configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

mode string

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

accountId string

The account identifier to target for the resource.

notes string

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zoneId string

The zone identifier to target for the resource.

configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

mode str

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

account_id str

The account identifier to target for the resource.

notes str

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zone_id str

The zone identifier to target for the resource.

configuration Property Map

Rule configuration to apply to a matched request.

mode String

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

accountId String

The account identifier to target for the resource.

notes String

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zoneId String

The zone identifier to target for the resource.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessRule resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing AccessRule Resource

Get an existing AccessRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessRuleState, opts?: CustomResourceOptions): AccessRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        configuration: Optional[AccessRuleConfigurationArgs] = None,
        mode: Optional[str] = None,
        notes: Optional[str] = None,
        zone_id: Optional[str] = None) -> AccessRule
func GetAccessRule(ctx *Context, name string, id IDInput, state *AccessRuleState, opts ...ResourceOption) (*AccessRule, error)
public static AccessRule Get(string name, Input<string> id, AccessRuleState? state, CustomResourceOptions? opts = null)
public static AccessRule get(String name, Output<String> id, AccessRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccountId string

The account identifier to target for the resource.

Configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

Mode string

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

Notes string

A personal note about the rule. Typically used as a reminder or explanation for the rule.

ZoneId string

The zone identifier to target for the resource.

AccountId string

The account identifier to target for the resource.

Configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

Mode string

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

Notes string

A personal note about the rule. Typically used as a reminder or explanation for the rule.

ZoneId string

The zone identifier to target for the resource.

accountId String

The account identifier to target for the resource.

configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

mode String

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

notes String

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zoneId String

The zone identifier to target for the resource.

accountId string

The account identifier to target for the resource.

configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

mode string

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

notes string

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zoneId string

The zone identifier to target for the resource.

account_id str

The account identifier to target for the resource.

configuration AccessRuleConfigurationArgs

Rule configuration to apply to a matched request.

mode str

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

notes str

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zone_id str

The zone identifier to target for the resource.

accountId String

The account identifier to target for the resource.

configuration Property Map

Rule configuration to apply to a matched request.

mode String

The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.

notes String

A personal note about the rule. Typically used as a reminder or explanation for the rule.

zoneId String

The zone identifier to target for the resource.

Supporting Types

AccessRuleConfiguration

Target string

The request property to target. Available values: ip, ip6, ip_range, asn, country.

Value string

The value to target. Depends on target's type.

Target string

The request property to target. Available values: ip, ip6, ip_range, asn, country.

Value string

The value to target. Depends on target's type.

target String

The request property to target. Available values: ip, ip6, ip_range, asn, country.

value String

The value to target. Depends on target's type.

target string

The request property to target. Available values: ip, ip6, ip_range, asn, country.

value string

The value to target. Depends on target's type.

target str

The request property to target. Available values: ip, ip6, ip_range, asn, country.

value str

The value to target. Depends on target's type.

target String

The request property to target. Available values: ip, ip6, ip_range, asn, country.

value String

The value to target. Depends on target's type.

Import

User level access rule import.

 $ pulumi import cloudflare:index/accessRule:AccessRule default user/<user_id>/<rule_id>

Zone level access rule import.

 $ pulumi import cloudflare:index/accessRule:AccessRule default zone/<zone_id>/<rule_id>

Account level access rule import.

 $ pulumi import cloudflare:index/accessRule:AccessRule default account/<account_id>/<rule_id>

Package Details

Repository
https://github.com/pulumi/pulumi-cloudflare
License
Apache-2.0
Notes

This Pulumi package is based on the cloudflare Terraform Provider.