cloudflare.ZeroTrustOrganization

Cloudflare v6.15.0, May 2 26

Viewing docs for Cloudflare v6.15.0
published on Saturday, May 2, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-cloudflare

Viewing docs for Cloudflare v6.15.0
published on Saturday, May 2, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-cloudflare

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

const exampleZeroTrustOrganization = new cloudflare.ZeroTrustOrganization("example_zero_trust_organization", {
    zoneId: "zone_id",
    allowAuthenticateViaWarp: true,
    authDomain: "test.cloudflareaccess.com",
    autoRedirectToIdentity: true,
    customPages: {
        forbidden: "699d98642c564d2e855e9661899b7252",
        identityDenied: "699d98642c564d2e855e9661899b7252",
    },
    denyUnmatchedRequests: true,
    denyUnmatchedRequestsExemptedZoneNames: ["example.com"],
    isUiReadOnly: true,
    loginDesign: {
        backgroundColor: "#c5ed1b",
        footerText: "This is an example description.",
        headerText: "This is an example description.",
        logoPath: "https://example.com/logo.png",
        textColor: "#c5ed1b",
    },
    mfaConfig: {
        allowedAuthenticators: [
            "totp",
            "biometrics",
            "security_key",
        ],
        amrMatchingSessionDuration: "12h",
        requiredAaguids: "2fc0579f-8113-47ea-b116-bb5a8db9202a",
        sessionDuration: "24h",
    },
    mfaRequiredForAllApps: false,
    mfaSshPivKeyRequirements: {
        pinPolicy: "always",
        requireFipsDevice: true,
        sshKeySizes: [
            256,
            2048,
        ],
        sshKeyTypes: [
            "ecdsa",
            "rsa",
        ],
        touchPolicy: "always",
    },
    name: "Widget Corps Internal Applications",
    sessionDuration: "24h",
    uiReadOnlyToggleReason: "Temporarily turn off the UI read only lock to make a change via the UI",
    userSeatExpirationInactiveTime: "730h",
    warpAuthSessionDuration: "24h",
});

import pulumi
import pulumi_cloudflare as cloudflare

example_zero_trust_organization = cloudflare.ZeroTrustOrganization("example_zero_trust_organization",
    zone_id="zone_id",
    allow_authenticate_via_warp=True,
    auth_domain="test.cloudflareaccess.com",
    auto_redirect_to_identity=True,
    custom_pages={
        "forbidden": "699d98642c564d2e855e9661899b7252",
        "identity_denied": "699d98642c564d2e855e9661899b7252",
    },
    deny_unmatched_requests=True,
    deny_unmatched_requests_exempted_zone_names=["example.com"],
    is_ui_read_only=True,
    login_design={
        "background_color": "#c5ed1b",
        "footer_text": "This is an example description.",
        "header_text": "This is an example description.",
        "logo_path": "https://example.com/logo.png",
        "text_color": "#c5ed1b",
    },
    mfa_config={
        "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key",
        ],
        "amr_matching_session_duration": "12h",
        "required_aaguids": "2fc0579f-8113-47ea-b116-bb5a8db9202a",
        "session_duration": "24h",
    },
    mfa_required_for_all_apps=False,
    mfa_ssh_piv_key_requirements={
        "pin_policy": "always",
        "require_fips_device": True,
        "ssh_key_sizes": [
            256,
            2048,
        ],
        "ssh_key_types": [
            "ecdsa",
            "rsa",
        ],
        "touch_policy": "always",
    },
    name="Widget Corps Internal Applications",
    session_duration="24h",
    ui_read_only_toggle_reason="Temporarily turn off the UI read only lock to make a change via the UI",
    user_seat_expiration_inactive_time="730h",
    warp_auth_session_duration="24h")

package main

import (
	"github.com/pulumi/pulumi-cloudflare/sdk/v6/go/cloudflare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cloudflare.NewZeroTrustOrganization(ctx, "example_zero_trust_organization", &cloudflare.ZeroTrustOrganizationArgs{
			ZoneId:                   pulumi.String("zone_id"),
			AllowAuthenticateViaWarp: pulumi.Bool(true),
			AuthDomain:               pulumi.String("test.cloudflareaccess.com"),
			AutoRedirectToIdentity:   pulumi.Bool(true),
			CustomPages: &cloudflare.ZeroTrustOrganizationCustomPagesArgs{
				Forbidden:      pulumi.String("699d98642c564d2e855e9661899b7252"),
				IdentityDenied: pulumi.String("699d98642c564d2e855e9661899b7252"),
			},
			DenyUnmatchedRequests: pulumi.Bool(true),
			DenyUnmatchedRequestsExemptedZoneNames: pulumi.StringArray{
				pulumi.String("example.com"),
			},
			IsUiReadOnly: pulumi.Bool(true),
			LoginDesign: &cloudflare.ZeroTrustOrganizationLoginDesignArgs{
				BackgroundColor: pulumi.String("#c5ed1b"),
				FooterText:      pulumi.String("This is an example description."),
				HeaderText:      pulumi.String("This is an example description."),
				LogoPath:        pulumi.String("https://example.com/logo.png"),
				TextColor:       pulumi.String("#c5ed1b"),
			},
			MfaConfig: &cloudflare.ZeroTrustOrganizationMfaConfigArgs{
				AllowedAuthenticators: pulumi.StringArray{
					pulumi.String("totp"),
					pulumi.String("biometrics"),
					pulumi.String("security_key"),
				},
				AmrMatchingSessionDuration: pulumi.String("12h"),
				RequiredAaguids:            pulumi.String("2fc0579f-8113-47ea-b116-bb5a8db9202a"),
				SessionDuration:            pulumi.String("24h"),
			},
			MfaRequiredForAllApps: pulumi.Bool(false),
			MfaSshPivKeyRequirements: &cloudflare.ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs{
				PinPolicy:         pulumi.String("always"),
				RequireFipsDevice: pulumi.Bool(true),
				SshKeySizes: pulumi.IntArray{
					pulumi.Int(256),
					pulumi.Int(2048),
				},
				SshKeyTypes: pulumi.StringArray{
					pulumi.String("ecdsa"),
					pulumi.String("rsa"),
				},
				TouchPolicy: pulumi.String("always"),
			},
			Name:                           pulumi.String("Widget Corps Internal Applications"),
			SessionDuration:                pulumi.String("24h"),
			UiReadOnlyToggleReason:         pulumi.String("Temporarily turn off the UI read only lock to make a change via the UI"),
			UserSeatExpirationInactiveTime: pulumi.String("730h"),
			WarpAuthSessionDuration:        pulumi.String("24h"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

return await Deployment.RunAsync(() => 
{
    var exampleZeroTrustOrganization = new Cloudflare.Index.ZeroTrustOrganization("example_zero_trust_organization", new()
    {
        ZoneId = "zone_id",
        AllowAuthenticateViaWarp = true,
        AuthDomain = "test.cloudflareaccess.com",
        AutoRedirectToIdentity = true,
        CustomPages = new Cloudflare.Inputs.ZeroTrustOrganizationCustomPagesArgs
        {
            Forbidden = "699d98642c564d2e855e9661899b7252",
            IdentityDenied = "699d98642c564d2e855e9661899b7252",
        },
        DenyUnmatchedRequests = true,
        DenyUnmatchedRequestsExemptedZoneNames = new[]
        {
            "example.com",
        },
        IsUiReadOnly = true,
        LoginDesign = new Cloudflare.Inputs.ZeroTrustOrganizationLoginDesignArgs
        {
            BackgroundColor = "#c5ed1b",
            FooterText = "This is an example description.",
            HeaderText = "This is an example description.",
            LogoPath = "https://example.com/logo.png",
            TextColor = "#c5ed1b",
        },
        MfaConfig = new Cloudflare.Inputs.ZeroTrustOrganizationMfaConfigArgs
        {
            AllowedAuthenticators = new[]
            {
                "totp",
                "biometrics",
                "security_key",
            },
            AmrMatchingSessionDuration = "12h",
            RequiredAaguids = "2fc0579f-8113-47ea-b116-bb5a8db9202a",
            SessionDuration = "24h",
        },
        MfaRequiredForAllApps = false,
        MfaSshPivKeyRequirements = new Cloudflare.Inputs.ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs
        {
            PinPolicy = "always",
            RequireFipsDevice = true,
            SshKeySizes = new[]
            {
                256,
                2048,
            },
            SshKeyTypes = new[]
            {
                "ecdsa",
                "rsa",
            },
            TouchPolicy = "always",
        },
        Name = "Widget Corps Internal Applications",
        SessionDuration = "24h",
        UiReadOnlyToggleReason = "Temporarily turn off the UI read only lock to make a change via the UI",
        UserSeatExpirationInactiveTime = "730h",
        WarpAuthSessionDuration = "24h",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudflare.ZeroTrustOrganization;
import com.pulumi.cloudflare.ZeroTrustOrganizationArgs;
import com.pulumi.cloudflare.inputs.ZeroTrustOrganizationCustomPagesArgs;
import com.pulumi.cloudflare.inputs.ZeroTrustOrganizationLoginDesignArgs;
import com.pulumi.cloudflare.inputs.ZeroTrustOrganizationMfaConfigArgs;
import com.pulumi.cloudflare.inputs.ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var exampleZeroTrustOrganization = new ZeroTrustOrganization("exampleZeroTrustOrganization", ZeroTrustOrganizationArgs.builder()
            .zoneId("zone_id")
            .allowAuthenticateViaWarp(true)
            .authDomain("test.cloudflareaccess.com")
            .autoRedirectToIdentity(true)
            .customPages(ZeroTrustOrganizationCustomPagesArgs.builder()
                .forbidden("699d98642c564d2e855e9661899b7252")
                .identityDenied("699d98642c564d2e855e9661899b7252")
                .build())
            .denyUnmatchedRequests(true)
            .denyUnmatchedRequestsExemptedZoneNames("example.com")
            .isUiReadOnly(true)
            .loginDesign(ZeroTrustOrganizationLoginDesignArgs.builder()
                .backgroundColor("#c5ed1b")
                .footerText("This is an example description.")
                .headerText("This is an example description.")
                .logoPath("https://example.com/logo.png")
                .textColor("#c5ed1b")
                .build())
            .mfaConfig(ZeroTrustOrganizationMfaConfigArgs.builder()
                .allowedAuthenticators(                
                    "totp",
                    "biometrics",
                    "security_key")
                .amrMatchingSessionDuration("12h")
                .requiredAaguids("2fc0579f-8113-47ea-b116-bb5a8db9202a")
                .sessionDuration("24h")
                .build())
            .mfaRequiredForAllApps(false)
            .mfaSshPivKeyRequirements(ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs.builder()
                .pinPolicy("always")
                .requireFipsDevice(true)
                .sshKeySizes(                
                    256,
                    2048)
                .sshKeyTypes(                
                    "ecdsa",
                    "rsa")
                .touchPolicy("always")
                .build())
            .name("Widget Corps Internal Applications")
            .sessionDuration("24h")
            .uiReadOnlyToggleReason("Temporarily turn off the UI read only lock to make a change via the UI")
            .userSeatExpirationInactiveTime("730h")
            .warpAuthSessionDuration("24h")
            .build());

    }
}

resources:
  exampleZeroTrustOrganization:
    type: cloudflare:ZeroTrustOrganization
    name: example_zero_trust_organization
    properties:
      zoneId: zone_id
      allowAuthenticateViaWarp: true
      authDomain: test.cloudflareaccess.com
      autoRedirectToIdentity: true
      customPages:
        forbidden: 699d98642c564d2e855e9661899b7252
        identityDenied: 699d98642c564d2e855e9661899b7252
      denyUnmatchedRequests: true
      denyUnmatchedRequestsExemptedZoneNames:
        - example.com
      isUiReadOnly: true
      loginDesign:
        backgroundColor: '#c5ed1b'
        footerText: This is an example description.
        headerText: This is an example description.
        logoPath: https://example.com/logo.png
        textColor: '#c5ed1b'
      mfaConfig:
        allowedAuthenticators:
          - totp
          - biometrics
          - security_key
        amrMatchingSessionDuration: 12h
        requiredAaguids: 2fc0579f-8113-47ea-b116-bb5a8db9202a
        sessionDuration: 24h
      mfaRequiredForAllApps: false
      mfaSshPivKeyRequirements:
        pinPolicy: always
        requireFipsDevice: true
        sshKeySizes:
          - 256
          - 2048
        sshKeyTypes:
          - ecdsa
          - rsa
        touchPolicy: always
      name: Widget Corps Internal Applications
      sessionDuration: 24h
      uiReadOnlyToggleReason: Temporarily turn off the UI read only lock to make a change via the UI
      userSeatExpirationInactiveTime: 730h
      warpAuthSessionDuration: 24h

Example coming soon!

Create ZeroTrustOrganization Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ZeroTrustOrganization(name: string, args?: ZeroTrustOrganizationArgs, opts?: CustomResourceOptions);

@overload
def ZeroTrustOrganization(resource_name: str,
                          args: Optional[ZeroTrustOrganizationArgs] = None,
                          opts: Optional[ResourceOptions] = None)

@overload
def ZeroTrustOrganization(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          account_id: Optional[str] = None,
                          allow_authenticate_via_warp: Optional[bool] = None,
                          auth_domain: Optional[str] = None,
                          auto_redirect_to_identity: Optional[bool] = None,
                          custom_pages: Optional[ZeroTrustOrganizationCustomPagesArgs] = None,
                          deny_unmatched_requests: Optional[bool] = None,
                          deny_unmatched_requests_exempted_zone_names: Optional[Sequence[str]] = None,
                          is_ui_read_only: Optional[bool] = None,
                          login_design: Optional[ZeroTrustOrganizationLoginDesignArgs] = None,
                          mfa_config: Optional[ZeroTrustOrganizationMfaConfigArgs] = None,
                          mfa_configuration_allowed: Optional[bool] = None,
                          mfa_required_for_all_apps: Optional[bool] = None,
                          mfa_ssh_piv_key_requirements: Optional[ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs] = None,
                          name: Optional[str] = None,
                          session_duration: Optional[str] = None,
                          ui_read_only_toggle_reason: Optional[str] = None,
                          user_seat_expiration_inactive_time: Optional[str] = None,
                          warp_auth_session_duration: Optional[str] = None,
                          zone_id: Optional[str] = None)

func NewZeroTrustOrganization(ctx *Context, name string, args *ZeroTrustOrganizationArgs, opts ...ResourceOption) (*ZeroTrustOrganization, error)

public ZeroTrustOrganization(string name, ZeroTrustOrganizationArgs? args = null, CustomResourceOptions? opts = null)

public ZeroTrustOrganization(String name, ZeroTrustOrganizationArgs args)
public ZeroTrustOrganization(String name, ZeroTrustOrganizationArgs args, CustomResourceOptions options)

type: cloudflare:ZeroTrustOrganization
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

resource "cloudflare_zerotrustorganization" "name" {
    # resource properties
}

Parameters

name string: The unique name of the resource.
args ZeroTrustOrganizationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ZeroTrustOrganizationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ZeroTrustOrganizationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ZeroTrustOrganizationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ZeroTrustOrganizationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var zeroTrustOrganizationResource = new Cloudflare.ZeroTrustOrganization("zeroTrustOrganizationResource", new()
{
    AccountId = "string",
    AllowAuthenticateViaWarp = false,
    AuthDomain = "string",
    AutoRedirectToIdentity = false,
    CustomPages = new Cloudflare.Inputs.ZeroTrustOrganizationCustomPagesArgs
    {
        Forbidden = "string",
        IdentityDenied = "string",
    },
    DenyUnmatchedRequests = false,
    DenyUnmatchedRequestsExemptedZoneNames = new[]
    {
        "string",
    },
    IsUiReadOnly = false,
    LoginDesign = new Cloudflare.Inputs.ZeroTrustOrganizationLoginDesignArgs
    {
        BackgroundColor = "string",
        FooterText = "string",
        HeaderText = "string",
        LogoPath = "string",
        TextColor = "string",
    },
    MfaConfig = new Cloudflare.Inputs.ZeroTrustOrganizationMfaConfigArgs
    {
        AllowedAuthenticators = new[]
        {
            "string",
        },
        AmrMatchingSessionDuration = "string",
        RequiredAaguids = "string",
        SessionDuration = "string",
    },
    MfaConfigurationAllowed = false,
    MfaRequiredForAllApps = false,
    MfaSshPivKeyRequirements = new Cloudflare.Inputs.ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs
    {
        PinPolicy = "string",
        RequireFipsDevice = false,
        SshKeySizes = new[]
        {
            0,
        },
        SshKeyTypes = new[]
        {
            "string",
        },
        TouchPolicy = "string",
    },
    Name = "string",
    SessionDuration = "string",
    UiReadOnlyToggleReason = "string",
    UserSeatExpirationInactiveTime = "string",
    WarpAuthSessionDuration = "string",
    ZoneId = "string",
});

example, err := cloudflare.NewZeroTrustOrganization(ctx, "zeroTrustOrganizationResource", &cloudflare.ZeroTrustOrganizationArgs{
	AccountId:                pulumi.String("string"),
	AllowAuthenticateViaWarp: pulumi.Bool(false),
	AuthDomain:               pulumi.String("string"),
	AutoRedirectToIdentity:   pulumi.Bool(false),
	CustomPages: &cloudflare.ZeroTrustOrganizationCustomPagesArgs{
		Forbidden:      pulumi.String("string"),
		IdentityDenied: pulumi.String("string"),
	},
	DenyUnmatchedRequests: pulumi.Bool(false),
	DenyUnmatchedRequestsExemptedZoneNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	IsUiReadOnly: pulumi.Bool(false),
	LoginDesign: &cloudflare.ZeroTrustOrganizationLoginDesignArgs{
		BackgroundColor: pulumi.String("string"),
		FooterText:      pulumi.String("string"),
		HeaderText:      pulumi.String("string"),
		LogoPath:        pulumi.String("string"),
		TextColor:       pulumi.String("string"),
	},
	MfaConfig: &cloudflare.ZeroTrustOrganizationMfaConfigArgs{
		AllowedAuthenticators: pulumi.StringArray{
			pulumi.String("string"),
		},
		AmrMatchingSessionDuration: pulumi.String("string"),
		RequiredAaguids:            pulumi.String("string"),
		SessionDuration:            pulumi.String("string"),
	},
	MfaConfigurationAllowed: pulumi.Bool(false),
	MfaRequiredForAllApps:   pulumi.Bool(false),
	MfaSshPivKeyRequirements: &cloudflare.ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs{
		PinPolicy:         pulumi.String("string"),
		RequireFipsDevice: pulumi.Bool(false),
		SshKeySizes: pulumi.IntArray{
			pulumi.Int(0),
		},
		SshKeyTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		TouchPolicy: pulumi.String("string"),
	},
	Name:                           pulumi.String("string"),
	SessionDuration:                pulumi.String("string"),
	UiReadOnlyToggleReason:         pulumi.String("string"),
	UserSeatExpirationInactiveTime: pulumi.String("string"),
	WarpAuthSessionDuration:        pulumi.String("string"),
	ZoneId:                         pulumi.String("string"),
})

resource "cloudflare_zerotrustorganization" "zeroTrustOrganizationResource" {
  account_id                  = "string"
  allow_authenticate_via_warp = false
  auth_domain                 = "string"
  auto_redirect_to_identity   = false
  custom_pages = {
    forbidden       = "string"
    identity_denied = "string"
  }
  deny_unmatched_requests                     = false
  deny_unmatched_requests_exempted_zone_names = ["string"]
  is_ui_read_only                             = false
  login_design = {
    background_color = "string"
    footer_text      = "string"
    header_text      = "string"
    logo_path        = "string"
    text_color       = "string"
  }
  mfa_config = {
    allowed_authenticators        = ["string"]
    amr_matching_session_duration = "string"
    required_aaguids              = "string"
    session_duration              = "string"
  }
  mfa_configuration_allowed = false
  mfa_required_for_all_apps = false
  mfa_ssh_piv_key_requirements = {
    pin_policy          = "string"
    require_fips_device = false
    ssh_key_sizes       = [0]
    ssh_key_types       = ["string"]
    touch_policy        = "string"
  }
  name                               = "string"
  session_duration                   = "string"
  ui_read_only_toggle_reason         = "string"
  user_seat_expiration_inactive_time = "string"
  warp_auth_session_duration         = "string"
  zone_id                            = "string"
}

var zeroTrustOrganizationResource = new ZeroTrustOrganization("zeroTrustOrganizationResource", ZeroTrustOrganizationArgs.builder()
    .accountId("string")
    .allowAuthenticateViaWarp(false)
    .authDomain("string")
    .autoRedirectToIdentity(false)
    .customPages(ZeroTrustOrganizationCustomPagesArgs.builder()
        .forbidden("string")
        .identityDenied("string")
        .build())
    .denyUnmatchedRequests(false)
    .denyUnmatchedRequestsExemptedZoneNames("string")
    .isUiReadOnly(false)
    .loginDesign(ZeroTrustOrganizationLoginDesignArgs.builder()
        .backgroundColor("string")
        .footerText("string")
        .headerText("string")
        .logoPath("string")
        .textColor("string")
        .build())
    .mfaConfig(ZeroTrustOrganizationMfaConfigArgs.builder()
        .allowedAuthenticators("string")
        .amrMatchingSessionDuration("string")
        .requiredAaguids("string")
        .sessionDuration("string")
        .build())
    .mfaConfigurationAllowed(false)
    .mfaRequiredForAllApps(false)
    .mfaSshPivKeyRequirements(ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs.builder()
        .pinPolicy("string")
        .requireFipsDevice(false)
        .sshKeySizes(0)
        .sshKeyTypes("string")
        .touchPolicy("string")
        .build())
    .name("string")
    .sessionDuration("string")
    .uiReadOnlyToggleReason("string")
    .userSeatExpirationInactiveTime("string")
    .warpAuthSessionDuration("string")
    .zoneId("string")
    .build());

zero_trust_organization_resource = cloudflare.ZeroTrustOrganization("zeroTrustOrganizationResource",
    account_id="string",
    allow_authenticate_via_warp=False,
    auth_domain="string",
    auto_redirect_to_identity=False,
    custom_pages={
        "forbidden": "string",
        "identity_denied": "string",
    },
    deny_unmatched_requests=False,
    deny_unmatched_requests_exempted_zone_names=["string"],
    is_ui_read_only=False,
    login_design={
        "background_color": "string",
        "footer_text": "string",
        "header_text": "string",
        "logo_path": "string",
        "text_color": "string",
    },
    mfa_config={
        "allowed_authenticators": ["string"],
        "amr_matching_session_duration": "string",
        "required_aaguids": "string",
        "session_duration": "string",
    },
    mfa_configuration_allowed=False,
    mfa_required_for_all_apps=False,
    mfa_ssh_piv_key_requirements={
        "pin_policy": "string",
        "require_fips_device": False,
        "ssh_key_sizes": [0],
        "ssh_key_types": ["string"],
        "touch_policy": "string",
    },
    name="string",
    session_duration="string",
    ui_read_only_toggle_reason="string",
    user_seat_expiration_inactive_time="string",
    warp_auth_session_duration="string",
    zone_id="string")

const zeroTrustOrganizationResource = new cloudflare.ZeroTrustOrganization("zeroTrustOrganizationResource", {
    accountId: "string",
    allowAuthenticateViaWarp: false,
    authDomain: "string",
    autoRedirectToIdentity: false,
    customPages: {
        forbidden: "string",
        identityDenied: "string",
    },
    denyUnmatchedRequests: false,
    denyUnmatchedRequestsExemptedZoneNames: ["string"],
    isUiReadOnly: false,
    loginDesign: {
        backgroundColor: "string",
        footerText: "string",
        headerText: "string",
        logoPath: "string",
        textColor: "string",
    },
    mfaConfig: {
        allowedAuthenticators: ["string"],
        amrMatchingSessionDuration: "string",
        requiredAaguids: "string",
        sessionDuration: "string",
    },
    mfaConfigurationAllowed: false,
    mfaRequiredForAllApps: false,
    mfaSshPivKeyRequirements: {
        pinPolicy: "string",
        requireFipsDevice: false,
        sshKeySizes: [0],
        sshKeyTypes: ["string"],
        touchPolicy: "string",
    },
    name: "string",
    sessionDuration: "string",
    uiReadOnlyToggleReason: "string",
    userSeatExpirationInactiveTime: "string",
    warpAuthSessionDuration: "string",
    zoneId: "string",
});

type: cloudflare:ZeroTrustOrganization
properties:
    accountId: string
    allowAuthenticateViaWarp: false
    authDomain: string
    autoRedirectToIdentity: false
    customPages:
        forbidden: string
        identityDenied: string
    denyUnmatchedRequests: false
    denyUnmatchedRequestsExemptedZoneNames:
        - string
    isUiReadOnly: false
    loginDesign:
        backgroundColor: string
        footerText: string
        headerText: string
        logoPath: string
        textColor: string
    mfaConfig:
        allowedAuthenticators:
            - string
        amrMatchingSessionDuration: string
        requiredAaguids: string
        sessionDuration: string
    mfaConfigurationAllowed: false
    mfaRequiredForAllApps: false
    mfaSshPivKeyRequirements:
        pinPolicy: string
        requireFipsDevice: false
        sshKeySizes:
            - 0
        sshKeyTypes:
            - string
        touchPolicy: string
    name: string
    sessionDuration: string
    uiReadOnlyToggleReason: string
    userSeatExpirationInactiveTime: string
    warpAuthSessionDuration: string
    zoneId: string

ZeroTrustOrganization Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ZeroTrustOrganization resource accepts the following input properties:

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
AuthDomain string: The unique subdomain assigned to your Zero Trust organization.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login.
CustomPages ZeroTrustOrganizationCustomPages
DenyUnmatchedRequests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
DenyUnmatchedRequestsExemptedZoneNames List<string>: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
IsUiReadOnly bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
LoginDesign ZeroTrustOrganizationLoginDesign
MfaConfig ZeroTrustOrganizationMfaConfig: Configures multi-factor authentication (MFA) settings for an organization.
MfaConfigurationAllowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
MfaRequiredForAllApps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
MfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirements: Configures SSH PIV key requirements for MFA using hardware security keys.
Name string: The name of your Zero Trust organization.
SessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
UiReadOnlyToggleReason string: A description of the reason why the UI read only field is being toggled.
UserSeatExpirationInactiveTime string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
WarpAuthSessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
AuthDomain string: The unique subdomain assigned to your Zero Trust organization.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login.
CustomPages ZeroTrustOrganizationCustomPagesArgs
DenyUnmatchedRequests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
DenyUnmatchedRequestsExemptedZoneNames []string: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
IsUiReadOnly bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
LoginDesign ZeroTrustOrganizationLoginDesignArgs
MfaConfig ZeroTrustOrganizationMfaConfigArgs: Configures multi-factor authentication (MFA) settings for an organization.
MfaConfigurationAllowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
MfaRequiredForAllApps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
MfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs: Configures SSH PIV key requirements for MFA using hardware security keys.
Name string: The name of your Zero Trust organization.
SessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
UiReadOnlyToggleReason string: A description of the reason why the UI read only field is being toggled.
UserSeatExpirationInactiveTime string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
WarpAuthSessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allow_authenticate_via_warp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
auth_domain string: The unique subdomain assigned to your Zero Trust organization.
auto_redirect_to_identity bool: When set to true, users skip the identity provider selection step during login.
custom_pages object
deny_unmatched_requests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
deny_unmatched_requests_exempted_zone_names list(string): Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
is_ui_read_only bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
login_design object
mfa_config object: Configures multi-factor authentication (MFA) settings for an organization.
mfa_configuration_allowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfa_required_for_all_apps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfa_ssh_piv_key_requirements object: Configures SSH PIV key requirements for MFA using hardware security keys.
name string: The name of your Zero Trust organization.
session_duration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
ui_read_only_toggle_reason string: A description of the reason why the UI read only field is being toggled.
user_seat_expiration_inactive_time string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warp_auth_session_duration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zone_id string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
authDomain String: The unique subdomain assigned to your Zero Trust organization.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login.
customPages ZeroTrustOrganizationCustomPages
denyUnmatchedRequests Boolean: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
denyUnmatchedRequestsExemptedZoneNames List<String>: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
isUiReadOnly Boolean: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
loginDesign ZeroTrustOrganizationLoginDesign
mfaConfig ZeroTrustOrganizationMfaConfig: Configures multi-factor authentication (MFA) settings for an organization.
mfaConfigurationAllowed Boolean: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfaRequiredForAllApps Boolean: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirements: Configures SSH PIV key requirements for MFA using hardware security keys.
name String: The name of your Zero Trust organization.
sessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
uiReadOnlyToggleReason String: A description of the reason why the UI read only field is being toggled.
userSeatExpirationInactiveTime String: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warpAuthSessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp boolean: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
authDomain string: The unique subdomain assigned to your Zero Trust organization.
autoRedirectToIdentity boolean: When set to true, users skip the identity provider selection step during login.
customPages ZeroTrustOrganizationCustomPages
denyUnmatchedRequests boolean: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
denyUnmatchedRequestsExemptedZoneNames string[]: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
isUiReadOnly boolean: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
loginDesign ZeroTrustOrganizationLoginDesign
mfaConfig ZeroTrustOrganizationMfaConfig: Configures multi-factor authentication (MFA) settings for an organization.
mfaConfigurationAllowed boolean: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfaRequiredForAllApps boolean: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirements: Configures SSH PIV key requirements for MFA using hardware security keys.
name string: The name of your Zero Trust organization.
sessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
uiReadOnlyToggleReason string: A description of the reason why the UI read only field is being toggled.
userSeatExpirationInactiveTime string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warpAuthSessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id str: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allow_authenticate_via_warp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
auth_domain str: The unique subdomain assigned to your Zero Trust organization.
auto_redirect_to_identity bool: When set to true, users skip the identity provider selection step during login.
custom_pages ZeroTrustOrganizationCustomPagesArgs
deny_unmatched_requests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
deny_unmatched_requests_exempted_zone_names Sequence[str]: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
is_ui_read_only bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
login_design ZeroTrustOrganizationLoginDesignArgs
mfa_config ZeroTrustOrganizationMfaConfigArgs: Configures multi-factor authentication (MFA) settings for an organization.
mfa_configuration_allowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfa_required_for_all_apps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfa_ssh_piv_key_requirements ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs: Configures SSH PIV key requirements for MFA using hardware security keys.
name str: The name of your Zero Trust organization.
session_duration str: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
ui_read_only_toggle_reason str: A description of the reason why the UI read only field is being toggled.
user_seat_expiration_inactive_time str: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warp_auth_session_duration str: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zone_id str: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
authDomain String: The unique subdomain assigned to your Zero Trust organization.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login.
customPages Property Map
denyUnmatchedRequests Boolean: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
denyUnmatchedRequestsExemptedZoneNames List<String>: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
isUiReadOnly Boolean: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
loginDesign Property Map
mfaConfig Property Map: Configures multi-factor authentication (MFA) settings for an organization.
mfaConfigurationAllowed Boolean: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfaRequiredForAllApps Boolean: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfaSshPivKeyRequirements Property Map: Configures SSH PIV key requirements for MFA using hardware security keys.
name String: The name of your Zero Trust organization.
sessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
uiReadOnlyToggleReason String: A description of the reason why the UI read only field is being toggled.
userSeatExpirationInactiveTime String: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warpAuthSessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Outputs

All input properties are implicitly available as output properties. Additionally, the ZeroTrustOrganization resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing ZeroTrustOrganization Resource

Get an existing ZeroTrustOrganization resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ZeroTrustOrganizationState, opts?: CustomResourceOptions): ZeroTrustOrganization

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        allow_authenticate_via_warp: Optional[bool] = None,
        auth_domain: Optional[str] = None,
        auto_redirect_to_identity: Optional[bool] = None,
        custom_pages: Optional[ZeroTrustOrganizationCustomPagesArgs] = None,
        deny_unmatched_requests: Optional[bool] = None,
        deny_unmatched_requests_exempted_zone_names: Optional[Sequence[str]] = None,
        is_ui_read_only: Optional[bool] = None,
        login_design: Optional[ZeroTrustOrganizationLoginDesignArgs] = None,
        mfa_config: Optional[ZeroTrustOrganizationMfaConfigArgs] = None,
        mfa_configuration_allowed: Optional[bool] = None,
        mfa_required_for_all_apps: Optional[bool] = None,
        mfa_ssh_piv_key_requirements: Optional[ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs] = None,
        name: Optional[str] = None,
        session_duration: Optional[str] = None,
        ui_read_only_toggle_reason: Optional[str] = None,
        user_seat_expiration_inactive_time: Optional[str] = None,
        warp_auth_session_duration: Optional[str] = None,
        zone_id: Optional[str] = None) -> ZeroTrustOrganization

func GetZeroTrustOrganization(ctx *Context, name string, id IDInput, state *ZeroTrustOrganizationState, opts ...ResourceOption) (*ZeroTrustOrganization, error)

public static ZeroTrustOrganization Get(string name, Input<string> id, ZeroTrustOrganizationState? state, CustomResourceOptions? opts = null)

public static ZeroTrustOrganization get(String name, Output<String> id, ZeroTrustOrganizationState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:ZeroTrustOrganization    get:      id: ${id}

import {
  to = cloudflare_zerotrustorganization.example
  id = "${id}"
}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
AuthDomain string: The unique subdomain assigned to your Zero Trust organization.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login.
CustomPages ZeroTrustOrganizationCustomPages
DenyUnmatchedRequests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
DenyUnmatchedRequestsExemptedZoneNames List<string>: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
IsUiReadOnly bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
LoginDesign ZeroTrustOrganizationLoginDesign
MfaConfig ZeroTrustOrganizationMfaConfig: Configures multi-factor authentication (MFA) settings for an organization.
MfaConfigurationAllowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
MfaRequiredForAllApps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
MfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirements: Configures SSH PIV key requirements for MFA using hardware security keys.
Name string: The name of your Zero Trust organization.
SessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
UiReadOnlyToggleReason string: A description of the reason why the UI read only field is being toggled.
UserSeatExpirationInactiveTime string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
WarpAuthSessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AccountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
AllowAuthenticateViaWarp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
AuthDomain string: The unique subdomain assigned to your Zero Trust organization.
AutoRedirectToIdentity bool: When set to true, users skip the identity provider selection step during login.
CustomPages ZeroTrustOrganizationCustomPagesArgs
DenyUnmatchedRequests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
DenyUnmatchedRequestsExemptedZoneNames []string: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
IsUiReadOnly bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
LoginDesign ZeroTrustOrganizationLoginDesignArgs
MfaConfig ZeroTrustOrganizationMfaConfigArgs: Configures multi-factor authentication (MFA) settings for an organization.
MfaConfigurationAllowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
MfaRequiredForAllApps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
MfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs: Configures SSH PIV key requirements for MFA using hardware security keys.
Name string: The name of your Zero Trust organization.
SessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
UiReadOnlyToggleReason string: A description of the reason why the UI read only field is being toggled.
UserSeatExpirationInactiveTime string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
WarpAuthSessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
ZoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allow_authenticate_via_warp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
auth_domain string: The unique subdomain assigned to your Zero Trust organization.
auto_redirect_to_identity bool: When set to true, users skip the identity provider selection step during login.
custom_pages object
deny_unmatched_requests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
deny_unmatched_requests_exempted_zone_names list(string): Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
is_ui_read_only bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
login_design object
mfa_config object: Configures multi-factor authentication (MFA) settings for an organization.
mfa_configuration_allowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfa_required_for_all_apps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfa_ssh_piv_key_requirements object: Configures SSH PIV key requirements for MFA using hardware security keys.
name string: The name of your Zero Trust organization.
session_duration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
ui_read_only_toggle_reason string: A description of the reason why the UI read only field is being toggled.
user_seat_expiration_inactive_time string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warp_auth_session_duration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zone_id string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
authDomain String: The unique subdomain assigned to your Zero Trust organization.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login.
customPages ZeroTrustOrganizationCustomPages
denyUnmatchedRequests Boolean: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
denyUnmatchedRequestsExemptedZoneNames List<String>: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
isUiReadOnly Boolean: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
loginDesign ZeroTrustOrganizationLoginDesign
mfaConfig ZeroTrustOrganizationMfaConfig: Configures multi-factor authentication (MFA) settings for an organization.
mfaConfigurationAllowed Boolean: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfaRequiredForAllApps Boolean: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirements: Configures SSH PIV key requirements for MFA using hardware security keys.
name String: The name of your Zero Trust organization.
sessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
uiReadOnlyToggleReason String: A description of the reason why the UI read only field is being toggled.
userSeatExpirationInactiveTime String: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warpAuthSessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId string: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp boolean: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
authDomain string: The unique subdomain assigned to your Zero Trust organization.
autoRedirectToIdentity boolean: When set to true, users skip the identity provider selection step during login.
customPages ZeroTrustOrganizationCustomPages
denyUnmatchedRequests boolean: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
denyUnmatchedRequestsExemptedZoneNames string[]: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
isUiReadOnly boolean: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
loginDesign ZeroTrustOrganizationLoginDesign
mfaConfig ZeroTrustOrganizationMfaConfig: Configures multi-factor authentication (MFA) settings for an organization.
mfaConfigurationAllowed boolean: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfaRequiredForAllApps boolean: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfaSshPivKeyRequirements ZeroTrustOrganizationMfaSshPivKeyRequirements: Configures SSH PIV key requirements for MFA using hardware security keys.
name string: The name of your Zero Trust organization.
sessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
uiReadOnlyToggleReason string: A description of the reason why the UI read only field is being toggled.
userSeatExpirationInactiveTime string: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warpAuthSessionDuration string: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zoneId string: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

account_id str: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allow_authenticate_via_warp bool: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
auth_domain str: The unique subdomain assigned to your Zero Trust organization.
auto_redirect_to_identity bool: When set to true, users skip the identity provider selection step during login.
custom_pages ZeroTrustOrganizationCustomPagesArgs
deny_unmatched_requests bool: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
deny_unmatched_requests_exempted_zone_names Sequence[str]: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
is_ui_read_only bool: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
login_design ZeroTrustOrganizationLoginDesignArgs
mfa_config ZeroTrustOrganizationMfaConfigArgs: Configures multi-factor authentication (MFA) settings for an organization.
mfa_configuration_allowed bool: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfa_required_for_all_apps bool: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfa_ssh_piv_key_requirements ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs: Configures SSH PIV key requirements for MFA using hardware security keys.
name str: The name of your Zero Trust organization.
session_duration str: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
ui_read_only_toggle_reason str: A description of the reason why the UI read only field is being toggled.
user_seat_expiration_inactive_time str: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warp_auth_session_duration str: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zone_id str: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

accountId String: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
allowAuthenticateViaWarp Boolean: When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
authDomain String: The unique subdomain assigned to your Zero Trust organization.
autoRedirectToIdentity Boolean: When set to true, users skip the identity provider selection step during login.
customPages Property Map
denyUnmatchedRequests Boolean: Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the denyUnmatchedRequestsExemptedZoneNames array.
denyUnmatchedRequestsExemptedZoneNames List<String>: Contains zone names to exempt from the denyUnmatchedRequests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
isUiReadOnly Boolean: Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
loginDesign Property Map
mfaConfig Property Map: Configures multi-factor authentication (MFA) settings for an organization.
mfaConfigurationAllowed Boolean: Indicates if this organization can enforce multi-factor authentication (MFA) requirements at the application and policy level.
mfaRequiredForAllApps Boolean: Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
mfaSshPivKeyRequirements Property Map: Configures SSH PIV key requirements for MFA using hardware security keys.
name String: The name of your Zero Trust organization.
sessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
uiReadOnlyToggleReason String: A description of the reason why the UI read only field is being toggled.
userSeatExpirationInactiveTime String: The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
warpAuthSessionDuration String: The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.
zoneId String: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

Supporting Types

ZeroTrustOrganizationCustomPages, ZeroTrustOrganizationCustomPagesArgs

Forbidden string: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
IdentityDenied string: The uid of the custom page to use when a user is denied access.

Forbidden string: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
IdentityDenied string: The uid of the custom page to use when a user is denied access.

forbidden string: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
identity_denied string: The uid of the custom page to use when a user is denied access.

forbidden String: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
identityDenied String: The uid of the custom page to use when a user is denied access.

forbidden string: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
identityDenied string: The uid of the custom page to use when a user is denied access.

forbidden str: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
identity_denied str: The uid of the custom page to use when a user is denied access.

forbidden String: The uid of the custom page to use when a user is denied access after failing a non-identity rule.
identityDenied String: The uid of the custom page to use when a user is denied access.

ZeroTrustOrganizationLoginDesign, ZeroTrustOrganizationLoginDesignArgs

BackgroundColor string: The background color on your login page.
FooterText string: The text at the bottom of your login page.
HeaderText string: The text at the top of your login page.
LogoPath string: The URL of the logo on your login page.
TextColor string: The text color on your login page.

BackgroundColor string: The background color on your login page.
FooterText string: The text at the bottom of your login page.
HeaderText string: The text at the top of your login page.
LogoPath string: The URL of the logo on your login page.
TextColor string: The text color on your login page.

background_color string: The background color on your login page.
footer_text string: The text at the bottom of your login page.
header_text string: The text at the top of your login page.
logo_path string: The URL of the logo on your login page.
text_color string: The text color on your login page.

backgroundColor String: The background color on your login page.
footerText String: The text at the bottom of your login page.
headerText String: The text at the top of your login page.
logoPath String: The URL of the logo on your login page.
textColor String: The text color on your login page.

backgroundColor string: The background color on your login page.
footerText string: The text at the bottom of your login page.
headerText string: The text at the top of your login page.
logoPath string: The URL of the logo on your login page.
textColor string: The text color on your login page.

background_color str: The background color on your login page.
footer_text str: The text at the bottom of your login page.
header_text str: The text at the top of your login page.
logo_path str: The URL of the logo on your login page.
text_color str: The text color on your login page.

backgroundColor String: The background color on your login page.
footerText String: The text at the bottom of your login page.
headerText String: The text at the top of your login page.
logoPath String: The URL of the logo on your login page.
textColor String: The text color on your login page.

ZeroTrustOrganizationMfaConfig, ZeroTrustOrganizationMfaConfigArgs

AllowedAuthenticators List<string>: Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
AmrMatchingSessionDuration string: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
RequiredAaguids string: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
SessionDuration string: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

AllowedAuthenticators []string: Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
AmrMatchingSessionDuration string: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
RequiredAaguids string: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
SessionDuration string: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

allowed_authenticators list(string): Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
amr_matching_session_duration string: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
required_aaguids string: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
session_duration string: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

allowedAuthenticators List<String>: Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
amrMatchingSessionDuration String: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
requiredAaguids String: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
sessionDuration String: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

allowedAuthenticators string[]: Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
amrMatchingSessionDuration string: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
requiredAaguids string: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
sessionDuration string: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

allowed_authenticators Sequence[str]: Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
amr_matching_session_duration str: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
required_aaguids str: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
session_duration str: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

allowedAuthenticators List<String>: Lists the MFA methods that users can authenticate with. sshPivKey is only relevant for infrastructure applications.
amrMatchingSessionDuration String: Allows a user to skip MFA via Authentication Method Reference (AMR) matching when the AMR claim provided by the IdP the user used to authenticate contains "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days).
requiredAaguids String: Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
sessionDuration String: Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

ZeroTrustOrganizationMfaSshPivKeyRequirements, ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs

PinPolicy string: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
RequireFipsDevice bool: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
SshKeySizes List<int>: Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
SshKeyTypes List<string>: Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
TouchPolicy string: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

PinPolicy string: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
RequireFipsDevice bool: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
SshKeySizes []int: Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
SshKeyTypes []string: Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
TouchPolicy string: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

pin_policy string: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
require_fips_device bool: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
ssh_key_sizes list(number): Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
ssh_key_types list(string): Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
touch_policy string: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

pinPolicy String: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
requireFipsDevice Boolean: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
sshKeySizes List<Integer>: Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
sshKeyTypes List<String>: Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
touchPolicy String: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

pinPolicy string: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
requireFipsDevice boolean: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
sshKeySizes number[]: Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
sshKeyTypes string[]: Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
touchPolicy string: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

pin_policy str: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
require_fips_device bool: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
ssh_key_sizes Sequence[int]: Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
ssh_key_types Sequence[str]: Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
touch_policy str: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

pinPolicy String: Defines when a PIN is required to use the SSH key. Valid values: never (no PIN required), once (PIN required once per session), always (PIN required for each use). Available values: "never", "once", "always".
requireFipsDevice Boolean: Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher validated device.
sshKeySizes List<Number>: Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type. Ed25519 has a fixed key size and does not accept this parameter.
sshKeyTypes List<String>: Specifies the allowed SSH key types. Valid values are ecdsa, ed25519, and rsa.
touchPolicy String: Defines when physical touch is required to use the SSH key. Valid values: never (no touch required), always (touch required for each use), cached (touch cached for 15 seconds). Available values: "never", "always", "cached".

Import

This resource does not currently support pulumi import.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Viewing docs for Cloudflare v6.15.0
published on Saturday, May 2, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-cloudflare

cloudflare.ZeroTrustOrganization

On this page

On this page

Example Usage

Create ZeroTrustOrganization Resource

Constructor syntax

Parameters

Constructor example

ZeroTrustOrganization Resource Properties

Inputs

Outputs

Look up Existing ZeroTrustOrganization Resource

Supporting Types

ZeroTrustOrganizationCustomPages, ZeroTrustOrganizationCustomPagesArgs

ZeroTrustOrganizationLoginDesign, ZeroTrustOrganizationLoginDesignArgs

ZeroTrustOrganizationMfaConfig, ZeroTrustOrganizationMfaConfigArgs

ZeroTrustOrganizationMfaSshPivKeyRequirements, ZeroTrustOrganizationMfaSshPivKeyRequirementsArgs

Import

Package Details

On this page

On this page