cloudflare.AccessApplication (v4)

Cloudflare v4.16.0 (4.x), Mar 9 26

Viewing docs for Cloudflare v4.16.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-cloudflare

Viewing docs for Cloudflare v4.16.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-cloudflare

It’s required that an account_id or zone_id is provided and in most cases using either is fine. However, if you’re using a scoped access token, you must provide the argument that matches the token’s scope. For example, an access token that is scoped to the “example.com” zone needs to use the zone_id argument.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;

return await Deployment.RunAsync(() => 
{
    // With CORS configuration
    var stagingApp = new Cloudflare.AccessApplication("stagingApp", new()
    {
        CorsHeaders = new[]
        {
            new Cloudflare.Inputs.AccessApplicationCorsHeaderArgs
            {
                AllowCredentials = true,
                AllowedMethods = new[]
                {
                    "GET",
                    "POST",
                    "OPTIONS",
                },
                AllowedOrigins = new[]
                {
                    "https://example.com",
                },
                MaxAge = 10,
            },
        },
        Domain = "staging.example.com",
        Name = "staging application",
        SessionDuration = "24h",
        Type = "self_hosted",
        ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
    });

});

package main

import (
	"github.com/pulumi/pulumi-cloudflare/sdk/v4/go/cloudflare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cloudflare.NewAccessApplication(ctx, "stagingApp", &cloudflare.AccessApplicationArgs{
			CorsHeaders: cloudflare.AccessApplicationCorsHeaderArray{
				&cloudflare.AccessApplicationCorsHeaderArgs{
					AllowCredentials: pulumi.Bool(true),
					AllowedMethods: pulumi.StringArray{
						pulumi.String("GET"),
						pulumi.String("POST"),
						pulumi.String("OPTIONS"),
					},
					AllowedOrigins: pulumi.StringArray{
						pulumi.String("https://example.com"),
					},
					MaxAge: pulumi.Int(10),
				},
			},
			Domain:          pulumi.String("staging.example.com"),
			Name:            pulumi.String("staging application"),
			SessionDuration: pulumi.String("24h"),
			Type:            pulumi.String("self_hosted"),
			ZoneId:          pulumi.String("0da42c8d2132a9ddaf714f9e7c920711"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudflare.AccessApplication;
import com.pulumi.cloudflare.AccessApplicationArgs;
import com.pulumi.cloudflare.inputs.AccessApplicationCorsHeaderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var stagingApp = new AccessApplication("stagingApp", AccessApplicationArgs.builder()        
            .corsHeaders(AccessApplicationCorsHeaderArgs.builder()
                .allowCredentials(true)
                .allowedMethods(                
                    "GET",
                    "POST",
                    "OPTIONS")
                .allowedOrigins("https://example.com")
                .maxAge(10)
                .build())
            .domain("staging.example.com")
            .name("staging application")
            .sessionDuration("24h")
            .type("self_hosted")
            .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
            .build());

    }
}

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

// With CORS configuration
const stagingApp = new cloudflare.AccessApplication("stagingApp", {
    corsHeaders: [{
        allowCredentials: true,
        allowedMethods: [
            "GET",
            "POST",
            "OPTIONS",
        ],
        allowedOrigins: ["https://example.com"],
        maxAge: 10,
    }],
    domain: "staging.example.com",
    name: "staging application",
    sessionDuration: "24h",
    type: "self_hosted",
    zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
});

import pulumi
import pulumi_cloudflare as cloudflare

# With CORS configuration
staging_app = cloudflare.AccessApplication("stagingApp",
    cors_headers=[cloudflare.AccessApplicationCorsHeaderArgs(
        allow_credentials=True,
        allowed_methods=[
            "GET",
            "POST",
            "OPTIONS",
        ],
        allowed_origins=["https://example.com"],
        max_age=10,
    )],
    domain="staging.example.com",
    name="staging application",
    session_duration="24h",
    type="self_hosted",
    zone_id="0da42c8d2132a9ddaf714f9e7c920711")

resources:
  # With CORS configuration
  stagingApp:
    type: cloudflare:AccessApplication
    properties:
      corsHeaders:
        - allowCredentials: true
          allowedMethods:
            - GET
            - POST
            - OPTIONS
          allowedOrigins:
            - https://example.com
          maxAge: 10
      domain: staging.example.com
      name: staging application
      sessionDuration: 24h
      type: self_hosted
      zoneId: 0da42c8d2132a9ddaf714f9e7c920711

Create AccessApplication Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AccessApplication(name: string, args: AccessApplicationArgs, opts?: CustomResourceOptions);

@overload
def AccessApplication(resource_name: str,
                      args: AccessApplicationArgs,
                      opts: Optional[ResourceOptions] = None)

@overload
def AccessApplication(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      name: Optional[str] = None,
                      enable_binding_cookie: Optional[bool] = None,
                      allowed_idps: Optional[Sequence[str]] = None,
                      auto_redirect_to_identity: Optional[bool] = None,
                      cors_headers: Optional[Sequence[AccessApplicationCorsHeaderArgs]] = None,
                      custom_deny_message: Optional[str] = None,
                      custom_deny_url: Optional[str] = None,
                      domain: Optional[str] = None,
                      account_id: Optional[str] = None,
                      app_launcher_visible: Optional[bool] = None,
                      http_only_cookie_attribute: Optional[bool] = None,
                      logo_url: Optional[str] = None,
                      saas_app: Optional[AccessApplicationSaasAppArgs] = None,
                      same_site_cookie_attribute: Optional[str] = None,
                      service_auth401_redirect: Optional[bool] = None,
                      session_duration: Optional[str] = None,
                      skip_interstitial: Optional[bool] = None,
                      type: Optional[str] = None,
                      zone_id: Optional[str] = None)

func NewAccessApplication(ctx *Context, name string, args AccessApplicationArgs, opts ...ResourceOption) (*AccessApplication, error)

public AccessApplication(string name, AccessApplicationArgs args, CustomResourceOptions? opts = null)

public AccessApplication(String name, AccessApplicationArgs args)
public AccessApplication(String name, AccessApplicationArgs args, CustomResourceOptions options)

type: cloudflare:AccessApplication
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AccessApplicationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var accessApplicationResource = new Cloudflare.AccessApplication("accessApplicationResource", new()
{
    Name = "string",
    EnableBindingCookie = false,
    AllowedIdps = new[]
    {
        "string",
    },
    AutoRedirectToIdentity = false,
    CorsHeaders = new[]
    {
        new Cloudflare.Inputs.AccessApplicationCorsHeaderArgs
        {
            AllowAllHeaders = false,
            AllowAllMethods = false,
            AllowAllOrigins = false,
            AllowCredentials = false,
            AllowedHeaders = new[]
            {
                "string",
            },
            AllowedMethods = new[]
            {
                "string",
            },
            AllowedOrigins = new[]
            {
                "string",
            },
            MaxAge = 0,
        },
    },
    CustomDenyMessage = "string",
    CustomDenyUrl = "string",
    Domain = "string",
    AccountId = "string",
    AppLauncherVisible = false,
    HttpOnlyCookieAttribute = false,
    LogoUrl = "string",
    SaasApp = new Cloudflare.Inputs.AccessApplicationSaasAppArgs
    {
        ConsumerServiceUrl = "string",
        SpEntityId = "string",
        NameIdFormat = "string",
    },
    SameSiteCookieAttribute = "string",
    ServiceAuth401Redirect = false,
    SessionDuration = "string",
    SkipInterstitial = false,
    Type = "string",
    ZoneId = "string",
});

example, err := cloudflare.NewAccessApplication(ctx, "accessApplicationResource", &cloudflare.AccessApplicationArgs{
	Name:                pulumi.String("string"),
	EnableBindingCookie: pulumi.Bool(false),
	AllowedIdps: pulumi.StringArray{
		pulumi.String("string"),
	},
	AutoRedirectToIdentity: pulumi.Bool(false),
	CorsHeaders: cloudflare.AccessApplicationCorsHeaderArray{
		&cloudflare.AccessApplicationCorsHeaderArgs{
			AllowAllHeaders:  pulumi.Bool(false),
			AllowAllMethods:  pulumi.Bool(false),
			AllowAllOrigins:  pulumi.Bool(false),
			AllowCredentials: pulumi.Bool(false),
			AllowedHeaders: pulumi.StringArray{
				pulumi.String("string"),
			},
			AllowedMethods: pulumi.StringArray{
				pulumi.String("string"),
			},
			AllowedOrigins: pulumi.StringArray{
				pulumi.String("string"),
			},
			MaxAge: pulumi.Int(0),
		},
	},
	CustomDenyMessage:       pulumi.String("string"),
	CustomDenyUrl:           pulumi.String("string"),
	Domain:                  pulumi.String("string"),
	AccountId:               pulumi.String("string"),
	AppLauncherVisible:      pulumi.Bool(false),
	HttpOnlyCookieAttribute: pulumi.Bool(false),
	LogoUrl:                 pulumi.String("string"),
	SaasApp: &cloudflare.AccessApplicationSaasAppArgs{
		ConsumerServiceUrl: pulumi.String("string"),
		SpEntityId:         pulumi.String("string"),
		NameIdFormat:       pulumi.String("string"),
	},
	SameSiteCookieAttribute: pulumi.String("string"),
	ServiceAuth401Redirect:  pulumi.Bool(false),
	SessionDuration:         pulumi.String("string"),
	SkipInterstitial:        pulumi.Bool(false),
	Type:                    pulumi.String("string"),
	ZoneId:                  pulumi.String("string"),
})

var accessApplicationResource = new AccessApplication("accessApplicationResource", AccessApplicationArgs.builder()
    .name("string")
    .enableBindingCookie(false)
    .allowedIdps("string")
    .autoRedirectToIdentity(false)
    .corsHeaders(AccessApplicationCorsHeaderArgs.builder()
        .allowAllHeaders(false)
        .allowAllMethods(false)
        .allowAllOrigins(false)
        .allowCredentials(false)
        .allowedHeaders("string")
        .allowedMethods("string")
        .allowedOrigins("string")
        .maxAge(0)
        .build())
    .customDenyMessage("string")
    .customDenyUrl("string")
    .domain("string")
    .accountId("string")
    .appLauncherVisible(false)
    .httpOnlyCookieAttribute(false)
    .logoUrl("string")
    .saasApp(AccessApplicationSaasAppArgs.builder()
        .consumerServiceUrl("string")
        .spEntityId("string")
        .nameIdFormat("string")
        .build())
    .sameSiteCookieAttribute("string")
    .serviceAuth401Redirect(false)
    .sessionDuration("string")
    .skipInterstitial(false)
    .type("string")
    .zoneId("string")
    .build());

access_application_resource = cloudflare.AccessApplication("accessApplicationResource",
    name="string",
    enable_binding_cookie=False,
    allowed_idps=["string"],
    auto_redirect_to_identity=False,
    cors_headers=[{
        "allow_all_headers": False,
        "allow_all_methods": False,
        "allow_all_origins": False,
        "allow_credentials": False,
        "allowed_headers": ["string"],
        "allowed_methods": ["string"],
        "allowed_origins": ["string"],
        "max_age": 0,
    }],
    custom_deny_message="string",
    custom_deny_url="string",
    domain="string",
    account_id="string",
    app_launcher_visible=False,
    http_only_cookie_attribute=False,
    logo_url="string",
    saas_app={
        "consumer_service_url": "string",
        "sp_entity_id": "string",
        "name_id_format": "string",
    },
    same_site_cookie_attribute="string",
    service_auth401_redirect=False,
    session_duration="string",
    skip_interstitial=False,
    type="string",
    zone_id="string")

const accessApplicationResource = new cloudflare.AccessApplication("accessApplicationResource", {
    name: "string",
    enableBindingCookie: false,
    allowedIdps: ["string"],
    autoRedirectToIdentity: false,
    corsHeaders: [{
        allowAllHeaders: false,
        allowAllMethods: false,
        allowAllOrigins: false,
        allowCredentials: false,
        allowedHeaders: ["string"],
        allowedMethods: ["string"],
        allowedOrigins: ["string"],
        maxAge: 0,
    }],
    customDenyMessage: "string",
    customDenyUrl: "string",
    domain: "string",
    accountId: "string",
    appLauncherVisible: false,
    httpOnlyCookieAttribute: false,
    logoUrl: "string",
    saasApp: {
        consumerServiceUrl: "string",
        spEntityId: "string",
        nameIdFormat: "string",
    },
    sameSiteCookieAttribute: "string",
    serviceAuth401Redirect: false,
    sessionDuration: "string",
    skipInterstitial: false,
    type: "string",
    zoneId: "string",
});

type: cloudflare:AccessApplication
properties:
    accountId: string
    allowedIdps:
        - string
    appLauncherVisible: false
    autoRedirectToIdentity: false
    corsHeaders:
        - allowAllHeaders: false
          allowAllMethods: false
          allowAllOrigins: false
          allowCredentials: false
          allowedHeaders:
            - string
          allowedMethods:
            - string
          allowedOrigins:
            - string
          maxAge: 0
    customDenyMessage: string
    customDenyUrl: string
    domain: string
    enableBindingCookie: false
    httpOnlyCookieAttribute: false
    logoUrl: string
    name: string
    saasApp:
        consumerServiceUrl: string
        nameIdFormat: string
        spEntityId: string
    sameSiteCookieAttribute: string
    serviceAuth401Redirect: false
    sessionDuration: string
    skipInterstitial: false
    type: string
    zoneId: string

AccessApplication Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AccessApplication resource accepts the following input properties:

Name string: Friendly name of the Access Application.
AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
AllowedIdps List<string>: The identity providers selected for the application.
AppLauncherVisible bool: Option to show/hide applications in App Launcher. Defaults to true.
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
CorsHeaders List<AccessApplicationCorsHeader>: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
HttpOnlyCookieAttribute bool: Option to add the HttpOnly cookie flag to access tokens.
LogoUrl string: Image URL for the logo shown in the app launcher dashboard.
SaasApp AccessApplicationSaasApp: SaaS configuration for the Access Application.
SameSiteCookieAttribute string: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
ServiceAuth401Redirect bool: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
SkipInterstitial bool: Option to skip the authorization interstitial when using the CLI. Defaults to false.
Type string: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

Name string: Friendly name of the Access Application.
AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
AllowedIdps []string: The identity providers selected for the application.
AppLauncherVisible bool: Option to show/hide applications in App Launcher. Defaults to true.
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
CorsHeaders []AccessApplicationCorsHeaderArgs: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
HttpOnlyCookieAttribute bool: Option to add the HttpOnly cookie flag to access tokens.
LogoUrl string: Image URL for the logo shown in the app launcher dashboard.
SaasApp AccessApplicationSaasAppArgs: SaaS configuration for the Access Application.
SameSiteCookieAttribute string: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
ServiceAuth401Redirect bool: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
SkipInterstitial bool: Option to skip the authorization interstitial when using the CLI. Defaults to false.
Type string: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

name String: Friendly name of the Access Application.
accountId String: The account identifier to target for the resource. Conflicts with zone_id.
allowedIdps List<String>: The identity providers selected for the application.
appLauncherVisible Boolean: Option to show/hide applications in App Launcher. Defaults to true.
autoRedirectToIdentity Boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
corsHeaders List<AccessApplicationCorsHeader>: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage String: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl String: Option that redirects to a custom URL when a user is denied access to the application.
domain String: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie Boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
httpOnlyCookieAttribute Boolean: Option to add the HttpOnly cookie flag to access tokens.
logoUrl String: Image URL for the logo shown in the app launcher dashboard.
saasApp AccessApplicationSaasApp: SaaS configuration for the Access Application.
sameSiteCookieAttribute String: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
serviceAuth401Redirect Boolean: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skipInterstitial Boolean: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type String: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

name string: Friendly name of the Access Application.
accountId string: The account identifier to target for the resource. Conflicts with zone_id.
allowedIdps string[]: The identity providers selected for the application.
appLauncherVisible boolean: Option to show/hide applications in App Launcher. Defaults to true.
autoRedirectToIdentity boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
corsHeaders AccessApplicationCorsHeader[]: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
httpOnlyCookieAttribute boolean: Option to add the HttpOnly cookie flag to access tokens.
logoUrl string: Image URL for the logo shown in the app launcher dashboard.
saasApp AccessApplicationSaasApp: SaaS configuration for the Access Application.
sameSiteCookieAttribute string: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
serviceAuth401Redirect boolean: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
sessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skipInterstitial boolean: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type string: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zoneId string: The zone identifier to target for the resource. Conflicts with account_id.

name str: Friendly name of the Access Application.
account_id str: The account identifier to target for the resource. Conflicts with zone_id.
allowed_idps Sequence[str]: The identity providers selected for the application.
app_launcher_visible bool: Option to show/hide applications in App Launcher. Defaults to true.
auto_redirect_to_identity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
cors_headers Sequence[AccessApplicationCorsHeaderArgs]: CORS configuration for the Access Application. See below for reference structure.
custom_deny_message str: Option that returns a custom error message when a user is denied access to the application.
custom_deny_url str: Option that redirects to a custom URL when a user is denied access to the application.
domain str: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enable_binding_cookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
http_only_cookie_attribute bool: Option to add the HttpOnly cookie flag to access tokens.
logo_url str: Image URL for the logo shown in the app launcher dashboard.
saas_app AccessApplicationSaasAppArgs: SaaS configuration for the Access Application.
same_site_cookie_attribute str: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
service_auth401_redirect bool: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
session_duration str: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skip_interstitial bool: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type str: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zone_id str: The zone identifier to target for the resource. Conflicts with account_id.

name String: Friendly name of the Access Application.
accountId String: The account identifier to target for the resource. Conflicts with zone_id.
allowedIdps List<String>: The identity providers selected for the application.
appLauncherVisible Boolean: Option to show/hide applications in App Launcher. Defaults to true.
autoRedirectToIdentity Boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
corsHeaders List<Property Map>: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage String: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl String: Option that redirects to a custom URL when a user is denied access to the application.
domain String: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie Boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
httpOnlyCookieAttribute Boolean: Option to add the HttpOnly cookie flag to access tokens.
logoUrl String: Image URL for the logo shown in the app launcher dashboard.
saasApp Property Map: SaaS configuration for the Access Application.
sameSiteCookieAttribute String: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
serviceAuth401Redirect Boolean: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skipInterstitial Boolean: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type String: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessApplication resource produces the following output properties:

Aud string: Application Audience (AUD) Tag of the application.
Id string: The provider-assigned unique ID for this managed resource.

Aud string: Application Audience (AUD) Tag of the application.
Id string: The provider-assigned unique ID for this managed resource.

aud String: Application Audience (AUD) Tag of the application.
id String: The provider-assigned unique ID for this managed resource.

aud string: Application Audience (AUD) Tag of the application.
id string: The provider-assigned unique ID for this managed resource.

aud str: Application Audience (AUD) Tag of the application.
id str: The provider-assigned unique ID for this managed resource.

aud String: Application Audience (AUD) Tag of the application.
id String: The provider-assigned unique ID for this managed resource.

Look up Existing AccessApplication Resource

Get an existing AccessApplication resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessApplicationState, opts?: CustomResourceOptions): AccessApplication

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        allowed_idps: Optional[Sequence[str]] = None,
        app_launcher_visible: Optional[bool] = None,
        aud: Optional[str] = None,
        auto_redirect_to_identity: Optional[bool] = None,
        cors_headers: Optional[Sequence[AccessApplicationCorsHeaderArgs]] = None,
        custom_deny_message: Optional[str] = None,
        custom_deny_url: Optional[str] = None,
        domain: Optional[str] = None,
        enable_binding_cookie: Optional[bool] = None,
        http_only_cookie_attribute: Optional[bool] = None,
        logo_url: Optional[str] = None,
        name: Optional[str] = None,
        saas_app: Optional[AccessApplicationSaasAppArgs] = None,
        same_site_cookie_attribute: Optional[str] = None,
        service_auth401_redirect: Optional[bool] = None,
        session_duration: Optional[str] = None,
        skip_interstitial: Optional[bool] = None,
        type: Optional[str] = None,
        zone_id: Optional[str] = None) -> AccessApplication

func GetAccessApplication(ctx *Context, name string, id IDInput, state *AccessApplicationState, opts ...ResourceOption) (*AccessApplication, error)

public static AccessApplication Get(string name, Input<string> id, AccessApplicationState? state, CustomResourceOptions? opts = null)

public static AccessApplication get(String name, Output<String> id, AccessApplicationState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:AccessApplication    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
AllowedIdps List<string>: The identity providers selected for the application.
AppLauncherVisible bool: Option to show/hide applications in App Launcher. Defaults to true.
Aud string: Application Audience (AUD) Tag of the application.
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
CorsHeaders List<AccessApplicationCorsHeader>: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
HttpOnlyCookieAttribute bool: Option to add the HttpOnly cookie flag to access tokens.
LogoUrl string: Image URL for the logo shown in the app launcher dashboard.
Name string: Friendly name of the Access Application.
SaasApp AccessApplicationSaasApp: SaaS configuration for the Access Application.
SameSiteCookieAttribute string: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
ServiceAuth401Redirect bool: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
SkipInterstitial bool: Option to skip the authorization interstitial when using the CLI. Defaults to false.
Type string: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
AllowedIdps []string: The identity providers selected for the application.
AppLauncherVisible bool: Option to show/hide applications in App Launcher. Defaults to true.
Aud string: Application Audience (AUD) Tag of the application.
AutoRedirectToIdentity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
CorsHeaders []AccessApplicationCorsHeaderArgs: CORS configuration for the Access Application. See below for reference structure.
CustomDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
CustomDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
Domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
EnableBindingCookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
HttpOnlyCookieAttribute bool: Option to add the HttpOnly cookie flag to access tokens.
LogoUrl string: Image URL for the logo shown in the app launcher dashboard.
Name string: Friendly name of the Access Application.
SaasApp AccessApplicationSaasAppArgs: SaaS configuration for the Access Application.
SameSiteCookieAttribute string: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
ServiceAuth401Redirect bool: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
SkipInterstitial bool: Option to skip the authorization interstitial when using the CLI. Defaults to false.
Type string: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

accountId String: The account identifier to target for the resource. Conflicts with zone_id.
allowedIdps List<String>: The identity providers selected for the application.
appLauncherVisible Boolean: Option to show/hide applications in App Launcher. Defaults to true.
aud String: Application Audience (AUD) Tag of the application.
autoRedirectToIdentity Boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
corsHeaders List<AccessApplicationCorsHeader>: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage String: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl String: Option that redirects to a custom URL when a user is denied access to the application.
domain String: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie Boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
httpOnlyCookieAttribute Boolean: Option to add the HttpOnly cookie flag to access tokens.
logoUrl String: Image URL for the logo shown in the app launcher dashboard.
name String: Friendly name of the Access Application.
saasApp AccessApplicationSaasApp: SaaS configuration for the Access Application.
sameSiteCookieAttribute String: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
serviceAuth401Redirect Boolean: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skipInterstitial Boolean: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type String: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

accountId string: The account identifier to target for the resource. Conflicts with zone_id.
allowedIdps string[]: The identity providers selected for the application.
appLauncherVisible boolean: Option to show/hide applications in App Launcher. Defaults to true.
aud string: Application Audience (AUD) Tag of the application.
autoRedirectToIdentity boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
corsHeaders AccessApplicationCorsHeader[]: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage string: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl string: Option that redirects to a custom URL when a user is denied access to the application.
domain string: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
httpOnlyCookieAttribute boolean: Option to add the HttpOnly cookie flag to access tokens.
logoUrl string: Image URL for the logo shown in the app launcher dashboard.
name string: Friendly name of the Access Application.
saasApp AccessApplicationSaasApp: SaaS configuration for the Access Application.
sameSiteCookieAttribute string: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
serviceAuth401Redirect boolean: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
sessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skipInterstitial boolean: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type string: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zoneId string: The zone identifier to target for the resource. Conflicts with account_id.

account_id str: The account identifier to target for the resource. Conflicts with zone_id.
allowed_idps Sequence[str]: The identity providers selected for the application.
app_launcher_visible bool: Option to show/hide applications in App Launcher. Defaults to true.
aud str: Application Audience (AUD) Tag of the application.
auto_redirect_to_identity bool: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
cors_headers Sequence[AccessApplicationCorsHeaderArgs]: CORS configuration for the Access Application. See below for reference structure.
custom_deny_message str: Option that returns a custom error message when a user is denied access to the application.
custom_deny_url str: Option that redirects to a custom URL when a user is denied access to the application.
domain str: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enable_binding_cookie bool: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
http_only_cookie_attribute bool: Option to add the HttpOnly cookie flag to access tokens.
logo_url str: Image URL for the logo shown in the app launcher dashboard.
name str: Friendly name of the Access Application.
saas_app AccessApplicationSaasAppArgs: SaaS configuration for the Access Application.
same_site_cookie_attribute str: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
service_auth401_redirect bool: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
session_duration str: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skip_interstitial bool: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type str: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zone_id str: The zone identifier to target for the resource. Conflicts with account_id.

accountId String: The account identifier to target for the resource. Conflicts with zone_id.
allowedIdps List<String>: The identity providers selected for the application.
appLauncherVisible Boolean: Option to show/hide applications in App Launcher. Defaults to true.
aud String: Application Audience (AUD) Tag of the application.
autoRedirectToIdentity Boolean: Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false.
corsHeaders List<Property Map>: CORS configuration for the Access Application. See below for reference structure.
customDenyMessage String: Option that returns a custom error message when a user is denied access to the application.
customDenyUrl String: Option that redirects to a custom URL when a user is denied access to the application.
domain String: The complete URL of the asset you wish to put Cloudflare Access in front of. Can include subdomains or paths. Or both.
enableBindingCookie Boolean: Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false.
httpOnlyCookieAttribute Boolean: Option to add the HttpOnly cookie flag to access tokens.
logoUrl String: Image URL for the logo shown in the app launcher dashboard.
name String: Friendly name of the Access Application.
saasApp Property Map: SaaS configuration for the Access Application.
sameSiteCookieAttribute String: Defines the same-site cookie setting for access tokens. Available values: none, lax, strict.
serviceAuth401Redirect Boolean: Option to return a 401 status code in service authentication rules on failed requests. Defaults to false.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m. Defaults to 24h.
skipInterstitial Boolean: Option to skip the authorization interstitial when using the CLI. Defaults to false.
type String: The application type. Available values: app_launcher, bookmark, biso, dash_sso, saas, self_hosted, ssh, vnc, warp. Defaults to self_hosted.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

Supporting Types

AccessApplicationCorsHeader, AccessApplicationCorsHeaderArgs

AllowAllHeaders bool: Value to determine whether all HTTP headers are exposed.
AllowAllMethods bool: Value to determine whether all methods are exposed.
AllowAllOrigins bool: Value to determine whether all origins are permitted to make CORS requests.
AllowCredentials bool: Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
AllowedHeaders List<string>: List of HTTP headers to expose via CORS.
AllowedMethods List<string>: List of methods to expose via CORS.
AllowedOrigins List<string>: List of origins permitted to make CORS requests.
MaxAge int: The maximum time a preflight request will be cached.

AllowAllHeaders bool: Value to determine whether all HTTP headers are exposed.
AllowAllMethods bool: Value to determine whether all methods are exposed.
AllowAllOrigins bool: Value to determine whether all origins are permitted to make CORS requests.
AllowCredentials bool: Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
AllowedHeaders []string: List of HTTP headers to expose via CORS.
AllowedMethods []string: List of methods to expose via CORS.
AllowedOrigins []string: List of origins permitted to make CORS requests.
MaxAge int: The maximum time a preflight request will be cached.

allowAllHeaders Boolean: Value to determine whether all HTTP headers are exposed.
allowAllMethods Boolean: Value to determine whether all methods are exposed.
allowAllOrigins Boolean: Value to determine whether all origins are permitted to make CORS requests.
allowCredentials Boolean: Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
allowedHeaders List<String>: List of HTTP headers to expose via CORS.
allowedMethods List<String>: List of methods to expose via CORS.
allowedOrigins List<String>: List of origins permitted to make CORS requests.
maxAge Integer: The maximum time a preflight request will be cached.

allowAllHeaders boolean: Value to determine whether all HTTP headers are exposed.
allowAllMethods boolean: Value to determine whether all methods are exposed.
allowAllOrigins boolean: Value to determine whether all origins are permitted to make CORS requests.
allowCredentials boolean: Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
allowedHeaders string[]: List of HTTP headers to expose via CORS.
allowedMethods string[]: List of methods to expose via CORS.
allowedOrigins string[]: List of origins permitted to make CORS requests.
maxAge number: The maximum time a preflight request will be cached.

allow_all_headers bool: Value to determine whether all HTTP headers are exposed.
allow_all_methods bool: Value to determine whether all methods are exposed.
allow_all_origins bool: Value to determine whether all origins are permitted to make CORS requests.
allow_credentials bool: Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
allowed_headers Sequence[str]: List of HTTP headers to expose via CORS.
allowed_methods Sequence[str]: List of methods to expose via CORS.
allowed_origins Sequence[str]: List of origins permitted to make CORS requests.
max_age int: The maximum time a preflight request will be cached.

allowAllHeaders Boolean: Value to determine whether all HTTP headers are exposed.
allowAllMethods Boolean: Value to determine whether all methods are exposed.
allowAllOrigins Boolean: Value to determine whether all origins are permitted to make CORS requests.
allowCredentials Boolean: Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
allowedHeaders List<String>: List of HTTP headers to expose via CORS.
allowedMethods List<String>: List of methods to expose via CORS.
allowedOrigins List<String>: List of origins permitted to make CORS requests.
maxAge Number: The maximum time a preflight request will be cached.

AccessApplicationSaasApp, AccessApplicationSaasAppArgs

ConsumerServiceUrl string: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
SpEntityId string: A globally unique name for an identity or service provider.
NameIdFormat string: The format of the name identifier sent to the SaaS application. Defaults to email.

ConsumerServiceUrl string: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
SpEntityId string: A globally unique name for an identity or service provider.
NameIdFormat string: The format of the name identifier sent to the SaaS application. Defaults to email.

consumerServiceUrl String: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
spEntityId String: A globally unique name for an identity or service provider.
nameIdFormat String: The format of the name identifier sent to the SaaS application. Defaults to email.

consumerServiceUrl string: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
spEntityId string: A globally unique name for an identity or service provider.
nameIdFormat string: The format of the name identifier sent to the SaaS application. Defaults to email.

consumer_service_url str: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
sp_entity_id str: A globally unique name for an identity or service provider.
name_id_format str: The format of the name identifier sent to the SaaS application. Defaults to email.

consumerServiceUrl String: The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
spEntityId String: A globally unique name for an identity or service provider.
nameIdFormat String: The format of the name identifier sent to the SaaS application. Defaults to email.

Import

 $ pulumi import cloudflare:index/accessApplication:AccessApplication example <account_id>/<application_id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Viewing docs for Cloudflare v4.16.0 (Older version)
published on Monday, Mar 9, 2026 by Pulumi

Go to latest version

Schema (JSON)

pulumi/pulumi-cloudflare

cloudflare.AccessApplication

On this page

On this page

Example Usage

Create AccessApplication Resource

Constructor syntax

Parameters

Constructor example

AccessApplication Resource Properties

Inputs

Outputs

Look up Existing AccessApplication Resource

Supporting Types

AccessApplicationCorsHeader, AccessApplicationCorsHeaderArgs

AccessApplicationSaasApp, AccessApplicationSaasAppArgs

Import

Package Details

On this page

On this page