Cloudflare v5.49.1, Feb 18 25

Cloudflare v5.49.1 published on Tuesday, Feb 18, 2025 by Pulumi

cloudflare.ZeroTrustAccessPolicy

Explore with Pulumi AI

Cloudflare v5.49.1 published on Tuesday, Feb 18, 2025 by Pulumi

It’s required that an account_id or zone_id is provided and in most cases using either is fine. However, if you’re using a scoped access token, you must provide the argument that matches the token’s scope. For example, an access token that is scoped to the “example.com” zone needs to use the zone_id argument. If ‘application_id’ is omitted, the policy created can be reused by multiple access applications. Any cloudflare.AccessApplication resource can reference reusable policies through its policies argument. To destroy a reusable policy and remove it from all applications’ policies lists on the same apply, preemptively set the lifecycle option create_before_destroy to true on the ‘cloudflare_access_policy’ resource.

Create ZeroTrustAccessPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new ZeroTrustAccessPolicy(name: string, args: ZeroTrustAccessPolicyArgs, opts?: CustomResourceOptions);

@overload
def ZeroTrustAccessPolicy(resource_name: str,
                          args: ZeroTrustAccessPolicyArgs,
                          opts: Optional[ResourceOptions] = None)

@overload
def ZeroTrustAccessPolicy(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          decision: Optional[str] = None,
                          name: Optional[str] = None,
                          includes: Optional[Sequence[ZeroTrustAccessPolicyIncludeArgs]] = None,
                          isolation_required: Optional[bool] = None,
                          connection_rules: Optional[ZeroTrustAccessPolicyConnectionRulesArgs] = None,
                          approval_required: Optional[bool] = None,
                          excludes: Optional[Sequence[ZeroTrustAccessPolicyExcludeArgs]] = None,
                          approval_groups: Optional[Sequence[ZeroTrustAccessPolicyApprovalGroupArgs]] = None,
                          account_id: Optional[str] = None,
                          application_id: Optional[str] = None,
                          precedence: Optional[int] = None,
                          purpose_justification_prompt: Optional[str] = None,
                          purpose_justification_required: Optional[bool] = None,
                          requires: Optional[Sequence[ZeroTrustAccessPolicyRequireArgs]] = None,
                          session_duration: Optional[str] = None,
                          zone_id: Optional[str] = None)

func NewZeroTrustAccessPolicy(ctx *Context, name string, args ZeroTrustAccessPolicyArgs, opts ...ResourceOption) (*ZeroTrustAccessPolicy, error)

public ZeroTrustAccessPolicy(string name, ZeroTrustAccessPolicyArgs args, CustomResourceOptions? opts = null)

public ZeroTrustAccessPolicy(String name, ZeroTrustAccessPolicyArgs args)
public ZeroTrustAccessPolicy(String name, ZeroTrustAccessPolicyArgs args, CustomResourceOptions options)

type: cloudflare:ZeroTrustAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ZeroTrustAccessPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ZeroTrustAccessPolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ZeroTrustAccessPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ZeroTrustAccessPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ZeroTrustAccessPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var zeroTrustAccessPolicyResource = new Cloudflare.ZeroTrustAccessPolicy("zeroTrustAccessPolicyResource", new()
{
    Decision = "string",
    Name = "string",
    Includes = new[]
    {
        new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeArgs
        {
            AnyValidServiceToken = false,
            AuthContexts = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeAuthContextArgs
                {
                    AcId = "string",
                    Id = "string",
                    IdentityProviderId = "string",
                },
            },
            AuthMethod = "string",
            Azures = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeAzureArgs
                {
                    IdentityProviderId = "string",
                    Ids = new[]
                    {
                        "string",
                    },
                },
            },
            Certificate = false,
            CommonName = "string",
            CommonNames = new[]
            {
                "string",
            },
            DevicePostures = new[]
            {
                "string",
            },
            EmailDomains = new[]
            {
                "string",
            },
            EmailLists = new[]
            {
                "string",
            },
            Emails = new[]
            {
                "string",
            },
            Everyone = false,
            ExternalEvaluations = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeExternalEvaluationArgs
                {
                    EvaluateUrl = "string",
                    KeysUrl = "string",
                },
            },
            Geos = new[]
            {
                "string",
            },
            Githubs = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeGithubArgs
                {
                    IdentityProviderId = "string",
                    Name = "string",
                    Teams = new[]
                    {
                        "string",
                    },
                },
            },
            Groups = new[]
            {
                "string",
            },
            Gsuites = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeGsuiteArgs
                {
                    Emails = new[]
                    {
                        "string",
                    },
                    IdentityProviderId = "string",
                },
            },
            IpLists = new[]
            {
                "string",
            },
            Ips = new[]
            {
                "string",
            },
            LoginMethods = new[]
            {
                "string",
            },
            Oktas = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeOktaArgs
                {
                    IdentityProviderId = "string",
                    Names = new[]
                    {
                        "string",
                    },
                },
            },
            Samls = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyIncludeSamlArgs
                {
                    AttributeName = "string",
                    AttributeValue = "string",
                    IdentityProviderId = "string",
                },
            },
            ServiceTokens = new[]
            {
                "string",
            },
        },
    },
    IsolationRequired = false,
    ConnectionRules = new Cloudflare.Inputs.ZeroTrustAccessPolicyConnectionRulesArgs
    {
        Ssh = new Cloudflare.Inputs.ZeroTrustAccessPolicyConnectionRulesSshArgs
        {
            Usernames = new[]
            {
                "string",
            },
            AllowEmailAlias = false,
        },
    },
    ApprovalRequired = false,
    Excludes = new[]
    {
        new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeArgs
        {
            AnyValidServiceToken = false,
            AuthContexts = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeAuthContextArgs
                {
                    AcId = "string",
                    Id = "string",
                    IdentityProviderId = "string",
                },
            },
            AuthMethod = "string",
            Azures = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeAzureArgs
                {
                    IdentityProviderId = "string",
                    Ids = new[]
                    {
                        "string",
                    },
                },
            },
            Certificate = false,
            CommonName = "string",
            CommonNames = new[]
            {
                "string",
            },
            DevicePostures = new[]
            {
                "string",
            },
            EmailDomains = new[]
            {
                "string",
            },
            EmailLists = new[]
            {
                "string",
            },
            Emails = new[]
            {
                "string",
            },
            Everyone = false,
            ExternalEvaluations = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeExternalEvaluationArgs
                {
                    EvaluateUrl = "string",
                    KeysUrl = "string",
                },
            },
            Geos = new[]
            {
                "string",
            },
            Githubs = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeGithubArgs
                {
                    IdentityProviderId = "string",
                    Name = "string",
                    Teams = new[]
                    {
                        "string",
                    },
                },
            },
            Groups = new[]
            {
                "string",
            },
            Gsuites = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeGsuiteArgs
                {
                    Emails = new[]
                    {
                        "string",
                    },
                    IdentityProviderId = "string",
                },
            },
            IpLists = new[]
            {
                "string",
            },
            Ips = new[]
            {
                "string",
            },
            LoginMethods = new[]
            {
                "string",
            },
            Oktas = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeOktaArgs
                {
                    IdentityProviderId = "string",
                    Names = new[]
                    {
                        "string",
                    },
                },
            },
            Samls = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyExcludeSamlArgs
                {
                    AttributeName = "string",
                    AttributeValue = "string",
                    IdentityProviderId = "string",
                },
            },
            ServiceTokens = new[]
            {
                "string",
            },
        },
    },
    ApprovalGroups = new[]
    {
        new Cloudflare.Inputs.ZeroTrustAccessPolicyApprovalGroupArgs
        {
            ApprovalsNeeded = 0,
            EmailAddresses = new[]
            {
                "string",
            },
            EmailListUuid = "string",
        },
    },
    AccountId = "string",
    ApplicationId = "string",
    Precedence = 0,
    PurposeJustificationPrompt = "string",
    PurposeJustificationRequired = false,
    Requires = new[]
    {
        new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireArgs
        {
            AnyValidServiceToken = false,
            AuthContexts = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireAuthContextArgs
                {
                    AcId = "string",
                    Id = "string",
                    IdentityProviderId = "string",
                },
            },
            AuthMethod = "string",
            Azures = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireAzureArgs
                {
                    IdentityProviderId = "string",
                    Ids = new[]
                    {
                        "string",
                    },
                },
            },
            Certificate = false,
            CommonName = "string",
            CommonNames = new[]
            {
                "string",
            },
            DevicePostures = new[]
            {
                "string",
            },
            EmailDomains = new[]
            {
                "string",
            },
            EmailLists = new[]
            {
                "string",
            },
            Emails = new[]
            {
                "string",
            },
            Everyone = false,
            ExternalEvaluations = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireExternalEvaluationArgs
                {
                    EvaluateUrl = "string",
                    KeysUrl = "string",
                },
            },
            Geos = new[]
            {
                "string",
            },
            Githubs = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireGithubArgs
                {
                    IdentityProviderId = "string",
                    Name = "string",
                    Teams = new[]
                    {
                        "string",
                    },
                },
            },
            Groups = new[]
            {
                "string",
            },
            Gsuites = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireGsuiteArgs
                {
                    Emails = new[]
                    {
                        "string",
                    },
                    IdentityProviderId = "string",
                },
            },
            IpLists = new[]
            {
                "string",
            },
            Ips = new[]
            {
                "string",
            },
            LoginMethods = new[]
            {
                "string",
            },
            Oktas = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireOktaArgs
                {
                    IdentityProviderId = "string",
                    Names = new[]
                    {
                        "string",
                    },
                },
            },
            Samls = new[]
            {
                new Cloudflare.Inputs.ZeroTrustAccessPolicyRequireSamlArgs
                {
                    AttributeName = "string",
                    AttributeValue = "string",
                    IdentityProviderId = "string",
                },
            },
            ServiceTokens = new[]
            {
                "string",
            },
        },
    },
    SessionDuration = "string",
    ZoneId = "string",
});

example, err := cloudflare.NewZeroTrustAccessPolicy(ctx, "zeroTrustAccessPolicyResource", &cloudflare.ZeroTrustAccessPolicyArgs{
	Decision: pulumi.String("string"),
	Name:     pulumi.String("string"),
	Includes: cloudflare.ZeroTrustAccessPolicyIncludeArray{
		&cloudflare.ZeroTrustAccessPolicyIncludeArgs{
			AnyValidServiceToken: pulumi.Bool(false),
			AuthContexts: cloudflare.ZeroTrustAccessPolicyIncludeAuthContextArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeAuthContextArgs{
					AcId:               pulumi.String("string"),
					Id:                 pulumi.String("string"),
					IdentityProviderId: pulumi.String("string"),
				},
			},
			AuthMethod: pulumi.String("string"),
			Azures: cloudflare.ZeroTrustAccessPolicyIncludeAzureArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeAzureArgs{
					IdentityProviderId: pulumi.String("string"),
					Ids: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Certificate: pulumi.Bool(false),
			CommonName:  pulumi.String("string"),
			CommonNames: pulumi.StringArray{
				pulumi.String("string"),
			},
			DevicePostures: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailDomains: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			Emails: pulumi.StringArray{
				pulumi.String("string"),
			},
			Everyone: pulumi.Bool(false),
			ExternalEvaluations: cloudflare.ZeroTrustAccessPolicyIncludeExternalEvaluationArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeExternalEvaluationArgs{
					EvaluateUrl: pulumi.String("string"),
					KeysUrl:     pulumi.String("string"),
				},
			},
			Geos: pulumi.StringArray{
				pulumi.String("string"),
			},
			Githubs: cloudflare.ZeroTrustAccessPolicyIncludeGithubArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeGithubArgs{
					IdentityProviderId: pulumi.String("string"),
					Name:               pulumi.String("string"),
					Teams: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Groups: pulumi.StringArray{
				pulumi.String("string"),
			},
			Gsuites: cloudflare.ZeroTrustAccessPolicyIncludeGsuiteArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeGsuiteArgs{
					Emails: pulumi.StringArray{
						pulumi.String("string"),
					},
					IdentityProviderId: pulumi.String("string"),
				},
			},
			IpLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			Ips: pulumi.StringArray{
				pulumi.String("string"),
			},
			LoginMethods: pulumi.StringArray{
				pulumi.String("string"),
			},
			Oktas: cloudflare.ZeroTrustAccessPolicyIncludeOktaArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeOktaArgs{
					IdentityProviderId: pulumi.String("string"),
					Names: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Samls: cloudflare.ZeroTrustAccessPolicyIncludeSamlArray{
				&cloudflare.ZeroTrustAccessPolicyIncludeSamlArgs{
					AttributeName:      pulumi.String("string"),
					AttributeValue:     pulumi.String("string"),
					IdentityProviderId: pulumi.String("string"),
				},
			},
			ServiceTokens: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	IsolationRequired: pulumi.Bool(false),
	ConnectionRules: &cloudflare.ZeroTrustAccessPolicyConnectionRulesArgs{
		Ssh: &cloudflare.ZeroTrustAccessPolicyConnectionRulesSshArgs{
			Usernames: pulumi.StringArray{
				pulumi.String("string"),
			},
			AllowEmailAlias: pulumi.Bool(false),
		},
	},
	ApprovalRequired: pulumi.Bool(false),
	Excludes: cloudflare.ZeroTrustAccessPolicyExcludeArray{
		&cloudflare.ZeroTrustAccessPolicyExcludeArgs{
			AnyValidServiceToken: pulumi.Bool(false),
			AuthContexts: cloudflare.ZeroTrustAccessPolicyExcludeAuthContextArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeAuthContextArgs{
					AcId:               pulumi.String("string"),
					Id:                 pulumi.String("string"),
					IdentityProviderId: pulumi.String("string"),
				},
			},
			AuthMethod: pulumi.String("string"),
			Azures: cloudflare.ZeroTrustAccessPolicyExcludeAzureArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeAzureArgs{
					IdentityProviderId: pulumi.String("string"),
					Ids: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Certificate: pulumi.Bool(false),
			CommonName:  pulumi.String("string"),
			CommonNames: pulumi.StringArray{
				pulumi.String("string"),
			},
			DevicePostures: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailDomains: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			Emails: pulumi.StringArray{
				pulumi.String("string"),
			},
			Everyone: pulumi.Bool(false),
			ExternalEvaluations: cloudflare.ZeroTrustAccessPolicyExcludeExternalEvaluationArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeExternalEvaluationArgs{
					EvaluateUrl: pulumi.String("string"),
					KeysUrl:     pulumi.String("string"),
				},
			},
			Geos: pulumi.StringArray{
				pulumi.String("string"),
			},
			Githubs: cloudflare.ZeroTrustAccessPolicyExcludeGithubArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeGithubArgs{
					IdentityProviderId: pulumi.String("string"),
					Name:               pulumi.String("string"),
					Teams: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Groups: pulumi.StringArray{
				pulumi.String("string"),
			},
			Gsuites: cloudflare.ZeroTrustAccessPolicyExcludeGsuiteArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeGsuiteArgs{
					Emails: pulumi.StringArray{
						pulumi.String("string"),
					},
					IdentityProviderId: pulumi.String("string"),
				},
			},
			IpLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			Ips: pulumi.StringArray{
				pulumi.String("string"),
			},
			LoginMethods: pulumi.StringArray{
				pulumi.String("string"),
			},
			Oktas: cloudflare.ZeroTrustAccessPolicyExcludeOktaArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeOktaArgs{
					IdentityProviderId: pulumi.String("string"),
					Names: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Samls: cloudflare.ZeroTrustAccessPolicyExcludeSamlArray{
				&cloudflare.ZeroTrustAccessPolicyExcludeSamlArgs{
					AttributeName:      pulumi.String("string"),
					AttributeValue:     pulumi.String("string"),
					IdentityProviderId: pulumi.String("string"),
				},
			},
			ServiceTokens: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	ApprovalGroups: cloudflare.ZeroTrustAccessPolicyApprovalGroupArray{
		&cloudflare.ZeroTrustAccessPolicyApprovalGroupArgs{
			ApprovalsNeeded: pulumi.Int(0),
			EmailAddresses: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailListUuid: pulumi.String("string"),
		},
	},
	AccountId:                    pulumi.String("string"),
	ApplicationId:                pulumi.String("string"),
	Precedence:                   pulumi.Int(0),
	PurposeJustificationPrompt:   pulumi.String("string"),
	PurposeJustificationRequired: pulumi.Bool(false),
	Requires: cloudflare.ZeroTrustAccessPolicyRequireArray{
		&cloudflare.ZeroTrustAccessPolicyRequireArgs{
			AnyValidServiceToken: pulumi.Bool(false),
			AuthContexts: cloudflare.ZeroTrustAccessPolicyRequireAuthContextArray{
				&cloudflare.ZeroTrustAccessPolicyRequireAuthContextArgs{
					AcId:               pulumi.String("string"),
					Id:                 pulumi.String("string"),
					IdentityProviderId: pulumi.String("string"),
				},
			},
			AuthMethod: pulumi.String("string"),
			Azures: cloudflare.ZeroTrustAccessPolicyRequireAzureArray{
				&cloudflare.ZeroTrustAccessPolicyRequireAzureArgs{
					IdentityProviderId: pulumi.String("string"),
					Ids: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Certificate: pulumi.Bool(false),
			CommonName:  pulumi.String("string"),
			CommonNames: pulumi.StringArray{
				pulumi.String("string"),
			},
			DevicePostures: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailDomains: pulumi.StringArray{
				pulumi.String("string"),
			},
			EmailLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			Emails: pulumi.StringArray{
				pulumi.String("string"),
			},
			Everyone: pulumi.Bool(false),
			ExternalEvaluations: cloudflare.ZeroTrustAccessPolicyRequireExternalEvaluationArray{
				&cloudflare.ZeroTrustAccessPolicyRequireExternalEvaluationArgs{
					EvaluateUrl: pulumi.String("string"),
					KeysUrl:     pulumi.String("string"),
				},
			},
			Geos: pulumi.StringArray{
				pulumi.String("string"),
			},
			Githubs: cloudflare.ZeroTrustAccessPolicyRequireGithubArray{
				&cloudflare.ZeroTrustAccessPolicyRequireGithubArgs{
					IdentityProviderId: pulumi.String("string"),
					Name:               pulumi.String("string"),
					Teams: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Groups: pulumi.StringArray{
				pulumi.String("string"),
			},
			Gsuites: cloudflare.ZeroTrustAccessPolicyRequireGsuiteArray{
				&cloudflare.ZeroTrustAccessPolicyRequireGsuiteArgs{
					Emails: pulumi.StringArray{
						pulumi.String("string"),
					},
					IdentityProviderId: pulumi.String("string"),
				},
			},
			IpLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			Ips: pulumi.StringArray{
				pulumi.String("string"),
			},
			LoginMethods: pulumi.StringArray{
				pulumi.String("string"),
			},
			Oktas: cloudflare.ZeroTrustAccessPolicyRequireOktaArray{
				&cloudflare.ZeroTrustAccessPolicyRequireOktaArgs{
					IdentityProviderId: pulumi.String("string"),
					Names: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Samls: cloudflare.ZeroTrustAccessPolicyRequireSamlArray{
				&cloudflare.ZeroTrustAccessPolicyRequireSamlArgs{
					AttributeName:      pulumi.String("string"),
					AttributeValue:     pulumi.String("string"),
					IdentityProviderId: pulumi.String("string"),
				},
			},
			ServiceTokens: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	SessionDuration: pulumi.String("string"),
	ZoneId:          pulumi.String("string"),
})

var zeroTrustAccessPolicyResource = new ZeroTrustAccessPolicy("zeroTrustAccessPolicyResource", ZeroTrustAccessPolicyArgs.builder()
    .decision("string")
    .name("string")
    .includes(ZeroTrustAccessPolicyIncludeArgs.builder()
        .anyValidServiceToken(false)
        .authContexts(ZeroTrustAccessPolicyIncludeAuthContextArgs.builder()
            .acId("string")
            .id("string")
            .identityProviderId("string")
            .build())
        .authMethod("string")
        .azures(ZeroTrustAccessPolicyIncludeAzureArgs.builder()
            .identityProviderId("string")
            .ids("string")
            .build())
        .certificate(false)
        .commonName("string")
        .commonNames("string")
        .devicePostures("string")
        .emailDomains("string")
        .emailLists("string")
        .emails("string")
        .everyone(false)
        .externalEvaluations(ZeroTrustAccessPolicyIncludeExternalEvaluationArgs.builder()
            .evaluateUrl("string")
            .keysUrl("string")
            .build())
        .geos("string")
        .githubs(ZeroTrustAccessPolicyIncludeGithubArgs.builder()
            .identityProviderId("string")
            .name("string")
            .teams("string")
            .build())
        .groups("string")
        .gsuites(ZeroTrustAccessPolicyIncludeGsuiteArgs.builder()
            .emails("string")
            .identityProviderId("string")
            .build())
        .ipLists("string")
        .ips("string")
        .loginMethods("string")
        .oktas(ZeroTrustAccessPolicyIncludeOktaArgs.builder()
            .identityProviderId("string")
            .names("string")
            .build())
        .samls(ZeroTrustAccessPolicyIncludeSamlArgs.builder()
            .attributeName("string")
            .attributeValue("string")
            .identityProviderId("string")
            .build())
        .serviceTokens("string")
        .build())
    .isolationRequired(false)
    .connectionRules(ZeroTrustAccessPolicyConnectionRulesArgs.builder()
        .ssh(ZeroTrustAccessPolicyConnectionRulesSshArgs.builder()
            .usernames("string")
            .allowEmailAlias(false)
            .build())
        .build())
    .approvalRequired(false)
    .excludes(ZeroTrustAccessPolicyExcludeArgs.builder()
        .anyValidServiceToken(false)
        .authContexts(ZeroTrustAccessPolicyExcludeAuthContextArgs.builder()
            .acId("string")
            .id("string")
            .identityProviderId("string")
            .build())
        .authMethod("string")
        .azures(ZeroTrustAccessPolicyExcludeAzureArgs.builder()
            .identityProviderId("string")
            .ids("string")
            .build())
        .certificate(false)
        .commonName("string")
        .commonNames("string")
        .devicePostures("string")
        .emailDomains("string")
        .emailLists("string")
        .emails("string")
        .everyone(false)
        .externalEvaluations(ZeroTrustAccessPolicyExcludeExternalEvaluationArgs.builder()
            .evaluateUrl("string")
            .keysUrl("string")
            .build())
        .geos("string")
        .githubs(ZeroTrustAccessPolicyExcludeGithubArgs.builder()
            .identityProviderId("string")
            .name("string")
            .teams("string")
            .build())
        .groups("string")
        .gsuites(ZeroTrustAccessPolicyExcludeGsuiteArgs.builder()
            .emails("string")
            .identityProviderId("string")
            .build())
        .ipLists("string")
        .ips("string")
        .loginMethods("string")
        .oktas(ZeroTrustAccessPolicyExcludeOktaArgs.builder()
            .identityProviderId("string")
            .names("string")
            .build())
        .samls(ZeroTrustAccessPolicyExcludeSamlArgs.builder()
            .attributeName("string")
            .attributeValue("string")
            .identityProviderId("string")
            .build())
        .serviceTokens("string")
        .build())
    .approvalGroups(ZeroTrustAccessPolicyApprovalGroupArgs.builder()
        .approvalsNeeded(0)
        .emailAddresses("string")
        .emailListUuid("string")
        .build())
    .accountId("string")
    .applicationId("string")
    .precedence(0)
    .purposeJustificationPrompt("string")
    .purposeJustificationRequired(false)
    .requires(ZeroTrustAccessPolicyRequireArgs.builder()
        .anyValidServiceToken(false)
        .authContexts(ZeroTrustAccessPolicyRequireAuthContextArgs.builder()
            .acId("string")
            .id("string")
            .identityProviderId("string")
            .build())
        .authMethod("string")
        .azures(ZeroTrustAccessPolicyRequireAzureArgs.builder()
            .identityProviderId("string")
            .ids("string")
            .build())
        .certificate(false)
        .commonName("string")
        .commonNames("string")
        .devicePostures("string")
        .emailDomains("string")
        .emailLists("string")
        .emails("string")
        .everyone(false)
        .externalEvaluations(ZeroTrustAccessPolicyRequireExternalEvaluationArgs.builder()
            .evaluateUrl("string")
            .keysUrl("string")
            .build())
        .geos("string")
        .githubs(ZeroTrustAccessPolicyRequireGithubArgs.builder()
            .identityProviderId("string")
            .name("string")
            .teams("string")
            .build())
        .groups("string")
        .gsuites(ZeroTrustAccessPolicyRequireGsuiteArgs.builder()
            .emails("string")
            .identityProviderId("string")
            .build())
        .ipLists("string")
        .ips("string")
        .loginMethods("string")
        .oktas(ZeroTrustAccessPolicyRequireOktaArgs.builder()
            .identityProviderId("string")
            .names("string")
            .build())
        .samls(ZeroTrustAccessPolicyRequireSamlArgs.builder()
            .attributeName("string")
            .attributeValue("string")
            .identityProviderId("string")
            .build())
        .serviceTokens("string")
        .build())
    .sessionDuration("string")
    .zoneId("string")
    .build());

zero_trust_access_policy_resource = cloudflare.ZeroTrustAccessPolicy("zeroTrustAccessPolicyResource",
    decision="string",
    name="string",
    includes=[{
        "any_valid_service_token": False,
        "auth_contexts": [{
            "ac_id": "string",
            "id": "string",
            "identity_provider_id": "string",
        }],
        "auth_method": "string",
        "azures": [{
            "identity_provider_id": "string",
            "ids": ["string"],
        }],
        "certificate": False,
        "common_name": "string",
        "common_names": ["string"],
        "device_postures": ["string"],
        "email_domains": ["string"],
        "email_lists": ["string"],
        "emails": ["string"],
        "everyone": False,
        "external_evaluations": [{
            "evaluate_url": "string",
            "keys_url": "string",
        }],
        "geos": ["string"],
        "githubs": [{
            "identity_provider_id": "string",
            "name": "string",
            "teams": ["string"],
        }],
        "groups": ["string"],
        "gsuites": [{
            "emails": ["string"],
            "identity_provider_id": "string",
        }],
        "ip_lists": ["string"],
        "ips": ["string"],
        "login_methods": ["string"],
        "oktas": [{
            "identity_provider_id": "string",
            "names": ["string"],
        }],
        "samls": [{
            "attribute_name": "string",
            "attribute_value": "string",
            "identity_provider_id": "string",
        }],
        "service_tokens": ["string"],
    }],
    isolation_required=False,
    connection_rules={
        "ssh": {
            "usernames": ["string"],
            "allow_email_alias": False,
        },
    },
    approval_required=False,
    excludes=[{
        "any_valid_service_token": False,
        "auth_contexts": [{
            "ac_id": "string",
            "id": "string",
            "identity_provider_id": "string",
        }],
        "auth_method": "string",
        "azures": [{
            "identity_provider_id": "string",
            "ids": ["string"],
        }],
        "certificate": False,
        "common_name": "string",
        "common_names": ["string"],
        "device_postures": ["string"],
        "email_domains": ["string"],
        "email_lists": ["string"],
        "emails": ["string"],
        "everyone": False,
        "external_evaluations": [{
            "evaluate_url": "string",
            "keys_url": "string",
        }],
        "geos": ["string"],
        "githubs": [{
            "identity_provider_id": "string",
            "name": "string",
            "teams": ["string"],
        }],
        "groups": ["string"],
        "gsuites": [{
            "emails": ["string"],
            "identity_provider_id": "string",
        }],
        "ip_lists": ["string"],
        "ips": ["string"],
        "login_methods": ["string"],
        "oktas": [{
            "identity_provider_id": "string",
            "names": ["string"],
        }],
        "samls": [{
            "attribute_name": "string",
            "attribute_value": "string",
            "identity_provider_id": "string",
        }],
        "service_tokens": ["string"],
    }],
    approval_groups=[{
        "approvals_needed": 0,
        "email_addresses": ["string"],
        "email_list_uuid": "string",
    }],
    account_id="string",
    application_id="string",
    precedence=0,
    purpose_justification_prompt="string",
    purpose_justification_required=False,
    requires=[{
        "any_valid_service_token": False,
        "auth_contexts": [{
            "ac_id": "string",
            "id": "string",
            "identity_provider_id": "string",
        }],
        "auth_method": "string",
        "azures": [{
            "identity_provider_id": "string",
            "ids": ["string"],
        }],
        "certificate": False,
        "common_name": "string",
        "common_names": ["string"],
        "device_postures": ["string"],
        "email_domains": ["string"],
        "email_lists": ["string"],
        "emails": ["string"],
        "everyone": False,
        "external_evaluations": [{
            "evaluate_url": "string",
            "keys_url": "string",
        }],
        "geos": ["string"],
        "githubs": [{
            "identity_provider_id": "string",
            "name": "string",
            "teams": ["string"],
        }],
        "groups": ["string"],
        "gsuites": [{
            "emails": ["string"],
            "identity_provider_id": "string",
        }],
        "ip_lists": ["string"],
        "ips": ["string"],
        "login_methods": ["string"],
        "oktas": [{
            "identity_provider_id": "string",
            "names": ["string"],
        }],
        "samls": [{
            "attribute_name": "string",
            "attribute_value": "string",
            "identity_provider_id": "string",
        }],
        "service_tokens": ["string"],
    }],
    session_duration="string",
    zone_id="string")

const zeroTrustAccessPolicyResource = new cloudflare.ZeroTrustAccessPolicy("zeroTrustAccessPolicyResource", {
    decision: "string",
    name: "string",
    includes: [{
        anyValidServiceToken: false,
        authContexts: [{
            acId: "string",
            id: "string",
            identityProviderId: "string",
        }],
        authMethod: "string",
        azures: [{
            identityProviderId: "string",
            ids: ["string"],
        }],
        certificate: false,
        commonName: "string",
        commonNames: ["string"],
        devicePostures: ["string"],
        emailDomains: ["string"],
        emailLists: ["string"],
        emails: ["string"],
        everyone: false,
        externalEvaluations: [{
            evaluateUrl: "string",
            keysUrl: "string",
        }],
        geos: ["string"],
        githubs: [{
            identityProviderId: "string",
            name: "string",
            teams: ["string"],
        }],
        groups: ["string"],
        gsuites: [{
            emails: ["string"],
            identityProviderId: "string",
        }],
        ipLists: ["string"],
        ips: ["string"],
        loginMethods: ["string"],
        oktas: [{
            identityProviderId: "string",
            names: ["string"],
        }],
        samls: [{
            attributeName: "string",
            attributeValue: "string",
            identityProviderId: "string",
        }],
        serviceTokens: ["string"],
    }],
    isolationRequired: false,
    connectionRules: {
        ssh: {
            usernames: ["string"],
            allowEmailAlias: false,
        },
    },
    approvalRequired: false,
    excludes: [{
        anyValidServiceToken: false,
        authContexts: [{
            acId: "string",
            id: "string",
            identityProviderId: "string",
        }],
        authMethod: "string",
        azures: [{
            identityProviderId: "string",
            ids: ["string"],
        }],
        certificate: false,
        commonName: "string",
        commonNames: ["string"],
        devicePostures: ["string"],
        emailDomains: ["string"],
        emailLists: ["string"],
        emails: ["string"],
        everyone: false,
        externalEvaluations: [{
            evaluateUrl: "string",
            keysUrl: "string",
        }],
        geos: ["string"],
        githubs: [{
            identityProviderId: "string",
            name: "string",
            teams: ["string"],
        }],
        groups: ["string"],
        gsuites: [{
            emails: ["string"],
            identityProviderId: "string",
        }],
        ipLists: ["string"],
        ips: ["string"],
        loginMethods: ["string"],
        oktas: [{
            identityProviderId: "string",
            names: ["string"],
        }],
        samls: [{
            attributeName: "string",
            attributeValue: "string",
            identityProviderId: "string",
        }],
        serviceTokens: ["string"],
    }],
    approvalGroups: [{
        approvalsNeeded: 0,
        emailAddresses: ["string"],
        emailListUuid: "string",
    }],
    accountId: "string",
    applicationId: "string",
    precedence: 0,
    purposeJustificationPrompt: "string",
    purposeJustificationRequired: false,
    requires: [{
        anyValidServiceToken: false,
        authContexts: [{
            acId: "string",
            id: "string",
            identityProviderId: "string",
        }],
        authMethod: "string",
        azures: [{
            identityProviderId: "string",
            ids: ["string"],
        }],
        certificate: false,
        commonName: "string",
        commonNames: ["string"],
        devicePostures: ["string"],
        emailDomains: ["string"],
        emailLists: ["string"],
        emails: ["string"],
        everyone: false,
        externalEvaluations: [{
            evaluateUrl: "string",
            keysUrl: "string",
        }],
        geos: ["string"],
        githubs: [{
            identityProviderId: "string",
            name: "string",
            teams: ["string"],
        }],
        groups: ["string"],
        gsuites: [{
            emails: ["string"],
            identityProviderId: "string",
        }],
        ipLists: ["string"],
        ips: ["string"],
        loginMethods: ["string"],
        oktas: [{
            identityProviderId: "string",
            names: ["string"],
        }],
        samls: [{
            attributeName: "string",
            attributeValue: "string",
            identityProviderId: "string",
        }],
        serviceTokens: ["string"],
    }],
    sessionDuration: "string",
    zoneId: "string",
});

type: cloudflare:ZeroTrustAccessPolicy
properties:
    accountId: string
    applicationId: string
    approvalGroups:
        - approvalsNeeded: 0
          emailAddresses:
            - string
          emailListUuid: string
    approvalRequired: false
    connectionRules:
        ssh:
            allowEmailAlias: false
            usernames:
                - string
    decision: string
    excludes:
        - anyValidServiceToken: false
          authContexts:
            - acId: string
              id: string
              identityProviderId: string
          authMethod: string
          azures:
            - identityProviderId: string
              ids:
                - string
          certificate: false
          commonName: string
          commonNames:
            - string
          devicePostures:
            - string
          emailDomains:
            - string
          emailLists:
            - string
          emails:
            - string
          everyone: false
          externalEvaluations:
            - evaluateUrl: string
              keysUrl: string
          geos:
            - string
          githubs:
            - identityProviderId: string
              name: string
              teams:
                - string
          groups:
            - string
          gsuites:
            - emails:
                - string
              identityProviderId: string
          ipLists:
            - string
          ips:
            - string
          loginMethods:
            - string
          oktas:
            - identityProviderId: string
              names:
                - string
          samls:
            - attributeName: string
              attributeValue: string
              identityProviderId: string
          serviceTokens:
            - string
    includes:
        - anyValidServiceToken: false
          authContexts:
            - acId: string
              id: string
              identityProviderId: string
          authMethod: string
          azures:
            - identityProviderId: string
              ids:
                - string
          certificate: false
          commonName: string
          commonNames:
            - string
          devicePostures:
            - string
          emailDomains:
            - string
          emailLists:
            - string
          emails:
            - string
          everyone: false
          externalEvaluations:
            - evaluateUrl: string
              keysUrl: string
          geos:
            - string
          githubs:
            - identityProviderId: string
              name: string
              teams:
                - string
          groups:
            - string
          gsuites:
            - emails:
                - string
              identityProviderId: string
          ipLists:
            - string
          ips:
            - string
          loginMethods:
            - string
          oktas:
            - identityProviderId: string
              names:
                - string
          samls:
            - attributeName: string
              attributeValue: string
              identityProviderId: string
          serviceTokens:
            - string
    isolationRequired: false
    name: string
    precedence: 0
    purposeJustificationPrompt: string
    purposeJustificationRequired: false
    requires:
        - anyValidServiceToken: false
          authContexts:
            - acId: string
              id: string
              identityProviderId: string
          authMethod: string
          azures:
            - identityProviderId: string
              ids:
                - string
          certificate: false
          commonName: string
          commonNames:
            - string
          devicePostures:
            - string
          emailDomains:
            - string
          emailLists:
            - string
          emails:
            - string
          everyone: false
          externalEvaluations:
            - evaluateUrl: string
              keysUrl: string
          geos:
            - string
          githubs:
            - identityProviderId: string
              name: string
              teams:
                - string
          groups:
            - string
          gsuites:
            - emails:
                - string
              identityProviderId: string
          ipLists:
            - string
          ips:
            - string
          loginMethods:
            - string
          oktas:
            - identityProviderId: string
              names:
                - string
          samls:
            - attributeName: string
              attributeValue: string
              identityProviderId: string
          serviceTokens:
            - string
    sessionDuration: string
    zoneId: string

ZeroTrustAccessPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ZeroTrustAccessPolicy resource accepts the following input properties:

Decision string: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
Includes List<ZeroTrustAccessPolicyInclude>: A series of access conditions, see Access Groups.
Name string: Friendly name of the Access Policy.
AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
ApplicationId string: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
ApprovalGroups List<ZeroTrustAccessPolicyApprovalGroup>
ApprovalRequired bool
ConnectionRules ZeroTrustAccessPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
Excludes List<ZeroTrustAccessPolicyExclude>: A series of access conditions, see Access Groups.
IsolationRequired bool: Require this application to be served in an isolated browser for users matching this policy.
Precedence int: The unique precedence for policies on a single application. Required when using application_id.
PurposeJustificationPrompt string: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
PurposeJustificationRequired bool: Whether to prompt the user for a justification for accessing the resource.
Requires List<ZeroTrustAccessPolicyRequire>: A series of access conditions, see Access Groups.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

Decision string: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
Includes []ZeroTrustAccessPolicyIncludeArgs: A series of access conditions, see Access Groups.
Name string: Friendly name of the Access Policy.
AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
ApplicationId string: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
ApprovalGroups []ZeroTrustAccessPolicyApprovalGroupArgs
ApprovalRequired bool
ConnectionRules ZeroTrustAccessPolicyConnectionRulesArgs: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
Excludes []ZeroTrustAccessPolicyExcludeArgs: A series of access conditions, see Access Groups.
IsolationRequired bool: Require this application to be served in an isolated browser for users matching this policy.
Precedence int: The unique precedence for policies on a single application. Required when using application_id.
PurposeJustificationPrompt string: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
PurposeJustificationRequired bool: Whether to prompt the user for a justification for accessing the resource.
Requires []ZeroTrustAccessPolicyRequireArgs: A series of access conditions, see Access Groups.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

decision String: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
includes List<ZeroTrustAccessPolicyInclude>: A series of access conditions, see Access Groups.
name String: Friendly name of the Access Policy.
accountId String: The account identifier to target for the resource. Conflicts with zone_id.
applicationId String: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approvalGroups List<ZeroTrustAccessPolicyApprovalGroup>
approvalRequired Boolean
connectionRules ZeroTrustAccessPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
excludes List<ZeroTrustAccessPolicyExclude>: A series of access conditions, see Access Groups.
isolationRequired Boolean: Require this application to be served in an isolated browser for users matching this policy.
precedence Integer: The unique precedence for policies on a single application. Required when using application_id.
purposeJustificationPrompt String: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purposeJustificationRequired Boolean: Whether to prompt the user for a justification for accessing the resource.
requires List<ZeroTrustAccessPolicyRequire>: A series of access conditions, see Access Groups.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

decision string: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
includes ZeroTrustAccessPolicyInclude[]: A series of access conditions, see Access Groups.
name string: Friendly name of the Access Policy.
accountId string: The account identifier to target for the resource. Conflicts with zone_id.
applicationId string: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approvalGroups ZeroTrustAccessPolicyApprovalGroup[]
approvalRequired boolean
connectionRules ZeroTrustAccessPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
excludes ZeroTrustAccessPolicyExclude[]: A series of access conditions, see Access Groups.
isolationRequired boolean: Require this application to be served in an isolated browser for users matching this policy.
precedence number: The unique precedence for policies on a single application. Required when using application_id.
purposeJustificationPrompt string: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purposeJustificationRequired boolean: Whether to prompt the user for a justification for accessing the resource.
requires ZeroTrustAccessPolicyRequire[]: A series of access conditions, see Access Groups.
sessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zoneId string: The zone identifier to target for the resource. Conflicts with account_id.

decision str: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
includes Sequence[ZeroTrustAccessPolicyIncludeArgs]: A series of access conditions, see Access Groups.
name str: Friendly name of the Access Policy.
account_id str: The account identifier to target for the resource. Conflicts with zone_id.
application_id str: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approval_groups Sequence[ZeroTrustAccessPolicyApprovalGroupArgs]
approval_required bool
connection_rules ZeroTrustAccessPolicyConnectionRulesArgs: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
excludes Sequence[ZeroTrustAccessPolicyExcludeArgs]: A series of access conditions, see Access Groups.
isolation_required bool: Require this application to be served in an isolated browser for users matching this policy.
precedence int: The unique precedence for policies on a single application. Required when using application_id.
purpose_justification_prompt str: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purpose_justification_required bool: Whether to prompt the user for a justification for accessing the resource.
requires Sequence[ZeroTrustAccessPolicyRequireArgs]: A series of access conditions, see Access Groups.
session_duration str: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zone_id str: The zone identifier to target for the resource. Conflicts with account_id.

decision String: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
includes List<Property Map>: A series of access conditions, see Access Groups.
name String: Friendly name of the Access Policy.
accountId String: The account identifier to target for the resource. Conflicts with zone_id.
applicationId String: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approvalGroups List<Property Map>
approvalRequired Boolean
connectionRules Property Map: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
excludes List<Property Map>: A series of access conditions, see Access Groups.
isolationRequired Boolean: Require this application to be served in an isolated browser for users matching this policy.
precedence Number: The unique precedence for policies on a single application. Required when using application_id.
purposeJustificationPrompt String: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purposeJustificationRequired Boolean: Whether to prompt the user for a justification for accessing the resource.
requires List<Property Map>: A series of access conditions, see Access Groups.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the ZeroTrustAccessPolicy resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing ZeroTrustAccessPolicy Resource

Get an existing ZeroTrustAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: ZeroTrustAccessPolicyState, opts?: CustomResourceOptions): ZeroTrustAccessPolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        application_id: Optional[str] = None,
        approval_groups: Optional[Sequence[ZeroTrustAccessPolicyApprovalGroupArgs]] = None,
        approval_required: Optional[bool] = None,
        connection_rules: Optional[ZeroTrustAccessPolicyConnectionRulesArgs] = None,
        decision: Optional[str] = None,
        excludes: Optional[Sequence[ZeroTrustAccessPolicyExcludeArgs]] = None,
        includes: Optional[Sequence[ZeroTrustAccessPolicyIncludeArgs]] = None,
        isolation_required: Optional[bool] = None,
        name: Optional[str] = None,
        precedence: Optional[int] = None,
        purpose_justification_prompt: Optional[str] = None,
        purpose_justification_required: Optional[bool] = None,
        requires: Optional[Sequence[ZeroTrustAccessPolicyRequireArgs]] = None,
        session_duration: Optional[str] = None,
        zone_id: Optional[str] = None) -> ZeroTrustAccessPolicy

func GetZeroTrustAccessPolicy(ctx *Context, name string, id IDInput, state *ZeroTrustAccessPolicyState, opts ...ResourceOption) (*ZeroTrustAccessPolicy, error)

public static ZeroTrustAccessPolicy Get(string name, Input<string> id, ZeroTrustAccessPolicyState? state, CustomResourceOptions? opts = null)

public static ZeroTrustAccessPolicy get(String name, Output<String> id, ZeroTrustAccessPolicyState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:ZeroTrustAccessPolicy    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
ApplicationId string: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
ApprovalGroups List<ZeroTrustAccessPolicyApprovalGroup>
ApprovalRequired bool
ConnectionRules ZeroTrustAccessPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
Decision string: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
Excludes List<ZeroTrustAccessPolicyExclude>: A series of access conditions, see Access Groups.
Includes List<ZeroTrustAccessPolicyInclude>: A series of access conditions, see Access Groups.
IsolationRequired bool: Require this application to be served in an isolated browser for users matching this policy.
Name string: Friendly name of the Access Policy.
Precedence int: The unique precedence for policies on a single application. Required when using application_id.
PurposeJustificationPrompt string: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
PurposeJustificationRequired bool: Whether to prompt the user for a justification for accessing the resource.
Requires List<ZeroTrustAccessPolicyRequire>: A series of access conditions, see Access Groups.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

AccountId string: The account identifier to target for the resource. Conflicts with zone_id.
ApplicationId string: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
ApprovalGroups []ZeroTrustAccessPolicyApprovalGroupArgs
ApprovalRequired bool
ConnectionRules ZeroTrustAccessPolicyConnectionRulesArgs: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
Decision string: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
Excludes []ZeroTrustAccessPolicyExcludeArgs: A series of access conditions, see Access Groups.
Includes []ZeroTrustAccessPolicyIncludeArgs: A series of access conditions, see Access Groups.
IsolationRequired bool: Require this application to be served in an isolated browser for users matching this policy.
Name string: Friendly name of the Access Policy.
Precedence int: The unique precedence for policies on a single application. Required when using application_id.
PurposeJustificationPrompt string: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
PurposeJustificationRequired bool: Whether to prompt the user for a justification for accessing the resource.
Requires []ZeroTrustAccessPolicyRequireArgs: A series of access conditions, see Access Groups.
SessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
ZoneId string: The zone identifier to target for the resource. Conflicts with account_id.

accountId String: The account identifier to target for the resource. Conflicts with zone_id.
applicationId String: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approvalGroups List<ZeroTrustAccessPolicyApprovalGroup>
approvalRequired Boolean
connectionRules ZeroTrustAccessPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
decision String: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
excludes List<ZeroTrustAccessPolicyExclude>: A series of access conditions, see Access Groups.
includes List<ZeroTrustAccessPolicyInclude>: A series of access conditions, see Access Groups.
isolationRequired Boolean: Require this application to be served in an isolated browser for users matching this policy.
name String: Friendly name of the Access Policy.
precedence Integer: The unique precedence for policies on a single application. Required when using application_id.
purposeJustificationPrompt String: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purposeJustificationRequired Boolean: Whether to prompt the user for a justification for accessing the resource.
requires List<ZeroTrustAccessPolicyRequire>: A series of access conditions, see Access Groups.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

accountId string: The account identifier to target for the resource. Conflicts with zone_id.
applicationId string: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approvalGroups ZeroTrustAccessPolicyApprovalGroup[]
approvalRequired boolean
connectionRules ZeroTrustAccessPolicyConnectionRules: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
decision string: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
excludes ZeroTrustAccessPolicyExclude[]: A series of access conditions, see Access Groups.
includes ZeroTrustAccessPolicyInclude[]: A series of access conditions, see Access Groups.
isolationRequired boolean: Require this application to be served in an isolated browser for users matching this policy.
name string: Friendly name of the Access Policy.
precedence number: The unique precedence for policies on a single application. Required when using application_id.
purposeJustificationPrompt string: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purposeJustificationRequired boolean: Whether to prompt the user for a justification for accessing the resource.
requires ZeroTrustAccessPolicyRequire[]: A series of access conditions, see Access Groups.
sessionDuration string: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zoneId string: The zone identifier to target for the resource. Conflicts with account_id.

account_id str: The account identifier to target for the resource. Conflicts with zone_id.
application_id str: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approval_groups Sequence[ZeroTrustAccessPolicyApprovalGroupArgs]
approval_required bool
connection_rules ZeroTrustAccessPolicyConnectionRulesArgs: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
decision str: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
excludes Sequence[ZeroTrustAccessPolicyExcludeArgs]: A series of access conditions, see Access Groups.
includes Sequence[ZeroTrustAccessPolicyIncludeArgs]: A series of access conditions, see Access Groups.
isolation_required bool: Require this application to be served in an isolated browser for users matching this policy.
name str: Friendly name of the Access Policy.
precedence int: The unique precedence for policies on a single application. Required when using application_id.
purpose_justification_prompt str: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purpose_justification_required bool: Whether to prompt the user for a justification for accessing the resource.
requires Sequence[ZeroTrustAccessPolicyRequireArgs]: A series of access conditions, see Access Groups.
session_duration str: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zone_id str: The zone identifier to target for the resource. Conflicts with account_id.

accountId String: The account identifier to target for the resource. Conflicts with zone_id.
applicationId String: The ID of the application the policy is associated with. Required when using precedence. Modifying this attribute will force creation of a new resource.
approvalGroups List<Property Map>
approvalRequired Boolean
connectionRules Property Map: The rules that define how users may connect to the targets secured by your application. Only applicable to Infrastructure Applications, in which case this field is required.
decision String: Defines the action Access will take if the policy matches the user. Available values: allow, deny, non_identity, bypass.
excludes List<Property Map>: A series of access conditions, see Access Groups.
includes List<Property Map>: A series of access conditions, see Access Groups.
isolationRequired Boolean: Require this application to be served in an isolated browser for users matching this policy.
name String: Friendly name of the Access Policy.
precedence Number: The unique precedence for policies on a single application. Required when using application_id.
purposeJustificationPrompt String: The prompt to display to the user for a justification for accessing the resource. Required when using purpose_justification_required.
purposeJustificationRequired Boolean: Whether to prompt the user for a justification for accessing the resource.
requires List<Property Map>: A series of access conditions, see Access Groups.
sessionDuration String: How often a user will be forced to re-authorise. Must be in the format 48h or 2h45m.
zoneId String: The zone identifier to target for the resource. Conflicts with account_id.

Supporting Types

ZeroTrustAccessPolicyApprovalGroup
, ZeroTrustAccessPolicyApprovalGroupArgs

ApprovalsNeeded int: Number of approvals needed.
EmailAddresses List<string>: List of emails to request approval from.
EmailListUuid string

ApprovalsNeeded int: Number of approvals needed.
EmailAddresses []string: List of emails to request approval from.
EmailListUuid string

approvalsNeeded Integer: Number of approvals needed.
emailAddresses List<String>: List of emails to request approval from.
emailListUuid String

approvalsNeeded number: Number of approvals needed.
emailAddresses string[]: List of emails to request approval from.
emailListUuid string

approvals_needed int: Number of approvals needed.
email_addresses Sequence[str]: List of emails to request approval from.
email_list_uuid str

approvalsNeeded Number: Number of approvals needed.
emailAddresses List<String>: List of emails to request approval from.
emailListUuid String

ZeroTrustAccessPolicyConnectionRules
, ZeroTrustAccessPolicyConnectionRulesArgs

Ssh ZeroTrustAccessPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

Ssh ZeroTrustAccessPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh ZeroTrustAccessPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh ZeroTrustAccessPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh ZeroTrustAccessPolicyConnectionRulesSsh: The SSH-specific rules that define how users may connect to the targets secured by your application.

ssh Property Map: The SSH-specific rules that define how users may connect to the targets secured by your application.

ZeroTrustAccessPolicyConnectionRulesSsh
, ZeroTrustAccessPolicyConnectionRulesSshArgs

Usernames List<string>: Contains the Unix usernames that may be used when connecting over SSH.
AllowEmailAlias bool: Allows connecting to Unix username that matches the authenticating email prefix.

Usernames []string: Contains the Unix usernames that may be used when connecting over SSH.
AllowEmailAlias bool: Allows connecting to Unix username that matches the authenticating email prefix.

usernames List<String>: Contains the Unix usernames that may be used when connecting over SSH.
allowEmailAlias Boolean: Allows connecting to Unix username that matches the authenticating email prefix.

usernames string[]: Contains the Unix usernames that may be used when connecting over SSH.
allowEmailAlias boolean: Allows connecting to Unix username that matches the authenticating email prefix.

usernames Sequence[str]: Contains the Unix usernames that may be used when connecting over SSH.
allow_email_alias bool: Allows connecting to Unix username that matches the authenticating email prefix.

usernames List<String>: Contains the Unix usernames that may be used when connecting over SSH.
allowEmailAlias Boolean: Allows connecting to Unix username that matches the authenticating email prefix.

ZeroTrustAccessPolicyExclude
, ZeroTrustAccessPolicyExcludeArgs

AnyValidServiceToken bool: Matches any valid Access service token.
AuthContexts List<ZeroTrustAccessPolicyExcludeAuthContext>
AuthMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
Azures List<ZeroTrustAccessPolicyExcludeAzure>: Matches an Azure group. Requires an Azure identity provider.
Certificate bool: Matches any valid client certificate.
CommonName string: Matches a valid client certificate common name.
CommonNames List<string>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
DevicePostures List<string>: The ID of a device posture integration.
EmailDomains List<string>: The email domain to match.
EmailLists List<string>: The ID of a previously created email list.
Emails List<string>: The email of the user.
Everyone bool: Matches everyone.
ExternalEvaluations List<ZeroTrustAccessPolicyExcludeExternalEvaluation>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
Geos List<string>: Matches a specific country.
Githubs List<ZeroTrustAccessPolicyExcludeGithub>: Matches a Github organization. Requires a Github identity provider.
Groups List<string>: The ID of a previously created Access group.
Gsuites List<ZeroTrustAccessPolicyExcludeGsuite>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
IpLists List<string>: The ID of a previously created IP list.
Ips List<string>: An IPv4 or IPv6 CIDR block.
LoginMethods List<string>: The ID of a configured identity provider.
Oktas List<ZeroTrustAccessPolicyExcludeOkta>: Matches an Okta group. Requires an Okta identity provider.
Samls List<ZeroTrustAccessPolicyExcludeSaml>: Matches a SAML group. Requires a SAML identity provider.
ServiceTokens List<string>: The ID of an Access service token.

AnyValidServiceToken bool: Matches any valid Access service token.
AuthContexts []ZeroTrustAccessPolicyExcludeAuthContext
AuthMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
Azures []ZeroTrustAccessPolicyExcludeAzure: Matches an Azure group. Requires an Azure identity provider.
Certificate bool: Matches any valid client certificate.
CommonName string: Matches a valid client certificate common name.
CommonNames []string: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
DevicePostures []string: The ID of a device posture integration.
EmailDomains []string: The email domain to match.
EmailLists []string: The ID of a previously created email list.
Emails []string: The email of the user.
Everyone bool: Matches everyone.
ExternalEvaluations []ZeroTrustAccessPolicyExcludeExternalEvaluation: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
Geos []string: Matches a specific country.
Githubs []ZeroTrustAccessPolicyExcludeGithub: Matches a Github organization. Requires a Github identity provider.
Groups []string: The ID of a previously created Access group.
Gsuites []ZeroTrustAccessPolicyExcludeGsuite: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
IpLists []string: The ID of a previously created IP list.
Ips []string: An IPv4 or IPv6 CIDR block.
LoginMethods []string: The ID of a configured identity provider.
Oktas []ZeroTrustAccessPolicyExcludeOkta: Matches an Okta group. Requires an Okta identity provider.
Samls []ZeroTrustAccessPolicyExcludeSaml: Matches a SAML group. Requires a SAML identity provider.
ServiceTokens []string: The ID of an Access service token.

anyValidServiceToken Boolean: Matches any valid Access service token.
authContexts List<ZeroTrustAccessPolicyExcludeAuthContext>
authMethod String: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures List<ZeroTrustAccessPolicyExcludeAzure>: Matches an Azure group. Requires an Azure identity provider.
certificate Boolean: Matches any valid client certificate.
commonName String: Matches a valid client certificate common name.
commonNames List<String>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures List<String>: The ID of a device posture integration.
emailDomains List<String>: The email domain to match.
emailLists List<String>: The ID of a previously created email list.
emails List<String>: The email of the user.
everyone Boolean: Matches everyone.
externalEvaluations List<ZeroTrustAccessPolicyExcludeExternalEvaluation>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos List<String>: Matches a specific country.
githubs List<ZeroTrustAccessPolicyExcludeGithub>: Matches a Github organization. Requires a Github identity provider.
groups List<String>: The ID of a previously created Access group.
gsuites List<ZeroTrustAccessPolicyExcludeGsuite>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists List<String>: The ID of a previously created IP list.
ips List<String>: An IPv4 or IPv6 CIDR block.
loginMethods List<String>: The ID of a configured identity provider.
oktas List<ZeroTrustAccessPolicyExcludeOkta>: Matches an Okta group. Requires an Okta identity provider.
samls List<ZeroTrustAccessPolicyExcludeSaml>: Matches a SAML group. Requires a SAML identity provider.
serviceTokens List<String>: The ID of an Access service token.

anyValidServiceToken boolean: Matches any valid Access service token.
authContexts ZeroTrustAccessPolicyExcludeAuthContext[]
authMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures ZeroTrustAccessPolicyExcludeAzure[]: Matches an Azure group. Requires an Azure identity provider.
certificate boolean: Matches any valid client certificate.
commonName string: Matches a valid client certificate common name.
commonNames string[]: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures string[]: The ID of a device posture integration.
emailDomains string[]: The email domain to match.
emailLists string[]: The ID of a previously created email list.
emails string[]: The email of the user.
everyone boolean: Matches everyone.
externalEvaluations ZeroTrustAccessPolicyExcludeExternalEvaluation[]: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos string[]: Matches a specific country.
githubs ZeroTrustAccessPolicyExcludeGithub[]: Matches a Github organization. Requires a Github identity provider.
groups string[]: The ID of a previously created Access group.
gsuites ZeroTrustAccessPolicyExcludeGsuite[]: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists string[]: The ID of a previously created IP list.
ips string[]: An IPv4 or IPv6 CIDR block.
loginMethods string[]: The ID of a configured identity provider.
oktas ZeroTrustAccessPolicyExcludeOkta[]: Matches an Okta group. Requires an Okta identity provider.
samls ZeroTrustAccessPolicyExcludeSaml[]: Matches a SAML group. Requires a SAML identity provider.
serviceTokens string[]: The ID of an Access service token.

any_valid_service_token bool: Matches any valid Access service token.
auth_contexts Sequence[ZeroTrustAccessPolicyExcludeAuthContext]
auth_method str: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures Sequence[ZeroTrustAccessPolicyExcludeAzure]: Matches an Azure group. Requires an Azure identity provider.
certificate bool: Matches any valid client certificate.
common_name str: Matches a valid client certificate common name.
common_names Sequence[str]: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
device_postures Sequence[str]: The ID of a device posture integration.
email_domains Sequence[str]: The email domain to match.
email_lists Sequence[str]: The ID of a previously created email list.
emails Sequence[str]: The email of the user.
everyone bool: Matches everyone.
external_evaluations Sequence[ZeroTrustAccessPolicyExcludeExternalEvaluation]: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos Sequence[str]: Matches a specific country.
githubs Sequence[ZeroTrustAccessPolicyExcludeGithub]: Matches a Github organization. Requires a Github identity provider.
groups Sequence[str]: The ID of a previously created Access group.
gsuites Sequence[ZeroTrustAccessPolicyExcludeGsuite]: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ip_lists Sequence[str]: The ID of a previously created IP list.
ips Sequence[str]: An IPv4 or IPv6 CIDR block.
login_methods Sequence[str]: The ID of a configured identity provider.
oktas Sequence[ZeroTrustAccessPolicyExcludeOkta]: Matches an Okta group. Requires an Okta identity provider.
samls Sequence[ZeroTrustAccessPolicyExcludeSaml]: Matches a SAML group. Requires a SAML identity provider.
service_tokens Sequence[str]: The ID of an Access service token.

anyValidServiceToken Boolean: Matches any valid Access service token.
authContexts List<Property Map>
authMethod String: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures List<Property Map>: Matches an Azure group. Requires an Azure identity provider.
certificate Boolean: Matches any valid client certificate.
commonName String: Matches a valid client certificate common name.
commonNames List<String>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures List<String>: The ID of a device posture integration.
emailDomains List<String>: The email domain to match.
emailLists List<String>: The ID of a previously created email list.
emails List<String>: The email of the user.
everyone Boolean: Matches everyone.
externalEvaluations List<Property Map>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos List<String>: Matches a specific country.
githubs List<Property Map>: Matches a Github organization. Requires a Github identity provider.
groups List<String>: The ID of a previously created Access group.
gsuites List<Property Map>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists List<String>: The ID of a previously created IP list.
ips List<String>: An IPv4 or IPv6 CIDR block.
loginMethods List<String>: The ID of a configured identity provider.
oktas List<Property Map>: Matches an Okta group. Requires an Okta identity provider.
samls List<Property Map>: Matches a SAML group. Requires a SAML identity provider.
serviceTokens List<String>: The ID of an Access service token.

ZeroTrustAccessPolicyExcludeAuthContext
, ZeroTrustAccessPolicyExcludeAuthContextArgs

AcId string: The ACID of the Authentication Context.
Id string: The ID of the Authentication Context.
IdentityProviderId string: The ID of the Azure identity provider.

AcId string: The ACID of the Authentication Context.
Id string: The ID of the Authentication Context.
IdentityProviderId string: The ID of the Azure identity provider.

acId String: The ACID of the Authentication Context.
id String: The ID of the Authentication Context.
identityProviderId String: The ID of the Azure identity provider.

acId string: The ACID of the Authentication Context.
id string: The ID of the Authentication Context.
identityProviderId string: The ID of the Azure identity provider.

ac_id str: The ACID of the Authentication Context.
id str: The ID of the Authentication Context.
identity_provider_id str: The ID of the Azure identity provider.

acId String: The ACID of the Authentication Context.
id String: The ID of the Authentication Context.
identityProviderId String: The ID of the Azure identity provider.

ZeroTrustAccessPolicyExcludeAzure
, ZeroTrustAccessPolicyExcludeAzureArgs

IdentityProviderId string: The ID of the Azure identity provider.
Ids List<string>: The ID of the Azure group or user.

IdentityProviderId string: The ID of the Azure identity provider.
Ids []string: The ID of the Azure group or user.

identityProviderId String: The ID of the Azure identity provider.
ids List<String>: The ID of the Azure group or user.

identityProviderId string: The ID of the Azure identity provider.
ids string[]: The ID of the Azure group or user.

identity_provider_id str: The ID of the Azure identity provider.
ids Sequence[str]: The ID of the Azure group or user.

identityProviderId String: The ID of the Azure identity provider.
ids List<String>: The ID of the Azure group or user.

ZeroTrustAccessPolicyExcludeExternalEvaluation
, ZeroTrustAccessPolicyExcludeExternalEvaluationArgs

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl string: The API endpoint containing your business logic.
keysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluate_url str: The API endpoint containing your business logic.
keys_url str: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

ZeroTrustAccessPolicyExcludeGithub
, ZeroTrustAccessPolicyExcludeGithubArgs

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Teams List<string>: The teams that should be matched.

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Teams []string: The teams that should be matched.

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
teams List<String>: The teams that should be matched.

identityProviderId string: The ID of your Github identity provider.
name string: The name of the organization.
teams string[]: The teams that should be matched.

identity_provider_id str: The ID of your Github identity provider.
name str: The name of the organization.
teams Sequence[str]: The teams that should be matched.

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
teams List<String>: The teams that should be matched.

ZeroTrustAccessPolicyExcludeGsuite
, ZeroTrustAccessPolicyExcludeGsuiteArgs

Emails List<string>: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

Emails []string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

emails List<String>: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

emails string[]: The email of the Google Workspace group.
identityProviderId string: The ID of your Google Workspace identity provider.

emails Sequence[str]: The email of the Google Workspace group.
identity_provider_id str: The ID of your Google Workspace identity provider.

emails List<String>: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

ZeroTrustAccessPolicyExcludeOkta
, ZeroTrustAccessPolicyExcludeOktaArgs

IdentityProviderId string: The ID of your Okta identity provider.
Names List<string>: The name of the Okta Group.

IdentityProviderId string: The ID of your Okta identity provider.
Names []string: The name of the Okta Group.

identityProviderId String: The ID of your Okta identity provider.
names List<String>: The name of the Okta Group.

identityProviderId string: The ID of your Okta identity provider.
names string[]: The name of the Okta Group.

identity_provider_id str: The ID of your Okta identity provider.
names Sequence[str]: The name of the Okta Group.

identityProviderId String: The ID of your Okta identity provider.
names List<String>: The name of the Okta Group.

ZeroTrustAccessPolicyExcludeSaml
, ZeroTrustAccessPolicyExcludeSamlArgs

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

attributeName string: The name of the SAML attribute.
attributeValue string: The SAML attribute value to look for.
identityProviderId string: The ID of your SAML identity provider.

attribute_name str: The name of the SAML attribute.
attribute_value str: The SAML attribute value to look for.
identity_provider_id str: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

ZeroTrustAccessPolicyInclude
, ZeroTrustAccessPolicyIncludeArgs

AnyValidServiceToken bool: Matches any valid Access service token.
AuthContexts List<ZeroTrustAccessPolicyIncludeAuthContext>
AuthMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
Azures List<ZeroTrustAccessPolicyIncludeAzure>: Matches an Azure group. Requires an Azure identity provider.
Certificate bool: Matches any valid client certificate.
CommonName string: Matches a valid client certificate common name.
CommonNames List<string>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
DevicePostures List<string>: The ID of a device posture integration.
EmailDomains List<string>: The email domain to match.
EmailLists List<string>: The ID of a previously created email list.
Emails List<string>: The email of the user.
Everyone bool: Matches everyone.
ExternalEvaluations List<ZeroTrustAccessPolicyIncludeExternalEvaluation>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
Geos List<string>: Matches a specific country.
Githubs List<ZeroTrustAccessPolicyIncludeGithub>: Matches a Github organization. Requires a Github identity provider.
Groups List<string>: The ID of a previously created Access group.
Gsuites List<ZeroTrustAccessPolicyIncludeGsuite>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
IpLists List<string>: The ID of a previously created IP list.
Ips List<string>: An IPv4 or IPv6 CIDR block.
LoginMethods List<string>: The ID of a configured identity provider.
Oktas List<ZeroTrustAccessPolicyIncludeOkta>: Matches an Okta group. Requires an Okta identity provider.
Samls List<ZeroTrustAccessPolicyIncludeSaml>: Matches a SAML group. Requires a SAML identity provider.
ServiceTokens List<string>: The ID of an Access service token.

AnyValidServiceToken bool: Matches any valid Access service token.
AuthContexts []ZeroTrustAccessPolicyIncludeAuthContext
AuthMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
Azures []ZeroTrustAccessPolicyIncludeAzure: Matches an Azure group. Requires an Azure identity provider.
Certificate bool: Matches any valid client certificate.
CommonName string: Matches a valid client certificate common name.
CommonNames []string: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
DevicePostures []string: The ID of a device posture integration.
EmailDomains []string: The email domain to match.
EmailLists []string: The ID of a previously created email list.
Emails []string: The email of the user.
Everyone bool: Matches everyone.
ExternalEvaluations []ZeroTrustAccessPolicyIncludeExternalEvaluation: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
Geos []string: Matches a specific country.
Githubs []ZeroTrustAccessPolicyIncludeGithub: Matches a Github organization. Requires a Github identity provider.
Groups []string: The ID of a previously created Access group.
Gsuites []ZeroTrustAccessPolicyIncludeGsuite: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
IpLists []string: The ID of a previously created IP list.
Ips []string: An IPv4 or IPv6 CIDR block.
LoginMethods []string: The ID of a configured identity provider.
Oktas []ZeroTrustAccessPolicyIncludeOkta: Matches an Okta group. Requires an Okta identity provider.
Samls []ZeroTrustAccessPolicyIncludeSaml: Matches a SAML group. Requires a SAML identity provider.
ServiceTokens []string: The ID of an Access service token.

anyValidServiceToken Boolean: Matches any valid Access service token.
authContexts List<ZeroTrustAccessPolicyIncludeAuthContext>
authMethod String: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures List<ZeroTrustAccessPolicyIncludeAzure>: Matches an Azure group. Requires an Azure identity provider.
certificate Boolean: Matches any valid client certificate.
commonName String: Matches a valid client certificate common name.
commonNames List<String>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures List<String>: The ID of a device posture integration.
emailDomains List<String>: The email domain to match.
emailLists List<String>: The ID of a previously created email list.
emails List<String>: The email of the user.
everyone Boolean: Matches everyone.
externalEvaluations List<ZeroTrustAccessPolicyIncludeExternalEvaluation>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos List<String>: Matches a specific country.
githubs List<ZeroTrustAccessPolicyIncludeGithub>: Matches a Github organization. Requires a Github identity provider.
groups List<String>: The ID of a previously created Access group.
gsuites List<ZeroTrustAccessPolicyIncludeGsuite>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists List<String>: The ID of a previously created IP list.
ips List<String>: An IPv4 or IPv6 CIDR block.
loginMethods List<String>: The ID of a configured identity provider.
oktas List<ZeroTrustAccessPolicyIncludeOkta>: Matches an Okta group. Requires an Okta identity provider.
samls List<ZeroTrustAccessPolicyIncludeSaml>: Matches a SAML group. Requires a SAML identity provider.
serviceTokens List<String>: The ID of an Access service token.

anyValidServiceToken boolean: Matches any valid Access service token.
authContexts ZeroTrustAccessPolicyIncludeAuthContext[]
authMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures ZeroTrustAccessPolicyIncludeAzure[]: Matches an Azure group. Requires an Azure identity provider.
certificate boolean: Matches any valid client certificate.
commonName string: Matches a valid client certificate common name.
commonNames string[]: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures string[]: The ID of a device posture integration.
emailDomains string[]: The email domain to match.
emailLists string[]: The ID of a previously created email list.
emails string[]: The email of the user.
everyone boolean: Matches everyone.
externalEvaluations ZeroTrustAccessPolicyIncludeExternalEvaluation[]: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos string[]: Matches a specific country.
githubs ZeroTrustAccessPolicyIncludeGithub[]: Matches a Github organization. Requires a Github identity provider.
groups string[]: The ID of a previously created Access group.
gsuites ZeroTrustAccessPolicyIncludeGsuite[]: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists string[]: The ID of a previously created IP list.
ips string[]: An IPv4 or IPv6 CIDR block.
loginMethods string[]: The ID of a configured identity provider.
oktas ZeroTrustAccessPolicyIncludeOkta[]: Matches an Okta group. Requires an Okta identity provider.
samls ZeroTrustAccessPolicyIncludeSaml[]: Matches a SAML group. Requires a SAML identity provider.
serviceTokens string[]: The ID of an Access service token.

any_valid_service_token bool: Matches any valid Access service token.
auth_contexts Sequence[ZeroTrustAccessPolicyIncludeAuthContext]
auth_method str: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures Sequence[ZeroTrustAccessPolicyIncludeAzure]: Matches an Azure group. Requires an Azure identity provider.
certificate bool: Matches any valid client certificate.
common_name str: Matches a valid client certificate common name.
common_names Sequence[str]: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
device_postures Sequence[str]: The ID of a device posture integration.
email_domains Sequence[str]: The email domain to match.
email_lists Sequence[str]: The ID of a previously created email list.
emails Sequence[str]: The email of the user.
everyone bool: Matches everyone.
external_evaluations Sequence[ZeroTrustAccessPolicyIncludeExternalEvaluation]: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos Sequence[str]: Matches a specific country.
githubs Sequence[ZeroTrustAccessPolicyIncludeGithub]: Matches a Github organization. Requires a Github identity provider.
groups Sequence[str]: The ID of a previously created Access group.
gsuites Sequence[ZeroTrustAccessPolicyIncludeGsuite]: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ip_lists Sequence[str]: The ID of a previously created IP list.
ips Sequence[str]: An IPv4 or IPv6 CIDR block.
login_methods Sequence[str]: The ID of a configured identity provider.
oktas Sequence[ZeroTrustAccessPolicyIncludeOkta]: Matches an Okta group. Requires an Okta identity provider.
samls Sequence[ZeroTrustAccessPolicyIncludeSaml]: Matches a SAML group. Requires a SAML identity provider.
service_tokens Sequence[str]: The ID of an Access service token.

anyValidServiceToken Boolean: Matches any valid Access service token.
authContexts List<Property Map>
authMethod String: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures List<Property Map>: Matches an Azure group. Requires an Azure identity provider.
certificate Boolean: Matches any valid client certificate.
commonName String: Matches a valid client certificate common name.
commonNames List<String>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures List<String>: The ID of a device posture integration.
emailDomains List<String>: The email domain to match.
emailLists List<String>: The ID of a previously created email list.
emails List<String>: The email of the user.
everyone Boolean: Matches everyone.
externalEvaluations List<Property Map>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos List<String>: Matches a specific country.
githubs List<Property Map>: Matches a Github organization. Requires a Github identity provider.
groups List<String>: The ID of a previously created Access group.
gsuites List<Property Map>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists List<String>: The ID of a previously created IP list.
ips List<String>: An IPv4 or IPv6 CIDR block.
loginMethods List<String>: The ID of a configured identity provider.
oktas List<Property Map>: Matches an Okta group. Requires an Okta identity provider.
samls List<Property Map>: Matches a SAML group. Requires a SAML identity provider.
serviceTokens List<String>: The ID of an Access service token.

ZeroTrustAccessPolicyIncludeAuthContext
, ZeroTrustAccessPolicyIncludeAuthContextArgs

AcId string: The ACID of the Authentication Context.
Id string: The ID of the Authentication Context.
IdentityProviderId string: The ID of the Azure identity provider.

AcId string: The ACID of the Authentication Context.
Id string: The ID of the Authentication Context.
IdentityProviderId string: The ID of the Azure identity provider.

acId String: The ACID of the Authentication Context.
id String: The ID of the Authentication Context.
identityProviderId String: The ID of the Azure identity provider.

acId string: The ACID of the Authentication Context.
id string: The ID of the Authentication Context.
identityProviderId string: The ID of the Azure identity provider.

ac_id str: The ACID of the Authentication Context.
id str: The ID of the Authentication Context.
identity_provider_id str: The ID of the Azure identity provider.

acId String: The ACID of the Authentication Context.
id String: The ID of the Authentication Context.
identityProviderId String: The ID of the Azure identity provider.

ZeroTrustAccessPolicyIncludeAzure
, ZeroTrustAccessPolicyIncludeAzureArgs

IdentityProviderId string: The ID of the Azure identity provider.
Ids List<string>: The ID of the Azure group or user.

IdentityProviderId string: The ID of the Azure identity provider.
Ids []string: The ID of the Azure group or user.

identityProviderId String: The ID of the Azure identity provider.
ids List<String>: The ID of the Azure group or user.

identityProviderId string: The ID of the Azure identity provider.
ids string[]: The ID of the Azure group or user.

identity_provider_id str: The ID of the Azure identity provider.
ids Sequence[str]: The ID of the Azure group or user.

identityProviderId String: The ID of the Azure identity provider.
ids List<String>: The ID of the Azure group or user.

ZeroTrustAccessPolicyIncludeExternalEvaluation
, ZeroTrustAccessPolicyIncludeExternalEvaluationArgs

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl string: The API endpoint containing your business logic.
keysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluate_url str: The API endpoint containing your business logic.
keys_url str: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

ZeroTrustAccessPolicyIncludeGithub
, ZeroTrustAccessPolicyIncludeGithubArgs

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Teams List<string>: The teams that should be matched.

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Teams []string: The teams that should be matched.

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
teams List<String>: The teams that should be matched.

identityProviderId string: The ID of your Github identity provider.
name string: The name of the organization.
teams string[]: The teams that should be matched.

identity_provider_id str: The ID of your Github identity provider.
name str: The name of the organization.
teams Sequence[str]: The teams that should be matched.

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
teams List<String>: The teams that should be matched.

ZeroTrustAccessPolicyIncludeGsuite
, ZeroTrustAccessPolicyIncludeGsuiteArgs

Emails List<string>: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

Emails []string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

emails List<String>: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

emails string[]: The email of the Google Workspace group.
identityProviderId string: The ID of your Google Workspace identity provider.

emails Sequence[str]: The email of the Google Workspace group.
identity_provider_id str: The ID of your Google Workspace identity provider.

emails List<String>: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

ZeroTrustAccessPolicyIncludeOkta
, ZeroTrustAccessPolicyIncludeOktaArgs

IdentityProviderId string: The ID of your Okta identity provider.
Names List<string>: The name of the Okta Group.

IdentityProviderId string: The ID of your Okta identity provider.
Names []string: The name of the Okta Group.

identityProviderId String: The ID of your Okta identity provider.
names List<String>: The name of the Okta Group.

identityProviderId string: The ID of your Okta identity provider.
names string[]: The name of the Okta Group.

identity_provider_id str: The ID of your Okta identity provider.
names Sequence[str]: The name of the Okta Group.

identityProviderId String: The ID of your Okta identity provider.
names List<String>: The name of the Okta Group.

ZeroTrustAccessPolicyIncludeSaml
, ZeroTrustAccessPolicyIncludeSamlArgs

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

attributeName string: The name of the SAML attribute.
attributeValue string: The SAML attribute value to look for.
identityProviderId string: The ID of your SAML identity provider.

attribute_name str: The name of the SAML attribute.
attribute_value str: The SAML attribute value to look for.
identity_provider_id str: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

ZeroTrustAccessPolicyRequire
, ZeroTrustAccessPolicyRequireArgs

AnyValidServiceToken bool: Matches any valid Access service token.
AuthContexts List<ZeroTrustAccessPolicyRequireAuthContext>
AuthMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
Azures List<ZeroTrustAccessPolicyRequireAzure>: Matches an Azure group. Requires an Azure identity provider.
Certificate bool: Matches any valid client certificate.
CommonName string: Matches a valid client certificate common name.
CommonNames List<string>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
DevicePostures List<string>: The ID of a device posture integration.
EmailDomains List<string>: The email domain to match.
EmailLists List<string>: The ID of a previously created email list.
Emails List<string>: The email of the user.
Everyone bool: Matches everyone.
ExternalEvaluations List<ZeroTrustAccessPolicyRequireExternalEvaluation>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
Geos List<string>: Matches a specific country.
Githubs List<ZeroTrustAccessPolicyRequireGithub>: Matches a Github organization. Requires a Github identity provider.
Groups List<string>: The ID of a previously created Access group.
Gsuites List<ZeroTrustAccessPolicyRequireGsuite>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
IpLists List<string>: The ID of a previously created IP list.
Ips List<string>: An IPv4 or IPv6 CIDR block.
LoginMethods List<string>: The ID of a configured identity provider.
Oktas List<ZeroTrustAccessPolicyRequireOkta>: Matches an Okta group. Requires an Okta identity provider.
Samls List<ZeroTrustAccessPolicyRequireSaml>: Matches a SAML group. Requires a SAML identity provider.
ServiceTokens List<string>: The ID of an Access service token.

AnyValidServiceToken bool: Matches any valid Access service token.
AuthContexts []ZeroTrustAccessPolicyRequireAuthContext
AuthMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
Azures []ZeroTrustAccessPolicyRequireAzure: Matches an Azure group. Requires an Azure identity provider.
Certificate bool: Matches any valid client certificate.
CommonName string: Matches a valid client certificate common name.
CommonNames []string: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
DevicePostures []string: The ID of a device posture integration.
EmailDomains []string: The email domain to match.
EmailLists []string: The ID of a previously created email list.
Emails []string: The email of the user.
Everyone bool: Matches everyone.
ExternalEvaluations []ZeroTrustAccessPolicyRequireExternalEvaluation: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
Geos []string: Matches a specific country.
Githubs []ZeroTrustAccessPolicyRequireGithub: Matches a Github organization. Requires a Github identity provider.
Groups []string: The ID of a previously created Access group.
Gsuites []ZeroTrustAccessPolicyRequireGsuite: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
IpLists []string: The ID of a previously created IP list.
Ips []string: An IPv4 or IPv6 CIDR block.
LoginMethods []string: The ID of a configured identity provider.
Oktas []ZeroTrustAccessPolicyRequireOkta: Matches an Okta group. Requires an Okta identity provider.
Samls []ZeroTrustAccessPolicyRequireSaml: Matches a SAML group. Requires a SAML identity provider.
ServiceTokens []string: The ID of an Access service token.

anyValidServiceToken Boolean: Matches any valid Access service token.
authContexts List<ZeroTrustAccessPolicyRequireAuthContext>
authMethod String: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures List<ZeroTrustAccessPolicyRequireAzure>: Matches an Azure group. Requires an Azure identity provider.
certificate Boolean: Matches any valid client certificate.
commonName String: Matches a valid client certificate common name.
commonNames List<String>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures List<String>: The ID of a device posture integration.
emailDomains List<String>: The email domain to match.
emailLists List<String>: The ID of a previously created email list.
emails List<String>: The email of the user.
everyone Boolean: Matches everyone.
externalEvaluations List<ZeroTrustAccessPolicyRequireExternalEvaluation>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos List<String>: Matches a specific country.
githubs List<ZeroTrustAccessPolicyRequireGithub>: Matches a Github organization. Requires a Github identity provider.
groups List<String>: The ID of a previously created Access group.
gsuites List<ZeroTrustAccessPolicyRequireGsuite>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists List<String>: The ID of a previously created IP list.
ips List<String>: An IPv4 or IPv6 CIDR block.
loginMethods List<String>: The ID of a configured identity provider.
oktas List<ZeroTrustAccessPolicyRequireOkta>: Matches an Okta group. Requires an Okta identity provider.
samls List<ZeroTrustAccessPolicyRequireSaml>: Matches a SAML group. Requires a SAML identity provider.
serviceTokens List<String>: The ID of an Access service token.

anyValidServiceToken boolean: Matches any valid Access service token.
authContexts ZeroTrustAccessPolicyRequireAuthContext[]
authMethod string: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures ZeroTrustAccessPolicyRequireAzure[]: Matches an Azure group. Requires an Azure identity provider.
certificate boolean: Matches any valid client certificate.
commonName string: Matches a valid client certificate common name.
commonNames string[]: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures string[]: The ID of a device posture integration.
emailDomains string[]: The email domain to match.
emailLists string[]: The ID of a previously created email list.
emails string[]: The email of the user.
everyone boolean: Matches everyone.
externalEvaluations ZeroTrustAccessPolicyRequireExternalEvaluation[]: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos string[]: Matches a specific country.
githubs ZeroTrustAccessPolicyRequireGithub[]: Matches a Github organization. Requires a Github identity provider.
groups string[]: The ID of a previously created Access group.
gsuites ZeroTrustAccessPolicyRequireGsuite[]: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists string[]: The ID of a previously created IP list.
ips string[]: An IPv4 or IPv6 CIDR block.
loginMethods string[]: The ID of a configured identity provider.
oktas ZeroTrustAccessPolicyRequireOkta[]: Matches an Okta group. Requires an Okta identity provider.
samls ZeroTrustAccessPolicyRequireSaml[]: Matches a SAML group. Requires a SAML identity provider.
serviceTokens string[]: The ID of an Access service token.

any_valid_service_token bool: Matches any valid Access service token.
auth_contexts Sequence[ZeroTrustAccessPolicyRequireAuthContext]
auth_method str: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures Sequence[ZeroTrustAccessPolicyRequireAzure]: Matches an Azure group. Requires an Azure identity provider.
certificate bool: Matches any valid client certificate.
common_name str: Matches a valid client certificate common name.
common_names Sequence[str]: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
device_postures Sequence[str]: The ID of a device posture integration.
email_domains Sequence[str]: The email domain to match.
email_lists Sequence[str]: The ID of a previously created email list.
emails Sequence[str]: The email of the user.
everyone bool: Matches everyone.
external_evaluations Sequence[ZeroTrustAccessPolicyRequireExternalEvaluation]: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos Sequence[str]: Matches a specific country.
githubs Sequence[ZeroTrustAccessPolicyRequireGithub]: Matches a Github organization. Requires a Github identity provider.
groups Sequence[str]: The ID of a previously created Access group.
gsuites Sequence[ZeroTrustAccessPolicyRequireGsuite]: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ip_lists Sequence[str]: The ID of a previously created IP list.
ips Sequence[str]: An IPv4 or IPv6 CIDR block.
login_methods Sequence[str]: The ID of a configured identity provider.
oktas Sequence[ZeroTrustAccessPolicyRequireOkta]: Matches an Okta group. Requires an Okta identity provider.
samls Sequence[ZeroTrustAccessPolicyRequireSaml]: Matches a SAML group. Requires a SAML identity provider.
service_tokens Sequence[str]: The ID of an Access service token.

anyValidServiceToken Boolean: Matches any valid Access service token.
authContexts List<Property Map>
authMethod String: The type of authentication method. Refer to https://datatracker.ietf.org/doc/html/rfc8176#section-2 for possible types.
azures List<Property Map>: Matches an Azure group. Requires an Azure identity provider.
certificate Boolean: Matches any valid client certificate.
commonName String: Matches a valid client certificate common name.
commonNames List<String>: Overflow field if you need to have multiple commonname rules in a single policy. Use in place of the singular commonname field.
devicePostures List<String>: The ID of a device posture integration.
emailDomains List<String>: The email domain to match.
emailLists List<String>: The ID of a previously created email list.
emails List<String>: The email of the user.
everyone Boolean: Matches everyone.
externalEvaluations List<Property Map>: Create Allow or Block policies which evaluate the user based on custom criteria. https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/.
geos List<String>: Matches a specific country.
githubs List<Property Map>: Matches a Github organization. Requires a Github identity provider.
groups List<String>: The ID of a previously created Access group.
gsuites List<Property Map>: Matches a group in Google Workspace. Requires a Google Workspace identity provider.
ipLists List<String>: The ID of a previously created IP list.
ips List<String>: An IPv4 or IPv6 CIDR block.
loginMethods List<String>: The ID of a configured identity provider.
oktas List<Property Map>: Matches an Okta group. Requires an Okta identity provider.
samls List<Property Map>: Matches a SAML group. Requires a SAML identity provider.
serviceTokens List<String>: The ID of an Access service token.

ZeroTrustAccessPolicyRequireAuthContext
, ZeroTrustAccessPolicyRequireAuthContextArgs

AcId string: The ACID of the Authentication Context.
Id string: The ID of the Authentication Context.
IdentityProviderId string: The ID of the Azure identity provider.

AcId string: The ACID of the Authentication Context.
Id string: The ID of the Authentication Context.
IdentityProviderId string: The ID of the Azure identity provider.

acId String: The ACID of the Authentication Context.
id String: The ID of the Authentication Context.
identityProviderId String: The ID of the Azure identity provider.

acId string: The ACID of the Authentication Context.
id string: The ID of the Authentication Context.
identityProviderId string: The ID of the Azure identity provider.

ac_id str: The ACID of the Authentication Context.
id str: The ID of the Authentication Context.
identity_provider_id str: The ID of the Azure identity provider.

acId String: The ACID of the Authentication Context.
id String: The ID of the Authentication Context.
identityProviderId String: The ID of the Azure identity provider.

ZeroTrustAccessPolicyRequireAzure
, ZeroTrustAccessPolicyRequireAzureArgs

IdentityProviderId string: The ID of the Azure identity provider.
Ids List<string>: The ID of the Azure group or user.

IdentityProviderId string: The ID of the Azure identity provider.
Ids []string: The ID of the Azure group or user.

identityProviderId String: The ID of the Azure identity provider.
ids List<String>: The ID of the Azure group or user.

identityProviderId string: The ID of the Azure identity provider.
ids string[]: The ID of the Azure group or user.

identity_provider_id str: The ID of the Azure identity provider.
ids Sequence[str]: The ID of the Azure group or user.

identityProviderId String: The ID of the Azure identity provider.
ids List<String>: The ID of the Azure group or user.

ZeroTrustAccessPolicyRequireExternalEvaluation
, ZeroTrustAccessPolicyRequireExternalEvaluationArgs

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

EvaluateUrl string: The API endpoint containing your business logic.
KeysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl string: The API endpoint containing your business logic.
keysUrl string: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluate_url str: The API endpoint containing your business logic.
keys_url str: The API endpoint containing the key that Access uses to verify that the response came from your API.

evaluateUrl String: The API endpoint containing your business logic.
keysUrl String: The API endpoint containing the key that Access uses to verify that the response came from your API.

ZeroTrustAccessPolicyRequireGithub
, ZeroTrustAccessPolicyRequireGithubArgs

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Teams List<string>: The teams that should be matched.

IdentityProviderId string: The ID of your Github identity provider.
Name string: The name of the organization.
Teams []string: The teams that should be matched.

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
teams List<String>: The teams that should be matched.

identityProviderId string: The ID of your Github identity provider.
name string: The name of the organization.
teams string[]: The teams that should be matched.

identity_provider_id str: The ID of your Github identity provider.
name str: The name of the organization.
teams Sequence[str]: The teams that should be matched.

identityProviderId String: The ID of your Github identity provider.
name String: The name of the organization.
teams List<String>: The teams that should be matched.

ZeroTrustAccessPolicyRequireGsuite
, ZeroTrustAccessPolicyRequireGsuiteArgs

Emails List<string>: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

Emails []string: The email of the Google Workspace group.
IdentityProviderId string: The ID of your Google Workspace identity provider.

emails List<String>: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

emails string[]: The email of the Google Workspace group.
identityProviderId string: The ID of your Google Workspace identity provider.

emails Sequence[str]: The email of the Google Workspace group.
identity_provider_id str: The ID of your Google Workspace identity provider.

emails List<String>: The email of the Google Workspace group.
identityProviderId String: The ID of your Google Workspace identity provider.

ZeroTrustAccessPolicyRequireOkta
, ZeroTrustAccessPolicyRequireOktaArgs

IdentityProviderId string: The ID of your Okta identity provider.
Names List<string>: The name of the Okta Group.

IdentityProviderId string: The ID of your Okta identity provider.
Names []string: The name of the Okta Group.

identityProviderId String: The ID of your Okta identity provider.
names List<String>: The name of the Okta Group.

identityProviderId string: The ID of your Okta identity provider.
names string[]: The name of the Okta Group.

identity_provider_id str: The ID of your Okta identity provider.
names Sequence[str]: The name of the Okta Group.

identityProviderId String: The ID of your Okta identity provider.
names List<String>: The name of the Okta Group.

ZeroTrustAccessPolicyRequireSaml
, ZeroTrustAccessPolicyRequireSamlArgs

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

AttributeName string: The name of the SAML attribute.
AttributeValue string: The SAML attribute value to look for.
IdentityProviderId string: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

attributeName string: The name of the SAML attribute.
attributeValue string: The SAML attribute value to look for.
identityProviderId string: The ID of your SAML identity provider.

attribute_name str: The name of the SAML attribute.
attribute_value str: The SAML attribute value to look for.
identity_provider_id str: The ID of your SAML identity provider.

attributeName String: The name of the SAML attribute.
attributeValue String: The SAML attribute value to look for.
identityProviderId String: The ID of your SAML identity provider.

Import

$ pulumi import cloudflare:index/zeroTrustAccessPolicy:ZeroTrustAccessPolicy example account/<account_id>/<application_id>/<policy_id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Cloudflare v5.49.1 published on Tuesday, Feb 18, 2025 by Pulumi

pulumi/pulumi-cloudflare

cloudflare.ZeroTrustAccessPolicy

On this page

On this page

Create ZeroTrustAccessPolicy Resource

Constructor syntax

Parameters

Constructor example

ZeroTrustAccessPolicy Resource Properties

Inputs

Outputs

Look up Existing ZeroTrustAccessPolicy Resource

Supporting Types

ZeroTrustAccessPolicyApprovalGroup, ZeroTrustAccessPolicyApprovalGroupArgs

ZeroTrustAccessPolicyConnectionRules, ZeroTrustAccessPolicyConnectionRulesArgs

ZeroTrustAccessPolicyConnectionRulesSsh, ZeroTrustAccessPolicyConnectionRulesSshArgs

ZeroTrustAccessPolicyExclude, ZeroTrustAccessPolicyExcludeArgs

ZeroTrustAccessPolicyExcludeAuthContext, ZeroTrustAccessPolicyExcludeAuthContextArgs

ZeroTrustAccessPolicyExcludeAzure, ZeroTrustAccessPolicyExcludeAzureArgs

ZeroTrustAccessPolicyExcludeExternalEvaluation, ZeroTrustAccessPolicyExcludeExternalEvaluationArgs

ZeroTrustAccessPolicyExcludeGithub, ZeroTrustAccessPolicyExcludeGithubArgs

ZeroTrustAccessPolicyExcludeGsuite, ZeroTrustAccessPolicyExcludeGsuiteArgs

ZeroTrustAccessPolicyExcludeOkta, ZeroTrustAccessPolicyExcludeOktaArgs

ZeroTrustAccessPolicyExcludeSaml, ZeroTrustAccessPolicyExcludeSamlArgs

ZeroTrustAccessPolicyInclude, ZeroTrustAccessPolicyIncludeArgs

ZeroTrustAccessPolicyIncludeAuthContext, ZeroTrustAccessPolicyIncludeAuthContextArgs

ZeroTrustAccessPolicyIncludeAzure, ZeroTrustAccessPolicyIncludeAzureArgs

ZeroTrustAccessPolicyIncludeExternalEvaluation, ZeroTrustAccessPolicyIncludeExternalEvaluationArgs

ZeroTrustAccessPolicyIncludeGithub, ZeroTrustAccessPolicyIncludeGithubArgs

ZeroTrustAccessPolicyIncludeGsuite, ZeroTrustAccessPolicyIncludeGsuiteArgs

ZeroTrustAccessPolicyIncludeOkta, ZeroTrustAccessPolicyIncludeOktaArgs

ZeroTrustAccessPolicyIncludeSaml, ZeroTrustAccessPolicyIncludeSamlArgs

ZeroTrustAccessPolicyRequire, ZeroTrustAccessPolicyRequireArgs

ZeroTrustAccessPolicyRequireAuthContext, ZeroTrustAccessPolicyRequireAuthContextArgs

ZeroTrustAccessPolicyRequireAzure, ZeroTrustAccessPolicyRequireAzureArgs

ZeroTrustAccessPolicyRequireExternalEvaluation, ZeroTrustAccessPolicyRequireExternalEvaluationArgs

ZeroTrustAccessPolicyRequireGithub, ZeroTrustAccessPolicyRequireGithubArgs

ZeroTrustAccessPolicyRequireGsuite, ZeroTrustAccessPolicyRequireGsuiteArgs

ZeroTrustAccessPolicyRequireOkta, ZeroTrustAccessPolicyRequireOktaArgs

ZeroTrustAccessPolicyRequireSaml, ZeroTrustAccessPolicyRequireSamlArgs

Import

Package Details

On this page

On this page

ZeroTrustAccessPolicyApprovalGroup
, ZeroTrustAccessPolicyApprovalGroupArgs

ZeroTrustAccessPolicyConnectionRules
, ZeroTrustAccessPolicyConnectionRulesArgs

ZeroTrustAccessPolicyConnectionRulesSsh
, ZeroTrustAccessPolicyConnectionRulesSshArgs

ZeroTrustAccessPolicyExclude
, ZeroTrustAccessPolicyExcludeArgs

ZeroTrustAccessPolicyExcludeAuthContext
, ZeroTrustAccessPolicyExcludeAuthContextArgs

ZeroTrustAccessPolicyExcludeAzure
, ZeroTrustAccessPolicyExcludeAzureArgs

ZeroTrustAccessPolicyExcludeExternalEvaluation
, ZeroTrustAccessPolicyExcludeExternalEvaluationArgs

ZeroTrustAccessPolicyExcludeGithub
, ZeroTrustAccessPolicyExcludeGithubArgs

ZeroTrustAccessPolicyExcludeGsuite
, ZeroTrustAccessPolicyExcludeGsuiteArgs

ZeroTrustAccessPolicyExcludeOkta
, ZeroTrustAccessPolicyExcludeOktaArgs

ZeroTrustAccessPolicyExcludeSaml
, ZeroTrustAccessPolicyExcludeSamlArgs

ZeroTrustAccessPolicyInclude
, ZeroTrustAccessPolicyIncludeArgs

ZeroTrustAccessPolicyIncludeAuthContext
, ZeroTrustAccessPolicyIncludeAuthContextArgs

ZeroTrustAccessPolicyIncludeAzure
, ZeroTrustAccessPolicyIncludeAzureArgs

ZeroTrustAccessPolicyIncludeExternalEvaluation
, ZeroTrustAccessPolicyIncludeExternalEvaluationArgs

ZeroTrustAccessPolicyIncludeGithub
, ZeroTrustAccessPolicyIncludeGithubArgs

ZeroTrustAccessPolicyIncludeGsuite
, ZeroTrustAccessPolicyIncludeGsuiteArgs

ZeroTrustAccessPolicyIncludeOkta
, ZeroTrustAccessPolicyIncludeOktaArgs

ZeroTrustAccessPolicyIncludeSaml
, ZeroTrustAccessPolicyIncludeSamlArgs

ZeroTrustAccessPolicyRequire
, ZeroTrustAccessPolicyRequireArgs

ZeroTrustAccessPolicyRequireAuthContext
, ZeroTrustAccessPolicyRequireAuthContextArgs

ZeroTrustAccessPolicyRequireAzure
, ZeroTrustAccessPolicyRequireAzureArgs

ZeroTrustAccessPolicyRequireExternalEvaluation
, ZeroTrustAccessPolicyRequireExternalEvaluationArgs

ZeroTrustAccessPolicyRequireGithub
, ZeroTrustAccessPolicyRequireGithubArgs

ZeroTrustAccessPolicyRequireGsuite
, ZeroTrustAccessPolicyRequireGsuiteArgs

ZeroTrustAccessPolicyRequireOkta
, ZeroTrustAccessPolicyRequireOktaArgs

ZeroTrustAccessPolicyRequireSaml
, ZeroTrustAccessPolicyRequireSamlArgs