1. Packages
  2. Cloudflare Provider
  3. API Docs
  4. AccessRule
Cloudflare v5.43.0 published on Wednesday, Nov 13, 2024 by Pulumi

cloudflare.AccessRule

Explore with Pulumi AI

cloudflare logo
Cloudflare v5.43.0 published on Wednesday, Nov 13, 2024 by Pulumi

    Provides a Cloudflare IP Firewall Access Rule resource. Access control can be applied on basis of IP addresses, IP ranges, AS numbers or countries.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as cloudflare from "@pulumi/cloudflare";
    
    // Challenge requests coming from known Tor exit nodes.
    const torExitNodes = new cloudflare.AccessRule("tor_exit_nodes", {
        zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
        notes: "Requests coming from known Tor exit nodes",
        mode: "challenge",
        configuration: {
            target: "country",
            value: "T1",
        },
    });
    // Allowlist requests coming from Antarctica, but only for single zone.
    const antarctica = new cloudflare.AccessRule("antarctica", {
        zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
        notes: "Requests coming from Antarctica",
        mode: "whitelist",
        configuration: {
            target: "country",
            value: "AQ",
        },
    });
    const config = new pulumi.Config();
    const myOffice = config.getObject<Array<string>>("myOffice") || [
        "192.0.2.0/24",
        "198.51.100.0/24",
        "2001:db8::/56",
    ];
    const officeNetwork: cloudflare.AccessRule[] = [];
    for (const range = {value: 0}; range.value < myOffice.length; range.value++) {
        officeNetwork.push(new cloudflare.AccessRule(`office_network-${range.value}`, {
            accountId: "f037e56e89293a057740de681ac9abbe",
            notes: "Requests coming from office network",
            mode: "whitelist",
            configuration: {
                target: "ip_range",
                value: myOffice[range.value],
            },
        }));
    }
    
    import pulumi
    import pulumi_cloudflare as cloudflare
    
    # Challenge requests coming from known Tor exit nodes.
    tor_exit_nodes = cloudflare.AccessRule("tor_exit_nodes",
        zone_id="0da42c8d2132a9ddaf714f9e7c920711",
        notes="Requests coming from known Tor exit nodes",
        mode="challenge",
        configuration={
            "target": "country",
            "value": "T1",
        })
    # Allowlist requests coming from Antarctica, but only for single zone.
    antarctica = cloudflare.AccessRule("antarctica",
        zone_id="0da42c8d2132a9ddaf714f9e7c920711",
        notes="Requests coming from Antarctica",
        mode="whitelist",
        configuration={
            "target": "country",
            "value": "AQ",
        })
    config = pulumi.Config()
    my_office = config.get_object("myOffice")
    if my_office is None:
        my_office = [
            "192.0.2.0/24",
            "198.51.100.0/24",
            "2001:db8::/56",
        ]
    office_network = []
    for range in [{"value": i} for i in range(0, len(my_office))]:
        office_network.append(cloudflare.AccessRule(f"office_network-{range['value']}",
            account_id="f037e56e89293a057740de681ac9abbe",
            notes="Requests coming from office network",
            mode="whitelist",
            configuration={
                "target": "ip_range",
                "value": my_office[range["value"]],
            }))
    
    Coming soon!
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Cloudflare = Pulumi.Cloudflare;
    
    return await Deployment.RunAsync(() => 
    {
        // Challenge requests coming from known Tor exit nodes.
        var torExitNodes = new Cloudflare.AccessRule("tor_exit_nodes", new()
        {
            ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
            Notes = "Requests coming from known Tor exit nodes",
            Mode = "challenge",
            Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
            {
                Target = "country",
                Value = "T1",
            },
        });
    
        // Allowlist requests coming from Antarctica, but only for single zone.
        var antarctica = new Cloudflare.AccessRule("antarctica", new()
        {
            ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
            Notes = "Requests coming from Antarctica",
            Mode = "whitelist",
            Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
            {
                Target = "country",
                Value = "AQ",
            },
        });
    
        var config = new Config();
        var myOffice = config.GetObject<string[]>("myOffice") ?? new[]
        {
            "192.0.2.0/24",
            "198.51.100.0/24",
            "2001:db8::/56",
        };
        var officeNetwork = new List<Cloudflare.AccessRule>();
        for (var rangeIndex = 0; rangeIndex < myOffice.Length; rangeIndex++)
        {
            var range = new { Value = rangeIndex };
            officeNetwork.Add(new Cloudflare.AccessRule($"office_network-{range.Value}", new()
            {
                AccountId = "f037e56e89293a057740de681ac9abbe",
                Notes = "Requests coming from office network",
                Mode = "whitelist",
                Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
                {
                    Target = "ip_range",
                    Value = myOffice[range.Value],
                },
            }));
        }
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.cloudflare.AccessRule;
    import com.pulumi.cloudflare.AccessRuleArgs;
    import com.pulumi.cloudflare.inputs.AccessRuleConfigurationArgs;
    import com.pulumi.codegen.internal.KeyedValue;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var config = ctx.config();
            // Challenge requests coming from known Tor exit nodes.
            var torExitNodes = new AccessRule("torExitNodes", AccessRuleArgs.builder()
                .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
                .notes("Requests coming from known Tor exit nodes")
                .mode("challenge")
                .configuration(AccessRuleConfigurationArgs.builder()
                    .target("country")
                    .value("T1")
                    .build())
                .build());
    
            // Allowlist requests coming from Antarctica, but only for single zone.
            var antarctica = new AccessRule("antarctica", AccessRuleArgs.builder()
                .zoneId("0da42c8d2132a9ddaf714f9e7c920711")
                .notes("Requests coming from Antarctica")
                .mode("whitelist")
                .configuration(AccessRuleConfigurationArgs.builder()
                    .target("country")
                    .value("AQ")
                    .build())
                .build());
    
            final var myOffice = config.get("myOffice").orElse(        
                "192.0.2.0/24",
                "198.51.100.0/24",
                "2001:db8::/56");
            for (var i = 0; i < myOffice.length(); i++) {
                new AccessRule("officeNetwork-" + i, AccessRuleArgs.builder()
                    .accountId("f037e56e89293a057740de681ac9abbe")
                    .notes("Requests coming from office network")
                    .mode("whitelist")
                    .configuration(AccessRuleConfigurationArgs.builder()
                        .target("ip_range")
                        .value(myOffice[range.value()])
                        .build())
                    .build());
    
            
    }
        }
    }
    
    configuration:
      # Allowlist office's network IP ranges on all account zones (or other lists of
      # resources).
      myOffice:
        type: list(string)
        default:
          - 192.0.2.0/24
          - 198.51.100.0/24
          - 2001:db8::/56
    resources:
      # Challenge requests coming from known Tor exit nodes.
      torExitNodes:
        type: cloudflare:AccessRule
        name: tor_exit_nodes
        properties:
          zoneId: 0da42c8d2132a9ddaf714f9e7c920711
          notes: Requests coming from known Tor exit nodes
          mode: challenge
          configuration:
            target: country
            value: T1
      # Allowlist requests coming from Antarctica, but only for single zone.
      antarctica:
        type: cloudflare:AccessRule
        properties:
          zoneId: 0da42c8d2132a9ddaf714f9e7c920711
          notes: Requests coming from Antarctica
          mode: whitelist
          configuration:
            target: country
            value: AQ
      officeNetwork:
        type: cloudflare:AccessRule
        name: office_network
        properties:
          accountId: f037e56e89293a057740de681ac9abbe
          notes: Requests coming from office network
          mode: whitelist
          configuration:
            target: ip_range
            value:
              fn::select:
                - ${range.value}
                - ${myOffice}
        options: {}
    

    Create AccessRule Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AccessRule(name: string, args: AccessRuleArgs, opts?: CustomResourceOptions);
    @overload
    def AccessRule(resource_name: str,
                   args: AccessRuleArgs,
                   opts: Optional[ResourceOptions] = None)
    
    @overload
    def AccessRule(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   configuration: Optional[AccessRuleConfigurationArgs] = None,
                   mode: Optional[str] = None,
                   account_id: Optional[str] = None,
                   notes: Optional[str] = None,
                   zone_id: Optional[str] = None)
    func NewAccessRule(ctx *Context, name string, args AccessRuleArgs, opts ...ResourceOption) (*AccessRule, error)
    public AccessRule(string name, AccessRuleArgs args, CustomResourceOptions? opts = null)
    public AccessRule(String name, AccessRuleArgs args)
    public AccessRule(String name, AccessRuleArgs args, CustomResourceOptions options)
    
    type: cloudflare:AccessRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AccessRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AccessRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AccessRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AccessRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AccessRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var accessRuleResource = new Cloudflare.AccessRule("accessRuleResource", new()
    {
        Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
        {
            Target = "string",
            Value = "string",
        },
        Mode = "string",
        AccountId = "string",
        Notes = "string",
        ZoneId = "string",
    });
    
    example, err := cloudflare.NewAccessRule(ctx, "accessRuleResource", &cloudflare.AccessRuleArgs{
    	Configuration: &cloudflare.AccessRuleConfigurationArgs{
    		Target: pulumi.String("string"),
    		Value:  pulumi.String("string"),
    	},
    	Mode:      pulumi.String("string"),
    	AccountId: pulumi.String("string"),
    	Notes:     pulumi.String("string"),
    	ZoneId:    pulumi.String("string"),
    })
    
    var accessRuleResource = new AccessRule("accessRuleResource", AccessRuleArgs.builder()
        .configuration(AccessRuleConfigurationArgs.builder()
            .target("string")
            .value("string")
            .build())
        .mode("string")
        .accountId("string")
        .notes("string")
        .zoneId("string")
        .build());
    
    access_rule_resource = cloudflare.AccessRule("accessRuleResource",
        configuration={
            "target": "string",
            "value": "string",
        },
        mode="string",
        account_id="string",
        notes="string",
        zone_id="string")
    
    const accessRuleResource = new cloudflare.AccessRule("accessRuleResource", {
        configuration: {
            target: "string",
            value: "string",
        },
        mode: "string",
        accountId: "string",
        notes: "string",
        zoneId: "string",
    });
    
    type: cloudflare:AccessRule
    properties:
        accountId: string
        configuration:
            target: string
            value: string
        mode: string
        notes: string
        zoneId: string
    

    AccessRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AccessRule resource accepts the following input properties:

    Configuration AccessRuleConfiguration
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    Mode string
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    AccountId string
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    Notes string
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    ZoneId string
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    Configuration AccessRuleConfigurationArgs
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    Mode string
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    AccountId string
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    Notes string
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    ZoneId string
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration AccessRuleConfiguration
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode String
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    accountId String
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    notes String
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zoneId String
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration AccessRuleConfiguration
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode string
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    accountId string
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    notes string
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zoneId string
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration AccessRuleConfigurationArgs
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode str
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    account_id str
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    notes str
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zone_id str
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration Property Map
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode String
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    accountId String
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    notes String
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zoneId String
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AccessRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing AccessRule Resource

    Get an existing AccessRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AccessRuleState, opts?: CustomResourceOptions): AccessRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            account_id: Optional[str] = None,
            configuration: Optional[AccessRuleConfigurationArgs] = None,
            mode: Optional[str] = None,
            notes: Optional[str] = None,
            zone_id: Optional[str] = None) -> AccessRule
    func GetAccessRule(ctx *Context, name string, id IDInput, state *AccessRuleState, opts ...ResourceOption) (*AccessRule, error)
    public static AccessRule Get(string name, Input<string> id, AccessRuleState? state, CustomResourceOptions? opts = null)
    public static AccessRule get(String name, Output<String> id, AccessRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccountId string
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    Configuration AccessRuleConfiguration
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    Mode string
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    Notes string
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    ZoneId string
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    AccountId string
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    Configuration AccessRuleConfigurationArgs
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    Mode string
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    Notes string
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    ZoneId string
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    accountId String
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration AccessRuleConfiguration
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode String
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    notes String
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zoneId String
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    accountId string
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration AccessRuleConfiguration
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode string
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    notes string
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zoneId string
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    account_id str
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration AccessRuleConfigurationArgs
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode str
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    notes str
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zone_id str
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    accountId String
    The account identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.
    configuration Property Map
    Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
    mode String
    The action to apply to a matched request. Available values: block, challenge, whitelist, js_challenge, managed_challenge.
    notes String
    A personal note about the rule. Typically used as a reminder or explanation for the rule.
    zoneId String
    The zone identifier to target for the resource. Must provide only one of account_id, zone_id. Modifying this attribute will force creation of a new resource.

    Supporting Types

    AccessRuleConfiguration, AccessRuleConfigurationArgs

    Target string
    The request property to target. Available values: ip, ip6, ip_range, asn, country. Modifying this attribute will force creation of a new resource.
    Value string
    The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.
    Target string
    The request property to target. Available values: ip, ip6, ip_range, asn, country. Modifying this attribute will force creation of a new resource.
    Value string
    The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.
    target String
    The request property to target. Available values: ip, ip6, ip_range, asn, country. Modifying this attribute will force creation of a new resource.
    value String
    The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.
    target string
    The request property to target. Available values: ip, ip6, ip_range, asn, country. Modifying this attribute will force creation of a new resource.
    value string
    The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.
    target str
    The request property to target. Available values: ip, ip6, ip_range, asn, country. Modifying this attribute will force creation of a new resource.
    value str
    The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.
    target String
    The request property to target. Available values: ip, ip6, ip_range, asn, country. Modifying this attribute will force creation of a new resource.
    value String
    The value to target. Depends on target's type. Modifying this attribute will force creation of a new resource.

    Import

    User level access rule import.

    $ pulumi import cloudflare:index/accessRule:AccessRule default user/<user_id>/<rule_id>
    

    Zone level access rule import.

    $ pulumi import cloudflare:index/accessRule:AccessRule default zone/<zone_id>/<rule_id>
    

    Account level access rule import.

    $ pulumi import cloudflare:index/accessRule:AccessRule default account/<account_id>/<rule_id>
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Cloudflare pulumi/pulumi-cloudflare
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the cloudflare Terraform Provider.
    cloudflare logo
    Cloudflare v5.43.0 published on Wednesday, Nov 13, 2024 by Pulumi