cloudflare.AccessRule
Explore with Pulumi AI
Provides a Cloudflare IP Firewall Access Rule resource. Access control can be applied on basis of IP addresses, IP ranges, AS numbers or countries.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";
// Challenge requests coming from known Tor exit nodes.
const torExitNodes = new cloudflare.AccessRule("tor_exit_nodes", {
zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
notes: "Requests coming from known Tor exit nodes",
mode: "challenge",
configuration: {
target: "country",
value: "T1",
},
});
// Allowlist requests coming from Antarctica, but only for single zone.
const antarctica = new cloudflare.AccessRule("antarctica", {
zoneId: "0da42c8d2132a9ddaf714f9e7c920711",
notes: "Requests coming from Antarctica",
mode: "whitelist",
configuration: {
target: "country",
value: "AQ",
},
});
const config = new pulumi.Config();
const myOffice = config.getObject<Array<string>>("myOffice") || [
"192.0.2.0/24",
"198.51.100.0/24",
"2001:db8::/56",
];
const officeNetwork: cloudflare.AccessRule[] = [];
for (const range = {value: 0}; range.value < myOffice.length; range.value++) {
officeNetwork.push(new cloudflare.AccessRule(`office_network-${range.value}`, {
accountId: "f037e56e89293a057740de681ac9abbe",
notes: "Requests coming from office network",
mode: "whitelist",
configuration: {
target: "ip_range",
value: myOffice[range.value],
},
}));
}
import pulumi
import pulumi_cloudflare as cloudflare
# Challenge requests coming from known Tor exit nodes.
tor_exit_nodes = cloudflare.AccessRule("tor_exit_nodes",
zone_id="0da42c8d2132a9ddaf714f9e7c920711",
notes="Requests coming from known Tor exit nodes",
mode="challenge",
configuration={
"target": "country",
"value": "T1",
})
# Allowlist requests coming from Antarctica, but only for single zone.
antarctica = cloudflare.AccessRule("antarctica",
zone_id="0da42c8d2132a9ddaf714f9e7c920711",
notes="Requests coming from Antarctica",
mode="whitelist",
configuration={
"target": "country",
"value": "AQ",
})
config = pulumi.Config()
my_office = config.get_object("myOffice")
if my_office is None:
my_office = [
"192.0.2.0/24",
"198.51.100.0/24",
"2001:db8::/56",
]
office_network = []
for range in [{"value": i} for i in range(0, len(my_office))]:
office_network.append(cloudflare.AccessRule(f"office_network-{range['value']}",
account_id="f037e56e89293a057740de681ac9abbe",
notes="Requests coming from office network",
mode="whitelist",
configuration={
"target": "ip_range",
"value": my_office[range["value"]],
}))
Coming soon!
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Cloudflare = Pulumi.Cloudflare;
return await Deployment.RunAsync(() =>
{
// Challenge requests coming from known Tor exit nodes.
var torExitNodes = new Cloudflare.AccessRule("tor_exit_nodes", new()
{
ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
Notes = "Requests coming from known Tor exit nodes",
Mode = "challenge",
Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
{
Target = "country",
Value = "T1",
},
});
// Allowlist requests coming from Antarctica, but only for single zone.
var antarctica = new Cloudflare.AccessRule("antarctica", new()
{
ZoneId = "0da42c8d2132a9ddaf714f9e7c920711",
Notes = "Requests coming from Antarctica",
Mode = "whitelist",
Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
{
Target = "country",
Value = "AQ",
},
});
var config = new Config();
var myOffice = config.GetObject<string[]>("myOffice") ?? new[]
{
"192.0.2.0/24",
"198.51.100.0/24",
"2001:db8::/56",
};
var officeNetwork = new List<Cloudflare.AccessRule>();
for (var rangeIndex = 0; rangeIndex < myOffice.Length; rangeIndex++)
{
var range = new { Value = rangeIndex };
officeNetwork.Add(new Cloudflare.AccessRule($"office_network-{range.Value}", new()
{
AccountId = "f037e56e89293a057740de681ac9abbe",
Notes = "Requests coming from office network",
Mode = "whitelist",
Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
{
Target = "ip_range",
Value = myOffice[range.Value],
},
}));
}
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudflare.AccessRule;
import com.pulumi.cloudflare.AccessRuleArgs;
import com.pulumi.cloudflare.inputs.AccessRuleConfigurationArgs;
import com.pulumi.codegen.internal.KeyedValue;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
// Challenge requests coming from known Tor exit nodes.
var torExitNodes = new AccessRule("torExitNodes", AccessRuleArgs.builder()
.zoneId("0da42c8d2132a9ddaf714f9e7c920711")
.notes("Requests coming from known Tor exit nodes")
.mode("challenge")
.configuration(AccessRuleConfigurationArgs.builder()
.target("country")
.value("T1")
.build())
.build());
// Allowlist requests coming from Antarctica, but only for single zone.
var antarctica = new AccessRule("antarctica", AccessRuleArgs.builder()
.zoneId("0da42c8d2132a9ddaf714f9e7c920711")
.notes("Requests coming from Antarctica")
.mode("whitelist")
.configuration(AccessRuleConfigurationArgs.builder()
.target("country")
.value("AQ")
.build())
.build());
final var myOffice = config.get("myOffice").orElse(
"192.0.2.0/24",
"198.51.100.0/24",
"2001:db8::/56");
for (var i = 0; i < myOffice.length(); i++) {
new AccessRule("officeNetwork-" + i, AccessRuleArgs.builder()
.accountId("f037e56e89293a057740de681ac9abbe")
.notes("Requests coming from office network")
.mode("whitelist")
.configuration(AccessRuleConfigurationArgs.builder()
.target("ip_range")
.value(myOffice[range.value()])
.build())
.build());
}
}
}
configuration:
# Allowlist office's network IP ranges on all account zones (or other lists of
# resources).
myOffice:
type: list(string)
default:
- 192.0.2.0/24
- 198.51.100.0/24
- 2001:db8::/56
resources:
# Challenge requests coming from known Tor exit nodes.
torExitNodes:
type: cloudflare:AccessRule
name: tor_exit_nodes
properties:
zoneId: 0da42c8d2132a9ddaf714f9e7c920711
notes: Requests coming from known Tor exit nodes
mode: challenge
configuration:
target: country
value: T1
# Allowlist requests coming from Antarctica, but only for single zone.
antarctica:
type: cloudflare:AccessRule
properties:
zoneId: 0da42c8d2132a9ddaf714f9e7c920711
notes: Requests coming from Antarctica
mode: whitelist
configuration:
target: country
value: AQ
officeNetwork:
type: cloudflare:AccessRule
name: office_network
properties:
accountId: f037e56e89293a057740de681ac9abbe
notes: Requests coming from office network
mode: whitelist
configuration:
target: ip_range
value:
fn::select:
- ${range.value}
- ${myOffice}
options: {}
Create AccessRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AccessRule(name: string, args: AccessRuleArgs, opts?: CustomResourceOptions);
@overload
def AccessRule(resource_name: str,
args: AccessRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AccessRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
configuration: Optional[AccessRuleConfigurationArgs] = None,
mode: Optional[str] = None,
account_id: Optional[str] = None,
notes: Optional[str] = None,
zone_id: Optional[str] = None)
func NewAccessRule(ctx *Context, name string, args AccessRuleArgs, opts ...ResourceOption) (*AccessRule, error)
public AccessRule(string name, AccessRuleArgs args, CustomResourceOptions? opts = null)
public AccessRule(String name, AccessRuleArgs args)
public AccessRule(String name, AccessRuleArgs args, CustomResourceOptions options)
type: cloudflare:AccessRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AccessRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AccessRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AccessRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AccessRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AccessRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var accessRuleResource = new Cloudflare.AccessRule("accessRuleResource", new()
{
Configuration = new Cloudflare.Inputs.AccessRuleConfigurationArgs
{
Target = "string",
Value = "string",
},
Mode = "string",
AccountId = "string",
Notes = "string",
ZoneId = "string",
});
example, err := cloudflare.NewAccessRule(ctx, "accessRuleResource", &cloudflare.AccessRuleArgs{
Configuration: &cloudflare.AccessRuleConfigurationArgs{
Target: pulumi.String("string"),
Value: pulumi.String("string"),
},
Mode: pulumi.String("string"),
AccountId: pulumi.String("string"),
Notes: pulumi.String("string"),
ZoneId: pulumi.String("string"),
})
var accessRuleResource = new AccessRule("accessRuleResource", AccessRuleArgs.builder()
.configuration(AccessRuleConfigurationArgs.builder()
.target("string")
.value("string")
.build())
.mode("string")
.accountId("string")
.notes("string")
.zoneId("string")
.build());
access_rule_resource = cloudflare.AccessRule("accessRuleResource",
configuration={
"target": "string",
"value": "string",
},
mode="string",
account_id="string",
notes="string",
zone_id="string")
const accessRuleResource = new cloudflare.AccessRule("accessRuleResource", {
configuration: {
target: "string",
value: "string",
},
mode: "string",
accountId: "string",
notes: "string",
zoneId: "string",
});
type: cloudflare:AccessRule
properties:
accountId: string
configuration:
target: string
value: string
mode: string
notes: string
zoneId: string
AccessRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AccessRule resource accepts the following input properties:
- Configuration
Access
Rule Configuration - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- Mode string
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - Account
Id string - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - Notes string
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- Zone
Id string - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- Configuration
Access
Rule Configuration Args - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- Mode string
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - Account
Id string - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - Notes string
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- Zone
Id string - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- configuration
Access
Rule Configuration - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode String
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - account
Id String - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - notes String
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone
Id String - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- configuration
Access
Rule Configuration - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode string
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - account
Id string - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - notes string
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone
Id string - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- configuration
Access
Rule Configuration Args - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode str
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - account_
id str - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - notes str
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone_
id str - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- configuration Property Map
- Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode String
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - account
Id String - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - notes String
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone
Id String - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
Outputs
All input properties are implicitly available as output properties. Additionally, the AccessRule resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AccessRule Resource
Get an existing AccessRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AccessRuleState, opts?: CustomResourceOptions): AccessRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
account_id: Optional[str] = None,
configuration: Optional[AccessRuleConfigurationArgs] = None,
mode: Optional[str] = None,
notes: Optional[str] = None,
zone_id: Optional[str] = None) -> AccessRule
func GetAccessRule(ctx *Context, name string, id IDInput, state *AccessRuleState, opts ...ResourceOption) (*AccessRule, error)
public static AccessRule Get(string name, Input<string> id, AccessRuleState? state, CustomResourceOptions? opts = null)
public static AccessRule get(String name, Output<String> id, AccessRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Account
Id string - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - Configuration
Access
Rule Configuration - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- Mode string
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - Notes string
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- Zone
Id string - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- Account
Id string - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - Configuration
Access
Rule Configuration Args - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- Mode string
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - Notes string
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- Zone
Id string - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- account
Id String - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - configuration
Access
Rule Configuration - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode String
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - notes String
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone
Id String - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- account
Id string - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - configuration
Access
Rule Configuration - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode string
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - notes string
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone
Id string - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- account_
id str - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - configuration
Access
Rule Configuration Args - Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode str
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - notes str
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone_
id str - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
- account
Id String - The account identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource. - configuration Property Map
- Rule configuration to apply to a matched request. Modifying this attribute will force creation of a new resource.
- mode String
- The action to apply to a matched request. Available values:
block
,challenge
,whitelist
,js_challenge
,managed_challenge
. - notes String
- A personal note about the rule. Typically used as a reminder or explanation for the rule.
- zone
Id String - The zone identifier to target for the resource. Must provide only one of
account_id
,zone_id
. Modifying this attribute will force creation of a new resource.
Supporting Types
AccessRuleConfiguration, AccessRuleConfigurationArgs
Import
User level access rule import.
$ pulumi import cloudflare:index/accessRule:AccessRule default user/<user_id>/<rule_id>
Zone level access rule import.
$ pulumi import cloudflare:index/accessRule:AccessRule default zone/<zone_id>/<rule_id>
Account level access rule import.
$ pulumi import cloudflare:index/accessRule:AccessRule default account/<account_id>/<rule_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Cloudflare pulumi/pulumi-cloudflare
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
cloudflare
Terraform Provider.