AccessGroup

Provides a Cloudflare Access Group resource. Access Groups are used in conjunction with Access Policies to restrict access to a particular resource based on group membership.

Conditions

require, exclude and include arguments share the available conditions which can be applied. The conditions are:

ip - (Optional) A list of IP addresses or ranges. Example: ip = ["1.2.3.4", "10.0.0.0/2"]
email - (Optional) A list of email addresses. Example: email = ["test@example.com"]
email_domain - (Optional) A list of email domains. Example: email_domain = ["example.com"]
service_token - (Optional) A list of service token ids. Example: service_token = [cloudflare_access_service_token.demo.id]
any_valid_service_token - (Optional) Boolean indicating if allow all tokens to be granted. Example: any_valid_service_token = true
group - (Optional) A list of access group ids. Example: group = [cloudflare_access_group.demo.id]
everyone - (Optional) Boolean indicating permitting access for all requests. Example: everyone = true
certificate - (Optional) Whether to use mTLS certificate authentication.
common_name - (Optional) Use a certificate common name to authenticate with.
gsuite - (Optional) Use GSuite as the authentication mechanism. Example:

  # ... other configuration
  include {
    gsuite {
      email = "admins@example.com"
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
    }
  }

github - (Optional) Use a GitHub team as the include condition. Example:

  # ... other configuration
  include {
    github {
      name = "my-github-team-name"
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
    }
  }

azure - (Optional) Use Azure AD as the include condition. Example:

  # ... other configuration
  include {
    azure {
      id = "86773093-5feb-48dd-814b-7ccd3676ff50e"
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
    }
  }

okta - (Optional) Use Okta as the include condition. Example:

  # ... other configuration
  include {
    okta {
      name = "admins"
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
    }
  }

saml - (Optional) Use an external SAML setup as the include condition. Example:

  # ... other configuration
  include {
    saml {
      attribute_name = "group"
      attribute_value = "admins"
      identity_provider_id = "ca298b82-93b5-41bf-bc2d-10493f09b761"
    }
  }

Create a AccessGroup Resource

new AccessGroup(name: string, args: AccessGroupArgs, opts?: CustomResourceOptions);

def AccessGroup(resource_name, opts=None, account_id=None, excludes=None, includes=None, name=None, requires=None, __props__=None);

func NewAccessGroup(ctx *Context, name string, args AccessGroupArgs, opts ...ResourceOption) (*AccessGroup, error)

public AccessGroup(string name, AccessGroupArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args AccessGroupArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccessGroupArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccessGroupArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

AccessGroup Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The AccessGroup resource accepts the following input properties:

AccountId string: The ID of the account the group is associated with.
Includes List<AccessGroupIncludeArgs>: A series of access conditions, see below for full list.
Name string: Friendly name of the Access Group.
Excludes List<AccessGroupExcludeArgs>: A series of access conditions, see below for full list.
Requires List<AccessGroupRequireArgs>: A series of access conditions, see below for full list.

AccountId string: The ID of the account the group is associated with.
Includes []AccessGroupInclude: A series of access conditions, see below for full list.
Name string: Friendly name of the Access Group.
Excludes []AccessGroupExclude: A series of access conditions, see below for full list.
Requires []AccessGroupRequire: A series of access conditions, see below for full list.

accountId string: The ID of the account the group is associated with.
includes AccessGroupInclude[]: A series of access conditions, see below for full list.
name string: Friendly name of the Access Group.
excludes AccessGroupExclude[]: A series of access conditions, see below for full list.
requires AccessGroupRequire[]: A series of access conditions, see below for full list.

account_id str: The ID of the account the group is associated with.
includes List[AccessGroupInclude]: A series of access conditions, see below for full list.
name str: Friendly name of the Access Group.
excludes List[AccessGroupExclude]: A series of access conditions, see below for full list.
requires List[AccessGroupRequire]: A series of access conditions, see below for full list.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccessGroup resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing AccessGroup Resource

Get an existing AccessGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AccessGroupState, opts?: CustomResourceOptions): AccessGroup

static get(resource_name, id, opts=None, account_id=None, excludes=None, includes=None, name=None, requires=None, __props__=None);

func GetAccessGroup(ctx *Context, name string, id IDInput, state *AccessGroupState, opts ...ResourceOption) (*AccessGroup, error)

public static AccessGroup Get(string name, Input<string> id, AccessGroupState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: The ID of the account the group is associated with.
Excludes List<AccessGroupExcludeArgs>: A series of access conditions, see below for full list.
Includes List<AccessGroupIncludeArgs>: A series of access conditions, see below for full list.
Name string: Friendly name of the Access Group.
Requires List<AccessGroupRequireArgs>: A series of access conditions, see below for full list.

AccountId string: The ID of the account the group is associated with.
Excludes []AccessGroupExclude: A series of access conditions, see below for full list.
Includes []AccessGroupInclude: A series of access conditions, see below for full list.
Name string: Friendly name of the Access Group.
Requires []AccessGroupRequire: A series of access conditions, see below for full list.

accountId string: The ID of the account the group is associated with.
excludes AccessGroupExclude[]: A series of access conditions, see below for full list.
includes AccessGroupInclude[]: A series of access conditions, see below for full list.
name string: Friendly name of the Access Group.
requires AccessGroupRequire[]: A series of access conditions, see below for full list.

account_id str: The ID of the account the group is associated with.
excludes List[AccessGroupExclude]: A series of access conditions, see below for full list.
includes List[AccessGroupInclude]: A series of access conditions, see below for full list.
name str: Friendly name of the Access Group.
requires List[AccessGroupRequire]: A series of access conditions, see below for full list.