### Install tf-migrate CLI Tool Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/guides/version-5-migration.md Install the tf-migrate CLI tool for automatic HCL configuration changes. This example shows installation for macOS (ARM64). ```bash curl -LO https://github.com/cloudflare/tf-migrate/releases/download/v1.0.0/tf-migrate_1.0.0_darwin_arm64.tar.gz tar -xzf tf-migrate_1.0.0_darwin_arm64.tar.gz chmod +x tf-migrate sudo mv tf-migrate /usr/local/bin/ ``` ```bash git clone https://github.com/cloudflare/tf-migrate.git cd tf-migrate make # Binary available at ./bin/tf-migrate ``` -------------------------------- ### Example Usage Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/api_shield.md A basic example demonstrating the configuration of the `cloudflare_api_shield` resource. ```APIDOC ## cloudflare_api_shield Resource ### Description This resource is used to configure API Shield settings for a zone, specifically for defining how session identifiers are extracted. ### Resource Configuration #### `zone_id` - **Type**: String - **Description**: Identifier for the zone. - **Required**: Yes #### `auth_id_characteristics` - **Type**: List of Objects - **Description**: Defines the characteristics used to identify API consumers. - **Required**: Yes ##### Nested Schema for `auth_id_characteristics`: - **`name`** (String) - Required - The name of the characteristic field (e.g., header or cookie name). For type `jwt`, this must be a claim location expressed as `$(token_config_id):$(json_path)`. - **`type`** (String) - Required - The type of characteristic. Available values: `header`, `cookie`, `jwt`. ### Example Usage ```terraform resource "cloudflare_api_shield" "example_api_shield" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" auth_id_characteristics = [{ name = "authorization" type = "header" }] } ``` ``` -------------------------------- ### Example Usage Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/magic_transit_site_wans.md An example of how to configure the `cloudflare_magic_transit_site_wans` data source in Terraform. ```APIDOC ## cloudflare_magic_transit_site_wans (Data Source) ### Description Provides information about Cloudflare Magic Transit Site WANs. ### Example Usage ```terraform data "cloudflare_magic_transit_site_wans" "example_magic_transit_site_wans" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" site_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` ### Schema ### Required - `site_id` (String) Identifier ### Optional - `account_id` (String) Identifier - `max_items` (Number) Max items to fetch, default: 1000 ### Read-Only - `result` (Attributes List) The items returned by the data source (see [below for nested schema](#nestedatt--result)) ### Nested Schema for `result` Read-Only: - `health_check_rate` (String) Magic WAN health check rate for tunnels created on this link. The default value is `mid`. Available values: "low", "mid", "high". - `id` (String) Identifier - `name` (String) - `physport` (Number) - `priority` (Number) Priority of WAN for traffic loadbalancing. - `site_id` (String) Identifier - `static_addressing` (Attributes) (optional) if omitted, use DHCP. Submit secondary_address when site is in high availability mode. (see [below for nested schema](#nestedatt--result--static_addressing)) - `vlan_tag` (Number) VLAN ID. Use zero for untagged. ### Nested Schema for `result.static_addressing` Read-Only: - `address` (String) A valid CIDR notation representing an IP range. - `gateway_address` (String) A valid IPv4 address. - `secondary_address` (String) A valid CIDR notation representing an IP range. ``` -------------------------------- ### cloudflare_zone Resource Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/zone.md This example demonstrates how to create a new Cloudflare zone resource. ```APIDOC ## cloudflare_zone (Resource) ### Description Manages Cloudflare zones, which represent your domains and their associated DNS records and security settings. ### Schema #### Required - `account` (Attributes) - The Cloudflare account to which the zone belongs. - `name` (String) - The domain name. Per [RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4) the overall zone name can be up to 253 characters, with each segment ("label") not exceeding 63 characters. #### Optional - `paused` (Boolean) - Indicates whether the zone is only using Cloudflare DNS services. A true value means the zone will not receive security or performance benefits. - `type` (String) - A full zone implies that DNS is hosted with Cloudflare. A partial zone is typically a partner-hosted zone or a CNAME setup. Available values: "full", "partial", "secondary", "internal". - `vanity_name_servers` (List of String) - An array of domains used for custom name servers. This is only available for Business and Enterprise plans. #### Read-Only - `activated_on` (String) - The last time proof of ownership was detected and the zone was made active. - `cname_suffix` (String) - Allows the customer to use a custom apex. *Tenants Only Configuration*. - `created_on` (String) - When the zone was created. - `development_mode` (Number) - The interval (in seconds) from when development mode expires (positive integer) or last expired (negative integer) for the domain. If development mode has never been enabled, this value is 0. - `id` (String) - Identifier - `meta` (Attributes) - Metadata about the zone. - `modified_on` (String) - When the zone was last modified. - `name_servers` (List of String) - The name servers Cloudflare assigns to a zone. - `original_dnshost` (String) - DNS host at the time of switching to Cloudflare. - `original_name_servers` (List of String) - Original name servers before moving to Cloudflare. - `original_registrar` (String) - Registrar for the domain at the time of switching to Cloudflare. - `owner` (Attributes) - The owner of the zone. - `permissions` (List of String, Deprecated) - Legacy permissions based on legacy user membership information. - `plan` (Attributes, Deprecated) - A Zones subscription information. - `status` (String) - The zone status on Cloudflare. Available values: "initializing", "pending", "active", "moved". - `tenant` (Attributes) - The root organizational unit that this zone belongs to (such as a tenant or organization). - `tenant_unit` (Attributes) - The immediate parent organizational unit that this zone belongs to (such as under a tenant or sub-organization). - `verification_key` (String) - Verification key for partial zone setup. ### Example Usage ```terraform resource "cloudflare_zone" "example_zone" { account = { id = "023e105f4ecef8ad9ca31a8372d0c353" } name = "example.com" type = "full" } ``` ``` -------------------------------- ### cloudflare_zero_trust_dlp_settings Resource Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/zero_trust_dlp_settings.md Example usage of the cloudflare_zero_trust_dlp_settings resource to configure DLP settings. ```APIDOC ## cloudflare_zero_trust_dlp_settings Resource ### Description Manages Zero Trust Data Loss Prevention (DLP) settings for an account. ### Schema #### Required - `account_id` (String) - The ID of the account. #### Optional - `ai_context_analysis` (Boolean) - Whether AI context analysis is enabled at the account level. - `ocr` (Boolean) - Whether OCR is enabled at the account level. - `payload_logging` (Attributes) - Request model for payload log settings within the DLP settings endpoint. Unlike the legacy endpoint, null and missing are treated identically here (both mean "not provided" for PATCH, "reset to default" for PUT). #### Read-Only - `id` (String) - The ID of this resource. ### Nested Schema for `payload_logging` Optional: - `masking_level` (String) - Masking level for payload logs. Available values: "full", "partial", "clear", "default". - `public_key` (String) - Base64-encoded public key for encrypting payload logs. - Set to a non-empty base64 string to enable payload logging with the given key. - Set to an empty string to disable payload logging. - Omit or set to null to leave unchanged (PATCH) or reset to disabled (PUT). ### Import Import is supported using the following syntax: ```shell $ terraform import cloudflare_zero_trust_dlp_settings.example '' ``` ``` -------------------------------- ### Example Usage Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/cloud_connector_rules.md An example of how to use the cloudflare_cloud_connector_rules data source to fetch rules for a specific zone. ```APIDOC ## cloudflare_cloud_connector_rules (Data Source) ### Description This data source retrieves Cloud Connector Rules associated with a given zone. It allows fetching rules that have been configured for cloud storage connections. ### Method `data` ### Endpoint Not applicable (Data Source) ### Parameters #### Optional - **zone_id** (String) - Required - Identifier for the zone to retrieve rules from. ### Read-Only Attributes - **id** (String) - Identifier for the data source instance. - **rules** (Attributes List) - A list of Cloud Connector Rules. - **description** (String) - Description of the rule. - **enabled** (Boolean) - Whether the rule is enabled. - **expression** (String) - The expression that defines the rule's conditions. - **id** (String) - Unique identifier for the rule. - **parameters** (Attributes) - Parameters specific to the Cloud Connector Rule. - **host** (String) - The host to perform the Cloud Connection to. - **provider** (String) - The type of cloud provider. Available values: "aws_s3", "cloudflare_r2", "gcp_storage", "azure_storage". ``` -------------------------------- ### Setup and Build Cloudflare Terraform Provider Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/CONTRIBUTING.md Installs dependencies and builds the provider binary. Ensure Go 1.22+ is installed manually if needed. ```shell #!/bin/bash ./scripts/bootstrap ./scripts/build ``` -------------------------------- ### Example Usage Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/magic_network_monitoring_rules.md This example demonstrates how to use the `cloudflare_magic_network_monitoring_rules` data source to fetch monitoring rules for a specific account. ```APIDOC ## cloudflare_magic_network_monitoring_rules (Data Source) ### Description This data source can be used to query for Magic Network Monitoring rules within your account. Magic Network Monitoring allows you to monitor traffic on your network and receive alerts when certain thresholds are breached. ### Example Usage ```terraform data "cloudflare_magic_network_monitoring_rules" "example_magic_network_monitoring_rules" { account_id = "6f91088a406011ed95aed352566e8d4c" } ``` ### Schema #### Optional - `account_id` (String) - The ID of the account to retrieve rules from. - `max_items` (Number) - Max items to fetch, default: 1000. #### Read-Only - `result` (Attributes List) - The items returned by the data source. ##### Nested Schema for `result` - `automatic_advertisement` (Boolean) - Toggle on if you would like Cloudflare to automatically advertise the IP Prefixes within the rule via Magic Transit when the rule is triggered. Only available for users of Magic Transit. - `bandwidth_threshold` (Number) - The number of bits per second for the rule. When this value is exceeded for the set duration, an alert notification is sent. Minimum of 1 and no maximum. - `duration` (String) - The amount of time that the rule threshold must be exceeded to send an alert notification. Available values: "1m", "5m", "10m", "15m", "20m", "30m", "45m", "60m". - `id` (String) - The id of the rule. Must be unique. - `name` (String) - The name of the rule. Must be unique. Supports characters A-Z, a-z, 0-9, underscore (_), dash (-), period (.), and tilde (~). You can’t have a space in the rule name. Max 256 characters. - `packet_threshold` (Number) - The number of packets per second for the rule. When this value is exceeded for the set duration, an alert notification is sent. Minimum of 1 and no maximum. - `prefix_match` (String) - Prefix match type to be applied for a prefix auto advertisement when using an advanced_ddos rule. Available values: "exact", "subnet", "supernet". - `prefixes` (List of String) - List of prefixes associated with the rule. - `type` (String) - MNM rule type. Available values: "threshold", "zscore", "advanced_ddos". - `zscore_sensitivity` (String) - Level of sensitivity set for zscore rules. Available values: "low", "medium", "high". - `zscore_target` (String) - Target of the zscore rule analysis. Available values: "bits", "packets". ``` -------------------------------- ### Example Usage of cloudflare_web_analytics_sites Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/web_analytics_sites.md This example demonstrates how to fetch a list of Web Analytics sites, ordering them by host. Ensure you have the necessary permissions. ```terraform data "cloudflare_web_analytics_sites" "example_web_analytics_sites" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" order_by = "host" } ``` -------------------------------- ### Example Usage Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/notification_policy_webhooks_list.md Use this data source to get a list of notification webhook destinations. You must provide the account ID. ```terraform data "cloudflare_notification_policy_webhooks_list" "example_notification_policy_webhooks_list" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` -------------------------------- ### cloudflare_waiting_room Resource Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/waiting_room.md This example demonstrates how to configure a basic waiting room with essential settings like zone ID, host, name, user limits, and additional routes. It also shows optional configurations for cookie attributes, custom HTML pages, and queueing methods. ```terraform resource "cloudflare_waiting_room" "example_waiting_room" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" host = "shop.example.com" name = "production_webinar" new_users_per_minute = 200 total_active_users = 200 additional_routes = [{ host = "shop2.example.com" path = "/shop2/checkout" }] cookie_attributes = { samesite = "auto" secure = "auto" } cookie_suffix = "abcd" custom_page_html = "{{#waitTimeKnown}} {{waitTime}} mins {{/waitTimeKnown}} {{^waitTimeKnown}} Queue all enabled {{/waitTimeKnown}}" default_template_language = "es-ES" description = "Production - DO NOT MODIFY" disable_session_renewal = false enabled_origin_commands = ["revoke"] json_response_enabled = false path = "/shop/checkout" queue_all = true queueing_method = "fifo" queueing_status_code = 202 session_duration = 1 suspended = true turnstile_action = "log" turnstile_mode = "off" } ``` -------------------------------- ### Get Zero Trust Organization Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_organization.md Example of how to retrieve a Zero Trust organization's configuration using its account and zone ID. ```terraform data "cloudflare_zero_trust_organization" "example_zero_trust_organization" { account_id = "account_id" zone_id = "zone_id" } ``` -------------------------------- ### Get Zero Trust Device Posture Rule Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_device_posture_rule.md Example of how to retrieve a device posture rule using its ID and the account ID. ```terraform data "cloudflare_zero_trust_device_posture_rule" "example_zero_trust_device_posture_rule" { account_id = "699d98642c564d2e855e9661899b7252" rule_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ``` -------------------------------- ### Example Usage Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/url_normalization_settings.md An example of how to use the `cloudflare_url_normalization_settings` data source to retrieve URL normalization settings for a specific zone. ```APIDOC ## cloudflare_url_normalization_settings (Data Source) ### Description This data source retrieves the URL normalization settings for a given zone. It allows you to fetch details about how Cloudflare normalizes URLs, including the scope and type of normalization. ### Schema #### Optional - `zone_id` (String) - Required - The unique ID of the zone for which to retrieve URL normalization settings. #### Read-Only - `id` (String) - The unique ID of the zone. - `scope` (String) - The scope of the URL normalization. Available values: "incoming", "both", "none". - `type` (String) - The type of URL normalization performed by Cloudflare. Available values: "cloudflare", "rfc3986". ### Example Usage ```terraform data "cloudflare_url_normalization_settings" "example_url_normalization_settings" { zone_id = "9f1839b6152d298aca64c4e906b6d074" } ``` ``` -------------------------------- ### cloudflare_zero_trust_device_settings Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/zero_trust_device_settings.md Configure Zero Trust device settings for an account, including enabling external emergency signals, gateway proxy, and root certificate installation. ```terraform resource "cloudflare_zero_trust_device_settings" "example_zero_trust_device_settings" { account_id = "699d98642c564d2e855e9661899b7252" disable_for_time = 0 external_emergency_signal_enabled = true external_emergency_signal_fingerprint = "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234" external_emergency_signal_interval = "5m" external_emergency_signal_url = "https://192.0.2.1/signal" gateway_proxy_enabled = true gateway_udp_proxy_enabled = true root_certificate_installation_enabled = true use_zt_virtual_ip = true } ``` -------------------------------- ### Example Usage of cloudflare_page_shield_connections Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/page_shield_connections.md Use this data source to get information about a specific Page Shield connection. Ensure you have the correct zone ID and connection ID. ```terraform data "cloudflare_page_shield_connections" "example_page_shield_connections" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" connection_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` -------------------------------- ### Manual Resource Migration Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/guides/migrating-renamed-resources.md Example HCL configuration showing an old resource 'cloudflare_old' and a dependent resource 'cloudflare_dependant_thing'. This is used as a basis for manual migration steps. ```hcl resource "cloudflare_dependant_thing" "example" { zone_id = var.staging_zone_id name = "Example Thing" enabled = true } resource "cloudflare_old" "example" { name = "Example" other_thing_id = cloudflare_dependant_thing.example.id } ``` -------------------------------- ### Leaked Credential Check Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/leaked_credential_check.md Use this data source to get the status of Leaked Credential Checks for a specific zone. Ensure you have the zone ID available. ```terraform data "cloudflare_leaked_credential_check" "example_leaked_credential_check" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` -------------------------------- ### Cloudflare Zone Setting Data Source Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zone_setting.md Use this data source to get the value of a zone setting. The `zone_id` and `setting_id` are required to fetch the specific setting. ```terraform data "cloudflare_zone_setting" "example_zone_setting" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" setting_id = "always_online" } ``` -------------------------------- ### cloudflare_zero_trust_device_posture_integrations Data Source Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_device_posture_integrations.md Example usage of the cloudflare_zero_trust_device_posture_integrations data source to fetch device posture integration details. ```APIDOC ## cloudflare_zero_trust_device_posture_integrations (Data Source) ### Description Use this data source to access information about Zero Trust device posture integrations. ### Example Usage ```terraform data "cloudflare_zero_trust_device_posture_integrations" "example_zero_trust_device_posture_integrations" { account_id = "699d98642c564d2e855e9661899b7252" } ``` ### Schema #### Optional - `account_id` (String): The ID of the Cloudflare account. - `max_items` (Number): Maximum number of items to fetch. Defaults to 1000. #### Read-Only - `result` (Attributes List): A list of device posture integration configurations. - `config` (Attributes): The configuration object containing third-party integration information. - `api_url` (String): The API URL for the integration (e.g., Workspace One). - `auth_url` (String): The authorization URL for the integration (e.g., Workspace One). - `client_id` (String): The client ID for the integration (e.g., Workspace One). - `id` (String): The unique identifier (UUID) of the integration. - `interval` (String): The interval for posture checks (e.g., `5m`, `12h`). - `name` (String): The name of the device posture integration. - `type` (String): The type of the device posture integration. Available values: "workspace_one", "crowdstrike_s2s", "uptycs", "intune", "kolide", "tanium_s2s", "sentinelone_s2s", "custom_s2s". ``` -------------------------------- ### Example Logpush Dataset Job Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/logpush_dataset_job.md Use this data source to get information about a Logpush dataset job. You must provide either an account ID or a zone ID. ```terraform data "cloudflare_logpush_dataset_job" "example_logpush_dataset_job" { dataset_id = "gateway_dns" account_id = "account_id" zone_id = "zone_id" } ``` -------------------------------- ### Conventional Commit Example for Cloudflare Terraform Provider Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/CONTRIBUTING.md Demonstrates the conventional commit format, including scope for resource-specific changes. ```git commit fix(account_member): fix detected drift in post-import refresh plan ``` -------------------------------- ### Import cloudflare_zero_trust_dlp_sensitivity_level Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/zero_trust_dlp_sensitivity_level.md Example of how to import an existing Zero Trust DLP sensitivity level resource. ```shell $ terraform import cloudflare_zero_trust_dlp_sensitivity_level.example '//' ``` -------------------------------- ### cloudflare_stream_audio_track Data Source Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/stream_audio_track.md Use this data source to get information about a specific audio track for a video. You need to provide the account ID and the media item's identifier. ```terraform data "cloudflare_stream_audio_track" "example_stream_audio_track" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" identifier = "ea95132c15732412d22c1476fa83f27a" } ``` -------------------------------- ### Migration Process Overview Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/guides/version-5-migration.md Illustrates the workflow for migrating from v4 to v5, showing how HCL configuration, state migration, and resource renames are handled. ```plaintext HCL Configuration ──> tf-migrate rewrites .tf files State Migration ──> Provider state upgraders (automatic on plan/apply) Resource Renames ──> moved blocks (Terraform 1.8+) ``` -------------------------------- ### Get Page Shield Policy Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/page_shield_policy.md Use this data source to retrieve information about a specific Page Shield policy within a zone. It requires both the zone ID and the policy ID. ```terraform data "cloudflare_page_shield_policy" "example_page_shield_policy" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" policy_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` -------------------------------- ### Example Usage of cloudflare_workers_script_subdomain Data Source Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/workers_script_subdomain.md Use this data source to get information about a specific Workers script, including its subdomain availability. Ensure you have the correct account ID and script name. ```terraform data "cloudflare_workers_script_subdomain" "example_workers_script_subdomain" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" script_name = "this-is_my_script-01" } ``` -------------------------------- ### Example Usage of Account DNS Settings Internal Views Data Source Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/account_dns_settings_internal_views.md This example demonstrates how to fetch DNS view settings using the data source, filtering by account ID, name patterns, order, and zone information. ```terraform data "cloudflare_account_dns_settings_internal_views" "example_account_dns_settings_internal_views" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" name = { contains = "view" endswith = "ew" exact = "my view" startswith = "my" } order = "name" zone_id = "ae29bea30e2e427ba9cd8d78b628177b" zone_name = "www.example.com" } ``` -------------------------------- ### Import cloudflare_account_dns_settings_internal_view Resource Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/account_dns_settings_internal_view.md How to import an existing account DNS settings internal view resource. ```shell $ terraform import cloudflare_account_dns_settings_internal_view.example '/' ``` -------------------------------- ### Spectrum Application Configuration Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/spectrum_application.md Example of how to configure a Spectrum application with direct traffic type, TCP protocol, and specific origin settings. Ensure 'zone_id' is valid and other parameters match your network setup. ```terraform resource "cloudflare_spectrum_application" "example_spectrum_application" { zone_id = "023e105f4ecef8ad9ca31a8372d0c353" dns = { name = "ssh.example.com" type = "CNAME" } protocol = "tcp/22" traffic_type = "direct" argo_smart_routing = true edge_ips = { connectivity = "all" type = "dynamic" } ip_firewall = false origin_direct = ["tcp://127.0.0.1:8080"] origin_dns = { name = "origin.example.com" ttl = 600 type = "" } origin_port = 22 proxy_protocol = "off" tls = "off" } ``` -------------------------------- ### Get cloudflare_r2_custom_domain Data Source Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/r2_custom_domain.md Use the cloudflare_r2_custom_domain data source to retrieve information about an R2 custom domain. This is useful for referencing existing custom domain configurations within your Terraform setup. ```terraform data "cloudflare_r2_custom_domain" "example_r2_custom_domain" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" bucket_name = "example-bucket" domain = "example-domain/custom-domain.com" } ``` -------------------------------- ### Create an IP List Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/list.md Example of how to create an IP list with inline items. Note that using `items` and `cloudflare_list_item` resources on the same list is not supported. ```terraform resource "cloudflare_list" "example_list" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" kind = "ip" name = "list1" description = "This is a note" items = [ { ip = "1.1.1.1" }, { ip = "1.1.1.2" } { ip = "1.1.1.3" } ] } ``` -------------------------------- ### Example Usage of cloudflare_account Data Source Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/account.md Use the cloudflare_account data source to fetch account details by providing the account ID. This is useful for referencing account-specific configurations within your Terraform setup. ```terraform data "cloudflare_account" "example_account" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` -------------------------------- ### cloudflare_zero_trust_device_posture_rules Data Source Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_device_posture_rules.md Example usage of the cloudflare_zero_trust_device_posture_rules data source to fetch device posture rules for a given account. ```APIDOC ## cloudflare_zero_trust_device_posture_rules Data Source ### Description This data source retrieves a list of device posture rules configured for an account. ### Usage ```terraform data "cloudflare_zero_trust_device_posture_rules" "example_zero_trust_device_posture_rules" { account_id = "699d98642c564d2e855e9661899b7252" } ``` ### Parameters #### Optional - `account_id` (String) - The ID of the Cloudflare account. - `max_items` (Number) - Maximum number of items to fetch. Defaults to 1000. ### Read-Only Attributes - `result` (Attributes List) - A list of device posture rules. Each rule contains: - `description` (String) - The description of the device posture rule. - `expiration` (String) - Sets the expiration time for a posture check result. - `id` (String) - API UUID of the rule. - `input` (Attributes) - The value to be checked against. - `match` (Attributes List) - The conditions that the client must match to run the rule. - `name` (String) - The name of the device posture rule. - `schedule` (String) - Polling frequency for the WARP client posture check. Defaults to `5m`. - `type` (String) - The type of device posture rule. Possible values include: `file`, `application`, `tanium`, `gateway`, `warp`, `disk_encryption`, `serial_number`, `sentinelone`, `carbonblack`, `firewall`, `os_version`, `domain_joined`, `client_certificate`, `client_certificate_v2`, `antivirus`, `unique_client_id`, `kolide`, `tanium_s2s`, `crowdstrike_s2s`, `intune`, `workspace_one`, `sentinelone_s2s`, `custom_s2s`. ``` -------------------------------- ### Install tf-migrate Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/guides/migrating-renamed-resources.md Install the tf-migrate tool using Go. This is the official Cloudflare Terraform Provider migration tool. ```bash go install github.com/cloudflare/tf-migrate/cmd/tf-migrate@latest ``` -------------------------------- ### Example Usage of cloudflare_hyperdrive_config Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/hyperdrive_config.md Use this data source to retrieve Hyperdrive configuration details by providing either the account ID or the Hyperdrive ID. This is useful for fetching existing configurations to reference in your Terraform setup. ```terraform data "cloudflare_hyperdrive_config" "example_hyperdrive_config" { account_id = "023e105f4ecef8ad9ca31a8372d0c353" hyperdrive_id = "023e105f4ecef8ad9ca31a8372d0c353" } ``` -------------------------------- ### Configure Local Cloudflare Terraform Provider Override Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/CONTRIBUTING.md Allows local development by overriding the default provider installation. Edit or create ~/.terraformrc to point to your local repository. ```hcl provider_installation { dev_overrides { "cloudflare/cloudflare" = "/local/path/to/this/repo" } direct {} } ``` -------------------------------- ### Example Usage of Zero Trust Device Posture Integration Data Source Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_device_posture_integration.md Use this data source to fetch details of an existing device posture integration by providing its ID and the account ID. This is typically used to reference integration configurations within your Terraform setup. ```terraform data "cloudflare_zero_trust_device_posture_integration" "example_zero_trust_device_posture_integration" { account_id = "699d98642c564d2e855e9661899b7252" integration_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ``` -------------------------------- ### cloudflare_zero_trust_gateway_policies Data Source Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_gateway_policies.md An example of how to use the cloudflare_zero_trust_gateway_policies data source to fetch gateway policies for a given account ID. ```APIDOC ## cloudflare_zero_trust_gateway_policies (Data Source) ### Description This data source can be used to query for Zero Trust Gateway Policies within an account. ### Example Usage ```terraform data "cloudflare_zero_trust_gateway_policies" "example_zero_trust_gateway_policies" { account_id = "699d98642c564d2e855e9661899b7252" } ``` ### Schema #### Optional - `account_id` (String) - `max_items` (Number) Max items to fetch, default: 1000 #### Read-Only - `result` (Attributes List) The items returned by the data source (see [below for nested schema](#nestedatt--result)) ### Nested Schema for `result` Read-Only: - `action` (String) Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. Available values: "on", "off", "allow", "block", "scan", "noscan", "safesearch", "ytrestricted", "isolate", "noisolate", "override", "l4_override", "egress", "resolve", "quarantine", "redirect". - `created_at` (String) - `deleted_at` (String) Indicate the date of deletion, if any. - `description` (String) Specify the rule description. - `device_posture` (String) Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `enabled` (Boolean) Specify whether the rule is enabled. - `expiration` (Attributes) Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. (see [below for nested schema](#nestedatt--result--expiration)) - `filters` (List of String) Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `id` (String) Identify the API resource with a UUID. - `identity` (String) Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `name` (String) Specify the rule name. - `precedence` (Number) Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `read_only` (Boolean) Indicate that this rule is shared via the Orgs API and read only. - `rule_settings` (Attributes) Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. (see [below for nested schema](#nestedatt--result--rule_settings)) - `schedule` (Attributes) Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. (see [below for nested schema](#nestedatt--result--schedule)) - `sharable` (Boolean) Indicate that this rule is sharable via the Orgs API. - `source_account` (String) Provide the account tag of the account that created the rule. - `traffic` (String) Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `updated_at` (String) - `version` (Number) Indicate the version number of the rule(read-only). - `warning_status` (String) Indicate a warning for a misconfigured rule, if any. ### Nested Schema for `result.expiration` Read-Only: - `duration` (Number) Defines the default duration a policy active in minutes. Must set in order to use the `reset_expiration` endpoint on this rule. - `expired` (Boolean) Indicates whether the policy is expired. - `expires_at` (String) Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time. ### Nested Schema for `result.rule_settings` (Schema details for `rule_settings` are not provided in the source text.) ### Nested Schema for `result.schedule` (Schema details for `schedule` are not provided in the source text.) ``` -------------------------------- ### cloudflare_zero_trust_access_service_token Resource Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/resources/zero_trust_access_service_token.md Example usage of the cloudflare_zero_trust_access_service_token resource in Terraform. ```APIDOC ## cloudflare_zero_trust_access_service_token (Resource) Accepted Permissions - `Access: Service Tokens Read` - `Access: Service Tokens Write` ### Example Usage ```terraform resource "cloudflare_zero_trust_access_service_token" "example_zero_trust_access_service_token" { name = "CI/CD token" zone_id = "zone_id" client_secret_version = 0 duration = "60m" previous_client_secret_expires_at = "2014-01-01T05:20:00.12345Z" } ``` ## Schema ### Required - `name` (String) The name of the service token. ### Optional - `account_id` (String) The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `client_secret_version` (Number) A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`. - `duration` (String) The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). - `previous_client_secret_expires_at` (String) The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise. - `zone_id` (String) The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Read-Only - `client_id` (String) The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header. - `client_secret` (String, Sensitive) The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header. - `expires_at` (String) - `id` (String) The ID of the service token. ## Import Import is supported using the following syntax: ```shell $ terraform import cloudflare_zero_trust_access_service_token.example '<{accounts|zones}/{account_id|zone_id}>/' ``` ``` -------------------------------- ### cloudflare_zero_trust_gateway_logging Data Source Example Source: https://github.com/cloudflare/terraform-provider-cloudflare/blob/main/docs/data-sources/zero_trust_gateway_logging.md Example usage of the cloudflare_zero_trust_gateway_logging data source to retrieve logging settings for a given account. ```APIDOC ## Data Source: cloudflare_zero_trust_gateway_logging ### Description Provides information about Cloudflare Zero Trust Gateway Logging settings. ### Example Usage ```terraform data "cloudflare_zero_trust_gateway_logging" "example_zero_trust_gateway_logging" { account_id = "699d98642c564d2e855e9661899b7252" } ``` ### Schema #### Optional - `account_id` (String) #### Read-Only - `id` (String) The ID of this resource. - `redact_pii` (Boolean) Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent). - `settings_by_rule_type` (Attributes) Configure logging settings for each rule type. (see [below for nested schema](#nestedatt--settings_by_rule_type)) ### Nested Schema for `settings_by_rule_type` Read-Only: - `dns` (Attributes) Configure logging settings for DNS firewall. (see [below for nested schema](#nestedatt--settings_by_rule_type--dns)) - `http` (Attributes) Configure logging settings for HTTP/HTTPS firewall. (see [below for nested schema](#nestedatt--settings_by_rule_type--http)) - `l4` (Attributes) Configure logging settings for Network firewall. (see [below for nested schema](#nestedatt--settings_by_rule_type--l4)) ### Nested Schema for `settings_by_rule_type.dns` Read-Only: - `log_all` (Boolean) Specify whether to log all requests to this service. - `log_blocks` (Boolean) Specify whether to log only blocking requests to this service. ### Nested Schema for `settings_by_rule_type.http` Read-Only: - `log_all` (Boolean) Specify whether to log all requests to this service. - `log_blocks` (Boolean) Specify whether to log only blocking requests to this service. ### Nested Schema for `settings_by_rule_type.l4` Read-Only: - `log_all` (Boolean) Specify whether to log all requests to this service. - `log_blocks` (Boolean) Specify whether to log only blocking requests to this service. ```