Terraform
Requirements |
---|
Terraform installed on your machine |
The Cloudflare provider properly configured |
Terraform is a tool for building, changing, and versioning infrastructure, and provides components and documentation for building Cloudflare resources. Listed below are examples to help you get started with building Access with Terraform. For a more generalized guide on configuring Cloudflare and Terraform, visit our Getting Started with Terraform and Cloudflare blog post.
Create an application with Terraform
Create an application.
Here is an example configuration:
variable "domain" {default = "example.com"}variable "zone_id" {default = <CLOUDFLARE_ZONE_ID>}resource "cloudflare_access_application" "cf_app" {zone_id = var.zone_idname = "My Example App"domain = var.domainsession_duration = "24h"}Next, we need to export our environment variables and secrets:
$ export CLOUDFLARE_EMAIL=<CLOUDFLARE_EMAIL>$ export CLOUDFLARE_API_KEY=<CLOUDFLARE_API_KEY>Now we can run a
terraform plan
which will output any proposed changes. Make sure to review the plan carefully:$ terraform planRefreshing Terraform state in-memory prior to plan...The refreshed state will be used to calculate this plan, but will not bepersisted to local or remote state storage.------------------------------------------------------------------------An execution plan has been generated and is shown below.Resource actions are indicated with the following symbols:+ createTerraform will perform the following actions:# cloudflare_access_application.cf_app will be created+ resource "cloudflare_access_application" "cf_app" {+ aud = (known after apply)+ domain = "example.com"+ id = (known after apply)+ name = "My Example App"+ session_duration = "24h"+ zone_id = "1ce82492016e71df631bf4af9c02587f"}Plan: 1 to add, 0 to change, 0 to destroy.------------------------------------------------------------------------Note: You didn't specify an "-out" parameter to save this plan, so Terraformcan't guarantee that exactly these actions will be performed if"terraform apply" is subsequently run.Apply these changes using the
apply
command, once they look accurate and you’re comfortable moving forward:$ terraform apply --auto-approvecloudflare_access_application.cf_app: Creating...cloudflare_access_application.cf_app: Creation complete after 2s [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Create a policy
After you’ve created an application, you can start creating policies and attaching them to applications:
resource "cloudflare_access_policy" "cf_policy" {application_id = cloudflare_access_application.cf_app.idzone_id = var.zone_idname = "Example Policy"precedence = "1"decision = "allow"include {email = ["test@example.com"]}}
To do so:
Run a
terraform plan
:$ terraform planRefreshing Terraform state in-memory prior to plan...The refreshed state will be used to calculate this plan, but will not bepersisted to local or remote state storage.cloudflare_access_application.cf_app: Refreshing state... [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]------------------------------------------------------------------------An execution plan has been generated and is shown below.Resource actions are indicated with the following symbols:+ createTerraform will perform the following actions:# cloudflare_access_policy.cf_policy will be created+ resource "cloudflare_access_policy" "cf_policy" {+ application_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"+ decision = "allow"+ id = (known after apply)+ name = "My Example Policy"+ precedence = 1+ zone_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"+ include {+ email = [+ "test@example.com",]}}Plan: 1 to add, 0 to change, 0 to destroy.------------------------------------------------------------------------Note: You didn't specify an "-out" parameter to save this plan, so Terraformcan't guarantee that exactly these actions will be performed if"terraform apply" is subsequently run.Next, apply these changes using the
apply
command, once they look accurate and you’re comfortable moving forward:$ terraform apply --auto-approve
Configuring an identity provider
The example below shows how you can configure an identity provider and attach it to a policy:
resource "cloudflare_access_identity_provider" "github_oauth" {account_id = <CLOUDFLARE_ACCOUNT_ID>name = "GitHub OAuth"type = "github"config {client_id = <GITHUB_CLIENT_ID>client_secret = <GITHUB_CLIENT_SECRET>}}resource "cloudflare_access_policy" "cf_policy" {application_id = cloudflare_access_application.cf_app.idzone_id = var.zone_idname = "My Example Policy"precedence = "1"decision = "allow"include {email = ["test@example.com"]github {name = "My GitHub Org"identity_provider_id = cloudflare_access_identity_provider.github_oauth.id}}}
These are the basics to get up and running with Access and Terraform. Refer to our API documentation for other endpoints that can be managed via Terraform.