Terraform

Requirements
Terraform ↗ installed on your machine
The Cloudflare provider ↗ properly configured

Terraform ↗ is a tool for building, changing, and versioning infrastructure, and provides components and documentation for building Cloudflare resources ↗. Listed below are examples to help you get started with building Access with Terraform. For a more generalized guide on configuring Cloudflare and Terraform, visit our Getting Started with Terraform and Cloudflare ↗ blog post.

Create an application with Terraform

Create an application.

Here is an example configuration:

variable "domain" {
  default = "example.com"
}

variable "zone_id" {
  default = <CLOUDFLARE_ZONE_ID>
}

resource "cloudflare_access_application" "cf_app" {
  zone_id          = var.zone_id
  name             = "My Example App"
  domain           = var.domain
  session_duration = "24h"
}

Next, we need to export our environment variables and secrets:

export CLOUDFLARE_EMAIL=<CLOUDFLARE_EMAIL>
export CLOUDFLARE_API_KEY=<CLOUDFLARE_API_KEY>

Now we can run a terraform plan which will output any proposed changes. Make sure to review the plan carefully:

terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # cloudflare_access_application.cf_app will be created
  + resource "cloudflare_access_application" "cf_app" {
      + aud              = (known after apply)
      + domain           = "example.com"
      + id               = (known after apply)
      + name             = "My Example App"
      + session_duration = "24h"
      + zone_id          = "1ce82492016e71df631bf4af9c02587f"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Apply these changes using the apply command, once they look accurate and you're comfortable moving forward:

terraform apply --auto-approve

cloudflare_access_application.cf_app: Creating...
cloudflare_access_application.cf_app: Creation complete after 2s [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Create a policy

After you've created an application, you can start creating policies and attaching them to applications:

   resource "cloudflare_access_policy" "cf_policy" {
     application_id = cloudflare_access_application.cf_app.id
     zone_id        = var.zone_id
     name           = "Example Policy"
     precedence     = "1"
     decision       = "allow"

     include {
       email = ["test@example.com"]
     }
   }

To do so:

Run a terraform plan:

terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

cloudflare_access_application.cf_app: Refreshing state... [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
 + create

Terraform will perform the following actions:

 # cloudflare_access_policy.cf_policy will be created
 + resource "cloudflare_access_policy" "cf_policy" {
     + application_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     + decision       = "allow"
     + id             = (known after apply)
     + name           = "My Example Policy"
     + precedence     = 1
     + zone_id        = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

     + include {
         + email = [
             + "test@example.com",
           ]
       }
   }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Next, apply these changes using the apply command, once they look accurate and you're comfortable moving forward:
Terminal window
```
terraform apply --auto-approve
```

Configuring an identity provider

The example below shows how you can configure an identity provider and attach it to a policy:

resource "cloudflare_access_identity_provider" "github_oauth" {
  account_id = <CLOUDFLARE_ACCOUNT_ID>
  name       = "GitHub OAuth"
  type       = "github"
  config {
    client_id     = <GITHUB_CLIENT_ID>
    client_secret = <GITHUB_CLIENT_SECRET>
  }
}

resource "cloudflare_access_policy" "cf_policy" {
  application_id = cloudflare_access_application.cf_app.id
  zone_id        = var.zone_id
  name           = "My Example Policy"
  precedence     = "1"
  decision       = "allow"

  include {
    email = ["test@example.com"]
    github {
      name                 = "My GitHub Org"
      identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
    }
  }
}

These are the basics to get up and running with Access and Terraform. Refer to our API documentation for other endpoints that can be managed via Terraform.

Was this helpful?

Community
X
Discord
YouTube
GitHub