import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; export interface AccessApplicationCorsHeaders { /** * Allows all HTTP request headers. */ allowAllHeaders?: pulumi.Input; /** * Allows all HTTP request methods. */ allowAllMethods?: pulumi.Input; /** * Allows all origins. */ allowAllOrigins?: pulumi.Input; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. */ allowCredentials?: pulumi.Input; /** * Allowed HTTP request headers. */ allowedHeaders?: pulumi.Input[]>; /** * Allowed HTTP request methods. */ allowedMethods?: pulumi.Input[]>; /** * Allowed origins. */ allowedOrigins?: pulumi.Input[]>; /** * The maximum number of seconds the results of a preflight request can be cached. */ maxAge?: pulumi.Input; } export interface AccessApplicationDestination { /** * The CIDR range of the destination. Single IPs will be computed as /32. */ cidr?: pulumi.Input; /** * The hostname of the destination. Matches a valid SNI served by an HTTPS origin. */ hostname?: pulumi.Input; /** * The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. * Available values: "tcp", "udp". */ l4Protocol?: pulumi.Input; /** * A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. */ mcpServerId?: pulumi.Input; /** * The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. */ portRange?: pulumi.Input; /** * Available values: "public", "private". */ type?: pulumi.Input; /** * The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). */ uri?: pulumi.Input; /** * The VNET ID to match the destination. When omitted, all VNETs will match. 
*/ vnetId?: pulumi.Input; } export interface AccessApplicationFooterLink { /** * The hypertext in the footer link. */ name: pulumi.Input; /** * the hyperlink in the footer link. */ url: pulumi.Input; } export interface AccessApplicationLandingPageDesign { /** * The background color of the log in button on the landing page. */ buttonColor?: pulumi.Input; /** * The color of the text in the log in button on the landing page. */ buttonTextColor?: pulumi.Input; /** * The URL of the image shown on the landing page. */ imageUrl?: pulumi.Input; /** * The message shown on the landing page. */ message?: pulumi.Input; /** * The title shown on the landing page. */ title?: pulumi.Input; } export interface AccessApplicationPolicy { /** * The rules that define how users may connect to the targets secured by your application. */ connectionRules?: pulumi.Input; /** * The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. * Available values: "allow", "deny", "nonIdentity", "bypass". */ decision?: pulumi.Input; /** * Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. */ excludes?: pulumi.Input[]>; /** * The UUID of the policy */ id?: pulumi.Input; /** * Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. */ includes?: pulumi.Input[]>; /** * The name of the Access policy. */ name?: pulumi.Input; /** * The order of execution for this policy. Must be unique for each policy within an app. */ precedence?: pulumi.Input; /** * Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. */ requires?: pulumi.Input[]>; } export interface AccessApplicationPolicyConnectionRules { /** * The RDP-specific rules that define clipboard behavior for RDP connections. 
*/ rdp?: pulumi.Input; /** * The SSH-specific rules that define how users may connect to the targets secured by your application. */ ssh?: pulumi.Input; } export interface AccessApplicationPolicyConnectionRulesRdp { /** * Clipboard formats allowed when copying from local machine to remote RDP session. */ allowedClipboardLocalToRemoteFormats?: pulumi.Input[]>; /** * Clipboard formats allowed when copying from remote RDP session to local machine. */ allowedClipboardRemoteToLocalFormats?: pulumi.Input[]>; } export interface AccessApplicationPolicyConnectionRulesSsh { /** * Enables using Identity Provider email alias as SSH username. */ allowEmailAlias?: pulumi.Input; /** * Contains the Unix usernames that may be used when connecting over SSH. */ usernames: pulumi.Input[]>; } export interface AccessApplicationPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessApplicationPolicyExcludeAnyValidServiceToken { } export interface AccessApplicationPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. 
*/ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessApplicationPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeCertificate { } export interface AccessApplicationPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessApplicationPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessApplicationPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessApplicationPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessApplicationPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeEveryone { } export interface AccessApplicationPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessApplicationPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessApplicationPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessApplicationPolicyExcludeGroup { /** * The ID of a previously created Access group. 
*/ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessApplicationPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessApplicationPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessApplicationPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessApplicationPolicyInclude { /** * An empty object which matches on all service tokens. 
*/ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessApplicationPolicyIncludeAnyValidServiceToken { } export interface AccessApplicationPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessApplicationPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeCertificate { } export interface AccessApplicationPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessApplicationPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessApplicationPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessApplicationPolicyIncludeEmailDomain { /** * The email domain to match. 
*/ domain: pulumi.Input; } export interface AccessApplicationPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeEveryone { } export interface AccessApplicationPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessApplicationPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessApplicationPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessApplicationPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessApplicationPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessApplicationPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. 
*/ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessApplicationPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessApplicationPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessApplicationPolicyRequireAnyValidServiceToken { } export interface AccessApplicationPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. 
*/ authMethod: pulumi.Input; } export interface AccessApplicationPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireCertificate { } export interface AccessApplicationPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessApplicationPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessApplicationPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessApplicationPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessApplicationPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireEveryone { } export interface AccessApplicationPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessApplicationPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessApplicationPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessApplicationPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. 
*/ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessApplicationPolicyRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessApplicationPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessApplicationPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessApplicationSaasApp { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. */ accessTokenLifetime?: pulumi.Input; /** * If client secret should be required on the token endpoint when authorization*code*with_pkce grant is used. */ allowPkceWithoutClientSecret?: pulumi.Input; /** * The URL where this applications tile redirects users */ appLauncherUrl?: pulumi.Input; /** * Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. 
Default if unset is "saml" * Available values: "saml", "oidc". */ authType?: pulumi.Input; /** * The application client id */ clientId?: pulumi.Input; /** * The application client secret, only returned on POST request. */ clientSecret?: pulumi.Input; /** * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. */ consumerServiceUrl?: pulumi.Input; customAttributes?: pulumi.Input[]>; customClaims?: pulumi.Input[]>; /** * The URL that the user will be redirected to after a successful login for IDP initiated logins. */ defaultRelayState?: pulumi.Input; /** * The OIDC flows supported by this application */ grantTypes?: pulumi.Input[]>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ groupFilterRegex?: pulumi.Input; hybridAndImplicitOptions?: pulumi.Input; /** * The unique identifier for your SaaS application. */ idpEntityId?: pulumi.Input; /** * The format of the name identifier sent to the SaaS application. * Available values: "id", "email". */ nameIdFormat?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `nameIdFormat` setting. */ nameIdTransformJsonata?: pulumi.Input; /** * The Access public certificate that will be used to verify your identity. */ publicKey?: pulumi.Input; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens */ redirectUris?: pulumi.Input[]>; refreshTokenOptions?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml*attributes or oidc*fields of the identity provider used to authenticate. 
The output of this expression must be a JSON object. */ samlAttributeTransformJsonata?: pulumi.Input; /** * Define the user information shared with access, "offlineAccess" scope will be automatically enabled if refresh tokens are enabled */ scopes?: pulumi.Input[]>; /** * A globally unique name for an identity or service provider. */ spEntityId?: pulumi.Input; /** * The endpoint where your SaaS application will send login requests. */ ssoEndpoint?: pulumi.Input; } export interface AccessApplicationSaasAppCustomAttribute { /** * The SAML FriendlyName of the attribute. */ friendlyName?: pulumi.Input; /** * The name of the attribute. */ name?: pulumi.Input; /** * A globally unique name for an identity or service provider. * Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri". */ nameFormat?: pulumi.Input; /** * If the attribute is required when building a SAML assertion. */ required?: pulumi.Input; source?: pulumi.Input; } export interface AccessApplicationSaasAppCustomAttributeSource { /** * The name of the IdP attribute. */ name?: pulumi.Input; /** * A mapping from IdP ID to attribute name. */ nameByIdps?: pulumi.Input[]>; } export interface AccessApplicationSaasAppCustomAttributeSourceNameByIdp { /** * The UID of the IdP. */ idpId?: pulumi.Input; /** * The name of the IdP provided attribute. */ sourceName?: pulumi.Input; } export interface AccessApplicationSaasAppCustomClaim { /** * The name of the claim. */ name?: pulumi.Input; /** * If the claim is required when building an OIDC token. */ required?: pulumi.Input; /** * The scope of the claim. * Available values: "groups", "profile", "email", "openid". */ scope?: pulumi.Input; source?: pulumi.Input; } export interface AccessApplicationSaasAppCustomClaimSource { /** * The name of the IdP claim. */ name?: pulumi.Input; /** * A mapping from IdP ID to claim name. 
*/ nameByIdp?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface AccessApplicationSaasAppHybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint */ returnAccessTokenFromAuthorizationEndpoint?: pulumi.Input; /** * If an ID Token should be returned from the OIDC Authorization endpoint */ returnIdTokenFromAuthorizationEndpoint?: pulumi.Input; } export interface AccessApplicationSaasAppRefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. */ lifetime?: pulumi.Input; } export interface AccessApplicationScimConfig { /** * Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. */ authentication?: pulumi.Input; /** * If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. */ deactivateOnDelete?: pulumi.Input; /** * Whether SCIM provisioning is turned on for this application. */ enabled?: pulumi.Input; /** * The UID of the IdP to use as the source for SCIM resources to provision to this application. */ idpUid: pulumi.Input; /** * A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. */ mappings?: pulumi.Input[]>; /** * The base URI for the application's SCIM-compatible API. */ remoteUri: pulumi.Input; } export interface AccessApplicationScimConfigAuthentication { /** * URL used to generate the auth code used during token generation. */ authorizationUrl?: pulumi.Input; /** * Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. */ clientId?: pulumi.Input; /** * Secret used to authenticate when generating a token for authenticating with the remove SCIM service. 
*/ clientSecret?: pulumi.Input; /** * Password used to authenticate with the remote SCIM service. */ password?: pulumi.Input; /** * The authentication scheme to use when making SCIM requests to this application. * Available values: "httpbasic", "oauthbearertoken", "oauth2", "access*service*token". */ scheme: pulumi.Input; /** * The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. */ scopes?: pulumi.Input[]>; /** * Token used to authenticate with the remote SCIM service. */ token?: pulumi.Input; /** * URL used to generate the token used to authenticate with the remote SCIM service. */ tokenUrl?: pulumi.Input; /** * User name used to authenticate with the remote SCIM service. */ user?: pulumi.Input; } export interface AccessApplicationScimConfigMapping { /** * Whether or not this mapping is enabled. */ enabled?: pulumi.Input; /** * A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. */ filter?: pulumi.Input; /** * Whether or not this mapping applies to creates, updates, or deletes. */ operations?: pulumi.Input; /** * Which SCIM resource type this mapping applies to. */ schema: pulumi.Input; /** * The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. * Available values: "strict", "passthrough". */ strictness?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. */ transformJsonata?: pulumi.Input; } export interface AccessApplicationScimConfigMappingOperations { /** * Whether or not this mapping applies to create (POST) operations. */ create?: pulumi.Input; /** * Whether or not this mapping applies to DELETE operations. 
*/ delete?: pulumi.Input; /** * Whether or not this mapping applies to update (PATCH/PUT) operations. */ update?: pulumi.Input; } export interface AccessApplicationTargetCriteria { /** * The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. */ port: pulumi.Input; /** * The communication protocol your application secures. * Available values: "SSH", "RDP". */ protocol: pulumi.Input; /** * Contains a map of target attribute keys to target attribute values. */ targetAttributes: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; } export interface AccessGroupExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessGroupExcludeAnyValidServiceToken { } export interface AccessGroupExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessGroupExcludeAzureAd { /** * The ID of an Azure group. 
*/ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeCertificate { } export interface AccessGroupExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessGroupExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessGroupExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessGroupExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessGroupExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessGroupExcludeEveryone { } export interface AccessGroupExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessGroupExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessGroupExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessGroupExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessGroupExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessGroupExcludeIpList { /** * The ID of a previously created IP list. 
*/ id: pulumi.Input; } export interface AccessGroupExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessGroupExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessGroupExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessGroupExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessGroupInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. 
*/ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `anyValidServiceToken` selector, which this file documents as matching on all service tokens. */ export interface AccessGroupIncludeAnyValidServiceToken { } export interface AccessGroupIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeAuthMethod { /** * The type of authentication method, as listed in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2). */ authMethod: pulumi.Input; } export interface AccessGroupIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } /** * Empty rule object with no fields. NOTE(review): presumably matches any valid client certificate; confirm against the Cloudflare Access documentation. */ export interface AccessGroupIncludeCertificate { } export interface AccessGroupIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessGroupIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessGroupIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessGroupIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessGroupIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `everyone` selector, which this file documents as matching on all users. NOTE(review): in an Include list this admits every user, so access then rests on the Require and Exclude rules alone. */ export interface AccessGroupIncludeEveryone { } export interface AccessGroupIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. 
*/ keysUrl: pulumi.Input; } export interface AccessGroupIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessGroupIncludeGithubOrganization { /** * The ID of your GitHub identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team. */ team?: pulumi.Input; } export interface AccessGroupIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessGroupIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessGroupIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessGroupIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application. */ appUid: pulumi.Input; } export interface AccessGroupIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessGroupIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessGroupIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeServiceToken { /** * The ID of a Service Token. 
*/ tokenId: pulumi.Input; } /** * Rule selectors for the Require list of an Access group; every selector is optional. NOTE(review): Require rules are described elsewhere in this file as AND-evaluated, so a user must meet all of them. */ export interface AccessGroupRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. NOTE(review): as a Require rule this adds no restriction, since every user meets it. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `anyValidServiceToken` selector, which this file documents as matching on all service tokens. */ export interface AccessGroupRequireAnyValidServiceToken { } export interface AccessGroupRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireAuthMethod { /** * The type of authentication method, as listed in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2). */ authMethod: pulumi.Input; } export interface AccessGroupRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } /** * Empty rule object with no fields. NOTE(review): presumably matches any valid client certificate; confirm against the Cloudflare Access documentation. */ export interface AccessGroupRequireCertificate { } export interface AccessGroupRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessGroupRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessGroupRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessGroupRequireEmailDomain { /** * The email domain to match. 
*/ domain: pulumi.Input; } export interface AccessGroupRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `everyone` selector, which this file documents as matching on all users. */ export interface AccessGroupRequireEveryone { } export interface AccessGroupRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessGroupRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessGroupRequireGithubOrganization { /** * The ID of your GitHub identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team. */ team?: pulumi.Input; } export interface AccessGroupRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessGroupRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessGroupRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessGroupRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application. */ appUid: pulumi.Input; } export interface AccessGroupRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessGroupRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireOkta { /** * The ID of your Okta identity provider. 
*/ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessGroupRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } /** * Provider-specific settings for an Access identity provider; every field is optional. NOTE(review): which fields apply presumably depends on the provider type (SAML, OAuth/OIDC, Okta, Azure, Centrify, OneLogin, PingOne); confirm per provider. */ export interface AccessIdentityProviderConfig { /** * Your company's TLD. */ appsDomain?: pulumi.Input; /** * A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. */ attributes?: pulumi.Input[]>; /** * The authorizationEndpoint URL of your IdP. */ authUrl?: pulumi.Input; /** * Your Okta authorization server ID. */ authorizationServerId?: pulumi.Input; /** * Your Centrify account URL. */ centrifyAccount?: pulumi.Input; /** * Your Centrify app ID. */ centrifyAppId?: pulumi.Input; /** * The jwksUri endpoint of your IdP to allow the IdP keys to sign the tokens. */ certsUrl?: pulumi.Input; /** * Custom claims. */ claims?: pulumi.Input[]>; /** * Your OAuth Client ID. */ clientId?: pulumi.Input; /** * Your OAuth Client Secret. Sensitive credential: pass it as a Pulumi secret (for example a value stored with `pulumi config set --secret`) instead of a plaintext literal, so that it is kept encrypted in state. */ clientSecret?: pulumi.Input; /** * Should Cloudflare try to load authentication contexts from your account. */ conditionalAccessEnabled?: pulumi.Input; /** * Your Azure directory UUID. */ directoryId?: pulumi.Input; /** * The attribute name for email in the SAML response. */ emailAttributeName?: pulumi.Input; /** * The claim name for email in the idToken response. */ emailClaimName?: pulumi.Input; /** * Add a list of attribute names that will be returned in the response header from the Access callback. 
*/ headerAttributes?: pulumi.Input[]>; /** * X509 certificate to verify the signature in the SAML authentication response. */ idpPublicCerts?: pulumi.Input[]>; /** * IdP Entity ID or Issuer URL. */ issuerUrl?: pulumi.Input; /** * Your Okta account URL. */ oktaAccount?: pulumi.Input; /** * Your OneLogin account URL. */ oneloginAccount?: pulumi.Input; /** * Your PingOne environment identifier. */ pingEnvId?: pulumi.Input; /** * Enable Proof Key for Code Exchange (PKCE, RFC 7636), which ties the authorization code to the client that started the flow. */ pkceEnabled?: pulumi.Input; /** * Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. * Available values: "login", "select_account", "none". */ prompt?: pulumi.Input; redirectUrl?: pulumi.Input; /** * OAuth scopes. */ scopes?: pulumi.Input[]>; /** * Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. 
*/ signRequest?: pulumi.Input; /** * URL to send the SAML authentication requests to. */ ssoTargetUrl?: pulumi.Input; /** * Should Cloudflare try to load groups from your account. */ supportGroups?: pulumi.Input; /** * The tokenEndpoint URL of your IdP. */ tokenUrl?: pulumi.Input; } export interface AccessIdentityProviderConfigHeaderAttribute { /** * Attribute name from the IdP. */ attributeName?: pulumi.Input; /** * Header that will be added on the request to the origin. */ headerName?: pulumi.Input; } export interface AccessIdentityProviderScimConfig { /** * A flag to enable or disable SCIM for the identity provider. */ enabled?: pulumi.Input; /** * Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. * Available values: "automatic", "reauth", "no_action". */ identityUpdateBehavior?: pulumi.Input; /** * The base URL of Cloudflare's SCIM V2.0 API endpoint. */ scimBaseUrl?: pulumi.Input; /** * A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless userDeprovision is also enabled. */ seatDeprovision?: pulumi.Input; /** * A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. NOTE(review): treat the value as a credential and keep it out of logs and plaintext stack outputs. */ secret?: pulumi.Input; /** * A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. 
*/ userDeprovision?: pulumi.Input; } export interface AccessMutualTlsHostnameSettingsSetting { /** * Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. */ chinaNetwork: pulumi.Input; /** * Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball (the connecting client) to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin. NOTE(review): the header is only trustworthy if the origin accepts requests solely from the Cloudflare edge; confirm the origin is not directly reachable before relying on it. */ clientCertificateForwarding: pulumi.Input; /** * The hostname that these settings apply to. */ hostname: pulumi.Input; } export interface AccessOrganizationCustomPages { /** * The uid of the custom page to use when a user is denied access after failing a non-identity rule. */ forbidden?: pulumi.Input; /** * The uid of the custom page to use when a user is denied access. */ identityDenied?: pulumi.Input; } export interface AccessOrganizationLoginDesign { /** * The background color on your login page. */ backgroundColor?: pulumi.Input; /** * The text at the bottom of your login page. */ footerText?: pulumi.Input; /** * The text at the top of your login page. */ headerText?: pulumi.Input; /** * The URL of the logo on your login page. */ logoPath?: pulumi.Input; /** * The text color on your login page. */ textColor?: pulumi.Input; } export interface AccessOrganizationMfaConfig { /** * Lists the MFA methods that users can authenticate with. */ allowedAuthenticators?: pulumi.Input[]>; /** * Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. */ sessionDuration?: pulumi.Input; } export interface AccessPolicyApprovalGroup { /** * The number of approvals needed to obtain access. */ approvalsNeeded: pulumi.Input; /** * A list of emails that can approve the access request. */ emailAddresses?: pulumi.Input[]>; /** * The UUID of an re-usable email list. 
*/ emailListUuid?: pulumi.Input; } export interface AccessPolicyConnectionRules { /** * The RDP-specific rules that define clipboard behavior for RDP connections. */ rdp?: pulumi.Input; } export interface AccessPolicyConnectionRulesRdp { /** * Clipboard formats allowed when copying from local machine to remote RDP session. */ allowedClipboardLocalToRemoteFormats?: pulumi.Input[]>; /** * Clipboard formats allowed when copying from remote RDP session to local machine. */ allowedClipboardRemoteToLocalFormats?: pulumi.Input[]>; } /** * Rule selectors for the Exclude list of an Access policy; every selector is optional. NOTE(review): Exclude rules are described elsewhere in this file as NOT-evaluated, so a user who meets any of them cannot match the policy. */ export interface AccessPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. NOTE(review): in an Exclude list this would exclude every user, so the policy could never match; confirm that is intended before setting it. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `anyValidServiceToken` selector, which this file documents as matching on all service tokens. */ export interface AccessPolicyExcludeAnyValidServiceToken { } export interface AccessPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeAuthMethod { /** * The type of authentication method, as listed in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2). */ authMethod: pulumi.Input; } export interface AccessPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. 
*/ identityProviderId: pulumi.Input; } /** * Empty rule object with no fields. NOTE(review): presumably matches any valid client certificate; confirm against the Cloudflare Access documentation. */ export interface AccessPolicyExcludeCertificate { } export interface AccessPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `everyone` selector, which this file documents as matching on all users. */ export interface AccessPolicyExcludeEveryone { } export interface AccessPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessPolicyExcludeGithubOrganization { /** * The ID of your GitHub identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team. */ team?: pulumi.Input; } export interface AccessPolicyExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessPolicyExcludeIpList { /** * The ID of a previously created IP list. 
*/ id: pulumi.Input; } export interface AccessPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application. */ appUid: pulumi.Input; } export interface AccessPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } /** * Rule selectors for the Include list of an Access policy; every selector is optional. NOTE(review): Include rules are described elsewhere in this file as OR-evaluated, so one broad selector is enough to match a user. */ export interface AccessPolicyInclude { /** * An empty object which matches on all service tokens. NOTE(review): this accepts any valid service token rather than one named token; prefer `serviceToken` with a specific `tokenId` when only one client should match. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. 
*/ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `anyValidServiceToken` selector, which this file documents as matching on all service tokens. */ export interface AccessPolicyIncludeAnyValidServiceToken { } export interface AccessPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeAuthMethod { /** * The type of authentication method, as listed in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2). */ authMethod: pulumi.Input; } export interface AccessPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } /** * Empty rule object with no fields. NOTE(review): presumably matches any valid client certificate; confirm against the Cloudflare Access documentation. */ export interface AccessPolicyIncludeCertificate { } export interface AccessPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessPolicyIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `everyone` selector, which this file documents as matching on all users. NOTE(review): in an Include list this matches every user, so access then rests on the Require and Exclude rules alone. */ export interface AccessPolicyIncludeEveryone { } export interface AccessPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. 
*/ keysUrl: pulumi.Input; } export interface AccessPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessPolicyIncludeGithubOrganization { /** * The ID of your GitHub identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team. */ team?: pulumi.Input; } export interface AccessPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application. */ appUid: pulumi.Input; } export interface AccessPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeServiceToken { /** * The ID of a Service Token. 
*/ tokenId: pulumi.Input; } export interface AccessPolicyMfaConfig { /** * Lists the MFA methods that users can authenticate with. */ allowedAuthenticators?: pulumi.Input[]>; /** * Indicates whether to bypass MFA for this resource. This option is available at the application and policy level. NOTE(review): enabling it removes the MFA step for everything this policy matches, so each use should be deliberate and reviewed. */ mfaBypass?: pulumi.Input; /** * Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. */ sessionDuration?: pulumi.Input; } /** * Rule selectors for the Require list of an Access policy; every selector is optional. NOTE(review): Require rules are described elsewhere in this file as AND-evaluated, so a user must meet all of them. */ export interface AccessPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. NOTE(review): as a Require rule this adds no restriction, since every user meets it. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `anyValidServiceToken` selector, which this file documents as matching on all service tokens. */ export interface AccessPolicyRequireAnyValidServiceToken { } export interface AccessPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireAuthMethod { /** * The type of authentication method, as listed in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2). */ authMethod: pulumi.Input; } export interface AccessPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. 
*/ identityProviderId: pulumi.Input; } /** * Empty rule object with no fields. NOTE(review): presumably matches any valid client certificate; confirm against the Cloudflare Access documentation. */ export interface AccessPolicyRequireCertificate { } export interface AccessPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } /** * Empty rule object with no fields; presumably the value of the `everyone` selector, which this file documents as matching on all users. */ export interface AccessPolicyRequireEveryone { } export interface AccessPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessPolicyRequireGithubOrganization { /** * The ID of your GitHub identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team. */ team?: pulumi.Input; } export interface AccessPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessPolicyRequireIpList { /** * The ID of a previously created IP list. 
*/ id: pulumi.Input; } export interface AccessPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application. */ appUid: pulumi.Input; } export interface AccessPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessRuleConfiguration { /** * The configuration target. You must set the target to `ip` when specifying an IP address in the rule. * Available values: "ip", "ip6", "ip_range", "asn", "country". */ target?: pulumi.Input; /** * The IP address to match. This address will be compared to the IP address of incoming requests. NOTE(review): presumably holds the range, ASN or country code instead when `target` is not `ip`; confirm against the Cloudflare API reference. */ value?: pulumi.Input; } export interface AccessRuleScope { /** * The contact email address of the user. */ email?: pulumi.Input; /** * Defines an identifier. */ id?: pulumi.Input; /** * Defines the scope of the rule. * Available values: "user", "organization". */ type?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaults { /** * Whether to flatten all CNAME records in the zone. Note that, due to DNS limitations, a CNAME record at the zone apex will always be flattened. 
*/ flattenAllCnames?: pulumi.Input; /** * Whether to enable Foundation DNS Advanced Nameservers on the zone. */ foundationDns?: pulumi.Input; /** * Settings for this internal zone. */ internalDns?: pulumi.Input; /** * Whether to enable multi-provider DNS, which causes Cloudflare to activate the zone even when non-Cloudflare NS records exist, and to respect NS records at the zone apex during outbound zone transfers. */ multiProvider?: pulumi.Input; /** * Settings determining the nameservers through which the zone should be available. */ nameservers?: pulumi.Input; /** * The time to live (TTL) of the zone's nameserver (NS) records. */ nsTtl?: pulumi.Input; /** * Allows a Secondary DNS zone to use (proxied) override records and CNAME flattening at the zone apex. */ secondaryOverrides?: pulumi.Input; /** * Components of the zone's SOA record. */ soa?: pulumi.Input; /** * Whether the zone mode is a regular or CDN/DNS only zone. * Available values: "standard", "cdn_only", "dns_only". */ zoneMode?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaultsInternalDns { /** * The ID of the zone to fall back to. */ referenceZoneId?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaultsNameservers { /** * Nameserver type. * Available values: "cloudflare.standard", "cloudflare.standard.random", "custom.account", "custom.tenant". */ type?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaultsSoa { /** * Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone. */ expire?: pulumi.Input; /** * The time to live (TTL) for negative caching of records within the zone. */ minTtl?: pulumi.Input; /** * The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used. */ mname?: pulumi.Input; /** * Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated. 
*/ refresh?: pulumi.Input; /** * Time in seconds after which secondary servers should retry queries after the primary server was unresponsive. */ retry?: pulumi.Input; /** * The email address of the zone administrator, with the first label representing the local part of the email address. */ rname?: pulumi.Input; /** * The time to live (TTL) of the SOA record itself. */ ttl?: pulumi.Input; } export interface AccountManagedBy { /** * ID of the parent Organization, if one exists. */ parentOrgId?: pulumi.Input; /** * Name of the parent Organization, if one exists. */ parentOrgName?: pulumi.Input; } export interface AccountMemberPolicy { /** * Allow or deny operations against the resources. * Available values: "allow", "deny". */ access: pulumi.Input; /** * A set of permission groups that are specified to the policy. */ permissionGroups: pulumi.Input[]>; /** * A list of resource groups that the policy applies to. */ resourceGroups: pulumi.Input[]>; } export interface AccountMemberPolicyPermissionGroup { /** * Identifier of the group. */ id: pulumi.Input; } export interface AccountMemberPolicyResourceGroup { /** * Identifier of the group. */ id: pulumi.Input; } export interface AccountMemberUser { /** * The contact email address of the user. */ email?: pulumi.Input; /** * User's first name. */ firstName?: pulumi.Input; /** * Identifier. */ id?: pulumi.Input; /** * User's last name. */ lastName?: pulumi.Input; /** * Indicates whether two-factor authentication is enabled for the user account. Does not apply to API authentication. */ twoFactorAuthenticationEnabled?: pulumi.Input; } export interface AccountSettings { /** * Sets an abuse contact email to notify for abuse reports. */ abuseContactEmail?: pulumi.Input; /** * Indicates whether membership in this account requires that * Two-Factor Authentication is enabled. NOTE(review): when this is unset or false, members without two-factor authentication can presumably belong to the account; confirm the intended default. */ enforceTwofactor?: pulumi.Input; } export interface AccountSubscriptionRatePlan { /** * The currency applied to the rate plan subscription. 
*/ currency?: pulumi.Input; /** * Whether this rate plan is managed externally from Cloudflare. */ externallyManaged?: pulumi.Input; /** * The ID of the rate plan. */ id?: pulumi.Input; /** * Whether a rate plan is enterprise-based (or newly adopted term contract). */ isContract?: pulumi.Input; /** * The full name of the rate plan. */ publicName?: pulumi.Input; /** * The scope that this rate plan applies to. */ scope?: pulumi.Input; /** * The list of sets this rate plan applies to. Returns array of strings. */ sets?: pulumi.Input[]>; } export interface AccountTokenCondition { /** * Client IP restrictions. */ requestIp?: pulumi.Input; } export interface AccountTokenConditionRequestIp { /** * List of IPv4/IPv6 CIDR addresses. */ ins?: pulumi.Input[]>; /** * List of IPv4/IPv6 CIDR addresses. */ notIns?: pulumi.Input[]>; } export interface AccountTokenPolicy { /** * Allow or deny operations against the resources. * Available values: "allow", "deny". */ effect: pulumi.Input; /** * A set of permission groups that are specified to the policy. */ permissionGroups: pulumi.Input[]>; /** * A json object representing the resources that are specified to the policy. */ resources: pulumi.Input; } export interface AccountTokenPolicyPermissionGroup { /** * Identifier of the permission group. */ id: pulumi.Input; } export interface AccountUnit { /** * Tenant unit ID */ id?: pulumi.Input; } export interface AddressMapMembership { /** * The identifier for the membership (eg. a zone or account tag). */ identifier?: pulumi.Input; /** * The type of the membership. * Available values: "zone", "account". */ kind?: pulumi.Input; } export interface AiSearchInstanceCustomMetadata { /** * Available values: "text", "number", "boolean". 
*/ dataType: pulumi.Input; fieldName: pulumi.Input; } export interface AiSearchInstanceMetadata { createdFromAisearchWizard?: pulumi.Input; workerDomain?: pulumi.Input; } export interface AiSearchInstancePublicEndpointParams { authorizedHosts?: pulumi.Input[]>; chatCompletionsEndpoint?: pulumi.Input; enabled?: pulumi.Input; mcp?: pulumi.Input; rateLimit?: pulumi.Input; searchEndpoint?: pulumi.Input; } export interface AiSearchInstancePublicEndpointParamsChatCompletionsEndpoint { /** * Disable chat completions endpoint for this public endpoint */ disabled?: pulumi.Input; } export interface AiSearchInstancePublicEndpointParamsMcp { description?: pulumi.Input; /** * Disable MCP endpoint for this public endpoint */ disabled?: pulumi.Input; } export interface AiSearchInstancePublicEndpointParamsRateLimit { periodMs?: pulumi.Input; requests?: pulumi.Input; /** * Available values: "fixed", "sliding". */ technique?: pulumi.Input; } export interface AiSearchInstancePublicEndpointParamsSearchEndpoint { /** * Disable search endpoint for this public endpoint */ disabled?: pulumi.Input; } export interface AiSearchInstanceRetrievalOptions { /** * Controls how keyword search terms are matched. exact*match requires all terms to appear (AND); fuzzy*match returns results containing any term (OR). Defaults to exact*match. * Available values: "exact*match", "fuzzyMatch". */ keywordMatchMode?: pulumi.Input; } export interface AiSearchInstanceSourceParams { /** * List of path patterns to exclude. Uses micromatch glob syntax: * matches within a path segment, ** matches across path segments (e.g., /admin/** matches /admin/users and /admin/settings/advanced) */ excludeItems?: pulumi.Input[]>; /** * List of path patterns to include. 
Uses micromatch glob syntax: * matches within a path segment, ** matches across path segments (e.g., /blog/** matches /blog/post and /blog/2024/post) */ includeItems?: pulumi.Input[]>; prefix?: pulumi.Input; r2Jurisdiction?: pulumi.Input; webCrawler?: pulumi.Input; } export interface AiSearchInstanceSourceParamsWebCrawler { parseOptions?: pulumi.Input; /** * Available values: "sitemap", "feed-rss". */ parseType?: pulumi.Input; storeOptions?: pulumi.Input; } export interface AiSearchInstanceSourceParamsWebCrawlerParseOptions { includeHeaders?: pulumi.Input<{ [key: string]: pulumi.Input; }>; includeImages?: pulumi.Input; /** * List of specific sitemap URLs to use for crawling. Only valid when parseType is 'sitemap'. */ specificSitemaps?: pulumi.Input[]>; useBrowserRendering?: pulumi.Input; } export interface AiSearchInstanceSourceParamsWebCrawlerStoreOptions { r2Jurisdiction?: pulumi.Input; storageId: pulumi.Input; /** * Available values: "r2". */ storageType?: pulumi.Input; } export interface ApiShieldAuthIdCharacteristic { /** * The name of the characteristic field, i.e., the header or cookie name. When using type "jwt", this must be a claim location expressed as `$(token_config_id):$(json_path)`, where `tokenConfigId` is the ID of the token configuration used in validating the JWT, and `jsonPath` is a RFC 9535 JSONPath expression. */ name: pulumi.Input; /** * The type of characteristic. * Available values: "header", "cookie", "jwt". */ type: pulumi.Input; } export interface ApiShieldOperationFeatures { /** * API Routing settings on endpoint. */ apiRouting?: pulumi.Input; confidenceIntervals?: pulumi.Input; parameterSchemas?: pulumi.Input; schemaInfo?: pulumi.Input; thresholds?: pulumi.Input; } export interface ApiShieldOperationFeaturesApiRouting { lastUpdated?: pulumi.Input; /** * Target route. 
*/ route?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervals { lastUpdated?: pulumi.Input; suggestedThreshold?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThreshold { confidenceIntervals?: pulumi.Input; /** * Suggested threshold. */ mean?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervals { /** * Upper and lower bound for percentile estimate */ p90?: pulumi.Input; /** * Upper and lower bound for percentile estimate */ p95?: pulumi.Input; /** * Upper and lower bound for percentile estimate */ p99?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervalsP90 { /** * Lower bound for percentile estimate */ lower?: pulumi.Input; /** * Upper bound for percentile estimate */ upper?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervalsP95 { /** * Lower bound for percentile estimate */ lower?: pulumi.Input; /** * Upper bound for percentile estimate */ upper?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervalsP99 { /** * Lower bound for percentile estimate */ lower?: pulumi.Input; /** * Upper bound for percentile estimate */ upper?: pulumi.Input; } export interface ApiShieldOperationFeaturesParameterSchemas { lastUpdated?: pulumi.Input; /** * An operation schema object containing a response. */ parameterSchemas?: pulumi.Input; } export interface ApiShieldOperationFeaturesParameterSchemasParameterSchemas { /** * An array containing the learned parameter schemas. */ parameters?: pulumi.Input[]>; /** * An empty response object. This field is required to yield a valid operation schema. */ responses?: pulumi.Input; } export interface ApiShieldOperationFeaturesSchemaInfo { /** * Schema active on endpoint. 
*/ activeSchema?: pulumi.Input; /** * True if a Cloudflare-provided learned schema is available for this endpoint. */ learnedAvailable?: pulumi.Input; /** * Action taken on requests failing validation. * Available values: "none", "log", "block". */ mitigationAction?: pulumi.Input; } export interface ApiShieldOperationFeaturesSchemaInfoActiveSchema { createdAt?: pulumi.Input; /** * UUID. */ id?: pulumi.Input; /** * True if schema is Cloudflare-provided. */ isLearned?: pulumi.Input; /** * Schema file name. */ name?: pulumi.Input; } export interface ApiShieldOperationFeaturesThresholds { /** * The total number of auth-ids seen across this calculation. */ authIdTokens?: pulumi.Input; /** * The number of data points used for the threshold suggestion calculation. */ dataPoints?: pulumi.Input; lastUpdated?: pulumi.Input; /** * The p50 quantile of requests (in period_seconds). */ p50?: pulumi.Input; /** * The p90 quantile of requests (in period_seconds). */ p90?: pulumi.Input; /** * The p99 quantile of requests (in period_seconds). */ p99?: pulumi.Input; /** * The period over which this threshold is suggested. */ periodSeconds?: pulumi.Input; /** * The estimated number of requests covered by these calculations. */ requests?: pulumi.Input; /** * The suggested threshold in requests done by the same auth*id or period*seconds. */ suggestedThreshold?: pulumi.Input; } export interface ApiShieldSchemaSchema { createdAt?: pulumi.Input; /** * Kind of schema * Available values: "openapiV3". */ kind?: pulumi.Input; /** * Name of the schema */ name?: pulumi.Input; /** * UUID. */ schemaId?: pulumi.Input; /** * Source of the schema */ source?: pulumi.Input; /** * Flag whether schema is enabled for validation. */ validationEnabled?: pulumi.Input; } export interface ApiShieldSchemaUploadDetails { /** * Diagnostic warning events that occurred during processing. These events are non-critical errors found within the schema. 
*/
    warnings?: pulumi.Input[]>;
}

// NOTE(review): in this listing the type arguments of pulumi.Input are missing
// (e.g. "pulumi.Input[]>"), so the element type of each field cannot be read from here.

/**
 * One diagnostic warning produced while processing an uploaded schema.
 */
export interface ApiShieldSchemaUploadDetailsWarning {
    /**
     * Code that identifies the event that occurred.
     */
    code?: pulumi.Input;
    /**
     * JSONPath location(s) in the schema where these events were encountered. See [https://goessner.net/articles/JsonPath/](https://goessner.net/articles/JsonPath/) for JSONPath specification.
     */
    locations?: pulumi.Input[]>;
    /**
     * Diagnostic message that describes the event.
     */
    message?: pulumi.Input;
}

/**
 * Conditions on the use of an API token. The only condition visible here is a
 * client-IP restriction; when `requestIp` is omitted, nothing in this type limits
 * where the token can be used from.
 */
export interface ApiTokenCondition {
    /**
     * Client IP restrictions.
     */
    requestIp?: pulumi.Input;
}

/**
 * Client-IP restriction for an API token, expressed as two CIDR lists.
 */
export interface ApiTokenConditionRequestIp {
    /**
     * List of IPv4/IPv6 CIDR addresses.
     *
     * NOTE(review): judging by the name, presumably the ranges a request must come
     * from for the token to be accepted; confirm against the API reference.
     */
    ins?: pulumi.Input[]>;
    /**
     * List of IPv4/IPv6 CIDR addresses.
     *
     * NOTE(review): judging by the name, presumably ranges from which the token is
     * refused; confirm against the API reference.
     */
    notIns?: pulumi.Input[]>;
}

/**
 * One policy statement of an API token: an effect, the permission groups it covers
 * and the resources it applies to. All three fields are required.
 * Keep `permissionGroups` and `resources` as narrow as the token's purpose allows.
 */
export interface ApiTokenPolicy {
    /**
     * Allow or deny operations against the resources.
     * Available values: "allow", "deny".
     *
     * NOTE(review): how overlapping "allow" and "deny" policies are resolved is not
     * stated here; confirm before relying on a "deny" entry to override a broader "allow".
     */
    effect: pulumi.Input;
    /**
     * A set of permission groups that are specified to the policy.
     */
    permissionGroups: pulumi.Input[]>;
    /**
     * A json object representing the resources that are specified to the policy.
     */
    resources: pulumi.Input;
}

/**
 * Reference to a permission group by its identifier.
 */
export interface ApiTokenPolicyPermissionGroup {
    /**
     * Identifier of the permission group.
     */
    id: pulumi.Input;
}

/**
 * Hostname-level authenticated origin pulls: associates an uploaded client
 * certificate with a hostname on the origin.
 *
 * NOTE(review): this type only selects the client certificate used for the
 * hostname. Whether the origin requires and verifies that certificate is
 * configured on the origin itself and is not visible here.
 */
export interface AuthenticatedOriginPullsConfig {
    /**
     * Certificate identifier tag.
     */
    certId?: pulumi.Input;
    /**
     * Indicates whether hostname-level authenticated origin pulls is enabled. A null value voids the association.
     */
    enabled?: pulumi.Input;
    /**
     * The hostname on the origin for which the client certificate uploaded will be used.
     */
    hostname?: pulumi.Input;
}

/**
 * Bot-management settings reported for a zone. Going by the type name these are
 * stale values (TODO confirm what makes a configuration stale).
 */
export interface BotManagementStaleZoneConfiguration {
    /**
     * Indicates that the zone's Bot Fight Mode is turned on.
     */
    fightMode?: pulumi.Input;
    /**
     * Indicates that the zone's wordpress optimization for SBFM is turned on.
     */
    optimizeWordpress?: pulumi.Input;
    /**
     * Indicates that the zone's definitely automated requests are being blocked or challenged.
*/ sbfmDefinitelyAutomated?: pulumi.Input; /** * Indicates that the zone's likely automated requests are being blocked or challenged. */ sbfmLikelyAutomated?: pulumi.Input; /** * Indicates that the zone's static resource protection is turned on. */ sbfmStaticResourceProtection?: pulumi.Input; /** * Indicates that the zone's verified bot requests are being blocked. */ sbfmVerifiedBots?: pulumi.Input; /** * Indicates that the zone's session score tracking is disabled. */ suppressSessionScore?: pulumi.Input; } export interface CertificatePackCertificate { /** * Certificate bundle method. */ bundleMethod?: pulumi.Input; /** * When the certificate from the authority expires. */ expiresOn?: pulumi.Input; /** * Specify the region where your private key can be held locally. */ geoRestrictions?: pulumi.Input; /** * Hostnames covered by this certificate. */ hosts?: pulumi.Input[]>; /** * Certificate identifier. */ id?: pulumi.Input; /** * The certificate authority that issued the certificate. */ issuer?: pulumi.Input; /** * When the certificate was last modified. */ modifiedOn?: pulumi.Input; /** * The order/priority in which the certificate will be used. */ priority?: pulumi.Input; /** * The type of hash used for the certificate. */ signature?: pulumi.Input; /** * Certificate status. */ status?: pulumi.Input; /** * When the certificate was uploaded to Cloudflare. */ uploadedOn?: pulumi.Input; /** * Identifier. */ zoneId?: pulumi.Input; } export interface CertificatePackCertificateGeoRestrictions { /** * Available values: "us", "eu", "highestSecurity". */ label?: pulumi.Input; } export interface CertificatePackDcvDelegationRecord { /** * The CNAME record hostname for DCV delegation. */ cname?: pulumi.Input; /** * The CNAME record target value for DCV delegation. */ cnameTarget?: pulumi.Input; /** * The set of email addresses that the certificate authority (CA) will use to complete domain validation. 
*/ emails?: pulumi.Input[]>; /** * The content that the certificate authority (CA) will expect to find at the httpUrl during the domain validation. */ httpBody?: pulumi.Input; /** * The url that will be checked during domain validation. */ httpUrl?: pulumi.Input; /** * Status of the validation record. */ status?: pulumi.Input; /** * The hostname that the certificate authority (CA) will check for a TXT record during domain validation . */ txtName?: pulumi.Input; /** * The TXT record that the certificate authority (CA) will check during domain validation. */ txtValue?: pulumi.Input; } export interface CertificatePackValidationError { /** * A domain validation error. */ message?: pulumi.Input; } export interface CertificatePackValidationRecord { /** * The CNAME record hostname for DCV delegation. */ cname?: pulumi.Input; /** * The CNAME record target value for DCV delegation. */ cnameTarget?: pulumi.Input; /** * The set of email addresses that the certificate authority (CA) will use to complete domain validation. */ emails?: pulumi.Input[]>; /** * The content that the certificate authority (CA) will expect to find at the httpUrl during the domain validation. */ httpBody?: pulumi.Input; /** * The url that will be checked during domain validation. */ httpUrl?: pulumi.Input; /** * Status of the validation record. */ status?: pulumi.Input; /** * The hostname that the certificate authority (CA) will check for a TXT record during domain validation . */ txtName?: pulumi.Input; /** * The TXT record that the certificate authority (CA) will check during domain validation. 
*/ txtValue?: pulumi.Input; } export interface ClientCertificateCertificateAuthority { id?: pulumi.Input; name?: pulumi.Input; } export interface CloudConnectorRulesRule { description?: pulumi.Input; enabled?: pulumi.Input; expression?: pulumi.Input; id?: pulumi.Input; /** * Parameters of Cloud Connector Rule */ parameters?: pulumi.Input; /** * Cloud Provider type * Available values: "aws*s3", "cloudflare*r2", "gcp*storage", "azure*storage". */ provider?: pulumi.Input; } export interface CloudConnectorRulesRuleParameters { /** * Host to perform Cloud Connection to */ host?: pulumi.Input; } export interface ConnectivityDirectoryServiceHost { hostname?: pulumi.Input; ipv4?: pulumi.Input; ipv6?: pulumi.Input; network?: pulumi.Input; resolverNetwork?: pulumi.Input; } export interface ConnectivityDirectoryServiceHostNetwork { tunnelId: pulumi.Input; } export interface ConnectivityDirectoryServiceHostResolverNetwork { resolverIps?: pulumi.Input[]>; tunnelId: pulumi.Input; } export interface ContentScanningExpressionBody { /** * Defines the ruleset expression to use in matching content objects. */ payload: pulumi.Input; } export interface CustomHostnameOwnershipVerification { /** * DNS Name for record. */ name?: pulumi.Input; /** * DNS Record type. * Available values: "txt". */ type?: pulumi.Input; /** * Content for the record. */ value?: pulumi.Input; } export interface CustomHostnameOwnershipVerificationHttp { /** * Token to be served. */ httpBody?: pulumi.Input; /** * The HTTP URL that will be checked during custom hostname verification and where the customer should host the token. */ httpUrl?: pulumi.Input; } export interface CustomHostnameSsl { /** * A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. And the force bundle verifies the chain, but does not otherwise modify it. 
* Available values: "ubiquitous", "optimal", "force".
     */
    bundleMethod?: pulumi.Input;
    /**
     * The Certificate Authority that will issue the certificate
     * Available values: "digicert", "google", "lets_encrypt", "ssl_com".
     */
    certificateAuthority?: pulumi.Input;
    /**
     * Whether or not to add Cloudflare Branding for the order. This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true
     */
    cloudflareBranding?: pulumi.Input;
    /**
     * Array of custom certificate and key pairs (1 or 2 pairs allowed)
     */
    customCertBundles?: pulumi.Input[]>;
    /**
     * If a custom uploaded certificate is used.
     */
    customCertificate?: pulumi.Input;
    /**
     * The key for a custom uploaded certificate.
     *
     * This is private key material. Supply it as a Pulumi secret (for example a
     * value wrapped with `pulumi.secret`) rather than a plain string literal.
     * NOTE(review): whether the provider marks this field secret on its own is not
     * visible here; confirm how it is stored in state.
     */
    customKey?: pulumi.Input;
    /**
     * Domain control validation (DCV) method used for this hostname.
     * Available values: "http", "txt", "email".
     */
    method?: pulumi.Input;
    /**
     * SSL specific settings.
     */
    settings?: pulumi.Input;
    /**
     * Level of validation to be used for this hostname. Domain validation (dv) must be used.
     * Available values: "dv".
     */
    type?: pulumi.Input;
    /**
     * Indicates whether the certificate covers a wildcard.
     */
    wildcard?: pulumi.Input;
}

// NOTE(review): in this listing the type arguments of pulumi.Input are missing
// (e.g. "pulumi.Input[]>"), so the element type of each field cannot be read from here.

/**
 * One custom certificate and key pair for a custom hostname. Both fields are required.
 */
export interface CustomHostnameSslCustomCertBundle {
    /**
     * If a custom uploaded certificate is used.
     */
    customCertificate: pulumi.Input;
    /**
     * The key for a custom uploaded certificate.
     *
     * This is private key material. Supply it as a Pulumi secret (for example a
     * value wrapped with `pulumi.secret`) rather than a plain string literal.
     */
    customKey: pulumi.Input;
}

/**
 * TLS settings for a custom hostname: cipher allowlist, minimum TLS version and
 * on/off switches for Early Hints, HTTP2 and TLS 1.3. All fields are optional.
 */
export interface CustomHostnameSslSettings {
    /**
     * An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.
     */
    ciphers?: pulumi.Input[]>;
    /**
     * Whether or not Early Hints is enabled.
     * Available values: "on", "off".
     */
    earlyHints?: pulumi.Input;
    /**
     * Whether or not HTTP2 is enabled.
     * Available values: "on", "off".
     */
    http2?: pulumi.Input;
    /**
     * The minimum TLS version supported.
     * Available values: "1.0", "1.1", "1.2", "1.3".
     *
     * TLS 1.0 and 1.1 are formally deprecated (RFC 8996); use "1.2" or "1.3" unless
     * a known legacy client requires otherwise. The default when omitted is not
     * shown here, so set the value explicitly.
     */
    minTlsVersion?: pulumi.Input;
    /**
     * Whether or not TLS 1.3 is enabled.
     * Available values: "on", "off".
     */
    tls13?: pulumi.Input;
}

/**
 * Geographic restriction label for a custom certificate.
 */
export interface CustomSslGeoRestrictions {
    /**
     * Available values: "us", "eu", "highestSecurity".
     *
     * NOTE(review): "highestSecurity" may be a rendering of the API value
     * "highest_security"; confirm the exact string before using it.
     */
    label?: pulumi.Input;
}

/**
 * Keyless SSL server attached to a custom certificate. Per the field docs,
 * Cloudflare talks to the customer's Keyless SSL server on `port`, optionally
 * through a Cloudflare Tunnel (`tunnel`).
 */
export interface CustomSslKeylessServer {
    /**
     * When the Keyless SSL was created.
     */
    createdOn?: pulumi.Input;
    /**
     * Whether or not the Keyless SSL is on or off.
     */
    enabled?: pulumi.Input;
    /**
     * The keyless SSL name.
     */
    host?: pulumi.Input;
    /**
     * Keyless certificate identifier tag.
     */
    id?: pulumi.Input;
    /**
     * When the Keyless SSL was last modified.
     */
    modifiedOn?: pulumi.Input;
    /**
     * The keyless SSL name.
     */
    name?: pulumi.Input;
    /**
     * Available permissions for the Keyless SSL for the current user requesting the item.
     */
    permissions?: pulumi.Input[]>;
    /**
     * The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server.
     */
    port?: pulumi.Input;
    /**
     * Status of the Keyless SSL.
     * Available values: "active", "deleted".
     */
    status?: pulumi.Input;
    /**
     * Configuration for using Keyless SSL through a Cloudflare Tunnel
     */
    tunnel?: pulumi.Input;
}

/**
 * Tunnel route to the key server: its private IP and the virtual network it lives in.
 */
export interface CustomSslKeylessServerTunnel {
    /**
     * Private IP of the Key Server Host
     */
    privateIp?: pulumi.Input;
    /**
     * Cloudflare Tunnel Virtual Network ID
     */
    vnetId?: pulumi.Input;
}

/**
 * Read replication setting of a D1 database.
 */
export interface D1DatabaseReadReplication {
    /**
     * The read replication mode for the database. Use 'auto' to create replicas and allow D1 automatically place them around the world, or 'disabled' to not use any database replicas (it can take a few hours for all replicas to be deleted).
     * Available values: "auto", "disabled".
     */
    mode: pulumi.Input;
}

/**
 * How the WARP client recognises a managed network: a TLS endpoint
 * (`tlsSockaddr`, required) and optionally the hash of the certificate it presents.
 */
export interface DeviceManagedNetworksConfig {
    /**
     * The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.
     *
     * When a hash is set, it has to be updated whenever the certificate at
     * `tlsSockaddr` is replaced, otherwise the pinned value no longer matches.
     * NOTE(review): presumably the hash comparison replaces regular chain
     * validation when set; confirm against the product documentation.
     */
    sha256?: pulumi.Input;
    /**
     * A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
     */
    tlsSockaddr: pulumi.Input;
}

/**
 * Connection settings for a third-party device posture provider. Per the field
 * docs, individual fields belong to different providers (Workspace One, Uptycs,
 * Crowdstrike), so only the ones for the chosen provider are expected to be set.
 *
 * `accessClientSecret`, `clientKey` and `clientSecret` are credentials: supply
 * them as Pulumi secrets (for example values wrapped with `pulumi.secret`) rather
 * than plain string literals.
 */
export interface DevicePostureIntegrationConfig {
    /**
     * If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `apiUrl`.
     */
    accessClientId?: pulumi.Input;
    /**
     * If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `apiUrl`.
     */
    accessClientSecret?: pulumi.Input;
    /**
     * The Workspace One API URL provided in the Workspace One Admin Dashboard.
     */
    apiUrl?: pulumi.Input;
    /**
     * The Workspace One Authorization URL depending on your region.
     */
    authUrl?: pulumi.Input;
    /**
     * The Workspace One client ID provided in the Workspace One Admin Dashboard.
     */
    clientId?: pulumi.Input;
    /**
     * The Uptycs client secret.
     */
    clientKey?: pulumi.Input;
    /**
     * The Workspace One client secret provided in the Workspace One Admin Dashboard.
     */
    clientSecret?: pulumi.Input;
    /**
     * The Crowdstrike customer ID.
     */
    customerId?: pulumi.Input;
}

/**
 * Inputs of a device posture rule. Every field is optional; judging by the field
 * descriptions, each applies only to particular kinds of posture check.
 */
export interface DevicePostureRuleInput {
    /**
     * The Number of active threats.
     */
    activeThreats?: pulumi.Input;
    /**
     * UUID of Cloudflare managed certificate.
     */
    certificateId?: pulumi.Input;
    /**
     * List of volume names to be checked for encryption.
     */
    checkDisks?: pulumi.Input[]>;
    /**
     * Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
     */
    checkPrivateKey?: pulumi.Input;
    /**
     * Common Name that is protected by the certificate.
     */
    cn?: pulumi.Input;
    /**
     * Compliance Status.
     * Available values: "compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error".
     */
    complianceStatus?: pulumi.Input;
    /**
     * Posture Integration ID.
     */
    connectionId?: pulumi.Input;
    /**
     * Count Operator.
     * Available values: "<", "<=", ">", ">=", "==".
     */
    countOperator?: pulumi.Input;
    /**
     * Domain.
     */
    domain?: pulumi.Input;
    /**
     * For more details on eid last seen, refer to the Tanium documentation.
     */
    eidLastSeen?: pulumi.Input;
    /**
     * Enabled.
*/ enabled?: pulumi.Input; /** * Whether or not file exists. */ exists?: pulumi.Input; /** * List of values indicating purposes for which the certificate public key can be used. */ extendedKeyUsages?: pulumi.Input[]>; /** * List ID. */ id?: pulumi.Input; /** * Whether device is infected. */ infected?: pulumi.Input; /** * Whether device is active. */ isActive?: pulumi.Input; /** * The Number of Issues. */ issueCount?: pulumi.Input; /** * For more details on last seen, please refer to the Crowdstrike documentation. */ lastSeen?: pulumi.Input; locations?: pulumi.Input; /** * Network status of device. * Available values: "connected", "disconnected", "disconnecting", "connecting". */ networkStatus?: pulumi.Input; /** * Operating system. * Available values: "windows", "linux", "mac", "android", "ios", "chromeos". */ operatingSystem?: pulumi.Input; /** * Agent operational state. * Available values: "na", "partially*disabled", "auto*fully*disabled", "fully*disabled", "auto*partially*disabled", "disabled*error", "db*corruption". */ operationalState?: pulumi.Input; /** * Operator. * Available values: "<", "<=", ">", ">=", "==". */ operator?: pulumi.Input; /** * Os Version. */ os?: pulumi.Input; /** * Operating System Distribution Name (linux only). */ osDistroName?: pulumi.Input; /** * Version of OS Distribution (linux only). */ osDistroRevision?: pulumi.Input; /** * Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. */ osVersionExtra?: pulumi.Input; /** * Overall. */ overall?: pulumi.Input; /** * File path. */ path?: pulumi.Input; /** * Whether to check all disks for encryption. */ requireAll?: pulumi.Input; /** * For more details on risk level, refer to the Tanium documentation. * Available values: "low", "medium", "high", "critical". 
*/ riskLevel?: pulumi.Input; /** * A value between 0-100 assigned to devices set by the 3rd party posture provider. */ score?: pulumi.Input; /** * Score Operator. * Available values: "<", "<=", ">", ">=", "==". */ scoreOperator?: pulumi.Input; /** * SensorConfig. */ sensorConfig?: pulumi.Input; /** * SHA-256. */ sha256?: pulumi.Input; /** * For more details on state, please refer to the Crowdstrike documentation. * Available values: "online", "offline", "unknown". */ state?: pulumi.Input; /** * List of certificate Subject Alternative Names. */ subjectAlternativeNames?: pulumi.Input[]>; /** * Signing certificate thumbprint. */ thumbprint?: pulumi.Input; /** * For more details on total score, refer to the Tanium documentation. */ totalScore?: pulumi.Input; /** * Number of days that the antivirus should be updated within. */ updateWindowDays?: pulumi.Input; /** * Version of OS. */ version?: pulumi.Input; /** * Version Operator. * Available values: "<", "<=", ">", ">=", "==". */ versionOperator?: pulumi.Input; } export interface DevicePostureRuleInputLocations { /** * List of paths to check for client certificate on linux. */ paths?: pulumi.Input[]>; /** * List of trust stores to check for client certificate. */ trustStores?: pulumi.Input[]>; } export interface DevicePostureRuleMatch { /** * Available values: "windows", "mac", "linux", "android", "ios", "chromeos". */ platform?: pulumi.Input; } export interface DlpCustomProfileContextAwareness { /** * If true, scan the context of predefined entries to only return matches surrounded by keywords. */ enabled?: pulumi.Input; /** * Content types to exclude from context analysis and return all matches. */ skip?: pulumi.Input; } export interface DlpCustomProfileContextAwarenessSkip { /** * If the content type is a file, skip context analysis and return all matches. 
*/
    files?: pulumi.Input;
}

// NOTE(review): in this listing the type arguments of pulumi.Input are missing,
// so the element type of each field cannot be read from here.

/**
 * One entry of a custom DLP profile: a named pattern that can be enabled or disabled.
 * `enabled`, `name` and `pattern` are required.
 */
export interface DlpCustomProfileEntry {
    description?: pulumi.Input;
    enabled: pulumi.Input;
    entryId?: pulumi.Input;
    name: pulumi.Input;
    pattern: pulumi.Input;
}

/**
 * Pattern of a custom DLP entry: a required regular expression and an optional,
 * deprecated validation step.
 */
export interface DlpCustomProfileEntryPattern {
    // NOTE(review): presumably the expression that content is matched against;
    // its dialect and any length or complexity limits are not stated here.
    regex: pulumi.Input;
    /**
     * Available values: "luhn".
     *
     * @deprecated This attribute is deprecated.
     */
    validation?: pulumi.Input;
}

/**
 * Reference to an existing DLP entry shared into a custom profile. All fields are required.
 */
export interface DlpCustomProfileSharedEntry {
    enabled: pulumi.Input;
    entryId: pulumi.Input;
    /**
     * Available values: "custom", "predefined", "integration", "exact_data", "document_fingerprint".
     */
    entryType: pulumi.Input;
}

/**
 * Enable/disable switch for one entry of a predefined DLP profile.
 */
export interface DlpPredefinedProfileEntry {
    enabled: pulumi.Input;
    id: pulumi.Input;
}

/**
 * Random-prefix attack mitigation for DNS Firewall.
 */
export interface DnsFirewallAttackMitigation {
    /**
     * When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers
     */
    enabled?: pulumi.Input;
    /**
     * Only mitigate attacks when upstream servers seem unhealthy
     *
     * NOTE(review): with this set, mitigation waits until upstreams already look
     * unhealthy; how health is determined is not stated here.
     */
    onlyWhenUpstreamUnhealthy?: pulumi.Input;
}

/**
 * Structured components of a DNS record. Every field is optional; which ones
 * apply presumably depends on the record type (for example `flags` is documented
 * for CAA records and the lat/long fields describe a location).
 */
export interface DnsRecordData {
    /**
     * Algorithm.
     */
    algorithm?: pulumi.Input;
    /**
     * Altitude of location in meters.
     */
    altitude?: pulumi.Input;
    /**
     * Certificate.
     */
    certificate?: pulumi.Input;
    /**
     * Digest.
     */
    digest?: pulumi.Input;
    /**
     * Digest Type.
     */
    digestType?: pulumi.Input;
    /**
     * Fingerprint.
     */
    fingerprint?: pulumi.Input;
    /**
     * Flags for the CAA record.
     *
     * Typed as `any`, so the compiler does not check what is passed here.
     */
    flags?: any;
    /**
     * Key Tag.
     */
    keyTag?: pulumi.Input;
    /**
     * Degrees of latitude.
     */
    latDegrees?: pulumi.Input;
    /**
     * Latitude direction.
     * Available values: "N", "S".
     */
    latDirection?: pulumi.Input;
    /**
     * Minutes of latitude.
     */
    latMinutes?: pulumi.Input;
    /**
     * Seconds of latitude.
     */
    latSeconds?: pulumi.Input;
    /**
     * Degrees of longitude.
     */
    longDegrees?: pulumi.Input;
    /**
     * Longitude direction.
     * Available values: "E", "W".
     */
    longDirection?: pulumi.Input;
    /**
     * Minutes of longitude.
     */
    longMinutes?: pulumi.Input;
    /**
     * Seconds of longitude.
     */
    longSeconds?: pulumi.Input;
    /**
     * Matching Type.
     */
    matchingType?: pulumi.Input;
    /**
     * Order.
*/ order?: pulumi.Input; /** * The port of the service. */ port?: pulumi.Input; /** * Horizontal precision of location. */ precisionHorz?: pulumi.Input; /** * Vertical precision of location. */ precisionVert?: pulumi.Input; /** * Preference. */ preference?: pulumi.Input; /** * Priority. */ priority?: pulumi.Input; /** * Protocol. */ protocol?: pulumi.Input; /** * Public Key. */ publicKey?: pulumi.Input; /** * Regex. */ regex?: pulumi.Input; /** * Replacement. */ replacement?: pulumi.Input; /** * Selector. */ selector?: pulumi.Input; /** * Service. */ service?: pulumi.Input; /** * Size of location in meters. */ size?: pulumi.Input; /** * Name of the property controlled by this record (e.g.: issue, issuewild, iodef). */ tag?: pulumi.Input; /** * Target. */ target?: pulumi.Input; /** * Type. */ type?: pulumi.Input; /** * Usage. */ usage?: pulumi.Input; /** * Value of the record. This field's semantics depend on the chosen tag. */ value?: pulumi.Input; /** * The record weight. */ weight?: pulumi.Input; } export interface DnsRecordSettings { /** * If enabled, causes the CNAME record to be resolved externally and the resulting address records (e.g., A and AAAA) to be returned instead of the CNAME record itself. This setting is unavailable for proxied records, since they are always flattened. */ flattenCname?: pulumi.Input; /** * When enabled, only A records will be generated, and AAAA records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv4Only?: pulumi.Input; /** * When enabled, only AAAA records will be generated, and A records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. 
*/ ipv6Only?: pulumi.Input; } export interface EmailRoutingCatchAllAction { /** * Type of action for catch-all rule. * Available values: "drop", "forward", "worker". */ type: pulumi.Input; values?: pulumi.Input[]>; } export interface EmailRoutingCatchAllMatcher { /** * Type of matcher. Default is 'all'. * Available values: "all". */ type: pulumi.Input; } export interface EmailRoutingDnsError { code?: pulumi.Input; documentationUrl?: pulumi.Input; message?: pulumi.Input; source?: pulumi.Input; } export interface EmailRoutingDnsErrorSource { pointer?: pulumi.Input; } export interface EmailRoutingDnsMessage { code?: pulumi.Input; documentationUrl?: pulumi.Input; message?: pulumi.Input; source?: pulumi.Input; } export interface EmailRoutingDnsMessageSource { pointer?: pulumi.Input; } export interface EmailRoutingDnsResult { /** * DNS record content. */ content?: pulumi.Input; errors?: pulumi.Input[]>; /** * DNS record name (or @ for the zone apex). */ name?: pulumi.Input; /** * Required for MX, SRV and URI records. Unused by other record types. Records with lower priorities are preferred. */ priority?: pulumi.Input; records?: pulumi.Input[]>; /** * Time to live, in seconds, of the DNS record. Must be between 60 and 86400, or 1 for 'automatic'. */ ttl?: pulumi.Input; /** * DNS record type. * Available values: "A", "AAAA", "CNAME", "HTTPS", "TXT", "SRV", "LOC", "MX", "NS", "CERT", "DNSKEY", "DS", "NAPTR", "SMIMEA", "SSHFP", "SVCB", "TLSA", "URI". */ type?: pulumi.Input; } export interface EmailRoutingDnsResultError { code?: pulumi.Input; /** * List of records needed to enable an Email Routing zone. */ missing?: pulumi.Input; } export interface EmailRoutingDnsResultErrorMissing { /** * DNS record content. */ content?: pulumi.Input; /** * DNS record name (or @ for the zone apex). */ name?: pulumi.Input; /** * Required for MX, SRV and URI records. Unused by other record types. Records with lower priorities are preferred. 
*/ priority?: pulumi.Input; /** * Time to live, in seconds, of the DNS record. Must be between 60 and 86400, or 1 for 'automatic'. */ ttl?: pulumi.Input; /** * DNS record type. * Available values: "A", "AAAA", "CNAME", "HTTPS", "TXT", "SRV", "LOC", "MX", "NS", "CERT", "DNSKEY", "DS", "NAPTR", "SMIMEA", "SSHFP", "SVCB", "TLSA", "URI". */ type?: pulumi.Input; } export interface EmailRoutingDnsResultInfo { /** * Total number of results for the requested service. */ emailRoutingDnsCount?: pulumi.Input; /** * Current page within paginated list of results. */ page?: pulumi.Input; /** * Number of results per page of results. */ perPage?: pulumi.Input; /** * Total results available without any search parameters. */ totalCount?: pulumi.Input; } export interface EmailRoutingDnsResultRecord { /** * DNS record content. */ content?: pulumi.Input; /** * DNS record name (or @ for the zone apex). */ name?: pulumi.Input; /** * Required for MX, SRV and URI records. Unused by other record types. Records with lower priorities are preferred. */ priority?: pulumi.Input; /** * Time to live, in seconds, of the DNS record. Must be between 60 and 86400, or 1 for 'automatic'. */ ttl?: pulumi.Input; /** * DNS record type. * Available values: "A", "AAAA", "CNAME", "HTTPS", "TXT", "SRV", "LOC", "MX", "NS", "CERT", "DNSKEY", "DS", "NAPTR", "SMIMEA", "SSHFP", "SVCB", "TLSA", "URI". */ type?: pulumi.Input; } export interface EmailRoutingRuleAction { /** * Type of supported action. * Available values: "drop", "forward", "worker". */ type: pulumi.Input; values?: pulumi.Input[]>; } export interface EmailRoutingRuleMatcher { /** * Field for type matcher. * Available values: "to". */ field?: pulumi.Input; /** * Type of matcher. * Available values: "all", "literal". */ type: pulumi.Input; /** * Value for matcher. 
*/ value?: pulumi.Input; } export interface EmailSecurityTrustedDomainsBody { comments?: pulumi.Input; /** * Select to prevent recently registered domains from triggering a * Suspicious or Malicious disposition. */ isRecent: pulumi.Input; /** * NOTE(review): presumably marks `pattern` as a regular expression rather than a literal domain; confirm against the provider documentation. */ isRegex: pulumi.Input; /** * Select for partner or other approved domains that have similar * spelling to your connected domains. Prevents listed domains from * triggering a Spoof disposition. */ isSimilarity: pulumi.Input; /** * NOTE(review): presumably the domain (or regular expression, see `isRegex`) that this entry trusts; confirm. Entries with `isRecent` or `isSimilarity` set stop matching domains from triggering the dispositions described on those fields, so keep the pattern as narrow as possible. */ pattern: pulumi.Input; } export interface FilterBody { /** * An informative summary of the filter. */ description?: pulumi.Input; /** * The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/). */ expression?: pulumi.Input; /** * The unique identifier of the filter. */ id?: pulumi.Input; /** * When true, indicates that the filter is currently paused. */ paused?: pulumi.Input; /** * A short reference tag. Allows you to select related filters. */ ref?: pulumi.Input; } export interface FirewallRuleAction { /** * The action to perform. * Available values: "simulate", "ban", "challenge", "js_challenge", "managed_challenge". */ mode?: pulumi.Input; /** * A custom content type and response to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. * Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. */ response?: pulumi.Input; /** * The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. * Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. 
*/ timeout?: pulumi.Input; } export interface FirewallRuleActionResponse { /** * The response body to return. The value must conform to the configured content type. */ body?: pulumi.Input; /** * The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. */ contentType?: pulumi.Input; } export interface FirewallRuleFilter { /** * An informative summary of the filter. */ description?: pulumi.Input; /** * The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/). */ expression?: pulumi.Input; /** * The unique identifier of the filter. */ id?: pulumi.Input; /** * When true, indicates that the filter is currently paused. */ paused?: pulumi.Input; /** * A short reference tag. Allows you to select related filters. */ ref?: pulumi.Input; } export interface GetAccessRuleFilter { configuration?: inputs.GetAccessRuleFilterConfiguration; /** * Defines the direction used to sort returned rules. * Available values: "asc", "desc". */ direction?: string; /** * Defines the search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match. * Available values: "any", "all". */ match?: string; /** * The action to apply to a matched request. * Available values: "block", "challenge", "whitelist", "js_challenge", "managed_challenge". */ mode?: string; /** * Defines the string to search for in the notes of existing IP Access rules. * Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive. */ notes?: string; /** * Defines the field used to sort returned rules. * Available values: "configuration.target", "configuration.value", "mode". */ order?: string; } export interface GetAccessRuleFilterArgs { configuration?: pulumi.Input; /** * Defines the direction used to sort returned rules. 
* Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Defines the search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match. * Available values: "any", "all". */ match?: pulumi.Input; /** * The action to apply to a matched request. * Available values: "block", "challenge", "whitelist", "js_challenge", "managed_challenge". */ mode?: pulumi.Input; /** * Defines the string to search for in the notes of existing IP Access rules. * Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive. */ notes?: pulumi.Input; /** * Defines the field used to sort returned rules. * Available values: "configuration.target", "configuration.value", "mode". */ order?: pulumi.Input; } export interface GetAccessRuleFilterConfiguration { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: string; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: string; } export interface GetAccessRuleFilterConfigurationArgs { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: pulumi.Input; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. 
*/ value?: pulumi.Input; } export interface GetAccessRulesConfiguration { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: string; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: string; } export interface GetAccessRulesConfigurationArgs { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: pulumi.Input; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: pulumi.Input; } export interface GetAccountDnsSettingsInternalViewFilter { /** * Direction to order DNS views in. * Available values: "asc", "desc". */ direction?: string; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. * Available values: "any", "all". */ match?: string; name?: inputs.GetAccountDnsSettingsInternalViewFilterName; /** * Field to order DNS views by. * Available values: "name", "created_on", "modified_on". */ order?: string; /** * A zone ID that exists in the zones list for the view. */ zoneId?: string; /** * A zone name that exists in the zones list for the view. */ zoneName?: string; } export interface GetAccountDnsSettingsInternalViewFilterArgs { /** * Direction to order DNS views in. * Available values: "asc", "desc". 
*/ direction?: pulumi.Input; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. * Available values: "any", "all". */ match?: pulumi.Input; name?: pulumi.Input; /** * Field to order DNS views by. * Available values: "name", "created_on", "modified_on". */ order?: pulumi.Input; /** * A zone ID that exists in the zones list for the view. */ zoneId?: pulumi.Input; /** * A zone name that exists in the zones list for the view. */ zoneName?: pulumi.Input; } export interface GetAccountDnsSettingsInternalViewFilterName { /** * Substring of the DNS view name. */ contains?: string; /** * Suffix of the DNS view name. */ endswith?: string; /** * Exact value of the DNS view name. */ exact?: string; /** * Prefix of the DNS view name. */ startswith?: string; } export interface GetAccountDnsSettingsInternalViewFilterNameArgs { /** * Substring of the DNS view name. */ contains?: pulumi.Input; /** * Suffix of the DNS view name. */ endswith?: pulumi.Input; /** * Exact value of the DNS view name. */ exact?: pulumi.Input; /** * Prefix of the DNS view name. */ startswith?: pulumi.Input; } export interface GetAccountDnsSettingsInternalViewsName { /** * Substring of the DNS view name. */ contains?: string; /** * Suffix of the DNS view name. */ endswith?: string; /** * Exact value of the DNS view name. */ exact?: string; /** * Prefix of the DNS view name. */ startswith?: string; } export interface GetAccountDnsSettingsInternalViewsNameArgs { /** * Substring of the DNS view name. */ contains?: pulumi.Input; /** * Suffix of the DNS view name. */ endswith?: pulumi.Input; /** * Exact value of the DNS view name. */ exact?: pulumi.Input; /** * Prefix of the DNS view name. */ startswith?: pulumi.Input; } export interface GetAccountFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; /** * Name of the account. 
*/ name?: string; } export interface GetAccountFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Name of the account. */ name?: pulumi.Input; } export interface GetAccountMemberFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; /** * Field to order results by. * Available values: "user.first_name", "user.last_name", "user.email", "status". */ order?: string; /** * A member's status in the account. * Available values: "accepted", "pending", "rejected". */ status?: string; } export interface GetAccountMemberFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Field to order results by. * Available values: "user.first_name", "user.last_name", "user.email", "status". */ order?: pulumi.Input; /** * A member's status in the account. * Available values: "accepted", "pending", "rejected". */ status?: pulumi.Input; } export interface GetAccountTokenFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; } export interface GetAccountTokenFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; } export interface GetAiSearchInstanceFilter { /** * Search by id */ search?: string; } export interface GetAiSearchInstanceFilterArgs { /** * Search by id */ search?: pulumi.Input; } export interface GetApiShieldOperationFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; /** * Filter results to only include endpoints containing this pattern. */ endpoint?: string; /** * Add feature(s) to the results. The feature name that is given here corresponds to the resulting feature object. Have a look at the top-level object description for more details on the specific meaning. */ features?: string[]; /** * Filter results to only include the specified hosts. 
*/ hosts?: string[]; /** * Filter results to only include the specified HTTP methods. */ methods?: string[]; /** * Field to order by. When requesting a feature, the feature keys are available for ordering as well, e.g., `thresholds.suggested_threshold`. * Available values: "method", "host", "endpoint", "thresholds.$key". */ order?: string; } export interface GetApiShieldOperationFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Filter results to only include endpoints containing this pattern. */ endpoint?: pulumi.Input; /** * Add feature(s) to the results. The feature name that is given here corresponds to the resulting feature object. Have a look at the top-level object description for more details on the specific meaning. */ features?: pulumi.Input[]>; /** * Filter results to only include the specified hosts. */ hosts?: pulumi.Input[]>; /** * Filter results to only include the specified HTTP methods. */ methods?: pulumi.Input[]>; /** * Field to order by. When requesting a feature, the feature keys are available for ordering as well, e.g., `thresholds.suggested_threshold`. * Available values: "method", "host", "endpoint", "thresholds.$key". */ order?: pulumi.Input; } export interface GetApiTokenFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; } export interface GetApiTokenFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; } export interface GetCertificatePackFilter { /** * Specify the deployment environment for the certificate packs. * Available values: "staging", "production". */ deploy?: string; /** * Include Certificate Packs of all statuses, not just active ones. * Available values: "all". */ status?: string; } export interface GetCertificatePackFilterArgs { /** * Specify the deployment environment for the certificate packs. * Available values: "staging", "production". 
*/ deploy?: pulumi.Input; /** * Include Certificate Packs of all statuses, not just active ones. * Available values: "all". */ status?: pulumi.Input; } export interface GetClientCertificateFilter { /** * Limit to the number of records returned. */ limit?: number; /** * Offset the results */ offset?: number; /** * Client Certificate Status to filter results by. * Available values: "all", "active", "pending_reactivation", "pending_revocation", "revoked". */ status?: string; } export interface GetClientCertificateFilterArgs { /** * Limit to the number of records returned. */ limit?: pulumi.Input; /** * Offset the results */ offset?: pulumi.Input; /** * Client Certificate Status to filter results by. * Available values: "all", "active", "pending_reactivation", "pending_revocation", "revoked". */ status?: pulumi.Input; } export interface GetCloudforceOneRequestFilter { /** * Retrieve requests completed after this time. */ completedAfter?: string; /** * Retrieve requests completed before this time. */ completedBefore?: string; /** * Retrieve requests created after this time. */ createdAfter?: string; /** * Retrieve requests created before this time. */ createdBefore?: string; /** * Page number of results. */ page: number; /** * Number of results per page. */ perPage: number; /** * Requested information from request. */ requestType?: string; /** * Field to sort results by. */ sortBy?: string; /** * Sort order (asc or desc). * Available values: "asc", "desc". */ sortOrder?: string; /** * Request Status. * Available values: "open", "accepted", "reported", "approved", "completed", "declined". */ status?: string; } export interface GetCloudforceOneRequestFilterArgs { /** * Retrieve requests completed after this time. */ completedAfter?: pulumi.Input; /** * Retrieve requests completed before this time. */ completedBefore?: pulumi.Input; /** * Retrieve requests created after this time. */ createdAfter?: pulumi.Input; /** * Retrieve requests created before this time. 
*/ createdBefore?: pulumi.Input; /** * Page number of results. */ page: pulumi.Input; /** * Number of results per page. */ perPage: pulumi.Input; /** * Requested information from request. */ requestType?: pulumi.Input; /** * Field to sort results by. */ sortBy?: pulumi.Input; /** * Sort order (asc or desc). * Available values: "asc", "desc". */ sortOrder?: pulumi.Input; /** * Request Status. * Available values: "open", "accepted", "reported", "approved", "completed", "declined". */ status?: pulumi.Input; } export interface GetConnectivityDirectoryServiceFilter { /** * Available values: "http". */ type?: string; } export interface GetConnectivityDirectoryServiceFilterArgs { /** * Available values: "http". */ type?: pulumi.Input; } export interface GetCustomHostnameFilter { /** * Direction to order hostnames. * Available values: "asc", "desc". */ direction?: string; /** * Fully qualified domain name to match against. This parameter cannot be used with the 'id' parameter. */ hostname?: string; /** * Hostname ID to match against. This ID was generated and returned during the initial customHostname creation. This parameter cannot be used with the 'hostname' parameter. */ id?: string; /** * Field to order hostnames by. * Available values: "ssl", "sslStatus". */ order?: string; /** * Whether to filter hostnames based on if they have SSL enabled. * Available values: 0, 1. */ ssl?: number; } export interface GetCustomHostnameFilterArgs { /** * Direction to order hostnames. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Fully qualified domain name to match against. This parameter cannot be used with the 'id' parameter. */ hostname?: pulumi.Input; /** * Hostname ID to match against. This ID was generated and returned during the initial customHostname creation. This parameter cannot be used with the 'hostname' parameter. */ id?: pulumi.Input; /** * Field to order hostnames by. * Available values: "ssl", "sslStatus". 
*/ order?: pulumi.Input; /** * Whether to filter hostnames based on if they have SSL enabled. * Available values: 0, 1. */ ssl?: pulumi.Input; } export interface GetCustomOriginTrustStoreFilter { /** * Limit to the number of records returned. */ limit?: number; /** * Offset the results */ offset?: number; } export interface GetCustomOriginTrustStoreFilterArgs { /** * Limit to the number of records returned. */ limit?: pulumi.Input; /** * Offset the results */ offset?: pulumi.Input; } export interface GetCustomSslFilter { /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: string; /** * Status of the zone's custom SSL. * Available values: "active", "expired", "deleted", "pending", "initializing". */ status?: string; } export interface GetCustomSslFilterArgs { /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: pulumi.Input; /** * Status of the zone's custom SSL. * Available values: "active", "expired", "deleted", "pending", "initializing". */ status?: pulumi.Input; } export interface GetD1DatabaseFilter { /** * a database name to search for. */ name?: string; } export interface GetD1DatabaseFilterArgs { /** * a database name to search for. */ name?: pulumi.Input; } export interface GetDnsRecordFilter { comment?: inputs.GetDnsRecordFilterComment; content?: inputs.GetDnsRecordFilterContent; /** * Direction to order DNS records in. * Available values: "asc", "desc". */ direction?: string; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. Note that the interaction between tag filters is controlled by the `tag-match` parameter instead. * Available values: "any", "all". */ match?: string; name?: inputs.GetDnsRecordFilterName; /** * Field to order DNS records by. 
* Available values: "type", "name", "content", "ttl", "proxied". */ order?: string; /** * Whether the record is receiving the performance and security benefits of Cloudflare. */ proxied?: boolean; /** * Allows searching in multiple properties of a DNS record simultaneously. This parameter is intended for human users, not automation. Its exact behavior is intentionally left unspecified and is subject to change in the future. This parameter works independently of the `match` setting. For automated searches, please use the other available parameters. */ search?: string; tag?: inputs.GetDnsRecordFilterTag; /** * Whether to match all tag search requirements or at least one (any). If set to `all`, acts like a logical AND between tag filters. If set to `any`, acts like a logical OR instead. Note that the regular `match` parameter is still used to combine the resulting condition with other filters that aren't related to tags. * Available values: "any", "all". */ tagMatch?: string; /** * Record type. * Available values: "A", "AAAA", "CAA", "CERT", "CNAME", "DNSKEY", "DS", "HTTPS", "LOC", "MX", "NAPTR", "NS", "OPENPGPKEY", "PTR", "SMIMEA", "SRV", "SSHFP", "SVCB", "TLSA", "TXT", "URI". */ type?: string; } export interface GetDnsRecordFilterArgs { comment?: pulumi.Input; content?: pulumi.Input; /** * Direction to order DNS records in. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. Note that the interaction between tag filters is controlled by the `tag-match` parameter instead. * Available values: "any", "all". */ match?: pulumi.Input; name?: pulumi.Input; /** * Field to order DNS records by. * Available values: "type", "name", "content", "ttl", "proxied". */ order?: pulumi.Input; /** * Whether the record is receiving the performance and security benefits of Cloudflare. 
*/ proxied?: pulumi.Input; /** * Allows searching in multiple properties of a DNS record simultaneously. This parameter is intended for human users, not automation. Its exact behavior is intentionally left unspecified and is subject to change in the future. This parameter works independently of the `match` setting. For automated searches, please use the other available parameters. */ search?: pulumi.Input; tag?: pulumi.Input; /** * Whether to match all tag search requirements or at least one (any). If set to `all`, acts like a logical AND between tag filters. If set to `any`, acts like a logical OR instead. Note that the regular `match` parameter is still used to combine the resulting condition with other filters that aren't related to tags. * Available values: "any", "all". */ tagMatch?: pulumi.Input; /** * Record type. * Available values: "A", "AAAA", "CAA", "CERT", "CNAME", "DNSKEY", "DS", "HTTPS", "LOC", "MX", "NAPTR", "NS", "OPENPGPKEY", "PTR", "SMIMEA", "SRV", "SSHFP", "SVCB", "TLSA", "TXT", "URI". */ type?: pulumi.Input; } export interface GetDnsRecordFilterComment { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: string; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: string; /** * If this parameter is present, only records *with* a comment are returned. */ present?: string; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterCommentArgs { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: pulumi.Input; /** * Substring of the DNS record comment. Comment filters are case-insensitive. 
*/ contains?: pulumi.Input; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: pulumi.Input; /** * If this parameter is present, only records *with* a comment are returned. */ present?: pulumi.Input; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordFilterContent { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterContentArgs { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordFilterName { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterNameArgs { /** * Substring of the DNS record name. Name filters are case-insensitive. 
*/ contains?: pulumi.Input; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordFilterTag { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value contains `<tag-value>`. Tag filters are case-insensitive. */ contains?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value ends with `<tag-value>`. Tag filters are case-insensitive. */ endswith?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value is `<tag-value>`. Tag filters are case-insensitive. */ exact?: string; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value starts with `<tag-value>`. Tag filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterTagArgs { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value contains `<tag-value>`. Tag filters are case-insensitive. */ contains?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value ends with `<tag-value>`. Tag filters are case-insensitive. */ endswith?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. 
The API will only return DNS records that have a tag named `<tag-name>` whose value is `<tag-value>`. Tag filters are case-insensitive. */ exact?: pulumi.Input; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value starts with `<tag-value>`. Tag filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsComment { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: string; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: string; /** * If this parameter is present, only records *with* a comment are returned. */ present?: string; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsCommentArgs { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: pulumi.Input; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: pulumi.Input; /** * If this parameter is present, only records *with* a comment are returned. */ present?: pulumi.Input; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsContent { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record content. 
Content filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsContentArgs { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsName { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsNameArgs { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsTag { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value contains `<tag-value>`. Tag filters are case-insensitive. */ contains?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. 
The API will only return DNS records that have a tag named `<tag-name>` whose value ends with `<tag-value>`. Tag filters are case-insensitive. */ endswith?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value is `<tag-value>`. Tag filters are case-insensitive. */ exact?: string; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: string; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value starts with `<tag-value>`. Tag filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsTagArgs { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value contains `<tag-value>`. Tag filters are case-insensitive. */ contains?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value ends with `<tag-value>`. Tag filters are case-insensitive. */ endswith?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value is `<tag-value>`. Tag filters are case-insensitive. */ exact?: pulumi.Input; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: pulumi.Input; /** * A tag and value, of the form `<tag-name>:<tag-value>`. The API will only return DNS records that have a tag named `<tag-name>` whose value starts with `<tag-value>`. Tag filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetEmailRoutingAddressFilter { /** * Sorts results in an ascending or descending order. * Available values: "asc", "desc". */ direction?: string; /** * Filter by verified destination addresses. 
*/ verified?: boolean; } export interface GetEmailRoutingAddressFilterArgs { /** * Sorts results in an ascending or descending order. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Filter by verified destination addresses. */ verified?: pulumi.Input; } export interface GetEmailRoutingRuleFilter { /** * Filter by enabled routing rules. */ enabled?: boolean; } export interface GetEmailRoutingRuleFilterArgs { /** * Filter by enabled routing rules. */ enabled?: pulumi.Input; } export interface GetEmailSecurityBlockSenderFilter { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: string; pattern?: string; /** * Available values: "EMAIL", "DOMAIN", "IP", "UNKNOWN". */ patternType?: string; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: string; } export interface GetEmailSecurityBlockSenderFilterArgs { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: pulumi.Input; pattern?: pulumi.Input; /** * Available values: "EMAIL", "DOMAIN", "IP", "UNKNOWN". */ patternType?: pulumi.Input; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: pulumi.Input; } export interface GetEmailSecurityImpersonationRegistryFilter { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; /** * The field to sort by. * Available values: "name", "email", "createdAt". 
*/ order?: string; /** * Available values: "A1S_INTERNAL", "SNOOPY-CASB_OFFICE_365", "SNOOPY-OFFICE_365", "SNOOPY-GOOGLE_DIRECTORY". */ provenance?: string; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. * Because the matching is unspecified, do not rely on it to select entries that a deployment or policy depends on. */ search?: string; } export interface GetEmailSecurityImpersonationRegistryFilterArgs { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * The field to sort by. * Available values: "name", "email", "createdAt". */ order?: pulumi.Input; /** * Available values: "A1S_INTERNAL", "SNOOPY-CASB_OFFICE_365", "SNOOPY-OFFICE_365", "SNOOPY-GOOGLE_DIRECTORY". */ provenance?: pulumi.Input; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. * Because the matching is unspecified, do not rely on it to select entries that a deployment or policy depends on. */ search?: pulumi.Input; } export interface GetEmailSecurityTrustedDomainsFilter { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; isRecent?: boolean; isSimilarity?: boolean; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: string; pattern?: string; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. * Because the matching is unspecified, do not rely on it to select entries that a deployment or policy depends on. */ search?: string; } export interface GetEmailSecurityTrustedDomainsFilterArgs { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; isRecent?: pulumi.Input; isSimilarity?: pulumi.Input; /** * The field to sort by. * Available values: "pattern", "createdAt". 
*/ order?: pulumi.Input; pattern?: pulumi.Input; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: pulumi.Input; } export interface GetFilterFilter { /** * A case-insensitive string to find in the description. */ description?: string; /** * A case-insensitive string to find in the expression. */ expression?: string; /** * The unique identifier of the filter. */ id?: string; /** * When true, indicates that the filter is currently paused. */ paused?: boolean; /** * The filter ref (a short reference tag) to search for. Must be an exact match. */ ref?: string; } export interface GetFilterFilterArgs { /** * A case-insensitive string to find in the description. */ description?: pulumi.Input; /** * A case-insensitive string to find in the expression. */ expression?: pulumi.Input; /** * The unique identifier of the filter. */ id?: pulumi.Input; /** * When true, indicates that the filter is currently paused. */ paused?: pulumi.Input; /** * The filter ref (a short reference tag) to search for. Must be an exact match. */ ref?: pulumi.Input; } export interface GetLoadBalancerPoolFilter { /** * The ID of the Monitor to use for checking the health of origins within this pool. */ monitor?: string; } export interface GetLoadBalancerPoolFilterArgs { /** * The ID of the Monitor to use for checking the health of origins within this pool. */ monitor?: pulumi.Input; } export interface GetMagicTransitSiteFilter { /** * Identifier */ connectorid?: string; } export interface GetMagicTransitSiteFilterArgs { /** * Identifier */ connectorid?: pulumi.Input; } export interface GetOrganizationFilter { containing?: inputs.GetOrganizationFilterContaining; /** * Only return organizations with the specified IDs (ex. id=foo&id=bar). Send multiple elements * by repeating the query value. 
*/ ids?: string[]; name?: inputs.GetOrganizationFilterName; /** * The amount of items to return. Defaults to 10. */ pageSize?: number; /** * An opaque token returned from the last list response that when * provided will retrieve the next page. */ pageToken?: string; parent?: inputs.GetOrganizationFilterParent; } export interface GetOrganizationFilterArgs { containing?: pulumi.Input; /** * Only return organizations with the specified IDs (ex. id=foo&id=bar). Send multiple elements * by repeating the query value. */ ids?: pulumi.Input[]>; name?: pulumi.Input; /** * The amount of items to return. Defaults to 10. */ pageSize?: pulumi.Input; /** * An opaque token returned from the last list response that when * provided will retrieve the next page. */ pageToken?: pulumi.Input; parent?: pulumi.Input; } export interface GetOrganizationFilterContaining { /** * Filter the list of organizations to the ones that contain this particular * account. */ account?: string; /** * Filter the list of organizations to the ones that contain this particular * organization. */ organization?: string; /** * Filter the list of organizations to the ones that contain this particular * user. */ user?: string; } export interface GetOrganizationFilterContainingArgs { /** * Filter the list of organizations to the ones that contain this particular * account. */ account?: pulumi.Input; /** * Filter the list of organizations to the ones that contain this particular * organization. */ organization?: pulumi.Input; /** * Filter the list of organizations to the ones that contain this particular * user. */ user?: pulumi.Input; } export interface GetOrganizationFilterName { /** * (case-insensitive) Filter the list of organizations to where the name contains a particular * string. */ contains?: string; /** * (case-insensitive) Filter the list of organizations to where the name ends with a particular * string. 
*/ endsWith?: string; /** * (case-insensitive) Filter the list of organizations to where the name starts with a * particular string. */ startsWith?: string; } export interface GetOrganizationFilterNameArgs { /** * (case-insensitive) Filter the list of organizations to where the name contains a particular * string. */ contains?: pulumi.Input; /** * (case-insensitive) Filter the list of organizations to where the name ends with a particular * string. */ endsWith?: pulumi.Input; /** * (case-insensitive) Filter the list of organizations to where the name starts with a * particular string. */ startsWith?: pulumi.Input; } export interface GetOrganizationFilterParent { /** * Filter the list of organizations to the ones that are a sub-organization * of the specified organization. */ id?: string; } export interface GetOrganizationFilterParentArgs { /** * Filter the list of organizations to the ones that are a sub-organization * of the specified organization. */ id?: pulumi.Input; } export interface GetOrganizationsContaining { /** * Filter the list of organizations to the ones that contain this particular * account. */ account?: string; /** * Filter the list of organizations to the ones that contain this particular * organization. */ organization?: string; /** * Filter the list of organizations to the ones that contain this particular * user. */ user?: string; } export interface GetOrganizationsContainingArgs { /** * Filter the list of organizations to the ones that contain this particular * account. */ account?: pulumi.Input; /** * Filter the list of organizations to the ones that contain this particular * organization. */ organization?: pulumi.Input; /** * Filter the list of organizations to the ones that contain this particular * user. */ user?: pulumi.Input; } export interface GetOrganizationsName { /** * (case-insensitive) Filter the list of organizations to where the name contains a particular * string. 
*/ contains?: string; /** * (case-insensitive) Filter the list of organizations to where the name ends with a particular * string. */ endsWith?: string; /** * (case-insensitive) Filter the list of organizations to where the name starts with a * particular string. */ startsWith?: string; } export interface GetOrganizationsNameArgs { /** * (case-insensitive) Filter the list of organizations to where the name contains a particular * string. */ contains?: pulumi.Input; /** * (case-insensitive) Filter the list of organizations to where the name ends with a particular * string. */ endsWith?: pulumi.Input; /** * (case-insensitive) Filter the list of organizations to where the name starts with a * particular string. */ startsWith?: pulumi.Input; } export interface GetOrganizationsParent { /** * Filter the list of organizations to the ones that are a sub-organization * of the specified organization. */ id?: string; } export interface GetOrganizationsParentArgs { /** * Filter the list of organizations to the ones that are a sub-organization * of the specified organization. */ id?: pulumi.Input; } export interface GetOriginCaCertificateFilter { /** * Limit to the number of records returned. */ limit?: number; /** * Offset the results */ offset?: number; /** * Identifier. */ zoneId: string; } export interface GetOriginCaCertificateFilterArgs { /** * Limit to the number of records returned. */ limit?: pulumi.Input; /** * Offset the results */ offset?: pulumi.Input; /** * Identifier. */ zoneId: pulumi.Input; } export interface GetSchemaValidationSchemasFilter { /** * Filter for enabled schemas */ validationEnabled?: boolean; } export interface GetSchemaValidationSchemasFilterArgs { /** * Filter for enabled schemas */ validationEnabled?: pulumi.Input; } export interface GetSpectrumApplicationFilter { /** * Sets the direction by which results are ordered. * Available values: "asc", "desc". */ direction?: string; /** * Application field by which results are ordered. 
* Available values: "protocol", "app_id", "created_on", "modifiedOn", "dns". * NOTE(review): "modifiedOn" may be a generator rename of a snake_case API value — confirm before use. */ order?: string; } export interface GetSpectrumApplicationFilterArgs { /** * Sets the direction by which results are ordered. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Application field by which results are ordered. * Available values: "protocol", "app_id", "created_on", "modifiedOn", "dns". * NOTE(review): "modifiedOn" may be a generator rename of a snake_case API value — confirm before use. */ order?: pulumi.Input; } export interface GetTokenValidationRulesFilter { /** * Action to take on requests that match operations included in `selector` and fail `expression`. * Available values: "log", "block". * NOTE(review): as a filter this presumably selects rules by their configured action; filtering on "log" would then list rules that record failures without blocking them — confirm. */ action?: string; /** * Toggle rule on or off. */ enabled?: boolean; /** * Select rules with this host in `include`. */ host?: string; /** * Select rules with this host in `include`. * NOTE(review): same description as `host`; confirm which of the two the API honours. */ hostname?: string; /** * Select rules with these IDs. */ id?: string; /** * Select rules using any of these token configurations. */ tokenConfigurations?: string[]; } export interface GetTokenValidationRulesFilterArgs { /** * Action to take on requests that match operations included in `selector` and fail `expression`. * Available values: "log", "block". * NOTE(review): as a filter this presumably selects rules by their configured action; filtering on "log" would then list rules that record failures without blocking them — confirm. */ action?: pulumi.Input; /** * Toggle rule on or off. */ enabled?: pulumi.Input; /** * Select rules with this host in `include`. */ host?: pulumi.Input; /** * Select rules with this host in `include`. * NOTE(review): same description as `host`; confirm which of the two the API honours. */ hostname?: pulumi.Input; /** * Select rules with these IDs. */ id?: pulumi.Input; /** * Select rules using any of these token configurations. * NOTE(review): the type arguments of `pulumi.Input` appear to have been lost in this listing; GetTokenValidationRulesFilter declares this field as `string[]`. */ tokenConfigurations?: pulumi.Input[]>; } export interface GetTurnstileWidgetFilter { /** * Direction to order widgets. * Available values: "asc", "desc". */ direction?: string; /** * Filter widgets by field using case-insensitive substring matching. * Format: `field:value` */ filter?: string; /** * Field to order widgets by. * Available values: "id", "sitekey", "name", "createdOn", "modifiedOn". 
*/ order?: string; } export interface GetTurnstileWidgetFilterArgs { /** * Direction to order widgets. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Filter widgets by field using case-insensitive substring matching. * Format: `field:value` */ filter?: pulumi.Input; /** * Field to order widgets by. * Available values: "id", "sitekey", "name", "createdOn", "modifiedOn". */ order?: pulumi.Input; } export interface GetUserAgentBlockingRuleFilter { /** * A string to search for in the description of existing rules. */ description?: string; /** * When true, indicates that the rule is currently paused. */ paused?: boolean; /** * A string to search for in the user agent values of existing rules. */ userAgent?: string; } export interface GetUserAgentBlockingRuleFilterArgs { /** * A string to search for in the description of existing rules. */ description?: pulumi.Input; /** * When true, indicates that the rule is currently paused. */ paused?: pulumi.Input; /** * A string to search for in the user agent values of existing rules. */ userAgent?: pulumi.Input; } export interface GetWebAnalyticsSiteFilter { /** * The property used to sort the list of results. * Available values: "host", "created". */ orderBy?: string; } export interface GetWebAnalyticsSiteFilterArgs { /** * The property used to sort the list of results. * Available values: "host", "created". */ orderBy?: pulumi.Input; } export interface GetWorkersCustomDomainFilter { /** * Worker environment associated with the zone and hostname. */ environment?: string; /** * Hostname of the Worker Domain. */ hostname?: string; /** * Worker service associated with the zone and hostname. */ service?: string; /** * Identifier of the zone. */ zoneId?: string; /** * Name of the zone. */ zoneName?: string; } export interface GetWorkersCustomDomainFilterArgs { /** * Worker environment associated with the zone and hostname. */ environment?: pulumi.Input; /** * Hostname of the Worker Domain. 
*/ hostname?: pulumi.Input; /** * Worker service associated with the zone and hostname. */ service?: pulumi.Input; /** * Identifier of the zone. */ zoneId?: pulumi.Input; /** * Name of the zone. */ zoneName?: pulumi.Input; } export interface GetWorkersKvNamespaceFilter { /** * Direction to order namespaces. * Available values: "asc", "desc". */ direction?: string; /** * Field to order results by. * Available values: "id", "title". */ order?: string; } export interface GetWorkersKvNamespaceFilterArgs { /** * Direction to order namespaces. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Field to order results by. * Available values: "id", "title". */ order?: pulumi.Input; } export interface GetWorkersScriptFilter { /** * Filter scripts by tags. Format: comma-separated list of tag:allowed pairs where allowed is 'yes' or 'no'. * Example (constructed): `production:yes,staging:no`. */ tags?: string; } export interface GetWorkersScriptFilterArgs { /** * Filter scripts by tags. Format: comma-separated list of tag:allowed pairs where allowed is 'yes' or 'no'. * Example (constructed): `production:yes,staging:no`. */ tags?: pulumi.Input; } export interface GetWorkflowFilter { /** * Allows filtering by workflow name. */ search?: string; } export interface GetWorkflowFilterArgs { /** * Allows filtering by workflow name. */ search?: pulumi.Input; } export interface GetZeroTrustAccessAiControlsMcpPortalFilter { /** * Search by id, name, hostname */ search?: string; } export interface GetZeroTrustAccessAiControlsMcpPortalFilterArgs { /** * Search by id, name, hostname */ search?: pulumi.Input; } export interface GetZeroTrustAccessAiControlsMcpServerFilter { /** * Search by id, name */ search?: string; } export interface GetZeroTrustAccessAiControlsMcpServerFilterArgs { /** * Search by id, name */ search?: pulumi.Input; } export interface GetZeroTrustAccessApplicationFilter { /** * The aud (audience tag) of the app. */ aud?: string; /** * The domain of the app. */ domain?: string; /** * True for only exact string matches against passed name/domain query parameters. * NOTE(review): when this is unset, `name`/`domain` presumably match loosely, so a lookup can resolve to a different application than intended — set it to true when the result feeds policy; confirm the default. 
*/ exact?: boolean; /** * The name of the app. */ name?: string; /** * Search for apps by other listed query parameters. */ search?: string; } export interface GetZeroTrustAccessApplicationFilterArgs { /** * The aud of the app. */ aud?: pulumi.Input; /** * The domain of the app. */ domain?: pulumi.Input; /** * True for only exact string matches against passed name/domain query parameters. */ exact?: pulumi.Input; /** * The name of the app. */ name?: pulumi.Input; /** * Search for apps by other listed query parameters. */ search?: pulumi.Input; } export interface GetZeroTrustAccessGroupFilter { /** * The name of the group. */ name?: string; /** * Search for groups by other listed query parameters. */ search?: string; } export interface GetZeroTrustAccessGroupFilterArgs { /** * The name of the group. */ name?: pulumi.Input; /** * Search for groups by other listed query parameters. */ search?: pulumi.Input; } export interface GetZeroTrustAccessIdentityProviderFilter { /** * Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled. */ scimEnabled?: string; } export interface GetZeroTrustAccessIdentityProviderFilterArgs { /** * Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled. */ scimEnabled?: pulumi.Input; } export interface GetZeroTrustAccessInfrastructureTargetFilter { /** * Date and time at which the target was created after (inclusive) */ createdAfter?: string; /** * Date and time at which the target was created before (inclusive) */ createdBefore?: string; /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; /** * Hostname of a target */ hostname?: string; /** * Partial match to the hostname of a target */ hostnameContains?: string; /** * Filters for targets whose IP addresses look like the specified string. 
* Supports `*` as a wildcard character */ ipLike?: string; /** * IPv4 address of the target */ ipV4?: string; /** * IPv6 address of the target */ ipV6?: string; /** * Filters for targets that have any of the following IP addresses. Specify * `ips` multiple times in query parameter to build list of candidates. */ ips?: string[]; /** * Defines an IPv4 filter range's ending value (inclusive). Requires * `ipv4Start` to be specified as well. */ ipv4End?: string; /** * Defines an IPv4 filter range's starting value (inclusive). Requires * `ipv4End` to be specified as well. */ ipv4Start?: string; /** * Defines an IPv6 filter range's ending value (inclusive). Requires * `ipv6Start` to be specified as well. */ ipv6End?: string; /** * Defines an IPv6 filter range's starting value (inclusive). Requires * `ipv6End` to be specified as well. */ ipv6Start?: string; /** * Date and time at which the target was modified after (inclusive) */ modifiedAfter?: string; /** * Date and time at which the target was modified before (inclusive) */ modifiedBefore?: string; /** * The field to sort by. * Available values: "hostname", "createdAt". */ order?: string; /** * Filters for targets that have any of the following UUIDs. Specify * `targetIds` multiple times in query parameter to build list of * candidates. */ targetIds?: string[]; /** * Private virtual network identifier of the target */ virtualNetworkId?: string; } export interface GetZeroTrustAccessInfrastructureTargetFilterArgs { /** * Date and time at which the target was created after (inclusive) */ createdAfter?: pulumi.Input; /** * Date and time at which the target was created before (inclusive) */ createdBefore?: pulumi.Input; /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Hostname of a target */ hostname?: pulumi.Input; /** * Partial match to the hostname of a target */ hostnameContains?: pulumi.Input; /** * Filters for targets whose IP addresses look like the specified string. 
* Supports `*` as a wildcard character */ ipLike?: pulumi.Input; /** * IPv4 address of the target */ ipV4?: pulumi.Input; /** * IPv6 address of the target */ ipV6?: pulumi.Input; /** * Filters for targets that have any of the following IP addresses. Specify * `ips` multiple times in query parameter to build list of candidates. */ ips?: pulumi.Input[]>; /** * Defines an IPv4 filter range's ending value (inclusive). Requires * `ipv4Start` to be specified as well. */ ipv4End?: pulumi.Input; /** * Defines an IPv4 filter range's starting value (inclusive). Requires * `ipv4End` to be specified as well. */ ipv4Start?: pulumi.Input; /** * Defines an IPv6 filter range's ending value (inclusive). Requires * `ipv6Start` to be specified as well. */ ipv6End?: pulumi.Input; /** * Defines an IPv6 filter range's starting value (inclusive). Requires * `ipv6End` to be specified as well. */ ipv6Start?: pulumi.Input; /** * Date and time at which the target was modified after (inclusive) */ modifiedAfter?: pulumi.Input; /** * Date and time at which the target was modified before (inclusive) */ modifiedBefore?: pulumi.Input; /** * The field to sort by. * Available values: "hostname", "createdAt". */ order?: pulumi.Input; /** * Filters for targets that have any of the following UUIDs. Specify * `targetIds` multiple times in query parameter to build list of * candidates. */ targetIds?: pulumi.Input[]>; /** * Private virtual network identifier of the target */ virtualNetworkId?: pulumi.Input; } export interface GetZeroTrustAccessServiceTokenFilter { /** * The name of the service token. */ name?: string; /** * Search for service tokens by other listed query parameters. */ search?: string; } export interface GetZeroTrustAccessServiceTokenFilterArgs { /** * The name of the service token. */ name?: pulumi.Input; /** * Search for service tokens by other listed query parameters. 
*/ search?: pulumi.Input; } export interface GetZeroTrustDexTestFilter { /** * Filter by test type * Available values: "http", "traceroute". */ kind?: string; /** * Filter by test name */ testName?: string; } export interface GetZeroTrustDexTestFilterArgs { /** * Filter by test type * Available values: "http", "traceroute". */ kind?: pulumi.Input; /** * Filter by test name */ testName?: pulumi.Input; } export interface GetZeroTrustDexTestTargetPolicy { /** * Whether the DEX rule is the account default */ default?: boolean; /** * API Resource UUID tag. */ id?: string; /** * The name of the DEX rule */ name?: string; } export interface GetZeroTrustDexTestTargetPolicyArgs { /** * Whether the DEX rule is the account default */ default?: pulumi.Input; /** * API Resource UUID tag. */ id?: pulumi.Input; /** * The name of the DEX rule */ name?: pulumi.Input; } export interface GetZeroTrustListFilter { /** * Specify the list type. * Available values: "SERIAL", "URL", "DOMAIN", "EMAIL", "IP", "CATEGORY", "LOCATION", "DEVICE". */ type?: string; } export interface GetZeroTrustListFilterArgs { /** * Specify the list type. * Available values: "SERIAL", "URL", "DOMAIN", "EMAIL", "IP", "CATEGORY", "LOCATION", "DEVICE". */ type?: pulumi.Input; } export interface GetZeroTrustNetworkHostnameRouteFilter { /** * If set, only list hostname routes with the given comment. */ comment?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; /** * If set, only list hostname routes that contain a substring of the given value, the filter is case-insensitive. */ hostname?: string; /** * The hostname route ID. */ id?: string; /** * If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes. */ isDeleted?: boolean; /** * If set, only list hostname routes that point to a specific tunnel. 
*/ tunnelId?: string; } export interface GetZeroTrustNetworkHostnameRouteFilterArgs { /** * If set, only list hostname routes with the given comment. */ comment?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; /** * If set, only list hostname routes that contain a substring of the given value, the filter is case-insensitive. */ hostname?: pulumi.Input; /** * The hostname route ID. */ id?: pulumi.Input; /** * If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes. */ isDeleted?: pulumi.Input; /** * If set, only list hostname routes that point to a specific tunnel. */ tunnelId?: pulumi.Input; } export interface GetZeroTrustTunnelCloudflaredFilter { excludePrefix?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; includePrefix?: string; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: boolean; /** * A user-friendly name for a tunnel. */ name?: string; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: string; /** * UUID of the tunnel. */ uuid?: string; wasActiveAt?: string; wasInactiveAt?: string; } export interface GetZeroTrustTunnelCloudflaredFilterArgs { excludePrefix?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; includePrefix?: pulumi.Input; /** * If `true`, only include deleted tunnels. 
If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: pulumi.Input; /** * A user-friendly name for a tunnel. */ name?: pulumi.Input; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: pulumi.Input; /** * UUID of the tunnel. */ uuid?: pulumi.Input; wasActiveAt?: pulumi.Input; wasInactiveAt?: pulumi.Input; } export interface GetZeroTrustTunnelCloudflaredRouteFilter { /** * Optional remark describing the route. */ comment?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; /** * If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included. */ isDeleted?: boolean; /** * If set, only list routes that are contained within this IP range. */ networkSubset?: string; /** * If set, only list routes that contain this IP range. */ networkSuperset?: string; /** * The types of tunnels to filter by, separated by commas. */ tunTypes?: string[]; /** * UUID of the tunnel. */ tunnelId?: string; /** * UUID of the virtual network. */ virtualNetworkId?: string; } export interface GetZeroTrustTunnelCloudflaredRouteFilterArgs { /** * Optional remark describing the route. */ comment?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; /** * If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included. */ isDeleted?: pulumi.Input; /** * If set, only list routes that are contained within this IP range. 
*/ networkSubset?: pulumi.Input; /** * If set, only list routes that contain this IP range. */ networkSuperset?: pulumi.Input; /** * The types of tunnels to filter by, separated by commas. */ tunTypes?: pulumi.Input[]>; /** * UUID of the tunnel. */ tunnelId?: pulumi.Input; /** * UUID of the virtual network. */ virtualNetworkId?: pulumi.Input; } export interface GetZeroTrustTunnelCloudflaredVirtualNetworkFilter { /** * UUID of the virtual network. */ id?: string; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefault?: boolean; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefaultNetwork?: boolean; /** * If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included. */ isDeleted?: boolean; /** * A user-friendly name for the virtual network. */ name?: string; } export interface GetZeroTrustTunnelCloudflaredVirtualNetworkFilterArgs { /** * UUID of the virtual network. */ id?: pulumi.Input; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefault?: pulumi.Input; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefaultNetwork?: pulumi.Input; /** * If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included. */ isDeleted?: pulumi.Input; /** * A user-friendly name for the virtual network. 
*/ name?: pulumi.Input; } export interface GetZeroTrustTunnelWarpConnectorFilter { excludePrefix?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; includePrefix?: string; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: boolean; /** * A user-friendly name for the tunnel. */ name?: string; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: string; /** * UUID of the tunnel. */ uuid?: string; wasActiveAt?: string; wasInactiveAt?: string; } export interface GetZeroTrustTunnelWarpConnectorFilterArgs { excludePrefix?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; includePrefix?: pulumi.Input; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: pulumi.Input; /** * A user-friendly name for the tunnel. */ name?: pulumi.Input; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: pulumi.Input; /** * UUID of the tunnel. 
*/ uuid?: pulumi.Input; wasActiveAt?: pulumi.Input; wasInactiveAt?: pulumi.Input; } export interface GetZoneFilter { account?: inputs.GetZoneFilterAccount; /** * Direction to order zones. * Available values: "asc", "desc". */ direction?: string; /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: string; /** * A domain name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: string; /** * Field to order zones by. * Available values: "name", "status", "account.id", "account.name", "plan.id". */ order?: string; /** * Specify a zone status to filter by. * Available values: "initializing", "pending", "active", "moved". */ status?: string; } export interface GetZoneFilterArgs { account?: pulumi.Input; /** * Direction to order zones. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: pulumi.Input; /** * A domain name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: pulumi.Input; /** * Field to order zones by. * Available values: "name", "status", "account.id", "account.name", "plan.id". */ order?: pulumi.Input; /** * Specify a zone status to filter by. * Available values: "initializing", "pending", "active", "moved". */ status?: pulumi.Input; } export interface GetZoneFilterAccount { /** * Filter by an account ID. */ id?: string; /** * An account Name. 
Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: string; } export interface GetZoneFilterAccountArgs { /** * Filter by an account ID. */ id?: pulumi.Input; /** * An account Name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: pulumi.Input; } export interface GetZoneLockdownFilter { /** * The timestamp of when the rule was created. */ createdOn?: string; /** * A string to search for in the description of existing rules. */ description?: string; /** * A string to search for in the description of existing rules. */ descriptionSearch?: string; /** * A single IP address to search for in existing rules. */ ip?: string; /** * A single IP address range to search for in existing rules. */ ipRangeSearch?: string; /** * A single IP address to search for in existing rules. */ ipSearch?: string; /** * The timestamp of when the rule was last modified. */ modifiedOn?: string; /** * The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority. */ priority?: number; /** * A single URI to search for in the list of URLs of existing rules. */ uriSearch?: string; } export interface GetZoneLockdownFilterArgs { /** * The timestamp of when the rule was created. */ createdOn?: pulumi.Input; /** * A string to search for in the description of existing rules. */ description?: pulumi.Input; /** * A string to search for in the description of existing rules. */ descriptionSearch?: pulumi.Input; /** * A single IP address to search for in existing rules. 
*/
    ip?: pulumi.Input;
    /**
     * A single IP address range to search for in existing rules.
     */
    ipRangeSearch?: pulumi.Input;
    /**
     * A single IP address to search for in existing rules.
     */
    ipSearch?: pulumi.Input;
    /**
     * The timestamp of when the rule was last modified.
     */
    modifiedOn?: pulumi.Input;
    /**
     * The priority of the rule to control the processing order. A lower number indicates higher priority.
     * If not provided, any rules with a configured priority will be processed before rules without a priority.
     */
    priority?: pulumi.Input;
    /**
     * A single URI to search for in the list of URLs of existing rules.
     */
    uriSearch?: pulumi.Input;
}

/**
 * Account filter criteria in plain-value form (`GetZonesAccountArgs` declares the same fields as `pulumi.Input`).
 */
export interface GetZonesAccount {
    /**
     * Filter by an account ID.
     */
    id?: string;
    /**
     * An account Name. Optional filter operators can be provided to refine the search:
     * * `equal` (default)
     * * `notEqual`
     * * `startsWith`
     * * `endsWith`
     * * `contains`
     * * `startsWithCaseSensitive`
     * * `endsWithCaseSensitive`
     * * `containsCaseSensitive`
     */
    name?: string;
}

/**
 * Account filter criteria in `pulumi.Input` form (`GetZonesAccount` declares the same fields with plain values).
 */
export interface GetZonesAccountArgs {
    /**
     * Filter by an account ID.
     */
    id?: pulumi.Input;
    /**
     * An account Name. Optional filter operators can be provided to refine the search:
     * * `equal` (default)
     * * `notEqual`
     * * `startsWith`
     * * `endsWith`
     * * `contains`
     * * `startsWithCaseSensitive`
     * * `endsWithCaseSensitive`
     * * `containsCaseSensitive`
     */
    name?: pulumi.Input;
}

// NOTE(review): the generic type arguments in this listing appear to have been lost
// (`pulumi.Input[]>` below is unbalanced); check field types against the generated SDK source.
/**
 * Settings for an HTTP or HTTPS health check.
 */
export interface HealthcheckHttpConfig {
    /**
     * Do not validate the certificate when the health check uses HTTPS.
     *
     * Security: with validation disabled the probe accepts whatever certificate the origin presents,
     * so a passing check no longer shows that the origin serves a valid, trusted certificate.
     * Leave this unset unless the checker genuinely cannot validate the origin's certificate,
     * and review any configuration that enables it.
     */
    allowInsecure?: pulumi.Input;
    /**
     * A case-insensitive sub-string to look for in the response body. If this string is not found, the origin will be marked as unhealthy.
     */
    expectedBody?: pulumi.Input;
    /**
     * The expected HTTP response codes (e.g. "200") or code ranges (e.g. "2xx" for all codes starting with 2) of the health check.
     */
    expectedCodes?: pulumi.Input[]>;
    /**
     * Follow redirects if the origin returns a 3xx status code.
*/
    followRedirects?: pulumi.Input;
    /**
     * The HTTP request headers to send in the health check. It is recommended you set a Host header by default. The User-Agent header cannot be overridden.
     */
    header?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>;
    /**
     * The HTTP method to use for the health check.
     * Available values: "GET", "HEAD".
     */
    method?: pulumi.Input;
    /**
     * The endpoint path to health check against.
     */
    path?: pulumi.Input;
    /**
     * Port number to connect to for the health check. Defaults to 80 if type is HTTP or 443 if type is HTTPS.
     */
    port?: pulumi.Input;
}

// NOTE(review): the generic type arguments in this listing appear to have been lost
// (`pulumi.Input[]>` above is unbalanced); check field types against the generated SDK source.
/**
 * Settings for a TCP health check.
 */
export interface HealthcheckTcpConfig {
    /**
     * The TCP connection method to use for the health check.
     * Available values: "connectionEstablished".
     */
    method?: pulumi.Input;
    /**
     * Port number to connect to for the health check. Defaults to 80.
     */
    port?: pulumi.Input;
}

/**
 * Caching behaviour for SQL responses.
 */
export interface HyperdriveConfigCaching {
    /**
     * Set to true to disable caching of SQL responses. Default is false.
     */
    disabled?: pulumi.Input;
    /**
     * Specify the maximum duration (in seconds) items should persist in the cache. Defaults to 60 seconds if not specified.
     */
    maxAge?: pulumi.Input;
    /**
     * Specify the number of seconds the cache may serve a stale response. Defaults to 15 seconds if not specified.
     */
    staleWhileRevalidate?: pulumi.Input;
}

/**
 * TLS settings: references to uploaded certificates plus the SSL mode.
 */
export interface HyperdriveConfigMtls {
    /**
     * Define CA certificate ID obtained after uploading CA cert.
     */
    caCertificateId?: pulumi.Input;
    /**
     * Define mTLS certificate ID obtained after uploading client cert.
     */
    mtlsCertificateId?: pulumi.Input;
    /**
     * Set SSL mode to 'require', 'verify-ca', or 'verify-full' to verify the CA.
     *
     * NOTE(review): in PostgreSQL client (libpq) semantics `require` encrypts the connection without
     * verifying the server certificate, `verify-ca` checks the certificate chain, and `verify-full`
     * also checks the hostname. Confirm which guarantee each mode gives here before relying on
     * `require` to authenticate the origin database.
     */
    sslmode?: pulumi.Input;
}

/**
 * Connection details for the origin database, including its credentials.
 */
export interface HyperdriveConfigOrigin {
    /**
     * Defines the Client ID of the Access token to use when connecting to the origin database.
     */
    accessClientId?: pulumi.Input;
    /**
     * Defines the Client Secret of the Access Token to use when connecting to the origin database. The API never returns this write-only value.
     *
     * Credential: supply it as a Pulumi secret (secret config or `pulumi.secret(...)`) rather than a
     * literal in program source, so it is encrypted in state. Whether the provider already marks this
     * property as secret is not visible in this listing.
     */
    accessClientSecret?: pulumi.Input;
    /**
     * Set the name of your origin database.
     */
    database: pulumi.Input;
    /**
     * Defines the host (hostname or IP) of your origin database.
     */
    host: pulumi.Input;
    /**
     * Set the password needed to access your origin database. The API never returns this write-only value.
     *
     * Credential: supply it as a Pulumi secret (secret config or `pulumi.secret(...)`) rather than a
     * literal in program source, so it is encrypted in state. Whether the provider already marks this
     * property as secret is not visible in this listing.
     */
    password: pulumi.Input;
    /**
     * Defines the port of your origin database. Defaults to 5432 for PostgreSQL or 3306 for MySQL if not specified.
     */
    port?: pulumi.Input;
    /**
     * Specifies the URL scheme used to connect to your origin database.
     * Available values: "postgres", "postgresql", "mysql".
     */
    scheme: pulumi.Input;
    /**
     * Set the user of your origin database.
     */
    user: pulumi.Input;
}

/**
 * Resizing options for an image variant; every field is required in this form.
 */
export interface ImageVariantOptions {
    /**
     * The fit property describes how the width and height dimensions should be interpreted.
     * Available values: "scale-down", "contain", "cover", "crop", "pad".
     */
    fit: pulumi.Input;
    /**
     * Maximum height in image pixels.
     */
    height: pulumi.Input;
    /**
     * What EXIF data should be preserved in the output image.
     * Available values: "keep", "copyright", "none".
     *
     * Privacy: EXIF can carry location and device details, so `keep` presumably publishes them with
     * the image (inferred from the value names; confirm).
     */
    metadata: pulumi.Input;
    /**
     * Maximum width in image pixels.
     */
    width: pulumi.Input;
}

export interface ImageVariantVariant {
    id?: pulumi.Input;
    /**
     * Indicates whether the variant can access an image without a signature, regardless of image access control.
     *
     * Security: when true, this variant is reachable without a signed URL even for images that
     * otherwise require one, so enable it only for variants that are safe to expose publicly.
     */
    neverRequireSignedUrls?: pulumi.Input;
    /**
     * Allows you to define image resizing sizes for different use cases.
     */
    options?: pulumi.Input;
}

/**
 * Resizing options for an image variant; every field is optional in this form.
 */
export interface ImageVariantVariantOptions {
    /**
     * The fit property describes how the width and height dimensions should be interpreted.
     * Available values: "scale-down", "contain", "cover", "crop", "pad".
     */
    fit?: pulumi.Input;
    /**
     * Maximum height in image pixels.
     */
    height?: pulumi.Input;
    /**
     * What EXIF data should be preserved in the output image.
     * Available values: "keep", "copyright", "none".
     *
     * Privacy: EXIF can carry location and device details, so `keep` presumably publishes them with
     * the image (inferred from the value names; confirm).
     */
    metadata?: pulumi.Input;
    /**
     * Maximum width in image pixels.
*/ width?: pulumi.Input; } export interface KeylessCertificateTunnel { /** * Private IP of the Key Server Host */ privateIp: pulumi.Input; /** * Cloudflare Tunnel Virtual Network ID */ vnetId: pulumi.Input; } export interface ListItem { /** * A non-negative 32 bit integer */ asn?: pulumi.Input; /** * An informative summary of the list item. */ comment?: pulumi.Input; /** * Valid characters for hostnames are ASCII(7) letters from a to z, the digits from 0 to 9, wildcards (*), and the hyphen (-). */ hostname?: pulumi.Input; /** * An IPv4 address, an IPv4 CIDR, an IPv6 address, or an IPv6 CIDR. */ ip?: pulumi.Input; /** * The definition of the redirect. */ redirect?: pulumi.Input; } export interface ListItemHostname { /** * Only applies to wildcard hostnames (e.g., *.example.com). When true (default), only subdomains are blocked. When false, both the root domain and subdomains are blocked. */ excludeExactHostname?: pulumi.Input; urlHostname: pulumi.Input; } export interface ListItemRedirect { includeSubdomains?: pulumi.Input; preservePathSuffix?: pulumi.Input; preserveQueryString?: pulumi.Input; sourceUrl: pulumi.Input; /** * Available values: 301, 302, 307, 308. */ statusCode?: pulumi.Input; subpathMatching?: pulumi.Input; targetUrl: pulumi.Input; } export interface LoadBalancerAdaptiveRouting { /** * Extends zero-downtime failover of requests to healthy origins from alternate pools, when no healthy alternate exists in the same pool, according to the failover order defined by traffic and origin steering. When set false (the default) zero-downtime failover will only occur between origins within the same pool. See `sessionAffinityAttributes` for control over when sessions are broken or reassigned. */ failoverAcrossPools?: pulumi.Input; } export interface LoadBalancerLocationStrategy { /** * Determines the authoritative location when ECS is not preferred, does not exist in the request, or its GeoIP lookup is unsuccessful. 
*/ mode?: pulumi.Input; /** * Whether the EDNS Client Subnet (ECS) GeoIP should be preferred as the authoritative location. */ preferEcs?: pulumi.Input; } export interface LoadBalancerPoolLoadShedding { /** * The percent of traffic to shed from the pool, according to the default policy. Applies to new sessions and traffic without session affinity. */ defaultPercent?: pulumi.Input; /** * The default policy to use when load shedding. A random policy randomly sheds a given percent of requests. A hash policy computes a hash over the CF-Connecting-IP address and sheds all requests originating from a percent of IPs. * Available values: "random", "hash". */ defaultPolicy?: pulumi.Input; /** * The percent of existing sessions to shed from the pool, according to the session policy. */ sessionPercent?: pulumi.Input; /** * Only the hash policy is supported for existing sessions (to avoid exponential decay). * Available values: "hash". */ sessionPolicy?: pulumi.Input; } export interface LoadBalancerPoolNotificationFilter { /** * Filter options for a particular resource type (pool or origin). Use null to reset. */ origin?: pulumi.Input; /** * Filter options for a particular resource type (pool or origin). Use null to reset. */ pool?: pulumi.Input; } export interface LoadBalancerPoolNotificationFilterOrigin { /** * If set true, disable notifications for this type of resource (pool or origin). */ disable?: pulumi.Input; /** * If present, send notifications only for this health status (e.g. false for only DOWN events). Use null to reset (all events). */ healthy?: pulumi.Input; } export interface LoadBalancerPoolNotificationFilterPool { /** * If set true, disable notifications for this type of resource (pool or origin). */ disable?: pulumi.Input; /** * If present, send notifications only for this health status (e.g. false for only DOWN events). Use null to reset (all events). 
*/ healthy?: pulumi.Input; } export interface LoadBalancerPoolOrigin { /** * The IP address (IPv4 or IPv6) of the origin, or its publicly addressable hostname. Hostnames entered here should resolve directly to the origin, and not be a hostname proxied by Cloudflare. To set an internal/reserved address, virtual*network*id must also be set. */ address?: pulumi.Input; /** * This field shows up only if the origin is disabled. This field is set with the time the origin was disabled. */ disabledAt?: pulumi.Input; /** * Whether to enable (the default) this origin within the pool. Disabled origins will not receive traffic and are excluded from health checks. The origin will only be disabled for the current pool. */ enabled?: pulumi.Input; /** * The request header is used to pass additional information with an HTTP request. Currently supported header is 'Host'. */ header?: pulumi.Input; /** * A human-identifiable name for the origin. */ name?: pulumi.Input; /** * The port for upstream connections. A value of 0 means the default port for the protocol will be used. */ port?: pulumi.Input; /** * The virtual network subnet ID the origin belongs in. Virtual network must also belong to the account. */ virtualNetworkId?: pulumi.Input; /** * The weight of this origin relative to other origins in the pool. Based on the configured weight the total traffic is distributed among origins within the pool. */ weight?: pulumi.Input; } export interface LoadBalancerPoolOriginHeader { /** * The 'Host' header allows to override the hostname set in the HTTP request. Current support is 1 'Host' header override per origin. */ hosts?: pulumi.Input[]>; } export interface LoadBalancerPoolOriginSteering { /** * The type of origin steering policy to use. */ policy?: pulumi.Input; } export interface LoadBalancerRandomSteering { /** * The default weight for pools in the load balancer that are not specified in the poolWeights map. 
*/ defaultWeight?: pulumi.Input; /** * A mapping of pool IDs to custom weights. The weight is relative to other pools in the load balancer. */ poolWeights?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface LoadBalancerRule { /** * The condition expressions to evaluate. If the condition evaluates to true, the overrides or fixedResponse in this rule will be applied. An empty condition is always true. For more details on condition expressions, please see https://developers.cloudflare.com/load-balancing/understand-basics/load-balancing-rules/expressions. */ condition?: pulumi.Input; /** * Disable this specific rule. It will no longer be evaluated by this load balancer. */ disabled?: pulumi.Input; /** * A collection of fields used to directly respond to the eyeball instead of routing to a pool. If a fixed*response is supplied the rule will be marked as terminates. */ fixedResponse?: pulumi.Input; /** * Name of this rule. Only used for human readability. */ name?: pulumi.Input; /** * A collection of overrides to apply to the load balancer when this rule's condition is true. All fields are optional. */ overrides?: pulumi.Input; /** * The order in which rules should be executed in relation to each other. Lower values are executed first. Values do not need to be sequential. If no value is provided for any rule the array order of the rules field will be used to assign a priority. */ priority?: pulumi.Input; /** * If this rule's condition is true, this causes rule evaluation to stop after processing this rule. */ terminates?: pulumi.Input; } export interface LoadBalancerRuleFixedResponse { /** * The http 'Content-Type' header to include in the response. */ contentType?: pulumi.Input; /** * The http 'Location' header to include in the response. */ location?: pulumi.Input; /** * Text to include as the http body. */ messageBody?: pulumi.Input; /** * The http status code to respond with. 
*/ statusCode?: pulumi.Input; } export interface LoadBalancerRuleOverrides { /** * Controls features that modify the routing of requests to pools and origins in response to dynamic conditions, such as during the interval between active health monitoring requests. For example, zero-downtime failover occurs immediately when an origin becomes unavailable due to HTTP 521, 522, or 523 response codes. If there is another healthy origin in the same pool, the request is retried once against this alternate origin. */ adaptiveRouting?: pulumi.Input; /** * A mapping of country codes to a list of pool IDs (ordered by their failover priority) for the given country. Any country not explicitly defined will fall back to using the corresponding region*pool mapping if it exists else to default*pools. */ countryPools?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * A list of pool IDs ordered by their failover priority. Pools defined here are used by default, or when regionPools are not configured for a given region. */ defaultPools?: pulumi.Input[]>; /** * The pool ID to use when all other pools are detected as unhealthy. */ fallbackPool?: pulumi.Input; /** * Controls location-based steering for non-proxied requests. See `steeringPolicy` to learn how steering is affected. */ locationStrategy?: pulumi.Input; /** * Enterprise only: A mapping of Cloudflare PoP identifiers to a list of pool IDs (ordered by their failover priority) for the PoP (datacenter). Any PoPs not explicitly defined will fall back to using the corresponding country*pool, then region*pool mapping if it exists else to default_pools. */ popPools?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Configures pool weights. */ randomSteering?: pulumi.Input; /** * A mapping of region codes to a list of pool IDs (ordered by their failover priority) for the given region. Any regions not explicitly defined will fall back to using default_pools. 
*/ regionPools?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Specifies the type of session affinity the load balancer should use unless specified as `"none"`. The supported types are: - `"cookie"`: On the first request to a proxied load balancer, a cookie is generated, encoding information of which origin the request will be forwarded to. Subsequent requests, by the same client to the same load balancer, will be sent to the origin server the cookie encodes, for the duration of the cookie and as long as the origin server remains healthy. If the cookie has expired or the origin server is unhealthy, then a new origin server is calculated and used. - `"ipCookie"`: Behaves the same as `"cookie"` except the initial origin selection is stable and based on the client's ip address. - `"header"`: On the first request to a proxied load balancer, a session key based on the configured HTTP headers (see `session_affinity_attributes.headers`) is generated, encoding the request headers used for storing in the load balancer session state which origin the request will be forwarded to. Subsequent requests to the load balancer with the same headers will be sent to the same origin server, for the duration of the session and as long as the origin server remains healthy. If the session has been idle for the duration of `sessionAffinityTtl` seconds or the origin server is unhealthy, then a new origin server is calculated and used. See `headers` in `sessionAffinityAttributes` for additional required configuration. * Available values: "none", "cookie", "ipCookie", "header". */ sessionAffinity?: pulumi.Input; /** * Configures attributes for session affinity. */ sessionAffinityAttributes?: pulumi.Input; /** * Time, in seconds, until a client's session expires after being created. Once the expiry time has been reached, subsequent requests may get sent to a different origin server. 
The accepted ranges per `sessionAffinity` policy are: - `"cookie"` / `"ipCookie"`: The current default of 23 hours will be used unless explicitly set. The accepted range of values is between [1800, 604800]. - `"header"`: The current default of 1800 seconds will be used unless explicitly set. The accepted range of values is between [30, 3600]. Note: With session affinity by header, sessions only expire after they haven't been used for the number of seconds specified. */ sessionAffinityTtl?: pulumi.Input; /** * Steering Policy for this load balancer. */ steeringPolicy?: pulumi.Input; /** * Time to live (TTL) of the DNS entry for the IP address returned by this load balancer. This only applies to gray-clouded (unproxied) load balancers. */ ttl?: pulumi.Input; } export interface LoadBalancerRuleOverridesAdaptiveRouting { /** * Extends zero-downtime failover of requests to healthy origins from alternate pools, when no healthy alternate exists in the same pool, according to the failover order defined by traffic and origin steering. When set false (the default) zero-downtime failover will only occur between origins within the same pool. See `sessionAffinityAttributes` for control over when sessions are broken or reassigned. */ failoverAcrossPools?: pulumi.Input; } export interface LoadBalancerRuleOverridesLocationStrategy { /** * Determines the authoritative location when ECS is not preferred, does not exist in the request, or its GeoIP lookup is unsuccessful. */ mode?: pulumi.Input; /** * Whether the EDNS Client Subnet (ECS) GeoIP should be preferred as the authoritative location. */ preferEcs?: pulumi.Input; } export interface LoadBalancerRuleOverridesRandomSteering { /** * The default weight for pools in the load balancer that are not specified in the poolWeights map. */ defaultWeight?: pulumi.Input; /** * A mapping of pool IDs to custom weights. The weight is relative to other pools in the load balancer. 
*/
    poolWeights?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
}

// NOTE(review): the generic type arguments in this listing appear to have been lost
// (`pulumi.Input[]>` below is unbalanced); check field types against the generated SDK source.
/**
 * Attributes for session affinity, in the form used by a load balancer rule's overrides.
 */
export interface LoadBalancerRuleOverridesSessionAffinityAttributes {
    /**
     * Configures the drain duration in seconds. This field is only used when session affinity is enabled on the load balancer.
     */
    drainDuration?: pulumi.Input;
    /**
     * Configures the names of HTTP headers to base session affinity on when header `sessionAffinity` is enabled.
     * At least one HTTP header name must be provided.
     * To specify the exact cookies to be used, include an item in the following format:
     * `"cookie:<cookie-name-1>,<cookie-name-2>"` (example) where everything after the colon is a comma-separated list of cookie names.
     * Providing only `"cookie"` will result in all cookies being used.
     * The default max number of HTTP header names that can be provided depends on your plan: 5 for Enterprise, 1 for all other plans.
     */
    headers?: pulumi.Input[]>;
    /**
     * When header `sessionAffinity` is enabled, this option can be used to specify how HTTP headers on load balancing requests will be used. The supported values are:
     * - `"true"`: Load balancing requests must contain *all* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created.
     * - `"false"`: Load balancing requests must contain *at least one* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created.
     */
    requireAllHeaders?: pulumi.Input;
    /**
     * Configures the SameSite attribute on session affinity cookie. Value "Auto" will be translated to "Lax" or "None" depending if Always Use HTTPS is enabled.
     * Note: when using value "None", the secure attribute can not be set to "Never".
     * Available values: "Auto", "Lax", "None", "Strict".
     *
     * Security: "Strict" and "Lax" limit when browsers attach the affinity cookie to cross-site
     * requests; "None" attaches it to all of them.
     */
    samesite?: pulumi.Input;
    /**
     * Configures the Secure attribute on session affinity cookie.
     * Value "Always" indicates the Secure attribute will be set in the Set-Cookie header, "Never" indicates the Secure attribute will not be set, and "Auto" will set the Secure attribute depending if Always Use HTTPS is enabled.
     * Available values: "Auto", "Always", "Never".
     *
     * Security: without the Secure attribute ("Never") browsers also send the affinity cookie over
     * plaintext HTTP; prefer "Always" when the load balancer is only meant to be reached over HTTPS.
     */
    secure?: pulumi.Input;
    /**
     * Configures the zero-downtime failover between origins within a pool when session affinity is enabled.
     * This feature is currently incompatible with Argo, Tiered Cache, and Bandwidth Alliance. The supported values are:
     * - `"none"`: No failover takes place for sessions pinned to the origin (default).
     * - `"temporary"`: Traffic will be sent to another healthy origin until the originally pinned origin is available; note that this can potentially result in heavy origin flapping.
     * - `"sticky"`: The session affinity cookie is updated and subsequent requests are sent to the new origin.
     * Note: Zero-downtime failover with sticky sessions is currently not supported for session affinity by header.
     * Available values: "none", "temporary", "sticky".
     */
    zeroDowntimeFailover?: pulumi.Input;
}

/**
 * Attributes for session affinity, in the form used on the load balancer itself.
 */
export interface LoadBalancerSessionAffinityAttributes {
    /**
     * Configures the drain duration in seconds. This field is only used when session affinity is enabled on the load balancer.
     */
    drainDuration?: pulumi.Input;
    /**
     * Configures the names of HTTP headers to base session affinity on when header `sessionAffinity` is enabled.
     * At least one HTTP header name must be provided.
     * To specify the exact cookies to be used, include an item in the following format:
     * `"cookie:<cookie-name-1>,<cookie-name-2>"` (example) where everything after the colon is a comma-separated list of cookie names.
     * Providing only `"cookie"` will result in all cookies being used.
     * The default max number of HTTP header names that can be provided depends on your plan: 5 for Enterprise, 1 for all other plans.
     */
    headers?: pulumi.Input[]>;
    /**
     * When header `sessionAffinity` is enabled, this option can be used to specify how HTTP headers on load balancing requests will be used. The supported values are:
     * - `"true"`: Load balancing requests must contain *all* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created.
     * - `"false"`: Load balancing requests must contain *at least one* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created.
     */
    requireAllHeaders?: pulumi.Input;
    /**
     * Configures the SameSite attribute on session affinity cookie. Value "Auto" will be translated to "Lax" or "None" depending if Always Use HTTPS is enabled.
     * Note: when using value "None", the secure attribute can not be set to "Never".
     * Available values: "Auto", "Lax", "None", "Strict".
     *
     * Security: "Strict" and "Lax" limit when browsers attach the affinity cookie to cross-site
     * requests; "None" attaches it to all of them.
     */
    samesite?: pulumi.Input;
    /**
     * Configures the Secure attribute on session affinity cookie.
     * Value "Always" indicates the Secure attribute will be set in the Set-Cookie header, "Never" indicates the Secure attribute will not be set, and "Auto" will set the Secure attribute depending if Always Use HTTPS is enabled.
     * Available values: "Auto", "Always", "Never".
     *
     * Security: without the Secure attribute ("Never") browsers also send the affinity cookie over
     * plaintext HTTP; prefer "Always" when the load balancer is only meant to be reached over HTTPS.
     */
    secure?: pulumi.Input;
    /**
     * Configures the zero-downtime failover between origins within a pool when session affinity is enabled.
     * This feature is currently incompatible with Argo, Tiered Cache, and Bandwidth Alliance. The supported values are:
     * - `"none"`: No failover takes place for sessions pinned to the origin (default).
     * - `"temporary"`: Traffic will be sent to another healthy origin until the originally pinned origin is available; note that this can potentially result in heavy origin flapping.
     * - `"sticky"`: The session affinity cookie is updated and subsequent requests are sent to the new origin.
     * Note: Zero-downtime failover with sticky sessions is currently not supported for session affinity by header.
* Available values: "none", "temporary", "sticky". */ zeroDowntimeFailover?: pulumi.Input; } export interface LogpushJobOutputOptions { /** * String to be prepended before each batch. */ batchPrefix?: pulumi.Input; /** * String to be appended after each batch. */ batchSuffix?: pulumi.Input; /** * If set to true, will cause all occurrences of `${` in the generated files to be replaced with `x{`. */ cve202144228?: pulumi.Input; /** * String to join fields. This field be ignored when `recordTemplate` is set. */ fieldDelimiter?: pulumi.Input; /** * List of field names to be included in the Logpush output. For the moment, there is no option to add all fields at once, so you must specify all the fields names you are interested in. */ fieldNames?: pulumi.Input[]>; /** * Specifies the output type, such as `ndjson` or `csv`. This sets default values for the rest of the settings, depending on the chosen output type. Some formatting rules, like string quoting, are different between output types. * Available values: "ndjson", "csv". */ outputType?: pulumi.Input; /** * String to be inserted in-between the records as separator. */ recordDelimiter?: pulumi.Input; /** * String to be prepended before each record. */ recordPrefix?: pulumi.Input; /** * String to be appended after each record. */ recordSuffix?: pulumi.Input; /** * String to use as template for each record instead of the default json key value mapping. All fields used in the template must be present in `fieldNames` as well, otherwise they will end up as null. Format as a Go `text/template` without any standard functions, like conditionals, loops, sub-templates, etc. */ recordTemplate?: pulumi.Input; /** * Floating number to specify sampling rate. Sampling is applied on top of filtering, and regardless of the current `sampleInterval` of the data. */ sampleRate?: pulumi.Input; /** * String to specify the format for timestamps, such as `unixnano`, `unix`, or `rfc3339`. * Available values: "unixnano", "unix", "rfc3339". 
*/ timestampFormat?: pulumi.Input; } export interface MagicNetworkMonitoringConfigurationWarpDevice { /** * Unique identifier for the warp device. */ id: pulumi.Input; /** * Name of the warp device. */ name: pulumi.Input; /** * IPv4 CIDR of the router sourcing flow data associated with this warp device. Only /32 addresses are currently supported. */ routerIp: pulumi.Input; } export interface MagicTransitConnectorDevice { id?: pulumi.Input; /** * Set to true to provision a license key for this connector. Only used during resource creation. This is a write-only field that will not be stored in state. */ provisionLicense?: pulumi.Input; serialNumber?: pulumi.Input; } export interface MagicTransitSiteAclLan1 { /** * The identifier for the LAN you want to create an ACL policy with. */ lanId: pulumi.Input; /** * The name of the LAN based on the provided lan_id. */ lanName?: pulumi.Input; /** * Array of port ranges on the provided LAN that will be included in the ACL. If no ports or port ranges are provided, communication on any port on this LAN is allowed. Leaving both `ports` and `portRanges` unset therefore makes the ACL match every port rather than none. */ portRanges?: pulumi.Input[]>; /** * Array of ports on the provided LAN that will be included in the ACL. If no ports or port ranges are provided, communication on any port on this LAN is allowed. */ ports?: pulumi.Input[]>; /** * Array of subnet IPs within the LAN that will be included in the ACL. If no subnets are provided, communication on any subnet on this LAN is allowed. */ subnets?: pulumi.Input[]>; } export interface MagicTransitSiteAclLan2 { /** * The identifier for the LAN you want to create an ACL policy with. */ lanId: pulumi.Input; /** * The name of the LAN based on the provided lan_id. */ lanName?: pulumi.Input; /** * Array of port ranges on the provided LAN that will be included in the ACL. If no ports or port ranges are provided, communication on any port on this LAN is allowed. Leaving both `ports` and `portRanges` unset therefore makes the ACL match every port rather than none. */ portRanges?: pulumi.Input[]>; /** * Array of ports on the provided LAN that will be included in the ACL. 
If no ports or port ranges are provided, communication on any port on this LAN is allowed. */ ports?: pulumi.Input[]>; /** * Array of subnet IPs within the LAN that will be included in the ACL. If no subnets are provided, communication on any subnets on this LAN are allowed. */ subnets?: pulumi.Input[]>; } export interface MagicTransitSiteLanNat { /** * A valid CIDR notation representing an IP range. */ staticPrefix?: pulumi.Input; } export interface MagicTransitSiteLanRoutedSubnet { nat?: pulumi.Input; /** * A valid IPv4 address. */ nextHop: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ prefix: pulumi.Input; } export interface MagicTransitSiteLanRoutedSubnetNat { /** * A valid CIDR notation representing an IP range. */ staticPrefix?: pulumi.Input; } export interface MagicTransitSiteLanStaticAddressing { /** * A valid CIDR notation representing an IP range. */ address: pulumi.Input; dhcpRelay?: pulumi.Input; dhcpServer?: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ secondaryAddress?: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ virtualAddress?: pulumi.Input; } export interface MagicTransitSiteLanStaticAddressingDhcpRelay { /** * List of DHCP server IPs. */ serverAddresses?: pulumi.Input[]>; } export interface MagicTransitSiteLanStaticAddressingDhcpServer { /** * A valid IPv4 address. */ dhcpPoolEnd?: pulumi.Input; /** * A valid IPv4 address. */ dhcpPoolStart?: pulumi.Input; /** * A valid IPv4 address. */ dnsServer?: pulumi.Input; dnsServers?: pulumi.Input[]>; /** * Mapping of MAC addresses to IP addresses */ reservations?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface MagicTransitSiteLocation { /** * Latitude */ lat?: pulumi.Input; /** * Longitude */ lon?: pulumi.Input; } export interface MagicTransitSiteWanStaticAddressing { /** * A valid CIDR notation representing an IP range. */ address: pulumi.Input; /** * A valid IPv4 address. 
*/ gatewayAddress: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ secondaryAddress?: pulumi.Input; } export interface MagicWanGreTunnelBgp { /** * ASN used on the customer end of the BGP session */ customerAsn: pulumi.Input; /** * Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table. */ extraPrefixes?: pulumi.Input[]>; /** * MD5 key to use for session authentication. The key is a secret shared by both BGP peers; pass it as a Pulumi secret (for example `pulumi.secret(...)`) so it is encrypted in stack state instead of appearing as a plaintext literal. NOTE(review): whether the provider already marks this input as secret is not visible here; confirm. */ md5Key?: pulumi.Input; } export interface MagicWanGreTunnelBgpStatus { bgpState?: pulumi.Input; cfSpeakerIp?: pulumi.Input; cfSpeakerPort?: pulumi.Input; customerSpeakerIp?: pulumi.Input; customerSpeakerPort?: pulumi.Input; /** * Available values: "BGP_DOWN", "BGP_UP", "BGP_ESTABLISHING". */ state?: pulumi.Input; tcpEstablished?: pulumi.Input; updatedAt?: pulumi.Input; } export interface MagicWanGreTunnelHealthCheck { /** * The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel. * Available values: "unidirectional", "bidirectional". */ direction?: pulumi.Input; /** * Determines whether to run healthchecks for a tunnel. */ enabled?: pulumi.Input; /** * How frequently the health check is run. The default value is `mid`. * Available values: "low", "mid", "high". */ rate?: pulumi.Input; /** * The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customerGreEndpoint address`. This field is ignored for bidirectional healthchecks as the interface*address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false. 
*/ target?: pulumi.Input; /** * The type of healthcheck to run, reply or request. The default value is `reply`. * Available values: "reply", "request". */ type?: pulumi.Input; } export interface MagicWanGreTunnelHealthCheckTarget { /** * The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests. */ effective?: pulumi.Input; /** * The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used. */ saved?: pulumi.Input; } export interface MagicWanIpsecTunnelBgp { /** * ASN used on the customer end of the BGP session */ customerAsn: pulumi.Input; /** * Prefixes in this list will be advertised to the customer device, in addition to the routes in the Magic routing table. */ extraPrefixes?: pulumi.Input[]>; /** * MD5 key to use for session authentication. The key is a secret shared by both BGP peers; pass it as a Pulumi secret (for example `pulumi.secret(...)`) so it is encrypted in stack state instead of appearing as a plaintext literal. NOTE(review): whether the provider already marks this input as secret is not visible here; confirm. */ md5Key?: pulumi.Input; } export interface MagicWanIpsecTunnelBgpStatus { bgpState?: pulumi.Input; cfSpeakerIp?: pulumi.Input; cfSpeakerPort?: pulumi.Input; customerSpeakerIp?: pulumi.Input; customerSpeakerPort?: pulumi.Input; /** * Available values: "BGP_DOWN", "BGP_UP", "BGP_ESTABLISHING". */ state?: pulumi.Input; tcpEstablished?: pulumi.Input; updatedAt?: pulumi.Input; } export interface MagicWanIpsecTunnelCustomRemoteIdentities { /** * A custom IKE ID of type FQDN that may be used to identify the IPsec tunnel. The * generated IKE IDs can still be used even if this custom value is specified. */ fqdnId?: pulumi.Input; } export interface MagicWanIpsecTunnelHealthCheck { /** * The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel. * Available values: "unidirectional", "bidirectional". 
*/ direction?: pulumi.Input; /** * Determines whether to run healthchecks for a tunnel. */ enabled?: pulumi.Input; /** * How frequent the health check is run. The default value is `mid`. * Available values: "low", "mid", "high". */ rate?: pulumi.Input; /** * The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customerGreEndpoint address`. This field is ignored for bidirectional healthchecks as the interface*address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false. */ target?: pulumi.Input; /** * The type of healthcheck to run, reply or request. The default value is `reply`. * Available values: "reply", "request". */ type?: pulumi.Input; } export interface MagicWanIpsecTunnelHealthCheckTarget { /** * The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests. */ effective?: pulumi.Input; /** * The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used. */ saved?: pulumi.Input; } export interface MagicWanIpsecTunnelPskMetadata { /** * The date and time the tunnel was last modified. */ lastGeneratedOn?: pulumi.Input; } export interface MagicWanStaticRouteScope { /** * List of colo names for the ECMP scope. */ coloNames?: pulumi.Input[]>; /** * List of colo regions for the ECMP scope. */ coloRegions?: pulumi.Input[]>; } export interface ManagedHeadersManagedRequestHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. 
*/ id: pulumi.Input; } export interface ManagedHeadersManagedResponseHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface ManagedTransformsManagedRequestHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface ManagedTransformsManagedResponseHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface NotificationPolicyFilters { /** * Usage depends on specific alert type */ actions?: pulumi.Input[]>; /** * Used for configuring radar_notification */ affectedAsns?: pulumi.Input[]>; /** * Used for configuring incident_alert */ affectedComponents?: pulumi.Input[]>; /** * Used for configuring radar_notification */ affectedLocations?: pulumi.Input[]>; /** * Used for configuring maintenance*event*notification */ airportCodes?: pulumi.Input[]>; /** * Usage depends on specific alert type */ alertTriggerPreferences?: pulumi.Input[]>; /** * Usage depends on specific alert type */ alertTriggerPreferencesValues?: pulumi.Input[]>; /** * Used for configuring load*balancing*pool*enablement*alert */ enableds?: pulumi.Input[]>; /** * Used for configuring pages*event*alert */ environments?: pulumi.Input[]>; /** * Used for configuring load*balancing*health_alert */ eventSources?: pulumi.Input[]>; /** * Usage depends on specific alert type */ eventTypes?: pulumi.Input[]>; /** * Used for configuring pages*event*alert */ events?: pulumi.Input[]>; /** * Usage depends on specific alert type */ groupBies?: pulumi.Input[]>; /** * Used for configuring health*check*status_notification */ healthCheckIds?: pulumi.Input[]>; /** * Used for configuring incident_alert */ incidentImpacts?: pulumi.Input[]>; /** * Used for 
configuring stream*live*notifications */ inputIds?: pulumi.Input[]>; /** * Used for configuring `security_insights_alert`. */ insightClasses?: pulumi.Input[]>; /** * Used for configuring `billing_usage_alert`. */ limits?: pulumi.Input[]>; /** * Used for configuring `logo_match_alert`. */ logoTags?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l4_alert`. */ megabitsPerSeconds?: pulumi.Input[]>; /** * Used for configuring `load_balancing_health_alert`. */ newHealths?: pulumi.Input[]>; /** * Used for configuring `tunnel_health_event`. */ newStatuses?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l4_alert`. */ packetsPerSeconds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ poolIds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ popNames?: pulumi.Input[]>; /** * Used for configuring `billing_usage_alert`. */ products?: pulumi.Input[]>; /** * Used for configuring `pages_event_alert`. */ projectIds?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l4_alert`. */ protocols?: pulumi.Input[]>; /** * Usage depends on specific alert type */ queryTags?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l7_alert`. */ requestsPerSeconds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ selectors?: pulumi.Input[]>; /** * Used for configuring `clickhouse_alert_fw_ent_anomaly`. */ services?: pulumi.Input[]>; /** * Usage depends on specific alert type */ slos?: pulumi.Input[]>; /** * Used for configuring `health_check_status_notification`. */ statuses?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l7_alert`. */ targetHostnames?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l4_alert`. */ targetIps?: pulumi.Input[]>; /** * Used for configuring `advanced_ddos_attack_l7_alert`. */ targetZoneNames?: pulumi.Input[]>; /** * Used for configuring `traffic_anomalies_alert`. */ trafficExclusions?: pulumi.Input[]>; /** * Used for configuring `tunnel_health_event`. */ tunnelIds?: 
pulumi.Input[]>; /** * Usage depends on specific alert type */ tunnelNames?: pulumi.Input[]>; /** * Usage depends on specific alert type */ types?: pulumi.Input[]>; /** * Usage depends on specific alert type */ wheres?: pulumi.Input[]>; /** * Usage depends on specific alert type */ zones?: pulumi.Input[]>; } export interface NotificationPolicyMechanisms { emails?: pulumi.Input[]>; pagerduties?: pulumi.Input[]>; webhooks?: pulumi.Input[]>; } export interface NotificationPolicyMechanismsEmail { /** * The email address */ id?: pulumi.Input; } export interface NotificationPolicyMechanismsPagerduty { /** * UUID */ id?: pulumi.Input; } export interface NotificationPolicyMechanismsWebhook { /** * UUID */ id?: pulumi.Input; } export interface ObservatoryScheduledTestSchedule { /** * The frequency of the test. * Available values: "DAILY", "WEEKLY". */ frequency?: pulumi.Input; /** * A test region. * Available values: "asia-east1", "asia-northeast1", "asia-northeast2", "asia-south1", "asia-southeast1", "australia-southeast1", "europe-north1", "europe-southwest1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west8", "europe-west9", "me-west1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-south1", "us-west1". */ region?: pulumi.Input; /** * A URL. */ url?: pulumi.Input; } export interface ObservatoryScheduledTestTest { date?: pulumi.Input; /** * The Lighthouse report. */ desktopReport?: pulumi.Input; /** * UUID. */ id?: pulumi.Input; /** * The Lighthouse report. */ mobileReport?: pulumi.Input; /** * A test region with a label. */ region?: pulumi.Input; /** * The frequency of the test. * Available values: "DAILY", "WEEKLY". */ scheduleFrequency?: pulumi.Input; /** * A URL. */ url?: pulumi.Input; } export interface ObservatoryScheduledTestTestDesktopReport { /** * Cumulative Layout Shift. */ cls?: pulumi.Input; /** * The type of device. * Available values: "DESKTOP", "MOBILE". 
*/ deviceType?: pulumi.Input; error?: pulumi.Input; /** * First Contentful Paint. */ fcp?: pulumi.Input; /** * The URL to the full Lighthouse JSON report. */ jsonReportUrl?: pulumi.Input; /** * Largest Contentful Paint. */ lcp?: pulumi.Input; /** * The Lighthouse performance score. */ performanceScore?: pulumi.Input; /** * Speed Index. */ si?: pulumi.Input; /** * The state of the Lighthouse report. * Available values: "RUNNING", "COMPLETE", "FAILED". */ state?: pulumi.Input; /** * Total Blocking Time. */ tbt?: pulumi.Input; /** * Time To First Byte. */ ttfb?: pulumi.Input; /** * Time To Interactive. */ tti?: pulumi.Input; } export interface ObservatoryScheduledTestTestDesktopReportError { /** * The error code of the Lighthouse result. * Available values: "NOT*REACHABLE", "DNS*FAILURE", "NOT*HTML", "LIGHTHOUSE*TIMEOUT", "UNKNOWN". */ code?: pulumi.Input; /** * Detailed error message. */ detail?: pulumi.Input; /** * The final URL displayed to the user. */ finalDisplayedUrl?: pulumi.Input; } export interface ObservatoryScheduledTestTestMobileReport { /** * Cumulative Layout Shift. */ cls?: pulumi.Input; /** * The type of device. * Available values: "DESKTOP", "MOBILE". */ deviceType?: pulumi.Input; error?: pulumi.Input; /** * First Contentful Paint. */ fcp?: pulumi.Input; /** * The URL to the full Lighthouse JSON report. */ jsonReportUrl?: pulumi.Input; /** * Largest Contentful Paint. */ lcp?: pulumi.Input; /** * The Lighthouse performance score. */ performanceScore?: pulumi.Input; /** * Speed Index. */ si?: pulumi.Input; /** * The state of the Lighthouse report. * Available values: "RUNNING", "COMPLETE", "FAILED". */ state?: pulumi.Input; /** * Total Blocking Time. */ tbt?: pulumi.Input; /** * Time To First Byte. */ ttfb?: pulumi.Input; /** * Time To Interactive. */ tti?: pulumi.Input; } export interface ObservatoryScheduledTestTestMobileReportError { /** * The error code of the Lighthouse result. 
* Available values: "NOT*REACHABLE", "DNS*FAILURE", "NOT*HTML", "LIGHTHOUSE*TIMEOUT", "UNKNOWN". */ code?: pulumi.Input; /** * Detailed error message. */ detail?: pulumi.Input; /** * The final URL displayed to the user. */ finalDisplayedUrl?: pulumi.Input; } export interface ObservatoryScheduledTestTestRegion { label?: pulumi.Input; /** * A test region. * Available values: "asia-east1", "asia-northeast1", "asia-northeast2", "asia-south1", "asia-southeast1", "australia-southeast1", "europe-north1", "europe-southwest1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west8", "europe-west9", "me-west1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-south1", "us-west1". */ value?: pulumi.Input; } export interface OrganizationMeta { /** * Enable features for Organizations. */ flags?: pulumi.Input; managedBy?: pulumi.Input; } export interface OrganizationMetaFlags { accountCreation?: pulumi.Input; accountDeletion?: pulumi.Input; accountMigration?: pulumi.Input; accountMobility?: pulumi.Input; subOrgCreation?: pulumi.Input; } export interface OrganizationParent { id: pulumi.Input; name?: pulumi.Input; } export interface OrganizationProfile { businessAddress: pulumi.Input; businessEmail: pulumi.Input; businessName: pulumi.Input; businessPhone: pulumi.Input; externalMetadata: pulumi.Input; } export interface PageRuleActions { alwaysUseHttps?: pulumi.Input; automaticHttpsRewrites?: pulumi.Input; browserCacheTtl?: pulumi.Input; browserCheck?: pulumi.Input; bypassCacheOnCookie?: pulumi.Input; cacheByDeviceType?: pulumi.Input; cacheDeceptionArmor?: pulumi.Input; cacheKeyFields?: pulumi.Input; cacheLevel?: pulumi.Input; cacheOnCookie?: pulumi.Input; cacheTtlByStatus?: pulumi.Input<{ [key: string]: pulumi.Input; }>; disableApps?: pulumi.Input; disablePerformance?: pulumi.Input; disableSecurity?: pulumi.Input; disableZaraz?: pulumi.Input; edgeCacheTtl?: pulumi.Input; emailObfuscation?: pulumi.Input; explicitCacheControl?: pulumi.Input; 
forwardingUrl?: pulumi.Input; hostHeaderOverride?: pulumi.Input; ipGeolocation?: pulumi.Input; mirage?: pulumi.Input; opportunisticEncryption?: pulumi.Input; originErrorPagePassThru?: pulumi.Input; polish?: pulumi.Input; resolveOverride?: pulumi.Input; respectStrongEtag?: pulumi.Input; responseBuffering?: pulumi.Input; rocketLoader?: pulumi.Input; securityLevel?: pulumi.Input; sortQueryStringForCache?: pulumi.Input; ssl?: pulumi.Input; trueClientIpHeader?: pulumi.Input; waf?: pulumi.Input; } export interface PageRuleActionsCacheKeyFields { cookie?: pulumi.Input; header?: pulumi.Input; host?: pulumi.Input; queryString?: pulumi.Input; user?: pulumi.Input; } export interface PageRuleActionsCacheKeyFieldsCookie { checkPresences?: pulumi.Input[]>; includes?: pulumi.Input[]>; } export interface PageRuleActionsCacheKeyFieldsHeader { checkPresences?: pulumi.Input[]>; excludes?: pulumi.Input[]>; includes?: pulumi.Input[]>; } export interface PageRuleActionsCacheKeyFieldsHost { resolved?: pulumi.Input; } export interface PageRuleActionsCacheKeyFieldsQueryString { excludes?: pulumi.Input[]>; includes?: pulumi.Input[]>; } export interface PageRuleActionsCacheKeyFieldsUser { deviceType?: pulumi.Input; geo?: pulumi.Input; lang?: pulumi.Input; } export interface PageRuleActionsForwardingUrl { statusCode: pulumi.Input; url: pulumi.Input; } export interface PagesDomainValidationData { errorMessage?: pulumi.Input; /** * Available values: "http", "txt". */ method?: pulumi.Input; /** * Available values: "initializing", "pending", "active", "deactivated", "error". */ status?: pulumi.Input; txtName?: pulumi.Input; txtValue?: pulumi.Input; } export interface PagesDomainVerificationData { errorMessage?: pulumi.Input; /** * Available values: "pending", "active", "deactivated", "blocked", "error". */ status?: pulumi.Input; } export interface PagesProjectBuildConfig { /** * Enable build caching for the project. */ buildCaching?: pulumi.Input; /** * Command used to build project. 
*/ buildCommand?: pulumi.Input; /** * Output directory of the build. */ destinationDir?: pulumi.Input; /** * Directory to run the command. */ rootDir?: pulumi.Input; /** * The classifying tag for analytics. */ webAnalyticsTag?: pulumi.Input; /** * The auth token for analytics. */ webAnalyticsToken?: pulumi.Input; } export interface PagesProjectCanonicalDeployment { /** * A list of alias URLs pointing to this deployment. */ aliases?: pulumi.Input[]>; /** * Configs for the project build process. */ buildConfig?: pulumi.Input; /** * When the deployment was created. */ createdOn?: pulumi.Input; /** * Info about what caused the deployment. */ deploymentTrigger?: pulumi.Input; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Type of deploy. * Available values: "preview", "production". */ environment?: pulumi.Input; /** * Id of the deployment. */ id?: pulumi.Input; /** * If the deployment has been skipped. */ isSkipped?: pulumi.Input; /** * The status of the deployment. */ latestStage?: pulumi.Input; /** * When the deployment was last modified. */ modifiedOn?: pulumi.Input; /** * Id of the project. */ projectId?: pulumi.Input; /** * Name of the project. */ projectName?: pulumi.Input; /** * Short Id (8 character) of the deployment. */ shortId?: pulumi.Input; /** * Configs for the project source control. */ source?: pulumi.Input; /** * List of past stages. */ stages?: pulumi.Input[]>; /** * The live URL to view this deployment. */ url?: pulumi.Input; /** * Whether the deployment uses functions. */ usesFunctions?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentBuildConfig { /** * Enable build caching for the project. */ buildCaching?: pulumi.Input; /** * Command used to build project. */ buildCommand?: pulumi.Input; /** * Assets output directory of the build. */ destinationDir?: pulumi.Input; /** * Directory to run the command. 
*/ rootDir?: pulumi.Input; /** * The classifying tag for analytics. */ webAnalyticsTag?: pulumi.Input; /** * The auth token for analytics. This is a credential; keep it out of plaintext program source and logs. */ webAnalyticsToken?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentDeploymentTrigger { /** * Additional info about the trigger. */ metadata?: pulumi.Input; /** * What caused the deployment. * Available values: "github:push", "ad_hoc", "deploy_hook". */ type?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentDeploymentTriggerMetadata { /** * Where the trigger happened. */ branch?: pulumi.Input; /** * Whether the deployment trigger commit was dirty. */ commitDirty?: pulumi.Input; /** * Hash of the deployment trigger commit. */ commitHash?: pulumi.Input; /** * Message of the deployment trigger commit. */ commitMessage?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentEnvVars { /** * Available values: "plain_text", "secret_text". */ type?: pulumi.Input; /** * Environment variable value. A value whose `type` is "secret_text" is sensitive and should be handled as a secret wherever this object is read or logged. */ value?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentLatestStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentSource { config?: pulumi.Input; /** * The source control management provider. * Available values: "github", "gitlab". */ type?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentSourceConfig { /** * Whether to enable automatic deployments when pushing to the source repository. * When disabled, no deployments (production or preview) will be triggered automatically. * * @deprecated Use `productionDeploymentsEnabled` and `previewDeploymentSetting` for more granular control. 
*/ deploymentsEnabled?: pulumi.Input; /** * The owner of the repository. */ owner?: pulumi.Input; /** * The owner ID of the repository. */ ownerId?: pulumi.Input; /** * A list of paths that should be excluded from triggering a preview deployment. Wildcard syntax (`*`) is supported. */ pathExcludes?: pulumi.Input[]>; /** * A list of paths that should be watched to trigger a preview deployment. Wildcard syntax (`*`) is supported. */ pathIncludes?: pulumi.Input[]>; /** * Whether to enable PR comments. */ prCommentsEnabled?: pulumi.Input; /** * A list of branches that should not trigger a preview deployment. Wildcard syntax (`*`) is supported. Must be used with `previewDeploymentSetting` set to `custom`. */ previewBranchExcludes?: pulumi.Input[]>; /** * A list of branches that should trigger a preview deployment. Wildcard syntax (`*`) is supported. Must be used with `previewDeploymentSetting` set to `custom`. */ previewBranchIncludes?: pulumi.Input[]>; /** * Controls whether commits to preview branches trigger a preview deployment. * Available values: "all", "none", "custom". */ previewDeploymentSetting?: pulumi.Input; /** * The production branch of the repository. */ productionBranch?: pulumi.Input; /** * Whether to trigger a production deployment on commits to the production branch. */ productionDeploymentsEnabled?: pulumi.Input; /** * The ID of the repository. */ repoId?: pulumi.Input; /** * The name of the repository. */ repoName?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectDeploymentConfigs { /** * Configs for preview deploys. 
*/ preview?: pulumi.Input; /** * Configs for production deploys. */ production?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreview { /** * Constellation bindings used for Pages Functions. */ aiBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Whether to always use the latest compatibility date for Pages Functions. */ alwaysUseLatestCompatibilityDate?: pulumi.Input; /** * Analytics Engine bindings used for Pages Functions. */ analyticsEngineDatasets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Browser bindings used for Pages Functions. */ browsers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The major version of the build image to use for Pages Functions. */ buildImageMajorVersion?: pulumi.Input; /** * Compatibility date used for Pages Functions. */ compatibilityDate?: pulumi.Input; /** * Compatibility flags used for Pages Functions. */ compatibilityFlags?: pulumi.Input[]>; /** * D1 databases used for Pages Functions. */ d1Databases?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Durable Object namespaces used for Pages Functions. */ durableObjectNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Whether to fail open when the deployment config cannot be applied. */ failOpen?: pulumi.Input; /** * Hyperdrive bindings used for Pages Functions. */ hyperdriveBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * KV namespaces used for Pages Functions. */ kvNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Limits for Pages Functions. */ limits?: pulumi.Input; /** * mTLS bindings used for Pages Functions. */ mtlsCertificates?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Placement setting used for Pages Functions. */ placement?: pulumi.Input; /** * Queue Producer bindings used for Pages Functions. 
*/ queueProducers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * R2 buckets used for Pages Functions. */ r2Buckets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Services used for Pages Functions. */ services?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The usage model for Pages Functions. * Available values: "standard", "bundled", "unbound". * * @deprecated All new projects now use the Standard usage model. */ usageModel?: pulumi.Input; /** * Vectorize bindings used for Pages Functions. */ vectorizeBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Hash of the Wrangler configuration used for the deployment. */ wranglerConfigHash?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewAiBindings { projectId: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewAnalyticsEngineDatasets { /** * Name of the dataset. */ dataset: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewBrowsers { } export interface PagesProjectDeploymentConfigsPreviewD1Databases { /** * UUID of the D1 database. */ id: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewDurableObjectNamespaces { /** * ID of the Durable Object namespace. */ namespaceId: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewEnvVars { /** * Available values: "plain_text", "secret_text". */ type: pulumi.Input; /** * Environment variable value. When `type` is "secret_text" the value is sensitive: pass it as a Pulumi secret (for example `pulumi.secret(...)`) so it is encrypted in stack state instead of appearing as a plaintext literal. */ value: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewHyperdriveBindings { id: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewKvNamespaces { /** * ID of the KV namespace. */ namespaceId: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewLimits { /** * CPU time limit in milliseconds. 
*/ cpuMs: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewMtlsCertificates { certificateId: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewPlacement { /** * Placement mode. */ mode?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewQueueProducers { /** * Name of the Queue. */ name: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewR2Buckets { /** * Jurisdiction of the R2 bucket. */ jurisdiction?: pulumi.Input; /** * Name of the R2 bucket. */ name: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewServices { /** * The entrypoint to bind to. */ entrypoint?: pulumi.Input; /** * The Service environment. */ environment?: pulumi.Input; /** * The Service name. */ service: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewVectorizeBindings { indexName: pulumi.Input; } export interface PagesProjectDeploymentConfigsProduction { /** * Constellation bindings used for Pages Functions. */ aiBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Whether to always use the latest compatibility date for Pages Functions. */ alwaysUseLatestCompatibilityDate?: pulumi.Input; /** * Analytics Engine bindings used for Pages Functions. */ analyticsEngineDatasets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Browser bindings used for Pages Functions. */ browsers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The major version of the build image to use for Pages Functions. */ buildImageMajorVersion?: pulumi.Input; /** * Compatibility date used for Pages Functions. */ compatibilityDate?: pulumi.Input; /** * Compatibility flags used for Pages Functions. */ compatibilityFlags?: pulumi.Input[]>; /** * D1 databases used for Pages Functions. */ d1Databases?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Durable Object namespaces used for Pages Functions. 
*/ durableObjectNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Whether to fail open when the deployment config cannot be applied. */ failOpen?: pulumi.Input; /** * Hyperdrive bindings used for Pages Functions. */ hyperdriveBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * KV namespaces used for Pages Functions. */ kvNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Limits for Pages Functions. */ limits?: pulumi.Input; /** * mTLS bindings used for Pages Functions. */ mtlsCertificates?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Placement setting used for Pages Functions. */ placement?: pulumi.Input; /** * Queue Producer bindings used for Pages Functions. */ queueProducers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * R2 buckets used for Pages Functions. */ r2Buckets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Services used for Pages Functions. */ services?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The usage model for Pages Functions. * Available values: "standard", "bundled", "unbound". * * @deprecated All new projects now use the Standard usage model. */ usageModel?: pulumi.Input; /** * Vectorize bindings used for Pages Functions. */ vectorizeBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Hash of the Wrangler configuration used for the deployment. */ wranglerConfigHash?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionAiBindings { projectId: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionAnalyticsEngineDatasets { /** * Name of the dataset. */ dataset: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionBrowsers { } export interface PagesProjectDeploymentConfigsProductionD1Databases { /** * UUID of the D1 database. 
*/ id: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionDurableObjectNamespaces { /** * ID of the Durable Object namespace. */ namespaceId: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionEnvVars { /** * Available values: "plain_text", "secret_text". */ type: pulumi.Input; /** * Environment variable value. When `type` is "secret_text", supply the value as a Pulumi secret (for example `pulumi.secret(...)` or a secret config value) so it is encrypted in state rather than stored in plaintext. */ value: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionHyperdriveBindings { id: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionKvNamespaces { /** * ID of the KV namespace. */ namespaceId: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionLimits { /** * CPU time limit in milliseconds. */ cpuMs: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionMtlsCertificates { certificateId: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionPlacement { /** * Placement mode. */ mode?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionQueueProducers { /** * Name of the Queue. */ name: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionR2Buckets { /** * Jurisdiction of the R2 bucket. */ jurisdiction?: pulumi.Input; /** * Name of the R2 bucket. */ name: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionServices { /** * The entrypoint to bind to. */ entrypoint?: pulumi.Input; /** * The Service environment. */ environment?: pulumi.Input; /** * The Service name. */ service: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionVectorizeBindings { indexName: pulumi.Input; } export interface PagesProjectLatestDeployment { /** * A list of alias URLs pointing to this deployment. */ aliases?: pulumi.Input[]>; /** * Configs for the project build process. */ buildConfig?: pulumi.Input; /** * When the deployment was created. */ createdOn?: pulumi.Input; /** * Info about what caused the deployment. 
*/ deploymentTrigger?: pulumi.Input; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Type of deploy. * Available values: "preview", "production". */ environment?: pulumi.Input; /** * Id of the deployment. */ id?: pulumi.Input; /** * If the deployment has been skipped. */ isSkipped?: pulumi.Input; /** * The status of the deployment. */ latestStage?: pulumi.Input; /** * When the deployment was last modified. */ modifiedOn?: pulumi.Input; /** * Id of the project. */ projectId?: pulumi.Input; /** * Name of the project. */ projectName?: pulumi.Input; /** * Short Id (8 character) of the deployment. */ shortId?: pulumi.Input; /** * Configs for the project source control. */ source?: pulumi.Input; /** * List of past stages. */ stages?: pulumi.Input[]>; /** * The live URL to view this deployment. */ url?: pulumi.Input; /** * Whether the deployment uses functions. */ usesFunctions?: pulumi.Input; } export interface PagesProjectLatestDeploymentBuildConfig { /** * Enable build caching for the project. */ buildCaching?: pulumi.Input; /** * Command used to build project. */ buildCommand?: pulumi.Input; /** * Assets output directory of the build. */ destinationDir?: pulumi.Input; /** * Directory to run the command. */ rootDir?: pulumi.Input; /** * The classifying tag for analytics. */ webAnalyticsTag?: pulumi.Input; /** * The auth token for analytics. */ webAnalyticsToken?: pulumi.Input; } export interface PagesProjectLatestDeploymentDeploymentTrigger { /** * Additional info about the trigger. */ metadata?: pulumi.Input; /** * What caused the deployment. * Available values: "github:push", "ad_hoc", "deploy_hook". */ type?: pulumi.Input; } export interface PagesProjectLatestDeploymentDeploymentTriggerMetadata { /** * Where the trigger happened. */ branch?: pulumi.Input; /** * Whether the deployment trigger commit was dirty. */ commitDirty?: pulumi.Input; /** * Hash of the deployment trigger commit. 
*/ commitHash?: pulumi.Input; /** * Message of the deployment trigger commit. */ commitMessage?: pulumi.Input; } export interface PagesProjectLatestDeploymentEnvVars { /** * Available values: "plain_text", "secret_text". */ type?: pulumi.Input; /** * Environment variable value. */ value?: pulumi.Input; } export interface PagesProjectLatestDeploymentLatestStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectLatestDeploymentSource { config?: pulumi.Input; /** * The source control management provider. * Available values: "github", "gitlab". */ type?: pulumi.Input; } export interface PagesProjectLatestDeploymentSourceConfig { /** * Whether to enable automatic deployments when pushing to the source repository. * When disabled, no deployments (production or preview) will be triggered automatically. * * @deprecated Use `productionDeploymentsEnabled` and `previewDeploymentSetting` for more granular control. */ deploymentsEnabled?: pulumi.Input; /** * The owner of the repository. */ owner?: pulumi.Input; /** * The owner ID of the repository. */ ownerId?: pulumi.Input; /** * A list of paths that should be excluded from triggering a preview deployment. Wildcard syntax (`*`) is supported. */ pathExcludes?: pulumi.Input[]>; /** * A list of paths that should be watched to trigger a preview deployment. Wildcard syntax (`*`) is supported. */ pathIncludes?: pulumi.Input[]>; /** * Whether to enable PR comments. */ prCommentsEnabled?: pulumi.Input; /** * A list of branches that should not trigger a preview deployment. Wildcard syntax (`*`) is supported. Must be used with `previewDeploymentSetting` set to `custom`. 
*/ previewBranchExcludes?: pulumi.Input[]>; /** * A list of branches that should trigger a preview deployment. Wildcard syntax (`*`) is supported. Must be used with `previewDeploymentSetting` set to `custom`. */ previewBranchIncludes?: pulumi.Input[]>; /** * Controls whether commits to preview branches trigger a preview deployment. * Available values: "all", "none", "custom". */ previewDeploymentSetting?: pulumi.Input; /** * The production branch of the repository. */ productionBranch?: pulumi.Input; /** * Whether to trigger a production deployment on commits to the production branch. */ productionDeploymentsEnabled?: pulumi.Input; /** * The ID of the repository. */ repoId?: pulumi.Input; /** * The name of the repository. */ repoName?: pulumi.Input; } export interface PagesProjectLatestDeploymentStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectSource { config: pulumi.Input; /** * The source control management provider. * Available values: "github", "gitlab". */ type: pulumi.Input; } export interface PagesProjectSourceConfig { /** * Whether to enable automatic deployments when pushing to the source repository. * When disabled, no deployments (production or preview) will be triggered automatically. * * @deprecated Use `productionDeploymentsEnabled` and `previewDeploymentSetting` for more granular control. */ deploymentsEnabled?: pulumi.Input; /** * The owner of the repository. */ owner?: pulumi.Input; /** * The owner ID of the repository. */ ownerId?: pulumi.Input; /** * A list of paths that should be excluded from triggering a preview deployment. Wildcard syntax (`*`) is supported. 
*/ pathExcludes?: pulumi.Input[]>; /** * A list of paths that should be watched to trigger a preview deployment. Wildcard syntax (`*`) is supported. */ pathIncludes?: pulumi.Input[]>; /** * Whether to enable PR comments. */ prCommentsEnabled?: pulumi.Input; /** * A list of branches that should not trigger a preview deployment. Wildcard syntax (`*`) is supported. Must be used with `previewDeploymentSetting` set to `custom`. */ previewBranchExcludes?: pulumi.Input[]>; /** * A list of branches that should trigger a preview deployment. Wildcard syntax (`*`) is supported. Must be used with `previewDeploymentSetting` set to `custom`. */ previewBranchIncludes?: pulumi.Input[]>; /** * Controls whether commits to preview branches trigger a preview deployment. * Available values: "all", "none", "custom". */ previewDeploymentSetting?: pulumi.Input; /** * The production branch of the repository. */ productionBranch?: pulumi.Input; /** * Whether to trigger a production deployment on commits to the production branch. */ productionDeploymentsEnabled?: pulumi.Input; /** * The ID of the repository. */ repoId?: pulumi.Input; /** * The name of the repository. */ repoName?: pulumi.Input; } export interface QueueConsumer { /** * A Resource identifier. */ consumerId?: pulumi.Input; createdOn?: pulumi.Input; /** * Name of the dead letter queue, or empty string if not configured */ deadLetterQueue?: pulumi.Input; queueName?: pulumi.Input; /** * Name of a Worker */ scriptName?: pulumi.Input; settings?: pulumi.Input; /** * Available values: "worker", "httpPull". */ type?: pulumi.Input; } export interface QueueConsumerSettings { /** * The maximum number of messages to include in a batch. */ batchSize?: pulumi.Input; /** * Maximum number of concurrent consumers that may consume from this Queue. Set to `null` to automatically opt in to the platform's maximum (recommended). 
*/ maxConcurrency?: pulumi.Input; /** * The maximum number of retries */ maxRetries?: pulumi.Input; /** * The number of milliseconds to wait for a batch to fill up before attempting to deliver it */ maxWaitTimeMs?: pulumi.Input; /** * The number of seconds to delay before making the message available for another attempt. */ retryDelay?: pulumi.Input; /** * The number of milliseconds that a message is exclusively leased. After the timeout, the message becomes available for another attempt. */ visibilityTimeoutMs?: pulumi.Input; } export interface QueueProducer { bucketName?: pulumi.Input; script?: pulumi.Input; /** * Available values: "worker", "r2Bucket". */ type?: pulumi.Input; } export interface QueueSettings { /** * Number of seconds to delay delivery of all messages to consumers. */ deliveryDelay?: pulumi.Input; /** * Indicates if message delivery to consumers is currently paused. */ deliveryPaused?: pulumi.Input; /** * Number of seconds after which an unconsumed message will be delayed. */ messageRetentionPeriod?: pulumi.Input; } export interface R2BucketCorsRule { /** * Object specifying allowed origins, methods and headers for this CORS rule. */ allowed: pulumi.Input; /** * Specifies the headers that can be exposed back, and accessed by, the JavaScript making the cross-origin request. If you need to access headers beyond the safelisted response headers, such as Content-Encoding or cf-cache-status, you must specify it here. */ exposeHeaders?: pulumi.Input[]>; /** * Identifier for this rule. */ id?: pulumi.Input; /** * Specifies the amount of time (in seconds) browsers are allowed to cache CORS preflight responses. Browsers may limit this to 2 hours or less, even if the maximum value (86400) is specified. */ maxAgeSeconds?: pulumi.Input; } export interface R2BucketCorsRuleAllowed { /** * Specifies the value for the Access-Control-Allow-Headers header R2 sets when requesting objects in this bucket from a browser. 
Cross-origin requests that include custom headers (e.g. x-user-id) should specify these headers as AllowedHeaders. */ headers?: pulumi.Input[]>; /** * Specifies the value for the Access-Control-Allow-Methods header R2 sets when requesting objects in a bucket from a browser. */ methods: pulumi.Input[]>; /** * Specifies the value for the Access-Control-Allow-Origin header R2 sets when requesting objects in a bucket from a browser. */ origins: pulumi.Input[]>; } export interface R2BucketEventNotificationRule { /** * Array of R2 object actions that will trigger notifications. */ actions: pulumi.Input[]>; /** * A description that can be used to identify the event notification rule after creation. */ description?: pulumi.Input; /** * Notifications will be sent only for objects with this prefix. */ prefix?: pulumi.Input; /** * Notifications will be sent only for objects with this suffix. */ suffix?: pulumi.Input; } export interface R2BucketLifecycleRule { /** * Transition to abort ongoing multipart uploads. */ abortMultipartUploadsTransition?: pulumi.Input; /** * Conditions that apply to all transitions of this rule. */ conditions: pulumi.Input; /** * Transition to delete objects. */ deleteObjectsTransition?: pulumi.Input; /** * Whether or not this rule is in effect. */ enabled: pulumi.Input; /** * Unique identifier for this rule. */ id: pulumi.Input; /** * Transitions to change the storage class of objects. */ storageClassTransitions?: pulumi.Input[]>; } export interface R2BucketLifecycleRuleAbortMultipartUploadsTransition { /** * Condition for lifecycle transitions to apply after an object reaches an age in seconds. */ condition?: pulumi.Input; } export interface R2BucketLifecycleRuleAbortMultipartUploadsTransitionCondition { maxAge: pulumi.Input; /** * Available values: "Age". 
*/ type: pulumi.Input; } export interface R2BucketLifecycleRuleConditions { /** * Transitions will only apply to objects/uploads in the bucket that start with the given prefix, an empty prefix can be provided to scope rule to all objects/uploads. */ prefix: pulumi.Input; } export interface R2BucketLifecycleRuleDeleteObjectsTransition { /** * Condition for lifecycle transitions to apply after an object reaches an age in seconds. */ condition?: pulumi.Input; } export interface R2BucketLifecycleRuleDeleteObjectsTransitionCondition { date?: pulumi.Input; maxAge?: pulumi.Input; /** * Available values: "Age", "Date". */ type: pulumi.Input; } export interface R2BucketLifecycleRuleStorageClassTransition { /** * Condition for lifecycle transitions to apply after an object reaches an age in seconds. */ condition: pulumi.Input; /** * Available values: "InfrequentAccess". */ storageClass: pulumi.Input; } export interface R2BucketLifecycleRuleStorageClassTransitionCondition { date?: pulumi.Input; maxAge?: pulumi.Input; /** * Available values: "Age", "Date". */ type: pulumi.Input; } export interface R2BucketLockRule { /** * Condition to apply a lock rule to an object for how long in seconds. */ condition: pulumi.Input; /** * Whether or not this rule is in effect. */ enabled: pulumi.Input; /** * Unique identifier for this rule. */ id: pulumi.Input; /** * Rule will only apply to objects/uploads in the bucket that start with the given prefix, an empty prefix can be provided to scope rule to all objects/uploads. */ prefix?: pulumi.Input; } export interface R2BucketLockRuleCondition { date?: pulumi.Input; maxAgeSeconds?: pulumi.Input; /** * Available values: "Age", "Date", "Indefinite". */ type: pulumi.Input; } export interface R2BucketSippyDestination { /** * ID of a Cloudflare API token. * This is the value labelled "Access Key ID" when creating an API * token from the [R2 dashboard](https://dash.cloudflare.com/?to=/:account/r2/api-tokens). 
*/ accessKeyId?: pulumi.Input; /** * Available values: "r2". */ cloudProvider?: pulumi.Input; /** * Value of a Cloudflare API token. * This is the value labelled "Secret Access Key" when creating an API * token from the [R2 dashboard](https://dash.cloudflare.com/?to=/:account/r2/api-tokens). * * Sippy will use this token when writing objects to R2, so it is * best to scope this token to the bucket you're enabling Sippy for. * * Supply this value as a Pulumi secret (for example `pulumi.secret(...)` or a secret config value) so it is encrypted in state rather than stored in plaintext. */ secretAccessKey?: pulumi.Input; } export interface R2BucketSippySource { /** * Access Key ID of an IAM credential (ideally scoped to a single S3 bucket). */ accessKeyId?: pulumi.Input; /** * Name of the AWS S3 bucket. */ bucket?: pulumi.Input; /** * URL to the S3-compatible API of the bucket. */ bucketUrl?: pulumi.Input; /** * Client email of an IAM credential (ideally scoped to a single GCS bucket). */ clientEmail?: pulumi.Input; /** * Available values: "aws", "gcs", "s3". */ cloudProvider?: pulumi.Input; /** * Private Key of an IAM credential (ideally scoped to a single GCS bucket). Supply it as a Pulumi secret so it is encrypted in state. */ privateKey?: pulumi.Input; /** * Name of the AWS availability zone. */ region?: pulumi.Input; /** * Secret Access Key of an IAM credential (ideally scoped to a single S3 bucket). Supply it as a Pulumi secret so it is encrypted in state. */ secretAccessKey?: pulumi.Input; } export interface R2CustomDomainStatus { /** * Ownership status of the domain. * Available values: "pending", "active", "deactivated", "blocked", "error", "unknown". */ ownership?: pulumi.Input; /** * SSL certificate status. * Available values: "initializing", "pending", "active", "deactivated", "error", "unknown". */ ssl?: pulumi.Input; } export interface RateLimitAction { /** * The action to perform. * Available values: "simulate", "ban", "challenge", "js_challenge", "managed_challenge". */ mode?: pulumi.Input; /** * A custom content type and response to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. 
 * Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. */ response?: pulumi.Input; /** * The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. * Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. */ timeout?: pulumi.Input; } export interface RateLimitActionResponse { /** * The response body to return. The value must conform to the configured content type. */ body?: pulumi.Input; /** * The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. */ contentType?: pulumi.Input; } export interface RateLimitBypass { /** * Available values: "url". */ name?: pulumi.Input; /** * The URL to bypass. */ value?: pulumi.Input; } export interface RateLimitMatch { headers?: pulumi.Input[]>; request?: pulumi.Input; response?: pulumi.Input; } export interface RateLimitMatchHeader { /** * The name of the response header to match. */ name?: pulumi.Input; /** * The operator used when matching: `eq` means "equal" and `ne` means "not equal". * Available values: "eq", "ne". */ op?: pulumi.Input; /** * The value of the response header, which must match exactly. */ value?: pulumi.Input; } export interface RateLimitMatchRequest { /** * The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. */ methods?: pulumi.Input[]>; /** * The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. 
*/ schemes?: pulumi.Input[]>; /** * The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. */ url?: pulumi.Input; } export interface RateLimitMatchResponse { /** * When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. * Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. */ originTraffic?: pulumi.Input; } export interface RecordData { /** * Algorithm. */ algorithm?: pulumi.Input; /** * Altitude of location in meters. */ altitude?: pulumi.Input; /** * Certificate. */ certificate?: pulumi.Input; /** * Digest. */ digest?: pulumi.Input; /** * Digest Type. */ digestType?: pulumi.Input; /** * Fingerprint. */ fingerprint?: pulumi.Input; /** * Flags for the CAA record. */ flags?: any; /** * Key Tag. */ keyTag?: pulumi.Input; /** * Degrees of latitude. */ latDegrees?: pulumi.Input; /** * Latitude direction. * Available values: "N", "S". */ latDirection?: pulumi.Input; /** * Minutes of latitude. */ latMinutes?: pulumi.Input; /** * Seconds of latitude. */ latSeconds?: pulumi.Input; /** * Degrees of longitude. */ longDegrees?: pulumi.Input; /** * Longitude direction. * Available values: "E", "W". */ longDirection?: pulumi.Input; /** * Minutes of longitude. */ longMinutes?: pulumi.Input; /** * Seconds of longitude. */ longSeconds?: pulumi.Input; /** * Matching Type. */ matchingType?: pulumi.Input; /** * Order. */ order?: pulumi.Input; /** * The port of the service. */ port?: pulumi.Input; /** * Horizontal precision of location. 
*/ precisionHorz?: pulumi.Input; /** * Vertical precision of location. */ precisionVert?: pulumi.Input; /** * Preference. */ preference?: pulumi.Input; /** * Priority. */ priority?: pulumi.Input; /** * Protocol. */ protocol?: pulumi.Input; /** * Public Key. */ publicKey?: pulumi.Input; /** * Regex. */ regex?: pulumi.Input; /** * Replacement. */ replacement?: pulumi.Input; /** * Selector. */ selector?: pulumi.Input; /** * Service. */ service?: pulumi.Input; /** * Size of location in meters. */ size?: pulumi.Input; /** * Name of the property controlled by this record (e.g.: issue, issuewild, iodef). */ tag?: pulumi.Input; /** * Target. */ target?: pulumi.Input; /** * Type. */ type?: pulumi.Input; /** * Usage. */ usage?: pulumi.Input; /** * Value of the record. This field's semantics depend on the chosen tag. */ value?: pulumi.Input; /** * The record weight. */ weight?: pulumi.Input; } export interface RecordSettings { /** * If enabled, causes the CNAME record to be resolved externally and the resulting address records (e.g., A and AAAA) to be returned instead of the CNAME record itself. This setting is unavailable for proxied records, since they are always flattened. */ flattenCname?: pulumi.Input; /** * When enabled, only A records will be generated, and AAAA records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv4Only?: pulumi.Input; /** * When enabled, only AAAA records will be generated, and A records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv6Only?: pulumi.Input; } export interface RiskBehaviorBehaviors { enabled: pulumi.Input; /** * Available values: "low", "medium", "high". 
*/ riskLevel: pulumi.Input; } export interface RulesetRule { /** * The action to perform when the rule matches. * Available values: "block", "challenge", "compress_response", "ddos_dynamic", "execute", "force_connection_close", "js_challenge", "log", "log_custom_field", "managed_challenge", "redirect", "rewrite", "route", "score", "serve_error", "set_cache_control", "set_cache_settings", "set_cache_tags", "set_config", "skip". */ action: pulumi.Input; /** * The parameters configuring the rule's action. */ actionParameters?: pulumi.Input; /** * An informative description of the rule. */ description?: pulumi.Input; /** * Whether the rule should be executed. */ enabled?: pulumi.Input; /** * Configuration for exposed credential checking. */ exposedCredentialCheck?: pulumi.Input; /** * The expression defining which traffic will match the rule. */ expression: pulumi.Input; /** * The unique ID of the rule. */ id?: pulumi.Input; /** * An object configuring the rule's logging behavior. */ logging?: pulumi.Input; /** * An object configuring the rule's rate limit behavior. */ ratelimit?: pulumi.Input; /** * The reference of the rule (the rule's ID by default). */ ref?: pulumi.Input; } export interface RulesetRuleActionParameters { /** * A list of additional ports that caching should be enabled on. */ additionalCacheablePorts?: pulumi.Input[]>; /** * Custom order for compression algorithms. */ algorithms?: pulumi.Input[]>; /** * The name of a custom asset to serve as the response. */ assetName?: pulumi.Input; /** * Whether to enable Automatic HTTPS Rewrites. */ automaticHttpsRewrites?: pulumi.Input; /** * Which file extensions to minify automatically. */ autominify?: pulumi.Input; /** * Whether to enable Browser Integrity Check (BIC). */ bic?: pulumi.Input; /** * How long client browsers should cache the response. Cloudflare cache purge will not purge content cached on client browsers, so high browser TTLs may lead to stale content. 
*/ browserTtl?: pulumi.Input; /** * Whether the request's response from the origin is eligible for caching. Caching itself will still depend on the cache control header and your other caching configurations. */ cache?: pulumi.Input; /** * Which components of the request are included in or excluded from the cache key Cloudflare uses to store the response in cache. */ cacheKey?: pulumi.Input; /** * Settings to determine whether the request's response from origin is eligible for Cache Reserve (requires a Cache Reserve add-on plan). */ cacheReserve?: pulumi.Input; /** * The response content. */ content?: pulumi.Input; /** * The content type header to set with the error response. * Available values: "application/json", "text/html", "text/plain", "text/xml". */ contentType?: pulumi.Input; /** * The cookie fields to log. */ cookieFields?: pulumi.Input[]>; /** * Whether to disable Cloudflare Apps. */ disableApps?: pulumi.Input; /** * Whether to disable Real User Monitoring (RUM). */ disableRum?: pulumi.Input; /** * Whether to disable Zaraz. */ disableZaraz?: pulumi.Input; /** * How long the Cloudflare edge network should cache the response. */ edgeTtl?: pulumi.Input; /** * Whether to enable Email Obfuscation. */ emailObfuscation?: pulumi.Input; /** * An expression to generate cache tags for the set_cache_tags action. */ expression?: pulumi.Input; /** * Whether to enable Cloudflare Fonts. */ fonts?: pulumi.Input; /** * A redirect based on a bulk list lookup. */ fromList?: pulumi.Input; /** * A redirect based on the request properties. */ fromValue?: pulumi.Input; /** * A map of headers to rewrite. */ headers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * A value to rewrite the HTTP host header to. */ hostHeader?: pulumi.Input; /** * Whether to enable Hotlink Protection. */ hotlinkProtection?: pulumi.Input; /** * The ID of the ruleset to execute. */ id?: pulumi.Input; /** * Set the immutable cache control directive. 
*/ immutable?: pulumi.Input; /** * A delta to change the score by, which can be either positive or negative. */ increment?: pulumi.Input; /** * The configuration to use for matched data logging. */ matchedData?: pulumi.Input; /** * Set the max-age cache control directive. */ maxAge?: pulumi.Input; /** * Whether to enable Mirage. */ mirage?: pulumi.Input; /** * Set the must-revalidate cache control directive. */ mustRevalidate?: pulumi.Input; /** * Set the must-understand cache control directive. */ mustUnderstand?: pulumi.Input; /** * Set the no-cache cache control directive. */ noCache?: pulumi.Input; /** * Set the no-store cache control directive. */ noStore?: pulumi.Input; /** * Set the no-transform cache control directive. */ noTransform?: pulumi.Input; /** * The operation to perform for the set_cache_tags action. * Available values: "set", "add", "remove". */ operation?: pulumi.Input; /** * Whether to enable Opportunistic Encryption. */ opportunisticEncryption?: pulumi.Input; /** * An origin to route to. */ origin?: pulumi.Input; /** * Whether Cloudflare will aim to strictly adhere to RFC 7234. */ originCacheControl?: pulumi.Input; /** * Whether to generate Cloudflare error pages for issues from the origin server. */ originErrorPagePassthru?: pulumi.Input; /** * A set of overrides to apply to the target ruleset. */ overrides?: pulumi.Input; /** * A list of phases to skip the execution of. This option is incompatible with the rulesets option. Skipping a phase turns off the rules in that phase for every request the rule's expression matches, so keep the expression as narrow as possible. 
 * Available values: "ddos_l4", "ddos_l7", "http_config_settings", "http_custom_errors", "http_log_custom_fields", "http_ratelimit", "http_request_cache_settings", "http_request_dynamic_redirect", "http_request_firewall_custom", "http_request_firewall_managed", "http_request_late_transform", "http_request_origin", "http_request_redirect", "http_request_sanitize", "http_request_sbfm", "http_request_transform", "http_response_cache_settings", "http_response_compression", "http_response_firewall_managed", "http_response_headers_transform", "magic_transit", "magic_transit_ids_managed", "magic_transit_managed", "magic_transit_ratelimit". */ phases?: pulumi.Input[]>; /** * The Polish level to configure. * Available values: "off", "lossless", "lossy", "webp". */ polish?: pulumi.Input; /** * Set the private cache control directive. */ private?: pulumi.Input; /** * A list of legacy security products to skip the execution of. Each listed product stops being applied to every request the rule's expression matches, so keep the expression as narrow as possible. * Available values: "bic", "hot", "rateLimit", "securityLevel", "uaBlock", "waf", "zoneLockdown". */ products?: pulumi.Input[]>; /** * Set the proxy-revalidate cache control directive. */ proxyRevalidate?: pulumi.Input; /** * Set the public cache control directive. */ public?: pulumi.Input; /** * The raw response fields to log. */ rawResponseFields?: pulumi.Input[]>; /** * A timeout value between two successive read operations to use for your origin server. Historically, the timeout value between two read options from Cloudflare to an origin server is 100 seconds. If you are attempting to reduce HTTP 524 errors because of timeouts from an origin server, try increasing this timeout value. */ readTimeout?: pulumi.Input; /** * The request body buffering mode to configure. * Available values: "none", "standard", "full". */ requestBodyBuffering?: pulumi.Input; /** * The raw request fields to log. */ requestFields?: pulumi.Input[]>; /** * Whether Cloudflare should respect strong ETag (entity tag) headers. 
If false, Cloudflare converts strong ETag headers to weak ETag headers. */ respectStrongEtags?: pulumi.Input; /** * The response to show when the block is applied. */ response?: pulumi.Input; /** * The response body buffering mode to configure. * Available values: "none", "standard". */ responseBodyBuffering?: pulumi.Input; /** * The transformed response fields to log. */ responseFields?: pulumi.Input[]>; /** * Whether to enable Rocket Loader. */ rocketLoader?: pulumi.Input; /** * A mapping of ruleset IDs to a list of rule IDs in that ruleset to skip the execution of. This option is incompatible with the ruleset option. */ rules?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * A ruleset to skip the execution of. This option is incompatible with the rulesets option. * Available values: "current". */ ruleset?: pulumi.Input; /** * A list of ruleset IDs to skip the execution of. This option is incompatible with the ruleset and phases options. */ rulesets?: pulumi.Input[]>; /** * Set the s-maxage cache control directive. */ sMaxage?: pulumi.Input; /** * The Security Level to configure. * Available values: "off", "essentially*off", "low", "medium", "high", "under*attack". */ securityLevel?: pulumi.Input; /** * When to serve stale content from cache. */ serveStale?: pulumi.Input; /** * Whether to enable Server-Side Excludes. */ serverSideExcludes?: pulumi.Input; /** * A Server Name Indication (SNI) override. */ sni?: pulumi.Input; /** * The SSL level to configure. * Available values: "off", "flexible", "full", "strict", "originPull". */ ssl?: pulumi.Input; /** * Set the stale-if-error cache control directive. */ staleIfError?: pulumi.Input; /** * Set the stale-while-revalidate cache control directive. */ staleWhileRevalidate?: pulumi.Input; /** * The status code to use for the error. */ statusCode?: pulumi.Input; /** * Whether to strip the ETag header from the response. 
*/ stripEtags?: pulumi.Input; /** * Whether to strip the Last-Modified header from the response. */ stripLastModified?: pulumi.Input; /** * Whether to strip the Set-Cookie header from the response. */ stripSetCookie?: pulumi.Input; /** * Whether to enable Signed Exchanges (SXG). */ sxg?: pulumi.Input; /** * The transformed request fields to log. */ transformedRequestFields?: pulumi.Input[]>; /** * A URI rewrite. */ uri?: pulumi.Input; /** * The cache tag values for the set_cache_tags action. */ values?: pulumi.Input[]>; } /** * A compression algorithm entry, identified by name. */ export interface RulesetRuleActionParametersAlgorithm { /** * Name of the compression algorithm to enable. * Available values: "none", "auto", "default", "gzip", "brotli", "zstd". */ name?: pulumi.Input; } /** * Per-file-type switches for minification. */ export interface RulesetRuleActionParametersAutominify { /** * Whether to minify CSS files. */ css?: pulumi.Input; /** * Whether to minify HTML files. */ html?: pulumi.Input; /** * Whether to minify JavaScript files. */ js?: pulumi.Input; } /** * Browser TTL settings: a mode, plus the TTL used by the override mode. */ export interface RulesetRuleActionParametersBrowserTtl { /** * The browser TTL (in seconds) if you choose the "override_origin" mode. */ default?: pulumi.Input; /** * The browser TTL mode. * Available values: "respect_origin", "bypass_by_default", "override_origin", "bypass". */ mode: pulumi.Input; } /** * Cache key settings for matched requests. */ export interface RulesetRuleActionParametersCacheKey { /** * Whether to separate cached content based on the visitor's device type. */ cacheByDeviceType?: pulumi.Input; /** * Whether to protect from web cache deception attacks, while allowing static assets to be cached. * Review note: this complements, and does not replace, `Cache-Control: private` or `no-store` on per-user responses from the origin. */ cacheDeceptionArmor?: pulumi.Input; /** * Which components of the request are included or excluded from the cache key. * Review note: any request input the origin uses to vary its response must stay in the key; an input left out of the key lets a response built for one visitor be served to another. */ customKey?: pulumi.Input; /** * Whether to treat requests with the same query parameters the same, regardless of the order those query parameters are in. */ ignoreQueryStringsOrder?: pulumi.Input; } export interface RulesetRuleActionParametersCacheKeyCustomKey { /** * Which cookies to include in the cache key.
*/ cookie?: pulumi.Input; /** * Which headers to include in the cache key. */ header?: pulumi.Input; /** * How to use the host in the cache key. */ host?: pulumi.Input; /** * Which query string parameters to include in or exclude from the cache key. */ queryString?: pulumi.Input; /** * How to use characteristics of the request user agent in the cache key. */ user?: pulumi.Input; } /** * Cookie components of a custom cache key. */ export interface RulesetRuleActionParametersCacheKeyCustomKeyCookie { /** * A list of cookies to check for the presence of. The presence of these cookies is included in the cache key. * Review note: a session cookie listed only here gives every visitor who has that cookie the same cache entry; use `includes` when the response depends on the cookie's value. */ checkPresences?: pulumi.Input[]>; /** * A list of cookies to include in the cache key. */ includes?: pulumi.Input[]>; } /** * Header components of a custom cache key. */ export interface RulesetRuleActionParametersCacheKeyCustomKeyHeader { /** * A list of headers to check for the presence of. The presence of these headers is included in the cache key. */ checkPresences?: pulumi.Input[]>; /** * A mapping of header names to a list of values. If a header is present in the request and contains any of the values provided, its value is included in the cache key. */ contains?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Whether to exclude the origin header from the cache key. * Review note: presumably this is the `Origin` request header; if the origin server varies its CORS response headers by it, excluding it lets a response cached for one requesting site be served to another. Confirm before enabling. */ excludeOrigin?: pulumi.Input; /** * A list of headers to include in the cache key. */ includes?: pulumi.Input[]>; } export interface RulesetRuleActionParametersCacheKeyCustomKeyHost { /** * Whether to use the resolved host in the cache key. */ resolved?: pulumi.Input; } /** * Query string components of a custom cache key: parameters to exclude or to include. */ export interface RulesetRuleActionParametersCacheKeyCustomKeyQueryString { /** * Which query string parameters to exclude from the cache key. */ exclude?: pulumi.Input; /** * Which query string parameters to include in the cache key. */ include?: pulumi.Input; } export interface RulesetRuleActionParametersCacheKeyCustomKeyQueryStringExclude { /** * Whether to exclude all query string parameters from the cache key. * Review note: with every parameter excluded, requests that differ only in their query string share one cached object; that is only safe where the origin ignores the query string. */ all?: pulumi.Input; /** * A list of query string parameters to exclude from the cache key.
*/ lists?: pulumi.Input[]>; } export interface RulesetRuleActionParametersCacheKeyCustomKeyQueryStringInclude { /** * Whether to include all query string parameters in the cache key. */ all?: pulumi.Input; /** * A list of query string parameters to include in the cache key. * Review note: parameters not listed are left out of the key, so list every parameter the origin uses to build the response. */ lists?: pulumi.Input[]>; } /** * Visitor characteristics that can be added to a custom cache key. */ export interface RulesetRuleActionParametersCacheKeyCustomKeyUser { /** * Whether to use the user agent's device type in the cache key. */ deviceType?: pulumi.Input; /** * Whether to use the user agent's country in the cache key. */ geo?: pulumi.Input; /** * Whether to use the user agent's language in the cache key. */ lang?: pulumi.Input; } export interface RulesetRuleActionParametersCacheReserve { /** * Whether Cache Reserve is enabled. If this is true and a request meets eligibility criteria, Cloudflare will write the resource to Cache Reserve. */ eligible: pulumi.Input; /** * The minimum file size eligible for storage in Cache Reserve. */ minimumFileSize?: pulumi.Input; } export interface RulesetRuleActionParametersCookieField { /** * The name of the cookie. */ name: pulumi.Input; } /** * Edge TTL settings: a mode, the TTL used by the override mode, and optional per-status-code TTLs. */ export interface RulesetRuleActionParametersEdgeTtl { /** * The edge TTL (in seconds) if you choose the "override_origin" mode. */ default?: pulumi.Input; /** * The edge TTL mode. * Available values: "respect_origin", "bypass_by_default", "override_origin". * Review note: "override_origin" presumably applies `default` in place of the origin's own cache headers; keep rules that use it away from responses carrying per-user data. Confirm against the API documentation. */ mode: pulumi.Input; /** * A list of TTLs to apply to specific status codes or status code ranges. */ statusCodeTtls?: pulumi.Input[]>; } export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtl { /** * A single status code to apply the TTL to. */ statusCode?: pulumi.Input; /** * A range of status codes to apply the TTL to. */ statusCodeRange?: pulumi.Input; /** * The time to cache the response for (in seconds). A value of 0 is equivalent to setting the cache control header with the value "no-cache". A value of -1 is equivalent to setting the cache control header with the value of "no-store".
*/ value: pulumi.Input; } export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtlStatusCodeRange { /** * The lower bound of the range. */ from?: pulumi.Input; /** * The upper bound of the range. */ to?: pulumi.Input; } export interface RulesetRuleActionParametersFromList { /** * An expression that evaluates to the list lookup key. */ key: pulumi.Input; /** * The name of the list to match against. */ name: pulumi.Input; } /** * A redirect described directly by its target URL, status code and query string handling. */ export interface RulesetRuleActionParametersFromValue { /** * Whether to keep the query string of the original request. * Review note: when kept, the original query string is sent on to the redirect target; avoid this where the query can carry tokens and the target is another site. */ preserveQueryString?: pulumi.Input; /** * The status code to use for the redirect. */ statusCode?: pulumi.Input; /** * A URL to redirect the request to. */ targetUrl: pulumi.Input; } export interface RulesetRuleActionParametersFromValueTargetUrl { /** * An expression that evaluates to a URL to redirect the request to. * Review note: if the expression builds the target from request fields, constrain the result to known hosts so the rule cannot act as an open redirect. */ expression?: pulumi.Input; /** * A URL to redirect the request to. */ value?: pulumi.Input; } /** * A single header modification: an operation plus either a static value or an expression. */ export interface RulesetRuleActionParametersHeaders { /** * An expression that evaluates to a value for the header. */ expression?: pulumi.Input; /** * The operation to perform on the header. * Available values: "add", "set", "remove". */ operation: pulumi.Input; /** * A static value for the header. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersImmutable { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; } export interface RulesetRuleActionParametersMatchedData { /** * The public key to encrypt matched data logs with. * Review note: only the public half belongs in this configuration; the matching private key is what reads the logged payloads and should be kept outside the Pulumi program and its state. */ publicKey: pulumi.Input; } export interface RulesetRuleActionParametersMaxAge { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; /** * The value for the directive in seconds.
*/ value?: pulumi.Input; } export interface RulesetRuleActionParametersMustRevalidate { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; } export interface RulesetRuleActionParametersMustUnderstand { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; } export interface RulesetRuleActionParametersNoCache { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; /** * The qualifiers for the directive. * NOTE(review): presumably the header field names of the qualified form of the directive; confirm against the API documentation. */ qualifiers?: pulumi.Input[]>; } export interface RulesetRuleActionParametersNoStore { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". * Review note: "remove" drops no-store, which makes the response storable by caches; check that the matched responses never carry per-user data. */ operation: pulumi.Input; } export interface RulesetRuleActionParametersNoTransform { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; } /** * An origin override: the host and port that matched requests are routed to. */ export interface RulesetRuleActionParametersOrigin { /** * A resolved host to route to. * Review note: matched requests, including their cookies and credentials, are delivered to this host, so it should be one you control. */ host?: pulumi.Input; /** * A destination port to route to. */ port?: pulumi.Input; } /** * Overrides applied to the rules of a target ruleset, at ruleset, category and rule level. */ export interface RulesetRuleActionParametersOverrides { /** * An action to override all rules with. This option has lower precedence than rule and category overrides. * Review note: a non-blocking action here relaxes enforcement for every rule that has no category or rule override; record why it was set. */ action?: pulumi.Input; /** * A list of category-level overrides. This option has the second-highest precedence after rule-level overrides. */ categories?: pulumi.Input[]>; /** * Whether to enable execution of all rules.
This option has lower precedence than rule and category overrides. */ enabled?: pulumi.Input; /** * A list of rule-level overrides. This option has the highest precedence. */ rules?: pulumi.Input[]>; /** * A sensitivity level to set for all rules. This option has lower precedence than rule and category overrides and is only applicable for DDoS phases. * Available values: "default", "medium", "low", "eoff". * Review note: "eoff" stands for "essentially off"; treat it as turning the protection off and record the reason. */ sensitivityLevel?: pulumi.Input; } /** * An override for every rule in one named category. */ export interface RulesetRuleActionParametersOverridesCategory { /** * The action to override rules in the category with. */ action?: pulumi.Input; /** * The name of the category to override. */ category: pulumi.Input; /** * Whether to enable execution of rules in the category. */ enabled?: pulumi.Input; /** * The sensitivity level to use for rules in the category. This option is only applicable for DDoS phases. * Available values: "default", "medium", "low", "eoff". */ sensitivityLevel?: pulumi.Input; } /** * An override for a single rule, selected by its ID. */ export interface RulesetRuleActionParametersOverridesRule { /** * The action to override the rule with. */ action?: pulumi.Input; /** * Whether to enable execution of the rule. * Review note: false switches the rule off wherever this override applies; a narrower exception is preferable where one is possible. */ enabled?: pulumi.Input; /** * The ID of the rule to override. */ id: pulumi.Input; /** * The score threshold to use for the rule. */ scoreThreshold?: pulumi.Input; /** * The sensitivity level to use for the rule. This option is only applicable for DDoS phases. * Available values: "default", "medium", "low", "eoff". */ sensitivityLevel?: pulumi.Input; } export interface RulesetRuleActionParametersPrivate { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". * Review note: "remove" drops the private directive, which allows shared caches to store the response; check that the matched responses are the same for every visitor. */ operation: pulumi.Input; /** * The qualifiers for the directive. */ qualifiers?: pulumi.Input[]>; } export interface RulesetRuleActionParametersProxyRevalidate { /** * Whether to apply the directive only to Cloudflare's cache.
*/ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; } export interface RulesetRuleActionParametersPublic { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". * Review note: "set" marks the response as storable by shared caches; apply it only to responses that are identical for every visitor. */ operation: pulumi.Input; } export interface RulesetRuleActionParametersRawResponseField { /** * The name of the response header. * Review note: the values of a named header are copied into the logs; avoid naming headers that carry credentials or session tokens. */ name: pulumi.Input; /** * Whether to log duplicate values of the same header. */ preserveDuplicates?: pulumi.Input; } export interface RulesetRuleActionParametersRequestField { /** * The name of the header. */ name: pulumi.Input; } /** * The response returned to the client: body, content type and status code. */ export interface RulesetRuleActionParametersResponse { /** * The content to return. */ content: pulumi.Input; /** * The type of the content to return. */ contentType: pulumi.Input; /** * The status code to return. */ statusCode: pulumi.Input; } export interface RulesetRuleActionParametersResponseField { /** * The name of the response header. */ name: pulumi.Input; /** * Whether to log duplicate values of the same header. */ preserveDuplicates?: pulumi.Input; } export interface RulesetRuleActionParametersSMaxage { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; /** * The value for the directive in seconds. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersServeStale { /** * Whether Cloudflare should disable serving stale content while getting the latest content from the origin. */ disableStaleWhileUpdating?: pulumi.Input; } export interface RulesetRuleActionParametersSni { /** * A value to override the SNI to. * NOTE(review): presumably the origin's certificate has to be valid for this name when strict certificate validation is in use; confirm before changing it. */ value: pulumi.Input; } export interface RulesetRuleActionParametersStaleIfError { /** * Whether to apply the directive only to Cloudflare's cache.
*/ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; /** * The value for the directive in seconds. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersStaleWhileRevalidate { /** * Whether to apply the directive only to Cloudflare's cache. */ cloudflareOnly?: pulumi.Input; /** * The operation to perform. * Available values: "set", "remove". */ operation: pulumi.Input; /** * The value for the directive in seconds. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersTransformedRequestField { /** * The name of the header. */ name: pulumi.Input; } /** * A URI rewrite, split into a path rewrite and a query rewrite. */ export interface RulesetRuleActionParametersUri { /** * A URI path rewrite. */ path?: pulumi.Input; /** * A URI query rewrite. */ query?: pulumi.Input; } export interface RulesetRuleActionParametersUriPath { /** * An expression that evaluates to a value to rewrite the URI path to. */ expression?: pulumi.Input; /** * A value to rewrite the URI path to. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersUriQuery { /** * An expression that evaluates to a value to rewrite the URI query to. */ expression?: pulumi.Input; /** * A value to rewrite the URI query to. */ value?: pulumi.Input; } /** * Expressions that locate the submitted user ID and password in a request for the credentials check. */ export interface RulesetRuleExposedCredentialCheck { /** * An expression that selects the password used in the credentials check. * Review note: both expressions must point at the fields the login endpoint really uses; a mismatch presumably means the check never matches, so verify it with a test login. */ passwordExpression: pulumi.Input; /** * An expression that selects the user ID used in the credentials check. */ usernameExpression: pulumi.Input; } export interface RulesetRuleLogging { /** * Whether to generate a log when the rule matches. * Review note: turning this off removes the rule's matches from the logs; keep it on for rules whose matches may need to be investigated. */ enabled?: pulumi.Input; } /** * Rate limiting settings for a rule: what is counted, over which period, and the threshold that triggers the action. */ export interface RulesetRuleRatelimit { /** * Characteristics of the request on which the rate limit counter will be incremented. * Review note: the characteristics decide which requests share a counter; prefer ones the client cannot freely vary. */ characteristics: pulumi.Input[]>; /** * An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression.
*/ countingExpression?: pulumi.Input; /** * Period of time in seconds after which the action will be disabled following its first execution. */ mitigationTimeout?: pulumi.Input; /** * Period in seconds over which the counter is being incremented. */ period: pulumi.Input; /** * The threshold of requests per period after which the action will be executed for the first time. */ requestsPerPeriod?: pulumi.Input; /** * Whether counting is only performed when an origin is reached. * Review note: when true, requests that never reach an origin are not counted, so the limit does not throttle traffic answered without contacting the origin. */ requestsToOrigin?: pulumi.Input; /** * The score threshold per period for which the action will be executed the first time. */ scorePerPeriod?: pulumi.Input; /** * A response header name provided by the origin, which contains the score to increment the rate limit counter with. */ scoreResponseHeaderName?: pulumi.Input; } /** * One file of a snippet. The generated schema carries no description for this type or its fields. */ export interface SnippetFile { /* NOTE(review): presumably the file's source text. It is held in Pulumi state like any other input, so keep credentials out of it. TODO confirm. */ content: pulumi.Input; /* NOTE(review): presumably the file name, as referenced by `mainModule` in the snippet metadata. TODO confirm. */ name: pulumi.Input; } export interface SnippetMetadata { /** * Specify the name of the file that contains the main module of the snippet. */ mainModule: pulumi.Input; } /** * A rule that selects traffic by expression and names the snippet associated with it. */ export interface SnippetRulesRule { /** * Provide an informative description of the rule. */ description?: pulumi.Input; /** * Indicate whether to execute the rule. */ enabled?: pulumi.Input; /** * Define the expression that determines which traffic matches the rule. */ expression: pulumi.Input; /** * Specify the unique ID of the rule. */ id?: pulumi.Input; /** * Specify the timestamp of when the rule was last modified. */ lastUpdated?: pulumi.Input; /** * Identify the snippet. */ snippetName: pulumi.Input; } export interface SnippetsMetadata { /** * Name of the file that contains the main module of the snippet. */ mainModule: pulumi.Input; } export interface SpectrumApplicationDns { /** * The name of the DNS record associated with the application. */ name?: pulumi.Input; /** * The type of DNS record associated with the application. * Available values: "CNAME", "ADDRESS".
*/ type?: pulumi.Input; } /** * Edge IP configuration for a Spectrum application. */ export interface SpectrumApplicationEdgeIps { /** * The IP versions supported for inbound connections on Spectrum anycast IPs. * Available values: "all", "ipv4", "ipv6". */ connectivity?: pulumi.Input; /** * The array of customer-owned IPs we broadcast via anycast for this hostname and application. */ ips?: pulumi.Input[]>; /** * The type of edge IP configuration specified. Dynamically allocated edge IPs use Spectrum anycast IPs in accordance with the connectivity you specify. Only valid with CNAME DNS names. * Available values: "dynamic", "static". */ type?: pulumi.Input; } /** * The DNS record that the origin of a Spectrum application is resolved from. */ export interface SpectrumApplicationOriginDns { /** * The name of the DNS record associated with the origin. * Review note: the origin is taken from what this name resolves to, so the record should sit in a zone you control. */ name?: pulumi.Input; /** * The TTL of our resolution of your DNS record in seconds. */ ttl?: pulumi.Input; /** * The type of DNS record associated with the origin. "" is used to specify a combination of A/AAAA records. * Available values: "", "A", "AAAA", "SRV". */ type?: pulumi.Input; } /** * The DNS-based ownership check for an SSO connector's email domain. */ export interface SsoConnectorVerification { /** * DNS verification code. Add this entire string to the DNS TXT record of the email domain to validate ownership. */ code?: pulumi.Input; /** * The status of the verification code from the verification process. * Available values: "awaiting", "pending", "failed", "verified". * Review note: ownership of the email domain has been validated only when this reads "verified". */ status?: pulumi.Input; } export interface StaticRouteScope { /** * List of colo names for the ECMP scope. */ coloNames?: pulumi.Input[]>; /** * List of colo regions for the ECMP scope. */ coloRegions?: pulumi.Input[]>; } export interface StreamInput { /** * The video height in pixels. A value of `-1` means the height is unknown. The value becomes available after the upload and before the video is ready. */ height?: pulumi.Input; /** * The video width in pixels. A value of `-1` means the width is unknown. The value becomes available after the upload and before the video is ready.
*/ width?: pulumi.Input; } /** * Recording settings for a live input, including where its recordings may be displayed and whether signed URLs are required. */ export interface StreamLiveInputRecording { /** * Lists the origins allowed to display videos created with this input. Enter allowed origin domains in an array and use `*` for wildcard subdomains. An empty array allows videos to be viewed on any origin. * Review note: leaving this empty places no restriction on where the video can be displayed. An origin list is not viewer authentication; use `requireSignedUrls` where viewing has to be limited to authorised users. */ allowedOrigins?: pulumi.Input[]>; /** * Disables reporting the number of live viewers when this property is set to `true`. */ hideLiveViewerCount?: pulumi.Input; /** * Specifies the recording behavior for the live input. Set this value to `off` to prevent a recording. Set the value to `automatic` to begin a recording and transition to on-demand after Stream Live stops receiving input. * Available values: "off", "automatic". */ mode?: pulumi.Input; /** * Indicates if a video using the live input has the `requireSignedURLs` property set. Also enforces access controls on any video recording of the livestream with the live input. */ requireSignedUrls?: pulumi.Input; /** * Determines the amount of time a live input configured in `automatic` mode should wait before a recording transitions from live to on-demand. `0` is recommended for most use cases and indicates the platform default should be used. */ timeoutSeconds?: pulumi.Input; } /** * RTMPS ingest details for a live input. */ export interface StreamLiveInputRtmps { /** * The secret key to use when streaming via RTMPS to a live input. * Review note: this is a credential for publishing to the live input. Keep it out of logs and stack outputs, and wrap it with `pulumi.secret()` so it is encrypted in state. */ streamKey?: pulumi.Input; /** * The RTMPS URL you provide to the broadcaster, which they stream live video to. */ url?: pulumi.Input; } /** * RTMPS playback details for a live input. */ export interface StreamLiveInputRtmpsPlayback { /** * The secret key to use for playback via RTMPS. * Review note: this is a credential for viewing the stream; handle it like `streamKey` on the ingest side and keep it out of logs and stack outputs. */ streamKey?: pulumi.Input; /** * The URL used to play live video over RTMPS. */ url?: pulumi.Input; } /** * SRT ingest details for a live input. */ export interface StreamLiveInputSrt { /** * The secret key to use when streaming via SRT to a live input. * Review note: this is a credential for publishing to the live input. Keep it out of logs and stack outputs, and wrap it with `pulumi.secret()` so it is encrypted in state. */ passphrase?: pulumi.Input; /** * The identifier of the live input to use when streaming via SRT. */ streamId?: pulumi.Input; /** * The SRT URL you provide to the broadcaster, which they stream live video to.
*/ url?: pulumi.Input; } /** * SRT playback details for a live input. */ export interface StreamLiveInputSrtPlayback { /** * The secret key to use for playback via SRT. * Review note: this is a credential for viewing the stream; keep it out of logs and stack outputs. */ passphrase?: pulumi.Input; /** * The identifier of the live input to use for playback via SRT. */ streamId?: pulumi.Input; /** * The URL used to play live video over SRT. */ url?: pulumi.Input; } export interface StreamLiveInputWebRtc { /** * The WebRTC URL you provide to the broadcaster, which they stream live video to. * NOTE(review): this type has no separate key field, so the URL presumably carries the publishing credential itself; handle it as a secret until confirmed otherwise. */ url?: pulumi.Input; } export interface StreamLiveInputWebRtcPlayback { /** * The URL used to play live video over WebRTC. */ url?: pulumi.Input; } export interface StreamPlayback { /** * DASH Media Presentation Description for the video. */ dash?: pulumi.Input; /** * The HLS manifest for the video. */ hls?: pulumi.Input; } /** * Processing status of a video, with the failure reason when encoding failed. */ export interface StreamStatus { /** * Specifies why the video failed to encode. This field is empty if the video is not in an `error` state. Preferred for programmatic use. */ errorReasonCode?: pulumi.Input; /** * Specifies why the video failed to encode using a human-readable error message in English. This field is empty if the video is not in an `error` state. */ errorReasonText?: pulumi.Input; /** * Indicates the size of the entire upload in bytes. The value must be a non-negative integer. * NOTE(review): the field name suggests a completion percentage rather than a byte count; confirm the meaning against the API documentation before relying on it. */ pctComplete?: pulumi.Input; /** * Specifies the processing status for all quality levels for a video. * Available values: "pendingupload", "downloading", "queued", "inprogress", "ready", "error", "live-inprogress". */ state?: pulumi.Input; } export interface StreamWatermark { /** * The date and time a watermark profile was created. */ created?: pulumi.Input; /** * The source URL for a downloaded image. If the watermark profile was created via direct upload, this field is null. */ downloadedFrom?: pulumi.Input; /** * The height of the image in pixels. */ height?: pulumi.Input; /** * A short description of the watermark profile. */ name?: pulumi.Input; /** * The translucency of the image.
A value of `0.0` makes the image completely transparent, and `1.0` makes the image completely opaque. Note that if the image is already semi-transparent, setting this to `1.0` will not make the image completely opaque. */ opacity?: pulumi.Input; /** * The whitespace between the adjacent edges (determined by position) of the video and the image. `0.0` indicates no padding, and `1.0` indicates a fully padded video width or length, as determined by the algorithm. */ padding?: pulumi.Input; /** * The location of the image. Valid positions are: `upperRight`, `upperLeft`, `lowerLeft`, `lowerRight`, and `center`. Note that `center` ignores the `padding` parameter. */ position?: pulumi.Input; /** * The size of the image relative to the overall size of the video. This parameter will adapt to horizontal and vertical videos automatically. `0.0` indicates no scaling (use the size of the image as-is), and `1.0` fills the entire video. */ scale?: pulumi.Input; /** * The size of the image in bytes. */ size?: pulumi.Input; /** * The unique identifier for a watermark profile. */ uid?: pulumi.Input; /** * The width of the image in pixels. */ width?: pulumi.Input; } /** * Account-level settings: logging, scanning, the block page, browser isolation and TLS interception. */ export interface TeamsAccountSettings { /** * Specify activity log settings. */ activityLog?: pulumi.Input; /** * Specify anti-virus settings. */ antivirus?: pulumi.Input; /** * Specify block page layout settings. */ blockPage?: pulumi.Input; /** * Specify the DLP inspection mode. */ bodyScanning?: pulumi.Input; /** * Specify Clientless Browser Isolation settings. */ browserIsolation?: pulumi.Input; /** * Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception. * Review note: the certificate chosen here is the one used for intercepted traffic, so client devices need to trust it; a change affects every decrypted connection. */ certificate?: pulumi.Input; /** * Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. * * @deprecated This attribute is deprecated. */ customCertificate?: pulumi.Input; /** * Configures user email settings for firewall policies.
When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. */ extendedEmailMatching?: pulumi.Input; /** * Specify FIPS settings. */ fips?: pulumi.Input; /** * Enable host selection in egress policies. */ hostSelector?: pulumi.Input; /** * Define the proxy inspection mode. */ inspection?: pulumi.Input; /** * Specify whether to detect protocols from the initial bytes of client traffic. */ protocolDetection?: pulumi.Input; /** * Specify whether to enable the sandbox. */ sandbox?: pulumi.Input; /** * Specify whether to inspect encrypted HTTP traffic. * Review note: with inspection of encrypted traffic off, content inside HTTPS is not examined, so scanning and body inspection presumably cover unencrypted traffic only. Confirm before disabling. */ tlsDecrypt?: pulumi.Input; } export interface TeamsAccountSettingsActivityLog { /** * Specify whether to log activity. * Review note: with this off there is no activity log to consult during an investigation. */ enabled?: pulumi.Input; } /** * Anti-virus scanning settings: which phases are scanned, and what happens to files that cannot be scanned. */ export interface TeamsAccountSettingsAntivirus { /** * Specify whether to enable anti-virus scanning on downloads. */ enabledDownloadPhase?: pulumi.Input; /** * Specify whether to enable anti-virus scanning on uploads. */ enabledUploadPhase?: pulumi.Input; /** * Specify whether to block requests for unscannable files. * Review note: when false, a file that cannot be scanned is let through without a verdict; set it to true where unscanned content is not acceptable. */ failClosed?: pulumi.Input; /** * Configure the message the user's device shows during an antivirus scan. */ notificationSettings?: pulumi.Input; } export interface TeamsAccountSettingsAntivirusNotificationSettings { /** * Specify whether to enable notifications. */ enabled?: pulumi.Input; /** * Specify whether to include context information as query parameters. * NOTE(review): presumably the parameters are appended to `supportUrl`, in which case that URL's host receives the context; point it only at a site you trust. Confirm. */ includeContext?: pulumi.Input; /** * Specify the message to show in the notification. */ msg?: pulumi.Input; /** * Specify a URL that directs users to more information. If unset, the notification opens a block page.
*/ supportUrl?: pulumi.Input; } /** * Block page settings: either a customized Cloudflare-hosted page or a redirect to a customer-provided URI, selected by `mode`. */ export interface TeamsAccountSettingsBlockPage { /** * Specify the block page background color in `#rrggbb` format when the mode is customized_block_page. */ backgroundColor?: pulumi.Input; /** * Specify whether to enable the custom block page. */ enabled?: pulumi.Input; /** * Specify the block page footer text when the mode is customized_block_page. */ footerText?: pulumi.Input; /** * Specify the block page header text when the mode is customized_block_page. */ headerText?: pulumi.Input; /** * Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri. * Review note: the appended context is delivered to whoever serves `targetUri`; enable this only when that site is one you operate or trust. */ includeContext?: pulumi.Input; /** * Specify the full URL to the logo file when the mode is customized_block_page. */ logoPath?: pulumi.Input; /** * Specify the admin email for users to contact when the mode is customized_block_page. */ mailtoAddress?: pulumi.Input; /** * Specify the subject line for emails created from the block page when the mode is customized_block_page. */ mailtoSubject?: pulumi.Input; /** * Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. * Available values: "", "customized_block_page", "redirect_uri". */ mode?: pulumi.Input; /** * Specify the block page title when the mode is customized_block_page. */ name?: pulumi.Input; /** * Indicate that this setting was shared via the Orgs API and is read-only for the current account. */ readOnly?: pulumi.Input; /** * Indicate the account tag of the account that shared this setting. */ sourceAccount?: pulumi.Input; /** * Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page. */ suppressFooter?: pulumi.Input; /** * Specify the URI to redirect users to when the mode is redirect_uri. * Review note: every blocked user is sent here, so use an HTTPS URI on a host you control. */ targetUri?: pulumi.Input; /** * Indicate the version number of the setting.
*/ version?: pulumi.Input; } export interface TeamsAccountSettingsBodyScanning { /** * Specify the inspection mode as either `deep` or `shallow`. * Available values: "deep", "shallow". */ inspectionMode?: pulumi.Input; } export interface TeamsAccountSettingsBrowserIsolation { /** * Specify whether to enable non-identity onramp support for Browser Isolation. * NOTE(review): presumably this admits traffic that carries no user identity; confirm what restricts such sessions before enabling it. */ nonIdentityEnabled?: pulumi.Input; /** * Specify whether to enable Clientless Browser Isolation. */ urlBrowserIsolationEnabled?: pulumi.Input; } /** * The certificate used for Gateway TLS interception, selected by UUID. */ export interface TeamsAccountSettingsCertificate { /** * Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. */ id: pulumi.Input; } /** * Custom certificate settings. The `customCertificate` field that uses this type is marked deprecated in favour of `certificate`. */ export interface TeamsAccountSettingsCustomCertificate { /** * Indicate the internal certificate status. */ bindingStatus?: pulumi.Input; /** * Specify whether to enable a custom certificate authority for signing Gateway traffic. */ enabled: pulumi.Input; /** * Specify the UUID of the certificate (ID from MTLS certificate store). */ id?: pulumi.Input; /* NOTE(review): undocumented in the generated schema; presumably the time these settings were last updated. TODO confirm. */ updatedAt?: pulumi.Input; } export interface TeamsAccountSettingsExtendedEmailMatching { /** * Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. * Review note: this changes which identities a policy matches, so re-check rules keyed on exact email addresses after changing it. */ enabled?: pulumi.Input; /** * Indicate that this setting was shared via the Orgs API and is read-only for the current account. */ readOnly?: pulumi.Input; /** * Indicate the account tag of the account that shared this setting. */ sourceAccount?: pulumi.Input; /** * Indicate the version number of the setting. */ version?: pulumi.Input; } export interface TeamsAccountSettingsFips { /** * Enforce cipher suites and TLS versions compliant with FIPS 140-2. */ tls?: pulumi.Input; } export interface TeamsAccountSettingsHostSelector { /** * Specify whether to enable filtering via hosts for egress policies.
*/
    enabled?: pulumi.Input;
}

/**
 * Proxy inspection settings.
 */
export interface TeamsAccountSettingsInspection {
    /**
     * Define the proxy inspection mode.
     * 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
     * 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
     * Available values: "static", "dynamic".
     */
    mode?: pulumi.Input;
}

/**
 * Protocol detection setting.
 */
export interface TeamsAccountSettingsProtocolDetection {
    /**
     * Specify whether to detect protocols from the initial bytes of client traffic.
     */
    enabled?: pulumi.Input;
}

/**
 * Sandbox settings: whether the sandbox is on, and what happens to a file that cannot be scanned.
 */
export interface TeamsAccountSettingsSandbox {
    /**
     * Specify whether to enable the sandbox.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the action to take when the system cannot scan the file.
     * Available values: "allow", "block".
     * Choosing "allow" fails open (a file that could not be scanned is let through); "block" fails closed.
     */
    fallbackAction?: pulumi.Input;
}

/**
 * TLS decryption setting. The inspection-mode documentation above notes that HTTPS traffic is inspected only while TLS decryption is on.
 */
export interface TeamsAccountSettingsTlsDecrypt {
    /**
     * Specify whether to inspect encrypted HTTP traffic.
     */
    enabled?: pulumi.Input;
}

/**
 * One entry of a Teams list: a value with an optional description.
 */
export interface TeamsListItem {
    /**
     * Provide the list item description (optional).
     */
    description?: pulumi.Input;
    /**
     * Specify the item value.
     */
    value?: pulumi.Input;
}

/**
 * Endpoint settings of a location, one entry per endpoint kind: DOH, DOT, IPv4 and IPv6. All four entries are required.
 */
export interface TeamsLocationEndpoints {
    doh: pulumi.Input;
    dot: pulumi.Input;
    ipv4: pulumi.Input;
    ipv6: pulumi.Input;
}

/**
 * DOH endpoint settings for a location.
 */
export interface TeamsLocationEndpointsDoh {
    /**
     * Indicate whether the DOH endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
     * With an empty list, `requireToken` is the only restriction on callers that this interface exposes.
     */
    networks?: pulumi.Input[]>;
    /**
     * Specify whether the DOH endpoint requires user identity authentication.
     */
    requireToken?: pulumi.Input;
}

/**
 * One allowed source network for the DOH endpoint.
 */
export interface TeamsLocationEndpointsDohNetwork {
    /**
     * Specify the IP address or IP CIDR.
*/
    network: pulumi.Input;
}

/**
 * DOT endpoint settings for a location. This interface declares no token requirement, so `networks` is the only source restriction visible here.
 */
export interface TeamsLocationEndpointsDot {
    /**
     * Indicate whether the DOT endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
     */
    networks?: pulumi.Input[]>;
}

/**
 * One allowed source network for the DOT endpoint.
 */
export interface TeamsLocationEndpointsDotNetwork {
    /**
     * Specify the IP address or IP CIDR.
     */
    network: pulumi.Input;
}

/**
 * IPv4 endpoint settings for a location.
 */
export interface TeamsLocationEndpointsIpv4 {
    /**
     * Indicate whether the IPv4 endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
}

/**
 * IPv6 endpoint settings for a location.
 */
export interface TeamsLocationEndpointsIpv6 {
    /**
     * Indicate whether the IPv6 endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
     */
    networks?: pulumi.Input[]>;
}

/**
 * One allowed source network for the IPv6 endpoint.
 */
export interface TeamsLocationEndpointsIpv6Network {
    /**
     * Specify the IPv6 address or IPv6 CIDR.
     */
    network: pulumi.Input;
}

/**
 * One IPv4 network of a location.
 */
export interface TeamsLocationNetwork {
    /**
     * Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
     */
    network: pulumi.Input;
}

/**
 * Expiration settings of a rule: a default duration, the expired flag, and the expiry timestamp.
 */
export interface TeamsRuleExpiration {
    /**
     * Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `resetExpiration` endpoint on this rule.
     */
    duration?: pulumi.Input;
    /**
     * Indicates whether the policy is expired.
     */
    expired?: pulumi.Input;
    /**
     * Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expiresAt time.
*/
    expiresAt: pulumi.Input;
}

/**
 * Per-rule settings for a Gateway rule. Each field comment states the rule types and actions for which the field can be set.
 */
export interface TeamsRuleRuleSettings {
    /**
     * Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
     */
    addHeaders?: pulumi.Input<{
        [key: string]: pulumi.Input[]>;
    }>;
    /**
     * Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
     */
    allowChildBypass?: pulumi.Input;
    /**
     * Define the settings for the Audit SSH action. Settable only for `l4` rules with `auditSsh` action.
     */
    auditSsh?: pulumi.Input;
    /**
     * Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
     */
    bisoAdminControls?: pulumi.Input;
    /**
     * Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
     */
    blockPage?: pulumi.Input;
    /**
     * Enable the custom block page. Settable only for `dns` rules with action `block`.
     */
    blockPageEnabled?: pulumi.Input;
    /**
     * Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
     */
    blockReason?: pulumi.Input;
    /**
     * Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
     */
    bypassParentRule?: pulumi.Input;
    /**
     * Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
     */
    checkSession?: pulumi.Input;
    /**
     * Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dnsResolver` rules.
     */
    dnsResolvers?: pulumi.Input;
    /**
     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
     */
    egress?: pulumi.Input;
    /**
     * Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
     * NOTE(review): a stored request copy can carry whatever the request carried; confirm who can read that storage before enabling this.
     */
    forensicCopy?: pulumi.Input;
    /**
     * Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dnsResolver` rules.
     */
    ignoreCnameCategoryMatches?: pulumi.Input;
    /**
     * Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
     * With validation disabled, answers for matching queries are accepted without the integrity check DNSSEC provides; leave this unset unless a specific zone requires it, and keep the rule's match as narrow as possible.
     */
    insecureDisableDnssecValidation?: pulumi.Input;
    /**
     * Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dnsResolver` rules.
     */
    ipCategories?: pulumi.Input;
    /**
     * Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dnsResolver` rules.
     */
    ipIndicatorFeeds?: pulumi.Input;
    /**
     * Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4Override`.
     */
    l4override?: pulumi.Input;
    /**
     * Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
     */
    notificationSettings?: pulumi.Input;
    /**
     * Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
     */
    overrideHost?: pulumi.Input;
    /**
     * Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
     */
    overrideIps?: pulumi.Input[]>;
    /**
     * Configure DLP payload logging.
Settable only for `http` rules.
     */
    payloadLog?: pulumi.Input;
    /**
     * Configure settings that apply to quarantine rules. Settable only for `http` rules.
     */
    quarantine?: pulumi.Input;
    /**
     * Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
     */
    redirect?: pulumi.Input;
    /**
     * Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dnsResolver` rules.
     */
    resolveDnsInternally?: pulumi.Input;
    /**
     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dnsResolver` rules.
     */
    resolveDnsThroughCloudflare?: pulumi.Input;
    /**
     * Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
     */
    untrustedCert?: pulumi.Input;
}

/**
 * Settings for the Audit SSH action.
 */
export interface TeamsRuleRuleSettingsAuditSsh {
    /**
     * Enable SSH command logging.
     */
    commandLogging?: pulumi.Input;
}

/**
 * Browser isolation controls. `version` selects which set of fields applies: the v1 flags (`dcp`, `dd`, `dk`, `dp`, `du`) are inverted, so `false` enables the capability, while the v2 fields (`copy`, `download`, `keyboard`, `paste`, `printing`, `upload`) take named values.
 */
export interface TeamsRuleRuleSettingsBisoAdminControls {
    /**
     * Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled", "remote_only".
     */
    copy?: pulumi.Input;
    /**
     * Set to false to enable copy-pasting. Only applies when `version == "v1"`.
     */
    dcp?: pulumi.Input;
    /**
     * Set to false to enable downloading. Only applies when `version == "v1"`.
     */
    dd?: pulumi.Input;
    /**
     * Set to false to enable keyboard usage. Only applies when `version == "v1"`.
     */
    dk?: pulumi.Input;
    /**
     * Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
     * Available values: "enabled", "disabled", "remote_only".
     */
    download?: pulumi.Input;
    /**
     * Set to false to enable printing. Only applies when `version == "v1"`.
     */
    dp?: pulumi.Input;
    /**
     * Set to false to enable uploading. Only applies when `version == "v1"`.
     */
    du?: pulumi.Input;
    /**
     * Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled".
     */
    keyboard?: pulumi.Input;
    /**
     * Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled", "remote_only".
     */
    paste?: pulumi.Input;
    /**
     * Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled".
     */
    printing?: pulumi.Input;
    /**
     * Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled".
     */
    upload?: pulumi.Input;
    /**
     * Indicate which version of the browser isolation controls should apply.
     * Available values: "v1", "v2".
     */
    version?: pulumi.Input;
}

/**
 * Rule-level block page settings: a redirect target and whether context is passed to it.
 */
export interface TeamsRuleRuleSettingsBlockPage {
    /**
     * Specify whether to pass the context information as query parameters.
     */
    includeContext?: pulumi.Input;
    /**
     * Specify the URI to which the user is redirected.
     */
    targetUri: pulumi.Input;
}

/**
 * Session check settings.
 */
export interface TeamsRuleRuleSettingsCheckSession {
    /**
     * Sets the required session freshness threshold. The API returns a normalized version of this value.
     */
    duration?: pulumi.Input;
    /**
     * Enable session enforcement.
*/
    enforce?: pulumi.Input;
}

/**
 * Custom upstream resolvers, listed separately for IPv4 and IPv6.
 */
export interface TeamsRuleRuleSettingsDnsResolvers {
    ipv4s?: pulumi.Input[]>;
    ipv6s?: pulumi.Input[]>;
}

/**
 * One IPv4 upstream resolver.
 */
export interface TeamsRuleRuleSettingsDnsResolversIpv4 {
    /**
     * Specify the IPv4 address of the upstream resolver.
     */
    ip: pulumi.Input;
    /**
     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
     */
    port?: pulumi.Input;
    /**
     * Indicate whether to connect to this resolver over a private network. Must be set when `vnetId` is set.
     */
    routeThroughPrivateNetwork?: pulumi.Input;
    /**
     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
     */
    vnetId?: pulumi.Input;
}

/**
 * One IPv6 upstream resolver.
 */
export interface TeamsRuleRuleSettingsDnsResolversIpv6 {
    /**
     * Specify the IPv6 address of the upstream resolver.
     */
    ip: pulumi.Input;
    /**
     * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
     */
    port?: pulumi.Input;
    /**
     * Indicate whether to connect to this resolver over a private network. Must be set when `vnetId` is set.
     */
    routeThroughPrivateNetwork?: pulumi.Input;
    /**
     * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.
     */
    vnetId?: pulumi.Input;
}

/**
 * Egress addresses for Gateway Proxy traffic.
 */
export interface TeamsRuleRuleSettingsEgress {
    /**
     * Specify the IPv4 address to use for egress.
     */
    ipv4?: pulumi.Input;
    /**
     * Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
     */
    ipv4Fallback?: pulumi.Input;
    /**
     * Specify the IPv6 range to use for egress.
     */
    ipv6?: pulumi.Input;
}

/**
 * Forensic copy setting.
 */
export interface TeamsRuleRuleSettingsForensicCopy {
    /**
     * Enable sending the copy to storage.
     */
    enabled?: pulumi.Input;
}

/**
 * Destination address and port for an L4 override.
 */
export interface TeamsRuleRuleSettingsL4override {
    /**
     * Defines the IPv4 or IPv6 address.
     */
    ip?: pulumi.Input;
    /**
     * Defines a port number to use for TCP/UDP overrides.
     */
    port?: pulumi.Input;
}

/**
 * Settings for the notification shown on the user's device.
 */
export interface TeamsRuleRuleSettingsNotificationSettings {
    /**
     * Enable notification.
*/
    enabled?: pulumi.Input;
    /**
     * Indicates whether to pass the context information as query parameters.
     */
    includeContext?: pulumi.Input;
    /**
     * Customize the message shown in the notification.
     */
    msg?: pulumi.Input;
    /**
     * Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
     */
    supportUrl?: pulumi.Input;
}

/**
 * DLP payload logging setting for a rule.
 */
export interface TeamsRuleRuleSettingsPayloadLog {
    /**
     * Enable DLP payload logging for this rule.
     * NOTE(review): payload logs presumably hold the matched content itself; confirm who can read them and how they are protected before enabling.
     */
    enabled?: pulumi.Input;
}

/**
 * Settings that apply to quarantine rules.
 */
export interface TeamsRuleRuleSettingsQuarantine {
    /**
     * Specify the types of files to sandbox.
     */
    fileTypes?: pulumi.Input[]>;
}

/**
 * Settings for redirect rules.
 */
export interface TeamsRuleRuleSettingsRedirect {
    /**
     * Specify whether to pass the context information as query parameters.
     */
    includeContext?: pulumi.Input;
    /**
     * Specify whether to append the path and query parameters from the original request to target_uri.
     */
    preservePathAndQuery?: pulumi.Input;
    /**
     * Specify the URI to which the user is redirected.
     */
    targetUri: pulumi.Input;
}

/**
 * Settings for resolving matching queries through the internal DNS service.
 */
export interface TeamsRuleRuleSettingsResolveDnsInternally {
    /**
     * Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
     * Available values: "none", "publicDns".
     */
    fallback?: pulumi.Input;
    /**
     * Specify the internal DNS view identifier to pass to the internal DNS service.
     */
    viewId?: pulumi.Input;
}

/**
 * Behavior when an upstream certificate is untrusted.
 */
export interface TeamsRuleRuleSettingsUntrustedCert {
    /**
     * Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
     * Available values: "passThrough", "block", "error".
     * NOTE(review): "passThrough" presumably lets the connection continue despite the certificate problem; confirm, and keep any rule that uses it narrowly scoped.
     */
    action?: pulumi.Input;
}

/**
 * Weekly schedule of a rule: one interval string per weekday plus the time zone used to evaluate them. A day whose field is omitted is a day on which the rule is deactivated.
 */
export interface TeamsRuleSchedule {
    /**
     * Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    fri?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    mon?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    sat?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    sun?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    thu?: pulumi.Input;
    /**
     * Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.
     * Set this explicitly when the schedule gates a security control, so that the active window does not depend on where a user's IP address geolocates.
     */
    timeZone?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    tue?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    wed?: pulumi.Input;
}

/**
 * Credentials of a token validation configuration: the list of keys.
 */
export interface TokenValidationConfigCredentials {
    keys: pulumi.Input[]>;
}

/**
 * One key of a token validation configuration. The field names are JSON Web Key (JWK) member names: `n` and `e` describe an RSA key, `crv`, `x` and `y` an EC key. Every algorithm listed for `alg` is an asymmetric signature algorithm, and no private-key member is declared in this interface.
 */
export interface TokenValidationConfigCredentialsKey {
    /**
     * Algorithm
     * Available values: "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384".
     */
    alg: pulumi.Input;
    /**
     * Curve
     * Available values: "P-256", "P-384".
     */
    crv?: pulumi.Input;
    /**
     * RSA exponent
     */
    e?: pulumi.Input;
    /**
     * Key ID
     */
    kid: pulumi.Input;
    /**
     * Key Type
     * Available values: "RSA", "EC".
     */
    kty: pulumi.Input;
    /**
     * RSA modulus
     */
    n?: pulumi.Input;
    /**
     * X EC coordinate
     */
    x?: pulumi.Input;
    /**
     * Y EC coordinate
     */
    y?: pulumi.Input;
}

/**
 * Where to move a token validation rule: relative to another rule, or to an index.
 */
export interface TokenValidationRulesPosition {
    /**
     * Move rule to after rule with this ID.
     */
    after?: pulumi.Input;
    /**
     * Move rule to before rule with this ID.
     */
    before?: pulumi.Input;
    /**
     * Move rule to this position
     */
    index?: pulumi.Input;
}

/**
 * Selects the operations a token validation rule covers: `includes` picks operations, `excludes` removes some of them again.
 */
export interface TokenValidationRulesSelector {
    /**
     * Ignore operations that were otherwise included by `include`.
     */
    excludes?: pulumi.Input[]>;
    /**
     * Select all matching operations.
     */
    includes?: pulumi.Input[]>;
}

/**
 * Exclusion entry of a selector.
 */
export interface TokenValidationRulesSelectorExclude {
    /**
     * Excluded operation IDs.
     */
    operationIds?: pulumi.Input[]>;
}

/**
 * Inclusion entry of a selector.
 */
export interface TokenValidationRulesSelectorInclude {
    /**
     * Included hostnames.
     */
    hosts?: pulumi.Input[]>;
}

/**
 * Tunnel configuration: the ingress rules and the origin request settings.
 */
export interface TunnelConfigConfig {
    /**
     * List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
*/
    ingresses?: pulumi.Input[]>;
    /**
     * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
     */
    originRequest?: pulumi.Input;
}

/**
 * One ingress rule: a public hostname (and optional path) mapped to a destination service.
 */
export interface TunnelConfigConfigIngress {
    /**
     * Public hostname for this service.
     */
    hostname?: pulumi.Input;
    /**
     * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
     */
    originRequest?: pulumi.Input;
    /**
     * Requests with this path route to this public hostname.
     */
    path?: pulumi.Input;
    /**
     * Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'.
     */
    service: pulumi.Input;
}

/**
 * Connection settings between cloudflared and the origin server for one public hostname.
 */
export interface TunnelConfigConfigIngressOriginRequest {
    /**
     * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
     */
    access?: pulumi.Input;
    /**
     * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
     */
    caPool?: pulumi.Input;
    /**
     * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
     */
    connectTimeout?: pulumi.Input;
    /**
     * Disables chunked transfer encoding. Useful if you are running a WSGI server.
     */
    disableChunkedEncoding?: pulumi.Input;
    /**
     * Attempt to connect to origin using HTTP2. Origin must be configured as https.
     */
    http2Origin?: pulumi.Input;
    /**
     * Sets the HTTP Host header on requests sent to the local service.
     */
    httpHostHeader?: pulumi.Input;
    /**
     * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
     */
    keepAliveConnections?: pulumi.Input;
    /**
     * Timeout after which an idle keepalive connection can be discarded.
*/
    keepAliveTimeout?: pulumi.Input;
    /**
     * Auto configure the Hostname on the origin server certificate.
     */
    matchSnItoHost?: pulumi.Input;
    /**
     * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
     */
    noHappyEyeballs?: pulumi.Input;
    /**
     * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
     * With verification off, cloudflared no longer authenticates the origin, so the connection between cloudflared and the origin is not protected against interception. For an origin with a private CA or a certificate name that differs from its address, prefer `caPool` and `originServerName`.
     */
    noTlsVerify?: pulumi.Input;
    /**
     * Hostname that cloudflared should expect from your origin server certificate.
     */
    originServerName?: pulumi.Input;
    /**
     * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
     */
    proxyType?: pulumi.Input;
    /**
     * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
     */
    tcpKeepAlive?: pulumi.Input;
    /**
     * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
     */
    tlsTimeout?: pulumi.Input;
}

/**
 * Access validation settings for one public hostname: which Access applications may reach it and whether unauthorized traffic is denied.
 */
export interface TunnelConfigConfigIngressOriginRequestAccess {
    /**
     * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
     */
    audTags: pulumi.Input[]>;
    /**
     * Deny traffic that has not fulfilled Access authorization.
     * NOTE(review): the behavior when this is unset is not documented here; confirm that unauthorized requests are rejected before relying on `audTags` alone.
     */
    required?: pulumi.Input;
    /**
     * NOTE(review): undocumented upstream; presumably the Zero Trust team name the audience tags belong to — confirm.
     */
    teamName: pulumi.Input;
}

/**
 * Connection settings between cloudflared and the origin server.
 */
export interface TunnelConfigConfigOriginRequest {
    /**
     * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
     */
    access?: pulumi.Input;
    /**
     * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
*/
    caPool?: pulumi.Input;
    /**
     * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
     */
    connectTimeout?: pulumi.Input;
    /**
     * Disables chunked transfer encoding. Useful if you are running a WSGI server.
     */
    disableChunkedEncoding?: pulumi.Input;
    /**
     * Attempt to connect to origin using HTTP2. Origin must be configured as https.
     */
    http2Origin?: pulumi.Input;
    /**
     * Sets the HTTP Host header on requests sent to the local service.
     */
    httpHostHeader?: pulumi.Input;
    /**
     * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
     */
    keepAliveConnections?: pulumi.Input;
    /**
     * Timeout after which an idle keepalive connection can be discarded.
     */
    keepAliveTimeout?: pulumi.Input;
    /**
     * Auto configure the Hostname on the origin server certificate.
     */
    matchSnItoHost?: pulumi.Input;
    /**
     * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
     */
    noHappyEyeballs?: pulumi.Input;
    /**
     * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
     * With verification off, cloudflared no longer authenticates the origin, so the connection between cloudflared and the origin is not protected against interception. For an origin with a private CA or a certificate name that differs from its address, prefer `caPool` and `originServerName`.
     */
    noTlsVerify?: pulumi.Input;
    /**
     * Hostname that cloudflared should expect from your origin server certificate.
     */
    originServerName?: pulumi.Input;
    /**
     * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
     */
    proxyType?: pulumi.Input;
    /**
     * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
     */
    tcpKeepAlive?: pulumi.Input;
    /**
     * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
*/
    tlsTimeout?: pulumi.Input;
}

/**
 * Access validation settings: which Access applications may reach the hostname and whether unauthorized traffic is denied.
 */
export interface TunnelConfigConfigOriginRequestAccess {
    /**
     * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
     */
    audTags: pulumi.Input[]>;
    /**
     * Deny traffic that has not fulfilled Access authorization.
     * NOTE(review): the behavior when this is unset is not documented here; confirm that unauthorized requests are rejected before relying on `audTags` alone.
     */
    required?: pulumi.Input;
    /**
     * NOTE(review): undocumented upstream; presumably the Zero Trust team name the audience tags belong to — confirm.
     */
    teamName: pulumi.Input;
}

/**
 * One connection of a Cloudflare Tunnel, as reported for its connector.
 */
export interface TunnelConnection {
    /**
     * UUID of the Cloudflare Tunnel connector.
     */
    clientId?: pulumi.Input;
    /**
     * The cloudflared version used to establish this connection.
     */
    clientVersion?: pulumi.Input;
    /**
     * The Cloudflare data center used for this connection.
     */
    coloName?: pulumi.Input;
    /**
     * UUID of the Cloudflare Tunnel connection.
     */
    id?: pulumi.Input;
    /**
     * Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
     */
    isPendingReconnect?: pulumi.Input;
    /**
     * Timestamp of when the connection was established.
     */
    openedAt?: pulumi.Input;
    /**
     * The public IP address of the host running cloudflared.
     */
    originIp?: pulumi.Input;
    /**
     * UUID of the Cloudflare Tunnel connection.
     */
    uuid?: pulumi.Input;
}

/**
 * Match configuration of a user agent blocking rule. The User-Agent header is supplied by the client, so the rule filters on what a client declares about itself.
 */
export interface UserAgentBlockingRuleConfiguration {
    /**
     * The configuration target. You must set the target to `ua` when specifying a user agent in the rule.
     * Available values: "ua".
     */
    target?: pulumi.Input;
    /**
     * The user agent to match exactly.
     */
    value?: pulumi.Input;
}

/**
 * An organization the user belongs to or has been invited to, with the user's permissions and roles in it.
 */
export interface UserOrganization {
    /**
     * Identifier
     */
    id?: pulumi.Input;
    /**
     * Organization name.
     */
    name?: pulumi.Input;
    /**
     * Access permissions for this User.
     */
    permissions?: pulumi.Input[]>;
    /**
     * List of roles that a user has within an organization.
     */
    roles?: pulumi.Input[]>;
    /**
     * Whether the user is a member of the organization or has an invitation pending.
* Available values: "member", "invited".
     */
    status?: pulumi.Input;
}

/**
 * An additional host and path on which the waiting room is enabled.
 */
export interface WaitingRoomAdditionalRoute {
    /**
     * The hostname to which this waiting room will be applied (no wildcards). The hostname must be the primary domain, subdomain, or custom hostname (if using SSL for SaaS) of this zone. Please do not include the scheme (http:// or https://).
     */
    host?: pulumi.Input;
    /**
     * Sets the path within the host to enable the waiting room on. The waiting room will be enabled for all subpaths as well. If there are two waiting rooms on the same subpath, the waiting room for the most specific path will be chosen. Wildcards and query parameters are not supported.
     */
    path?: pulumi.Input;
}

/**
 * SameSite and Secure attributes of the waiting room cookie.
 */
export interface WaitingRoomCookieAttributes {
    /**
     * Configures the SameSite attribute on the waiting room cookie. Value `auto` will be translated to `lax` or `none` depending on whether **Always Use HTTPS** is enabled. Note that when using value `none`, the secure attribute cannot be set to `never`.
     * Available values: "auto", "lax", "none", "strict".
     */
    samesite?: pulumi.Input;
    /**
     * Configures the Secure attribute on the waiting room cookie. Value `always` indicates that the Secure attribute will be set in the Set-Cookie header, `never` indicates that the Secure attribute will not be set, and `auto` will set the Secure attribute depending on whether **Always Use HTTPS** is enabled.
     * Available values: "auto", "always", "never".
     * Without the Secure attribute, browsers also send the cookie over plain HTTP, so `never` suits only hosts that must serve HTTP.
     */
    secure?: pulumi.Input;
}

/**
 * One waiting room rule: an expression and the action taken when it matches.
 */
export interface WaitingRoomRulesRule {
    /**
     * The action to take when the expression matches.
     * Available values: "bypass_waiting_room".
     */
    action: pulumi.Input;
    /**
     * The description of the rule.
     */
    description?: pulumi.Input;
    /**
     * When set to true, the rule is enabled.
     */
    enabled?: pulumi.Input;
    /**
     * Criteria defining when there is a match for the current rule.
     */
    expression: pulumi.Input;
}

/**
 * One Web Analytics rule: the host and paths it applies to and whether it includes or excludes traffic.
 */
export interface WebAnalyticsSiteRule {
    created?: pulumi.Input;
    /**
     * The hostname the rule will be applied to.
*/
    host?: pulumi.Input;
    /**
     * The Web Analytics rule identifier.
     */
    id?: pulumi.Input;
    /**
     * Whether the rule includes or excludes traffic from being measured.
     */
    inclusive?: pulumi.Input;
    /**
     * Whether the rule is paused or not.
     */
    isPaused?: pulumi.Input;
    /**
     * The paths the rule will be applied to.
     */
    paths?: pulumi.Input[]>;
    priority?: pulumi.Input;
}

/**
 * A Web Analytics ruleset and the zone it is attached to.
 */
export interface WebAnalyticsSiteRuleset {
    /**
     * Whether the ruleset is enabled.
     */
    enabled?: pulumi.Input;
    /**
     * The Web Analytics ruleset identifier.
     */
    id?: pulumi.Input;
    zoneName?: pulumi.Input;
    /**
     * The zone identifier.
     */
    zoneTag?: pulumi.Input;
}

/**
 * One cron trigger schedule of a Worker. Only `cron` is required.
 */
export interface WorkerCronTriggerSchedule {
    createdOn?: pulumi.Input;
    cron: pulumi.Input;
    modifiedOn?: pulumi.Input;
}

/**
 * Observability settings of a Worker.
 */
export interface WorkerObservability {
    /**
     * Whether observability is enabled for the Worker.
     */
    enabled?: pulumi.Input;
    /**
     * The sampling rate for observability. From 0 to 1 (1 = 100%, 0.1 = 10%).
     */
    headSamplingRate?: pulumi.Input;
    /**
     * Log settings for the Worker.
     */
    logs?: pulumi.Input;
}

/**
 * Log settings of a Worker.
 */
export interface WorkerObservabilityLogs {
    /**
     * Whether logs are enabled for the Worker.
     */
    enabled?: pulumi.Input;
    /**
     * The sampling rate for logs. From 0 to 1 (1 = 100%, 0.1 = 10%).
     */
    headSamplingRate?: pulumi.Input;
    /**
     * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker.
     */
    invocationLogs?: pulumi.Input;
}

/**
 * Other resources that reference the Worker, grouped by kind.
 */
export interface WorkerReferences {
    /**
     * Other Workers that reference the Worker as an outbound for a dispatch namespace.
     */
    dispatchNamespaceOutbounds?: pulumi.Input[]>;
    /**
     * Custom domains connected to the Worker.
     */
    domains?: pulumi.Input[]>;
    /**
     * Other Workers that reference Durable Object classes implemented by the Worker.
     */
    durableObjects?: pulumi.Input[]>;
    /**
     * Queues that send messages to the Worker.
*/
    queues?: pulumi.Input[]>;
    /**
     * Other Workers that reference the Worker using [service bindings](https://developers.cloudflare.com/workers/runtime-apis/bindings/service-bindings/).
     */
    workers?: pulumi.Input[]>;
}

/**
 * A Worker that uses this Worker as the outbound of a dispatch namespace.
 */
export interface WorkerReferencesDispatchNamespaceOutbound {
    /**
     * ID of the dispatch namespace.
     */
    namespaceId?: pulumi.Input;
    /**
     * Name of the dispatch namespace.
     */
    namespaceName?: pulumi.Input;
    /**
     * ID of the Worker using the dispatch namespace.
     */
    workerId?: pulumi.Input;
    /**
     * Name of the Worker using the dispatch namespace.
     */
    workerName?: pulumi.Input;
}

/**
 * A custom domain connected to the Worker.
 */
export interface WorkerReferencesDomain {
    /**
     * ID of the TLS certificate issued for the custom domain.
     */
    certificateId?: pulumi.Input;
    /**
     * Full hostname of the custom domain, including the zone name.
     */
    hostname?: pulumi.Input;
    /**
     * ID of the custom domain.
     */
    id?: pulumi.Input;
    /**
     * ID of the zone.
     */
    zoneId?: pulumi.Input;
    /**
     * Name of the zone.
     */
    zoneName?: pulumi.Input;
}

/**
 * A Worker that uses a Durable Object class implemented by this Worker.
 */
export interface WorkerReferencesDurableObject {
    /**
     * ID of the Durable Object namespace being used.
     */
    namespaceId?: pulumi.Input;
    /**
     * Name of the Durable Object namespace being used.
     */
    namespaceName?: pulumi.Input;
    /**
     * ID of the Worker using the Durable Object implementation.
     */
    workerId?: pulumi.Input;
    /**
     * Name of the Worker using the Durable Object implementation.
     */
    workerName?: pulumi.Input;
}

/**
 * A queue that sends messages to the Worker.
 */
export interface WorkerReferencesQueue {
    /**
     * ID of the queue consumer configuration.
     */
    queueConsumerId?: pulumi.Input;
    /**
     * ID of the queue.
     */
    queueId?: pulumi.Input;
    /**
     * Name of the queue.
     */
    queueName?: pulumi.Input;
}

/**
 * A Worker that references this Worker.
 */
export interface WorkerReferencesWorker {
    /**
     * ID of the referencing Worker.
     */
    id?: pulumi.Input;
    /**
     * Name of the referencing Worker.
     */
    name?: pulumi.Input;
}

/**
 * Static asset settings of a Worker script.
 */
export interface WorkerScriptAssets {
    /**
     * The SHA-256 hash of the asset manifest of files to upload.
     */
    assetManifestSha256?: pulumi.Input;
    /**
     * Configuration for assets within a Worker.
*/ config?: pulumi.Input; /** * Path to the directory containing asset files to upload. */ directory?: pulumi.Input; /** * Token provided upon successful upload of all files from a registered manifest. */ jwt?: pulumi.Input; } export interface WorkerScriptAssetsConfig { /** * The contents of a _headers file (used to attach custom headers on asset responses). */ headers?: pulumi.Input; /** * Determines the redirects and rewrites of requests for HTML content. * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none". */ htmlHandling?: pulumi.Input; /** * Determines the response when a request does not match a static asset, and there is no Worker script. * Available values: "none", "404-page", "single-page-application". */ notFoundHandling?: pulumi.Input; /** * The contents of a _redirects file (used to apply redirects or proxy paths ahead of asset serving). */ redirects?: pulumi.Input; /** * When a boolean true, requests will always invoke the Worker script. Otherwise, attempt to serve an asset matching the request, falling back to the Worker script. When a list of strings, contains path rules to control routing to either the Worker or assets. Glob (*) and negative (!) rules are supported. Rules must start with either '/' or '!/'. At least one non-negative rule must be provided, and negative rules have higher precedence than non-negative rules. */ runWorkerFirst?: any; /** * When true and the incoming request matches an asset, that will be served instead of invoking the Worker script. When false, requests will always invoke the Worker script. * * @deprecated This attribute is deprecated. */ serveDirectly?: pulumi.Input; } export interface WorkerScriptBinding { /** * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm). */ algorithm?: pulumi.Input; /** * List of allowed destination addresses. 
*/ allowedDestinationAddresses?: pulumi.Input[]>; /** * List of allowed sender addresses. */ allowedSenderAddresses?: pulumi.Input[]>; /** * R2 bucket to bind to. */ bucketName?: pulumi.Input; /** * Identifier of the certificate to bind to. */ certificateId?: pulumi.Input; /** * The exported class name of the Durable Object. */ className?: pulumi.Input; /** * The name of the dataset to bind to. */ dataset?: pulumi.Input; /** * Destination address for the email. */ destinationAddress?: pulumi.Input; /** * The environment of the scriptName to bind to. */ environment?: pulumi.Input; /** * Data format of the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#format). * Available values: "raw", "pkcs8", "spki", "jwk". */ format?: pulumi.Input; /** * Identifier of the D1 database to bind to. */ id?: pulumi.Input; /** * Name of the Vectorize index to bind to. */ indexName?: pulumi.Input; /** * JSON data to use. */ json?: pulumi.Input; /** * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket. * Available values: "eu", "fedramp". */ jurisdiction?: pulumi.Input; /** * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki". * NOTE(review): this is key material. Pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) so it is encrypted in state; whether the provider marks it secret on its own is not visible in this file. */ keyBase64?: pulumi.Input; /** * Key data in [JSON Web Key](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key) format. Required if `format` is "jwk". * NOTE(review): a JWK carrying private or symmetric key fields is key material too; pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) unless the provider is confirmed to mark it secret. */ keyJwk?: pulumi.Input; /** * A JavaScript variable name for the binding. */ name: pulumi.Input; /** * The name of the dispatch namespace. */ namespace?: pulumi.Input; /** * Namespace identifier tag. */ namespaceId?: pulumi.Input; /** * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions. */ oldName?: pulumi.Input; /** * Outbound worker.
*/ outbound?: pulumi.Input; /** * The name of the file containing the data content. Only accepted for `service worker syntax` Workers. */ part?: pulumi.Input; /** * Name of the Pipeline to bind to. */ pipeline?: pulumi.Input; /** * Name of the Queue to bind to. */ queueName?: pulumi.Input; /** * The script where the Durable Object is defined, if it is external to this Worker. */ scriptName?: pulumi.Input; /** * Name of the secret in the store. */ secretName?: pulumi.Input; /** * Name of Worker to bind to. */ service?: pulumi.Input; /** * A simple rate limit. */ simple?: pulumi.Input; /** * ID of the store containing the secret. */ storeId?: pulumi.Input; /** * The text value to use. * NOTE(review): for a `secret_text` binding this value is presumably the secret itself; pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) rather than a plain string, and confirm whether the provider already marks it secret in state. */ text?: pulumi.Input; /** * The kind of resource that the binding provides. * Available values: "ai", "analytics_engine", "assets", "browser", "d1", "data_blob", "dispatch_namespace", "durable_object_namespace", "hyperdrive", "inherit", "images", "json", "kv_namespace", "mtls_certificate", "plain_text", "pipelines", "queue", "r2_bucket", "secret_text", "send_email", "service", "tail_consumer", "text_blob", "vectorize", "version_metadata", "secrets_store_secret", "secret_key", "workflow", "wasm_module". * (The generated docs rendered the underscores in these values as `*`; the values are written with `_`.) */ type: pulumi.Input; /** * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages). */ usages?: pulumi.Input[]>; /** * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version. */ versionId?: pulumi.Input; /** * Name of the Workflow to bind to. */ workflowName?: pulumi.Input; } export interface WorkerScriptBindingOutbound { /** * Pass information from the Dispatch Worker to the Outbound Worker through the parameters. */ params?: pulumi.Input[]>; /** * Outbound worker.
*/ worker?: pulumi.Input; } export interface WorkerScriptBindingOutboundWorker { /** * Environment of the outbound worker. */ environment?: pulumi.Input; /** * Name of the outbound worker. */ service?: pulumi.Input; } export interface WorkerScriptBindingSimple { /** * The rate limit value. */ limit: pulumi.Input; /** * The rate limit period in seconds. */ period: pulumi.Input; } export interface WorkerScriptLimits { /** * The amount of CPU time this Worker can use in milliseconds. */ cpuMs?: pulumi.Input; } export interface WorkerScriptMigrations { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * Tag to set as the latest migration tag. */ newTag?: pulumi.Input; /** * Tag used to verify against the latest migration tag for this Worker. If they don't match, the upload is rejected. */ oldTag?: pulumi.Input; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * Migrations to apply in order. */ steps?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkerScriptMigrationsRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkerScriptMigrationsStep { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * A list of classes with Durable Object namespaces that were renamed. 
*/ renamedClasses?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkerScriptMigrationsStepRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkerScriptMigrationsStepTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkerScriptMigrationsTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkerScriptNamedHandler { /** * The names of handlers exported as part of the named export. */ handlers?: pulumi.Input[]>; /** * The name of the export. */ name?: pulumi.Input; } export interface WorkerScriptObservability { /** * Whether observability is enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for incoming requests. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Log settings for the Worker. */ logs?: pulumi.Input; } export interface WorkerScriptObservabilityLogs { /** * A list of destinations where logs will be exported to. */ destinations?: pulumi.Input[]>; /** * Whether logs are enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for logs. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker. */ invocationLogs: pulumi.Input; /** * Whether log persistence is enabled for the Worker. */ persist?: pulumi.Input; } export interface WorkerScriptPlacement { /** * TCP host and port for targeted placement. */ host?: pulumi.Input; /** * HTTP hostname for targeted placement. 
*/ hostname?: pulumi.Input; /** * The last time the script was analyzed for [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). */ lastAnalyzedAt?: pulumi.Input; /** * Enables [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "smart", "targeted". */ mode?: pulumi.Input; /** * Cloud region for targeted placement in format 'provider:region'. */ region?: pulumi.Input; /** * Status of [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "SUCCESS", "UNSUPPORTED_APPLICATION", "INSUFFICIENT_INVOCATIONS". * (The generated docs rendered the underscores in these values as `*`; the values are written with `_`.) */ status?: pulumi.Input; /** * Array of placement targets (currently limited to single target). */ targets?: pulumi.Input[]>; } export interface WorkerScriptPlacementTarget { /** * TCP host:port for targeted placement. */ host?: pulumi.Input; /** * HTTP hostname for targeted placement. */ hostname?: pulumi.Input; /** * Cloud region in format 'provider:region'. */ region?: pulumi.Input; } export interface WorkerScriptTailConsumer { /** * Optional environment if the Worker utilizes one. */ environment?: pulumi.Input; /** * Optional dispatch namespace the script belongs to. */ namespace?: pulumi.Input; /** * Name of Worker that is to be the consumer. */ service: pulumi.Input; } export interface WorkerSubdomain { /** * Whether the *.workers.dev subdomain is enabled for the Worker. * NOTE(review): a workers.dev hostname is an additional public entry point to the Worker; controls configured on a custom domain or zone may not cover it — confirm, and leave this disabled where the subdomain is not needed. */ enabled?: pulumi.Input; /** * Whether [preview URLs](https://developers.cloudflare.com/workers/configuration/previews/) are enabled for the Worker. */ previewsEnabled?: pulumi.Input; } export interface WorkerTailConsumer { /** * Name of the consumer Worker. */ name: pulumi.Input; } export interface WorkerVersionAnnotations { /** * Human-readable message about the version. */ workersMessage?: pulumi.Input; /** * User-provided identifier for the version.
*/ workersTag?: pulumi.Input; /** * Operation that triggered the creation of the version. */ workersTriggeredBy?: pulumi.Input; } export interface WorkerVersionAssets { /** * The SHA-256 hash of the asset manifest of files to upload. */ assetManifestSha256?: pulumi.Input; /** * Configuration for assets within a Worker. */ config?: pulumi.Input; /** * Path to the directory containing asset files to upload. */ directory?: pulumi.Input; /** * Token provided upon successful upload of all files from a registered manifest. */ jwt?: pulumi.Input; } export interface WorkerVersionAssetsConfig { /** * Determines the redirects and rewrites of requests for HTML content. * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none". */ htmlHandling?: pulumi.Input; /** * Determines the response when a request does not match a static asset, and there is no Worker script. * Available values: "none", "404-page", "single-page-application". */ notFoundHandling?: pulumi.Input; /** * When a boolean true, requests will always invoke the Worker script. Otherwise, attempt to serve an asset matching the request, falling back to the Worker script. When a list of strings, contains path rules to control routing to either the Worker or assets. Glob (*) and negative (!) rules are supported. Rules must start with either '/' or '!/'. At least one non-negative rule must be provided, and negative rules have higher precedence than non-negative rules. */ runWorkerFirst?: any; } export interface WorkerVersionBinding { /** * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm). */ algorithm?: pulumi.Input; /** * List of allowed destination addresses. */ allowedDestinationAddresses?: pulumi.Input[]>; /** * List of allowed sender addresses. */ allowedSenderAddresses?: pulumi.Input[]>; /** * R2 bucket to bind to. */ bucketName?: pulumi.Input; /** * Identifier of the certificate to bind to. 
*/ certificateId?: pulumi.Input; /** * The exported class name of the Durable Object. */ className?: pulumi.Input; /** * The name of the dataset to bind to. */ dataset?: pulumi.Input; /** * Destination address for the email. */ destinationAddress?: pulumi.Input; /** * The environment of the scriptName to bind to. */ environment?: pulumi.Input; /** * Data format of the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#format). * Available values: "raw", "pkcs8", "spki", "jwk". */ format?: pulumi.Input; /** * Identifier of the D1 database to bind to. */ id?: pulumi.Input; /** * Name of the Vectorize index to bind to. */ indexName?: pulumi.Input; /** * JSON data to use. */ json?: pulumi.Input; /** * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket. * Available values: "eu", "fedramp". */ jurisdiction?: pulumi.Input; /** * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki". * NOTE(review): this is key material. Pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) so it is encrypted in state; whether the provider marks it secret on its own is not visible in this file. */ keyBase64?: pulumi.Input; /** * Key data in [JSON Web Key](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key) format. Required if `format` is "jwk". * NOTE(review): a JWK carrying private or symmetric key fields is key material too; pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) unless the provider is confirmed to mark it secret. */ keyJwk?: pulumi.Input; /** * A JavaScript variable name for the binding. */ name: pulumi.Input; /** * The name of the dispatch namespace. */ namespace?: pulumi.Input; /** * Namespace identifier tag. */ namespaceId?: pulumi.Input; /** * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions. */ oldName?: pulumi.Input; /** * Outbound worker. */ outbound?: pulumi.Input; /** * The name of the file containing the data content. Only accepted for `service worker syntax` Workers. */ part?: pulumi.Input; /** * Name of the Pipeline to bind to. */ pipeline?: pulumi.Input; /** * Name of the Queue to bind to.
*/ queueName?: pulumi.Input; /** * The script where the Durable Object is defined, if it is external to this Worker. */ scriptName?: pulumi.Input; /** * Name of the secret in the store. */ secretName?: pulumi.Input; /** * Name of Worker to bind to. */ service?: pulumi.Input; /** * The rate limit configuration. */ simple?: pulumi.Input; /** * ID of the store containing the secret. */ storeId?: pulumi.Input; /** * The text value to use. * NOTE(review): for a `secret_text` binding this value is presumably the secret itself; pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) rather than a plain string, and confirm whether the provider already marks it secret in state. */ text?: pulumi.Input; /** * The kind of resource that the binding provides. * Available values: "ai", "analytics_engine", "assets", "browser", "d1", "data_blob", "dispatch_namespace", "durable_object_namespace", "hyperdrive", "inherit", "images", "json", "kv_namespace", "mtls_certificate", "plain_text", "pipelines", "queue", "ratelimit", "r2_bucket", "secret_text", "send_email", "service", "text_blob", "vectorize", "version_metadata", "secrets_store_secret", "secret_key", "workflow", "wasm_module". * (The generated docs rendered the underscores in these values as `*`, and the last value as "wasmModule"; the values are written with `_`.) */ type: pulumi.Input; /** * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages). */ usages?: pulumi.Input[]>; /** * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version. */ versionId?: pulumi.Input; /** * Name of the Workflow to bind to. */ workflowName?: pulumi.Input; } export interface WorkerVersionBindingOutbound { /** * Pass information from the Dispatch Worker to the Outbound Worker through the parameters. */ params?: pulumi.Input[]>; /** * Outbound worker. */ worker?: pulumi.Input; } export interface WorkerVersionBindingOutboundParam { /** * Name of the parameter. */ name: pulumi.Input; } export interface WorkerVersionBindingOutboundWorker { /** * Entrypoint to invoke on the outbound worker. */ entrypoint?: pulumi.Input; /** * Environment of the outbound worker.
*/ environment?: pulumi.Input; /** * Name of the outbound worker. */ service?: pulumi.Input; } export interface WorkerVersionBindingSimple { /** * The limit (requests per period). */ limit: pulumi.Input; /** * The period in seconds. */ period: pulumi.Input; } export interface WorkerVersionLimits { /** * CPU time limit in milliseconds. */ cpuMs: pulumi.Input; } export interface WorkerVersionMigrations { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * Tag to set as the latest migration tag. */ newTag?: pulumi.Input; /** * Tag used to verify against the latest migration tag for this Worker. If they don't match, the upload is rejected. */ oldTag?: pulumi.Input; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * Migrations to apply in order. */ steps?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkerVersionMigrationsRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionMigrationsStep { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. 
*/ transferredClasses?: pulumi.Input[]>; } export interface WorkerVersionMigrationsStepRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionMigrationsStepTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionMigrationsTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionModule { /** * The base64-encoded module content. */ contentBase64?: pulumi.Input; /** * The file path of the module content. */ contentFile?: pulumi.Input; /** * The SHA-256 hash of the module content. */ contentSha256?: pulumi.Input; /** * The content type of the module. */ contentType: pulumi.Input; /** * The name of the module. */ name: pulumi.Input; } export interface WorkerVersionPlacement { /** * TCP host and port for targeted placement. */ host?: pulumi.Input; /** * HTTP hostname for targeted placement. */ hostname?: pulumi.Input; /** * Enables [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "smart", "targeted". */ mode?: pulumi.Input; /** * Cloud region for targeted placement in format 'provider:region'. */ region?: pulumi.Input; /** * Array of placement targets (currently limited to single target). */ targets?: pulumi.Input[]>; } export interface WorkerVersionPlacementTarget { /** * TCP host:port for targeted placement. */ host?: pulumi.Input; /** * HTTP hostname for targeted placement. */ hostname?: pulumi.Input; /** * Cloud region in format 'provider:region'. */ region?: pulumi.Input; } export interface WorkersCronTriggerSchedule { createdOn?: pulumi.Input; cron: pulumi.Input; modifiedOn?: pulumi.Input; } export interface WorkersDeploymentAnnotations { /** * Human-readable message about the deployment. Truncated to 100 bytes. */ workersMessage?: pulumi.Input; /** * Operation that triggered the creation of the deployment. 
*/ workersTriggeredBy?: pulumi.Input; } export interface WorkersDeploymentVersion { percentage: pulumi.Input; versionId: pulumi.Input; } export interface WorkersScriptAssets { /** * The SHA-256 hash of the asset manifest of files to upload. */ assetManifestSha256?: pulumi.Input; /** * Configuration for assets within a Worker. */ config?: pulumi.Input; /** * Path to the directory containing asset files to upload. */ directory?: pulumi.Input; /** * Token provided upon successful upload of all files from a registered manifest. */ jwt?: pulumi.Input; } export interface WorkersScriptAssetsConfig { /** * The contents of a _headers file (used to attach custom headers on asset responses). */ headers?: pulumi.Input; /** * Determines the redirects and rewrites of requests for HTML content. * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none". */ htmlHandling?: pulumi.Input; /** * Determines the response when a request does not match a static asset, and there is no Worker script. * Available values: "none", "404-page", "single-page-application". */ notFoundHandling?: pulumi.Input; /** * The contents of a _redirects file (used to apply redirects or proxy paths ahead of asset serving). */ redirects?: pulumi.Input; /** * When a boolean true, requests will always invoke the Worker script. Otherwise, attempt to serve an asset matching the request, falling back to the Worker script. When a list of strings, contains path rules to control routing to either the Worker or assets. Glob (*) and negative (!) rules are supported. Rules must start with either '/' or '!/'. At least one non-negative rule must be provided, and negative rules have higher precedence than non-negative rules. */ runWorkerFirst?: any; /** * When true and the incoming request matches an asset, that will be served instead of invoking the Worker script. When false, requests will always invoke the Worker script. * * @deprecated This attribute is deprecated. 
*/ serveDirectly?: pulumi.Input; } export interface WorkersScriptBinding { /** * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm). */ algorithm?: pulumi.Input; /** * List of allowed destination addresses. */ allowedDestinationAddresses?: pulumi.Input[]>; /** * List of allowed sender addresses. */ allowedSenderAddresses?: pulumi.Input[]>; /** * R2 bucket to bind to. */ bucketName?: pulumi.Input; /** * Identifier of the certificate to bind to. */ certificateId?: pulumi.Input; /** * The exported class name of the Durable Object. */ className?: pulumi.Input; /** * The name of the dataset to bind to. */ dataset?: pulumi.Input; /** * Destination address for the email. */ destinationAddress?: pulumi.Input; /** * The environment of the scriptName to bind to. */ environment?: pulumi.Input; /** * Data format of the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#format). * Available values: "raw", "pkcs8", "spki", "jwk". */ format?: pulumi.Input; /** * Identifier of the D1 database to bind to. */ id?: pulumi.Input; /** * Name of the Vectorize index to bind to. */ indexName?: pulumi.Input; /** * JSON data to use. */ json?: pulumi.Input; /** * The [jurisdiction](https://developers.cloudflare.com/r2/reference/data-location/#jurisdictional-restrictions) of the R2 bucket. * Available values: "eu", "fedramp". */ jurisdiction?: pulumi.Input; /** * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki". * NOTE(review): this is key material. Pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) so it is encrypted in state; whether the provider marks it secret on its own is not visible in this file. */ keyBase64?: pulumi.Input; /** * Key data in [JSON Web Key](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key) format. Required if `format` is "jwk". * NOTE(review): a JWK carrying private or symmetric key fields is key material too; pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) unless the provider is confirmed to mark it secret. */ keyJwk?: pulumi.Input; /** * A JavaScript variable name for the binding. */ name: pulumi.Input; /** * The name of the dispatch namespace. */ namespace?: pulumi.Input; /** * Namespace identifier tag.
*/ namespaceId?: pulumi.Input; /** * The old name of the inherited binding. If set, the binding will be renamed from `oldName` to `name` in the new version. If not set, the binding will keep the same name between versions. */ oldName?: pulumi.Input; /** * Outbound worker. */ outbound?: pulumi.Input; /** * The name of the file containing the data content. Only accepted for `service worker syntax` Workers. */ part?: pulumi.Input; /** * Name of the Pipeline to bind to. */ pipeline?: pulumi.Input; /** * Name of the Queue to bind to. */ queueName?: pulumi.Input; /** * The script where the Durable Object is defined, if it is external to this Worker. */ scriptName?: pulumi.Input; /** * Name of the secret in the store. */ secretName?: pulumi.Input; /** * Name of Worker to bind to. */ service?: pulumi.Input; /** * A simple rate limit. */ simple?: pulumi.Input; /** * ID of the store containing the secret. */ storeId?: pulumi.Input; /** * The text value to use. * NOTE(review): for a `secret_text` binding this value is presumably the secret itself; pass it as a Pulumi secret (e.g. `pulumi.secret(...)`) rather than a plain string, and confirm whether the provider already marks it secret in state. */ text?: pulumi.Input; /** * The kind of resource that the binding provides. * Available values: "ai", "analytics_engine", "assets", "browser", "d1", "data_blob", "dispatch_namespace", "durable_object_namespace", "hyperdrive", "inherit", "images", "json", "kv_namespace", "mtls_certificate", "plain_text", "pipelines", "queue", "r2_bucket", "secret_text", "send_email", "service", "tail_consumer", "text_blob", "vectorize", "version_metadata", "secrets_store_secret", "secret_key", "workflow", "wasm_module". * (The generated docs rendered the underscores in these values as `*`; the values are written with `_`.) */ type: pulumi.Input; /** * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages). */ usages?: pulumi.Input[]>; /** * Identifier for the version to inherit the binding from, which can be the version ID or the literal "latest" to inherit from the latest version. Defaults to inheriting the binding from the latest version. */ versionId?: pulumi.Input; /** * Name of the Workflow to bind to.
*/ workflowName?: pulumi.Input; } export interface WorkersScriptBindingOutbound { /** * Pass information from the Dispatch Worker to the Outbound Worker through the parameters. */ params?: pulumi.Input[]>; /** * Outbound worker. */ worker?: pulumi.Input; } export interface WorkersScriptBindingOutboundWorker { /** * Environment of the outbound worker. */ environment?: pulumi.Input; /** * Name of the outbound worker. */ service?: pulumi.Input; } export interface WorkersScriptBindingSimple { /** * The rate limit value. */ limit: pulumi.Input; /** * The rate limit period in seconds. */ period: pulumi.Input; } export interface WorkersScriptLimits { /** * The amount of CPU time this Worker can use in milliseconds. */ cpuMs?: pulumi.Input; } export interface WorkersScriptMigrations { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * Tag to set as the latest migration tag. */ newTag?: pulumi.Input; /** * Tag used to verify against the latest migration tag for this Worker. If they don't match, the upload is rejected. */ oldTag?: pulumi.Input; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * Migrations to apply in order. */ steps?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkersScriptMigrationsRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkersScriptMigrationsStep { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. 
*/ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkersScriptMigrationsStepRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkersScriptMigrationsStepTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkersScriptMigrationsTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkersScriptNamedHandler { /** * The names of handlers exported as part of the named export. */ handlers?: pulumi.Input[]>; /** * The name of the export. */ name?: pulumi.Input; } export interface WorkersScriptObservability { /** * Whether observability is enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for incoming requests. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Log settings for the Worker. */ logs?: pulumi.Input; } export interface WorkersScriptObservabilityLogs { /** * A list of destinations where logs will be exported to. */ destinations?: pulumi.Input[]>; /** * Whether logs are enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for logs. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker. */ invocationLogs: pulumi.Input; /** * Whether log persistence is enabled for the Worker. 
*/ persist?: pulumi.Input; } export interface WorkersScriptPlacement { /** * TCP host and port for targeted placement. */ host?: pulumi.Input; /** * HTTP hostname for targeted placement. */ hostname?: pulumi.Input; /** * The last time the script was analyzed for [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). */ lastAnalyzedAt?: pulumi.Input; /** * Enables [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "smart", "targeted". */ mode?: pulumi.Input; /** * Cloud region for targeted placement in format 'provider:region'. */ region?: pulumi.Input; /** * Status of [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "SUCCESS", "UNSUPPORTED_APPLICATION", "INSUFFICIENT_INVOCATIONS". * (The generated docs rendered the underscores in these values as `*`; the values are written with `_`.) */ status?: pulumi.Input; /** * Array of placement targets (currently limited to single target). */ targets?: pulumi.Input[]>; } export interface WorkersScriptPlacementTarget { /** * TCP host:port for targeted placement. */ host?: pulumi.Input; /** * HTTP hostname for targeted placement. */ hostname?: pulumi.Input; /** * Cloud region in format 'provider:region'. */ region?: pulumi.Input; } export interface WorkersScriptTailConsumer { /** * Optional environment if the Worker utilizes one. */ environment?: pulumi.Input; /** * Optional dispatch namespace the script belongs to. */ namespace?: pulumi.Input; /** * Name of Worker that is to be the consumer.
*/ service: pulumi.Input; } export interface WorkflowInstances { complete?: pulumi.Input; errored?: pulumi.Input; paused?: pulumi.Input; queued?: pulumi.Input; running?: pulumi.Input; terminated?: pulumi.Input; waiting?: pulumi.Input; waitingForPause?: pulumi.Input; } export interface ZeroTrustAccessAiControlsMcpPortalServer { defaultDisabled?: pulumi.Input; onBehalf?: pulumi.Input; /** * The server ID. */ serverId: pulumi.Input; updatedPrompts?: pulumi.Input[]>; updatedTools?: pulumi.Input[]>; } export interface ZeroTrustAccessAiControlsMcpPortalServerUpdatedPrompt { description?: pulumi.Input; enabled?: pulumi.Input; name: pulumi.Input; } export interface ZeroTrustAccessAiControlsMcpPortalServerUpdatedTool { description?: pulumi.Input; enabled?: pulumi.Input; name: pulumi.Input; } /** * CORS settings for an Access application: which origins, methods and headers are allowed, whether credentials are included, and how long preflight results may be cached. */ export interface ZeroTrustAccessApplicationCorsHeaders { /** * Allows all HTTP request headers. */ allowAllHeaders?: pulumi.Input; /** * Allows all HTTP request methods. */ allowAllMethods?: pulumi.Input; /** * Allows all origins. * NOTE(review): with this set, any website may make cross-origin requests to the application; prefer an explicit `allowedOrigins` list unless the application is meant to be called from arbitrary sites. */ allowAllOrigins?: pulumi.Input; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. * NOTE(review): credentialed cross-origin access is best limited to the origins named in `allowedOrigins`; confirm how Access treats this flag together with `allowAllOrigins` before enabling both. */ allowCredentials?: pulumi.Input; /** * Allowed HTTP request headers. */ allowedHeaders?: pulumi.Input[]>; /** * Allowed HTTP request methods. */ allowedMethods?: pulumi.Input[]>; /** * Allowed origins. 
*/ allowedOrigins?: pulumi.Input[]>; /** * The maximum number of seconds the results of a preflight request can be cached. */ maxAge?: pulumi.Input; } export interface ZeroTrustAccessApplicationDestination { /** * The CIDR range of the destination. Single IPs will be computed as /32. */ cidr?: pulumi.Input; /** * The hostname of the destination. Matches a valid SNI served by an HTTPS origin. */ hostname?: pulumi.Input; /** * The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. * Available values: "tcp", "udp". 
*/ l4Protocol?: pulumi.Input; /** * An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. */ mcpServerId?: pulumi.Input; /** * The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. */ portRange?: pulumi.Input; /** * The type of the destination. * Available values: "public", "private". */ type?: pulumi.Input; /** * The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). */ uri?: pulumi.Input; /** * The VNET ID to match the destination. When omitted, all VNETs will match. */ vnetId?: pulumi.Input; } export interface ZeroTrustAccessApplicationFooterLink { /** * The hypertext in the footer link. */ name: pulumi.Input; /** * The hyperlink in the footer link. */ url: pulumi.Input; } export interface ZeroTrustAccessApplicationLandingPageDesign { /** * The background color of the log in button on the landing page. */ buttonColor?: pulumi.Input; /** * The color of the text in the log in button on the landing page. */ buttonTextColor?: pulumi.Input; /** * The URL of the image shown on the landing page. */ imageUrl?: pulumi.Input; /** * The message shown on the landing page. */ message?: pulumi.Input; /** * The title shown on the landing page. */ title?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicy { /** * The rules that define how users may connect to the targets secured by your application. */ connectionRules?: pulumi.Input; /** * The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. * Available values: "allow", "deny", "nonIdentity", "bypass". 
* NOTE(review): "bypass" switches off Access enforcement for requests that match the policy, so a bypass policy with a broad Include rule (for example `everyone`) leaves the matched paths unauthenticated; keep bypass rules as narrow as possible and review them explicitly. */ decision?: pulumi.Input; /** * Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. 
*/ excludes?: pulumi.Input[]>; /** * The UUID of the policy */ id?: pulumi.Input; /** * Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. */ includes?: pulumi.Input[]>; /** * The name of the Access policy. */ name?: pulumi.Input; /** * The order of execution for this policy. Must be unique for each policy within an app. */ precedence?: pulumi.Input; /** * Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. */ requires?: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationPolicyConnectionRules { /** * The RDP-specific rules that define clipboard behavior for RDP connections. */ rdp?: pulumi.Input; /** * The SSH-specific rules that define how users may connect to the targets secured by your application. */ ssh?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyConnectionRulesRdp { /** * Clipboard formats allowed when copying from local machine to remote RDP session. */ allowedClipboardLocalToRemoteFormats?: pulumi.Input[]>; /** * Clipboard formats allowed when copying from remote RDP session to local machine. */ allowedClipboardRemoteToLocalFormats?: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationPolicyConnectionRulesSsh { /** * Enables using Identity Provider email alias as SSH username. */ allowEmailAlias?: pulumi.Input; /** * Contains the Unix usernames that may be used when connecting over SSH. */ usernames: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. 
*/ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeAnyValidServiceToken { } export interface ZeroTrustAccessApplicationPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeCertificate { } export interface ZeroTrustAccessApplicationPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEmailList { /** * The ID of a previously created email list. 
*/ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEveryone { } export interface ZeroTrustAccessApplicationPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. 
*/ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeAnyValidServiceToken { } export interface ZeroTrustAccessApplicationPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. 
*/ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeCertificate { } export interface ZeroTrustAccessApplicationPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEveryone { } export interface ZeroTrustAccessApplicationPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. 
*/ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeServiceToken { /** * The ID of a Service Token. 
*/ tokenId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireAnyValidServiceToken { } export interface ZeroTrustAccessApplicationPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireCertificate { } export interface ZeroTrustAccessApplicationPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireDevicePosture { /** * The ID of a device posture integration. 
*/ integrationUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEveryone { } export interface ZeroTrustAccessApplicationPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireIpList { /** * The ID of a previously created IP list. 
*/ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application. */ appUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasApp { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. */ accessTokenLifetime?: pulumi.Input; /** * If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. * NOTE(review): the field name reads as permitting PKCE without a client secret, while the sentence above describes requiring one; confirm which way `true` goes before setting it, since a client that presents no secret relies on PKCE alone. 
*/ allowPkceWithoutClientSecret?: pulumi.Input; /** * The URL where this application's tile redirects users. */ appLauncherUrl?: pulumi.Input; /** * Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" * Available values: "saml", "oidc". 
*/ authType?: pulumi.Input; /** * The application client id. */ clientId?: pulumi.Input; /** * The application client secret, only returned on POST request. * NOTE(review): credential material; keep it out of logs and plain stack outputs, and handle any value read back from the provider as a Pulumi secret. */ clientSecret?: pulumi.Input; /** * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. */ consumerServiceUrl?: pulumi.Input; customAttributes?: pulumi.Input[]>; customClaims?: pulumi.Input[]>; /** * The URL that the user will be redirected to after a successful login for IDP initiated logins. */ defaultRelayState?: pulumi.Input; /** * The OIDC flows supported by this application. */ grantTypes?: pulumi.Input[]>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint. */ groupFilterRegex?: pulumi.Input; hybridAndImplicitOptions?: pulumi.Input; /** * The unique identifier for your SaaS application. */ idpEntityId?: pulumi.Input; /** * The format of the name identifier sent to the SaaS application. * Available values: "id", "email". */ nameIdFormat?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `nameIdFormat` setting. */ nameIdTransformJsonata?: pulumi.Input; /** * The Access public certificate that will be used to verify your identity. */ publicKey?: pulumi.Input; /** * The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens. * NOTE(review): authorization codes and tokens are delivered to whatever is listed here, so keep the list to callback URLs the application owns. 
*/ redirectUris?: pulumi.Input[]>; refreshTokenOptions?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. 
*/ samlAttributeTransformJsonata?: pulumi.Input; /** * Defines the user information shared with Access. The "offlineAccess" scope will be automatically enabled if refresh tokens are enabled. */ scopes?: pulumi.Input[]>; /** * A globally unique name for an identity or service provider. */ spEntityId?: pulumi.Input; /** * The endpoint where your SaaS application will send login requests. */ ssoEndpoint?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomAttribute { /** * The SAML FriendlyName of the attribute. */ friendlyName?: pulumi.Input; /** * The name of the attribute. */ name?: pulumi.Input; /** * A globally unique name for an identity or service provider. * Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri". * NOTE(review): the first sentence matches the `spEntityId` description word for word; judging by the listed values this field selects the SAML attribute name format. Confirm against the provider documentation. */ nameFormat?: pulumi.Input; /** * If the attribute is required when building a SAML assertion. */ required?: pulumi.Input; source?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomAttributeSource { /** * The name of the IdP attribute. */ name?: pulumi.Input; /** * A mapping from IdP ID to attribute name. */ nameByIdps?: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationSaasAppCustomAttributeSourceNameByIdp { /** * The UID of the IdP. */ idpId?: pulumi.Input; /** * The name of the IdP provided attribute. */ sourceName?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomClaim { /** * The name of the claim. */ name?: pulumi.Input; /** * If the claim is required when building an OIDC token. */ required?: pulumi.Input; /** * The scope of the claim. * Available values: "groups", "profile", "email", "openid". 
*/ scope?: pulumi.Input; source?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomClaimSource { /** * The name of the IdP claim. */ name?: pulumi.Input; /** * A mapping from IdP ID to claim name. 
*/ nameByIdp?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface ZeroTrustAccessApplicationSaasAppHybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint. * NOTE(review): a token returned from the authorization endpoint is delivered in the browser redirect instead of the back-channel token endpoint; enable only for clients that need the hybrid or implicit flow. */ returnAccessTokenFromAuthorizationEndpoint?: pulumi.Input; /** * If an ID Token should be returned from the OIDC Authorization endpoint. */ returnIdTokenFromAuthorizationEndpoint?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppRefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. */ lifetime?: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfig { /** * Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. * NOTE(review): the nested `scheme` field lists four schemes ("httpbasic", "oauthbearertoken", "oauth2", "access_service_token"), so this block does not appear to be limited to HTTP Basic. */ authentication?: pulumi.Input; /** * If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. */ deactivateOnDelete?: pulumi.Input; /** * Whether SCIM provisioning is turned on for this application. */ enabled?: pulumi.Input; /** * The UID of the IdP to use as the source for SCIM resources to provision to this application. */ idpUid: pulumi.Input; /** * A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. */ mappings?: pulumi.Input[]>; /** * The base URI for the application's SCIM-compatible API. 
*/ remoteUri: pulumi.Input; } /** * Credentials and endpoints used to authenticate SCIM requests to the remote application; which fields apply depends on `scheme`. */ export interface ZeroTrustAccessApplicationScimConfigAuthentication { /** * URL used to generate the auth code used during token generation. */ authorizationUrl?: pulumi.Input; /** * Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. */ clientId?: pulumi.Input; /** * Secret used to authenticate when generating a token for authenticating with the remote SCIM service. * NOTE(review): credential; supply it from Pulumi secret config or wrap it with `pulumi.secret(...)` rather than a literal, so the value is encrypted in state and masked in output. 
*/ clientSecret?: pulumi.Input; /** * Password used to authenticate with the remote SCIM service. * NOTE(review): credential; supply it from Pulumi secret config or wrap it with `pulumi.secret(...)` rather than a literal. */ password?: pulumi.Input; /** * The authentication scheme to use when making SCIM requests to this application. * Available values: "httpbasic", "oauthbearertoken", "oauth2", "access_service_token". */ scheme: pulumi.Input; /** * The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. */ scopes?: pulumi.Input[]>; /** * Token used to authenticate with the remote SCIM service. * NOTE(review): credential; supply it from Pulumi secret config or wrap it with `pulumi.secret(...)` rather than a literal. */ token?: pulumi.Input; /** * URL used to generate the token used to authenticate with the remote SCIM service. */ tokenUrl?: pulumi.Input; /** * User name used to authenticate with the remote SCIM service. */ user?: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfigMapping { /** * Whether or not this mapping is enabled. */ enabled?: pulumi.Input; /** * A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. */ filter?: pulumi.Input; /** * Whether or not this mapping applies to creates, updates, or deletes. */ operations?: pulumi.Input; /** * Which SCIM resource type this mapping applies to. */ schema: pulumi.Input; /** * The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. * Available values: "strict", "passthrough". */ strictness?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
*/ transformJsonata?: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfigMappingOperations { /** * Whether or not this mapping applies to create (POST) operations. */ create?: pulumi.Input; /** * Whether or not this mapping applies to DELETE operations. 
*/ delete?: pulumi.Input; /** * Whether or not this mapping applies to update (PATCH/PUT) operations. */ update?: pulumi.Input; } export interface ZeroTrustAccessApplicationTargetCriteria { /** * The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. */ port: pulumi.Input; /** * The communication protocol your application secures. * Available values: "SSH", "RDP". */ protocol: pulumi.Input; /** * Contains a map of target attribute keys to target attribute values. */ targetAttributes: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; } export interface ZeroTrustAccessGroupExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeAnyValidServiceToken { } export interface ZeroTrustAccessGroupExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. 
*/ authMethod: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeCertificate { } export interface ZeroTrustAccessGroupExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEveryone { } export interface ZeroTrustAccessGroupExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. 
*/ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessGroupInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. 
*/ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeAnyValidServiceToken { } export interface ZeroTrustAccessGroupIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeCertificate { } export interface ZeroTrustAccessGroupIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEveryone { } export interface ZeroTrustAccessGroupIncludeExternalEvaluation { /** * The API endpoint containing your business logic. 
*/ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeSaml { /** * The name of the SAML attribute. 
*/ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessGroupRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessGroupRequireAnyValidServiceToken { } export interface ZeroTrustAccessGroupRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessGroupRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireCertificate { } export interface ZeroTrustAccessGroupRequireCommonName { /** * The common name to match. 
*/ commonName: pulumi.Input; } export interface ZeroTrustAccessGroupRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEveryone { } export interface ZeroTrustAccessGroupRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessGroupRequireIpList { /** * The ID of a previously created IP list. 
*/ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessGroupRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessGroupRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessIdentityProviderConfig { /** * Your companies TLD */ appsDomain?: pulumi.Input; /** * A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. 
*/ attributes?: pulumi.Input[]>; /** * The authorizationEndpoint URL of your IdP */ authUrl?: pulumi.Input; /** * Your Okta authorization server ID */ authorizationServerId?: pulumi.Input; /** * Your Centrify account URL */ centrifyAccount?: pulumi.Input; /** * Your Centrify app ID */ centrifyAppId?: pulumi.Input; /** * The jwksUri endpoint of your IdP, which publishes the keys the IdP signs tokens with */ certsUrl?: pulumi.Input; /** * Custom claims */ claims?: pulumi.Input[]>; /** * Your OAuth Client ID */ clientId?: pulumi.Input; /** * Your OAuth Client Secret. * NOTE(review): sensitive value - supply it as a Pulumi secret (for example from encrypted stack config) instead of a plaintext literal, and confirm whether the provider already marks this input as secret. */ clientSecret?: pulumi.Input; /** * Should Cloudflare try to load authentication contexts from your account */ conditionalAccessEnabled?: pulumi.Input; /** * Your Azure directory UUID */ directoryId?: pulumi.Input; /** * The attribute name for email in the SAML response. */ emailAttributeName?: pulumi.Input; /** * The claim name for email in the idToken response. */ emailClaimName?: pulumi.Input; /** * Add a list of attribute names that will be returned in the response header from the Access callback. */ headerAttributes?: pulumi.Input[]>; /** * X509 certificate to verify the signature in the SAML authentication response */ idpPublicCerts?: pulumi.Input[]>; /** * IdP Entity ID or Issuer URL */ issuerUrl?: pulumi.Input; /** * Your Okta account URL */ oktaAccount?: pulumi.Input; /** * Your OneLogin account URL */ oneloginAccount?: pulumi.Input; /** * Your PingOne environment identifier */ pingEnvId?: pulumi.Input; /** * Enable Proof Key for Code Exchange (PKCE) */ pkceEnabled?: pulumi.Input; /** * Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error.
prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. * Available values: "login", "selectAccount", "none". * NOTE(review): the description spells the second value select_account; confirm which spelling the provider expects. */ prompt?: pulumi.Input; redirectUrl?: pulumi.Input; /** * OAuth scopes */ scopes?: pulumi.Input[]>; /** * Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. */ signRequest?: pulumi.Input; /** * URL to send the SAML authentication requests to */ ssoTargetUrl?: pulumi.Input; /** * Should Cloudflare try to load groups from your account */ supportGroups?: pulumi.Input; /** * The tokenEndpoint URL of your IdP */ tokenUrl?: pulumi.Input; } export interface ZeroTrustAccessIdentityProviderConfigHeaderAttribute { /** * Attribute name from the IdP. */ attributeName?: pulumi.Input; /** * Header that will be added on the request to the origin. */ headerName?: pulumi.Input; } export interface ZeroTrustAccessIdentityProviderScimConfig { /** * A flag to enable or disable SCIM for the identity provider. */ enabled?: pulumi.Input; /** * Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. * Available values: "automatic", "reauth", "no_action". */ identityUpdateBehavior?: pulumi.Input; /** * The base URL of Cloudflare's SCIM V2.0 API endpoint.
*/ scimBaseUrl?: pulumi.Input; /** * A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless userDeprovision is also enabled. */ seatDeprovision?: pulumi.Input; /** * A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests, so capture it when it is first returned and keep it in a secret store. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. * NOTE(review): sensitive value - confirm that it is stored as a Pulumi secret and does not end up in plaintext state or logs. */ secret?: pulumi.Input; /** * A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. */ userDeprovision?: pulumi.Input; } export interface ZeroTrustAccessInfrastructureTargetIp { /** * The target's IPv4 address */ ipv4?: pulumi.Input; /** * The target's IPv6 address */ ipv6?: pulumi.Input; } export interface ZeroTrustAccessInfrastructureTargetIpIpv4 { /** * IP address of the target */ ipAddr?: pulumi.Input; /** * (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used. */ virtualNetworkId?: pulumi.Input; } export interface ZeroTrustAccessInfrastructureTargetIpIpv6 { /** * IP address of the target */ ipAddr?: pulumi.Input; /** * (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used. */ virtualNetworkId?: pulumi.Input; } export interface ZeroTrustAccessMtlsHostnameSettingsSetting { /** * Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. */ chinaNetwork: pulumi.Input; /** * Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball (the connecting client) to the edge, and forwards it to the origin as an HTTP header to allow logging on the origin. * NOTE(review): the origin should presumably accept this header only on requests that arrive through Cloudflare, since a header can otherwise be set by any sender - confirm how the origin is restricted. */ clientCertificateForwarding: pulumi.Input; /** * The hostname that these settings apply to.
*/ hostname: pulumi.Input; } export interface ZeroTrustAccessPolicyApprovalGroup { /** * The number of approvals needed to obtain access. */ approvalsNeeded: pulumi.Input; /** * A list of emails that can approve the access request. */ emailAddresses?: pulumi.Input[]>; /** * The UUID of an re-usable email list. */ emailListUuid?: pulumi.Input; } export interface ZeroTrustAccessPolicyConnectionRules { /** * The RDP-specific rules that define clipboard behavior for RDP connections. */ rdp?: pulumi.Input; } export interface ZeroTrustAccessPolicyConnectionRulesRdp { /** * Clipboard formats allowed when copying from local machine to remote RDP session. */ allowedClipboardLocalToRemoteFormats?: pulumi.Input[]>; /** * Clipboard formats allowed when copying from remote RDP session to local machine. */ allowedClipboardRemoteToLocalFormats?: pulumi.Input[]>; } export interface ZeroTrustAccessPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeAnyValidServiceToken { } export interface ZeroTrustAccessPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. 
*/ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeCertificate { } export interface ZeroTrustAccessPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEveryone { } export interface ZeroTrustAccessPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGroup { /** * The ID of a previously created Access group. 
*/ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessPolicyInclude { /** * An empty object which matches on all service tokens. 
*/ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeAnyValidServiceToken { } export interface ZeroTrustAccessPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeCertificate { } export interface ZeroTrustAccessPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEmailDomain { /** * The email domain to match. 
*/ domain: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEveryone { } export interface ZeroTrustAccessPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. 
*/ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessPolicyMfaConfig { /** * Lists the MFA methods that users can authenticate with. */ allowedAuthenticators?: pulumi.Input[]>; /** * Indicates whether to bypass MFA for this resource. This option is available at the application and policy level. * Security-sensitive: enabling it removes the MFA step for the resource, so a change to this flag deserves the same review as a policy change. */ mfaBypass?: pulumi.Input; /** * Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. */ sessionDuration?: pulumi.Input; } export interface ZeroTrustAccessPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users.
*/ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireAnyValidServiceToken { } export interface ZeroTrustAccessPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireCertificate { } export interface ZeroTrustAccessPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEveryone { } export interface ZeroTrustAccessPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. 
*/ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireSaml { /** * The name of the SAML attribute. 
*/ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileExclude { /** * The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileInclude { /** * The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to include in the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileLocalDomainFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileServiceModeV2 { /** * The mode to run the WARP client under. 
*/ mode?: pulumi.Input; /** * The port number when used with proxy mode. */ port?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileTargetTest { /** * The id of the DEX test targeting this policy. */ id?: pulumi.Input; /** * The name of the DEX test targeting this policy. */ name?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileExclude { /** * The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileInclude { /** * The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to include in the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileLocalDomainFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileServiceModeV2 { /** * The mode to run the WARP client under. 
*/
    mode?: pulumi.Input;
    /**
     * The port number when used with proxy mode.
     */
    port?: pulumi.Input;
}

/**
 * Describes the TLS host the WARP client probes to detect a managed network.
 */
export interface ZeroTrustDeviceManagedNetworksConfig {
    /**
     * The SHA-256 hash of the TLS certificate presented by the host found at `tlsSockaddr`. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.
     *
     * NOTE(review): as worded, a supplied hash takes the place of regular chain verification, so the value presumably has to be updated whenever that host's certificate is rotated — confirm against the provider documentation.
     */
    sha256?: pulumi.Input;
    /**
     * A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
     */
    tlsSockaddr: pulumi.Input;
}

/**
 * Connection settings for a device posture integration. The field comments name several third-party
 * services (Workspace One, Uptycs, Crowdstrike), so which fields apply presumably depends on the
 * integration type — confirm against the provider documentation.
 */
export interface ZeroTrustDevicePostureIntegrationConfig {
    /**
     * If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `apiUrl`.
     */
    accessClientId?: pulumi.Input;
    /**
     * If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `apiUrl`.
     *
     * Credential: pass it as a Pulumi secret (for example from `config.requireSecret(...)` or wrapped with `pulumi.secret(...)`) rather than as a literal in the program, so it is not kept in plaintext in state.
     * NOTE(review): confirm whether the provider already marks this input as secret.
     */
    accessClientSecret?: pulumi.Input;
    /**
     * The Workspace One API URL provided in the Workspace One Admin Dashboard.
     */
    apiUrl?: pulumi.Input;
    /**
     * The Workspace One Authorization URL depending on your region.
     */
    authUrl?: pulumi.Input;
    /**
     * The Workspace One client ID provided in the Workspace One Admin Dashboard.
     */
    clientId?: pulumi.Input;
    /**
     * The Uptycs client secret.
     *
     * Credential: handle it as a Pulumi secret, as described for `accessClientSecret`.
     */
    clientKey?: pulumi.Input;
    /**
     * The Workspace One client secret provided in the Workspace One Admin Dashboard.
     *
     * Credential: handle it as a Pulumi secret, as described for `accessClientSecret`.
     */
    clientSecret?: pulumi.Input;
    /**
     * The Crowdstrike customer ID.
     */
    customerId?: pulumi.Input;
}

/**
 * Values checked by a device posture rule. Which fields apply presumably depends on the rule type —
 * confirm against the provider documentation.
 */
export interface ZeroTrustDevicePostureRuleInput {
    /**
     * The number of active threats.
     */
    activeThreats?: pulumi.Input;
    /**
     * UUID of Cloudflare managed certificate.
     */
    certificateId?: pulumi.Input;
    /**
     * List of volume names to be checked for encryption.
     */
    checkDisks?: pulumi.Input[]>;
    /**
     * Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
     */
    checkPrivateKey?: pulumi.Input;
    /**
     * Common Name that is protected by the certificate.
*/ cn?: pulumi.Input; /** * Compliance Status. * Available values: "compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error". */ complianceStatus?: pulumi.Input; /** * Posture Integration ID. */ connectionId?: pulumi.Input; /** * Count Operator. * Available values: "<", "<=", ">", ">=", "==". */ countOperator?: pulumi.Input; /** * Domain. */ domain?: pulumi.Input; /** * For more details on eid last seen, refer to the Tanium documentation. */ eidLastSeen?: pulumi.Input; /** * Enabled. */ enabled?: pulumi.Input; /** * Whether or not file exists. */ exists?: pulumi.Input; /** * List of values indicating purposes for which the certificate public key can be used. */ extendedKeyUsages?: pulumi.Input[]>; /** * List ID. */ id?: pulumi.Input; /** * Whether device is infected. */ infected?: pulumi.Input; /** * Whether device is active. */ isActive?: pulumi.Input; /** * The Number of Issues. */ issueCount?: pulumi.Input; /** * For more details on last seen, please refer to the Crowdstrike documentation. */ lastSeen?: pulumi.Input; locations?: pulumi.Input; /** * Network status of device. * Available values: "connected", "disconnected", "disconnecting", "connecting". */ networkStatus?: pulumi.Input; /** * Operating system. * Available values: "windows", "linux", "mac", "android", "ios", "chromeos". */ operatingSystem?: pulumi.Input; /** * Agent operational state. * Available values: "na", "partially*disabled", "auto*fully*disabled", "fully*disabled", "auto*partially*disabled", "disabled*error", "db*corruption". */ operationalState?: pulumi.Input; /** * Operator. * Available values: "<", "<=", ">", ">=", "==". */ operator?: pulumi.Input; /** * Os Version. */ os?: pulumi.Input; /** * Operating System Distribution Name (linux only). */ osDistroName?: pulumi.Input; /** * Version of OS Distribution (linux only). */ osDistroRevision?: pulumi.Input; /** * Additional operating system version details. For Windows, the UBR (Update Build Revision). 
For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. */ osVersionExtra?: pulumi.Input; /** * Overall. */ overall?: pulumi.Input; /** * File path. */ path?: pulumi.Input; /** * Whether to check all disks for encryption. */ requireAll?: pulumi.Input; /** * For more details on risk level, refer to the Tanium documentation. * Available values: "low", "medium", "high", "critical". */ riskLevel?: pulumi.Input; /** * A value between 0-100 assigned to devices set by the 3rd party posture provider. */ score?: pulumi.Input; /** * Score Operator. * Available values: "<", "<=", ">", ">=", "==". */ scoreOperator?: pulumi.Input; /** * SensorConfig. */ sensorConfig?: pulumi.Input; /** * SHA-256. */ sha256?: pulumi.Input; /** * For more details on state, please refer to the Crowdstrike documentation. * Available values: "online", "offline", "unknown". */ state?: pulumi.Input; /** * List of certificate Subject Alternative Names. */ subjectAlternativeNames?: pulumi.Input[]>; /** * Signing certificate thumbprint. */ thumbprint?: pulumi.Input; /** * For more details on total score, refer to the Tanium documentation. */ totalScore?: pulumi.Input; /** * Number of days that the antivirus should be updated within. */ updateWindowDays?: pulumi.Input; /** * Version of OS. */ version?: pulumi.Input; /** * Version Operator. * Available values: "<", "<=", ">", ">=", "==". */ versionOperator?: pulumi.Input; } export interface ZeroTrustDevicePostureRuleInputLocations { /** * List of paths to check for client certificate on linux. */ paths?: pulumi.Input[]>; /** * List of trust stores to check for client certificate. */ trustStores?: pulumi.Input[]>; } export interface ZeroTrustDevicePostureRuleMatch { /** * Available values: "windows", "mac", "linux", "android", "ios", "chromeos". */ platform?: pulumi.Input; } export interface ZeroTrustDexRuleTargetedTest { /** * The configuration object which contains the details for the WARP client to conduct the test. 
*/ data?: pulumi.Input; enabled?: pulumi.Input; name?: pulumi.Input; testId?: pulumi.Input; } export interface ZeroTrustDexRuleTargetedTestData { /** * The desired endpoint to test. */ host?: pulumi.Input; /** * The type of test. * Available values: "http", "traceroute". */ kind?: pulumi.Input; /** * The HTTP request method type. * Available values: "GET". */ method?: pulumi.Input; } export interface ZeroTrustDexTestData { /** * The desired endpoint to test. */ host?: pulumi.Input; /** * The type of test. */ kind?: pulumi.Input; /** * The HTTP request method type. */ method?: pulumi.Input; } export interface ZeroTrustDexTestTargetPolicy { /** * Whether the DEX rule is the account default */ default?: pulumi.Input; /** * The id of the DEX rule */ id: pulumi.Input; /** * The name of the DEX rule */ name?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryProfile { id?: pulumi.Input; name?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". */ type?: pulumi.Input; } export interface ZeroTrustDlpCustomProfileContextAwareness { /** * If true, scan the context of predefined entries to only return matches surrounded by keywords. */ enabled?: pulumi.Input; /** * Content types to exclude from context analysis and return all matches. 
*/ skip?: pulumi.Input; } export interface ZeroTrustDlpCustomProfileContextAwarenessSkip { /** * If the content type is a file, skip context analysis and return all matches. */ files?: pulumi.Input; } export interface ZeroTrustDlpCustomProfileEntry { description?: pulumi.Input; enabled: pulumi.Input; entryId?: pulumi.Input; name: pulumi.Input; pattern: pulumi.Input; } export interface ZeroTrustDlpCustomProfileEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpCustomProfileSharedEntry { enabled: pulumi.Input; entryId: pulumi.Input; /** * Available values: "custom", "predefined", "integration", "exact*data", "document*fingerprint". */ entryType: pulumi.Input; } export interface ZeroTrustDlpDatasetColumn { entryId?: pulumi.Input; headerName?: pulumi.Input; numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ uploadStatus?: pulumi.Input; } export interface ZeroTrustDlpDatasetDataset { caseSensitive?: pulumi.Input; columns?: pulumi.Input[]>; createdAt?: pulumi.Input; /** * The description of the dataset. */ description?: pulumi.Input; encodingVersion?: pulumi.Input; id?: pulumi.Input; name?: pulumi.Input; numCells?: pulumi.Input; secret?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ status?: pulumi.Input; /** * Stores when the dataset was last updated. */ updatedAt?: pulumi.Input; uploads?: pulumi.Input[]>; } export interface ZeroTrustDlpDatasetDatasetColumn { entryId?: pulumi.Input; headerName?: pulumi.Input; numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". 
*/ uploadStatus?: pulumi.Input; } export interface ZeroTrustDlpDatasetDatasetUpload { numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ status?: pulumi.Input; version?: pulumi.Input; } export interface ZeroTrustDlpDatasetUpload { numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ status?: pulumi.Input; version?: pulumi.Input; } export interface ZeroTrustDlpEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpEntryProfile { id?: pulumi.Input; name?: pulumi.Input; } export interface ZeroTrustDlpEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". */ type?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryPattern { regex?: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryProfile { id?: pulumi.Input; name?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". 
*/
    type?: pulumi.Input;
}

/**
 * Validation capabilities reported for a predefined DLP entry.
 */
export interface ZeroTrustDlpPredefinedEntryConfidence {
    /**
     * Indicates whether this entry has AI remote service validation.
     */
    aiContextAvailable?: pulumi.Input;
    /**
     * Indicates whether this entry has any form of validation that is not an AI remote service.
     */
    available?: pulumi.Input;
}

export interface ZeroTrustDlpPredefinedEntryPattern {
    // Undocumented upstream; by its name, the regular expression of the pattern — confirm.
    regex?: pulumi.Input;
    /**
     * Available values: "luhn".
     *
     * @deprecated This attribute is deprecated.
     */
    validation?: pulumi.Input;
}

export interface ZeroTrustDlpPredefinedEntryProfile {
    id?: pulumi.Input;
    name?: pulumi.Input;
}

export interface ZeroTrustDlpPredefinedEntryVariant {
    description?: pulumi.Input;
    /**
     * Available values: "Intent", "Content".
     */
    topicType?: pulumi.Input;
    /**
     * Available values: "PromptTopic".
     */
    type?: pulumi.Input;
}

export interface ZeroTrustDlpPredefinedProfileEntry {
    enabled: pulumi.Input;
    id: pulumi.Input;
}

/**
 * Per-protocol endpoint settings of a DNS location; all four members are required.
 */
export interface ZeroTrustDnsLocationEndpoints {
    doh: pulumi.Input;
    dot: pulumi.Input;
    ipv4: pulumi.Input;
    ipv6: pulumi.Input;
}

export interface ZeroTrustDnsLocationEndpointsDoh {
    /**
     * Indicate whether the DOH endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
     *
     * An enabled endpoint with an empty list is therefore not restricted by source address; list the expected networks, or rely on `requireToken`, where queries should be limited to known clients.
     */
    networks?: pulumi.Input[]>;
    /**
     * Specify whether the DOH endpoint requires user identity authentication.
     */
    requireToken?: pulumi.Input;
}

export interface ZeroTrustDnsLocationEndpointsDohNetwork {
    /**
     * Specify the IP address or IP CIDR.
     */
    network: pulumi.Input;
}

export interface ZeroTrustDnsLocationEndpointsDot {
    /**
     * Indicate whether the DOT endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
     *
     * An enabled endpoint with an empty list is therefore not restricted by source address; this interface has no `requireToken` member, so the list is the only restriction visible here.
     */
    networks?: pulumi.Input[]>;
}

export interface ZeroTrustDnsLocationEndpointsDotNetwork {
    /**
     * Specify the IP address or IP CIDR.
     */
    network: pulumi.Input;
}

export interface ZeroTrustDnsLocationEndpointsIpv4 {
    /**
     * Indicate whether the IPv4 endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
}

export interface ZeroTrustDnsLocationEndpointsIpv6 {
    /**
     * Indicate whether the IPv6 endpoint is enabled for this location.
     */
    enabled?: pulumi.Input;
    /**
     * Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
     *
     * An enabled endpoint with an empty list is therefore not restricted by source address.
     */
    networks?: pulumi.Input[]>;
}

export interface ZeroTrustDnsLocationEndpointsIpv6Network {
    /**
     * Specify the IPv6 address or IPv6 CIDR.
     */
    network: pulumi.Input;
}

export interface ZeroTrustDnsLocationNetwork {
    /**
     * Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
     */
    network: pulumi.Input;
}

/**
 * Gateway logging settings, split by rule type (DNS, HTTP/HTTPS, network).
 */
export interface ZeroTrustGatewayLoggingSettingsByRuleType {
    /**
     * Configure logging settings for DNS firewall.
     */
    dns?: pulumi.Input;
    /**
     * Configure logging settings for HTTP/HTTPS firewall.
     */
    http?: pulumi.Input;
    /**
     * Configure logging settings for Network firewall.
     */
    l4?: pulumi.Input;
}

export interface ZeroTrustGatewayLoggingSettingsByRuleTypeDns {
    /**
     * Specify whether to log all requests to this service.
     */
    logAll?: pulumi.Input;
    /**
     * Specify whether to log only blocking requests to this service.
     */
    logBlocks?: pulumi.Input;
}

export interface ZeroTrustGatewayLoggingSettingsByRuleTypeHttp {
    /**
     * Specify whether to log all requests to this service.
     */
    logAll?: pulumi.Input;
    /**
     * Specify whether to log only blocking requests to this service.
     */
    logBlocks?: pulumi.Input;
}

export interface ZeroTrustGatewayLoggingSettingsByRuleTypeL4 {
    /**
     * Specify whether to log all requests to this service.
*/
    logAll?: pulumi.Input;
    /**
     * Specify whether to log only blocking requests to this service.
     */
    logBlocks?: pulumi.Input;
}

/**
 * Expiration settings of a Gateway policy.
 */
export interface ZeroTrustGatewayPolicyExpiration {
    /**
     * Defines the default duration, in minutes, for which a policy is active. Must be set in order to use the `resetExpiration` endpoint on this rule.
     */
    duration?: pulumi.Input;
    /**
     * Indicates whether the policy is expired.
     */
    expired?: pulumi.Input;
    /**
     * Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expiresAt time.
     */
    expiresAt: pulumi.Input;
}

/**
 * Per-rule settings of a Gateway policy. Every member is optional, and most are only settable for the
 * rule types and actions named in their own comment.
 */
export interface ZeroTrustGatewayPolicyRuleSettings {
    /**
     * Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
     */
    addHeaders?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>;
    /**
     * Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
     */
    allowChildBypass?: pulumi.Input;
    /**
     * Define the settings for the Audit SSH action. Settable only for `l4` rules with `auditSsh` action.
     */
    auditSsh?: pulumi.Input;
    /**
     * Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
     */
    bisoAdminControls?: pulumi.Input;
    /**
     * Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
     */
    blockPage?: pulumi.Input;
    /**
     * Enable the custom block page. Settable only for `dns` rules with action `block`.
     */
    blockPageEnabled?: pulumi.Input;
    /**
     * Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
     */
    blockReason?: pulumi.Input;
    /**
     * Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
     */
    bypassParentRule?: pulumi.Input;
    /**
     * Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
     */
    checkSession?: pulumi.Input;
    /**
     * Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolveDnsThroughCloudflare` or `resolveDnsInternally` settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dnsResolver` rules.
     */
    dnsResolvers?: pulumi.Input;
    /**
     * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
     */
    egress?: pulumi.Input;
    /**
     * Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
     *
     * NOTE(review): stored request copies can carry credentials or personal data; confirm where the copies are stored and who can read them before enabling.
     */
    forensicCopy?: pulumi.Input;
    /**
     * Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dnsResolver` rules.
     */
    ignoreCnameCategoryMatches?: pulumi.Input;
    /**
     * Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
     *
     * Leave this unset unless a specific rule needs it: without DNSSEC validation, forged or altered answers for the matching queries go undetected.
     */
    insecureDisableDnssecValidation?: pulumi.Input;
    /**
     * Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dnsResolver` rules.
     */
    ipCategories?: pulumi.Input;
    /**
     * Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dnsResolver` rules.
     */
    ipIndicatorFeeds?: pulumi.Input;
    /**
     * Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4Override`.
     */
    l4override?: pulumi.Input;
    /**
     * Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
     */
    notificationSettings?: pulumi.Input;
    /**
     * Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
     */
    overrideHost?: pulumi.Input;
    /**
     * Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
     */
    overrideIps?: pulumi.Input[]>;
    /**
     * Configure DLP payload logging. Settable only for `http` rules.
     *
     * NOTE(review): payload logs presumably contain the sensitive content that matched; confirm how they are protected before enabling.
     */
    payloadLog?: pulumi.Input;
    /**
     * Configure settings that apply to quarantine rules. Settable only for `http` rules.
     */
    quarantine?: pulumi.Input;
    /**
     * Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
     */
    redirect?: pulumi.Input;
    /**
     * Configure to forward the query to the internal DNS service, passing the specified `viewId` as input. Not used when `dnsResolvers` is specified or `resolveDnsThroughCloudflare` is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dnsResolver` rules.
     */
    resolveDnsInternally?: pulumi.Input;
    /**
     * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dnsResolvers` is specified or `resolveDnsInternally` is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dnsResolver` rules.
     */
    resolveDnsThroughCloudflare?: pulumi.Input;
    /**
     * Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
     *
     * The available actions are listed on `ZeroTrustGatewayPolicyRuleSettingsUntrustedCert.action`.
     */
    untrustedCert?: pulumi.Input;
}

export interface ZeroTrustGatewayPolicyRuleSettingsAuditSsh {
    /**
     * Enable SSH command logging.
     */
    commandLogging?: pulumi.Input;
}

/**
 * Browser isolation controls. `version` selects which fields apply: the short `dcp`/`dd`/`dk`/`dp`/`du`
 * flags for "v1", the named fields for "v2". The v1 flags are inverted — `false` enables the capability —
 * while the v2 fields take "enabled"/"disabled" (and, for some, "remote_only").
 */
export interface ZeroTrustGatewayPolicyRuleSettingsBisoAdminControls {
    /**
     * Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled", "remote_only".
     */
    copy?: pulumi.Input;
    /**
     * Set to false to enable copy-pasting. Only applies when `version == "v1"`.
     */
    dcp?: pulumi.Input;
    /**
     * Set to false to enable downloading. Only applies when `version == "v1"`.
     */
    dd?: pulumi.Input;
    /**
     * Set to false to enable keyboard usage. Only applies when `version == "v1"`.
     */
    dk?: pulumi.Input;
    /**
     * Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
     * Available values: "enabled", "disabled", "remote_only".
     */
    download?: pulumi.Input;
    /**
     * Set to false to enable printing. Only applies when `version == "v1"`.
     */
    dp?: pulumi.Input;
    /**
     * Set to false to enable uploading. Only applies when `version == "v1"`.
     */
    du?: pulumi.Input;
    /**
     * Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled".
     */
    keyboard?: pulumi.Input;
    /**
     * Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled", "remote_only".
     */
    paste?: pulumi.Input;
    /**
     * Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
     * Available values: "enabled", "disabled".
     */
    printing?: pulumi.Input;
    /**
     * Configure upload behavior.
If this field is absent, uploading remains enabled. Applies only when version == "v2". * Available values: "enabled", "disabled". */ upload?: pulumi.Input; /** * Indicate which version of the browser isolation controls should apply. * Available values: "v1", "v2". */ version?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsBlockPage { /** * Specify whether to pass the context information as query parameters. */ includeContext?: pulumi.Input; /** * Specify the URI to which the user is redirected. */ targetUri: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsCheckSession { /** * Sets the required session freshness threshold. The API returns a normalized version of this value. */ duration?: pulumi.Input; /** * Enable session enforcement. */ enforce?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolvers { ipv4s?: pulumi.Input[]>; ipv6s?: pulumi.Input[]>; } export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv4 { /** * Specify the IPv4 address of the upstream resolver. */ ip: pulumi.Input; /** * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. */ port?: pulumi.Input; /** * Indicate whether to connect to this resolver over a private network. Must set when vnetId set. */ routeThroughPrivateNetwork?: pulumi.Input; /** * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. */ vnetId?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv6 { /** * Specify the IPv6 address of the upstream resolver. */ ip: pulumi.Input; /** * Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. */ port?: pulumi.Input; /** * Indicate whether to connect to this resolver over a private network. Must set when vnetId set. */ routeThroughPrivateNetwork?: pulumi.Input; /** * Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. 
*/ vnetId?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsEgress { /** * Specify the IPv4 address to use for egress. */ ipv4?: pulumi.Input; /** * Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. */ ipv4Fallback?: pulumi.Input; /** * Specify the IPv6 range to use for egress. */ ipv6?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsForensicCopy { /** * Enable sending the copy to storage. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsL4override { /** * Defines the IPv4 or IPv6 address. */ ip?: pulumi.Input; /** * Defines a port number to use for TCP/UDP overrides. */ port?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsNotificationSettings { /** * Enable notification. */ enabled?: pulumi.Input; /** * Indicates whether to pass the context information as query parameters. */ includeContext?: pulumi.Input; /** * Customize the message shown in the notification. */ msg?: pulumi.Input; /** * Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. */ supportUrl?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsPayloadLog { /** * Enable DLP payload logging for this rule. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsQuarantine { /** * Specify the types of files to sandbox. */ fileTypes?: pulumi.Input[]>; } export interface ZeroTrustGatewayPolicyRuleSettingsRedirect { /** * Specify whether to pass the context information as query parameters. */ includeContext?: pulumi.Input; /** * Specify whether to append the path and query parameters from the original request to target_uri. */ preservePathAndQuery?: pulumi.Input; /** * Specify the URI to which the user is redirected. 
*/
    targetUri: pulumi.Input;
}

/**
 * Settings for forwarding matching queries to the internal DNS service.
 */
export interface ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally {
    /**
     * Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
     * Available values: "none", "publicDns".
     *
     * NOTE(review): with the public DNS fallback, queries that fail internally are presumably retried against a public resolver, which would expose internal hostnames outside the private network — confirm before enabling.
     */
    fallback?: pulumi.Input;
    /**
     * Specify the internal DNS view identifier to pass to the internal DNS service.
     */
    viewId?: pulumi.Input;
}

/**
 * Action taken for an untrusted upstream certificate.
 */
export interface ZeroTrustGatewayPolicyRuleSettingsUntrustedCert {
    /**
     * Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
     * Available values: "passThrough", "block", "error".
     *
     * NOTE(review): `passThrough` presumably lets the connection proceed despite the untrusted certificate — confirm, and keep `block` or `error` unless a specific destination requires otherwise.
     */
    action?: pulumi.Input;
}

/**
 * Weekly schedule of a Gateway policy: one optional member per weekday. A weekday that is omitted
 * leaves the rule deactivated on that day.
 */
export interface ZeroTrustGatewayPolicySchedule {
    /**
     * Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    fri?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00 (capped at maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    mon?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
     */
    sat?: pulumi.Input;
    /**
     * Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays.
API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. */ sun?: pulumi.Input; /** * Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. */ thu?: pulumi.Input; /** * Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. */ timeZone?: pulumi.Input; /** * Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. */ tue?: pulumi.Input; /** * Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. */ wed?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettings { /** * Specify activity log settings. */ activityLog?: pulumi.Input; /** * Specify anti-virus settings. */ antivirus?: pulumi.Input; /** * Specify block page layout settings. */ blockPage?: pulumi.Input; /** * Specify the DLP inspection mode. */ bodyScanning?: pulumi.Input; /** * Specify Clientless Browser Isolation settings. */ browserIsolation?: pulumi.Input; /** * Specify certificate settings for Gateway TLS interception. 
If unset, the Cloudflare Root CA handles interception. */ certificate?: pulumi.Input; /** * Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead. * * @deprecated This attribute is deprecated. */ customCertificate?: pulumi.Input; /** * Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. */ extendedEmailMatching?: pulumi.Input; /** * Specify FIPS settings. */ fips?: pulumi.Input; /** * Enable host selection in egress policies. */ hostSelector?: pulumi.Input; /** * Define the proxy inspection mode. */ inspection?: pulumi.Input; /** * Specify whether to detect protocols from the initial bytes of client traffic. */ protocolDetection?: pulumi.Input; /** * Specify whether to enable the sandbox. */ sandbox?: pulumi.Input; /** * Specify whether to inspect encrypted HTTP traffic. */ tlsDecrypt?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsActivityLog { /** * Specify whether to log activity. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsAntivirus { /** * Specify whether to enable anti-virus scanning on downloads. */ enabledDownloadPhase?: pulumi.Input; /** * Specify whether to enable anti-virus scanning on uploads. */ enabledUploadPhase?: pulumi.Input; /** * Specify whether to block requests for unscannable files. */ failClosed?: pulumi.Input; /** * Configure the message the user's device shows during an antivirus scan. */ notificationSettings?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings { /** * Specify whether to enable notifications. 
*/ enabled?: pulumi.Input; /** * Specify whether to include context information as query parameters. */ includeContext?: pulumi.Input; /** * Specify the message to show in the notification. */ msg?: pulumi.Input; /** * Specify a URL that directs users to more information. If unset, the notification opens a block page. */ supportUrl?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsBlockPage { /** * Specify the block page background color in `#rrggbb` format when the mode is customized*block*page. */ backgroundColor?: pulumi.Input; /** * Specify whether to enable the custom block page. */ enabled?: pulumi.Input; /** * Specify the block page footer text when the mode is customized*block*page. */ footerText?: pulumi.Input; /** * Specify the block page header text when the mode is customized*block*page. */ headerText?: pulumi.Input; /** * Specify whether to append context to target*uri as query parameters. This applies only when the mode is redirect*uri. */ includeContext?: pulumi.Input; /** * Specify the full URL to the logo file when the mode is customized*block*page. */ logoPath?: pulumi.Input; /** * Specify the admin email for users to contact when the mode is customized*block*page. */ mailtoAddress?: pulumi.Input; /** * Specify the subject line for emails created from the block page when the mode is customized*block*page. */ mailtoSubject?: pulumi.Input; /** * Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI. * Available values: "", "customized*block*page", "redirectUri". */ mode?: pulumi.Input; /** * Specify the block page title when the mode is customized*block*page. */ name?: pulumi.Input; /** * Indicate that this setting was shared via the Orgs API and read only for the current account. */ readOnly?: pulumi.Input; /** * Indicate the account tag of the account that shared this setting. 
*/ sourceAccount?: pulumi.Input; /** * Specify whether to suppress detailed information at the bottom of the block page when the mode is customized*block*page. */ suppressFooter?: pulumi.Input; /** * Specify the URI to redirect users to when the mode is redirect_uri. */ targetUri?: pulumi.Input; /** * Indicate the version number of the setting. */ version?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsBodyScanning { /** * Specify the inspection mode as either `deep` or `shallow`. * Available values: "deep", "shallow". */ inspectionMode?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsBrowserIsolation { /** * Specify whether to enable non-identity onramp support for Browser Isolation. */ nonIdentityEnabled?: pulumi.Input; /** * Specify whether to enable Clientless Browser Isolation. */ urlBrowserIsolationEnabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsCertificate { /** * Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA. */ id: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsCustomCertificate { /** * Indicate the internal certificate status. */ bindingStatus?: pulumi.Input; /** * Specify whether to enable a custom certificate authority for signing Gateway traffic. */ enabled: pulumi.Input; /** * Specify the UUID of the certificate (ID from MTLS certificate store). */ id?: pulumi.Input; updatedAt?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsExtendedEmailMatching { /** * Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. */ enabled?: pulumi.Input; /** * Indicate that this setting was shared via the Orgs API and read only for the current account. */ readOnly?: pulumi.Input; /** * Indicate the account tag of the account that shared this setting. 
*/ sourceAccount?: pulumi.Input; /** * Indicate the version number of the setting. */ version?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsFips { /** * Enforce cipher suites and TLS versions compliant with FIPS 140-2. */ tls?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsHostSelector { /** * Specify whether to enable filtering via hosts for egress policies. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsInspection { /** * Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. * Available values: "static", "dynamic". */ mode?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsProtocolDetection { /** * Specify whether to detect protocols from the initial bytes of client traffic. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsSandbox { /** * Specify whether to enable the sandbox. */ enabled?: pulumi.Input; /** * Specify the action to take when the system cannot scan the file. * Available values: "allow", "block". */ fallbackAction?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsTlsDecrypt { /** * Specify whether to inspect encrypted HTTP traffic. */ enabled?: pulumi.Input; } export interface ZeroTrustListItem { /** * Provide the list item description (optional). */ description?: pulumi.Input; /** * Specify the item value. */ value?: pulumi.Input; } export interface ZeroTrustLocalFallbackDomainDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. 
*/ suffix: pulumi.Input; } export interface ZeroTrustOrganizationCustomPages { /** * The uid of the custom page to use when a user is denied access after failing a non-identity rule. */ forbidden?: pulumi.Input; /** * The uid of the custom page to use when a user is denied access. */ identityDenied?: pulumi.Input; } export interface ZeroTrustOrganizationLoginDesign { /** * The background color on your login page. */ backgroundColor?: pulumi.Input; /** * The text at the bottom of your login page. */ footerText?: pulumi.Input; /** * The text at the top of your login page. */ headerText?: pulumi.Input; /** * The URL of the logo on your login page. */ logoPath?: pulumi.Input; /** * The text color on your login page. */ textColor?: pulumi.Input; } export interface ZeroTrustOrganizationMfaConfig { /** * Lists the MFA methods that users can authenticate with. */ allowedAuthenticators?: pulumi.Input[]>; /** * Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. */ sessionDuration?: pulumi.Input; } export interface ZeroTrustRiskBehaviorBehaviors { enabled: pulumi.Input; /** * Available values: "low", "medium", "high". */ riskLevel: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfig { /** * List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. */ ingresses?: pulumi.Input[]>; /** * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. */ originRequest?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigIngress { /** * Public hostname for this service. */ hostname?: pulumi.Input; /** * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. */ originRequest?: pulumi.Input; /** * Requests with this path route to this public hostname. 
*/ path?: pulumi.Input; /** * Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http*status:[code] e.g. 'http*status:404'. */ service: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequest { /** * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. */ access?: pulumi.Input; /** * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. */ caPool?: pulumi.Input; /** * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. */ connectTimeout?: pulumi.Input; /** * Disables chunked transfer encoding. Useful if you are running a WSGI server. */ disableChunkedEncoding?: pulumi.Input; /** * Attempt to connect to origin using HTTP2. Origin must be configured as https. */ http2Origin?: pulumi.Input; /** * Sets the HTTP Host header on requests sent to the local service. */ httpHostHeader?: pulumi.Input; /** * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. */ keepAliveConnections?: pulumi.Input; /** * Timeout after which an idle keepalive connection can be discarded. */ keepAliveTimeout?: pulumi.Input; /** * Auto configure the Hostname on the origin server certificate. */ matchSnItoHost?: pulumi.Input; /** * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. */ noHappyEyeballs?: pulumi.Input; /** * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. 
*/ noTlsVerify?: pulumi.Input; /** * Hostname that cloudflared should expect from your origin server certificate. */ originServerName?: pulumi.Input; /** * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. */ proxyType?: pulumi.Input; /** * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. */ tcpKeepAlive?: pulumi.Input; /** * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. */ tlsTimeout?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequestAccess { /** * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. */ audTags: pulumi.Input[]>; /** * Deny traffic that has not fulfilled Access authorization. */ required?: pulumi.Input; teamName: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequest { /** * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. */ access?: pulumi.Input; /** * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. */ caPool?: pulumi.Input; /** * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. */ connectTimeout?: pulumi.Input; /** * Disables chunked transfer encoding. Useful if you are running a WSGI server. */ disableChunkedEncoding?: pulumi.Input; /** * Attempt to connect to origin using HTTP2. Origin must be configured as https. 
*/ http2Origin?: pulumi.Input; /** * Sets the HTTP Host header on requests sent to the local service. */ httpHostHeader?: pulumi.Input; /** * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. */ keepAliveConnections?: pulumi.Input; /** * Timeout after which an idle keepalive connection can be discarded. */ keepAliveTimeout?: pulumi.Input; /** * Auto configure the Hostname on the origin server certificate. */ matchSnItoHost?: pulumi.Input; /** * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. */ noHappyEyeballs?: pulumi.Input; /** * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. */ noTlsVerify?: pulumi.Input; /** * Hostname that cloudflared should expect from your origin server certificate. */ originServerName?: pulumi.Input; /** * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. */ proxyType?: pulumi.Input; /** * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. */ tcpKeepAlive?: pulumi.Input; /** * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. */ tlsTimeout?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess { /** * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. */ audTags: pulumi.Input[]>; /** * Deny traffic that has not fulfilled Access authorization. 
*/ required?: pulumi.Input; teamName: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConnection { /** * UUID of the Cloudflare Tunnel connector. */ clientId?: pulumi.Input; /** * The cloudflared version used to establish this connection. */ clientVersion?: pulumi.Input; /** * The Cloudflare data center used for this connection. */ coloName?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ id?: pulumi.Input; /** * Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. */ isPendingReconnect?: pulumi.Input; /** * Timestamp of when the connection was established. */ openedAt?: pulumi.Input; /** * The public IP address of the host running cloudflared. */ originIp?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ uuid?: pulumi.Input; } export interface ZeroTrustTunnelWarpConnectorConnection { /** * UUID of the Cloudflare Tunnel connector. */ clientId?: pulumi.Input; /** * The cloudflared version used to establish this connection. */ clientVersion?: pulumi.Input; /** * The Cloudflare data center used for this connection. */ coloName?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ id?: pulumi.Input; /** * Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. */ isPendingReconnect?: pulumi.Input; /** * Timestamp of when the connection was established. */ openedAt?: pulumi.Input; /** * The public IP address of the host running cloudflared. */ originIp?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. 
*/ uuid?: pulumi.Input; } export interface ZoneAccount { /** * Identifier */ id?: pulumi.Input; } export interface ZoneCacheVariantsValue { /** * List of strings with the MIME types of all the variants that should be served for avif. */ avifs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for bmp. */ bmps?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for gif. */ gifs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jp2. */ jp2s?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jpeg. */ jpegs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jpg2. */ jpg2s?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jpg. */ jpgs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for png. */ pngs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for tiff. */ tiffs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for tif. */ tifs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for webp. */ webps?: pulumi.Input[]>; } export interface ZoneDnsSettingsInternalDns { /** * The ID of the zone to fallback to. */ referenceZoneId?: pulumi.Input; } export interface ZoneDnsSettingsNameservers { /** * Configured nameserver set to be used for this zone */ nsSet?: pulumi.Input; /** * Nameserver type * Available values: "cloudflare.standard", "custom.account", "custom.tenant", "custom.zone". 
*/ type?: pulumi.Input; } export interface ZoneDnsSettingsSoa { /** * Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone. */ expire?: pulumi.Input; /** * The time to live (TTL) for negative caching of records within the zone. */ minTtl?: pulumi.Input; /** * The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used. */ mname?: pulumi.Input; /** * Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated. */ refresh?: pulumi.Input; /** * Time in seconds after which secondary servers should retry queries after the primary server was unresponsive. */ retry?: pulumi.Input; /** * The email address of the zone administrator, with the first label representing the local part of the email address. */ rname?: pulumi.Input; /** * The time to live (TTL) of the SOA record itself. */ ttl?: pulumi.Input; } export interface ZoneLockdownConfiguration { /** * The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule. * Available values: "ip", "ipRange". */ target?: pulumi.Input; /** * The IP address to match. This address will be compared to the IP address of incoming requests. */ value?: pulumi.Input; } export interface ZoneMeta { /** * The zone is only configured for CDN. */ cdnOnly?: pulumi.Input; /** * Number of Custom Certificates the zone can have. */ customCertificateQuota?: pulumi.Input; /** * The zone is only configured for DNS. */ dnsOnly?: pulumi.Input; /** * The zone is setup with Foundation DNS. */ foundationDns?: pulumi.Input; /** * Number of Page Rules a zone can have. */ pageRuleQuota?: pulumi.Input; /** * The zone has been flagged for phishing. */ phishingDetected?: pulumi.Input; step?: pulumi.Input; } export interface ZoneOwner { /** * Identifier */ id?: pulumi.Input; /** * Name of the owner. 
*/ name?: pulumi.Input; /** * The type of owner. */ type?: pulumi.Input; } export interface ZonePlan { /** * States if the subscription can be activated. */ canSubscribe?: pulumi.Input; /** * The denomination of the customer. */ currency?: pulumi.Input; /** * If this Zone is managed by another company. */ externallyManaged?: pulumi.Input; /** * How often the customer is billed. */ frequency?: pulumi.Input; /** * Identifier */ id?: pulumi.Input; /** * States if the subscription active. */ isSubscribed?: pulumi.Input; /** * If the legacy discount applies to this Zone. */ legacyDiscount?: pulumi.Input; /** * The legacy name of the plan. */ legacyId?: pulumi.Input; /** * Name of the owner. */ name?: pulumi.Input; /** * How much the customer is paying. */ price?: pulumi.Input; } export interface ZoneSubscriptionRatePlan { /** * The currency applied to the rate plan subscription. */ currency?: pulumi.Input; /** * Whether this rate plan is managed externally from Cloudflare. */ externallyManaged?: pulumi.Input; /** * The ID of the rate plan. * Available values: "free", "lite", "pro", "pro*plus", "business", "enterprise", "partners*free", "partners*pro", "partners*business", "partners*enterprise", "partners*ent". */ id?: pulumi.Input; /** * Whether a rate plan is enterprise-based (or newly adopted term contract). */ isContract?: pulumi.Input; /** * The full name of the rate plan. */ publicName?: pulumi.Input; /** * The scope that this rate plan applies to. */ scope?: pulumi.Input; /** * The list of sets this rate plan applies to. Returns array of strings. */ sets?: pulumi.Input[]>; } export interface ZoneTenant { /** * Identifier */ id?: pulumi.Input; /** * The name of the Tenant account. */ name?: pulumi.Input; } export interface ZoneTenantUnit { /** * Identifier */ id?: pulumi.Input; }