import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; export interface AccessApplicationCorsHeaders { /** * Allows all HTTP request headers. */ allowAllHeaders?: pulumi.Input; /** * Allows all HTTP request methods. */ allowAllMethods?: pulumi.Input; /** * Allows all origins. */ allowAllOrigins?: pulumi.Input; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. */ allowCredentials?: pulumi.Input; /** * Allowed HTTP request headers. */ allowedHeaders?: pulumi.Input[]>; /** * Allowed HTTP request methods. */ allowedMethods?: pulumi.Input[]>; /** * Allowed origins. */ allowedOrigins?: pulumi.Input[]>; /** * The maximum number of seconds the results of a preflight request can be cached. */ maxAge?: pulumi.Input; } export interface AccessApplicationDestination { /** * The CIDR range of the destination. Single IPs will be computed as /32. */ cidr?: pulumi.Input; /** * The hostname of the destination. Matches a valid SNI served by an HTTPS origin. */ hostname?: pulumi.Input; /** * The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. * Available values: "tcp", "udp". */ l4Protocol?: pulumi.Input; /** * The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. */ portRange?: pulumi.Input; /** * Available values: "public", "private". */ type?: pulumi.Input; /** * The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). */ uri?: pulumi.Input; /** * The VNET ID to match the destination. When omitted, all VNETs will match. */ vnetId?: pulumi.Input; } export interface AccessApplicationFooterLink { /** * The hypertext in the footer link. */ name: pulumi.Input; /** * the hyperlink in the footer link. */ url: pulumi.Input; } export interface AccessApplicationLandingPageDesign { /** * The background color of the log in button on the landing page. */ buttonColor?: pulumi.Input; /** * The color of the text in the log in button on the landing page. */ buttonTextColor?: pulumi.Input; /** * The URL of the image shown on the landing page. */ imageUrl?: pulumi.Input; /** * The message shown on the landing page. */ message?: pulumi.Input; /** * The title shown on the landing page. */ title?: pulumi.Input; } export interface AccessApplicationPolicy { /** * The rules that define how users may connect to the targets secured by your application. */ connectionRules?: pulumi.Input; /** * The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. * Available values: "allow", "deny", "nonIdentity", "bypass". */ decision?: pulumi.Input; /** * Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. */ excludes?: pulumi.Input[]>; /** * The UUID of the policy */ id?: pulumi.Input; /** * Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. */ includes?: pulumi.Input[]>; /** * The name of the Access policy. */ name?: pulumi.Input; /** * The order of execution for this policy. Must be unique for each policy within an app. */ precedence?: pulumi.Input; /** * Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. */ requires?: pulumi.Input[]>; } export interface AccessApplicationPolicyConnectionRules { /** * The SSH-specific rules that define how users may connect to the targets secured by your application. */ ssh?: pulumi.Input; } export interface AccessApplicationPolicyConnectionRulesSsh { /** * Enables using Identity Provider email alias as SSH username. */ allowEmailAlias?: pulumi.Input; /** * Contains the Unix usernames that may be used when connecting over SSH. */ usernames: pulumi.Input[]>; } export interface AccessApplicationPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessApplicationPolicyExcludeAnyValidServiceToken { } export interface AccessApplicationPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessApplicationPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeCertificate { } export interface AccessApplicationPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessApplicationPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessApplicationPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessApplicationPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessApplicationPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeEveryone { } export interface AccessApplicationPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessApplicationPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessApplicationPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessApplicationPolicyExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessApplicationPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessApplicationPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessApplicationPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessApplicationPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessApplicationPolicyInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessApplicationPolicyIncludeAnyValidServiceToken { } export interface AccessApplicationPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessApplicationPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeCertificate { } export interface AccessApplicationPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessApplicationPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessApplicationPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessApplicationPolicyIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessApplicationPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeEveryone { } export interface AccessApplicationPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessApplicationPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessApplicationPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessApplicationPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessApplicationPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessApplicationPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessApplicationPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessApplicationPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessApplicationPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessApplicationPolicyRequireAnyValidServiceToken { } export interface AccessApplicationPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessApplicationPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireCertificate { } export interface AccessApplicationPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessApplicationPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessApplicationPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessApplicationPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessApplicationPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireEveryone { } export interface AccessApplicationPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessApplicationPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessApplicationPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessApplicationPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessApplicationPolicyRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessApplicationPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessApplicationPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessApplicationPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessApplicationPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessApplicationSaasApp { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. */ accessTokenLifetime?: pulumi.Input; /** * If client secret should be required on the token endpoint when authorization*code*with_pkce grant is used. */ allowPkceWithoutClientSecret?: pulumi.Input; /** * The URL where this applications tile redirects users */ appLauncherUrl?: pulumi.Input; /** * Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" * Available values: "saml", "oidc". */ authType?: pulumi.Input; /** * The application client id */ clientId?: pulumi.Input; /** * The application client secret, only returned on POST request. */ clientSecret?: pulumi.Input; /** * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. */ consumerServiceUrl?: pulumi.Input; createdAt?: pulumi.Input; customAttributes?: pulumi.Input[]>; customClaims?: pulumi.Input[]>; /** * The URL that the user will be redirected to after a successful login for IDP initiated logins. */ defaultRelayState?: pulumi.Input; /** * The OIDC flows supported by this application */ grantTypes?: pulumi.Input[]>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ groupFilterRegex?: pulumi.Input; hybridAndImplicitOptions?: pulumi.Input; /** * The unique identifier for your SaaS application. */ idpEntityId?: pulumi.Input; /** * The format of the name identifier sent to the SaaS application. * Available values: "id", "email". */ nameIdFormat?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `nameIdFormat` setting. */ nameIdTransformJsonata?: pulumi.Input; /** * The Access public certificate that will be used to verify your identity. */ publicKey?: pulumi.Input; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens */ redirectUris?: pulumi.Input[]>; refreshTokenOptions?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml*attributes or oidc*fields of the identity provider used to authenticate. The output of this expression must be a JSON object. */ samlAttributeTransformJsonata?: pulumi.Input; /** * Define the user information shared with access, "offlineAccess" scope will be automatically enabled if refresh tokens are enabled */ scopes?: pulumi.Input[]>; /** * A globally unique name for an identity or service provider. */ spEntityId?: pulumi.Input; /** * The endpoint where your SaaS application will send login requests. */ ssoEndpoint?: pulumi.Input; updatedAt?: pulumi.Input; } export interface AccessApplicationSaasAppCustomAttribute { /** * The SAML FriendlyName of the attribute. */ friendlyName?: pulumi.Input; /** * The name of the attribute. */ name?: pulumi.Input; /** * A globally unique name for an identity or service provider. * Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri". */ nameFormat?: pulumi.Input; /** * If the attribute is required when building a SAML assertion. */ required?: pulumi.Input; source?: pulumi.Input; } export interface AccessApplicationSaasAppCustomAttributeSource { /** * The name of the IdP attribute. */ name?: pulumi.Input; /** * A mapping from IdP ID to attribute name. */ nameByIdps?: pulumi.Input[]>; } export interface AccessApplicationSaasAppCustomAttributeSourceNameByIdp { /** * The UID of the IdP. */ idpId?: pulumi.Input; /** * The name of the IdP provided attribute. */ sourceName?: pulumi.Input; } export interface AccessApplicationSaasAppCustomClaim { /** * The name of the claim. */ name?: pulumi.Input; /** * If the claim is required when building an OIDC token. */ required?: pulumi.Input; /** * The scope of the claim. * Available values: "groups", "profile", "email", "openid". */ scope?: pulumi.Input; source?: pulumi.Input; } export interface AccessApplicationSaasAppCustomClaimSource { /** * The name of the IdP claim. */ name?: pulumi.Input; /** * A mapping from IdP ID to claim name. */ nameByIdp?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface AccessApplicationSaasAppHybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint */ returnAccessTokenFromAuthorizationEndpoint?: pulumi.Input; /** * If an ID Token should be returned from the OIDC Authorization endpoint */ returnIdTokenFromAuthorizationEndpoint?: pulumi.Input; } export interface AccessApplicationSaasAppRefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. */ lifetime?: pulumi.Input; } export interface AccessApplicationScimConfig { /** * Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. */ authentication?: pulumi.Input; /** * If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. */ deactivateOnDelete?: pulumi.Input; /** * Whether SCIM provisioning is turned on for this application. */ enabled?: pulumi.Input; /** * The UID of the IdP to use as the source for SCIM resources to provision to this application. */ idpUid: pulumi.Input; /** * A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. */ mappings?: pulumi.Input[]>; /** * The base URI for the application's SCIM-compatible API. */ remoteUri: pulumi.Input; } export interface AccessApplicationScimConfigAuthentication { /** * URL used to generate the auth code used during token generation. */ authorizationUrl?: pulumi.Input; /** * Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. */ clientId?: pulumi.Input; /** * Secret used to authenticate when generating a token for authenticating with the remove SCIM service. */ clientSecret?: pulumi.Input; /** * Password used to authenticate with the remote SCIM service. */ password?: pulumi.Input; /** * The authentication scheme to use when making SCIM requests to this application. * Available values: "httpbasic", "oauthbearertoken", "oauth2", "access*service*token". */ scheme: pulumi.Input; /** * The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. */ scopes?: pulumi.Input[]>; /** * Token used to authenticate with the remote SCIM service. */ token?: pulumi.Input; /** * URL used to generate the token used to authenticate with the remote SCIM service. */ tokenUrl?: pulumi.Input; /** * User name used to authenticate with the remote SCIM service. */ user?: pulumi.Input; } export interface AccessApplicationScimConfigMapping { /** * Whether or not this mapping is enabled. */ enabled?: pulumi.Input; /** * A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. */ filter?: pulumi.Input; /** * Whether or not this mapping applies to creates, updates, or deletes. */ operations?: pulumi.Input; /** * Which SCIM resource type this mapping applies to. */ schema: pulumi.Input; /** * The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. * Available values: "strict", "passthrough". */ strictness?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. */ transformJsonata?: pulumi.Input; } export interface AccessApplicationScimConfigMappingOperations { /** * Whether or not this mapping applies to create (POST) operations. */ create?: pulumi.Input; /** * Whether or not this mapping applies to DELETE operations. */ delete?: pulumi.Input; /** * Whether or not this mapping applies to update (PATCH/PUT) operations. */ update?: pulumi.Input; } export interface AccessApplicationTargetCriteria { /** * The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. */ port: pulumi.Input; /** * The communication protocol your application secures. * Available values: "SSH", "RDP". */ protocol: pulumi.Input; /** * Contains a map of target attribute keys to target attribute values. */ targetAttributes: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; } export interface AccessGroupExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessGroupExcludeAnyValidServiceToken { } export interface AccessGroupExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessGroupExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeCertificate { } export interface AccessGroupExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessGroupExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessGroupExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessGroupExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessGroupExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessGroupExcludeEveryone { } export interface AccessGroupExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessGroupExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessGroupExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessGroupExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessGroupExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessGroupExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessGroupExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessGroupExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessGroupExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessGroupExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessGroupInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessGroupIncludeAnyValidServiceToken { } export interface AccessGroupIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessGroupIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeCertificate { } export interface AccessGroupIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessGroupIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessGroupIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessGroupIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessGroupIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessGroupIncludeEveryone { } export interface AccessGroupIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessGroupIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessGroupIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessGroupIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessGroupIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessGroupIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessGroupIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessGroupIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessGroupIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessGroupIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessGroupRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessGroupRequireAnyValidServiceToken { } export interface AccessGroupRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessGroupRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireCertificate { } export interface AccessGroupRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessGroupRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessGroupRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessGroupRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessGroupRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessGroupRequireEveryone { } export interface AccessGroupRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessGroupRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessGroupRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessGroupRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessGroupRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessGroupRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessGroupRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessGroupRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessGroupRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessGroupRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessGroupRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessIdentityProviderConfig { /** * Your companies TLD */ appsDomain?: pulumi.Input; /** * A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. */ attributes?: pulumi.Input[]>; /** * The authorizationEndpoint URL of your IdP */ authUrl?: pulumi.Input; /** * Your okta authorization server id */ authorizationServerId?: pulumi.Input; /** * Your centrify account url */ centrifyAccount?: pulumi.Input; /** * Your centrify app id */ centrifyAppId?: pulumi.Input; /** * The jwksUri endpoint of your IdP to allow the IdP keys to sign the tokens */ certsUrl?: pulumi.Input; /** * Custom claims */ claims?: pulumi.Input[]>; /** * Your OAuth Client ID */ clientId?: pulumi.Input; /** * Your OAuth Client Secret */ clientSecret?: pulumi.Input; /** * Should Cloudflare try to load authentication contexts from your account */ conditionalAccessEnabled?: pulumi.Input; /** * Your Azure directory uuid */ directoryId?: pulumi.Input; /** * The attribute name for email in the SAML response. */ emailAttributeName?: pulumi.Input; /** * The claim name for email in the idToken response. */ emailClaimName?: pulumi.Input; /** * Add a list of attribute names that will be returned in the response header from the Access callback. */ headerAttributes?: pulumi.Input[]>; /** * X509 certificate to verify the signature in the SAML authentication response */ idpPublicCerts?: pulumi.Input[]>; /** * IdP Entity ID or Issuer URL */ issuerUrl?: pulumi.Input; /** * Your okta account url */ oktaAccount?: pulumi.Input; /** * Your OneLogin account url */ oneloginAccount?: pulumi.Input; /** * Your PingOne environment identifier */ pingEnvId?: pulumi.Input; /** * Enable Proof Key for Code Exchange (PKCE) */ pkceEnabled?: pulumi.Input; /** * Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction*required error. prompt=select*account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. * Available values: "login", "selectAccount", "none". */ prompt?: pulumi.Input; redirectUrl?: pulumi.Input; /** * OAuth scopes */ scopes?: pulumi.Input[]>; /** * Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. */ signRequest?: pulumi.Input; /** * URL to send the SAML authentication requests to */ ssoTargetUrl?: pulumi.Input; /** * Should Cloudflare try to load groups from your account */ supportGroups?: pulumi.Input; /** * The tokenEndpoint URL of your IdP */ tokenUrl?: pulumi.Input; } export interface AccessIdentityProviderConfigHeaderAttribute { /** * attribute name from the IDP */ attributeName?: pulumi.Input; /** * header that will be added on the request to the origin */ headerName?: pulumi.Input; } export interface AccessIdentityProviderScimConfig { /** * A flag to enable or disable SCIM for the identity provider. */ enabled?: pulumi.Input; /** * Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no*action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. * Available values: "automatic", "reauth", "no*action". */ identityUpdateBehavior?: pulumi.Input; /** * The base URL of Cloudflare's SCIM V2.0 API endpoint. */ scimBaseUrl?: pulumi.Input; /** * A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless userDeprovision is also enabled. */ seatDeprovision?: pulumi.Input; /** * A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity*providers/:idpID/refresh*scim_secret. */ secret?: pulumi.Input; /** * A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. */ userDeprovision?: pulumi.Input; } export interface AccessMutualTlsHostnameSettingsSetting { /** * Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. */ chinaNetwork: pulumi.Input; /** * Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. */ clientCertificateForwarding: pulumi.Input; /** * The hostname that these settings apply to. */ hostname: pulumi.Input; } export interface AccessOrganizationCustomPages { /** * The uid of the custom page to use when a user is denied access after failing a non-identity rule. */ forbidden?: pulumi.Input; /** * The uid of the custom page to use when a user is denied access. */ identityDenied?: pulumi.Input; } export interface AccessOrganizationLoginDesign { /** * The background color on your login page. */ backgroundColor?: pulumi.Input; /** * The text at the bottom of your login page. */ footerText?: pulumi.Input; /** * The text at the top of your login page. */ headerText?: pulumi.Input; /** * The URL of the logo on your login page. */ logoPath?: pulumi.Input; /** * The text color on your login page. */ textColor?: pulumi.Input; } export interface AccessPolicyApprovalGroup { /** * The number of approvals needed to obtain access. */ approvalsNeeded: pulumi.Input; /** * A list of emails that can approve the access request. */ emailAddresses?: pulumi.Input[]>; /** * The UUID of an re-usable email list. */ emailListUuid?: pulumi.Input; } export interface AccessPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessPolicyExcludeAnyValidServiceToken { } export interface AccessPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeCertificate { } export interface AccessPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessPolicyExcludeEveryone { } export interface AccessPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessPolicyExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessPolicyInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessPolicyIncludeAnyValidServiceToken { } export interface AccessPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeCertificate { } export interface AccessPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessPolicyIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessPolicyIncludeEveryone { } export interface AccessPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface AccessPolicyRequireAnyValidServiceToken { } export interface AccessPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface AccessPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireCertificate { } export interface AccessPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface AccessPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface AccessPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface AccessPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface AccessPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface AccessPolicyRequireEveryone { } export interface AccessPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface AccessPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface AccessPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface AccessPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface AccessPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface AccessPolicyRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface AccessPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface AccessPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface AccessPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface AccessPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface AccessPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface AccessRuleConfiguration { /** * The configuration target. You must set the target to `ip` when specifying an IP address in the rule. * Available values: "ip", "ip6", "ipRange", "asn", "country". */ target?: pulumi.Input; /** * The IP address to match. This address will be compared to the IP address of incoming requests. */ value?: pulumi.Input; } export interface AccessRuleScope { /** * The contact email address of the user. */ email?: pulumi.Input; /** * Defines an identifier. */ id?: pulumi.Input; /** * Defines the scope of the rule. * Available values: "user", "organization". */ type?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaults { /** * Whether to flatten all CNAME records in the zone. Note that, due to DNS limitations, a CNAME record at the zone apex will always be flattened. */ flattenAllCnames?: pulumi.Input; /** * Whether to enable Foundation DNS Advanced Nameservers on the zone. */ foundationDns?: pulumi.Input; /** * Settings for this internal zone. */ internalDns?: pulumi.Input; /** * Whether to enable multi-provider DNS, which causes Cloudflare to activate the zone even when non-Cloudflare NS records exist, and to respect NS records at the zone apex during outbound zone transfers. */ multiProvider?: pulumi.Input; /** * Settings determining the nameservers through which the zone should be available. */ nameservers?: pulumi.Input; /** * The time to live (TTL) of the zone's nameserver (NS) records. */ nsTtl?: pulumi.Input; /** * Allows a Secondary DNS zone to use (proxied) override records and CNAME flattening at the zone apex. */ secondaryOverrides?: pulumi.Input; /** * Components of the zone's SOA record. */ soa?: pulumi.Input; /** * Whether the zone mode is a regular or CDN/DNS only zone. * Available values: "standard", "cdn*only", "dns*only". */ zoneMode?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaultsInternalDns { /** * The ID of the zone to fallback to. */ referenceZoneId?: pulumi.Input; } export interface AccountDnsSettingsZoneDefaultsNameservers { /** * Nameserver type * Available values: "cloudflare.standard", "cloudflare.standard.random", "custom.account", "custom.tenant". */ type: pulumi.Input; } export interface AccountDnsSettingsZoneDefaultsSoa { /** * Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone. */ expire: pulumi.Input; /** * The time to live (TTL) for negative caching of records within the zone. */ minTtl: pulumi.Input; /** * The primary nameserver, which may be used for outbound zone transfers. */ mname: pulumi.Input; /** * Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated. */ refresh: pulumi.Input; /** * Time in seconds after which secondary servers should retry queries after the primary server was unresponsive. */ retry: pulumi.Input; /** * The email address of the zone administrator, with the first label representing the local part of the email address. */ rname: pulumi.Input; /** * The time to live (TTL) of the SOA record itself. */ ttl: pulumi.Input; } export interface AccountMemberPolicy { /** * Allow or deny operations against the resources. * Available values: "allow", "deny". */ access: pulumi.Input; /** * Policy identifier. */ id?: pulumi.Input; /** * A set of permission groups that are specified to the policy. */ permissionGroups: pulumi.Input[]>; /** * A list of resource groups that the policy applies to. */ resourceGroups: pulumi.Input[]>; } export interface AccountMemberPolicyPermissionGroup { /** * Identifier of the group. */ id: pulumi.Input; } export interface AccountMemberPolicyResourceGroup { /** * Identifier of the group. */ id: pulumi.Input; } export interface AccountMemberUser { /** * The contact email address of the user. */ email?: pulumi.Input; /** * User's first name */ firstName?: pulumi.Input; /** * Identifier */ id?: pulumi.Input; /** * User's last name */ lastName?: pulumi.Input; /** * Indicates whether two-factor authentication is enabled for the user account. Does not apply to API authentication. */ twoFactorAuthenticationEnabled?: pulumi.Input; } export interface AccountSettings { /** * Sets an abuse contact email to notify for abuse reports. */ abuseContactEmail?: pulumi.Input; /** * Indicates whether membership in this account requires that * Two-Factor Authentication is enabled */ enforceTwofactor?: pulumi.Input; } export interface AccountSubscriptionRatePlan { /** * The currency applied to the rate plan subscription. */ currency?: pulumi.Input; /** * Whether this rate plan is managed externally from Cloudflare. */ externallyManaged?: pulumi.Input; /** * The ID of the rate plan. * Available values: "free", "lite", "pro", "pro*plus", "business", "enterprise", "partners*free", "partners*pro", "partners*business", "partnersEnterprise". */ id?: pulumi.Input; /** * Whether a rate plan is enterprise-based (or newly adopted term contract). */ isContract?: pulumi.Input; /** * The full name of the rate plan. */ publicName?: pulumi.Input; /** * The scope that this rate plan applies to. */ scope?: pulumi.Input; /** * The list of sets this rate plan applies to. */ sets?: pulumi.Input[]>; } export interface AccountTokenCondition { /** * Client IP restrictions. */ requestIp?: pulumi.Input; } export interface AccountTokenConditionRequestIp { /** * List of IPv4/IPv6 CIDR addresses. */ ins?: pulumi.Input[]>; /** * List of IPv4/IPv6 CIDR addresses. */ notIns?: pulumi.Input[]>; } export interface AccountTokenPolicy { /** * Allow or deny operations against the resources. * Available values: "allow", "deny". */ effect: pulumi.Input; /** * Policy identifier. */ id?: pulumi.Input; /** * A set of permission groups that are specified to the policy. */ permissionGroups: pulumi.Input[]>; /** * A list of resource names that the policy applies to. */ resources: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface AccountTokenPolicyPermissionGroup { /** * Identifier of the permission group. */ id: pulumi.Input; /** * Attributes associated to the permission group. */ meta?: pulumi.Input; /** * Name of the permission group. */ name?: pulumi.Input; } export interface AccountTokenPolicyPermissionGroupMeta { key?: pulumi.Input; value?: pulumi.Input; } export interface AccountUnit { /** * Tenant unit ID */ id?: pulumi.Input; } export interface AddressMapMembership { /** * Controls whether the membership can be deleted via the API or not. */ canDelete?: pulumi.Input; createdAt?: pulumi.Input; /** * The identifier for the membership (eg. a zone or account tag). */ identifier?: pulumi.Input; /** * The type of the membership. * Available values: "zone", "account". */ kind?: pulumi.Input; } export interface ApiShieldAuthIdCharacteristic { /** * The name of the characteristic field, i.e., the header or cookie name. */ name: pulumi.Input; /** * The type of characteristic. * Available values: "header", "cookie", "jwt". */ type: pulumi.Input; } export interface ApiShieldError { code?: pulumi.Input; documentationUrl?: pulumi.Input; message?: pulumi.Input; source?: pulumi.Input; } export interface ApiShieldErrorSource { pointer?: pulumi.Input; } export interface ApiShieldMessage { code?: pulumi.Input; documentationUrl?: pulumi.Input; message?: pulumi.Input; source?: pulumi.Input; } export interface ApiShieldMessageSource { pointer?: pulumi.Input; } export interface ApiShieldOperationFeatures { /** * API Routing settings on endpoint. */ apiRouting?: pulumi.Input; confidenceIntervals?: pulumi.Input; parameterSchemas?: pulumi.Input; schemaInfo?: pulumi.Input; thresholds?: pulumi.Input; } export interface ApiShieldOperationFeaturesApiRouting { lastUpdated?: pulumi.Input; /** * Target route. */ route?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervals { lastUpdated?: pulumi.Input; suggestedThreshold?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThreshold { confidenceIntervals?: pulumi.Input; /** * Suggested threshold. */ mean?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervals { /** * Upper and lower bound for percentile estimate */ p90?: pulumi.Input; /** * Upper and lower bound for percentile estimate */ p95?: pulumi.Input; /** * Upper and lower bound for percentile estimate */ p99?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervalsP90 { /** * Lower bound for percentile estimate */ lower?: pulumi.Input; /** * Upper bound for percentile estimate */ upper?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervalsP95 { /** * Lower bound for percentile estimate */ lower?: pulumi.Input; /** * Upper bound for percentile estimate */ upper?: pulumi.Input; } export interface ApiShieldOperationFeaturesConfidenceIntervalsSuggestedThresholdConfidenceIntervalsP99 { /** * Lower bound for percentile estimate */ lower?: pulumi.Input; /** * Upper bound for percentile estimate */ upper?: pulumi.Input; } export interface ApiShieldOperationFeaturesParameterSchemas { lastUpdated?: pulumi.Input; /** * An operation schema object containing a response. */ parameterSchemas?: pulumi.Input; } export interface ApiShieldOperationFeaturesParameterSchemasParameterSchemas { /** * An array containing the learned parameter schemas. */ parameters?: pulumi.Input[]>; /** * An empty response object. This field is required to yield a valid operation schema. */ responses?: pulumi.Input; } export interface ApiShieldOperationFeaturesSchemaInfo { /** * Schema active on endpoint. */ activeSchema?: pulumi.Input; /** * True if a Cloudflare-provided learned schema is available for this endpoint. */ learnedAvailable?: pulumi.Input; /** * Action taken on requests failing validation. * Available values: "none", "log", "block". */ mitigationAction?: pulumi.Input; } export interface ApiShieldOperationFeaturesSchemaInfoActiveSchema { createdAt?: pulumi.Input; /** * UUID. */ id?: pulumi.Input; /** * True if schema is Cloudflare-provided. */ isLearned?: pulumi.Input; /** * Schema file name. */ name?: pulumi.Input; } export interface ApiShieldOperationFeaturesThresholds { /** * The total number of auth-ids seen across this calculation. */ authIdTokens?: pulumi.Input; /** * The number of data points used for the threshold suggestion calculation. */ dataPoints?: pulumi.Input; lastUpdated?: pulumi.Input; /** * The p50 quantile of requests (in period_seconds). */ p50?: pulumi.Input; /** * The p90 quantile of requests (in period_seconds). */ p90?: pulumi.Input; /** * The p99 quantile of requests (in period_seconds). */ p99?: pulumi.Input; /** * The period over which this threshold is suggested. */ periodSeconds?: pulumi.Input; /** * The estimated number of requests covered by these calculations. */ requests?: pulumi.Input; /** * The suggested threshold in requests done by the same auth*id or period*seconds. */ suggestedThreshold?: pulumi.Input; } export interface ApiShieldSchemaSchema { createdAt?: pulumi.Input; /** * Kind of schema * Available values: "openapiV3". */ kind?: pulumi.Input; /** * Name of the schema */ name?: pulumi.Input; /** * UUID. */ schemaId?: pulumi.Input; /** * Source of the schema */ source?: pulumi.Input; /** * Flag whether schema is enabled for validation. */ validationEnabled?: pulumi.Input; } export interface ApiShieldSchemaUploadDetails { /** * Diagnostic warning events that occurred during processing. These events are non-critical errors found within the schema. */ warnings?: pulumi.Input[]>; } export interface ApiShieldSchemaUploadDetailsWarning { /** * Code that identifies the event that occurred. */ code?: pulumi.Input; /** * JSONPath location(s) in the schema where these events were encountered. See [https://goessner.net/articles/JsonPath/](https://goessner.net/articles/JsonPath/) for JSONPath specification. */ locations?: pulumi.Input[]>; /** * Diagnostic message that describes the event. */ message?: pulumi.Input; } export interface ApiTokenCondition { /** * Client IP restrictions. */ requestIp?: pulumi.Input; } export interface ApiTokenConditionRequestIp { /** * List of IPv4/IPv6 CIDR addresses. */ ins?: pulumi.Input[]>; /** * List of IPv4/IPv6 CIDR addresses. */ notIns?: pulumi.Input[]>; } export interface ApiTokenPolicy { /** * Allow or deny operations against the resources. * Available values: "allow", "deny". */ effect: pulumi.Input; /** * Policy identifier. */ id?: pulumi.Input; /** * A set of permission groups that are specified to the policy. */ permissionGroups: pulumi.Input[]>; /** * A list of resource names that the policy applies to. */ resources: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface ApiTokenPolicyPermissionGroup { /** * Identifier of the permission group. */ id: pulumi.Input; /** * Attributes associated to the permission group. */ meta?: pulumi.Input; /** * Name of the permission group. */ name?: pulumi.Input; } export interface ApiTokenPolicyPermissionGroupMeta { key?: pulumi.Input; value?: pulumi.Input; } export interface AuthenticatedOriginPullsConfig { /** * Certificate identifier tag. */ certId?: pulumi.Input; /** * Indicates whether hostname-level authenticated origin pulls is enabled. A null value voids the association. */ enabled?: pulumi.Input; /** * The hostname on the origin for which the client certificate uploaded will be used. */ hostname?: pulumi.Input; } export interface BotManagementStaleZoneConfiguration { /** * Indicates that the zone's Bot Fight Mode is turned on. */ fightMode?: pulumi.Input; /** * Indicates that the zone's wordpress optimization for SBFM is turned on. */ optimizeWordpress?: pulumi.Input; /** * Indicates that the zone's definitely automated requests are being blocked or challenged. */ sbfmDefinitelyAutomated?: pulumi.Input; /** * Indicates that the zone's likely automated requests are being blocked or challenged. */ sbfmLikelyAutomated?: pulumi.Input; /** * Indicates that the zone's static resource protection is turned on. */ sbfmStaticResourceProtection?: pulumi.Input; /** * Indicates that the zone's verified bot requests are being blocked. */ sbfmVerifiedBots?: pulumi.Input; /** * Indicates that the zone's session score tracking is disabled. */ suppressSessionScore?: pulumi.Input; } export interface CertificatePackValidationError { /** * A domain validation error. */ message?: pulumi.Input; } export interface CertificatePackValidationRecord { /** * The set of email addresses that the certificate authority (CA) will use to complete domain validation. */ emails?: pulumi.Input[]>; /** * The content that the certificate authority (CA) will expect to find at the httpUrl during the domain validation. */ httpBody?: pulumi.Input; /** * The url that will be checked during domain validation. */ httpUrl?: pulumi.Input; /** * The hostname that the certificate authority (CA) will check for a TXT record during domain validation . */ txtName?: pulumi.Input; /** * The TXT record that the certificate authority (CA) will check during domain validation. */ txtValue?: pulumi.Input; } export interface CloudConnectorRulesRule { description?: pulumi.Input; enabled?: pulumi.Input; expression?: pulumi.Input; id?: pulumi.Input; /** * Parameters of Cloud Connector Rule */ parameters?: pulumi.Input; /** * Cloud Provider type * Available values: "aws*s3", "cloudflare*r2", "gcp*storage", "azure*storage". */ provider?: pulumi.Input; } export interface CloudConnectorRulesRuleParameters { /** * Host to perform Cloud Connection to */ host?: pulumi.Input; } export interface ContentScanningExpressionBody { /** * Defines the ruleset expression to use in matching content objects. */ payload: pulumi.Input; } export interface CustomHostnameOwnershipVerification { /** * DNS Name for record. */ name?: pulumi.Input; /** * DNS Record type. * Available values: "txt". */ type?: pulumi.Input; /** * Content for the record. */ value?: pulumi.Input; } export interface CustomHostnameOwnershipVerificationHttp { /** * Token to be served. */ httpBody?: pulumi.Input; /** * The HTTP URL that will be checked during custom hostname verification and where the customer should host the token. */ httpUrl?: pulumi.Input; } export interface CustomHostnameSsl { /** * A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. And the force bundle verifies the chain, but does not otherwise modify it. * Available values: "ubiquitous", "optimal", "force". */ bundleMethod?: pulumi.Input; /** * The Certificate Authority that will issue the certificate * Available values: "digicert", "google", "lets*encrypt", "ssl*com". */ certificateAuthority?: pulumi.Input; /** * Whether or not to add Cloudflare Branding for the order. This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true */ cloudflareBranding?: pulumi.Input; /** * Array of custom certificate and key pairs (1 or 2 pairs allowed) */ customCertBundles?: pulumi.Input[]>; /** * If a custom uploaded certificate is used. */ customCertificate?: pulumi.Input; /** * The key for a custom uploaded certificate. */ customKey?: pulumi.Input; /** * Domain control validation (DCV) method used for this hostname. * Available values: "http", "txt", "email". */ method?: pulumi.Input; /** * SSL specific settings. */ settings?: pulumi.Input; /** * Level of validation to be used for this hostname. Domain validation (dv) must be used. * Available values: "dv". */ type?: pulumi.Input; /** * Indicates whether the certificate covers a wildcard. */ wildcard?: pulumi.Input; } export interface CustomHostnameSslCustomCertBundle { /** * If a custom uploaded certificate is used. */ customCertificate: pulumi.Input; /** * The key for a custom uploaded certificate. */ customKey: pulumi.Input; } export interface CustomHostnameSslSettings { /** * An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format. */ ciphers?: pulumi.Input[]>; /** * Whether or not Early Hints is enabled. * Available values: "on", "off". */ earlyHints?: pulumi.Input; /** * Whether or not HTTP2 is enabled. * Available values: "on", "off". */ http2?: pulumi.Input; /** * The minimum TLS version supported. * Available values: "1.0", "1.1", "1.2", "1.3". */ minTlsVersion?: pulumi.Input; /** * Whether or not TLS 1.3 is enabled. * Available values: "on", "off". */ tls13?: pulumi.Input; } export interface CustomSslGeoRestrictions { /** * Available values: "us", "eu", "highestSecurity". */ label?: pulumi.Input; } export interface CustomSslKeylessServer { /** * When the Keyless SSL was created. */ createdOn?: pulumi.Input; /** * Whether or not the Keyless SSL is on or off. */ enabled?: pulumi.Input; /** * The keyless SSL name. */ host?: pulumi.Input; /** * Keyless certificate identifier tag. */ id?: pulumi.Input; /** * When the Keyless SSL was last modified. */ modifiedOn?: pulumi.Input; /** * The keyless SSL name. */ name?: pulumi.Input; /** * Available permissions for the Keyless SSL for the current user requesting the item. */ permissions?: pulumi.Input[]>; /** * The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server. */ port?: pulumi.Input; /** * Status of the Keyless SSL. * Available values: "active", "deleted". */ status?: pulumi.Input; /** * Configuration for using Keyless SSL through a Cloudflare Tunnel */ tunnel?: pulumi.Input; } export interface CustomSslKeylessServerTunnel { /** * Private IP of the Key Server Host */ privateIp?: pulumi.Input; /** * Cloudflare Tunnel Virtual Network ID */ vnetId?: pulumi.Input; } export interface D1DatabaseReadReplication { /** * The read replication mode for the database. Use 'auto' to create replicas and allow D1 automatically place them around the world, or 'disabled' to not use any database replicas (it can take a few hours for all replicas to be deleted). * Available values: "auto", "disabled". */ mode: pulumi.Input; } export interface DeviceManagedNetworksConfig { /** * The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. */ sha256?: pulumi.Input; /** * A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. */ tlsSockaddr: pulumi.Input; } export interface DevicePostureIntegrationConfig { /** * If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `apiUrl`. */ accessClientId?: pulumi.Input; /** * If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `apiUrl`. */ accessClientSecret?: pulumi.Input; /** * The Workspace One API URL provided in the Workspace One Admin Dashboard. */ apiUrl?: pulumi.Input; /** * The Workspace One Authorization URL depending on your region. */ authUrl?: pulumi.Input; /** * The Workspace One client ID provided in the Workspace One Admin Dashboard. */ clientId?: pulumi.Input; /** * The Uptycs client secret. */ clientKey?: pulumi.Input; /** * The Workspace One client secret provided in the Workspace One Admin Dashboard. */ clientSecret?: pulumi.Input; /** * The Crowdstrike customer ID. */ customerId?: pulumi.Input; } export interface DevicePostureRuleInput { /** * The Number of active threats. */ activeThreats?: pulumi.Input; /** * UUID of Cloudflare managed certificate. */ certificateId?: pulumi.Input; /** * List of volume names to be checked for encryption. */ checkDisks?: pulumi.Input[]>; /** * Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. */ checkPrivateKey?: pulumi.Input; /** * Common Name that is protected by the certificate. */ cn?: pulumi.Input; /** * Compliance Status. * Available values: "compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error". */ complianceStatus?: pulumi.Input; /** * Posture Integration ID. */ connectionId?: pulumi.Input; /** * Count Operator. * Available values: "<", "<=", ">", ">=", "==". */ countOperator?: pulumi.Input; /** * Domain. */ domain?: pulumi.Input; /** * For more details on eid last seen, refer to the Tanium documentation. */ eidLastSeen?: pulumi.Input; /** * Enabled. */ enabled?: pulumi.Input; /** * Whether or not file exists. */ exists?: pulumi.Input; /** * List of values indicating purposes for which the certificate public key can be used. */ extendedKeyUsages?: pulumi.Input[]>; /** * List ID. */ id?: pulumi.Input; /** * Whether device is infected. */ infected?: pulumi.Input; /** * Whether device is active. */ isActive?: pulumi.Input; /** * The Number of Issues. */ issueCount?: pulumi.Input; /** * For more details on last seen, please refer to the Crowdstrike documentation. */ lastSeen?: pulumi.Input; locations?: pulumi.Input; /** * Network status of device. * Available values: "connected", "disconnected", "disconnecting", "connecting". */ networkStatus?: pulumi.Input; /** * Operating system. * Available values: "windows", "linux", "mac", "android", "ios", "chromeos". */ operatingSystem?: pulumi.Input; /** * Agent operational state. * Available values: "na", "partially*disabled", "auto*fully*disabled", "fully*disabled", "auto*partially*disabled", "disabled*error", "db*corruption". */ operationalState?: pulumi.Input; /** * Operator. * Available values: "<", "<=", ">", ">=", "==". */ operator?: pulumi.Input; /** * Os Version. */ os?: pulumi.Input; /** * Operating System Distribution Name (linux only). */ osDistroName?: pulumi.Input; /** * Version of OS Distribution (linux only). */ osDistroRevision?: pulumi.Input; /** * Additional version data. For Mac or iOS, the Product Version Extra. For Linux, the kernel release version. (Mac, iOS, and Linux only). */ osVersionExtra?: pulumi.Input; /** * Overall. */ overall?: pulumi.Input; /** * File path. */ path?: pulumi.Input; /** * Whether to check all disks for encryption. */ requireAll?: pulumi.Input; /** * For more details on risk level, refer to the Tanium documentation. * Available values: "low", "medium", "high", "critical". */ riskLevel?: pulumi.Input; /** * A value between 0-100 assigned to devices set by the 3rd party posture provider. */ score?: pulumi.Input; /** * Score Operator. * Available values: "<", "<=", ">", ">=", "==". */ scoreOperator?: pulumi.Input; /** * SensorConfig. */ sensorConfig?: pulumi.Input; /** * SHA-256. */ sha256?: pulumi.Input; /** * For more details on state, please refer to the Crowdstrike documentation. * Available values: "online", "offline", "unknown". */ state?: pulumi.Input; /** * List of certificate Subject Alternative Names. */ subjectAlternativeNames?: pulumi.Input[]>; /** * Signing certificate thumbprint. */ thumbprint?: pulumi.Input; /** * For more details on total score, refer to the Tanium documentation. */ totalScore?: pulumi.Input; /** * Version of OS. */ version?: pulumi.Input; /** * Version Operator. * Available values: "<", "<=", ">", ">=", "==". */ versionOperator?: pulumi.Input; } export interface DevicePostureRuleInputLocations { /** * List of paths to check for client certificate on linux. */ paths?: pulumi.Input[]>; /** * List of trust stores to check for client certificate. */ trustStores?: pulumi.Input[]>; } export interface DevicePostureRuleMatch { /** * Available values: "windows", "mac", "linux", "android", "ios", "chromeos". */ platform?: pulumi.Input; } export interface DlpCustomProfileContextAwareness { /** * If true, scan the context of predefined entries to only return matches surrounded by keywords. */ enabled: pulumi.Input; /** * Content types to exclude from context analysis and return all matches. */ skip: pulumi.Input; } export interface DlpCustomProfileContextAwarenessSkip { /** * If the content type is a file, skip context analysis and return all matches. */ files: pulumi.Input; } export interface DlpCustomProfileEntry { enabled: pulumi.Input; entryId?: pulumi.Input; name: pulumi.Input; pattern: pulumi.Input; } export interface DlpCustomProfileEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface DlpCustomProfileSharedEntry { enabled: pulumi.Input; entryId: pulumi.Input; /** * Available values: "custom", "predefined", "integration", "exact*data", "document*fingerprint". */ entryType: pulumi.Input; } export interface DlpPredefinedProfileContextAwareness { /** * If true, scan the context of predefined entries to only return matches surrounded by keywords. */ enabled: pulumi.Input; /** * Content types to exclude from context analysis and return all matches. */ skip: pulumi.Input; } export interface DlpPredefinedProfileContextAwarenessSkip { /** * If the content type is a file, skip context analysis and return all matches. */ files: pulumi.Input; } export interface DlpPredefinedProfileEntry { enabled: pulumi.Input; id: pulumi.Input; } export interface DnsFirewallAttackMitigation { /** * When enabled, automatically mitigate random-prefix attacks to protect upstream DNS servers */ enabled?: pulumi.Input; /** * Only mitigate attacks when upstream servers seem unhealthy */ onlyWhenUpstreamUnhealthy?: pulumi.Input; } export interface DnsRecordData { /** * Algorithm. */ algorithm?: pulumi.Input; /** * Altitude of location in meters. */ altitude?: pulumi.Input; /** * Certificate. */ certificate?: pulumi.Input; /** * Digest. */ digest?: pulumi.Input; /** * Digest Type. */ digestType?: pulumi.Input; /** * Fingerprint. */ fingerprint?: pulumi.Input; /** * Flags for the CAA record. */ flags?: any; /** * Key Tag. */ keyTag?: pulumi.Input; /** * Degrees of latitude. */ latDegrees?: pulumi.Input; /** * Latitude direction. * Available values: "N", "S". */ latDirection?: pulumi.Input; /** * Minutes of latitude. */ latMinutes?: pulumi.Input; /** * Seconds of latitude. */ latSeconds?: pulumi.Input; /** * Degrees of longitude. */ longDegrees?: pulumi.Input; /** * Longitude direction. * Available values: "E", "W". */ longDirection?: pulumi.Input; /** * Minutes of longitude. */ longMinutes?: pulumi.Input; /** * Seconds of longitude. */ longSeconds?: pulumi.Input; /** * Matching Type. */ matchingType?: pulumi.Input; /** * Order. */ order?: pulumi.Input; /** * The port of the service. */ port?: pulumi.Input; /** * Horizontal precision of location. */ precisionHorz?: pulumi.Input; /** * Vertical precision of location. */ precisionVert?: pulumi.Input; /** * Preference. */ preference?: pulumi.Input; /** * Priority. */ priority?: pulumi.Input; /** * Protocol. */ protocol?: pulumi.Input; /** * Public Key. */ publicKey?: pulumi.Input; /** * Regex. */ regex?: pulumi.Input; /** * Replacement. */ replacement?: pulumi.Input; /** * Selector. */ selector?: pulumi.Input; /** * Service. */ service?: pulumi.Input; /** * Size of location in meters. */ size?: pulumi.Input; /** * Name of the property controlled by this record (e.g.: issue, issuewild, iodef). */ tag?: pulumi.Input; /** * Target. */ target?: pulumi.Input; /** * Type. */ type?: pulumi.Input; /** * Usage. */ usage?: pulumi.Input; /** * Value of the record. This field's semantics depend on the chosen tag. */ value?: pulumi.Input; /** * The record weight. */ weight?: pulumi.Input; } export interface DnsRecordSettings { /** * If enabled, causes the CNAME record to be resolved externally and the resulting address records (e.g., A and AAAA) to be returned instead of the CNAME record itself. This setting is unavailable for proxied records, since they are always flattened. */ flattenCname?: pulumi.Input; /** * When enabled, only A records will be generated, and AAAA records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv4Only?: pulumi.Input; /** * When enabled, only AAAA records will be generated, and A records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv6Only?: pulumi.Input; } export interface EmailRoutingCatchAllAction { /** * Type of action for catch-all rule. * Available values: "drop", "forward", "worker". */ type: pulumi.Input; values?: pulumi.Input[]>; } export interface EmailRoutingCatchAllMatcher { /** * Type of matcher. Default is 'all'. * Available values: "all". */ type: pulumi.Input; } export interface EmailRoutingDnsError { code?: pulumi.Input; documentationUrl?: pulumi.Input; message?: pulumi.Input; source?: pulumi.Input; } export interface EmailRoutingDnsErrorSource { pointer?: pulumi.Input; } export interface EmailRoutingDnsMessage { code?: pulumi.Input; documentationUrl?: pulumi.Input; message?: pulumi.Input; source?: pulumi.Input; } export interface EmailRoutingDnsMessageSource { pointer?: pulumi.Input; } export interface EmailRoutingDnsResult { /** * DNS record content. */ content?: pulumi.Input; errors?: pulumi.Input[]>; /** * DNS record name (or @ for the zone apex). */ name?: pulumi.Input; /** * Required for MX, SRV and URI records. Unused by other record types. Records with lower priorities are preferred. */ priority?: pulumi.Input; records?: pulumi.Input[]>; /** * Time to live, in seconds, of the DNS record. Must be between 60 and 86400, or 1 for 'automatic'. */ ttl?: pulumi.Input; /** * DNS record type. * Available values: "A", "AAAA", "CNAME", "HTTPS", "TXT", "SRV", "LOC", "MX", "NS", "CERT", "DNSKEY", "DS", "NAPTR", "SMIMEA", "SSHFP", "SVCB", "TLSA", "URI". */ type?: pulumi.Input; } export interface EmailRoutingDnsResultError { code?: pulumi.Input; /** * List of records needed to enable an Email Routing zone. */ missing?: pulumi.Input; } export interface EmailRoutingDnsResultErrorMissing { /** * DNS record content. */ content?: pulumi.Input; /** * DNS record name (or @ for the zone apex). */ name?: pulumi.Input; /** * Required for MX, SRV and URI records. Unused by other record types. Records with lower priorities are preferred. */ priority?: pulumi.Input; /** * Time to live, in seconds, of the DNS record. Must be between 60 and 86400, or 1 for 'automatic'. */ ttl?: pulumi.Input; /** * DNS record type. * Available values: "A", "AAAA", "CNAME", "HTTPS", "TXT", "SRV", "LOC", "MX", "NS", "CERT", "DNSKEY", "DS", "NAPTR", "SMIMEA", "SSHFP", "SVCB", "TLSA", "URI". */ type?: pulumi.Input; } export interface EmailRoutingDnsResultInfo { /** * Total number of results for the requested service. */ count?: pulumi.Input; /** * Current page within paginated list of results. */ page?: pulumi.Input; /** * Number of results per page of results. */ perPage?: pulumi.Input; /** * Total results available without any search parameters. */ totalCount?: pulumi.Input; } export interface EmailRoutingDnsResultRecord { /** * DNS record content. */ content?: pulumi.Input; /** * DNS record name (or @ for the zone apex). */ name?: pulumi.Input; /** * Required for MX, SRV and URI records. Unused by other record types. Records with lower priorities are preferred. */ priority?: pulumi.Input; /** * Time to live, in seconds, of the DNS record. Must be between 60 and 86400, or 1 for 'automatic'. */ ttl?: pulumi.Input; /** * DNS record type. * Available values: "A", "AAAA", "CNAME", "HTTPS", "TXT", "SRV", "LOC", "MX", "NS", "CERT", "DNSKEY", "DS", "NAPTR", "SMIMEA", "SSHFP", "SVCB", "TLSA", "URI". */ type?: pulumi.Input; } export interface EmailRoutingRuleAction { /** * Type of supported action. * Available values: "drop", "forward", "worker". */ type: pulumi.Input; values?: pulumi.Input[]>; } export interface EmailRoutingRuleMatcher { /** * Field for type matcher. * Available values: "to". */ field?: pulumi.Input; /** * Type of matcher. * Available values: "all", "literal". */ type: pulumi.Input; /** * Value for matcher. */ value?: pulumi.Input; } export interface EmailSecurityTrustedDomainsBody { comments?: pulumi.Input; /** * Select to prevent recently registered domains from triggering a * Suspicious or Malicious disposition. */ isRecent: pulumi.Input; isRegex: pulumi.Input; /** * Select for partner or other approved domains that have similar * spelling to your connected domains. Prevents listed domains from * triggering a Spoof disposition. */ isSimilarity: pulumi.Input; pattern: pulumi.Input; } export interface FilterBody { /** * An informative summary of the filter. */ description?: pulumi.Input; /** * The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/). */ expression?: pulumi.Input; /** * The unique identifier of the filter. */ id?: pulumi.Input; /** * When true, indicates that the filter is currently paused. */ paused?: pulumi.Input; /** * A short reference tag. Allows you to select related filters. */ ref?: pulumi.Input; } export interface FirewallRuleAction { /** * The action to perform. * Available values: "simulate", "ban", "challenge", "js*challenge", "managed*challenge". */ mode?: pulumi.Input; /** * A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. * Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed*challenge", or "js*challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. */ response?: pulumi.Input; /** * The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. * Notes: If "mode" is "challenge", "managed*challenge", or "js*challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. */ timeout?: pulumi.Input; } export interface FirewallRuleActionResponse { /** * The response body to return. The value must conform to the configured content type. */ body?: pulumi.Input; /** * The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. */ contentType?: pulumi.Input; } export interface FirewallRuleFilter { /** * An informative summary of the filter. */ description?: pulumi.Input; /** * The filter expression. For more information, refer to [Expressions](https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/). */ expression?: pulumi.Input; /** * The unique identifier of the filter. */ id?: pulumi.Input; /** * When true, indicates that the filter is currently paused. */ paused?: pulumi.Input; /** * A short reference tag. Allows you to select related filters. */ ref?: pulumi.Input; } export interface GetAccessRuleFilter { configuration?: inputs.GetAccessRuleFilterConfiguration; /** * Defines the direction used to sort returned rules. * Available values: "asc", "desc". */ direction?: string; /** * Defines the search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match. * Available values: "any", "all". */ match?: string; /** * The action to apply to a matched request. * Available values: "block", "challenge", "whitelist", "js*challenge", "managed*challenge". */ mode?: string; /** * Defines the string to search for in the notes of existing IP Access rules. * Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive. */ notes?: string; /** * Defines the field used to sort returned rules. * Available values: "configuration.target", "configuration.value", "mode". */ order?: string; } export interface GetAccessRuleFilterArgs { configuration?: pulumi.Input; /** * Defines the direction used to sort returned rules. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Defines the search requirements. When set to `all`, all the search requirements must match. When set to `any`, only one of the search requirements has to match. * Available values: "any", "all". */ match?: pulumi.Input; /** * The action to apply to a matched request. * Available values: "block", "challenge", "whitelist", "js*challenge", "managed*challenge". */ mode?: pulumi.Input; /** * Defines the string to search for in the notes of existing IP Access rules. * Notes: For example, the string 'attack' would match IP Access rules with notes 'Attack 26/02' and 'Attack 27/02'. The search is case insensitive. */ notes?: pulumi.Input; /** * Defines the field used to sort returned rules. * Available values: "configuration.target", "configuration.value", "mode". */ order?: pulumi.Input; } export interface GetAccessRuleFilterConfiguration { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: string; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: string; } export interface GetAccessRuleFilterConfigurationArgs { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: pulumi.Input; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: pulumi.Input; } export interface GetAccessRulesConfiguration { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: string; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: string; } export interface GetAccessRulesConfigurationArgs { /** * Defines the target to search in existing rules. * Available values: "ip", "ipRange", "asn", "country". */ target?: pulumi.Input; /** * Defines the target value to search for in existing rules: an IP address, an IP address range, or a country code, depending on the provided `configuration.target`. * Notes: You can search for a single IPv4 address, an IP address range with a subnet of '/16' or '/24', or a two-letter ISO-3166-1 alpha-2 country code. */ value?: pulumi.Input; } export interface GetAccountDnsSettingsInternalViewFilter { /** * Direction to order DNS views in. * Available values: "asc", "desc". */ direction?: string; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. * Available values: "any", "all". */ match?: string; name?: inputs.GetAccountDnsSettingsInternalViewFilterName; /** * Field to order DNS views by. * Available values: "name", "created*on", "modified*on". */ order?: string; /** * A zone ID that exists in the zones list for the view. */ zoneId?: string; /** * A zone name that exists in the zones list for the view. */ zoneName?: string; } export interface GetAccountDnsSettingsInternalViewFilterArgs { /** * Direction to order DNS views in. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. * Available values: "any", "all". */ match?: pulumi.Input; name?: pulumi.Input; /** * Field to order DNS views by. * Available values: "name", "created*on", "modified*on". */ order?: pulumi.Input; /** * A zone ID that exists in the zones list for the view. */ zoneId?: pulumi.Input; /** * A zone name that exists in the zones list for the view. */ zoneName?: pulumi.Input; } export interface GetAccountDnsSettingsInternalViewFilterName { /** * Substring of the DNS view name. */ contains?: string; /** * Suffix of the DNS view name. */ endswith?: string; /** * Exact value of the DNS view name. */ exact?: string; /** * Prefix of the DNS view name. */ startswith?: string; } export interface GetAccountDnsSettingsInternalViewFilterNameArgs { /** * Substring of the DNS view name. */ contains?: pulumi.Input; /** * Suffix of the DNS view name. */ endswith?: pulumi.Input; /** * Exact value of the DNS view name. */ exact?: pulumi.Input; /** * Prefix of the DNS view name. */ startswith?: pulumi.Input; } export interface GetAccountDnsSettingsInternalViewsName { /** * Substring of the DNS view name. */ contains?: string; /** * Suffix of the DNS view name. */ endswith?: string; /** * Exact value of the DNS view name. */ exact?: string; /** * Prefix of the DNS view name. */ startswith?: string; } export interface GetAccountDnsSettingsInternalViewsNameArgs { /** * Substring of the DNS view name. */ contains?: pulumi.Input; /** * Suffix of the DNS view name. */ endswith?: pulumi.Input; /** * Exact value of the DNS view name. */ exact?: pulumi.Input; /** * Prefix of the DNS view name. */ startswith?: pulumi.Input; } export interface GetAccountFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; /** * Name of the account. */ name?: string; } export interface GetAccountFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Name of the account. */ name?: pulumi.Input; } export interface GetAccountMemberFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; /** * Field to order results by. * Available values: "user.first*name", "user.last*name", "user.email", "status". */ order?: string; /** * A member's status in the account. * Available values: "accepted", "pending", "rejected". */ status?: string; } export interface GetAccountMemberFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Field to order results by. * Available values: "user.first*name", "user.last*name", "user.email", "status". */ order?: pulumi.Input; /** * A member's status in the account. * Available values: "accepted", "pending", "rejected". */ status?: pulumi.Input; } export interface GetAccountTokenFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; } export interface GetAccountTokenFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; } export interface GetApiShieldOperationFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; /** * Filter results to only include endpoints containing this pattern. */ endpoint?: string; /** * Add feature(s) to the results. The feature name that is given here corresponds to the resulting feature object. Have a look at the top-level object description for more details on the specific meaning. */ features?: string[]; /** * Filter results to only include the specified hosts. */ hosts?: string[]; /** * Filter results to only include the specified HTTP methods. */ methods?: string[]; /** * Field to order by. When requesting a feature, the feature keys are available for ordering as well, e.g., `thresholds.suggested_threshold`. * Available values: "method", "host", "endpoint", "thresholds.$key". */ order?: string; } export interface GetApiShieldOperationFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Filter results to only include endpoints containing this pattern. */ endpoint?: pulumi.Input; /** * Add feature(s) to the results. The feature name that is given here corresponds to the resulting feature object. Have a look at the top-level object description for more details on the specific meaning. */ features?: pulumi.Input[]>; /** * Filter results to only include the specified hosts. */ hosts?: pulumi.Input[]>; /** * Filter results to only include the specified HTTP methods. */ methods?: pulumi.Input[]>; /** * Field to order by. When requesting a feature, the feature keys are available for ordering as well, e.g., `thresholds.suggested_threshold`. * Available values: "method", "host", "endpoint", "thresholds.$key". */ order?: pulumi.Input; } export interface GetApiTokenFilter { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: string; } export interface GetApiTokenFilterArgs { /** * Direction to order results. * Available values: "asc", "desc". */ direction?: pulumi.Input; } export interface GetCloudforceOneRequestFilter { /** * Retrieve requests completed after this time. */ completedAfter?: string; /** * Retrieve requests completed before this time. */ completedBefore?: string; /** * Retrieve requests created after this time. */ createdAfter?: string; /** * Retrieve requests created before this time. */ createdBefore?: string; /** * Page number of results. */ page: number; /** * Number of results per page. */ perPage: number; /** * Requested information from request. */ requestType?: string; /** * Field to sort results by. */ sortBy?: string; /** * Sort order (asc or desc). * Available values: "asc", "desc". */ sortOrder?: string; /** * Request Status. * Available values: "open", "accepted", "reported", "approved", "completed", "declined". */ status?: string; } export interface GetCloudforceOneRequestFilterArgs { /** * Retrieve requests completed after this time. */ completedAfter?: pulumi.Input; /** * Retrieve requests completed before this time. */ completedBefore?: pulumi.Input; /** * Retrieve requests created after this time. */ createdAfter?: pulumi.Input; /** * Retrieve requests created before this time. */ createdBefore?: pulumi.Input; /** * Page number of results. */ page: pulumi.Input; /** * Number of results per page. */ perPage: pulumi.Input; /** * Requested information from request. */ requestType?: pulumi.Input; /** * Field to sort results by. */ sortBy?: pulumi.Input; /** * Sort order (asc or desc). * Available values: "asc", "desc". */ sortOrder?: pulumi.Input; /** * Request Status. * Available values: "open", "accepted", "reported", "approved", "completed", "declined". */ status?: pulumi.Input; } export interface GetCustomHostnameFilter { /** * Direction to order hostnames. * Available values: "asc", "desc". */ direction?: string; /** * Fully qualified domain name to match against. This parameter cannot be used with the 'id' parameter. */ hostname?: string; /** * Hostname ID to match against. This ID was generated and returned during the initial customHostname creation. This parameter cannot be used with the 'hostname' parameter. */ id?: string; /** * Field to order hostnames by. * Available values: "ssl", "sslStatus". */ order?: string; /** * Whether to filter hostnames based on if they have SSL enabled. * Available values: 0, 1. */ ssl?: number; } export interface GetCustomHostnameFilterArgs { /** * Direction to order hostnames. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Fully qualified domain name to match against. This parameter cannot be used with the 'id' parameter. */ hostname?: pulumi.Input; /** * Hostname ID to match against. This ID was generated and returned during the initial customHostname creation. This parameter cannot be used with the 'hostname' parameter. */ id?: pulumi.Input; /** * Field to order hostnames by. * Available values: "ssl", "sslStatus". */ order?: pulumi.Input; /** * Whether to filter hostnames based on if they have SSL enabled. * Available values: 0, 1. */ ssl?: pulumi.Input; } export interface GetCustomSslFilter { /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: string; /** * Status of the zone's custom SSL. * Available values: "active", "expired", "deleted", "pending", "initializing". */ status?: string; } export interface GetCustomSslFilterArgs { /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: pulumi.Input; /** * Status of the zone's custom SSL. * Available values: "active", "expired", "deleted", "pending", "initializing". */ status?: pulumi.Input; } export interface GetD1DatabaseFilter { /** * a database name to search for. */ name?: string; } export interface GetD1DatabaseFilterArgs { /** * a database name to search for. */ name?: pulumi.Input; } export interface GetDnsRecordFilter { comment?: inputs.GetDnsRecordFilterComment; content?: inputs.GetDnsRecordFilterContent; /** * Direction to order DNS records in. * Available values: "asc", "desc". */ direction?: string; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. Note that the interaction between tag filters is controlled by the `tag-match` parameter instead. * Available values: "any", "all". */ match?: string; name?: inputs.GetDnsRecordFilterName; /** * Field to order DNS records by. * Available values: "type", "name", "content", "ttl", "proxied". */ order?: string; /** * Whether the record is receiving the performance and security benefits of Cloudflare. */ proxied?: boolean; /** * Allows searching in multiple properties of a DNS record simultaneously. This parameter is intended for human users, not automation. Its exact behavior is intentionally left unspecified and is subject to change in the future. This parameter works independently of the `match` setting. For automated searches, please use the other available parameters. */ search?: string; tag?: inputs.GetDnsRecordFilterTag; /** * Whether to match all tag search requirements or at least one (any). If set to `all`, acts like a logical AND between tag filters. If set to `any`, acts like a logical OR instead. Note that the regular `match` parameter is still used to combine the resulting condition with other filters that aren't related to tags. * Available values: "any", "all". */ tagMatch?: string; /** * Record type. * Available values: "A", "AAAA", "CAA", "CERT", "CNAME", "DNSKEY", "DS", "HTTPS", "LOC", "MX", "NAPTR", "NS", "OPENPGPKEY", "PTR", "SMIMEA", "SRV", "SSHFP", "SVCB", "TLSA", "TXT", "URI". */ type?: string; } export interface GetDnsRecordFilterArgs { comment?: pulumi.Input; content?: pulumi.Input; /** * Direction to order DNS records in. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Whether to match all search requirements or at least one (any). If set to `all`, acts like a logical AND between filters. If set to `any`, acts like a logical OR instead. Note that the interaction between tag filters is controlled by the `tag-match` parameter instead. * Available values: "any", "all". */ match?: pulumi.Input; name?: pulumi.Input; /** * Field to order DNS records by. * Available values: "type", "name", "content", "ttl", "proxied". */ order?: pulumi.Input; /** * Whether the record is receiving the performance and security benefits of Cloudflare. */ proxied?: pulumi.Input; /** * Allows searching in multiple properties of a DNS record simultaneously. This parameter is intended for human users, not automation. Its exact behavior is intentionally left unspecified and is subject to change in the future. This parameter works independently of the `match` setting. For automated searches, please use the other available parameters. */ search?: pulumi.Input; tag?: pulumi.Input; /** * Whether to match all tag search requirements or at least one (any). If set to `all`, acts like a logical AND between tag filters. If set to `any`, acts like a logical OR instead. Note that the regular `match` parameter is still used to combine the resulting condition with other filters that aren't related to tags. * Available values: "any", "all". */ tagMatch?: pulumi.Input; /** * Record type. * Available values: "A", "AAAA", "CAA", "CERT", "CNAME", "DNSKEY", "DS", "HTTPS", "LOC", "MX", "NAPTR", "NS", "OPENPGPKEY", "PTR", "SMIMEA", "SRV", "SSHFP", "SVCB", "TLSA", "TXT", "URI". */ type?: pulumi.Input; } export interface GetDnsRecordFilterComment { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: string; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: string; /** * If this parameter is present, only records *with* a comment are returned. */ present?: string; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterCommentArgs { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: pulumi.Input; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: pulumi.Input; /** * If this parameter is present, only records *with* a comment are returned. */ present?: pulumi.Input; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordFilterContent { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterContentArgs { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordFilterName { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterNameArgs { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordFilterTag { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value contains ``. Tag filters are case-insensitive. */ contains?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value ends with ``. Tag filters are case-insensitive. */ endswith?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value is ``. Tag filters are case-insensitive. */ exact?: string; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value starts with ``. Tag filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordFilterTagArgs { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value contains ``. Tag filters are case-insensitive. */ contains?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value ends with ``. Tag filters are case-insensitive. */ endswith?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value is ``. Tag filters are case-insensitive. */ exact?: pulumi.Input; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value starts with ``. Tag filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsComment { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: string; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: string; /** * If this parameter is present, only records *with* a comment are returned. */ present?: string; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsCommentArgs { /** * If this parameter is present, only records *without* a comment are returned. */ absent?: pulumi.Input; /** * Substring of the DNS record comment. Comment filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record comment. Comment filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record comment. Comment filters are case-insensitive. */ exact?: pulumi.Input; /** * If this parameter is present, only records *with* a comment are returned. */ present?: pulumi.Input; /** * Prefix of the DNS record comment. Comment filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsContent { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsContentArgs { /** * Substring of the DNS record content. Content filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record content. Content filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record content. Content filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record content. Content filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsName { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: string; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: string; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: string; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsNameArgs { /** * Substring of the DNS record name. Name filters are case-insensitive. */ contains?: pulumi.Input; /** * Suffix of the DNS record name. Name filters are case-insensitive. */ endswith?: pulumi.Input; /** * Exact value of the DNS record name. Name filters are case-insensitive. */ exact?: pulumi.Input; /** * Prefix of the DNS record name. Name filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetDnsRecordsTag { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value contains ``. Tag filters are case-insensitive. */ contains?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value ends with ``. Tag filters are case-insensitive. */ endswith?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value is ``. Tag filters are case-insensitive. */ exact?: string; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: string; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value starts with ``. Tag filters are case-insensitive. */ startswith?: string; } export interface GetDnsRecordsTagArgs { /** * Name of a tag which must *not* be present on the DNS record. Tag filters are case-insensitive. */ absent?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value contains ``. Tag filters are case-insensitive. */ contains?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value ends with ``. Tag filters are case-insensitive. */ endswith?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value is ``. Tag filters are case-insensitive. */ exact?: pulumi.Input; /** * Name of a tag which must be present on the DNS record. Tag filters are case-insensitive. */ present?: pulumi.Input; /** * A tag and value, of the form `:`. The API will only return DNS records that have a tag named `` whose value starts with ``. Tag filters are case-insensitive. */ startswith?: pulumi.Input; } export interface GetEmailRoutingAddressFilter { /** * Sorts results in an ascending or descending order. * Available values: "asc", "desc". */ direction?: string; /** * Filter by verified destination addresses. */ verified?: boolean; } export interface GetEmailRoutingAddressFilterArgs { /** * Sorts results in an ascending or descending order. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Filter by verified destination addresses. */ verified?: pulumi.Input; } export interface GetEmailRoutingRuleFilter { /** * Filter by enabled routing rules. */ enabled?: boolean; } export interface GetEmailRoutingRuleFilterArgs { /** * Filter by enabled routing rules. */ enabled?: pulumi.Input; } export interface GetEmailSecurityBlockSenderFilter { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: string; pattern?: string; /** * Available values: "EMAIL", "DOMAIN", "IP", "UNKNOWN". */ patternType?: string; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: string; } export interface GetEmailSecurityBlockSenderFilterArgs { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: pulumi.Input; pattern?: pulumi.Input; /** * Available values: "EMAIL", "DOMAIN", "IP", "UNKNOWN". */ patternType?: pulumi.Input; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: pulumi.Input; } export interface GetEmailSecurityImpersonationRegistryFilter { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; /** * The field to sort by. * Available values: "name", "email", "createdAt". */ order?: string; /** * Available values: "A1S*INTERNAL", "SNOOPY-CASB*OFFICE*365", "SNOOPY-OFFICE*365", "SNOOPY-GOOGLE_DIRECTORY". */ provenance?: string; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: string; } export interface GetEmailSecurityImpersonationRegistryFilterArgs { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * The field to sort by. * Available values: "name", "email", "createdAt". */ order?: pulumi.Input; /** * Available values: "A1S*INTERNAL", "SNOOPY-CASB*OFFICE*365", "SNOOPY-OFFICE*365", "SNOOPY-GOOGLE_DIRECTORY". */ provenance?: pulumi.Input; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: pulumi.Input; } export interface GetEmailSecurityTrustedDomainsFilter { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; isRecent?: boolean; isSimilarity?: boolean; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: string; pattern?: string; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: string; } export interface GetEmailSecurityTrustedDomainsFilterArgs { /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; isRecent?: pulumi.Input; isSimilarity?: pulumi.Input; /** * The field to sort by. * Available values: "pattern", "createdAt". */ order?: pulumi.Input; pattern?: pulumi.Input; /** * Allows searching in multiple properties of a record simultaneously. * This parameter is intended for human users, not automation. Its exact * behavior is intentionally left unspecified and is subject to change * in the future. */ search?: pulumi.Input; } export interface GetFilterFilter { /** * A case-insensitive string to find in the description. */ description?: string; /** * A case-insensitive string to find in the expression. */ expression?: string; /** * The unique identifier of the filter. */ id?: string; /** * When true, indicates that the filter is currently paused. */ paused?: boolean; /** * The filter ref (a short reference tag) to search for. Must be an exact match. */ ref?: string; } export interface GetFilterFilterArgs { /** * A case-insensitive string to find in the description. */ description?: pulumi.Input; /** * A case-insensitive string to find in the expression. */ expression?: pulumi.Input; /** * The unique identifier of the filter. */ id?: pulumi.Input; /** * When true, indicates that the filter is currently paused. */ paused?: pulumi.Input; /** * The filter ref (a short reference tag) to search for. Must be an exact match. */ ref?: pulumi.Input; } export interface GetLoadBalancerPoolFilter { /** * The ID of the Monitor to use for checking the health of origins within this pool. */ monitor?: string; } export interface GetLoadBalancerPoolFilterArgs { /** * The ID of the Monitor to use for checking the health of origins within this pool. */ monitor?: pulumi.Input; } export interface GetMagicTransitSiteFilter { /** * Identifier */ connectorid?: string; } export interface GetMagicTransitSiteFilterArgs { /** * Identifier */ connectorid?: pulumi.Input; } export interface GetOriginCaCertificateFilter { /** * Limit to the number of records returned. */ limit?: number; /** * Offset the results */ offset?: number; /** * Identifier. */ zoneId: string; } export interface GetOriginCaCertificateFilterArgs { /** * Limit to the number of records returned. */ limit?: pulumi.Input; /** * Offset the results */ offset?: pulumi.Input; /** * Identifier. */ zoneId: pulumi.Input; } export interface GetSchemaValidationSchemasFilter { /** * Omit the source-files of schemas and only retrieve their meta-data. */ omitSource?: boolean; /** * Filter for enabled schemas */ validationEnabled?: boolean; } export interface GetSchemaValidationSchemasFilterArgs { /** * Omit the source-files of schemas and only retrieve their meta-data. */ omitSource?: pulumi.Input; /** * Filter for enabled schemas */ validationEnabled?: pulumi.Input; } export interface GetTurnstileWidgetFilter { /** * Direction to order widgets. * Available values: "asc", "desc". */ direction?: string; /** * Field to order widgets by. * Available values: "id", "sitekey", "name", "created*on", "modified*on". */ order?: string; } export interface GetTurnstileWidgetFilterArgs { /** * Direction to order widgets. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Field to order widgets by. * Available values: "id", "sitekey", "name", "created*on", "modified*on". */ order?: pulumi.Input; } export interface GetUserAgentBlockingRuleFilter { /** * A string to search for in the description of existing rules. */ description?: string; /** * When true, indicates that the rule is currently paused. */ paused?: boolean; /** * A string to search for in the user agent values of existing rules. */ userAgent?: string; } export interface GetUserAgentBlockingRuleFilterArgs { /** * A string to search for in the description of existing rules. */ description?: pulumi.Input; /** * When true, indicates that the rule is currently paused. */ paused?: pulumi.Input; /** * A string to search for in the user agent values of existing rules. */ userAgent?: pulumi.Input; } export interface GetWebAnalyticsSiteFilter { /** * The property used to sort the list of results. * Available values: "host", "created". */ orderBy?: string; } export interface GetWebAnalyticsSiteFilterArgs { /** * The property used to sort the list of results. * Available values: "host", "created". */ orderBy?: pulumi.Input; } export interface GetWorkersCustomDomainFilter { /** * Worker environment associated with the zone and hostname. */ environment?: string; /** * Hostname of the Worker Domain. */ hostname?: string; /** * Worker service associated with the zone and hostname. */ service?: string; /** * Identifier of the zone. */ zoneId?: string; /** * Name of the zone. */ zoneName?: string; } export interface GetWorkersCustomDomainFilterArgs { /** * Worker environment associated with the zone and hostname. */ environment?: pulumi.Input; /** * Hostname of the Worker Domain. */ hostname?: pulumi.Input; /** * Worker service associated with the zone and hostname. */ service?: pulumi.Input; /** * Identifier of the zone. */ zoneId?: pulumi.Input; /** * Name of the zone. */ zoneName?: pulumi.Input; } export interface GetWorkersKvNamespaceFilter { /** * Direction to order namespaces. * Available values: "asc", "desc". */ direction?: string; /** * Field to order results by. * Available values: "id", "title". */ order?: string; } export interface GetWorkersKvNamespaceFilterArgs { /** * Direction to order namespaces. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Field to order results by. * Available values: "id", "title". */ order?: pulumi.Input; } export interface GetZeroTrustAccessApplicationFilter { /** * The aud of the app. */ aud?: string; /** * The domain of the app. */ domain?: string; /** * True for only exact string matches against passed name/domain query parameters. */ exact?: boolean; /** * The name of the app. */ name?: string; /** * Search for apps by other listed query parameters. */ search?: string; } export interface GetZeroTrustAccessApplicationFilterArgs { /** * The aud of the app. */ aud?: pulumi.Input; /** * The domain of the app. */ domain?: pulumi.Input; /** * True for only exact string matches against passed name/domain query parameters. */ exact?: pulumi.Input; /** * The name of the app. */ name?: pulumi.Input; /** * Search for apps by other listed query parameters. */ search?: pulumi.Input; } export interface GetZeroTrustAccessGroupFilter { /** * The name of the group. */ name?: string; /** * Search for groups by other listed query parameters. */ search?: string; } export interface GetZeroTrustAccessGroupFilterArgs { /** * The name of the group. */ name?: pulumi.Input; /** * Search for groups by other listed query parameters. */ search?: pulumi.Input; } export interface GetZeroTrustAccessIdentityProviderFilter { /** * Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled. */ scimEnabled?: string; } export interface GetZeroTrustAccessIdentityProviderFilterArgs { /** * Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled. */ scimEnabled?: pulumi.Input; } export interface GetZeroTrustAccessInfrastructureTargetFilter { /** * Date and time at which the target was created after (inclusive) */ createdAfter?: string; /** * Date and time at which the target was created before (inclusive) */ createdBefore?: string; /** * The sorting direction. * Available values: "asc", "desc". */ direction?: string; /** * Hostname of a target */ hostname?: string; /** * Partial match to the hostname of a target */ hostnameContains?: string; /** * Filters for targets whose IP addresses look like the specified string. * Supports `*` as a wildcard character */ ipLike?: string; /** * IPv4 address of the target */ ipV4?: string; /** * IPv6 address of the target */ ipV6?: string; /** * Filters for targets that have any of the following IP addresses. Specify * `ips` multiple times in query parameter to build list of candidates. */ ips?: string[]; /** * Defines an IPv4 filter range's ending value (inclusive). Requires * `ipv4Start` to be specified as well. */ ipv4End?: string; /** * Defines an IPv4 filter range's starting value (inclusive). Requires * `ipv4End` to be specified as well. */ ipv4Start?: string; /** * Defines an IPv6 filter range's ending value (inclusive). Requires * `ipv6Start` to be specified as well. */ ipv6End?: string; /** * Defines an IPv6 filter range's starting value (inclusive). Requires * `ipv6End` to be specified as well. */ ipv6Start?: string; /** * Date and time at which the target was modified after (inclusive) */ modifiedAfter?: string; /** * Date and time at which the target was modified before (inclusive) */ modifiedBefore?: string; /** * The field to sort by. * Available values: "hostname", "createdAt". */ order?: string; /** * Filters for targets that have any of the following UUIDs. Specify * `targetIds` multiple times in query parameter to build list of * candidates. */ targetIds?: string[]; /** * Private virtual network identifier of the target */ virtualNetworkId?: string; } export interface GetZeroTrustAccessInfrastructureTargetFilterArgs { /** * Date and time at which the target was created after (inclusive) */ createdAfter?: pulumi.Input; /** * Date and time at which the target was created before (inclusive) */ createdBefore?: pulumi.Input; /** * The sorting direction. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Hostname of a target */ hostname?: pulumi.Input; /** * Partial match to the hostname of a target */ hostnameContains?: pulumi.Input; /** * Filters for targets whose IP addresses look like the specified string. * Supports `*` as a wildcard character */ ipLike?: pulumi.Input; /** * IPv4 address of the target */ ipV4?: pulumi.Input; /** * IPv6 address of the target */ ipV6?: pulumi.Input; /** * Filters for targets that have any of the following IP addresses. Specify * `ips` multiple times in query parameter to build list of candidates. */ ips?: pulumi.Input[]>; /** * Defines an IPv4 filter range's ending value (inclusive). Requires * `ipv4Start` to be specified as well. */ ipv4End?: pulumi.Input; /** * Defines an IPv4 filter range's starting value (inclusive). Requires * `ipv4End` to be specified as well. */ ipv4Start?: pulumi.Input; /** * Defines an IPv6 filter range's ending value (inclusive). Requires * `ipv6Start` to be specified as well. */ ipv6End?: pulumi.Input; /** * Defines an IPv6 filter range's starting value (inclusive). Requires * `ipv6End` to be specified as well. */ ipv6Start?: pulumi.Input; /** * Date and time at which the target was modified after (inclusive) */ modifiedAfter?: pulumi.Input; /** * Date and time at which the target was modified before (inclusive) */ modifiedBefore?: pulumi.Input; /** * The field to sort by. * Available values: "hostname", "createdAt". */ order?: pulumi.Input; /** * Filters for targets that have any of the following UUIDs. Specify * `targetIds` multiple times in query parameter to build list of * candidates. */ targetIds?: pulumi.Input[]>; /** * Private virtual network identifier of the target */ virtualNetworkId?: pulumi.Input; } export interface GetZeroTrustAccessServiceTokenFilter { /** * The name of the service token. */ name?: string; /** * Search for service tokens by other listed query parameters. */ search?: string; } export interface GetZeroTrustAccessServiceTokenFilterArgs { /** * The name of the service token. */ name?: pulumi.Input; /** * Search for service tokens by other listed query parameters. */ search?: pulumi.Input; } export interface GetZeroTrustListFilter { /** * The type of list. * Available values: "SERIAL", "URL", "DOMAIN", "EMAIL", "IP". */ type?: string; } export interface GetZeroTrustListFilterArgs { /** * The type of list. * Available values: "SERIAL", "URL", "DOMAIN", "EMAIL", "IP". */ type?: pulumi.Input; } export interface GetZeroTrustTunnelCloudflaredFilter { excludePrefix?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; includePrefix?: string; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: boolean; /** * A user-friendly name for a tunnel. */ name?: string; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: string; /** * UUID of the tunnel. */ uuid?: string; wasActiveAt?: string; wasInactiveAt?: string; } export interface GetZeroTrustTunnelCloudflaredFilterArgs { excludePrefix?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; includePrefix?: pulumi.Input; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: pulumi.Input; /** * A user-friendly name for a tunnel. */ name?: pulumi.Input; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: pulumi.Input; /** * UUID of the tunnel. */ uuid?: pulumi.Input; wasActiveAt?: pulumi.Input; wasInactiveAt?: pulumi.Input; } export interface GetZeroTrustTunnelCloudflaredRouteFilter { /** * Optional remark describing the route. */ comment?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; /** * If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included. */ isDeleted?: boolean; /** * If set, only list routes that are contained within this IP range. */ networkSubset?: string; /** * If set, only list routes that contain this IP range. */ networkSuperset?: string; /** * UUID of the route. */ routeId?: string; /** * The types of tunnels to filter by, separated by commas. */ tunTypes?: string[]; /** * UUID of the tunnel. */ tunnelId?: string; /** * UUID of the virtual network. */ virtualNetworkId?: string; } export interface GetZeroTrustTunnelCloudflaredRouteFilterArgs { /** * Optional remark describing the route. */ comment?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; /** * If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included. */ isDeleted?: pulumi.Input; /** * If set, only list routes that are contained within this IP range. */ networkSubset?: pulumi.Input; /** * If set, only list routes that contain this IP range. */ networkSuperset?: pulumi.Input; /** * UUID of the route. */ routeId?: pulumi.Input; /** * The types of tunnels to filter by, separated by commas. */ tunTypes?: pulumi.Input[]>; /** * UUID of the tunnel. */ tunnelId?: pulumi.Input; /** * UUID of the virtual network. */ virtualNetworkId?: pulumi.Input; } export interface GetZeroTrustTunnelCloudflaredVirtualNetworkFilter { /** * UUID of the virtual network. */ id?: string; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefault?: boolean; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefaultNetwork?: boolean; /** * If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included. */ isDeleted?: boolean; /** * A user-friendly name for the virtual network. */ name?: string; } export interface GetZeroTrustTunnelCloudflaredVirtualNetworkFilterArgs { /** * UUID of the virtual network. */ id?: pulumi.Input; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefault?: pulumi.Input; /** * If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included. */ isDefaultNetwork?: pulumi.Input; /** * If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included. */ isDeleted?: pulumi.Input; /** * A user-friendly name for the virtual network. */ name?: pulumi.Input; } export interface GetZeroTrustTunnelWarpConnectorFilter { excludePrefix?: string; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: string; includePrefix?: string; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: boolean; /** * A user-friendly name for the tunnel. */ name?: string; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: string; /** * UUID of the tunnel. */ uuid?: string; wasActiveAt?: string; wasInactiveAt?: string; } export interface GetZeroTrustTunnelWarpConnectorFilterArgs { excludePrefix?: pulumi.Input; /** * If provided, include only resources that were created (and not deleted) before this time. URL encoded. */ existedAt?: pulumi.Input; includePrefix?: pulumi.Input; /** * If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. */ isDeleted?: pulumi.Input; /** * A user-friendly name for the tunnel. */ name?: pulumi.Input; /** * The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). * Available values: "inactive", "degraded", "healthy", "down". */ status?: pulumi.Input; /** * UUID of the tunnel. */ uuid?: pulumi.Input; wasActiveAt?: pulumi.Input; wasInactiveAt?: pulumi.Input; } export interface GetZoneFilter { account?: inputs.GetZoneFilterAccount; /** * Direction to order zones. * Available values: "asc", "desc". */ direction?: string; /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: string; /** * A domain name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: string; /** * Field to order zones by. * Available values: "name", "status", "account.id", "account.name", "plan.id". */ order?: string; /** * Specify a zone status to filter by. * Available values: "initializing", "pending", "active", "moved". */ status?: string; } export interface GetZoneFilterArgs { account?: pulumi.Input; /** * Direction to order zones. * Available values: "asc", "desc". */ direction?: pulumi.Input; /** * Whether to match all search requirements or at least one (any). * Available values: "any", "all". */ match?: pulumi.Input; /** * A domain name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: pulumi.Input; /** * Field to order zones by. * Available values: "name", "status", "account.id", "account.name", "plan.id". */ order?: pulumi.Input; /** * Specify a zone status to filter by. * Available values: "initializing", "pending", "active", "moved". */ status?: pulumi.Input; } export interface GetZoneFilterAccount { /** * Filter by an account ID. */ id?: string; /** * An account Name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: string; } export interface GetZoneFilterAccountArgs { /** * Filter by an account ID. */ id?: pulumi.Input; /** * An account Name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: pulumi.Input; } export interface GetZoneLockdownFilter { /** * The timestamp of when the rule was created. */ createdOn?: string; /** * A string to search for in the description of existing rules. */ description?: string; /** * A string to search for in the description of existing rules. */ descriptionSearch?: string; /** * A single IP address to search for in existing rules. */ ip?: string; /** * A single IP address range to search for in existing rules. */ ipRangeSearch?: string; /** * A single IP address to search for in existing rules. */ ipSearch?: string; /** * The timestamp of when the rule was last modified. */ modifiedOn?: string; /** * The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority. */ priority?: number; /** * A single URI to search for in the list of URLs of existing rules. */ uriSearch?: string; } export interface GetZoneLockdownFilterArgs { /** * The timestamp of when the rule was created. */ createdOn?: pulumi.Input; /** * A string to search for in the description of existing rules. */ description?: pulumi.Input; /** * A string to search for in the description of existing rules. */ descriptionSearch?: pulumi.Input; /** * A single IP address to search for in existing rules. */ ip?: pulumi.Input; /** * A single IP address range to search for in existing rules. */ ipRangeSearch?: pulumi.Input; /** * A single IP address to search for in existing rules. */ ipSearch?: pulumi.Input; /** * The timestamp of when the rule was last modified. */ modifiedOn?: pulumi.Input; /** * The priority of the rule to control the processing order. A lower number indicates higher priority. If not provided, any rules with a configured priority will be processed before rules without a priority. */ priority?: pulumi.Input; /** * A single URI to search for in the list of URLs of existing rules. */ uriSearch?: pulumi.Input; } export interface GetZonesAccount { /** * Filter by an account ID. */ id?: string; /** * An account Name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: string; } export interface GetZonesAccountArgs { /** * Filter by an account ID. */ id?: pulumi.Input; /** * An account Name. Optional filter operators can be provided to extend refine the search: * * `equal` (default) * * `notEqual` * * `startsWith` * * `endsWith` * * `contains` * * `startsWithCaseSensitive` * * `endsWithCaseSensitive` * * `containsCaseSensitive` */ name?: pulumi.Input; } export interface HealthcheckHttpConfig { /** * Do not validate the certificate when the health check uses HTTPS. */ allowInsecure?: pulumi.Input; /** * A case-insensitive sub-string to look for in the response body. If this string is not found, the origin will be marked as unhealthy. */ expectedBody?: pulumi.Input; /** * The expected HTTP response codes (e.g. "200") or code ranges (e.g. "2xx" for all codes starting with 2) of the health check. */ expectedCodes?: pulumi.Input[]>; /** * Follow redirects if the origin returns a 3xx status code. */ followRedirects?: pulumi.Input; /** * The HTTP request headers to send in the health check. It is recommended you set a Host header by default. The User-Agent header cannot be overridden. */ header?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * The HTTP method to use for the health check. * Available values: "GET", "HEAD". */ method?: pulumi.Input; /** * The endpoint path to health check against. */ path?: pulumi.Input; /** * Port number to connect to for the health check. Defaults to 80 if type is HTTP or 443 if type is HTTPS. */ port?: pulumi.Input; } export interface HealthcheckTcpConfig { /** * The TCP connection method to use for the health check. * Available values: "connectionEstablished". */ method?: pulumi.Input; /** * Port number to connect to for the health check. Defaults to 80. */ port?: pulumi.Input; } export interface HyperdriveConfigCaching { /** * Set to true to disable caching of SQL responses. Default is false. */ disabled?: pulumi.Input; /** * Specify the maximum duration items should persist in the cache. Not returned if set to the default (60). */ maxAge?: pulumi.Input; /** * Specify the number of seconds the cache may serve a stale response. Omitted if set to the default (15). */ staleWhileRevalidate?: pulumi.Input; } export interface HyperdriveConfigMtls { /** * Define CA certificate ID obtained after uploading CA cert. */ caCertificateId?: pulumi.Input; /** * Define mTLS certificate ID obtained after uploading client cert. */ mtlsCertificateId?: pulumi.Input; /** * Set SSL mode to 'require', 'verify-ca', or 'verify-full' to verify the CA. */ sslmode?: pulumi.Input; } export interface HyperdriveConfigOrigin { /** * Defines the Client ID of the Access token to use when connecting to the origin database. */ accessClientId?: pulumi.Input; /** * Defines the Client Secret of the Access Token to use when connecting to the origin database. The API never returns this write-only value. */ accessClientSecret?: pulumi.Input; /** * Set the name of your origin database. */ database: pulumi.Input; /** * Defines the host (hostname or IP) of your origin database. */ host: pulumi.Input; /** * Set the password needed to access your origin database. The API never returns this write-only value. */ password: pulumi.Input; /** * Defines the port (default: 5432 for Postgres) of your origin database. */ port?: pulumi.Input; /** * Specifies the URL scheme used to connect to your origin database. * Available values: "postgres", "postgresql", "mysql". */ scheme: pulumi.Input; /** * Set the user of your origin database. */ user: pulumi.Input; } export interface ImageVariantOptions { /** * The fit property describes how the width and height dimensions should be interpreted. * Available values: "scale-down", "contain", "cover", "crop", "pad". */ fit: pulumi.Input; /** * Maximum height in image pixels. */ height: pulumi.Input; /** * What EXIF data should be preserved in the output image. * Available values: "keep", "copyright", "none". */ metadata: pulumi.Input; /** * Maximum width in image pixels. */ width: pulumi.Input; } export interface ImageVariantVariant { id?: pulumi.Input; /** * Indicates whether the variant can access an image without a signature, regardless of image access control. */ neverRequireSignedUrls?: pulumi.Input; /** * Allows you to define image resizing sizes for different use cases. */ options?: pulumi.Input; } export interface ImageVariantVariantOptions { /** * The fit property describes how the width and height dimensions should be interpreted. * Available values: "scale-down", "contain", "cover", "crop", "pad". */ fit?: pulumi.Input; /** * Maximum height in image pixels. */ height?: pulumi.Input; /** * What EXIF data should be preserved in the output image. * Available values: "keep", "copyright", "none". */ metadata?: pulumi.Input; /** * Maximum width in image pixels. */ width?: pulumi.Input; } export interface KeylessCertificateTunnel { /** * Private IP of the Key Server Host */ privateIp: pulumi.Input; /** * Cloudflare Tunnel Virtual Network ID */ vnetId: pulumi.Input; } export interface ListItem { /** * A non-negative 32 bit integer */ asn?: pulumi.Input; /** * An informative summary of the list item. */ comment?: pulumi.Input; /** * Valid characters for hostnames are ASCII(7) letters from a to z, the digits from 0 to 9, wildcards (*), and the hyphen (-). */ hostname?: pulumi.Input; /** * An IPv4 address, an IPv4 CIDR, an IPv6 address, or an IPv6 CIDR. */ ip?: pulumi.Input; /** * The definition of the redirect. */ redirect?: pulumi.Input; } export interface ListItemHostname { /** * Only applies to wildcard hostnames (e.g., *.example.com). When true (default), only subdomains are blocked. When false, both the root domain and subdomains are blocked. */ excludeExactHostname?: pulumi.Input; urlHostname: pulumi.Input; } export interface ListItemRedirect { includeSubdomains?: pulumi.Input; preservePathSuffix?: pulumi.Input; preserveQueryString?: pulumi.Input; sourceUrl: pulumi.Input; /** * Available values: 301, 302, 307, 308. */ statusCode?: pulumi.Input; subpathMatching?: pulumi.Input; targetUrl: pulumi.Input; } export interface LoadBalancerAdaptiveRouting { /** * Extends zero-downtime failover of requests to healthy origins from alternate pools, when no healthy alternate exists in the same pool, according to the failover order defined by traffic and origin steering. When set false (the default) zero-downtime failover will only occur between origins within the same pool. See `sessionAffinityAttributes` for control over when sessions are broken or reassigned. */ failoverAcrossPools?: pulumi.Input; } export interface LoadBalancerLocationStrategy { /** * Determines the authoritative location when ECS is not preferred, does not exist in the request, or its GeoIP lookup is unsuccessful. */ mode?: pulumi.Input; /** * Whether the EDNS Client Subnet (ECS) GeoIP should be preferred as the authoritative location. */ preferEcs?: pulumi.Input; } export interface LoadBalancerPoolLoadShedding { /** * The percent of traffic to shed from the pool, according to the default policy. Applies to new sessions and traffic without session affinity. */ defaultPercent?: pulumi.Input; /** * The default policy to use when load shedding. A random policy randomly sheds a given percent of requests. A hash policy computes a hash over the CF-Connecting-IP address and sheds all requests originating from a percent of IPs. * Available values: "random", "hash". */ defaultPolicy?: pulumi.Input; /** * The percent of existing sessions to shed from the pool, according to the session policy. */ sessionPercent?: pulumi.Input; /** * Only the hash policy is supported for existing sessions (to avoid exponential decay). * Available values: "hash". */ sessionPolicy?: pulumi.Input; } export interface LoadBalancerPoolNotificationFilter { /** * Filter options for a particular resource type (pool or origin). Use null to reset. */ origin?: pulumi.Input; /** * Filter options for a particular resource type (pool or origin). Use null to reset. */ pool?: pulumi.Input; } export interface LoadBalancerPoolNotificationFilterOrigin { /** * If set true, disable notifications for this type of resource (pool or origin). */ disable?: pulumi.Input; /** * If present, send notifications only for this health status (e.g. false for only DOWN events). Use null to reset (all events). */ healthy?: pulumi.Input; } export interface LoadBalancerPoolNotificationFilterPool { /** * If set true, disable notifications for this type of resource (pool or origin). */ disable?: pulumi.Input; /** * If present, send notifications only for this health status (e.g. false for only DOWN events). Use null to reset (all events). */ healthy?: pulumi.Input; } export interface LoadBalancerPoolOrigin { /** * The IP address (IPv4 or IPv6) of the origin, or its publicly addressable hostname. Hostnames entered here should resolve directly to the origin, and not be a hostname proxied by Cloudflare. To set an internal/reserved address, virtual*network*id must also be set. */ address?: pulumi.Input; /** * This field shows up only if the origin is disabled. This field is set with the time the origin was disabled. */ disabledAt?: pulumi.Input; /** * Whether to enable (the default) this origin within the pool. Disabled origins will not receive traffic and are excluded from health checks. The origin will only be disabled for the current pool. */ enabled?: pulumi.Input; /** * The request header is used to pass additional information with an HTTP request. Currently supported header is 'Host'. */ header?: pulumi.Input; /** * A human-identifiable name for the origin. */ name?: pulumi.Input; /** * The port for upstream connections. A value of 0 means the default port for the protocol will be used. */ port?: pulumi.Input; /** * The virtual network subnet ID the origin belongs in. Virtual network must also belong to the account. */ virtualNetworkId?: pulumi.Input; /** * The weight of this origin relative to other origins in the pool. Based on the configured weight the total traffic is distributed among origins within the pool. */ weight?: pulumi.Input; } export interface LoadBalancerPoolOriginHeader { /** * The 'Host' header allows to override the hostname set in the HTTP request. Current support is 1 'Host' header override per origin. */ hosts?: pulumi.Input[]>; } export interface LoadBalancerPoolOriginSteering { /** * The type of origin steering policy to use. */ policy?: pulumi.Input; } export interface LoadBalancerRandomSteering { /** * The default weight for pools in the load balancer that are not specified in the poolWeights map. */ defaultWeight?: pulumi.Input; /** * A mapping of pool IDs to custom weights. The weight is relative to other pools in the load balancer. */ poolWeights?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface LoadBalancerRule { /** * The condition expressions to evaluate. If the condition evaluates to true, the overrides or fixedResponse in this rule will be applied. An empty condition is always true. For more details on condition expressions, please see https://developers.cloudflare.com/load-balancing/understand-basics/load-balancing-rules/expressions. */ condition?: pulumi.Input; /** * Disable this specific rule. It will no longer be evaluated by this load balancer. */ disabled?: pulumi.Input; /** * A collection of fields used to directly respond to the eyeball instead of routing to a pool. If a fixed*response is supplied the rule will be marked as terminates. */ fixedResponse?: pulumi.Input; /** * Name of this rule. Only used for human readability. */ name?: pulumi.Input; /** * A collection of overrides to apply to the load balancer when this rule's condition is true. All fields are optional. */ overrides?: pulumi.Input; /** * The order in which rules should be executed in relation to each other. Lower values are executed first. Values do not need to be sequential. If no value is provided for any rule the array order of the rules field will be used to assign a priority. */ priority?: pulumi.Input; /** * If this rule's condition is true, this causes rule evaluation to stop after processing this rule. */ terminates?: pulumi.Input; } export interface LoadBalancerRuleFixedResponse { /** * The http 'Content-Type' header to include in the response. */ contentType?: pulumi.Input; /** * The http 'Location' header to include in the response. */ location?: pulumi.Input; /** * Text to include as the http body. */ messageBody?: pulumi.Input; /** * The http status code to respond with. */ statusCode?: pulumi.Input; } export interface LoadBalancerRuleOverrides { /** * Controls features that modify the routing of requests to pools and origins in response to dynamic conditions, such as during the interval between active health monitoring requests. For example, zero-downtime failover occurs immediately when an origin becomes unavailable due to HTTP 521, 522, or 523 response codes. If there is another healthy origin in the same pool, the request is retried once against this alternate origin. */ adaptiveRouting?: pulumi.Input; /** * A mapping of country codes to a list of pool IDs (ordered by their failover priority) for the given country. Any country not explicitly defined will fall back to using the corresponding region*pool mapping if it exists else to default*pools. */ countryPools?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * A list of pool IDs ordered by their failover priority. Pools defined here are used by default, or when regionPools are not configured for a given region. */ defaultPools?: pulumi.Input[]>; /** * The pool ID to use when all other pools are detected as unhealthy. */ fallbackPool?: pulumi.Input; /** * Controls location-based steering for non-proxied requests. See `steeringPolicy` to learn how steering is affected. */ locationStrategy?: pulumi.Input; /** * Enterprise only: A mapping of Cloudflare PoP identifiers to a list of pool IDs (ordered by their failover priority) for the PoP (datacenter). Any PoPs not explicitly defined will fall back to using the corresponding country*pool, then region*pool mapping if it exists else to default_pools. */ popPools?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Configures pool weights. */ randomSteering?: pulumi.Input; /** * A mapping of region codes to a list of pool IDs (ordered by their failover priority) for the given region. Any regions not explicitly defined will fall back to using default_pools. */ regionPools?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Specifies the type of session affinity the load balancer should use unless specified as `"none"`. The supported types are: - `"cookie"`: On the first request to a proxied load balancer, a cookie is generated, encoding information of which origin the request will be forwarded to. Subsequent requests, by the same client to the same load balancer, will be sent to the origin server the cookie encodes, for the duration of the cookie and as long as the origin server remains healthy. If the cookie has expired or the origin server is unhealthy, then a new origin server is calculated and used. - `"ipCookie"`: Behaves the same as `"cookie"` except the initial origin selection is stable and based on the client's ip address. - `"header"`: On the first request to a proxied load balancer, a session key based on the configured HTTP headers (see `session_affinity_attributes.headers`) is generated, encoding the request headers used for storing in the load balancer session state which origin the request will be forwarded to. Subsequent requests to the load balancer with the same headers will be sent to the same origin server, for the duration of the session and as long as the origin server remains healthy. If the session has been idle for the duration of `sessionAffinityTtl` seconds or the origin server is unhealthy, then a new origin server is calculated and used. See `headers` in `sessionAffinityAttributes` for additional required configuration. * Available values: "none", "cookie", "ipCookie", "header". */ sessionAffinity?: pulumi.Input; /** * Configures attributes for session affinity. */ sessionAffinityAttributes?: pulumi.Input; /** * Time, in seconds, until a client's session expires after being created. Once the expiry time has been reached, subsequent requests may get sent to a different origin server. The accepted ranges per `sessionAffinity` policy are: - `"cookie"` / `"ipCookie"`: The current default of 23 hours will be used unless explicitly set. The accepted range of values is between [1800, 604800]. - `"header"`: The current default of 1800 seconds will be used unless explicitly set. The accepted range of values is between [30, 3600]. Note: With session affinity by header, sessions only expire after they haven't been used for the number of seconds specified. */ sessionAffinityTtl?: pulumi.Input; /** * Steering Policy for this load balancer. */ steeringPolicy?: pulumi.Input; /** * Time to live (TTL) of the DNS entry for the IP address returned by this load balancer. This only applies to gray-clouded (unproxied) load balancers. */ ttl?: pulumi.Input; } export interface LoadBalancerRuleOverridesAdaptiveRouting { /** * Extends zero-downtime failover of requests to healthy origins from alternate pools, when no healthy alternate exists in the same pool, according to the failover order defined by traffic and origin steering. When set false (the default) zero-downtime failover will only occur between origins within the same pool. See `sessionAffinityAttributes` for control over when sessions are broken or reassigned. */ failoverAcrossPools?: pulumi.Input; } export interface LoadBalancerRuleOverridesLocationStrategy { /** * Determines the authoritative location when ECS is not preferred, does not exist in the request, or its GeoIP lookup is unsuccessful. */ mode?: pulumi.Input; /** * Whether the EDNS Client Subnet (ECS) GeoIP should be preferred as the authoritative location. */ preferEcs?: pulumi.Input; } export interface LoadBalancerRuleOverridesRandomSteering { /** * The default weight for pools in the load balancer that are not specified in the poolWeights map. */ defaultWeight?: pulumi.Input; /** * A mapping of pool IDs to custom weights. The weight is relative to other pools in the load balancer. */ poolWeights?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface LoadBalancerRuleOverridesSessionAffinityAttributes { /** * Configures the drain duration in seconds. This field is only used when session affinity is enabled on the load balancer. */ drainDuration?: pulumi.Input; /** * Configures the names of HTTP headers to base session affinity on when header `sessionAffinity` is enabled. At least one HTTP header name must be provided. To specify the exact cookies to be used, include an item in the following format: `"cookie:,"` (example) where everything after the colon is a comma-separated list of cookie names. Providing only `"cookie"` will result in all cookies being used. The default max number of HTTP header names that can be provided depends on your plan: 5 for Enterprise, 1 for all other plans. */ headers?: pulumi.Input[]>; /** * When header `sessionAffinity` is enabled, this option can be used to specify how HTTP headers on load balancing requests will be used. The supported values are: - `"true"`: Load balancing requests must contain *all* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created. - `"false"`: Load balancing requests must contain *at least one* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created. */ requireAllHeaders?: pulumi.Input; /** * Configures the SameSite attribute on session affinity cookie. Value "Auto" will be translated to "Lax" or "None" depending if Always Use HTTPS is enabled. Note: when using value "None", the secure attribute can not be set to "Never". * Available values: "Auto", "Lax", "None", "Strict". */ samesite?: pulumi.Input; /** * Configures the Secure attribute on session affinity cookie. Value "Always" indicates the Secure attribute will be set in the Set-Cookie header, "Never" indicates the Secure attribute will not be set, and "Auto" will set the Secure attribute depending if Always Use HTTPS is enabled. * Available values: "Auto", "Always", "Never". */ secure?: pulumi.Input; /** * Configures the zero-downtime failover between origins within a pool when session affinity is enabled. This feature is currently incompatible with Argo, Tiered Cache, and Bandwidth Alliance. The supported values are: - `"none"`: No failover takes place for sessions pinned to the origin (default). - `"temporary"`: Traffic will be sent to another other healthy origin until the originally pinned origin is available; note that this can potentially result in heavy origin flapping. - `"sticky"`: The session affinity cookie is updated and subsequent requests are sent to the new origin. Note: Zero-downtime failover with sticky sessions is currently not supported for session affinity by header. * Available values: "none", "temporary", "sticky". */ zeroDowntimeFailover?: pulumi.Input; } export interface LoadBalancerSessionAffinityAttributes { /** * Configures the drain duration in seconds. This field is only used when session affinity is enabled on the load balancer. */ drainDuration?: pulumi.Input; /** * Configures the names of HTTP headers to base session affinity on when header `sessionAffinity` is enabled. At least one HTTP header name must be provided. To specify the exact cookies to be used, include an item in the following format: `"cookie:,"` (example) where everything after the colon is a comma-separated list of cookie names. Providing only `"cookie"` will result in all cookies being used. The default max number of HTTP header names that can be provided depends on your plan: 5 for Enterprise, 1 for all other plans. */ headers?: pulumi.Input[]>; /** * When header `sessionAffinity` is enabled, this option can be used to specify how HTTP headers on load balancing requests will be used. The supported values are: - `"true"`: Load balancing requests must contain *all* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created. - `"false"`: Load balancing requests must contain *at least one* of the HTTP headers specified by the `headers` session affinity attribute, otherwise sessions aren't created. */ requireAllHeaders?: pulumi.Input; /** * Configures the SameSite attribute on session affinity cookie. Value "Auto" will be translated to "Lax" or "None" depending if Always Use HTTPS is enabled. Note: when using value "None", the secure attribute can not be set to "Never". * Available values: "Auto", "Lax", "None", "Strict". */ samesite?: pulumi.Input; /** * Configures the Secure attribute on session affinity cookie. Value "Always" indicates the Secure attribute will be set in the Set-Cookie header, "Never" indicates the Secure attribute will not be set, and "Auto" will set the Secure attribute depending if Always Use HTTPS is enabled. * Available values: "Auto", "Always", "Never". */ secure?: pulumi.Input; /** * Configures the zero-downtime failover between origins within a pool when session affinity is enabled. This feature is currently incompatible with Argo, Tiered Cache, and Bandwidth Alliance. The supported values are: - `"none"`: No failover takes place for sessions pinned to the origin (default). - `"temporary"`: Traffic will be sent to another other healthy origin until the originally pinned origin is available; note that this can potentially result in heavy origin flapping. - `"sticky"`: The session affinity cookie is updated and subsequent requests are sent to the new origin. Note: Zero-downtime failover with sticky sessions is currently not supported for session affinity by header. * Available values: "none", "temporary", "sticky". */ zeroDowntimeFailover?: pulumi.Input; } export interface LogpushJobOutputOptions { /** * String to be prepended before each batch. */ batchPrefix?: pulumi.Input; /** * String to be appended after each batch. */ batchSuffix?: pulumi.Input; /** * If set to true, will cause all occurrences of `${` in the generated files to be replaced with `x{`. */ cve202144228?: pulumi.Input; /** * String to join fields. This field be ignored when `recordTemplate` is set. */ fieldDelimiter?: pulumi.Input; /** * List of field names to be included in the Logpush output. For the moment, there is no option to add all fields at once, so you must specify all the fields names you are interested in. */ fieldNames?: pulumi.Input[]>; /** * Specifies the output type, such as `ndjson` or `csv`. This sets default values for the rest of the settings, depending on the chosen output type. Some formatting rules, like string quoting, are different between output types. * Available values: "ndjson", "csv". */ outputType?: pulumi.Input; /** * String to be inserted in-between the records as separator. */ recordDelimiter?: pulumi.Input; /** * String to be prepended before each record. */ recordPrefix?: pulumi.Input; /** * String to be appended after each record. */ recordSuffix?: pulumi.Input; /** * String to use as template for each record instead of the default json key value mapping. All fields used in the template must be present in `fieldNames` as well, otherwise they will end up as null. Format as a Go `text/template` without any standard functions, like conditionals, loops, sub-templates, etc. */ recordTemplate?: pulumi.Input; /** * Floating number to specify sampling rate. Sampling is applied on top of filtering, and regardless of the current `sampleInterval` of the data. */ sampleRate?: pulumi.Input; /** * String to specify the format for timestamps, such as `unixnano`, `unix`, or `rfc3339`. * Available values: "unixnano", "unix", "rfc3339". */ timestampFormat?: pulumi.Input; } export interface MagicNetworkMonitoringConfigurationWarpDevice { /** * Unique identifier for the warp device. */ id: pulumi.Input; /** * Name of the warp device. */ name: pulumi.Input; /** * IPv4 CIDR of the router sourcing flow data associated with this warp device. Only /32 addresses are currently supported. */ routerIp: pulumi.Input; } export interface MagicTransitConnectorDevice { id?: pulumi.Input; serialNumber?: pulumi.Input; } export interface MagicTransitSiteAclLan1 { /** * The identifier for the LAN you want to create an ACL policy with. */ lanId: pulumi.Input; /** * The name of the LAN based on the provided lan_id. */ lanName?: pulumi.Input; /** * Array of port ranges on the provided LAN that will be included in the ACL. If no ports or port rangess are provided, communication on any port on this LAN is allowed. */ portRanges?: pulumi.Input[]>; /** * Array of ports on the provided LAN that will be included in the ACL. If no ports or port ranges are provided, communication on any port on this LAN is allowed. */ ports?: pulumi.Input[]>; /** * Array of subnet IPs within the LAN that will be included in the ACL. If no subnets are provided, communication on any subnets on this LAN are allowed. */ subnets?: pulumi.Input[]>; } export interface MagicTransitSiteAclLan2 { /** * The identifier for the LAN you want to create an ACL policy with. */ lanId: pulumi.Input; /** * The name of the LAN based on the provided lan_id. */ lanName?: pulumi.Input; /** * Array of port ranges on the provided LAN that will be included in the ACL. If no ports or port rangess are provided, communication on any port on this LAN is allowed. */ portRanges?: pulumi.Input[]>; /** * Array of ports on the provided LAN that will be included in the ACL. If no ports or port ranges are provided, communication on any port on this LAN is allowed. */ ports?: pulumi.Input[]>; /** * Array of subnet IPs within the LAN that will be included in the ACL. If no subnets are provided, communication on any subnets on this LAN are allowed. */ subnets?: pulumi.Input[]>; } export interface MagicTransitSiteLanNat { /** * A valid CIDR notation representing an IP range. */ staticPrefix?: pulumi.Input; } export interface MagicTransitSiteLanRoutedSubnet { nat?: pulumi.Input; /** * A valid IPv4 address. */ nextHop: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ prefix: pulumi.Input; } export interface MagicTransitSiteLanRoutedSubnetNat { /** * A valid CIDR notation representing an IP range. */ staticPrefix?: pulumi.Input; } export interface MagicTransitSiteLanStaticAddressing { /** * A valid CIDR notation representing an IP range. */ address: pulumi.Input; dhcpRelay?: pulumi.Input; dhcpServer?: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ secondaryAddress?: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ virtualAddress?: pulumi.Input; } export interface MagicTransitSiteLanStaticAddressingDhcpRelay { /** * List of DHCP server IPs. */ serverAddresses?: pulumi.Input[]>; } export interface MagicTransitSiteLanStaticAddressingDhcpServer { /** * A valid IPv4 address. */ dhcpPoolEnd?: pulumi.Input; /** * A valid IPv4 address. */ dhcpPoolStart?: pulumi.Input; /** * A valid IPv4 address. */ dnsServer?: pulumi.Input; dnsServers?: pulumi.Input[]>; /** * Mapping of MAC addresses to IP addresses */ reservations?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface MagicTransitSiteLocation { /** * Latitude */ lat?: pulumi.Input; /** * Longitude */ lon?: pulumi.Input; } export interface MagicTransitSiteWanStaticAddressing { /** * A valid CIDR notation representing an IP range. */ address: pulumi.Input; /** * A valid IPv4 address. */ gatewayAddress: pulumi.Input; /** * A valid CIDR notation representing an IP range. */ secondaryAddress?: pulumi.Input; } export interface MagicWanGreTunnelHealthCheck { /** * The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel. * Available values: "unidirectional", "bidirectional". */ direction?: pulumi.Input; /** * Determines whether to run healthchecks for a tunnel. */ enabled?: pulumi.Input; /** * How frequent the health check is run. The default value is `mid`. * Available values: "low", "mid", "high". */ rate?: pulumi.Input; /** * The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customerGreEndpoint address`. This field is ignored for bidirectional healthchecks as the interface*address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false. */ target?: pulumi.Input; /** * The type of healthcheck to run, reply or request. The default value is `reply`. * Available values: "reply", "request". */ type?: pulumi.Input; } export interface MagicWanGreTunnelHealthCheckTarget { /** * The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests. */ effective?: pulumi.Input; /** * The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used. */ saved?: pulumi.Input; } export interface MagicWanIpsecTunnelHealthCheck { /** * The direction of the flow of the healthcheck. Either unidirectional, where the probe comes to you via the tunnel and the result comes back to Cloudflare via the open Internet, or bidirectional where both the probe and result come and go via the tunnel. * Available values: "unidirectional", "bidirectional". */ direction?: pulumi.Input; /** * Determines whether to run healthchecks for a tunnel. */ enabled?: pulumi.Input; /** * How frequent the health check is run. The default value is `mid`. * Available values: "low", "mid", "high". */ rate?: pulumi.Input; /** * The destination address in a request type health check. After the healthcheck is decapsulated at the customer end of the tunnel, the ICMP echo will be forwarded to this address. This field defaults to `customerGreEndpoint address`. This field is ignored for bidirectional healthchecks as the interface*address (not assigned to the Cloudflare side of the tunnel) is used as the target. Must be in object form if the x-magic-new-hc-target header is set to true and string form if x-magic-new-hc-target is absent or set to false. */ target?: pulumi.Input; /** * The type of healthcheck to run, reply or request. The default value is `reply`. * Available values: "reply", "request". */ type?: pulumi.Input; } export interface MagicWanIpsecTunnelHealthCheckTarget { /** * The effective health check target. If 'saved' is empty, then this field will be populated with the calculated default value on GET requests. Ignored in POST, PUT, and PATCH requests. */ effective?: pulumi.Input; /** * The saved health check target. Setting the value to the empty string indicates that the calculated default value will be used. */ saved?: pulumi.Input; } export interface MagicWanIpsecTunnelPskMetadata { /** * The date and time the tunnel was last modified. */ lastGeneratedOn?: pulumi.Input; } export interface MagicWanStaticRouteScope { /** * List of colo names for the ECMP scope. */ coloNames?: pulumi.Input[]>; /** * List of colo regions for the ECMP scope. */ coloRegions?: pulumi.Input[]>; } export interface ManagedHeadersManagedRequestHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface ManagedHeadersManagedResponseHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface ManagedTransformsManagedRequestHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface ManagedTransformsManagedResponseHeader { /** * Whether the Managed Transform is enabled. */ enabled: pulumi.Input; /** * The human-readable identifier of the Managed Transform. */ id: pulumi.Input; } export interface NotificationPolicyFilters { /** * Usage depends on specific alert type */ actions?: pulumi.Input[]>; /** * Used for configuring radar_notification */ affectedAsns?: pulumi.Input[]>; /** * Used for configuring incident_alert */ affectedComponents?: pulumi.Input[]>; /** * Used for configuring radar_notification */ affectedLocations?: pulumi.Input[]>; /** * Used for configuring maintenance*event*notification */ airportCodes?: pulumi.Input[]>; /** * Usage depends on specific alert type */ alertTriggerPreferences?: pulumi.Input[]>; /** * Usage depends on specific alert type */ alertTriggerPreferencesValues?: pulumi.Input[]>; /** * Used for configuring load*balancing*pool*enablement*alert */ enableds?: pulumi.Input[]>; /** * Used for configuring pages*event*alert */ environments?: pulumi.Input[]>; /** * Used for configuring load*balancing*health_alert */ eventSources?: pulumi.Input[]>; /** * Usage depends on specific alert type */ eventTypes?: pulumi.Input[]>; /** * Used for configuring pages*event*alert */ events?: pulumi.Input[]>; /** * Usage depends on specific alert type */ groupBies?: pulumi.Input[]>; /** * Used for configuring health*check*status_notification */ healthCheckIds?: pulumi.Input[]>; /** * Used for configuring incident_alert */ incidentImpacts?: pulumi.Input[]>; /** * Used for configuring stream*live*notifications */ inputIds?: pulumi.Input[]>; /** * Used for configuring security*insights*alert */ insightClasses?: pulumi.Input[]>; /** * Used for configuring billing*usage*alert */ limits?: pulumi.Input[]>; /** * Used for configuring logo*match*alert */ logoTags?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l4*alert */ megabitsPerSeconds?: pulumi.Input[]>; /** * Used for configuring load*balancing*health_alert */ newHealths?: pulumi.Input[]>; /** * Used for configuring tunnel*health*event */ newStatuses?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l4*alert */ packetsPerSeconds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ poolIds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ popNames?: pulumi.Input[]>; /** * Used for configuring billing*usage*alert */ products?: pulumi.Input[]>; /** * Used for configuring pages*event*alert */ projectIds?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l4*alert */ protocols?: pulumi.Input[]>; /** * Usage depends on specific alert type */ queryTags?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l7*alert */ requestsPerSeconds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ selectors?: pulumi.Input[]>; /** * Used for configuring clickhouse*alert*fw*ent*anomaly */ services?: pulumi.Input[]>; /** * Usage depends on specific alert type */ slos?: pulumi.Input[]>; /** * Used for configuring health*check*status_notification */ statuses?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l7*alert */ targetHostnames?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l4*alert */ targetIps?: pulumi.Input[]>; /** * Used for configuring advanced*ddos*attack*l7*alert */ targetZoneNames?: pulumi.Input[]>; /** * Used for configuring traffic*anomalies*alert */ trafficExclusions?: pulumi.Input[]>; /** * Used for configuring tunnel*health*event */ tunnelIds?: pulumi.Input[]>; /** * Usage depends on specific alert type */ tunnelNames?: pulumi.Input[]>; /** * Usage depends on specific alert type */ wheres?: pulumi.Input[]>; /** * Usage depends on specific alert type */ zones?: pulumi.Input[]>; } export interface NotificationPolicyMechanisms { emails?: pulumi.Input[]>; pagerduties?: pulumi.Input[]>; webhooks?: pulumi.Input[]>; } export interface NotificationPolicyMechanismsEmail { /** * The email address */ id?: pulumi.Input; } export interface NotificationPolicyMechanismsPagerduty { /** * UUID */ id?: pulumi.Input; } export interface NotificationPolicyMechanismsWebhook { /** * UUID */ id?: pulumi.Input; } export interface ObservatoryScheduledTestSchedule { /** * The frequency of the test. * Available values: "DAILY", "WEEKLY". */ frequency?: pulumi.Input; /** * A test region. * Available values: "asia-east1", "asia-northeast1", "asia-northeast2", "asia-south1", "asia-southeast1", "australia-southeast1", "europe-north1", "europe-southwest1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west8", "europe-west9", "me-west1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-south1", "us-west1". */ region?: pulumi.Input; /** * A URL. */ url?: pulumi.Input; } export interface ObservatoryScheduledTestTest { date?: pulumi.Input; /** * The Lighthouse report. */ desktopReport?: pulumi.Input; /** * UUID. */ id?: pulumi.Input; /** * The Lighthouse report. */ mobileReport?: pulumi.Input; /** * A test region with a label. */ region?: pulumi.Input; /** * The frequency of the test. * Available values: "DAILY", "WEEKLY". */ scheduleFrequency?: pulumi.Input; /** * A URL. */ url?: pulumi.Input; } export interface ObservatoryScheduledTestTestDesktopReport { /** * Cumulative Layout Shift. */ cls?: pulumi.Input; /** * The type of device. * Available values: "DESKTOP", "MOBILE". */ deviceType?: pulumi.Input; error?: pulumi.Input; /** * First Contentful Paint. */ fcp?: pulumi.Input; /** * The URL to the full Lighthouse JSON report. */ jsonReportUrl?: pulumi.Input; /** * Largest Contentful Paint. */ lcp?: pulumi.Input; /** * The Lighthouse performance score. */ performanceScore?: pulumi.Input; /** * Speed Index. */ si?: pulumi.Input; /** * The state of the Lighthouse report. * Available values: "RUNNING", "COMPLETE", "FAILED". */ state?: pulumi.Input; /** * Total Blocking Time. */ tbt?: pulumi.Input; /** * Time To First Byte. */ ttfb?: pulumi.Input; /** * Time To Interactive. */ tti?: pulumi.Input; } export interface ObservatoryScheduledTestTestDesktopReportError { /** * The error code of the Lighthouse result. * Available values: "NOT*REACHABLE", "DNS*FAILURE", "NOT*HTML", "LIGHTHOUSE*TIMEOUT", "UNKNOWN". */ code?: pulumi.Input; /** * Detailed error message. */ detail?: pulumi.Input; /** * The final URL displayed to the user. */ finalDisplayedUrl?: pulumi.Input; } export interface ObservatoryScheduledTestTestMobileReport { /** * Cumulative Layout Shift. */ cls?: pulumi.Input; /** * The type of device. * Available values: "DESKTOP", "MOBILE". */ deviceType?: pulumi.Input; error?: pulumi.Input; /** * First Contentful Paint. */ fcp?: pulumi.Input; /** * The URL to the full Lighthouse JSON report. */ jsonReportUrl?: pulumi.Input; /** * Largest Contentful Paint. */ lcp?: pulumi.Input; /** * The Lighthouse performance score. */ performanceScore?: pulumi.Input; /** * Speed Index. */ si?: pulumi.Input; /** * The state of the Lighthouse report. * Available values: "RUNNING", "COMPLETE", "FAILED". */ state?: pulumi.Input; /** * Total Blocking Time. */ tbt?: pulumi.Input; /** * Time To First Byte. */ ttfb?: pulumi.Input; /** * Time To Interactive. */ tti?: pulumi.Input; } export interface ObservatoryScheduledTestTestMobileReportError { /** * The error code of the Lighthouse result. * Available values: "NOT*REACHABLE", "DNS*FAILURE", "NOT*HTML", "LIGHTHOUSE*TIMEOUT", "UNKNOWN". */ code?: pulumi.Input; /** * Detailed error message. */ detail?: pulumi.Input; /** * The final URL displayed to the user. */ finalDisplayedUrl?: pulumi.Input; } export interface ObservatoryScheduledTestTestRegion { label?: pulumi.Input; /** * A test region. * Available values: "asia-east1", "asia-northeast1", "asia-northeast2", "asia-south1", "asia-southeast1", "australia-southeast1", "europe-north1", "europe-southwest1", "europe-west1", "europe-west2", "europe-west3", "europe-west4", "europe-west8", "europe-west9", "me-west1", "southamerica-east1", "us-central1", "us-east1", "us-east4", "us-south1", "us-west1". */ value?: pulumi.Input; } export interface PageRuleActions { alwaysUseHttps?: pulumi.Input; automaticHttpsRewrites?: pulumi.Input; browserCacheTtl?: pulumi.Input; browserCheck?: pulumi.Input; bypassCacheOnCookie?: pulumi.Input; cacheByDeviceType?: pulumi.Input; cacheDeceptionArmor?: pulumi.Input; cacheKeyFields?: pulumi.Input; cacheLevel?: pulumi.Input; cacheOnCookie?: pulumi.Input; cacheTtlByStatus?: pulumi.Input<{ [key: string]: pulumi.Input; }>; disableApps?: pulumi.Input; disablePerformance?: pulumi.Input; disableSecurity?: pulumi.Input; disableZaraz?: pulumi.Input; edgeCacheTtl?: pulumi.Input; emailObfuscation?: pulumi.Input; explicitCacheControl?: pulumi.Input; forwardingUrl?: pulumi.Input; hostHeaderOverride?: pulumi.Input; ipGeolocation?: pulumi.Input; mirage?: pulumi.Input; opportunisticEncryption?: pulumi.Input; originErrorPagePassThru?: pulumi.Input; polish?: pulumi.Input; resolveOverride?: pulumi.Input; respectStrongEtag?: pulumi.Input; responseBuffering?: pulumi.Input; rocketLoader?: pulumi.Input; securityLevel?: pulumi.Input; sortQueryStringForCache?: pulumi.Input; ssl?: pulumi.Input; trueClientIpHeader?: pulumi.Input; waf?: pulumi.Input; } export interface PageRuleActionsCacheKeyFields { cookie?: pulumi.Input; header?: pulumi.Input; host?: pulumi.Input; queryString?: pulumi.Input; user?: pulumi.Input; } export interface PageRuleActionsCacheKeyFieldsCookie { checkPresences?: pulumi.Input[]>; includes?: pulumi.Input[]>; } export interface PageRuleActionsCacheKeyFieldsHeader { checkPresences?: pulumi.Input[]>; excludes?: pulumi.Input[]>; includes?: pulumi.Input[]>; } export interface PageRuleActionsCacheKeyFieldsHost { resolved?: pulumi.Input; } export interface PageRuleActionsCacheKeyFieldsQueryString { excludes?: pulumi.Input[]>; includes?: pulumi.Input[]>; } export interface PageRuleActionsCacheKeyFieldsUser { deviceType?: pulumi.Input; geo?: pulumi.Input; lang?: pulumi.Input; } export interface PageRuleActionsForwardingUrl { statusCode: pulumi.Input; url: pulumi.Input; } export interface PagesDomainValidationData { errorMessage?: pulumi.Input; /** * Available values: "http", "txt". */ method?: pulumi.Input; /** * Available values: "initializing", "pending", "active", "deactivated", "error". */ status?: pulumi.Input; txtName?: pulumi.Input; txtValue?: pulumi.Input; } export interface PagesDomainVerificationData { errorMessage?: pulumi.Input; /** * Available values: "pending", "active", "deactivated", "blocked", "error". */ status?: pulumi.Input; } export interface PagesProjectBuildConfig { /** * Enable build caching for the project. */ buildCaching?: pulumi.Input; /** * Command used to build project. */ buildCommand?: pulumi.Input; /** * Output directory of the build. */ destinationDir?: pulumi.Input; /** * Directory to run the command. */ rootDir?: pulumi.Input; /** * The classifying tag for analytics. */ webAnalyticsTag?: pulumi.Input; /** * The auth token for analytics. */ webAnalyticsToken?: pulumi.Input; } export interface PagesProjectCanonicalDeployment { /** * A list of alias URLs pointing to this deployment. */ aliases?: pulumi.Input[]>; /** * Configs for the project build process. */ buildConfig?: pulumi.Input; /** * When the deployment was created. */ createdOn?: pulumi.Input; /** * Info about what caused the deployment. */ deploymentTrigger?: pulumi.Input; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Type of deploy. * Available values: "preview", "production". */ environment?: pulumi.Input; /** * Id of the deployment. */ id?: pulumi.Input; /** * If the deployment has been skipped. */ isSkipped?: pulumi.Input; /** * The status of the deployment. */ latestStage?: pulumi.Input; /** * When the deployment was last modified. */ modifiedOn?: pulumi.Input; /** * Id of the project. */ projectId?: pulumi.Input; /** * Name of the project. */ projectName?: pulumi.Input; /** * Short Id (8 character) of the deployment. */ shortId?: pulumi.Input; source?: pulumi.Input; /** * List of past stages. */ stages?: pulumi.Input[]>; /** * The live URL to view this deployment. */ url?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentBuildConfig { /** * Enable build caching for the project. */ buildCaching?: pulumi.Input; /** * Command used to build project. */ buildCommand?: pulumi.Input; /** * Output directory of the build. */ destinationDir?: pulumi.Input; /** * Directory to run the command. */ rootDir?: pulumi.Input; /** * The classifying tag for analytics. */ webAnalyticsTag?: pulumi.Input; /** * The auth token for analytics. */ webAnalyticsToken?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentDeploymentTrigger { /** * Additional info about the trigger. */ metadata?: pulumi.Input; /** * What caused the deployment. * Available values: "push", "adHoc". */ type?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentDeploymentTriggerMetadata { /** * Where the trigger happened. */ branch?: pulumi.Input; /** * Hash of the deployment trigger commit. */ commitHash?: pulumi.Input; /** * Message of the deployment trigger commit. */ commitMessage?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentEnvVars { /** * Available values: "plain*text", "secret*text". */ type?: pulumi.Input; /** * Environment variable value. */ value?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentLatestStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentSource { config?: pulumi.Input; type?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentSourceConfig { deploymentsEnabled?: pulumi.Input; owner?: pulumi.Input; pathExcludes?: pulumi.Input[]>; pathIncludes?: pulumi.Input[]>; prCommentsEnabled?: pulumi.Input; previewBranchExcludes?: pulumi.Input[]>; previewBranchIncludes?: pulumi.Input[]>; /** * Available values: "all", "none", "custom". */ previewDeploymentSetting?: pulumi.Input; productionBranch?: pulumi.Input; productionDeploymentsEnabled?: pulumi.Input; repoName?: pulumi.Input; } export interface PagesProjectCanonicalDeploymentStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectDeploymentConfigs { /** * Configs for preview deploys. */ preview?: pulumi.Input; /** * Configs for production deploys. */ production?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreview { /** * Constellation bindings used for Pages Functions. */ aiBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Analytics Engine bindings used for Pages Functions. */ analyticsEngineDatasets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Browser bindings used for Pages Functions. */ browsers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Compatibility date used for Pages Functions. */ compatibilityDate?: pulumi.Input; /** * Compatibility flags used for Pages Functions. */ compatibilityFlags?: pulumi.Input[]>; /** * D1 databases used for Pages Functions. */ d1Databases?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Durable Object namespaces used for Pages Functions. */ durableObjectNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Hyperdrive bindings used for Pages Functions. */ hyperdriveBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * KV namespaces used for Pages Functions. */ kvNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * mTLS bindings used for Pages Functions. */ mtlsCertificates?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Placement setting used for Pages Functions. */ placement?: pulumi.Input; /** * Queue Producer bindings used for Pages Functions. */ queueProducers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * R2 buckets used for Pages Functions. */ r2Buckets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Services used for Pages Functions. */ services?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Vectorize bindings used for Pages Functions. */ vectorizeBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface PagesProjectDeploymentConfigsPreviewAiBindings { projectId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewAnalyticsEngineDatasets { /** * Name of the dataset. */ dataset?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewBrowsers { } export interface PagesProjectDeploymentConfigsPreviewD1Databases { /** * UUID of the D1 database. */ id?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewDurableObjectNamespaces { /** * ID of the Durable Object namespace. */ namespaceId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewEnvVars { /** * Available values: "plain*text", "secret*text". */ type: pulumi.Input; /** * Environment variable value. */ value: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewHyperdriveBindings { id?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewKvNamespaces { /** * ID of the KV namespace. */ namespaceId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewMtlsCertificates { certificateId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewPlacement { /** * Placement mode. */ mode?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewQueueProducers { /** * Name of the Queue. */ name?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewR2Buckets { /** * Jurisdiction of the R2 bucket. */ jurisdiction?: pulumi.Input; /** * Name of the R2 bucket. */ name?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewServices { /** * The entrypoint to bind to. */ entrypoint?: pulumi.Input; /** * The Service environment. */ environment?: pulumi.Input; /** * The Service name. */ service?: pulumi.Input; } export interface PagesProjectDeploymentConfigsPreviewVectorizeBindings { indexName?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProduction { /** * Constellation bindings used for Pages Functions. */ aiBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Analytics Engine bindings used for Pages Functions. */ analyticsEngineDatasets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Browser bindings used for Pages Functions. */ browsers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Compatibility date used for Pages Functions. */ compatibilityDate?: pulumi.Input; /** * Compatibility flags used for Pages Functions. */ compatibilityFlags?: pulumi.Input[]>; /** * D1 databases used for Pages Functions. */ d1Databases?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Durable Object namespaces used for Pages Functions. */ durableObjectNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Hyperdrive bindings used for Pages Functions. */ hyperdriveBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * KV namespaces used for Pages Functions. */ kvNamespaces?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * mTLS bindings used for Pages Functions. */ mtlsCertificates?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Placement setting used for Pages Functions. */ placement?: pulumi.Input; /** * Queue Producer bindings used for Pages Functions. */ queueProducers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * R2 buckets used for Pages Functions. */ r2Buckets?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Services used for Pages Functions. */ services?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Vectorize bindings used for Pages Functions. */ vectorizeBindings?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface PagesProjectDeploymentConfigsProductionAiBindings { projectId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionAnalyticsEngineDatasets { /** * Name of the dataset. */ dataset?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionBrowsers { } export interface PagesProjectDeploymentConfigsProductionD1Databases { /** * UUID of the D1 database. */ id?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionDurableObjectNamespaces { /** * ID of the Durable Object namespace. */ namespaceId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionEnvVars { /** * Available values: "plain*text", "secret*text". */ type: pulumi.Input; /** * Environment variable value. */ value: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionHyperdriveBindings { id?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionKvNamespaces { /** * ID of the KV namespace. */ namespaceId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionMtlsCertificates { certificateId?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionPlacement { /** * Placement mode. */ mode?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionQueueProducers { /** * Name of the Queue. */ name?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionR2Buckets { /** * Jurisdiction of the R2 bucket. */ jurisdiction?: pulumi.Input; /** * Name of the R2 bucket. */ name?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionServices { /** * The entrypoint to bind to. */ entrypoint?: pulumi.Input; /** * The Service environment. */ environment?: pulumi.Input; /** * The Service name. */ service?: pulumi.Input; } export interface PagesProjectDeploymentConfigsProductionVectorizeBindings { indexName?: pulumi.Input; } export interface PagesProjectLatestDeployment { /** * A list of alias URLs pointing to this deployment. */ aliases?: pulumi.Input[]>; /** * Configs for the project build process. */ buildConfig?: pulumi.Input; /** * When the deployment was created. */ createdOn?: pulumi.Input; /** * Info about what caused the deployment. */ deploymentTrigger?: pulumi.Input; /** * Environment variables used for builds and Pages Functions. */ envVars?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Type of deploy. * Available values: "preview", "production". */ environment?: pulumi.Input; /** * Id of the deployment. */ id?: pulumi.Input; /** * If the deployment has been skipped. */ isSkipped?: pulumi.Input; /** * The status of the deployment. */ latestStage?: pulumi.Input; /** * When the deployment was last modified. */ modifiedOn?: pulumi.Input; /** * Id of the project. */ projectId?: pulumi.Input; /** * Name of the project. */ projectName?: pulumi.Input; /** * Short Id (8 character) of the deployment. */ shortId?: pulumi.Input; source?: pulumi.Input; /** * List of past stages. */ stages?: pulumi.Input[]>; /** * The live URL to view this deployment. */ url?: pulumi.Input; } export interface PagesProjectLatestDeploymentBuildConfig { /** * Enable build caching for the project. */ buildCaching?: pulumi.Input; /** * Command used to build project. */ buildCommand?: pulumi.Input; /** * Output directory of the build. */ destinationDir?: pulumi.Input; /** * Directory to run the command. */ rootDir?: pulumi.Input; /** * The classifying tag for analytics. */ webAnalyticsTag?: pulumi.Input; /** * The auth token for analytics. */ webAnalyticsToken?: pulumi.Input; } export interface PagesProjectLatestDeploymentDeploymentTrigger { /** * Additional info about the trigger. */ metadata?: pulumi.Input; /** * What caused the deployment. * Available values: "push", "adHoc". */ type?: pulumi.Input; } export interface PagesProjectLatestDeploymentDeploymentTriggerMetadata { /** * Where the trigger happened. */ branch?: pulumi.Input; /** * Hash of the deployment trigger commit. */ commitHash?: pulumi.Input; /** * Message of the deployment trigger commit. */ commitMessage?: pulumi.Input; } export interface PagesProjectLatestDeploymentEnvVars { /** * Available values: "plain*text", "secret*text". */ type?: pulumi.Input; /** * Environment variable value. */ value?: pulumi.Input; } export interface PagesProjectLatestDeploymentLatestStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectLatestDeploymentSource { config?: pulumi.Input; type?: pulumi.Input; } export interface PagesProjectLatestDeploymentSourceConfig { deploymentsEnabled?: pulumi.Input; owner?: pulumi.Input; pathExcludes?: pulumi.Input[]>; pathIncludes?: pulumi.Input[]>; prCommentsEnabled?: pulumi.Input; previewBranchExcludes?: pulumi.Input[]>; previewBranchIncludes?: pulumi.Input[]>; /** * Available values: "all", "none", "custom". */ previewDeploymentSetting?: pulumi.Input; productionBranch?: pulumi.Input; productionDeploymentsEnabled?: pulumi.Input; repoName?: pulumi.Input; } export interface PagesProjectLatestDeploymentStage { /** * When the stage ended. */ endedOn?: pulumi.Input; /** * The current build stage. * Available values: "queued", "initialize", "cloneRepo", "build", "deploy". */ name?: pulumi.Input; /** * When the stage started. */ startedOn?: pulumi.Input; /** * State of the current stage. * Available values: "success", "idle", "active", "failure", "canceled". */ status?: pulumi.Input; } export interface PagesProjectSource { config?: pulumi.Input; type?: pulumi.Input; } export interface PagesProjectSourceConfig { deploymentsEnabled?: pulumi.Input; owner?: pulumi.Input; pathExcludes?: pulumi.Input[]>; pathIncludes?: pulumi.Input[]>; prCommentsEnabled?: pulumi.Input; previewBranchExcludes?: pulumi.Input[]>; previewBranchIncludes?: pulumi.Input[]>; /** * Available values: "all", "none", "custom". */ previewDeploymentSetting?: pulumi.Input; productionBranch?: pulumi.Input; productionDeploymentsEnabled?: pulumi.Input; repoName?: pulumi.Input; } export interface QueueConsumer { /** * A Resource identifier. */ consumerId?: pulumi.Input; createdOn?: pulumi.Input; /** * A Resource identifier. */ queueId?: pulumi.Input; /** * Name of a Worker */ script?: pulumi.Input; /** * Name of a Worker */ scriptName?: pulumi.Input; settings?: pulumi.Input; /** * Available values: "worker", "httpPull". */ type?: pulumi.Input; } export interface QueueConsumerSettings { /** * The maximum number of messages to include in a batch. */ batchSize?: pulumi.Input; /** * Maximum number of concurrent consumers that may consume from this Queue. Set to `null` to automatically opt in to the platform's maximum (recommended). */ maxConcurrency?: pulumi.Input; /** * The maximum number of retries */ maxRetries?: pulumi.Input; /** * The number of milliseconds to wait for a batch to fill up before attempting to deliver it */ maxWaitTimeMs?: pulumi.Input; /** * The number of seconds to delay before making the message available for another attempt. */ retryDelay?: pulumi.Input; /** * The number of milliseconds that a message is exclusively leased. After the timeout, the message becomes available for another attempt. */ visibilityTimeoutMs?: pulumi.Input; } export interface QueueProducer { bucketName?: pulumi.Input; script?: pulumi.Input; /** * Available values: "worker", "r2Bucket". */ type?: pulumi.Input; } export interface QueueSettings { /** * Number of seconds to delay delivery of all messages to consumers. */ deliveryDelay?: pulumi.Input; /** * Indicates if message delivery to consumers is currently paused. */ deliveryPaused?: pulumi.Input; /** * Number of seconds after which an unconsumed message will be delayed. */ messageRetentionPeriod?: pulumi.Input; } export interface R2BucketCorsRule { /** * Object specifying allowed origins, methods and headers for this CORS rule. */ allowed: pulumi.Input; /** * Specifies the headers that can be exposed back, and accessed by, the JavaScript making the cross-origin request. If you need to access headers beyond the safelisted response headers, such as Content-Encoding or cf-cache-status, you must specify it here. */ exposeHeaders?: pulumi.Input[]>; /** * Identifier for this rule. */ id?: pulumi.Input; /** * Specifies the amount of time (in seconds) browsers are allowed to cache CORS preflight responses. Browsers may limit this to 2 hours or less, even if the maximum value (86400) is specified. */ maxAgeSeconds?: pulumi.Input; } export interface R2BucketCorsRuleAllowed { /** * Specifies the value for the Access-Control-Allow-Headers header R2 sets when requesting objects in this bucket from a browser. Cross-origin requests that include custom headers (e.g. x-user-id) should specify these headers as AllowedHeaders. */ headers?: pulumi.Input[]>; /** * Specifies the value for the Access-Control-Allow-Methods header R2 sets when requesting objects in a bucket from a browser. */ methods: pulumi.Input[]>; /** * Specifies the value for the Access-Control-Allow-Origin header R2 sets when requesting objects in a bucket from a browser. */ origins: pulumi.Input[]>; } export interface R2BucketEventNotificationRule { /** * Array of R2 object actions that will trigger notifications. */ actions: pulumi.Input[]>; /** * A description that can be used to identify the event notification rule after creation. */ description?: pulumi.Input; /** * Notifications will be sent only for objects with this prefix. */ prefix?: pulumi.Input; /** * Notifications will be sent only for objects with this suffix. */ suffix?: pulumi.Input; } export interface R2BucketLifecycleRule { /** * Transition to abort ongoing multipart uploads. */ abortMultipartUploadsTransition?: pulumi.Input; /** * Conditions that apply to all transitions of this rule. */ conditions: pulumi.Input; /** * Transition to delete objects. */ deleteObjectsTransition?: pulumi.Input; /** * Whether or not this rule is in effect. */ enabled: pulumi.Input; /** * Unique identifier for this rule. */ id: pulumi.Input; /** * Transitions to change the storage class of objects. */ storageClassTransitions?: pulumi.Input[]>; } export interface R2BucketLifecycleRuleAbortMultipartUploadsTransition { /** * Condition for lifecycle transitions to apply after an object reaches an age in seconds. */ condition?: pulumi.Input; } export interface R2BucketLifecycleRuleAbortMultipartUploadsTransitionCondition { maxAge: pulumi.Input; /** * Available values: "Age". */ type: pulumi.Input; } export interface R2BucketLifecycleRuleConditions { /** * Transitions will only apply to objects/uploads in the bucket that start with the given prefix, an empty prefix can be provided to scope rule to all objects/uploads. */ prefix: pulumi.Input; } export interface R2BucketLifecycleRuleDeleteObjectsTransition { /** * Condition for lifecycle transitions to apply after an object reaches an age in seconds. */ condition?: pulumi.Input; } export interface R2BucketLifecycleRuleDeleteObjectsTransitionCondition { date?: pulumi.Input; maxAge?: pulumi.Input; /** * Available values: "Age", "Date". */ type: pulumi.Input; } export interface R2BucketLifecycleRuleStorageClassTransition { /** * Condition for lifecycle transitions to apply after an object reaches an age in seconds. */ condition: pulumi.Input; /** * Available values: "InfrequentAccess". */ storageClass: pulumi.Input; } export interface R2BucketLifecycleRuleStorageClassTransitionCondition { date?: pulumi.Input; maxAge?: pulumi.Input; /** * Available values: "Age", "Date". */ type: pulumi.Input; } export interface R2BucketLockRule { /** * Condition to apply a lock rule to an object for how long in seconds. */ condition: pulumi.Input; /** * Whether or not this rule is in effect. */ enabled: pulumi.Input; /** * Unique identifier for this rule. */ id: pulumi.Input; /** * Rule will only apply to objects/uploads in the bucket that start with the given prefix, an empty prefix can be provided to scope rule to all objects/uploads. */ prefix?: pulumi.Input; } export interface R2BucketLockRuleCondition { date?: pulumi.Input; maxAgeSeconds?: pulumi.Input; /** * Available values: "Age", "Date", "Indefinite". */ type: pulumi.Input; } export interface R2BucketSippyDestination { /** * ID of a Cloudflare API token. * This is the value labelled "Access Key ID" when creating an API. * token from the [R2 dashboard](https://dash.cloudflare.com/?to=/:account/r2/api-tokens). */ accessKeyId?: pulumi.Input; /** * Available values: "r2". */ cloudProvider?: pulumi.Input; /** * Value of a Cloudflare API token. * This is the value labelled "Secret Access Key" when creating an API. * token from the [R2 dashboard](https://dash.cloudflare.com/?to=/:account/r2/api-tokens). * * Sippy will use this token when writing objects to R2, so it is * best to scope this token to the bucket you're enabling Sippy for. */ secretAccessKey?: pulumi.Input; } export interface R2BucketSippySource { /** * Access Key ID of an IAM credential (ideally scoped to a single S3 bucket). */ accessKeyId?: pulumi.Input; /** * Name of the AWS S3 bucket. */ bucket?: pulumi.Input; /** * Client email of an IAM credential (ideally scoped to a single GCS bucket). */ clientEmail?: pulumi.Input; /** * Available values: "aws", "gcs". */ cloudProvider?: pulumi.Input; /** * Private Key of an IAM credential (ideally scoped to a single GCS bucket). */ privateKey?: pulumi.Input; /** * Name of the AWS availability zone. */ region?: pulumi.Input; /** * Secret Access Key of an IAM credential (ideally scoped to a single S3 bucket). */ secretAccessKey?: pulumi.Input; } export interface R2CustomDomainStatus { /** * Ownership status of the domain. * Available values: "pending", "active", "deactivated", "blocked", "error", "unknown". */ ownership?: pulumi.Input; /** * SSL certificate status. * Available values: "initializing", "pending", "active", "deactivated", "error", "unknown". */ ssl?: pulumi.Input; } export interface RateLimitAction { /** * The action to perform. * Available values: "simulate", "ban", "challenge", "js*challenge", "managed*challenge". */ mode?: pulumi.Input; /** * A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. * Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed*challenge", or "js*challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. */ response?: pulumi.Input; /** * The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. * Notes: If "mode" is "challenge", "managed*challenge", or "js*challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. */ timeout?: pulumi.Input; } export interface RateLimitActionResponse { /** * The response body to return. The value must conform to the configured content type. */ body?: pulumi.Input; /** * The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. */ contentType?: pulumi.Input; } export interface RateLimitBypass { /** * Available values: "url". */ name?: pulumi.Input; /** * The URL to bypass. */ value?: pulumi.Input; } export interface RateLimitMatch { headers?: pulumi.Input[]>; request?: pulumi.Input; response?: pulumi.Input; } export interface RateLimitMatchHeader { /** * The name of the response header to match. */ name?: pulumi.Input; /** * The operator used when matching: `eq` means "equal" and `ne` means "not equal". * Available values: "eq", "ne". */ op?: pulumi.Input; /** * The value of the response header, which must match exactly. */ value?: pulumi.Input; } export interface RateLimitMatchRequest { /** * The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. */ methods?: pulumi.Input[]>; /** * The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. */ schemes?: pulumi.Input[]>; /** * The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. */ url?: pulumi.Input; } export interface RateLimitMatchResponse { /** * When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. * Notes: This field is deprecated. Instead, use response headers and set "origin*traffic" to "false" to avoid legacy behaviour interacting with the "response*headers" property. */ originTraffic?: pulumi.Input; } export interface RecordData { /** * Algorithm. */ algorithm?: pulumi.Input; /** * Altitude of location in meters. */ altitude?: pulumi.Input; /** * Certificate. */ certificate?: pulumi.Input; /** * Digest. */ digest?: pulumi.Input; /** * Digest Type. */ digestType?: pulumi.Input; /** * Fingerprint. */ fingerprint?: pulumi.Input; /** * Flags for the CAA record. */ flags?: any; /** * Key Tag. */ keyTag?: pulumi.Input; /** * Degrees of latitude. */ latDegrees?: pulumi.Input; /** * Latitude direction. * Available values: "N", "S". */ latDirection?: pulumi.Input; /** * Minutes of latitude. */ latMinutes?: pulumi.Input; /** * Seconds of latitude. */ latSeconds?: pulumi.Input; /** * Degrees of longitude. */ longDegrees?: pulumi.Input; /** * Longitude direction. * Available values: "E", "W". */ longDirection?: pulumi.Input; /** * Minutes of longitude. */ longMinutes?: pulumi.Input; /** * Seconds of longitude. */ longSeconds?: pulumi.Input; /** * Matching Type. */ matchingType?: pulumi.Input; /** * Order. */ order?: pulumi.Input; /** * The port of the service. */ port?: pulumi.Input; /** * Horizontal precision of location. */ precisionHorz?: pulumi.Input; /** * Vertical precision of location. */ precisionVert?: pulumi.Input; /** * Preference. */ preference?: pulumi.Input; /** * Priority. */ priority?: pulumi.Input; /** * Protocol. */ protocol?: pulumi.Input; /** * Public Key. */ publicKey?: pulumi.Input; /** * Regex. */ regex?: pulumi.Input; /** * Replacement. */ replacement?: pulumi.Input; /** * Selector. */ selector?: pulumi.Input; /** * Service. */ service?: pulumi.Input; /** * Size of location in meters. */ size?: pulumi.Input; /** * Name of the property controlled by this record (e.g.: issue, issuewild, iodef). */ tag?: pulumi.Input; /** * Target. */ target?: pulumi.Input; /** * Type. */ type?: pulumi.Input; /** * Usage. */ usage?: pulumi.Input; /** * Value of the record. This field's semantics depend on the chosen tag. */ value?: pulumi.Input; /** * The record weight. */ weight?: pulumi.Input; } export interface RecordSettings { /** * If enabled, causes the CNAME record to be resolved externally and the resulting address records (e.g., A and AAAA) to be returned instead of the CNAME record itself. This setting is unavailable for proxied records, since they are always flattened. */ flattenCname?: pulumi.Input; /** * When enabled, only A records will be generated, and AAAA records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv4Only?: pulumi.Input; /** * When enabled, only AAAA records will be generated, and A records will not be created. This setting is intended for exceptional cases. Note that this option only applies to proxied records and it has no effect on whether Cloudflare communicates with the origin using IPv4 or IPv6. */ ipv6Only?: pulumi.Input; } export interface RiskBehaviorBehaviors { enabled: pulumi.Input; /** * Available values: "low", "medium", "high". */ riskLevel: pulumi.Input; } export interface RulesetRule { /** * The action to perform when the rule matches. * Available values: "block", "challenge", "compress*response", "ddos*dynamic", "execute", "force*connection*close", "js*challenge", "log", "log*custom*field", "managed*challenge", "redirect", "rewrite", "route", "score", "serve*error", "set*cache*settings", "set*config", "skip". */ action: pulumi.Input; /** * The parameters configuring the rule's action. */ actionParameters?: pulumi.Input; /** * An informative description of the rule. */ description?: pulumi.Input; /** * Whether the rule should be executed. */ enabled?: pulumi.Input; /** * Configuration for exposed credential checking. */ exposedCredentialCheck?: pulumi.Input; /** * The expression defining which traffic will match the rule. */ expression: pulumi.Input; /** * The unique ID of the rule. */ id?: pulumi.Input; /** * An object configuring the rule's logging behavior. */ logging?: pulumi.Input; /** * An object configuring the rule's rate limit behavior. */ ratelimit?: pulumi.Input; /** * The reference of the rule (the rule's ID by default). */ ref?: pulumi.Input; } export interface RulesetRuleActionParameters { /** * A list of additional ports that caching should be enabled on. */ additionalCacheablePorts?: pulumi.Input[]>; /** * Custom order for compression algorithms. */ algorithms?: pulumi.Input[]>; /** * The name of a custom asset to serve as the response. */ assetName?: pulumi.Input; /** * Whether to enable Automatic HTTPS Rewrites. */ automaticHttpsRewrites?: pulumi.Input; /** * Which file extensions to minify automatically. */ autominify?: pulumi.Input; /** * Whether to enable Browser Integrity Check (BIC). */ bic?: pulumi.Input; /** * How long client browsers should cache the response. Cloudflare cache purge will not purge content cached on client browsers, so high browser TTLs may lead to stale content. */ browserTtl?: pulumi.Input; /** * Whether the request's response from the origin is eligible for caching. Caching itself will still depend on the cache control header and your other caching configurations. */ cache?: pulumi.Input; /** * Which components of the request are included in or excluded from the cache key Cloudflare uses to store the response in cache. */ cacheKey?: pulumi.Input; /** * Settings to determine whether the request's response from origin is eligible for Cache Reserve (requires a Cache Reserve add-on plan). */ cacheReserve?: pulumi.Input; /** * The response content. */ content?: pulumi.Input; /** * The content type header to set with the error response. * Available values: "application/json", "text/html", "text/plain", "text/xml". */ contentType?: pulumi.Input; /** * The cookie fields to log. */ cookieFields?: pulumi.Input[]>; /** * Whether to disable Cloudflare Apps. */ disableApps?: pulumi.Input; /** * Whether to disable Real User Monitoring (RUM). */ disableRum?: pulumi.Input; /** * Whether to disable Zaraz. */ disableZaraz?: pulumi.Input; /** * How long the Cloudflare edge network should cache the response. */ edgeTtl?: pulumi.Input; /** * Whether to enable Email Obfuscation. */ emailObfuscation?: pulumi.Input; /** * Whether to enable Cloudflare Fonts. */ fonts?: pulumi.Input; /** * A redirect based on a bulk list lookup. */ fromList?: pulumi.Input; /** * A redirect based on the request properties. */ fromValue?: pulumi.Input; /** * A map of headers to rewrite. */ headers?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * A value to rewrite the HTTP host header to. */ hostHeader?: pulumi.Input; /** * Whether to enable Hotlink Protection. */ hotlinkProtection?: pulumi.Input; /** * The ID of the ruleset to execute. */ id?: pulumi.Input; /** * A delta to change the score by, which can be either positive or negative. */ increment?: pulumi.Input; /** * The configuration to use for matched data logging. */ matchedData?: pulumi.Input; /** * Whether to enable Mirage. */ mirage?: pulumi.Input; /** * Whether to enable Opportunistic Encryption. */ opportunisticEncryption?: pulumi.Input; /** * An origin to route to. */ origin?: pulumi.Input; /** * Whether Cloudflare will aim to strictly adhere to RFC 7234. */ originCacheControl?: pulumi.Input; /** * Whether to generate Cloudflare error pages for issues from the origin server. */ originErrorPagePassthru?: pulumi.Input; /** * A set of overrides to apply to the target ruleset. */ overrides?: pulumi.Input; /** * A list of phases to skip the execution of. This option is incompatible with the rulesets option. * Available values: "ddos*l4", "ddos*l7", "http*config*settings", "http*custom*errors", "http*log*custom*fields", "http*ratelimit", "http*request*cache*settings", "http*request*dynamic*redirect", "http*request*firewall*custom", "http*request*firewall*managed", "http*request*late*transform", "http*request*origin", "http*request*redirect", "http*request*sanitize", "http*request*sbfm", "http*request*transform", "http*response*compression", "http*response*firewall*managed", "http*response*headers*transform", "magic*transit", "magic*transit*ids*managed", "magic*transit*managed", "magic*transit_ratelimit". */ phases?: pulumi.Input[]>; /** * The Polish level to configure. * Available values: "off", "lossless", "lossy", "webp". */ polish?: pulumi.Input; /** * A list of legacy security products to skip the execution of. * Available values: "bic", "hot", "rateLimit", "securityLevel", "uaBlock", "waf", "zoneLockdown". */ products?: pulumi.Input[]>; /** * The raw response fields to log. */ rawResponseFields?: pulumi.Input[]>; /** * A timeout value between two successive read operations to use for your origin server. Historically, the timeout value between two read options from Cloudflare to an origin server is 100 seconds. If you are attempting to reduce HTTP 524 errors because of timeouts from an origin server, try increasing this timeout value. */ readTimeout?: pulumi.Input; /** * The raw request fields to log. */ requestFields?: pulumi.Input[]>; /** * Whether Cloudflare should respect strong ETag (entity tag) headers. If false, Cloudflare converts strong ETag headers to weak ETag headers. */ respectStrongEtags?: pulumi.Input; /** * The response to show when the block is applied. */ response?: pulumi.Input; /** * The transformed response fields to log. */ responseFields?: pulumi.Input[]>; /** * Whether to enable Rocket Loader. */ rocketLoader?: pulumi.Input; /** * A mapping of ruleset IDs to a list of rule IDs in that ruleset to skip the execution of. This option is incompatible with the ruleset option. */ rules?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * A ruleset to skip the execution of. This option is incompatible with the rulesets option. * Available values: "current". */ ruleset?: pulumi.Input; /** * A list of ruleset IDs to skip the execution of. This option is incompatible with the ruleset and phases options. */ rulesets?: pulumi.Input[]>; /** * The Security Level to configure. * Available values: "off", "essentially*off", "low", "medium", "high", "under*attack". */ securityLevel?: pulumi.Input; /** * When to serve stale content from cache. */ serveStale?: pulumi.Input; /** * Whether to enable Server-Side Excludes. */ serverSideExcludes?: pulumi.Input; /** * A Server Name Indication (SNI) override. */ sni?: pulumi.Input; /** * The SSL level to configure. * Available values: "off", "flexible", "full", "strict", "originPull". */ ssl?: pulumi.Input; /** * The status code to use for the error. */ statusCode?: pulumi.Input; /** * Whether to enable Signed Exchanges (SXG). */ sxg?: pulumi.Input; /** * The transformed request fields to log. */ transformedRequestFields?: pulumi.Input[]>; /** * A URI rewrite. */ uri?: pulumi.Input; } export interface RulesetRuleActionParametersAlgorithm { /** * Name of the compression algorithm to enable. * Available values: "none", "auto", "default", "gzip", "brotli", "zstd". */ name?: pulumi.Input; } export interface RulesetRuleActionParametersAutominify { /** * Whether to minify CSS files. */ css?: pulumi.Input; /** * Whether to minify HTML files. */ html?: pulumi.Input; /** * Whether to minify JavaScript files. */ js?: pulumi.Input; } export interface RulesetRuleActionParametersBrowserTtl { /** * The browser TTL (in seconds) if you choose the "overrideOrigin" mode. */ default?: pulumi.Input; /** * The browser TTL mode. * Available values: "respect*origin", "bypass*by*default", "override*origin", "bypass". */ mode: pulumi.Input; } export interface RulesetRuleActionParametersCacheKey { /** * Whether to separate cached content based on the visitor's device type. */ cacheByDeviceType?: pulumi.Input; /** * Whether to protect from web cache deception attacks, while allowing static assets to be cached. */ cacheDeceptionArmor?: pulumi.Input; /** * Which components of the request are included or excluded from the cache key. */ customKey?: pulumi.Input; /** * Whether to treat requests with the same query parameters the same, regardless of the order those query parameters are in. */ ignoreQueryStringsOrder?: pulumi.Input; } export interface RulesetRuleActionParametersCacheKeyCustomKey { /** * Which cookies to include in the cache key. */ cookie?: pulumi.Input; /** * Which headers to include in the cache key. */ header?: pulumi.Input; /** * How to use the host in the cache key. */ host?: pulumi.Input; /** * Which query string parameters to include in or exclude from the cache key. */ queryString?: pulumi.Input; /** * How to use characteristics of the request user agent in the cache key. */ user?: pulumi.Input; } export interface RulesetRuleActionParametersCacheKeyCustomKeyCookie { /** * A list of cookies to check for the presence of. The presence of these cookies is included in the cache key. */ checkPresences?: pulumi.Input[]>; /** * A list of cookies to include in the cache key. */ includes?: pulumi.Input[]>; } export interface RulesetRuleActionParametersCacheKeyCustomKeyHeader { /** * A list of headers to check for the presence of. The presence of these headers is included in the cache key. */ checkPresences?: pulumi.Input[]>; /** * A mapping of header names to a list of values. If a header is present in the request and contains any of the values provided, its value is included in the cache key. */ contains?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Whether to exclude the origin header in the cache key. */ excludeOrigin?: pulumi.Input; /** * A list of headers to include in the cache key. */ includes?: pulumi.Input[]>; } export interface RulesetRuleActionParametersCacheKeyCustomKeyHost { /** * Whether to use the resolved host in the cache key. */ resolved?: pulumi.Input; } export interface RulesetRuleActionParametersCacheKeyCustomKeyQueryString { /** * Which query string parameters to exclude from the cache key. */ exclude?: pulumi.Input; /** * Which query string parameters to include in the cache key. */ include?: pulumi.Input; } export interface RulesetRuleActionParametersCacheKeyCustomKeyQueryStringExclude { /** * Whether to exclude all query string parameters from the cache key. */ all?: pulumi.Input; /** * A list of query string parameters to exclude from the cache key. */ lists?: pulumi.Input[]>; } export interface RulesetRuleActionParametersCacheKeyCustomKeyQueryStringInclude { /** * Whether to include all query string parameters in the cache key. */ all?: pulumi.Input; /** * A list of query string parameters to include in the cache key. */ lists?: pulumi.Input[]>; } export interface RulesetRuleActionParametersCacheKeyCustomKeyUser { /** * Whether to use the user agent's device type in the cache key. */ deviceType?: pulumi.Input; /** * Whether to use the user agents's country in the cache key. */ geo?: pulumi.Input; /** * Whether to use the user agent's language in the cache key. */ lang?: pulumi.Input; } export interface RulesetRuleActionParametersCacheReserve { /** * Whether Cache Reserve is enabled. If this is true and a request meets eligibility criteria, Cloudflare will write the resource to Cache Reserve. */ eligible: pulumi.Input; /** * The minimum file size eligible for storage in Cache Reserve. */ minimumFileSize?: pulumi.Input; } export interface RulesetRuleActionParametersCookieField { /** * The name of the cookie. */ name: pulumi.Input; } export interface RulesetRuleActionParametersEdgeTtl { /** * The edge TTL (in seconds) if you choose the "overrideOrigin" mode. */ default?: pulumi.Input; /** * The edge TTL mode. * Available values: "respect*origin", "bypass*by*default", "override*origin". */ mode: pulumi.Input; /** * A list of TTLs to apply to specific status codes or status code ranges. */ statusCodeTtls?: pulumi.Input[]>; } export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtl { /** * A single status code to apply the TTL to. */ statusCode?: pulumi.Input; /** * A range of status codes to apply the TTL to. */ statusCodeRange?: pulumi.Input; /** * The time to cache the response for (in seconds). A value of 0 is equivalent to setting the cache control header with the value "no-cache". A value of -1 is equivalent to setting the cache control header with the value of "no-store". */ value: pulumi.Input; } export interface RulesetRuleActionParametersEdgeTtlStatusCodeTtlStatusCodeRange { /** * The lower bound of the range. */ from?: pulumi.Input; /** * The upper bound of the range. */ to?: pulumi.Input; } export interface RulesetRuleActionParametersFromList { /** * An expression that evaluates to the list lookup key. */ key: pulumi.Input; /** * The name of the list to match against. */ name: pulumi.Input; } export interface RulesetRuleActionParametersFromValue { /** * Whether to keep the query string of the original request. */ preserveQueryString?: pulumi.Input; /** * The status code to use for the redirect. */ statusCode?: pulumi.Input; /** * A URL to redirect the request to. */ targetUrl: pulumi.Input; } export interface RulesetRuleActionParametersFromValueTargetUrl { /** * An expression that evaluates to a URL to redirect the request to. */ expression?: pulumi.Input; /** * A URL to redirect the request to. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersHeaders { /** * An expression that evaluates to a value for the header. */ expression?: pulumi.Input; /** * The operation to perform on the header. * Available values: "add", "set", "remove". */ operation: pulumi.Input; /** * A static value for the header. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersMatchedData { /** * The public key to encrypt matched data logs with. */ publicKey: pulumi.Input; } export interface RulesetRuleActionParametersOrigin { /** * A resolved host to route to. */ host?: pulumi.Input; /** * A destination port to route to. */ port?: pulumi.Input; } export interface RulesetRuleActionParametersOverrides { /** * An action to override all rules with. This option has lower precedence than rule and category overrides. */ action?: pulumi.Input; /** * A list of category-level overrides. This option has the second-highest precedence after rule-level overrides. */ categories?: pulumi.Input[]>; /** * Whether to enable execution of all rules. This option has lower precedence than rule and category overrides. */ enabled?: pulumi.Input; /** * A list of rule-level overrides. This option has the highest precedence. */ rules?: pulumi.Input[]>; /** * A sensitivity level to set for all rules. This option has lower precedence than rule and category overrides and is only applicable for DDoS phases. * Available values: "default", "medium", "low", "eoff". */ sensitivityLevel?: pulumi.Input; } export interface RulesetRuleActionParametersOverridesCategory { /** * The action to override rules in the category with. */ action?: pulumi.Input; /** * The name of the category to override. */ category: pulumi.Input; /** * Whether to enable execution of rules in the category. */ enabled?: pulumi.Input; /** * The sensitivity level to use for rules in the category. This option is only applicable for DDoS phases. * Available values: "default", "medium", "low", "eoff". */ sensitivityLevel?: pulumi.Input; } export interface RulesetRuleActionParametersOverridesRule { /** * The action to override the rule with. */ action?: pulumi.Input; /** * Whether to enable execution of the rule. */ enabled?: pulumi.Input; /** * The ID of the rule to override. */ id: pulumi.Input; /** * The score threshold to use for the rule. */ scoreThreshold?: pulumi.Input; /** * The sensitivity level to use for the rule. This option is only applicable for DDoS phases. * Available values: "default", "medium", "low", "eoff". */ sensitivityLevel?: pulumi.Input; } export interface RulesetRuleActionParametersRawResponseField { /** * The name of the response header. */ name: pulumi.Input; /** * Whether to log duplicate values of the same header. */ preserveDuplicates?: pulumi.Input; } export interface RulesetRuleActionParametersRequestField { /** * The name of the header. */ name: pulumi.Input; } export interface RulesetRuleActionParametersResponse { /** * The content to return. */ content: pulumi.Input; /** * The type of the content to return. */ contentType: pulumi.Input; /** * The status code to return. */ statusCode: pulumi.Input; } export interface RulesetRuleActionParametersResponseField { /** * The name of the response header. */ name: pulumi.Input; /** * Whether to log duplicate values of the same header. */ preserveDuplicates?: pulumi.Input; } export interface RulesetRuleActionParametersServeStale { /** * Whether Cloudflare should disable serving stale content while getting the latest content from the origin. */ disableStaleWhileUpdating?: pulumi.Input; } export interface RulesetRuleActionParametersSni { /** * A value to override the SNI to. */ value: pulumi.Input; } export interface RulesetRuleActionParametersTransformedRequestField { /** * The name of the header. */ name: pulumi.Input; } export interface RulesetRuleActionParametersUri { /** * A URI path rewrite. */ path?: pulumi.Input; /** * A URI query rewrite. */ query?: pulumi.Input; } export interface RulesetRuleActionParametersUriPath { /** * An expression that evaluates to a value to rewrite the URI path to. */ expression?: pulumi.Input; /** * A value to rewrite the URI path to. */ value?: pulumi.Input; } export interface RulesetRuleActionParametersUriQuery { /** * An expression that evaluates to a value to rewrite the URI query to. */ expression?: pulumi.Input; /** * A value to rewrite the URI query to. */ value?: pulumi.Input; } export interface RulesetRuleExposedCredentialCheck { /** * An expression that selects the password used in the credentials check. */ passwordExpression: pulumi.Input; /** * An expression that selects the user ID used in the credentials check. */ usernameExpression: pulumi.Input; } export interface RulesetRuleLogging { /** * Whether to generate a log when the rule matches. */ enabled?: pulumi.Input; } export interface RulesetRuleRatelimit { /** * Characteristics of the request on which the rate limit counter will be incremented. */ characteristics: pulumi.Input[]>; /** * An expression that defines when the rate limit counter should be incremented. It defaults to the same as the rule's expression. */ countingExpression?: pulumi.Input; /** * Period of time in seconds after which the action will be disabled following its first execution. */ mitigationTimeout?: pulumi.Input; /** * Period in seconds over which the counter is being incremented. */ period: pulumi.Input; /** * The threshold of requests per period after which the action will be executed for the first time. */ requestsPerPeriod?: pulumi.Input; /** * Whether counting is only performed when an origin is reached. */ requestsToOrigin?: pulumi.Input; /** * The score threshold per period for which the action will be executed the first time. */ scorePerPeriod?: pulumi.Input; /** * A response header name provided by the origin, which contains the score to increment rate limit counter with. */ scoreResponseHeaderName?: pulumi.Input; } export interface SnippetFile { content: pulumi.Input; name: pulumi.Input; } export interface SnippetMetadata { /** * Name of the file that contains the main module of the snippet. */ mainModule: pulumi.Input; } export interface SnippetRulesRule { /** * An informative description of the rule. */ description?: pulumi.Input; /** * Whether the rule should be executed. */ enabled?: pulumi.Input; /** * The expression defining which traffic will match the rule. */ expression: pulumi.Input; /** * The unique ID of the rule. */ id?: pulumi.Input; /** * The timestamp of when the rule was last modified. */ lastUpdated?: pulumi.Input; /** * The identifying name of the snippet. */ snippetName: pulumi.Input; } export interface SnippetsMetadata { /** * Name of the file that contains the main module of the snippet. */ mainModule: pulumi.Input; } export interface SpectrumApplicationDns { /** * The name of the DNS record associated with the application. */ name?: pulumi.Input; /** * The type of DNS record associated with the application. * Available values: "CNAME", "ADDRESS". */ type?: pulumi.Input; } export interface SpectrumApplicationEdgeIps { /** * The IP versions supported for inbound connections on Spectrum anycast IPs. * Available values: "all", "ipv4", "ipv6". */ connectivity?: pulumi.Input; /** * The array of customer owned IPs we broadcast via anycast for this hostname and application. */ ips?: pulumi.Input[]>; /** * The type of edge IP configuration specified. Dynamically allocated edge IPs use Spectrum anycast IPs in accordance with the connectivity you specify. Only valid with CNAME DNS names. * Available values: "dynamic", "static". */ type?: pulumi.Input; } export interface SpectrumApplicationOriginDns { /** * The name of the DNS record associated with the origin. */ name?: pulumi.Input; /** * The TTL of our resolution of your DNS record in seconds. */ ttl?: pulumi.Input; /** * The type of DNS record associated with the origin. "" is used to specify a combination of A/AAAA records. * Available values: "", "A", "AAAA", "SRV". */ type?: pulumi.Input; } export interface StaticRouteScope { /** * List of colo names for the ECMP scope. */ coloNames?: pulumi.Input[]>; /** * List of colo regions for the ECMP scope. */ coloRegions?: pulumi.Input[]>; } export interface StreamInput { /** * The video height in pixels. A value of `-1` means the height is unknown. The value becomes available after the upload and before the video is ready. */ height?: pulumi.Input; /** * The video width in pixels. A value of `-1` means the width is unknown. The value becomes available after the upload and before the video is ready. */ width?: pulumi.Input; } export interface StreamLiveInputRecording { /** * Lists the origins allowed to display videos created with this input. Enter allowed origin domains in an array and use `*` for wildcard subdomains. An empty array allows videos to be viewed on any origin. */ allowedOrigins?: pulumi.Input[]>; /** * Disables reporting the number of live viewers when this property is set to `true`. */ hideLiveViewerCount?: pulumi.Input; /** * Specifies the recording behavior for the live input. Set this value to `off` to prevent a recording. Set the value to `automatic` to begin a recording and transition to on-demand after Stream Live stops receiving input. * Available values: "off", "automatic". */ mode?: pulumi.Input; /** * Indicates if a video using the live input has the `requireSignedURLs` property set. Also enforces access controls on any video recording of the livestream with the live input. */ requireSignedUrls?: pulumi.Input; /** * Determines the amount of time a live input configured in `automatic` mode should wait before a recording transitions from live to on-demand. `0` is recommended for most use cases and indicates the platform default should be used. */ timeoutSeconds?: pulumi.Input; } export interface StreamLiveInputRtmps { /** * The secret key to use when streaming via RTMPS to a live input. */ streamKey?: pulumi.Input; /** * The RTMPS URL you provide to the broadcaster, which they stream live video to. */ url?: pulumi.Input; } export interface StreamLiveInputRtmpsPlayback { /** * The secret key to use for playback via RTMPS. */ streamKey?: pulumi.Input; /** * The URL used to play live video over RTMPS. */ url?: pulumi.Input; } export interface StreamLiveInputSrt { /** * The secret key to use when streaming via SRT to a live input. */ passphrase?: pulumi.Input; /** * The identifier of the live input to use when streaming via SRT. */ streamId?: pulumi.Input; /** * The SRT URL you provide to the broadcaster, which they stream live video to. */ url?: pulumi.Input; } export interface StreamLiveInputSrtPlayback { /** * The secret key to use for playback via SRT. */ passphrase?: pulumi.Input; /** * The identifier of the live input to use for playback via SRT. */ streamId?: pulumi.Input; /** * The URL used to play live video over SRT. */ url?: pulumi.Input; } export interface StreamLiveInputWebRtc { /** * The WebRTC URL you provide to the broadcaster, which they stream live video to. */ url?: pulumi.Input; } export interface StreamLiveInputWebRtcPlayback { /** * The URL used to play live video over WebRTC. */ url?: pulumi.Input; } export interface StreamPlayback { /** * DASH Media Presentation Description for the video. */ dash?: pulumi.Input; /** * The HLS manifest for the video. */ hls?: pulumi.Input; } export interface StreamStatus { /** * Specifies why the video failed to encode. This field is empty if the video is not in an `error` state. Preferred for programmatic use. */ errorReasonCode?: pulumi.Input; /** * Specifies why the video failed to encode using a human readable error message in English. This field is empty if the video is not in an `error` state. */ errorReasonText?: pulumi.Input; /** * Indicates the size of the entire upload in bytes. The value must be a non-negative integer. */ pctComplete?: pulumi.Input; /** * Specifies the processing status for all quality levels for a video. * Available values: "pendingupload", "downloading", "queued", "inprogress", "ready", "error", "live-inprogress". */ state?: pulumi.Input; } export interface StreamWatermark { /** * The date and a time a watermark profile was created. */ created?: pulumi.Input; /** * The source URL for a downloaded image. If the watermark profile was created via direct upload, this field is null. */ downloadedFrom?: pulumi.Input; /** * The height of the image in pixels. */ height?: pulumi.Input; /** * A short description of the watermark profile. */ name?: pulumi.Input; /** * The translucency of the image. A value of `0.0` makes the image completely transparent, and `1.0` makes the image completely opaque. Note that if the image is already semi-transparent, setting this to `1.0` will not make the image completely opaque. */ opacity?: pulumi.Input; /** * The whitespace between the adjacent edges (determined by position) of the video and the image. `0.0` indicates no padding, and `1.0` indicates a fully padded video width or length, as determined by the algorithm. */ padding?: pulumi.Input; /** * The location of the image. Valid positions are: `upperRight`, `upperLeft`, `lowerLeft`, `lowerRight`, and `center`. Note that `center` ignores the `padding` parameter. */ position?: pulumi.Input; /** * The size of the image relative to the overall size of the video. This parameter will adapt to horizontal and vertical videos automatically. `0.0` indicates no scaling (use the size of the image as-is), and `1.0`fills the entire video. */ scale?: pulumi.Input; /** * The size of the image in bytes. */ size?: pulumi.Input; /** * The unique identifier for a watermark profile. */ uid?: pulumi.Input; /** * The width of the image in pixels. */ width?: pulumi.Input; } export interface TeamsAccountSettings { /** * Activity log settings. */ activityLog?: pulumi.Input; /** * Anti-virus settings. */ antivirus?: pulumi.Input; /** * Block page layout settings. */ blockPage?: pulumi.Input; /** * DLP body scanning settings. */ bodyScanning?: pulumi.Input; /** * Browser isolation settings. */ browserIsolation?: pulumi.Input; /** * Certificate settings for Gateway TLS interception. If not specified, the Cloudflare Root CA will be used. */ certificate?: pulumi.Input; /** * Custom certificate settings for BYO-PKI. (deprecated and replaced by `certificate`). * * @deprecated This attribute is deprecated. */ customCertificate?: pulumi.Input; /** * Extended e-mail matching settings. */ extendedEmailMatching?: pulumi.Input; /** * FIPS settings. */ fips?: pulumi.Input; /** * Setting to enable host selector in egress policies. */ hostSelector?: pulumi.Input; /** * Setting to define inspection settings. */ inspection?: pulumi.Input; /** * Protocol Detection settings. */ protocolDetection?: pulumi.Input; /** * Sandbox settings. */ sandbox?: pulumi.Input; /** * TLS interception settings. */ tlsDecrypt?: pulumi.Input; } export interface TeamsAccountSettingsActivityLog { /** * Enable activity logging. */ enabled?: pulumi.Input; } export interface TeamsAccountSettingsAntivirus { /** * Enable anti-virus scanning on downloads. */ enabledDownloadPhase?: pulumi.Input; /** * Enable anti-virus scanning on uploads. */ enabledUploadPhase?: pulumi.Input; /** * Block requests for files that cannot be scanned. */ failClosed?: pulumi.Input; /** * Configure a message to display on the user's device when an antivirus search is performed. */ notificationSettings?: pulumi.Input; } export interface TeamsAccountSettingsAntivirusNotificationSettings { /** * Set notification on. */ enabled?: pulumi.Input; /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * Customize the message shown in the notification. */ msg?: pulumi.Input; /** * Optional URL to direct users to additional information. If not set, the notification will open a block page. */ supportUrl?: pulumi.Input; } export interface TeamsAccountSettingsBlockPage { /** * If mode is customized_block_page: block page background color in #rrggbb format. */ backgroundColor?: pulumi.Input; /** * Enable only cipher suites and TLS versions compliant with FIPS. 140-2. */ enabled?: pulumi.Input; /** * If mode is customized_block_page: block page footer text. */ footerText?: pulumi.Input; /** * If mode is customized_block_page: block page header text. */ headerText?: pulumi.Input; /** * If mode is redirect_uri: when enabled, context will be appended to targetUri as query parameters. */ includeContext?: pulumi.Input; /** * If mode is customized_block_page: full URL to the logo file. */ logoPath?: pulumi.Input; /** * If mode is customized_block_page: admin email for users to contact. */ mailtoAddress?: pulumi.Input; /** * If mode is customized_block_page: subject line for emails created from block page. */ mailtoSubject?: pulumi.Input; /** * Controls whether the user is redirected to a Cloudflare-hosted block page or to a customer-provided URI. * Available values: "", "customizedBlockPage", "redirectUri". */ mode?: pulumi.Input; /** * If mode is customized_block_page: block page title. */ name?: pulumi.Input; /** * This setting was shared via the Orgs API and cannot be edited by the current account. */ readOnly?: pulumi.Input; /** * Account tag of account that shared this setting. */ sourceAccount?: pulumi.Input; /** * If mode is customized_block_page: suppress detailed info at the bottom of the block page. */ suppressFooter?: pulumi.Input; /** * If mode is redirect_uri: URI to which the user should be redirected. */ targetUri?: pulumi.Input; /** * Version number of the setting. */ version?: pulumi.Input; } export interface TeamsAccountSettingsBodyScanning { /** * Set the inspection mode to either `deep` or `shallow`. * Available values: "deep", "shallow". */ inspectionMode?: pulumi.Input; } export interface TeamsAccountSettingsBrowserIsolation { /** * Enable non-identity onramp support for Browser Isolation. */ nonIdentityEnabled?: pulumi.Input; /** * Enable Clientless Browser Isolation. */ urlBrowserIsolationEnabled?: pulumi.Input; } export interface TeamsAccountSettingsCertificate { /** * UUID of certificate to be used for interception. Certificate must be available (previously called 'active') on the edge. A nil UUID will indicate the Cloudflare Root CA should be used. */ id: pulumi.Input; } export interface TeamsAccountSettingsCustomCertificate { /** * Certificate status (internal). */ bindingStatus?: pulumi.Input; /** * Enable use of custom certificate authority for signing Gateway. traffic. */ enabled: pulumi.Input; /** * UUID of certificate (ID from MTLS certificate store). */ id?: pulumi.Input; updatedAt?: pulumi.Input; } export interface TeamsAccountSettingsExtendedEmailMatching { /** * Enable matching all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. */ enabled?: pulumi.Input; /** * This setting was shared via the Orgs API and cannot be edited by the current account. */ readOnly?: pulumi.Input; /** * Account tag of account that shared this setting. */ sourceAccount?: pulumi.Input; /** * Version number of the setting. */ version?: pulumi.Input; } export interface TeamsAccountSettingsFips { /** * Enable only cipher suites and TLS versions compliant with FIPS. 140-2. */ tls?: pulumi.Input; } export interface TeamsAccountSettingsHostSelector { /** * Enable filtering via hosts for egress policies. */ enabled?: pulumi.Input; } export interface TeamsAccountSettingsInspection { /** * Defines the mode of inspection the proxy will use. * - static: Gateway will use static inspection to inspect HTTP on TCP(80). If TLS decryption is on, Gateway will inspect HTTPS traffic on TCP(443) & UDP(443). * - dynamic: Gateway will use protocol detection to dynamically inspect HTTP and HTTPS traffic on any port. TLS decryption must be on to inspect HTTPS traffic. * Available values: "static", "dynamic". */ mode?: pulumi.Input; } export interface TeamsAccountSettingsProtocolDetection { /** * Enable detecting protocol on initial bytes of client traffic. */ enabled?: pulumi.Input; } export interface TeamsAccountSettingsSandbox { /** * Enable sandbox. */ enabled?: pulumi.Input; /** * Action to take when the file cannot be scanned. * Available values: "allow", "block". */ fallbackAction?: pulumi.Input; } export interface TeamsAccountSettingsTlsDecrypt { /** * Enable inspecting encrypted HTTP traffic. */ enabled?: pulumi.Input; } export interface TeamsListItem { /** * The description of the list item, if present. */ description?: pulumi.Input; /** * The value of the item in a list. */ value?: pulumi.Input; } export interface TeamsLocationEndpoints { doh: pulumi.Input; dot: pulumi.Input; ipv4: pulumi.Input; ipv6: pulumi.Input; } export interface TeamsLocationEndpointsDoh { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; /** * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location. */ networks?: pulumi.Input[]>; /** * True if the endpoint requires [user identity](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/#filter-doh-requests-by-user) authentication. */ requireToken?: pulumi.Input; } export interface TeamsLocationEndpointsDohNetwork { /** * The IP address or IP CIDR. */ network: pulumi.Input; } export interface TeamsLocationEndpointsDot { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; /** * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location. */ networks?: pulumi.Input[]>; } export interface TeamsLocationEndpointsDotNetwork { /** * The IP address or IP CIDR. */ network: pulumi.Input; } export interface TeamsLocationEndpointsIpv4 { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; } export interface TeamsLocationEndpointsIpv6 { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; /** * A list of allowed source IPv6 network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location. */ networks?: pulumi.Input[]>; } export interface TeamsLocationEndpointsIpv6Network { /** * The IPv6 address or IPv6 CIDR. */ network: pulumi.Input; } export interface TeamsLocationNetwork { /** * The IPv4 address or IPv4 CIDR. IPv4 CIDRs are limited to a maximum of /24. */ network: pulumi.Input; } export interface TeamsRuleExpiration { /** * The default duration a policy will be active in minutes. Must be set in order to use the `resetExpiration` endpoint on this rule. */ duration?: pulumi.Input; /** * Whether the policy has expired. */ expired?: pulumi.Input; /** * The time stamp at which the policy will expire and cease to be * applied. */ expiresAt: pulumi.Input; } export interface TeamsRuleRuleSettings { /** * Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s). */ addHeaders?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Set by parent MSP accounts to enable their children to bypass this rule. */ allowChildBypass?: pulumi.Input; /** * Settings for the Audit SSH action. */ auditSsh?: pulumi.Input; /** * Configure how browser isolation behaves. */ bisoAdminControls?: pulumi.Input; /** * Custom block page settings. If missing/null, blocking will use the the account settings. */ blockPage?: pulumi.Input; /** * Enable the custom block page. */ blockPageEnabled?: pulumi.Input; /** * The text describing why this block occurred, displayed on the custom block page (if enabled). */ blockReason?: pulumi.Input; /** * Set by children MSP accounts to bypass their parent's rules. */ bypassParentRule?: pulumi.Input; /** * Configure how session check behaves. */ checkSession?: pulumi.Input; /** * Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. */ dnsResolvers?: pulumi.Input; /** * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. */ egress?: pulumi.Input; /** * Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response. */ ignoreCnameCategoryMatches?: pulumi.Input; /** * INSECURE - disable DNSSEC validation (for Allow actions). */ insecureDisableDnssecValidation?: pulumi.Input; /** * Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names. */ ipCategories?: pulumi.Input; /** * Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names. */ ipIndicatorFeeds?: pulumi.Input; /** * Send matching traffic to the supplied destination IP address. and port. */ l4override?: pulumi.Input; /** * Configure a notification to display on the user's device when this rule is matched. */ notificationSettings?: pulumi.Input; /** * Override matching DNS queries with a hostname. */ overrideHost?: pulumi.Input; /** * Override matching DNS queries with an IP or set of IPs. */ overrideIps?: pulumi.Input[]>; /** * Configure DLP payload logging. */ payloadLog?: pulumi.Input; /** * Settings that apply to quarantine rules. */ quarantine?: pulumi.Input; /** * Settings that apply to redirect rules. */ redirect?: pulumi.Input; /** * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'. */ resolveDnsInternally?: pulumi.Input; /** * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns_internally' is set. Only valid when a rule's action is set to 'resolve'. */ resolveDnsThroughCloudflare?: pulumi.Input; /** * Configure behavior when an upstream cert is invalid or an SSL error occurs. */ untrustedCert?: pulumi.Input; } export interface TeamsRuleRuleSettingsAuditSsh { /** * Enable to turn on SSH command logging. */ commandLogging?: pulumi.Input; } export interface TeamsRuleRuleSettingsBisoAdminControls { /** * Configure whether copy is enabled or not. When set with "remote*only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled", "remote*only". */ copy?: pulumi.Input; /** * Set to false to enable copy-pasting. Only applies when `version == "v1"`. */ dcp?: pulumi.Input; /** * Set to false to enable downloading. Only applies when `version == "v1"`. */ dd?: pulumi.Input; /** * Set to false to enable keyboard usage. Only applies when `version == "v1"`. */ dk?: pulumi.Input; /** * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`. * Available values: "enabled", "disabled", "remote*only". */ download?: pulumi.Input; /** * Set to false to enable printing. Only applies when `version == "v1"`. */ dp?: pulumi.Input; /** * Set to false to enable uploading. Only applies when `version == "v1"`. */ du?: pulumi.Input; /** * Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled". */ keyboard?: pulumi.Input; /** * Configure whether pasting is enabled or not. When set with "remote*only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled", "remote*only". */ paste?: pulumi.Input; /** * Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled". */ printing?: pulumi.Input; /** * Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled". */ upload?: pulumi.Input; /** * Indicates which version of the browser isolation controls should apply. * Available values: "v1", "v2". */ version?: pulumi.Input; } export interface TeamsRuleRuleSettingsBlockPage { /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * URI to which the user will be redirected. */ targetUri: pulumi.Input; } export interface TeamsRuleRuleSettingsCheckSession { duration?: pulumi.Input; /** * Set to true to enable session enforcement. */ enforce?: pulumi.Input; } export interface TeamsRuleRuleSettingsDnsResolvers { ipv4s?: pulumi.Input[]>; ipv6s?: pulumi.Input[]>; } export interface TeamsRuleRuleSettingsDnsResolversIpv4 { /** * IPv4 address of upstream resolver. */ ip: pulumi.Input; /** * A port number to use for upstream resolver. Defaults to 53 if unspecified. */ port?: pulumi.Input; /** * Whether to connect to this resolver over a private network. Must be set when vnetId is set. */ routeThroughPrivateNetwork?: pulumi.Input; /** * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted. */ vnetId?: pulumi.Input; } export interface TeamsRuleRuleSettingsDnsResolversIpv6 { /** * IPv6 address of upstream resolver. */ ip: pulumi.Input; /** * A port number to use for upstream resolver. Defaults to 53 if unspecified. */ port?: pulumi.Input; /** * Whether to connect to this resolver over a private network. Must be set when vnetId is set. */ routeThroughPrivateNetwork?: pulumi.Input; /** * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted. */ vnetId?: pulumi.Input; } export interface TeamsRuleRuleSettingsEgress { /** * The IPv4 address to be used for egress. */ ipv4?: pulumi.Input; /** * The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs. */ ipv4Fallback?: pulumi.Input; /** * The IPv6 range to be used for egress. */ ipv6?: pulumi.Input; } export interface TeamsRuleRuleSettingsL4override { /** * IPv4 or IPv6 address. */ ip?: pulumi.Input; /** * A port number to use for TCP/UDP overrides. */ port?: pulumi.Input; } export interface TeamsRuleRuleSettingsNotificationSettings { /** * Set notification on. */ enabled?: pulumi.Input; /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * Customize the message shown in the notification. */ msg?: pulumi.Input; /** * Optional URL to direct users to additional information. If not set, the notification will open a block page. */ supportUrl?: pulumi.Input; } export interface TeamsRuleRuleSettingsPayloadLog { /** * Set to true to enable DLP payload logging for this rule. */ enabled?: pulumi.Input; } export interface TeamsRuleRuleSettingsQuarantine { /** * Types of files to sandbox. */ fileTypes?: pulumi.Input[]>; } export interface TeamsRuleRuleSettingsRedirect { /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * If true, the path and query parameters from the original request will be appended to target_uri. */ preservePathAndQuery?: pulumi.Input; /** * URI to which the user will be redirected. */ targetUri: pulumi.Input; } export interface TeamsRuleRuleSettingsResolveDnsInternally { /** * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries. * Available values: "none", "publicDns". */ fallback?: pulumi.Input; /** * The internal DNS view identifier that's passed to the internal DNS service. */ viewId?: pulumi.Input; } export interface TeamsRuleRuleSettingsUntrustedCert { /** * The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. * Available values: "passThrough", "block", "error". */ action?: pulumi.Input; } export interface TeamsRuleSchedule { /** * The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Fridays. */ fri?: pulumi.Input; /** * The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays. */ mon?: pulumi.Input; /** * The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Saturdays. */ sat?: pulumi.Input; /** * The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays. */ sun?: pulumi.Input; /** * The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays. */ thu?: pulumi.Input; /** * The time zone the rule will be evaluated against. If a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center. */ timeZone?: pulumi.Input; /** * The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays. */ tue?: pulumi.Input; /** * The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays. */ wed?: pulumi.Input; } export interface TunnelConfigConfig { /** * List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. */ ingresses?: pulumi.Input[]>; /** * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. */ originRequest?: pulumi.Input; /** * Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route. */ warpRouting?: pulumi.Input; } export interface TunnelConfigConfigIngress { /** * Public hostname for this service. */ hostname?: pulumi.Input; /** * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. */ originRequest?: pulumi.Input; /** * Requests with this path route to this public hostname. */ path?: pulumi.Input; /** * Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http*status:[code] e.g. 'http*status:404'. */ service: pulumi.Input; } export interface TunnelConfigConfigIngressOriginRequest { /** * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. */ access?: pulumi.Input; /** * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. */ caPool?: pulumi.Input; /** * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. */ connectTimeout?: pulumi.Input; /** * Disables chunked transfer encoding. Useful if you are running a WSGI server. */ disableChunkedEncoding?: pulumi.Input; /** * Attempt to connect to origin using HTTP2. Origin must be configured as https. */ http2Origin?: pulumi.Input; /** * Sets the HTTP Host header on requests sent to the local service. */ httpHostHeader?: pulumi.Input; /** * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. */ keepAliveConnections?: pulumi.Input; /** * Timeout after which an idle keepalive connection can be discarded. */ keepAliveTimeout?: pulumi.Input; /** * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. */ noHappyEyeballs?: pulumi.Input; /** * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. */ noTlsVerify?: pulumi.Input; /** * Hostname that cloudflared should expect from your origin server certificate. */ originServerName?: pulumi.Input; /** * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. */ proxyType?: pulumi.Input; /** * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. */ tcpKeepAlive?: pulumi.Input; /** * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. */ tlsTimeout?: pulumi.Input; } export interface TunnelConfigConfigIngressOriginRequestAccess { /** * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. */ audTags: pulumi.Input[]>; /** * Deny traffic that has not fulfilled Access authorization. */ required?: pulumi.Input; teamName: pulumi.Input; } export interface TunnelConfigConfigOriginRequest { /** * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. */ access?: pulumi.Input; /** * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. */ caPool?: pulumi.Input; /** * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. */ connectTimeout?: pulumi.Input; /** * Disables chunked transfer encoding. Useful if you are running a WSGI server. */ disableChunkedEncoding?: pulumi.Input; /** * Attempt to connect to origin using HTTP2. Origin must be configured as https. */ http2Origin?: pulumi.Input; /** * Sets the HTTP Host header on requests sent to the local service. */ httpHostHeader?: pulumi.Input; /** * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. */ keepAliveConnections?: pulumi.Input; /** * Timeout after which an idle keepalive connection can be discarded. */ keepAliveTimeout?: pulumi.Input; /** * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. */ noHappyEyeballs?: pulumi.Input; /** * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. */ noTlsVerify?: pulumi.Input; /** * Hostname that cloudflared should expect from your origin server certificate. */ originServerName?: pulumi.Input; /** * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. */ proxyType?: pulumi.Input; /** * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. */ tcpKeepAlive?: pulumi.Input; /** * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. */ tlsTimeout?: pulumi.Input; } export interface TunnelConfigConfigOriginRequestAccess { /** * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. */ audTags: pulumi.Input[]>; /** * Deny traffic that has not fulfilled Access authorization. */ required?: pulumi.Input; teamName: pulumi.Input; } export interface TunnelConfigConfigWarpRouting { enabled?: pulumi.Input; } export interface TunnelConnection { /** * UUID of the Cloudflare Tunnel connector. */ clientId?: pulumi.Input; /** * The cloudflared version used to establish this connection. */ clientVersion?: pulumi.Input; /** * The Cloudflare data center used for this connection. */ coloName?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ id?: pulumi.Input; /** * Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. */ isPendingReconnect?: pulumi.Input; /** * Timestamp of when the connection was established. */ openedAt?: pulumi.Input; /** * The public IP address of the host running cloudflared. */ originIp?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ uuid?: pulumi.Input; } export interface UserAgentBlockingRuleConfiguration { /** * The configuration target. You must set the target to `ua` when specifying a user agent in the rule. * Available values: "ua". */ target?: pulumi.Input; /** * the user agent to exactly match */ value?: pulumi.Input; } export interface UserOrganization { /** * Identifier */ id?: pulumi.Input; /** * Organization name. */ name?: pulumi.Input; /** * Access permissions for this User. */ permissions?: pulumi.Input[]>; /** * List of roles that a user has within an organization. */ roles?: pulumi.Input[]>; /** * Whether the user is a member of the organization or has an invitation pending. * Available values: "member", "invited". */ status?: pulumi.Input; } export interface WaitingRoomAdditionalRoute { /** * The hostname to which this waiting room will be applied (no wildcards). The hostname must be the primary domain, subdomain, or custom hostname (if using SSL for SaaS) of this zone. Please do not include the scheme (http:// or https://). */ host?: pulumi.Input; /** * Sets the path within the host to enable the waiting room on. The waiting room will be enabled for all subpaths as well. If there are two waiting rooms on the same subpath, the waiting room for the most specific path will be chosen. Wildcards and query parameters are not supported. */ path?: pulumi.Input; } export interface WaitingRoomCookieAttributes { /** * Configures the SameSite attribute on the waiting room cookie. Value `auto` will be translated to `lax` or `none` depending if **Always Use HTTPS** is enabled. Note that when using value `none`, the secure attribute cannot be set to `never`. * Available values: "auto", "lax", "none", "strict". */ samesite?: pulumi.Input; /** * Configures the Secure attribute on the waiting room cookie. Value `always` indicates that the Secure attribute will be set in the Set-Cookie header, `never` indicates that the Secure attribute will not be set, and `auto` will set the Secure attribute depending if **Always Use HTTPS** is enabled. * Available values: "auto", "always", "never". */ secure?: pulumi.Input; } export interface WaitingRoomRulesRule { /** * The action to take when the expression matches. * Available values: "bypass*waiting*room". */ action: pulumi.Input; /** * The description of the rule. */ description?: pulumi.Input; /** * When set to true, the rule is enabled. */ enabled?: pulumi.Input; /** * Criteria defining when there is a match for the current rule. */ expression: pulumi.Input; } export interface WebAnalyticsSiteRule { created?: pulumi.Input; /** * The hostname the rule will be applied to. */ host?: pulumi.Input; /** * The Web Analytics rule identifier. */ id?: pulumi.Input; /** * Whether the rule includes or excludes traffic from being measured. */ inclusive?: pulumi.Input; /** * Whether the rule is paused or not. */ isPaused?: pulumi.Input; /** * The paths the rule will be applied to. */ paths?: pulumi.Input[]>; priority?: pulumi.Input; } export interface WebAnalyticsSiteRuleset { /** * Whether the ruleset is enabled. */ enabled?: pulumi.Input; /** * The Web Analytics ruleset identifier. */ id?: pulumi.Input; zoneName?: pulumi.Input; /** * The zone identifier. */ zoneTag?: pulumi.Input; } export interface WorkerCronTriggerSchedule { createdOn?: pulumi.Input; cron: pulumi.Input; modifiedOn?: pulumi.Input; } export interface WorkerObservability { /** * Whether observability is enabled for the Worker. */ enabled?: pulumi.Input; /** * The sampling rate for observability. From 0 to 1 (1 = 100%, 0.1 = 10%). */ headSamplingRate?: pulumi.Input; /** * Log settings for the Worker. */ logs?: pulumi.Input; } export interface WorkerObservabilityLogs { /** * Whether logs are enabled for the Worker. */ enabled?: pulumi.Input; /** * The sampling rate for logs. From 0 to 1 (1 = 100%, 0.1 = 10%). */ headSamplingRate?: pulumi.Input; /** * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker. */ invocationLogs?: pulumi.Input; } export interface WorkerScriptAssets { /** * Configuration for assets within a Worker. */ config?: pulumi.Input; /** * Token provided upon successful upload of all files from a registered manifest. */ jwt?: pulumi.Input; } export interface WorkerScriptAssetsConfig { /** * The contents of a _headers file (used to attach custom headers on asset responses). */ headers?: pulumi.Input; /** * Determines the redirects and rewrites of requests for HTML content. * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none". */ htmlHandling?: pulumi.Input; /** * Determines the response when a request does not match a static asset, and there is no Worker script. * Available values: "none", "404-page", "single-page-application". */ notFoundHandling?: pulumi.Input; /** * The contents of a _redirects file (used to apply redirects or proxy paths ahead of asset serving). */ redirects?: pulumi.Input; /** * When true, requests will always invoke the Worker script. Otherwise, attempt to serve an asset matching the request, falling back to the Worker script. */ runWorkerFirst?: pulumi.Input; /** * When true and the incoming request matches an asset, that will be served instead of invoking the Worker script. When false, requests will always invoke the Worker script. * * @deprecated This attribute is deprecated. */ serveDirectly?: pulumi.Input; } export interface WorkerScriptBinding { /** * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm). */ algorithm?: pulumi.Input; /** * R2 bucket to bind to. */ bucketName?: pulumi.Input; /** * Identifier of the certificate to bind to. */ certificateId?: pulumi.Input; /** * The exported class name of the Durable Object. */ className?: pulumi.Input; /** * The name of the dataset to bind to. */ dataset?: pulumi.Input; /** * The environment of the scriptName to bind to. */ environment?: pulumi.Input; /** * Data format of the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#format). * Available values: "raw", "pkcs8", "spki", "jwk". */ format?: pulumi.Input; /** * Identifier of the D1 database to bind to. */ id?: pulumi.Input; /** * Name of the Vectorize index to bind to. */ indexName?: pulumi.Input; /** * JSON data to use. */ json?: pulumi.Input; /** * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki". */ keyBase64?: pulumi.Input; /** * Key data in [JSON Web Key](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key) format. Required if `format` is "jwk". */ keyJwk?: pulumi.Input; /** * A JavaScript variable name for the binding. */ name: pulumi.Input; /** * Namespace to bind to. */ namespace?: pulumi.Input; /** * Namespace identifier tag. */ namespaceId?: pulumi.Input; /** * Outbound worker. */ outbound?: pulumi.Input; /** * Name of the Pipeline to bind to. */ pipeline?: pulumi.Input; /** * Name of the Queue to bind to. */ queueName?: pulumi.Input; /** * The script where the Durable Object is defined, if it is external to this Worker. */ scriptName?: pulumi.Input; /** * Name of the secret in the store. */ secretName?: pulumi.Input; /** * Name of Worker to bind to. */ service?: pulumi.Input; /** * ID of the store containing the secret. */ storeId?: pulumi.Input; /** * The text value to use. */ text?: pulumi.Input; /** * The kind of resource that the binding provides. * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow". */ type: pulumi.Input; /** * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages). */ usages?: pulumi.Input[]>; /** * Name of the Workflow to bind to. */ workflowName?: pulumi.Input; } export interface WorkerScriptBindingOutbound { /** * Pass information from the Dispatch Worker to the Outbound Worker through the parameters. */ params?: pulumi.Input[]>; /** * Outbound worker. */ worker?: pulumi.Input; } export interface WorkerScriptBindingOutboundWorker { /** * Environment of the outbound worker. */ environment?: pulumi.Input; /** * Name of the outbound worker. */ service?: pulumi.Input; } export interface WorkerScriptLimits { /** * The amount of CPU time this Worker can use in milliseconds. */ cpuMs?: pulumi.Input; } export interface WorkerScriptNamedHandler { /** * The names of handlers exported as part of the named export. */ handlers?: pulumi.Input[]>; /** * The name of the export. */ name?: pulumi.Input; } export interface WorkerScriptObservability { /** * Whether observability is enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for incoming requests. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Log settings for the Worker. */ logs?: pulumi.Input; } export interface WorkerScriptObservabilityLogs { /** * Whether logs are enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for logs. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker. */ invocationLogs: pulumi.Input; } export interface WorkerScriptPlacement { /** * The last time the script was analyzed for [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). */ lastAnalyzedAt?: pulumi.Input; /** * Enables [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "smart". */ mode?: pulumi.Input; /** * Status of [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "SUCCESS", "UNSUPPORTED*APPLICATION", "INSUFFICIENT*INVOCATIONS". */ status?: pulumi.Input; } export interface WorkerScriptTailConsumer { /** * Optional environment if the Worker utilizes one. */ environment?: pulumi.Input; /** * Optional dispatch namespace the script belongs to. */ namespace?: pulumi.Input; /** * Name of Worker that is to be the consumer. */ service: pulumi.Input; } export interface WorkerSubdomain { /** * Whether the *.workers.dev subdomain is enabled for the Worker. */ enabled?: pulumi.Input; /** * Whether [preview URLs](https://developers.cloudflare.com/workers/configuration/previews/) are enabled for the Worker. */ previewsEnabled?: pulumi.Input; } export interface WorkerTailConsumer { /** * Name of the consumer Worker. */ name: pulumi.Input; } export interface WorkerVersionAnnotations { /** * Human-readable message about the version. */ workersMessage?: pulumi.Input; /** * User-provided identifier for the version. */ workersTag?: pulumi.Input; /** * Operation that triggered the creation of the version. */ workersTriggeredBy?: pulumi.Input; } export interface WorkerVersionAssets { /** * Configuration for assets within a Worker. */ config?: pulumi.Input; } export interface WorkerVersionAssetsConfig { /** * Determines the redirects and rewrites of requests for HTML content. * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none". */ htmlHandling?: pulumi.Input; /** * Determines the response when a request does not match a static asset, and there is no Worker script. * Available values: "none", "404-page", "single-page-application". */ notFoundHandling?: pulumi.Input; /** * Contains a list path rules to control routing to either the Worker or assets. Glob (*) and negative (!) rules are supported. Rules must start with either '/' or '!/'. At least one non-negative rule must be provided, and negative rules have higher precedence than non-negative rules. */ runWorkerFirsts?: pulumi.Input[]>; } export interface WorkerVersionBinding { /** * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm). */ algorithm?: pulumi.Input; /** * R2 bucket to bind to. */ bucketName?: pulumi.Input; /** * Identifier of the certificate to bind to. */ certificateId?: pulumi.Input; /** * The exported class name of the Durable Object. */ className?: pulumi.Input; /** * The name of the dataset to bind to. */ dataset?: pulumi.Input; /** * The environment of the scriptName to bind to. */ environment?: pulumi.Input; /** * Data format of the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#format). * Available values: "raw", "pkcs8", "spki", "jwk". */ format?: pulumi.Input; /** * Identifier of the D1 database to bind to. */ id?: pulumi.Input; /** * Name of the Vectorize index to bind to. */ indexName?: pulumi.Input; /** * JSON data to use. */ json?: pulumi.Input; /** * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki". */ keyBase64?: pulumi.Input; /** * Key data in [JSON Web Key](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key) format. Required if `format` is "jwk". */ keyJwk?: pulumi.Input; /** * A JavaScript variable name for the binding. */ name: pulumi.Input; /** * Namespace to bind to. */ namespace?: pulumi.Input; /** * Namespace identifier tag. */ namespaceId?: pulumi.Input; /** * Outbound worker. */ outbound?: pulumi.Input; /** * Name of the Pipeline to bind to. */ pipeline?: pulumi.Input; /** * Name of the Queue to bind to. */ queueName?: pulumi.Input; /** * The script where the Durable Object is defined, if it is external to this Worker. */ scriptName?: pulumi.Input; /** * Name of the secret in the store. */ secretName?: pulumi.Input; /** * Name of Worker to bind to. */ service?: pulumi.Input; /** * ID of the store containing the secret. */ storeId?: pulumi.Input; /** * The text value to use. */ text?: pulumi.Input; /** * The kind of resource that the binding provides. * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow". */ type: pulumi.Input; /** * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages). */ usages?: pulumi.Input[]>; /** * Name of the Workflow to bind to. */ workflowName?: pulumi.Input; } export interface WorkerVersionBindingOutbound { /** * Pass information from the Dispatch Worker to the Outbound Worker through the parameters. */ params?: pulumi.Input[]>; /** * Outbound worker. */ worker?: pulumi.Input; } export interface WorkerVersionBindingOutboundWorker { /** * Environment of the outbound worker. */ environment?: pulumi.Input; /** * Name of the outbound worker. */ service?: pulumi.Input; } export interface WorkerVersionLimits { /** * CPU time limit in milliseconds. */ cpuMs: pulumi.Input; } export interface WorkerVersionMigrations { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * Tag to set as the latest migration tag. */ newTag?: pulumi.Input; /** * Tag used to verify against the latest migration tag for this Worker. If they don't match, the upload is rejected. */ oldTag?: pulumi.Input; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * Migrations to apply in order. */ steps?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkerVersionMigrationsRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionMigrationsStep { /** * A list of classes to delete Durable Object namespaces from. */ deletedClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces from. */ newClasses?: pulumi.Input[]>; /** * A list of classes to create Durable Object namespaces with SQLite from. */ newSqliteClasses?: pulumi.Input[]>; /** * A list of classes with Durable Object namespaces that were renamed. */ renamedClasses?: pulumi.Input[]>; /** * A list of transfers for Durable Object namespaces from a different Worker and class to a class defined in this Worker. */ transferredClasses?: pulumi.Input[]>; } export interface WorkerVersionMigrationsStepRenamedClass { from?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionMigrationsStepTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionMigrationsTransferredClass { from?: pulumi.Input; fromScript?: pulumi.Input; to?: pulumi.Input; } export interface WorkerVersionModule { /** * The file path of the module content. */ contentFile: pulumi.Input; /** * The SHA-256 hash of the module content. */ contentSha256?: pulumi.Input; /** * The content type of the module. */ contentType: pulumi.Input; /** * The name of the module. */ name: pulumi.Input; } export interface WorkerVersionPlacement { /** * Placement mode for the version. * Available values: "smart". */ mode?: pulumi.Input; } export interface WorkersCronTriggerSchedule { createdOn?: pulumi.Input; cron: pulumi.Input; modifiedOn?: pulumi.Input; } export interface WorkersDeploymentAnnotations { /** * Human-readable message about the deployment. Truncated to 100 bytes. */ workersMessage?: pulumi.Input; /** * Operation that triggered the creation of the deployment. */ workersTriggeredBy?: pulumi.Input; } export interface WorkersDeploymentVersion { percentage: pulumi.Input; versionId: pulumi.Input; } export interface WorkersScriptAssets { /** * Configuration for assets within a Worker. */ config?: pulumi.Input; /** * Token provided upon successful upload of all files from a registered manifest. */ jwt?: pulumi.Input; } export interface WorkersScriptAssetsConfig { /** * The contents of a _headers file (used to attach custom headers on asset responses). */ headers?: pulumi.Input; /** * Determines the redirects and rewrites of requests for HTML content. * Available values: "auto-trailing-slash", "force-trailing-slash", "drop-trailing-slash", "none". */ htmlHandling?: pulumi.Input; /** * Determines the response when a request does not match a static asset, and there is no Worker script. * Available values: "none", "404-page", "single-page-application". */ notFoundHandling?: pulumi.Input; /** * The contents of a _redirects file (used to apply redirects or proxy paths ahead of asset serving). */ redirects?: pulumi.Input; /** * When true, requests will always invoke the Worker script. Otherwise, attempt to serve an asset matching the request, falling back to the Worker script. */ runWorkerFirst?: pulumi.Input; /** * When true and the incoming request matches an asset, that will be served instead of invoking the Worker script. When false, requests will always invoke the Worker script. * * @deprecated This attribute is deprecated. */ serveDirectly?: pulumi.Input; } export interface WorkersScriptBinding { /** * Algorithm-specific key parameters. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#algorithm). */ algorithm?: pulumi.Input; /** * R2 bucket to bind to. */ bucketName?: pulumi.Input; /** * Identifier of the certificate to bind to. */ certificateId?: pulumi.Input; /** * The exported class name of the Durable Object. */ className?: pulumi.Input; /** * The name of the dataset to bind to. */ dataset?: pulumi.Input; /** * The environment of the scriptName to bind to. */ environment?: pulumi.Input; /** * Data format of the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#format). * Available values: "raw", "pkcs8", "spki", "jwk". */ format?: pulumi.Input; /** * Identifier of the D1 database to bind to. */ id?: pulumi.Input; /** * Name of the Vectorize index to bind to. */ indexName?: pulumi.Input; /** * JSON data to use. */ json?: pulumi.Input; /** * Base64-encoded key data. Required if `format` is "raw", "pkcs8", or "spki". */ keyBase64?: pulumi.Input; /** * Key data in [JSON Web Key](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key) format. Required if `format` is "jwk". */ keyJwk?: pulumi.Input; /** * A JavaScript variable name for the binding. */ name: pulumi.Input; /** * Namespace to bind to. */ namespace?: pulumi.Input; /** * Namespace identifier tag. */ namespaceId?: pulumi.Input; /** * Outbound worker. */ outbound?: pulumi.Input; /** * Name of the Pipeline to bind to. */ pipeline?: pulumi.Input; /** * Name of the Queue to bind to. */ queueName?: pulumi.Input; /** * The script where the Durable Object is defined, if it is external to this Worker. */ scriptName?: pulumi.Input; /** * Name of the secret in the store. */ secretName?: pulumi.Input; /** * Name of Worker to bind to. */ service?: pulumi.Input; /** * ID of the store containing the secret. */ storeId?: pulumi.Input; /** * The text value to use. */ text?: pulumi.Input; /** * The kind of resource that the binding provides. * Available values: "ai", "analytics*engine", "assets", "browser", "d1", "dispatch*namespace", "durable*object*namespace", "hyperdrive", "json", "kv*namespace", "mtls*certificate", "plain*text", "pipelines", "queue", "r2*bucket", "secret*text", "service", "tail*consumer", "vectorize", "version*metadata", "secrets*store*secret", "secret*key", "workflow". */ type: pulumi.Input; /** * Allowed operations with the key. [Learn more](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#keyUsages). */ usages?: pulumi.Input[]>; /** * Name of the Workflow to bind to. */ workflowName?: pulumi.Input; } export interface WorkersScriptBindingOutbound { /** * Pass information from the Dispatch Worker to the Outbound Worker through the parameters. */ params?: pulumi.Input[]>; /** * Outbound worker. */ worker?: pulumi.Input; } export interface WorkersScriptBindingOutboundWorker { /** * Environment of the outbound worker. */ environment?: pulumi.Input; /** * Name of the outbound worker. */ service?: pulumi.Input; } export interface WorkersScriptLimits { /** * The amount of CPU time this Worker can use in milliseconds. */ cpuMs?: pulumi.Input; } export interface WorkersScriptNamedHandler { /** * The names of handlers exported as part of the named export. */ handlers?: pulumi.Input[]>; /** * The name of the export. */ name?: pulumi.Input; } export interface WorkersScriptObservability { /** * Whether observability is enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for incoming requests. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Log settings for the Worker. */ logs?: pulumi.Input; } export interface WorkersScriptObservabilityLogs { /** * Whether logs are enabled for the Worker. */ enabled: pulumi.Input; /** * The sampling rate for logs. From 0 to 1 (1 = 100%, 0.1 = 10%). Default is 1. */ headSamplingRate?: pulumi.Input; /** * Whether [invocation logs](https://developers.cloudflare.com/workers/observability/logs/workers-logs/#invocation-logs) are enabled for the Worker. */ invocationLogs: pulumi.Input; } export interface WorkersScriptPlacement { /** * The last time the script was analyzed for [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). */ lastAnalyzedAt?: pulumi.Input; /** * Enables [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "smart". */ mode?: pulumi.Input; /** * Status of [Smart Placement](https://developers.cloudflare.com/workers/configuration/smart-placement). * Available values: "SUCCESS", "UNSUPPORTED*APPLICATION", "INSUFFICIENT*INVOCATIONS". */ status?: pulumi.Input; } export interface WorkersScriptTailConsumer { /** * Optional environment if the Worker utilizes one. */ environment?: pulumi.Input; /** * Optional dispatch namespace the script belongs to. */ namespace?: pulumi.Input; /** * Name of Worker that is to be the consumer. */ service: pulumi.Input; } export interface ZeroTrustAccessApplicationCorsHeaders { /** * Allows all HTTP request headers. */ allowAllHeaders?: pulumi.Input; /** * Allows all HTTP request methods. */ allowAllMethods?: pulumi.Input; /** * Allows all origins. */ allowAllOrigins?: pulumi.Input; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. */ allowCredentials?: pulumi.Input; /** * Allowed HTTP request headers. */ allowedHeaders?: pulumi.Input[]>; /** * Allowed HTTP request methods. */ allowedMethods?: pulumi.Input[]>; /** * Allowed origins. */ allowedOrigins?: pulumi.Input[]>; /** * The maximum number of seconds the results of a preflight request can be cached. */ maxAge?: pulumi.Input; } export interface ZeroTrustAccessApplicationDestination { /** * The CIDR range of the destination. Single IPs will be computed as /32. */ cidr?: pulumi.Input; /** * The hostname of the destination. Matches a valid SNI served by an HTTPS origin. */ hostname?: pulumi.Input; /** * The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. * Available values: "tcp", "udp". */ l4Protocol?: pulumi.Input; /** * The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. */ portRange?: pulumi.Input; /** * Available values: "public", "private". */ type?: pulumi.Input; /** * The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). */ uri?: pulumi.Input; /** * The VNET ID to match the destination. When omitted, all VNETs will match. */ vnetId?: pulumi.Input; } export interface ZeroTrustAccessApplicationFooterLink { /** * The hypertext in the footer link. */ name: pulumi.Input; /** * the hyperlink in the footer link. */ url: pulumi.Input; } export interface ZeroTrustAccessApplicationLandingPageDesign { /** * The background color of the log in button on the landing page. */ buttonColor?: pulumi.Input; /** * The color of the text in the log in button on the landing page. */ buttonTextColor?: pulumi.Input; /** * The URL of the image shown on the landing page. */ imageUrl?: pulumi.Input; /** * The message shown on the landing page. */ message?: pulumi.Input; /** * The title shown on the landing page. */ title?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicy { /** * The rules that define how users may connect to the targets secured by your application. */ connectionRules?: pulumi.Input; /** * The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. * Available values: "allow", "deny", "nonIdentity", "bypass". */ decision?: pulumi.Input; /** * Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. */ excludes?: pulumi.Input[]>; /** * The UUID of the policy */ id?: pulumi.Input; /** * Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. */ includes?: pulumi.Input[]>; /** * The name of the Access policy. */ name?: pulumi.Input; /** * The order of execution for this policy. Must be unique for each policy within an app. */ precedence?: pulumi.Input; /** * Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. */ requires?: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationPolicyConnectionRules { /** * The SSH-specific rules that define how users may connect to the targets secured by your application. */ ssh?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyConnectionRulesSsh { /** * Enables using Identity Provider email alias as SSH username. */ allowEmailAlias?: pulumi.Input; /** * Contains the Unix usernames that may be used when connecting over SSH. */ usernames: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeAnyValidServiceToken { } export interface ZeroTrustAccessApplicationPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeCertificate { } export interface ZeroTrustAccessApplicationPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeEveryone { } export interface ZeroTrustAccessApplicationPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeAnyValidServiceToken { } export interface ZeroTrustAccessApplicationPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeCertificate { } export interface ZeroTrustAccessApplicationPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeEveryone { } export interface ZeroTrustAccessApplicationPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireAnyValidServiceToken { } export interface ZeroTrustAccessApplicationPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireCertificate { } export interface ZeroTrustAccessApplicationPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireEveryone { } export interface ZeroTrustAccessApplicationPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessApplicationPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasApp { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. */ accessTokenLifetime?: pulumi.Input; /** * If client secret should be required on the token endpoint when authorization*code*with_pkce grant is used. */ allowPkceWithoutClientSecret?: pulumi.Input; /** * The URL where this applications tile redirects users */ appLauncherUrl?: pulumi.Input; /** * Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" * Available values: "saml", "oidc". */ authType?: pulumi.Input; /** * The application client id */ clientId?: pulumi.Input; /** * The application client secret, only returned on POST request. */ clientSecret?: pulumi.Input; /** * The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. */ consumerServiceUrl?: pulumi.Input; createdAt?: pulumi.Input; customAttributes?: pulumi.Input[]>; customClaims?: pulumi.Input[]>; /** * The URL that the user will be redirected to after a successful login for IDP initiated logins. */ defaultRelayState?: pulumi.Input; /** * The OIDC flows supported by this application */ grantTypes?: pulumi.Input[]>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ groupFilterRegex?: pulumi.Input; hybridAndImplicitOptions?: pulumi.Input; /** * The unique identifier for your SaaS application. */ idpEntityId?: pulumi.Input; /** * The format of the name identifier sent to the SaaS application. * Available values: "id", "email". */ nameIdFormat?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `nameIdFormat` setting. */ nameIdTransformJsonata?: pulumi.Input; /** * The Access public certificate that will be used to verify your identity. */ publicKey?: pulumi.Input; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens */ redirectUris?: pulumi.Input[]>; refreshTokenOptions?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml*attributes or oidc*fields of the identity provider used to authenticate. The output of this expression must be a JSON object. */ samlAttributeTransformJsonata?: pulumi.Input; /** * Define the user information shared with access, "offlineAccess" scope will be automatically enabled if refresh tokens are enabled */ scopes?: pulumi.Input[]>; /** * A globally unique name for an identity or service provider. */ spEntityId?: pulumi.Input; /** * The endpoint where your SaaS application will send login requests. */ ssoEndpoint?: pulumi.Input; updatedAt?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomAttribute { /** * The SAML FriendlyName of the attribute. */ friendlyName?: pulumi.Input; /** * The name of the attribute. */ name?: pulumi.Input; /** * A globally unique name for an identity or service provider. * Available values: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "urn:oasis:names:tc:SAML:2.0:attrname-format:basic", "urn:oasis:names:tc:SAML:2.0:attrname-format:uri". */ nameFormat?: pulumi.Input; /** * If the attribute is required when building a SAML assertion. */ required?: pulumi.Input; source?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomAttributeSource { /** * The name of the IdP attribute. */ name?: pulumi.Input; /** * A mapping from IdP ID to attribute name. */ nameByIdps?: pulumi.Input[]>; } export interface ZeroTrustAccessApplicationSaasAppCustomAttributeSourceNameByIdp { /** * The UID of the IdP. */ idpId?: pulumi.Input; /** * The name of the IdP provided attribute. */ sourceName?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomClaim { /** * The name of the claim. */ name?: pulumi.Input; /** * If the claim is required when building an OIDC token. */ required?: pulumi.Input; /** * The scope of the claim. * Available values: "groups", "profile", "email", "openid". */ scope?: pulumi.Input; source?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppCustomClaimSource { /** * The name of the IdP claim. */ name?: pulumi.Input; /** * A mapping from IdP ID to claim name. */ nameByIdp?: pulumi.Input<{ [key: string]: pulumi.Input; }>; } export interface ZeroTrustAccessApplicationSaasAppHybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint */ returnAccessTokenFromAuthorizationEndpoint?: pulumi.Input; /** * If an ID Token should be returned from the OIDC Authorization endpoint */ returnIdTokenFromAuthorizationEndpoint?: pulumi.Input; } export interface ZeroTrustAccessApplicationSaasAppRefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. */ lifetime?: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfig { /** * Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. */ authentication?: pulumi.Input; /** * If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. */ deactivateOnDelete?: pulumi.Input; /** * Whether SCIM provisioning is turned on for this application. */ enabled?: pulumi.Input; /** * The UID of the IdP to use as the source for SCIM resources to provision to this application. */ idpUid: pulumi.Input; /** * A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. */ mappings?: pulumi.Input[]>; /** * The base URI for the application's SCIM-compatible API. */ remoteUri: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfigAuthentication { /** * URL used to generate the auth code used during token generation. */ authorizationUrl?: pulumi.Input; /** * Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. */ clientId?: pulumi.Input; /** * Secret used to authenticate when generating a token for authenticating with the remove SCIM service. */ clientSecret?: pulumi.Input; /** * Password used to authenticate with the remote SCIM service. */ password?: pulumi.Input; /** * The authentication scheme to use when making SCIM requests to this application. * Available values: "httpbasic", "oauthbearertoken", "oauth2", "access*service*token". */ scheme: pulumi.Input; /** * The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. */ scopes?: pulumi.Input[]>; /** * Token used to authenticate with the remote SCIM service. */ token?: pulumi.Input; /** * URL used to generate the token used to authenticate with the remote SCIM service. */ tokenUrl?: pulumi.Input; /** * User name used to authenticate with the remote SCIM service. */ user?: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfigMapping { /** * Whether or not this mapping is enabled. */ enabled?: pulumi.Input; /** * A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. */ filter?: pulumi.Input; /** * Whether or not this mapping applies to creates, updates, or deletes. */ operations?: pulumi.Input; /** * Which SCIM resource type this mapping applies to. */ schema: pulumi.Input; /** * The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. * Available values: "strict", "passthrough". */ strictness?: pulumi.Input; /** * A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. */ transformJsonata?: pulumi.Input; } export interface ZeroTrustAccessApplicationScimConfigMappingOperations { /** * Whether or not this mapping applies to create (POST) operations. */ create?: pulumi.Input; /** * Whether or not this mapping applies to DELETE operations. */ delete?: pulumi.Input; /** * Whether or not this mapping applies to update (PATCH/PUT) operations. */ update?: pulumi.Input; } export interface ZeroTrustAccessApplicationTargetCriteria { /** * The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. */ port: pulumi.Input; /** * The communication protocol your application secures. * Available values: "SSH", "RDP". */ protocol: pulumi.Input; /** * Contains a map of target attribute keys to target attribute values. */ targetAttributes: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; } export interface ZeroTrustAccessGroupExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeAnyValidServiceToken { } export interface ZeroTrustAccessGroupExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeCertificate { } export interface ZeroTrustAccessGroupExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeEveryone { } export interface ZeroTrustAccessGroupExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessGroupInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeAnyValidServiceToken { } export interface ZeroTrustAccessGroupIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeCertificate { } export interface ZeroTrustAccessGroupIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeEveryone { } export interface ZeroTrustAccessGroupIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessGroupRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessGroupRequireAnyValidServiceToken { } export interface ZeroTrustAccessGroupRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessGroupRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireCertificate { } export interface ZeroTrustAccessGroupRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessGroupRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireEveryone { } export interface ZeroTrustAccessGroupRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessGroupRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessGroupRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessGroupRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessGroupRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessGroupRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessIdentityProviderConfig { /** * Your companies TLD */ appsDomain?: pulumi.Input; /** * A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. */ attributes?: pulumi.Input[]>; /** * The authorizationEndpoint URL of your IdP */ authUrl?: pulumi.Input; /** * Your okta authorization server id */ authorizationServerId?: pulumi.Input; /** * Your centrify account url */ centrifyAccount?: pulumi.Input; /** * Your centrify app id */ centrifyAppId?: pulumi.Input; /** * The jwksUri endpoint of your IdP to allow the IdP keys to sign the tokens */ certsUrl?: pulumi.Input; /** * Custom claims */ claims?: pulumi.Input[]>; /** * Your OAuth Client ID */ clientId?: pulumi.Input; /** * Your OAuth Client Secret */ clientSecret?: pulumi.Input; /** * Should Cloudflare try to load authentication contexts from your account */ conditionalAccessEnabled?: pulumi.Input; /** * Your Azure directory uuid */ directoryId?: pulumi.Input; /** * The attribute name for email in the SAML response. */ emailAttributeName?: pulumi.Input; /** * The claim name for email in the idToken response. */ emailClaimName?: pulumi.Input; /** * Add a list of attribute names that will be returned in the response header from the Access callback. */ headerAttributes?: pulumi.Input[]>; /** * X509 certificate to verify the signature in the SAML authentication response */ idpPublicCerts?: pulumi.Input[]>; /** * IdP Entity ID or Issuer URL */ issuerUrl?: pulumi.Input; /** * Your okta account url */ oktaAccount?: pulumi.Input; /** * Your OneLogin account url */ oneloginAccount?: pulumi.Input; /** * Your PingOne environment identifier */ pingEnvId?: pulumi.Input; /** * Enable Proof Key for Code Exchange (PKCE) */ pkceEnabled?: pulumi.Input; /** * Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction*required error. prompt=select*account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether. * Available values: "login", "selectAccount", "none". */ prompt?: pulumi.Input; redirectUrl?: pulumi.Input; /** * OAuth scopes */ scopes?: pulumi.Input[]>; /** * Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. */ signRequest?: pulumi.Input; /** * URL to send the SAML authentication requests to */ ssoTargetUrl?: pulumi.Input; /** * Should Cloudflare try to load groups from your account */ supportGroups?: pulumi.Input; /** * The tokenEndpoint URL of your IdP */ tokenUrl?: pulumi.Input; } export interface ZeroTrustAccessIdentityProviderConfigHeaderAttribute { /** * attribute name from the IDP */ attributeName?: pulumi.Input; /** * header that will be added on the request to the origin */ headerName?: pulumi.Input; } export interface ZeroTrustAccessIdentityProviderScimConfig { /** * A flag to enable or disable SCIM for the identity provider. */ enabled?: pulumi.Input; /** * Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no*action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. * Available values: "automatic", "reauth", "no*action". */ identityUpdateBehavior?: pulumi.Input; /** * The base URL of Cloudflare's SCIM V2.0 API endpoint. */ scimBaseUrl?: pulumi.Input; /** * A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless userDeprovision is also enabled. */ seatDeprovision?: pulumi.Input; /** * A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity*providers/:idpID/refresh*scim_secret. */ secret?: pulumi.Input; /** * A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. */ userDeprovision?: pulumi.Input; } export interface ZeroTrustAccessInfrastructureTargetIp { /** * The target's IPv4 address */ ipv4?: pulumi.Input; /** * The target's IPv6 address */ ipv6?: pulumi.Input; } export interface ZeroTrustAccessInfrastructureTargetIpIpv4 { /** * IP address of the target */ ipAddr?: pulumi.Input; /** * (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used. */ virtualNetworkId?: pulumi.Input; } export interface ZeroTrustAccessInfrastructureTargetIpIpv6 { /** * IP address of the target */ ipAddr?: pulumi.Input; /** * (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used. */ virtualNetworkId?: pulumi.Input; } export interface ZeroTrustAccessMtlsHostnameSettingsSetting { /** * Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled. */ chinaNetwork: pulumi.Input; /** * Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin. */ clientCertificateForwarding: pulumi.Input; /** * The hostname that these settings apply to. */ hostname: pulumi.Input; } export interface ZeroTrustAccessPolicyApprovalGroup { /** * The number of approvals needed to obtain access. */ approvalsNeeded: pulumi.Input; /** * A list of emails that can approve the access request. */ emailAddresses?: pulumi.Input[]>; /** * The UUID of an re-usable email list. */ emailListUuid?: pulumi.Input; } export interface ZeroTrustAccessPolicyExclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeAnyValidServiceToken { } export interface ZeroTrustAccessPolicyExcludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeCertificate { } export interface ZeroTrustAccessPolicyExcludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeEveryone { } export interface ZeroTrustAccessPolicyExcludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyExcludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessPolicyInclude { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeAnyValidServiceToken { } export interface ZeroTrustAccessPolicyIncludeAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeCertificate { } export interface ZeroTrustAccessPolicyIncludeCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeEveryone { } export interface ZeroTrustAccessPolicyIncludeExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyIncludeServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequire { /** * An empty object which matches on all service tokens. */ anyValidServiceToken?: pulumi.Input; authContext?: pulumi.Input; authMethod?: pulumi.Input; azureAd?: pulumi.Input; certificate?: pulumi.Input; commonName?: pulumi.Input; devicePosture?: pulumi.Input; email?: pulumi.Input; emailDomain?: pulumi.Input; emailList?: pulumi.Input; /** * An empty object which matches on all users. */ everyone?: pulumi.Input; externalEvaluation?: pulumi.Input; geo?: pulumi.Input; githubOrganization?: pulumi.Input; group?: pulumi.Input; gsuite?: pulumi.Input; ip?: pulumi.Input; ipList?: pulumi.Input; linkedAppToken?: pulumi.Input; loginMethod?: pulumi.Input; oidc?: pulumi.Input; okta?: pulumi.Input; saml?: pulumi.Input; serviceToken?: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireAnyValidServiceToken { } export interface ZeroTrustAccessPolicyRequireAuthContext { /** * The ACID of an Authentication context. */ acId: pulumi.Input; /** * The ID of an Authentication context. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireAuthMethod { /** * The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. */ authMethod: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireAzureAd { /** * The ID of an Azure group. */ id: pulumi.Input; /** * The ID of your Azure identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireCertificate { } export interface ZeroTrustAccessPolicyRequireCommonName { /** * The common name to match. */ commonName: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireDevicePosture { /** * The ID of a device posture integration. */ integrationUid: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEmail { /** * The email of the user. */ email: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEmailDomain { /** * The email domain to match. */ domain: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEmailList { /** * The ID of a previously created email list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireEveryone { } export interface ZeroTrustAccessPolicyRequireExternalEvaluation { /** * The API endpoint containing your business logic. */ evaluateUrl: pulumi.Input; /** * The API endpoint containing the key that Access uses to verify that the response came from your API. */ keysUrl: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGeo { /** * The country code that should be matched. */ countryCode: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGithubOrganization { /** * The ID of your Github identity provider. */ identityProviderId: pulumi.Input; /** * The name of the organization. */ name: pulumi.Input; /** * The name of the team */ team?: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGroup { /** * The ID of a previously created Access group. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireGsuite { /** * The email of the Google Workspace group. */ email: pulumi.Input; /** * The ID of your Google Workspace identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireIp { /** * An IPv4 or IPv6 CIDR block. */ ip: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireIpList { /** * The ID of a previously created IP list. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireLinkedAppToken { /** * The ID of an Access OIDC SaaS application */ appUid: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireLoginMethod { /** * The ID of an identity provider. */ id: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireOidc { /** * The name of the OIDC claim. */ claimName: pulumi.Input; /** * The OIDC claim value to look for. */ claimValue: pulumi.Input; /** * The ID of your OIDC identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireOkta { /** * The ID of your Okta identity provider. */ identityProviderId: pulumi.Input; /** * The name of the Okta group. */ name: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireSaml { /** * The name of the SAML attribute. */ attributeName: pulumi.Input; /** * The SAML attribute value to look for. */ attributeValue: pulumi.Input; /** * The ID of your SAML identity provider. */ identityProviderId: pulumi.Input; } export interface ZeroTrustAccessPolicyRequireServiceToken { /** * The ID of a Service Token. */ tokenId: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileExclude { /** * The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileInclude { /** * The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to include in the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileLocalDomainFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileServiceModeV2 { /** * The mode to run the WARP client under. */ mode?: pulumi.Input; /** * The port number when used with proxy mode. */ port?: pulumi.Input; } export interface ZeroTrustDeviceCustomProfileTargetTest { /** * The id of the DEX test targeting this policy. */ id?: pulumi.Input; /** * The name of the DEX test targeting this policy. */ name?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileExclude { /** * The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileInclude { /** * The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. */ address?: pulumi.Input; /** * A description of the Split Tunnel item, displayed in the client UI. */ description?: pulumi.Input; /** * The domain name to include in the tunnel. If `host` is present, `address` must not be present. */ host?: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileLocalDomainFallbackDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix: pulumi.Input; } export interface ZeroTrustDeviceDefaultProfileServiceModeV2 { /** * The mode to run the WARP client under. */ mode?: pulumi.Input; /** * The port number when used with proxy mode. */ port?: pulumi.Input; } export interface ZeroTrustDeviceManagedNetworksConfig { /** * The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate. */ sha256?: pulumi.Input; /** * A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host. */ tlsSockaddr: pulumi.Input; } export interface ZeroTrustDevicePostureIntegrationConfig { /** * If present, this id will be passed in the `CF-Access-Client-ID` header when hitting the `apiUrl`. */ accessClientId?: pulumi.Input; /** * If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `apiUrl`. */ accessClientSecret?: pulumi.Input; /** * The Workspace One API URL provided in the Workspace One Admin Dashboard. */ apiUrl?: pulumi.Input; /** * The Workspace One Authorization URL depending on your region. */ authUrl?: pulumi.Input; /** * The Workspace One client ID provided in the Workspace One Admin Dashboard. */ clientId?: pulumi.Input; /** * The Uptycs client secret. */ clientKey?: pulumi.Input; /** * The Workspace One client secret provided in the Workspace One Admin Dashboard. */ clientSecret?: pulumi.Input; /** * The Crowdstrike customer ID. */ customerId?: pulumi.Input; } export interface ZeroTrustDevicePostureRuleInput { /** * The Number of active threats. */ activeThreats?: pulumi.Input; /** * UUID of Cloudflare managed certificate. */ certificateId?: pulumi.Input; /** * List of volume names to be checked for encryption. */ checkDisks?: pulumi.Input[]>; /** * Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. */ checkPrivateKey?: pulumi.Input; /** * Common Name that is protected by the certificate. */ cn?: pulumi.Input; /** * Compliance Status. * Available values: "compliant", "noncompliant", "unknown", "notapplicable", "ingraceperiod", "error". */ complianceStatus?: pulumi.Input; /** * Posture Integration ID. */ connectionId?: pulumi.Input; /** * Count Operator. * Available values: "<", "<=", ">", ">=", "==". */ countOperator?: pulumi.Input; /** * Domain. */ domain?: pulumi.Input; /** * For more details on eid last seen, refer to the Tanium documentation. */ eidLastSeen?: pulumi.Input; /** * Enabled. */ enabled?: pulumi.Input; /** * Whether or not file exists. */ exists?: pulumi.Input; /** * List of values indicating purposes for which the certificate public key can be used. */ extendedKeyUsages?: pulumi.Input[]>; /** * List ID. */ id?: pulumi.Input; /** * Whether device is infected. */ infected?: pulumi.Input; /** * Whether device is active. */ isActive?: pulumi.Input; /** * The Number of Issues. */ issueCount?: pulumi.Input; /** * For more details on last seen, please refer to the Crowdstrike documentation. */ lastSeen?: pulumi.Input; locations?: pulumi.Input; /** * Network status of device. * Available values: "connected", "disconnected", "disconnecting", "connecting". */ networkStatus?: pulumi.Input; /** * Operating system. * Available values: "windows", "linux", "mac", "android", "ios", "chromeos". */ operatingSystem?: pulumi.Input; /** * Agent operational state. * Available values: "na", "partially*disabled", "auto*fully*disabled", "fully*disabled", "auto*partially*disabled", "disabled*error", "db*corruption". */ operationalState?: pulumi.Input; /** * Operator. * Available values: "<", "<=", ">", ">=", "==". */ operator?: pulumi.Input; /** * Os Version. */ os?: pulumi.Input; /** * Operating System Distribution Name (linux only). */ osDistroName?: pulumi.Input; /** * Version of OS Distribution (linux only). */ osDistroRevision?: pulumi.Input; /** * Additional version data. For Mac or iOS, the Product Version Extra. For Linux, the kernel release version. (Mac, iOS, and Linux only). */ osVersionExtra?: pulumi.Input; /** * Overall. */ overall?: pulumi.Input; /** * File path. */ path?: pulumi.Input; /** * Whether to check all disks for encryption. */ requireAll?: pulumi.Input; /** * For more details on risk level, refer to the Tanium documentation. * Available values: "low", "medium", "high", "critical". */ riskLevel?: pulumi.Input; /** * A value between 0-100 assigned to devices set by the 3rd party posture provider. */ score?: pulumi.Input; /** * Score Operator. * Available values: "<", "<=", ">", ">=", "==". */ scoreOperator?: pulumi.Input; /** * SensorConfig. */ sensorConfig?: pulumi.Input; /** * SHA-256. */ sha256?: pulumi.Input; /** * For more details on state, please refer to the Crowdstrike documentation. * Available values: "online", "offline", "unknown". */ state?: pulumi.Input; /** * List of certificate Subject Alternative Names. */ subjectAlternativeNames?: pulumi.Input[]>; /** * Signing certificate thumbprint. */ thumbprint?: pulumi.Input; /** * For more details on total score, refer to the Tanium documentation. */ totalScore?: pulumi.Input; /** * Version of OS. */ version?: pulumi.Input; /** * Version Operator. * Available values: "<", "<=", ">", ">=", "==". */ versionOperator?: pulumi.Input; } export interface ZeroTrustDevicePostureRuleInputLocations { /** * List of paths to check for client certificate on linux. */ paths?: pulumi.Input[]>; /** * List of trust stores to check for client certificate. */ trustStores?: pulumi.Input[]>; } export interface ZeroTrustDevicePostureRuleMatch { /** * Available values: "windows", "mac", "linux", "android", "ios", "chromeos". */ platform?: pulumi.Input; } export interface ZeroTrustDexTestData { /** * The desired endpoint to test. */ host?: pulumi.Input; /** * The type of test. */ kind?: pulumi.Input; /** * The HTTP request method type. */ method?: pulumi.Input; } export interface ZeroTrustDexTestTargetPolicy { /** * Whether the DEX rule is the account default */ default?: pulumi.Input; /** * The id of the DEX rule */ id?: pulumi.Input; /** * The name of the DEX rule */ name?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpCustomEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". */ type?: pulumi.Input; } export interface ZeroTrustDlpCustomProfileContextAwareness { /** * If true, scan the context of predefined entries to only return matches surrounded by keywords. */ enabled: pulumi.Input; /** * Content types to exclude from context analysis and return all matches. */ skip: pulumi.Input; } export interface ZeroTrustDlpCustomProfileContextAwarenessSkip { /** * If the content type is a file, skip context analysis and return all matches. */ files: pulumi.Input; } export interface ZeroTrustDlpCustomProfileEntry { enabled: pulumi.Input; entryId?: pulumi.Input; name: pulumi.Input; pattern: pulumi.Input; } export interface ZeroTrustDlpCustomProfileEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpCustomProfileSharedEntry { enabled: pulumi.Input; entryId: pulumi.Input; /** * Available values: "custom", "predefined", "integration", "exact*data", "document*fingerprint". */ entryType: pulumi.Input; } export interface ZeroTrustDlpDatasetColumn { entryId?: pulumi.Input; headerName?: pulumi.Input; numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ uploadStatus?: pulumi.Input; } export interface ZeroTrustDlpDatasetDataset { caseSensitive?: pulumi.Input; columns?: pulumi.Input[]>; createdAt?: pulumi.Input; /** * The description of the dataset. */ description?: pulumi.Input; encodingVersion?: pulumi.Input; id?: pulumi.Input; name?: pulumi.Input; numCells?: pulumi.Input; secret?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ status?: pulumi.Input; /** * When the dataset was last updated. */ updatedAt?: pulumi.Input; uploads?: pulumi.Input[]>; } export interface ZeroTrustDlpDatasetDatasetColumn { entryId?: pulumi.Input; headerName?: pulumi.Input; numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ uploadStatus?: pulumi.Input; } export interface ZeroTrustDlpDatasetDatasetUpload { numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ status?: pulumi.Input; version?: pulumi.Input; } export interface ZeroTrustDlpDatasetUpload { numCells?: pulumi.Input; /** * Available values: "empty", "uploading", "pending", "processing", "failed", "complete". */ status?: pulumi.Input; version?: pulumi.Input; } export interface ZeroTrustDlpEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpEntryPattern { regex: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". */ type?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryPattern { regex?: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpIntegrationEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". */ type?: pulumi.Input; } export interface ZeroTrustDlpPredefinedEntryConfidence { /** * Indicates whether this entry has AI remote service validation. */ aiContextAvailable?: pulumi.Input; /** * Indicates whether this entry has any form of validation that is not an AI remote service. */ available?: pulumi.Input; } export interface ZeroTrustDlpPredefinedEntryPattern { regex?: pulumi.Input; /** * Available values: "luhn". * * @deprecated This attribute is deprecated. */ validation?: pulumi.Input; } export interface ZeroTrustDlpPredefinedEntryVariant { description?: pulumi.Input; /** * Available values: "Intent", "Content". */ topicType?: pulumi.Input; /** * Available values: "PromptTopic". */ type?: pulumi.Input; } export interface ZeroTrustDlpPredefinedProfileContextAwareness { /** * If true, scan the context of predefined entries to only return matches surrounded by keywords. */ enabled: pulumi.Input; /** * Content types to exclude from context analysis and return all matches. */ skip: pulumi.Input; } export interface ZeroTrustDlpPredefinedProfileContextAwarenessSkip { /** * If the content type is a file, skip context analysis and return all matches. */ files: pulumi.Input; } export interface ZeroTrustDlpPredefinedProfileEntry { enabled: pulumi.Input; id: pulumi.Input; } export interface ZeroTrustDnsLocationEndpoints { doh: pulumi.Input; dot: pulumi.Input; ipv4: pulumi.Input; ipv6: pulumi.Input; } export interface ZeroTrustDnsLocationEndpointsDoh { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; /** * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location. */ networks?: pulumi.Input[]>; /** * True if the endpoint requires [user identity](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/dns-over-https/#filter-doh-requests-by-user) authentication. */ requireToken?: pulumi.Input; } export interface ZeroTrustDnsLocationEndpointsDohNetwork { /** * The IP address or IP CIDR. */ network: pulumi.Input; } export interface ZeroTrustDnsLocationEndpointsDot { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; /** * A list of allowed source IP network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location. */ networks?: pulumi.Input[]>; } export interface ZeroTrustDnsLocationEndpointsDotNetwork { /** * The IP address or IP CIDR. */ network: pulumi.Input; } export interface ZeroTrustDnsLocationEndpointsIpv4 { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; } export interface ZeroTrustDnsLocationEndpointsIpv6 { /** * True if the endpoint is enabled for this location. */ enabled?: pulumi.Input; /** * A list of allowed source IPv6 network ranges for this endpoint. When empty, all source IPs are allowed. A non-empty list is only effective if the endpoint is enabled for this location. */ networks?: pulumi.Input[]>; } export interface ZeroTrustDnsLocationEndpointsIpv6Network { /** * The IPv6 address or IPv6 CIDR. */ network: pulumi.Input; } export interface ZeroTrustDnsLocationNetwork { /** * The IPv4 address or IPv4 CIDR. IPv4 CIDRs are limited to a maximum of /24. */ network: pulumi.Input; } export interface ZeroTrustGatewayLoggingSettingsByRuleType { dns?: pulumi.Input; http?: pulumi.Input; l4?: pulumi.Input; } export interface ZeroTrustGatewayLoggingSettingsByRuleTypeDns { /** * Log all requests to this service. */ logAll?: pulumi.Input; /** * Log only blocking requests to this service. */ logBlocks?: pulumi.Input; } export interface ZeroTrustGatewayLoggingSettingsByRuleTypeHttp { /** * Log all requests to this service. */ logAll?: pulumi.Input; /** * Log only blocking requests to this service. */ logBlocks?: pulumi.Input; } export interface ZeroTrustGatewayLoggingSettingsByRuleTypeL4 { /** * Log all requests to this service. */ logAll?: pulumi.Input; /** * Log only blocking requests to this service. */ logBlocks?: pulumi.Input; } export interface ZeroTrustGatewayPolicyExpiration { /** * The default duration a policy will be active in minutes. Must be set in order to use the `resetExpiration` endpoint on this rule. */ duration?: pulumi.Input; /** * Whether the policy has expired. */ expired?: pulumi.Input; /** * The time stamp at which the policy will expire and cease to be * applied. */ expiresAt: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettings { /** * Add custom headers to allowed requests, in the form of key-value pairs. Keys are header names, pointing to an array with its header value(s). */ addHeaders?: pulumi.Input<{ [key: string]: pulumi.Input[]>; }>; /** * Set by parent MSP accounts to enable their children to bypass this rule. */ allowChildBypass?: pulumi.Input; /** * Settings for the Audit SSH action. */ auditSsh?: pulumi.Input; /** * Configure how browser isolation behaves. */ bisoAdminControls?: pulumi.Input; /** * Custom block page settings. If missing/null, blocking will use the the account settings. */ blockPage?: pulumi.Input; /** * Enable the custom block page. */ blockPageEnabled?: pulumi.Input; /** * The text describing why this block occurred, displayed on the custom block page (if enabled). */ blockReason?: pulumi.Input; /** * Set by children MSP accounts to bypass their parent's rules. */ bypassParentRule?: pulumi.Input; /** * Configure how session check behaves. */ checkSession?: pulumi.Input; /** * Add your own custom resolvers to route queries that match the resolver policy. Cannot be used when 'resolve*dns*through*cloudflare' or 'resolve*dns*internally' are set. DNS queries will route to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. */ dnsResolvers?: pulumi.Input; /** * Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. */ egress?: pulumi.Input; /** * Set to true, to ignore the category matches at CNAME domains in a response. If unchecked, the categories in this rule will be checked against all the CNAME domain categories in a response. */ ignoreCnameCategoryMatches?: pulumi.Input; /** * INSECURE - disable DNSSEC validation (for Allow actions). */ insecureDisableDnssecValidation?: pulumi.Input; /** * Set to true to enable IPs in DNS resolver category blocks. By default categories only block based on domain names. */ ipCategories?: pulumi.Input; /** * Set to true to include IPs in DNS resolver indicator feed blocks. By default indicator feeds only block based on domain names. */ ipIndicatorFeeds?: pulumi.Input; /** * Send matching traffic to the supplied destination IP address. and port. */ l4override?: pulumi.Input; /** * Configure a notification to display on the user's device when this rule is matched. */ notificationSettings?: pulumi.Input; /** * Override matching DNS queries with a hostname. */ overrideHost?: pulumi.Input; /** * Override matching DNS queries with an IP or set of IPs. */ overrideIps?: pulumi.Input[]>; /** * Configure DLP payload logging. */ payloadLog?: pulumi.Input; /** * Settings that apply to quarantine rules. */ quarantine?: pulumi.Input; /** * Settings that apply to redirect rules. */ redirect?: pulumi.Input; /** * Configure to forward the query to the internal DNS service, passing the specified 'view*id' as input. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns*through*cloudflare' is set. Only valid when a rule's action is set to 'resolve'. */ resolveDnsInternally?: pulumi.Input; /** * Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns*resolvers' are specified or 'resolve*dns_internally' is set. Only valid when a rule's action is set to 'resolve'. */ resolveDnsThroughCloudflare?: pulumi.Input; /** * Configure behavior when an upstream cert is invalid or an SSL error occurs. */ untrustedCert?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsAuditSsh { /** * Enable to turn on SSH command logging. */ commandLogging?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsBisoAdminControls { /** * Configure whether copy is enabled or not. When set with "remote*only", copying isolated content from the remote browser to the user's local clipboard is disabled. When absent, copy is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled", "remote*only". */ copy?: pulumi.Input; /** * Set to false to enable copy-pasting. Only applies when `version == "v1"`. */ dcp?: pulumi.Input; /** * Set to false to enable downloading. Only applies when `version == "v1"`. */ dd?: pulumi.Input; /** * Set to false to enable keyboard usage. Only applies when `version == "v1"`. */ dk?: pulumi.Input; /** * Configure whether downloading enabled or not. When set with "remote*only", downloads are only available for viewing. Only applies when `version == "v2"`. * Available values: "enabled", "disabled", "remote*only". */ download?: pulumi.Input; /** * Set to false to enable printing. Only applies when `version == "v1"`. */ dp?: pulumi.Input; /** * Set to false to enable uploading. Only applies when `version == "v1"`. */ du?: pulumi.Input; /** * Configure whether keyboard usage is enabled or not. When absent, keyboard usage is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled". */ keyboard?: pulumi.Input; /** * Configure whether pasting is enabled or not. When set with "remote*only", pasting content from the user's local clipboard into isolated pages is disabled. When absent, paste is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled", "remote*only". */ paste?: pulumi.Input; /** * Configure whether printing is enabled or not. When absent, printing is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled". */ printing?: pulumi.Input; /** * Configure whether uploading is enabled or not. When absent, uploading is enabled. Only applies when `version == "v2"`. * Available values: "enabled", "disabled". */ upload?: pulumi.Input; /** * Indicates which version of the browser isolation controls should apply. * Available values: "v1", "v2". */ version?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsBlockPage { /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * URI to which the user will be redirected. */ targetUri: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsCheckSession { duration?: pulumi.Input; /** * Set to true to enable session enforcement. */ enforce?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolvers { ipv4s?: pulumi.Input[]>; ipv6s?: pulumi.Input[]>; } export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv4 { /** * IPv4 address of upstream resolver. */ ip: pulumi.Input; /** * A port number to use for upstream resolver. Defaults to 53 if unspecified. */ port?: pulumi.Input; /** * Whether to connect to this resolver over a private network. Must be set when vnetId is set. */ routeThroughPrivateNetwork?: pulumi.Input; /** * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted. */ vnetId?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsDnsResolversIpv6 { /** * IPv6 address of upstream resolver. */ ip: pulumi.Input; /** * A port number to use for upstream resolver. Defaults to 53 if unspecified. */ port?: pulumi.Input; /** * Whether to connect to this resolver over a private network. Must be set when vnetId is set. */ routeThroughPrivateNetwork?: pulumi.Input; /** * Optionally specify a virtual network for this resolver. Uses default virtual network id if omitted. */ vnetId?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsEgress { /** * The IPv4 address to be used for egress. */ ipv4?: pulumi.Input; /** * The fallback IPv4 address to be used for egress in the event of an error egressing with the primary IPv4. Can be '0.0.0.0' to indicate local egress via WARP IPs. */ ipv4Fallback?: pulumi.Input; /** * The IPv6 range to be used for egress. */ ipv6?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsL4override { /** * IPv4 or IPv6 address. */ ip?: pulumi.Input; /** * A port number to use for TCP/UDP overrides. */ port?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsNotificationSettings { /** * Set notification on. */ enabled?: pulumi.Input; /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * Customize the message shown in the notification. */ msg?: pulumi.Input; /** * Optional URL to direct users to additional information. If not set, the notification will open a block page. */ supportUrl?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsPayloadLog { /** * Set to true to enable DLP payload logging for this rule. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsQuarantine { /** * Types of files to sandbox. */ fileTypes?: pulumi.Input[]>; } export interface ZeroTrustGatewayPolicyRuleSettingsRedirect { /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * If true, the path and query parameters from the original request will be appended to target_uri. */ preservePathAndQuery?: pulumi.Input; /** * URI to which the user will be redirected. */ targetUri: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsResolveDnsInternally { /** * The fallback behavior to apply when the internal DNS response code is different from 'NOERROR' or when the response data only contains CNAME records for 'A' or 'AAAA' queries. * Available values: "none", "publicDns". */ fallback?: pulumi.Input; /** * The internal DNS view identifier that's passed to the internal DNS service. */ viewId?: pulumi.Input; } export interface ZeroTrustGatewayPolicyRuleSettingsUntrustedCert { /** * The action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. * Available values: "passThrough", "block", "error". */ action?: pulumi.Input; } export interface ZeroTrustGatewayPolicySchedule { /** * The time intervals when the rule will be active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Fridays. */ fri?: pulumi.Input; /** * The time intervals when the rule will be active on Mondays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Mondays. */ mon?: pulumi.Input; /** * The time intervals when the rule will be active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Saturdays. */ sat?: pulumi.Input; /** * The time intervals when the rule will be active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Sundays. */ sun?: pulumi.Input; /** * The time intervals when the rule will be active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Thursdays. */ thu?: pulumi.Input; /** * The time zone the rule will be evaluated against. If a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway will always use the current time at that time zone. If this parameter is omitted, then Gateway will use the time zone inferred from the user's source IP to evaluate the rule. If Gateway cannot determine the time zone from the IP, we will fall back to the time zone of the user's connected data center. */ timeZone?: pulumi.Input; /** * The time intervals when the rule will be active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Tuesdays. */ tue?: pulumi.Input; /** * The time intervals when the rule will be active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule will be deactivated on Wednesdays. */ wed?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettings { /** * Activity log settings. */ activityLog?: pulumi.Input; /** * Anti-virus settings. */ antivirus?: pulumi.Input; /** * Block page layout settings. */ blockPage?: pulumi.Input; /** * DLP body scanning settings. */ bodyScanning?: pulumi.Input; /** * Browser isolation settings. */ browserIsolation?: pulumi.Input; /** * Certificate settings for Gateway TLS interception. If not specified, the Cloudflare Root CA will be used. */ certificate?: pulumi.Input; /** * Custom certificate settings for BYO-PKI. (deprecated and replaced by `certificate`). * * @deprecated This attribute is deprecated. */ customCertificate?: pulumi.Input; /** * Extended e-mail matching settings. */ extendedEmailMatching?: pulumi.Input; /** * FIPS settings. */ fips?: pulumi.Input; /** * Setting to enable host selector in egress policies. */ hostSelector?: pulumi.Input; /** * Setting to define inspection settings. */ inspection?: pulumi.Input; /** * Protocol Detection settings. */ protocolDetection?: pulumi.Input; /** * Sandbox settings. */ sandbox?: pulumi.Input; /** * TLS interception settings. */ tlsDecrypt?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsActivityLog { /** * Enable activity logging. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsAntivirus { /** * Enable anti-virus scanning on downloads. */ enabledDownloadPhase?: pulumi.Input; /** * Enable anti-virus scanning on uploads. */ enabledUploadPhase?: pulumi.Input; /** * Block requests for files that cannot be scanned. */ failClosed?: pulumi.Input; /** * Configure a message to display on the user's device when an antivirus search is performed. */ notificationSettings?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsAntivirusNotificationSettings { /** * Set notification on. */ enabled?: pulumi.Input; /** * If true, context information will be passed as query parameters. */ includeContext?: pulumi.Input; /** * Customize the message shown in the notification. */ msg?: pulumi.Input; /** * Optional URL to direct users to additional information. If not set, the notification will open a block page. */ supportUrl?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsBlockPage { /** * If mode is customized_block_page: block page background color in #rrggbb format. */ backgroundColor?: pulumi.Input; /** * Enable only cipher suites and TLS versions compliant with FIPS. 140-2. */ enabled?: pulumi.Input; /** * If mode is customized_block_page: block page footer text. */ footerText?: pulumi.Input; /** * If mode is customized_block_page: block page header text. */ headerText?: pulumi.Input; /** * If mode is redirect_uri: when enabled, context will be appended to targetUri as query parameters. */ includeContext?: pulumi.Input; /** * If mode is customized_block_page: full URL to the logo file. */ logoPath?: pulumi.Input; /** * If mode is customized_block_page: admin email for users to contact. */ mailtoAddress?: pulumi.Input; /** * If mode is customized_block_page: subject line for emails created from block page. */ mailtoSubject?: pulumi.Input; /** * Controls whether the user is redirected to a Cloudflare-hosted block page or to a customer-provided URI. * Available values: "", "customizedBlockPage", "redirectUri". */ mode?: pulumi.Input; /** * If mode is customized_block_page: block page title. */ name?: pulumi.Input; /** * This setting was shared via the Orgs API and cannot be edited by the current account. */ readOnly?: pulumi.Input; /** * Account tag of account that shared this setting. */ sourceAccount?: pulumi.Input; /** * If mode is customized_block_page: suppress detailed info at the bottom of the block page. */ suppressFooter?: pulumi.Input; /** * If mode is redirect_uri: URI to which the user should be redirected. */ targetUri?: pulumi.Input; /** * Version number of the setting. */ version?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsBodyScanning { /** * Set the inspection mode to either `deep` or `shallow`. * Available values: "deep", "shallow". */ inspectionMode?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsBrowserIsolation { /** * Enable non-identity onramp support for Browser Isolation. */ nonIdentityEnabled?: pulumi.Input; /** * Enable Clientless Browser Isolation. */ urlBrowserIsolationEnabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsCertificate { /** * UUID of certificate to be used for interception. Certificate must be available (previously called 'active') on the edge. A nil UUID will indicate the Cloudflare Root CA should be used. */ id: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsCustomCertificate { /** * Certificate status (internal). */ bindingStatus?: pulumi.Input; /** * Enable use of custom certificate authority for signing Gateway. traffic. */ enabled: pulumi.Input; /** * UUID of certificate (ID from MTLS certificate store). */ id?: pulumi.Input; updatedAt?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsExtendedEmailMatching { /** * Enable matching all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. */ enabled?: pulumi.Input; /** * This setting was shared via the Orgs API and cannot be edited by the current account. */ readOnly?: pulumi.Input; /** * Account tag of account that shared this setting. */ sourceAccount?: pulumi.Input; /** * Version number of the setting. */ version?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsFips { /** * Enable only cipher suites and TLS versions compliant with FIPS. 140-2. */ tls?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsHostSelector { /** * Enable filtering via hosts for egress policies. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsInspection { /** * Defines the mode of inspection the proxy will use. * - static: Gateway will use static inspection to inspect HTTP on TCP(80). If TLS decryption is on, Gateway will inspect HTTPS traffic on TCP(443) & UDP(443). * - dynamic: Gateway will use protocol detection to dynamically inspect HTTP and HTTPS traffic on any port. TLS decryption must be on to inspect HTTPS traffic. * Available values: "static", "dynamic". */ mode?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsProtocolDetection { /** * Enable detecting protocol on initial bytes of client traffic. */ enabled?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsSandbox { /** * Enable sandbox. */ enabled?: pulumi.Input; /** * Action to take when the file cannot be scanned. * Available values: "allow", "block". */ fallbackAction?: pulumi.Input; } export interface ZeroTrustGatewaySettingsSettingsTlsDecrypt { /** * Enable inspecting encrypted HTTP traffic. */ enabled?: pulumi.Input; } export interface ZeroTrustListItem { /** * The description of the list item, if present. */ description?: pulumi.Input; /** * The value of the item in a list. */ value?: pulumi.Input; } export interface ZeroTrustLocalFallbackDomainDomain { /** * A description of the fallback domain, displayed in the client UI. */ description?: pulumi.Input; /** * A list of IP addresses to handle domain resolution. */ dnsServers?: pulumi.Input[]>; /** * The domain suffix to match when resolving locally. */ suffix: pulumi.Input; } export interface ZeroTrustOrganizationCustomPages { /** * The uid of the custom page to use when a user is denied access after failing a non-identity rule. */ forbidden?: pulumi.Input; /** * The uid of the custom page to use when a user is denied access. */ identityDenied?: pulumi.Input; } export interface ZeroTrustOrganizationLoginDesign { /** * The background color on your login page. */ backgroundColor?: pulumi.Input; /** * The text at the bottom of your login page. */ footerText?: pulumi.Input; /** * The text at the top of your login page. */ headerText?: pulumi.Input; /** * The URL of the logo on your login page. */ logoPath?: pulumi.Input; /** * The text color on your login page. */ textColor?: pulumi.Input; } export interface ZeroTrustRiskBehaviorBehaviors { enabled: pulumi.Input; /** * Available values: "low", "medium", "high". */ riskLevel: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfig { /** * List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. */ ingresses?: pulumi.Input[]>; /** * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. */ originRequest?: pulumi.Input; /** * Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route. */ warpRouting?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigIngress { /** * Public hostname for this service. */ hostname?: pulumi.Input; /** * Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. */ originRequest?: pulumi.Input; /** * Requests with this path route to this public hostname. */ path?: pulumi.Input; /** * Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http*status:[code] e.g. 'http*status:404'. */ service: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequest { /** * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. */ access?: pulumi.Input; /** * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. */ caPool?: pulumi.Input; /** * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. */ connectTimeout?: pulumi.Input; /** * Disables chunked transfer encoding. Useful if you are running a WSGI server. */ disableChunkedEncoding?: pulumi.Input; /** * Attempt to connect to origin using HTTP2. Origin must be configured as https. */ http2Origin?: pulumi.Input; /** * Sets the HTTP Host header on requests sent to the local service. */ httpHostHeader?: pulumi.Input; /** * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. */ keepAliveConnections?: pulumi.Input; /** * Timeout after which an idle keepalive connection can be discarded. */ keepAliveTimeout?: pulumi.Input; /** * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. */ noHappyEyeballs?: pulumi.Input; /** * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. */ noTlsVerify?: pulumi.Input; /** * Hostname that cloudflared should expect from your origin server certificate. */ originServerName?: pulumi.Input; /** * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. */ proxyType?: pulumi.Input; /** * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. */ tcpKeepAlive?: pulumi.Input; /** * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. */ tlsTimeout?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigIngressOriginRequestAccess { /** * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. */ audTags: pulumi.Input[]>; /** * Deny traffic that has not fulfilled Access authorization. */ required?: pulumi.Input; teamName: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequest { /** * For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. */ access?: pulumi.Input; /** * Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. */ caPool?: pulumi.Input; /** * Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. */ connectTimeout?: pulumi.Input; /** * Disables chunked transfer encoding. Useful if you are running a WSGI server. */ disableChunkedEncoding?: pulumi.Input; /** * Attempt to connect to origin using HTTP2. Origin must be configured as https. */ http2Origin?: pulumi.Input; /** * Sets the HTTP Host header on requests sent to the local service. */ httpHostHeader?: pulumi.Input; /** * Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. */ keepAliveConnections?: pulumi.Input; /** * Timeout after which an idle keepalive connection can be discarded. */ keepAliveTimeout?: pulumi.Input; /** * Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. */ noHappyEyeballs?: pulumi.Input; /** * Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. */ noTlsVerify?: pulumi.Input; /** * Hostname that cloudflared should expect from your origin server certificate. */ originServerName?: pulumi.Input; /** * cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. */ proxyType?: pulumi.Input; /** * The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. */ tcpKeepAlive?: pulumi.Input; /** * Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. */ tlsTimeout?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigOriginRequestAccess { /** * Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. */ audTags: pulumi.Input[]>; /** * Deny traffic that has not fulfilled Access authorization. */ required?: pulumi.Input; teamName: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConfigConfigWarpRouting { enabled?: pulumi.Input; } export interface ZeroTrustTunnelCloudflaredConnection { /** * UUID of the Cloudflare Tunnel connector. */ clientId?: pulumi.Input; /** * The cloudflared version used to establish this connection. */ clientVersion?: pulumi.Input; /** * The Cloudflare data center used for this connection. */ coloName?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ id?: pulumi.Input; /** * Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. */ isPendingReconnect?: pulumi.Input; /** * Timestamp of when the connection was established. */ openedAt?: pulumi.Input; /** * The public IP address of the host running cloudflared. */ originIp?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ uuid?: pulumi.Input; } export interface ZeroTrustTunnelWarpConnectorConnection { /** * UUID of the Cloudflare Tunnel connector. */ clientId?: pulumi.Input; /** * The cloudflared version used to establish this connection. */ clientVersion?: pulumi.Input; /** * The Cloudflare data center used for this connection. */ coloName?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ id?: pulumi.Input; /** * Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. */ isPendingReconnect?: pulumi.Input; /** * Timestamp of when the connection was established. */ openedAt?: pulumi.Input; /** * The public IP address of the host running cloudflared. */ originIp?: pulumi.Input; /** * UUID of the Cloudflare Tunnel connection. */ uuid?: pulumi.Input; } export interface ZoneAccount { /** * Identifier */ id?: pulumi.Input; } export interface ZoneCacheVariantsValue { /** * List of strings with the MIME types of all the variants that should be served for avif. */ avifs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for bmp. */ bmps?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for gif. */ gifs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jp2. */ jp2s?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jpeg. */ jpegs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jpg2. */ jpg2s?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for jpg. */ jpgs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for png. */ pngs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for tiff. */ tiffs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for tif. */ tifs?: pulumi.Input[]>; /** * List of strings with the MIME types of all the variants that should be served for webp. */ webps?: pulumi.Input[]>; } export interface ZoneDnsSettingsInternalDns { /** * The ID of the zone to fallback to. */ referenceZoneId?: pulumi.Input; } export interface ZoneDnsSettingsNameservers { /** * Configured nameserver set to be used for this zone */ nsSet?: pulumi.Input; /** * Nameserver type * Available values: "cloudflare.standard", "custom.account", "custom.tenant", "custom.zone". */ type: pulumi.Input; } export interface ZoneDnsSettingsSoa { /** * Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone. */ expire: pulumi.Input; /** * The time to live (TTL) for negative caching of records within the zone. */ minTtl: pulumi.Input; /** * The primary nameserver, which may be used for outbound zone transfers. */ mname: pulumi.Input; /** * Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated. */ refresh: pulumi.Input; /** * Time in seconds after which secondary servers should retry queries after the primary server was unresponsive. */ retry: pulumi.Input; /** * The email address of the zone administrator, with the first label representing the local part of the email address. */ rname: pulumi.Input; /** * The time to live (TTL) of the SOA record itself. */ ttl: pulumi.Input; } export interface ZoneLockdownConfiguration { /** * The configuration target. You must set the target to `ip` when specifying an IP address in the Zone Lockdown rule. * Available values: "ip", "ipRange". */ target?: pulumi.Input; /** * The IP address to match. This address will be compared to the IP address of incoming requests. */ value?: pulumi.Input; } export interface ZoneMeta { /** * The zone is only configured for CDN. */ cdnOnly?: pulumi.Input; /** * Number of Custom Certificates the zone can have. */ customCertificateQuota?: pulumi.Input; /** * The zone is only configured for DNS. */ dnsOnly?: pulumi.Input; /** * The zone is setup with Foundation DNS. */ foundationDns?: pulumi.Input; /** * Number of Page Rules a zone can have. */ pageRuleQuota?: pulumi.Input; /** * The zone has been flagged for phishing. */ phishingDetected?: pulumi.Input; step?: pulumi.Input; } export interface ZoneOwner { /** * Identifier */ id?: pulumi.Input; /** * Name of the owner. */ name?: pulumi.Input; /** * The type of owner. */ type?: pulumi.Input; } export interface ZonePlan { /** * States if the subscription can be activated. */ canSubscribe?: pulumi.Input; /** * The denomination of the customer. */ currency?: pulumi.Input; /** * If this Zone is managed by another company. */ externallyManaged?: pulumi.Input; /** * How often the customer is billed. */ frequency?: pulumi.Input; /** * Identifier */ id?: pulumi.Input; /** * States if the subscription active. */ isSubscribed?: pulumi.Input; /** * If the legacy discount applies to this Zone. */ legacyDiscount?: pulumi.Input; /** * The legacy name of the plan. */ legacyId?: pulumi.Input; /** * Name of the owner. */ name?: pulumi.Input; /** * How much the customer is paying. */ price?: pulumi.Input; } export interface ZoneSubscriptionRatePlan { /** * The currency applied to the rate plan subscription. */ currency?: pulumi.Input; /** * Whether this rate plan is managed externally from Cloudflare. */ externallyManaged?: pulumi.Input; /** * The ID of the rate plan. * Available values: "free", "lite", "pro", "pro*plus", "business", "enterprise", "partners*free", "partners*pro", "partners*business", "partnersEnterprise". */ id?: pulumi.Input; /** * Whether a rate plan is enterprise-based (or newly adopted term contract). */ isContract?: pulumi.Input; /** * The full name of the rate plan. */ publicName?: pulumi.Input; /** * The scope that this rate plan applies to. */ scope?: pulumi.Input; /** * The list of sets this rate plan applies to. */ sets?: pulumi.Input[]>; } export interface ZoneTenant { /** * Identifier */ id?: pulumi.Input; /** * The name of the Tenant account. */ name?: pulumi.Input; } export interface ZoneTenantUnit { /** * Identifier */ id?: pulumi.Input; }