IaC Bazaar
Cloudflare · Static-verified

Cloudflare Zero Trust Access

Access application with policies, identity provider wiring, and a cloudflared tunnel to private origins.

terraform · Edge & DNS · #cloudflare
cloudflare-zero-trust-access · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

cloudflare-zero-trust-access

Status: static-validated, live-test pending. Ships under live-test quarantine — Zero Trust Access provisioning needs a Cloudflare account token, at least one configured identity provider, and (to verify the tunnel) a running cloudflared connector, none of which exist in a CI sandbox yet. The full apply → verify → destroy gate runs once a Cloudflare sandbox account is wired up. Schema is validated against the auto-generated provider v5 docs.

An account-level Cloudflare Zero Trust Access application with reusable Access policies and an optional cloudflared tunnel to private origins. Built directly against the v5 schema (cloudflare_zero_trust_access_application, cloudflare_zero_trust_access_policy, cloudflare_zero_trust_tunnel_cloudflared), not the v4 cloudflare_access_* resource names that break on upgrade. Works with Terraform and OpenTofu (>= 1.6), Cloudflare provider >= 5.0, < 6.0.

Design & secure defaults

  • Identity-first, deny-by-default. Policies are reusable account-level objects attached to the application by ID, with precedence derived from sorted policy keys. The default policy admits a single email domain (not everyone) — a request that matches no allow policy is denied by Access.
  • Account-scoped throughout. Access is an account product, so the application, its policies, and the tunnel are all account_id-scoped, which lets the application reference reusable policies cleanly.
  • Short sessions. session_duration defaults to 1h to limit token lifetime; set 0s to force re-auth on every request.
  • Private origins, not public ones. The optional cloudflared tunnel (create_tunnel = true) is remotely managed (config_src = "cloudflare") so origins are reached over the tunnel instead of being exposed publicly. Cloudflare generates the tunnel secret when you do not supply one; the connector run token is returned as a sensitive output.
  • No permissive CORS by default. CORS is unmanaged unless you set the cors object; prefer explicit allow-lists over allow_all_*.
  • App not advertised. app_launcher_visible defaults to false so the app is not surfaced to every enrolled user.
  • No hardcoded secrets. tunnel_secret is optional and sensitive; pass it via TF_VAR_tunnel_secret or a secrets manager, or omit it.
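The defaults listed above, written out as plain provider v5 resources rather than through the module. This is an added illustration, not the module's own code: the account ID, names and domain are placeholders, and the nested attribute shapes (include, policies) follow the v5 docs and should be checked there.

```hcl
# Added illustration (not the module's code): deny-by-default Access app,
# one reusable account-level policy, and a remotely managed tunnel.
# account_id, names and domain are constructed placeholders.

variable "account_id" {
  type = string
}

# Reusable, account-scoped policy: a single email domain, not "everyone".
resource "cloudflare_zero_trust_access_policy" "staff" {
  account_id = var.account_id
  name       = "allow-staff-email-domain"
  decision   = "allow"
  include = [{
    email_domain = { domain = "example.com" }
  }]
}

# Remotely managed tunnel; Cloudflare generates the secret when none is set.
resource "cloudflare_zero_trust_tunnel_cloudflared" "private" {
  account_id = var.account_id
  name       = "internal-app"
  config_src = "cloudflare"
}

resource "cloudflare_zero_trust_access_application" "internal" {
  account_id           = var.account_id
  name                 = "internal-app"
  type                 = "self_hosted"
  domain               = "internal.example.com"
  session_duration     = "1h"   # short token lifetime; "0s" re-auths every request
  app_launcher_visible = false  # not surfaced to every enrolled user
  # CORS settings deliberately unset: unmanaged rather than allow_all_*.

  # Attach the reusable policy by ID; a request matching no allow policy is denied.
  policies = [{
    id         = cloudflare_zero_trust_access_policy.staff.id
    precedence = 1
  }]
}
```

Run `tofu validate` (or `terraform validate`) against provider >= 5.0, < 6.0 before applying; the tunnel's connector run token is sensitive and belongs in a secrets manager, not in state exports.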

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/verify/destroy testing pending Cloudflare sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Inputs
  • Outputs
  • Requirements & notes