gateway_rules
Creates, updates, deletes, gets or lists a gateway_rules resource.
Overview
| Property | Value |
|---|---|
| Name | gateway_rules |
| Type | Resource |
| Id | cloudflare.zero_trust.gateway_rules |
Fields
The following fields are returned by SELECT queries:
- get
- list
Get Zero Trust Gateway rule details response.
| Name | Datatype | Description |
|---|---|---|
| id | string | Identify the API resource with a UUID. (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| name | string | Specify the rule name. (example: block bad websites) |
| action | string | Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`. (on, off, allow, block, scan, noscan, safesearch, ytrestricted, isolate, noisolate, override, l4_override, egress, resolve, quarantine, redirect) (example: allow) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| deleted_at | string (date-time) | Indicate the date of deletion, if any. (x-stainless-terraform-configurability: computed) |
| description | string | Specify the rule description. (example: Block bad websites based on their host name.) |
| device_posture | string | Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. (default: empty string, example: any(device_posture.checks.passed[*] in {"1308749e-fcfb-4ebc-b051-fe022b632644"}), x-stainless-terraform-configurability: computed_optional) |
| enabled | boolean | Specify whether the rule is enabled. |
| expiration | object | Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules. (x-stainless-terraform-configurability: computed_optional) |
| filters | array | Specify the protocol or layer on which to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. |
| identity | string | Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. (default: empty string, example: any(identity.groups.name[*] in {"finance"}), x-stainless-terraform-configurability: computed_optional) |
| precedence | integer | Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform. (x-stainless-terraform-configurability: computed_optional) |
| read_only | boolean | Indicate that this rule is shared via the Orgs API and read only. (x-stainless-terraform-configurability: computed) |
| rule_settings | object | Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. (x-stainless-terraform-configurability: computed_optional) |
| schedule | object | Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules. (x-stainless-terraform-configurability: computed_optional) |
| sharable | boolean | Indicate that this rule is sharable via the Orgs API. (x-stainless-terraform-configurability: computed) |
| source_account | string | Provide the account tag of the account that created the rule. (x-stainless-terraform-configurability: computed) |
| traffic | string | Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. (default: empty string, example: http.request.uri matches ".a/partial/uri." and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10, x-stainless-terraform-configurability: computed_optional) |
| updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| version | integer | Indicate the version number of the rule (read-only). (x-stainless-terraform-configurability: computed) |
| warning_status | string | Indicate a warning for a misconfigured rule, if any. (x-stainless-terraform-configurability: computed) |
List Zero Trust Gateway rules response.
Each element of the list carries the same fields, with the same datatypes and descriptions, as the `get` response above.
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get | select | rule_id, account_id | | Get a single Zero Trust Gateway rule. |
| list | select | account_id | | List Zero Trust Gateway rules for an account. |
| create | insert | account_id, name, action | | Create a new Zero Trust Gateway rule. |
| update | replace | rule_id, account_id, name, action | | Update a configured Zero Trust Gateway rule. |
| delete | delete | rule_id, account_id | | Delete a Zero Trust Gateway rule. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| rule_id | string | The rule ID. |
SELECT examples
- get
- list
Get a single Zero Trust Gateway rule.
```sql
SELECT
id,
name,
action,
created_at,
deleted_at,
description,
device_posture,
enabled,
expiration,
filters,
identity,
precedence,
read_only,
rule_settings,
schedule,
sharable,
source_account,
traffic,
updated_at,
version,
warning_status
FROM cloudflare.zero_trust.gateway_rules
WHERE rule_id = '{{ rule_id }}' -- required
AND account_id = '{{ account_id }}' -- required
;
```
List Zero Trust Gateway rules for an account.
```sql
SELECT
id,
name,
action,
created_at,
deleted_at,
description,
device_posture,
enabled,
expiration,
filters,
identity,
precedence,
read_only,
rule_settings,
schedule,
sharable,
source_account,
traffic,
updated_at,
version,
warning_status
FROM cloudflare.zero_trust.gateway_rules
WHERE account_id = '{{ account_id }}' -- required
;
```
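Because Gateway evaluates the applicable rules of each phase in ascending `precedence`, a broad `allow` or `off` rule that sorts ahead of a `block` silently shadows it. The following audit queries are an added example, not part of the StackQL documentation or of Cloudflare's own tooling: the first lists every rule in the account in enforcement order so such shadowing is visible, and the second flags DNS rules whose `rule_settings` switch off DNSSEC validation. The account ID is a placeholder, and the use of SQLite's `json_extract` over the `rule_settings` JSON text assumes the default StackQL SQLite backend.

```sql
-- Added example (not from the StackQL docs). Rules are returned in the order
-- Gateway evaluates them within a phase (filters): lowest precedence first.
-- Look for an enabled 'allow' or 'off' rule that sorts before a 'block'
-- covering the same traffic, and for any non-empty warning_status.
SELECT
  filters,
  precedence,
  action,
  enabled,
  name,
  traffic,
  identity,
  device_posture,
  warning_status
FROM cloudflare.zero_trust.gateway_rules
WHERE account_id = 'YOUR_ACCOUNT_ID'      -- placeholder
ORDER BY filters, precedence ASC;

-- Rules that disable DNSSEC validation (insecure_disable_dnssec_validation is
-- a rule_settings key documented on this page). json_extract assumes the
-- default SQLite backend, where JSON true is extracted as 1.
SELECT
  id,
  name,
  action,
  precedence,
  traffic
FROM cloudflare.zero_trust.gateway_rules
WHERE account_id = 'YOUR_ACCOUNT_ID'      -- placeholder
  AND json_extract(rule_settings, '$.insecure_disable_dnssec_validation') = 1
ORDER BY precedence ASC;
```

Run the first query after every change to precedence, since the API may renumber rules, and compare the `traffic`, `identity` and `device_posture` strings it returns against what you submitted: the API rewrites expressions before storing them, and the stored form is what Gateway enforces.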
INSERT examples
- create
- Manifest
Create a new Zero Trust Gateway rule.
```sql
INSERT INTO cloudflare.zero_trust.gateway_rules (
action,
description,
device_posture,
enabled,
expiration,
filters,
identity,
name,
precedence,
rule_settings,
schedule,
traffic,
account_id
)
SELECT
'{{ action }}' /* required */,
'{{ description }}',
'{{ device_posture }}',
{{ enabled }},
'{{ expiration }}',
'{{ filters }}',
'{{ identity }}',
'{{ name }}' /* required */,
{{ precedence }},
'{{ rule_settings }}',
'{{ schedule }}',
'{{ traffic }}',
'{{ account_id }}'
RETURNING
errors,
messages,
result,
success
;
```
```yaml
# Description fields are for documentation purposes
- name: gateway_rules
  props:
    - name: account_id
      value: "{{ account_id }}"
      description: Required parameter for the gateway_rules resource.
    - name: action
      value: "{{ action }}"
      description: |
        Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
      valid_values: ['on', 'off', 'allow', 'block', 'scan', 'noscan', 'safesearch', 'ytrestricted', 'isolate', 'noisolate', 'override', 'l4_override', 'egress', 'resolve', 'quarantine', 'redirect']
    - name: description
      value: "{{ description }}"
      description: |
        Specify the rule description.
    - name: device_posture
      value: "{{ device_posture }}"
      description: |
        Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
      default:
    - name: enabled
      value: {{ enabled }}
      description: |
        Specify whether the rule is enabled.
      default: false
    - name: expiration
      description: |
        Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
      value:
        duration: {{ duration }}
        expired: {{ expired }}
        expires_at: "{{ expires_at }}"
    - name: filters
      value:
        - "{{ filters }}"
      description: |
        Specify the protocol or layer on which to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - name: identity
      value: "{{ identity }}"
      description: |
        Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
      default:
    - name: name
      value: "{{ name }}"
      description: |
        Specify the rule name.
    - name: precedence
      value: {{ precedence }}
      description: |
        Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
    - name: rule_settings
      description: |
        Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
      value:
        add_headers: "{{ add_headers }}"
        allow_child_bypass: {{ allow_child_bypass }}
        audit_ssh:
          command_logging: {{ command_logging }}
        biso_admin_controls:
          copy: "{{ copy }}"
          dcp: {{ dcp }}
          dd: {{ dd }}
          dk: {{ dk }}
          download: "{{ download }}"
          dp: {{ dp }}
          du: {{ du }}
          keyboard: "{{ keyboard }}"
          paste: "{{ paste }}"
          printing: "{{ printing }}"
          upload: "{{ upload }}"
          version: "{{ version }}"
          wm_id: "{{ wm_id }}"
        block_page:
          include_context: {{ include_context }}
          target_uri: "{{ target_uri }}"
        block_page_enabled: {{ block_page_enabled }}
        block_reason: "{{ block_reason }}"
        bypass_parent_rule: {{ bypass_parent_rule }}
        check_session:
          duration: "{{ duration }}"
          enforce: {{ enforce }}
        dns_resolvers:
          ipv4:
            - ip: "{{ ip }}"
              port: {{ port }}
              route_through_private_network: {{ route_through_private_network }}
              vnet_id: "{{ vnet_id }}"
          ipv6:
            - ip: "{{ ip }}"
              port: {{ port }}
              route_through_private_network: {{ route_through_private_network }}
              vnet_id: "{{ vnet_id }}"
        egress:
          ipv4: "{{ ipv4 }}"
          ipv4_fallback: "{{ ipv4_fallback }}"
          ipv6: "{{ ipv6 }}"
        forensic_copy:
          enabled: {{ enabled }}
        ignore_cname_category_matches: {{ ignore_cname_category_matches }}
        insecure_disable_dnssec_validation: {{ insecure_disable_dnssec_validation }}
        ip_categories: {{ ip_categories }}
        ip_indicator_feeds: {{ ip_indicator_feeds }}
        l4override:
          ip: "{{ ip }}"
          port: {{ port }}
        notification_settings:
          enabled: {{ enabled }}
          include_context: {{ include_context }}
          msg: "{{ msg }}"
          support_url: "{{ support_url }}"
        override_host: "{{ override_host }}"
        override_ips:
          - "{{ override_ips }}"
        payload_log:
          enabled: {{ enabled }}
        quarantine:
          file_types:
            - "{{ file_types }}"
        redirect:
          include_context: {{ include_context }}
          preserve_path_and_query: {{ preserve_path_and_query }}
          target_uri: "{{ target_uri }}"
        resolve_dns_internally:
          fallback: "{{ fallback }}"
          view_id: "{{ view_id }}"
        resolve_dns_through_cloudflare: {{ resolve_dns_through_cloudflare }}
        untrusted_cert:
          action: "{{ action }}"
    - name: schedule
      description: |
        Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
      value:
        fri: "{{ fri }}"
        mon: "{{ mon }}"
        sat: "{{ sat }}"
        sun: "{{ sun }}"
        thu: "{{ thu }}"
        time_zone: "{{ time_zone }}"
        tue: "{{ tue }}"
        wed: "{{ wed }}"
    - name: traffic
      value: "{{ traffic }}"
      description: |
        Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
      default:
```
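The template above leaves every value as a placeholder, so it does not show how the array-valued `filters` and object-valued `rule_settings` columns are actually passed, or what a complete enforcing rule looks like. The statement below is an added example, not taken from the StackQL documentation or from Cloudflare, that creates an enabled DNS `block` rule with a block page. It assumes that StackQL accepts JSON text for array and object columns, that `dns.domains` is the Gateway DNS selector for the queried domain (it is not among the selectors quoted on this page), and it uses a placeholder account ID and constructed domain names.

```sql
-- Added example (not from the StackQL docs): an enabled DNS block rule.
-- filters and rule_settings are passed as JSON text; the account ID and the
-- domains in the wirefilter set literal are placeholders. Set literals in
-- wirefilter are space-separated, as in the identity example on this page.
INSERT INTO cloudflare.zero_trust.gateway_rules (
  account_id,
  name,
  description,
  action,
  enabled,
  precedence,
  filters,
  traffic,
  rule_settings
)
SELECT
  'YOUR_ACCOUNT_ID',
  'block denylisted domains',
  'Block resolution of domains on the internal denylist.',
  'block',
  true,
  100,                                   -- low value: evaluated early in the DNS phase
  '["dns"]',                             -- exactly one filter, per the filters field
  'any(dns.domains[*] in {"bad.example" "also-bad.example"})',
  '{"block_page_enabled": true, "block_reason": "Blocked by corporate DNS policy"}'
RETURNING
  errors,
  messages,
  result,
  success;
```

After the insert, read the rule back with the `get` query and copy the `traffic` string the API returns into any Terraform or StackQL configuration you keep: the API reformats the expression before storing it, and the stored form, not what you typed, is what Gateway enforces and what Terraform will compare against.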
REPLACE examples
- update
Update a configured Zero Trust Gateway rule.
```sql
REPLACE cloudflare.zero_trust.gateway_rules
SET
action = '{{ action }}',
description = '{{ description }}',
device_posture = '{{ device_posture }}',
enabled = {{ enabled }},
expiration = '{{ expiration }}',
filters = '{{ filters }}',
identity = '{{ identity }}',
name = '{{ name }}',
precedence = {{ precedence }},
rule_settings = '{{ rule_settings }}',
schedule = '{{ schedule }}',
traffic = '{{ traffic }}'
WHERE
rule_id = '{{ rule_id }}' --required
AND account_id = '{{ account_id }}' --required
AND name = '{{ name }}' --required
AND action = '{{ action }}' --required
RETURNING
errors,
messages,
result,
success;
```
DELETE examples
- delete
Delete a Zero Trust Gateway rule.
```sql
DELETE FROM cloudflare.zero_trust.gateway_rules
WHERE rule_id = '{{ rule_id }}' --required
AND account_id = '{{ account_id }}' --required
;
```