organizations

Creates, updates, deletes, gets or lists an organizations resource.

Overview

Name: organizations
Type: Resource
Id: cloudflare.zero_trust.organizations

Fields

The following fields are returned by SELECT queries:

Get your Zero Trust organization response

| Name | Datatype | Description |
| --- | --- | --- |
| name | string | The name of your Zero Trust organization. (example: Widget Corps Internal Applications) |
| allow_authenticate_via_warp | boolean | When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. |
| auth_domain | string | The unique subdomain assigned to your Zero Trust organization. (example: test.cloudflareaccess.com) |
| auto_redirect_to_identity | boolean | When set to true, users skip the identity provider selection step during login. |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| custom_pages | object | |
| deny_unmatched_requests | boolean | Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array. |
| deny_unmatched_requests_exempted_zone_names | array | Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. |
| is_ui_read_only | boolean | Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. |
| login_design | object | |
| mfa_config | object | Configures multi-factor authentication (MFA) settings for an organization. |
| mfa_required_for_all_apps | boolean | Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. |
| mfa_ssh_piv_key_requirements | object | Configures SSH PIV key requirements for MFA using hardware security keys. |
| session_duration | string | The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. (example: 24h) |
| ui_read_only_toggle_reason | string | A description of the reason why the UI read-only field is being toggled. (example: Temporarily turn off the UI read only lock to make a change via the UI) |
| updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| user_seat_expiration_inactive_time | string | The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. (example: 730h) |
| warp_auth_session_duration | string | The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h. (example: 24h) |

Methods

The following methods are available for this resource:

| Name | Accessible by | Required Params | Optional Params | Description |
| --- | --- | --- | --- | --- |
| list_by_account | select | account_id | | Returns the configuration for your Zero Trust organization. |
| list_by_zone | select | zone_id | | Returns the configuration for your Zero Trust organization. |
| create_by_account | insert | account_id, name, auth_domain | | Sets up a Zero Trust organization for your account or zone. |
| create_by_zone | insert | zone_id, name, auth_domain | | Sets up a Zero Trust organization for your account or zone. |
| update_by_account | replace | account_id | | Updates the configuration for your Zero Trust organization. |
| update_by_zone | replace | zone_id | | Updates the configuration for your Zero Trust organization. |
| revoke_users_by_account | exec | account_id, email | devices | Revokes a user's access across all applications. |
| revoke_users_by_zone | exec | zone_id, email | devices | Revokes a user's access across all applications. |

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

| Name | Datatype | Description |
| --- | --- | --- |
| account_id | string | The Cloudflare account ID. |
| zone_id | string | The Cloudflare zone ID. |
| devices | boolean | When set to true, all devices associated with the user will be revoked. |

SELECT examples

Returns the configuration for your Zero Trust organization.

SELECT
name,
allow_authenticate_via_warp,
auth_domain,
auto_redirect_to_identity,
created_at,
custom_pages,
deny_unmatched_requests,
deny_unmatched_requests_exempted_zone_names,
is_ui_read_only,
login_design,
mfa_config,
mfa_required_for_all_apps,
mfa_ssh_piv_key_requirements,
session_duration,
ui_read_only_toggle_reason,
updated_at,
user_seat_expiration_inactive_time,
warp_auth_session_duration
FROM cloudflare.zero_trust.organizations
WHERE account_id = '{{ account_id }}' -- required
;
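As an added example that is not part of this page, of StackQL, or of Cloudflare's own tooling, the following Python checks one row returned by the query above against the constraints the Fields table states (the duration grammar and units, the m/h-only units of warp_auth_session_duration, the 730h minimum for user_seat_expiration_inactive_time) and flags the two boolean settings whose "false" value weakens the default posture; the function names and the sample row are assumptions.

```python
import re

# Duration grammar as the field descriptions state it: one or more <number><unit>
# components such as "300ms" or "2h45m"; units ns, us (or µs), ms, s, m, h.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_HOURS_PER_UNIT = {"ns": 1e-9 / 3600, "us": 1e-6 / 3600, "µs": 1e-6 / 3600,
                   "ms": 1e-3 / 3600, "s": 1 / 3600, "m": 1 / 60, "h": 1.0}

def parse_duration_hours(value, allowed_units=None):
    """Parse a duration string into hours; raise ValueError on bad syntax or unit."""
    pos, total = 0, 0.0
    while pos < len(value):
        m = _COMPONENT.match(value, pos)
        if m is None:
            raise ValueError(f"malformed duration {value!r}")
        number, unit = m.groups()
        if allowed_units is not None and unit not in allowed_units:
            raise ValueError(f"unit {unit!r} not allowed in {value!r}")
        total += float(number) * _HOURS_PER_UNIT[unit]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty duration")
    return total

def check_org_settings(org):
    """Return findings for a settings dict shaped like one row of the SELECT above."""
    findings = []
    if not org.get("deny_unmatched_requests"):
        findings.append("deny_unmatched_requests is off: Cloudflare-protected hosts "
                        "with no Access application are not blocked")
    if not org.get("mfa_required_for_all_apps"):
        findings.append("mfa_required_for_all_apps is off: apps do not inherit MFA")
    for field, units in (("session_duration", None),
                         ("warp_auth_session_duration", {"m", "h"})):
        try:
            parse_duration_hours(org.get(field, ""), units)
        except ValueError as e:
            findings.append(f"{field}: {e}")
    try:
        seat = parse_duration_hours(org.get("user_seat_expiration_inactive_time", ""))
        if seat < 730:  # stated minimum: 1 month (730h)
            findings.append("user_seat_expiration_inactive_time is below the 730h minimum")
    except ValueError as e:
        findings.append(f"user_seat_expiration_inactive_time: {e}")
    return findings

# Constructed sample row (not real account data) that trips three of the checks.
SAMPLE_ORG = {"deny_unmatched_requests": False, "mfa_required_for_all_apps": True,
              "session_duration": "2h45m", "warp_auth_session_duration": "30s",
              "user_seat_expiration_inactive_time": "700h"}
```

Run it against the row your own SELECT returns before issuing a REPLACE; an empty findings list means every duration parses and the stated minimums and unit restrictions hold.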

INSERT examples

Sets up a Zero Trust organization for your account or zone.

INSERT INTO cloudflare.zero_trust.organizations (
allow_authenticate_via_warp,
auth_domain,
auto_redirect_to_identity,
deny_unmatched_requests,
deny_unmatched_requests_exempted_zone_names,
is_ui_read_only,
login_design,
mfa_config,
mfa_required_for_all_apps,
mfa_ssh_piv_key_requirements,
name,
session_duration,
ui_read_only_toggle_reason,
user_seat_expiration_inactive_time,
warp_auth_session_duration,
account_id
)
SELECT
{{ allow_authenticate_via_warp }},
'{{ auth_domain }}' /* required */,
{{ auto_redirect_to_identity }},
{{ deny_unmatched_requests }},
'{{ deny_unmatched_requests_exempted_zone_names }}',
{{ is_ui_read_only }},
'{{ login_design }}',
'{{ mfa_config }}',
{{ mfa_required_for_all_apps }},
'{{ mfa_ssh_piv_key_requirements }}',
'{{ name }}' /* required */,
'{{ session_duration }}',
'{{ ui_read_only_toggle_reason }}',
'{{ user_seat_expiration_inactive_time }}',
'{{ warp_auth_session_duration }}',
'{{ account_id }}'
RETURNING
errors,
messages,
result,
success
;

REPLACE examples

Updates the configuration for your Zero Trust organization.

REPLACE cloudflare.zero_trust.organizations
SET
allow_authenticate_via_warp = {{ allow_authenticate_via_warp }},
auth_domain = '{{ auth_domain }}',
auto_redirect_to_identity = {{ auto_redirect_to_identity }},
custom_pages = '{{ custom_pages }}',
deny_unmatched_requests = {{ deny_unmatched_requests }},
deny_unmatched_requests_exempted_zone_names = '{{ deny_unmatched_requests_exempted_zone_names }}',
is_ui_read_only = {{ is_ui_read_only }},
login_design = '{{ login_design }}',
mfa_config = '{{ mfa_config }}',
mfa_required_for_all_apps = {{ mfa_required_for_all_apps }},
mfa_ssh_piv_key_requirements = '{{ mfa_ssh_piv_key_requirements }}',
name = '{{ name }}',
session_duration = '{{ session_duration }}',
ui_read_only_toggle_reason = '{{ ui_read_only_toggle_reason }}',
user_seat_expiration_inactive_time = '{{ user_seat_expiration_inactive_time }}',
warp_auth_session_duration = '{{ warp_auth_session_duration }}'
WHERE
account_id = '{{ account_id }}' --required
RETURNING
errors,
messages,
result,
success;

Lifecycle Methods

Revokes a user's access across all applications.

EXEC cloudflare.zero_trust.organizations.revoke_users_by_account
@account_id='{{ account_id }}', --required
@devices={{ devices }}
@@json=
'{
"devices": {{ devices }},
"email": "{{ email }}",
"user_uid": "{{ user_uid }}",
"warp_session_reauth": {{ warp_session_reauth }}
}'
;