Skip to content

Terraform

Get started with API Shield using Terraform from the examples below. For more information on how to use Terraform with Cloudflare, refer to the Terraform documentation.

The following resources are available to configure through Terraform:

Session identifiers

  • api_shield for configuring session identifiers in API Shield.

Endpoint Management

  • api_shield_operation for configuring endpoints in Endpoint Management.

Schema Validation 2.0

Manage API Shield session identifiers

Refer to the example configuration below to set up session identifiers on your zone.

Example configuration
resource "cloudflare_api_shield" "my_api_shield" {
zone_id = var.zone_id
auth_id_characteristics {
name = "authorization"
type = "header"
}
}

Manage API Shield Endpoint Management

Refer to the example configuration below to manage endpoints on your zone.

Example configuration
resource "cloudflare_api_shield_operation" "get_image" {
zone_id = var.zone_id
method = "GET"
host = "example.com"
endpoint = "/api/images/{var1}"
}
resource "cloudflare_api_shield_operation" "post_image" {
zone_id = var.zone_id
method = "POST"
host = "example.com"
endpoint = "/api/images/{var1}"
}

Manage Schema Validation 2.0

Refer to the example configuration below to manage Schema Validation 2.0 on your zone.

Example configuration
# Schema that should be used for schema validation 2.0
resource "cloudflare_api_shield_schema" "example_schema" {
zone_id = var.zone_id
name = "example-schema"
kind = "openapi_v3"
validation_enabled = true
source = file("./schemas/example-schema.json")
}
# Block all requests that violate schema by default
resource "cloudflare_api_shield_schema_validation_settings" "zone_level_settings" {
zone_id = var.zone_id
validation_default_mitigation_action = "block"
}
# For endpoint post_image - only log requests that violate schema
resource "cloudflare_api_shield_operation_schema_validation_settings" "post_image_log_only" {
zone_id = var.zone_id
operation_id = cloudflare_api_shield_operation.post_image.id
mitigation_action = "log"
}