Manage API Shield with Terraform
Get started with API Shield using Terraform from the examples below. For more information on how to use Terraform with Cloudflare, refer to the Terraform documentation.
The following resources are available to configure through Terraform:
Session identifiers
api_shield
for configuring session identifiers in API Shield.
Endpoint Management
api_shield_operation
for configuring endpoints in Endpoint Management.
Schema Validation 2.0
api_shield_schema
for configuring a schema in Schema Validation 2.0.api_shield_schema_validation_settings
for configuring zone-level Schema Validation 2.0 settings.api_shield_operation_schema_validation_settings
for configuring operation-level Schema Validation 2.0 settings.
Manage API Shield session identifiers
Refer to the example configuration below to set up session identifiers on your zone.
Example configurationresource "cloudflare_api_shield" "my_api_shield" { zone_id = var.zone_id auth_id_characteristics { name = "authorization" type = "header" }
}
Manage API Shield Endpoint Management
Refer to the example configuration below to manage endpoints on your zone.
Example configurationresource "cloudflare_api_shield_operation" "get_image" { zone_id = var.zone_id method = "GET" host = "example.com" endpoint = "/api/images/{var1}"
} resource "cloudflare_api_shield_operation" "post_image" { zone_id = var.zone_id method = "POST" host = "example.com" endpoint = "/api/images/{var1}"
}
Manage Schema Validation 2.0
Refer to the example configuration below to manage Schema Validation 2.0 on your zone.
Example configuration# Schema that should be used for schema validation 2.0
resource "cloudflare_api_shield_schema" "example_schema" { zone_id = var.zone_id name = "example-schema" kind = "openapi_v3" validation_enabled = true source = file("./schemas/example-schema.json")} # Block all requests that violate schema by default
resource "cloudflare_api_shield_schema_validation_settings" "zone_level_settings" { zone_id = var.zone_id validation_default_mitigation_action = "block"
} # For endpoint post_image - only log requests that violate schema
resource "cloudflare_api_shield_operation_schema_validation_settings" "post_image_log_only" { zone_id = var.zone_id operation_id = cloudflare_api_shield_operation.post_image.id mitigation_action = "log"
}