Cloudflare v6.1.1, Apr 21 25

Cloudflare v6.1.1 published on Monday, Apr 21, 2025 by Pulumi

cloudflare.TunnelConfig

Explore with Pulumi AI

Cloudflare v6.1.1 published on Monday, Apr 21, 2025 by Pulumi

Example Usage

Coming soon!

Coming soon!

Coming soon!

Coming soon!

Coming soon!

resources:
  exampleZeroTrustTunnelCloudflaredConfig:
    type: cloudflare:ZeroTrustTunnelCloudflaredConfig
    name: example_zero_trust_tunnel_cloudflared_config
    properties:
      accountId: 023e105f4ecef8ad9ca31a8372d0c353
      tunnelId: f70ff985-a4ef-4643-bbbc-4a0ed4fc8415
      config:
        ingress:
          - hostname: tunnel.example.com
            service: https://localhost:8001
            originRequest:
              access:
                audTag:
                  - string
                teamName: teamName
                required: true
              caPool: caPool
              connectTimeout: 0
              disableChunkedEncoding: true
              http2Origin: true
              httpHostHeader: httpHostHeader
              keepAliveConnections: 0
              keepAliveTimeout: 0
              noHappyEyeballs: true
              noTlsVerify: true
              originServerName: originServerName
              proxyType: proxyType
              tcpKeepAlive: 0
              tlsTimeout: 0
            path: subpath
        origin_request:
          access:
            audTag:
              - string
            teamName: teamName
            required: true
          caPool: caPool
          connectTimeout: 0
          disableChunkedEncoding: true
          http2Origin: true
          httpHostHeader: httpHostHeader
          keepAliveConnections: 0
          keepAliveTimeout: 0
          noHappyEyeballs: true
          noTlsVerify: true
          originServerName: originServerName
          proxyType: proxyType
          tcpKeepAlive: 0
          tlsTimeout: 0

Create TunnelConfig Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new TunnelConfig(name: string, args: TunnelConfigArgs, opts?: CustomResourceOptions);

@overload
def TunnelConfig(resource_name: str,
                 args: TunnelConfigArgs,
                 opts: Optional[ResourceOptions] = None)

@overload
def TunnelConfig(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 account_id: Optional[str] = None,
                 config: Optional[TunnelConfigConfigArgs] = None,
                 source: Optional[str] = None,
                 tunnel_id: Optional[str] = None)

func NewTunnelConfig(ctx *Context, name string, args TunnelConfigArgs, opts ...ResourceOption) (*TunnelConfig, error)

public TunnelConfig(string name, TunnelConfigArgs args, CustomResourceOptions? opts = null)

public TunnelConfig(String name, TunnelConfigArgs args)
public TunnelConfig(String name, TunnelConfigArgs args, CustomResourceOptions options)

type: cloudflare:TunnelConfig
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args TunnelConfigArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args TunnelConfigArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args TunnelConfigArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args TunnelConfigArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args TunnelConfigArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

TunnelConfig Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The TunnelConfig resource accepts the following input properties:

AccountId string: Identifier.
TunnelId string: UUID of the tunnel.
Config TunnelConfigConfig: The tunnel configuration and ingress rules.
Source string: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".

AccountId string: Identifier.
TunnelId string: UUID of the tunnel.
Config TunnelConfigConfigArgs: The tunnel configuration and ingress rules.
Source string: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".

accountId String: Identifier.
tunnelId String: UUID of the tunnel.
config TunnelConfigConfig: The tunnel configuration and ingress rules.
source String: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".

accountId string: Identifier.
tunnelId string: UUID of the tunnel.
config TunnelConfigConfig: The tunnel configuration and ingress rules.
source string: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".

account_id str: Identifier.
tunnel_id str: UUID of the tunnel.
config TunnelConfigConfigArgs: The tunnel configuration and ingress rules.
source str: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".

accountId String: Identifier.
tunnelId String: UUID of the tunnel.
config Property Map: The tunnel configuration and ingress rules.
source String: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".

Outputs

All input properties are implicitly available as output properties. Additionally, the TunnelConfig resource produces the following output properties:

CreatedAt string
Id string: The provider-assigned unique ID for this managed resource.
Version int: The version of the Tunnel Configuration.

CreatedAt string
Id string: The provider-assigned unique ID for this managed resource.
Version int: The version of the Tunnel Configuration.

createdAt String
id String: The provider-assigned unique ID for this managed resource.
version Integer: The version of the Tunnel Configuration.

createdAt string
id string: The provider-assigned unique ID for this managed resource.
version number: The version of the Tunnel Configuration.

created_at str
id str: The provider-assigned unique ID for this managed resource.
version int: The version of the Tunnel Configuration.

createdAt String
id String: The provider-assigned unique ID for this managed resource.
version Number: The version of the Tunnel Configuration.

Look up Existing TunnelConfig Resource

Get an existing TunnelConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: TunnelConfigState, opts?: CustomResourceOptions): TunnelConfig

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_id: Optional[str] = None,
        config: Optional[TunnelConfigConfigArgs] = None,
        created_at: Optional[str] = None,
        source: Optional[str] = None,
        tunnel_id: Optional[str] = None,
        version: Optional[int] = None) -> TunnelConfig

func GetTunnelConfig(ctx *Context, name string, id IDInput, state *TunnelConfigState, opts ...ResourceOption) (*TunnelConfig, error)

public static TunnelConfig Get(string name, Input<string> id, TunnelConfigState? state, CustomResourceOptions? opts = null)

public static TunnelConfig get(String name, Output<String> id, TunnelConfigState state, CustomResourceOptions options)

resources:  _:    type: cloudflare:TunnelConfig    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountId string: Identifier.
Config TunnelConfigConfig: The tunnel configuration and ingress rules.
CreatedAt string
Source string: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".
TunnelId string: UUID of the tunnel.
Version int: The version of the Tunnel Configuration.

AccountId string: Identifier.
Config TunnelConfigConfigArgs: The tunnel configuration and ingress rules.
CreatedAt string
Source string: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".
TunnelId string: UUID of the tunnel.
Version int: The version of the Tunnel Configuration.

accountId String: Identifier.
config TunnelConfigConfig: The tunnel configuration and ingress rules.
createdAt String
source String: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".
tunnelId String: UUID of the tunnel.
version Integer: The version of the Tunnel Configuration.

accountId string: Identifier.
config TunnelConfigConfig: The tunnel configuration and ingress rules.
createdAt string
source string: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".
tunnelId string: UUID of the tunnel.
version number: The version of the Tunnel Configuration.

account_id str: Identifier.
config TunnelConfigConfigArgs: The tunnel configuration and ingress rules.
created_at str
source str: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".
tunnel_id str: UUID of the tunnel.
version int: The version of the Tunnel Configuration.

accountId String: Identifier.
config Property Map: The tunnel configuration and ingress rules.
createdAt String
source String: Indicates if this is a locally or remotely configured tunnel. If local, manage the tunnel using a YAML file on the origin machine. If cloudflare, manage the tunnel's configuration on the Zero Trust dashboard. Available values: "local", "cloudflare".
tunnelId String: UUID of the tunnel.
version Number: The version of the Tunnel Configuration.

Supporting Types

TunnelConfigConfig, TunnelConfigConfigArgs

Ingresses List<TunnelConfigConfigIngress>: List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
OriginRequest TunnelConfigConfigOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
WarpRouting TunnelConfigConfigWarpRouting: Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

Ingresses []TunnelConfigConfigIngress: List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
OriginRequest TunnelConfigConfigOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
WarpRouting TunnelConfigConfigWarpRouting: Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

ingresses List<TunnelConfigConfigIngress>: List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
originRequest TunnelConfigConfigOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
warpRouting TunnelConfigConfigWarpRouting: Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

ingresses TunnelConfigConfigIngress[]: List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
originRequest TunnelConfigConfigOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
warpRouting TunnelConfigConfigWarpRouting: Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

ingresses Sequence[TunnelConfigConfigIngress]: List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
origin_request TunnelConfigConfigOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
warp_routing TunnelConfigConfigWarpRouting: Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

ingresses List<Property Map>: List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
originRequest Property Map: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
warpRouting Property Map: Enable private network access from WARP users to private network routes. This is enabled if the tunnel has an assigned route.

TunnelConfigConfigIngress, TunnelConfigConfigIngressArgs

Service string: Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code httpstatus:[code] e.g. 'httpstatus:404'.
Hostname string: Public hostname for this service.
OriginRequest TunnelConfigConfigIngressOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
Path string: Requests with this path route to this public hostname.

Service string: Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code httpstatus:[code] e.g. 'httpstatus:404'.
Hostname string: Public hostname for this service.
OriginRequest TunnelConfigConfigIngressOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
Path string: Requests with this path route to this public hostname.

service String: Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code httpstatus:[code] e.g. 'httpstatus:404'.
hostname String: Public hostname for this service.
originRequest TunnelConfigConfigIngressOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
path String: Requests with this path route to this public hostname.

service string: Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code httpstatus:[code] e.g. 'httpstatus:404'.
hostname string: Public hostname for this service.
originRequest TunnelConfigConfigIngressOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
path string: Requests with this path route to this public hostname.

service str: Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code httpstatus:[code] e.g. 'httpstatus:404'.
hostname str: Public hostname for this service.
origin_request TunnelConfigConfigIngressOriginRequest: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
path str: Requests with this path route to this public hostname.

service String: Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code httpstatus:[code] e.g. 'httpstatus:404'.
hostname String: Public hostname for this service.
originRequest Property Map: Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
path String: Requests with this path route to this public hostname.

TunnelConfigConfigIngressOriginRequest, TunnelConfigConfigIngressOriginRequestArgs

Access TunnelConfigConfigIngressOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
CaPool string: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
ConnectTimeout int: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
DisableChunkedEncoding bool: Disables chunked transfer encoding. Useful if you are running a WSGI server.
Http2Origin bool: Attempt to connect to origin using HTTP2. Origin must be configured as https.
HttpHostHeader string: Sets the HTTP Host header on requests sent to the local service.
KeepAliveConnections int: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
KeepAliveTimeout int: Timeout after which an idle keepalive connection can be discarded.
NoHappyEyeballs bool: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
NoTlsVerify bool: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
OriginServerName string: Hostname that cloudflared should expect from your origin server certificate.
ProxyType string: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
TcpKeepAlive int: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
TlsTimeout int: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

Access TunnelConfigConfigIngressOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
CaPool string: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
ConnectTimeout int: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
DisableChunkedEncoding bool: Disables chunked transfer encoding. Useful if you are running a WSGI server.
Http2Origin bool: Attempt to connect to origin using HTTP2. Origin must be configured as https.
HttpHostHeader string: Sets the HTTP Host header on requests sent to the local service.
KeepAliveConnections int: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
KeepAliveTimeout int: Timeout after which an idle keepalive connection can be discarded.
NoHappyEyeballs bool: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
NoTlsVerify bool: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
OriginServerName string: Hostname that cloudflared should expect from your origin server certificate.
ProxyType string: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
TcpKeepAlive int: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
TlsTimeout int: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access TunnelConfigConfigIngressOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
caPool String: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connectTimeout Integer: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disableChunkedEncoding Boolean: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2Origin Boolean: Attempt to connect to origin using HTTP2. Origin must be configured as https.
httpHostHeader String: Sets the HTTP Host header on requests sent to the local service.
keepAliveConnections Integer: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keepAliveTimeout Integer: Timeout after which an idle keepalive connection can be discarded.
noHappyEyeballs Boolean: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
noTlsVerify Boolean: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
originServerName String: Hostname that cloudflared should expect from your origin server certificate.
proxyType String: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcpKeepAlive Integer: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tlsTimeout Integer: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access TunnelConfigConfigIngressOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
caPool string: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connectTimeout number: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disableChunkedEncoding boolean: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2Origin boolean: Attempt to connect to origin using HTTP2. Origin must be configured as https.
httpHostHeader string: Sets the HTTP Host header on requests sent to the local service.
keepAliveConnections number: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keepAliveTimeout number: Timeout after which an idle keepalive connection can be discarded.
noHappyEyeballs boolean: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
noTlsVerify boolean: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
originServerName string: Hostname that cloudflared should expect from your origin server certificate.
proxyType string: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcpKeepAlive number: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tlsTimeout number: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access TunnelConfigConfigIngressOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
ca_pool str: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connect_timeout int: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disable_chunked_encoding bool: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2_origin bool: Attempt to connect to origin using HTTP2. Origin must be configured as https.
http_host_header str: Sets the HTTP Host header on requests sent to the local service.
keep_alive_connections int: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keep_alive_timeout int: Timeout after which an idle keepalive connection can be discarded.
no_happy_eyeballs bool: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
no_tls_verify bool: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
origin_server_name str: Hostname that cloudflared should expect from your origin server certificate.
proxy_type str: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcp_keep_alive int: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tls_timeout int: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access Property Map: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
caPool String: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connectTimeout Number: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disableChunkedEncoding Boolean: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2Origin Boolean: Attempt to connect to origin using HTTP2. Origin must be configured as https.
httpHostHeader String: Sets the HTTP Host header on requests sent to the local service.
keepAliveConnections Number: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keepAliveTimeout Number: Timeout after which an idle keepalive connection can be discarded.
noHappyEyeballs Boolean: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
noTlsVerify Boolean: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
originServerName String: Hostname that cloudflared should expect from your origin server certificate.
proxyType String: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcpKeepAlive Number: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tlsTimeout Number: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

TunnelConfigConfigIngressOriginRequestAccess, TunnelConfigConfigIngressOriginRequestAccessArgs

AudTags List<string>: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
Required bool: Deny traffic that has not fulfilled Access authorization.
TeamName string

AudTags []string: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
Required bool: Deny traffic that has not fulfilled Access authorization.
TeamName string

audTags List<String>: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required Boolean: Deny traffic that has not fulfilled Access authorization.
teamName String

audTags string[]: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required boolean: Deny traffic that has not fulfilled Access authorization.
teamName string

aud_tags Sequence[str]: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required bool: Deny traffic that has not fulfilled Access authorization.
team_name str

audTags List<String>: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required Boolean: Deny traffic that has not fulfilled Access authorization.
teamName String

TunnelConfigConfigOriginRequest, TunnelConfigConfigOriginRequestArgs

Access TunnelConfigConfigOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
CaPool string: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
ConnectTimeout int: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
DisableChunkedEncoding bool: Disables chunked transfer encoding. Useful if you are running a WSGI server.
Http2Origin bool: Attempt to connect to origin using HTTP2. Origin must be configured as https.
HttpHostHeader string: Sets the HTTP Host header on requests sent to the local service.
KeepAliveConnections int: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
KeepAliveTimeout int: Timeout after which an idle keepalive connection can be discarded.
NoHappyEyeballs bool: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
NoTlsVerify bool: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
OriginServerName string: Hostname that cloudflared should expect from your origin server certificate.
ProxyType string: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
TcpKeepAlive int: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
TlsTimeout int: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

Access TunnelConfigConfigOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
CaPool string: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
ConnectTimeout int: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
DisableChunkedEncoding bool: Disables chunked transfer encoding. Useful if you are running a WSGI server.
Http2Origin bool: Attempt to connect to origin using HTTP2. Origin must be configured as https.
HttpHostHeader string: Sets the HTTP Host header on requests sent to the local service.
KeepAliveConnections int: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
KeepAliveTimeout int: Timeout after which an idle keepalive connection can be discarded.
NoHappyEyeballs bool: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
NoTlsVerify bool: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
OriginServerName string: Hostname that cloudflared should expect from your origin server certificate.
ProxyType string: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
TcpKeepAlive int: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
TlsTimeout int: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access TunnelConfigConfigOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
caPool String: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connectTimeout Integer: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disableChunkedEncoding Boolean: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2Origin Boolean: Attempt to connect to origin using HTTP2. Origin must be configured as https.
httpHostHeader String: Sets the HTTP Host header on requests sent to the local service.
keepAliveConnections Integer: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keepAliveTimeout Integer: Timeout after which an idle keepalive connection can be discarded.
noHappyEyeballs Boolean: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
noTlsVerify Boolean: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
originServerName String: Hostname that cloudflared should expect from your origin server certificate.
proxyType String: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcpKeepAlive Integer: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tlsTimeout Integer: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access TunnelConfigConfigOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
caPool string: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connectTimeout number: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disableChunkedEncoding boolean: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2Origin boolean: Attempt to connect to origin using HTTP2. Origin must be configured as https.
httpHostHeader string: Sets the HTTP Host header on requests sent to the local service.
keepAliveConnections number: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keepAliveTimeout number: Timeout after which an idle keepalive connection can be discarded.
noHappyEyeballs boolean: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
noTlsVerify boolean: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
originServerName string: Hostname that cloudflared should expect from your origin server certificate.
proxyType string: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcpKeepAlive number: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tlsTimeout number: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access TunnelConfigConfigOriginRequestAccess: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
ca_pool str: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connect_timeout int: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disable_chunked_encoding bool: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2_origin bool: Attempt to connect to origin using HTTP2. Origin must be configured as https.
http_host_header str: Sets the HTTP Host header on requests sent to the local service.
keep_alive_connections int: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keep_alive_timeout int: Timeout after which an idle keepalive connection can be discarded.
no_happy_eyeballs bool: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
no_tls_verify bool: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
origin_server_name str: Hostname that cloudflared should expect from your origin server certificate.
proxy_type str: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcp_keep_alive int: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tls_timeout int: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

access Property Map: For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header.
caPool String: Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
connectTimeout Number: Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.
disableChunkedEncoding Boolean: Disables chunked transfer encoding. Useful if you are running a WSGI server.
http2Origin Boolean: Attempt to connect to origin using HTTP2. Origin must be configured as https.
httpHostHeader String: Sets the HTTP Host header on requests sent to the local service.
keepAliveConnections Number: Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
keepAliveTimeout Number: Timeout after which an idle keepalive connection can be discarded.
noHappyEyeballs Boolean: Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
noTlsVerify Boolean: Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.
originServerName String: Hostname that cloudflared should expect from your origin server certificate.
proxyType String: cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy.
tcpKeepAlive Number: The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
tlsTimeout Number: Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

TunnelConfigConfigOriginRequestAccess, TunnelConfigConfigOriginRequestAccessArgs

AudTags List<string>: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
Required bool: Deny traffic that has not fulfilled Access authorization.
TeamName string

AudTags []string: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
Required bool: Deny traffic that has not fulfilled Access authorization.
TeamName string

audTags List<String>: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required Boolean: Deny traffic that has not fulfilled Access authorization.
teamName String

audTags string[]: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required boolean: Deny traffic that has not fulfilled Access authorization.
teamName string

aud_tags Sequence[str]: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required bool: Deny traffic that has not fulfilled Access authorization.
team_name str

audTags List<String>: Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
required Boolean: Deny traffic that has not fulfilled Access authorization.
teamName String

TunnelConfigConfigWarpRouting, TunnelConfigConfigWarpRoutingArgs

Enabled bool

Enabled bool

enabled Boolean

enabled boolean

enabled bool

enabled Boolean

Import

$ pulumi import cloudflare:index/tunnelConfig:TunnelConfig example '<account_id>/<tunnel_id>'

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Cloudflare pulumi/pulumi-cloudflare
License: Apache-2.0
Notes: This Pulumi package is based on the cloudflare Terraform Provider.

Cloudflare v6.1.1 published on Monday, Apr 21, 2025 by Pulumi

pulumi/pulumi-cloudflare

cloudflare.TunnelConfig

On this page

On this page

Example Usage

Create TunnelConfig Resource

Constructor syntax

Parameters

TunnelConfig Resource Properties

Inputs

Outputs

Look up Existing TunnelConfig Resource

Supporting Types

TunnelConfigConfig, TunnelConfigConfigArgs

TunnelConfigConfigIngress, TunnelConfigConfigIngressArgs

TunnelConfigConfigIngressOriginRequest, TunnelConfigConfigIngressOriginRequestArgs

TunnelConfigConfigIngressOriginRequestAccess, TunnelConfigConfigIngressOriginRequestAccessArgs

TunnelConfigConfigOriginRequest, TunnelConfigConfigOriginRequestArgs

TunnelConfigConfigOriginRequestAccess, TunnelConfigConfigOriginRequestAccessArgs

TunnelConfigConfigWarpRouting, TunnelConfigConfigWarpRoutingArgs

Import

Package Details

On this page

On this page