
AccessApplication

Source: src/Cloudflare/Access/Application.ts

A Cloudflare Zero Trust Access application.

Replaces the curl-based POST /accounts/{accountId}/access/apps workflow with an Alchemy-managed resource. Supports every Cloudflare application type including warp, which Cloudflare requires for device enrolment via the WARP client.

Access policies are authored as standalone `AccessPolicy` resources and referenced here by ID; inline policies are not supported.

// Example: a self-hosted application gated by a single reusable allow policy.
//
// The rule below matches on e-mail domain only. Neither this policy nor the
// application names an identity provider, so the "via Google" in the policy
// name is not enforced by anything in this snippet.
// NOTE(review): if Google login is meant to be required, pin the IdP with
// `allowedIdps` on the application — confirm intent.
const orgPolicy = yield* Cloudflare.AccessPolicy("AllowMyOrg", {
  name: "Allow example.com via Google",
  decision: "allow",
  include: [
    {
      emailDomain: { domain: "example.com" },
    },
  ],
});

// Policies are attached by id; the application carries no inline rules.
const dashboardApp = yield* Cloudflare.AccessApplication("InternalDashboard", {
  type: "self_hosted",
  domain: "dashboard.example.com",
  // Explicit session length for this application.
  sessionDuration: "24h",
  policies: [orgPolicy.policyId],
});
// Example: the WARP device-enrolment application.
//
// An account can hold only ONE warp application. Cloudflare derives its
// domain automatically (`${authDomain}/warp`), so `domain` must not be passed
// for this type.
//
// This policy decides who may enrol a device: here, any identity whose e-mail
// is in example.com.
const corpPolicy = yield* Cloudflare.AccessPolicy("AllowCorpUsers", {
  name: "Allow corp users",
  decision: "allow",
  include: [
    {
      emailDomain: { domain: "example.com" },
    },
  ],
});

// `googleIdpId` is not defined in this snippet.
// NOTE(review): presumably the id of an identity provider configured
// elsewhere — confirm.
const warpEnrollment = yield* Cloudflare.AccessApplication("warp-login", {
  type: "warp",
  // One allowed IdP plus auto-redirect sends users straight to that provider
  // instead of showing an IdP chooser.
  allowedIdps: [googleIdpId],
  autoRedirectToIdentity: true,
  // 720h is 30 days.
  // NOTE(review): check this against how quickly access must lapse after
  // offboarding.
  sessionDuration: "720h",
  policies: [corpPolicy.policyId],
});
// Example: an admin console restricted through a `gsuite` rule tied to one
// identity provider.
//
// The rule pairs an e-mail address with `identityProviderId`.
// NOTE(review): in Cloudflare Access this rule type presumably matches
// membership of the Google Workspace group with that address, as reported by
// the referenced IdP — confirm against the AccessPolicy docs.
// `googleIdpUuid` is not defined in this snippet.
const adminPolicy = yield* Cloudflare.AccessPolicy("AdminsOnly", {
  name: "Admins only",
  decision: "allow",
  include: [
    {
      gsuite: { email: "admins@example.com", identityProviderId: googleIdpUuid },
    },
  ],
});

// The application allows only the IdP that the policy rule evaluates against,
// and auto-redirect skips the IdP chooser.
// No `sessionDuration` is set here, so whatever default applies is used.
// NOTE(review): consider an explicit, short value for an admin surface.
const adminApp = yield* Cloudflare.AccessApplication("AdminConsole", {
  type: "self_hosted",
  domain: "admin.example.com",
  allowedIdps: [googleIdpUuid],
  autoRedirectToIdentity: true,
  policies: [adminPolicy.policyId],
});