AccessPolicy

Source: src/Cloudflare/Access/Policy.ts

A reusable, account-scoped Cloudflare Access policy. Distinct from the inline policies attached directly to an AccessApplication — a reusable policy can be referenced by multiple applications by id.

Creating a Policy

Allow a single email domain

const policy = yield* Cloudflare.AccessPolicy("AllowExampleDomain", {
  decision: "allow",
  include: [{ emailDomain: { domain: "example.com" } }],
});

Allow everyone but require purpose justification

const policy = yield* Cloudflare.AccessPolicy("OpenWithJustification", {
  decision: "allow",
  include: [{ everyone: {} }],
  purposeJustificationRequired: true,
  sessionDuration: "12h",
});

Combining rule groups

const policy = yield* Cloudflare.AccessPolicy("EngineersExceptInterns", {
  decision: "allow",
  include: [{ emailDomain: { domain: "example.com" } }],
  exclude: [{ email: { email: "intern@example.com" } }],
  require: [{ geo: { countryCode: "US" } }],
});