Cloudflare Docs
API Shield

Manage API Shield with Terraform

Use the examples below to get started with managing API Shield through Terraform. For more information on how to use Terraform with Cloudflare, refer to the Terraform documentation.

The following resources are available to configure through Terraform:

Session identifiers

Endpoint Management

Schema Validation 2.0

Manage API Shield session identifiers

Refer to the example configuration below to set up session identifiers on your zone.

Example configuration
# Use the value of the Authorization request header as the session identifier
resource "cloudflare_api_shield" "my_api_shield" {
  zone_id = var.zone_id
  auth_id_characteristics {
    name = "authorization"
    type = "header"
  }
}

Manage API Shield Endpoint Management

Refer to the example configuration below to manage endpoints on your zone.

Example configuration
# One resource per operation: a method, host and endpoint path
resource "cloudflare_api_shield_operation" "get_image" {
  zone_id  = var.zone_id
  method   = "GET"
  host     = "example.com"
  endpoint = "/api/images/{var1}"
}

resource "cloudflare_api_shield_operation" "post_image" {
  zone_id  = var.zone_id
  method   = "POST"
  host     = "example.com"
  endpoint = "/api/images/{var1}"
}

Manage Schema Validation 2.0

Refer to the example configuration below to manage Schema Validation 2.0 on your zone.

Example configuration
# Schema that should be used for schema validation 2.0
resource "cloudflare_api_shield_schema" "example_schema" {
  zone_id            = var.zone_id
  name               = "example-schema"
  kind               = "openapi_v3"
  validation_enabled = true
  source             = file("./schemas/example-schema.json")
}

# Block all requests that violate schema by default
resource "cloudflare_api_shield_schema_validation_settings" "zone_level_settings" {
  zone_id                              = var.zone_id
  validation_default_mitigation_action = "block"
}

# For endpoint post_image - only log requests that violate schema
resource "cloudflare_api_shield_operation_schema_validation_settings" "post_image_log_only" {
  zone_id           = var.zone_id
  operation_id      = cloudflare_api_shield_operation.post_image.id
  mitigation_action = "log"
}
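
The following pre-apply check is an added example, not part of Cloudflare's documentation: it reports which operations declared in the Endpoint Management example have no matching method, host and path in the OpenAPI schema, so a gap is visible before the zone default is set to `block`. The schema content is constructed for illustration, and the script assumes the schema carries host and base path in `servers` and that path placeholders are compared by position rather than by name.

```python
import json
import re

# Constructed sample standing in for ./schemas/example-schema.json
# (illustrative content, not the page's or Cloudflare's schema).
SAMPLE_SCHEMA = json.loads("""{
  "openapi": "3.0.0",
  "info": {"title": "images", "version": "1.0"},
  "servers": [{"url": "https://example.com/api"}],
  "paths": {"/images/{imageId}": {"get": {"responses": {"200": {"description": "ok"}}}}}
}""")

# The two operations from the Endpoint Management example above.
OPERATIONS = [
    {"method": "GET", "host": "example.com", "endpoint": "/api/images/{var1}"},
    {"method": "POST", "host": "example.com", "endpoint": "/api/images/{var1}"},
]

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def normalize(path):
    """Replace each {name} with its position, so {imageId} and {var1} compare equal."""
    counter = iter(range(1, 1000))
    return re.sub(r"\{[^/{}]+\}", lambda _: "{%d}" % next(counter), path.rstrip("/"))


def schema_operations(schema):
    """Yield (METHOD, host, normalized path) for every operation in the schema."""
    for server in schema.get("servers", []):
        match = re.match(r"https?://([^/]+)(/.*)?$", server["url"])
        if not match:
            continue  # relative or templated server URL: nothing to compare
        host, base = match.group(1), (match.group(2) or "").rstrip("/")
        for path, item in schema.get("paths", {}).items():
            for method in item:
                if method in HTTP_METHODS:  # skip keys such as "parameters"
                    yield method.upper(), host, normalize(base + path)


def uncovered(operations, schema):
    """Return the operations with no matching method/host/path in the schema."""
    known = set(schema_operations(schema))
    return [op for op in operations
            if (op["method"], op["host"], normalize(op["endpoint"])) not in known]


if __name__ == "__main__":
    for op in uncovered(OPERATIONS, SAMPLE_SCHEMA):
        print("not described by schema:", op["method"], op["host"], op["endpoint"])
```

With the constructed schema, only the `POST` operation is reported, because the sample describes `GET` alone.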