Skip to content

Application

Source: src/Cloudflare/Access/Application.ts

A Cloudflare Zero Trust Access application.

Replaces the curl-based POST /accounts/{accountId}/access/apps workflow with an Alchemy-managed resource. Supports every Cloudflare application type including warp, which Cloudflare requires for device enrolment via the WARP client.

Access policies are authored as standalone Policy resources and referenced here by id — there is no inline-policy support.

const allowMyOrg = yield* Cloudflare.Access.Policy("AllowMyOrg", {
name: "Allow example.com via Google",
decision: "allow",
include: [{ emailDomain: { domain: "example.com" } }],
});
const app = yield* Cloudflare.Access.Application("InternalDashboard", {
type: "self_hosted",
domain: "dashboard.example.com",
sessionDuration: "24h",
policies: [allowMyOrg.policyId],
});
// There can only be ONE warp app per account; Cloudflare auto-derives the
// domain (`${authDomain}/warp`) so do not pass `domain` for this type.
const allowCorp = yield* Cloudflare.Access.Policy("AllowCorpUsers", {
name: "Allow corp users",
decision: "allow",
include: [{ emailDomain: { domain: "example.com" } }],
});
const enroll = yield* Cloudflare.Access.Application("warp-login", {
type: "warp",
allowedIdps: [googleIdpId],
autoRedirectToIdentity: true,
sessionDuration: "720h",
policies: [allowCorp.policyId],
});
const admins = yield* Cloudflare.Access.Policy("AdminsOnly", {
name: "Admins only",
decision: "allow",
include: [
{
gsuite: {
email: "admins@example.com",
identityProviderId: googleIdpUuid,
},
},
],
});
const app = yield* Cloudflare.Access.Application("AdminConsole", {
type: "self_hosted",
domain: "admin.example.com",
allowedIdps: [googleIdpUuid],
autoRedirectToIdentity: true,
policies: [admins.policyId],
});