Application
Source:
src/Cloudflare/Access/Application.ts
A Cloudflare Zero Trust Access application.
Replaces the curl-based POST /accounts/{accountId}/access/apps workflow
with an Alchemy-managed resource. Supports every Cloudflare application
type including warp, which Cloudflare requires for device enrolment via
the WARP client.
Access policies are authored as standalone Policy resources
and referenced here by id — there is no inline-policy support.
Creating an Application
Section titled “Creating an Application”const allowMyOrg = yield* Cloudflare.Access.Policy("AllowMyOrg", { name: "Allow example.com via Google", decision: "allow", include: [{ emailDomain: { domain: "example.com" } }],});
const app = yield* Cloudflare.Access.Application("InternalDashboard", { type: "self_hosted", domain: "dashboard.example.com", sessionDuration: "24h", policies: [allowMyOrg.policyId],});Device-enrollment (warp)
Section titled “Device-enrollment (warp)”// There can only be ONE warp app per account; Cloudflare auto-derives the// domain (`${authDomain}/warp`) so do not pass `domain` for this type.const allowCorp = yield* Cloudflare.Access.Policy("AllowCorpUsers", { name: "Allow corp users", decision: "allow", include: [{ emailDomain: { domain: "example.com" } }],});
const enroll = yield* Cloudflare.Access.Application("warp-login", { type: "warp", allowedIdps: [googleIdpId], autoRedirectToIdentity: true, sessionDuration: "720h", policies: [allowCorp.policyId],});Self-hosted with Google IdP
Section titled “Self-hosted with Google IdP”const admins = yield* Cloudflare.Access.Policy("AdminsOnly", { name: "Admins only", decision: "allow", include: [ { gsuite: { email: "admins@example.com", identityProviderId: googleIdpUuid, }, }, ],});
const app = yield* Cloudflare.Access.Application("AdminConsole", { type: "self_hosted", domain: "admin.example.com", allowedIdps: [googleIdpUuid], autoRedirectToIdentity: true, policies: [admins.policyId],});