A Cloudflare Access group is a reusable bundle of include / exclude / require rules that can be referenced by AccessPolicy resources.
Email Domain Allowlist
Section titled “Email Domain Allowlist”import { AccessGroup } from "alchemy/cloudflare";
const engineering = await AccessGroup("engineering", { name: "Engineering", include: [{ email_domain: { domain: "acme.com" } }],});Nested Groups via the group Rule
Section titled “Nested Groups via the group Rule”Groups can reference other groups, and the lifted string | AccessGroup type lets you pass the resource directly.
const admins = await AccessGroup("admins", { name: "Admins", include: [{ email: { email: "alice@acme.com" } }],});
const engineeringPlusAdmins = await AccessGroup("eng-plus-admins", { name: "Engineering + Admins", include: [ { email_domain: { domain: "acme.com" } }, { group: { id: admins } }, ],});Default Group
Section titled “Default Group”Mark a group as the account default — it applies to every Access application unless overridden.
const defaultEmployees = await AccessGroup("default-employees", { name: "All Employees", include: [{ email_domain: { domain: "acme.com" } }], isDefault: true,});Rule Reference
Section titled “Rule Reference”The include, exclude, and require arrays accept any AccessRule — see the AccessPolicy page for the full catalog.