Skip to content
GitHubXDiscordRSS

AccessGroup

Define reusable rule sets for Cloudflare Zero Trust Access policies.

A Cloudflare Access group is a reusable bundle of include / exclude / require rules that can be referenced by AccessPolicy resources.

import { AccessGroup } from "alchemy/cloudflare";
const engineering = await AccessGroup("engineering", {
name: "Engineering",
include: [{ email_domain: { domain: "acme.com" } }],
});

Groups can reference other groups, and the lifted string | AccessGroup type lets you pass the resource directly.

const admins = await AccessGroup("admins", {
name: "Admins",
include: [{ email: { email: "alice@acme.com" } }],
});
const engineeringPlusAdmins = await AccessGroup("eng-plus-admins", {
name: "Engineering + Admins",
include: [
{ email_domain: { domain: "acme.com" } },
{ group: { id: admins } },
],
});

Mark a group as the account default — it applies to every Access application unless overridden.

const defaultEmployees = await AccessGroup("default-employees", {
name: "All Employees",
include: [{ email_domain: { domain: "acme.com" } }],
isDefault: true,
});

The include, exclude, and require arrays accept any AccessRule — see the AccessPolicy page for the full catalog.