Update Traffic_Policies-Firewall_Policies-HTTP.tf

2025-11-19 14:40:53 +01:00
parent 80df312a55
commit 24d121b0c0
1 changed files with 127 additions and 1 deletions
--- a/Traffic_Policies-Firewall_Policies-HTTP.tf
+++ b/Traffic_Policies-Firewall_Policies-HTTP.tf
@@ -2,4 +2,130 @@
 # CLOUDFLARE : Traffic Policies : Firewall Policies : HTTP
 # =============================================================================

-#
+#==========================================================
+# Local Variables
+#==========================================================
+locals {
+  precedence = {
+    # HTTP (L7) Policies - AI Application Governance
+    ai_tools_redirect = 24000 # Redirect unreviewed AI tools to Claude
+    chatgpt_allow_log = 24100 # Allow ChatGPT with prompt logging
+
+    # HTTP (L7) Policies - Content Filtering & DLP
+    pdf_block      = 25000 # Block PDF downloads for Sales Eng (identity-based DLP)
+    gambling_block = 25100 # Block gambling websites (category blocking)
+  }
+
+  # Common rule settings for block policies
+  default_block_settings = {
+    block_page_enabled                 = false
+    ip_categories                      = false
+    ip_indicator_feeds                 = false
+    insecure_disable_dnssec_validation = false
+  }
+
+  # Gateway policies configuration
+  # Organized by policy type: then HTTP (L7) policies
+  # Following Cloudflare best practices with 1000-spacing between major groups
+  # Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000
+  gateway_policies = {
+    #==========================================================
+    # HTTP (L7) POLICIES
+    # Application/Content-based filtering
+    # Terraform precedence ranges: 24000-25100
+    # Dashboard precedence ranges: 13000-20000
+    # Note: Dashboard Do-Not-Inspect policies (13000-15000) evaluated before Terraform HTTP policies
+    #==========================================================
+
+    # AI Application Governance (Precedence: 24000-24100)
+    redirect_ai_to_claude = {
+      name                 = "HTTP - Redirect: Redirect users to claude.ai"
+      description          = "Redirect any unreviewed AI application to claude.ai instead"
+      enabled              = true
+      action               = "redirect"
+      precedence           = local.precedence.ai_tools_redirect
+      filters              = ["http"]
+      traffic              = "any(app.type.ids[*] in {25}) and any(app.statuses[*] == \"unreviewed\")"
+      redirect_url         = "https://claude.ai"
+      notification_enabled = false
+    }
+
+    # Content Filtering & DLP (Precedence: 25000-25100)
+    block_pdf_download = {
+      name                 = "HTTP - Block: PDF Files download"
+      description          = "Block Downloading PDF Files for Sales Engineering group"
+      enabled              = false
+      action               = "block"
+      precedence           = local.precedence.pdf_block
+      filters              = ["http"]
+      traffic              = "any(http.download.file.types[*] in {\"pdf\"})"
+      identity             = "any(identity.saml_attributes[*] == \"groups=${var.okta_sales_eng_saml_group_name}\")"
+      block_reason         = "This download is blocked because it is a pdf file (not approved)"
+      notification_enabled = true
+    }
+
+    block_gambling = {
+      name                 = "HTTP - Block: Gambling websites"
+      description          = "Block Gambling website according to corporate policies (HTTP)."
+      enabled              = true
+      action               = "block"
+      precedence           = local.precedence.gambling_block
+      filters              = ["http"]
+      traffic              = "any(http.request.uri.content_category[*] in {99})"
+      identity             = "not(any(identity.saml_attributes[*] == \"groups=${var.okta_contractors_saml_group_name}\")) or not(identity.email == \"${var.okta_bob_user_login}\")"
+      block_reason         = "This website is blocked according to corporate policies (HTTP)"
+      notification_enabled = true
+    }
+
+    allow_chatgpt_log = {
+      name                 = "HTTP - Allow: ChatGPT logging"
+      description          = "Log ChatGPT requests"
+      enabled              = true
+      action               = "allow"
+      precedence           = local.precedence.chatgpt_allow_log
+      filters              = ["http"]
+      traffic              = "any(app.ids[*] == 1199) and any(app_control.controls[*] in {1652})"
+      notification_enabled = false
+      gen_ai_prompt_log    = true
+    }
+  }
+}
+
+#==========================================================
+# Gateway Policies
+#==========================================================
+resource "cloudflare_zero_trust_gateway_policy" "policies" {
+  for_each = local.gateway_policies
+
+  account_id  = local.cloudflare_account_id
+  name        = each.value.name
+  description = each.value.description
+  enabled     = each.value.enabled
+  action      = each.value.action
+  precedence  = each.value.precedence
+  filters     = each.value.filters
+  traffic     = each.value.traffic
+
+  # Optional fields
+  identity       = try(each.value.identity, null)
+  device_posture = try(each.value.device_posture, null)
+
+  rule_settings = merge(
+    local.default_block_settings,
+    {
+      block_reason = try(each.value.block_reason, "")
+      notification_settings = {
+        enabled = try(each.value.notification_enabled, false)
+        msg     = try(each.value.block_reason, "")
+      }
+      redirect = try(each.value.redirect_url, null) != null ? {
+        target_uri              = each.value.redirect_url
+        preserve_path_and_query = false
+        include_context         = false
+      } : null
+      gen_ai_prompt_log = try(each.value.gen_ai_prompt_log, null) != null ? {
+        enabled = each.value.gen_ai_prompt_log
+      } : null
+    }
+  )
+}