From 4c3150a9b9302be2996c4d7d0402d3a871a8367a Mon Sep 17 00:00:00 2001
From: hcornet
Date: Mon, 24 Nov 2025 15:45:52 +0100
Subject: [PATCH] modify policy

---
 Access_Controls-Applications-ssh.tf | 8 +++----
 Access_Controls-Applications-vnc.tf | 4 ++--
 Access_Controls-Policies-Rule_Groups.tf | 28 +++++++++++++++++++++++--
 3 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/Access_Controls-Applications-ssh.tf b/Access_Controls-Applications-ssh.tf
index 51f48a9..f264db9 100644
--- a/Access_Controls-Applications-ssh.tf
+++ b/Access_Controls-Applications-ssh.tf
@@ -33,10 +33,10 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_brow
 policies = [
 {
- id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+ id = cloudflare_zero_trust_access_policy.policies["aws_employees_browser_rendering"].id
 },
 {
- id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
+ id = cloudflare_zero_trust_access_policy.policies["aws_contractors_browser_rendering"].id
 }
 ]
 }
@@ -72,10 +72,10 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_brow
 policies = [
 {
- id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+ id = cloudflare_zero_trust_access_policy.policies["gcp_employees_browser_rendering"].id
 },
 {
- id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
+ id = cloudflare_zero_trust_access_policy.policies["gcp_contractors_browser_rendering"].id
 }
 ]
 }
diff --git a/Access_Controls-Applications-vnc.tf b/Access_Controls-Applications-vnc.tf
index 536663d..2e30d79 100644
--- a/Access_Controls-Applications-vnc.tf
+++ b/Access_Controls-Applications-vnc.tf
@@ -32,7 +32,7 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_vnc_brow
 allow_authenticate_via_warp = false
 policies = [{
- id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+ id = cloudflare_zero_trust_access_policy.policies["aws_employees_browser_rendering"].id
 }]
 }
@@ -66,6 +66,6 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_vnc_brow
 allow_authenticate_via_warp = false
 policies = [{
- id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+ id = cloudflare_zero_trust_access_policy.policies["gcp_employees_browser_rendering"].id
 }]
 }
diff --git a/Access_Controls-Policies-Rule_Groups.tf b/Access_Controls-Policies-Rule_Groups.tf
index c3a82ba..36588c5 100644
--- a/Access_Controls-Policies-Rule_Groups.tf
+++ b/Access_Controls-Policies-Rule_Groups.tf
@@ -145,7 +145,7 @@ locals {
 purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
 lifecycle_create_before_destroy = true
 }
- employees_browser_rendering = {
+ aws_employees_browser_rendering = {
 name = "Employees AWS Database Policy"
 include_groups = ["infrastructure_admin"]
 require_posture = true
@@ -154,7 +154,7 @@ locals {
 purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
 require_login_method = true
 }
- contractors_browser_rendering = {
+ aws_contractors_browser_rendering = {
 name = "Contractors AWS Database Policy"
 include_groups = ["contractors"]
 require_posture = true
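Review bot: Renaming the map key `employees_browser_rendering` to `aws_employees_browser_rendering` here (and `contractors_browser_rendering` to `aws_contractors_browser_rendering` in the following `@@ -154` hunk) changes the instance key of what looks like the `for_each`-driven `cloudflare_zero_trust_access_policy.policies` resource, so Terraform will plan to destroy the two existing policies and create new ones under the new keys rather than keep them. Unlike the entry directly above, neither renamed entry sets `lifecycle_create_before_destroy = true`, so the SSH and VNC applications that reference these policies may briefly have no policy attached during apply, and both policies get new IDs. If this is meant as a pure rename, `moved` blocks preserve the existing objects and their IDs; if replacement is intended, the commit message should say so. The enclosing `locals` block starts and ends outside the hunk.
```terraform
# … unchanged: locals map …
moved {
  from = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"]
  to   = cloudflare_zero_trust_access_policy.policies["aws_employees_browser_rendering"]
}

moved {
  from = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"]
  to   = cloudflare_zero_trust_access_policy.policies["aws_contractors_browser_rendering"]
}
```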
@@ -163,12 +163,36 @@ locals {
 purpose_justification = true
 purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
 }
+ gcp_employees_browser_rendering = {
+ name = "Employees GCP Database Policy"
+ include_groups = ["infrastructure_admin"]
+ require_posture = true
+ require_mfa = false
+ purpose_justification = true
+ purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
+ require_login_method = true
+ }
+ gcp_contractors_browser_rendering = {
+ name = "Contractors GCP Database Policy"
+ include_groups = ["contractors"]
+ require_posture = true
+ require_mfa = false
+ require_country = true
+ purpose_justification = true
+ purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
+ }
 aws = {
 name = "AWS Cloud Policy"
 include_groups = ["sales_engineering"]
 require_posture = true
 require_mfa = true
 }
+ gcp = {
+ name = "GCP Cloud Policy"
+ include_groups = ["sales_engineering"]
+ require_posture = true
+ require_mfa = true
+ }
 okta = {
 name = "Okta Cloud Policy"
 include_groups = ["it_admin"]
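Review bot: The new `gcp_employees_browser_rendering` and `gcp_contractors_browser_rendering` entries both set `require_mfa = false` even though their prompts describe a production system and they grant `infrastructure_admin` and `contractors` respectively, while the `gcp` entry added in the same hunk requires MFA for the less privileged `sales_engineering` group. The employees entry has `require_login_method = true`, which might delegate MFA to the identity provider, but that cannot be confirmed from this hunk, and the contractors entry has no such setting at all. Unless the omission is deliberate, set `require_mfa = true` in both, or add a one-line comment above each, e.g. `# MFA not required here because <reason>`, so the exception is documented. The GCP entries are otherwise copies of the AWS ones with only the name changed; a `for` expression over a cloud list would keep the two sets from drifting apart. The enclosing `locals` block starts and ends outside the hunk.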