modify policy

2025-11-24 15:45:52 +01:00
parent 28903349e2
commit 4c3150a9b9
3 changed files with 32 additions and 8 deletions
--- a/Access_Controls-Applications-ssh.tf
+++ b/Access_Controls-Applications-ssh.tf
@@ -33,10 +33,10 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_brow

  policies = [
    {
-      id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+      id = cloudflare_zero_trust_access_policy.policies["aws_employees_browser_rendering"].id
    },
    {
-      id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
+      id = cloudflare_zero_trust_access_policy.policies["aws_contractors_browser_rendering"].id
    }
  ]
 }
@@ -72,10 +72,10 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_brow

  policies = [
    {
-      id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+      id = cloudflare_zero_trust_access_policy.policies["gcp_employees_browser_rendering"].id
    },
    {
-      id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
+      id = cloudflare_zero_trust_access_policy.policies["gcp_contractors_browser_rendering"].id
    }
  ]
 }
--- a/Access_Controls-Applications-vnc.tf
+++ b/Access_Controls-Applications-vnc.tf
@@ -32,7 +32,7 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_vnc_brow
  allow_authenticate_via_warp = false

  policies = [{
-    id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+    id = cloudflare_zero_trust_access_policy.policies["aws_employees_browser_rendering"].id
  }]
 }

@@ -66,6 +66,6 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_vnc_brow
  allow_authenticate_via_warp = false

  policies = [{
-    id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+    id = cloudflare_zero_trust_access_policy.policies["gcp_employees_browser_rendering"].id
  }]
 }
--- a/Access_Controls-Policies-Rule_Groups.tf
+++ b/Access_Controls-Policies-Rule_Groups.tf
@@ -145,7 +145,7 @@ locals {
      purpose_justification_prompt    = "Access justification required: Please provide your business reason for accessing this sensitive resource."
      lifecycle_create_before_destroy = true
    }
-    employees_browser_rendering = {
+    aws_employees_browser_rendering = {
      name                         = "Employees AWS Database Policy"
      include_groups               = ["infrastructure_admin"]
      require_posture              = true
@@ -154,7 +154,7 @@ locals {
      purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
      require_login_method         = true
    }
-    contractors_browser_rendering = {
+    aws_contractors_browser_rendering = {
      name                         = "Contractors AWS Database Policy"
      include_groups               = ["contractors"]
      require_posture              = true
@@ -163,12 +163,36 @@ locals {
      purpose_justification        = true
      purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
    }
+    gcp_employees_browser_rendering = {
+      name                         = "Employees GCP Database Policy"
+      include_groups               = ["infrastructure_admin"]
+      require_posture              = true
+      require_mfa                  = false
+      purpose_justification        = true
+      purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
+      require_login_method         = true
+    }
+    gcp_contractors_browser_rendering = {
+      name                         = "Contractors GCP Database Policy"
+      include_groups               = ["contractors"]
+      require_posture              = true
+      require_mfa                  = false
+      require_country              = true
+      purpose_justification        = true
+      purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
+    }
    aws = {
      name            = "AWS Cloud Policy"
      include_groups  = ["sales_engineering"]
      require_posture = true
      require_mfa     = true
    }
+    gcp = {
+      name            = "GCP Cloud Policy"
+      include_groups  = ["sales_engineering"]
+      require_posture = true
+      require_mfa     = true
+    }
    okta = {
      name            = "Okta Cloud Policy"
      include_groups  = ["it_admin"]