Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

test
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 8s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-20 11:36:56 +01:00
parent 9bc192581b
commit a6dc597994
1 changed files with 216 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

216
Access_Controls-Policies-Rule_Groups.tf
View File

@@ -106,6 +106,64 @@ locals {
var.cloudflare_macos_posture_id,
var.cloudflare_windows_posture_id
]
policy_groups = {
# Composite groups
employees = cloudflare_zero_trust_access_group.employees_rule_group.id
sales_team = cloudflare_zero_trust_access_group.sales_team_rule_group.id
admins = cloudflare_zero_trust_access_group.admins_rule_group.id
contractors = cloudflare_zero_trust_access_group.contractors_rule_group.id
# Individual SAML groups
infrastructure_admin = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id
sales_engineering = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id
sales = cloudflare_zero_trust_access_group.saml_groups["sales"].id
it_admin = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id
}
# Common access policy configurations
access_policies = {
intranet_web_app = {
name = "Intranet App Policy"
include_groups = ["employees", "contractors"]
require_posture = true
require_mfa = false
purpose_justification = false
}
competition_web_app = {
name = "Competition App Policy"
include_groups = ["sales_team"]
require_posture = true
require_mfa = true
# IMPORTANT: Comment out the next 3 lines if you haven't deployed the "Training Compliance Gateway"
# Otherwise the Competition App won't work or show up in App Launcher
# Repository: https://github.com/macharpe/cloudflare-access-training-evaluator
require_external_evaluation = true
external_evaluation_url = "https://training-status.macharpe.com"
external_evaluation_keys_url = "https://training-status.macharpe.com/keys"
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
lifecycle_create_before_destroy = true
}
employees_browser_rendering = {
name = "Employees AWS Database Policy"
include_groups = ["infrastructure_admin"]
require_posture = true
require_mfa = false
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
require_login_method = true
}
contractors_browser_rendering = {
name = "Contractors AWS Database Policy"
include_groups = ["contractors"]
require_posture = true
require_mfa = false
require_country = true
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
}
}
}
#==================================================
@@ -113,6 +171,7 @@ locals {
#===================================================
resource "cloudflare_zero_trust_access_group" "default_groups" {
account_id = local.cloudflare_account_id
name = "default group"
zone_id = local.cloudflare_zone_id
is_default = true
@@ -130,6 +189,7 @@ resource "cloudflare_zero_trust_access_group" "default_groups" {
resource "cloudflare_zero_trust_access_group" "saml_groups" {
for_each = local.saml_groups
account_id = local.cloudflare_account_id
name = each.value
include = [{
@@ -141,6 +201,66 @@ resource "cloudflare_zero_trust_access_group" "saml_groups" {
}]
}
#==================================================
# Composite Rule Groups
#===================================================
resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
account_id = var.cloudflare_account_id
name = "Employees"
include = [
for group_key in ["it_admin", "sales", "sales_engineering", "infrastructure_admin"] : {
group = {
id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
}
}
]
}
resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
account_id = var.cloudflare_account_id
name = "Sales Team"
include = [
for group_key in ["sales", "sales_engineering"] : {
group = {
id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
}
}
]
}
resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
account_id = var.cloudflare_account_id
name = "Administrators"
include = [
for group_key in ["it_admin", "infrastructure_admin"] : {
group = {
id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
}
}
]
}
resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
account_id = var.cloudflare_account_id
name = "Contractors Extended"
include = [
{
group = {
id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id
}
},
{
email_domain = {
domain = var.cf_email_domain
}
}
]
}
# Geographic Rule Groups
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
account_id = local.cloudflare_account_id
@@ -446,3 +566,99 @@ resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
}
]
}
#==========================================================
# Access Policies
#==========================================================
resource "cloudflare_zero_trust_access_policy" "policies" {
for_each = local.access_policies
account_id = local.cloudflare_account_id
decision = "allow"
name = each.value.name
session_duration = "0s"
# Purpose justification
purpose_justification_prompt = try(each.value.purpose_justification_prompt, null)
purpose_justification_required = try(each.value.purpose_justification, false)
# Include groups
include = concat(
# Groups (both SAML and composite groups via mapping)
[
for group in each.value.include_groups : {
group = {
id = local.policy_groups[group]
}
}
],
# Email domain (for contractors)
try(each.value.include_email_domain, false) ? [{
email_domain = {
domain = var.cf_email_domain
}
}] : []
)
# Require conditions
require = concat(
# Device posture (always required if specified)
try(each.value.require_posture, false) ? [{
device_posture = {
integration_uid = var.cf_gateway_posture_id
}
}] : [],
# MFA requirement
try(each.value.require_mfa, false) ? [{
auth_method = {
auth_method = "mfa"
}
}] : [],
# Login method (for specific policies)
try(each.value.require_login_method, false) ? [{
login_method = {
id = var.cf_okta_identity_provider_id
}
}] : [],
# Country requirements
try(each.value.require_country, false) ? [{
group = {
id = cloudflare_zero_trust_access_group.country_requirements_rule_group.id
}
}] : [],
# OS version requirements
try(each.value.require_os_version, false) ? [{
group = {
id = cloudflare_zero_trust_access_group.latest_os_version_requirements_rule_group.id
}
}] : [],
# External evaluation requirements
try(each.value.require_external_evaluation, false) ? [{
external_evaluation = {
evaluate_url = each.value.external_evaluation_url
keys_url = each.value.external_evaluation_keys_url
}
}] : []
)
# Exclude SMS (for MFA policies)
exclude = try(each.value.require_mfa, false) ? [{
auth_method = {
auth_method = "sms"
}
}] : []
# Explicit dependencies to ensure proper destruction order:
# Policies → Composite Groups → Individual SAML Groups
depends_on = [
cloudflare_zero_trust_access_group.employees_rule_group,
cloudflare_zero_trust_access_group.sales_team_rule_group,
cloudflare_zero_trust_access_group.admins_rule_group,
cloudflare_zero_trust_access_group.contractors_rule_group,
cloudflare_zero_trust_access_group.saml_groups
]
# Note: lifecycle blocks cannot be conditional in for_each resources
}