diff --git a/variables.auto.tfvars b/variables.auto.tfvars
index 9f79f2f..e7eeb21 100644
--- a/variables.auto.tfvars
+++ b/variables.auto.tfvars
@@ -62,6 +62,99 @@ applications = {
 }
 }
+# =============================================================================
+# Groups
+# =============================================================================
+
+#
+local {
+ # Group mapping for policies (supports both SAML and composite groups)
+ policy_groups = {
+ # Composite groups
+ employees = cloudflare_zero_trust_access_group.employees_rule_group.id
+ sales_team = cloudflare_zero_trust_access_group.sales_team_rule_group.id
+ admins = cloudflare_zero_trust_access_group.admins_rule_group.id
+ contractors = cloudflare_zero_trust_access_group.contractors_rule_group.id
+
+ # Individual SAML groups
+ infrastructure_admin = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id
+ sales_engineering = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id
+ sales = cloudflare_zero_trust_access_group.saml_groups["sales"].id
+ it_admin = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id
+ }
+
+ # Common access policy configurations
+ access_policies = {
+ intranet_web_app = {
+ name = "Intranet App Policy"
+ include_groups = ["employees", "contractors"]
+ require_posture = true
+ require_mfa = false
+ purpose_justification = false
+ }
+ competition_web_app = {
+ name = "Competition App Policy"
+ include_groups = ["sales_team"]
+ require_posture = true
+ require_mfa = true
+ # IMPORTANT: Comment out the next 3 lines if you haven't deployed the "Training Compliance Gateway"
+ # Otherwise the Competition App won't work or show up in App Launcher
+ # Repository: https://github.com/macharpe/cloudflare-access-training-evaluator
+ require_external_evaluation = true
+ external_evaluation_url = "https://training-status.macharpe.com"
+ external_evaluation_keys_url = "https://training-status.macharpe.com/keys"
+ purpose_justification = true
+ purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
+ lifecycle_create_before_destroy = true
+ }
+ employees_browser_rendering = {
+ name = "Employees AWS Database Policy"
+ include_groups = ["infrastructure_admin"]
+ require_posture = true
+ require_mfa = false
+ purpose_justification = true
+ purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
+ require_login_method = true
+ }
+ contractors_browser_rendering = {
+ name = "Contractors AWS Database Policy"
+ include_groups = ["contractors"]
+ require_posture = true
+ require_mfa = false
+ require_country = true
+ purpose_justification = true
+ purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
+ }
+ aws = {
+ name = "AWS Cloud Policy"
+ include_groups = ["sales_engineering"]
+ require_posture = true
+ require_mfa = true
+ }
+ okta = {
+ name = "Okta Cloud Policy"
+ include_groups = ["it_admin"]
+ require_posture = true
+ require_mfa = true
+ }
+ meraki = {
+ name = "Meraki Cloud Policy"
+ include_groups = ["it_admin"]
+ require_posture = true
+ require_mfa = true
+ }
+ domain_controller = {
+ name = "Domain Controller Policy"
+ include_groups = ["it_admin", "contractors"]
+ require_posture = true
+ require_mfa = true
+ require_country = true
+ purpose_justification = true
+ purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
+ }
+ }
+}
+
 # =============================================================================
 # Tags
 # =============================================================================
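Review bot: The added `local { … }` block assigns resource attribute references such as `cloudflare_zero_trust_access_group.saml_groups["it_admin"].id` inside `variables.auto.tfvars`, but a tfvars file accepts only literal values for declared variables (no blocks, no references to resources), and Terraform's keyword for local values is `locals` in a `.tf` file in any case, so as written this appears misplaced and would fail to parse at plan time or, if the file is never loaded as variable input, silently define nothing. Unless the collapsed diff hides something, the `policy_groups` and `access_policies` maps belong in a `locals { … }` block of a `.tf` file where the group resources are declared. Separately, the two policies named "… AWS Database Policy" (`employees_browser_rendering`, `contractors_browser_rendering`) set `require_mfa = false` while their own prompt calls the target a production system and lower-sensitivity entries such as `aws` and `okta` require MFA; if that is deliberate, a comment on those lines such as `# MFA intentionally not required: <reason>` would keep a reader from treating it as an oversight. The map keys `employees_browser_rendering` / `contractors_browser_rendering` also no longer match the display names they carry, which makes the policy set harder to audit against the applications map earlier in this file.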