Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Update test.tf
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 14s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-19 09:34:07 +01:00
parent 192d2651b5
commit b147e14715
1 changed files with 9 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
test.tf
View File

@@ -2,9 +2,6 @@
# Local Variables # Local Variables
#========================================================== #==========================================================
locals { locals {
# Precedence values - organized by policy type and purpose
# Following Cloudflare best practices with 1000-spacing between major groups
# Integrates with dashboard-managed policies (1000-3000, 5000-20000, 36000-40000)
precedence = { precedence = {
# NETWORK (L4) Policies - Access Infrastructure Integration # NETWORK (L4) Policies - Access Infrastructure Integration
access_infra_target = 4000 # Access Infrastructure integration (between DNS groups) access_infra_target = 4000 # Access Infrastructure integration (between DNS groups)
@@ -32,7 +29,6 @@ locals {
gambling_block = 25100 # Block gambling websites (category blocking) gambling_block = 25100 # Block gambling websites (category blocking)
} }
# Common rule settings for block policies # Common rule settings for block policies
default_block_settings = { default_block_settings = {
block_page_enabled = false block_page_enabled = false
@@ -73,9 +69,9 @@ locals {
action = "allow" action = "allow"
precedence = local.precedence.rdp_admin_allow precedence = local.precedence.rdp_admin_allow
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cf_domain_controller_rdp_port} and net.protocol == \"tcp\"" traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")" identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")"
device_posture = "any(device_posture.checks.passed[*] == \"${var.cf_macos_posture_id}\") or any(device_posture.checks.passed[*] == \"${var.cf_windows_posture_id}\") or any(device_posture.checks.passed[*] == \"${var.cf_linux_posture_id}\")" device_posture = "any(device_posture.checks.passed[*] == \"${var.cloudflare_macos_posture_id}\") or any(device_posture.checks.passed[*] == \"${var.cloudflare_windows_posture_id}\") or any(device_posture.checks.passed[*] == \"${var.cloudflare_linux_posture_id}\")"
notification_enabled = false notification_enabled = false
} }
@@ -87,7 +83,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.block_lateral_ssh precedence = local.precedence.block_lateral_ssh
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cf_warp_cgnat_cidr}})" traffic = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "SSH lateral movement blocked - use authorized access methods or ensure device compliance" block_reason = "SSH lateral movement blocked - use authorized access methods or ensure device compliance"
notification_enabled = true notification_enabled = true
} }
@@ -98,7 +94,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.block_lateral_rdp precedence = local.precedence.block_lateral_rdp
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cf_warp_cgnat_cidr}})" traffic = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "RDP lateral movement blocked - use authorized methods" block_reason = "RDP lateral movement blocked - use authorized methods"
notification_enabled = true notification_enabled = true
} }
@@ -109,7 +105,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.block_lateral_smb precedence = local.precedence.block_lateral_smb
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cf_warp_cgnat_cidr}})" traffic = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "SMB lateral movement blocked - use authorized methods" block_reason = "SMB lateral movement blocked - use authorized methods"
notification_enabled = true notification_enabled = true
} }
@@ -120,7 +116,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.block_lateral_winrm precedence = local.precedence.block_lateral_winrm
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cf_warp_cgnat_cidr}})" traffic = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "WinRM lateral movement blocked - use authorized methods" block_reason = "WinRM lateral movement blocked - use authorized methods"
notification_enabled = true notification_enabled = true
} }
@@ -131,7 +127,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.block_lateral_database precedence = local.precedence.block_lateral_database
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cf_warp_cgnat_cidr}})" traffic = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "Database lateral movement blocked - use authorized methods" block_reason = "Database lateral movement blocked - use authorized methods"
notification_enabled = true notification_enabled = true
} }
@@ -144,7 +140,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.ip_access_block precedence = local.precedence.ip_access_block
filters = ["l4"] filters = ["l4"]
traffic = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cf_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cf_competition_app_port})" traffic = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_competition_app_port})"
block_reason = "This website is blocked because you are trying to access an internal app via its IP address" block_reason = "This website is blocked because you are trying to access an internal app via its IP address"
notification_enabled = true notification_enabled = true
} }
@@ -157,7 +153,7 @@ locals {
action = "block" action = "block"
precedence = local.precedence.rdp_default_deny precedence = local.precedence.rdp_default_deny
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cf_domain_controller_rdp_port} and net.protocol == \"tcp\"" traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
block_reason = "RDP access denied - insufficient privileges" block_reason = "RDP access denied - insufficient privileges"
notification_enabled = true notification_enabled = true
} }