diff --git a/access_rule_groups.tf b/access_rule_groups.tf
index f5af030..b7b2610 100644
--- a/access_rule_groups.tf
+++ b/access_rule_groups.tf
@@ -1,15 +1,15 @@
 #==========================================================
 # Local Variables
 #==========================================================
-locals {
+#locals {
 # SAML groups from Okta
- saml_groups = {
- contractors = "Contractors"
- infrastructure_admin = "InfrastructureAdmin"
- sales_engineering = "SalesEngineering"
- sales = "Sales"
- it_admin = "ITAdmin"
- }
+# saml_groups = {
+# contractors = "Contractors"
+# infrastructure_admin = "InfrastructureAdmin"
+# sales_engineering = "SalesEngineering"
+# sales = "Sales"
+# it_admin = "ITAdmin"
+# }
 # Azure AD groups
 # azure_groups = {
@@ -19,16 +19,16 @@ locals {
 # }
 # Allowed countries
- allowed_countries = ["FR", "DE", "US", "GB"]
- blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]
+# allowed_countries = ["FR", "DE", "US", "GB"]
+# blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]
- # OS posture checks
- os_posture_checks = [
- var.cloudflare_linux_posture_id,
- var.cloudflare_macos_posture_id,
- var.cloudflare_windows_posture_id
- ]
-}
+# OS posture checks
+# os_posture_checks = [
+# var.cloudflare_linux_posture_id,
+# var.cloudflare_macos_posture_id,
+# var.cloudflare_windows_posture_id
+# ]
+#}
 #==================================================
 # Default Rule Groups
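Review bot: Commenting out `locals` in this hunk removes `local.saml_groups` (and, in the `@@ -19` hunk, `local.allowed_countries`, `local.blocked_countries` and `local.os_posture_checks`), while the file still declares `default_groups` (context line of `@@ -45`) and the `cloudflare_zero_trust_access_group.saml_groups` resource that the composite groups index is not in this diff; if either still reads these locals, `terraform validate` will fail on the new side. The same concern applies to the `@@ -45` hunk: commenting out `country_requirements_rule_group` and `latest_os_version_requirements_rule_group` makes the next apply destroy those groups, so any Access policy that still includes them either fails to plan or, if it was updated elsewhere to drop them, quietly loses its geo and device-posture requirements, and the same goes for the four composite SAML groups. Nothing in the diff says whether this is a permanent removal or a temporary disable; if permanent, delete the blocks and let git carry the history, and if temporary, a header comment such as `# DISABLED <YYYY-MM-DD>: <reason>; re-enable or delete under <TRACKING-ITEM>` above the commented `locals` block would make the intent and the lost controls reviewable. The `@@ -45` hunk appears to continue past the end of this excerpt.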
@@ -45,101 +45,101 @@ resource "cloudflare_zero_trust_access_group" "default_groups" {
 #==================================================
 # Geographic Rule Groups
 #===================================================
-resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
- account_id = local.cloudflare_account_id
- name = "Country Requirements"
-
- include = [
- for country in local.allowed_countries : {
- geo = {
- country_code = country
- }
- }
- ]
- exclude = [
- for country in local.blocked_countries : {
- geo = {
- country_code = country
- }
- }
- ]
-}
+#resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
+# account_id = local.cloudflare_account_id
+# name = "Country Requirements"
+#
+# include = [
+# for country in local.allowed_countries : {
+# geo = {
+# country_code = country
+# }
+# }
+# ]
+# exclude = [
+# for country in local.blocked_countries : {
+# geo = {
+# country_code = country
+# }
+# }
+# ]
+#}
 #==================================================
 # Device Posture Rule Groups
 #===================================================
-resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
- account_id = local.cloudflare_account_id
- name = "Latest OS Version Requirements"
-
- include = [
- for posture_id in local.os_posture_checks : {
- device_posture = {
- integration_uid = posture_id
- }
- }
- ]
-}
+#resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
+# account_id = local.cloudflare_account_id
+# name = "Latest OS Version Requirements"
+#
+# include = [
+# for posture_id in local.os_posture_checks : {
+# device_posture = {
+# integration_uid = posture_id
+# }
+# }
+# ]
+#}
 #==================================================
 # Composite Rule Groups
 #===================================================
-resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
- account_id = local.cloudflare_account_id
- name = "Employees"
+#resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
+# account_id = local.cloudflare_account_id
+# name = "Employees"
+#
+# include = [
+# for group_key in ["it_admin", "sales", "sales_engineering", "infrastructure_admin"] : {
+# group = {
+# id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
+# }
+# }
+# ]
+#}
- include = [
- for group_key in ["it_admin", "sales", "sales_engineering", "infrastructure_admin"] : {
- group = {
- id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
- }
- }
- ]
-}
+#resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
+# account_id = local.cloudflare_account_id
+# name = "Sales Team"
+#
+# include = [
+# for group_key in ["sales", "sales_engineering"] : {
+# group = {
+# id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
+# }
+# }
+# ]
+#}
-resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
- account_id = local.cloudflare_account_id
- name = "Sales Team"
+#resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
+# account_id = local.cloudflare_account_id
+# name = "Administrators"
+#
+# include = [
+# for group_key in ["it_admin", "infrastructure_admin"] : {
+# group = {
+# id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
+# }
+# }
+# ]
+#}
- include = [
- for group_key in ["sales", "sales_engineering"] : {
- group = {
- id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
- }
- }
- ]
-}
-
-resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
- account_id = local.cloudflare_account_id
- name = "Administrators"
-
- include = [
- for group_key in ["it_admin", "infrastructure_admin"] : {
- group = {
- id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
- }
- }
- ]
-}
-
-resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
- account_id = local.cloudflare_account_id
- name = "Contractors Extended"
-
- include = [
- {
- group = {
- id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id
- }
- },
- {
- email_domain = {
- domain = var.cloudflare_email_domain
- }
- }
- ]
-}
+#resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
+# account_id = local.cloudflare_account_id
+# name = "Contractors Extended"
+#
+# include = [
+# {
+# group = {
+# id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id
+# }
+# },
+# {
+# email_domain = {
+# domain = var.cloudflare_email_domain
+# }
+# }
+# ]
+#}
 #==================================================
 # Azure AD Rule Groups