From b60da06096ff15232d2f082d5892cca9632d86c3 Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Sun, 16 Nov 2025 18:43:49 +0100
Subject: [PATCH] Update access_groups.tf

---
 access_groups.tf | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/access_groups.tf b/access_groups.tf
index 889a86f..a08eed5 100644
--- a/access_groups.tf
+++ b/access_groups.tf
@@ -58,4 +58,76 @@ resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group"
       }
     }
   ]
+}
+
+# Device Posture Rule Groups
+resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
+  account_id = local.cloudflare_account_id
+  name       = "Latest OS Version Requirements"
+
+  include = [
+    for posture_id in local.os_posture_checks : {
+      device_posture = {
+        integration_uid = posture_id
+      }
+    }
+  ]
+}
+
+# Composite Rule Groups
+resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
+  account_id = local.cloudflare_account_id
+  name       = "Employees"
+
+  include = [
+    for group_key in ["it_admin", "sales", "sales_engineering", "infrastructure_admin"] : {
+      group = {
+        id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
+      }
+    }
+  ]
+}
+
+resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
+  account_id = local.cloudflare_account_id
+  name       = "Sales Team"
+
+  include = [
+    for group_key in ["sales", "sales_engineering"] : {
+      group = {
+        id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
+      }
+    }
+  ]
+}
+
+resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
+  account_id = var.cloudflare_account_id
+  name       = "Administrators"
+
+  include = [
+    for group_key in ["it_admin", "infrastructure_admin"] : {
+      group = {
+        id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
+      }
+    }
+  ]
+}
+
+resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
+  account_id = local.cloudflare_account_id
+  name       = "Contractors Extended"
+
+  include = [
+    {
+      group = {
+        id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id
+      }
+    },
+    {
+      email_domain = {
+        domain = var.cloudflare_email_domain
+      }
+    }
+  ]
 }
\ No newline at end of file
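Review bot: The two entries under `include` in `contractors_rule_group` are alternatives, not a conjunction, so anyone whose identity carries `var.cloudflare_email_domain` satisfies "Contractors Extended" whether or not they are in the SAML `contractors` group; if the intent is contractors who also hold a company-domain email, the domain check belongs in a `require` block, `require = [{ email_domain = { domain = var.cloudflare_email_domain } }]`, with only the group entry left under `include`. If the broader membership is intentional, a comment above the resource such as `# Matches contractors OR any corporate-domain email (OR semantics)` would stop the next reader from tightening it. Separately, `admins_rule_group` sets `account_id = var.cloudflare_account_id` while every other resource in the hunk uses `local.cloudflare_account_id`; unless the two are meant to differ, `account_id = local.cloudflare_account_id` keeps the most privileged group in the same account as the rest. The hunk opens inside `country_requirements_rule_group`, whose header lies outside it, and its final `}` is the pre-existing last line of the file, still without a trailing newline.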