From bc47309b48f8d6f6b2e3cca60db8e4967a996291 Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Mon, 17 Nov 2025 14:45:40 +0100
Subject: [PATCH] Update gateway_policy.tf

---
 gateway_policy.tf | 53 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/gateway_policy.tf b/gateway_policy.tf
index a5441a0..897d1be 100644
--- a/gateway_policy.tf
+++ b/gateway_policy.tf
@@ -2,7 +2,7 @@
 # CLOUDFLARE : Gateway : Policy
 # =============================================================================
-#
+# POLICY: block_malware
 resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
   account_id = local.cloudflare_account_id
@@ -22,6 +22,57 @@ resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
 }
 }
+# POLICY: Block Ads
+
+locals {
+  # Iterate through each pihole_domain_list resource and extract its ID
+  pihole_domain_lists = [for k, v in cloudflare_teams_list.pihole_domain_lists : v.id]
+
+  # Format the values: remove dashes and prepend $
+  pihole_domain_lists_formatted = [for v in local.pihole_domain_lists : format("$%s", replace(v, "-", ""))]
+
+  # Create filters to use in the policy
+  pihole_ad_filters = formatlist("any(dns.domains[*] in %s)", local.pihole_domain_lists_formatted)
+  pihole_ad_filter = join(" or ", local.pihole_ad_filters)
+}
+
+locals {
+  # The full path of the list holding the domain list
+  pihole_domain_list_file = "${path.module}/lists/pihole_domain_list.txt"
+
+  # Parse the file and create a list, one item per line
+  pihole_domain_list = split("\n", file(local.pihole_domain_list_file))
+
+  # Remove empty lines
+  pihole_domain_list_clean = [for x in local.pihole_domain_list : x if x != ""]
+
+  # Use chunklist to split a list into fixed-size chunks
+  # It returns a list of lists
+  pihole_aggregated_lists = chunklist(local.pihole_domain_list_clean, 1000)
+
+  # Get the number of lists (chunks) created
+  pihole_list_count = length(local.pihole_aggregated_lists)
+}
+
+resource "cloudflare_teams_rule" "block_ads" {
+  account_id = local.cloudflare_account_id
+
+  name = "Block Ads"
+  description = "Block Ads domains"
+
+  enabled = true
+  precedence = 11
+
+  # Block domain belonging to lists (defined below)
+  filters = ["dns"]
+  action = "block"
+  traffic = local.pihole_ad_filter
+
+  rule_settings {
+    block_page_enabled = false
+  }
+}
+
 #
 #resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
 #   account_id = local.cloudflare_account_id
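Review bot: The cleanup on the `pihole_domain_list_clean` line only drops entries that are exactly empty, so a list file saved with CRLF line endings or containing trailing whitespace yields entries with a stray `\r` or space that never match a queried domain, and the Block Ads policy silently covers less than the file suggests; `pihole_domain_list_clean = [for x in local.pihole_domain_list : trimspace(x) if trimspace(x) != ""]` normalises each entry before it is chunked. Relatedly, if the file has no usable entries (or `cloudflare_teams_list.pihole_domain_lists`, which is defined outside this hunk, produces none), `pihole_ad_filter` collapses to an empty string and `traffic = ""` is handed to the rule, which is presumably rejected at apply time rather than reported as a bad list file. The new rule is declared as `cloudflare_teams_rule` while `block_malware` just above uses `cloudflare_zero_trust_gateway_policy`, the current name for the same resource in the Cloudflare provider with `cloudflare_teams_rule` kept as a deprecated alias; declaring `resource "cloudflare_zero_trust_gateway_policy" "block_ads"` keeps the file on one resource type ahead of the alias being removed. The comment `# Block domain belonging to lists (defined below)` refers to lists that are not in this hunk; `# Block any domain present in one of the pihole_domain_lists gateway lists` describes the `traffic` expression accurately.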