From bd0b5a1062ec974eea56366db8f422e36c79cd7e Mon Sep 17 00:00:00 2001 From: Hubert Cornet Date: Wed, 19 Nov 2025 14:43:20 +0100 Subject: [PATCH] Delete test.tf --- test.tf | 260 -------------------------------------------------------- 1 file changed, 260 deletions(-) delete mode 100644 test.tf diff --git a/test.tf b/test.tf deleted file mode 100644 index a8683e3..0000000 --- a/test.tf +++ /dev/null @@ -1,260 +0,0 @@ -#========================================================== -# Local Variables -#========================================================== -locals { - precedence = { - # NETWORK (L4) Policies - Access Infrastructure Integration - access_infra_target = 4000 # Access Infrastructure integration (between DNS groups) - - # NETWORK (L4) Policies - Zero Trust RDP Access Control - rdp_admin_allow = 21000 # Allow RDP for IT admins (identity-based) - rdp_default_deny = 21700 # Default deny RDP (after allow, before lateral movement) - - # NETWORK (L4) Policies - Lateral Movement Prevention (East-West Traffic) - block_lateral_ssh = 22550 # Block SSH lateral movement - block_lateral_rdp = 22600 # Block RDP lateral movement - block_lateral_smb = 22200 # Block SMB lateral movement - block_lateral_winrm = 22300 # Block WinRM lateral movement - block_lateral_database = 22400 # Block database lateral movement - - # NETWORK (L4) Policies - IP Access Control - ip_access_block = 23000 # Block direct IP access to apps (force hostname-based access) - - # HTTP (L7) Policies - AI Application Governance - ai_tools_redirect = 24000 # Redirect unreviewed AI tools to Claude - chatgpt_allow_log = 24100 # Allow ChatGPT with prompt logging - - # HTTP (L7) Policies - Content Filtering & DLP - pdf_block = 25000 # Block PDF downloads for Sales Eng (identity-based DLP) - gambling_block = 25100 # Block gambling websites (category blocking) - } - - # Common rule settings for block policies - default_block_settings = { - block_page_enabled = false - ip_categories = false - ip_indicator_feeds = false - insecure_disable_dnssec_validation = false - } - - # Gateway policies configuration - # Organized by policy type: NETWORK (L4) policies first, then HTTP (L7) policies - # Following Cloudflare best practices with 1000-spacing between major groups - # Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000 - gateway_policies = { - #========================================================== - # NETWORK (L4) POLICIES - # Port/Protocol/IP-based filtering evaluated before HTTP policies - # Terraform precedence ranges: 4000, 21000-23000 - # Dashboard precedence ranges: 1000-3000, 36000-37000 - #========================================================== - - # Access Infrastructure Integration (Precedence: 4000) - access_infra_target = { - name = "NETWORK - Allow: Cible en matière d'infrastructures d'accès" - description = "Évaluer les applications d'accès avant ou après des stratégies de passerelle spécifiques" - enabled = true - action = "allow" - precedence = local.precedence.access_infra_target - filters = ["l4"] - traffic = "access.target" - notification_enabled = false - } - - # Zero Trust RDP Access Control (Precedence: 21000) - rdp_admin_access = { - name = "NETWORK - Allow: RDP - Accès administrateur informatique" - description = "Autoriser l'accès RDP aux administrateurs informatiques avec vérification de l'identité et de la posture des appareils" - enabled = true - action = "allow" - precedence = local.precedence.rdp_admin_allow - filters = ["l4"] - traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\"" - identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")" - device_posture = "any(device_posture.checks.passed[*] == \"${var.cloudflare_macos_posture_id}\") or any(device_posture.checks.passed[*] == \"${var.cloudflare_windows_posture_id}\") or any(device_posture.checks.passed[*] == \"${var.cloudflare_linux_posture_id}\")" - notification_enabled = false - } - - # Lateral Movement Prevention - East-West Traffic (Precedence: 22000-22400) - block_lateral_ssh = { - name = "NETWORK - Block: Mouvement latéral SSH" - description = "Bloquez les connexions SSH entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SSH directes depuis les clients WARP." - enabled = true - action = "block" - precedence = local.precedence.block_lateral_ssh - filters = ["l4"] - traffic = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" - block_reason = "SSH lateral movement blocked - use authorized access methods or ensure device compliance" - notification_enabled = true - } - block_lateral_rdp = { - name = "NETWORK - Block: Mouvement latéral RDP" - description = "Bloquez les connexions RDP entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions RDP directes depuis les clients WARP." - enabled = true - action = "block" - precedence = local.precedence.block_lateral_rdp - filters = ["l4"] - traffic = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" - block_reason = "RDP lateral movement blocked - use authorized methods" - notification_enabled = true - } - block_lateral_smb = { - name = "NETWORK - Block: Mouvement latéral SMB" - description = "Bloquez les connexions SMB/CIFS entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SMB directes depuis les clients WARP." - enabled = true - action = "block" - precedence = local.precedence.block_lateral_smb - filters = ["l4"] - traffic = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" - block_reason = "SMB lateral movement blocked - use authorized methods" - notification_enabled = true - } - block_lateral_winrm = { - name = "NETWORK - Block: Mouvement latéral WinRM" - description = "Bloquez les connexions WinRM entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions WinRM directes depuis les clients WARP." - enabled = true - action = "block" - precedence = local.precedence.block_lateral_winrm - filters = ["l4"] - traffic = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" - block_reason = "WinRM lateral movement blocked - use authorized methods" - notification_enabled = true - } - block_lateral_database = { - name = "NETWORK - Block: Mouvement latéral dans les bases de données" - description = "Bloquer les connexions aux bases de données entre les machines virtuelles internes afin d'empêcher les mouvements latéraux, tout en autorisant l'accès direct à la base de données depuis les clients WARP." - enabled = true - action = "block" - precedence = local.precedence.block_lateral_database - filters = ["l4"] - traffic = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" - block_reason = "Database lateral movement blocked - use authorized methods" - notification_enabled = true - } - - # IP-based Access Control (Precedence: 23000) - block_ip_access = { - name = "NETWORK - Block : Accéder aux applications GCP via une adresse IP privée" - description = "Cette règle bloque l'accès à l'application Compétition et à l'application Administration via l'adresse IP et le port." - enabled = true - action = "block" - precedence = local.precedence.ip_access_block - filters = ["l4"] - traffic = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_competition_app_port})" - block_reason = "This website is blocked because you are trying to access an internal app via its IP address" - notification_enabled = true - } - - # Default Deny - Evaluated Last (Precedence: 21700) - rdp_default_deny = { - name = "NETWORK - Block : Deny par défaut" - description = "Refuser l'accès RDP aux utilisateurs sans privilèges d'administrateur informatique (évalué après la politique d'autorisation)" - enabled = true - action = "block" - precedence = local.precedence.rdp_default_deny - filters = ["l4"] - traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\"" - block_reason = "RDP access denied - insufficient privileges" - notification_enabled = true - } - - #========================================================== - # HTTP (L7) POLICIES - # Application/Content-based filtering - # Terraform precedence ranges: 24000-25100 - # Dashboard precedence ranges: 13000-20000 - # Note: Dashboard Do-Not-Inspect policies (13000-15000) evaluated before Terraform HTTP policies - #========================================================== - - # AI Application Governance (Precedence: 24000-24100) - redirect_ai_to_claude = { - name = "HTTP - Redirect: Redirect users to claude.ai" - description = "Redirect any unreviewed AI application to claude.ai instead" - enabled = true - action = "redirect" - precedence = local.precedence.ai_tools_redirect - filters = ["http"] - traffic = "any(app.type.ids[*] in {25}) and any(app.statuses[*] == \"unreviewed\")" - redirect_url = "https://claude.ai" - notification_enabled = false - } - - # Content Filtering & DLP (Precedence: 25000-25100) - block_pdf_download = { - name = "HTTP - Block: PDF Files download" - description = "Block Downloading PDF Files for Sales Engineering group" - enabled = false - action = "block" - precedence = local.precedence.pdf_block - filters = ["http"] - traffic = "any(http.download.file.types[*] in {\"pdf\"})" - identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_sales_eng_saml_group_name}\")" - block_reason = "This download is blocked because it is a pdf file (not approved)" - notification_enabled = true - } - - block_gambling = { - name = "HTTP - Block: Gambling websites" - description = "Block Gambling website according to corporate policies (HTTP)." - enabled = true - action = "block" - precedence = local.precedence.gambling_block - filters = ["http"] - traffic = "any(http.request.uri.content_category[*] in {99})" - identity = "not(any(identity.saml_attributes[*] == \"groups=${var.okta_contractors_saml_group_name}\")) or not(identity.email == \"${var.okta_bob_user_login}\")" - block_reason = "This website is blocked according to corporate policies (HTTP)" - notification_enabled = true - } - - allow_chatgpt_log = { - name = "HTTP - Allow: ChatGPT logging" - description = "Log ChatGPT requests" - enabled = true - action = "allow" - precedence = local.precedence.chatgpt_allow_log - filters = ["http"] - traffic = "any(app.ids[*] == 1199) and any(app_control.controls[*] in {1652})" - notification_enabled = false - gen_ai_prompt_log = true - } - } -} - -#========================================================== -# Gateway Policies -#========================================================== -resource "cloudflare_zero_trust_gateway_policy" "policies" { - for_each = local.gateway_policies - - account_id = local.cloudflare_account_id - name = each.value.name - description = each.value.description - enabled = each.value.enabled - action = each.value.action - precedence = each.value.precedence - filters = each.value.filters - traffic = each.value.traffic - - # Optional fields - identity = try(each.value.identity, null) - device_posture = try(each.value.device_posture, null) - - rule_settings = merge( - local.default_block_settings, - { - block_reason = try(each.value.block_reason, "") - notification_settings = { - enabled = try(each.value.notification_enabled, false) - msg = try(each.value.block_reason, "") - } - redirect = try(each.value.redirect_url, null) != null ? { - target_uri = each.value.redirect_url - preserve_path_and_query = false - include_context = false - } : null - gen_ai_prompt_log = try(each.value.gen_ai_prompt_log, null) != null ? { - enabled = each.value.gen_ai_prompt_log - } : null - } - ) -}