diff --git a/access_groups.tf b/access_groups.tf
index 2aff5a4..889a86f 100644
--- a/access_groups.tf
+++ b/access_groups.tf
@@ -2,16 +2,60 @@ # CLOUDFLARE : Access : Groups
 # =============================================================================
-#
-#resource "cloudflare_zero_trust_access_policy" "allow_policie" {
-#  account_id       = local.cloudflare_account_id
-#  name             = "Allow"
-#  decision         = "allow"
-#  session_duration = "24h"
-#
-#  include = [{
-#    group = {
-#      id = cloudflare_zero_trust_access_group.default_groups.id
-#    }
-#  }]
-#}
\ No newline at end of file
+locals {
+  # SAML groups from Okta
+  saml_groups = {
+    contractors          = var.okta_contractors_saml_group_name
+    infrastructure_admin = var.okta_infra_admin_saml_group_name
+    sales_engineering    = var.okta_sales_eng_saml_group_name
+    sales                = var.okta_sales_saml_group_name
+    it_admin             = var.okta_itadmin_saml_group_name
+  }
+
+  # Allowed countries
+  allowed_countries = ["FR", "DE", "US", "GB"]
+  blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]
+
+  # OS posture checks
+  os_posture_checks = [
+    var.cf_linux_posture_id,
+    var.cf_macos_posture_id,
+    var.cf_windows_posture_id
+  ]
+}
+
+# SAML Rule Groups
+resource "cloudflare_zero_trust_access_group" "saml_groups" {
+  for_each   = local.saml_groups
+  account_id = local.cloudflare_account_id
+  name       = each.value
+
+  include = [{
+    saml = {
+      identity_provider_id = var.cf_okta_identity_provider_id
+      attribute_name       = "groups"
+      attribute_value      = each.value
+    }
+  }]
+}
+
+# Geographic Rule Groups
+resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
+  account_id = local.cloudflare_account_id
+  name       = "Country Requirements"
+
+  include = [
+    for country in local.allowed_countries : {
+      geo = {
+        country_code = country
+      }
+    }
+  ]
+  exclude = [
+    for country in local.blocked_countries : {
+      geo = {
+        country_code = country
+      }
+    }
+  ]
+}
\ No newline at end of file
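Review bot: The `exclude` list on `country_requirements_rule_group` is dead configuration: `include` already restricts membership to `local.allowed_countries`, and none of those four codes appears in `blocked_countries`, so the fourteen exclusions can only take effect if someone later adds an overlapping code to the allowlist. I would either drop the `exclude` or make the disjointness an explicit plan-time check with a `lifecycle` precondition on the resource, as sketched below. Separately, since `geo.country_code` is derived from the client IP, this group is only a sound control when consumed as a `require` constraint alongside a `saml_groups` include in the policies (presumably defined elsewhere), never as a policy's sole `include`; a comment above the resource such as `# Use as a require constraint in policies, not as the only include` would make that intent visible. `local.os_posture_checks` is declared here but not referenced in this hunk, so I assume another file consumes it.

```terraform
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
  # … unchanged: account_id, name, include, exclude …

  lifecycle {
    precondition {
      condition     = length(setintersection(local.allowed_countries, local.blocked_countries)) == 0
      error_message = "allowed_countries and blocked_countries must be disjoint."
    }
  }
}
```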