Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Update Traffic_Policies-Firewall_Policies-DNS.tf

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-18 19:35:36 +01:00
parent 29e9455e0d
commit d18ae1c7ad
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

190
Traffic_Policies-Firewall_Policies-DNS.tf Normal file
View File

@@ -0,0 +1,190 @@
# =============================================================================
# CLOUDFLARE : Traffic Policies : Firewall Policies : DNS
# =============================================================================
# POLICY: block_malware
resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
account_id = local.cloudflare_account_id
name = "Block malware"
description = "Block known threats based on Cloudflare s threat intelligence"
enabled = true
precedence = 10
# Block all security risks
filters = ["dns"]
traffic = "any(dns.security_category[*] in {178 80 83 176 175 117 131 134 151 153 68})"
action = "block"
rule_settings = {
block_page_enabled = true
}
}
# POLICY: Block Ads
locals {
ads_domain_lists = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]
ads_domain_lists_formatted = [for v in local.ads_domain_lists : format("$%s", replace(v, "-", ""))]
ads_ad_filters = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted)
ads_ad_filter = join(" or ", local.ads_ad_filters)
}
resource "cloudflare_zero_trust_gateway_policy" "block_ads" {
account_id = local.cloudflare_account_id
name = "Block Ads"
description = "Block Ads domains"
enabled = true
precedence = 11
# Block domain belonging to lists (defined below)
filters = ["dns"]
traffic = local.ads_ad_filter_new
action = "block"
rule_settings = {
block_page_enabled = false
}
}
locals {
ads_domain_list_file = "${path.module}/lists/pihole_domain_list.txt"
ads_domain_list = length(file(local.ads_domain_list_file)) > 0 ? split("\n", file(local.ads_domain_list_file)) : []
ads_domain_list_clean = [for x in local.ads_domain_list : x if x != ""]
ads_aggregated_lists = chunklist(local.ads_domain_list_clean, 1000)
ads_list_count = length(local.ads_aggregated_lists)
ads_domain_lists_new = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]
ads_domain_lists_formatted_new = [for v in local.ads_domain_lists_new : format("$%s", replace(v, "-", ""))]
ads_ad_filters_new = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted_new)
ads_ad_filter_new = join(" or ", local.ads_ad_filters_new)
}
resource "cloudflare_zero_trust_list" "ads_domain_lists" {
account_id = local.cloudflare_account_id
for_each = {
for i in range(0, local.ads_list_count) :
i => element(local.ads_aggregated_lists, i)
}
name = "ads_domain_list_${each.key}"
type = "DOMAIN"
items = [for domain in each.value : {
value = domain
}]
}
#
#resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
# account_id = local.cloudflare_account_id
# action = "allow"
# name = "block bad websites"
# description = "Block bad websites based on their host name."
# device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"
# enabled = true
# expiration = {
# expires_at = "2026-01-01T05:20:20Z"
# duration = 10
# }
# filters = ["http"]
# identity = "any(identity.groups.name[*] in {\"finance\"})"
# precedence = 0
# rule_settings = {
# add_headers = {
# My-Next-Header = ["foo", "bar"]
# X-Custom-Header-Name = ["somecustomvalue"]
# }
# allow_child_bypass = true
# audit_ssh = {
# command_logging = false
# }
# biso_admin_controls = {
# copy = "remote_only"
# dcp = true
# dd = true
# dk = true
# download = "enabled"
# dp = false
# du = true
# keyboard = "enabled"
# paste = "enabled"
# printing = "enabled"
# upload = "enabled"
# version = "v1"
# }
# block_page = {
# target_uri = "https://example.com"
# include_context = true
# }
# block_page_enabled = true
# block_reason = "This website is a security risk"
# bypass_parent_rule = false
# check_session = {
# duration = "300s"
# enforce = true
# }
# dns_resolvers = {
# ipv4 = [{
# ip = "2.2.2.2"
# port = 5053
# route_through_private_network = true
# vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
# }]
# ipv6 = [{
# ip = "2001:DB8::"
# port = 5053
# route_through_private_network = true
# vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
# }]
# }
# egress = {
# ipv4 = "192.0.2.2"
# ipv4_fallback = "192.0.2.3"
# ipv6 = "2001:DB8::/64"
# }
# ignore_cname_category_matches = true
# insecure_disable_dnssec_validation = false
# ip_categories = true
# ip_indicator_feeds = true
# l4override = {
# ip = "1.1.1.1"
# port = 0
# }
# notification_settings = {
# enabled = true
# include_context = true
# msg = "msg"
# support_url = "support_url"
# }
# override_host = "example.com"
# override_ips = ["1.1.1.1", "2.2.2.2"]
# payload_log = {
# enabled = true
# }
# quarantine = {
# file_types = ["exe"]
# }
# redirect = {
# target_uri = "https://example.com"
# include_context = true
# preserve_path_and_query = true
# }
# resolve_dns_internally = {
# fallback = "none"
# view_id = "view_id"
# }
# resolve_dns_through_cloudflare = true
# untrusted_cert = {
# action = "error"
# }
# }
# schedule = {
# time_zone = "Europe/Paris"
# mon = "08:00-12:30,13:30-17:00"
# thu = "08:00-12:30,13:30-17:00"
# tue = "08:00-12:30,13:30-17:00"
# wed = "08:00-12:30,13:30-17:00"
# fri = "08:00-12:30,13:30-17:00"
# sat = "08:00-12:30,13:30-17:00"
# sun = "08:00-12:30,13:30-17:00"
# }
# traffic = "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
#}