From dc6e3ca952b17b3a145a84fec28462b917058b84 Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Sun, 16 Nov 2025 18:31:06 +0100
Subject: [PATCH] Update access_policies.tf
---
 access_policies.tf | 104 ++++++++------------------------------------
 1 file changed, 18 insertions(+), 86 deletions(-)
diff --git a/access_policies.tf b/access_policies.tf
index 7a8e419..62539e9 100644
--- a/access_policies.tf
+++ b/access_policies.tf
@@ -5,7 +5,7 @@
 #
 resource "cloudflare_zero_trust_access_policy" "allow_policie" {
 account_id = local.cloudflare_account_id
- name = "Allow"
+ name = "Default"
 decision = "allow"
 session_duration = "24h"
@@ -17,93 +17,25 @@ resource "cloudflare_zero_trust_access_policy" "allow_policie" {
 }
 #
-resource "cloudflare_zero_trust_access_policy" "policies" {
- for_each = local.access_policies
-
+resource "cloudflare_zero_trust_access_policy" "intranet_web_app" {
 account_id = local.cloudflare_account_id
+ name = "Intranet App Policy"
 decision = "allow"
- name = each.value.name
 session_duration = "0s"
+}
- # Purpose justification
- purpose_justification_prompt = try(each.value.purpose_justification_prompt, null)
- purpose_justification_required = try(each.value.purpose_justification, false)
+#
+resource "cloudflare_zero_trust_access_policy" "competition_web_app" {
+ account_id = local.cloudflare_account_id
+ name = "Competition App Policy"
+ decision = "allow"
+ session_duration = "0s"
+}
- # Include groups
- include = concat(
- # Groups (both SAML and composite groups via mapping)
- [
- for group in each.value.include_groups : {
- group = {
- id = local.policy_groups[group]
- }
- }
- ],
- # Email domain (for contractors)
- try(each.value.include_email_domain, false) ? [{
- email_domain = {
- domain = var.cf_email_domain
- }
- }] : []
- )
-
- # Require conditions
- require = concat(
- # Device posture (always required if specified)
- try(each.value.require_posture, false) ? [{
- device_posture = {
- integration_uid = var.cf_gateway_posture_id
- }
- }] : [],
- # MFA requirement
- try(each.value.require_mfa, false) ? [{
- auth_method = {
- auth_method = "mfa"
- }
- }] : [],
- # Login method (for specific policies)
- try(each.value.require_login_method, false) ? [{
- login_method = {
- id = var.cf_okta_identity_provider_id
- }
- }] : [],
- # Country requirements
- try(each.value.require_country, false) ? [{
- group = {
- id = cloudflare_zero_trust_access_group.country_requirements_rule_group.id
- }
- }] : [],
- # OS version requirements
- try(each.value.require_os_version, false) ? [{
- group = {
- id = cloudflare_zero_trust_access_group.latest_os_version_requirements_rule_group.id
- }
- }] : [],
- # External evaluation requirements
- try(each.value.require_external_evaluation, false) ? [{
- external_evaluation = {
- evaluate_url = each.value.external_evaluation_url
- keys_url = each.value.external_evaluation_keys_url
- }
- }] : []
- )
-
- # Exclude SMS (for MFA policies)
- exclude = try(each.value.require_mfa, false) ? [{
- auth_method = {
- auth_method = "sms"
- }
- }] : []
-
- # Explicit dependencies to ensure proper destruction order:
- # Policies → Composite Groups → Individual SAML Groups
- depends_on = [
- cloudflare_zero_trust_access_group.employees_rule_group,
- cloudflare_zero_trust_access_group.sales_team_rule_group,
- cloudflare_zero_trust_access_group.admins_rule_group,
- cloudflare_zero_trust_access_group.contractors_rule_group,
- cloudflare_zero_trust_access_group.saml_groups
- ]
-
- # Note: lifecycle blocks cannot be conditional in for_each resources
-}
\ No newline at end of file
+#
+resource "cloudflare_zero_trust_access_policy" "employees_browser_rendering" {
+ account_id = local.cloudflare_account_id
+ name = "Employees AWS Database Policy"
+ decision = "allow"
+ session_duration = "0s"
+}
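Review bot: None of the three new `allow` policies (`intranet_web_app`, `competition_web_app`, `employees_browser_rendering`) carries an `include`, `require` or `exclude` rule, so the group scoping, device-posture, MFA (with SMS excluded), Okta login-method, country/OS-version and external-evaluation conditions that the removed `policies` resource assembled are no longer applied anywhere in this file. In the provider versions I am aware of `include` is a required argument on `cloudflare_zero_trust_access_policy`, so `terraform plan` would likely fail as written; if the version in use accepts it, the effect is an `allow` decision with no subject restriction once the policy is attached to an application. Each resource should at least get an `include` scoped to the intended group and, where the old controls still apply, the `require`/`exclude` entries carried over; the sketch below reuses identifiers from the removed block (`employees_rule_group`, `var.cf_gateway_posture_id`), assuming they still exist in the module. Separately, the label `employees_browser_rendering` and its `name = "Employees AWS Database Policy"` disagree, so one of them should be renamed to say what the policy actually guards.
```hcl
resource "cloudflare_zero_trust_access_policy" "employees_browser_rendering" {
  # … unchanged: account_id, name, decision, session_duration …

  # Without an include nothing limits who the allow decision matches.
  include = [{
    group = { id = cloudflare_zero_trust_access_group.employees_rule_group.id }
  }]

  # Carry over the controls the removed "policies" resource enforced (adjust per app).
  require = [
    { device_posture = { integration_uid = var.cf_gateway_posture_id } },
    { auth_method = { auth_method = "mfa" } },
  ]
  exclude = [{ auth_method = { auth_method = "sms" } }]
}
```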