Update access_policies.tf

access_policies.tf

@@ -5,7 +5,7 @@
 #
 resource "cloudflare_zero_trust_access_policy" "allow_policie" {
   account_id       = local.cloudflare_account_id
-  name             = "Allow"
+  name             = "Default"
   decision         = "allow"
   session_duration = "24h"
 
@@ -17,93 +17,25 @@ resource "cloudflare_zero_trust_access_policy" "allow_policie" {
 }
 
 #
-resource "cloudflare_zero_trust_access_policy" "policies" {
+resource "cloudflare_zero_trust_access_policy" "intranet_web_app" {
-  for_each = local.access_policies
-
   account_id       = local.cloudflare_account_id
+  name             = "Intranet App Policy"
+  decision         = "allow"
+  session_duration = "0s"
+}
+
+#
+resource "cloudflare_zero_trust_access_policy" "competition_web_app" {
+  account_id       = local.cloudflare_account_id
+  name             = "Competition App Policy"
+  decision         = "allow"
+  session_duration = "0s"
+}
+
+#
+resource "cloudflare_zero_trust_access_policy" "employees_browser_rendering" {
+  account_id       = local.cloudflare_account_id
+  name             = "Employees AWS Database Policy"
   decision         = "allow"
-  name             = each.value.name
   session_duration = "0s"
-
-  # Purpose justification
-  purpose_justification_prompt   = try(each.value.purpose_justification_prompt, null)
-  purpose_justification_required = try(each.value.purpose_justification, false)
-
-  # Include groups
-  include = concat(
-    # Groups (both SAML and composite groups via mapping)
-    [
-      for group in each.value.include_groups : {
-        group = {
-          id = local.policy_groups[group]
-        }
-      }
-    ],
-    # Email domain (for contractors)
-    try(each.value.include_email_domain, false) ? [{
-      email_domain = {
-        domain = var.cf_email_domain
-      }
-    }] : []
-  )
-
-  # Require conditions
-  require = concat(
-    # Device posture (always required if specified)
-    try(each.value.require_posture, false) ? [{
-      device_posture = {
-        integration_uid = var.cf_gateway_posture_id
-      }
-    }] : [],
-    # MFA requirement
-    try(each.value.require_mfa, false) ? [{
-      auth_method = {
-        auth_method = "mfa"
-      }
-    }] : [],
-    # Login method (for specific policies)
-    try(each.value.require_login_method, false) ? [{
-      login_method = {
-        id = var.cf_okta_identity_provider_id
-      }
-    }] : [],
-    # Country requirements
-    try(each.value.require_country, false) ? [{
-      group = {
-        id = cloudflare_zero_trust_access_group.country_requirements_rule_group.id
-      }
-    }] : [],
-    # OS version requirements
-    try(each.value.require_os_version, false) ? [{
-      group = {
-        id = cloudflare_zero_trust_access_group.latest_os_version_requirements_rule_group.id
-      }
-    }] : [],
-    # External evaluation requirements
-    try(each.value.require_external_evaluation, false) ? [{
-      external_evaluation = {
-        evaluate_url = each.value.external_evaluation_url
-        keys_url     = each.value.external_evaluation_keys_url
-      }
-    }] : []
-  )
-
-  # Exclude SMS (for MFA policies)
-  exclude = try(each.value.require_mfa, false) ? [{
-    auth_method = {
-      auth_method = "sms"
-    }
-  }] : []
-
-  # Explicit dependencies to ensure proper destruction order:
-  # Policies → Composite Groups → Individual SAML Groups
-  depends_on = [
-    cloudflare_zero_trust_access_group.employees_rule_group,
-    cloudflare_zero_trust_access_group.sales_team_rule_group,
-    cloudflare_zero_trust_access_group.admins_rule_group,
-    cloudflare_zero_trust_access_group.contractors_rule_group,
-    cloudflare_zero_trust_access_group.saml_groups
-  ]
-
-  # Note: lifecycle blocks cannot be conditional in for_each resources
 }