Update Traffic_Policies-Firewall_Policies-Network.tf

2025-11-19 14:57:27 +01:00
parent d947740902
commit e5b0954a01
1 changed files with 13 additions and 13 deletions
--- a/Traffic_Policies-Firewall_Policies-Network.tf
+++ b/Traffic_Policies-Firewall_Policies-Network.tf
@@ -6,7 +6,7 @@
 # Local Variables
 #==========================================================
 locals {
-  precedence = {
+  precedence_network = {
    # NETWORK (L4) Policies - Access Infrastructure Integration
    access_infra_target = 4000 # Access Infrastructure integration (between DNS groups)

@@ -37,7 +37,7 @@ locals {
  # Organized by policy type: NETWORK (L4) policies first
  # Following Cloudflare best practices with 1000-spacing between major groups
  # Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000
-  gateway_policies = {
+  gateway_policies_network = {
    #==========================================================
    # NETWORK (L4) POLICIES
    # Port/Protocol/IP-based filtering evaluated before HTTP policies
@@ -51,7 +51,7 @@ locals {
      description          = "Évaluer les applications d'accès avant ou après des stratégies de passerelle spécifiques"
      enabled              = true
      action               = "allow"
-      precedence           = local.precedence.access_infra_target
+      precedence           = local.precedence_network.access_infra_target
      filters              = ["l4"]
      traffic              = "access.target"
      notification_enabled = false
@@ -63,7 +63,7 @@ locals {
      description          = "Autoriser l'accès RDP aux administrateurs informatiques avec vérification de l'identité et de la posture des appareils"
      enabled              = true
      action               = "allow"
-      precedence           = local.precedence.rdp_admin_allow
+      precedence           = local.precedence_network.rdp_admin_allow
      filters              = ["l4"]
      traffic              = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
      identity             = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")"
@@ -77,7 +77,7 @@ locals {
      description          = "Bloquez les connexions SSH entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SSH directes depuis les clients WARP."
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.block_lateral_ssh
+      precedence           = local.precedence_network.block_lateral_ssh
      filters              = ["l4"]
      traffic              = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
      block_reason         = "SSH lateral movement blocked - use authorized access methods or ensure device compliance"
@@ -88,7 +88,7 @@ locals {
      description          = "Bloquez les connexions RDP entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions RDP directes depuis les clients WARP."
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.block_lateral_rdp
+      precedence           = local.precedence_network.block_lateral_rdp
      filters              = ["l4"]
      traffic              = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
      block_reason         = "RDP lateral movement blocked - use authorized methods"
@@ -99,7 +99,7 @@ locals {
      description          = "Bloquez les connexions SMB/CIFS entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SMB directes depuis les clients WARP."
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.block_lateral_smb
+      precedence           = local.precedence_network.block_lateral_smb
      filters              = ["l4"]
      traffic              = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
      block_reason         = "SMB lateral movement blocked - use authorized methods"
@@ -110,7 +110,7 @@ locals {
      description          = "Bloquez les connexions WinRM entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions WinRM directes depuis les clients WARP."
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.block_lateral_winrm
+      precedence           = local.precedence_network.block_lateral_winrm
      filters              = ["l4"]
      traffic              = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
      block_reason         = "WinRM lateral movement blocked - use authorized methods"
@@ -121,7 +121,7 @@ locals {
      description          = "Bloquer les connexions aux bases de données entre les machines virtuelles internes afin d'empêcher les mouvements latéraux, tout en autorisant l'accès direct à la base de données depuis les clients WARP."
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.block_lateral_database
+      precedence           = local.precedence_network.block_lateral_database
      filters              = ["l4"]
      traffic              = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
      block_reason         = "Database lateral movement blocked - use authorized methods"
@@ -134,7 +134,7 @@ locals {
      description          = "Cette règle bloque l'accès à l'application Compétition et à l'application Administration via l'adresse IP et le port."
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.ip_access_block
+      precedence           = local.precedence_network.ip_access_block
      filters              = ["l4"]
      traffic              = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_competition_app_port})"
      block_reason         = "This website is blocked because you are trying to access an internal app via its IP address"
@@ -147,7 +147,7 @@ locals {
      description          = "Refuser l'accès RDP aux utilisateurs sans privilèges d'administrateur informatique (évalué après la politique d'autorisation)"
      enabled              = true
      action               = "block"
-      precedence           = local.precedence.rdp_default_deny
+      precedence           = local.precedence_network.rdp_default_deny
      filters              = ["l4"]
      traffic              = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
      block_reason         = "RDP access denied - insufficient privileges"
@@ -160,14 +160,14 @@ locals {
 # Gateway Policies
 #==========================================================
 resource "cloudflare_zero_trust_gateway_policy" "policies" {
-  for_each = local.gateway_policies
+  for_each = local.gateway_policies_network

  account_id  = local.cloudflare_account_id
  name        = each.value.name
  description = each.value.description
  enabled     = each.value.enabled
  action      = each.value.action
-  precedence  = each.value.precedence
+  precedence  = each.value.precedence_network
  filters     = each.value.filters
  traffic     = each.value.traffic