From e5b0954a01e46793457fe2ad3b5de9f7a1f92ec7 Mon Sep 17 00:00:00 2001
From: Hubert Cornet <hcornet@noreply@tips-of-mine.fr>
Date: Wed, 19 Nov 2025 14:57:27 +0100
Subject: [PATCH] Update Traffic_Policies-Firewall_Policies-Network.tf

---
 Traffic_Policies-Firewall_Policies-Network.tf | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/Traffic_Policies-Firewall_Policies-Network.tf b/Traffic_Policies-Firewall_Policies-Network.tf
index 1b22b1d..7b5d7e4 100644
--- a/Traffic_Policies-Firewall_Policies-Network.tf
+++ b/Traffic_Policies-Firewall_Policies-Network.tf
@@ -6,7 +6,7 @@
 # Local Variables
 #==========================================================
 locals {
-  precedence = {
+  precedence_network = {
     # NETWORK (L4) Policies - Access Infrastructure Integration
     access_infra_target = 4000 # Access Infrastructure integration (between DNS groups)
 
@@ -37,7 +37,7 @@ locals {
   # Organized by policy type: NETWORK (L4) policies first
   # Following Cloudflare best practices with 1000-spacing between major groups
   # Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000
-  gateway_policies = {
+  gateway_policies_network = {
     #==========================================================
     # NETWORK (L4) POLICIES
     # Port/Protocol/IP-based filtering evaluated before HTTP policies
@@ -51,7 +51,7 @@ locals {
       description          = "Évaluer les applications d'accès avant ou après des stratégies de passerelle spécifiques"
       enabled              = true
       action               = "allow"
-      precedence           = local.precedence.access_infra_target
+      precedence           = local.precedence_network.access_infra_target
       filters              = ["l4"]
       traffic              = "access.target"
       notification_enabled = false
@@ -63,7 +63,7 @@ locals {
       description          = "Autoriser l'accès RDP aux administrateurs informatiques avec vérification de l'identité et de la posture des appareils"
       enabled              = true
       action               = "allow"
-      precedence           = local.precedence.rdp_admin_allow
+      precedence           = local.precedence_network.rdp_admin_allow
       filters              = ["l4"]
       traffic              = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
       identity             = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")"
@@ -77,7 +77,7 @@ locals {
       description          = "Bloquez les connexions SSH entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SSH directes depuis les clients WARP."
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.block_lateral_ssh
+      precedence           = local.precedence_network.block_lateral_ssh
       filters              = ["l4"]
       traffic              = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
       block_reason         = "SSH lateral movement blocked - use authorized access methods or ensure device compliance"
@@ -88,7 +88,7 @@ locals {
       description          = "Bloquez les connexions RDP entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions RDP directes depuis les clients WARP."
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.block_lateral_rdp
+      precedence           = local.precedence_network.block_lateral_rdp
       filters              = ["l4"]
       traffic              = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
       block_reason         = "RDP lateral movement blocked - use authorized methods"
@@ -99,7 +99,7 @@ locals {
       description          = "Bloquez les connexions SMB/CIFS entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SMB directes depuis les clients WARP."
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.block_lateral_smb
+      precedence           = local.precedence_network.block_lateral_smb
       filters              = ["l4"]
       traffic              = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
       block_reason         = "SMB lateral movement blocked - use authorized methods"
@@ -110,7 +110,7 @@ locals {
       description          = "Bloquez les connexions WinRM entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions WinRM directes depuis les clients WARP."
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.block_lateral_winrm
+      precedence           = local.precedence_network.block_lateral_winrm
       filters              = ["l4"]
       traffic              = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
       block_reason         = "WinRM lateral movement blocked - use authorized methods"
@@ -121,7 +121,7 @@ locals {
       description          = "Bloquer les connexions aux bases de données entre les machines virtuelles internes afin d'empêcher les mouvements latéraux, tout en autorisant l'accès direct à la base de données depuis les clients WARP."
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.block_lateral_database
+      precedence           = local.precedence_network.block_lateral_database
       filters              = ["l4"]
       traffic              = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
       block_reason         = "Database lateral movement blocked - use authorized methods"
@@ -134,7 +134,7 @@ locals {
       description          = "Cette règle bloque l'accès à l'application Compétition et à l'application Administration via l'adresse IP et le port."
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.ip_access_block
+      precedence           = local.precedence_network.ip_access_block
       filters              = ["l4"]
       traffic              = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_competition_app_port})"
       block_reason         = "This website is blocked because you are trying to access an internal app via its IP address"
@@ -147,7 +147,7 @@ locals {
       description          = "Refuser l'accès RDP aux utilisateurs sans privilèges d'administrateur informatique (évalué après la politique d'autorisation)"
       enabled              = true
       action               = "block"
-      precedence           = local.precedence.rdp_default_deny
+      precedence           = local.precedence_network.rdp_default_deny
       filters              = ["l4"]
       traffic              = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
       block_reason         = "RDP access denied - insufficient privileges"
@@ -160,14 +160,14 @@ locals {
 # Gateway Policies
 #==========================================================
 resource "cloudflare_zero_trust_gateway_policy" "policies" {
-  for_each = local.gateway_policies
+  for_each = local.gateway_policies_network
 
   account_id  = local.cloudflare_account_id
   name        = each.value.name
   description = each.value.description
   enabled     = each.value.enabled
   action      = each.value.action
-  precedence  = each.value.precedence
+  precedence  = each.value.precedence_network
   filters     = each.value.filters
   traffic     = each.value.traffic