Update Traffic_Policies-Firewall_Policies-Network.tf

This commit is contained in:
2025-11-19 14:57:27 +01:00
parent d947740902
commit e5b0954a01


@@ -6,7 +6,7 @@
# Local Variables # Local Variables
#========================================================== #==========================================================
locals { locals {
precedence = { precedence_network = {
# NETWORK (L4) Policies - Access Infrastructure Integration # NETWORK (L4) Policies - Access Infrastructure Integration
access_infra_target = 4000 # Access Infrastructure integration (between DNS groups) access_infra_target = 4000 # Access Infrastructure integration (between DNS groups)
@@ -37,7 +37,7 @@ locals {
# Organized by policy type: NETWORK (L4) policies first # Organized by policy type: NETWORK (L4) policies first
# Following Cloudflare best practices with 1000-spacing between major groups # Following Cloudflare best practices with 1000-spacing between major groups
# Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000 # Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000
gateway_policies = { gateway_policies_network = {
#========================================================== #==========================================================
# NETWORK (L4) POLICIES # NETWORK (L4) POLICIES
# Port/Protocol/IP-based filtering evaluated before HTTP policies # Port/Protocol/IP-based filtering evaluated before HTTP policies
@@ -51,7 +51,7 @@ locals {
description = "Évaluer les applications d'accès avant ou après des stratégies de passerelle spécifiques" description = "Évaluer les applications d'accès avant ou après des stratégies de passerelle spécifiques"
enabled = true enabled = true
action = "allow" action = "allow"
precedence = local.precedence.access_infra_target precedence = local.precedence_network.access_infra_target
filters = ["l4"] filters = ["l4"]
traffic = "access.target" traffic = "access.target"
notification_enabled = false notification_enabled = false
@@ -63,7 +63,7 @@ locals {
description = "Autoriser l'accès RDP aux administrateurs informatiques avec vérification de l'identité et de la posture des appareils" description = "Autoriser l'accès RDP aux administrateurs informatiques avec vérification de l'identité et de la posture des appareils"
enabled = true enabled = true
action = "allow" action = "allow"
precedence = local.precedence.rdp_admin_allow precedence = local.precedence_network.rdp_admin_allow
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\"" traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")" identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_itadmin_saml_group_name}\") or any(identity.saml_attributes[*] == \"groups=${var.okta_infra_admin_saml_group_name}\")"
@@ -77,7 +77,7 @@ locals {
description = "Bloquez les connexions SSH entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SSH directes depuis les clients WARP." description = "Bloquez les connexions SSH entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SSH directes depuis les clients WARP."
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.block_lateral_ssh precedence = local.precedence_network.block_lateral_ssh
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" traffic = "net.dst.port == 22 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "SSH lateral movement blocked - use authorized access methods or ensure device compliance" block_reason = "SSH lateral movement blocked - use authorized access methods or ensure device compliance"
@@ -88,7 +88,7 @@ locals {
description = "Bloquez les connexions RDP entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions RDP directes depuis les clients WARP." description = "Bloquez les connexions RDP entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions RDP directes depuis les clients WARP."
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.block_lateral_rdp precedence = local.precedence_network.block_lateral_rdp
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" traffic = "net.dst.port == 3389 and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "RDP lateral movement blocked - use authorized methods" block_reason = "RDP lateral movement blocked - use authorized methods"
@@ -99,7 +99,7 @@ locals {
description = "Bloquez les connexions SMB/CIFS entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SMB directes depuis les clients WARP." description = "Bloquez les connexions SMB/CIFS entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions SMB directes depuis les clients WARP."
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.block_lateral_smb precedence = local.precedence_network.block_lateral_smb
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" traffic = "net.dst.port in {445 139} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "SMB lateral movement blocked - use authorized methods" block_reason = "SMB lateral movement blocked - use authorized methods"
@@ -110,7 +110,7 @@ locals {
description = "Bloquez les connexions WinRM entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions WinRM directes depuis les clients WARP." description = "Bloquez les connexions WinRM entre les machines virtuelles internes pour empêcher les mouvements latéraux, tout en autorisant les connexions WinRM directes depuis les clients WARP."
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.block_lateral_winrm precedence = local.precedence_network.block_lateral_winrm
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" traffic = "net.dst.port in {5985 5986} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "WinRM lateral movement blocked - use authorized methods" block_reason = "WinRM lateral movement blocked - use authorized methods"
@@ -121,7 +121,7 @@ locals {
description = "Bloquer les connexions aux bases de données entre les machines virtuelles internes afin d'empêcher les mouvements latéraux, tout en autorisant l'accès direct à la base de données depuis les clients WARP." description = "Bloquer les connexions aux bases de données entre les machines virtuelles internes afin d'empêcher les mouvements latéraux, tout en autorisant l'accès direct à la base de données depuis les clients WARP."
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.block_lateral_database precedence = local.precedence_network.block_lateral_database
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})" traffic = "net.dst.port in {3306 5432 1433 1521 27017} and net.protocol == \"tcp\" and (net.dst.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and (net.src.ip in {${var.aws_private_cidr} ${var.gcp_infra_cidr} ${var.gcp_windows_rdp_cidr} ${var.gcp_warp_cidr} ${var.azure_subnet_cidr}}) and not (net.src.ip in {${var.cloudflare_warp_cgnat_cidr}})"
block_reason = "Database lateral movement blocked - use authorized methods" block_reason = "Database lateral movement blocked - use authorized methods"
@@ -134,7 +134,7 @@ locals {
description = "Cette règle bloque l'accès à l'application Compétition et à l'application Administration via l'adresse IP et le port." description = "Cette règle bloque l'accès à l'application Compétition et à l'application Administration via l'adresse IP et le port."
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.ip_access_block precedence = local.precedence_network.ip_access_block
filters = ["l4"] filters = ["l4"]
traffic = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_competition_app_port})" traffic = "(net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_intranet_app_port}) or (net.dst.ip == ${var.gcp_vm_internal_ip} and net.dst.port == ${var.cloudflare_competition_app_port})"
block_reason = "This website is blocked because you are trying to access an internal app via its IP address" block_reason = "This website is blocked because you are trying to access an internal app via its IP address"
@@ -147,7 +147,7 @@ locals {
description = "Refuser l'accès RDP aux utilisateurs sans privilèges d'administrateur informatique (évalué après la politique d'autorisation)" description = "Refuser l'accès RDP aux utilisateurs sans privilèges d'administrateur informatique (évalué après la politique d'autorisation)"
enabled = true enabled = true
action = "block" action = "block"
precedence = local.precedence.rdp_default_deny precedence = local.precedence_network.rdp_default_deny
filters = ["l4"] filters = ["l4"]
traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\"" traffic = "net.dst.ip == ${var.gcp_windows_vm_internal_ip} and net.dst.port == ${var.cloudflare_domain_controller_rdp_port} and net.protocol == \"tcp\""
block_reason = "RDP access denied - insufficient privileges" block_reason = "RDP access denied - insufficient privileges"
@@ -160,14 +160,14 @@ locals {
# Gateway Policies # Gateway Policies
#========================================================== #==========================================================
resource "cloudflare_zero_trust_gateway_policy" "policies" { resource "cloudflare_zero_trust_gateway_policy" "policies" {
for_each = local.gateway_policies for_each = local.gateway_policies_network
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
name = each.value.name name = each.value.name
description = each.value.description description = each.value.description
enabled = each.value.enabled enabled = each.value.enabled
action = each.value.action action = each.value.action
precedence = each.value.precedence precedence = each.value.precedence_network
filters = each.value.filters filters = each.value.filters
traffic = each.value.traffic traffic = each.value.traffic