Add access_rule_groups.tf
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 14s
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 14s
This commit is contained in:
163
access_rule_groups.tf
Normal file
163
access_rule_groups.tf
Normal file
@@ -0,0 +1,163 @@
|
||||
#==========================================================
|
||||
# Local Variables
|
||||
#==========================================================
|
||||
locals {
|
||||
# SAML groups from Okta
|
||||
saml_groups = {
|
||||
contractors = var.okta_contractors_saml_group_name
|
||||
infrastructure_admin = var.okta_infra_admin_saml_group_name
|
||||
sales_engineering = var.okta_sales_eng_saml_group_name
|
||||
sales = var.okta_sales_saml_group_name
|
||||
it_admin = var.okta_itadmin_saml_group_name
|
||||
}
|
||||
|
||||
# Azure AD groups
|
||||
azure_groups = {
|
||||
azure_engineering = var.azure_engineering_group_id
|
||||
azure_sales = var.azure_sales_group_id
|
||||
azure_administrators = var.cf_azure_admin_rule_group_id
|
||||
}
|
||||
|
||||
# Allowed countries
|
||||
allowed_countries = ["FR", "DE", "US", "GB"]
|
||||
blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]
|
||||
|
||||
# OS posture checks
|
||||
os_posture_checks = [
|
||||
var.cf_linux_posture_id,
|
||||
var.cf_macos_posture_id,
|
||||
var.cf_windows_posture_id
|
||||
]
|
||||
}
|
||||
|
||||
#==================================================
|
||||
# SAML Rule Groups
|
||||
#===================================================
|
||||
resource "cloudflare_zero_trust_access_group" "saml_groups" {
|
||||
for_each = local.saml_groups
|
||||
account_id = var.cloudflare_account_id
|
||||
name = each.value
|
||||
|
||||
include = [{
|
||||
saml = {
|
||||
identity_provider_id = var.cf_okta_identity_provider_id
|
||||
attribute_name = "groups"
|
||||
attribute_value = each.value
|
||||
}
|
||||
}]
|
||||
}
|
||||
|
||||
#==================================================
|
||||
# Geographic Rule Groups
|
||||
#===================================================
|
||||
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "Country Requirements"
|
||||
|
||||
include = [
|
||||
for country in local.allowed_countries : {
|
||||
geo = {
|
||||
country_code = country
|
||||
}
|
||||
}
|
||||
]
|
||||
exclude = [
|
||||
for country in local.blocked_countries : {
|
||||
geo = {
|
||||
country_code = country
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
#==================================================
|
||||
# Device Posture Rule Groups
|
||||
#===================================================
|
||||
resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "Latest OS Version Requirements"
|
||||
|
||||
include = [
|
||||
for posture_id in local.os_posture_checks : {
|
||||
device_posture = {
|
||||
integration_uid = posture_id
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
#==================================================
|
||||
# Composite Rule Groups
|
||||
#===================================================
|
||||
resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "Employees"
|
||||
|
||||
include = [
|
||||
for group_key in ["it_admin", "sales", "sales_engineering", "infrastructure_admin"] : {
|
||||
group = {
|
||||
id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "Sales Team"
|
||||
|
||||
include = [
|
||||
for group_key in ["sales", "sales_engineering"] : {
|
||||
group = {
|
||||
id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "Administrators"
|
||||
|
||||
include = [
|
||||
for group_key in ["it_admin", "infrastructure_admin"] : {
|
||||
group = {
|
||||
id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "Contractors Extended"
|
||||
|
||||
include = [
|
||||
{
|
||||
group = {
|
||||
id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id
|
||||
}
|
||||
},
|
||||
{
|
||||
email_domain = {
|
||||
domain = var.cf_email_domain
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
#==================================================
|
||||
# Azure AD Rule Groups
|
||||
#===================================================
|
||||
resource "cloudflare_zero_trust_access_group" "azure_groups" {
|
||||
for_each = local.azure_groups
|
||||
account_id = var.cloudflare_account_id
|
||||
name = replace(title(replace(each.key, "_", " ")), "Azure", "Azure")
|
||||
|
||||
include = [{
|
||||
azure_ad = {
|
||||
identity_provider_id = var.cf_azure_identity_provider_id
|
||||
id = each.value
|
||||
}
|
||||
}]
|
||||
}
|
||||
Reference in New Issue
Block a user