From f3b857406432a5e4fd80a882051a52f63d1302f9 Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Sat, 15 Nov 2025 19:51:43 +0100
Subject: [PATCH] Update variables.auto.tfvars
---
 variables.auto.tfvars | 103 ++++++++----------------------------------
 1 file changed, 20 insertions(+), 83 deletions(-)
diff --git a/variables.auto.tfvars b/variables.auto.tfvars
index 713fc43..a24b12a 100644
--- a/variables.auto.tfvars
+++ b/variables.auto.tfvars
@@ -61,94 +61,31 @@ applications = {
 # ============================================================================= #
-local {
- # Group mapping for policies (supports both SAML and composite groups)
- policy_groups = {
- # Composite groups
- employees = cloudflare_zero_trust_access_group.employees_rule_group.id
- sales_team = cloudflare_zero_trust_access_group.sales_team_rule_group.id
- admins = cloudflare_zero_trust_access_group.admins_rule_group.id
- contractors = cloudflare_zero_trust_access_group.contractors_rule_group.id
-
- # Individual SAML groups
- infrastructure_admin = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id
- sales_engineering = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id
- sales = cloudflare_zero_trust_access_group.saml_groups["sales"].id
- it_admin = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id
+access_policies = {
+ allow_employees = {
+ name = "Allow - Employees"
+ include_groups = ["employees"]
+ exclude_groups = []
+ require_mfa = true
+ require_login_method = false
+ require_country = false
+ purpose_justification = false
+ purpose_justification_prompt = null
 }
- # Common access policy configurations
- access_policies = {
- intranet_web_app = {
- name = "Intranet App Policy"
- include_groups = ["employees", "contractors"]
- require_posture = true
- require_mfa = false
- purpose_justification = false
- }
- competition_web_app = {
- name = "Competition App Policy"
- include_groups = ["sales_team"]
- require_posture = true
- require_mfa = true
- # IMPORTANT: Comment out the next 3 lines if you haven't deployed the "Training Compliance Gateway"
- # Otherwise the Competition App won't work or show up in App Launcher
- # Repository: https://github.com/macharpe/cloudflare-access-training-evaluator
- require_external_evaluation = true
- external_evaluation_url = "https://training-status.macharpe.com"
- external_evaluation_keys_url = "https://training-status.macharpe.com/keys"
- purpose_justification = true
- purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
- lifecycle_create_before_destroy = true
- }
- employees_browser_rendering = {
- name = "Employees AWS Database Policy"
- include_groups = ["infrastructure_admin"]
- require_posture = true
- require_mfa = false
- purpose_justification = true
- purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
- require_login_method = true
- }
- contractors_browser_rendering = {
- name = "Contractors AWS Database Policy"
- include_groups = ["contractors"]
- require_posture = true
- require_mfa = false
- require_country = true
- purpose_justification = true
- purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
- }
- aws = {
- name = "AWS Cloud Policy"
- include_groups = ["sales_engineering"]
- require_posture = true
- require_mfa = true
- }
- okta = {
- name = "Okta Cloud Policy"
- include_groups = ["it_admin"]
- require_posture = true
- require_mfa = true
- }
- meraki = {
- name = "Meraki Cloud Policy"
- include_groups = ["it_admin"]
- require_posture = true
- require_mfa = true
- }
- domain_controller = {
- name = "Domain Controller Policy"
- include_groups = ["it_admin", "contractors"]
- require_posture = true
- require_mfa = true
- require_country = true
- purpose_justification = true
- purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
- }
+ allow_admins = {
+ name = "Allow - Admins"
+ include_groups = ["admins"]
+ exclude_groups = []
+ require_mfa = true
+ require_login_method = true
+ require_country = true
+ purpose_justification = true
+ purpose_justification_prompt = "Why do you need admin access?"
 }
 }
+
 # =============================================================================
 # Tags
 # =============================================================================
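Review bot: Neither `allow_employees` nor `allow_admins` sets `require_posture`, while every one of the removed policies had `require_posture = true`; unless the consuming module defaults it on, device-posture enforcement silently disappears from admin access even though MFA, login-method and country checks are kept, so add `require_posture = true` to both new policies (or a comment stating where posture is enforced instead) so the regression is deliberate rather than implicit. The map keys change from per-application names (`intranet_web_app`, `domain_controller`, …) to `allow_employees`/`allow_admins`; if the `applications` map that precedes this hunk references policies by those keys, the references now dangle and the plan will fail — that block is outside the hunk and is not touched by this commit. The `contractors` group, previously confined to country-restricted policies, is no longer included or excluded anywhere; if that is intended, a short comment such as `# contractors: no policy yet — add an explicit allow/exclude before onboarding` would record the intent next to `exclude_groups = []`.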