From feb211457415b27a7be4ce1d1f2a92c71c347cee Mon Sep 17 00:00:00 2001
From: hcornet <hcornet@tips-of-mine.fr>
Date: Thu, 20 Nov 2025 16:19:07 +0100
Subject: [PATCH] device profile

---
 Team_Resources-Devices-Device_profiles.tf | 101 +++++++++++++++++++++-
 1 file changed, 100 insertions(+), 1 deletion(-)

diff --git a/Team_Resources-Devices-Device_profiles.tf b/Team_Resources-Devices-Device_profiles.tf
index 2a09234..5930722 100644
--- a/Team_Resources-Devices-Device_profiles.tf
+++ b/Team_Resources-Devices-Device_profiles.tf
@@ -114,4 +114,103 @@ resource "cloudflare_zero_trust_device_custom_profile" "zero_trust_device_custom
   support_url = "https://1.1.1.1/help"
   switch_locked = true
   tunnel_protocol = "wireguard"
-}
\ No newline at end of file
+}
+
+#==========================================================
+# Device Profile Configurations
+#==========================================================
+locals {
+  # Device precedence values
+  device_precedence = {
+    laptop         = 10 # Highest priority - specific OS match
+    vm             = 20 # Medium priority - group-based match  
+    warp_connector = 30 # Lower priority - service account match
+  }
+
+  # Common profile settings
+  common_profile_settings = {
+    allow_mode_switch     = false
+    tunnel_protocol       = "masque"
+    switch_locked         = false
+    allowed_to_leave      = true
+    allow_updates         = true
+    auto_connect          = 0
+    disable_auto_fallback = false
+    lan_allow_minutes     = 30
+    lan_allow_subnet_size = 16
+    exclude_office_ips    = true
+    captive_portal        = 180
+  }
+
+  # Device profiles configuration
+  device_profiles = {
+    laptop = {
+      name        = "Zero-Trust demo local laptop (mac)"
+      description = "This profile is for the local laptop (running macos) for my zero-trust demo"
+      precedence  = local.device_precedence.laptop
+      match       = "os.name == \"${var.cloudflare_device_os}\" and identity.email == \"${var.okta_matthieu_user_login}\"",
+      support_url = "Zero-TrustDemo-LaptopProfile"
+    }
+    vm = {
+      name        = "Zero-Trust demo VMs (Ubuntu and Windows 11)"
+      description = "This profile is for my VMs for my zero-trust demo"
+      precedence  = local.device_precedence.vm
+      match       = "any(identity.saml_attributes[*] in {\"groups=${var.okta_infra_admin_saml_group_name}\"}) or any(identity.saml_attributes[*] in {\"groups=${var.okta_contractors_saml_group_name}\"}) or identity.email matches \"${var.cloudflare_email_domain}\""
+      support_url = "Zero-TrustDemo-VMProfile"
+    }
+    warp_connector = {
+      name        = "Zero-Trust demo WarpConnector"
+      description = "This profile is dedicated for WARP Connector"
+      precedence  = local.device_precedence.warp_connector
+      match       = "identity.email == \"warp_connector@${var.cloudflare_team_name}.cloudflareaccess.com\""
+      support_url = "WARPConnectorProfile"
+    }
+  }
+}
+
+#==========================================================
+# Device Custom Profiles
+#==========================================================
+resource "cloudflare_zero_trust_device_custom_profile" "profiles" {
+  for_each = local.device_profiles
+
+  account_id = local.cloudflare_account_id
+
+  enabled    = true
+
+  name        = each.value.name
+  description = each.value.description
+  precedence  = each.value.precedence
+  match       = each.value.match
+  support_url = each.value.support_url
+
+  # Common settings
+  allow_mode_switch     = local.common_profile_settings.allow_mode_switch
+  tunnel_protocol       = local.common_profile_settings.tunnel_protocol
+  switch_locked         = local.common_profile_settings.switch_locked
+  allowed_to_leave      = local.common_profile_settings.allowed_to_leave
+  allow_updates         = local.common_profile_settings.allow_updates
+  auto_connect          = local.common_profile_settings.auto_connect
+  disable_auto_fallback = local.common_profile_settings.disable_auto_fallback
+  lan_allow_minutes     = local.common_profile_settings.lan_allow_minutes
+  lan_allow_subnet_size = local.common_profile_settings.lan_allow_subnet_size
+  exclude_office_ips    = local.common_profile_settings.exclude_office_ips
+  captive_portal        = local.common_profile_settings.captive_portal
+
+  service_mode_v2 = {
+    mode = "warp"
+  }
+
+  # Exclude routes configuration
+  exclude = [
+    for route in values(local.final_exclude_routes) : {
+      address     = route.address
+      description = route.description
+    }
+  ]
+
+  # Apply once and ignore subsequent changes
+  lifecycle {
+    ignore_changes = all
+  }
+}