This commit is contained in:
@@ -114,4 +114,103 @@ resource "cloudflare_zero_trust_device_custom_profile" "zero_trust_device_custom
|
|||||||
support_url = "https://1.1.1.1/help"
|
support_url = "https://1.1.1.1/help"
|
||||||
switch_locked = true
|
switch_locked = true
|
||||||
tunnel_protocol = "wireguard"
|
tunnel_protocol = "wireguard"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#==========================================================
|
||||||
|
# Device Profile Configurations
|
||||||
|
#==========================================================
|
||||||
|
locals {
|
||||||
|
# Device precedence values
|
||||||
|
device_precedence = {
|
||||||
|
laptop = 10 # Highest priority - specific OS match
|
||||||
|
vm = 20 # Medium priority - group-based match
|
||||||
|
warp_connector = 30 # Lower priority - service account match
|
||||||
|
}
|
||||||
|
|
||||||
|
# Common profile settings
|
||||||
|
common_profile_settings = {
|
||||||
|
allow_mode_switch = false
|
||||||
|
tunnel_protocol = "masque"
|
||||||
|
switch_locked = false
|
||||||
|
allowed_to_leave = true
|
||||||
|
allow_updates = true
|
||||||
|
auto_connect = 0
|
||||||
|
disable_auto_fallback = false
|
||||||
|
lan_allow_minutes = 30
|
||||||
|
lan_allow_subnet_size = 16
|
||||||
|
exclude_office_ips = true
|
||||||
|
captive_portal = 180
|
||||||
|
}
|
||||||
|
|
||||||
|
# Device profiles configuration
|
||||||
|
device_profiles = {
|
||||||
|
laptop = {
|
||||||
|
name = "Zero-Trust demo local laptop (mac)"
|
||||||
|
description = "This profile is for the local laptop (running macos) for my zero-trust demo"
|
||||||
|
precedence = local.device_precedence.laptop
|
||||||
|
match = "os.name == \"${var.cloudflare_device_os}\" and identity.email == \"${var.okta_matthieu_user_login}\"",
|
||||||
|
support_url = "Zero-TrustDemo-LaptopProfile"
|
||||||
|
}
|
||||||
|
vm = {
|
||||||
|
name = "Zero-Trust demo VMs (Ubuntu and Windows 11)"
|
||||||
|
description = "This profile is for my VMs for my zero-trust demo"
|
||||||
|
precedence = local.device_precedence.vm
|
||||||
|
match = "any(identity.saml_attributes[*] in {\"groups=${var.okta_infra_admin_saml_group_name}\"}) or any(identity.saml_attributes[*] in {\"groups=${var.okta_contractors_saml_group_name}\"}) or identity.email matches \"${var.cloudflare_email_domain}\""
|
||||||
|
support_url = "Zero-TrustDemo-VMProfile"
|
||||||
|
}
|
||||||
|
warp_connector = {
|
||||||
|
name = "Zero-Trust demo WarpConnector"
|
||||||
|
description = "This profile is dedicated for WARP Connector"
|
||||||
|
precedence = local.device_precedence.warp_connector
|
||||||
|
match = "identity.email == \"warp_connector@${var.cloudflare_team_name}.cloudflareaccess.com\""
|
||||||
|
support_url = "WARPConnectorProfile"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#==========================================================
|
||||||
|
# Device Custom Profiles
|
||||||
|
#==========================================================
|
||||||
|
resource "cloudflare_zero_trust_device_custom_profile" "profiles" {
|
||||||
|
for_each = local.device_profiles
|
||||||
|
|
||||||
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
description = each.value.description
|
||||||
|
precedence = each.value.precedence
|
||||||
|
match = each.value.match
|
||||||
|
support_url = each.value.support_url
|
||||||
|
|
||||||
|
# Common settings
|
||||||
|
allow_mode_switch = local.common_profile_settings.allow_mode_switch
|
||||||
|
tunnel_protocol = local.common_profile_settings.tunnel_protocol
|
||||||
|
switch_locked = local.common_profile_settings.switch_locked
|
||||||
|
allowed_to_leave = local.common_profile_settings.allowed_to_leave
|
||||||
|
allow_updates = local.common_profile_settings.allow_updates
|
||||||
|
auto_connect = local.common_profile_settings.auto_connect
|
||||||
|
disable_auto_fallback = local.common_profile_settings.disable_auto_fallback
|
||||||
|
lan_allow_minutes = local.common_profile_settings.lan_allow_minutes
|
||||||
|
lan_allow_subnet_size = local.common_profile_settings.lan_allow_subnet_size
|
||||||
|
exclude_office_ips = local.common_profile_settings.exclude_office_ips
|
||||||
|
captive_portal = local.common_profile_settings.captive_portal
|
||||||
|
|
||||||
|
service_mode_v2 = {
|
||||||
|
mode = "warp"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Exclude routes configuration
|
||||||
|
exclude = [
|
||||||
|
for route in values(local.final_exclude_routes) : {
|
||||||
|
address = route.address
|
||||||
|
description = route.description
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
# Apply once and ignore subsequent changes
|
||||||
|
lifecycle {
|
||||||
|
ignore_changes = all
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user