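# =============================================================================
# CLOUDFLARE : Traffic Policies : Firewall Policies : DNS
# =============================================================================
#
# Two DNS Gateway policies for one account:
#   precedence 10  block_malware  - Cloudflare threat-intel security categories
#   precedence 11  block_ads      - domains from a local Pi-hole style list
# Lower precedence is evaluated first, so the malware block wins over the
# ad block when both match the same query.

# POLICY: block_malware
resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
  account_id  = local.cloudflare_account_id
  name        = "DNS - Block malware"
  description = "Block known threats based on Cloudflare s threat intelligence"
  enabled     = true
  precedence  = 10

  # Block all security risks: the numeric IDs are Cloudflare DNS security
  # category IDs (see the Gateway category reference for their meanings).
  filters = ["dns"]
  traffic = "any(dns.security_category[*] in {178 80 83 176 175 117 131 134 151 153 68})"
  action  = "block"

  rule_settings = {
    # Show the Gateway block page so users learn why the lookup failed.
    block_page_enabled = true
  }
}

# POLICY: Block Ads

locals {
  # Source list: one domain per line.
  ads_domain_list_file = "${path.module}/lists/pihole_domain_list.txt"

  # Empty file -> empty list instead of a single "" entry.
  ads_domain_list = length(file(local.ads_domain_list_file)) > 0 ? split("\n", file(local.ads_domain_list_file)) : []

  # trimspace() drops a trailing "\r" on CRLF files and stray whitespace, so
  # those lines neither become bogus list items nor survive the blank filter.
  ads_domain_list_clean = [for x in local.ads_domain_list : trimspace(x) if trimspace(x) != ""]

  # Split into fixed-size lists; 1000 presumably matches the per-list item
  # limit on Gateway lists - confirm against the provider docs before raising.
  ads_aggregated_lists = chunklist(local.ads_domain_list_clean, 1000)
  ads_list_count       = length(local.ads_aggregated_lists)

  # Build the Gateway traffic expression from the created list IDs.
  # A list is referenced in an expression as "$" + its ID with dashes removed.
  ads_domain_lists           = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]
  ads_domain_lists_formatted = [for v in local.ads_domain_lists : format("$%s", replace(v, "-", ""))]
  ads_ad_filters             = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted)
  # NOTE(review): with an empty domain file this joins to "" - an empty traffic
  # expression may be rejected at apply time; confirm before relying on it.
  ads_ad_filter = join(" or ", local.ads_ad_filters)

  # Aliases kept so any reference elsewhere in the module to the former
  # "*_new" names keeps resolving; they are the same values as above.
  ads_domain_lists_new           = local.ads_domain_lists
  ads_domain_lists_formatted_new = local.ads_domain_lists_formatted
  ads_ad_filters_new             = local.ads_ad_filters
  ads_ad_filter_new              = local.ads_ad_filter
}

resource "cloudflare_zero_trust_gateway_policy" "block_ads" {
  account_id  = local.cloudflare_account_id
  name        = "DNS - Block Ads"
  description = "Block Ads domains"
  enabled     = true
  precedence  = 11

  # Block domains belonging to the lists created below.
  filters = ["dns"]
  traffic = local.ads_ad_filter
  action  = "block"

  rule_settings = {
    # Ad lookups fail silently; no block page for embedded ad requests.
    block_page_enabled = false
  }
}

# One Gateway list per chunk of at most 1000 domains, keyed by chunk index
# so adding domains only appends/changes the last list(s).
resource "cloudflare_zero_trust_list" "ads_domain_lists" {
  account_id = local.cloudflare_account_id
  for_each   = { for idx, chunk in local.ads_aggregated_lists : tostring(idx) => chunk }

  name  = "ads_domain_list_${each.key}"
  type  = "DOMAIN"
  items = [for domain in each.value : { value = domain }]
}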