# =============================================================================
# CLOUDFLARE : Access : policies
# =============================================================================

#
resource "cloudflare_zero_trust_access_policy" "allow_policie_default" {
  account_id       = local.cloudflare_account_id
  name             = "Default"
  decision         = "allow"
  session_duration = "24h"

  include = [{
    group = {
        id = cloudflare_zero_trust_access_group.default_groups.id
    }
  }]
}

#
resource "cloudflare_zero_trust_access_policy" "allow_policie_it_admin" {
  account_id       = local.cloudflare_account_id
  name             = "Default It Admin"
  decision         = "allow"
  session_duration = "6h"

  include = [{
    for group_key in ["it_admin", "infrastructure_admin"] : {
      group = {
          id = cloudflare_zero_trust_access_group.saml_groups[group_key].id
      }
    }
  }]
}

#
resource "cloudflare_zero_trust_access_policy" "allow_policie_administrators" {
  account_id       = local.cloudflare_account_id
  name             = "Default Admionistratoes"
  decision         = "allow"
  session_duration = "30m"

  include = [{
    group = {
        id = cloudflare_zero_trust_access_group.admins_rule_group.id
    }
  }]
}