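# =============================================================================
# CLOUDFLARE : Access : Policies
# =============================================================================
#
# Creates one Access policy per entry of var.access_policies. Every policy is
# an "allow" policy, so the include / exclude / require rule lists below are
# the only thing that narrows who gets through.
#
# Per-policy inputs read from each.value:
#   name                          policy name (mandatory)
#   include_groups                keys into var.policy_groups (mandatory)
#   exclude_groups                keys into var.policy_groups (optional)
#   purpose_justification         bool, defaults to false
#   purpose_justification_prompt  string, defaults to null
#   require_mfa                   bool, defaults to false
#   require_country               bool, defaults to false
#   require_latest_os             bool, defaults to false
#
resource "cloudflare_zero_trust_access_policy" "policies" {
  for_each = var.access_policies

  account_id = local.cloudflare_account_id
  decision   = "allow"
  name       = each.value.name

  # Hard-coded for every policy; not overridable per entry.
  # NOTE(review): presumably "0s" is meant to force re-authentication rather
  # than reuse a session - confirm against the provider documentation.
  session_duration = "0s"

  purpose_justification_prompt   = try(each.value.purpose_justification_prompt, null)
  purpose_justification_required = try(each.value.purpose_justification, false)

  # An unknown group key fails the plan here (no try), which is the desired
  # behaviour: a typo must never silently widen or empty a rule list.
  include = [
    for group in each.value.include_groups : {
      group = {
        id = var.policy_groups[group]
      }
    }
  ]

  # Only the *absence* of exclude_groups (missing attribute or null) is
  # defaulted to an empty list. The previous form wrapped the whole
  # comprehension in try(), so a misspelled key in exclude_groups made the
  # var.policy_groups lookup fail, try() swallowed it, and the policy was
  # applied with no exclusions at all - a silent fail-open on an "allow"
  # policy. The lookup now errors at plan time, same as include.
  exclude = [
    for group in coalesce(try(each.value.exclude_groups, null), []) : {
      group = {
        id = var.policy_groups[group]
      }
    }
  ]

  # Each optional requirement contributes zero or one rule. All three flags
  # use the same `== true` test so that a flag that is present but null is
  # treated as "not requested" instead of aborting on a null condition.
  require = concat(
    # NOTE(review): confirm the shape of any_valid_service_token and of the
    # auth_method object against the pinned provider version's schema; an
    # MFA rule that does not match the schema will not be enforced as intended.
    try(each.value.require_mfa, false) == true ? [{
      any_valid_service_token = false
      auth_method = {
        type = "mfa"
      }
    }] : [],

    # The two group-backed requirements depend on fixed keys being present in
    # var.policy_groups; a missing key fails the plan.
    try(each.value.require_country, false) == true ? [{
      group = {
        id = var.policy_groups["country_requirements"]
      }
    }] : [],

    try(each.value.require_latest_os, false) == true ? [{
      group = {
        id = var.policy_groups["latest_os_version_requirements"]
      }
    }] : []
  )
}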