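# =============================================================================
# CLOUDFLARE : Gateway : Policy
# =============================================================================
#
# DNS-layer Gateway policies for the account, evaluated in `precedence` order
# (lowest number first):
#   10 - block_malware : block by Cloudflare security category
#   11 - block_ads     : block domains read from the local Pi-hole style file
#
# Both rules use `filters = ["dns"]`, so they act on DNS queries only; they do
# not inspect HTTP or network (L4) traffic.

# POLICY: block_malware
resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
  account_id  = local.cloudflare_account_id
  name        = "Block malware"
  description = "Block known threats based on Cloudflare's threat intelligence"
  enabled     = true
  # Evaluated before block_ads (11). If allow rules are ever added, keep them at
  # a higher precedence number so this block is not shadowed by them.
  precedence = 10

  # Block all security risks.
  # NOTE(review): the numeric IDs are Gateway security-category IDs and are
  # opaque here - check them against the Gateway security-categories reference
  # before adding or removing entries.
  filters = ["dns"]
  traffic = "any(dns.security_category[*] in {178 80 83 176 175 117 131 134 151 153 68})"
  action  = "block"

  rule_settings = {
    block_page_enabled = true
  }
}

# POLICY: Block Ads
locals {
  # IDs of every list created below (one list per chunk of the domain file).
  ads_domain_lists = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]

  # Gateway expressions reference a list as "$<id>" with the dashes of the
  # UUID removed.
  ads_domain_lists_formatted = [for v in local.ads_domain_lists : format("$%s", replace(v, "-", ""))]

  # One "any(dns.domains[*] in $<id>)" clause per list, OR-ed together.
  # NOTE(review): with zero lists this is the empty string, which is not a
  # usable traffic expression - the domain file must contain at least one
  # entry for block_ads to apply.
  ads_ad_filters = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted)
  ads_ad_filter  = join(" or ", local.ads_ad_filters)
}

resource "cloudflare_zero_trust_gateway_policy" "block_ads" {
  account_id  = local.cloudflare_account_id
  name        = "Block Ads"
  description = "Block Ads domains"
  enabled     = true
  # Evaluated after block_malware (10).
  precedence = 11

  # Block domains belonging to the lists defined below.
  filters = ["dns"]
  action  = "block"
  traffic = local.ads_ad_filter

  rule_settings = {
    # No block page for ad domains; the query is simply blocked.
    block_page_enabled = false
  }
}

locals {
  # Full path of the file holding the ad domains, one domain per line.
  ads_domain_list_file = "${path.module}/lists/pihole_domain_list.txt"

  # One entry per line of the file.
  ads_domain_list = split("\n", file(local.ads_domain_list_file))

  # Normalise each line and drop anything that cannot be a DOMAIN list item:
  #  - surrounding whitespace (including a trailing "\r" from CRLF files)
  #  - empty lines
  #  - comment lines starting with "#" (common in Pi-hole style lists)
  # Without this, a CRLF file would produce items such as "example.com\r".
  ads_domain_list_clean = [
    for x in local.ads_domain_list : trimspace(x)
    if trimspace(x) != "" && length(regexall("^#", trimspace(x))) == 0
  ]

  # Split the cleaned list into fixed-size chunks (a list of lists); each
  # chunk becomes one Gateway list.
  # NOTE(review): 1000 is kept from the original; confirm it still matches the
  # per-list item limit of Gateway lists.
  ads_aggregated_lists = chunklist(local.ads_domain_list_clean, 1000)

  # Number of Gateway lists (chunks) to create.
  ads_list_count = length(local.ads_aggregated_lists)
}

resource "cloudflare_zero_trust_list" "ads_domain_lists" {
  account_id = local.cloudflare_account_id
  # One list per chunk, keyed by chunk index so list names stay stable when
  # the file grows.
  for_each = { for i in range(0, local.ads_list_count) : i => element(local.ads_aggregated_lists, i) }
  name     = "ads_domain_list_${each.key}"
  type     = "DOMAIN"
  items    = each.value
}

# -----------------------------------------------------------------------------
# Provider reference example - NOT applied (kept commented out for reference).
# NOTE(review): the example uses `action = "allow"` despite being named
# "block bad websites"; if it is ever adapted, set the action deliberately and
# keep `insecure_disable_dnssec_validation = false`.
# -----------------------------------------------------------------------------
#resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
#  account_id = local.cloudflare_account_id
#  action = "allow"
#  name = "block bad websites"
#  description = "Block bad websites based on their host name."
#  device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"
#  enabled = true
#  expiration = {
#    expires_at = "2026-01-01T05:20:20Z"
#    duration = 10
#  }
#  filters = ["http"]
#  identity = "any(identity.groups.name[*] in {\"finance\"})"
#  precedence = 0
#  rule_settings = {
#    add_headers = {
#      My-Next-Header = ["foo", "bar"]
#      X-Custom-Header-Name = ["somecustomvalue"]
#    }
#    allow_child_bypass = true
#    audit_ssh = {
#      command_logging = false
#    }
#    biso_admin_controls = {
#      copy = "remote_only"
#      dcp = true
#      dd = true
#      dk = true
#      download = "enabled"
#      dp = false
#      du = true
#      keyboard = "enabled"
#      paste = "enabled"
#      printing = "enabled"
#      upload = "enabled"
#      version = "v1"
#    }
#    block_page = {
#      target_uri = "https://example.com"
#      include_context = true
#    }
#    block_page_enabled = true
#    block_reason = "This website is a security risk"
#    bypass_parent_rule = false
#    check_session = {
#      duration = "300s"
#      enforce = true
#    }
#    dns_resolvers = {
#      ipv4 = [{
#        ip = "2.2.2.2"
#        port = 5053
#        route_through_private_network = true
#        vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
#      }]
#      ipv6 = [{
#        ip = "2001:DB8::"
#        port = 5053
#        route_through_private_network = true
#        vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
#      }]
#    }
#    egress = {
#      ipv4 = "192.0.2.2"
#      ipv4_fallback = "192.0.2.3"
#      ipv6 = "2001:DB8::/64"
#    }
#    ignore_cname_category_matches = true
#    insecure_disable_dnssec_validation = false
#    ip_categories = true
#    ip_indicator_feeds = true
#    l4override = {
#      ip = "1.1.1.1"
#      port = 0
#    }
#    notification_settings = {
#      enabled = true
#      include_context = true
#      msg = "msg"
#      support_url = "support_url"
#    }
#    override_host = "example.com"
#    override_ips = ["1.1.1.1", "2.2.2.2"]
#    payload_log = {
#      enabled = true
#    }
#    quarantine = {
#      file_types = ["exe"]
#    }
#    redirect = {
#      target_uri = "https://example.com"
#      include_context = true
#      preserve_path_and_query = true
#    }
#    resolve_dns_internally = {
#      fallback = "none"
#      view_id = "view_id"
#    }
#    resolve_dns_through_cloudflare = true
#    untrusted_cert = {
#      action = "error"
#    }
#  }
#  schedule = {
#    time_zone = "Europe/Paris"
#    mon = "08:00-12:30,13:30-17:00"
#    thu = "08:00-12:30,13:30-17:00"
#    tue = "08:00-12:30,13:30-17:00"
#    wed = "08:00-12:30,13:30-17:00"
#    fri = "08:00-12:30,13:30-17:00"
#    sat = "08:00-12:30,13:30-17:00"
#    sun = "08:00-12:30,13:30-17:00"
#  }
#  traffic = "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
#}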