# =============================================================================
# CLOUDFLARE : Access : Groups
# =============================================================================
#
# Reading guide for the Access group rules below (Cloudflare Zero Trust):
#   - entries inside `include` are OR-ed: matching any single entry is enough,
#   - entries inside `exclude` take precedence over `include`,
#   - `require` (not used in this file) would AND an extra condition on top.
# Keep that in mind when reading the composite groups at the bottom.

locals {
  # Okta SAML group names, keyed by a short handle that the composite groups
  # below reference. Each value is used both as the Access group name and as
  # the SAML `groups` attribute value that must be present in the assertion.
  saml_groups = {
    contractors          = "Contractors"
    infrastructure_admin = "GL_Users_Infrastructure Admin"
    sales_engineering    = "GL_Users_Sales Engineering"
    sales                = "GL_Users_Sales"
    it_admin             = "GL_Users_IT Admin"
  }

  # Geographic allow / deny lists (ISO 3166-1 alpha-2 codes). Geo rules are
  # based on IP geolocation of the client, so they are a coarse control that
  # complements identity and device checks rather than replacing them.
  allowed_countries = ["FR", "DE", "US", "GB"]
  blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]

  # One device-posture integration per supported OS. A device only needs to
  # pass the check for the OS it actually runs, which is why they are OR-ed.
  os_posture_checks = [
    var.cloudflare_linux_posture_id,
    var.cloudflare_macos_posture_id,
    var.cloudflare_windows_posture_id
  ]

  # Membership of the composite SAML-backed groups, expressed as handles into
  # `saml_groups` so that who-is-in-what can be audited in one place.
  employee_group_keys   = ["it_admin", "sales", "sales_engineering", "infrastructure_admin"]
  sales_team_group_keys = ["sales", "sales_engineering"]
  admin_group_keys      = ["it_admin", "infrastructure_admin"]
}

# -----------------------------------------------------------------------------
# SAML rule groups: one Access group per Okta group, matched on the `groups`
# attribute issued by the Okta identity provider.
# -----------------------------------------------------------------------------
resource "cloudflare_zero_trust_access_group" "saml_groups" {
  for_each = local.saml_groups

  account_id = local.cloudflare_account_id
  name       = local.saml_groups[each.key]

  include = [
    {
      saml = {
        identity_provider_id = var.cloudflare_okta_identity_provider_id
        attribute_name       = "groups"
        attribute_value      = local.saml_groups[each.key]
      }
    }
  ]
}

# -----------------------------------------------------------------------------
# Geographic rule group: allow the listed countries; a request geolocated to a
# blocked country is denied regardless, since `exclude` wins over `include`.
# -----------------------------------------------------------------------------
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Localisation_Country Requirements"

  include = [
    for code in local.allowed_countries : { geo = { country_code = code } }
  ]

  exclude = [
    for code in local.blocked_countries : { geo = { country_code = code } }
  ]
}

# -----------------------------------------------------------------------------
# Device posture rule group: the device must pass the posture check that
# corresponds to its OS (Linux, macOS or Windows).
# -----------------------------------------------------------------------------
resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_OS Version Requirements"

  include = [
    for uid in local.os_posture_checks : { device_posture = { integration_uid = uid } }
  ]
}

# -----------------------------------------------------------------------------
# Composite rule groups built by nesting the SAML groups above by id, so the
# Okta attribute mapping lives in exactly one place.
# -----------------------------------------------------------------------------

# All employees: every SAML group except `contractors`.
resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Employees"

  include = [
    for key in local.employee_group_keys : {
      group = { id = cloudflare_zero_trust_access_group.saml_groups[key].id }
    }
  ]
}

# Sales team: sales plus sales engineering.
resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Sales Team"

  include = [
    for key in local.sales_team_group_keys : {
      group = { id = cloudflare_zero_trust_access_group.saml_groups[key].id }
    }
  ]
}

# Administrators: IT admins plus infrastructure admins. Policies granting
# privileged access should reference this group rather than the raw SAML ones.
resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Administrators"

  include = [
    for key in local.admin_group_keys : {
      group = { id = cloudflare_zero_trust_access_group.saml_groups[key].id }
    }
  ]
}

# Contractors "extended": the Okta `Contractors` group OR any identity whose
# email is on the configured domain (`var.cloudflare_email_domain`). Because
# `include` entries are OR-ed, the email_domain entry alone is sufficient, so
# this group is strictly broader than the SAML `Contractors` group it builds
# on. If the intent is "contractor AND on that domain", the domain check
# belongs in `require` instead — confirm with the policy owner.
resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Contractors Extended"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id } },
    { email_domain = { domain = var.cloudflare_email_domain } }
  ]
}