# =============================================================================
# CLOUDFLARE : Access : Groups
# =============================================================================
#
# Reusable Zero Trust Access rule groups for this account: one group per Okta
# SAML group plus one geographic group. Nothing in this file attaches a group
# to an application; policies defined elsewhere are expected to reference them.

locals {
  # Okta SAML group names, keyed by the role they represent. The key becomes
  # the for_each key (and so the resource address) of the matching access
  # group below; the value is used both as the group's display name and as
  # the SAML attribute value that is matched.
  saml_groups = {
    contractors          = var.okta_contractors_saml_group_name
    infrastructure_admin = var.okta_infra_admin_saml_group_name
    sales_engineering    = var.okta_sales_eng_saml_group_name
    sales                = var.okta_sales_saml_group_name
    it_admin             = var.okta_itadmin_saml_group_name
  }

  # Two-letter country codes.
  # allowed_countries is the only set that can satisfy the geographic group's
  # include rule; blocked_countries is applied as an explicit exclude on top
  # of it. None of the blocked codes appear in the allowed list, so today the
  # exclude does not change which countries pass, but it keeps the deny list
  # authoritative if the allow list is ever widened.
  allowed_countries = ["FR", "DE", "US", "GB"]
  blocked_countries = [
    "CN", "RU", "AF", "BY", "CD", "CU", "IR",
    "IQ", "KP", "MM", "SD", "SY", "UA", "ZW",
  ]

  # Device posture check IDs, one per OS. Not referenced in this file;
  # presumably consumed by a policy or group defined elsewhere in the module.
  os_posture_checks = [
    var.cf_linux_posture_id,
    var.cf_macos_posture_id,
    var.cf_windows_posture_id,
  ]
}

# SAML Rule Groups -- one access group per Okta SAML group. Membership is
# decided by the "groups" attribute asserted by the configured Okta IdP.
# local.cloudflare_account_id is defined elsewhere in the module.
resource "cloudflare_zero_trust_access_group" "saml_groups" {
  for_each = local.saml_groups

  account_id = local.cloudflare_account_id
  name       = each.value

  include = [
    {
      saml = {
        identity_provider_id = var.cf_okta_identity_provider_id
        attribute_name       = "groups"
        attribute_value      = each.value
      }
    },
  ]
}

# Geographic Rule Groups
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Country Requirements"

  # include: one geo rule per allowed code, so a request has to originate from
  # one of them.
  include = [
    for cc in local.allowed_countries : {
      geo = { country_code = cc }
    }
  ]

  # exclude: one geo rule per blocked code, rejecting those origins even if
  # the allow list above is later extended to overlap with them.
  exclude = [
    for cc in local.blocked_countries : {
      geo = { country_code = cc }
    }
  ]
}