
# =============================================================================
# CLOUDFLARE : Access : Groups
# =============================================================================
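locals {
  # SAML group names as asserted by Okta in the "groups" attribute.
  # Keys are the Terraform map keys referenced by the composite groups below;
  # values must match the group names Okta sends exactly (the SAML rule is an
  # exact attribute match, so a renamed Okta group silently stops matching).
  saml_groups = {
    contractors          = "Contractors"
    infrastructure_admin = "GL_Users_Infrastructure Admin"
    sales_engineering    = "GL_Users_Sales Engineering"
    sales                = "GL_Users_Sales"
    it_admin             = "GL_Users_IT Admin"
  }

  # Geo lists (ISO 3166-1 alpha-2). The country is derived from the client's
  # source IP, so these are a coarse filter only: a VPN, proxy or roaming
  # client defeats them. Geo groups should be added to policies as an extra
  # `require` on top of an identity/device group, never as the sole condition.
  allowed_countries = ["FR", "DE", "US", "GB"]
  blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]
  main_countries    = ["FR"]

  europe_countries          = ["AL","AD","AT","AX","BA","BE","BG","BY","CH","CY","CZ","DE","DK","EE","ES","FI","FO","GB","GG","GI","GR","HR","HU","IE","IM","IS","IT","JE","LI","LT","LU","LV","MC","MD","ME","MK","MT","NL","NO","PL","PT","RO","RS","SE","SI","SK","SM","UA","VA"]
  afrique_countries         = ["AO","BF","BI","BJ","BW","CD","CF","CG","CI","CM","CV","DJ","DZ","EG","EH","ER","ET","GA","GH","GM","GN","GQ","GW","KE","KM","LR","LS","LY","MA","MG","ML","MR","MU","MW","MZ","NA","NE","NG","RE","RW","SC","SD","SH","SL","SN","SO","SS","ST","SZ","TD","TF","TG","TN","TZ","UG","YT","ZA","ZM","ZW"]
  america_north_countries   = ["CA","US","MX","BM","PM","GL","UM"]
  america_central_countries = ["AG","AI","AW","BB","BZ","CR","CU","DM","DO","GD","GP","GT","HN","HT","JM","KN","KY","LC","MF","MQ","MS","NI","PA","PR","SV","SX","TC","TT","VC","VG","VI"]
  america_south_countries   = ["AR","BO","BR","CL","CO","EC","FK","GF","GY","PE","PY","SR","UY","VE"]
  asie_countries            = ["AF","AM","AZ","BD","BH","BN","BT","CN","GE","HK","ID","IL","IN","IQ","IR","JO","JP","KG","KH","KP","KR","KW","KZ","LA","LB","LK","MM","MN","MO","MY","NP","OM","PH","PK","PS","QA","SA","SG","SY","TH","TJ","TL","TM","TR","TW","UZ","VN","YE"]
  oceanie_countries         = ["AS","AU","CK","FJ","FM","GU","HM","KI","MH","MP","NC","NF","NR","NU","NZ","PF","PG","PN","PW","SB","TK","TO","TV","UM","VU","WF","WS"]
  antarctique_countries     = ["AQ", "BV"]
  other_countries           = ["IO","GS","XX","ZZ"]

  # Union of every regional list. NOTE: this is not a complete ISO universe --
  # "RU" is in blocked_countries but appears in no regional list, and a few
  # other codes are absent -- so never treat all_countries as "deny everything".
  # The include list of a geo group is what actually restricts access.
  all_countries = flatten([
    local.europe_countries,
    local.afrique_countries,
    local.america_north_countries,
    local.america_central_countries,
    local.america_south_countries,
    local.asie_countries,
    local.oceanie_countries,
    local.antarctique_countries,
    local.other_countries,
  ])

  # Every known country except the "main" ones; used as the exclude list of
  # the "Main" geo group. blocked_countries is folded in so that an explicitly
  # blocked country is always excluded even when it is missing from the
  # regional lists (e.g. "RU"), and distinct() drops duplicates ("UM" is listed
  # under both North America and Oceania).
  blocked_countries_except_main = distinct([
    for code in concat(local.all_countries, local.blocked_countries) : code
    if !contains(local.main_countries, code)
  ])

  # Device posture integration UIDs, one per supported OS. They are OR'd in
  # the OS-version group below, so a device only has to pass the check for
  # its own OS.
  os_posture_checks = [
    var.cloudflare_linux_posture_id,
    var.cloudflare_macos_posture_id,
    var.cloudflare_windows_posture_id
  ]
}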
# SAML Rule Groups
# One Access group per Okta group. The match is an exact comparison of the
# SAML "groups" attribute value, pinned to the Okta IdP so that a second
# identity provider asserting the same group name does not match.
resource "cloudflare_zero_trust_access_group" "saml_groups" {
  for_each   = local.saml_groups
  account_id = local.cloudflare_account_id
  name       = local.saml_groups[each.key]

  include = [
    {
      saml = {
        identity_provider_id = var.cloudflare_okta_identity_provider_id
        attribute_name       = "groups"
        attribute_value      = local.saml_groups[each.key]
      }
    }
  ]
}
# Geographic Rule Groups
# Allow-list geo group: include (OR) the allowed countries and exclude (NOT)
# the blocked ones. Because the include list is already an allow-list, the
# exclude entries are defence in depth only. Country is inferred from the
# source IP and is easily spoofed via VPN/proxy, so this group belongs in a
# policy's `require`, combined with an identity or device group, not alone.
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Localisation_Country Requirements"

  include = [for cc in local.allowed_countries : { geo = { country_code = cc } }]
  exclude = [for cc in local.blocked_countries : { geo = { country_code = cc } }]
}
#
# Restrictive geo group: only the "main" countries are included; every other
# known country is excluded as well. The include list is what enforces the
# restriction -- the exclude list is belt-and-braces and only as complete as
# local.blocked_countries_except_main. Same IP-geolocation caveat as above:
# use this as an additional `require`, not as the only access condition.
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group_main" {
  account_id = local.cloudflare_account_id
  name       = "GL_Localisation Country Requirements : Main"

  include = [for cc in local.main_countries : { geo = { country_code = cc } }]
  exclude = [for cc in local.blocked_countries_except_main : { geo = { country_code = cc } }]
}
# Device Posture Rule Groups
# Device posture group. The three OS-version checks are include rules, i.e.
# OR'd: a device passes if any one of them passes, which is what a mixed
# Linux/macOS/Windows fleet needs. Posture is only evaluated for devices
# running the device client, so browser-only (clientless) sessions cannot
# satisfy this group.
resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_OS Version Requirements"

  include = [
    for uid in local.os_posture_checks : {
      device_posture = { integration_uid = uid }
    }
  ]
}
# Composite Rule Groups
# Composite "employees" group: membership of any of the listed SAML groups
# (include = OR). Contractors are deliberately not part of this group.
resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Employees"

  include = [
    for member in ["it_admin", "sales", "sales_engineering", "infrastructure_admin"] : {
      group = { id = cloudflare_zero_trust_access_group.saml_groups[member].id }
    }
  ]
}
# Composite "sales team" group: sales OR sales engineering.
resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Sales Team"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["sales"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id } },
  ]
}
# Composite "administrators" group: IT admin OR infrastructure admin.
# Policies granting privileged access should pair this group with the
# device-posture and geo groups via `require` rather than use it alone.
resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "GL_Users_Administrators"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id } },
  ]
}
# "Contractors Extended": the Okta "Contractors" group OR any identity whose
# email is in var.cloudflare_email_domain (include = OR).
#
# NOTE(review): the email_domain rule is not pinned to an identity provider,
# so it matches any login method enabled on the account (another IdP, or the
# One-time PIN method if enabled), regardless of Okta group membership. If
# cloudflare_email_domain is the corporate domain, every employee also matches
# this group. Confirm that is intended; if the goal is "contractors only",
# drop the email_domain rule and rely on the SAML group alone.
resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
account_id = local.cloudflare_account_id
name = "GL_Users_Contractors Extended"
include = [
{
# Okta "Contractors" group, matched via the SAML group above.
group = {
id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id
}
},
{
# Any authenticated identity with an email in this domain -- see NOTE above.
email_domain = {
domain = var.cloudflare_email_domain
}
}
]
}