Hubert Cornet
ee9b380c78
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 7s
132 lines
5.5 KiB
HCL
132 lines
5.5 KiB
HCL
# =============================================================================
|
|
# CLOUDFLARE : Traffic Policies : Firewall Policies : HTTP
|
|
# =============================================================================
|
|
|
|
#==========================================================
|
|
# Local Variables
|
|
#==========================================================
|
|
locals {
|
|
precedence = {
|
|
# HTTP (L7) Policies - AI Application Governance
|
|
ai_tools_redirect = 24000 # Redirect unreviewed AI tools to Claude
|
|
chatgpt_allow_log = 24100 # Allow ChatGPT with prompt logging
|
|
|
|
# HTTP (L7) Policies - Content Filtering & DLP
|
|
pdf_block = 25000 # Block PDF downloads for Sales Eng (identity-based DLP)
|
|
gambling_block = 25100 # Block gambling websites (category blocking)
|
|
}
|
|
|
|
# Common rule settings for block policies
|
|
default_block_settings_http = {
|
|
block_page_enabled = false
|
|
ip_categories = false
|
|
ip_indicator_feeds = false
|
|
insecure_disable_dnssec_validation = false
|
|
}
|
|
|
|
# Gateway policies configuration
|
|
# Organized by policy type: then HTTP (L7) policies
|
|
# Following Cloudflare best practices with 1000-spacing between major groups
|
|
# Integrates with dashboard-managed policies at precedence: 1000-3000, 5000-20000, 36000-40000
|
|
gateway_policies = {
|
|
#==========================================================
|
|
# HTTP (L7) POLICIES
|
|
# Application/Content-based filtering
|
|
# Terraform precedence ranges: 24000-25100
|
|
# Dashboard precedence ranges: 13000-20000
|
|
# Note: Dashboard Do-Not-Inspect policies (13000-15000) evaluated before Terraform HTTP policies
|
|
#==========================================================
|
|
|
|
# AI Application Governance (Precedence: 24000-24100)
|
|
redirect_ai_to_claude = {
|
|
name = "HTTP - Redirect: Redirect users to claude.ai"
|
|
description = "Redirect any unreviewed AI application to claude.ai instead"
|
|
enabled = true
|
|
action = "redirect"
|
|
precedence = local.precedence.ai_tools_redirect
|
|
filters = ["http"]
|
|
traffic = "any(app.type.ids[*] in {25}) and any(app.statuses[*] == \"unreviewed\")"
|
|
redirect_url = "https://claude.ai"
|
|
notification_enabled = false
|
|
}
|
|
|
|
# Content Filtering & DLP (Precedence: 25000-25100)
|
|
block_pdf_download = {
|
|
name = "HTTP - Block: PDF Files download"
|
|
description = "Block Downloading PDF Files for Sales Engineering group"
|
|
enabled = false
|
|
action = "block"
|
|
precedence = local.precedence.pdf_block
|
|
filters = ["http"]
|
|
traffic = "any(http.download.file.types[*] in {\"pdf\"})"
|
|
identity = "any(identity.saml_attributes[*] == \"groups=${var.okta_sales_eng_saml_group_name}\")"
|
|
block_reason = "This download is blocked because it is a pdf file (not approved)"
|
|
notification_enabled = true
|
|
}
|
|
|
|
block_gambling = {
|
|
name = "HTTP - Block: Gambling websites"
|
|
description = "Block Gambling website according to corporate policies (HTTP)."
|
|
enabled = true
|
|
action = "block"
|
|
precedence = local.precedence.gambling_block
|
|
filters = ["http"]
|
|
traffic = "any(http.request.uri.content_category[*] in {99})"
|
|
identity = "not(any(identity.saml_attributes[*] == \"groups=${var.okta_contractors_saml_group_name}\")) or not(identity.email == \"${var.okta_bob_user_login}\")"
|
|
block_reason = "This website is blocked according to corporate policies (HTTP)"
|
|
notification_enabled = true
|
|
}
|
|
|
|
allow_chatgpt_log = {
|
|
name = "HTTP - Allow: ChatGPT logging"
|
|
description = "Log ChatGPT requests"
|
|
enabled = true
|
|
action = "allow"
|
|
precedence = local.precedence.chatgpt_allow_log
|
|
filters = ["http"]
|
|
traffic = "any(app.ids[*] == 1199) and any(app_control.controls[*] in {1652})"
|
|
notification_enabled = false
|
|
gen_ai_prompt_log = true
|
|
}
|
|
}
|
|
}
|
|
|
|
#==========================================================
|
|
# Gateway Policies
|
|
#==========================================================
|
|
resource "cloudflare_zero_trust_gateway_policy" "policies" {
|
|
for_each = local.gateway_policies
|
|
|
|
account_id = local.cloudflare_account_id
|
|
name = each.value.name
|
|
description = each.value.description
|
|
enabled = each.value.enabled
|
|
action = each.value.action
|
|
precedence = each.value.precedence
|
|
filters = each.value.filters
|
|
traffic = each.value.traffic
|
|
|
|
# Optional fields
|
|
identity = try(each.value.identity, null)
|
|
device_posture = try(each.value.device_posture, null)
|
|
|
|
rule_settings = merge(
|
|
local.default_block_settings_http,
|
|
{
|
|
block_reason = try(each.value.block_reason, "")
|
|
notification_settings = {
|
|
enabled = try(each.value.notification_enabled, false)
|
|
msg = try(each.value.block_reason, "")
|
|
}
|
|
redirect = try(each.value.redirect_url, null) != null ? {
|
|
target_uri = each.value.redirect_url
|
|
preserve_path_and_query = false
|
|
include_context = false
|
|
} : null
|
|
gen_ai_prompt_log = try(each.value.gen_ai_prompt_log, null) != null ? {
|
|
enabled = each.value.gen_ai_prompt_log
|
|
} : null
|
|
}
|
|
)
|
|
}
|