Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5d23f7bb264bc2741d62875e716b44a6169dbb0c
terraform-cloudflare-tunnel…/Traffic_Policies-Firewall_Policies-DNS.tf
hcornet 4d35926c32
All checks were successful
Terraform Apply / Terraform Apply (push) Successful in 4m25s
Details
removal of the term: example
2025-11-20 11:05:40 +01:00

74 lines
2.7 KiB
HCL
Raw Blame History

# =============================================================================
# CLOUDFLARE : Traffic Policies : Firewall Policies : DNS
# =============================================================================
# POLICY: block_malware
resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
account_id = local.cloudflare_account_id
name = "DNS - Block malware"
description = "Block known threats based on Cloudflare s threat intelligence"
enabled = true
precedence = 10
# Block all security risks
filters = ["dns"]
traffic = "any(dns.security_category[*] in {178 80 83 176 175 117 131 134 151 153 68})"
action = "block"
rule_settings = {
block_page_enabled = true
}
}
# POLICY: Block Ads
locals {
ads_domain_lists = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]
ads_domain_lists_formatted = [for v in local.ads_domain_lists : format("$%s", replace(v, "-", ""))]
ads_ad_filters = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted)
ads_ad_filter = join(" or ", local.ads_ad_filters)
}
resource "cloudflare_zero_trust_gateway_policy" "block_ads" {
account_id = local.cloudflare_account_id
name = "DNS - Block Ads"
description = "Block Ads domains"
enabled = true
precedence = 11
# Block domain belonging to lists (defined below)
filters = ["dns"]
traffic = local.ads_ad_filter_new
action = "block"
rule_settings = {
block_page_enabled = false
}
}
locals {
ads_domain_list_file = "${path.module}/lists/pihole_domain_list.txt"
ads_domain_list = length(file(local.ads_domain_list_file)) > 0 ? split("\n", file(local.ads_domain_list_file)) : []
ads_domain_list_clean = [for x in local.ads_domain_list : x if x != ""]
ads_aggregated_lists = chunklist(local.ads_domain_list_clean, 1000)
ads_list_count = length(local.ads_aggregated_lists)
ads_domain_lists_new = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]
ads_domain_lists_formatted_new = [for v in local.ads_domain_lists_new : format("$%s", replace(v, "-", ""))]
ads_ad_filters_new = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted_new)
ads_ad_filter_new = join(" or ", local.ads_ad_filters_new)
}
resource "cloudflare_zero_trust_list" "ads_domain_lists" {
account_id = local.cloudflare_account_id
for_each = {
for i in range(0, local.ads_list_count) :
i => element(local.ads_aggregated_lists, i)
}
name = "ads_domain_list_${each.key}"
type = "DOMAIN"
items = [for domain in each.value : {
value = domain
}]
}
Reference in New Issue View Git Blame Copy Permalink