# =============================================================================
# CLOUDFLARE : Gateway : Policy
# =============================================================================
#
# Gateway DNS policy: block resolution of destinations that Cloudflare tags
# with one of the security categories listed in `traffic` below.
resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
  account_id  = local.cloudflare_account_id
  name        = "Block malware"
  description = "Block known threats based on Cloudflares threat intelligence"

  enabled    = true
  precedence = 10 # evaluation order relative to the other Gateway policies

  # DNS filtering only: HTTP and network (L4) traffic is not covered here.
  filters = ["dns"]
  action  = "block"

  # Match when the queried name carries any of these Cloudflare-defined
  # security category IDs ("security risks"). The numeric list is the
  # policy's whole definition of "malware", so keep it in sync with the
  # category set Cloudflare currently publishes.
  traffic = "any(dns.security_category[*] in {178 80 83 176 175 117 131 134 151 153 68})"

  # NOTE(review): written in block form; the commented example further down
  # uses the attribute form `rule_settings = {`. Confirm which form the
  # pinned provider version expects.
  rule_settings {
    # Serve the Gateway block page on a match instead of a silent failure.
    block_page_enabled = true
  }
}
# Reference only (commented out): a full-attribute sample for this resource.
# The identifiers, addresses and header values below appear to be
# documentation placeholders rather than values from this account.
#resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
# account_id = local.cloudflare_account_id
# action = "allow"
# name = "block bad websites"
# description = "Block bad websites based on their host name."
# device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"
# enabled = true
# expiration = {
# expires_at = "2026-01-01T05:20:20Z"
# duration = 10
# }
# filters = ["http"]
# identity = "any(identity.groups.name[*] in {\"finance\"})"
# precedence = 0
# rule_settings = {
# add_headers = {
# My-Next-Header = ["foo", "bar"]
# X-Custom-Header-Name = ["somecustomvalue"]
# }
# allow_child_bypass = true
# audit_ssh = {
# command_logging = false
# }
# biso_admin_controls = {
# copy = "remote_only"
# dcp = true
# dd = true
# dk = true
# download = "enabled"
# dp = false
# du = true
# keyboard = "enabled"
# paste = "enabled"
# printing = "enabled"
# upload = "enabled"
# version = "v1"
# }
# block_page = {
# target_uri = "https://example.com"
# include_context = true
# }
# block_page_enabled = true
# block_reason = "This website is a security risk"
# bypass_parent_rule = false
# check_session = {
# duration = "300s"
# enforce = true
# }
# dns_resolvers = {
# ipv4 = [{
# ip = "2.2.2.2"
# port = 5053
# route_through_private_network = true
# vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
# }]
# ipv6 = [{
# ip = "2001:DB8::"
# port = 5053
# route_through_private_network = true
# vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
# }]
# }
# egress = {
# ipv4 = "192.0.2.2"
# ipv4_fallback = "192.0.2.3"
# ipv6 = "2001:DB8::/64"
# }
# ignore_cname_category_matches = true
# insecure_disable_dnssec_validation = false
# ip_categories = true
# ip_indicator_feeds = true
# l4override = {
# ip = "1.1.1.1"
# port = 0
# }
# notification_settings = {
# enabled = true
# include_context = true
# msg = "msg"
# support_url = "support_url"
# }
# override_host = "example.com"
# override_ips = ["1.1.1.1", "2.2.2.2"]
# payload_log = {
# enabled = true
# }
# quarantine = {
# file_types = ["exe"]
# }
# redirect = {
# target_uri = "https://example.com"
# include_context = true
# preserve_path_and_query = true
# }
# resolve_dns_internally = {
# fallback = "none"
# view_id = "view_id"
# }
# resolve_dns_through_cloudflare = true
# untrusted_cert = {
# action = "error"
# }
# }
# schedule = {
# time_zone = "Europe/Paris"
# mon = "08:00-12:30,13:30-17:00"
# thu = "08:00-12:30,13:30-17:00"
# tue = "08:00-12:30,13:30-17:00"
# wed = "08:00-12:30,13:30-17:00"
# fri = "08:00-12:30,13:30-17:00"
# sat = "08:00-12:30,13:30-17:00"
# sun = "08:00-12:30,13:30-17:00"
# }
# traffic = "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
#}