Hubert Cornet
9987aaae75
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 12s
204 lines
5.6 KiB
HCL
204 lines
5.6 KiB
HCL
# =============================================================================
|
|
# CLOUDFLARE : Gateway : Policy
|
|
# =============================================================================
|
|
|
|
# POLICY: block_malware
|
|
resource "cloudflare_zero_trust_gateway_policy" "block_malware" {
|
|
account_id = local.cloudflare_account_id
|
|
|
|
name = "Block malware"
|
|
description = "Block known threats based on Cloudflare s threat intelligence"
|
|
|
|
enabled = true
|
|
precedence = 10
|
|
|
|
# Block all security risks
|
|
filters = ["dns"]
|
|
traffic = "any(dns.security_category[*] in {178 80 83 176 175 117 131 134 151 153 68})"
|
|
action = "block"
|
|
|
|
rule_settings = {
|
|
block_page_enabled = true
|
|
}
|
|
}
|
|
|
|
# POLICY: Block Ads
|
|
|
|
locals {
|
|
# Iterate through each ads_domain_list resource and extract its ID
|
|
ads_domain_lists = [for k, v in cloudflare_zero_trust_list.ads_domain_lists : v.id]
|
|
|
|
# Format the values: remove dashes and prepend $
|
|
ads_domain_lists_formatted = [for v in local.ads_domain_lists : format("$%s", replace(v, "-", ""))]
|
|
|
|
# Create filters to use in the policy
|
|
ads_ad_filters = formatlist("any(dns.domains[*] in %s)", local.ads_domain_lists_formatted)
|
|
ads_ad_filter = join(" or ", local.ads_ad_filters)
|
|
}
|
|
|
|
resource "cloudflare_zero_trust_gateway_policy" "block_ads" {
|
|
account_id = local.cloudflare_account_id
|
|
|
|
name = "Block Ads"
|
|
description = "Block Ads domains"
|
|
|
|
enabled = true
|
|
precedence = 11
|
|
|
|
# Block domain belonging to lists (defined below)
|
|
filters = ["dns"]
|
|
action = "block"
|
|
traffic = local.ads_ad_filter
|
|
|
|
rule_settings {
|
|
block_page_enabled = false
|
|
}
|
|
}
|
|
|
|
locals {
|
|
# The full path of the list holding the domain list
|
|
ads_domain_list_file = "${path.module}/lists/pihole_domain_list.txt"
|
|
|
|
# Parse the file and create a list, one item per line
|
|
ads_domain_list = split("\n", file(local.ads_domain_list_file))
|
|
|
|
# Remove empty lines
|
|
ads_domain_list_clean = [for x in local.ads_domain_list : x if x != ""]
|
|
|
|
# Use chunklist to split a list into fixed-size chunks
|
|
# It returns a list of lists
|
|
ads_aggregated_lists = chunklist(local.ads_domain_list_clean, 1000)
|
|
|
|
# Get the number of lists (chunks) created
|
|
ads_list_count = length(local.ads_aggregated_lists)
|
|
}
|
|
|
|
resource "cloudflare_zero_trust_list" "ads_domain_lists" {
|
|
account_id = local.cloudflare_account_id
|
|
|
|
for_each = {
|
|
for i in range(0, local.ads_list_count) :
|
|
i => element(local.ads_aggregated_lists, i)
|
|
}
|
|
|
|
name = "ads_domain_list_${each.key}"
|
|
type = "DOMAIN"
|
|
items = each.value
|
|
}
|
|
|
|
#
|
|
#resource "cloudflare_zero_trust_gateway_policy" "example_zero_trust_gateway_policy" {
|
|
# account_id = local.cloudflare_account_id
|
|
# action = "allow"
|
|
# name = "block bad websites"
|
|
# description = "Block bad websites based on their host name."
|
|
# device_posture = "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})"
|
|
# enabled = true
|
|
# expiration = {
|
|
# expires_at = "2026-01-01T05:20:20Z"
|
|
# duration = 10
|
|
# }
|
|
# filters = ["http"]
|
|
# identity = "any(identity.groups.name[*] in {\"finance\"})"
|
|
# precedence = 0
|
|
# rule_settings = {
|
|
# add_headers = {
|
|
# My-Next-Header = ["foo", "bar"]
|
|
# X-Custom-Header-Name = ["somecustomvalue"]
|
|
# }
|
|
# allow_child_bypass = true
|
|
# audit_ssh = {
|
|
# command_logging = false
|
|
# }
|
|
# biso_admin_controls = {
|
|
# copy = "remote_only"
|
|
# dcp = true
|
|
# dd = true
|
|
# dk = true
|
|
# download = "enabled"
|
|
# dp = false
|
|
# du = true
|
|
# keyboard = "enabled"
|
|
# paste = "enabled"
|
|
# printing = "enabled"
|
|
# upload = "enabled"
|
|
# version = "v1"
|
|
# }
|
|
# block_page = {
|
|
# target_uri = "https://example.com"
|
|
# include_context = true
|
|
# }
|
|
# block_page_enabled = true
|
|
# block_reason = "This website is a security risk"
|
|
# bypass_parent_rule = false
|
|
# check_session = {
|
|
# duration = "300s"
|
|
# enforce = true
|
|
# }
|
|
# dns_resolvers = {
|
|
# ipv4 = [{
|
|
# ip = "2.2.2.2"
|
|
# port = 5053
|
|
# route_through_private_network = true
|
|
# vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
|
|
# }]
|
|
# ipv6 = [{
|
|
# ip = "2001:DB8::"
|
|
# port = 5053
|
|
# route_through_private_network = true
|
|
# vnet_id = "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
|
|
# }]
|
|
# }
|
|
# egress = {
|
|
# ipv4 = "192.0.2.2"
|
|
# ipv4_fallback = "192.0.2.3"
|
|
# ipv6 = "2001:DB8::/64"
|
|
# }
|
|
# ignore_cname_category_matches = true
|
|
# insecure_disable_dnssec_validation = false
|
|
# ip_categories = true
|
|
# ip_indicator_feeds = true
|
|
# l4override = {
|
|
# ip = "1.1.1.1"
|
|
# port = 0
|
|
# }
|
|
# notification_settings = {
|
|
# enabled = true
|
|
# include_context = true
|
|
# msg = "msg"
|
|
# support_url = "support_url"
|
|
# }
|
|
# override_host = "example.com"
|
|
# override_ips = ["1.1.1.1", "2.2.2.2"]
|
|
# payload_log = {
|
|
# enabled = true
|
|
# }
|
|
# quarantine = {
|
|
# file_types = ["exe"]
|
|
# }
|
|
# redirect = {
|
|
# target_uri = "https://example.com"
|
|
# include_context = true
|
|
# preserve_path_and_query = true
|
|
# }
|
|
# resolve_dns_internally = {
|
|
# fallback = "none"
|
|
# view_id = "view_id"
|
|
# }
|
|
# resolve_dns_through_cloudflare = true
|
|
# untrusted_cert = {
|
|
# action = "error"
|
|
# }
|
|
# }
|
|
# schedule = {
|
|
# time_zone = "Europe/Paris"
|
|
# mon = "08:00-12:30,13:30-17:00"
|
|
# thu = "08:00-12:30,13:30-17:00"
|
|
# tue = "08:00-12:30,13:30-17:00"
|
|
# wed = "08:00-12:30,13:30-17:00"
|
|
# fri = "08:00-12:30,13:30-17:00"
|
|
# sat = "08:00-12:30,13:30-17:00"
|
|
# sun = "08:00-12:30,13:30-17:00"
|
|
# }
|
|
# traffic = "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
|
|
#} |