# =============================================================================
# CLOUDFLARE : Access : Groups
# =============================================================================
locals {
  # Okta SAML group names, keyed by a stable Terraform identifier.
  # Each value is used twice below: as the Access group name and as the
  # SAML "groups" attribute value that Okta must assert for the user.
  saml_groups = {
    contractors          = "Contractors"
    infrastructure_admin = "InfrastructureAdmin"
    sales_engineering    = "SalesEngineering"
    sales                = "Sales"
    it_admin             = "ITAdmin"
  }

  # Geographic allowlist: ISO 3166-1 alpha-2 codes included by the
  # "Country Requirements" group.
  allowed_countries = ["FR", "DE", "US", "GB"]

  # Geographic denylist: codes excluded by the same group. Cloudflare
  # Access applies exclude rules on top of include rules, so a code present
  # in both lists is denied; keep the two lists disjoint so an entry here
  # is never a silent no-op.
  blocked_countries = ["CN", "RU", "AF", "BY", "CD", "CU", "IR", "IQ", "KP", "MM", "SD", "SY", "UA", "ZW"]

  # Device posture integration UIDs, one per supported OS, referenced by
  # the "Latest OS Version Requirements" group. Passed in as variables so
  # environment-specific IDs are not hard-coded in this file.
  os_posture_checks = [
    var.cloudflare_linux_posture_id,
    var.cloudflare_macos_posture_id,
    var.cloudflare_windows_posture_id
  ]
}
# SAML Rule Groups
#
# One Access group per entry in local.saml_groups. Membership is asserted by
# Okta through the SAML "groups" attribute: a user belongs to the group when
# the assertion from the configured IdP carries the matching value.
resource "cloudflare_zero_trust_access_group" "saml_groups" {
  for_each = local.saml_groups

  account_id = local.cloudflare_account_id
  name       = each.value

  include = [
    {
      saml = {
        # Scoped to the Okta IdP so an assertion from any other configured
        # identity provider cannot satisfy this rule.
        attribute_name       = "groups"
        attribute_value      = local.saml_groups[each.key]
        identity_provider_id = var.cloudflare_okta_identity_provider_id
      }
    }
  ]
}
# Geographic Rule Groups
#
# The request must originate from one of local.allowed_countries and must not
# originate from local.blocked_countries. Cloudflare Access applies exclude
# rules on top of include rules, so exclude wins if a code appears in both.
# Geo matching is based on the client IP's geolocation and is a coarse
# control; it should complement, not replace, the identity groups below.
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Country Requirements"

  # Include rules are OR-ed: any one matching country is sufficient.
  include = [for cc in local.allowed_countries : { geo = { country_code = cc } }]

  # Defence in depth: these countries stay denied even if one is later added
  # to the allowlist by mistake.
  exclude = [for cc in local.blocked_countries : { geo = { country_code = cc } }]
}
# Device Posture Rule Groups
#
# The requesting device must pass at least one of the posture checks listed
# in local.os_posture_checks (one per supported OS). Include rules are OR-ed,
# so a device only has to satisfy the check for its own operating system.
resource "cloudflare_zero_trust_access_group" "latest_os_version_requirements_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Latest OS Version Requirements"

  # NOTE(review): device posture is only reported by devices running the WARP
  # client; use this group alongside an identity group in policies rather
  # than on its own.
  include = [
    for uid in local.os_posture_checks : { device_posture = { integration_uid = uid } }
  ]
}
# Composite Rule Groups
#
# Groups assembled from the SAML groups above. Cloudflare Access OR-s the
# include rules, so membership in any one of the referenced SAML groups is
# enough to match.

# Employees: every SAML group except "contractors". The members are listed
# explicitly rather than derived from keys(local.saml_groups) so that a SAML
# group added to locals later is not granted employee access implicitly, and
# a mistyped key fails at plan time (no such element in the for_each set).
resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Employees"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["sales"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id } }
  ]
}
# Sales Team: members of either the Sales or the SalesEngineering SAML group
# (include rules are OR-ed). Keys are spelled out so a typo is caught at
# plan time rather than silently producing an empty group.
resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Sales Team"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["sales"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id } }
  ]
}
# Administrators: members of either the ITAdmin or the InfrastructureAdmin
# SAML group (include rules are OR-ed). This is the most privileged group in
# this file; additions here should be reviewed as an access grant, and the
# upstream Okta group memberships are what actually bound it.
resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Administrators"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id } },
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id } }
  ]
}
# Contractors Extended: the "Contractors" SAML group OR any identity whose
# email address is at var.cloudflare_email_domain. Because include rules are
# OR-ed, the email_domain rule on its own admits every account on the
# corporate domain regardless of SAML group membership, so this group is
# broader than "Contractors" and likely a superset of Employees.
# NOTE(review): if the intent is "contractors who also hold a corporate
# mailbox", the email_domain rule belongs under `require`, not `include` —
# confirm before using this group to gate anything contractor-only.
resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
  account_id = local.cloudflare_account_id
  name       = "Contractors Extended"

  include = [
    { group = { id = cloudflare_zero_trust_access_group.saml_groups["contractors"].id } },
    { email_domain = { domain = var.cloudflare_email_domain } }
  ]
}