Merge pull request #13 from m4xmorris/add-gateway-policy
Add Gateway policy and split policies to separate file
m4xmorris authored Nov 29, 2023
2 parents faec5e5 + f27fc18 commit 39171de
Showing 4 changed files with 142 additions and 124 deletions.
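--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,12 @@
+terraform {
+required_providers {
+cloudflare = {
+source = "cloudflare/cloudflare"
+version = "~> 4.0"
+}
+}
+}
+
 resource "cloudflare_access_application" "application" {
 zone_id = var.cloudflare_zone_id
 name = var.name
@@ -8,120 +17,4 @@ resource "cloudflare_access_application" "application" {
 app_launcher_visible = var.app_launcher_visible
 session_duration = var.session_duration
 auto_redirect_to_identity = false
-}
-
-resource "cloudflare_access_policy" "github_policy" {
-application_id = cloudflare_access_application.application.id
-zone_id = var.cloudflare_zone_id
-name = "${var.name} GitHub Policy"
-precedence = "1"
-decision = "allow"
-purpose_justification_required = var.purpose_justification_required
-purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
-include {
-github {
-identity_provider_id = var.github_idp
-name = var.github_org
-teams = var.github_teams
-}
-}
-count = length(flatten([var.device_policy_rules_windows, var.device_policy_rules_macos, var.device_policy_rules_ios, var.device_policy_rules_android])) == 0 ? 1 : 0
-}
-
-resource "cloudflare_access_policy" "device_policy_windows" {
-application_id = cloudflare_access_application.application.id
-zone_id = var.cloudflare_zone_id
-name = "${var.name} Device Policy (Windows)"
-precedence = "1"
-decision = "allow"
-purpose_justification_required = var.purpose_justification_required
-purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
-include {
-github {
-identity_provider_id = var.github_idp
-name = var.github_org
-teams = var.github_teams
-}
-}
-require {
-device_posture = var.device_policy_rules_windows
-}
-count = length(var.device_policy_rules_windows) == 0 ? 0 : 1
-}
-
-resource "cloudflare_access_policy" "device_policy_macos" {
-application_id = cloudflare_access_application.application.id
-zone_id = var.cloudflare_zone_id
-name = "${var.name} Device Policy (macOS)"
-precedence = "2"
-decision = "allow"
-purpose_justification_required = var.purpose_justification_required
-purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
-include {
-github {
-identity_provider_id = var.github_idp
-name = var.github_org
-teams = var.github_teams
-}
-}
-require {
-device_posture = var.device_policy_rules_macos
-}
-count = length(var.device_policy_rules_macos) == 0 ? 0 : 1
-}
-
-resource "cloudflare_access_policy" "device_policy_ios" {
-application_id = cloudflare_access_application.application.id
-zone_id = var.cloudflare_zone_id
-name = "${var.name} Device Policy (iOS)"
-precedence = "3"
-decision = "allow"
-purpose_justification_required = var.purpose_justification_required
-purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
-include {
-github {
-identity_provider_id = var.github_idp
-name = var.github_org
-teams = var.github_teams
-}
-}
-require {
-device_posture = var.device_policy_rules_ios
-}
-count = length(var.device_policy_rules_ios) == 0 ? 0 : 1
-}
-
-resource "cloudflare_access_policy" "device_policy_android" {
-application_id = cloudflare_access_application.application.id
-zone_id = var.cloudflare_zone_id
-name = "${var.name} Device Policy (Android)"
-precedence = "4"
-decision = "allow"
-purpose_justification_required = var.purpose_justification_required
-purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
-include {
-github {
-identity_provider_id = var.github_idp
-name = var.github_org
-teams = var.github_teams
-}
-}
-require {
-device_posture = var.device_policy_rules_android
-}
-count = length(var.device_policy_rules_android) == 0 ? 0 : 1
-}
-
-resource "cloudflare_access_policy" "email_policy" {
-application_id = cloudflare_access_application.application.id
-zone_id = var.cloudflare_zone_id
-name = "${var.name} Email Policy"
-precedence = "5"
-decision = "allow"
-purpose_justification_required = var.purpose_justification_required
-purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
-include {
-email = var.allowed_emails
-}
-count = length(var.allowed_emails) == 0 ? 0 : 1
 }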
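--- a/policies.tf
+++ b/policies.tf
@@ -0,0 +1,127 @@
+resource "cloudflare_access_policy" "github_policy" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} GitHub Policy"
+precedence = "1"
+decision = "allow"
+purpose_justification_required = var.purpose_justification_required
+purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
+include {
+github {
+identity_provider_id = var.github_idp
+name = var.github_org
+teams = var.github_teams
+}
+}
+count = length(flatten([var.device_policy_rules_windows, var.device_policy_rules_macos, var.device_policy_rules_ios, var.device_policy_rules_android])) == 0 ? 1 : 0
+}
+
+resource "cloudflare_access_policy" "device_policy_windows" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} Device Policy (Windows)"
+precedence = "1"
+decision = "allow"
+purpose_justification_required = var.purpose_justification_required
+purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
+include {
+github {
+identity_provider_id = var.github_idp
+name = var.github_org
+teams = var.github_teams
+}
+}
+require {
+device_posture = var.device_policy_rules_windows
+}
+count = length(var.device_policy_rules_windows) == 0 ? 0 : 1
+}
+
+resource "cloudflare_access_policy" "device_policy_macos" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} Device Policy (macOS)"
+precedence = "2"
+decision = "allow"
+purpose_justification_required = var.purpose_justification_required
+purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
+include {
+github {
+identity_provider_id = var.github_idp
+name = var.github_org
+teams = var.github_teams
+}
+}
+require {
+device_posture = var.device_policy_rules_macos
+}
+count = length(var.device_policy_rules_macos) == 0 ? 0 : 1
+}
+
+resource "cloudflare_access_policy" "device_policy_ios" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} Device Policy (iOS)"
+precedence = "3"
+decision = "allow"
+purpose_justification_required = var.purpose_justification_required
+purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
+include {
+github {
+identity_provider_id = var.github_idp
+name = var.github_org
+teams = var.github_teams
+}
+}
+require {
+device_posture = var.device_policy_rules_ios
+}
+count = length(var.device_policy_rules_ios) == 0 ? 0 : 1
+}
+
+resource "cloudflare_access_policy" "device_policy_android" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} Device Policy (Android)"
+precedence = "4"
+decision = "allow"
+purpose_justification_required = var.purpose_justification_required
+purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
+include {
+github {
+identity_provider_id = var.github_idp
+name = var.github_org
+teams = var.github_teams
+}
+}
+require {
+device_posture = var.device_policy_rules_android
+}
+count = length(var.device_policy_rules_android) == 0 ? 0 : 1
+}
+
+resource "cloudflare_access_policy" "gateway_policy" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} Gateway Policy"
+precedence = "5"
+decision = "non_identity"
+include {
+device_posture = [var.gateway_device_rule_id]
+}
+count = var.gateway_device_rule_id != "null" ? 1 : 0
+}
+
+resource "cloudflare_access_policy" "email_policy" {
+application_id = cloudflare_access_application.application.id
+zone_id = var.cloudflare_zone_id
+name = "${var.name} Email Policy"
+precedence = "6"
+decision = "allow"
+purpose_justification_required = var.purpose_justification_required
+purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
+include {
+email = var.allowed_emails
+}
+count = length(var.allowed_emails) == 0 ? 0 : 1
+}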
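Review bot: The new gateway_policy keys its existence on a string sentinel, `count = var.gateway_device_rule_id != "null" ? 1 : 0`, matching the `default = "null"` the companion variables.tf hunk declares; a caller that passes a real `null` or an empty string appears to satisfy that comparison, so a `non_identity` policy would be created with an unusable `device_posture` entry instead of being skipped. Because `decision = "non_identity"` grants access on device posture alone with no identity login, this guard deserves to be the strict one: declare the variable with `default = null` in variables.tf and use `count = var.gateway_device_rule_id == null ? 0 : 1` here (a `validation` block rejecting an empty string would close the remaining gap). The resource would also benefit from a comment stating that intent, e.g. `# Service Auth policy: the device-posture rule is the only gate, no identity check is performed.`.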
8 changes: 0 additions & 8 deletions providers.tf

This file was deleted.

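--- a/variables.tf
+++ b/variables.tf
@@ -121,4 +121,10 @@ variable "purpose_justification_prompt" {
 type = string
 default = "Access to this application requires a justification/reason to be provided to your administrator."
 description = "Prompt to display when prompting for access justification"
+}
+
+variable "gateway_device_rule_id" {
+type = string
+default = "null"
+description = "ID of a Gateway device rule to add a \"Service Auth\" policy that skips login page for Gateway/WARP users"
 }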
