Merge pull request #9 from m4xmorris/fix-device-policy
Fix error in device policies and add a few more defaults
m4xmorris authored Nov 27, 2023
2 parents d57ec48 + ca6a229 commit 59740e3
Showing 3 changed files with 42 additions and 29 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/terraform-build-test.tf
Expand Up @@ -21,6 +21,4 @@ module "terraform_cloudflare_access_application" {
cloudflare_zone_id = "null"
github_idp = "null"
github_org = "Null"
github_teams = ["Null"]
allowed_emails = []
}
44 changes: 28 additions & 16 deletions main.tf
Expand Up @@ -11,11 +11,13 @@ resource "cloudflare_access_application" "application" {
}

resource "cloudflare_access_policy" "github_policy" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} GitHub Policy"
precedence = "1"
decision = "allow"
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} GitHub Policy"
precedence = "1"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
github {
name = var.github_org
Expand All @@ -26,25 +28,35 @@ resource "cloudflare_access_policy" "github_policy" {
}

resource "cloudflare_access_policy" "email_policy" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Email Policy"
precedence = "2"
decision = "allow"
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Email Policy"
precedence = "2"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
email = var.allowed_emails
}
count = length(var.allowed_emails) == 0 ? 0 : 1
}

resource "cloudflare_access_policy" "device_policy" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Device Policy"
precedence = "10"
decision = var.device_policy_mode
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Device Policy"
precedence = "10"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
github {
name = var.github_org
identity_provider_id = var.github_idp
}
}
require {
device_posture = var.device_policy_rules
}
count = var.device_policy_mode != "disabled" ? 1 : 0
count = length(var.device_policy_rules) == 0 ? 0 : 1
}
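Review bot: Hard-coding `decision = "allow"` on `device_policy` while `github_policy` (precedence 1) allows the same GitHub org with no posture requirement means the new `require { device_posture = var.device_policy_rules }` block does not make a compliant device mandatory: as far as I know Access evaluates Allow policies in precedence order and admits on the first match, so a user satisfying `github_policy` never reaches `device_policy` (precedence 10) and the new resource is only a redundant allow path — worth confirming against the Access evaluation rules. If the intent is to gate GitHub users on posture, the `require` block belongs on `github_policy`, e.g. `dynamic "require" { for_each = length(var.device_policy_rules) == 0 ? [] : [1]; content { device_posture = var.device_policy_rules } }`, or `github_policy` should get `count = length(var.device_policy_rules) == 0 ? 1 : 0` so only one allow path exists. At minimum add a comment above `resource "cloudflare_access_policy" "device_policy"` such as `# Additional allow path for GitHub users on a compliant device; does NOT restrict github_policy/email_policy`. Fixing the decision also silently drops the `deny`/`non_identity`/`bypass` modes the old `device_policy_mode` offered, which is a behaviour change the commit message should state. The first hunk of this file is cut at the `github` include block, so how `github_teams` is used there is not visible from here.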
25 changes: 14 additions & 11 deletions variables.tf
Expand Up @@ -77,27 +77,30 @@ variable "github_org" {

variable "github_teams" {
type = list(string)
default = []
description = "List of GitHub Teams to allow"
}

variable "allowed_emails" {
type = list(string)
default = []
description = "List of email addresses permitted to login via OTP"
}

variable "device_policy_mode" {
type = string
description = "Decision mode for the WARP/device policy"
default = "disabled"

validation {
condition = can(regex("^allow$|^deny$|^non_identity$|^bypass$|^disabled$", var.device_policy_mode))
error_message = "Invalid value for device_policy_mode. Must be one of allow, deny, non_identity, bypass, or disabled."
}
}

variable "device_policy_rules" {
type = list(string)
default = []
description = "List of WARP/device posture rule IDs to check for the device policy"
}

variable "purpose_justification_required" {
type = bool
default = false
description = "Whether user must provide a justification for accessing the application"
}

variable "purpose_justification_prompt" {
type = string
default = "Access to this application requires a justification/reason to be provided to your administrator."
description = "Prompt to display when prompting for access justification"
}
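Review bot: Replacing `device_policy_mode` with `device_policy_rules` appears to remove a module input with no transition, so any caller still setting `device_policy_mode` will fail at plan time with an unexpected-argument error, and neither the commit message nor the variable descriptions call out the breaking change. Consider keeping a deprecated `device_policy_mode` variable (unused, with a description saying it is ignored) for one release, or at least noting the removal in the description. `device_policy_rules` also has no `validation` block where the removed variable had one; rejecting blank entries with `condition = alltrue([for r in var.device_policy_rules : length(trimspace(r)) > 0])` and `error_message = "device_policy_rules must not contain empty rule IDs."` would catch a misconfiguration that otherwise surfaces only at apply time.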
