Merge pull request #11 from m4xmorris/device-policy-os
Add ability to filter device rules by OS
m4xmorris authored Nov 28, 2023
2 parents d3d88db + 8149403 commit 719bffc
Showing 2 changed files with 93 additions and 12 deletions.
83 changes: 73 additions & 10 deletions main.tf
Expand Up @@ -25,28 +25,56 @@ resource "cloudflare_access_policy" "github_policy" {
teams = var.github_teams
}
}
count = length(var.device_policy_rules) == 0 ? 1 : 0
count = length(flatten([var.device_policy_rules_windows, var.device_policy_rules_macos, var.device_policy_rules_ios, var.device_policy_rules_android])) == 0 ? 1 : 0
}

resource "cloudflare_access_policy" "email_policy" {
resource "cloudflare_access_policy" "device_policy_windows" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Email Policy"
name = "${var.name} Device Policy (Windows)"
precedence = "1"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
github {
identity_provider_id = var.github_idp
name = var.github_org
teams = var.github_teams
}
}
require {
device_posture = var.device_policy_rules_windows
}
count = length(var.device_policy_rules_windows) == 0 ? 0 : 1
}

resource "cloudflare_access_policy" "device_policy_macos" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Device Policy (macOS)"
precedence = "2"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
email = var.allowed_emails
github {
identity_provider_id = var.github_idp
name = var.github_org
teams = var.github_teams
}
}
count = length(var.allowed_emails) == 0 ? 0 : 1
require {
device_posture = var.device_policy_rules_macos
}
count = length(var.device_policy_rules_macos) == 0 ? 0 : 1
}

resource "cloudflare_access_policy" "device_policy" {
resource "cloudflare_access_policy" "device_policy_ios" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Device Policy"
precedence = "1"
name = "${var.name} Device Policy (iOS)"
precedence = "3"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
Expand All @@ -58,7 +86,42 @@ resource "cloudflare_access_policy" "device_policy" {
}
}
require {
device_posture = var.device_policy_rules
device_posture = var.device_policy_rules_ios
}
count = length(var.device_policy_rules) == 0 ? 0 : 1
count = length(var.device_policy_rules_ios) == 0 ? 0 : 1
}

resource "cloudflare_access_policy" "device_policy_android" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Device Policy (Android)"
precedence = "4"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
github {
identity_provider_id = var.github_idp
name = var.github_org
teams = var.github_teams
}
}
require {
device_posture = var.device_policy_rules_android
}
count = length(var.device_policy_rules_android) == 0 ? 0 : 1
}

resource "cloudflare_access_policy" "email_policy" {
application_id = cloudflare_access_application.application.id
zone_id = var.cloudflare_zone_id
name = "${var.name} Email Policy"
precedence = "5"
decision = "allow"
purpose_justification_required = var.purpose_justification_required
purpose_justification_prompt = var.purpose_justification_required ? var.purpose_justification_prompt : null
include {
email = var.allowed_emails
}
count = length(var.allowed_emails) == 0 ? 0 : 1
}
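Review bot: Once any of the four per-OS rule lists is non-empty the posture-free `github_policy` fallback is dropped (its `count` becomes 0), and an OS whose list is still empty gets no allow policy at all because each `device_policy_*` count is 0 for an empty list — so GitHub-team users on that OS are denied unless they also match `email_policy`. That is fail-closed, which is the right default, but nothing says so; I'd put above the `count = length(flatten([...` line: `# Posture-free fallback, created only while no OS has device rules. Once any OS list is set, an OS whose list is empty gets no allow policy (deny by default).` Note that `github_policy` begins before this hunk, and that `email_policy` (now precedence 5) still carries no `require` block, so OTP users are admitted with no posture check at all — worth a comment if that is intended. Separately, the four `device_policy_*` resources differ only in label, precedence and rule list; a `for_each` over a local map (below, assuming the iOS include block hidden by the collapsed lines matches the others) keeps them from drifting, at the cost of new resource addresses that would need `moved` blocks (the commit's rename of `device_policy` already forces a destroy/create).
```hcl
locals {
  # Label, precedence and rule list per platform; an empty list yields no policy for that OS.
  device_policies = {
    windows = { label = "Windows", precedence = "1", rules = var.device_policy_rules_windows }
    macos   = { label = "macOS",   precedence = "2", rules = var.device_policy_rules_macos }
    ios     = { label = "iOS",     precedence = "3", rules = var.device_policy_rules_ios }
    android = { label = "Android", precedence = "4", rules = var.device_policy_rules_android }
  }
}

resource "cloudflare_access_policy" "device_policy" {
  for_each = { for os, p in local.device_policies : os => p if length(p.rules) > 0 }

  application_id = cloudflare_access_application.application.id
  zone_id        = var.cloudflare_zone_id
  name           = "${var.name} Device Policy (${each.value.label})"
  precedence     = each.value.precedence
  decision       = "allow"
  # … unchanged: purpose_justification_* attributes and the github include block …
  require {
    device_posture = each.value.rules
  }
}
```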
22 changes: 20 additions & 2 deletions variables.tf
Expand Up @@ -87,10 +87,28 @@ variable "allowed_emails" {
description = "List of email addresses permitted to login via OTP"
}

variable "device_policy_rules" {
variable "device_policy_rules_windows" {
type = list(string)
default = []
description = "List of WARP/device posture rule IDs to check for the device policy"
description = "List of WARP/device posture rule IDs to check for Windows"
}

variable "device_policy_rules_macos" {
type = list(string)
default = []
description = "List of WARP/device posture rule IDs to check for macOS"
}

variable "device_policy_rules_ios" {
type = list(string)
default = []
description = "List of WARP/device posture rule IDs to check for iOS"
}

variable "device_policy_rules_android" {
type = list(string)
default = []
description = "List of WARP/device posture rule IDs to check for Android"
}

variable "purpose_justification_required" {
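Review bot: The new descriptions say which OS each list is "for", but nothing in main.tf scopes a policy to an operating system — the split only works if the IDs in each list are posture rules that can only pass on that platform, and a platform-neutral rule placed in `device_policy_rules_windows` would, as far as the posture check goes, admit an enrolled device of any OS. I'd state that contract and the empty-list behaviour in each description, e.g. `description = "Posture rule IDs (Windows-specific checks) required for Windows devices; leave empty to grant no device-based access for Windows"`, with the matching wording for macOS, iOS and Android. The `purpose_justification_required` variable opened on the hunk's last line continues outside it.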
