diff --git a/.gitea/workflows/validate.yml b/.gitea/workflows/validate.yml
index f12f03f..4c5e76b 100644
--- a/.gitea/workflows/validate.yml
+++ b/.gitea/workflows/validate.yml
@@ -54,11 +54,11 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- - name: Terraform Destroy
- run: terraform destroy -var="cloudflare_api_token=${{ secrets.CLOUDFLARE_API_TOKEN }}" -var="vault_token=${{ secrets.VAULT_TOKEN }}" --auto-approve --input=false
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+# - name: Terraform Destroy
+# run: terraform destroy -var="cloudflare_api_token=${{ secrets.CLOUDFLARE_API_TOKEN }}" -var="vault_token=${{ secrets.VAULT_TOKEN }}" --auto-approve --input=false
+# env:
+# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 - name: Terraform Output
 run: terraform output
diff --git a/Access_Controls-Applications.tf b/Access_Controls-Applications.tf
index 5d4973e..5a5e255 100644
--- a/Access_Controls-Applications.tf
+++ b/Access_Controls-Applications.tf
@@ -3,7 +3,7 @@
 # =============================================================================
 #
-resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" {
+resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
 account_id = local.cloudflare_account_id
 type = "self_hosted"
 name = "Home Network Access Application"
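Review bot: The `run:` line of the disabled step passes `${{ secrets.CLOUDFLARE_API_TOKEN }}` and `${{ secrets.VAULT_TOKEN }}` as `-var=` arguments, which puts both tokens into the step's shell command line and, depending on the runner's command tracing, into the job log; the plan/apply steps that remain above this hunk presumably use the same form. When this step comes back, move the tokens into the step `env:` as `TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}` and `TF_VAR_vault_token: ${{ secrets.VAULT_TOKEN }}` so Terraform reads them from the environment instead of the argument list. Disabling the step by commenting it out also leaves YAML that will drift from the live steps; `if: false` on the step, or deleting it and relying on history, is easier to keep current. The enclosing job starts outside the hunk.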
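Review bot: Renaming `example_zero_trust_access_application` to `zero_trust_access_application` changes the resource address, so without a `moved` block Terraform will plan to destroy the existing Access application and create a new one with a new ID (only the `resource` line changes here; the block body continues outside the hunk). Add `moved { from = cloudflare_zero_trust_access_application.example_zero_trust_access_application  to = cloudflare_zero_trust_access_application.zero_trust_access_application }` beside the resource so state follows the rename. The same rename-without-`moved` pattern appears in Traffic_Policies-Traffic_Settings-Certificates.tf and Traffic_Policies-Traffic_Settings-Policy_Setting.tf; for the gateway certificate in particular a recreate issues a fresh certificate, so any clients that trust the current one would presumably need the replacement distributed — worth confirming before apply.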
@@ -18,286 +18,7 @@ resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_a
 ]
 }
-data "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" {
+data "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
 account_id = local.cloudflare_account_id
 app_id = cloudflare_zero_trust_access_application.example_zero_trust_access_application.id
 }
-
-#======================================================
-# INFRASTRUCTURE APP: MySQL Database (Infrastructure)
-#======================================================
-# Creating the Target
-#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
-# account_id = local.cloudflare_account_id
-# hostname = var.cloudflare_target_ssh_name
-# hostname = "GCP-database"
-# ip = {
-# ipv4 = {
-# ip_addr = var.gcp_vm_internal_ip
-# ip_addr = "10.0.4.100"
-# }
-# }
-#}
-
-# Creating the infrastructure Application
-#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
-# account_id = local.cloudflare_account_id
-# type = "infrastructure"
-# name = var.cloudflare_infra_app_name
-# name = "GCP Infrastructure SSH database"
-# logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
-# tags = ["devops"]
-# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-
-# target_criteria = [{
-# port = "22",
-# protocol = "SSH"
-# target_attributes = {
-# hostname = var.cloudflare_target_ssh_name
-# },
-# }]
-
-# policies = [{
-# name = "SSH GCP Infrastructure Policy"
-# decision = "allow"
-
-# allowed_idps = [var.cloudflare_okta_identity_provider_id]
-# auto_redirect_to_identity = true
-# allow_authenticate_via_warp = false
-
-# include = [
-# {
-# saml = {
-# identity_provider_id = var.cloudflare_okta_identity_provider_id
-# attribute_name = "groups"
-# attribute_value = var.okta_infra_admin_saml_group_name
-# }
-# },
-# {
-# saml = {
-# identity_provider_id = var.cloudflare_okta_identity_provider_id
-# attribute_name = "groups"
-# attribute_value = var.okta_contractors_saml_group_name
-# }
-# },
-# {
-# email_domain = {
-# domain = "thedjinhn@gmail.com"
-# }
-# }
-# ]
-
-# require = [
-# {
-# device_posture = {
-# integration_uid = var.cloudflare_gateway_posture_id
-# }
-# },
-# {
-# auth_method = {
-# auth_method = "mfa"
-# }
-# }
-# ]
-
-# exclude = [
-# {
-# auth_method = {
-# auth_method = "sms"
-# }
-# }
-# ]
-
-# connection_rules = {
-# ssh = {
-# allow_email_alias = true
-# usernames = [] # None
-# }
-# }
-# }]
-#}
-
-#======================================================
-# SELF-HOSTED APP: DB Server
-#======================================================
-# Creating the Self-hosted Application for Browser rendering SSH
-#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
-# account_id = local.cloudflare_account_id
-# type = "ssh"
-# name = var.cloudflare_browser_ssh_app_name
-# name = "AWS Browser SSH database"
-# app_launcher_visible = true
-# logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
-# tags = ["devops"]
-# session_duration = "0s"
-# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-
-# destinations = [{
-# type = "public"
-# uri = var.cloudflare_subdomain_ssh
-# }]
-
-# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
-# auto_redirect_to_identity = false
-# allow_authenticate_via_warp = false
-
-# policies = [
-# {
-# id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
-# },
-# {
-# id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
-# }
-# ]
-#}
-
-#======================================================
-# SELF-HOSTED APP: PostgresDB Admin
-#======================================================
-# Creating the Self-hosted Application for Browser rendering VNC
-#resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
-# account_id = local.cloudflare_account_id
-# type = "vnc"
-# name = var.cloudflare_browser_vnc_app_name
-# name = "AWS Browser VNC database"
-# app_launcher_visible = true
-# logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
-# tags = ["devops"]
-# session_duration = "0s"
-# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-
-# destinations = [{
-# type = "public"
-# uri = var.cloudflare_subdomain_vnc
-# }]
-
-# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
-# auto_redirect_to_identity = false
-# allow_authenticate_via_warp = false
-
-# policies = [{
-# id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
-# }]
-#}
-
-#======================================================
-# SELF-HOSTED APP: Competition App
-#======================================================
-# Creating the Self-hosted Application for Competition web application
-#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
-# account_id = local.cloudflare_account_id
-# type = "self_hosted"
-# name = var.cloudflare_sensitive_web_app_name
-# name = "Competition App"
-# app_launcher_visible = true
-# logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
-# tags = ["devops"]
-# session_duration = "0s"
-# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-
-# destinations = [{
-# type = "public"
-# uri = var.cloudflare_subdomain_web_sensitive
-# }]
-
-# allowed_idps = [var.cloudflare_okta_identity_provider_id]
-# auto_redirect_to_identity = true
-# allow_authenticate_via_warp = false
-
-# policies = [{
-# id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
-# }]
-#}
-
-#======================================================
-# SELF-HOSTED APP: Macharpe Intranet
-#======================================================
-# Creating the Self-hosted Application for Administration web application
-#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
-# account_id = local.cloudflare_account_id
-# type = "self_hosted"
-# name = var.cloudflare_intranet_web_app_name
-# name = "Intranet"
-# app_launcher_visible = true
-# logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
-# tags = ["devops"]
-# session_duration = "0s"
-# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-
-# destinations = [{
-# type = "public"
-# uri = var.cloudflare_subdomain_web
-# }]
-
-# allowed_idps = [var.cloudflare_okta_identity_provider_id]
-# auto_redirect_to_identity = true
-# allow_authenticate_via_warp = false
-
-# policies = [{
-# id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
-# }]
-#}
-
-#======================================================
-# SELF-HOSTED APP: Domain Controller
-#======================================================
-# Creating the Target
-#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
-# account_id = local.cloudflare_account_id
-# hostname = var.cloudflare_target_rdp_name
-# hostname = "Domain-Controller"
-# ip = {
-# ipv4 = {
-# ip_addr = "10.0.4.101"
-# }
-# }
-#}
-
-# Domain Controller Browser-Rendered RDP Application
-#resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
-# account_id = local.cloudflare_account_id
-# type = "rdp"
-# name = var.cloudflare_browser_rdp_app_name
-# name = "GCP Browser RDP windows"
-# app_launcher_visible = true
-# logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
-# tags = ["devops"]
-# session_duration = "0s"
-# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
-
- # Public hostname for browser rendering
-# domain = var.cloudflare_subdomain_rdp
-
- # Target criteria - references the existing gcp_rdp_target
-# target_criteria = [{
-# port = 3389
-# protocol = "RDP"
-# target_attributes = {
-# hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
-# hostname = var.cloudflare_target_rdp_name
-# }
-# }]
-
- # Identity provider settings
-# allowed_idps = [var.cloudflare_okta_identity_provider_id]
-# auto_redirect_to_identity = true
-# enable_binding_cookie = false
-# http_only_cookie_attribute = false
-# options_preflight_bypass = false
-
- # Reference the policy from cloudflare-app-policies.tf
-# policies = [{
-# id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
-# }]
-
- # Depends on the existing target
-# depends_on = [
-# cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
-# ]
-#}
diff --git a/Access_Controls-Policies-Rule_Groups.tf b/Access_Controls-Policies-Rule_Groups.tf
index 07b3a7d..c8e26e5 100644
--- a/Access_Controls-Policies-Rule_Groups.tf
+++ b/Access_Controls-Policies-Rule_Groups.tf
@@ -225,7 +225,6 @@ resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group_a
 ]
 }
- #
 resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group_america_north" {
 account_id = local.cloudflare_account_id
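Review bot: The `app_id` context line kept in this hunk still reads `cloudflare_zero_trust_access_application.example_zero_trust_access_application.id`, but that address no longer exists once the resource is renamed in the previous hunk, so `terraform validate` will fail on an undeclared resource before anything is planned. Change it to `app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id` to match the renamed resource and the renamed data source on the line above it. The remainder of the hunk is a pure deletion of commented-out blocks and needs nothing further.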
@@ -401,6 +400,7 @@ resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
 ]
 }
+#
 resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
 account_id = local.cloudflare_account_id
 name = "GL_Users_Sales Team"
@@ -414,6 +414,7 @@ resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
 ]
 }
+#
 resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
 account_id = local.cloudflare_account_id
 name = "GL_Users_Administrators"
@@ -427,6 +428,7 @@ resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
 ]
 }
+#
 resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
 account_id = local.cloudflare_account_id
 name = "GL_Users_Contractors Extended"
diff --git a/Networks-Routes-cidr.tf b/Networks-Routes-cidr.tf
index 97479df..f656178 100644
--- a/Networks-Routes-cidr.tf
+++ b/Networks-Routes-cidr.tf
@@ -20,6 +20,7 @@ resource "cloudflare_zero_trust_tunnel_cloudflared_route" "home_tunnel_route" {
 # DNS RECORDS (un par application)
 # =============================================================================
+#
 resource "cloudflare_dns_record" "applications" {
 for_each = var.applications
@@ -36,6 +37,7 @@ resource "cloudflare_dns_record" "applications" {
 # TUNNEL CONFIGURATION
 # =============================================================================
+#
 resource "cloudflare_zero_trust_tunnel_cloudflared_config" "home_tunnel_config" {
 account_id = local.cloudflare_account_id
 tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
diff --git a/Traffic_Policies-Traffic_Settings-Certificates.tf b/Traffic_Policies-Traffic_Settings-Certificates.tf
index 6053518..21c85d9 100644
--- a/Traffic_Policies-Traffic_Settings-Certificates.tf
+++ b/Traffic_Policies-Traffic_Settings-Certificates.tf
@@ -3,7 +3,7 @@
 # =============================================================================
 #
-resource "cloudflare_zero_trust_gateway_certificate" "example_zero_trust_gateway_certificate" {
+resource "cloudflare_zero_trust_gateway_certificate" "zero_trust_gateway_certificate" {
 account_id = local.cloudflare_account_id
 validity_period_days = 1826
 }
\ No newline at end of file
diff --git a/Traffic_Policies-Traffic_Settings-Policy_Setting.tf b/Traffic_Policies-Traffic_Settings-Policy_Setting.tf
index a8b8073..b42426a 100644
--- a/Traffic_Policies-Traffic_Settings-Policy_Setting.tf
+++ b/Traffic_Policies-Traffic_Settings-Policy_Setting.tf
@@ -3,7 +3,7 @@
 # =============================================================================
 #
-resource "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
+resource "cloudflare_zero_trust_gateway_settings" "zero_trust_gateway_settings" {
 account_id = local.cloudflare_account_id
 settings = {
diff --git a/main.tf b/main.tf
index 72f7139..072a253 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,7 @@
 # =============================================================================
 # VAULT DATA SOURCES
 # =============================================================================
+
 data "vault_generic_secret" "cloudflare" {
 path = var.vault_cloudflare_path
 }
@@ -12,6 +13,7 @@ data "vault_generic_secret" "authentik" {
 # =============================================================================
 # LOCALS
 # =============================================================================
+
 locals {
 # Secrets Cloudflare depuis Vault
 cloudflare_api_token = data.vault_generic_secret.cloudflare.data["api_token"]