Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

removal of the term: example / Create all
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 13s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-20 11:02:54 +01:00
parent 76c297ffa8
commit 38ff1fbefd
7 changed files with 16 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.gitea/workflows/validate.yml
View File

@@ -54,11 +54,11 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Terraform Destroy
run: terraform destroy -var="cloudflare_api_token=${{ secrets.CLOUDFLARE_API_TOKEN }}" -var="vault_token=${{ secrets.VAULT_TOKEN }}" --auto-approve --input=false
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# - name: Terraform Destroy
# run: terraform destroy -var="cloudflare_api_token=${{ secrets.CLOUDFLARE_API_TOKEN }}" -var="vault_token=${{ secrets.VAULT_TOKEN }}" --auto-approve --input=false
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- name: Terraform Output
run: terraform output

283
Access_Controls-Applications.tf
View File

@@ -3,7 +3,7 @@
# =============================================================================
#
resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" {
resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
account_id = local.cloudflare_account_id
type = "self_hosted"
name = "Home Network Access Application"
@@ -18,286 +18,7 @@ resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_a
]
}
data "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" {
data "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
account_id = local.cloudflare_account_id
app_id = cloudflare_zero_trust_access_application.example_zero_trust_access_application.id
}
#======================================================
# INFRASTRUCTURE APP: MySQL Database (Infrastructure)
#======================================================
# Creating the Target
#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
# account_id = local.cloudflare_account_id
# hostname = var.cloudflare_target_ssh_name
# hostname = "GCP-database"
# ip = {
# ipv4 = {
# ip_addr = var.gcp_vm_internal_ip
# ip_addr = "10.0.4.100"
# }
# }
#}
# Creating the infrastructure Application
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
# account_id = local.cloudflare_account_id
# type = "infrastructure"
# name = var.cloudflare_infra_app_name
# name = "GCP Infrastructure SSH database"
# logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
# tags = ["devops"]
# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# target_criteria = [{
# port = "22",
# protocol = "SSH"
# target_attributes = {
# hostname = var.cloudflare_target_ssh_name
# },
# }]
# policies = [{
# name = "SSH GCP Infrastructure Policy"
# decision = "allow"
# allowed_idps = [var.cloudflare_okta_identity_provider_id]
# auto_redirect_to_identity = true
# allow_authenticate_via_warp = false
# include = [
# {
# saml = {
# identity_provider_id = var.cloudflare_okta_identity_provider_id
# attribute_name = "groups"
# attribute_value = var.okta_infra_admin_saml_group_name
# }
# },
# {
# saml = {
# identity_provider_id = var.cloudflare_okta_identity_provider_id
# attribute_name = "groups"
# attribute_value = var.okta_contractors_saml_group_name
# }
# },
# {
# email_domain = {
# domain = "thedjinhn@gmail.com"
# }
# }
# ]
# require = [
# {
# device_posture = {
# integration_uid = var.cloudflare_gateway_posture_id
# }
# },
# {
# auth_method = {
# auth_method = "mfa"
# }
# }
# ]
# exclude = [
# {
# auth_method = {
# auth_method = "sms"
# }
# }
# ]
# connection_rules = {
# ssh = {
# allow_email_alias = true
# usernames = [] # None
# }
# }
# }]
#}
#======================================================
# SELF-HOSTED APP: DB Server
#======================================================
# Creating the Self-hosted Application for Browser rendering SSH
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
# account_id = local.cloudflare_account_id
# type = "ssh"
# name = var.cloudflare_browser_ssh_app_name
# name = "AWS Browser SSH database"
# app_launcher_visible = true
# logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
# tags = ["devops"]
# session_duration = "0s"
# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# destinations = [{
# type = "public"
# uri = var.cloudflare_subdomain_ssh
# }]
# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
# auto_redirect_to_identity = false
# allow_authenticate_via_warp = false
# policies = [
# {
# id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
# },
# {
# id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
# }
# ]
#}
#======================================================
# SELF-HOSTED APP: PostgresDB Admin
#======================================================
# Creating the Self-hosted Application for Browser rendering VNC
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
# account_id = local.cloudflare_account_id
# type = "vnc"
# name = var.cloudflare_browser_vnc_app_name
# name = "AWS Browser VNC database"
# app_launcher_visible = true
# logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
# tags = ["devops"]
# session_duration = "0s"
# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# destinations = [{
# type = "public"
# uri = var.cloudflare_subdomain_vnc
# }]
# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
# auto_redirect_to_identity = false
# allow_authenticate_via_warp = false
# policies = [{
# id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
# }]
#}
#======================================================
# SELF-HOSTED APP: Competition App
#======================================================
# Creating the Self-hosted Application for Competition web application
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
# account_id = local.cloudflare_account_id
# type = "self_hosted"
# name = var.cloudflare_sensitive_web_app_name
# name = "Competition App"
# app_launcher_visible = true
# logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
# tags = ["devops"]
# session_duration = "0s"
# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# destinations = [{
# type = "public"
# uri = var.cloudflare_subdomain_web_sensitive
# }]
# allowed_idps = [var.cloudflare_okta_identity_provider_id]
# auto_redirect_to_identity = true
# allow_authenticate_via_warp = false
# policies = [{
# id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
# }]
#}
#======================================================
# SELF-HOSTED APP: Macharpe Intranet
#======================================================
# Creating the Self-hosted Application for Administration web application
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
# account_id = local.cloudflare_account_id
# type = "self_hosted"
# name = var.cloudflare_intranet_web_app_name
# name = "Intranet"
# app_launcher_visible = true
# logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
# tags = ["devops"]
# session_duration = "0s"
# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# destinations = [{
# type = "public"
# uri = var.cloudflare_subdomain_web
# }]
# allowed_idps = [var.cloudflare_okta_identity_provider_id]
# auto_redirect_to_identity = true
# allow_authenticate_via_warp = false
# policies = [{
# id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
# }]
#}
#======================================================
# SELF-HOSTED APP: Domain Controller
#======================================================
# Creating the Target
#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
# account_id = local.cloudflare_account_id
# hostname = var.cloudflare_target_rdp_name
# hostname = "Domain-Controller"
# ip = {
# ipv4 = {
# ip_addr = "10.0.4.101"
# }
# }
#}
# Domain Controller Browser-Rendered RDP Application
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
# account_id = local.cloudflare_account_id
# type = "rdp"
# name = var.cloudflare_browser_rdp_app_name
# name = "GCP Browser RDP windows"
# app_launcher_visible = true
# logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
# tags = ["devops"]
# session_duration = "0s"
# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# Public hostname for browser rendering
# domain = var.cloudflare_subdomain_rdp
# Target criteria - references the existing gcp_rdp_target
# target_criteria = [{
# port = 3389
# protocol = "RDP"
# target_attributes = {
# hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
# hostname = var.cloudflare_target_rdp_name
# }
# }]
# Identity provider settings
# allowed_idps = [var.cloudflare_okta_identity_provider_id]
# auto_redirect_to_identity = true
# enable_binding_cookie = false
# http_only_cookie_attribute = false
# options_preflight_bypass = false
# Reference the policy from cloudflare-app-policies.tf
# policies = [{
# id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
# }]
# Depends on the existing target
# depends_on = [
# cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
# ]
#}

4
Access_Controls-Policies-Rule_Groups.tf
View File

@@ -225,7 +225,6 @@ resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group_a
]
}
#
resource "cloudflare_zero_trust_access_group" "country_requirements_rule_group_america_north" {
account_id = local.cloudflare_account_id
@@ -401,6 +400,7 @@ resource "cloudflare_zero_trust_access_group" "employees_rule_group" {
]
}
#
resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
account_id = local.cloudflare_account_id
name = "GL_Users_Sales Team"
@@ -414,6 +414,7 @@ resource "cloudflare_zero_trust_access_group" "sales_team_rule_group" {
]
}
#
resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
account_id = local.cloudflare_account_id
name = "GL_Users_Administrators"
@@ -427,6 +428,7 @@ resource "cloudflare_zero_trust_access_group" "admins_rule_group" {
]
}
#
resource "cloudflare_zero_trust_access_group" "contractors_rule_group" {
account_id = local.cloudflare_account_id
name = "GL_Users_Contractors Extended"

2
Networks-Routes-cidr.tf
View File

@@ -20,6 +20,7 @@ resource "cloudflare_zero_trust_tunnel_cloudflared_route" "home_tunnel_route" {
# DNS RECORDS (un par application)
# =============================================================================
#
resource "cloudflare_dns_record" "applications" {
for_each = var.applications
@@ -36,6 +37,7 @@ resource "cloudflare_dns_record" "applications" {
# TUNNEL CONFIGURATION
# =============================================================================
#
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "home_tunnel_config" {
account_id = local.cloudflare_account_id
tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id

2
Traffic_Policies-Traffic_Settings-Certificates.tf
View File

@@ -3,7 +3,7 @@
# =============================================================================
#
resource "cloudflare_zero_trust_gateway_certificate" "example_zero_trust_gateway_certificate" {
resource "cloudflare_zero_trust_gateway_certificate" "zero_trust_gateway_certificate" {
account_id = local.cloudflare_account_id
validity_period_days = 1826
}

2
Traffic_Policies-Traffic_Settings-Policy_Setting.tf
View File

@@ -3,7 +3,7 @@
# =============================================================================
#
resource "cloudflare_zero_trust_gateway_settings" "example_zero_trust_gateway_settings" {
resource "cloudflare_zero_trust_gateway_settings" "zero_trust_gateway_settings" {
account_id = local.cloudflare_account_id
settings = {

2
main.tf
View File

@@ -1,6 +1,7 @@
# =============================================================================
# VAULT DATA SOURCES
# =============================================================================
data "vault_generic_secret" "cloudflare" {
path = var.vault_cloudflare_path
}
@@ -12,6 +13,7 @@ data "vault_generic_secret" "authentik" {
# =============================================================================
# LOCALS
# =============================================================================
locals {
# Secrets Cloudflare depuis Vault
cloudflare_api_token = data.vault_generic_secret.cloudflare.data["api_token"]