Add tunnel.tf

2025-11-04 17:00:19 +01:00
parent c598c89159
commit 5c70af3b06
1 changed files with 99 additions and 0 deletions
--- a/tunnel.tf
+++ b/tunnel.tf
@@ -0,0 +1,99 @@
+# =============================================================================
+# CLOUDFLARE TUNNEL
+# =============================================================================
+
+# Création du tunnel Cloudflare
+resource "cloudflare_zero_trust_tunnel_cloudflared" "home_tunnel" {
+  account_id = local.cloudflare_account_id
+  name       = var.tunnel_name
+  config_src = "cloudflare"
+}
+
+# Récupération du token pour l'agent cloudflared
+data "cloudflare_zero_trust_tunnel_cloudflared_token" "home_tunnel_token" {
+  account_id = local.cloudflare_account_id
+  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
+}
+
+# =============================================================================
+# DNS RECORDS (un par application)
+# =============================================================================
+
+resource "cloudflare_dns_record" "applications" {
+  for_each = var.applications
+
+  zone_id = local.cloudflare_zone_id
+  name    = each.value.subdomain
+  content = "${cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id}.cfargotunnel.com"
+  type    = "CNAME"
+  ttl     = var.dns_ttl
+  proxied = var.dns_proxied
+  comment = "Managed by Terraform - ${each.key} via Cloudflare Tunnel"
+}
+
+# =============================================================================
+# TUNNEL CONFIGURATION
+# =============================================================================
+
+resource "cloudflare_zero_trust_tunnel_cloudflared_config" "home_tunnel_config" {
+  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
+  account_id = local.cloudflare_account_id
+  
+  config = {
+    warp_routing = {
+      enabled = var.tunnel_warp_routing_enabled
+    }
+    
+    ingress = local.ingress_rules
+  }
+
+  lifecycle {
+    # Ignorer les changements manuels dans Cloudflare Dashboard
+    ignore_changes = [config]
+  }
+}
+
+# =============================================================================
+# ACCESS POLICIES (optionnel)
+# =============================================================================
+
+# Exemple de politique d'accès réutilisable
+# Décommentez si vous souhaitez utiliser Cloudflare Access
+/*
+resource "cloudflare_zero_trust_access_policy" "allow_emails" {
+  account_id = local.cloudflare_account_id
+  name       = "Allow specific emails"
+  decision   = "allow"
+  
+  include = [
+    {
+      email = {
+        email = local.cloudflare_email
+      }
+    },
+    {
+      email_domain = {
+        domain = var.cloudflare_zone
+      }
+    }
+  ]
+}
+
+# Application Access pour chaque application qui l'exige
+resource "cloudflare_zero_trust_access_application" "applications" {
+  for_each = {
+    for app_name, app_config in var.applications : 
+    app_name => app_config 
+    if app_config.access_enabled
+  }
+
+  account_id = local.cloudflare_account_id
+  type       = "self_hosted"
+  name       = "Access for ${each.key}"
+  domain     = "${each.value.subdomain}.${var.cloudflare_zone}"
+  
+  policies = [
+    cloudflare_zero_trust_access_policy.allow_emails.id
+  ]
+}
+*/