correction de la mise en forme et des commentaires
All checks were successful
Terraform Apply / Terraform Apply (push) Successful in 4m37s
All checks were successful
Terraform Apply / Terraform Apply (push) Successful in 4m37s
This commit is contained in:
@@ -2,11 +2,17 @@
|
|||||||
# CLOUDFLARE : Access Controls : Applications
|
# CLOUDFLARE : Access Controls : Applications
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
#======================================================
|
# ======================================================
|
||||||
# Create Aapp in mode Infrastructure : MySQL Database for AWS
|
# Création d'une Application en mode Infrastructure :
|
||||||
#======================================================
|
# Accès SSH à une base MySQL hébergée sur AWS
|
||||||
|
# ======================================================
|
||||||
|
|
||||||
# Creating the Target
|
# ------------------------------------------------------
|
||||||
|
# Création de la cible (Target)
|
||||||
|
# Cette ressource définit la machine ou l’adresse interne qui sera protégée
|
||||||
|
# par Cloudflare Zero Trust. Elle représente l’endpoint auquel les utilisateurs
|
||||||
|
# se connecteront via Cloudflare Access (ici : accès SSH vers une VM AWS).
|
||||||
|
# ------------------------------------------------------
|
||||||
resource "cloudflare_zero_trust_access_infrastructure_target" "aws_ssh_target" {
|
resource "cloudflare_zero_trust_access_infrastructure_target" "aws_ssh_target" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
@@ -18,17 +24,26 @@ resource "cloudflare_zero_trust_access_infrastructure_target" "aws_ssh_target" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Creating the infrastructure Application
|
# ------------------------------------------------------
|
||||||
|
# Création de l’application en mode Infrastructure
|
||||||
|
# Cette ressource représente l'application Zero Trust côté Cloudflare,
|
||||||
|
# permettant d'appliquer politiques et règles d’accès pour le protocole SSH.
|
||||||
|
# ------------------------------------------------------
|
||||||
resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infra" {
|
resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infra" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
type = "infrastructure"
|
type = "infrastructure"
|
||||||
name = var.cloudflare_aws_infra_app_name
|
name = var.cloudflare_aws_infra_app_name
|
||||||
logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
|
logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
|
||||||
|
|
||||||
|
# Tag permettant d'associer cette app à un groupe logique de ressources
|
||||||
tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
|
tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
|
||||||
|
|
||||||
|
# URLs personnalisées en cas d'accès refusé ou d'identité non reconnue
|
||||||
custom_deny_url = "https://denied.tips-of-mine.org/"
|
custom_deny_url = "https://denied.tips-of-mine.org/"
|
||||||
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
|
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
|
||||||
|
|
||||||
|
# Définition des critères de la cible (port et protocole)
|
||||||
target_criteria = [{
|
target_criteria = [{
|
||||||
port = "22",
|
port = "22",
|
||||||
protocol = "SSH"
|
protocol = "SSH"
|
||||||
@@ -37,30 +52,39 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infr
|
|||||||
},
|
},
|
||||||
}]
|
}]
|
||||||
|
|
||||||
# SSH Infrastructure Policy
|
# ------------------------------------------------------
|
||||||
|
# Définition de la politique d’accès SSH pour cette application
|
||||||
|
# Cette politique précise :
|
||||||
|
# - qui peut se connecter
|
||||||
|
# - via quel fournisseur d'identité
|
||||||
|
# - quelles méthodes d'authentification sont requises
|
||||||
|
# - quelles règles de sécurité supplémentaires s'appliquent
|
||||||
|
# ------------------------------------------------------
|
||||||
policies = [{
|
policies = [{
|
||||||
name = "SSH GCP Infrastructure Policy"
|
name = "SSH GCP Infrastructure Policy"
|
||||||
decision = "allow"
|
decision = "allow"
|
||||||
|
|
||||||
|
# Fournisseurs d'identité autorisés
|
||||||
allowed_idps = [
|
allowed_idps = [
|
||||||
cloudflare_zero_trust_access_identity_provider.authentik_oidc.id,
|
cloudflare_zero_trust_access_identity_provider.authentik_oidc.id,
|
||||||
]
|
]
|
||||||
auto_redirect_to_identity = true
|
auto_redirect_to_identity = true
|
||||||
allow_authenticate_via_warp = false
|
allow_authenticate_via_warp = false
|
||||||
|
|
||||||
|
# Groupes / domaines autorisés à accéder
|
||||||
include = [
|
include = [
|
||||||
{
|
{
|
||||||
saml = {
|
saml = {
|
||||||
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
||||||
attribute_name = "groups"
|
attribute_name = "groups"
|
||||||
attribute_value = var.okta_infra_admin_saml_group_name
|
attribute_value = var.okta_infra_admin_saml_group_name # Admins Infra
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
saml = {
|
saml = {
|
||||||
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
||||||
attribute_name = "groups"
|
attribute_name = "groups"
|
||||||
attribute_value = var.okta_contractors_saml_group_name
|
attribute_value = var.okta_contractors_saml_group_name # Contractuels
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@@ -69,6 +93,8 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infr
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Exigences de sécurité obligatoires (MFA, posture appareil, etc.)
|
||||||
require = [
|
require = [
|
||||||
{
|
{
|
||||||
device_posture = {
|
device_posture = {
|
||||||
@@ -81,6 +107,8 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infr
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Méthodes explicitement interdites
|
||||||
exclude = [
|
exclude = [
|
||||||
{
|
{
|
||||||
auth_method = {
|
auth_method = {
|
||||||
@@ -88,6 +116,8 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infr
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Configuration spécifique SSH (règles de connexion)
|
||||||
connection_rules = {
|
connection_rules = {
|
||||||
ssh = {
|
ssh = {
|
||||||
allow_email_alias = true
|
allow_email_alias = true
|
||||||
@@ -97,11 +127,17 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infr
|
|||||||
}]
|
}]
|
||||||
}
|
}
|
||||||
|
|
||||||
#======================================================
|
# ======================================================
|
||||||
# Create Aapp in mode Infrastructure : MySQL Database for GCP
|
# Création d'une Application en mode Infrastructure :
|
||||||
#======================================================
|
# Accès SSH à une base MySQL hébergée sur GCP
|
||||||
|
# ======================================================
|
||||||
|
|
||||||
# Creating the Target
|
# ------------------------------------------------------
|
||||||
|
# Création de la cible (Target)
|
||||||
|
# Cette ressource définit la machine ou l’adresse interne qui sera protégée
|
||||||
|
# par Cloudflare Zero Trust. Elle représente l’endpoint auquel les utilisateurs
|
||||||
|
# se connecteront via Cloudflare Access (ici : accès SSH vers une VM GCP).
|
||||||
|
# ------------------------------------------------------
|
||||||
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
|
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
@@ -113,7 +149,11 @@ resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Creating the infrastructure Application
|
# ------------------------------------------------------
|
||||||
|
# Création de l’application en mode Infrastructure
|
||||||
|
# Cette ressource représente l'application Zero Trust côté Cloudflare,
|
||||||
|
# permettant d'appliquer politiques et règles d’accès pour le protocole SSH.
|
||||||
|
# ------------------------------------------------------
|
||||||
resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infra" {
|
resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infra" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
@@ -132,7 +172,7 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infr
|
|||||||
},
|
},
|
||||||
}]
|
}]
|
||||||
|
|
||||||
# SSH Infrastructure Policy
|
# Politique d’accès SSH pour GCP (mêmes principes que pour AWS)
|
||||||
policies = [{
|
policies = [{
|
||||||
name = "SSH GCP Infrastructure Policy"
|
name = "SSH GCP Infrastructure Policy"
|
||||||
decision = "allow"
|
decision = "allow"
|
||||||
@@ -143,19 +183,20 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infr
|
|||||||
auto_redirect_to_identity = true
|
auto_redirect_to_identity = true
|
||||||
allow_authenticate_via_warp = false
|
allow_authenticate_via_warp = false
|
||||||
|
|
||||||
|
# Groupes / domaines autorisés à accéder
|
||||||
include = [
|
include = [
|
||||||
{
|
{
|
||||||
saml = {
|
saml = {
|
||||||
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
||||||
attribute_name = "groups"
|
attribute_name = "groups"
|
||||||
attribute_value = var.okta_infra_admin_saml_group_name
|
attribute_value = var.okta_infra_admin_saml_group_name # Admins Infra
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
saml = {
|
saml = {
|
||||||
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
|
||||||
attribute_name = "groups"
|
attribute_name = "groups"
|
||||||
attribute_value = var.okta_contractors_saml_group_name
|
attribute_value = var.okta_contractors_saml_group_name # Contractuels
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@@ -164,6 +205,8 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infr
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Exigences de sécurité obligatoires (MFA, posture appareil, etc.)
|
||||||
require = [
|
require = [
|
||||||
{
|
{
|
||||||
device_posture = {
|
device_posture = {
|
||||||
@@ -176,6 +219,8 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infr
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Méthodes explicitement interdites
|
||||||
exclude = [
|
exclude = [
|
||||||
{
|
{
|
||||||
auth_method = {
|
auth_method = {
|
||||||
@@ -183,6 +228,8 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infr
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
# Configuration spécifique SSH (règles de connexion)
|
||||||
connection_rules = {
|
connection_rules = {
|
||||||
ssh = {
|
ssh = {
|
||||||
allow_email_alias = true
|
allow_email_alias = true
|
||||||
|
|||||||
@@ -29,7 +29,7 @@ data "cloudflare_zero_trust_tunnel_cloudflared_token" "home_tunnel_token" {
|
|||||||
resource "cloudflare_zero_trust_tunnel_cloudflared" "aws_tunnel" {
|
resource "cloudflare_zero_trust_tunnel_cloudflared" "aws_tunnel" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
name = "tunnel-aws-warp-connector"
|
name = "Tunnel AWS WARP Connector"
|
||||||
config_src = "cloudflare"
|
config_src = "cloudflare"
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -48,7 +48,7 @@ data "cloudflare_zero_trust_tunnel_cloudflared_token" "aws_tunnel_token" {
|
|||||||
resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" {
|
resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
name = "tunnel-gcp-warp-connector"
|
name = "Tunnel GCP WARP Connector"
|
||||||
config_src = "cloudflare"
|
config_src = "cloudflare"
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -67,7 +67,7 @@ data "cloudflare_zero_trust_tunnel_cloudflared_token" "gcp_tunnel_token" {
|
|||||||
resource "cloudflare_zero_trust_tunnel_cloudflared" "azure_tunnel" {
|
resource "cloudflare_zero_trust_tunnel_cloudflared" "azure_tunnel" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
name = "tunnel-azure-warp-connector"
|
name = "Tunnel AZURE WARP Connector"
|
||||||
config_src = "cloudflare"
|
config_src = "cloudflare"
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -86,7 +86,7 @@ data "cloudflare_zero_trust_tunnel_cloudflared_token" "azure_tunnel_token" {
|
|||||||
resource "cloudflare_zero_trust_tunnel_cloudflared" "ovh_tunnel" {
|
resource "cloudflare_zero_trust_tunnel_cloudflared" "ovh_tunnel" {
|
||||||
account_id = local.cloudflare_account_id
|
account_id = local.cloudflare_account_id
|
||||||
|
|
||||||
name = "tunnel-ovh-warp-connector"
|
name = "Tunnel OVH WARP Connector"
|
||||||
config_src = "cloudflare"
|
config_src = "cloudflare"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user