diff --git a/access_applications.tf b/access_applications.tf
index 52bcaf8..d860d85 100644
--- a/access_applications.tf
+++ b/access_applications.tf
@@ -22,28 +22,28 @@ data "cloudflare_zero_trust_access_application" "example_zero_trust_access_appli
 # INFRASTRUCTURE APP: MySQL Database (Infrastructure)
 #======================================================
 # Creating the Target
-resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
- account_id = local.cloudflare_account_id
+#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
+# account_id = local.cloudflare_account_id
 # hostname = var.cloudflare_target_ssh_name
- hostname = "GCP-database"
- ip = {
- ipv4 = {
+# hostname = "GCP-database"
+# ip = {
+# ipv4 = {
 # ip_addr = var.gcp_vm_internal_ip
- ip_addr = "10.0.4.100"
- }
- }
-}
+# ip_addr = "10.0.4.100"
+# }
+# }
+#}
 # Creating the infrastructure Application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
- account_id = local.cloudflare_account_id
- type = "infrastructure"
+#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
+# account_id = local.cloudflare_account_id
+# type = "infrastructure"
 # name = var.cloudflare_infra_app_name
- name = "GCP Infrastructure SSH database"
- logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
+# name = "GCP Infrastructure SSH database"
+# logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
 # tags = ["devops"]
- custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 # target_criteria = [{
 # port = "22",
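Review bot: Commenting out `cloudflare_zero_trust_access_infrastructure_target.gcp_ssh_target` and `cloudflare_zero_trust_access_application.cloudflare_app_ssh_infra` here (and the remaining applications and targets in the four hunks that follow) removes them from the configuration, so the next apply will plan to destroy every Access application in this file together with the identity, posture and MFA checks they enforce. The diff gives no indication of whether the SSH, VNC, RDP and web endpoints behind them are being retired at the same time, so that intent should be stated in the commit. If the disable is meant to be temporary, a per-resource toggle such as `count = var.enable_access_apps ? 1 : 0` (variable name illustrative) keeps the resources reviewable and reversible instead of ~300 lines of commented HCL. Other `.tf` files are not visible here; anything that still references these resource addresses will fail validation once they are commented out.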
@@ -53,90 +53,90 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
 # },
 # }]
- policies = [{
- name = "SSH GCP Infrastructure Policy"
- decision = "allow"
+# policies = [{
+# name = "SSH GCP Infrastructure Policy"
+# decision = "allow"
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- allow_authenticate_via_warp = false
+# allowed_idps = [var.cloudflare_okta_identity_provider_id]
+# auto_redirect_to_identity = true
+# allow_authenticate_via_warp = false
- include = [
- {
- saml = {
- identity_provider_id = var.cloudflare_okta_identity_provider_id
- attribute_name = "groups"
- attribute_value = var.okta_infra_admin_saml_group_name
- }
- },
- {
- saml = {
- identity_provider_id = var.cloudflare_okta_identity_provider_id
- attribute_name = "groups"
- attribute_value = var.okta_contractors_saml_group_name
- }
- },
- {
- email_domain = {
- domain = "thedjinhn@gmail.com"
- }
- }
- ]
+# include = [
+# {
+# saml = {
+# identity_provider_id = var.cloudflare_okta_identity_provider_id
+# attribute_name = "groups"
+# attribute_value = var.okta_infra_admin_saml_group_name
+# }
+# },
+# {
+# saml = {
+# identity_provider_id = var.cloudflare_okta_identity_provider_id
+# attribute_name = "groups"
+# attribute_value = var.okta_contractors_saml_group_name
+# }
+# },
+# {
+# email_domain = {
+# domain = "thedjinhn@gmail.com"
+# }
+# }
+# ]
- require = [
- {
- device_posture = {
- integration_uid = var.cloudflare_gateway_posture_id
- }
- },
- {
- auth_method = {
- auth_method = "mfa"
- }
- }
- ]
+# require = [
+# {
+# device_posture = {
+# integration_uid = var.cloudflare_gateway_posture_id
+# }
+# },
+# {
+# auth_method = {
+# auth_method = "mfa"
+# }
+# }
+# ]
- exclude = [
- {
- auth_method = {
- auth_method = "sms"
- }
- }
- ]
+# exclude = [
+# {
+# auth_method = {
+# auth_method = "sms"
+# }
+# }
+# ]
- connection_rules = {
- ssh = {
- allow_email_alias = true
- usernames = [] # None
- }
- }
- }]
-}
+# connection_rules = {
+# ssh = {
+# allow_email_alias = true
+# usernames = [] # None
+# }
+# }
+# }]
+#}
 #======================================================
 # SELF-HOSTED APP: DB Server
 #======================================================
 # Creating the Self-hosted Application for Browser rendering SSH
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
- account_id = local.cloudflare_account_id
- type = "ssh"
+#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
+# account_id = local.cloudflare_account_id
+# type = "ssh"
 # name = var.cloudflare_browser_ssh_app_name
- name = "AWS Browser SSH database"
- app_launcher_visible = true
- logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
- tags = ["devops"]
- session_duration = "0s"
- custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# name = "AWS Browser SSH database"
+# app_launcher_visible = true
+# logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
+# tags = ["devops"]
+# session_duration = "0s"
+# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_ssh
- }]
+# destinations = [{
+# type = "public"
+# uri = var.cloudflare_subdomain_ssh
+# }]
- allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
- auto_redirect_to_identity = false
- allow_authenticate_via_warp = false
+# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
+# auto_redirect_to_identity = false
+# allow_authenticate_via_warp = false
 # policies = [
 # {
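Review bot: The commented-out inline policy carried forward in this hunk keeps `email_domain = { domain = "thedjinhn@gmail.com" }` inside `include`, which pairs an email-domain selector with what looks like a single mailbox address; an `email_domain` rule matches on the domain part, so this entry is unlikely to match the intended user, and widening it to the bare domain would admit every account on that mail provider. If the block is restored, the selector for one address is `email = { email = "thedjinhn@gmail.com" }`, and a personal address is better supplied via a variable like the SAML group names above it rather than as a literal in the repo. The `cloudflare_app_ssh_infra` resource this policy belongs to opens in the previous hunk, and the `cloudflare_app_ssh_browser` resource at the bottom continues past this hunk.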
@@ -146,92 +146,92 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser"
 # id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
 # }
 # ]
-}
+#}
 #======================================================
 # SELF-HOSTED APP: PostgresDB Admin
 #======================================================
 # Creating the Self-hosted Application for Browser rendering VNC
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
- account_id = local.cloudflare_account_id
- type = "vnc"
+#resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
+# account_id = local.cloudflare_account_id
+# type = "vnc"
 # name = var.cloudflare_browser_vnc_app_name
- name = "AWS Browser VNC database"
- app_launcher_visible = true
- logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
- tags = ["devops"]
- session_duration = "0s"
- custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# name = "AWS Browser VNC database"
+# app_launcher_visible = true
+# logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
+# tags = ["devops"]
+# session_duration = "0s"
+# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_vnc
- }]
+# destinations = [{
+# type = "public"
+# uri = var.cloudflare_subdomain_vnc
+# }]
- allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
- auto_redirect_to_identity = false
- allow_authenticate_via_warp = false
+# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
+# auto_redirect_to_identity = false
+# allow_authenticate_via_warp = false
 # policies = [{
 # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
 # }]
-}
+#}
 #======================================================
 # SELF-HOSTED APP: Competition App
 #======================================================
 # Creating the Self-hosted Application for Competition web application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
- account_id = local.cloudflare_account_id
- type = "self_hosted"
+#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
+# account_id = local.cloudflare_account_id
+# type = "self_hosted"
 # name = var.cloudflare_sensitive_web_app_name
- name = "Competition App"
- app_launcher_visible = true
- logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
- tags = ["devops"]
- session_duration = "0s"
- custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# name = "Competition App"
+# app_launcher_visible = true
+# logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
+# tags = ["devops"]
+# session_duration = "0s"
+# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_web_sensitive
- }]
+# destinations = [{
+# type = "public"
+# uri = var.cloudflare_subdomain_web_sensitive
+# }]
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- allow_authenticate_via_warp = false
+# allowed_idps = [var.cloudflare_okta_identity_provider_id]
+# auto_redirect_to_identity = true
+# allow_authenticate_via_warp = false
 # policies = [{
 # id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
 # }]
-}
+#}
 #======================================================
 # SELF-HOSTED APP: Macharpe Intranet
 #======================================================
 # Creating the Self-hosted Application for Administration web application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
- account_id = local.cloudflare_account_id
- type = "self_hosted"
+#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
+# account_id = local.cloudflare_account_id
+# type = "self_hosted"
 # name = var.cloudflare_intranet_web_app_name
- name = "Intranet"
- app_launcher_visible = true
- logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
- tags = ["devops"]
- session_duration = "0s"
- custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# name = "Intranet"
+# app_launcher_visible = true
+# logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
+# tags = ["devops"]
+# session_duration = "0s"
+# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_web
- }]
+# destinations = [{
+# type = "public"
+# uri = var.cloudflare_subdomain_web
+# }]
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- allow_authenticate_via_warp = false
+# allowed_idps = [var.cloudflare_okta_identity_provider_id]
+# auto_redirect_to_identity = true
+# allow_authenticate_via_warp = false
 # policies = [{
 # id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
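Review bot: The commented-out `cloudflare_app_vnc_browser` block (and `cloudflare_app_ssh_browser` closed by the `#}` at the top of this hunk) keeps `allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]`, i.e. a one-time-PIN login path alongside Okta for the browser-rendered SSH and VNC apps, while the web apps in the same hunk are Okta-only with `auto_redirect_to_identity = true`. Whether the OTP path is constrained by a group or posture check depends on the `employees_browser_rendering` / `contractors_browser_rendering` policies in cloudflare-app-policies.tf, which are not visible here, so that should be confirmed before these blocks are restored rather than re-enabling the template as-is. A one-line comment above the `allowed_idps` lines recording why OTP is accepted for the remote-desktop apps but not the web apps would make the intent reviewable. The `cloudflare_app_ssh_browser` resource closed here starts in the previous hunk, and `cloudflare_app_web_intranet` at the bottom continues past this one.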
@@ -242,32 +242,32 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet
 # SELF-HOSTED APP: Domain Controller
 #======================================================
 # Creating the Target
-resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
- account_id = local.cloudflare_account_id
+#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
+# account_id = local.cloudflare_account_id
 # hostname = var.cloudflare_target_rdp_name
- hostname = "Domain-Controller"
- ip = {
- ipv4 = {
- ip_addr = "10.0.4.101"
- }
- }
-}
+# hostname = "Domain-Controller"
+# ip = {
+# ipv4 = {
+# ip_addr = "10.0.4.101"
+# }
+# }
+#}
 # Domain Controller Browser-Rendered RDP Application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
- account_id = local.cloudflare_account_id
- type = "rdp"
+#resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
+# account_id = local.cloudflare_account_id
+# type = "rdp"
 # name = var.cloudflare_browser_rdp_app_name
- name = "GCP Browser RDP windows"
- app_launcher_visible = true
- logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
- tags = ["devops"]
- session_duration = "0s"
- custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
- custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# name = "GCP Browser RDP windows"
+# app_launcher_visible = true
+# logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
+# tags = ["devops"]
+# session_duration = "0s"
+# custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+# custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 # Public hostname for browser rendering
- domain = var.cloudflare_subdomain_rdp
+# domain = var.cloudflare_subdomain_rdp
 # Target criteria - references the existing gcp_rdp_target
 # target_criteria = [{
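Review bot: The commented-out `gcp_rdp_target` template keeps the literal `hostname = "Domain-Controller"` and `ip_addr = "10.0.4.101"` while the context line `# hostname = var.cloudflare_target_rdp_name` shows a variable was intended; the same literal-over-variable pattern appears in the `gcp_ssh_target` block of the first hunk (`"10.0.4.100"` next to `# ip_addr = var.gcp_vm_internal_ip`). If either target is restored, prefer `hostname = var.cloudflare_target_rdp_name` and an `ip_addr` variable so internal addressing of the domain controller is not pinned in the repository and the two targets stay consistent with the rest of the file's `var.`-driven naming. The `cloudflare_app_rdp_domain` resource opened here continues into the next hunks.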
@@ -280,11 +280,11 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain"
 # }]
 # Identity provider settings
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- enable_binding_cookie = false
- http_only_cookie_attribute = false
- options_preflight_bypass = false
+# allowed_idps = [var.cloudflare_okta_identity_provider_id]
+# auto_redirect_to_identity = true
+# enable_binding_cookie = false
+# http_only_cookie_attribute = false
+# options_preflight_bypass = false
 # Reference the policy from cloudflare-app-policies.tf
 # policies = [{
@@ -292,7 +292,7 @@ resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain"
 # }]
 # Depends on the existing target
- depends_on = [
- cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
- ]
-}
+# depends_on = [
+# cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
+# ]
+#}
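Review bot: The commented-out identity settings carried forward for `cloudflare_app_rdp_domain` keep `enable_binding_cookie = false` and `http_only_cookie_attribute = false`, which disables the session-cookie binding and the HttpOnly attribute on the Access cookie for a browser-rendered RDP session to a domain controller; nothing in the hunk records why the weaker settings were chosen. If this block is restored, the safer baseline is `enable_binding_cookie = true` and `http_only_cookie_attribute = true`, with a comment above them if a specific client integration genuinely needs them off. The resource this hunk belongs to opens in the previous hunk and is closed by the `#}` in the final hunk.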