diff --git a/Access_Controls-Applications.tf b/Access_Controls-Applications.tf
index bc3a05b..ac96e59 100644
--- a/Access_Controls-Applications.tf
+++ b/Access_Controls-Applications.tf
@@ -185,4 +185,122 @@ resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" {
 policies = [{
 id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
 }]
+}
+
+#======================================================
+# SELF-HOSTED APP: Competition App
+#======================================================
+# Creating the Self-hosted Application for Competition web application
+resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" {
+ account_id = local.cloudflare_account_id
+
+ type = "self_hosted"
+ name = var.cloudflare_sensitive_web_app_name
+ app_launcher_visible = true
+ logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
+ tags = ["engineers"]
+ session_duration = "0s"
+ custom_deny_url = "https://denied.tips-of-mine.org/"
+ custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+ destinations = [{
+ type = "public"
+ uri = var.cloudflare_subdomain_web_sensitive
+ }]
+
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
+ auto_redirect_to_identity = true
+ allow_authenticate_via_warp = false
+
+ policies = [{
+ id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
+ }]
+}
+
+#======================================================
+# SELF-HOSTED APP: Macharpe Intranet
+#======================================================
+# Creating the Self-hosted Application for Administration web application
+resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" {
+ account_id = local.cloudflare_account_id
+
+ type = "self_hosted"
+ name = var.cloudflare_intranet_web_app_name
+ app_launcher_visible = true
+ logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
+ tags = ["engineers"]
+ session_duration = "0s"
+ custom_deny_url = "https://denied.tips-of-mine.org/"
+ custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+ destinations = [{
+ type = "public"
+ uri = var.cloudflare_subdomain_web
+ }]
+
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
+ auto_redirect_to_identity = true
+ allow_authenticate_via_warp = false
+
+ policies = [{
+ id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
+ }]
+}
+
+#======================================================
+# SELF-HOSTED APP: Domain Controller
+#======================================================
+# Creating the Target
+resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
+ account_id = local.cloudflare_account_id
+
+ hostname = var.cloudflare_target_rdp_name
+ ip = {
+ ipv4 = {
+ ip_addr = var.gcp_windows_vm_internal_ip
+ }
+ }
+}
+
+# Domain Controller Browser-Rendered RDP Application
+resource "cloudflare_zero_trust_access_application" "cf_app_rdp_domain" {
+ account_id = local.cloudflare_account_id
+
+ type = "rdp"
+ name = var.cf_browser_rdp_app_name
+ app_launcher_visible = true
+ logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
+ tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
+ session_duration = "0s"
+ custom_deny_url = "https://denied.tips-of-mine.org/"
+ custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+ # Public hostname for browser rendering
+ domain = var.cloudflare_subdomain_rdp
+
+ # Target criteria - references the existing gcp_rdp_target
+ target_criteria = [{
+ port = 3389
+ protocol = "RDP"
+ target_attributes = {
+ hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
+ }
+ }]
+
+ # Identity provider settings
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
+ auto_redirect_to_identity = true
+ enable_binding_cookie = false
+ http_only_cookie_attribute = false
+ options_preflight_bypass = false
+
+ # Reference the policy from cloudflare-app-policies.tf
+ policies = [{
+ id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
+ }]
+
+ # Depends on the existing target
+ depends_on = [
+ cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
+ ]
 }
\ No newline at end of file
diff --git a/Integrations-Identity_providers.tf b/Integrations-Identity_providers.tf
index d2670c0..f0d48f2 100644
--- a/Integrations-Identity_providers.tf
+++ b/Integrations-Identity_providers.tf
@@ -24,13 +24,13 @@ resource "cloudflare_zero_trust_access_identity_provider" "authentik_oidc" {
 zone_id = local.cloudflare_zone_id
 config = {
- auth_url = "https://authentik.${var.cloudflare_email_domain}/application/o/authorize/"
- certs_url = "https://authentik.${var.cloudflare_email_domain}/application/o/cloudflare-access/jwks/"
+ auth_url = "https://authentik.${var.cloudflare_authentik_domain}/application/o/authorize/"
+ certs_url = "https://authentik.${var.cloudflare_authentik_domain}/application/o/cloudflare-access/jwks/"
 claims = ["given_name", "preferred_username", "nickname", "groups", "role"]
 client_id = local.authentik_oidc_client_id_cloudflare
 client_secret = local.authentik_oidc_secret_cloudflare
 email_claim_name = "email"
 scopes = ["openid", "email", "profile"]
- token_url = "https://authentik.${var.cloudflare_email_domain}/application/o/token/"
+ token_url = "https://authentik.${var.cloudflare_authentik_domain}/application/o/token/"
 }
 }
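Review bot: The two new web apps set `tags = ["engineers"]` as a bare string, while `cf_app_rdp_domain` in the same hunk uses `tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]`; the bare string creates no graph dependency on the tag resource, so on a fresh apply the application can be created before the tag exists, and the two forms will drift if the tag is ever renamed. I would switch both web apps to the resource reference. Separately, `enable_binding_cookie = false` and `http_only_cookie_attribute = false` on the domain-controller RDP app switch off the Access session-cookie hardening with no comment saying why; if the browser-rendered RDP type needs them off, say so inline, e.g. `# Binding/HttpOnly cookie protections disabled for browser-rendered RDP — confirm against provider docs`, otherwise set them to true. The file also still ends without a trailing newline, which `terraform fmt` would add.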
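Review bot: `certs_url` is the JWKS endpoint Access trusts to validate Authentik ID tokens, so the value of the new `var.cloudflare_authentik_domain` now decides the trust anchor for this identity provider, and all three URLs concatenate it without checking that it is a bare hostname. The variable declaration is outside this diff; if it has no `validation` block, one that rejects a scheme, path or trailing slash would turn a typo into a plan-time error instead of a broken login or token URL. A single `local` for the `https://authentik.${var.cloudflare_authentik_domain}` prefix would also keep the three URLs from drifting apart. The enclosing `authentik_oidc` resource starts before the hunk.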