Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

add all app
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 15s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-20 15:44:13 +01:00
parent bafe4ccb46
commit d1657056b2
2 changed files with 121 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
Access_Controls-Applications.tf
View File

@@ -186,3 +186,121 @@ resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" {
id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
}] }]
} }
#======================================================
# SELF-HOSTED APP: Competition App
#======================================================
# Creating the Self-hosted Application for Competition web application
resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" {
account_id = local.cloudflare_account_id
type = "self_hosted"
name = var.cloudflare_sensitive_web_app_name
app_launcher_visible = true
logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{
type = "public"
uri = var.cloudflare_subdomain_web_sensitive
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
allow_authenticate_via_warp = false
policies = [{
id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
}]
}
#======================================================
# SELF-HOSTED APP: Macharpe Intranet
#======================================================
# Creating the Self-hosted Application for Administration web application
resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" {
account_id = local.cloudflare_account_id
type = "self_hosted"
name = var.cloudflare_intranet_web_app_name
app_launcher_visible = true
logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{
type = "public"
uri = var.cloudflare_subdomain_web
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
allow_authenticate_via_warp = false
policies = [{
id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
}]
}
#======================================================
# SELF-HOSTED APP: Domain Controller
#======================================================
# Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
account_id = local.cloudflare_account_id
hostname = var.cloudflare_target_rdp_name
ip = {
ipv4 = {
ip_addr = var.gcp_windows_vm_internal_ip
}
}
}
# Domain Controller Browser-Rendered RDP Application
resource "cloudflare_zero_trust_access_application" "cf_app_rdp_domain" {
account_id = local.cloudflare_account_id
type = "rdp"
name = var.cf_browser_rdp_app_name
app_launcher_visible = true
logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
# Public hostname for browser rendering
domain = var.cloudflare_subdomain_rdp
# Target criteria - references the existing gcp_rdp_target
target_criteria = [{
port = 3389
protocol = "RDP"
target_attributes = {
hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
}
}]
# Identity provider settings
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
enable_binding_cookie = false
http_only_cookie_attribute = false
options_preflight_bypass = false
# Reference the policy from cloudflare-app-policies.tf
policies = [{
id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
}]
# Depends on the existing target
depends_on = [
cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
]
}

6
Integrations-Identity_providers.tf
View File

@@ -24,13 +24,13 @@ resource "cloudflare_zero_trust_access_identity_provider" "authentik_oidc" {
zone_id = local.cloudflare_zone_id zone_id = local.cloudflare_zone_id
config = { config = {
auth_url = "https://authentik.${var.cloudflare_email_domain}/application/o/authorize/" auth_url = "https://authentik.${var.cloudflare_authentik_domain}/application/o/authorize/"
certs_url = "https://authentik.${var.cloudflare_email_domain}/application/o/cloudflare-access/jwks/" certs_url = "https://authentik.${var.cloudflare_authentik_domain}/application/o/cloudflare-access/jwks/"
claims = ["given_name", "preferred_username", "nickname", "groups", "role"] claims = ["given_name", "preferred_username", "nickname", "groups", "role"]
client_id = local.authentik_oidc_client_id_cloudflare client_id = local.authentik_oidc_client_id_cloudflare
client_secret = local.authentik_oidc_secret_cloudflare client_secret = local.authentik_oidc_secret_cloudflare
email_claim_name = "email" email_claim_name = "email"
scopes = ["openid", "email", "profile"] scopes = ["openid", "email", "profile"]
token_url = "https://authentik.${var.cloudflare_email_domain}/application/o/token/" token_url = "https://authentik.${var.cloudflare_authentik_domain}/application/o/token/"
} }
} }