add all app

2025-11-20 15:44:13 +01:00
parent bafe4ccb46
commit d1657056b2
2 changed files with 121 additions and 3 deletions
--- a/Access_Controls-Applications.tf
+++ b/Access_Controls-Applications.tf
@@ -185,4 +185,122 @@ resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" {
  policies = [{
    id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
  }]
+}
+
+#======================================================
+# SELF-HOSTED APP: Competition App
+#======================================================
+# Creating the Self-hosted Application for Competition web application
+resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" {
+  account_id                   = local.cloudflare_account_id
+
+  type                         = "self_hosted"
+  name                         = var.cloudflare_sensitive_web_app_name
+  app_launcher_visible         = true
+  logo_url                     = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
+  tags                         = ["engineers"]
+  session_duration             = "0s"
+  custom_deny_url              = "https://denied.tips-of-mine.org/"
+  custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+  destinations = [{
+    type = "public"
+    uri  = var.cloudflare_subdomain_web_sensitive
+  }]
+
+  allowed_idps                = [var.cloudflare_okta_identity_provider_id]
+  auto_redirect_to_identity   = true
+  allow_authenticate_via_warp = false
+
+  policies = [{
+    id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
+  }]
+}
+
+#======================================================
+# SELF-HOSTED APP: Macharpe Intranet
+#======================================================
+# Creating the Self-hosted Application for Administration web application
+resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" {
+  account_id                   = local.cloudflare_account_id
+
+  type                         = "self_hosted"
+  name                         = var.cloudflare_intranet_web_app_name
+  app_launcher_visible         = true
+  logo_url                     = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
+  tags                         = ["engineers"]
+  session_duration             = "0s"
+  custom_deny_url              = "https://denied.tips-of-mine.org/"
+  custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+  destinations = [{
+    type = "public"
+    uri  = var.cloudflare_subdomain_web
+  }]
+
+  allowed_idps                = [var.cloudflare_okta_identity_provider_id]
+  auto_redirect_to_identity   = true
+  allow_authenticate_via_warp = false
+
+  policies = [{
+    id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
+  }]
+}
+
+#======================================================
+# SELF-HOSTED APP: Domain Controller
+#======================================================
+# Creating the Target
+resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
+  account_id = local.cloudflare_account_id
+
+  hostname   = var.cloudflare_target_rdp_name
+  ip = {
+    ipv4 = {
+      ip_addr = var.gcp_windows_vm_internal_ip
+    }
+  }
+}
+
+# Domain Controller Browser-Rendered RDP Application
+resource "cloudflare_zero_trust_access_application" "cf_app_rdp_domain" {
+  account_id                   = local.cloudflare_account_id
+
+  type                         = "rdp"
+  name                         = var.cf_browser_rdp_app_name
+  app_launcher_visible         = true
+  logo_url                     = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
+  tags                         = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
+   session_duration             = "0s"
+  custom_deny_url              = "https://denied.tips-of-mine.org/"
+  custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+  # Public hostname for browser rendering
+  domain = var.cloudflare_subdomain_rdp
+
+  # Target criteria - references the existing gcp_rdp_target
+  target_criteria = [{
+    port     = 3389
+    protocol = "RDP"
+    target_attributes = {
+      hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
+    }
+  }]
+
+  # Identity provider settings
+  allowed_idps               = [var.cloudflare_okta_identity_provider_id]
+  auto_redirect_to_identity  = true
+  enable_binding_cookie      = false
+  http_only_cookie_attribute = false
+  options_preflight_bypass   = false
+
+  # Reference the policy from cloudflare-app-policies.tf
+  policies = [{
+    id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
+  }]
+
+  # Depends on the existing target
+  depends_on = [
+    cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
+  ]
 }
--- a/Integrations-Identity_providers.tf
+++ b/Integrations-Identity_providers.tf
@@ -24,13 +24,13 @@ resource "cloudflare_zero_trust_access_identity_provider" "authentik_oidc" {
  zone_id    = local.cloudflare_zone_id

  config = {
-    auth_url         = "https://authentik.${var.cloudflare_email_domain}/application/o/authorize/"
-    certs_url        = "https://authentik.${var.cloudflare_email_domain}/application/o/cloudflare-access/jwks/"
+    auth_url         = "https://authentik.${var.cloudflare_authentik_domain}/application/o/authorize/"
+    certs_url        = "https://authentik.${var.cloudflare_authentik_domain}/application/o/cloudflare-access/jwks/"
    claims           = ["given_name", "preferred_username", "nickname", "groups", "role"]
    client_id        = local.authentik_oidc_client_id_cloudflare
    client_secret    = local.authentik_oidc_secret_cloudflare
    email_claim_name = "email"
    scopes           = ["openid", "email", "profile"]
-    token_url        = "https://authentik.${var.cloudflare_email_domain}/application/o/token/"
+    token_url        = "https://authentik.${var.cloudflare_authentik_domain}/application/o/token/"
  }
 }