From eb54092fcf5f56180d8036174d04541b6b9aaa8d Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Sun, 16 Nov 2025 13:52:36 +0100
Subject: [PATCH] Update access_applications.tf
---
 access_applications.tf | 95 +++++++++++++++++++-----------------------
 1 file changed, 44 insertions(+), 51 deletions(-)
diff --git a/access_applications.tf b/access_applications.tf
index 4af0e0f..05c95d5 100644
--- a/access_applications.tf
+++ b/access_applications.tf
@@ -7,7 +7,7 @@ resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_a
 account_id = local.cloudflare_account_id
 type = "self_hosted"
 name = "Home Network Access Application"
- domain = "home.tips-of-mine.org"
+ domain = "home.${local.cloudflare_zone_id}"
 session_duration = "24h"
 skip_interstitial = true
 tags = ["engineers"]
@@ -24,7 +24,7 @@ data "cloudflare_zero_trust_access_application" "example_zero_trust_access_appli
 # Creating the Target
 resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
 account_id = local.cloudflare_account_id
- hostname = var.cf_target_ssh_name
+ hostname = var.cloudflare_target_ssh_name
 ip = {
 ipv4 = {
 ip_addr = var.gcp_vm_internal_ip
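Review bot: `domain = "home.${local.cloudflare_zone_id}"` interpolates what its name says is a zone ID into a hostname; if `local.cloudflare_zone_id` holds the Cloudflare zone identifier rather than the zone's DNS name, the application gets bound to a hostname that does not exist, and the hostname it replaced, `home.tips-of-mine.org`, is no longer covered by this Access application or its policies while whatever serves it stays reachable. The same interpolation is used for `custom_deny_url` and `custom_non_identity_deny_url` in the hunks at @@ -33, @@ -116, @@ -150, @@ -175, @@ -206 and @@ -255, where a denied user would be sent to a host that does not resolve. If the local actually holds the zone name, rename it to say so, e.g. `domain = "home.${local.cloudflare_zone_name}"`; otherwise introduce a local or variable carrying the DNS name and keep the ID for API calls only. In either case the rendered `domain` values in `terraform plan` should be checked against the expected hostnames before apply; the resource body starts before this hunk.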
@@ -33,20 +33,20 @@ resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
 }
 # Creating the infrastructure Application
-resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
 account_id = local.cloudflare_account_id
 type = "infrastructure"
- name = var.cf_infra_app_name
+ name = var.cloudflare_infra_app_name
 logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
 tags = "devops"
- custom_deny_url = "https://denied.macharpe.com/"
- custom_non_identity_deny_url = "https://denied.macharpe.com/"
+ custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+ custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 target_criteria = [{
 port = "22", protocol = "SSH"
 target_attributes = {
- hostname = [var.cf_target_ssh_name]
+ hostname = [var.cloudflare_target_ssh_name]
 },
 }]
@@ -54,28 +54,28 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
 name = "SSH GCP Infrastructure Policy"
 decision = "allow"
- allowed_idps = [var.cf_okta_identity_provider_id]
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
 auto_redirect_to_identity = true
 allow_authenticate_via_warp = false
 include = [
 {
 saml = {
- identity_provider_id = var.cf_okta_identity_provider_id
+ identity_provider_id = var.cloudflare_okta_identity_provider_id
 attribute_name = "groups"
 attribute_value = var.okta_infra_admin_saml_group_name
 }
 },
 {
 saml = {
- identity_provider_id = var.cf_okta_identity_provider_id
+ identity_provider_id = var.cloudflare_okta_identity_provider_id
 attribute_name = "groups"
 attribute_value = var.okta_contractors_saml_group_name
 }
 },
 {
 email_domain = {
- domain = var.cf_email_domain
+ domain = var.cloudflare_email_domain
 }
 }
 ]
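Review bot: `tags = "devops"` in the renamed `cloudflare_app_ssh_infra` resource is a bare string, while the first application in the @@ -7 hunk writes the same attribute as a list, `tags = ["engineers"]`; if the provider declares `tags` as a list of strings, as that form suggests, this line (and the identical line in every later application resource in this patch) would be rejected at validation, and if it is accepted the two forms should still be unified as `tags = ["devops"]`. In the same hunk `port = "22"` is a quoted string whereas the RDP application at @@ -255 uses the unquoted `port = 3389`; picking one form avoids depending on implicit conversion. Both lines are unchanged context rather than part of this commit's rename, and the resource body continues past the hunk.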
@@ -83,7 +83,7 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
 require = [
 {
 device_posture = {
- integration_uid = var.cf_gateway_posture_id
+ integration_uid = var.cloudflare_gateway_posture_id
 }
 },
 {
@@ -116,23 +116,23 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
 # SELF-HOSTED APP: DB Server
 #======================================================
 # Creating the Self-hosted Application for Browser rendering SSH
-resource "cloudflare_zero_trust_access_application" "cf_app_ssh_browser" {
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
 account_id = local.cloudflare_account_id
 type = "ssh"
- name = var.cf_browser_ssh_app_name
+ name = var.cloudflare_browser_ssh_app_name
 app_launcher_visible = true
 logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
 tags = "devops"
 session_duration = "0s"
- custom_deny_url = "https://denied.macharpe.com/"
- custom_non_identity_deny_url = "https://denied.macharpe.com/"
+ custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+ custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 destinations = [{
 type = "public"
- uri = var.cf_subdomain_ssh
+ uri = var.cloudflare_subdomain_ssh
 }]
- allowed_idps = [var.cf_okta_identity_provider_id, var.cf_otp_identity_provider_id]
+ allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
 auto_redirect_to_identity = false
 allow_authenticate_via_warp = false
@@ -150,23 +150,23 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_browser" {
 # SELF-HOSTED APP: PostgresDB Admin
 #======================================================
 # Creating the Self-hosted Application for Browser rendering VNC
-resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" {
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
 account_id = local.cloudflare_account_id
 type = "vnc"
- name = var.cf_browser_vnc_app_name
+ name = var.cloudflare_browser_vnc_app_name
 app_launcher_visible = true
 logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
 tags = "devops"
 session_duration = "0s"
- custom_deny_url = "https://denied.macharpe.com/"
- custom_non_identity_deny_url = "https://denied.macharpe.com/"
+ custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+ custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 destinations = [{
 type = "public"
- uri = var.cf_subdomain_vnc
+ uri = var.cloudflare_subdomain_vnc
 }]
- allowed_idps = [var.cf_okta_identity_provider_id, var.cf_otp_identity_provider_id]
+ allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
 auto_redirect_to_identity = false
 allow_authenticate_via_warp = false
@@ -175,29 +175,27 @@ resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" {
 }]
 }
-
-
 #======================================================
 # SELF-HOSTED APP: Competition App
 #======================================================
 # Creating the Self-hosted Application for Competition web application
-resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" {
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
 account_id = local.cloudflare_account_id
 type = "self_hosted"
- name = var.cf_sensitive_web_app_name
+ name = var.cloudflare_sensitive_web_app_name
 app_launcher_visible = true
 logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
 tags = "devops"
 session_duration = "0s"
- custom_deny_url = "https://denied.macharpe.com/"
- custom_non_identity_deny_url = "https://denied.macharpe.com/"
+ custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+ custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 destinations = [{
 type = "public"
- uri = var.cf_subdomain_web_sensitive
+ uri = var.cloudflare_subdomain_web_sensitive
 }]
- allowed_idps = [var.cf_okta_identity_provider_id]
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
 auto_redirect_to_identity = true
 allow_authenticate_via_warp = false
@@ -206,30 +204,27 @@ resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" {
 }]
 }
-
-
-
 #======================================================
 # SELF-HOSTED APP: Macharpe Intranet
 #======================================================
 # Creating the Self-hosted Application for Administration web application
-resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" {
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
 account_id = local.cloudflare_account_id
 type = "self_hosted"
- name = var.cf_intranet_web_app_name
+ name = var.cloudflare_intranet_web_app_name
 app_launcher_visible = true
 logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
 tags = "devops"
 session_duration = "0s"
- custom_deny_url = "https://denied.macharpe.com/"
- custom_non_identity_deny_url = "https://denied.macharpe.com/"
+ custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+ custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 destinations = [{
 type = "public"
- uri = var.cf_subdomain_web
+ uri = var.cloudflare_subdomain_web
 }]
- allowed_idps = [var.cf_okta_identity_provider_id]
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
 auto_redirect_to_identity = true
 allow_authenticate_via_warp = false
@@ -238,15 +233,13 @@ resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" {
 }]
 }
-
-
 #======================================================
 # SELF-HOSTED APP: Domain Controller
 #======================================================
 # Creating the Target
 resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
 account_id = local.cloudflare_account_id
- hostname = var.cf_target_rdp_name
+ hostname = var.cloudflare_target_rdp_name
 ip = {
 ipv4 = {
 ip_addr = var.gcp_windows_vm_internal_ip
@@ -255,31 +248,31 @@ resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
 }
 # Domain Controller Browser-Rendered RDP Application
-resource "cloudflare_zero_trust_access_application" "cf_app_rdp_domain" {
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
 account_id = local.cloudflare_account_id
 type = "rdp"
- name = var.cf_browser_rdp_app_name
+ name = var.cloudflare_browser_rdp_app_name
 app_launcher_visible = true
 logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
 tags = "devops"
 session_duration = "0s"
- custom_deny_url = "https://denied.macharpe.com/"
- custom_non_identity_deny_url = "https://denied.macharpe.com/"
+ custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
+ custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
 # Public hostname for browser rendering
- domain = var.cf_subdomain_rdp
+ domain = var.cloudflare_subdomain_rdp
 # Target criteria - references the existing gcp_rdp_target
 target_criteria = [{
 port = 3389
 protocol = "RDP"
 target_attributes = {
- hostname = [var.cf_target_rdp_name] # This will be "Domain-Controller"
+ hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
 }
 }]
 # Identity provider settings
- allowed_idps = [var.cf_okta_identity_provider_id]
+ allowed_idps = [var.cloudflare_okta_identity_provider_id]
 auto_redirect_to_identity = true
 enable_binding_cookie = false
 http_only_cookie_attribute = false
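Review bot: `http_only_cookie_attribute = false` on the last line of the renamed `cloudflare_app_rdp_domain` resource leaves the Access session cookie for the domain-controller RDP application readable by page script, and `enable_binding_cookie = false` just above it forgoes the additional cookie binding the provider offers; for a browser-rendered session to a domain controller the safer setting is `http_only_cookie_attribute = true` unless something in this configuration documents a need for script access to the cookie. Both lines are unchanged context rather than part of this commit's rename, so a short comment recording why they are disabled would be the minimum if the values are intentional. The resource body continues past the end of the hunk.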