Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Update access_applications.tf
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 12s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-16 13:52:36 +01:00
parent bac8dfc962
commit eb54092fcf
1 changed files with 44 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
access_applications.tf
View File

@@ -7,7 +7,7 @@ resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_a
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "self_hosted" type = "self_hosted"
name = "Home Network Access Application" name = "Home Network Access Application"
domain = "home.tips-of-mine.org" domain = "home.${local.cloudflare_zone_id}"
session_duration = "24h" session_duration = "24h"
skip_interstitial = true skip_interstitial = true
tags = ["engineers"] tags = ["engineers"]
@@ -24,7 +24,7 @@ data "cloudflare_zero_trust_access_application" "example_zero_trust_access_appli
# Creating the Target # Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
hostname = var.cf_target_ssh_name hostname = var.cloudflare_target_ssh_name
ip = { ip = {
ipv4 = { ipv4 = {
ip_addr = var.gcp_vm_internal_ip ip_addr = var.gcp_vm_internal_ip
@@ -33,20 +33,20 @@ resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
} }
# Creating the infrastructure Application # Creating the infrastructure Application
resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" { resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "infrastructure" type = "infrastructure"
name = var.cf_infra_app_name name = var.cloudflare_infra_app_name
logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
tags = "devops" tags = "devops"
custom_deny_url = "https://denied.macharpe.com/" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
custom_non_identity_deny_url = "https://denied.macharpe.com/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
target_criteria = [{ target_criteria = [{
port = "22", port = "22",
protocol = "SSH" protocol = "SSH"
target_attributes = { target_attributes = {
hostname = [var.cf_target_ssh_name] hostname = [var.cloudflare_target_ssh_name]
}, },
}] }]
@@ -54,28 +54,28 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
name = "SSH GCP Infrastructure Policy" name = "SSH GCP Infrastructure Policy"
decision = "allow" decision = "allow"
allowed_idps = [var.cf_okta_identity_provider_id] allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true auto_redirect_to_identity = true
allow_authenticate_via_warp = false allow_authenticate_via_warp = false
include = [ include = [
{ {
saml = { saml = {
identity_provider_id = var.cf_okta_identity_provider_id identity_provider_id = var.cloudflare_okta_identity_provider_id
attribute_name = "groups" attribute_name = "groups"
attribute_value = var.okta_infra_admin_saml_group_name attribute_value = var.okta_infra_admin_saml_group_name
} }
}, },
{ {
saml = { saml = {
identity_provider_id = var.cf_okta_identity_provider_id identity_provider_id = var.cloudflare_okta_identity_provider_id
attribute_name = "groups" attribute_name = "groups"
attribute_value = var.okta_contractors_saml_group_name attribute_value = var.okta_contractors_saml_group_name
} }
}, },
{ {
email_domain = { email_domain = {
domain = var.cf_email_domain domain = var.cloudflare_email_domain
} }
} }
] ]
@@ -83,7 +83,7 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
require = [ require = [
{ {
device_posture = { device_posture = {
integration_uid = var.cf_gateway_posture_id integration_uid = var.cloudflare_gateway_posture_id
} }
}, },
{ {
@@ -116,23 +116,23 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_infra" {
# SELF-HOSTED APP: DB Server # SELF-HOSTED APP: DB Server
#====================================================== #======================================================
# Creating the Self-hosted Application for Browser rendering SSH # Creating the Self-hosted Application for Browser rendering SSH
resource "cloudflare_zero_trust_access_application" "cf_app_ssh_browser" { resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "ssh" type = "ssh"
name = var.cf_browser_ssh_app_name name = var.cloudflare_browser_ssh_app_name
app_launcher_visible = true app_launcher_visible = true
logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png" logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
tags = "devops" tags = "devops"
session_duration = "0s" session_duration = "0s"
custom_deny_url = "https://denied.macharpe.com/" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
custom_non_identity_deny_url = "https://denied.macharpe.com/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
destinations = [{ destinations = [{
type = "public" type = "public"
uri = var.cf_subdomain_ssh uri = var.cloudflare_subdomain_ssh
}] }]
allowed_idps = [var.cf_okta_identity_provider_id, var.cf_otp_identity_provider_id] allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
auto_redirect_to_identity = false auto_redirect_to_identity = false
allow_authenticate_via_warp = false allow_authenticate_via_warp = false
@@ -150,23 +150,23 @@ resource "cloudflare_zero_trust_access_application" "cf_app_ssh_browser" {
# SELF-HOSTED APP: PostgresDB Admin # SELF-HOSTED APP: PostgresDB Admin
#====================================================== #======================================================
# Creating the Self-hosted Application for Browser rendering VNC # Creating the Self-hosted Application for Browser rendering VNC
resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" { resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "vnc" type = "vnc"
name = var.cf_browser_vnc_app_name name = var.cloudflare_browser_vnc_app_name
app_launcher_visible = true app_launcher_visible = true
logo_url = "https://blog.zwindler.fr/2015/07/vnc.png" logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
tags = "devops" tags = "devops"
session_duration = "0s" session_duration = "0s"
custom_deny_url = "https://denied.macharpe.com/" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
custom_non_identity_deny_url = "https://denied.macharpe.com/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
destinations = [{ destinations = [{
type = "public" type = "public"
uri = var.cf_subdomain_vnc uri = var.cloudflare_subdomain_vnc
}] }]
allowed_idps = [var.cf_okta_identity_provider_id, var.cf_otp_identity_provider_id] allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
auto_redirect_to_identity = false auto_redirect_to_identity = false
allow_authenticate_via_warp = false allow_authenticate_via_warp = false
@@ -175,29 +175,27 @@ resource "cloudflare_zero_trust_access_application" "cf_app_vnc_browser" {
}] }]
} }
#====================================================== #======================================================
# SELF-HOSTED APP: Competition App # SELF-HOSTED APP: Competition App
#====================================================== #======================================================
# Creating the Self-hosted Application for Competition web application # Creating the Self-hosted Application for Competition web application
resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" { resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "self_hosted" type = "self_hosted"
name = var.cf_sensitive_web_app_name name = var.cloudflare_sensitive_web_app_name
app_launcher_visible = true app_launcher_visible = true
logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
tags = "devops" tags = "devops"
session_duration = "0s" session_duration = "0s"
custom_deny_url = "https://denied.macharpe.com/" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
custom_non_identity_deny_url = "https://denied.macharpe.com/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
destinations = [{ destinations = [{
type = "public" type = "public"
uri = var.cf_subdomain_web_sensitive uri = var.cloudflare_subdomain_web_sensitive
}] }]
allowed_idps = [var.cf_okta_identity_provider_id] allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true auto_redirect_to_identity = true
allow_authenticate_via_warp = false allow_authenticate_via_warp = false
@@ -206,30 +204,27 @@ resource "cloudflare_zero_trust_access_application" "cf_app_web_competition" {
}] }]
} }
#====================================================== #======================================================
# SELF-HOSTED APP: Macharpe Intranet # SELF-HOSTED APP: Macharpe Intranet
#====================================================== #======================================================
# Creating the Self-hosted Application for Administration web application # Creating the Self-hosted Application for Administration web application
resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" { resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "self_hosted" type = "self_hosted"
name = var.cf_intranet_web_app_name name = var.cloudflare_intranet_web_app_name
app_launcher_visible = true app_launcher_visible = true
logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
tags = "devops" tags = "devops"
session_duration = "0s" session_duration = "0s"
custom_deny_url = "https://denied.macharpe.com/" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
custom_non_identity_deny_url = "https://denied.macharpe.com/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
destinations = [{ destinations = [{
type = "public" type = "public"
uri = var.cf_subdomain_web uri = var.cloudflare_subdomain_web
}] }]
allowed_idps = [var.cf_okta_identity_provider_id] allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true auto_redirect_to_identity = true
allow_authenticate_via_warp = false allow_authenticate_via_warp = false
@@ -238,15 +233,13 @@ resource "cloudflare_zero_trust_access_application" "cf_app_web_intranet" {
}] }]
} }
#====================================================== #======================================================
# SELF-HOSTED APP: Domain Controller # SELF-HOSTED APP: Domain Controller
#====================================================== #======================================================
# Creating the Target # Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" { resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
hostname = var.cf_target_rdp_name hostname = var.cloudflare_target_rdp_name
ip = { ip = {
ipv4 = { ipv4 = {
ip_addr = var.gcp_windows_vm_internal_ip ip_addr = var.gcp_windows_vm_internal_ip
@@ -255,31 +248,31 @@ resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
} }
# Domain Controller Browser-Rendered RDP Application # Domain Controller Browser-Rendered RDP Application
resource "cloudflare_zero_trust_access_application" "cf_app_rdp_domain" { resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
account_id = local.cloudflare_account_id account_id = local.cloudflare_account_id
type = "rdp" type = "rdp"
name = var.cf_browser_rdp_app_name name = var.cloudflare_browser_rdp_app_name
app_launcher_visible = true app_launcher_visible = true
logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
tags = "devops" tags = "devops"
session_duration = "0s" session_duration = "0s"
custom_deny_url = "https://denied.macharpe.com/" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/"
custom_non_identity_deny_url = "https://denied.macharpe.com/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/"
# Public hostname for browser rendering # Public hostname for browser rendering
domain = var.cf_subdomain_rdp domain = var.cloudflare_subdomain_rdp
# Target criteria - references the existing gcp_rdp_target # Target criteria - references the existing gcp_rdp_target
target_criteria = [{ target_criteria = [{
port = 3389 port = 3389
protocol = "RDP" protocol = "RDP"
target_attributes = { target_attributes = {
hostname = [var.cf_target_rdp_name] # This will be "Domain-Controller" hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
} }
}] }]
# Identity provider settings # Identity provider settings
allowed_idps = [var.cf_okta_identity_provider_id] allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true auto_redirect_to_identity = true
enable_binding_cookie = false enable_binding_cookie = false
http_only_cookie_attribute = false http_only_cookie_attribute = false