From f034aeba6fd528742b9ce37919e7ead989413bd9 Mon Sep 17 00:00:00 2001
From: hcornet
Date: Thu, 20 Nov 2025 16:31:11 +0100
Subject: [PATCH] add all tunnels

---
 test.tf.old => test.tf | 0
 test02.tf.old | 277 -----------------------------------------
 2 files changed, 277 deletions(-)
 rename test.tf.old => test.tf (100%)
 delete mode 100644 test02.tf.old

diff --git a/test.tf.old b/test.tf
similarity index 100%
rename from test.tf.old
rename to test.tf
diff --git a/test02.tf.old b/test02.tf.old
deleted file mode 100644
index a5505fb..0000000
--- a/test02.tf.old
+++ /dev/null
@@ -1,277 +0,0 @@
-#======================================================
-# INFRASTRUCTURE APP: MySQL Database (Infrastructure)
-#======================================================
-# Creating the Target
-resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
- account_id = local.cloudflare_account_id
- hostname = var.cloudflare_target_ssh_name
- ip = {
- ipv4 = {
- ip_addr = var.gcp_vm_internal_ip
- }
- }
-}
-
-# Creating the infrastructure Application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
- account_id = local.cloudflare_account_id
- type = "infrastructure"
- name = var.cloudflare_infra_app_name
- logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
- tags = ["engineers"]
- custom_deny_url = "https://denied.tips-of-mine.org/"
- custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
-
- target_criteria = [{
- port = "22",
- protocol = "SSH"
- target_attributes = {
- hostname = [var.cloudflare_target_ssh_name]
- },
- }]
-
- policies = [{
- name = "SSH GCP Infrastructure Policy"
- decision = "allow"
-
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- allow_authenticate_via_warp = false
-
- include = [
- {
- saml = {
- identity_provider_id = var.cloudflare_okta_identity_provider_id
- attribute_name = "groups"
- attribute_value = var.okta_infra_admin_saml_group_name
- }
- },
- {
- saml = {
- identity_provider_id = var.cloudflare_okta_identity_provider_id
- attribute_name = "groups"
- attribute_value = var.okta_contractors_saml_group_name
- }
- },
- {
- email_domain = {
- domain = var.cloudflare_email_domain
- }
- }
- ]
-
- require = [
- {
- device_posture = {
- integration_uid = var.cloudflare_gateway_posture_id
- }
- },
- {
- auth_method = {
- auth_method = "mfa"
- }
- }
- ]
-
- exclude = [
- {
- auth_method = {
- auth_method = "sms"
- }
- }
- ]
-
- connection_rules = {
- ssh = {
- allow_email_alias = true
- usernames = [] # None
- }
- }
- }]
-}
-
-
-#======================================================
-# SELF-HOSTED APP: DB Server
-#======================================================
-# Creating the Self-hosted Application for Browser rendering SSH
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
- account_id = local.cloudflare_account_id
- type = "ssh"
- name = var.cloudflare_browser_ssh_app_name
- app_launcher_visible = true
- logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
- tags = ["engineers"]
- session_duration = "0s"
- custom_deny_url = "https://denied.tips-of-mine.org/"
- custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
-
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_ssh
- }]
-
- allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
- auto_redirect_to_identity = false
- allow_authenticate_via_warp = false
-
- policies = [
- {
- id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
- },
- {
- id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
- }
- ]
-}
-
-#======================================================
-# SELF-HOSTED APP: PostgresDB Admin
-#======================================================
-# Creating the Self-hosted Application for Browser rendering VNC
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
- account_id = local.cloudflare_account_id
- type = "vnc"
- name = var.cloudflare_browser_vnc_app_name
- app_launcher_visible = true
- logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
- tags = ["engineers"]
- session_duration = "0s"
- custom_deny_url = "https://denied.tips-of-mine.org/"
- custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
-
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_vnc
- }]
-
- allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
- auto_redirect_to_identity = false
- allow_authenticate_via_warp = false
-
- policies = [{
- id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
- }]
-}
-
-
-#======================================================
-# SELF-HOSTED APP: Competition App
-#======================================================
-# Creating the Self-hosted Application for Competition web application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
- account_id = local.cloudflare_account_id
- type = "self_hosted"
- name = var.cloudflare_sensitive_web_app_name
- app_launcher_visible = true
- logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
- tags = ["engineers"]
- session_duration = "0s"
- custom_deny_url = "https://denied.tips-of-mine.org/"
- custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
-
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_web_sensitive
- }]
-
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- allow_authenticate_via_warp = false
-
- policies = [{
- id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
- }]
-}
-
-
-
-#======================================================
-# SELF-HOSTED APP: Macharpe Intranet
-#======================================================
-# Creating the Self-hosted Application for Administration web application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
- account_id = local.cloudflare_account_id
- type = "self_hosted"
- name = var.cloudflare_intranet_web_app_name
- app_launcher_visible = true
- logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
- tags = ["engineers"]
- session_duration = "0s"
- custom_deny_url = "https://denied.tips-of-mine.org/"
- custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
-
- destinations = [{
- type = "public"
- uri = var.cloudflare_subdomain_web
- }]
-
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- allow_authenticate_via_warp = false
-
- policies = [{
- id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
- }]
-}
-
-
-#======================================================
-# SELF-HOSTED APP: Domain Controller
-#======================================================
-# Creating the Target
-resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
- account_id = local.cloudflare_account_id
- hostname = var.cloudflare_target_rdp_name
- ip = {
- ipv4 = {
- ip_addr = var.gcp_windows_vm_internal_ip
- }
- }
-}
-
-# Domain Controller Browser-Rendered RDP Application
-resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
- account_id = local.cloudflare_account_id
- type = "rdp"
- name = var.cloudflare_browser_rdp_app_name
- app_launcher_visible = true
- logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
- tags = ["engineers"]
- session_duration = "0s"
- custom_deny_url = "https://denied.tips-of-mine.org/"
- custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
-
- # Public hostname for browser rendering
- domain = var.cloudflare_subdomain_rdp
-
- # Target criteria - references the existing gcp_rdp_target
- target_criteria = [{
- port = 3389
- protocol = "RDP"
- target_attributes = {
- hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
- }
- }]
-
- # Identity provider settings
- allowed_idps = [var.cloudflare_okta_identity_provider_id]
- auto_redirect_to_identity = true
- enable_binding_cookie = false
- http_only_cookie_attribute = false
- options_preflight_bypass = false
-
- # Reference the policy from cloudflare-app-policies.tf
- policies = [{
- id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
- }]
-
- # Depends on the existing target
- depends_on = [
- cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
- ]
-}