From fb698c693b88b0281f96fa3660a9a9f78a3c70d1 Mon Sep 17 00:00:00 2001 From: hcornet Date: Mon, 24 Nov 2025 11:41:47 +0100 Subject: [PATCH] splitting the "applications" file --- ...ss_Controls-Applications-Infrastructure.tf | 95 ++++ Access_Controls-Applications-rdp.tf | 62 +++ Access_Controls-Applications-self_hosted.tf | 91 ++++ Access_Controls-Applications-ssh.tf | 39 ++ Access_Controls-Applications-vnc.tf | 34 ++ Access_Controls-Applications.tf | 453 +++++++++--------- 6 files changed, 549 insertions(+), 225 deletions(-) create mode 100644 Access_Controls-Applications-Infrastructure.tf create mode 100644 Access_Controls-Applications-rdp.tf create mode 100644 Access_Controls-Applications-self_hosted.tf create mode 100644 Access_Controls-Applications-ssh.tf create mode 100644 Access_Controls-Applications-vnc.tf diff --git a/Access_Controls-Applications-Infrastructure.tf b/Access_Controls-Applications-Infrastructure.tf new file mode 100644 index 0000000..9fc3527 --- /dev/null +++ b/Access_Controls-Applications-Infrastructure.tf 
@@ -0,0 +1,95 @@ +# ============================================================================= +# CLOUDFLARE : Access Controls : Applications +# ============================================================================= + +#====================================================== +# INFRASTRUCTURE APP: MySQL Database (Infrastructure) +#====================================================== + +# Creating the Target +resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { + account_id = local.cloudflare_account_id + + hostname = var.cloudflare_target_ssh_name + ip = { + ipv4 = { + ip_addr = var.gcp_vm_internal_ip + } + } +} + +# Creating the infrastructure Application +resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" { + account_id = local.cloudflare_account_id + + type = "infrastructure" + name = var.cloudflare_infra_app_name + logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" + tags = ["engineers"] + custom_deny_url = "https://denied.tips-of-mine.org/" + custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" + + target_criteria = [{ + port = "22", + protocol = "SSH" + target_attributes = { + hostname = [var.cloudflare_target_ssh_name] + }, + }] + + policies = [{ + name = "SSH GCP Infrastructure Policy" + decision = "allow" + + allowed_idps = [var.cloudflare_okta_identity_provider_id] + auto_redirect_to_identity = true + allow_authenticate_via_warp = false + + include = [ + { + saml = { + identity_provider_id = var.cloudflare_okta_identity_provider_id + attribute_name = "groups" + attribute_value = var.okta_infra_admin_saml_group_name + } + }, + { + saml = { + identity_provider_id = var.cloudflare_okta_identity_provider_id + attribute_name = "groups" + attribute_value = var.okta_contractors_saml_group_name + } + }, + { + email_domain = { + domain = var.cloudflare_email_domain + } + } + ] + require = [ + { + device_posture = { + integration_uid = 
var.cloudflare_gateway_posture_id + } + }, + { + auth_method = { + auth_method = "mfa" + } + } + ] + exclude = [ + { + auth_method = { + auth_method = "sms" + } + } + ] + connection_rules = { + ssh = { + allow_email_alias = true + usernames = [] # None + } + } + }] +} diff --git a/Access_Controls-Applications-rdp.tf b/Access_Controls-Applications-rdp.tf new file mode 100644 index 0000000..57ad3c5 --- /dev/null +++ b/Access_Controls-Applications-rdp.tf 
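Review bot: In the `SSH GCP Infrastructure Policy` the `include` list holds an `email_domain` rule next to the two SAML group rules; Access evaluates `include` entries as OR, so any identity from `var.cloudflare_email_domain` satisfies the policy and the group restriction no longer limits who can start the SSH session. If the intent is "member of one of these groups and from this domain", move the `email_domain` rule into `require` beside the posture and MFA rules, or drop it and explain in a comment why domain-wide access is wanted. Separately, `target_attributes.hostname` references `var.cloudflare_target_ssh_name` rather than the `gcp_ssh_target` resource, so Terraform sees no ordering between the application and its target; the rdp file adds an explicit dependency for the same situation and this one should too, `depends_on = [cloudflare_zero_trust_access_infrastructure_target.gcp_ssh_target]`. The literal `tags = ["engineers"]` (also in the self_hosted, ssh and vnc files) likewise carries no dependency on the tag resource, whereas the rdp file uses `cloudflare_zero_trust_access_tag.tags["engineers"].name`; using the reference everywhere ensures the tag exists before it is attached.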
@@ -0,0 +1,62 @@ +# ============================================================================= +# CLOUDFLARE : Access Controls : Applications +# ============================================================================= + +#====================================================== +# SELF-HOSTED APP: Domain Controller +#====================================================== + +# Creating the Target +resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" { + account_id = local.cloudflare_account_id + + hostname = var.cloudflare_target_rdp_name + ip = { + ipv4 = { + ip_addr = var.gcp_windows_vm_internal_ip + } + } +} + +# Domain Controller Browser-Rendered RDP Application +resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" { + account_id = local.cloudflare_account_id + + type = "rdp" + name = var.cloudflare_browser_rdp_app_name + app_launcher_visible = true + logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" + tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name] + session_duration = "0s" + custom_deny_url = "https://denied.tips-of-mine.org/" + custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" + + # Public hostname for browser rendering + domain = var.cloudflare_subdomain_rdp + + # Target criteria - references the existing gcp_rdp_target + target_criteria = [{ + port = 3389 + protocol = "RDP" + target_attributes = { + hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller" + } + }] + + # Identity provider settings + allowed_idps = [var.cloudflare_okta_identity_provider_id] + auto_redirect_to_identity = true + enable_binding_cookie = false + http_only_cookie_attribute = false + options_preflight_bypass = false + + # Reference the policy from cloudflare-app-policies.tf + policies = [{ + id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id + }] + + # Depends on the existing target + depends_on = [ + 
cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target + ] +} \ No newline at end of file diff --git a/Access_Controls-Applications-self_hosted.tf b/Access_Controls-Applications-self_hosted.tf new file mode 100644 index 0000000..5125f32 --- /dev/null +++ b/Access_Controls-Applications-self_hosted.tf 
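Review bot: `http_only_cookie_attribute = false` and `enable_binding_cookie = false` weaken the session cookie of the application that fronts a Domain Controller: with HttpOnly off the Access cookie is readable by script on the page, and the binding cookie is the extra protection Cloudflare offers against a stolen authorization token. Unless browser-rendered RDP is known to require these settings, set both to `true`, or document the constraint above them, e.g. `# HttpOnly/binding cookie disabled because browser RDP needs … — TODO confirm`. The comment `# Reference the policy from cloudflare-app-policies.tf` names a file that is not in this diff and does not follow the `Access_Controls-*` naming used here; verify the path or drop the filename from the comment. The file also ends without a trailing newline (`\ No newline at end of file`).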
@@ -0,0 +1,91 @@ +# ============================================================================= +# CLOUDFLARE : Access Controls : Applications +# ============================================================================= + +#====================================================== +# INFRASTRUCTURE Application: Test Home Network Access +#====================================================== + +resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" { + account_id = local.cloudflare_account_id + + type = "self_hosted" + name = "Home Network Access Application" + domain = "home.tips-of-mine.org" + session_duration = "24h" + skip_interstitial = true +# tags = ["engineers"] + tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name] + + depends_on = [ + cloudflare_zero_trust_access_tag.tags + ] +} + +data "cloudflare_zero_trust_access_application" "zero_trust_access_application" { + account_id = local.cloudflare_account_id + + app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id +} + +#====================================================== +# SELF-HOSTED APP: Competition App +#====================================================== + +# Creating the Self-hosted Application for Competition web application +resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" { + account_id = local.cloudflare_account_id + + type = "self_hosted" + name = var.cloudflare_sensitive_web_app_name + app_launcher_visible = true + logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" + tags = ["engineers"] + session_duration = "0s" + custom_deny_url = "https://denied.tips-of-mine.org/" + custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" + + destinations = [{ + type = "public" + uri = var.cloudflare_subdomain_web_sensitive + }] + + allowed_idps = [var.cloudflare_okta_identity_provider_id] + auto_redirect_to_identity = true + allow_authenticate_via_warp = false + + 
policies = [{ + id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id + }] +} + +#====================================================== +# SELF-HOSTED APP: Macharpe Intranet +#====================================================== + +# Creating the Self-hosted Application for Administration web application +resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" { + account_id = local.cloudflare_account_id + + type = "self_hosted" + name = var.cloudflare_intranet_web_app_name + app_launcher_visible = true + logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" + tags = ["engineers"] + session_duration = "0s" + custom_deny_url = "https://denied.tips-of-mine.org/" + custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" + + destinations = [{ + type = "public" + uri = var.cloudflare_subdomain_web + }] + + allowed_idps = [var.cloudflare_okta_identity_provider_id] + auto_redirect_to_identity = true + allow_authenticate_via_warp = false + + policies = [{ + id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id + }] +} diff --git a/Access_Controls-Applications-ssh.tf b/Access_Controls-Applications-ssh.tf new file mode 100644 index 0000000..2f80890 --- /dev/null +++ b/Access_Controls-Applications-ssh.tf 
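Review bot: The `zero_trust_access_application` (Home Network) resource sets no `policies`, `allowed_idps` or deny URLs, unlike every other application in this change, and `session_duration = "24h"` with `skip_interstitial = true` is the most permissive combination in the set; if it is a deliberate test app, say so in its banner and state which policy, if any, is expected to be attached, otherwise attach one the way the other apps do. That banner reads `INFRASTRUCTURE Application` while the block has `type = "self_hosted"`, which is misleading now that infrastructure apps live in their own file. The commented-out `# tags = ["engineers"]` line is dead code and should go. The `data "cloudflare_zero_trust_access_application"` block only reads back the resource declared immediately above it; if nothing consumes it, drop it, and if something does, a comment naming the consumer would help.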
@@ -0,0 +1,39 @@
+# =============================================================================
+# CLOUDFLARE : Access Controls : Applications
+# =============================================================================
+
+#======================================================
+# SELF-HOSTED APP: DB Server
+#======================================================
+
+# Creating the Self-hosted Application for Browser rendering SSH
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
+ account_id = local.cloudflare_account_id
+
+ type = "ssh"
+ name = var.cloudflare_browser_ssh_app_name
+ app_launcher_visible = true
+ logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
+ tags = ["engineers"]
+ session_duration = "0s"
+ custom_deny_url = "https://denied.tips-of-mine.org/"
+ custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+ destinations = [{
+ type = "public"
+ uri = var.cloudflare_subdomain_ssh
+ }]
+
+ allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
+ auto_redirect_to_identity = false
+ allow_authenticate_via_warp = false
+
+ policies = [
+ {
+ id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+ },
+ {
+ id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
+ }
+ ]
+}
diff --git a/Access_Controls-Applications-vnc.tf b/Access_Controls-Applications-vnc.tf
new file mode 100644
index 0000000..92ca3a0
--- /dev/null
+++ b/Access_Controls-Applications-vnc.tf
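Review bot: `allowed_idps` lists `var.cloudflare_otp_identity_provider_id` next to Okta and `auto_redirect_to_identity` is `false`, so users can reach this browser-rendered SSH app through the one-time-PIN login path instead of the Okta IdP; whether the MFA and device-posture requirements seen in the infrastructure policy still apply on that path depends entirely on the `employees_browser_rendering` / `contractors_browser_rendering` policies, which are defined outside this diff. A comment above `allowed_idps` stating why OTP is allowed here (presumably contractors without Okta accounts) and which policy constrains it would make the intent reviewable; the same applies to the vnc file, which has the identical IdP list. The vnc app attaches only the employees policy while this one also attaches the contractors policy — if that difference is intentional, a one-line comment in each file would stop a future edit from "harmonizing" it.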
@@ -0,0 +1,34 @@
+# =============================================================================
+# CLOUDFLARE : Access Controls : Applications
+# =============================================================================
+
+#======================================================
+# SELF-HOSTED APP: PostgresDB Admin
+#======================================================
+# Creating the Self-hosted Application for Browser rendering VNC
+
+resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
+ account_id = local.cloudflare_account_id
+
+ type = "vnc"
+ name = var.cloudflare_browser_vnc_app_name
+ app_launcher_visible = true
+ logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
+ tags = ["engineers"]
+ session_duration = "0s"
+ custom_deny_url = "https://denied.tips-of-mine.org/"
+ custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
+
+ destinations = [{
+ type = "public"
+ uri = var.cloudflare_subdomain_vnc
+ }]
+
+ allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
+ auto_redirect_to_identity = false
+ allow_authenticate_via_warp = false
+
+ policies = [{
+ id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
+ }]
+}
diff --git a/Access_Controls-Applications.tf b/Access_Controls-Applications.tf
index 0ae3656..7e712eb 100644
--- a/Access_Controls-Applications.tf
+++ b/Access_Controls-Applications.tf
@@ -6,301 +6,304 @@ # INFRASTRUCTURE Application: Test Home Network Access #====================================================== -resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" { +# account_id = local.cloudflare_account_id - type = "self_hosted" - name = "Home Network Access Application" - domain = "home.tips-of-mine.org" - session_duration = "24h" - skip_interstitial = true +# type = "self_hosted" +# name = "Home Network Access Application" +# domain = "home.tips-of-mine.org" +# session_duration = "24h" +# skip_interstitial = true # tags = ["engineers"] - tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name] +# tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name] +# +# depends_on = [ +# cloudflare_zero_trust_access_tag.tags +# ] +#} - depends_on = [ - cloudflare_zero_trust_access_tag.tags - ] -} +#data "cloudflare_zero_trust_access_application" "zero_trust_access_application" { +# account_id = local.cloudflare_account_id -data "cloudflare_zero_trust_access_application" "zero_trust_access_application" { - account_id = local.cloudflare_account_id - - app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id -} +# app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id +#} #====================================================== # INFRASTRUCTURE APP: MySQL Database (Infrastructure) #====================================================== # Creating the Target -resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { +# account_id = local.cloudflare_account_id - hostname = var.cloudflare_target_ssh_name - ip = { - ipv4 = { - ip_addr = var.gcp_vm_internal_ip - } - } -} +# 
hostname = var.cloudflare_target_ssh_name +# ip = { +# ipv4 = { +# ip_addr = var.gcp_vm_internal_ip +# } +# } +#} # Creating the infrastructure Application -resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" { +# account_id = local.cloudflare_account_id - type = "infrastructure" - name = var.cloudflare_infra_app_name - logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" - tags = ["engineers"] - custom_deny_url = "https://denied.tips-of-mine.org/" - custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" +# type = "infrastructure" +# name = var.cloudflare_infra_app_name +# logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" +# tags = ["engineers"] +# custom_deny_url = "https://denied.tips-of-mine.org/" +# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" - target_criteria = [{ - port = "22", - protocol = "SSH" - target_attributes = { - hostname = [var.cloudflare_target_ssh_name] - }, - }] +# target_criteria = [{ +# port = "22", +# protocol = "SSH" +# target_attributes = { +# hostname = [var.cloudflare_target_ssh_name] +# }, +# }] - policies = [{ - name = "SSH GCP Infrastructure Policy" - decision = "allow" +# policies = [{ +# name = "SSH GCP Infrastructure Policy" +# decision = "allow" - allowed_idps = [var.cloudflare_okta_identity_provider_id] - auto_redirect_to_identity = true - allow_authenticate_via_warp = false +# allowed_idps = [var.cloudflare_okta_identity_provider_id] +# auto_redirect_to_identity = true +# allow_authenticate_via_warp = false - include = [ - { - saml = { - identity_provider_id = var.cloudflare_okta_identity_provider_id - attribute_name = "groups" - attribute_value = var.okta_infra_admin_saml_group_name - } - }, - { - saml = { - identity_provider_id = 
var.cloudflare_okta_identity_provider_id - attribute_name = "groups" - attribute_value = var.okta_contractors_saml_group_name - } - }, - { - email_domain = { - domain = var.cloudflare_email_domain - } - } - ] - require = [ - { - device_posture = { - integration_uid = var.cloudflare_gateway_posture_id - } - }, - { - auth_method = { - auth_method = "mfa" - } - } - ] - exclude = [ - { - auth_method = { - auth_method = "sms" - } - } - ] - connection_rules = { - ssh = { - allow_email_alias = true - usernames = [] # None - } - } - }] -} +# include = [ +# { +# saml = { +# identity_provider_id = var.cloudflare_okta_identity_provider_id +# attribute_name = "groups" +# attribute_value = var.okta_infra_admin_saml_group_name +# } +# }, +# { +# saml = { +# identity_provider_id = var.cloudflare_okta_identity_provider_id +# attribute_name = "groups" +# attribute_value = var.okta_contractors_saml_group_name +# } +# }, +# { +# email_domain = { +# domain = var.cloudflare_email_domain +# } +# } +# ] +# require = [ +# { +# device_posture = { +# integration_uid = var.cloudflare_gateway_posture_id +# } +# }, +# { +# auth_method = { +# auth_method = "mfa" +# } +# } +# ] +# exclude = [ +# { +# auth_method = { +# auth_method = "sms" +# } +# } +# ] +# connection_rules = { +# ssh = { +# allow_email_alias = true +# usernames = [] # None +# } +# } +# }] +#} #====================================================== # SELF-HOSTED APP: DB Server #====================================================== # Creating the Self-hosted Application for Browser rendering SSH -resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" { +# account_id = local.cloudflare_account_id - type = "ssh" - name = var.cloudflare_browser_ssh_app_name - app_launcher_visible = true - logo_url = 
"https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png" - tags = ["engineers"] - session_duration = "0s" - custom_deny_url = "https://denied.tips-of-mine.org/" - custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" +# type = "ssh" +# name = var.cloudflare_browser_ssh_app_name +# app_launcher_visible = true +# logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png" +# tags = ["engineers"] +# session_duration = "0s" +# custom_deny_url = "https://denied.tips-of-mine.org/" +# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" - destinations = [{ - type = "public" - uri = var.cloudflare_subdomain_ssh - }] +# destinations = [{ +# type = "public" +# uri = var.cloudflare_subdomain_ssh +# }] - allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] - auto_redirect_to_identity = false - allow_authenticate_via_warp = false +# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] +# auto_redirect_to_identity = false +# allow_authenticate_via_warp = false - policies = [ - { - id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id - }, - { - id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id - } - ] -} +# policies = [ +# { +# id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id +# }, +# { +# id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id +# } +# ] +#} #====================================================== # SELF-HOSTED APP: PostgresDB Admin #====================================================== + # Creating the Self-hosted Application for Browser rendering VNC +#resource "cloudflare_zero_trust_access_application" 
"cloudflare_app_vnc_browser" { +# account_id = local.cloudflare_account_id -resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" { - account_id = local.cloudflare_account_id +# type = "vnc" +# name = var.cloudflare_browser_vnc_app_name +# app_launcher_visible = true +# logo_url = "https://blog.zwindler.fr/2015/07/vnc.png" +# tags = ["engineers"] +# session_duration = "0s" +# custom_deny_url = "https://denied.tips-of-mine.org/" +# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" - type = "vnc" - name = var.cloudflare_browser_vnc_app_name - app_launcher_visible = true - logo_url = "https://blog.zwindler.fr/2015/07/vnc.png" - tags = ["engineers"] - session_duration = "0s" - custom_deny_url = "https://denied.tips-of-mine.org/" - custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" +# destinations = [{ +# type = "public" +# uri = var.cloudflare_subdomain_vnc +# }] - destinations = [{ - type = "public" - uri = var.cloudflare_subdomain_vnc - }] +# allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] +# auto_redirect_to_identity = false +# allow_authenticate_via_warp = false - allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] - auto_redirect_to_identity = false - allow_authenticate_via_warp = false - - policies = [{ - id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id - }] -} +# policies = [{ +# id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id +# }] +#} #====================================================== # SELF-HOSTED APP: Competition App #====================================================== + # Creating the Self-hosted Application for Competition web application -resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_application" 
"cloudflare_app_web_competition" { +# account_id = local.cloudflare_account_id - type = "self_hosted" - name = var.cloudflare_sensitive_web_app_name - app_launcher_visible = true - logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" - tags = ["engineers"] - session_duration = "0s" - custom_deny_url = "https://denied.tips-of-mine.org/" - custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" +# type = "self_hosted" +# name = var.cloudflare_sensitive_web_app_name +# app_launcher_visible = true +# logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" +# tags = ["engineers"] +# session_duration = "0s" +# custom_deny_url = "https://denied.tips-of-mine.org/" +# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" - destinations = [{ - type = "public" - uri = var.cloudflare_subdomain_web_sensitive - }] +# destinations = [{ +# type = "public" +# uri = var.cloudflare_subdomain_web_sensitive +# }] - allowed_idps = [var.cloudflare_okta_identity_provider_id] - auto_redirect_to_identity = true - allow_authenticate_via_warp = false +# allowed_idps = [var.cloudflare_okta_identity_provider_id] +# auto_redirect_to_identity = true +# allow_authenticate_via_warp = false - policies = [{ - id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id - }] -} +# policies = [{ +# id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id +# }] +#} #====================================================== # SELF-HOSTED APP: Macharpe Intranet #====================================================== + # Creating the Self-hosted Application for Administration web application -resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" { +# account_id = local.cloudflare_account_id - type = "self_hosted" - name = var.cloudflare_intranet_web_app_name - 
app_launcher_visible = true - logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" - tags = ["engineers"] - session_duration = "0s" - custom_deny_url = "https://denied.tips-of-mine.org/" - custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" +# type = "self_hosted" +# name = var.cloudflare_intranet_web_app_name +# app_launcher_visible = true +# logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" +# tags = ["engineers"] +# session_duration = "0s" +# custom_deny_url = "https://denied.tips-of-mine.org/" +# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" - destinations = [{ - type = "public" - uri = var.cloudflare_subdomain_web - }] +# destinations = [{ +# type = "public" +# uri = var.cloudflare_subdomain_web +# }] - allowed_idps = [var.cloudflare_okta_identity_provider_id] - auto_redirect_to_identity = true - allow_authenticate_via_warp = false +# allowed_idps = [var.cloudflare_okta_identity_provider_id] +# auto_redirect_to_identity = true +# allow_authenticate_via_warp = false - policies = [{ - id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id - }] -} +# policies = [{ +# id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id +# }] +#} #====================================================== # SELF-HOSTED APP: Domain Controller #====================================================== -# Creating the Target -resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" { - account_id = local.cloudflare_account_id - hostname = var.cloudflare_target_rdp_name - ip = { - ipv4 = { - ip_addr = var.gcp_windows_vm_internal_ip - } - } -} +# Creating the Target +#resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" { +# account_id = local.cloudflare_account_id + +# hostname = var.cloudflare_target_rdp_name +# ip = { +# 
ipv4 = { +# ip_addr = var.gcp_windows_vm_internal_ip +# } +# } +#} # Domain Controller Browser-Rendered RDP Application -resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" { - account_id = local.cloudflare_account_id +#resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" { +# account_id = local.cloudflare_account_id - type = "rdp" - name = var.cloudflare_browser_rdp_app_name - app_launcher_visible = true - logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" - tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name] - session_duration = "0s" - custom_deny_url = "https://denied.tips-of-mine.org/" - custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" +# type = "rdp" +# name = var.cloudflare_browser_rdp_app_name +# app_launcher_visible = true +# logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" +# tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name] +# session_duration = "0s" +# custom_deny_url = "https://denied.tips-of-mine.org/" +# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" # Public hostname for browser rendering - domain = var.cloudflare_subdomain_rdp +# domain = var.cloudflare_subdomain_rdp # Target criteria - references the existing gcp_rdp_target - target_criteria = [{ - port = 3389 - protocol = "RDP" - target_attributes = { - hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller" - } - }] +# target_criteria = [{ +# port = 3389 +# protocol = "RDP" +# target_attributes = { +# hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller" +# } +# }] # Identity provider settings - allowed_idps = [var.cloudflare_okta_identity_provider_id] - auto_redirect_to_identity = true - enable_binding_cookie = false - http_only_cookie_attribute = false - options_preflight_bypass = false +# allowed_idps = [var.cloudflare_okta_identity_provider_id] +# 
auto_redirect_to_identity = true +# enable_binding_cookie = false +# http_only_cookie_attribute = false +# options_preflight_bypass = false # Reference the policy from cloudflare-app-policies.tf - policies = [{ - id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id - }] +# policies = [{ +# id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id +# }] # Depends on the existing target - depends_on = [ - cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target - ] -} \ No newline at end of file +# depends_on = [ +# cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target +# ] +#} \ No newline at end of file
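Review bot: The hunk keeps all 225 removed lines in Access_Controls-Applications.tf as `#`-prefixed copies of the definitions that now live in the five new files, so the file becomes roughly 300 lines of commented-out resources with no live configuration, and the next edit to, say, the RDP cookie settings has to be made in one place while the copy silently goes stale. Since Terraform resource addresses do not include the file name, moving the blocks between files needs no `moved` block and no state change, so the old copies add nothing; delete the commented bodies and leave only the header with a pointer to the new files, or delete the file. If the copies are meant as a rollback aid, git history already provides that. The file also still ends without a trailing newline.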