Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

splitting the "applications" file
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 4m24s
Details

Browse Source
This commit is contained in:
Hubert Cornet
2025-11-24 11:41:47 +01:00
parent 02a5e354f0
commit fb698c693b
6 changed files with 549 additions and 225 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
Access_Controls-Applications-Infrastructure.tf Normal file
View File

@@ -0,0 +1,95 @@
# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================
#======================================================
# INFRASTRUCTURE APP: MySQL Database (Infrastructure)
#======================================================
# Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
account_id = local.cloudflare_account_id
hostname = var.cloudflare_target_ssh_name
ip = {
ipv4 = {
ip_addr = var.gcp_vm_internal_ip
}
}
}
# Creating the infrastructure Application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
account_id = local.cloudflare_account_id
type = "infrastructure"
name = var.cloudflare_infra_app_name
logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
tags = ["engineers"]
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
target_criteria = [{
port = "22",
protocol = "SSH"
target_attributes = {
hostname = [var.cloudflare_target_ssh_name]
},
}]
policies = [{
name = "SSH GCP Infrastructure Policy"
decision = "allow"
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
allow_authenticate_via_warp = false
include = [
{
saml = {
identity_provider_id = var.cloudflare_okta_identity_provider_id
attribute_name = "groups"
attribute_value = var.okta_infra_admin_saml_group_name
}
},
{
saml = {
identity_provider_id = var.cloudflare_okta_identity_provider_id
attribute_name = "groups"
attribute_value = var.okta_contractors_saml_group_name
}
},
{
email_domain = {
domain = var.cloudflare_email_domain
}
}
]
require = [
{
device_posture = {
integration_uid = var.cloudflare_gateway_posture_id
}
},
{
auth_method = {
auth_method = "mfa"
}
}
]
exclude = [
{
auth_method = {
auth_method = "sms"
}
}
]
connection_rules = {
ssh = {
allow_email_alias = true
usernames = [] # None
}
}
}]
}

62
Access_Controls-Applications-rdp.tf Normal file
View File

@@ -0,0 +1,62 @@
# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================
#======================================================
# SELF-HOSTED APP: Domain Controller
#======================================================
# Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
account_id = local.cloudflare_account_id
hostname = var.cloudflare_target_rdp_name
ip = {
ipv4 = {
ip_addr = var.gcp_windows_vm_internal_ip
}
}
}
# Domain Controller Browser-Rendered RDP Application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
account_id = local.cloudflare_account_id
type = "rdp"
name = var.cloudflare_browser_rdp_app_name
app_launcher_visible = true
logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
# Public hostname for browser rendering
domain = var.cloudflare_subdomain_rdp
# Target criteria - references the existing gcp_rdp_target
target_criteria = [{
port = 3389
protocol = "RDP"
target_attributes = {
hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
}
}]
# Identity provider settings
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
enable_binding_cookie = false
http_only_cookie_attribute = false
options_preflight_bypass = false
# Reference the policy from cloudflare-app-policies.tf
policies = [{
id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
}]
# Depends on the existing target
depends_on = [
cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
]
}

91
Access_Controls-Applications-self_hosted.tf Normal file
View File

@@ -0,0 +1,91 @@
# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================
#======================================================
# INFRASTRUCTURE Application: Test Home Network Access
#======================================================
resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
account_id = local.cloudflare_account_id
type = "self_hosted"
name = "Home Network Access Application"
domain = "home.tips-of-mine.org"
session_duration = "24h"
skip_interstitial = true
# tags = ["engineers"]
tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name]
depends_on = [
cloudflare_zero_trust_access_tag.tags
]
}
data "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
account_id = local.cloudflare_account_id
app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id
}
#======================================================
# SELF-HOSTED APP: Competition App
#======================================================
# Creating the Self-hosted Application for Competition web application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
account_id = local.cloudflare_account_id
type = "self_hosted"
name = var.cloudflare_sensitive_web_app_name
app_launcher_visible = true
logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{
type = "public"
uri = var.cloudflare_subdomain_web_sensitive
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
allow_authenticate_via_warp = false
policies = [{
id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
}]
}
#======================================================
# SELF-HOSTED APP: Macharpe Intranet
#======================================================
# Creating the Self-hosted Application for Administration web application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
account_id = local.cloudflare_account_id
type = "self_hosted"
name = var.cloudflare_intranet_web_app_name
app_launcher_visible = true
logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{
type = "public"
uri = var.cloudflare_subdomain_web
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true
allow_authenticate_via_warp = false
policies = [{
id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
}]
}

39
Access_Controls-Applications-ssh.tf Normal file
View File

@@ -0,0 +1,39 @@
# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================
#======================================================
# SELF-HOSTED APP: DB Server
#======================================================
# Creating the Self-hosted Application for Browser rendering SSH
resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
account_id = local.cloudflare_account_id
type = "ssh"
name = var.cloudflare_browser_ssh_app_name
app_launcher_visible = true
logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{
type = "public"
uri = var.cloudflare_subdomain_ssh
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
auto_redirect_to_identity = false
allow_authenticate_via_warp = false
policies = [
{
id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
},
{
id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
}
]
}

34
Access_Controls-Applications-vnc.tf Normal file
View File

@@ -0,0 +1,34 @@
# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================
#======================================================
# SELF-HOSTED APP: PostgresDB Admin
#======================================================
# Creating the Self-hosted Application for Browser rendering VNC
resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
account_id = local.cloudflare_account_id
type = "vnc"
name = var.cloudflare_browser_vnc_app_name
app_launcher_visible = true
logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{
type = "public"
uri = var.cloudflare_subdomain_vnc
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
auto_redirect_to_identity = false
allow_authenticate_via_warp = false
policies = [{
id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
}]
}

453
Access_Controls-Applications.tf
View File

@@ -6,301 +6,304 @@
# INFRASTRUCTURE Application: Test Home Network Access # INFRASTRUCTURE Application: Test Home Network Access
#====================================================== #======================================================
resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" { #resource "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
type = "self_hosted" # type = "self_hosted"
name = "Home Network Access Application" # name = "Home Network Access Application"
domain = "home.tips-of-mine.org" # domain = "home.tips-of-mine.org"
session_duration = "24h" # session_duration = "24h"
skip_interstitial = true # skip_interstitial = true
# tags = ["engineers"] # tags = ["engineers"]
tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name] # tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name]
#
# depends_on = [
# cloudflare_zero_trust_access_tag.tags
# ]
#}
depends_on = [ #data "cloudflare_zero_trust_access_application" "zero_trust_access_application" {
cloudflare_zero_trust_access_tag.tags # account_id = local.cloudflare_account_id
]
}
data "cloudflare_zero_trust_access_application" "zero_trust_access_application" { # app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id
account_id = local.cloudflare_account_id #}
app_id = cloudflare_zero_trust_access_application.zero_trust_access_application.id
}
#====================================================== #======================================================
# INFRASTRUCTURE APP: MySQL Database (Infrastructure) # INFRASTRUCTURE APP: MySQL Database (Infrastructure)
#====================================================== #======================================================
# Creating the Target # Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { #resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
hostname = var.cloudflare_target_ssh_name # hostname = var.cloudflare_target_ssh_name
ip = { # ip = {
ipv4 = { # ipv4 = {
ip_addr = var.gcp_vm_internal_ip # ip_addr = var.gcp_vm_internal_ip
} # }
} # }
} #}
# Creating the infrastructure Application # Creating the infrastructure Application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" { #resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
type = "infrastructure" # type = "infrastructure"
name = var.cloudflare_infra_app_name # name = var.cloudflare_infra_app_name
logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" # logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
tags = ["engineers"] # tags = ["engineers"]
custom_deny_url = "https://denied.tips-of-mine.org/" # custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" # custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
target_criteria = [{ # target_criteria = [{
port = "22", # port = "22",
protocol = "SSH" # protocol = "SSH"
target_attributes = { # target_attributes = {
hostname = [var.cloudflare_target_ssh_name] # hostname = [var.cloudflare_target_ssh_name]
}, # },
}] # }]
policies = [{ # policies = [{
name = "SSH GCP Infrastructure Policy" # name = "SSH GCP Infrastructure Policy"
decision = "allow" # decision = "allow"
allowed_idps = [var.cloudflare_okta_identity_provider_id] # allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true # auto_redirect_to_identity = true
allow_authenticate_via_warp = false # allow_authenticate_via_warp = false
include = [ # include = [
{ # {
saml = { # saml = {
identity_provider_id = var.cloudflare_okta_identity_provider_id # identity_provider_id = var.cloudflare_okta_identity_provider_id
attribute_name = "groups" # attribute_name = "groups"
attribute_value = var.okta_infra_admin_saml_group_name # attribute_value = var.okta_infra_admin_saml_group_name
} # }
}, # },
{ # {
saml = { # saml = {
identity_provider_id = var.cloudflare_okta_identity_provider_id # identity_provider_id = var.cloudflare_okta_identity_provider_id
attribute_name = "groups" # attribute_name = "groups"
attribute_value = var.okta_contractors_saml_group_name # attribute_value = var.okta_contractors_saml_group_name
} # }
}, # },
{ # {
email_domain = { # email_domain = {
domain = var.cloudflare_email_domain # domain = var.cloudflare_email_domain
} # }
} # }
] # ]
require = [ # require = [
{ # {
device_posture = { # device_posture = {
integration_uid = var.cloudflare_gateway_posture_id # integration_uid = var.cloudflare_gateway_posture_id
} # }
}, # },
{ # {
auth_method = { # auth_method = {
auth_method = "mfa" # auth_method = "mfa"
} # }
} # }
] # ]
exclude = [ # exclude = [
{ # {
auth_method = { # auth_method = {
auth_method = "sms" # auth_method = "sms"
} # }
} # }
] # ]
connection_rules = { # connection_rules = {
ssh = { # ssh = {
allow_email_alias = true # allow_email_alias = true
usernames = [] # None # usernames = [] # None
} # }
} # }
}] # }]
} #}
#====================================================== #======================================================
# SELF-HOSTED APP: DB Server # SELF-HOSTED APP: DB Server
#====================================================== #======================================================
# Creating the Self-hosted Application for Browser rendering SSH # Creating the Self-hosted Application for Browser rendering SSH
resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" { #resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
type = "ssh" # type = "ssh"
name = var.cloudflare_browser_ssh_app_name # name = var.cloudflare_browser_ssh_app_name
app_launcher_visible = true # app_launcher_visible = true
logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png" # logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
tags = ["engineers"] # tags = ["engineers"]
session_duration = "0s" # session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/" # custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" # custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{ # destinations = [{
type = "public" # type = "public"
uri = var.cloudflare_subdomain_ssh # uri = var.cloudflare_subdomain_ssh
}] # }]
allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] # allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
auto_redirect_to_identity = false # auto_redirect_to_identity = false
allow_authenticate_via_warp = false # allow_authenticate_via_warp = false
policies = [ # policies = [
{ # {
id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
}, # },
{ # {
id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id # id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
} # }
] # ]
} #}
#====================================================== #======================================================
# SELF-HOSTED APP: PostgresDB Admin # SELF-HOSTED APP: PostgresDB Admin
#====================================================== #======================================================
# Creating the Self-hosted Application for Browser rendering VNC # Creating the Self-hosted Application for Browser rendering VNC
#resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" {
# account_id = local.cloudflare_account_id
resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" { # type = "vnc"
account_id = local.cloudflare_account_id # name = var.cloudflare_browser_vnc_app_name
# app_launcher_visible = true
# logo_url = "https://blog.zwindler.fr/2015/07/vnc.png"
# tags = ["engineers"]
# session_duration = "0s"
# custom_deny_url = "https://denied.tips-of-mine.org/"
# custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
type = "vnc" # destinations = [{
name = var.cloudflare_browser_vnc_app_name # type = "public"
app_launcher_visible = true # uri = var.cloudflare_subdomain_vnc
logo_url = "https://blog.zwindler.fr/2015/07/vnc.png" # }]
tags = ["engineers"]
session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{ # allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id]
type = "public" # auto_redirect_to_identity = false
uri = var.cloudflare_subdomain_vnc # allow_authenticate_via_warp = false
}]
allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] # policies = [{
auto_redirect_to_identity = false # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
allow_authenticate_via_warp = false # }]
#}
policies = [{
id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
}]
}
#====================================================== #======================================================
# SELF-HOSTED APP: Competition App # SELF-HOSTED APP: Competition App
#====================================================== #======================================================
# Creating the Self-hosted Application for Competition web application # Creating the Self-hosted Application for Competition web application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" { #resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
type = "self_hosted" # type = "self_hosted"
name = var.cloudflare_sensitive_web_app_name # name = var.cloudflare_sensitive_web_app_name
app_launcher_visible = true # app_launcher_visible = true
logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" # logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg"
tags = ["engineers"] # tags = ["engineers"]
session_duration = "0s" # session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/" # custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" # custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{ # destinations = [{
type = "public" # type = "public"
uri = var.cloudflare_subdomain_web_sensitive # uri = var.cloudflare_subdomain_web_sensitive
}] # }]
allowed_idps = [var.cloudflare_okta_identity_provider_id] # allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true # auto_redirect_to_identity = true
allow_authenticate_via_warp = false # allow_authenticate_via_warp = false
policies = [{ # policies = [{
id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id # id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id
}] # }]
} #}
#====================================================== #======================================================
# SELF-HOSTED APP: Macharpe Intranet # SELF-HOSTED APP: Macharpe Intranet
#====================================================== #======================================================
# Creating the Self-hosted Application for Administration web application # Creating the Self-hosted Application for Administration web application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" { #resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
type = "self_hosted" # type = "self_hosted"
name = var.cloudflare_intranet_web_app_name # name = var.cloudflare_intranet_web_app_name
app_launcher_visible = true # app_launcher_visible = true
logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" # logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg"
tags = ["engineers"] # tags = ["engineers"]
session_duration = "0s" # session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/" # custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" # custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
destinations = [{ # destinations = [{
type = "public" # type = "public"
uri = var.cloudflare_subdomain_web # uri = var.cloudflare_subdomain_web
}] # }]
allowed_idps = [var.cloudflare_okta_identity_provider_id] # allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true # auto_redirect_to_identity = true
allow_authenticate_via_warp = false # allow_authenticate_via_warp = false
policies = [{ # policies = [{
id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id # id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id
}] # }]
} #}
#====================================================== #======================================================
# SELF-HOSTED APP: Domain Controller # SELF-HOSTED APP: Domain Controller
#====================================================== #======================================================
# Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
account_id = local.cloudflare_account_id
hostname = var.cloudflare_target_rdp_name # Creating the Target
ip = { #resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" {
ipv4 = { # account_id = local.cloudflare_account_id
ip_addr = var.gcp_windows_vm_internal_ip
} # hostname = var.cloudflare_target_rdp_name
} # ip = {
} # ipv4 = {
# ip_addr = var.gcp_windows_vm_internal_ip
# }
# }
#}
# Domain Controller Browser-Rendered RDP Application # Domain Controller Browser-Rendered RDP Application
resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" { #resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" {
account_id = local.cloudflare_account_id # account_id = local.cloudflare_account_id
type = "rdp" # type = "rdp"
name = var.cloudflare_browser_rdp_app_name # name = var.cloudflare_browser_rdp_app_name
app_launcher_visible = true # app_launcher_visible = true
logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" # logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png"
tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name] # tags = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
session_duration = "0s" # session_duration = "0s"
custom_deny_url = "https://denied.tips-of-mine.org/" # custom_deny_url = "https://denied.tips-of-mine.org/"
custom_non_identity_deny_url = "https://denied.tips-of-mine.org/" # custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"
# Public hostname for browser rendering # Public hostname for browser rendering
domain = var.cloudflare_subdomain_rdp # domain = var.cloudflare_subdomain_rdp
# Target criteria - references the existing gcp_rdp_target # Target criteria - references the existing gcp_rdp_target
target_criteria = [{ # target_criteria = [{
port = 3389 # port = 3389
protocol = "RDP" # protocol = "RDP"
target_attributes = { # target_attributes = {
hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller" # hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller"
} # }
}] # }]
# Identity provider settings # Identity provider settings
allowed_idps = [var.cloudflare_okta_identity_provider_id] # allowed_idps = [var.cloudflare_okta_identity_provider_id]
auto_redirect_to_identity = true # auto_redirect_to_identity = true
enable_binding_cookie = false # enable_binding_cookie = false
http_only_cookie_attribute = false # http_only_cookie_attribute = false
options_preflight_bypass = false # options_preflight_bypass = false
# Reference the policy from cloudflare-app-policies.tf # Reference the policy from cloudflare-app-policies.tf
policies = [{ # policies = [{
id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id # id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id
}] # }]
# Depends on the existing target # Depends on the existing target
depends_on = [ # depends_on = [
cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target # cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target
] # ]
} #}