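# =============================================================================
# TERRAFORM CONFIGURATION - NO SECRETS
# =============================================================================
# This is a variable definition file (.tfvars): literal values only, no
# expressions or resource references. Secrets are managed in Vault; the
# vault_token is supplied by CI/CD through an environment variable and is
# deliberately absent from this file.

# Vault configuration
vault_url             = "https://vault.tips-of-mine.com"
vault_cloudflare_path = "secret/cloudflare"

# Cloudflare configuration
# NOTE(review): the zone is .org while the Vault host is .com — confirm intended.
cloudflare_zone = "tips-of-mine.org"

# =============================================================================
# TUNNEL INFORMATION
# =============================================================================
tunnel_name            = "Tips-Of-Mine-sldokp02"
tunnel_network         = "10.0.2.0/24"
tunnel_network_comment = "Example comment for this route sldokp02."

# DNS configuration
# ttl = 1 is Cloudflare's "automatic" TTL, the value used for proxied records.
dns_ttl     = 1
dns_proxied = true

# Advanced options
tunnel_warp_routing_enabled = false

# =============================================================================
# APPLICATIONS
# =============================================================================
# Each entry publishes <subdomain>.<cloudflare_zone> through the tunnel.
# access_enabled = false means no Cloudflare Access policy sits in front of
# the origin: anyone who reaches the hostname talks to the application, so
# authentication rests entirely on the application itself.
applications = {
  # Application 1: plain HTTP service
  "http-app" = {
    subdomain  = "http-app"
    origin_url = "https://10.0.4.133"
    # Origin certificate verification is disabled: cloudflared accepts any
    # certificate presented by 10.0.4.133. Only acceptable for a self-signed
    # origin on a trusted segment; prefer a certificate cloudflared can verify
    # and set this back to false.
    no_tls_verify  = true
    access_enabled = false
  }

  # Application 2: service with Access enabled
  "secure-app" = {
    subdomain  = "secure"
    origin_url = "http://10.0.4.134:8080"
    # Origin is plain http://, so no_tls_verify has no effect here and the
    # cloudflared -> origin hop is unencrypted.
    no_tls_verify    = false
    access_enabled   = true
    access_team_name = "tips-of-mine"
    access_aud_tags  = ["secure-app-tag"]
  }

  # Application 3: other service
  "homeassistant" = {
    subdomain  = "home"
    origin_url = "http://10.0.4.135:8123"
    no_tls_verify  = false
    # Exposed through the tunnel without an Access policy; see note above.
    access_enabled = false
  }
}

# =============================================================================
# GROUPS AND ACCESS POLICIES (not valid in this file — see below)
# =============================================================================
# The block below was pasted from a `locals { ... }` block. It references
# managed resources (cloudflare_zero_trust_access_group.*.id), which a
# variable definition file cannot express, and its trailing `}` left this
# file unparseable. It is kept here commented out so nothing is lost; it
# belongs in a locals block in a .tf file.
#
# locals {
#   # Group mapping for policies (supports both SAML and composite groups)
#   policy_groups = {
#     # Composite groups
#     employees   = cloudflare_zero_trust_access_group.employees_rule_group.id
#     sales_team  = cloudflare_zero_trust_access_group.sales_team_rule_group.id
#     admins      = cloudflare_zero_trust_access_group.admins_rule_group.id
#     contractors = cloudflare_zero_trust_access_group.contractors_rule_group.id
#
#     # Individual SAML groups
#     infrastructure_admin = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id
#     sales_engineering    = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id
#     sales                = cloudflare_zero_trust_access_group.saml_groups["sales"].id
#     it_admin             = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id
#   }
#
#   # Common access policy configurations
#   access_policies = {
#     intranet_web_app = {
#       name                  = "Intranet App Policy"
#       include_groups        = ["employees", "contractors"]
#       require_posture       = true
#       require_mfa           = false
#       purpose_justification = false
#     }
#
#     competition_web_app = {
#       name            = "Competition App Policy"
#       include_groups  = ["sales_team"]
#       require_posture = true
#       require_mfa     = true
#       # IMPORTANT: Comment out the next 3 lines if you haven't deployed the "Training Compliance Gateway"
#       # Otherwise the Competition App won't work or show up in App Launcher
#       # Repository: https://github.com/macharpe/cloudflare-access-training-evaluator
#       require_external_evaluation  = true
#       external_evaluation_url      = "https://training-status.macharpe.com"
#       external_evaluation_keys_url = "https://training-status.macharpe.com/keys"
#       purpose_justification        = true
#       purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
#       lifecycle_create_before_destroy = true
#     }
#
#     employees_browser_rendering = {
#       name                         = "Employees AWS Database Policy"
#       include_groups               = ["infrastructure_admin"]
#       require_posture              = true
#       require_mfa                  = false
#       purpose_justification        = true
#       purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
#       require_login_method         = true
#     }
#
#     contractors_browser_rendering = {
#       name                         = "Contractors AWS Database Policy"
#       include_groups               = ["contractors"]
#       require_posture              = true
#       require_mfa                  = false
#       require_country              = true
#       purpose_justification        = true
#       purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
#     }
#
#     aws = {
#       name            = "AWS Cloud Policy"
#       include_groups  = ["sales_engineering"]
#       require_posture = true
#       require_mfa     = true
#     }
#
#     okta = {
#       name            = "Okta Cloud Policy"
#       include_groups  = ["it_admin"]
#       require_posture = true
#       require_mfa     = true
#     }
#
#     meraki = {
#       name            = "Meraki Cloud Policy"
#       include_groups  = ["it_admin"]
#       require_posture = true
#       require_mfa     = true
#     }
#
#     domain_controller = {
#       name                         = "Domain Controller Policy"
#       include_groups               = ["it_admin", "contractors"]
#       require_posture              = true
#       require_mfa                  = true
#       require_country              = true
#       purpose_justification        = true
#       purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
#     }
#   }
# }

# =============================================================================
# Tags
# =============================================================================
# cloudflare_access_tags = [
#   "engineers",
#   "developers",
#   "qa",
#   "devops"
# ]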