# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================

#======================================================
# SELF-HOSTED APP: DB Server
#======================================================

# Creating the Self-hosted Application for Browser rendering SSH
resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_browser" {
  account_id                   = local.cloudflare_account_id

  type                         = "ssh"
  name                         = var.cloudflare_aws_browser_ssh_app_name
  app_launcher_visible         = true
  logo_url                     = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png"
  tags                         = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
  session_duration             = "0s"
  custom_deny_url              = "https://denied.tips-of-mine.org/"
  custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"

  destinations = [{
    type = "public"
    uri  = var.cloudflare_subdomain_ssh
  }]

  allowed_idps                = [
    cloudflare_zero_trust_access_identity_provider.gmail.id,
    cloudflare_zero_trust_access_identity_provider.authentik_oidc.id,
  ]
  auto_redirect_to_identity   = false
  allow_authenticate_via_warp = false

  policies = [
    {
      id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id
    },
    {
      id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id
    }
  ]
}