# -----------------------------------------------------------------------------
# Terraform variable values (tfvars) - intended to contain NO secrets.
# Secrets are managed through Vault; vault_token is supplied by CI/CD as an
# environment variable and is deliberately absent from this file.
# -----------------------------------------------------------------------------

# Vault
vault_url             = "https://vault.tips-of-mine.com"
vault_cloudflare_path = "secret/cloudflare"
vault_authentik_path  = "secret/authentik"

# Cloudflare zone
cloudflare_zone = "tips-of-mine.org"

# -----------------------------------------------------------------------------
# Tunnel
# -----------------------------------------------------------------------------
tunnel_name             = "Tips-Of-Mine-sldokp02"
tunnel_network          = "10.0.2.0/24"
tunnel_network_comment  = "Example comment for this route sldokp02."

# DNS
# NOTE(review): dns_ttl = 1 is only meaningful with dns_proxied = true
# (Cloudflare "automatic" TTL for proxied records); keep the two in sync.
dns_ttl     = 1
dns_proxied = true

# Advanced options
tunnel_warp_routing_enabled = false

# -----------------------------------------------------------------------------
# Applications published through the tunnel
# -----------------------------------------------------------------------------
applications = {
  # Application 1: plain HTTP service.
  # NOTE(review): no_tls_verify = true disables certificate validation towards
  # the origin, so the cloudflared -> origin hop is not authenticated. Prefer a
  # trusted certificate on the origin and set this back to false.
  "http-app" = {
    subdomain      = "http-app"
    origin_url     = "https://10.0.4.133"
    no_tls_verify  = true
    access_enabled = false
  }

  # Application 2: service protected by Cloudflare Access.
  "secure-app" = {
    subdomain        = "secure"
    origin_url       = "http://10.0.4.134:8080"
    no_tls_verify    = false
    access_enabled   = true
    access_team_name = "tips-of-mine"
    access_aud_tags  = ["secure-app-tag"]
  }

  # Application 3: another service (no Access policy in front of it).
  "homeassistant" = {
    subdomain      = "home"
    origin_url     = "http://10.0.4.135:8123"
    no_tls_verify  = false
    access_enabled = false
  }
}

# -----------------------------------------------------------------------------
# Groups - none defined in this file.
# -----------------------------------------------------------------------------

# -----------------------------------------------------------------------------
# Tags
# -----------------------------------------------------------------------------
cloudflare_access_tags = [
  "engineers",
  "developers",
  "qa",
  "devops",
]

# -----------------------------------------------------------------------------
# Cloudflare variables
# -----------------------------------------------------------------------------
cloudflare_team_name        = "tips-of-mine"
cloudflare_email_domain     = "tips-of-mine.org"
cloudflare_authentik_domain = "tips-of-mine.com"

# Tunnels
cloudflare_tunnel_name_gcp             = "test-gcp-tunnel"
cloudflare_windows_rdp_tunnel_name_gcp = "Tunnel GCP (Windows RDP)"
# Previously used names, kept for reference:
# cloudflare_tunnel_name_gcp         = "Tunnel GCP (Access For Infrastructure)"
# cloudflare_tunnel_name_aws         = "Tunnel AWS (SSH Browser Rendered)"
# cloudflare_tunnel_name_azure       = "Tunnel Azure (SSH Browser Rendered)"
# cloudflare_tunnel_name_ovh         = "Tunnel OVH (SSH Browser Rendered)"
# cloudflare_windows_rdp_tunnel_name = "Tunnel GCP (Windows RDP)"

# WARP Connector tunnel IDs - retrieved manually from the Cloudflare dashboard.
# Values are redacted here; supply them out of band.
# cloudflare_warp_tunnel_azure_id = "185f0bc0-986d-********"
# cloudflare_warp_tunnel_gcp_id   = "ad04a3ed-a1a1-********"

# Subdomains
cloudflare_subdomain_ssh             = "ssh-database.tips-of-mine.org"
cloudflare_subdomain_vnc             = "vnc.tips-of-mine.org"
cloudflare_subdomain_web             = "intranet.tips-of-mine.org"
cloudflare_subdomain_rdp             = "rdp.tips-of-mine.org"
cloudflare_subdomain_web_sensitive   = "competition.tips-of-mine.org"
cloudflare_subdomain_training_status = "training-status.tips-of-mine.org"

# Targets
cloudflare_target_ssh_name = "GCP-database"
cloudflare_target_rdp_name = "Domain-Controller"

# AWS applications
cloudflare_aws_browser_ssh_app_name = "AWS : Browser SSH database"
cloudflare_aws_browser_vnc_app_name = "AWS : Browser VNC database"
cloudflare_aws_infra_app_name       = "AWS : Infrastructure SSH database"
cloudflare_aws_browser_rdp_app_name = "AWS : Browser RDP windows"
cloudflare_sensitive_web_app_name   = "Competition App"
cloudflare_intranet_web_app_name    = "Intranet"

# GCP applications
cloudflare_gcp_browser_ssh_app_name = "GCP : Browser SSH database"
cloudflare_gcp_browser_vnc_app_name = "GCP : Browser VNC database"
cloudflare_gcp_infra_app_name       = "GCP : Infrastructure SSH database"
cloudflare_gcp_browser_rdp_app_name = "GCP : Browser RDP windows"

# Application ports
cloudflare_competition_app_port       = 8080
cloudflare_intranet_app_port          = 8181
cloudflare_domain_controller_rdp_port = 3389

# Identity providers - IDs retrieved manually from the Cloudflare dashboard.
cloudflare_okta_identity_provider_id  = "2af2b24b-f850-4e04-95f6-04a651c71f7a"
cloudflare_otp_identity_provider_id   = "0f818053-eafb-458f-90c2-0ff2d4b5d69c"
cloudflare_azure_identity_provider_id = "8c593fe8-aee3-4075-33333333"
cloudflare_azure_admin_rule_group_id  = "5f253130-a400-4215-44444444"

# Device posture - IDs retrieved manually from the Cloudflare dashboard.
cloudflare_gateway_posture_id = "4d8d7499-38c3-4bf0-55555555"
cloudflare_macos_posture_id   = "6d64ff80-1308-4462-66666666"
cloudflare_ios_posture_id     = "56454654-1245-8564-77777777"
cloudflare_windows_posture_id = "67b05735-3b9b-4bcc-88888888"
cloudflare_linux_posture_id   = "ed5639c7-3305-4a91-9999999"
cloudflare_device_os          = "mac" # one of "linux", "windows", "mac"

# WARP connector tunnel IDs - not set from this file.
# cloudflare_tunnel_warp_connector_azure_id = ""
# cloudflare_tunnel_warp_connector_gcp_id   = ""
# (tfvars cannot hold expressions; these references belong in a .tf file)
# cloudflare_tunnel_warp_connector_azure_id = cloudflare_zero_trust_tunnel_cloudflared_token.azure_tunnel_token.tunnel_token_id
# cloudflare_tunnel_warp_connector_gcp_id   = cloudflare_zero_trust_tunnel_cloudflared_token.gcp_tunnel_token.tunnel_token_id

# WARP CGNAT routes
cloudflare_custom_cgnat_routes = [
  {
    address     = "100.64.0.0/11"
    description = "WARP Connector CGNAT 1"
  },
  {
    address     = "100.112.0.0/12"
    description = "WARP Connector CGNAT 2"
  },
]

cloudflare_default_cgnat_routes = [
  {
    address     = "100.64.0.0/10"
    description = "Default CGNAT Range"
  },
]

cloudflare_warp_cgnat_cidr = "100.96.0.0/12"

# -----------------------------------------------------------------------------
# Okta
# -----------------------------------------------------------------------------
# SAML group IDs: unused variables removed.

# SAML group names
okta_sales_eng_saml_group_name   = "SalesEngineering"
okta_itadmin_saml_group_name     = "ITAdmin"
okta_sales_saml_group_name       = "Sales"
okta_contractors_saml_group_name = "Contractors"
okta_infra_admin_saml_group_name = "InfrastructureAdmin"

# User IDs: unused variables removed.

# User logins (redacted)
okta_bob_user_login      = "********3@passfwd.com"
okta_matthieu_user_login = "********"

# NOTE(review): a plaintext credential in a file whose header promises
# "no secrets". Per the stated design, move it to Vault or inject it from
# CI/CD (e.g. a TF_VAR_okta_bob_user_linux_password environment variable)
# and drop the value from version control; rotate it once it has been
# committed.
okta_bob_user_linux_password = "bob"

# -----------------------------------------------------------------------------
# AWS
# -----------------------------------------------------------------------------
# Networking
# Previous layout:
# aws_vpc_cidr     = "10.10.0.0/20"
# aws_private_cidr = "10.10.15.0/24"
# aws_public_cidr  = "10.10.20.0/24"
aws_vpc_cidr         = "10.10.0.0/20"
aws_public_cidr      = "10.10.0.0/24"
aws_private_cidr     = "10.10.1.0/24"
aws_infra_cidr       = "10.10.10.0/24"
aws_warp_cidr        = "10.10.15.0/24"
# NOTE(review): 10.10.20.0/24 lies outside aws_vpc_cidr (10.10.0.0/20 spans
# 10.10.0.0-10.10.15.255). If this is meant to be a subnet of that VPC, one
# of the two ranges needs adjusting - confirm with the network module.
aws_windows_rdp_cidr = "10.10.20.0/24"

# -----------------------------------------------------------------------------
# GCP
# -----------------------------------------------------------------------------
# Networking
# Previous layout:
# gcp_vpc_cidr         = "10.13.0.0/20"
# gcp_infra_cidr       = "10.11.10.0/24"
# gcp_warp_cidr        = "10.11.15.0/24"
# gcp_windows_rdp_cidr = "10.11.20.0/24"
gcp_vpc_cidr               = "10.13.0.0/20"
gcp_public_cidr            = "10.13.0.0/24"
gcp_private_cidr           = "10.13.1.0/24"
gcp_infra_cidr             = "10.13.10.0/24"
gcp_warp_cidr              = "10.13.15.0/24"
# NOTE(review): 10.13.20.0/24 (and gcp_windows_vm_internal_ip below) lies
# outside gcp_vpc_cidr 10.13.0.0/20 (10.13.0.0-10.13.15.255) - confirm intent.
gcp_windows_rdp_cidr       = "10.13.20.0/24"
gcp_vm_internal_ip         = "10.13.1.10"
gcp_windows_vm_internal_ip = "10.13.20.10"

# -----------------------------------------------------------------------------
# Azure
# -----------------------------------------------------------------------------
# Networking
# Previous layout:
# azure_vnet_cidr         = "192.12.15.0/16"
# azure_public_dns_domain = "westeurope.cloudapp.azure.com"
# NOTE(review): azure_subnet_cidr 10.14.25.0/24 and azure_windows_rdp_cidr
# 10.14.20.0/24 both lie outside azure_vnet_cidr 10.14.0.0/20
# (10.14.0.0-10.14.15.255) - confirm intent.
azure_subnet_cidr       = "10.14.25.0/24"
azure_vnet_cidr         = "10.14.0.0/20"
azure_public_cidr       = "10.14.0.0/24"
azure_private_cidr      = "10.14.1.0/24"
azure_infra_cidr        = "10.14.10.0/24"
azure_warp_cidr         = "10.14.15.0/24"
azure_windows_rdp_cidr  = "10.14.20.0/24"
azure_public_dns_domain = "westeurope.cloudapp.azure.com"

# -----------------------------------------------------------------------------
# OVH
# -----------------------------------------------------------------------------
# Networking
# Previous layout:
# ovh_vpc_cidr         = "10.13.10.0/20"
# ovh_warp_cidr        = "10.13.15.0/24"
# ovh_windows_rdp_cidr = "10.13.20.0/24"
ovh_vpc_cidr         = "10.16.0.0/20"
ovh_public_cidr      = "10.16.0.0/24"
ovh_private_cidr     = "10.16.1.0/24"
ovh_infra_cidr       = "10.16.10.0/24"
ovh_warp_cidr        = "10.16.15.0/24"
# NOTE(review): 10.16.20.0/24 lies outside ovh_vpc_cidr 10.16.0.0/20
# (10.16.0.0-10.16.15.255) - confirm intent.
ovh_windows_rdp_cidr = "10.16.20.0/24"