# ============================================================================= # CLOUDFLARE : Access : Applications # ============================================================================= # resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" { account_id = local.cloudflare_account_id type = "self_hosted" name = "Home Network Access Application" domain = "home.tips-of-mine.org" session_duration = "24h" skip_interstitial = true # tags = ["engineers"] tags = [for tag in cloudflare_zero_trust_access_tag.tags : tag.name] depends_on = [ cloudflare_zero_trust_access_tag.tags ] } data "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" { account_id = local.cloudflare_account_id app_id = cloudflare_zero_trust_access_application.example_zero_trust_access_application.id } #====================================================== # INFRASTRUCTURE APP: MySQL Database (Infrastructure) #====================================================== # Creating the Target #resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { # account_id = local.cloudflare_account_id # hostname = var.cloudflare_target_ssh_name # hostname = "GCP-database" # ip = { # ipv4 = { # ip_addr = var.gcp_vm_internal_ip # ip_addr = "10.0.4.100" # } # } #} # Creating the infrastructure Application #resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" { # account_id = local.cloudflare_account_id # type = "infrastructure" # name = var.cloudflare_infra_app_name # name = "GCP Infrastructure SSH database" # logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" # tags = ["devops"] # custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" # custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # target_criteria = [{ # port = "22", # protocol = "SSH" # target_attributes = { # hostname = var.cloudflare_target_ssh_name # }, # }] # policies = [{ # name = "SSH GCP Infrastructure Policy" # decision = "allow" # allowed_idps = [var.cloudflare_okta_identity_provider_id] # auto_redirect_to_identity = true # allow_authenticate_via_warp = false # include = [ # { # saml = { # identity_provider_id = var.cloudflare_okta_identity_provider_id # attribute_name = "groups" # attribute_value = var.okta_infra_admin_saml_group_name # } # }, # { # saml = { # identity_provider_id = var.cloudflare_okta_identity_provider_id # attribute_name = "groups" # attribute_value = var.okta_contractors_saml_group_name # } # }, # { # email_domain = { # domain = "thedjinhn@gmail.com" # } # } # ] # require = [ # { # device_posture = { # integration_uid = var.cloudflare_gateway_posture_id # } # }, # { # auth_method = { # auth_method = "mfa" # } # } # ] # exclude = [ # { # auth_method = { # auth_method = "sms" # } # } # ] # connection_rules = { # ssh = { # allow_email_alias = true # usernames = [] # None # } # } # }] #} #====================================================== # SELF-HOSTED APP: DB Server #====================================================== # Creating the Self-hosted Application for Browser rendering SSH #resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" { # account_id = local.cloudflare_account_id # type = "ssh" # name = var.cloudflare_browser_ssh_app_name # name = "AWS Browser SSH database" # app_launcher_visible = true # logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png" # tags = ["devops"] # session_duration = "0s" # custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" # custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # destinations = [{ # type = "public" # uri = var.cloudflare_subdomain_ssh # }] # allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] # auto_redirect_to_identity = false # allow_authenticate_via_warp = false # policies = [ # { # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id # }, # { # id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id # } # ] #} #====================================================== # SELF-HOSTED APP: PostgresDB Admin #====================================================== # Creating the Self-hosted Application for Browser rendering VNC #resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" { # account_id = local.cloudflare_account_id # type = "vnc" # name = var.cloudflare_browser_vnc_app_name # name = "AWS Browser VNC database" # app_launcher_visible = true # logo_url = "https://blog.zwindler.fr/2015/07/vnc.png" # tags = ["devops"] # session_duration = "0s" # custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" # custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # destinations = [{ # type = "public" # uri = var.cloudflare_subdomain_vnc # }] # allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] # auto_redirect_to_identity = false # allow_authenticate_via_warp = false # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id # }] #} #====================================================== # SELF-HOSTED APP: Competition App #====================================================== # Creating the Self-hosted Application for Competition web application #resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" { # account_id = local.cloudflare_account_id # type = "self_hosted" # name = var.cloudflare_sensitive_web_app_name # name = "Competition App" # app_launcher_visible = true # logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" # tags = ["devops"] # session_duration = "0s" # custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" # custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # destinations = [{ # type = "public" # uri = var.cloudflare_subdomain_web_sensitive # }] # allowed_idps = [var.cloudflare_okta_identity_provider_id] # auto_redirect_to_identity = true # allow_authenticate_via_warp = false # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id # }] #} #====================================================== # SELF-HOSTED APP: Macharpe Intranet #====================================================== # Creating the Self-hosted Application for Administration web application #resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" { # account_id = local.cloudflare_account_id # type = "self_hosted" # name = var.cloudflare_intranet_web_app_name # name = "Intranet" # app_launcher_visible = true # logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" # tags = ["devops"] # session_duration = "0s" # custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" # custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # destinations = [{ # type = "public" # uri = var.cloudflare_subdomain_web # }] # allowed_idps = [var.cloudflare_okta_identity_provider_id] # auto_redirect_to_identity = true # allow_authenticate_via_warp = false # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id # }] #} #====================================================== # SELF-HOSTED APP: Domain Controller #====================================================== # Creating the Target #resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" { # account_id = local.cloudflare_account_id # hostname = var.cloudflare_target_rdp_name # hostname = "Domain-Controller" # ip = { # ipv4 = { # ip_addr = "10.0.4.101" # } # } #} # Domain Controller Browser-Rendered RDP Application #resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" { # account_id = local.cloudflare_account_id # type = "rdp" # name = var.cloudflare_browser_rdp_app_name # name = "GCP Browser RDP windows" # app_launcher_visible = true # logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" # tags = ["devops"] # session_duration = "0s" # custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" # custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # Public hostname for browser rendering # domain = var.cloudflare_subdomain_rdp # Target criteria - references the existing gcp_rdp_target # target_criteria = [{ # port = 3389 # protocol = "RDP" # target_attributes = { # hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller" # hostname = var.cloudflare_target_rdp_name # } # }] # Identity provider settings # allowed_idps = [var.cloudflare_okta_identity_provider_id] # auto_redirect_to_identity = true # enable_binding_cookie = false # http_only_cookie_attribute = false # options_preflight_bypass = false # Reference the policy from cloudflare-app-policies.tf # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id # }] # Depends on the existing target # depends_on = [ # cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target # ] #}