# =============================================================================
# TERRAFORM CONFIGURATION - NO SECRETS IN THIS FILE
# =============================================================================
# Secrets are read from Vault at plan/apply time; nothing sensitive belongs
# here. vault_token is supplied by the CI/CD pipeline as an environment
# variable (presumably TF_VAR_vault_token) and must never be committed to this
# file. Least privilege: that token only needs read access to the Cloudflare
# path below, not a broad policy on the whole `secret/` mount.

# Vault configuration
vault_url             = "https://vault.tips-of-mine.com"
# Path of the Cloudflare credentials in Vault.
# NOTE(review): whether this is a KV v1 path or a KV v2 mount/name pair depends
# on which Vault data source the module uses — confirm before relying on it.
vault_cloudflare_path = "secret/cloudflare"

# Cloudflare configuration
cloudflare_zone = "tips-of-mine.org"

# =============================================================================
# TUNNEL INFORMATION
# =============================================================================
tunnel_name            = "Tips-Of-Mine-sldokp02"
# Private CIDR routed through the tunnel. It is only reachable from WARP
# clients when tunnel_warp_routing_enabled is true (see below).
tunnel_network         = "10.0.2.0/24"
tunnel_network_comment = "Example comment for this route sldokp02."

# DNS configuration
# ttl = 1 is Cloudflare's "automatic" TTL, the only value accepted for proxied
# records.
dns_ttl     = 1
# Proxied records are required for Tunnel CNAMEs and keep origin IPs out of
# public DNS.
dns_proxied = true

# Advanced options
# WARP routing into tunnel_network is disabled; the public hostnames declared
# in `applications` are the only way in through this tunnel.
tunnel_warp_routing_enabled = false

# =============================================================================
# APPLICATIONS
# =============================================================================
# One entry per public hostname (<subdomain>.<cloudflare_zone>) served through
# the tunnel. `access_enabled = false` means the hostname is reachable by
# anyone on the Internet and only the application's own login protects it.
applications = {
  # Application 1: plain HTTP(S) service.
  # SECURITY: no_tls_verify = true makes cloudflared accept ANY certificate
  # presented by 10.0.4.133, so a host on the origin network able to intercept
  # that address could impersonate the origin. Acceptable only as a stopgap for
  # a self-signed origin certificate; prefer trusting the origin's CA and
  # turning verification back on.
  # access_enabled = false: publicly reachable without Cloudflare Access.
  "http-app" = {
    subdomain      = "http-app"
    origin_url     = "https://10.0.4.133"
    no_tls_verify  = true
    access_enabled = false
  }

  # Application 2: service protected by Cloudflare Access.
  # The origin is plain HTTP inside the tunnel; Access enforces the policies
  # in `access_policies` before traffic reaches it. The origin should still
  # validate the Access JWT (Cf-Access-Jwt-Assertion header) against the
  # application's audience (presumably derived from access_aud_tags) so the
  # policy cannot be bypassed by a client that reaches 10.0.4.134:8080
  # directly on the private network.
  "secure-app" = {
    subdomain        = "secure"
    origin_url       = "http://10.0.4.134:8080"
    no_tls_verify    = false
    access_enabled   = true
    access_team_name = "tips-of-mine"
    access_aud_tags  = ["secure-app-tag"]
  }

  # Application 3: Home Assistant (port 8123 is its default).
  # access_enabled = false exposes the Home Assistant login page to the whole
  # Internet behind home.<zone>; consider enabling Access (at minimum the MFA
  # policy below), since Home Assistant typically controls physical devices.
  "homeassistant" = {
    subdomain      = "home"
    origin_url     = "http://10.0.4.135:8123"
    no_tls_verify  = false
    access_enabled = false
  }
}

# =============================================================================
# ACCESS POLICIES
# =============================================================================
# Policies applied to Access-enabled applications. Group names listed in
# include_groups / exclude_groups are presumably resolved through
# `policy_groups` below — confirm against the module.
# Both policies require MFA; admins additionally pin the login method and
# country and must enter a justification, which is the stricter bar expected
# for privileged access.
access_policies = {
  allow_employees = {
    name                         = "Allow - Employees"
    include_groups               = ["employees"]
    exclude_groups               = []
    require_mfa                  = true
    require_login_method         = false
    require_country              = false
    purpose_justification        = false
    purpose_justification_prompt = null
  }
  allow_admins = {
    name                         = "Allow - Admins"
    include_groups               = ["admins"]
    exclude_groups               = []
    require_mfa                  = true
    require_login_method         = true
    require_country              = true
    purpose_justification        = true
    purpose_justification_prompt = "Why do you need admin access?"
  }
}

# Map from the group names used above to Cloudflare Access group IDs.
# NOTE(review): if this file is loaded as a .tfvars file, these resource
# attribute references are NOT evaluated — tfvars values must be literals and
# `terraform plan` rejects expressions like these. Either paste the group IDs
# here, or move this map into a locals block in a .tf file where the
# cloudflare_zero_trust_access_group resources are in scope.
policy_groups = {
  employees                      = cloudflare_zero_trust_access_group.employees_rule_group.id
  admins                         = cloudflare_zero_trust_access_group.admins_rule_group.id
  contractors                    = cloudflare_zero_trust_access_group.contractors_rule_group.id
  sales                          = cloudflare_zero_trust_access_group.sales_team_rule_group.id
  saml_groups                    = cloudflare_zero_trust_access_group.saml_groups.id
  country_requirements           = cloudflare_zero_trust_access_group.country_requirements_rule_group.id
  latest_os_version_requirements = cloudflare_zero_trust_access_group.latest_os_version_requirements_rule_group.id
}

# =============================================================================
# TAGS
# =============================================================================
# Access tags attached to the applications (presumably used to target policies
# by tag; confirm how the module consumes them).
cloudflare_access_tags = [
  "engineers",
  "developers",
  "qa",
  "devops"
]