# =============================================================================
# TERRAFORM CONFIGURATION - NO SECRETS
# =============================================================================
# Secrets are managed through Vault.
# The vault_token is supplied by the CI/CD pipeline as an environment variable
# (TF_VAR_vault_token or equivalent) and must never be written into this file.

# Vault configuration
vault_url             = "https://vault.tips-of-mine.com"
vault_cloudflare_path = "secret/cloudflare"
vault_authentik_path  = "secret/authentik"

# Cloudflare configuration
cloudflare_zone = "tips-of-mine.org"

# =============================================================================
# TUNNEL INFORMATION
# =============================================================================
tunnel_name            = "Tips-Of-Mine-sldokp02"
# NOTE(review): the private route advertised through the tunnel is 10.0.2.0/24,
# while every origin in `applications` below lives in 10.0.4.0/24. Public
# hostnames do not depend on the private route, so this is only worth a check
# that the route really is meant to be a different subnet.
tunnel_network         = "10.0.2.0/24"
tunnel_network_comment = "Example comment for this route sldokp02."

# DNS configuration
# A TTL of 1 is Cloudflare's "automatic" value, which is what proxied records
# use regardless of the number given here.
dns_ttl     = 1
dns_proxied = true

# Advanced options
tunnel_warp_routing_enabled = false

# =============================================================================
# APPLICATIONS
# =============================================================================
applications = {
  # Application 1: plain HTTP(S) service.
  # NOTE(review): no_tls_verify = true makes the connector accept any
  # certificate from 10.0.4.133, so anything on the path to that origin could
  # impersonate it. Prefer a certificate the connector trusts (for example a
  # Cloudflare Origin CA certificate on the origin) and set this back to false.
  # access_enabled = false means no Cloudflare Access policy sits in front of
  # this hostname; the origin's own authentication is the only control.
  "http-app" = {
    subdomain      = "http-app"
    origin_url     = "https://10.0.4.133"
    no_tls_verify  = true
    access_enabled = false
  }

  # Application 2: service protected by Cloudflare Access.
  # The origin is reached over plain HTTP from the connector, so no_tls_verify
  # has no effect for this entry.
  "secure-app" = {
    subdomain        = "secure"
    origin_url       = "http://10.0.4.134:8080"
    no_tls_verify    = false
    access_enabled   = true
    access_team_name = "tips-of-mine"
    access_aud_tags  = ["secure-app-tag"]
  }

  # Application 3: another service.
  # NOTE(review): published without an Access policy (access_enabled = false),
  # so the hostname is reachable by anyone and relies solely on the
  # application's own login.
  "homeassistant" = {
    subdomain      = "home"
    origin_url     = "http://10.0.4.135:8123"
    no_tls_verify  = false
    access_enabled = false
  }
}

# =============================================================================
# Groups
# =============================================================================
#
# =============================================================================
# Tags
# =============================================================================
cloudflare_access_tags = ["engineers", "developers", "qa", "devops"]

# =====================================
# Cloudflare variables
# =====================================
cloudflare_team_name    = "tips-of-mine"
cloudflare_email_domain = "tips-of-mine.org"

# Tunnels
cloudflare_tunnel_name_gcp         = "Tunnel GCP (Access For Infrastructure)"
cloudflare_tunnel_name_aws         = "Tunnel AWS (SSH Browser Rendered)"
cloudflare_windows_rdp_tunnel_name = "Tunnel GCP (Windows RDP)"

# WARP Connector tunnels - treated as sensitive; retrieved manually from the
# Cloudflare dashboard. The values below are redacted placeholders, not valid
# tunnel IDs: supply the real values out of band (TF_VAR_* from the CI/CD
# secret store, or Vault) instead of committing them here.
cloudflare_warp_tunnel_azure_id = "185f0bc0-986d-********"
cloudflare_warp_tunnel_gcp_id   = "ad04a3ed-a1a1-********"

# Public hostnames
cloudflare_subdomain_ssh             = "ssh-database.tips-of-mine.org"
cloudflare_subdomain_vnc             = "vnc.tips-of-mine.org"
cloudflare_subdomain_web             = "intranet.tips-of-mine.org"
cloudflare_subdomain_rdp             = "rdp.tips-of-mine.org"
cloudflare_subdomain_web_sensitive   = "competition.tips-of-mine.org"
cloudflare_subdomain_training_status = "training-status.tips-of-mine.org"

# Access for Infrastructure targets
cloudflare_target_ssh_name = "GCP-database"
cloudflare_target_rdp_name = "Domain-Controller"

# Access application display names
cloudflare_infra_app_name         = "GCP Infrastructure SSH database"
cloudflare_browser_ssh_app_name   = "AWS Browser SSH database"
cloudflare_browser_vnc_app_name   = "AWS Browser VNC database"
cloudflare_browser_rdp_app_name   = "GCP Browser RDP windows"
cloudflare_sensitive_web_app_name = "Competition App"
cloudflare_intranet_web_app_name  = "Intranet"

# Application ports (origin side)
cloudflare_competition_app_port       = 8080
cloudflare_intranet_app_port          = 8181
cloudflare_domain_controller_rdp_port = 3389

# Identity providers - treated as sensitive; retrieved manually from the
# Cloudflare dashboard. Redacted placeholders; supply the real IDs out of band
# as described for the WARP tunnel IDs above.
cloudflare_okta_identity_provider_id  = "8fd4786e-97d7-4257-********"
cloudflare_otp_identity_provider_id   = "a6dfbf35-0e20-4244-********"
cloudflare_azure_identity_provider_id = "8c593fe8-aee3-4075-********"
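# Group ID referenced by the Azure admin Access rule - treated as sensitive;
# redacted placeholder to be supplied out of band (TF_VAR_* or Vault).
# Presumably an Entra ID / Azure AD group object ID - verify against the rule.
cloudflare_azure_admin_rule_group_id = "5f253130-a400-4215-********"

# Device posture checks - treated as sensitive; retrieved manually from the
# Cloudflare dashboard. Redacted placeholders; supply the real IDs out of band.
cloudflare_gateway_posture_id = "4d8d7499-38c3-4bf0-********"
cloudflare_macos_posture_id   = "6d64ff80-1308-4462-********"
cloudflare_ios_posture_id     = "56454654-1245-8564-********"
cloudflare_windows_posture_id = "67b05735-3b9b-4bcc-********"
cloudflare_linux_posture_id   = "ed5639c7-3305-4a91-********"
cloudflare_device_os          = "mac" # Options: "linux", "windows", "mac"

# WARP CGNAT routes
# The two custom routes (100.64.0.0/11 and 100.112.0.0/12) plus
# cloudflare_warp_cgnat_cidr (100.96.0.0/12) cover exactly the default
# 100.64.0.0/10 with no overlap: the WARP client range is carved out of the
# connector routes. Keep the three values in sync if any one of them changes.
cloudflare_custom_cgnat_routes = [
  {
    address     = "100.64.0.0/11"
    description = "WARP Connector CGNAT 1"
  },
  {
    address     = "100.112.0.0/12"
    description = "WARP Connector CGNAT 2"
  }
]
cloudflare_default_cgnat_routes = [{
  address     = "100.64.0.0/10"
  description = "Default CGNAT Range"
}]
cloudflare_warp_cgnat_cidr = "100.96.0.0/12"

# =====================================
# Okta
# =====================================
# SAML group names (the matching group-ID variables were removed as unused).
okta_sales_eng_saml_group_name   = "SalesEngineering"
okta_itadmin_saml_group_name     = "ITAdmin"
okta_sales_saml_group_name       = "Sales"
okta_contractors_saml_group_name = "Contractors"
okta_infra_admin_saml_group_name = "InfrastructureAdmin"

# User logins (the matching user-ID variables were removed as unused; values
# are redacted placeholders).
okta_bob_user_login      = "********3@passfwd.com"
okta_matthieu_user_login = "********"

# SECURITY: this file used to set okta_bob_user_linux_password to a trivial
# plaintext literal. A credential must not live in a committed tfvars file -
# the header above states this file holds no secrets - so the assignment has
# been removed. Provide the value out of band instead, e.g.
#   export TF_VAR_okta_bob_user_linux_password=...
# from the CI/CD secret store, or read it from Vault, and declare the variable
# with `sensitive = true` so it is not echoed in plan/apply output. If the old
# literal was ever set on a real host, rotate it; it remains in git history.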