# Terraform variable values (tfvars) -- no secrets are meant to live here.
# Secrets are read from Vault; vault_token is injected by CI/CD as an
# environment variable and must never be written into this file.

# --- Vault -------------------------------------------------------------------
vault_url             = "https://vault.tips-of-mine.com"
vault_cloudflare_path = "secret/cloudflare"
vault_authentik_path  = "secret/authentik"

# --- Cloudflare zone ---------------------------------------------------------
cloudflare_zone = "tips-of-mine.org"

# --- Tunnel ------------------------------------------------------------------
tunnel_name            = "Tips-Of-Mine-sldokp02"
tunnel_network         = "10.0.2.0/24"
tunnel_network_comment = "Example comment for this route sldokp02."

# DNS: a TTL of 1 means "automatic" in the Cloudflare API, which is what
# proxied (orange-cloud) records use.
dns_ttl     = 1
dns_proxied = true

# WARP routing through the tunnel is off; private-network access is handled
# by the WARP Connector tunnels declared further down.
tunnel_warp_routing_enabled = false

# --- Applications published through the tunnel -------------------------------
applications = {
  # 1. Plain HTTPS service on a private origin.
  # NOTE(review): no_tls_verify = true skips origin certificate validation for
  # an https:// origin. Confirm this origin really uses a self-signed cert and
  # sits on a segment only the tunnel connector can reach.
  "http-app" = {
    subdomain      = "http-app"
    origin_url     = "https://10.0.4.133"
    no_tls_verify  = true
    access_enabled = false
  }

  # 2. Service fronted by Cloudflare Access (identity-aware). Plain-HTTP origin
  # is acceptable only because the last hop is inside the tunnel.
  "secure-app" = {
    subdomain        = "secure"
    origin_url       = "http://10.0.4.134:8080"
    no_tls_verify    = false
    access_enabled   = true
    access_team_name = "tips-of-mine"
    access_aud_tags  = ["secure-app-tag"]
  }

  # 3. Home Assistant, published without Access.
  # NOTE(review): exposed publicly with no Access policy -- confirm that the
  # application's own authentication is considered sufficient.
  "homeassistant" = {
    subdomain      = "home"
    origin_url     = "http://10.0.4.135:8123"
    no_tls_verify  = false
    access_enabled = false
  }
}

# --- Groups ------------------------------------------------------------------
# (none defined yet)

# --- Access tags -------------------------------------------------------------
cloudflare_access_tags = ["engineers", "developers", "qa", "devops"]

# =============================================================================
# Cloudflare
# =============================================================================
cloudflare_team_name    = "tips-of-mine"
cloudflare_email_domain = "tips-of-mine.org"

# Tunnel display names
cloudflare_tunnel_name_gcp         = "Tunnel GCP (Access For Infrastructure)"
cloudflare_tunnel_name_aws         = "Tunnel AWS (SSH Browser Rendered)"
cloudflare_tunnel_name_azure       = "Tunnel Azure (SSH Browser Rendered)"
cloudflare_tunnel_name_ovh         = "Tunnel OVH (SSH Browser Rendered)"
cloudflare_windows_rdp_tunnel_name = "Tunnel GCP (Windows RDP)"

# WARP Connector tunnel IDs -- sensitive, copied by hand from the dashboard.
# NOTE(review): the values below are masked placeholders; a real apply needs the
# full IDs, preferably sourced from Vault like the other secrets.
cloudflare_warp_tunnel_azure_id = "185f0bc0-986d-********"
cloudflare_warp_tunnel_gcp_id   = "ad04a3ed-a1a1-********"

# Public hostnames
cloudflare_subdomain_ssh             = "ssh-database.tips-of-mine.org"
cloudflare_subdomain_vnc             = "vnc.tips-of-mine.org"
cloudflare_subdomain_web             = "intranet.tips-of-mine.org"
cloudflare_subdomain_rdp             = "rdp.tips-of-mine.org"
cloudflare_subdomain_web_sensitive   = "competition.tips-of-mine.org"
cloudflare_subdomain_training_status = "training-status.tips-of-mine.org"

# Access for Infrastructure targets
cloudflare_target_ssh_name = "GCP-database"
cloudflare_target_rdp_name = "Domain-Controller"

# Access application display names
cloudflare_infra_app_name         = "GCP Infrastructure SSH database"
cloudflare_browser_ssh_app_name   = "AWS Browser SSH database"
cloudflare_browser_vnc_app_name   = "AWS Browser VNC database"
cloudflare_browser_rdp_app_name   = "GCP Browser RDP windows"
cloudflare_sensitive_web_app_name = "Competition App"
cloudflare_intranet_web_app_name  = "Intranet"

# Origin ports behind the Access applications
cloudflare_competition_app_port       = 8080
cloudflare_intranet_app_port          = 8181
cloudflare_domain_controller_rdp_port = 3389

# Identity provider and rule-group IDs -- sensitive, copied from the dashboard
# (masked placeholders, same caveat as the tunnel IDs above).
cloudflare_okta_identity_provider_id  = "8fd4786e-97d7-4257-********"
cloudflare_otp_identity_provider_id   = "a6dfbf35-0e20-4244-********"
cloudflare_azure_identity_provider_id = "8c593fe8-aee3-4075-********"
cloudflare_azure_admin_rule_group_id  = "5f253130-a400-4215-********"

# Device posture check IDs -- sensitive, copied from the dashboard (masked).
cloudflare_gateway_posture_id = "4d8d7499-38c3-4bf0-********"
cloudflare_macos_posture_id   = "6d64ff80-1308-4462-********"
cloudflare_ios_posture_id     = "56454654-1245-8564-********"
cloudflare_windows_posture_id = "67b05735-3b9b-4bcc-********"
cloudflare_linux_posture_id   = "ed5639c7-3305-4a91-********"

# Which posture check applies to the test device: "linux", "windows" or "mac".
cloudflare_device_os = "mac"

# WARP Connector CGNAT routes. The two custom ranges sit inside the default
# 100.64.0.0/10 block; cloudflare_warp_cgnat_cidr is carved out for WARP clients.
cloudflare_custom_cgnat_routes = [
  {
    address     = "100.64.0.0/11"
    description = "WARP Connector CGNAT 1"
  },
  {
    address     = "100.112.0.0/12"
    description = "WARP Connector CGNAT 2"
  },
]

cloudflare_default_cgnat_routes = [
  {
    address     = "100.64.0.0/10"
    description = "Default CGNAT Range"
  },
]

cloudflare_warp_cgnat_cidr = "100.96.0.0/12"

# =============================================================================
# Okta
# =============================================================================
# SAML group IDs were removed as unused; only group names remain.
okta_sales_eng_saml_group_name   = "SalesEngineering"
okta_itadmin_saml_group_name     = "ITAdmin"
okta_sales_saml_group_name       = "Sales"
okta_contractors_saml_group_name = "Contractors"
okta_infra_admin_saml_group_name = "InfrastructureAdmin"

# User IDs were removed as unused; only logins remain (masked here).
okta_bob_user_login      = "********3@passfwd.com"
okta_matthieu_user_login = "********"

# NOTE(review): this is a plaintext credential in a file whose header states
# that secrets are managed in Vault. Source it from Vault (or a sensitive
# variable supplied by CI/CD) rather than committing it here.
okta_bob_user_linux_password = "bob"

# =============================================================================
# AWS
# =============================================================================
# Previous layout, kept for reference:
#   aws_vpc_cidr     = "10.10.0.0/20"
#   aws_private_cidr = "10.10.15.0/24"
#   aws_public_cidr  = "10.10.20.0/24"
#
# NOTE(review): aws_vpc_cidr 10.10.0.0/20 spans 10.10.0.0-10.10.15.255, so
# aws_windows_rdp_cidr 10.10.20.0/24 falls outside it. Confirm whether the
# module creates that subnet inside the VPC; AWS rejects subnets outside the
# VPC CIDR.
aws_vpc_cidr         = "10.10.0.0/20"
aws_public_cidr      = "10.10.0.0/24"
aws_private_cidr     = "10.10.1.0/24"
aws_infra_cidr       = "10.10.10.0/24"
aws_warp_cidr        = "10.10.15.0/24"
aws_windows_rdp_cidr = "10.10.20.0/24"

# =============================================================================
# GCP
# =============================================================================
# Previous layout, kept for reference:
#   gcp_vpc_cidr         = "10.13.0.0/20"
#   gcp_infra_cidr       = "10.11.10.0/24"
#   gcp_warp_cidr        = "10.11.15.0/24"
#   gcp_windows_rdp_cidr = "10.11.20.0/24"
#
# NOTE(review): gcp_windows_rdp_cidr 10.13.20.0/24 (and gcp_windows_vm_internal_ip)
# lie outside gcp_vpc_cidr 10.13.0.0/20 -- same pattern as AWS/Azure/OVH below.
# Probably harmless on GCP, where a VPC has no CIDR of its own, but worth
# confirming the module does not use gcp_vpc_cidr for firewall source ranges.
gcp_vpc_cidr         = "10.13.0.0/20"
gcp_public_cidr      = "10.13.0.0/24"
gcp_private_cidr     = "10.13.1.0/24"
gcp_infra_cidr       = "10.13.10.0/24"
gcp_warp_cidr        = "10.13.15.0/24"
gcp_windows_rdp_cidr = "10.13.20.0/24"

gcp_vm_internal_ip         = "10.13.1.10"
gcp_windows_vm_internal_ip = "10.13.20.10"

# =============================================================================
# Azure
# =============================================================================
# NOTE(review): azure_subnet_cidr 10.14.25.0/24 and azure_windows_rdp_cidr
# 10.14.20.0/24 are both outside azure_vnet_cidr 10.14.0.0/20
# (10.14.0.0-10.14.15.255); Azure requires subnets to be inside the VNet
# address space, so confirm these are intentional or that the VNet is widened.
azure_subnet_cidr = "10.14.25.0/24"

# Previous values, kept for reference:
#   azure_vnet_cidr          = "192.12.15.0/16"
#   azure_public_dns_domain  = "westeurope.cloudapp.azure.com"
azure_vnet_cidr         = "10.14.0.0/20"
azure_public_cidr       = "10.14.0.0/24"
azure_private_cidr      = "10.14.1.0/24"
azure_infra_cidr        = "10.14.10.0/24"
azure_warp_cidr         = "10.14.15.0/24"
azure_windows_rdp_cidr  = "10.14.20.0/24"
azure_public_dns_domain = "westeurope.cloudapp.azure.com"

# =============================================================================
# OVH
# =============================================================================
# Previous layout, kept for reference:
#   ovh_vpc_cidr         = "10.13.10.0/20"
#   ovh_warp_cidr        = "10.13.15.0/24"
#   ovh_windows_rdp_cidr = "10.13.20.0/24"
#
# NOTE(review): ovh_windows_rdp_cidr 10.16.20.0/24 is outside ovh_vpc_cidr
# 10.16.0.0/20, as in the other providers -- confirm intended.
ovh_vpc_cidr         = "10.16.0.0/20"
ovh_public_cidr      = "10.16.0.0/24"
ovh_private_cidr     = "10.16.1.0/24"
ovh_infra_cidr       = "10.16.10.0/24"
ovh_warp_cidr        = "10.16.15.0/24"
ovh_windows_rdp_cidr = "10.16.20.0/24"

# Superseded duplicates of the Cloudflare tunnel/target names defined above;
# kept commented out so they cannot redefine the variables.
#   cloudflare_tunnel_name_gcp   = "Tunnel GCP (Access For Infrastructure)"
#   cloudflare_tunnel_name_aws   = "Tunnel AWS (SSH Browser Rendered)"
#   cloudflare_tunnel_name_azure = "Tunnel Azure (SSH Browser Rendered)"
#   cloudflare_tunnel_name_ovh   = "Tunnel OVH (SSH Browser Rendered)"
#   cloudflare_target_ssh_name   = "GCP-database"
#   cloudflare_target_rdp_name   = "Domain-Controller"