# ============================================================================= # CLOUDFLARE : Access : Applications # ============================================================================= # resource "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" { account_id = local.cloudflare_account_id type = "self_hosted" name = "Home Network Access Application" domain = "home.${local.cloudflare_zone_id}" session_duration = "24h" skip_interstitial = true tags = ["engineers"] } data "cloudflare_zero_trust_access_application" "example_zero_trust_access_application" { account_id = local.cloudflare_account_id app_id = cloudflare_zero_trust_access_application.example_zero_trust_access_application.id } #====================================================== # INFRASTRUCTURE APP: MySQL Database (Infrastructure) #====================================================== # Creating the Target resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" { account_id = local.cloudflare_account_id hostname = "var.cloudflare_target_ssh_name" ip = { ipv4 = { # ip_addr = var.gcp_vm_internal_ip ip_addr = "10.0.4.100" } } } # Creating the infrastructure Application resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_infra" { account_id = local.cloudflare_account_id type = "infrastructure" name = "var.cloudflare_infra_app_name" logo_url = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg" # tags = ["devops"] custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # target_criteria = [{ # port = "22", # protocol = "SSH" # target_attributes = { # hostname = "var.cloudflare_target_ssh_name" # }, # }] policies = [{ name = "SSH GCP Infrastructure Policy" decision = "allow" allowed_idps = [var.cloudflare_okta_identity_provider_id] auto_redirect_to_identity = true allow_authenticate_via_warp = false include = [ { saml = { identity_provider_id = var.cloudflare_okta_identity_provider_id attribute_name = "groups" attribute_value = var.okta_infra_admin_saml_group_name } }, { saml = { identity_provider_id = var.cloudflare_okta_identity_provider_id attribute_name = "groups" attribute_value = var.okta_contractors_saml_group_name } }, { email_domain = { domain = "thedjinhn@gmail.com" } } ] require = [ { device_posture = { integration_uid = var.cloudflare_gateway_posture_id } }, { auth_method = { auth_method = "mfa" } } ] exclude = [ { auth_method = { auth_method = "sms" } } ] connection_rules = { ssh = { allow_email_alias = true usernames = [] # None } } }] } #====================================================== # SELF-HOSTED APP: DB Server #====================================================== # Creating the Self-hosted Application for Browser rendering SSH resource "cloudflare_zero_trust_access_application" "cloudflare_app_ssh_browser" { account_id = local.cloudflare_account_id type = "ssh" name = "var.cloudflare_browser_ssh_app_name" app_launcher_visible = true logo_url = "https://cdn.iconscout.com/icon/free/png-256/free-database-icon-download-in-svg-png-gif-file-formats--ui-elements-pack-user-interface-icons-444649.png" tags = ["devops"] session_duration = "0s" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" destinations = [{ type = "public" uri = var.cloudflare_subdomain_ssh }] allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] auto_redirect_to_identity = false allow_authenticate_via_warp = false # policies = [ # { # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id # }, # { # id = cloudflare_zero_trust_access_policy.policies["contractors_browser_rendering"].id # } # ] } #====================================================== # SELF-HOSTED APP: PostgresDB Admin #====================================================== # Creating the Self-hosted Application for Browser rendering VNC resource "cloudflare_zero_trust_access_application" "cloudflare_app_vnc_browser" { account_id = local.cloudflare_account_id type = "vnc" name = "var.cloudflare_browser_vnc_app_name" app_launcher_visible = true logo_url = "https://blog.zwindler.fr/2015/07/vnc.png" tags = ["devops"] session_duration = "0s" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" destinations = [{ type = "public" uri = var.cloudflare_subdomain_vnc }] allowed_idps = [var.cloudflare_okta_identity_provider_id, var.cloudflare_otp_identity_provider_id] auto_redirect_to_identity = false allow_authenticate_via_warp = false # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["employees_browser_rendering"].id # }] } #====================================================== # SELF-HOSTED APP: Competition App #====================================================== # Creating the Self-hosted Application for Competition web application resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_competition" { account_id = local.cloudflare_account_id type = "self_hosted" name = "var.cloudflare_sensitive_web_app_name" app_launcher_visible = true logo_url = "https://img.freepik.com/free-vector/trophy_78370-345.jpg" tags = ["devops"] session_duration = "0s" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" destinations = [{ type = "public" uri = var.cloudflare_subdomain_web_sensitive }] allowed_idps = [var.cloudflare_okta_identity_provider_id] auto_redirect_to_identity = true allow_authenticate_via_warp = false # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["competition_web_app"].id # }] } #====================================================== # SELF-HOSTED APP: Macharpe Intranet #====================================================== # Creating the Self-hosted Application for Administration web application resource "cloudflare_zero_trust_access_application" "cloudflare_app_web_intranet" { account_id = local.cloudflare_account_id type = "self_hosted" name = "var.cloudflare_intranet_web_app_name" app_launcher_visible = true logo_url = "https://raw.githubusercontent.com/uditkumar489/Icon-pack/master/Entrepreneur/digital-marketing/svg/computer-1.svg" tags = ["devops"] session_duration = "0s" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" destinations = [{ type = "public" uri = var.cloudflare_subdomain_web }] allowed_idps = [var.cloudflare_okta_identity_provider_id] auto_redirect_to_identity = true allow_authenticate_via_warp = false # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["intranet_web_app"].id # }] } #====================================================== # SELF-HOSTED APP: Domain Controller #====================================================== # Creating the Target resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_rdp_target" { account_id = local.cloudflare_account_id hostname = "var.cloudflare_target_rdp_name" ip = { ipv4 = { ip_addr = "10.0.4.101" } } } # Domain Controller Browser-Rendered RDP Application resource "cloudflare_zero_trust_access_application" "cloudflare_app_rdp_domain" { account_id = local.cloudflare_account_id type = "rdp" name = "var.cloudflare_browser_rdp_app_name" app_launcher_visible = true logo_url = "https://www.kevinsubileau.fr/wp-content/uploads/2016/05/RDP_icon.png" tags = ["devops"] session_duration = "0s" custom_deny_url = "https://denied.${local.cloudflare_zone_id}/" custom_non_identity_deny_url = "https://denied.${local.cloudflare_zone_id}/" # Public hostname for browser rendering domain = var.cloudflare_subdomain_rdp # Target criteria - references the existing gcp_rdp_target # target_criteria = [{ # port = 3389 # protocol = "RDP" # target_attributes = { # hostname = [var.cloudflare_target_rdp_name] # This will be "Domain-Controller" # hostname = "var.cloudflare_target_rdp_name" # } # }] # Identity provider settings allowed_idps = [var.cloudflare_okta_identity_provider_id] auto_redirect_to_identity = true enable_binding_cookie = false http_only_cookie_attribute = false options_preflight_bypass = false # Reference the policy from cloudflare-app-policies.tf # policies = [{ # id = cloudflare_zero_trust_access_policy.policies["domain_controller"].id # }] # Depends on the existing target depends_on = [ cloudflare_zero_trust_access_infrastructure_target.gcp_rdp_target ] }