Tips-Of-Mine/terraform-cloudflare-tunnel-zone-org
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
04a45c80f0e53822ea5837cdd3b4183c07d91c97
terraform-cloudflare-tunnel…/variables.auto.tfvars
Hubert Cornet 1e63b10f85
Some checks failed
Terraform Apply / Terraform Apply (push) Failing after 13s
Details
Update variables.auto.tfvars
2025-11-14 20:52:51 +01:00

163 lines
6.1 KiB
HCL
Raw Blame History

# =============================================================================
# CONFIGURATION TERRAFORM - SANS SECRETS
# =============================================================================
# Les secrets sont gérés via Vault
# Le vault_token est fourni par la CI/CD via variable d'environnement
# Configuration Vault
vault_url = "https://vault.tips-of-mine.com"
vault_cloudflare_path = "secret/cloudflare"
# Configuration Cloudflare
cloudflare_zone = "tips-of-mine.org"
# =============================================================================
# TUNNEL INFORMATION
# =============================================================================
tunnel_name = "Tips-Of-Mine-sldokp02"
tunnel_network = "10.0.2.0/24"
tunnel_network_comment = "Example comment for this route sldokp02."
# Configuration DNS
dns_ttl = 1
dns_proxied = true
# Options avancées
tunnel_warp_routing_enabled = false
# =============================================================================
# APPLICATIONS
# =============================================================================
applications = {
# Application 1 : Service HTTP classique
"http-app" = {
subdomain = "http-app"
origin_url = "https://10.0.4.133"
no_tls_verify = true
access_enabled = false
}
# Application 2 : Service avec Access activé
"secure-app" = {
subdomain = "secure"
origin_url = "http://10.0.4.134:8080"
no_tls_verify = false
access_enabled = true
access_team_name = "tips-of-mine"
access_aud_tags = ["secure-app-tag"]
}
# Application 3 : Autre service
"homeassistant" = {
subdomain = "home"
origin_url = "http://10.0.4.135:8123"
no_tls_verify = false
access_enabled = false
}
}
# =============================================================================
# Groups
# =============================================================================
#
local {
# Group mapping for policies (supports both SAML and composite groups)
policy_groups = {
# Composite groups
employees = cloudflare_zero_trust_access_group.employees_rule_group.id
sales_team = cloudflare_zero_trust_access_group.sales_team_rule_group.id
admins = cloudflare_zero_trust_access_group.admins_rule_group.id
contractors = cloudflare_zero_trust_access_group.contractors_rule_group.id
# Individual SAML groups
infrastructure_admin = cloudflare_zero_trust_access_group.saml_groups["infrastructure_admin"].id
sales_engineering = cloudflare_zero_trust_access_group.saml_groups["sales_engineering"].id
sales = cloudflare_zero_trust_access_group.saml_groups["sales"].id
it_admin = cloudflare_zero_trust_access_group.saml_groups["it_admin"].id
}
# Common access policy configurations
access_policies = {
intranet_web_app = {
name = "Intranet App Policy"
include_groups = ["employees", "contractors"]
require_posture = true
require_mfa = false
purpose_justification = false
}
competition_web_app = {
name = "Competition App Policy"
include_groups = ["sales_team"]
require_posture = true
require_mfa = true
# IMPORTANT: Comment out the next 3 lines if you haven't deployed the "Training Compliance Gateway"
# Otherwise the Competition App won't work or show up in App Launcher
# Repository: https://github.com/macharpe/cloudflare-access-training-evaluator
require_external_evaluation = true
external_evaluation_url = "https://training-status.macharpe.com"
external_evaluation_keys_url = "https://training-status.macharpe.com/keys"
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
lifecycle_create_before_destroy = true
}
employees_browser_rendering = {
name = "Employees AWS Database Policy"
include_groups = ["infrastructure_admin"]
require_posture = true
require_mfa = false
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
require_login_method = true
}
contractors_browser_rendering = {
name = "Contractors AWS Database Policy"
include_groups = ["contractors"]
require_posture = true
require_mfa = false
require_country = true
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this production system."
}
aws = {
name = "AWS Cloud Policy"
include_groups = ["sales_engineering"]
require_posture = true
require_mfa = true
}
okta = {
name = "Okta Cloud Policy"
include_groups = ["it_admin"]
require_posture = true
require_mfa = true
}
meraki = {
name = "Meraki Cloud Policy"
include_groups = ["it_admin"]
require_posture = true
require_mfa = true
}
domain_controller = {
name = "Domain Controller Policy"
include_groups = ["it_admin", "contractors"]
require_posture = true
require_mfa = true
require_country = true
purpose_justification = true
purpose_justification_prompt = "Access justification required: Please provide your business reason for accessing this sensitive resource."
}
}
}
# =============================================================================
# Tags
# =============================================================================
#
cloudflare_access_tags = [
"engineers",
"developers",
"qa",
"devops"
]
Reference in New Issue View Git Blame Copy Permalink