terraform-cloudflare-tunnel-zone-org/Access_Controls-Applications-Infrastructure.tf

# =============================================================================
# CLOUDFLARE : Access Controls : Applications
# =============================================================================

#======================================================
# INFRASTRUCTURE APP: MySQL Database (Infrastructure)
#======================================================

# Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "aws_ssh_target" {
  account_id = local.cloudflare_account_id

  hostname   = var.cloudflare_aws_target_ssh_name
  ip = {
    ipv4 = {
      ip_addr = var.aws_vm_internal_ip
    }
  }
}

# Creating the infrastructure Application
resource "cloudflare_zero_trust_access_application" "cloudflare_aws_app_ssh_infra" {
  account_id                   = local.cloudflare_account_id

  type                         = "infrastructure"
  name                         = var.cloudflare_aws_infra_app_name
  logo_url                     = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
  tags                         = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
  custom_deny_url              = "https://denied.tips-of-mine.org/"
  custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"

  target_criteria = [{
    port     = "22",
    protocol = "SSH"
    target_attributes = {
      hostname = [var.cloudflare_aws_target_ssh_name]
    },
  }]

  policies = [{
    name     = "SSH GCP Infrastructure Policy"
    decision = "allow"

    allowed_idps                = [
    cloudflare_zero_trust_access_identity_provider.authentik_oidc.id,
    ]
    auto_redirect_to_identity   = true
    allow_authenticate_via_warp = false

    include = [
      {
        saml = {
          identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
          attribute_name       = "groups"
          attribute_value      = var.okta_infra_admin_saml_group_name
        }
      },
      {
        saml = {
          identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
          attribute_name       = "groups"
          attribute_value      = var.okta_contractors_saml_group_name
        }
      },
      {
        email_domain = {
          domain = var.cloudflare_email_domain
        }
      }
    ]
    require = [
      {
        device_posture = {
          integration_uid = var.cloudflare_gateway_posture_id
        }
      },
      {
        auth_method = {
          auth_method = "mfa"
        }
      }
    ]
    exclude = [
      {
        auth_method = {
          auth_method = "sms"
        }
      }
    ]
    connection_rules = {
      ssh = {
        allow_email_alias = true
        usernames         = [] # None
      }
    }
  }]
}

#======================================================
# INFRASTRUCTURE APP: MySQL Database (Infrastructure)
#======================================================

# Creating the Target
resource "cloudflare_zero_trust_access_infrastructure_target" "gcp_ssh_target" {
  account_id = local.cloudflare_account_id

  hostname   = var.cloudflare_gcp_target_ssh_name
  ip = {
    ipv4 = {
      ip_addr = var.gcp_vm_internal_ip
    }
  }
}

# Creating the infrastructure Application
resource "cloudflare_zero_trust_access_application" "cloudflare_gcp_app_ssh_infra" {
  account_id                   = local.cloudflare_account_id

  type                         = "infrastructure"
  name                         = var.cloudflare_gcp_infra_app_name
  logo_url                     = "https://upload.wikimedia.org/wikipedia/commons/0/01/Google-cloud-platform.svg"
  tags                         = [cloudflare_zero_trust_access_tag.tags["engineers"].name]
  custom_deny_url              = "https://denied.tips-of-mine.org/"
  custom_non_identity_deny_url = "https://denied.tips-of-mine.org/"

  target_criteria = [{
    port     = "22",
    protocol = "SSH"
    target_attributes = {
      hostname = [var.cloudflare_gcp_target_ssh_name]
    },
  }]

  policies = [{
    name     = "SSH GCP Infrastructure Policy"
    decision = "allow"

    allowed_idps                = [
    cloudflare_zero_trust_access_identity_provider.authentik_oidc.id,
    ]
    auto_redirect_to_identity   = true
    allow_authenticate_via_warp = false

    include = [
      {
        saml = {
          identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
          attribute_name       = "groups"
          attribute_value      = var.okta_infra_admin_saml_group_name
        }
      },
      {
        saml = {
          identity_provider_id = cloudflare_zero_trust_access_identity_provider.authentik_oidc.id
          attribute_name       = "groups"
          attribute_value      = var.okta_contractors_saml_group_name
        }
      },
      {
        email_domain = {
          domain = var.cloudflare_email_domain
        }
      }
    ]
    require = [
      {
        device_posture = {
          integration_uid = var.cloudflare_gateway_posture_id
        }
      },
      {
        auth_method = {
          auth_method = "mfa"
        }
      }
    ]
    exclude = [
      {
        auth_method = {
          auth_method = "sms"
        }
      }
    ]
    connection_rules = {
      ssh = {
        allow_email_alias = true
        usernames         = [] # None
      }
    }
  }]
}