Hubert Cornet
5c70af3b06
Some checks failed
terraform validation / Terraform (push) Failing after 7s
99 lines
2.9 KiB
HCL
99 lines
2.9 KiB
HCL
# =============================================================================
|
|
# CLOUDFLARE TUNNEL
|
|
# =============================================================================
|
|
|
|
# Création du tunnel Cloudflare
|
|
resource "cloudflare_zero_trust_tunnel_cloudflared" "home_tunnel" {
|
|
account_id = local.cloudflare_account_id
|
|
name = var.tunnel_name
|
|
config_src = "cloudflare"
|
|
}
|
|
|
|
# Récupération du token pour l'agent cloudflared
|
|
data "cloudflare_zero_trust_tunnel_cloudflared_token" "home_tunnel_token" {
|
|
account_id = local.cloudflare_account_id
|
|
tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
|
|
}
|
|
|
|
# =============================================================================
|
|
# DNS RECORDS (un par application)
|
|
# =============================================================================
|
|
|
|
resource "cloudflare_dns_record" "applications" {
|
|
for_each = var.applications
|
|
|
|
zone_id = local.cloudflare_zone_id
|
|
name = each.value.subdomain
|
|
content = "${cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id}.cfargotunnel.com"
|
|
type = "CNAME"
|
|
ttl = var.dns_ttl
|
|
proxied = var.dns_proxied
|
|
comment = "Managed by Terraform - ${each.key} via Cloudflare Tunnel"
|
|
}
|
|
|
|
# =============================================================================
|
|
# TUNNEL CONFIGURATION
|
|
# =============================================================================
|
|
|
|
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "home_tunnel_config" {
|
|
tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.home_tunnel.id
|
|
account_id = local.cloudflare_account_id
|
|
|
|
config = {
|
|
warp_routing = {
|
|
enabled = var.tunnel_warp_routing_enabled
|
|
}
|
|
|
|
ingress = local.ingress_rules
|
|
}
|
|
|
|
lifecycle {
|
|
# Ignorer les changements manuels dans Cloudflare Dashboard
|
|
ignore_changes = [config]
|
|
}
|
|
}
|
|
|
|
# =============================================================================
|
|
# ACCESS POLICIES (optionnel)
|
|
# =============================================================================
|
|
|
|
# Exemple de politique d'accès réutilisable
|
|
# Décommentez si vous souhaitez utiliser Cloudflare Access
|
|
/*
|
|
resource "cloudflare_zero_trust_access_policy" "allow_emails" {
|
|
account_id = local.cloudflare_account_id
|
|
name = "Allow specific emails"
|
|
decision = "allow"
|
|
|
|
include = [
|
|
{
|
|
email = {
|
|
email = local.cloudflare_email
|
|
}
|
|
},
|
|
{
|
|
email_domain = {
|
|
domain = var.cloudflare_zone
|
|
}
|
|
}
|
|
]
|
|
}
|
|
|
|
# Application Access pour chaque application qui l'exige
|
|
resource "cloudflare_zero_trust_access_application" "applications" {
|
|
for_each = {
|
|
for app_name, app_config in var.applications :
|
|
app_name => app_config
|
|
if app_config.access_enabled
|
|
}
|
|
|
|
account_id = local.cloudflare_account_id
|
|
type = "self_hosted"
|
|
name = "Access for ${each.key}"
|
|
domain = "${each.value.subdomain}.${var.cloudflare_zone}"
|
|
|
|
policies = [
|
|
cloudflare_zero_trust_access_policy.allow_emails.id
|
|
]
|
|
}
|
|
*/ |