48 lines
1.8 KiB
HCL
48 lines
1.8 KiB
HCL
# =============================================================================
|
|
# VAULT DATA SOURCES
|
|
# =============================================================================
|
|
data "vault_generic_secret" "cloudflare" {
|
|
path = var.vault_cloudflare_path
|
|
}
|
|
|
|
data "vault_generic_secret" "authentik" {
|
|
path = var.vault_authentik_path
|
|
}
|
|
|
|
# =============================================================================
|
|
# LOCALS
|
|
# =============================================================================
|
|
locals {
|
|
# Secrets Cloudflare depuis Vault
|
|
cloudflare_api_token = data.vault_generic_secret.cloudflare.data["api_token"]
|
|
cloudflare_account_id = data.vault_generic_secret.cloudflare.data["account_id"]
|
|
cloudflare_zone_id = data.vault_generic_secret.cloudflare.data["zone_id_org"]
|
|
cloudflare_email = data.vault_generic_secret.cloudflare.data["email"]
|
|
|
|
authentik_oidc_client_id_cloudflare = data.vault_generic_secret.authentik.data["client_id_cloudflare"]
|
|
authentik_oidc_secret_cloudflare = data.vault_generic_secret.authentik.data["secret_cloudflare"]
|
|
|
|
# Construction des ingress rules pour toutes les applications
|
|
ingress_rules = concat(
|
|
[
|
|
for app_name, app_config in var.applications : {
|
|
hostname = "${app_config.subdomain}.${local.cloudflare_zone_id}"
|
|
service = app_config.origin_url
|
|
origin_request = {
|
|
no_tls_verify = app_config.no_tls_verify
|
|
|
|
# Configuration Access si activée
|
|
access = app_config.access_enabled ? {
|
|
team_name = app_config.access_team_name
|
|
aud_tag = app_config.access_aud_tags
|
|
required = true
|
|
} : null
|
|
}
|
|
}
|
|
],
|
|
# Règle catch-all en dernier
|
|
[{
|
|
service = "http_status:404"
|
|
}]
|
|
)
|
|
} |