# =============================================================================
# VAULT CONFIGURATION
# =============================================================================

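variable "vault_url" {
  # Base URL of the Vault server; presumably paired with var.vault_token by
  # the CI/CD pipeline. Restricted to https so the token is never presented
  # over a clear-text connection.
  type        = string
  description = "URL du serveur Vault"
  default     = "https://vault.tips-of-mine.com"

  validation {
    condition     = startswith(var.vault_url, "https://")
    error_message = "vault_url must start with https:// so the Vault token is not sent over an unencrypted connection."
  }
}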
variable "vault_token" {
  # Vault authentication token injected by CI/CD (no default on purpose).
  # `sensitive` redacts it from plan/apply output; it is still stored in
  # state, so the state backend must be protected accordingly.
  type        = string
  description = "Token d'authentification Vault (fourni par CI/CD)"
  sensitive   = true
}
variable "vault_cloudflare_path" {
  # KV path under which the Cloudflare secrets live in Vault.
  type        = string
  description = "Chemin vers les secrets Cloudflare dans Vault"
  default     = "secret/cloudflare"
}
variable "vault_authentik_path" {
  # KV path under which the Authentik secrets live in Vault.
  type        = string
  description = "Chemin vers les secrets Authentik dans Vault"
  default     = "secret/authentik"
}

# =============================================================================
# AUTHENTIK (OIDC) CONFIGURATION
# =============================================================================

variable "authentik_oidc_client_id_cloudflare" {
  # OIDC client identifier of the Authentik provider used by Cloudflare.
  # The default is a placeholder and is expected to be overridden.
  type        = string
  description = "Client ID for Authentik"
  default     = "exemple"
}
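variable "authentik_oidc_secret_cloudflare" {
  # OIDC client secret of the Authentik provider. Marked sensitive so it is
  # redacted from plan/apply output like the other credentials in this file.
  # The "exemple" default is only a placeholder kept for compatibility; the
  # real value should come from Vault (see var.vault_authentik_path) or a
  # CI/CD variable, never be committed here.
  type        = string
  description = "Secret for Authentik"
  default     = "exemple"
  sensitive   = true
}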

# =============================================================================
# CLOUDFLARE CONFIGURATION
# =============================================================================

variable "cloudflare_zone" {
  # Apex domain of the Cloudflare zone the records are created in.
  type        = string
  description = "Domaine principal"
  default     = "tips-of-mine.org"
}
variable "tunnel_name" {
  # Display name of the Cloudflare tunnel.
  type        = string
  description = "Nom du tunnel Cloudflare"
  default     = "home-tunnel"
}
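variable "tunnel_network" {
  # Private network routed through the tunnel, in CIDR notation. Validated
  # up front so a typo fails at plan time instead of at the Cloudflare API.
  type        = string
  description = "Network du tunnel Cloudflare"
  default     = "10.0.0.0/24"

  validation {
    condition     = can(cidrhost(var.tunnel_network, 0))
    error_message = "tunnel_network must be a valid CIDR block, e.g. 10.0.0.0/24."
  }
}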
variable "tunnel_network_comment" {
  # Free-text comment attached to the tunnel route.
  type        = string
  description = "Commentaire du network du tunnel Cloudflare"
  default     = "tips-of-mine comment for this route."
}
variable "cloudflare_api_token" {
  # Cloudflare API token (no default: must be supplied at run time).
  # Redacted from CLI output via `sensitive`; still present in state.
  type        = string
  description = "Token d'API Cloudflare"
  sensitive   = true
}
variable "cloudflare_access_tags" {
  # Names of the Zero Trust Access tags to create. Required (no default).
  type        = list(string)
  description = "Liste des tags Cloudflare Zero Trust à créer"
}

# =============================================================================
# APPLICATIONS CONFIGURATION
# =============================================================================

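variable "applications" {
  # Applications published through the tunnel, keyed by a caller-chosen name.
  #   subdomain        - host label created under the zone (must be non-empty)
  #   origin_url       - where cloudflared forwards the traffic
  #   no_tls_verify    - skip origin certificate verification
  #   access_enabled   - put the app behind Cloudflare Access
  #   access_team_name - Zero Trust team name used when Access is enabled
  #   access_aud_tags  - Access audience tags for the app
  # NOTE(review): no_tls_verify defaults to true, so every app skips origin
  # certificate checks unless it opts out; the default is kept for
  # compatibility, but origins with trusted certificates should set it to
  # false explicitly.
  type = map(object({
    subdomain        = string
    origin_url       = string
    no_tls_verify    = optional(bool, true)
    access_enabled   = optional(bool, false)
    access_team_name = optional(string, "")
    access_aud_tags  = optional(list(string), [])
  }))
  description = "Liste des applications à exposer via le tunnel"
  default     = {}

  validation {
    condition     = alltrue([for app in var.applications : trimspace(app.subdomain) != ""])
    error_message = "Every entry in applications must define a non-empty subdomain."
  }
}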

# =============================================================================
# Group
# =============================================================================

#======================================================
# CLOUDFLARE WARP CONNECTOR CONFIGURATION
#======================================================

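variable "cloudflare_default_cgnat_routes" {
  # Routes pushed to the WARP device profile by default; each address must
  # be a CIDR block, which is checked at plan time.
  type = list(object({
    address     = string
    description = string
  }))
  description = "default cgnat routes"
  default = [{
    address     = "100.64.0.0/10"
    description = "Default CGNAT Range"
  }]

  validation {
    condition     = alltrue([for route in var.cloudflare_default_cgnat_routes : can(cidrhost(route.address, 0))])
    error_message = "Every cloudflare_default_cgnat_routes entry must have a valid CIDR address."
  }
}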
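variable "cloudflare_custom_cgnat_routes" {
  # Additional routes for the WARP device profile (required, no default).
  # Addresses are validated as CIDR blocks so mistakes surface at plan time.
  type = list(object({
    address     = string
    description = string
  }))
  description = "List of custom CGNAT routes to add to the device profile"

  validation {
    condition     = alltrue([for route in var.cloudflare_custom_cgnat_routes : can(cidrhost(route.address, 0))])
    error_message = "Every cloudflare_custom_cgnat_routes entry must have a valid CIDR address."
  }
}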
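variable "cloudflare_warp_cgnat_cidr" {
  # CIDR range WARP uses when overriding the local interface IP.
  type        = string
  description = "default ip range for WARP when overriding local interface IP"

  validation {
    condition     = can(cidrhost(var.cloudflare_warp_cgnat_cidr, 0))
    error_message = "cloudflare_warp_cgnat_cidr must be a valid CIDR block."
  }
}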

# =============================================================================
# ADVANCED OPTIONS
# =============================================================================

variable "tunnel_warp_routing_enabled" {
  # Toggle WARP routing on the tunnel; off unless explicitly enabled.
  type        = bool
  description = "Activer le routage WARP pour le tunnel"
  default     = false
}
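variable "dns_ttl" {
  # TTL of the created DNS records. 1 is Cloudflare's "automatic" TTL (the
  # value proxied records use); explicit TTLs are otherwise bounded by the
  # API (30–86400 s, the lower bound depending on plan), so the check only
  # rejects clearly invalid values such as 0 or negatives.
  type        = number
  description = "TTL pour les enregistrements DNS"
  default     = 1

  validation {
    condition     = var.dns_ttl == 1 || (var.dns_ttl >= 30 && var.dns_ttl <= 86400)
    error_message = "dns_ttl must be 1 (automatic) or a value between 30 and 86400 seconds."
  }
}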
variable "dns_proxied" {
  # Whether records are proxied through Cloudflare (orange cloud); on by default.
  type        = bool
  description = "Activer le proxy Cloudflare pour les DNS"
  default     = true
}

#======================================================
# IDENTITY PROVIDERS
#======================================================

variable "cloudflare_okta_identity_provider_id" {
  # ID of the Okta identity provider configured in Cloudflare Zero Trust.
  type        = string
  description = "Okta Identity Provider ID in Cloudflare"
  sensitive   = true
}
variable "cloudflare_otp_identity_provider_id" {
  # ID of the One-Time PIN identity provider configured in Cloudflare.
  type        = string
  description = "OneTime PIN identity provider ID in Cloudflare"
  sensitive   = true
}

#variable "cloudflare_azure_identity_provider_id" {
#  description = "Azure Entra ID identity provider ID in Cloudflare"
#  type        = string
#  sensitive   = true
#}

#variable "cloudflare_azure_admin_rule_group_id" {
#  description = "Azure Administrators Rule Group ID in Cloudflare"
#  type        = string
#  sensitive   = true
#}

variable "cloudflare_gateway_posture_id" {
  # ID of the Gateway device posture check in Cloudflare.
  type        = string
  description = "Gateway posture ID in Cloudflare"
  sensitive   = true
}
variable "cloudflare_macos_posture_id" {
  # ID of the "latest macOS version" posture check in Cloudflare.
  type        = string
  description = "Latest macOS version posture ID in Cloudflare"
  sensitive   = true
}
variable "cloudflare_windows_posture_id" {
  # ID of the "latest Windows version" posture check in Cloudflare.
  type        = string
  description = "Latest Windows version posture ID in Cloudflare"
  sensitive   = true
}
variable "cloudflare_linux_posture_id" {
  # ID of the "latest Linux kernel version" posture check in Cloudflare.
  type        = string
  description = "Latest Linux Kernel version posture ID in Cloudflare"
  sensitive   = true
}
variable "cloudflare_device_os" {
  # Operating system of the operator's own client machine (required).
  type        = string
  description = "This is the OS you are running on your own client machine"
}
variable "cloudflare_email_domain" {
  # Email domain matched by the email-based rules in the Access policies.
  type        = string
  description = "Email Domain used for email authentication in App policies"
}

#======================================================
# OKTA SAML GROUPS
#======================================================

variable "okta_infra_admin_saml_group_name" {
  # SAML group name asserted by Okta for the InfrastructureAdmin group.
  type        = string
  description = "SAML Group name for InfrastructureAdmin group"
}
variable "okta_contractors_saml_group_name" {
  # SAML group name asserted by Okta for the Contractors group.
  type        = string
  description = "SAML Group name for Contractors group"
}
variable "okta_sales_eng_saml_group_name" {
  # SAML group name asserted by Okta for the SalesEngineering group.
  type        = string
  description = "SAML Group name for SalesEngineering group"
}
variable "okta_sales_saml_group_name" {
  # SAML group name asserted by Okta for the Sales group.
  type        = string
  description = "SAML Group name for Sales group"
}
variable "okta_itadmin_saml_group_name" {
  # SAML group name asserted by Okta for the ITAdmin group.
  type        = string
  description = "SAML Group name for ITAdmin group"
}

#======================================================
# OKTA USER LOGINS
#======================================================

variable "okta_bob_user_login" {
  # Okta login (email form) of the user bob.
  type        = string
  description = "User login for bob, in an email format"
}
variable "okta_matthieu_user_login" {
  # Okta login (email form) of the user matthieu.
  type        = string
  description = "User login for matthieu, in an email format"
}

#======================================================
# AZURE INFRASTRUCTURE
#======================================================

#variable "azure_engineering_group_id" {
#  description = "Object ID of Azure_Engineering group from Azure AD"
#  type        = string
#}

#variable "azure_sales_group_id" {
#  description = "Object ID of Azure_Sales group from Azure AD"
#  type        = string
#}

# Note: azure_subnet_cidr is declared (uncommented) in the AZURE Networking
# section further down.
#variable "azure_subnet_cidr" {
#  description = "Azure address prefix, subnet for VM in Azure"
#  type        = string
#}

#======================================================
# CLOUDFLARE APPLICATION PORTS
#======================================================

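variable "cloudflare_intranet_app_port" {
  # TCP port of the Intranet web application; must be a whole number in the
  # valid port range.
  type        = number
  description = "Port for the Intranet web App in Cloudflare"

  validation {
    condition     = var.cloudflare_intranet_app_port >= 1 && var.cloudflare_intranet_app_port <= 65535 && floor(var.cloudflare_intranet_app_port) == var.cloudflare_intranet_app_port
    error_message = "cloudflare_intranet_app_port must be an integer between 1 and 65535."
  }
}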
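variable "cloudflare_competition_app_port" {
  # TCP port of the Competition web application; must be a whole number in
  # the valid port range.
  type        = number
  description = "Port for the Competition web App in Cloudflare"

  validation {
    condition     = var.cloudflare_competition_app_port >= 1 && var.cloudflare_competition_app_port <= 65535 && floor(var.cloudflare_competition_app_port) == var.cloudflare_competition_app_port
    error_message = "cloudflare_competition_app_port must be an integer between 1 and 65535."
  }
}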
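variable "cloudflare_domain_controller_rdp_port" {
  # TCP port of the domain controller's RDP service; must be a whole number
  # in the valid port range.
  type        = number
  description = "Port for the RDP domain controller"

  validation {
    condition     = var.cloudflare_domain_controller_rdp_port >= 1 && var.cloudflare_domain_controller_rdp_port <= 65535 && floor(var.cloudflare_domain_controller_rdp_port) == var.cloudflare_domain_controller_rdp_port
    error_message = "cloudflare_domain_controller_rdp_port must be an integer between 1 and 65535."
  }
}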

#======================================================
# (legacy, commented-out subdomain defaults)
#======================================================
# The active cloudflare_subdomain_* variables are declared without defaults
# in the CLOUDFLARE DNS SUBDOMAIN CONFIGURATION section at the end of the file.

#variable "cloudflare_subdomain_ssh" {
#  description = "cloudflare_subdomain_ssh"
#  type        = string
#  default     = "ssh-database.tips-of-mine.com"
#}

#variable "cloudflare_subdomain_vnc" {
#  description = "cloudflare_subdomain_vnc"
#  type        = string
#  default     = "vnc.tips-of-mine.com"
#}

#variable "cloudflare_subdomain_web" {
#  description = "cloudflare_subdomain_web"
#  type        = string
#  default     = "intranet.tips-of-mine.com"
#}

#variable "cloudflare_subdomain_rdp" {
#  description = "cloudflare_subdomain_rdp"
#  type        = string
#  default     = "rdp.tips-of-mine.com"
#}

#variable "cloudflare_subdomain_web_sensitive" {
#  description = "cloudflare_subdomain_web_sensitive"
#  type        = string
#  default     = "competition.tips-of-mine.com"
#}

#variable "cloudflare_subdomain_training_status" {
#  description = "cloudflare_subdomain_training_status"
#  type        = string
#  default     = "training-status.tips-of-mine.com"
#}

#======================================================
# GCP Networking
#======================================================

variable "gcp_vm_internal_ip" {
  # Private (internal) IP of the GCP Compute Engine instance.
  type        = string
  description = "Internal Private IP of GCP Compute Engine Instance"
}
variable "gcp_windows_vm_internal_ip" {
  # Private (internal) IP of the Windows RDP Compute Engine instance.
  type        = string
  description = "Internal Private IP of GCP Compute Engine Instance running Windows RDP"
}
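variable "gcp_infra_cidr" {
  # CIDR of the subnet hosting the cloudflared VMs; validated at plan time.
  type        = string
  description = "CIDR Range for GCP VMs running cloudflared"

  validation {
    condition     = can(cidrhost(var.gcp_infra_cidr, 0))
    error_message = "gcp_infra_cidr must be a valid CIDR block."
  }
}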
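variable "gcp_warp_cidr" {
  # CIDR of the subnet hosting the WARP VMs; validated at plan time.
  type        = string
  description = "CIDR Range for GCP VMs running warp"

  validation {
    condition     = can(cidrhost(var.gcp_warp_cidr, 0))
    error_message = "gcp_warp_cidr must be a valid CIDR block."
  }
}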
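variable "gcp_windows_rdp_cidr" {
  # CIDR of the subnet hosting the Windows/RDP VMs; validated at plan time.
  type        = string
  description = "CIDR Range for GCP VMs running cloudflared, Windows and RDP Server"

  validation {
    condition     = can(cidrhost(var.gcp_windows_rdp_cidr, 0))
    error_message = "gcp_windows_rdp_cidr must be a valid CIDR block."
  }
}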

#======================================================
# AWS Networking
#======================================================

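variable "aws_vpc_cidr" {
  # CIDR of the AWS VPC; validated at plan time.
  type        = string
  description = "AWS vpc cidr, subnet for vpc in AWS"

  validation {
    condition     = can(cidrhost(var.aws_vpc_cidr, 0))
    error_message = "aws_vpc_cidr must be a valid CIDR block."
  }
}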
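variable "aws_private_cidr" {
  # CIDR of the private subnet hosting the AWS VMs; validated at plan time.
  type        = string
  description = "AWS private subnet, subnet for VMs in AWS"

  validation {
    condition     = can(cidrhost(var.aws_private_cidr, 0))
    error_message = "aws_private_cidr must be a valid CIDR block."
  }
}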
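variable "aws_public_cidr" {
  # CIDR of the public AWS subnet; validated at plan time.
  type        = string
  description = "AWS public subnet"

  validation {
    condition     = can(cidrhost(var.aws_public_cidr, 0))
    error_message = "aws_public_cidr must be a valid CIDR block."
  }
}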

#======================================================
# AZURE Networking
#======================================================

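variable "azure_subnet_cidr" {
  # Address prefix of the Azure subnet hosting the VM; validated at plan time.
  type        = string
  description = "Azure address prefix, subnet for VM in Azure"

  validation {
    condition     = can(cidrhost(var.azure_subnet_cidr, 0))
    error_message = "azure_subnet_cidr must be a valid CIDR block."
  }
}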
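variable "azure_vnet_cidr" {
  # Address space of the Azure VNet; validated at plan time.
  type        = string
  description = "Azure address vnet, subnet for vnet in Azure"

  validation {
    condition     = can(cidrhost(var.azure_vnet_cidr, 0))
    error_message = "azure_vnet_cidr must be a valid CIDR block."
  }
}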
variable "azure_public_dns_domain" {
  # Public DNS domain used on the Azure side.
  type        = string
  description = "Azure Public DNS Domain"
}

#======================================================
# TUNNEL CONFIGURATION
#======================================================

variable "cloudflare_tunnel_name_gcp" {
  # Name of the cloudflared tunnel terminating in GCP.
  type        = string
  description = "Name of the Cloudflared tunnel for GCP"
}
variable "cloudflare_tunnel_name_aws" {
  # Name of the cloudflared tunnel terminating in AWS.
  type        = string
  description = "Name of the Cloudflared tunnel for AWS"
}
variable "cloudflare_tunnel_name_azure" {
  # Name of the cloudflared tunnel terminating in Azure.
  type        = string
  description = "Name of the Cloudflared tunnel for Azure"
}
variable "cloudflare_tunnel_name_ovh" {
  # Name of the cloudflared tunnel terminating at OVH.
  type        = string
  description = "Name of the Cloudflared tunnel for OVH"
}
variable "cloudflare_windows_rdp_tunnel_name_gcp" {
  # Name of the cloudflared tunnel in front of the Windows RDP server in GCP.
  type        = string
  description = "Name of the Cloudflared tunnel for Windows RDP Server GCP"
}

#======================================================
# WARP CONNECTOR TUNNEL IDS
#======================================================

variable "cloudflare_tunnel_warp_connector_azure_id" {
  # ID of the Azure WARP Connector tunnel; created by hand in the dashboard,
  # so it is referenced here rather than managed by Terraform.
  type        = string
  description = "ID of the WARP Connector Tunnel manually created for Azure in UI"
}
variable "cloudflare_tunnel_warp_connector_gcp_id" {
  # ID of the GCP WARP Connector tunnel; created by hand in the dashboard,
  # so it is referenced here rather than managed by Terraform.
  type        = string
  description = "ID of the WARP Connector Tunnel manually created for GCP in UI"
}
variable "cloudflare_tunnel_warp_connector_aws_id" {
  # ID of the AWS WARP Connector tunnel; created by hand in the dashboard,
  # so it is referenced here rather than managed by Terraform.
  type        = string
  description = "ID of the WARP Connector Tunnel manually created for AWS in UI"
}
variable "cloudflare_tunnel_warp_connector_ovh_id" {
  # ID of the OVH WARP Connector tunnel; created by hand in the dashboard,
  # so it is referenced here rather than managed by Terraform.
  type        = string
  description = "ID of the WARP Connector Tunnel manually created for OVH in UI"
}
variable "cloudflare_team_name" {
  # Zero Trust organisation ("team") name in Cloudflare.
  type        = string
  description = "Name of the Team in Cloudflare, essentially zero-trust org name"
}

#======================================================
# CLOUDFLARE DNS SUBDOMAIN CONFIGURATION
#======================================================

variable "cloudflare_subdomain_ssh" {
  # Subdomain of the tunnel's public hostname for SSH.
  type        = string
  description = "Name of the subdomain for ssh public hostname of tunnel"
}
variable "cloudflare_subdomain_vnc" {
  # Subdomain of the tunnel's public hostname for VNC.
  type        = string
  description = "Name of the subdomain for VNC public hostname of tunnel"
}
variable "cloudflare_subdomain_web" {
  # Subdomain of the tunnel's public hostname for the web application.
  type        = string
  description = "Name of the subdomain for web public hostname of tunnel"
}
variable "cloudflare_subdomain_web_sensitive" {
  # Subdomain of the tunnel's public hostname for the sensitive web application.
  type        = string
  description = "Name of the subdomain for web sensitive public hostname of tunnel"
}
variable "cloudflare_subdomain_rdp" {
  # Subdomain of the public hostname for browser-rendered RDP.
  type        = string
  description = "Name of the subdomain for rdp browser rendered public hostname"
}
variable "cloudflare_subdomain_training_status" {
  # Subdomain of the training-status admin portal; only consumed when the
  # optional apps file mentioned in the description is in use.
  type        = string
  description = "Name of the subdomain for training status admin portal (OPTIONAL: only needed if using optional-cloudflare-apps.tf)"
}