Merge pull request #2 from initd1/feature/configure-zero-trust-tunnel
Feature/configure zero trust tunnel
initd1 authored Oct 9, 2024
2 parents 24b8f06 + 009b764 commit 031d2a1
Showing 8 changed files with 681 additions and 56 deletions.
3 changes: 2 additions & 1 deletion .gitignore
@@ -1 +1,2 @@
*.tfvars
*.tfvars
*.tfstate.backup
20 changes: 17 additions & 3 deletions README.md
Expand Up @@ -4,8 +4,8 @@ The intent of this repo is to demonstrate how to manage Cloudflare configuration
## Usage
- Check providers using `terraform providers`
- Initialize Terraform: Run `terraform init` in your working directory to download necessary plugins.
- Plan Changes: Use `terraform plan` to see what changes will be made.
- Apply Configuration: Deploy your setup with `terraform apply`.
- Plan Changes: Use `terraform plan --var-file team1.tfvars` to see what changes will be made.
- Apply Configuration: Deploy your setup with `terraform apply --var-file team1.tfvars`.

## Repo structure for modularity with multiple teams being able to 'self-serve'
```
Expand All @@ -30,4 +30,18 @@ curl -X GET "https://api.cloudflare.com/client/v4/accounts/<account_id>/tokens/v
-H "Authorization: Bearer <api_token>" \
-H "Content-Type:application/json"
```
```

### Permissions Required for API Token

| Type | Permission | Mode |
| ----| ------| ----|
Account | Cloudflare Tunnel | Edit |
Account | Zero Trust | Edit |
Account | DNS Firewall | Edit |
Account | Access: Apps and Policies | Edit |
Account | Account Firewall Access Rules | Edit |
Account | Access: Apps and Policies | Edit |
Account | Account Firewall Access Rules | Read |
Account | Access: Apps and Policies | Read |
Zone | DNS | Edit |
1 change: 0 additions & 1 deletion terraform/.terraform.tfstate.lock.info

This file was deleted.

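--- a/terraform/example.tfvars.template
+++ b/terraform/example.tfvars.template
@@ -0,0 +1,11 @@
+# Template for the tfvars file
+zone = "kashyapvijay.com"
+zone_id = "ZONEID"
+account_id = "ACCOUNTID"
+subdomain = "webserver1"
+tunnel_name = "tun1"
+api_token = "APITOKEN"
+app_id = "app1"
+application1_name = "app1"
+waf_expression = "(http.request.uri.path contains \"/secure\")"
+waf_description = "(http.request.uri.path contains \"/admin\")"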
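Review bot: `waf_description` on the last line holds a ruleset expression rather than a description, which reads like a copy of the `waf_expression` line above it; if the variable feeds a description field, replace it with prose, e.g. `waf_description = "Match requests under /admin"`. `zone` is the only entry with a real-looking value while every other entry is an uppercase placeholder; use `zone = "ZONE"` so a copied template does not point at someone else's zone. `api_token` is expected to be filled into a tfvars file that the repo's `.gitignore` excludes, which is fine, but the token can also be kept out of files entirely by exporting it as `CLOUDFLARE_API_TOKEN` and leaving the variable unset.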
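--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -9,51 +9,98 @@ resource "cloudflare_zero_trust_tunnel_cloudflared" "tun1" {
 secret = random_id.tunnel_secret.b64_std
 }
 
-# resource "cloudflare_zero_trust_tunnel_cloudflared_config" "example_config" {
-# account_id = "f037e56e89293a057740de681ac9abbe"
-# tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.example_tunnel.id
-
-# config {
-# warp_routing {
-# enabled = true
-# }
-# origin_request {
-# connect_timeout = "1m0s"
-# tls_timeout = "1m0s"
-# tcp_keep_alive = "1m0s"
-# no_happy_eyeballs = false
-# keep_alive_connections = 1024
-# keep_alive_timeout = "1m0s"
-# http_host_header = "baz"
-# origin_server_name = "foobar"
-# ca_pool = "/path/to/unsigned/ca/pool"
-# no_tls_verify = false
-# disable_chunked_encoding = false
-# bastion_mode = false
-# proxy_address = "10.0.0.1"
-# proxy_port = "8123"
-# proxy_type = "socks"
-# ip_rules {
-# prefix = "/web"
-# ports = [80, 443]
-# allow = false
-# }
-# }
-# ingress_rule {
-# hostname = "foo"
-# path = "/bar"
-# service = "http://10.0.0.2:8080"
-# origin_request {
-# connect_timeout = "2m0s"
-# access {
-# required = true
-# team_name = "terraform"
-# aud_tag = ["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"]
-# }
-# }
-# }
-# ingress_rule {
-# service = "https://10.0.0.3:8081"
-# }
-# }
-# }
+resource "cloudflare_zero_trust_tunnel_cloudflared_config" "tun1_config" {
+account_id = var.account_id
+tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.tun1.id
+config {
+warp_routing {
+enabled = true
+}
+origin_request {
+connect_timeout = "1m0s"
+tls_timeout = "1m0s"
+tcp_keep_alive = "1m0s"
+# no_happy_eyeballs = false
+keep_alive_connections = 1024
+keep_alive_timeout = "1m0s"
+# http_host_header = "baz"
+# origin_server_name = "foobar"
+# ca_pool = "/path/to/unsigned/ca/pool"
+no_tls_verify = true
+# disable_chunked_encoding = false
+# bastion_mode = false
+proxy_address = "10.0.0.1"
+proxy_port = "8123"
+proxy_type = "socks"
+# ip_rules {
+# prefix = "/web"
+# ports = [443]
+# allow = true
+# }
+}
+ingress_rule {
+# Hostname to match the incoming request with
+hostname = "kash"
+path = "/service2"
+service = "http://10.0.0.2:8080"
+origin_request {
+connect_timeout = "2m0s"
+access {
+required = true
+# team_name = "XYZ"
+}
+}
+}
+ingress_rule {
+# Hostname to match the incoming request with
+hostname = "kash"
+service = "https://10.0.0.3:8081"
+origin_request {
+connect_timeout = "2m0s"
+access {
+required = true
+# team_name = "XYZ"
+}
+}
+}
+ingress_rule {
+service = "http_status:404"
+# hostname = "foo"
+}
+}
+}
+
+# Allowing access to `[email protected]` email address only
+resource "cloudflare_zero_trust_access_group" "geo_policy" {
+account_id = var.account_id
+name = var.geo_policy_name
+
+include {
+# Allow access only from Australia and India
+geo = [ "au", "in" ]
+}
+}
+
+# Allowing access to `[email protected]` email address only
+resource "cloudflare_zero_trust_access_group" "mail_policy" {
+account_id = var.account_id
+name = var.mail_policy_name
+
+include {
+email = [ "[email protected]" ]
+}
+}
+
+
+resource "cloudflare_zero_trust_access_application" "app1" {
+zone_id = var.zone_id
+name = var.application1_name
+domain = var.subdomain
+type = "self_hosted"
+session_duration = "4h"
+auto_redirect_to_identity = false
+policies = [
+cloudflare_zero_trust_access_group.mail_policy.id,
+cloudflare_zero_trust_access_group.geo_policy.id
+]
+}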
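Review bot: `no_tls_verify = true` in the top-level `origin_request` block of `tun1_config` turns off certificate verification for every origin the tunnel connects to, including the `https://10.0.0.3:8081` ingress rule, so the connector would accept any certificate presented on that path; the example this replaces had it at `false`. Keep `no_tls_verify = false` and, if the origin uses a private CA, point `ca_pool` at it instead of disabling verification. Both `access` blocks set `required = true` with `team_name` commented out; presumably the provider expects a team name when access is required, so confirm this applies cleanly before relying on it. The comment above `geo_policy` ("Allowing access to ... email address only") is copied from `mail_policy`; change it to `# Allow access only from the listed countries`, and the literal address in `mail_policy` would be better sourced from a variable like the two policy names are.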
