# Cloudflare Tunnels — connect cloudflared pods to Cloudflare's edge.
#
# The cluster-apps tunnel is created and owned by cloudflare-operator
# (see kustomize-cluster/operators/cloudflare/cluster-tunnel.yaml). Tunnel
# credentials live in the cluster's Secret. CNAME records for the apps
# fronted by that tunnel are managed below.
# Look up the cluster-apps tunnel by name so DNS records can target it
# without hard-coding a UUID that changes if the operator recreates it.
data "cloudflare_zero_trust_tunnel_cloudflared" "cluster_apps" {
account_id = local.account_id
filter = {
name = "cluster-apps-k3s"
}
}
# Hostnames fronted by the cluster-apps tunnel. The TunnelBinding in
# kustomize-cluster picks up traffic for each FQDN; this CNAME just tells
# Cloudflare's edge which tunnel to route requests through.
locals {
  # Left-most DNS labels of the apps published through the cluster-apps
  # tunnel; one CNAME is created per entry. The zone itself comes from
  # local.zone_id where the records are declared.
  cluster_apps_hostnames = ["argocd", "forgejo", "grafana", "headlamp", "k3s", "status"]
}
resource "cloudflare_dns_record" "cluster_apps" {
for_each = toset(local.cluster_apps_hostnames)
zone_id = local.zone_id
type = "CNAME"
name = each.value
content = "${data.cloudflare_zero_trust_tunnel_cloudflared.cluster_apps.id}.cfargotunnel.com"
proxied = true
ttl = 1
}
resource "cloudflare_zero_trust_tunnel_cloudflared" "warp" {
account_id = local.account_id
name = "warp-connector"
}
resource "cloudflare_zero_trust_tunnel_cloudflared_route" "private_network" {
account_id = local.account_id
tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.warp.id
network = local.warp_private_network
}