# Zero Trust / WARP configuration
# Zero Trust organization: the Access team domain that Access applications
# and WARP device enrollment authenticate against.
resource "cloudflare_zero_trust_organization" "main" {
  account_id  = local.account_id
  auth_domain = "makeitworkcloud.cloudflareaccess.com"
  name        = "makeitworkcloud.cloudflareaccess.com"

  # Dashboard edits to these settings remain allowed (not locked to
  # Terraform-only management).
  is_ui_read_only = false

  # Devices enrolled in WARP receive a valid Access session automatically,
  # so protected hostnames (e.g. k3s.makeitwork.cloud) are reachable without
  # the OIDC browser flow. Devices not on WARP still go through the normal
  # authentication flow. Because enrollment therefore implies access, the
  # WARP enrollment policies should be kept at least as strict as the
  # policies on the applications themselves.
  allow_authenticate_via_warp = true
}
# GitHub OAuth identity provider; the only IdP offered for WARP enrollment.
resource "cloudflare_zero_trust_access_identity_provider" "github" {
  account_id = local.account_id
  type       = "github"
  name       = "GitHub"

  # OAuth app credentials are supplied via locals. client_secret is a
  # sensitive value and is persisted in Terraform state, so the state
  # backend has to be treated as a secret store (encrypted at rest,
  # access restricted) and the secret rotated if the state is ever exposed.
  config = {
    client_id     = local.github_warp_client_id
    client_secret = local.github_warp_client_secret
  }
}
# Access group whose membership is the "admins" team of the "makeitworkcloud"
# GitHub organization, as asserted by the GitHub identity provider above.
resource "cloudflare_zero_trust_access_group" "admins" {
  account_id = local.account_id
  name       = "makeitworkcloud-admins"

  # Membership is derived from the GitHub organization/team claim, so team
  # membership on the GitHub side is what effectively gates access here;
  # changes to that team take effect without any Terraform change.
  include = [{
    github_organization = {
      identity_provider_id = cloudflare_zero_trust_access_identity_provider.github.id
      name                 = "makeitworkcloud"
      team                 = "admins"
    }
  }]
}
# WARP enrollment application: defines who may enroll a device into WARP for
# this organization. Since enrolled devices authenticate to Access via WARP
# (see allow_authenticate_via_warp on the organization), these policies also
# gate what those devices can subsequently reach.
resource "cloudflare_zero_trust_access_application" "warp" {
  account_id       = local.account_id
  type             = "warp"
  name             = "Warp Login App"
  session_duration = "24h"

  # Restrict the enrollment page to the GitHub IdP; no other identity
  # provider is offered for enrollment.
  allowed_idps = [
    cloudflare_zero_trust_access_identity_provider.github.id,
  ]

  # Policies are declared inline on the application rather than as
  # separate policy resources.
  policies = [
    # Interactive users: anyone in the admins Access group.
    {
      name             = "makeitworkcloud-admins"
      decision         = "allow"
      session_duration = "24h"
      include = [{
        group = {
          id = cloudflare_zero_trust_access_group.admins.id
        }
      }]
    },
    # Non-interactive access for GitHub Actions via an Access service token.
    # "non_identity" grants access on the token alone, with no user identity
    # attached, so the token's client secret must be handled as a credential
    # (kept as an encrypted CI secret, rotated if exposed).
    {
      name             = "GitHub Actions"
      decision         = "non_identity"
      session_duration = "24h"
      include = [{
        service_token = {
          # Literal ID of a service token presumably created outside this
          # file; only the token ID is referenced here, not its secret.
          # Referencing a Terraform-managed
          # cloudflare_zero_trust_access_service_token resource instead would
          # avoid editing this UUID by hand on rotation.
          token_id = "635d3164-6e89-4b4b-9812-112b77fdd797"
        }
      }]
    }
  ]
}