feat(warp): add Zero Trust WARP config with GitHub SSO

xnoto · xnoto · commit 2c97ac44cb4d · 2025-12-28T00:01:12.000-07:00
- Add Zero Trust organization and identity providers to terraform
- Add GitHub identity provider for WARP enrollment
- Add makeitworkcloud-admins access group (GitHub team requirement)
- Keep Email OTP as additional auth option
- Add GitHub WARP OAuth credentials to sops secrets
diff --git a/README.md b/README.md
@@ -32,6 +32,10 @@ No modules.
 | [cloudflare_dns_record.root](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_dns_record.spf](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_dns_record.www](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
+| [cloudflare_zero_trust_access_group.admins](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_group) | resource |
+| [cloudflare_zero_trust_access_identity_provider.email_otp](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) | resource |
+| [cloudflare_zero_trust_access_identity_provider.github](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) | resource |
+| [cloudflare_zero_trust_organization.main](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_organization) | resource |
 | [cloudflare_zone_setting.browser_cache_ttl](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zone_setting) | resource |
 | [cloudflare_zone_setting.browser_check](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zone_setting) | resource |
 | [cloudflare_zone_setting.cache_level](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zone_setting) | resource |
diff --git a/cf-warp.tf b/cf-warp.tf
@@ -0,0 +1,46 @@
+# Zero Trust / WARP configuration
+
+# Organization settings
+resource "cloudflare_zero_trust_organization" "main" {
+  account_id  = local.account_id
+  name        = "makeitworkcloud.cloudflareaccess.com"
+  auth_domain = "makeitworkcloud.cloudflareaccess.com"
+
+  allow_authenticate_via_warp = false
+  is_ui_read_only             = false
+}
+
+# Email OTP identity provider (existing, imported)
+resource "cloudflare_zero_trust_access_identity_provider" "email_otp" {
+  account_id = local.account_id
+  name       = "Email OTP"
+  type       = "onetimepin"
+
+  config = {}
+}
+
+# GitHub identity provider for WARP enrollment
+resource "cloudflare_zero_trust_access_identity_provider" "github" {
+  account_id = local.account_id
+  name       = "GitHub"
+  type       = "github"
+
+  config = {
+    client_id     = local.github_warp_client_id
+    client_secret = local.github_warp_client_secret
+  }
+}
+
+# Access group for makeitworkcloud admins
+resource "cloudflare_zero_trust_access_group" "admins" {
+  account_id = local.account_id
+  name       = "makeitworkcloud-admins"
+
+  include = [{
+    github_organization = {
+      identity_provider_id = cloudflare_zero_trust_access_identity_provider.github.id
+      name                 = "makeitworkcloud"
+      team                 = "admins"
+    }
+  }]
+}
diff --git a/main.tf b/main.tf
@@ -3,8 +3,10 @@ data "sops_file" "secret_vars" {
 }
 
 locals {
-  account_id = data.sops_file.secret_vars.data["cloudflare_account_id"]
-  zone_id    = data.sops_file.secret_vars.data["cloudflare_zone_id"]
+  account_id                = data.sops_file.secret_vars.data["cloudflare_account_id"]
+  zone_id                   = data.sops_file.secret_vars.data["cloudflare_zone_id"]
+  github_warp_client_id     = data.sops_file.secret_vars.data["github_warp_client_id"]
+  github_warp_client_secret = data.sops_file.secret_vars.data["github_warp_client_secret"]
 }
 
 data "cloudflare_zone" "makeitwork_cloud" {
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
@@ -1,23 +1,25 @@
-s3_bucket: ENC[AES256_GCM,data:9+gZdACtLDeJ60q0xrmRK+cb7ZPKn+OP,iv:ZDYhYRpnuoEyZ5i4sCVfJSaxWDsZN8wNjTGcVHH/DGo=,tag:i6ComNZur866Wa8V8cqgDg==,type:str]
-s3_key: ENC[AES256_GCM,data:Wvsb4MQhijWK4gxQvfdtRII=,iv:vJ6srs4iIAuK03zex5bZ8g+zYnqhm3bUu5tXjY3z0YU=,tag:X1Gf8VaCgk65VMInB7hz3A==,type:str]
-s3_region: ENC[AES256_GCM,data:uB+OCrSbmJx6,iv:xoR7moBSDtq5JE7nQiJ16clBB9lowxASV1LegxCUOlk=,tag:om7xMKsMWxE3MUKxhXTvmw==,type:str]
-s3_access_key: ENC[AES256_GCM,data:28vvZJqtNf/FV3BISA+MHJW6dJc=,iv:1nEv0aKBFHqi9x3FuwYJQ5vu/ahkragNphlAhbI+7dQ=,tag:X88T/qiWTBSV2+XX7DI3ug==,type:str]
-s3_secret_key: ENC[AES256_GCM,data:Pr4eWrjaH/j3OEsO+hFDz/7YptnRBU2JPLaqi7s++HNVJvNdgmz9fw==,iv:GxMrfsG8ZJD5zAyquULojq2YGXnwfm8M6PT9Yj1Nw6I=,tag:vx4fnb8ch+DtRyNXJmeP9Q==,type:str]
-cloudflare_api_token: ENC[AES256_GCM,data:7Nf7bNL670HNHpY68/n8DQkNOyvOp84knvzTxQ4IrgVPhoIMjDJW0w==,iv:ABl9haqK2sPoerKXNw7/P+rYvo9XT81LDpNax4dKn10=,tag:/uQdYf3wxzpXTZjdjClbUg==,type:str]
-cloudflare_account_id: ENC[AES256_GCM,data:Kd9ObyA5hCZtYKxHe3TcYhxhhk96oO8pw17HTrudZVo=,iv:EG+v+iRmQQ1VZEmucI87PjF9WCDIxd55pbSiuUU2kmE=,tag:2DzfGnyBJv0GMvJahYibqw==,type:str]
-cloudflare_zone_id: ENC[AES256_GCM,data:VghxCjikK9qhdaQHTMgNbFPapFG4TqfYHM3yjCNl2v0=,iv:NJckLw2hao3tX5fuZ0c1sqlHRfpr1nTeQJZf9BwZCUU=,tag:ZHoeodBu0kkpwCFQPgOUnA==,type:str]
+s3_bucket: ENC[AES256_GCM,data:ECQtaAJzAOPSLPEUXiG1F5KJKr6isX0c,iv:LQLfdkGZHDNkeUqTKSfw3W+zOhm4zinLFq8z0eYEadM=,tag:51QPMfS8oXagbgnK/tl9SA==,type:str]
+s3_key: ENC[AES256_GCM,data:TkOCluW8NzhrEQ3MifmQHLA=,iv:J63vTKw7Fulair4JwQj3FtRGGHIIVR+A1xha2QePe7k=,tag:nZA1YXPMNmaxm17pQqIqbQ==,type:str]
+s3_region: ENC[AES256_GCM,data:uMUPCcGphbBc,iv:XzSQxjexZ+HiF9JEHlv0a3eJI7iaFhwmo5tepqH9yQs=,tag:S0OEyg17OQZiCtaX4/1wkg==,type:str]
+s3_access_key: ENC[AES256_GCM,data:EuKP6SrNR4q7Ocfk94IPlN29UiM=,iv:PE2buWSo4ZawKyLJIqbNS8g5eXP+lSCRxCybu4o3wDo=,tag:o6CAuJ3/phiRXVEWXRsjcg==,type:str]
+s3_secret_key: ENC[AES256_GCM,data:71LUCw0T6r43Vk3LnACNyBUBCI9+prVGDjvbHfmdkxk3/5kfzhWLyA==,iv:TlHg5KY8MXf/VNL6ay24eRrUMrSy/nC5wHvFsLcSrRE=,tag:7K1WpvUtaNYf3pUDO7uZ5w==,type:str]
+cloudflare_api_token: ENC[AES256_GCM,data:dYCY2mPnqByFkRuPvtK1yuyoxFA6DiANTMsd5lcl3RtA8pV+JCM6kg==,iv:naDR7NK4HxAlkwXrOhUc6byZBlQE2hL939r2tvZGA5s=,tag:MRyxtPLg2UKX43Edg/c/7A==,type:str]
+cloudflare_account_id: ENC[AES256_GCM,data:Y8RQ38yMR0lOGvP5OXTsx8X4WYNxl72FxNlSaimd47w=,iv:9d0bpeAF32gNjFs+nbCf6zMDNgLoXwiwrwhznkAqPEg=,tag:X8HzrA7H3litXA4HGBdGNw==,type:str]
+cloudflare_zone_id: ENC[AES256_GCM,data:996WSh3SRmgmDuhgO30szQsf1Mda4TmRAYlwx1/3mwk=,iv:ejTj8Iqc+1uCzabVnf64FUft8OUB9tnPyi9hluQhcUA=,tag:E6WYbb+yj/OI7YhmsQsZhw==,type:str]
+github_warp_client_id: ENC[AES256_GCM,data:q5swiYRx6XpPPnqvXFzUPtrUxVg=,iv:3wk7Rktt4YfBpp7qbSnkWIW59Wq08tQbqfkoxKMskgU=,tag:4xtBaWYPPdBBEmXGCHJGFA==,type:str]
+github_warp_client_secret: ENC[AES256_GCM,data:yLK1kJ7PkgzxE7u7XXVDh+nHVVWJEtYI6aZxpL2A/iYX/ua6RjGv6g==,iv:mDRLO8BAAOIQln9hZgR0xBZMw6fQCezRCZd+svVjxtk=,tag:BACS9ZuwBwP57qHGcwBiKA==,type:str]
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVXd4c2cyT1VjbERabk9w
-            Uzl0U3hEWDU0V2RIR3h0TGJjQlpnamtmUHdFCmUrTWJEY0pFeHUveDIrZXB4azBa
-            a3pxZ2U0cFduZmRQS2M1alA3UUJkWWsKLS0tIE1NRzE1akpkTlBJcFJsdGxUOFUx
-            QUxMaHB0aU1aaDBvYXZ6V25MQTJvYkEKZfwdoqmjVwQK5CAFWOZGl6cbmj4SVGfX
-            BW7pRFHW1TX6TyV3myQ6m4yVr17HBlsyjiQQK4ID/RsUJpyGpCXgEg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1d1dmSGFXRnQxSXJvWkNP
+            VFdxdllqWFVQdmVVY2hQNy9aSFJiSkVWQzBVCjdkZGJycDkvWkxPdzhrdlNGVlFZ
+            eWVkVnJhblFuTWRpbWVXbHJPRHpPUUUKLS0tIHQvU2RzOW9ET0hWd3ZUQ01ibE1w
+            dWYwMHFjSFBjbmE5cFl1U2hJdTZqczgK5uy8SJWSzIc7SjLq8NdnRP+hcN3DAk4r
+            MTU5T82eqjJ8vLDTPbAABIrSHYNhsf2DCNY1jtgqyofo3NvmjZLzMg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-28T06:30:53Z"
-    mac: ENC[AES256_GCM,data:oO/kejJCKPvPFSRugxy+/xNnkL4juOom74zT56JfLOLTfCNpTdwV4OvFK/YucTLsWJs1pb2+3DFwt+eQQCmJAWOWqq2HIdTm/VDQEqWeRqSZXB1F//VlM3NMXtiNciGqVj68UFGKpVAo3VtBLj0sKBsT29P4bImKLIylubJQnnw=,iv:WmN3AsiUIFffSn8xspdn6I95b+RLszJmpdsrGh5pni4=,tag:Bomin6RNr/oBiI/N1cKPDw==,type:str]
+    lastmodified: "2025-12-28T06:58:50Z"
+    mac: ENC[AES256_GCM,data:qTIgZM7d7OoH00rh4EXVgpju9hzCnCwFJi8q99AgGxpRZvuq6/vTzWGgFgHvn6WcgXpV5DAB70hOKt2F7E7VGujaP3ey4oQDwcbzZ9Q6l7u3MyRwz8KU9m4BOIrHfeIIWS6CxUbZSH2fVugoK4XomnHn8kocjT6Xm0dNWWBRyew=,iv:NMEGiKVlOMXzDbMGTiYVqeyMhzOdF5btVCc2HZKvu9I=,tag:GIJlGOjqL77KrhDlZ6x7oA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,10 @@ data "sops_file" "secret_vars" {`
`3`	`3`	`}`
`4`	`4`
`5`	`5`	`locals {`
`6`		`- account_id = data.sops_file.secret_vars.data["cloudflare_account_id"]`
`7`		`- zone_id = data.sops_file.secret_vars.data["cloudflare_zone_id"]`
	`6`	`+ account_id = data.sops_file.secret_vars.data["cloudflare_account_id"]`
	`7`	`+ zone_id = data.sops_file.secret_vars.data["cloudflare_zone_id"]`
	`8`	`+ github_warp_client_id = data.sops_file.secret_vars.data["github_warp_client_id"]`
	`9`	`+ github_warp_client_secret = data.sops_file.secret_vars.data["github_warp_client_secret"]`
`8`	`10`	`}`
`9`	`11`
`10`	`12`	`data "cloudflare_zone" "makeitwork_cloud" {`