defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00


# Terraform and provider version pins plus the remote state backend.
# The tunnel resources in this file pass secrets (var.tunnel_secret_*) into
# resource arguments, so whatever backend is configured here will hold that
# secret material in state; treat the state bucket as sensitive.
terraform {
  required_version = ">= 1.0"
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
  backend "s3" {
    # Configure your backend here
    # bucket = "your-terraform-state"
    # key = "cloudflare/terraform.tfstate"
    # region = "us-east-1"
    # NOTE(review): when the backend is enabled, also set `encrypt = true`
    # and configure state locking, because tunnel secrets end up in state.
  }
}
# Provider authentication: the token is only ever supplied through the
# sensitive input variable, never written into this file.
provider "cloudflare" {
  api_token = var.cloudflare_api_token
}
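# Variables
#
# NOTE(review): the cloudflare_tunnel resources further down reference
# var.tunnel_secret_control_plane and var.tunnel_secret_site_1/2/3, which are
# not declared in the visible part of this file. If they are not declared in a
# sibling file either, add them here with `type = string` and
# `sensitive = true` so the configuration validates and the secrets are
# redacted from plan output.

variable "cloudflare_api_token" {
  description = "Cloudflare API token"
  type        = string
  # Redacted from plan/apply output; the value still lands in state.
  sensitive = true
}

variable "zone_id" {
  description = "Cloudflare Zone ID"
  type        = string

  # Cloudflare IDs are 32 hex characters; rejecting a malformed value at plan
  # time is cheaper than a failed or mis-targeted apply.
  validation {
    condition     = can(regex("^[0-9a-fA-F]{32}$", var.zone_id))
    error_message = "zone_id must be a 32-character hexadecimal Cloudflare zone ID."
  }
}

variable "account_id" {
  description = "Cloudflare Account ID"
  type        = string

  validation {
    condition     = can(regex("^[0-9a-fA-F]{32}$", var.account_id))
    error_message = "account_id must be a 32-character hexadecimal Cloudflare account ID."
  }
}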
# Access Applications
#
# Each application fronts one hostname with Cloudflare Access; the policies
# attached to it decide who gets through.

resource "cloudflare_access_application" "portal" {
  name    = "Hybrid Cloud Portal"
  domain  = "portal.sankofa.nexus"
  zone_id = var.zone_id

  # Longest session of the set; the portal is the least privileged surface.
  session_duration = "24h"

  # Credentials are only allowed for the portal's own origin, never "*".
  cors_headers {
    allowed_origins   = ["https://portal.sankofa.nexus"]
    allowed_methods   = ["GET", "POST", "PUT", "DELETE"]
    allow_credentials = true
  }
}
# Administrative UIs. Session length shrinks with the blast radius of the
# tool: control-plane and secrets/identity consoles re-authenticate sooner.
#
# NOTE(review): no cloudflare_access_policy in this file targets these five
# applications (only "portal" has policies). Confirm the policies are defined
# elsewhere; an Access application without a matching allow policy admits
# nobody, so this is a functional gap rather than an exposure.

resource "cloudflare_access_application" "rancher" {
  name             = "Rancher UI"
  domain           = "rancher.sankofa.nexus"
  zone_id          = var.zone_id
  session_duration = "4h"
}

resource "cloudflare_access_application" "argocd" {
  name             = "ArgoCD GitOps"
  domain           = "argocd.sankofa.nexus"
  zone_id          = var.zone_id
  session_duration = "8h"
}

resource "cloudflare_access_application" "grafana" {
  name             = "Grafana Dashboards"
  domain           = "grafana.sankofa.nexus"
  zone_id          = var.zone_id
  session_duration = "24h"
}

resource "cloudflare_access_application" "vault" {
  name             = "HashiCorp Vault"
  domain           = "vault.sankofa.nexus"
  zone_id          = var.zone_id
  session_duration = "2h"
}

resource "cloudflare_access_application" "keycloak" {
  name             = "Keycloak Admin"
  domain           = "keycloak.sankofa.nexus"
  zone_id          = var.zone_id
  session_duration = "2h"
}
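# Access Policies
#
# Cloudflare Access evaluates an application's policies in precedence order
# and stops at the first "allow" whose include/require clauses are satisfied.
# In the original ordering the domain-wide allow ran first, so an admin (who
# is also in the sankofa.nexus domain) was admitted without ever reaching the
# MFA policy. The MFA policy is now evaluated first and, as a second line of
# defence, admins are excluded from the domain-wide policy so it can never
# be their way in.

resource "cloudflare_access_policy" "portal_admin_mfa" {
  application_id = cloudflare_access_application.portal.id
  zone_id        = var.zone_id
  name           = "Require MFA for Admins"
  decision       = "allow"
  precedence     = 1

  # List-typed selector, consistent with the `email = [...]` form used by
  # the access groups.
  include {
    group = [cloudflare_access_group.admins.id]
  }

  # NOTE(review): the v4 provider expresses an MFA requirement through the
  # auth_method selector rather than an `mfa` attribute; confirm against the
  # pinned provider version before applying.
  require {
    auth_method = "mfa"
  }
}

resource "cloudflare_access_policy" "portal_authenticated" {
  application_id = cloudflare_access_application.portal.id
  zone_id        = var.zone_id
  name           = "Allow Authenticated Users"
  decision       = "allow"
  precedence     = 2

  include {
    email_domain = ["sankofa.nexus"]
  }

  # Admins are handled exclusively by portal_admin_mfa above.
  exclude {
    group = [cloudflare_access_group.admins.id]
  }
}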
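# Access Groups
#
# Selector attributes (email_domain, email) are list-typed in the v4
# provider; the original mixed a bare string for email_domain with a list
# for email.

# Admin identities, parameterised so the list is not hard-coded in the
# group definition. The default preserves the original single address.
variable "admin_emails" {
  description = "Email addresses that are members of the admins Access group"
  type        = list(string)
  default     = ["admin@sankofa.nexus"]
}

resource "cloudflare_access_group" "admins" {
  account_id = var.account_id
  name       = "admins"

  include {
    email_domain = ["sankofa.nexus"]
  }

  # The include/require pair narrows the domain down to the listed addresses.
  require {
    email = var.admin_emails
  }
}

# NOTE(review): platform_engineers and employees currently have identical
# membership (the whole domain), so platform_engineers grants nothing
# narrower than employees. Confirm whether it should carry a require clause.
resource "cloudflare_access_group" "platform_engineers" {
  account_id = var.account_id
  name       = "platform-engineers"

  include {
    email_domain = ["sankofa.nexus"]
  }
}

resource "cloudflare_access_group" "employees" {
  account_id = var.account_id
  name       = "employees"

  include {
    email_domain = ["sankofa.nexus"]
  }
}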
# Tunnels
#
# One cloudflared tunnel per site. The `secret` argument is the tunnel
# credential: it is supplied via variables and is recorded in Terraform
# state, so the state backend must be protected accordingly.
# NOTE(review): the tunnel_secret_* variables are referenced here but not
# declared in the visible part of this file.

resource "cloudflare_tunnel" "control_plane" {
  name       = "control-plane-tunnel"
  account_id = var.account_id
  secret     = var.tunnel_secret_control_plane
}

resource "cloudflare_tunnel" "proxmox_site_1" {
  name       = "proxmox-site-1-tunnel"
  account_id = var.account_id
  secret     = var.tunnel_secret_site_1
}

resource "cloudflare_tunnel" "proxmox_site_2" {
  name       = "proxmox-site-2-tunnel"
  account_id = var.account_id
  secret     = var.tunnel_secret_site_2
}

resource "cloudflare_tunnel" "proxmox_site_3" {
  name       = "proxmox-site-3-tunnel"
  account_id = var.account_id
  secret     = var.tunnel_secret_site_3
}
# Tunnel Routes
#
# Each route publishes a whole /16 behind its tunnel to the Zero Trust
# network. Who may reach those ranges is decided by Gateway/Access network
# policies, not by the route itself.

resource "cloudflare_tunnel_route" "control_plane" {
  comment    = "Control plane network"
  network    = "10.0.0.0/16"
  tunnel_id  = cloudflare_tunnel.control_plane.id
  account_id = var.account_id
}

resource "cloudflare_tunnel_route" "site_1" {
  comment    = "Proxmox site 1 network"
  network    = "10.1.0.0/16"
  tunnel_id  = cloudflare_tunnel.proxmox_site_1.id
  account_id = var.account_id
}

resource "cloudflare_tunnel_route" "site_2" {
  comment    = "Proxmox site 2 network"
  network    = "10.2.0.0/16"
  tunnel_id  = cloudflare_tunnel.proxmox_site_2.id
  account_id = var.account_id
}

resource "cloudflare_tunnel_route" "site_3" {
  comment    = "Proxmox site 3 network"
  network    = "10.3.0.0/16"
  tunnel_id  = cloudflare_tunnel.proxmox_site_3.id
  account_id = var.account_id
}
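# Gateway Policies
#
# The original defined a blocklist and a DNS block rule but never connected
# them: the rule had no `traffic` expression, so the list was unused and the
# rule did not act on it. The rule now matches DNS queries against the list.

resource "cloudflare_teams_list" "blocked_domains" {
  account_id = var.account_id
  name       = "Blocked Domains"
  type       = "DOMAIN"

  # Placeholder entries; replace with the organisation's real blocklist or
  # feed the list from a managed source.
  items = [
    "malware.example.com",
    "phishing.example.com"
  ]
}

resource "cloudflare_teams_rule" "block_malicious" {
  account_id  = var.account_id
  name        = "Block Malicious Domains"
  description = "Block known malicious domains"
  precedence  = 1
  action      = "block"
  filters     = ["dns"]

  # Gateway expression language references a list as `$<id>`; `$$` escapes
  # the dollar for Terraform's template interpolation.
  # NOTE(review): confirm whether the list ID must be used with or without
  # hyphens for the pinned provider version.
  traffic = "any(dns.domains[*] in $${replace(cloudflare_teams_list.blocked_domains.id, "-", "")})"

  rule_settings {
    block_page_enabled = true
    block_reason       = "This domain is blocked by security policy"
  }
}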
# Outputs
#
# Resource identifiers only; no secret material is exported here.

output "tunnel_ids" {
  description = "Cloudflare tunnel IDs keyed by site"
  value = {
    control_plane = cloudflare_tunnel.control_plane.id
    site_1        = cloudflare_tunnel.proxmox_site_1.id
    site_2        = cloudflare_tunnel.proxmox_site_2.id
    site_3        = cloudflare_tunnel.proxmox_site_3.id
  }
}

output "application_ids" {
  description = "Cloudflare Access application IDs keyed by application"
  value = {
    portal   = cloudflare_access_application.portal.id
    rancher  = cloudflare_access_application.rancher.id
    argocd   = cloudflare_access_application.argocd.id
    grafana  = cloudflare_access_application.grafana.id
    vault    = cloudflare_access_application.vault.id
    keycloak = cloudflare_access_application.keycloak.id
  }
}