zero trust app

terraform/main.tf

@@ -10,5 +10,6 @@ module "zero-trust-app" {
   source             = "./modules/zero_trust_application"
   cloudflare_zone_id = var.cloudflare_zone_id
 
-  names = ["ollama", "argocd", "ceph", "grafana", "oauth2"]
+  names      = ["ollama", "argocd", "ceph", "grafana", "oauth2"]
+  group_list = var.group_list
 }

terraform/modules/zero_trust_application/main.tf

@@ -1,3 +1,12 @@
+resource "cloudflare_access_policy" "policy" {
+  for_each = { for idx, name in var.names : idx => name }
+
+  zone_id  = var.cloudflare_zone_id
+  name     = "${each.value}-github-auth"
+  decision = "allow"
+  group    = var.group_list
+}
+
 resource "cloudflare_zero_trust_access_application" "app" {
   for_each = { for idx, name in var.names : idx => name }
 
@@ -9,6 +18,6 @@ resource "cloudflare_zero_trust_access_application" "app" {
   auto_redirect_to_identity  = false
   http_only_cookie_attribute = true
   policies = [
-    "fb055de1-7853-4cd1-847c-1404d43b70cb"
+    cloudflare_access_policy.policy[each.key].id
   ]
 }

terraform/modules/zero_trust_application/variables.tf

@@ -6,4 +6,9 @@ variable "names" {
 variable "cloudflare_zone_id" {
   description = "The zone ID for Cloudflare"
   type        = string
+}
+
+variable "group_list" {
+  description = "zero trust access group list"
+  type        = list(string)
 }

terraform/variables.tf

@@ -11,4 +11,9 @@ variable "cloudflare_api_key" {
 variable "cloudflare_zone_id" {
   description = "The zone ID for Cloudflare"
   type        = string
+}
+
+variable "group_list" {
+  description = "zero trust access group list"
+  type        = list(string)
 }