From cecb49a197e11a87e8964da965e52a25eba96414 Mon Sep 17 00:00:00 2001
From: clarkzjw <i@jinwei.me>
Date: Fri, 13 Jan 2023 21:43:44 -0800
Subject: cloudflare: add access application and tunnel for bt

---
 clarkzjw.cc/infra/cloudflare.tf | 21 +++++++++++++++++++++
 clarkzjw.cc/infra/variables.tf  |  6 ++++++
 2 files changed, 27 insertions(+)

diff --git a/clarkzjw.cc/infra/cloudflare.tf b/clarkzjw.cc/infra/cloudflare.tf
index 0b40e57..13e7f41 100644
--- a/clarkzjw.cc/infra/cloudflare.tf
+++ b/clarkzjw.cc/infra/cloudflare.tf
@@ -62,6 +62,27 @@ resource "cloudflare_tunnel_config" "atlas_tunnel_route" {
   }
 }
 
+resource "cloudflare_access_application" "bt" {
+  zone_id                   = data.cloudflare_zones.homelab_main_domain.zones[0].id
+  name                      = "bt.${var.homelab_main_domain}"
+  domain                    = "bt.${var.homelab_main_domain}"
+  type                      = "self_hosted"
+  session_duration          = "24h"
+  auto_redirect_to_identity = false
+}
+
+resource "cloudflare_access_policy" "bt" {
+  application_id = cloudflare_access_application.bt.id
+  zone_id        = data.cloudflare_zones.homelab_main_domain.zones[0].id
+  name           = "Allow"
+  precedence     = "1"
+  decision       = "allow"
+
+  include {
+    email = [var.cloudflare_access_application_email]
+  }
+}
+
 # notify
 resource "cloudflare_record" "notify_SPF" {
   zone_id = data.cloudflare_zones.homelab_main_domain.zones[0].id
diff --git a/clarkzjw.cc/infra/variables.tf b/clarkzjw.cc/infra/variables.tf
index a9a8580..5326464 100644
--- a/clarkzjw.cc/infra/variables.tf
+++ b/clarkzjw.cc/infra/variables.tf
@@ -19,3 +19,9 @@ variable "cloudflare_api_token" {
   type = string
   sensitive = true
 }
+
+variable "cloudflare_access_application_email" {
+  description = "Email addresses allowed in Cloudflare Access config"
+  type = string
+  sensitive = false
+}
-- 
cgit v1.2.3