Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Access application and policy support #145

Merged
merged 7 commits into from
Nov 7, 2018
Merged

Add Access application and policy support #145

merged 7 commits into from
Nov 7, 2018

Conversation

jacobbednarz
Copy link
Member

This introduces two new resources for Cloudflare Access:

  • cloudflare_access_application: An Access Application that covers the
    URL and a friendly name.
  • cloudflare_access_policy: An Access Policy that enforces
    authorisation on aforementioned Application.

Initially I considered introducing a single resource
(cloudflare_access_application) however running over our existing
Access configuration showed that we would end up with quite a bit of
duplication if the policy was embedded in the resource. For example:

resource "cloudflare_access_application" "test"
  zone_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
  name    = "my test"
  domain  = "test.envato-staging.com"

  policy {
    name = "allow test user"
    precedence = "1"
    decision  = "allow"

    include = {
      email = ["[email protected]"]
    }
  }
}

While it looks sensible here, it gets a bit messy with multiple policies
for a single application.

resource "cloudflare_access_application" "test"
  zone_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
  name    = "my test"
  domain  = "test.envato-staging.com"

  policies = [
    {
      name = "prevent former employee access"
      precedence = "1"
      decision  = "deny"

      include = {
        email = ["[email protected]"]
      }
    },
    {
      name = "allow all users"
      precedence = "2"
      decision  = "allow"

      include = {
        email_domains = ["test.com"]
      }
    }
  ]
}

(Yes, this could be collapsed into a single policy block but bear with
me for the sake of the example)

Now, I'm not totally opposed to this approach however I was swayed away
from it since there are dedicated endpoints for the Application and
Policies and I thought this may cause some confusion if I coupled them
in the Terraform provider. If others think it should be embedded though,
I'm happy to update.

In it's current form, you'd need to create the two resources to
actually have a useful implementation. Example:

resource "cloudflare_access_application" "test_app" {
  zone_id = "1d5fdc9e88c8a8c4518b068cd94331fe"
  name    = "my test"
  domain  = "staging.example.com"
}

resource "cloudflare_access_policy" "test_policy" {
  application_id = "${cloudflare_access_application.test_app.id}"
  zone_id        = "${cloudflare_access_application.test_app.zone_id}"
  name           = "test policy"
  precedence     = "1"
  decision       = "allow"

  include = {
    email = ["[email protected]"]
  }
}

Screenshots

Access Application: https://shares.jacobbednarz.com/dfs98jdsf.png
Access Policy: https://shares.jacobbednarz.com/dfgsgdwf.png

Depends on cloudflare/cloudflare-go#244
Closes #100

cc @AustinCorridor

@ghost ghost added the size/XL label Oct 30, 2018
@jacobbednarz jacobbednarz mentioned this pull request Oct 30, 2018
Closed
@patryk
Copy link
Contributor

patryk commented Nov 7, 2018

Yes, I agree with your design decision, this one looks better. Many thanks for contribution! 🍻

@patryk patryk merged commit ed996ef into cloudflare:master Nov 7, 2018
@jacobbednarz jacobbednarz deleted the access-support branch November 7, 2018 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jacobbednarz @patryk