feat(dns): setup cloudflared tunnel and DNS records

cloudflare/main.tf

@@ -0,0 +1,60 @@
+terraform {
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "cloudflare" {
+  api_token = var.cloudflare_api_token
+}
+
+module "services" {
+  source = "./services"
+}
+
+module "dns" {
+  source               = "./dns"
+  services             = module.services.services
+  cloudflare_zone_id   = var.cloudflare_zone_id
+  cloudflare_tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.ratchet_tunnel.id
+}
+
+module "policies" {
+  source                = "./policies"
+  cloudflare_zone_id    = var.cloudflare_zone_id
+  cloudflare_account_id = var.cloudflare_account_id
+  cloudflare_email      = var.cloudflare_email
+}
+
+resource "cloudflare_zero_trust_tunnel_cloudflared" "ratchet_tunnel" {
+  account_id    = var.cloudflare_account_id
+  tunnel_secret = var.cloudflared_tunnel_secret
+  name          = "cloudflare > ratchet tunnel"
+  config_src    = "cloudflare"
+}
+
+resource "cloudflare_zero_trust_tunnel_cloudflared_config" "ratchet_tunnel_config" {
+  account_id = var.cloudflare_account_id
+  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.ratchet_tunnel.id
+  config = {
+    ingress = concat([for k,v in module.services.services : { hostname = "${v.subdomain}.madunde.ad", service = v.service} ], [{ service = "http_status:404" }])
+  }
+}
+
+resource "cloudflare_zero_trust_access_application" "access_application" {
+  for_each = module.services.services
+  account_id = var.cloudflare_account_id
+  zone_id    = var.cloudflare_zone_id
+  domain     = "${each.value.subdomain}.madunde.ad"
+  type       = "self_hosted"
+  name       = "Access application for ${each.value.subdomain}.madunde.ad"
+  policies = [
+    {
+      id         = module.policies[each.value.policy].id
+      precedence = 1
+    }
+  ]
+}