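# Cloudflare Access - Zero Trust Applications
#
# Each application below is fronted by Cloudflare Access. Access denies any
# request that matches no "allow" policy, so the policies in this file are the
# entire allow-list for these hostnames. Points a reviewer should verify before
# relying on them:
#  - `allowed_idps = []` (the variable default) is NOT a restriction: Cloudflare
#    treats an empty list as "every IdP configured on the account", including
#    One-time PIN if it is enabled. Pin explicit IdP IDs for production.
#  - `auto_redirect_to_identity` only takes effect when exactly one IdP is
#    allowed; with the default it is effectively ignored.
#  - `require { auth_method = ... }` is evaluated from the `amr` claim the IdP
#    returns. If the IdP does not emit `amr`, the rule can never match —
#    confirm with a test login rather than assuming the outcome.

locals {
  # Per-application email-domain allow-lists.  A null override falls back to
  # the shared `allowed_email_domains`, whose default grants BOTH domains to
  # BOTH tenants: an offsec.global address can reach the VaultMesh dashboard
  # and a vaultmesh.org address can reach the OffSec tools.  Set the override
  # variables if the two teams should not cross over.
  vaultmesh_email_domains = var.vaultmesh_email_domains != null ? var.vaultmesh_email_domains : var.allowed_email_domains
  offsec_email_domains    = var.offsec_email_domains != null ? var.offsec_email_domains : var.allowed_email_domains
}

# Access Application for VaultMesh Dashboard
resource "cloudflare_access_application" "vaultmesh_dash" {
  zone_id                   = cloudflare_zone.domains["vaultmesh.org"].id
  name                      = "VaultMesh Dashboard"
  domain                    = "dash.vaultmesh.org"
  type                      = "self_hosted"
  session_duration          = "24h"
  auto_redirect_to_identity = true
  allowed_idps              = var.allowed_idps
}

# Access Application for VaultMesh Guardian (Admin)
resource "cloudflare_access_application" "vaultmesh_guardian" {
  zone_id                   = cloudflare_zone.domains["vaultmesh.org"].id
  name                      = "VaultMesh Guardian"
  domain                    = "guardian.vaultmesh.org"
  type                      = "self_hosted"
  session_duration          = "8h" # Shorter for admin
  auto_redirect_to_identity = true
  allowed_idps              = var.allowed_idps
}

# Access Application for OffSec Internal
resource "cloudflare_access_application" "offsec_internal" {
  zone_id                   = cloudflare_zone.domains["offsec.global"].id
  name                      = "OffSec Internal Tools"
  domain                    = "internal.offsec.global"
  type                      = "self_hosted"
  session_duration          = "12h"
  auto_redirect_to_identity = true
  allowed_idps              = var.allowed_idps
}

# Access Policy - Allow anyone at the VaultMesh email domains
resource "cloudflare_access_policy" "vaultmesh_dash_policy" {
  application_id = cloudflare_access_application.vaultmesh_dash.id
  zone_id        = cloudflare_zone.domains["vaultmesh.org"].id
  name           = "Allow VaultMesh Team"
  precedence     = 1
  decision       = "allow"

  include {
    # Domain-wide include: anyone the IdP asserts under these domains gets in.
    email_domain = local.vaultmesh_email_domains
  }

  require {
    # Any second factor reported by the IdP in `amr`.
    auth_method = "mfa"
  }
}

# Access Policy - Guardian (admin-only, by explicit email)
resource "cloudflare_access_policy" "vaultmesh_guardian_policy" {
  application_id = cloudflare_access_application.vaultmesh_guardian.id
  zone_id        = cloudflare_zone.domains["vaultmesh.org"].id
  name           = "Allow Guardian Admins"
  precedence     = 1
  decision       = "allow"

  include {
    # Explicit allow-list, not a domain: with the default (empty) list this
    # policy admits nobody.
    email = var.admin_emails
  }

  require {
    # Generic MFA — any second factor the IdP reports in `amr`.  This is NOT a
    # hardware-key requirement, even though the app is admin-only.  To require
    # a hardware key use the RFC 8176 value "hwk", but only after confirming
    # the IdP actually emits "hwk"; otherwise every admin is locked out.
    auth_method = "mfa"
  }
}

# Access Policy - OffSec Internal
resource "cloudflare_access_policy" "offsec_internal_policy" {
  application_id = cloudflare_access_application.offsec_internal.id
  zone_id        = cloudflare_zone.domains["offsec.global"].id
  name           = "Allow OffSec Team"
  precedence     = 1
  decision       = "allow"

  include {
    email_domain = local.offsec_email_domains
  }

  require {
    auth_method = "mfa"
  }
}

# Service Tokens for machine-to-machine auth
#
# Creating a token grants nothing by itself: no policy in this file includes
# either token, so a client presenting one is still denied until some
# application gets a policy whose `include` lists the token
# (`service_token = [...]`).  The generated client secret is an attribute of
# these resources and therefore lands in Terraform state — treat the state
# backend as secret material (encrypted, access-controlled).
resource "cloudflare_access_service_token" "vaultmesh_api" {
  zone_id              = cloudflare_zone.domains["vaultmesh.org"].id
  name                 = "VaultMesh API Service Token"
  min_days_for_renewal = 30 # Terraform rotates the token when fewer days remain
}

resource "cloudflare_access_service_token" "offsec_api" {
  zone_id              = cloudflare_zone.domains["offsec.global"].id
  name                 = "OffSec API Service Token"
  min_days_for_renewal = 30
}

# Variables for Access
variable "allowed_idps" {
  description = "Identity Provider IDs allowed on every application. An empty list means ALL account IdPs (Cloudflare semantics), not none."
  type        = list(string)
  default     = []
}

variable "allowed_email_domains" {
  description = "Email domains allowed to access applications when no per-application override is set. The default grants both domains to both tenants."
  type        = list(string)
  default     = ["vaultmesh.org", "offsec.global"]
}

variable "vaultmesh_email_domains" {
  description = "Optional override of allowed_email_domains for the VaultMesh dashboard only (null = use allowed_email_domains)."
  type        = list(string)
  default     = null
}

variable "offsec_email_domains" {
  description = "Optional override of allowed_email_domains for the OffSec internal tools only (null = use allowed_email_domains)."
  type        = list(string)
  default     = null
}

variable "admin_emails" {
  description = "Explicit admin email addresses for the Guardian app. Must be set: with the default [] the Guardian policy admits nobody, and an empty include may also be rejected at apply time."
  type        = list(string)
  default     = []
}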