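# Cloudflare Tunnels
#
# Declares two Cloudflare Tunnels (VaultMesh and OffSec), the ingress rules
# that map public hostnames to local origins behind each tunnel, the DNS
# records that point the VaultMesh hostnames at the tunnel, and the input
# variables that carry each tunnel's secret.

# Tunnel for VaultMesh services
resource "cloudflare_tunnel" "vaultmesh" {
  account_id = local.account_id
  name       = "vaultmesh-tunnel"
  # Tunnel credential; supplied out-of-band via the sensitive variable below
  # and never written into this file.
  secret = var.tunnel_secret_vaultmesh
}

# Tunnel for OffSec services
resource "cloudflare_tunnel" "offsec" {
  account_id = local.account_id
  name       = "offsec-tunnel"
  secret     = var.tunnel_secret_offsec
}

# Tunnel configuration for VaultMesh.
# Ingress rules are matched top-down; the final rule has no hostname and is
# the mandatory catch-all, so it must stay last.
resource "cloudflare_tunnel_config" "vaultmesh" {
  account_id = local.account_id
  tunnel_id  = cloudflare_tunnel.vaultmesh.id

  config {
    # VaultMesh Core API
    ingress_rule {
      hostname = "api.vaultmesh.org"
      service  = "http://localhost:8080"

      origin_request {
        connect_timeout = "10s"
        # Kept explicitly false so origin certificate verification stays on
        # if this service is ever switched from http:// to https://.
        no_tls_verify = false
      }
    }

    # VaultMesh Dashboard
    ingress_rule {
      hostname = "dash.vaultmesh.org"
      service  = "http://localhost:3000"
    }

    # VaultMesh Guardian
    ingress_rule {
      hostname = "guardian.vaultmesh.org"
      service  = "http://localhost:8081"
    }

    # Catch-all: anything not matched above gets a 404 rather than an origin.
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# Tunnel configuration for OffSec (same ordering rule as above).
resource "cloudflare_tunnel_config" "offsec" {
  account_id = local.account_id
  tunnel_id  = cloudflare_tunnel.offsec.id

  config {
    # OffSec main site
    ingress_rule {
      hostname = "offsec.global"
      service  = "http://localhost:8090"
    }

    # OffSec Agent portal
    ingress_rule {
      hostname = "offsecagent.com"
      service  = "http://localhost:8091"
    }

    # OffSec Shield dashboard
    ingress_rule {
      hostname = "offsecshield.com"
      service  = "http://localhost:8092"
    }

    # Catch-all
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# DNS records pointing to tunnels.
# Each record is a proxied CNAME to <tunnel-id>.cfargotunnel.com; `proxied`
# must remain true, since a tunnel CNAME only resolves through Cloudflare's
# edge.
#
# NOTE(review): only the VaultMesh hostnames get records here. Nothing in
# this file routes offsec.global, offsecagent.com or offsecshield.com to
# cloudflare_tunnel.offsec — either those records live elsewhere or the OffSec
# ingress rules are unreachable; confirm before relying on them.
resource "cloudflare_record" "tunnel_vaultmesh_api" {
  zone_id = cloudflare_zone.domains["vaultmesh.org"].id
  name    = "api"
  value   = "${cloudflare_tunnel.vaultmesh.id}.cfargotunnel.com"
  type    = "CNAME"
  proxied = true
}

resource "cloudflare_record" "tunnel_vaultmesh_dash" {
  zone_id = cloudflare_zone.domains["vaultmesh.org"].id
  name    = "dash"
  value   = "${cloudflare_tunnel.vaultmesh.id}.cfargotunnel.com"
  type    = "CNAME"
  proxied = true
}

resource "cloudflare_record" "tunnel_vaultmesh_guardian" {
  zone_id = cloudflare_zone.domains["vaultmesh.org"].id
  name    = "guardian"
  value   = "${cloudflare_tunnel.vaultmesh.id}.cfargotunnel.com"
  type    = "CNAME"
  proxied = true
}

# Variables for tunnel secrets.
# No defaults: the previous `default = ""` let a run that forgot to set the
# variable create a tunnel with an empty secret. The validation enforces the
# documented shape — base64 of at least 32 raw bytes, i.e. at least 44
# base64 characters — so a short or malformed value fails at plan time
# instead of at the provider.
variable "tunnel_secret_vaultmesh" {
  description = "Secret for VaultMesh tunnel (base64 encoded 32+ bytes)"
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.tunnel_secret_vaultmesh) >= 44 && can(regex("^[A-Za-z0-9+/]+=*$", var.tunnel_secret_vaultmesh))
    error_message = "tunnel_secret_vaultmesh must be a base64 string encoding at least 32 bytes."
  }
}

variable "tunnel_secret_offsec" {
  description = "Secret for OffSec tunnel (base64 encoded 32+ bytes)"
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.tunnel_secret_offsec) >= 44 && can(regex("^[A-Za-z0-9+/]+=*$", var.tunnel_secret_offsec))
    error_message = "tunnel_secret_offsec must be a base64 string encoding at least 32 bytes."
  }
}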