Skip to content

Commit

Permalink
add Terraform examples
Browse files Browse the repository at this point in the history
  • Loading branch information
ranbel committed Oct 18, 2024
1 parent d1182f5 commit b487888
Show file tree
Hide file tree
Showing 5 changed files with 159 additions and 99 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -47,29 +47,13 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti

<Render file="access/add-infrastructure-app" />

## 3. Add a policy

<Render file="access/add-infrastructure-policy" />

### Selectors

The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:

- Email
- Emails ending in
- SAML group
- Country
- Authentication method
- Device posture
- Entra group, GitHub organization, Google Workspace group, Okta group

## 4. Configure the server
## 3. Configure the server

Certain protocols require configuring the server to trust connections through Access for Infrastructure. For more information, refer to the protocol-specific tutorial:

- [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#7-configure-ssh-server)

## Connect as a user
## 4. Connect as a user

Users connect to the target's IP address as if they were on your private network, using their preferred client software. The user must be logged into WARP on their device, but no other system configuration is required. You can optionally configure a [private DNS resolver](/cloudflare-one/policies/gateway/resolver-policies/) to allow connections to the target's private hostname.

Expand Down Expand Up @@ -116,3 +100,15 @@ warp-cli target list
## Revoke a user's session

To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.

## Infrastructure policy selectors

The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:

- Email
- Emails ending in
- SAML group
- Country
- Authentication method
- Device posture
- Entra group, GitHub organization, Google Workspace group, Okta group
Original file line number Diff line number Diff line change
Expand Up @@ -40,11 +40,7 @@ To connect your devices to Cloudflare:

<Render file="access/add-infrastructure-app" />

## 6. Add a policy

<Render file="access/add-infrastructure-policy" />

## 7. Configure SSH server
## 6. Configure SSH server

Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.

Expand All @@ -65,7 +61,7 @@ To generate a Cloudflare SSH CA and get its public key:
### Restart your SSH server
<Render file="ssh/restart-server" />

## 8. Connect as a user
## 7. Connect as a user

Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is [connected to that virtual network](/cloudflare-one/connections/connect-networks/private-net/cloudflared/tunnel-virtual-networks/#connect-to-a-virtual-network) before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:

Expand Down
138 changes: 98 additions & 40 deletions src/content/partials/cloudflare-one/access/add-infrastructure-app.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -15,57 +15,115 @@ import { Tabs, TabItem, Render } from "~/components"
5. In **Target criteria**, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
6. Enter the **Protocol** and **Port** that will be used to connect to the server.
7. (Optional) If a protocol runs on more than one port, select **Add new target criteria** and reconfigure the same target hostname and protocol with a different port number.
:::note
Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
:::
8. Select **Next**.
9. To secure your targets, configure a policy that defines who can connect and how they can connect:
1. Enter any name for your policy.
2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to [Access policies](/cloudflare-one/policies/access/) and review the list of [infrastructure policy selectors](/cloudflare-one/applications/non-http/infrastructure-apps/#infrastructure-policy-selectors).
3. In **Connection context**, enter the UNIX usernames that users can log in as (for example, `root` or `ec2-user`).
4. Select **Add application**.
</TabItem>
<TabItem label="API">

To add an infrastructure application using the [API](/api/operations/access-applications-add-an-application):

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"name": "example app",
"type": "infrastructure",
"target_criteria": [
{
"target_attributes": {
"hostname": [
"infra-access-target"
]
},
"port": 22,
"protocol": "SSH"
}
],
"policies": [
{
"name": "Allow a specific email",
"decision": "allow",
"include": [
{
"email": {
"email": "jdoe@company.com"
}
}
],
"connection_rules": {
"ssh": {
"usernames": [
"root",
"ec2-user"
1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
| Type | Item | Permission |
| ------- | ---------------- | ---------- |
| Account | Access: Apps & Policies | Edit |

2. Make a `POST` request to the [Access applications](/api/operations/access-applications-add-an-application) endpoint:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
"name": "Example infrastructure app",
"type": "infrastructure",
"target_criteria": [
{
"target_attributes": {
"hostname": [
"infra-access-target"
]
},
"port": 22,
"protocol": "SSH"
}
],
"policies": [
{
"name": "Allow a specific email",
"decision": "allow",
"include": [
{
"email": {
"email": "jdoe@company.com"
}
}
],
"connection_rules": {
"ssh": {
"usernames": [
"root",
"ec2-user"
]
}
}
}
]
}'
```

</TabItem>
<TabItem label="Terraform">

1. Use the [`cloudflare_zero_trust_access_application`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_application) resource to create an infrastructure application:

```tf
resource "cloudflare_zero_trust_access_application" "infra-app" {
account_id = "f037e56e89293a057740de681ac9abbe"
name = "Example infrastructure app"
type = "infrastructure"
target_criteria {
port = 22
protocol = "SSH"
target_attributes {
name = "hostname"
values = ["infra-access-target"]
}
}
}
```

2. Use the [`cloudflare_zero_trust_access_policy`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/zero_trust_access_policy) resource to add an infrastructure policy to the application:

```tf
resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
application_id = cloudflare_zero_trust_access_application.infra-app.id
account_id = "f037e56e89293a057740de681ac9abbe"
name = "Allow a specific email"
decision = "allow"
precedence = 1
include {
email = ["jdoe@company.com"]
}
]
}'
```
connection_rules {
ssh {
usernames = ["root", "ec2-user"]
}
}
}
```
</TabItem>
</Tabs>

The targets in this application are now secured by your infrastructure policies.

:::note
Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.
Gateway [network policies](/cloudflare-one/policies/gateway/network-policies/) take precedence over infrastructure policies. For example, if you block port `22` for all users in Gateway, then no one can SSH over port `22` to your targets.
:::

This file was deleted.

61 changes: 45 additions & 16 deletions src/content/partials/cloudflare-one/access/add-target.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ A target represents a single resource in your infrastructure (such as a server,

To create a new target:

<Tabs>
<Tabs syncKey="dashPlusAPI">
<TabItem label="Dashboard">
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
2. Select **Add a target**.
Expand All @@ -30,22 +30,51 @@ To create a new target:
</TabItem>
<TabItem label="API">

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"hostname": "infra-access-target",
"ip": {
"ipv4": {
"ip_addr": "187.26.29.249",
"virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
},
"ipv6": {
"ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
"virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
| Type | Item | Permission |
| ------- | ---------------- | ---------- |
| Account | Zero Trust | Edit |

2. Make a `POST` request to the [Infrastructure Access Targets](/api/operations/infra-targets-post) endpoint:

```sh
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{
"hostname": "infra-access-target",
"ip": {
"ipv4": {
"ip_addr": "187.26.29.249",
"virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
},
"ipv6": {
"ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
"virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
}
}
}'
```

</TabItem>
<TabItem label="Terraform">

Configure the [`cloudflare_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.44.0/docs/resources/infrastructure_access_target) resource:

```tf
resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
account_id = "f037e56e89293a057740de681ac9abbe"
hostname = "infra-access-target"
ip = {
ipv4 = {
ip_addr = "187.26.29.249"
virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
}
ipv6 = {
ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
}
}
}
}'
}
```

</TabItem>
Expand Down

0 comments on commit b487888

Please sign in to comment.