feat(cloudflare): make Cloudflare Zero Trust optional

terraform/cloudflare.tf

@@ -1,8 +1,8 @@
 locals {
-  cf_zone_id     = data.cloudflare_zone.cf_zone.id
+  cf_zone_id     = var.cf_zero_trust_enabled ? data.cloudflare_zone.cf_zone.id : ""
   cf_cname       = "${var.cf_subdomain}.${var.cf_domain}"
   cf_tunnel_name = "${var.namespace}-tunnel-${var.stage}"
-  cf_argo_secret = random_id.argo_secret.b64_std
+  cf_argo_secret = random_id.argo_secret[0].b64_std
 }
 
 # Get the zone ID for the given domain
@@ -16,29 +16,41 @@ data "cloudflare_zone" "cf_zone" {
 
 # Create a secret for the Cloudflare Argo Tunnel
 resource "random_id" "argo_secret" {
+
+  count = var.cf_zero_trust_enabled ? 1 : 0
+
   byte_length = 35
 }
 
 # Create the Cloudflare Argo Tunnel for Cloudflare Access
 resource "cloudflare_argo_tunnel" "cf_tunnel" {
+
+  count = var.cf_zero_trust_enabled ? 1 : 0
+
   account_id = var.cf_account_id
   name       = local.cf_tunnel_name
   secret     = local.cf_argo_secret
 }
 
 # Create the Cloudfflare Argo Tunnel Route
 resource "cloudflare_tunnel_route" "cf_tunnel_route" {
+
+  count = var.cf_zero_trust_enabled ? 1 : 0
+
   account_id = var.cf_account_id
-  tunnel_id  = cloudflare_argo_tunnel.cf_tunnel.id
+  tunnel_id  = cloudflare_argo_tunnel.cf_tunnel[0].id
   network    = "${oci_core_instance.instance.private_ip}/32"
   comment    = "Tunnel Route for VSCode Server"
 }
 
 # Create the Cloudflare DNS Record for the Cloudflare Argo Tunnel
 resource "cloudflare_record" "cf_tunnel_cname" {
+
+  count = var.cf_zero_trust_enabled ? 1 : 0
+
   zone_id = local.cf_zone_id
   name    = var.cf_subdomain
-  value   = "${cloudflare_argo_tunnel.cf_tunnel.id}.cfargotunnel.com"
+  value   = "${cloudflare_argo_tunnel.cf_tunnel[0].id}.cfargotunnel.com"
   type    = "CNAME"
   proxied = true
 }
@@ -49,6 +61,9 @@ resource "cloudflare_record" "cf_tunnel_cname" {
 
 # Create the Cloudflare Access Application
 resource "cloudflare_access_application" "cf_application" {
+
+  count = var.cf_zero_trust_enabled ? 1 : 0
+
   zone_id          = local.cf_zone_id
   domain           = local.cf_cname
   name             = "VSCode Server"
@@ -60,9 +75,10 @@ resource "cloudflare_access_application" "cf_application" {
 # Create the Cloudflare Access Application Allow Policy
 resource "cloudflare_access_policy" "cf_allow_policy" {
 
-  count = length(var.cf_allowed_users) != 0 ? 1 : 0
+  count = var.cf_zero_trust_enabled ? 1 : 0
+  # count = length(var.cf_allowed_users) != 0 ? 1 : 0
 
-  application_id = cloudflare_access_application.cf_application.id
+  application_id = cloudflare_access_application.cf_application[0].id
   zone_id        = local.cf_zone_id
   name           = "Allow Policy"
   precedence     = "1"

terraform/install.tf

@@ -25,7 +25,7 @@ resource "local_file" "ansible_variables" {
     volume_device_name   = var.block_volume_device_name
     vscode_version       = var.vscode_version
     cf_account_id        = var.cf_account_id
-    cf_tunnel_id         = cloudflare_argo_tunnel.cf_tunnel.id != null ? cloudflare_argo_tunnel.cf_tunnel.id : ""
+    cf_tunnel_id         = cloudflare_argo_tunnel.cf_tunnel[0].id != null ? cloudflare_argo_tunnel.cf_tunnel[0].id : ""
     cf_tunnel_name       = local.cf_tunnel_name
     cf_tunnel_secret     = local.cf_argo_secret
     cf_zone              = local.cf_cname != null ? local.cf_cname : ""

terraform/variables.tf

@@ -62,19 +62,19 @@ variable "region" {
 # Cloudflare Zero Trust
 #############################
 
+variable "cf_zero_trust_enabled" {
+  type        = bool
+  description = "Register VSCode with Cloudflare Zero Trust"
+  default     = false
+}
+
 variable "cf_account_id" {
   type        = string
   description = "Set by TF_VAR_cf_account_id environment variable on ~/.zprofile or ~/.bash_profile"
   default     = null
   sensitive   = true
 }
 
-variable "cf_zero_trust_enabled" {
-  type        = bool
-  description = "Register VSCode with Cloudflare Zero Trust"
-  default     = false
-}
-
 variable "cf_domain" {
   type        = string
   description = "Domain Name for Cloudflare Zero Trust"