From b789a059b85ae5eac1bb259844d0fb4e9c4e5623 Mon Sep 17 00:00:00 2001
From: Sven Sauleau
Date: Wed, 4 Jan 2023 16:09:39 +0000
Subject: [PATCH] inject ACCESS_AUD and ACCESS_AUTH_DOMAIN Pages app
---
 .github/workflows/deploy.yml | 11 +++++++++++
 tf/main.tf | 10 ++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8ebf4f0..42586b4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -11,6 +11,10 @@ jobs:
 - uses: actions/checkout@v2
 - uses: hashicorp/setup-terraform@v2
+ - name: Install package
+ run: |
+ sudo apt-get -y install jq
+
 - name: Setup node.js
 uses: actions/setup-node@v3
 with:
@@ -45,6 +49,12 @@ jobs:
 env:
 CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
+ - name: retrieve Zero Trust organization
+ run: |
+ auth_domain=$(curl https://api.cloudflare.com/client/v4/accounts/${{ secrets.CF_ACCOUNT_ID }}/access/organizations \
+ -H 'Authorization: Bearer ${{ secrets.CF_API_TOKEN }}' | jq -r '.result.auth_domain')
+ printf "auth_domain=$auth_domain" >> $GITHUB_ENV
+
 - name: Init
 run: terraform init
 working-directory: ./tf
@@ -59,6 +69,7 @@ jobs:
 TF_VAR_cloudflare_zone_name: ${{ secrets.CF_ZONE_NAME }}
 TF_VAR_gh_username: ${{ github.actor }}
 TF_VAR_d1_id: ${{ env.d1_id }}
+ TF_VAR_access_auth_domain: ${{ env.auth_domain }}
 - name: Publish
 uses: cloudflare/wrangler-action@2.0.0
diff --git a/tf/main.tf b/tf/main.tf
index fa9693b..00181e9 100644
--- a/tf/main.tf
+++ b/tf/main.tf
@@ -18,6 +18,10 @@ variable "d1_id" {
 type = string
 }
+variable "access_auth_domain" {
+ type = string
+}
+
 terraform {
 required_providers {
 cloudflare = {
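Review bot: A failed or unexpected Cloudflare API response goes undetected in the added `retrieve Zero Trust organization` step: `curl` runs without `--fail`, the step names no `shell:` (so, unless a default is set outside this hunk, the pipe into `jq` runs without `pipefail`), and `jq -r` prints the string `null` when `.result.auth_domain` is missing. That value then flows through `TF_VAR_access_auth_domain` in the next hunk and is applied as the app's `ACCESS_AUTH_DOMAIN`. The `printf` also uses the fetched value as its format string, writes no trailing newline and leaves `$GITHUB_ENV` unquoted, and both secrets are expanded by `${{ }}` into the script text rather than passed through `env:`. I would make the step fail closed and hand the secrets and the result over as data, as below.

```yaml
      - name: retrieve Zero Trust organization
        shell: bash
        env:
          CF_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
          CF_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
        run: |
          set -euo pipefail
          # --fail turns HTTP errors into a non-zero exit; jq -e rejects null/false
          auth_domain=$(curl --fail --silent --show-error \
              -H "Authorization: Bearer ${CF_API_TOKEN}" \
              "https://api.cloudflare.com/client/v4/accounts/${CF_ACCOUNT_ID}/access/organizations" \
            | jq -er '.result.auth_domain')
          printf 'auth_domain=%s\n' "$auth_domain" >> "$GITHUB_ENV"
```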
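Review bot: The new `variable "access_auth_domain"` accepts any string, including an empty value or the literal `null` that the workflow's `jq -r` step emits when the API response carries no `auth_domain`, and it has no `description`. Because the value ends up as the Pages app's `ACCESS_AUTH_DOMAIN`, a `validation` block here would stop `terraform apply` before a bad value is deployed. The sketch below only rejects the obviously wrong cases; tighten the condition to the expected hostname format if that is fixed for your account.

```hcl
variable "access_auth_domain" {
  type        = string
  description = "Zero Trust auth domain of the account, exported to the Pages app as ACCESS_AUTH_DOMAIN."

  validation {
    condition     = length(trimspace(var.access_auth_domain)) > 0 && var.access_auth_domain != "null"
    error_message = "The access_auth_domain value must be a non-empty auth domain, not an empty string or \"null\"."
  }
}
```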
@@ -65,6 +69,8 @@ resource "cloudflare_pages_project" "wildebeest_pages_project" {
 CF_API_TOKEN = ""
 USER_KEY = random_password.user_key.result
+ ACCESS_AUD = cloudflare_access_application.wildebeest_access.aud
+ ACCESS_AUTH_DOMAIN = var.access_auth_domain
 }
 kv_namespaces = {
 KV_CACHE = cloudflare_workers_kv_namespace.wildebeest_cache.id
@@ -111,7 +117,3 @@ resource "cloudflare_access_policy" "policy" {
 email = ["test@example.com"]
 }
 }
-
-/* output "access_aud" { */
-/* value = cloudflare_access_application.wildebeest_access.aud */
-/* } */
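Review bot: The added `ACCESS_AUD` and `ACCESS_AUTH_DOMAIN` entries carry no comment saying what consumes them, and they sit beside `CF_API_TOKEN` and `USER_KEY`, which are a different kind of value. Presumably the Pages app uses them to check the audience and issuer of Cloudflare Access tokens; if so, a comment such as `# Access JWT verification: expected audience tag and team auth domain` above them would make clear that a wrong value affects authentication rather than just configuration. The block inside `cloudflare_pages_project` that holds these entries starts outside this hunk, so which deployment configuration receives them cannot be confirmed from here. Please check that every environment serving the app gets both values.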