Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
Vault Sovereign
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions


@@ -0,0 +1,326 @@
{{/* Email notification templates for Cloudflare Mesh Observatory */}}
{{/* HTML email template */}}
{{ define "email.cloudflare.html" }}
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
line-height: 1.6;
color: #333;
max-width: 800px;
margin: 0 auto;
padding: 20px;
}
.header {
background: linear-gradient(135deg, #F6821F 0%, #F38020 100%);
color: white;
padding: 20px;
border-radius: 8px 8px 0 0;
text-align: center;
}
.header h1 {
margin: 0;
font-size: 24px;
}
.status-badge {
display: inline-block;
padding: 4px 12px;
border-radius: 20px;
font-size: 12px;
font-weight: bold;
text-transform: uppercase;
margin-top: 10px;
}
.status-firing { background: #dc3545; color: white; }
.status-resolved { background: #28a745; color: white; }
.content {
background: #fff;
border: 1px solid #e0e0e0;
border-top: none;
padding: 20px;
border-radius: 0 0 8px 8px;
}
.alert-card {
background: #f8f9fa;
border-left: 4px solid #F6821F;
padding: 15px;
margin: 15px 0;
border-radius: 0 4px 4px 0;
}
.alert-card.critical { border-left-color: #dc3545; }
.alert-card.warning { border-left-color: #ffc107; }
.alert-card.info { border-left-color: #17a2b8; }
.alert-card.resolved { border-left-color: #28a745; }
.alert-title {
font-size: 16px;
font-weight: bold;
color: #333;
margin-bottom: 10px;
}
.alert-meta {
font-size: 12px;
color: #666;
margin-bottom: 10px;
}
.alert-meta span {
display: inline-block;
margin-right: 15px;
}
.label {
display: inline-block;
background: #e9ecef;
padding: 2px 8px;
border-radius: 4px;
font-size: 11px;
margin: 2px;
}
.description {
margin: 10px 0;
padding: 10px;
background: white;
border-radius: 4px;
}
.runbook-link {
display: inline-block;
background: #F6821F;
color: white;
padding: 8px 16px;
border-radius: 4px;
text-decoration: none;
font-size: 14px;
margin-top: 10px;
}
.runbook-link:hover {
background: #e67316;
}
.summary-table {
width: 100%;
border-collapse: collapse;
margin: 20px 0;
}
.summary-table th, .summary-table td {
padding: 10px;
text-align: left;
border-bottom: 1px solid #e0e0e0;
}
.summary-table th {
background: #f8f9fa;
font-weight: 600;
}
.footer {
text-align: center;
font-size: 12px;
color: #888;
margin-top: 20px;
padding-top: 20px;
border-top: 1px solid #e0e0e0;
}
.footer a {
color: #F6821F;
text-decoration: none;
}
</style>
</head>
<body>
<div class="header">
<h1>Cloudflare Mesh Observatory</h1>
<span class="status-badge status-{{ .Status }}">{{ .Status }}</span>
</div>
<div class="content">
<h2>Alert Summary</h2>
<table class="summary-table">
<tr>
<th>Status</th>
<td>{{ .Status | toUpper }}</td>
</tr>
<tr>
<th>Alert Name</th>
<td>{{ .CommonLabels.alertname }}</td>
</tr>
<tr>
<th>Severity</th>
<td>{{ .CommonLabels.severity | toUpper }}</td>
</tr>
<tr>
<th>Component</th>
<td>{{ .CommonLabels.component }}</td>
</tr>
<tr>
<th>Firing Alerts</th>
<td>{{ .Alerts.Firing | len }}</td>
</tr>
<tr>
<th>Resolved Alerts</th>
<td>{{ .Alerts.Resolved | len }}</td>
</tr>
</table>
<h2>Alert Details</h2>
{{ range .Alerts }}
<div class="alert-card {{ .Labels.severity }}{{ if eq .Status "resolved" }} resolved{{ end }}">
<div class="alert-title">
{{ .Labels.alertname }}
<span class="status-badge status-{{ .Status }}" style="font-size: 10px; padding: 2px 8px;">{{ .Status }}</span>
</div>
<div class="alert-meta">
<span><strong>Severity:</strong> {{ .Labels.severity }}</span>
<span><strong>Component:</strong> {{ .Labels.component }}</span>
<span><strong>Started:</strong> {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}</span>
{{ if eq .Status "resolved" }}
<span><strong>Resolved:</strong> {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}</span>
{{ end }}
</div>
<div class="description">
<strong>Summary:</strong> {{ .Annotations.summary }}<br>
<strong>Description:</strong> {{ .Annotations.description }}
</div>
<div style="margin-top: 10px;">
<strong>Labels:</strong><br>
{{ range .Labels.SortedPairs }}
<span class="label">{{ .Name }}: {{ .Value }}</span>
{{ end }}
</div>
{{ if .Annotations.runbook_url }}
<a href="{{ .Annotations.runbook_url }}" class="runbook-link">View Runbook</a>
{{ end }}
</div>
{{ end }}
<h2>Quick Links</h2>
<ul>
<li><a href="http://localhost:3000">Grafana Dashboard</a></li>
<li><a href="http://localhost:9090">Prometheus</a></li>
<li><a href="https://dash.cloudflare.com">Cloudflare Dashboard</a></li>
</ul>
</div>
<div class="footer">
<p>
This alert was generated by <strong>Cloudflare Mesh Observatory</strong><br>
<a href="http://localhost:9093">Alertmanager</a> |
<a href="http://localhost:3000">Grafana</a> |
<a href="http://localhost:9090">Prometheus</a>
</p>
<p>
Generated at {{ .ExternalURL }}
</p>
</div>
</body>
</html>
{{ end }}
{{/* Plain text email template */}}
{{ define "email.cloudflare.text" }}
================================================================================
CLOUDFLARE MESH OBSERVATORY - ALERT {{ .Status | toUpper }}
================================================================================
Status: {{ .Status | toUpper }}
Alert: {{ .CommonLabels.alertname }}
Severity: {{ .CommonLabels.severity | toUpper }}
Component: {{ .CommonLabels.component }}
Firing: {{ .Alerts.Firing | len }} alerts
Resolved: {{ .Alerts.Resolved | len }} alerts
================================================================================
ALERT DETAILS
================================================================================
{{ range .Alerts }}
--------------------------------------------------------------------------------
{{ .Labels.alertname }} [{{ .Status | toUpper }}]
--------------------------------------------------------------------------------
Severity: {{ .Labels.severity }}
Component: {{ .Labels.component }}
Started: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
{{ if eq .Status "resolved" }}Resolved: {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
Summary: {{ .Annotations.summary }}
Description: {{ .Annotations.description }}
Labels:
{{ range .Labels.SortedPairs }} - {{ .Name }}: {{ .Value }}
{{ end }}
{{ if .Annotations.runbook_url }}Runbook: {{ .Annotations.runbook_url }}{{ end }}
{{ end }}
================================================================================
QUICK LINKS
================================================================================
Grafana: http://localhost:3000
Prometheus: http://localhost:9090
Alertmanager: http://localhost:9093
Cloudflare: https://dash.cloudflare.com
================================================================================
Generated by Cloudflare Mesh Observatory
{{ end }}
{{/* Daily digest email template */}}
{{ define "email.cloudflare.digest" }}
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<style>
/* Same styles as above */
</style>
</head>
<body>
<div class="header">
<h1>Daily Alert Digest</h1>
<p>{{ now.Format "Monday, January 2, 2006" }}</p>
</div>
<div class="content">
<h2>24-Hour Summary</h2>
<table class="summary-table">
<tr>
<th>Metric</th>
<th>Count</th>
</tr>
<tr>
<td>Total Alerts</td>
<td>{{ len .Alerts }}</td>
</tr>
<tr>
<td>Currently Firing</td>
<td>{{ .Alerts.Firing | len }}</td>
</tr>
<tr>
<td>Resolved</td>
<td>{{ .Alerts.Resolved | len }}</td>
</tr>
</table>
<h2>Alerts by Severity</h2>
<!-- Alert breakdown would go here -->
<h2>Alerts by Component</h2>
<!-- Component breakdown would go here -->
</div>
<div class="footer">
<p>This is an automated daily digest from Cloudflare Mesh Observatory</p>
</div>
</body>
</html>
{{ end }}
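Review bot: `now` in `email.cloudflare.digest` (`{{ now.Format "Monday, January 2, 2006" }}`) is not an Alertmanager template function, and because this whole file is parsed as one template, the undefined function makes `email.cloudflare.html` and `email.cloudflare.text` fail to load as well; either drop the date line or derive it from the notification data, e.g. `{{ (index .Alerts 0).StartsAt.Format "Monday, January 2, 2006" }}`. The `/* Same styles as above */` comment in the digest `<style>` block is literal: Go templates do not share CSS between `define` blocks, so the digest renders unstyled until the rules are copied in. The Quick Links and footer also point at `http://localhost:3000`, `:9090` and `:9093`, which resolve to the recipient's own machine when opened from a mail client; `{{ .ExternalURL }}` already carries the Alertmanager address, and the footer line `Generated at {{ .ExternalURL }}` reads as a timestamp when it is a URL, so `Generated by Alertmanager at {{ .ExternalURL }}` is clearer.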


@@ -0,0 +1,169 @@
{{/* PagerDuty notification templates for Cloudflare Mesh Observatory */}}
{{/* Main description template */}}
{{ define "pagerduty.cloudflare.description" -}}
[{{ .CommonLabels.severity | toUpper }}] {{ .CommonLabels.alertname }} - {{ .CommonAnnotations.summary }}
{{- end }}
{{/* Detailed incident description */}}
{{ define "pagerduty.cloudflare.details" -}}
{{ range .Alerts }}
Alert: {{ .Labels.alertname }}
Severity: {{ .Labels.severity }}
Component: {{ .Labels.component }}
Summary: {{ .Annotations.summary }}
Description: {{ .Annotations.description }}
Labels:
{{ range .Labels.SortedPairs -}}
{{ .Name }}: {{ .Value }}
{{ end }}
Started: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
{{ if eq .Status "resolved" }}Resolved: {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
Runbook: {{ if .Annotations.runbook_url }}{{ .Annotations.runbook_url }}{{ else }}https://wiki.internal/playbooks/cloudflare{{ end }}
---
{{ end }}
{{- end }}
{{/* Critical tunnel incident */}}
{{ define "pagerduty.cloudflare.tunnel.critical" -}}
CRITICAL TUNNEL FAILURE
Tunnel: {{ .CommonLabels.tunnel_name }} ({{ .CommonLabels.tunnel_id }})
Zone: {{ .CommonLabels.zone }}
All tunnel connections have failed. Services behind this tunnel are UNREACHABLE.
Immediate Actions Required:
1. Check cloudflared daemon status on origin server
2. Verify network path to Cloudflare edge
3. Review recent configuration changes
4. Consider emergency tunnel rotation
Impact: {{ .CommonAnnotations.impact }}
ETA to degradation: IMMEDIATE
Escalation Chain:
1. On-call Infrastructure Engineer
2. Platform Team Lead
3. Security Team (if compromise suspected)
{{- end }}
{{/* Critical DNS incident */}}
{{ define "pagerduty.cloudflare.dns.critical" -}}
CRITICAL DNS INCIDENT
Type: {{ .CommonLabels.alertname }}
Zone: {{ .CommonLabels.zone }}
Record: {{ .CommonLabels.record_name }}
{{ if eq .CommonLabels.alertname "DNSHijackDetected" -}}
POTENTIAL DNS HIJACK DETECTED
This is a SECURITY INCIDENT. DNS records do not match expected configuration.
Immediate Actions:
1. Verify DNS resolution from multiple locations
2. Check Cloudflare dashboard for unauthorized changes
3. Review audit logs for suspicious activity
4. Engage security incident response
DO NOT dismiss without verification.
{{- else -}}
DNS configuration drift detected. Records have changed from expected baseline.
Actions:
1. Compare current vs expected records
2. Determine if change was authorized
3. Restore from known-good state if needed
{{- end }}
{{- end }}
{{/* Critical WAF incident */}}
{{ define "pagerduty.cloudflare.waf.critical" -}}
CRITICAL WAF INCIDENT
Attack Type: {{ .CommonLabels.attack_type }}
Source: {{ .CommonLabels.source_ip }}
Request Volume: {{ .CommonLabels.request_count }} requests
{{ if eq .CommonLabels.alertname "WAFMassiveAttack" -}}
MASSIVE ATTACK IN PROGRESS
Request volume significantly exceeds baseline. This may indicate:
- DDoS attack
- Credential stuffing
- Application-layer attack
Immediate Actions:
1. Review attack traffic patterns
2. Consider enabling Under Attack Mode
3. Increase rate limiting thresholds
4. Block attacking IPs if identified
Current Mitigation: {{ .CommonAnnotations.current_mitigation }}
{{- else -}}
WAF rule bypass detected. Malicious traffic may be reaching origin.
Actions:
1. Analyze bypassed requests
2. Tighten rule specificity
3. Add supplementary blocking rules
{{- end }}
{{- end }}
{{/* Critical invariant violation */}}
{{ define "pagerduty.cloudflare.invariant.critical" -}}
SECURITY INVARIANT VIOLATION
Invariant: {{ .CommonLabels.invariant_name }}
Category: {{ .CommonLabels.category }}
A critical security invariant has been violated. This indicates:
- Unauthorized configuration change
- Potential security misconfiguration
- Compliance violation
Violation Details:
- Expected: {{ .CommonLabels.expected_value }}
- Actual: {{ .CommonLabels.actual_value }}
- Impact: {{ .CommonAnnotations.impact }}
Affected Frameworks: {{ .CommonLabels.frameworks }}
This violation requires immediate investigation and remediation.
{{- end }}
{{/* Critical proofchain incident */}}
{{ define "pagerduty.cloudflare.proofchain.critical" -}}
PROOFCHAIN INTEGRITY FAILURE
Chain: {{ .CommonLabels.chain_name }}
Receipt Type: {{ .CommonLabels.receipt_type }}
CRITICAL: Proofchain integrity verification has FAILED.
This indicates one of:
1. Ledger tampering
2. Receipt corruption
3. Chain fork
4. Hash collision (extremely unlikely)
Integrity Details:
- Last Valid Hash: {{ .CommonLabels.last_valid_hash }}
- Expected Hash: {{ .CommonLabels.expected_hash }}
- Computed Hash: {{ .CommonLabels.computed_hash }}
IMMEDIATE ACTIONS:
1. HALT all new receipt generation
2. Preserve current state for forensics
3. Identify last known-good checkpoint
4. Engage proofchain administrator
This is a potential SECURITY INCIDENT if tampering is suspected.
{{- end }}
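Review bot: the incident-specific templates read every field from `.CommonLabels` (`tunnel_name`, `tunnel_id`, `zone`, `record_name`, `source_ip`, `request_count`, `invariant_name`, `last_valid_hash` and so on), but `CommonLabels` only holds labels whose value is identical across every alert in the group; unless the matching route groups by those labels (`group_by: [alertname, tunnel_id]`, for example), a group that collects two tunnels or two source addresses pages with `Tunnel:  ()` and `Source:` left blank. Either pin `group_by` in the route configuration that uses these templates, or iterate `{{ range .Alerts }}` and read `.Labels`, as `pagerduty.cloudflare.details` already does. In `pagerduty.cloudflare.waf.critical`, step 3 `Increase rate limiting thresholds` would loosen the limits during a volumetric attack; if the intent is to tighten them, write `Lower rate limiting thresholds` so the on-call engineer following this page does not do the opposite.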


@@ -0,0 +1,200 @@
{{/* Slack notification templates for Cloudflare Mesh Observatory */}}
{{/* Title template */}}
{{ define "slack.cloudflare.title" -}}
{{ if eq .Status "firing" }}{{ .Alerts.Firing | len }} FIRING{{ end }}{{ if and (eq .Status "resolved") (gt (.Alerts.Resolved | len) 0) }}{{ .Alerts.Resolved | len }} RESOLVED{{ end }} | {{ .CommonLabels.alertname }}
{{- end }}
{{/* Color template based on severity */}}
{{ define "slack.cloudflare.color" -}}
{{ if eq .Status "resolved" }}good{{ else if eq .CommonLabels.severity "critical" }}danger{{ else if eq .CommonLabels.severity "warning" }}warning{{ else }}#439FE0{{ end }}
{{- end }}
{{/* Main text body */}}
{{ define "slack.cloudflare.text" -}}
{{ range .Alerts }}
*Alert:* {{ .Labels.alertname }}
*Severity:* {{ .Labels.severity | toUpper }}
*Component:* {{ .Labels.component }}
*Status:* {{ .Status | toUpper }}
*Summary:* {{ .Annotations.summary }}
*Description:* {{ .Annotations.description }}
{{ if .Annotations.runbook_url }}*Runbook:* <{{ .Annotations.runbook_url }}|View Playbook>{{ end }}
*Labels:*
{{ range .Labels.SortedPairs -}}
- {{ .Name }}: `{{ .Value }}`
{{ end }}
*Started:* {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
{{ if eq .Status "resolved" }}*Resolved:* {{ .EndsAt.Format "2006-01-02 15:04:05 UTC" }}{{ end }}
---
{{ end }}
{{- end }}
{{/* Runbook URL template */}}
{{ define "slack.cloudflare.runbook" -}}
{{ if .CommonAnnotations.runbook_url }}{{ .CommonAnnotations.runbook_url }}{{ else }}https://wiki.internal/playbooks/cloudflare{{ end }}
{{- end }}
{{/* Compact alert list for summary */}}
{{ define "slack.cloudflare.alertlist" -}}
{{ range . }}
- {{ .Labels.alertname }} ({{ .Labels.severity }})
{{ end }}
{{- end }}
{{/* Tunnel-specific template */}}
{{ define "slack.cloudflare.tunnel" -}}
{{ range .Alerts }}
*Tunnel Alert*
*Tunnel ID:* {{ .Labels.tunnel_id }}
*Tunnel Name:* {{ .Labels.tunnel_name }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Action Required:*
{{ if eq .Labels.alertname "TunnelDown" }}
1. Check cloudflared service status
2. Verify network connectivity
3. Run tunnel rotation if unrecoverable
{{ else if eq .Labels.alertname "TunnelRotationDue" }}
1. Schedule maintenance window
2. Execute tunnel rotation protocol
3. Verify new tunnel connectivity
{{ end }}
---
{{ end }}
{{- end }}
{{/* DNS-specific template */}}
{{ define "slack.cloudflare.dns" -}}
{{ range .Alerts }}
*DNS Alert*
*Record:* {{ .Labels.record_name }}
*Type:* {{ .Labels.record_type }}
*Zone:* {{ .Labels.zone }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Immediate Actions:*
{{ if eq .Labels.alertname "DNSHijackDetected" }}
1. CRITICAL: Potential DNS hijack detected
2. Immediately verify DNS resolution
3. Check Cloudflare audit logs
4. Engage incident response team
{{ else if eq .Labels.alertname "DNSDriftDetected" }}
1. Compare current vs expected records
2. Check for unauthorized changes
3. Run state reconciler if needed
{{ end }}
---
{{ end }}
{{- end }}
{{/* WAF-specific template */}}
{{ define "slack.cloudflare.waf" -}}
{{ range .Alerts }}
*WAF Alert*
*Rule ID:* {{ .Labels.rule_id }}
*Action:* {{ .Labels.action }}
*Source:* {{ .Labels.source_ip }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Threat Intelligence:*
- Request Count: {{ .Labels.request_count }}
- Block Rate: {{ .Labels.block_rate }}%
- Attack Type: {{ .Labels.attack_type }}
*Recommended Actions:*
{{ if eq .Labels.alertname "WAFMassiveAttack" }}
1. Verify attack is not false positive
2. Consider enabling Under Attack Mode
3. Review and adjust rate limiting
4. Document attack patterns
{{ else if eq .Labels.alertname "WAFRuleBypass" }}
1. Analyze bypassed requests
2. Tighten rule specificity
3. Add supplementary rules
{{ end }}
---
{{ end }}
{{- end }}
{{/* Security/Invariant template */}}
{{ define "slack.cloudflare.security" -}}
{{ range .Alerts }}
*Security Invariant Violation*
*Invariant:* {{ .Labels.invariant_name }}
*Category:* {{ .Labels.category }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Violation Details:*
- Expected: {{ .Labels.expected_value }}
- Actual: {{ .Labels.actual_value }}
- First Seen: {{ .StartsAt.Format "2006-01-02 15:04:05 UTC" }}
*Compliance Impact:*
This violation may affect:
{{ range split .Labels.frameworks "," -}}
- {{ . }}
{{ end }}
*Remediation Steps:*
1. Review invariant definition
2. Check for authorized changes
3. Run autonomous remediator or manual fix
4. Document change justification
---
{{ end }}
{{- end }}
{{/* Proofchain template */}}
{{ define "slack.cloudflare.proofchain" -}}
{{ range .Alerts }}
*Proofchain Alert*
*Chain:* {{ .Labels.chain_name }}
*Receipt Type:* {{ .Labels.receipt_type }}
*Status:* {{ .Status | toUpper }}
{{ .Annotations.description }}
*Integrity Details:*
- Last Valid Hash: {{ .Labels.last_valid_hash }}
- Expected Hash: {{ .Labels.expected_hash }}
- Computed Hash: {{ .Labels.computed_hash }}
*This indicates potential:*
- Ledger tampering
- Receipt corruption
- Chain fork
- Missing anchors
*Immediate Actions:*
1. DO NOT write new receipts until resolved
2. Identify last known-good state
3. Investigate discrepancy source
4. Contact proofchain administrator
---
{{ end }}
{{- end }}
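Review bot: `split` in `slack.cloudflare.security` (`{{ range split .Labels.frameworks "," -}}`) is not an Alertmanager template function (there is a `join`, but no `split`), and since the file is parsed as one template, every `slack.cloudflare.*` define fails to load with it; print the label as the PagerDuty template does (`Affected Frameworks: {{ .Labels.frameworks }}`) or have the alerting rule emit one label per framework. Separately, annotation and label values are interpolated into Slack mrkdwn verbatim, so a `description` or label value containing `<!channel>`, `<url|text>` or `&` is rendered by Slack as markup rather than text; the built-in `reReplaceAll` can neutralise this, e.g. `{{ .Annotations.description | reReplaceAll "&" "&amp;" | reReplaceAll "<" "&lt;" }}`, and the same treatment belongs on `.Labels.source_ip` in `slack.cloudflare.waf` and the hash labels in `slack.cloudflare.proofchain`, which come straight from the alert source.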