Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
Vault Sovereign
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions

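--- /dev/null
+++ b/terraform/access.tf
@@ -0,0 +1,122 @@
+# Cloudflare Access - Zero Trust Applications
+# Access Application for VaultMesh Dashboard
+resource "cloudflare_access_application" "vaultmesh_dash" {
+zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+name = "VaultMesh Dashboard"
+domain = "dash.vaultmesh.org"
+type = "self_hosted"
+session_duration = "24h"
+auto_redirect_to_identity = true
+allowed_idps = var.allowed_idps
+}
+# Access Application for VaultMesh Guardian (Admin)
+resource "cloudflare_access_application" "vaultmesh_guardian" {
+zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+name = "VaultMesh Guardian"
+domain = "guardian.vaultmesh.org"
+type = "self_hosted"
+session_duration = "8h" # Shorter for admin
+auto_redirect_to_identity = true
+allowed_idps = var.allowed_idps
+}
+# Access Application for OffSec Internal
+resource "cloudflare_access_application" "offsec_internal" {
+zone_id = cloudflare_zone.domains["offsec.global"].id
+name = "OffSec Internal Tools"
+domain = "internal.offsec.global"
+type = "self_hosted"
+session_duration = "12h"
+auto_redirect_to_identity = true
+allowed_idps = var.allowed_idps
+}
+# Access Policy - Allow specific emails
+resource "cloudflare_access_policy" "vaultmesh_dash_policy" {
+application_id = cloudflare_access_application.vaultmesh_dash.id
+zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+name = "Allow VaultMesh Team"
+precedence = 1
+decision = "allow"
+include {
+email_domain = var.allowed_email_domains
+}
+require {
+# Require MFA
+auth_method = "mfa"
+}
+}
+# Access Policy - Guardian (more restrictive)
+resource "cloudflare_access_policy" "vaultmesh_guardian_policy" {
+application_id = cloudflare_access_application.vaultmesh_guardian.id
+zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+name = "Allow Guardian Admins"
+precedence = 1
+decision = "allow"
+include {
+email = var.admin_emails
+}
+require {
+# Require hardware key MFA
+auth_method = "mfa"
+}
+}
+# Access Policy - OffSec Internal
+resource "cloudflare_access_policy" "offsec_internal_policy" {
+application_id = cloudflare_access_application.offsec_internal.id
+zone_id = cloudflare_zone.domains["offsec.global"].id
+name = "Allow OffSec Team"
+precedence = 1
+decision = "allow"
+include {
+email_domain = var.allowed_email_domains
+}
+require {
+auth_method = "mfa"
+}
+}
+# Service Tokens for machine-to-machine auth
+resource "cloudflare_access_service_token" "vaultmesh_api" {
+zone_id = cloudflare_zone.domains["vaultmesh.org"].id
+name = "VaultMesh API Service Token"
+min_days_for_renewal = 30
+}
+resource "cloudflare_access_service_token" "offsec_api" {
+zone_id = cloudflare_zone.domains["offsec.global"].id
+name = "OffSec API Service Token"
+min_days_for_renewal = 30
+}
+# Variables for Access
+variable "allowed_idps" {
+description = "List of allowed Identity Provider IDs"
+type = list(string)
+default = []
+}
+variable "allowed_email_domains" {
+description = "Email domains allowed to access applications"
+type = list(string)
+default = ["vaultmesh.org", "offsec.global"]
+}
+variable "admin_emails" {
+description = "Specific admin email addresses for sensitive apps"
+type = list(string)
+default = []
+}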
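Review bot: The comment `# Require hardware key MFA` in `vaultmesh_guardian_policy` does not match the rule beneath it, which is the same generic `auth_method = "mfa"` used by the two less-privileged policies, so the "more restrictive" admin policy is in practice no stricter on authentication strength. If the IdP asserts a hardware-key AMR claim, the intent is expressed as `auth_method = "hwk"`; otherwise the comment should be reduced to `# Require MFA (any method)` so readers do not assume a stronger control than is enforced. The defaults also deserve a second look: `admin_emails` defaults to `[]`, so the guardian include list is empty unless the variable is set, and `allowed_idps = []` presumably means every IdP configured on the account is accepted for all three applications rather than a restricted set — confirm both against the provider's semantics and consider removing the defaults so a plan fails loudly when they are unset. The two `cloudflare_access_service_token` resources will write their generated client secrets into Terraform state, so the state backend for this repository needs the same protection as any other credential store.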