Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access) - WAF Intelligence MCP server with threat analysis and ML classification - GitOps automation with PR workflows and drift detection - Observatory monitoring stack with Prometheus/Grafana - IDE operator rules for governed development - Security playbooks and compliance frameworks - Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -0,0 +1,73 @@
+# DNS Records for each zone
+# Root A record (proxied) - points to tunnel or origin
+resource "cloudflare_record" "root_a" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "@"
+  value    = var.origin_ip
+  type     = "A"
+  proxied  = true
+  ttl      = 1 # Auto when proxied
+}
+
+# WWW CNAME
+resource "cloudflare_record" "www" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "www"
+  value    = each.key
+  type     = "CNAME"
+  proxied  = true
+  ttl      = 1
+}
+
+# SPF Record
+resource "cloudflare_record" "spf" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "@"
+  content  = "v=spf1 include:_spf.mx.cloudflare.net -all"
+  type     = "TXT"
+  ttl      = 3600
+}
+
+# DMARC Record
+resource "cloudflare_record" "dmarc" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "_dmarc"
+  value    = "v=DMARC1; p=reject; rua=mailto:dmarc@${each.key}"
+  type     = "TXT"
+  ttl      = 3600
+}
+
+# MX Records (using Cloudflare Email Routing or custom)
+resource "cloudflare_record" "mx_primary" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "@"
+  value    = "route1.mx.cloudflare.net"
+  type     = "MX"
+  priority = 10
+  ttl      = 3600
+}
+
+resource "cloudflare_record" "mx_secondary" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "@"
+  value    = "route2.mx.cloudflare.net"
+  type     = "MX"
+  priority = 20
+  ttl      = 3600
+}
+
+resource "cloudflare_record" "mx_tertiary" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "@"
+  value    = "route3.mx.cloudflare.net"
+  type     = "MX"
+  priority = 30
+  ttl      = 3600
+}