Initial commit: Cloudflare infrastructure with WAF Intelligence

- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access) - WAF Intelligence MCP server with threat analysis and ML classification - GitOps automation with PR workflows and drift detection - Observatory monitoring stack with Prometheus/Grafana - IDE operator rules for governed development - Security playbooks and compliance frameworks - Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00
commit 37a867c485
123 changed files with 25407 additions and 0 deletions
--- a/terraform/waf.tf
+++ b/terraform/waf.tf
@@ -0,0 +1,91 @@
+# WAF Rulesets and Firewall Rules
+
+# Block non-HTTPS (should be handled by always_use_https, but explicit rule)
+resource "cloudflare_ruleset" "security_rules" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "Security Rules"
+  kind     = "zone"
+  phase    = "http_request_firewall_custom"
+
+  # Rule 1: Block requests to /admin from non-trusted IPs
+  rules {
+    action      = "block"
+    expression  = "(http.request.uri.path contains \"/admin\") and not (ip.src in {${join(" ", var.trusted_admin_ips)}})"
+    description = "Block admin access from untrusted IPs"
+    enabled     = length(var.trusted_admin_ips) > 0
+  }
+
+  # Rule 2: Challenge suspicious countries
+  rules {
+    action      = "managed_challenge"
+    expression  = "(ip.src.country in {\"${join("\" \"", var.blocked_countries)}\"})"
+    description = "Challenge traffic from high-risk countries"
+    enabled     = true
+  }
+
+  # Rule 3: Block known bad user agents
+  rules {
+    action      = "block"
+    expression  = "(http.user_agent contains \"sqlmap\") or (http.user_agent contains \"nikto\") or (http.user_agent contains \"nmap\")"
+    description = "Block known scanning tools"
+    enabled     = true
+  }
+
+  # Rule 4: Rate limit API endpoints
+  rules {
+    action = "block"
+    ratelimit {
+      characteristics     = ["ip.src"]
+      period              = 10
+      requests_per_period = 30
+      mitigation_timeout  = 60
+    }
+    expression  = "(http.request.uri.path starts_with \"/api/\")"
+    description = "Rate limit API endpoints"
+    enabled     = true
+  }
+}
+
+# Enable Cloudflare Managed WAF Ruleset
+resource "cloudflare_ruleset" "managed_waf" {
+  for_each = cloudflare_zone.domains
+  zone_id  = each.value.id
+  name     = "Managed WAF"
+  kind     = "zone"
+  phase    = "http_request_firewall_managed"
+
+  # Cloudflare Managed Ruleset
+  rules {
+    action = "execute"
+    action_parameters {
+      id = "efb7b8c949ac4650a09736fc376e9aee" # Cloudflare Managed Ruleset
+    }
+    expression  = "true"
+    description = "Execute Cloudflare Managed Ruleset"
+    enabled     = true
+  }
+
+  # OWASP Core Ruleset
+  rules {
+    action = "execute"
+    action_parameters {
+      id = "4814384a9e5d4991b9815dcfc25d2f1f" # OWASP Core Ruleset
+    }
+    expression  = "true"
+    description = "Execute OWASP Core Ruleset"
+    enabled     = true
+  }
+}
+
+# Bot Management (if available on plan)
+resource "cloudflare_bot_management" "domains" {
+  for_each                        = cloudflare_zone.domains
+  zone_id                         = each.value.id
+  enable_js                       = true
+  fight_mode                      = true
+  sbfm_definitely_automated       = "block"
+  sbfm_likely_automated           = "managed_challenge"
+  sbfm_verified_bots              = "allow"
+  sbfm_static_resource_protection = false
+}