chore: pre-migration snapshot

Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00
parent 7f2e60e1c5
commit f0b8d962de
67 changed files with 14887 additions and 650 deletions
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -38,6 +38,8 @@ cloudflare_account_name = "your-account-name"
 tunnel_secret_vaultmesh = "base64-encoded-secret"
 tunnel_secret_offsec    = "base64-encoded-secret"
 admin_emails            = ["admin@vaultmesh.org"]
+enable_managed_waf      = true
+enable_bot_management   = false
 EOF

 # Plan
@@ -47,6 +49,31 @@ terraform plan
 terraform apply
 ```

+## Plan-Aware Security Features
+
+- `enable_managed_waf` applies the managed WAF ruleset only when the zone `plan` is not `"free"`.
+- `enable_bot_management` applies bot management settings only when the zone `plan` is not `"free"`.
+
+This lets `terraform apply` succeed on Free-plan zones (DNS, tunnels, Access, settings) while keeping the security posture ready for plan upgrades.
+
+### WAF Truth Table
+
+| Zone plan (`var.domains[*].plan`) | `enable_managed_waf` | `enable_bot_management` | Expected resources |
+| --- | --- | --- | --- |
+| `free` | any | any | `cloudflare_ruleset.security_rules` only |
+| not `free` | `false` | any | `cloudflare_ruleset.security_rules` only |
+| not `free` | `true` | `false` | `cloudflare_ruleset.security_rules`, `cloudflare_ruleset.managed_waf` |
+| not `free` | `true` | `true` | `cloudflare_ruleset.security_rules`, `cloudflare_ruleset.managed_waf`, `cloudflare_bot_management.domains` |
+
+### Assurance Varfiles
+
+For deterministic, token-format-safe gating checks (no apply), use:
+
+```bash
+terraform plan -refresh=false -var-file=assurance_free.tfvars
+terraform plan -refresh=false -var-file=assurance_pro.tfvars
+```
+
 ## Generate Tunnel Secrets

 ```bash