chore: pre-migration snapshot

Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00
parent 7f2e60e1c5
commit f0b8d962de
67 changed files with 14887 additions and 650 deletions
--- a/terraform/waf.tf
+++ b/terraform/waf.tf
@@ -11,7 +11,7 @@ resource "cloudflare_ruleset" "security_rules" {
  # Rule 1: Block requests to /admin from non-trusted IPs
  rules {
    action      = "block"
-    expression  = "(http.request.uri.path contains \"/admin\") and not (ip.src in {${join(" ", var.trusted_admin_ips)}})"
+    expression  = length(var.trusted_admin_ips) > 0 ? "(http.request.uri.path contains \"/admin\") and not (ip.src in {${join(" ", var.trusted_admin_ips)}})" : "false"
    description = "Block admin access from untrusted IPs"
    enabled     = length(var.trusted_admin_ips) > 0
  }
@@ -19,9 +19,9 @@ resource "cloudflare_ruleset" "security_rules" {
  # Rule 2: Challenge suspicious countries
  rules {
    action      = "managed_challenge"
-    expression  = "(ip.src.country in {\"${join("\" \"", var.blocked_countries)}\"})"
+    expression  = length(var.blocked_countries) > 0 ? format("(ip.src.country in {%s})", join(" ", [for c in var.blocked_countries : format("\"%s\"", c)])) : "false"
    description = "Challenge traffic from high-risk countries"
-    enabled     = true
+    enabled     = length(var.blocked_countries) > 0
  }

  # Rule 3: Block known bad user agents
@@ -49,11 +49,14 @@ resource "cloudflare_ruleset" "security_rules" {

 # Enable Cloudflare Managed WAF Ruleset
 resource "cloudflare_ruleset" "managed_waf" {
-  for_each = cloudflare_zone.domains
-  zone_id  = each.value.id
-  name     = "Managed WAF"
-  kind     = "zone"
-  phase    = "http_request_firewall_managed"
+  for_each = {
+    for domain, zone in cloudflare_zone.domains : domain => zone
+    if var.enable_managed_waf && var.domains[domain].plan != "free"
+  }
+  zone_id = each.value.id
+  name    = "Managed WAF"
+  kind    = "zone"
+  phase   = "http_request_firewall_managed"

  # Cloudflare Managed Ruleset
  rules {
@@ -80,7 +83,10 @@ resource "cloudflare_ruleset" "managed_waf" {

 # Bot Management (if available on plan)
 resource "cloudflare_bot_management" "domains" {
-  for_each                        = cloudflare_zone.domains
+  for_each = {
+    for domain, zone in cloudflare_zone.domains : domain => zone
+    if var.enable_bot_management && var.domains[domain].plan != "free"
+  }
  zone_id                         = each.value.id
  enable_js                       = true
  fight_mode                      = true