---
description: "**CLOUDFLARE OPERATOR RULES**: Load this file for ANY Cloudflare-related operations including DNS, WAF, Tunnels, Zero Trust, Terraform IaC, or security configurations. This provides operator doctrine for Cloudflare infrastructure management. **MUST** be read when user mentions: Cloudflare, WAF, DNS records, Tunnels, Zero Trust, Workers, or any Cloudflare-specific patterns."
---

# IDE Operator Rules — Cloudflare Security Mesh

> **Control Surface:** This file can be seeded into VS Code extension folders to provide
> policy-aware guidance for AI assistants and code generation.

---

## Core Principles

1. **Security-First Infrastructure**
   - All Cloudflare resources must be defined in Terraform
   - Never hardcode API tokens or secrets in code
   - WAF rules must have documented justification

2. **GitOps Workflow**
   - No manual changes via Cloudflare dashboard
   - All changes flow through: PR → Review → Merge → Apply
   - Drift triggers automatic remediation PRs

3. **Zero Trust by Default**
   - Assume all traffic is hostile until verified
   - Access policies must enforce MFA where possible
   - Tunnel configurations require explicit allow-lists

---

## Terraform Guardrails

### DNS Records

```hcl
# ✅ ALWAYS include TTL and proxied status explicitly
resource "cloudflare_record" "example" {
  zone_id = var.zone_id
  name    = "api"
  type    = "A"
  value   = "192.0.2.1"
  ttl     = 300   # Explicit TTL
  proxied = true  # Explicit proxy status
}

# ❌ NEVER create unproxied A/AAAA records for sensitive services
# ❌ NEVER use TTL < 60 for production DNS
```

### WAF Rules

```hcl
# ✅ ALWAYS include description and tags
resource "cloudflare_ruleset" "waf_custom" {
  zone_id     = var.zone_id
  name        = "Custom WAF Rules"
  description = "Phase 7 WAF Intelligence generated rules"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    action      = "block"
    expression  = "(ip.src in $threat_intel_ips)"
    description = "Block threat intel IPs - auto-generated"
    enabled     = true
  }
}

# ❌ NEVER disable managed rulesets without documented exception
# ❌ NEVER use action = "allow" for external IPs without review
```

### Tunnels

```hcl
# ✅ ALWAYS rotate tunnel secrets on schedule
# ✅ ALWAYS use ingress rules with explicit hostnames
# ❌ NEVER expose internal services without Access policies
# ❌ NEVER use catch-all ingress rules in production
```

### Access Policies

```hcl
# ✅ ALWAYS require MFA for admin applications
# ✅ ALWAYS set session duration explicitly
# ❌ NEVER use "everyone" include without additional restrictions
# ❌ NEVER bypass Access for internal tools
```

---

## WAF Intelligence Integration

### Using the Analyzer

```bash
# Analyze WAF configuration
python -m mcp.waf_intelligence.orchestrator analyze terraform/waf.tf

# Full threat assessment
python -m mcp.waf_intelligence.orchestrator assess --include-threat-intel

# Generate rule proposals
python -m mcp.waf_intelligence.orchestrator propose --max-rules 5
```

### Threat Classification

The ML classifier detects:

- `sqli` — SQL injection patterns
- `xss` — Cross-site scripting
- `rce` — Remote code execution
- `path_traversal` — Directory traversal
- `scanner` — Automated scanning tools

### Auto-Deploy Criteria

Rules may be auto-deployed when:

- Confidence ≥ 85%
- Severity is `critical` or `high`
- Pattern matches known attack signature
- No existing rule covers the threat

---

## GitOps Workflow Rules

### PR Requirements

| Risk Level | Approvals | Auto-Merge |
|------------|-----------|------------|
| Low        | 1         | Allowed    |
| Medium     | 1         | Manual     |
| High       | 2         | Manual     |
| Critical   | 2         | Never      |

### Drift Remediation

- DNS drift → Auto-PR with `drift/remediation-*` branch
- WAF drift → Security team review required
- Tunnel drift → Infra team review required

### Compliance Flags

Changes affecting these frameworks trigger warnings:

- **SOC2** — SSL settings, WAF deletions
- **PCI-DSS** — TLS version, WAF modifications
- **HIPAA** — Access policy deletions, encryption settings

---

## Agent Instructions

When working with this Cloudflare infrastructure:

1. **Always check WAF impact** before proposing changes
2. **Prefer Terraform patterns** over ad-hoc API calls
3. **Use WAF Intelligence CLI** for security analysis before generating rules
4. **Propose GitOps-style patches**, not manual edits
5. **Never assume external APIs**; prefer local, deterministic tools
6. **Reference compliance frameworks** when implementing security features

### Tool Availability

- `filesystem` — Explore project structure
- `git` — Track and review changes
- `waf_intel` — Analyze WAF configurations
- `terraform` — Plan and validate infrastructure

---

## Quick Reference

### Risk Classification

```
High Risk:   DNS, WAF, Tunnels, Access, Certificates
Medium Risk: Performance, Workers, Page Rules
Low Risk:    Logging, Notifications, API Tokens
```

### Emergency Procedures

- DNS Compromise: See `playbooks/DNS-COMPROMISE-PLAYBOOK.md`
- WAF Incident: See `playbooks/waf_incident_playbook.md`
- Tunnel Rotation: See `playbooks/TUNNEL-ROTATION-PROTOCOL.md`

---

**Last Updated:** 2025-12-09

**Phase:** 7 (WAF Intelligence)

**Seeded By:** `scripts/seed_ide_rules.py`
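The Terraform Guardrails section states the DNS and WAF rules as comments; the following is an added example (not the project's `waf_intel` tool or any code from this repository) of a pre-commit linter that enforces them mechanically over `.tf` text. It reads `resource` blocks with a small brace-matching reader, which is an assumption of this example rather than a full HCL parser, and the list of hostnames treated as "sensitive services" (`SENSITIVE_NAMES`) and the sample `.tf` content are constructed here.

```python
"""Guardrail linter for the DNS and WAF patterns above (added example; not the
project's waf_intel tool). A small brace-matching reader handles the resource
blocks shown in this file; it is not a full HCL parser."""
import re

# Constructed sample .tf text: one compliant record, two non-compliant ones,
# and a ruleset with a missing description and an un-reviewed allow rule.
SAMPLE_TF = '''
resource "cloudflare_record" "api" {
  zone_id = var.zone_id
  name    = "api"
  type    = "A"
  value   = "192.0.2.1"
  ttl     = 300
  proxied = true
}
resource "cloudflare_record" "admin" {
  name    = "admin"
  type    = "AAAA"
  ttl     = 30
  proxied = false
}
resource "cloudflare_record" "mail" {
  name = "mail"
  type = "MX"
}
resource "cloudflare_ruleset" "waf_custom" {
  name  = "Custom WAF Rules"
  phase = "http_request_firewall_custom"
  rules {
    action      = "block"
    expression  = "(ip.src in $threat_intel_ips)"
    description = "Block threat intel IPs"
    enabled     = true
  }
  rules {
    action     = "allow"
    expression = "(ip.src eq 198.51.100.7)"
    enabled    = true
  }
}
'''

SENSITIVE_NAMES = {"admin", "api", "vpn"}  # assumption: project-defined list
MIN_PROD_TTL = 60

RESOURCE_RE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def _block_end(text, start):
    """Index of the '}' closing a block whose body starts at `start`."""
    depth, i, in_str = 1, start, False
    while i < len(text) and depth:
        c = text[i]
        if c == '"' and text[i - 1] != '\\':
            in_str = not in_str          # ignore braces inside strings
        elif not in_str:
            depth += (c == '{') - (c == '}')
        i += 1
    return i - 1


def iter_resources(text):
    """Yield (type, name, body) for each resource block."""
    for m in RESOURCE_RE.finditer(text):
        yield m.group(1), m.group(2), text[m.end():_block_end(text, m.end())]


def nested_blocks(body, label):
    """Bodies of `label { ... }` blocks directly inside `body`."""
    return [body[m.end():_block_end(body, m.end())]
            for m in re.finditer(r'\b%s\s*\{' % re.escape(label), body)]


def top_level_attrs(body):
    """`key = value` pairs of a block, with nested blocks removed first."""
    while (m := re.search(r'\b\w+\s*\{', body)):
        body = body[:m.start()] + body[_block_end(body, m.end()) + 1:]
    return {k: v.strip('"') for k, v in ATTR_RE.findall(body)}


def lint(text):
    """Return (resource address, message) for every guardrail violation."""
    findings = []
    for rtype, rname, body in iter_resources(text):
        a, where = top_level_attrs(body), f"{rtype}.{rname}"
        if rtype == "cloudflare_record":
            if "ttl" not in a:
                findings.append((where, "ttl must be set explicitly"))
            elif a["ttl"].isdigit() and int(a["ttl"]) < MIN_PROD_TTL:
                findings.append((where, f"ttl {a['ttl']} is below the {MIN_PROD_TTL}s production floor"))
            if "proxied" not in a:
                findings.append((where, "proxied must be set explicitly"))
            elif a.get("type") in ("A", "AAAA") and a["proxied"] != "true" and a.get("name") in SENSITIVE_NAMES:
                findings.append((where, f"unproxied {a['type']} record exposes sensitive service '{a['name']}'"))
        elif rtype == "cloudflare_ruleset":
            if "description" not in a:
                findings.append((where, "ruleset needs a description"))
            for i, rule in enumerate(nested_blocks(body, "rules")):
                r, rid = top_level_attrs(rule), f"{where}.rules[{i}]"
                if not r.get("description"):
                    findings.append((rid, "rule needs a description (documented justification)"))
                if r.get("action") == "allow":
                    findings.append((rid, "allow action needs explicit review"))
    return findings


if __name__ == "__main__":
    for where, msg in lint(SAMPLE_TF):
        print(f"{where}: {msg}")
```

Run against the constructed sample it reports eight findings: the low TTL and the unproxied AAAA on `admin`, the missing explicit `ttl`/`proxied` on `mail`, the undocumented ruleset and second rule, and the `allow` action. Wiring `lint` into the PR check keeps the dashboard-free GitOps flow honest, since a reviewer sees the violation before `terraform apply` rather than after.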
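The PR Requirements table, Drift Remediation routing, Compliance Flags and Quick Reference risk tiers above are all decisions a CI gate can take from a Terraform plan. The following is an added example (not the project's own tooling) that reads the `resource_changes` and `resource_drift` lists as emitted by `terraform show -json plan.out` and produces the approval count, auto-merge verdict, framework warnings and drift routing for the whole plan. The mapping of v4-provider resource types onto the risk tiers, the choice to treat deletion of a high-risk resource as `Critical`, and the sample plan are assumptions constructed for this example.

```python
"""PR gate for the GitOps rules above (added example; not the project's own
tooling). Reads the plan JSON shape produced by `terraform show -json`."""
import json

# Assumption: how v4 provider resource types map onto the Quick Reference tiers.
RISK_OF_TYPE = {
    "cloudflare_record": ("DNS", "high"),
    "cloudflare_ruleset": ("WAF", "high"),
    "cloudflare_tunnel": ("Tunnels", "high"),
    "cloudflare_tunnel_config": ("Tunnels", "high"),
    "cloudflare_access_application": ("Access", "high"),
    "cloudflare_access_policy": ("Access", "high"),
    "cloudflare_zone_settings_override": ("Certificates", "high"),
    "cloudflare_worker_script": ("Workers", "medium"),
    "cloudflare_page_rule": ("Page Rules", "medium"),
    "cloudflare_notification_policy": ("Notifications", "low"),
    "cloudflare_api_token": ("API Tokens", "low"),
}
TIERS = ["low", "medium", "high", "critical"]
PR_POLICY = {"low": (1, "allowed"), "medium": (1, "manual"),   # from the
             "high": (2, "manual"), "critical": (2, "never")}  # PR table

# Constructed sample plan: a DNS TTL change, a WAF ruleset deletion, a TLS
# version bump, a new notification policy, and one drifted DNS record.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "cloudflare_record.api", "type": "cloudflare_record", "name": "api",
         "change": {"actions": ["update"], "before": {"ttl": 300, "proxied": True},
                    "after": {"ttl": 120, "proxied": True}}},
        {"address": "cloudflare_ruleset.legacy", "type": "cloudflare_ruleset", "name": "legacy",
         "change": {"actions": ["delete"], "before": {"name": "legacy"}, "after": None}},
        {"address": "cloudflare_zone_settings_override.main",
         "type": "cloudflare_zone_settings_override", "name": "main",
         "change": {"actions": ["update"],
                    "before": {"settings": [{"min_tls_version": "1.0", "ssl": "full"}]},
                    "after": {"settings": [{"min_tls_version": "1.2", "ssl": "full"}]}}},
        {"address": "cloudflare_notification_policy.alerts", "name": "alerts",
         "type": "cloudflare_notification_policy",
         "change": {"actions": ["create"], "before": None, "after": {"enabled": True}}},
    ],
    "resource_drift": [
        {"address": "cloudflare_record.www", "type": "cloudflare_record", "name": "www",
         "change": {"actions": ["update"], "before": {"proxied": True},
                    "after": {"proxied": False}}},
    ],
}


def changed_keys(before, after, prefix=""):
    """Dotted keys whose value differs, descending into single-object lists
    (the shape Terraform uses for nested blocks such as `settings`)."""
    before, after, keys = before or {}, after or {}, set()
    for k in set(before) | set(after):
        b, a = before.get(k), after.get(k)
        if b == a:
            continue
        if isinstance(b, list) and isinstance(a, list) and len(b) == len(a) == 1 \
                and isinstance(b[0], dict) and isinstance(a[0], dict):
            keys |= changed_keys(b[0], a[0], f"{prefix}{k}.")
        else:
            keys.add(prefix + k)
    return keys


def classify(rc):
    """(category, tier) for one resource change or drift entry."""
    category, tier = RISK_OF_TYPE.get(rc["type"], ("Other", "low"))
    if tier == "high" and "delete" in rc["change"]["actions"]:
        tier = "critical"  # assumption: deleting (or replacing) a high-risk resource
    return category, tier


def compliance_flags(rc):
    """Frameworks whose controls this change touches, per the Compliance Flags list."""
    category, _ = classify(rc)
    actions, flags = rc["change"]["actions"], set()
    keys = changed_keys(rc["change"].get("before"), rc["change"].get("after"))
    if category == "WAF":
        flags.add("PCI-DSS")                      # any WAF modification
        if "delete" in actions:
            flags.add("SOC2")                     # WAF deletion
    if rc["type"] == "cloudflare_access_policy" and "delete" in actions:
        flags.add("HIPAA")                        # Access policy deletion
    if "settings.ssl" in keys:
        flags |= {"SOC2", "HIPAA"}                # SSL / encryption settings
    if "settings.min_tls_version" in keys:
        flags |= {"PCI-DSS", "HIPAA"}             # TLS version
    return flags


def route_drift(rd):
    """Where a drifted resource goes, per the Drift Remediation list."""
    category, _ = classify(rd)
    if category == "DNS":
        return rd["address"], f"auto-PR on branch drift/remediation-{rd['name']}"
    if category == "WAF":
        return rd["address"], "security team review required"
    if category == "Tunnels":
        return rd["address"], "infra team review required"
    return rd["address"], "manual review"


def gate(plan):
    """Overall PR requirements, compliance flags and drift routing for a plan."""
    changes = [rc for rc in plan.get("resource_changes", [])
               if rc["change"]["actions"] != ["no-op"]]
    overall = max([classify(rc)[1] for rc in changes] or ["low"], key=TIERS.index)
    approvals, auto_merge = PR_POLICY[overall]
    flags = set().union(*(compliance_flags(rc) for rc in changes))
    return {"risk": overall, "approvals": approvals, "auto_merge": auto_merge,
            "compliance": sorted(flags),
            "changes": [(rc["address"], *classify(rc)) for rc in changes],
            "drift": [route_drift(rd) for rd in plan.get("resource_drift", [])]}


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_PLAN), indent=2))
```

On the constructed plan the ruleset deletion lifts the whole PR to `critical` (two approvals, never auto-merged) and the flags come out as `HIPAA`, `PCI-DSS` and `SOC2`, while the drifted `www` record is routed to a `drift/remediation-www` branch. A replace shows up in plan JSON as `["delete", "create"]`, so it is deliberately caught by the same `delete` check as a plain deletion.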