# Phase 6 GitOps Configuration
# Cloudflare Mesh Observatory - PR Workflows
#
# This config drives:
# - Risk classification for Terraform changes
# - Drift PR generation
# - CI plan comments
# - Alertmanager → GitLab webhook triggers
#
# Every credential below is an environment-variable reference ("${VAR}");
# keep it that way so this file stays safe to commit.
---
# ==============================================================================
# GIT PLATFORM CONFIGURATION
# ==============================================================================
gitlab:
  # Shell-style "${VAR:-default}" references — presumably expanded by the
  # config loader; confirm the loader supports the ":-" fallback form.
  base_url: "${GITLAB_BASE_URL:-https://gitlab.com}"
  project_id: "${GITLAB_PROJECT_ID}"
  default_branch: "main"

  # API settings
  api_version: "v4"
  timeout_seconds: 30

# GitHub alternative (uncomment if using GitHub)
# github:
#   base_url: "https://api.github.com"
#   owner: "your-org"
#   repo: "cloudflare-infra"
#   default_branch: "main"

# ==============================================================================
# TERRAFORM CONFIGURATION
# ==============================================================================
terraform:
  working_dir: "terraform"
  plan_file: "plan.tfplan"
  state_file: "terraform.tfstate"

  # Backend configuration hints (for plan summarizer)
  backend_type: "local"  # or "s3", "gcs", "azurerm", etc.

  # Parallelism for plan operations
  parallelism: 10

# ==============================================================================
# RISK CLASSIFICATION
# ==============================================================================
# Maps Cloudflare resource types to risk levels.
# Used by plan_summarizer.py to score changes: a resource's base_risk is
# combined with the action modifier (see `actions`) and resolved through
# `levels`.
risk:
  # DNS changes - high blast radius
  dns:
    resource_types:
      - "cloudflare_record"
      - "cloudflare_zone"
      - "cloudflare_zone_settings_override"
      - "cloudflare_zone_dnssec"
    base_risk: "high"

  # WAF/Security changes - security-critical
  waf:
    resource_types:
      - "cloudflare_waf_rule"
      - "cloudflare_waf_package"
      - "cloudflare_waf_group"
      - "cloudflare_waf_override"
      - "cloudflare_firewall_rule"
      - "cloudflare_filter"
      - "cloudflare_rate_limit"
      - "cloudflare_zone_lockdown"
      - "cloudflare_access_rule"
      - "cloudflare_user_agent_blocking_rule"
    base_risk: "high"

  # Tunnel changes - connectivity-critical
  tunnels:
    resource_types:
      - "cloudflare_tunnel"
      - "cloudflare_tunnel_config"
      - "cloudflare_tunnel_route"
      - "cloudflare_argo_tunnel"
    base_risk: "high"

  # Access/Zero Trust - identity-critical
  access:
    resource_types:
      - "cloudflare_access_application"
      - "cloudflare_access_policy"
      - "cloudflare_access_group"
      - "cloudflare_access_identity_provider"
      - "cloudflare_access_service_token"
      - "cloudflare_access_ca_certificate"
      - "cloudflare_access_mutual_tls_certificate"
      - "cloudflare_teams_account"
      - "cloudflare_teams_list"
      - "cloudflare_teams_rule"
      - "cloudflare_device_posture_rule"
      - "cloudflare_device_posture_integration"
    base_risk: "high"

  # Performance/Caching - medium risk
  performance:
    resource_types:
      - "cloudflare_page_rule"
      - "cloudflare_tiered_cache"
      - "cloudflare_cache_reserve"
      - "cloudflare_regional_tiered_cache"
      - "cloudflare_argo"
      - "cloudflare_load_balancer"
      - "cloudflare_load_balancer_pool"
      - "cloudflare_load_balancer_monitor"
    base_risk: "medium"

  # Workers - code deployment
  workers:
    resource_types:
      - "cloudflare_worker_script"
      - "cloudflare_worker_route"
      - "cloudflare_worker_cron_trigger"
      - "cloudflare_workers_kv_namespace"
      - "cloudflare_workers_kv"
    base_risk: "medium"

  # Certificates - availability-critical
  certificates:
    resource_types:
      - "cloudflare_certificate_pack"
      - "cloudflare_origin_ca_certificate"
      - "cloudflare_authenticated_origin_pulls"
      - "cloudflare_authenticated_origin_pulls_certificate"
    base_risk: "high"

  # Other/Low risk
  # NOTE(review): two entries here are worth a second look with the owners —
  # cloudflare_api_token changes alter credential scope, and
  # cloudflare_logpush_job changes redirect or stop audit-log delivery.
  # Both are currently scored "low"; raising them is a policy decision,
  # not a config fix.
  other:
    resource_types:
      - "cloudflare_api_token"
      - "cloudflare_logpush_job"
      - "cloudflare_logpull_retention"
      - "cloudflare_notification_policy"
      - "cloudflare_notification_policy_webhooks"
    base_risk: "low"

  # Action-based risk modifiers, added to the resource's base level
  actions:
    create:
      modifier: 0  # Neutral - new resources
    update:
      modifier: 1  # +1 risk level
    delete:
      modifier: 2  # +2 risk levels (always dangerous)
    replace:
      modifier: 2  # Same as delete (destroy + create)
    no-op:
      modifier: -10  # Effectively ignore

  # Final risk level mapping (ordinal values the modifiers are added to)
  levels:
    low: 0
    medium: 1
    high: 2
    critical: 3

# ==============================================================================
# DRIFT PR CONFIGURATION
# ==============================================================================
drift_pr:
  # Branch naming
  branch_prefix: "drift/remediation-"

  # MR/PR settings
  title_prefix: "Drift Remediation"
  labels:
    - "drift"
    - "terraform"
    - "auto-generated"

  # Auto-assign reviewers based on component; components without an entry
  # fall back to `default`
  reviewer_mapping:
    dns: ["dns-team"]
    waf: ["security-team"]
    tunnels: ["infra-team"]
    access: ["security-team", "identity-team"]
    default: ["platform-team"]

  # Approval requirements by risk level
  approvals_required:
    low: 1
    medium: 1
    high: 2
    critical: 2

  # Auto-merge settings — disabled by default; when enabled, only the
  # listed risk levels are eligible and the pipeline must pass first
  auto_merge:
    enabled: false
    allowed_risk_levels: ["low"]
    require_pipeline_success: true

# ==============================================================================
# CI PLAN COMMENT CONFIGURATION
# ==============================================================================
ci:
  comment_header: "Terraform Plan Summary"

  # What to include in comments
  include:
    risk_summary: true
    resource_table: true
    action_counts: true
    affected_zones: true
    compliance_flags: true

  # Collapse large tables
  collapse_threshold: 10

  # Link to dashboards (local defaults; these URLs are posted verbatim into
  # MR comments, so point them at a reachable host in shared environments)
  dashboard_links:
    grafana: "http://localhost:3000/d/cloudflare-overview"
    prometheus: "http://localhost:9090"

# ==============================================================================
# ALERTMANAGER WEBHOOK INTEGRATION
# ==============================================================================
webhook:
  # GitLab pipeline trigger — the token is read from the environment,
  # never written here inline
  gitlab_trigger:
    enabled: true
    trigger_token: "${GITLAB_TRIGGER_TOKEN}"
    ref: "main"

  # Alerts that trigger drift remediation (automatic PR)
  trigger_alerts:
    - "DNSDriftDetected"
    - "WAFRuleMissing"
    - "TunnelConfigChanged"
    - "InvariantViolation"
    - "FirewallRuleMissing"

  # Alerts that only notify (no auto-PR)
  notify_only_alerts:
    - "DNSHijackDetected"  # Security incident - manual only
    - "ProofchainIntegrityFailure"  # Never auto-remediate
    - "WAFRuleBypass"  # Needs investigation first

# ==============================================================================
# SLACK NOTIFICATIONS
# ==============================================================================
slack:
  webhook_url: "${SLACK_WEBHOOK_URL}"
  channel: "#cloudflare-gitops"  # quoted: a bare "#" would start a comment

  # Notification settings
  notify_on:
    pr_created: true
    pr_merged: true
    pr_failed: true
    high_risk_plan: true

  # Message templates ({placeholders} are filled in by the notifier)
  templates:
    pr_created: |
      *GitOps PR Created*
      Title: {title}
      Risk Level: {risk_level}
      Changes: {change_count}
      Link: {url}
    pr_merged: |
      *GitOps PR Merged*
      Title: {title}
      Merged by: {merged_by}
      Applied changes: {change_count}

# ==============================================================================
# COMPLIANCE INTEGRATION
# ==============================================================================
compliance:
  # Flag changes that affect compliance frameworks.
  # A trigger matches on resource type plus either changed `fields` or
  # plan `actions`. The "*" entries are wildcard patterns — presumably
  # glob-matched by the consumer; confirm before relying on them.
  frameworks:
    - name: "SOC2"
      triggers:
        - resource_types: ["cloudflare_zone_settings_override"]
          fields: ["ssl", "always_use_https", "min_tls_version"]
        - resource_types: ["cloudflare_waf_rule"]
          actions: ["delete"]
    - name: "PCI-DSS"
      triggers:
        - resource_types: ["cloudflare_zone_settings_override"]
          fields: ["min_tls_version"]
        - resource_types: ["cloudflare_waf_*"]
          actions: ["delete", "update"]
    - name: "HIPAA"
      triggers:
        - resource_types: ["cloudflare_zone_settings_override"]
          fields: ["ssl", "always_use_https"]
        - resource_types: ["cloudflare_access_*"]
          actions: ["delete"]

  # Add compliance warnings to PR descriptions
  add_warnings: true

  # Block merge for compliance violations
  block_on_violation: false  # Set true for strict mode

# ==============================================================================
# PHASE 7: WAF INTELLIGENCE CONFIGURATION
# ==============================================================================
waf_intelligence:
  # Enable/disable Phase 7 features
  enabled: true

  # Threat intelligence collection
  threat_intel:
    enabled: true
    log_paths:
      - "logs/cloudflare"
      - "/var/log/cloudflare"
    max_indicators: 100
    min_hit_count: 3  # Minimum hits before flagging

    # External threat feeds (optional, both off by default)
    external_feeds:
      abuseipdb:
        enabled: false
        api_key: "${ABUSEIPDB_API_KEY}"
        min_abuse_score: 80
      emerging_threats:
        enabled: false
        feed_url: "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"

  # ML classifier settings
  classifier:
    enabled: true
    min_confidence: 0.7
    sample_limit: 50

    # Attack type detection
    detect_types:
      - sqli
      - xss
      - rce
      - path_traversal
      - scanner

  # Rule proposal settings.
  # Proposals at or above auto_deploy_min_confidence for the listed
  # severities are deployed without a human reviewing them; a false
  # positive at that tier blocks legitimate traffic, so keep these
  # thresholds under review.
  proposals:
    max_per_batch: 10
    auto_deploy_min_confidence: 0.85
    auto_deploy_severities:
      - critical
      - high
    require_review_severities:
      - medium
      - low

  # GitOps integration for WAF rules
  gitops:
    create_mrs: true
    branch_prefix: "waf-intel/"
    labels:
      - "waf-intelligence"
      - "auto-generated"
      - "security"
    reviewers:
      - "security-team"

    # Auto-merge high-confidence critical blocks (off by default)
    auto_merge:
      enabled: false
      min_confidence: 0.95
      allowed_severities:
        - critical