vm-cloudflare/terraform/README.md
Vault Sovereign f0b8d962de
chore: pre-migration snapshot
Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00

# Cloudflare Terraform Configuration
Infrastructure as Code for VaultMesh and OffSec Cloudflare resources.
## Prerequisites
1. Terraform >= 1.0
2. Cloudflare API token with permissions:
   - Zone: Edit
   - DNS: Edit
   - Access: Edit
   - Argo Tunnel: Edit
   - WAF: Edit
## Files
| File | Description |
|------|-------------|
| `main.tf` | Provider configuration |
| `variables.tf` | Input variables |
| `zones.tf` | Zone creation and settings |
| `dns.tf` | DNS records |
| `waf.tf` | WAF and firewall rules |
| `tunnels.tf` | Cloudflare Tunnels |
| `access.tf` | Zero Trust Access apps |
| `outputs.tf` | Output values |
## Usage
```bash
# Initialize
terraform init
# Create terraform.tfvars
cat > terraform.tfvars <<EOF
cloudflare_api_token = "your-api-token"
cloudflare_account_name = "your-account-name"
tunnel_secret_vaultmesh = "base64-encoded-secret"
tunnel_secret_offsec = "base64-encoded-secret"
admin_emails = ["admin@vaultmesh.org"]
enable_managed_waf = true
enable_bot_management = false
EOF
# Plan
terraform plan
# Apply
terraform apply
```
## Plan-Aware Security Features
- `enable_managed_waf` applies the managed WAF ruleset only when the zone `plan` is not `"free"`.
- `enable_bot_management` applies bot management settings only when the zone `plan` is not `"free"`.
This lets `terraform apply` succeed on Free-plan zones (DNS, tunnels, Access, settings) while keeping the security posture ready for plan upgrades.
### WAF Truth Table
| Zone plan (`var.domains[*].plan`) | `enable_managed_waf` | `enable_bot_management` | Expected resources |
| --- | --- | --- | --- |
| `free` | any | any | `cloudflare_ruleset.security_rules` only |
| not `free` | `false` | any | `cloudflare_ruleset.security_rules` only |
| not `free` | `true` | `false` | `cloudflare_ruleset.security_rules`, `cloudflare_ruleset.managed_waf` |
| not `free` | `true` | `true` | `cloudflare_ruleset.security_rules`, `cloudflare_ruleset.managed_waf`, `cloudflare_bot_management.domains` |
### Assurance Varfiles
For deterministic gating checks that need only a correctly formatted API token (plan only, no state refresh, no apply), use:
```bash
terraform plan -refresh=false -var-file=assurance_free.tfvars
terraform plan -refresh=false -var-file=assurance_pro.tfvars
```
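The truth table above and the assurance plans are only useful if something checks the plan against them. The script below is an added example, not part of the vm-cloudflare repository: it reads the JSON that `terraform show -json tfplan` produces (run after `terraform plan -out=tfplan -var-file=assurance_pro.tfvars`) and reports, per zone, any gated resource that is present when the table says it should be absent or missing when it should be present. It assumes the gated resources use `for_each` keyed by zone name, so each instance's `index` field in the plan JSON equals the domain; the sample plan embedded at the bottom is constructed to exercise the check offline.

```python
"""Verify a Terraform plan against the README's WAF truth table.

Added example, not part of the vm-cloudflare repository. Reads the JSON from
`terraform show -json tfplan` and checks, per zone, that exactly the gated
resources the truth table predicts survive the apply. Assumption: the gated
resources use for_each keyed by zone name, so `index` equals the domain.
"""
import json
import sys

# Resource addresses named in the truth table.
SECURITY_RULES = "cloudflare_ruleset.security_rules"
MANAGED_WAF = "cloudflare_ruleset.managed_waf"
BOT_MANAGEMENT = "cloudflare_bot_management.domains"
GATED = {SECURITY_RULES, MANAGED_WAF, BOT_MANAGEMENT}


def expected_resources(plan, enable_managed_waf, enable_bot_management):
    """Resources one zone should get, row by row as the truth table states it."""
    expected = {SECURITY_RULES}            # always present, even on free
    if plan == "free" or not enable_managed_waf:
        return expected                    # rows 1 and 2: baseline only
    expected.add(MANAGED_WAF)              # row 3
    if enable_bot_management:
        expected.add(BOT_MANAGEMENT)       # row 4
    return expected


def surviving_instances(plan_json):
    """(resource, index) pairs for managed resources that exist after apply.

    A change whose only action is 'delete' removes the instance; anything
    else (create, update, no-op, replace) leaves it in place.
    """
    out = set()
    for rc in plan_json.get("resource_changes", []):
        if rc.get("mode") != "managed":
            continue                       # skip data sources
        actions = rc.get("change", {}).get("actions", [])
        if actions == ["delete"]:
            continue
        out.add((f'{rc["type"]}.{rc["name"]}', rc.get("index")))
    return out


def check_plan(plan_json, domains, enable_managed_waf, enable_bot_management):
    """Return discrepancies as strings; an empty list means the plan matches."""
    actual = surviving_instances(plan_json)
    problems = []
    for domain in domains:
        name = domain["name"]
        want = {(r, name) for r in expected_resources(
            domain["plan"], enable_managed_waf, enable_bot_management)}
        have = {(r, k) for r, k in actual if k == name and r in GATED}
        problems += [f'missing {r}["{k}"]' for r, k in sorted(want - have)]
        problems += [f'unexpected {r}["{k}"]' for r, k in sorted(have - want)]
    return problems


# Constructed sample in the shape `terraform show -json` emits, trimmed to the
# fields used above: one Pro zone and one Free zone, both flags enabled.
SAMPLE_DOMAINS = [
    {"name": "vaultmesh.org", "plan": "pro"},
    {"name": "offsec.global", "plan": "free"},
]
SAMPLE_PLAN = {
    "resource_changes": [
        {"mode": "managed", "type": "cloudflare_ruleset", "name": "security_rules",
         "index": "vaultmesh.org", "change": {"actions": ["create"]}},
        {"mode": "managed", "type": "cloudflare_ruleset", "name": "managed_waf",
         "index": "vaultmesh.org", "change": {"actions": ["create"]}},
        {"mode": "managed", "type": "cloudflare_bot_management", "name": "domains",
         "index": "vaultmesh.org", "change": {"actions": ["create"]}},
        {"mode": "managed", "type": "cloudflare_ruleset", "name": "security_rules",
         "index": "offsec.global", "change": {"actions": ["create"]}},
        {"mode": "managed", "type": "cloudflare_record", "name": "root",
         "index": "offsec.global", "change": {"actions": ["create"]}},
        {"mode": "data", "type": "cloudflare_zone", "name": "lookup",
         "index": "offsec.global", "change": {"actions": ["read"]}},
    ]
}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_waf_gating.py domains.json 1 1
    # (domains.json: [{"name": ..., "plan": ...}, ...]; flags are 1 or 0)
    if len(sys.argv) == 4:
        plan_json = json.load(sys.stdin)
        with open(sys.argv[1]) as f:
            domains = json.load(f)
        waf, bot = sys.argv[2] == "1", sys.argv[3] == "1"
    else:
        plan_json, domains, waf, bot = SAMPLE_PLAN, SAMPLE_DOMAINS, True, True
    for line in check_plan(plan_json, domains, waf, bot) or ["plan matches truth table"]:
        print(line)
```

Non-gated resources (DNS records, tunnels, Access apps) are deliberately ignored, so the check stays focused on the WAF rows; wiring it into CI after the two assurance plans turns the truth table into an enforced contract rather than documentation.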
## Generate Tunnel Secrets
```bash
# Generate 32-byte random secret, base64 encoded
openssl rand -base64 32
```
## Domains Managed
- vaultmesh.org
- offsec.global
- offsecglobal.com
- offsecagent.com
- offsecshield.com
## Security Notes
- Never commit `terraform.tfvars` to git
- Use environment variables for CI/CD:
  ```bash
  export TF_VAR_cloudflare_api_token="..."
  ```
- Rotate tunnel secrets every 90 days
- Review Access policies regularly
## VaultMesh Integration
After applying, emit a VaultMesh receipt:
```bash
terraform output -json > /var/lib/vaultmesh/snapshots/cloudflare-$(date +%Y%m%d).json
```