- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
Cloudflare Terraform Configuration
Infrastructure as Code for VaultMesh and OffSec Cloudflare resources.
Prerequisites
- Terraform >= 1.0
- Cloudflare API token with permissions:
- Zone: Edit
- DNS: Edit
- Access: Edit
- Argo Tunnel: Edit
- WAF: Edit
Files
| File | Description |
|---|---|
| main.tf | Provider configuration |
| variables.tf | Input variables |
| zones.tf | Zone creation and settings |
| dns.tf | DNS records |
| waf.tf | WAF and firewall rules |
| tunnels.tf | Cloudflare Tunnels |
| access.tf | Zero Trust Access apps |
| outputs.tf | Output values |
Usage

```bash
# Initialize
terraform init

# Create terraform.tfvars (never commit this file; see Security Notes)
cat > terraform.tfvars <<EOF
cloudflare_api_token = "your-api-token"
cloudflare_account_name = "your-account-name"
tunnel_secret_vaultmesh = "base64-encoded-secret"
tunnel_secret_offsec = "base64-encoded-secret"
admin_emails = ["admin@vaultmesh.org"]
EOF

# Plan
terraform plan

# Apply
terraform apply
```
Generate Tunnel Secrets

```bash
# Generate a 32-byte random secret, base64 encoded
openssl rand -base64 32
```
Domains Managed
- vaultmesh.org
- offsec.global
- offsecglobal.com
- offsecagent.com
- offsecshield.com
Security Notes
- Never commit `terraform.tfvars` to git
- Use environment variables for CI/CD: `export TF_VAR_cloudflare_api_token="..."`
- Rotate tunnel secrets every 90 days
- Review Access policies regularly
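The Usage, Generate Tunnel Secrets and Security Notes sections above describe one procedure: supply the inputs (as a never-committed `terraform.tfvars` locally, as `TF_VAR_*` environment variables in CI), feed Cloudflare Tunnel a 32-byte base64 secret, and rotate that secret every 90 days. The script below is an added example that turns those rules into pre-flight checks a pipeline can run before `terraform plan`; it is not a script from this repository. The function names, the `REQUIRED_TF_VARS` list (taken from the `terraform.tfvars` keys above) and the `.gitignore` pattern check are assumptions; it needs `openssl`, a `base64` that accepts `-d` (GNU coreutils or recent macOS) and `wc`.

```shell
#!/bin/sh
# Pre-flight checks for the terraform.tfvars / TF_VAR_* workflow and the
# tunnel-secret guidance in this README. Added example, not repository code:
# function names, REQUIRED_TF_VARS and the 90-day window are assumptions
# drawn from the README's own text.
set -eu

# The inputs terraform.tfvars supplies; in CI they must arrive as
# TF_VAR_<name> environment variables instead of a committed file.
REQUIRED_TF_VARS="cloudflare_api_token cloudflare_account_name tunnel_secret_vaultmesh tunnel_secret_offsec"

# Generate a 32-byte random tunnel secret, base64 encoded (the README's command).
generate_tunnel_secret() {
    openssl rand -base64 32
}

# Succeed only if $1 is base64 that decodes to exactly 32 bytes, the length
# a tunnel secret must have; catches truncated or hand-typed values before
# terraform apply does. Invalid base64 decodes to fewer bytes and so fails.
validate_tunnel_secret() {
    decoded_len=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${decoded_len:-0}" -eq 32 ]
}

# Print the required TF_VAR_* names that are unset or empty (space separated,
# one line) and succeed only when none are missing.
missing_tf_vars() {
    missing=""
    for name in $REQUIRED_TF_VARS; do
        eval "value=\${TF_VAR_${name}:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Succeed if .gitignore in directory $1 lists terraform.tfvars (or *.tfvars),
# so the API token cannot be committed by accident. This is a plain pattern
# check; inside a repository `git check-ignore terraform.tfvars` is authoritative.
tfvars_is_ignored() {
    grep -qsxE 'terraform\.tfvars|\*\.tfvars' "$1/.gitignore"
}

# Succeed if a secret rotated at epoch-seconds $1 is still inside the 90-day
# rotation window at epoch-seconds $2 (default: now); fail when rotation is due.
rotation_within_window() {
    rotated_at=$1
    now=${2:-$(date +%s)}
    max_age=$((90 * 24 * 60 * 60))
    [ $((now - rotated_at)) -le "$max_age" ]
}

# Run every check against repository directory $1 and report the first failure.
preflight() {
    repo_dir=${1:-.}
    tfvars_is_ignored "$repo_dir" || { echo "terraform.tfvars is not gitignored"; return 1; }
    missing=$(missing_tf_vars) || { echo "missing TF_VAR_: $missing"; return 1; }
    validate_tunnel_secret "$TF_VAR_tunnel_secret_vaultmesh" \
        || { echo "tunnel_secret_vaultmesh is not a 32-byte base64 secret"; return 1; }
    validate_tunnel_secret "$TF_VAR_tunnel_secret_offsec" \
        || { echo "tunnel_secret_offsec is not a 32-byte base64 secret"; return 1; }
    echo "preflight ok"
}
```

Source the file and call `preflight .` as the first step of the CI job that runs `terraform plan`; a missing `TF_VAR_*`, an unignored `terraform.tfvars` or a malformed tunnel secret then fails the job before any Cloudflare API call is made. `rotation_within_window` expects you to record when each tunnel secret was last generated (for example as a CI variable) and compare against it.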
VaultMesh Integration
After applying, emit a VaultMesh receipt:

```bash
terraform output -json > /var/lib/vaultmesh/snapshots/cloudflare-$(date +%Y%m%d).json
```