vm-cloudflare/terraform/README.md

# Cloudflare Terraform Configuration

Infrastructure as Code for VaultMesh and OffSec Cloudflare resources.

## Prerequisites

1. Terraform >= 1.0
2. Cloudflare API token with permissions:
   - Zone: Edit
   - DNS: Edit
   - Access: Edit
   - Argo Tunnel: Edit
   - WAF: Edit

## Files

| File | Description |
|------|-------------|
| `main.tf` | Provider configuration |
| `variables.tf` | Input variables |
| `zones.tf` | Zone creation and settings |
| `dns.tf` | DNS records |
| `waf.tf` | WAF and firewall rules |
| `tunnels.tf` | Cloudflare Tunnels |
| `access.tf` | Zero Trust Access apps |
| `outputs.tf` | Output values |

## Usage

```bash
# Initialize
terraform init

# Create terraform.tfvars
cat > terraform.tfvars <<EOF
cloudflare_api_token    = "your-api-token"
cloudflare_account_name = "your-account-name"
tunnel_secret_vaultmesh = "base64-encoded-secret"
tunnel_secret_offsec    = "base64-encoded-secret"
admin_emails            = ["admin@vaultmesh.org"]
EOF

# Plan
terraform plan

# Apply
terraform apply
```

## Generate Tunnel Secrets

```bash
# Generate 32-byte random secret, base64 encoded
openssl rand -base64 32
```

## Domains Managed

- vaultmesh.org
- offsec.global
- offsecglobal.com
- offsecagent.com
- offsecshield.com

## Security Notes

- Never commit `terraform.tfvars` to git
- Use environment variables for CI/CD:
  ```bash
  export TF_VAR_cloudflare_api_token="..."
  ```
- Rotate tunnel secrets every 90 days
- Review Access policies regularly

## VaultMesh Integration

After applying, emit a VaultMesh receipt:
```bash
terraform output -json > /var/lib/vaultmesh/snapshots/cloudflare-$(date +%Y%m%d).json
```