vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
7f2e60e1c514fbe2f459d6c2080841db7e167d85
vm-cloudflare/terraform/waf.tf
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

92 lines
2.7 KiB
HCL
Raw Blame History

# WAF Rulesets and Firewall Rules
# Block non-HTTPS (should be handled by always_use_https, but explicit rule)
resource "cloudflare_ruleset" "security_rules" {
for_each = cloudflare_zone.domains
zone_id = each.value.id
name = "Security Rules"
kind = "zone"
phase = "http_request_firewall_custom"
# Rule 1: Block requests to /admin from non-trusted IPs
rules {
action = "block"
expression = "(http.request.uri.path contains \"/admin\") and not (ip.src in {${join(" ", var.trusted_admin_ips)}})"
description = "Block admin access from untrusted IPs"
enabled = length(var.trusted_admin_ips) > 0
}
# Rule 2: Challenge suspicious countries
rules {
action = "managed_challenge"
expression = "(ip.src.country in {\"${join("\" \"", var.blocked_countries)}\"})"
description = "Challenge traffic from high-risk countries"
enabled = true
}
# Rule 3: Block known bad user agents
rules {
action = "block"
expression = "(http.user_agent contains \"sqlmap\") or (http.user_agent contains \"nikto\") or (http.user_agent contains \"nmap\")"
description = "Block known scanning tools"
enabled = true
}
# Rule 4: Rate limit API endpoints
rules {
action = "block"
ratelimit {
characteristics = ["ip.src"]
period = 10
requests_per_period = 30
mitigation_timeout = 60
}
expression = "(http.request.uri.path starts_with \"/api/\")"
description = "Rate limit API endpoints"
enabled = true
}
}
# Enable Cloudflare Managed WAF Ruleset
resource "cloudflare_ruleset" "managed_waf" {
for_each = cloudflare_zone.domains
zone_id = each.value.id
name = "Managed WAF"
kind = "zone"
phase = "http_request_firewall_managed"
# Cloudflare Managed Ruleset
rules {
action = "execute"
action_parameters {
id = "efb7b8c949ac4650a09736fc376e9aee" # Cloudflare Managed Ruleset
}
expression = "true"
description = "Execute Cloudflare Managed Ruleset"
enabled = true
}
# OWASP Core Ruleset
rules {
action = "execute"
action_parameters {
id = "4814384a9e5d4991b9815dcfc25d2f1f" # OWASP Core Ruleset
}
expression = "true"
description = "Execute OWASP Core Ruleset"
enabled = true
}
}
# Bot Management (if available on plan)
resource "cloudflare_bot_management" "domains" {
for_each = cloudflare_zone.domains
zone_id = each.value.id
enable_js = true
fight_mode = true
sbfm_definitely_automated = "block"
sbfm_likely_automated = "managed_challenge"
sbfm_verified_bots = "allow"
sbfm_static_resource_protection = false
}
Reference in New Issue View Git Blame Copy Permalink