vm-cloudflare/gitops/config.yml
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00


# Phase 6 GitOps Configuration
# Cloudflare Mesh Observatory - PR Workflows
#
# This config drives:
# - Risk classification for Terraform changes
# - Drift PR generation
# - CI plan comments
# - Alertmanager → GitLab webhook triggers
---
# ==============================================================================
# GIT PLATFORM CONFIGURATION
# ==============================================================================
gitlab:
  # "${VAR:-default}" / "${VAR}" are expanded by whatever loads this config,
  # presumably — a plain YAML loader hands the literal text through. Confirm
  # against the consumer before relying on the default.
  base_url: "${GITLAB_BASE_URL:-https://gitlab.com}"
  project_id: "${GITLAB_PROJECT_ID}"
  default_branch: "main"
  # API settings
  api_version: "v4"
  timeout_seconds: 30
  # No API credential is configured in this section; presumably the consumer
  # reads it from the environment — confirm, and keep it out of this file.

# GitHub alternative (uncomment if using GitHub)
# github:
#   base_url: "https://api.github.com"
#   owner: "your-org"
#   repo: "cloudflare-infra"
#   default_branch: "main"
# ==============================================================================
# TERRAFORM CONFIGURATION
# ==============================================================================
terraform:
  working_dir: "terraform"
  # Plan and state file names; presumably resolved relative to working_dir —
  # confirm against the consumer.
  plan_file: "plan.tfplan"
  state_file: "terraform.tfstate"
  # Backend configuration hints (for plan summarizer)
  # NOTE(review): with a local backend the state file and the saved plan sit
  # unencrypted on disk and can contain sensitive values; keep both out of VCS.
  backend_type: "local" # or "s3", "gcs", "azurerm", etc.
  # Parallelism for plan operations
  parallelism: 10
# ==============================================================================
# RISK CLASSIFICATION
# ==============================================================================
# Maps Cloudflare resource types to risk levels
# Used by plan_summarizer.py to score changes
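risk:
  # DNS changes - high blast radius
  dns:
    resource_types:
      - "cloudflare_record"
      - "cloudflare_zone"
      - "cloudflare_zone_settings_override"
      - "cloudflare_zone_dnssec"
    base_risk: "high"
  # WAF/Security changes - security-critical
  waf:
    resource_types:
      - "cloudflare_waf_rule"
      - "cloudflare_waf_package"
      - "cloudflare_waf_group"
      - "cloudflare_waf_override"
      - "cloudflare_firewall_rule"
      - "cloudflare_filter"
      - "cloudflare_rate_limit"
      - "cloudflare_zone_lockdown"
      - "cloudflare_access_rule"
      - "cloudflare_user_agent_blocking_rule"
    base_risk: "high"
  # Tunnel changes - connectivity-critical
  tunnels:
    resource_types:
      - "cloudflare_tunnel"
      - "cloudflare_tunnel_config"
      - "cloudflare_tunnel_route"
      - "cloudflare_argo_tunnel"
    base_risk: "high"
  # Access/Zero Trust - identity-critical
  access:
    resource_types:
      - "cloudflare_access_application"
      - "cloudflare_access_policy"
      - "cloudflare_access_group"
      - "cloudflare_access_identity_provider"
      - "cloudflare_access_service_token"
      - "cloudflare_access_ca_certificate"
      - "cloudflare_access_mutual_tls_certificate"
      - "cloudflare_teams_account"
      - "cloudflare_teams_list"
      - "cloudflare_teams_rule"
      - "cloudflare_device_posture_rule"
      - "cloudflare_device_posture_integration"
      # An API token is a credential: creating, rescoping or rotating one is an
      # identity change. Moved here from "other" so it is scored "high" (two
      # approvals under drift_pr.approvals_required) instead of "low", which is
      # the only tier listed in drift_pr.auto_merge.allowed_risk_levels.
      - "cloudflare_api_token"
    base_risk: "high"
  # Performance/Caching - medium risk
  performance:
    resource_types:
      - "cloudflare_page_rule"
      - "cloudflare_tiered_cache"
      - "cloudflare_cache_reserve"
      - "cloudflare_regional_tiered_cache"
      - "cloudflare_argo"
      - "cloudflare_load_balancer"
      - "cloudflare_load_balancer_pool"
      - "cloudflare_load_balancer_monitor"
    base_risk: "medium"
  # Workers - code deployment
  workers:
    resource_types:
      - "cloudflare_worker_script"
      - "cloudflare_worker_route"
      - "cloudflare_worker_cron_trigger"
      - "cloudflare_workers_kv_namespace"
      - "cloudflare_workers_kv"
    base_risk: "medium"
  # Certificates - availability-critical
  certificates:
    resource_types:
      - "cloudflare_certificate_pack"
      - "cloudflare_origin_ca_certificate"
      - "cloudflare_authenticated_origin_pulls"
      - "cloudflare_authenticated_origin_pulls_certificate"
    base_risk: "high"
  # Other/Low risk
  # NOTE(review): logpush/logpull changes alter what reaches downstream log
  # analysis, and notification-policy changes alter who gets alerted; at "low"
  # they get a single approval. Consider "medium" if detection depends on them.
  other:
    resource_types:
      - "cloudflare_logpush_job"
      - "cloudflare_logpull_retention"
      - "cloudflare_notification_policy"
      - "cloudflare_notification_policy_webhooks"
    base_risk: "low"
  # Action-based risk modifiers, added to the group's base level. Presumably
  # the consumer clamps the sum to the levels below ("high" + delete would
  # exceed "critical", no-op goes negative) — confirm in plan_summarizer.py.
  actions:
    create:
      modifier: 0 # Neutral - new resources
    update:
      modifier: 1 # +1 risk level
    delete:
      modifier: 2 # +2 risk levels (always dangerous)
    replace:
      modifier: 2 # Same as delete (destroy + create)
    no-op:
      modifier: -10 # Effectively ignore
  # Final risk level mapping
  levels:
    low: 0
    medium: 1
    high: 2
    critical: 3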
# ==============================================================================
# DRIFT PR CONFIGURATION
# ==============================================================================
drift_pr:
  # Branch naming
  branch_prefix: "drift/remediation-"
  # MR/PR settings
  title_prefix: "Drift Remediation"
  labels:
    - "drift"
    - "terraform"
    - "auto-generated"
  # Reviewer groups keyed by the risk group a change falls into;
  # "default" is used when no group matches.
  reviewer_mapping:
    dns:
      - "dns-team"
    waf:
      - "security-team"
    tunnels:
      - "infra-team"
    access:
      - "security-team"
      - "identity-team"
    default:
      - "platform-team"
  # Number of approvals needed, keyed by final risk level
  approvals_required:
    low: 1
    medium: 1
    high: 2
    critical: 2
  # Auto-merge is off; when enabled it applies only to the risk levels listed
  # and only after a successful pipeline.
  auto_merge:
    enabled: false
    allowed_risk_levels:
      - "low"
    require_pipeline_success: true
# ==============================================================================
# CI PLAN COMMENT CONFIGURATION
# ==============================================================================
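ci:
  comment_header: "Terraform Plan Summary"
  # What to include in comments
  include:
    risk_summary: true
    resource_table: true
    action_counts: true
    affected_zones: true
    compliance_flags: true
  # Collapse large tables
  collapse_threshold: 10
  # Links embedded in the plan comment. A comment posted to the MR is read
  # from the reviewer's machine, where localhost links are dead; the URLs are
  # therefore taken from the environment (new variables, same "${VAR:-default}"
  # convention as gitlab.base_url) with the previous localhost values kept as
  # defaults for local runs.
  dashboard_links:
    grafana: "${GRAFANA_DASHBOARD_URL:-http://localhost:3000/d/cloudflare-overview}"
    prometheus: "${PROMETHEUS_URL:-http://localhost:9090}"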
# ==============================================================================
# ALERTMANAGER WEBHOOK INTEGRATION
# ==============================================================================
webhook:
  # GitLab pipeline trigger
  gitlab_trigger:
    enabled: true
    # Secret supplied through the environment; never a literal value here.
    trigger_token: "${GITLAB_TRIGGER_TOKEN}"
    # Fixed ref for the triggered pipeline; presumably the alert payload cannot
    # override it — confirm in the webhook handler.
    ref: "main"
  # Alerts that trigger drift remediation
  # Names must match the alertname label emitted by Alertmanager, presumably —
  # confirm against the alert rules.
  trigger_alerts:
    - "DNSDriftDetected"
    - "WAFRuleMissing"
    - "TunnelConfigChanged"
    - "InvariantViolation"
    - "FirewallRuleMissing"
  # Alerts that only notify (no auto-PR)
  notify_only_alerts:
    - "DNSHijackDetected" # Security incident - manual only
    - "ProofchainIntegrityFailure" # Never auto-remediate
    - "WAFRuleBypass" # Needs investigation first
# ==============================================================================
# SLACK NOTIFICATIONS
# ==============================================================================
slack:
  # Incoming-webhook URL is a secret; supplied through the environment.
  webhook_url: "${SLACK_WEBHOOK_URL}"
  # Quoted on purpose: an unquoted leading "#" would start a YAML comment.
  channel: "#cloudflare-gitops"
  # Notification settings
  notify_on:
    pr_created: true
    pr_merged: true
    pr_failed: true
    high_risk_plan: true
  # Message templates. "|" keeps the line breaks and one trailing newline;
  # the {placeholders} are presumably filled by the consumer — confirm the
  # exact field names it supports.
  templates:
    pr_created: |
      *GitOps PR Created*
      Title: {title}
      Risk Level: {risk_level}
      Changes: {change_count}
      Link: {url}
    pr_merged: |
      *GitOps PR Merged*
      Title: {title}
      Merged by: {merged_by}
      Applied changes: {change_count}
# ==============================================================================
# COMPLIANCE INTEGRATION
# ==============================================================================
compliance:
  # Flag changes that affect compliance frameworks.
  # Each trigger matches on resource_types plus either changed fields or
  # plan actions; the matching rules live in the consumer, not here.
  frameworks:
    - name: "SOC2"
      triggers:
        - resource_types: ["cloudflare_zone_settings_override"]
          fields: ["ssl", "always_use_https", "min_tls_version"]
        # NOTE(review): only cloudflare_waf_rule is covered here, whereas
        # PCI-DSS below uses the "cloudflare_waf_*" pattern; the other
        # resources grouped under risk.waf (firewall rules, rate limits,
        # zone lockdowns) are not covered by any framework in this list.
        - resource_types: ["cloudflare_waf_rule"]
          actions: ["delete"]
    - name: "PCI-DSS"
      triggers:
        - resource_types: ["cloudflare_zone_settings_override"]
          fields: ["min_tls_version"]
        # NOTE(review): the trailing "*" needs wildcard matching in the
        # consumer (plan_summarizer.py per the risk section) — confirm, or
        # list the types explicitly as the risk section does.
        - resource_types: ["cloudflare_waf_*"]
          actions: ["delete", "update"]
    - name: "HIPAA"
      triggers:
        - resource_types: ["cloudflare_zone_settings_override"]
          fields: ["ssl", "always_use_https"]
        - resource_types: ["cloudflare_access_*"]
          actions: ["delete"]
  # Add compliance warnings to PR descriptions
  add_warnings: true
  # Block merge for compliance violations. While false, a flagged change is
  # only annotated; merge protection comes solely from approvals_required.
  block_on_violation: false # Set true for strict mode
# ==============================================================================
# PHASE 7: WAF INTELLIGENCE CONFIGURATION
# ==============================================================================
waf_intelligence:
# Enable/disable Phase 7 features
enabled: true
# Threat intelligence collection
threat_intel:
enabled: true
log_paths:
- "logs/cloudflare"
- "/var/log/cloudflare"
max_indicators: 100
min_hit_count: 3 # Minimum hits before flagging
# External threat feeds (optional)
external_feeds:
abuseipdb:
enabled: false
api_key: "${ABUSEIPDB_API_KEY}"
min_abuse_score: 80
emerging_threats:
enabled: false
feed_url: "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
# ML classifier settings
classifier:
enabled: true
min_confidence: 0.7
sample_limit: 50
# Attack type detection
detect_types:
- sqli
- xss
- rce
- path_traversal
- scanner
# Rule proposal settings
proposals:
max_per_batch: 10
auto_deploy_min_confidence: 0.85
auto_deploy_severities:
- critical
- high
require_review_severities:
- medium
- low
# GitOps integration for WAF rules
gitops:
create_mrs: true
branch_prefix: "waf-intel/"
labels:
- "waf-intelligence"
- "auto-generated"
- "security"
reviewers:
- "security-team"
# Auto-merge high-confidence critical blocks
auto_merge:
enabled: false
min_confidence: 0.95
allowed_severities:
- critical