vm-cloudflare/ASSURANCE.md
Vault Sovereign f0b8d962de
chore: pre-migration snapshot
Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00


Assurance Run — 2025-12-18

  • Commit: 7f2e60e1c5
  • Tooling: terraform v1.5.7, python3 3.14.2
| Check | Status | Notes |
|---|---|---|
| `terraform fmt -recursive` | | Ran from repo root; terraform rewrote any files that diverged from canonical formatting (see `git status` for changes, if any). |
| `terraform validate` | ⚠️ | After `terraform init`, validation succeeded but emitted deprecation warnings (`cloudflare_access_application` and `cloudflare_record.value` usage). No fixes applied. |
| `python3 -m py_compile layer0/security_classifier.py scripts/*.py` | | All Layer0 + scripts modules compiled. |

Additional context:

  • terraform init was executed to download cloudflare/cloudflare v4.52.5 so that validation could run; .terraform/ and .terraform.lock.hcl were created/updated.
  • No other files were modified manually during this pass.

Canonical Gates (CI / Audit)

These are the operator-safe, auditor-grade checks expected to pass on every sweep.

1) WAF Intel regression + CLI sanity

From cloudflare/:

```bash
# Install dev deps (once)
python3 -m pip install -r requirements-dev.txt

# Full test suite
python3 -m pytest -q

# Analyzer regression only
python3 -m pytest -q tests/test_waf_intelligence_analyzer.py

# WAF Intel CLI (must not emit false "no managed WAF" warnings)
python3 -m mcp.waf_intelligence --file terraform/waf.tf --format json --limit 5 | python3 -m json.tool
```

Acceptance:

  • Exit code 0
  • JSON parses
  • insights is [] (or informational-only; no false "No managed WAF rules detected" warning)

2) Terraform hardening correctness (empty-list safety + plan gates)

From cloudflare/terraform/:

```bash
terraform fmt -recursive
terraform init
terraform validate

# Free-plan path (managed WAF + bot mgmt must be gated off even if flags are true)
terraform plan -refresh=false -var-file=assurance_free.tfvars

# Paid-plan path (managed WAF + bot mgmt appear when flags are true)
terraform plan -refresh=false -var-file=assurance_pro.tfvars
```

Acceptance:

  • Both plans succeed (no {} expression errors)
  • Paid-plan run includes cloudflare_ruleset.managed_waf / cloudflare_bot_management.domains
  • Free-plan run does not include those resources

One-shot (runs all gates + JSON-plan assertions):

```bash
bash scripts/waf-and-plan-invariants.sh
```
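The acceptance criteria for gates 1 and 2 can be checked offline against the JSON both tools emit. The block below is an added example, not `scripts/waf-and-plan-invariants.sh` or any other code from this repo; it reads the `resource_changes` array that `terraform show -json <planfile>` prints, and it assumes the WAF Intel CLI's `insights` entries carry `severity` and `message` fields. Both inputs are constructed samples.

```python
"""Offline assertions for the plan gates and WAF Intel acceptance (added example).
Plan shape follows `terraform show -json`; the insights[].severity/.message
shape is an assumption about the WAF Intel CLI output."""
import json

# Resources that must appear on the paid-plan path and be absent on the free-plan path.
GATED = {"cloudflare_ruleset.managed_waf", "cloudflare_bot_management.domains"}
FALSE_WARNING = "No managed WAF rules detected"


def plan_addresses(plan):
    """Addresses of every resource the plan keeps or creates (deletions excluded)."""
    return {rc["address"] for rc in plan.get("resource_changes", [])
            if "delete" not in rc["change"]["actions"]}


def check_plan_gates(plan, paid_plan):
    """Return violations: paid plan must include GATED, free plan must not."""
    present = plan_addresses(plan) & GATED
    if paid_plan:
        return sorted(f"missing on paid plan: {a}" for a in GATED - present)
    return sorted(f"present on free plan: {a}" for a in present)


def check_waf_intel(output_text):
    """JSON must parse; insights may be informational only; no false warning."""
    data = json.loads(output_text)  # raises ValueError on malformed output
    violations = []
    for ins in data.get("insights", []):
        if FALSE_WARNING in ins.get("message", ""):
            violations.append("false warning: " + ins["message"])
        elif ins.get("severity", "info") != "info":
            violations.append(f"non-informational insight: {ins['message']}")
    return violations


# Constructed sample inputs (not real plan output).
PAID_PLAN = {"resource_changes": [
    {"address": "cloudflare_ruleset.managed_waf", "change": {"actions": ["create"]}},
    {"address": "cloudflare_bot_management.domains", "change": {"actions": ["create"]}},
    {"address": "cloudflare_record.root", "change": {"actions": ["no-op"]}},
]}
FREE_PLAN = {"resource_changes": [
    {"address": "cloudflare_record.root", "change": {"actions": ["no-op"]}},
]}
WAF_OUTPUT = json.dumps({"insights": [
    {"severity": "info", "message": "3 custom rules reference managed challenge"}]})

if __name__ == "__main__":
    print(check_plan_gates(PAID_PLAN, True), check_plan_gates(FREE_PLAN, False))
    print(check_waf_intel(WAF_OUTPUT))
```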

Notes for sandboxed runs

Some sandboxed execution environments block Terraform provider plugins from binding unix sockets, which surfaces as:

```text
Unrecognized remote plugin message
...
listen unix ...: bind: operation not permitted
```

Run Terraform with the necessary OS permissions (or outside the sandbox) in that case.