vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f0b8d962de8f3d8a98b33d43419fa3bcb53eee58
vm-cloudflare/ASSURANCE.md
Vault Sovereign f0b8d962de
Some checks failed
WAF Intelligence Guardrail / waf-intel (push) Waiting to run
Details
Cloudflare Registry Validation / validate-registry (push) Has been cancelled
Details
chore: pre-migration snapshot 
Layer0, MCP servers, Terraform consolidation
2025-12-27 01:52:27 +00:00

82 lines
2.7 KiB
Markdown
Raw Blame History

# Assurance Run — 2025-12-18
- Commit: 7f2e60e1c514fbe2f459d6c2080841db7e167d85
- Tooling: `terraform v1.5.7`, `python3 3.14.2`
| Check | Status | Notes |
| --- | --- | --- |
| `terraform fmt -recursive` | ✅ | Ran from repo root; terraform rewrote any files that diverged from canonical formatting (see `git status` for changes, if any). |
| `terraform validate` | ⚠️ | After `terraform init`, validation succeeded but emitted deprecation warnings (`cloudflare_access_application` and `cloudflare_record.value` usage). No fixes applied. |
| `python3 -m py_compile layer0/security_classifier.py scripts/*.py` | ✅ | All Layer0 + scripts modules compiled. |
Additional context:
- `terraform init` was executed to download `cloudflare/cloudflare v4.52.5` so that validation could run; `.terraform/` and `.terraform.lock.hcl` were created/updated.
- No other files were modified manually during this pass.
---
## Canonical Gates (CI / Audit)
These are the *operator-safe, auditor-grade* checks expected to pass on every sweep.
### 1) WAF Intel regression + CLI sanity
From `cloudflare/`:
```bash
# Install dev deps (once)
python3 -m pip install -r requirements-dev.txt
# Full test suite
python3 -m pytest -q
# Analyzer regression only
python3 -m pytest -q tests/test_waf_intelligence_analyzer.py
# WAF Intel CLI (must not emit false "no managed WAF" warnings)
python3 -m mcp.waf_intelligence --file terraform/waf.tf --format json --limit 5 | python3 -m json.tool
```
Acceptance:
- Exit code 0
- JSON parses
- `insights` is `[]` (or informational-only; no false `"No managed WAF rules detected"` warning)
### 2) Terraform hardening correctness (empty-list safety + plan gates)
From `cloudflare/terraform/`:
```bash
terraform fmt -recursive
terraform init
terraform validate
# Free-plan path (managed WAF + bot mgmt must be gated off even if flags are true)
terraform plan -refresh=false -var-file=assurance_free.tfvars
# Paid-plan path (managed WAF + bot mgmt appear when flags are true)
terraform plan -refresh=false -var-file=assurance_pro.tfvars
```
Acceptance:
- Both plans succeed (no `{}` expression errors)
- Paid-plan run includes `cloudflare_ruleset.managed_waf` / `cloudflare_bot_management.domains`
- Free-plan run does not include those resources
One-shot (runs all gates + JSON-plan assertions):
```bash
bash scripts/waf-and-plan-invariants.sh
```
### Notes for sandboxed runs
Some sandboxed execution environments block Terraform provider plugins from binding unix sockets, which surfaces as:
```
Unrecognized remote plugin message
...
listen unix ...: bind: operation not permitted
```
Run Terraform with the necessary OS permissions (or outside the sandbox) in that case.
Reference in New Issue View Git Blame Copy Permalink