# Cloudflare Terraform Configuration

Infrastructure as Code for VaultMesh and OffSec Cloudflare resources.
## Prerequisites

- Terraform >= 1.0
- Cloudflare API token with permissions:
  - Zone: Edit
  - DNS: Edit
  - Access: Edit
  - Argo Tunnel: Edit
  - WAF: Edit
## Files

| File | Description |
|---|---|
| `main.tf` | Provider configuration |
| `variables.tf` | Input variables |
| `zones.tf` | Zone creation and settings |
| `dns.tf` | DNS records |
| `waf.tf` | WAF and firewall rules |
| `tunnels.tf` | Cloudflare Tunnels |
| `access.tf` | Zero Trust Access apps |
| `outputs.tf` | Output values |
## Usage

```bash
# Initialize
terraform init

# Create terraform.tfvars
cat > terraform.tfvars <<EOF
cloudflare_api_token = "your-api-token"
cloudflare_account_name = "your-account-name"
tunnel_secret_vaultmesh = "base64-encoded-secret"
tunnel_secret_offsec = "base64-encoded-secret"
admin_emails = ["admin@vaultmesh.org"]
enable_managed_waf = true
enable_bot_management = false
EOF

# Plan
terraform plan

# Apply
terraform apply
```
## Plan-Aware Security Features

- `enable_managed_waf` applies the managed WAF ruleset only when the zone `plan` is not `"free"`.
- `enable_bot_management` applies bot management settings only when the zone `plan` is not `"free"`.

This lets `terraform apply` succeed on Free-plan zones (DNS, tunnels, Access, settings) while keeping the security posture ready for plan upgrades.
## WAF Truth Table

| Zone plan (`var.domains[*].plan`) | `enable_managed_waf` | `enable_bot_management` | Expected resources |
|---|---|---|---|
| free | any | any | `cloudflare_ruleset.security_rules` only |
| not free | false | any | `cloudflare_ruleset.security_rules` only |
| not free | true | false | `cloudflare_ruleset.security_rules`, `cloudflare_ruleset.managed_waf` |
| not free | true | true | `cloudflare_ruleset.security_rules`, `cloudflare_ruleset.managed_waf`, `cloudflare_bot_management.domains` |
## Assurance Varfiles

For deterministic, token-format-safe gating checks (no apply), use:

```bash
terraform plan -refresh=false -var-file=assurance_free.tfvars
terraform plan -refresh=false -var-file=assurance_pro.tfvars
```
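The assurance plans above can be checked mechanically against the WAF truth table. The following script is an added example, not part of this repository: it encodes the table exactly as written and compares it with the resources that a `terraform show -json plan.out` output says will be created. The plan JSON embedded below is constructed for illustration and carries only the fields the check reads.

```python
"""Compare a Terraform plan (JSON form) with the WAF gating truth table."""
import json

GATED = {
    "cloudflare_ruleset.security_rules",
    "cloudflare_ruleset.managed_waf",
    "cloudflare_bot_management.domains",
}


def expected_resources(zone_plan, enable_managed_waf, enable_bot_management):
    """Security resources the README's truth table says must be planned."""
    expected = {"cloudflare_ruleset.security_rules"}
    if zone_plan == "free" or not enable_managed_waf:
        return expected  # Free plan or WAF disabled: baseline rules only
    expected.add("cloudflare_ruleset.managed_waf")
    if enable_bot_management:
        expected.add("cloudflare_bot_management.domains")
    return expected


def planned_resources(plan_json):
    """Set of 'type.name' addresses (instance keys dropped) the plan creates."""
    created = set()
    for rc in json.loads(plan_json).get("resource_changes", []):
        if "create" in rc["change"]["actions"]:
            created.add(f'{rc["type"]}.{rc["name"]}')
    return created


def check_gating(plan_json, zone_plan, enable_managed_waf, enable_bot_management):
    """Return (ok, missing, unexpected) restricted to the gated security resources."""
    want = expected_resources(zone_plan, enable_managed_waf, enable_bot_management)
    got = planned_resources(plan_json) & GATED
    return want == got, want - got, got - want


# Constructed sample plan: a non-free zone with enable_managed_waf=true,
# enable_bot_management=false, plus an unrelated DNS record.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": 'cloudflare_ruleset.security_rules["vaultmesh.org"]', "type": "cloudflare_ruleset",
     "name": "security_rules", "change": {"actions": ["create"]}},
    {"address": 'cloudflare_ruleset.managed_waf["vaultmesh.org"]', "type": "cloudflare_ruleset",
     "name": "managed_waf", "change": {"actions": ["create"]}},
    {"address": 'cloudflare_record.dns["vaultmesh.org"]', "type": "cloudflare_record",
     "name": "dns", "change": {"actions": ["create"]}},
]})

if __name__ == "__main__":
    ok, missing, extra = check_gating(SAMPLE_PLAN, "pro", True, False)
    print("gating ok" if ok else f"missing={missing} unexpected={extra}")
```

Run it against real output with `terraform plan -refresh=false -var-file=assurance_pro.tfvars -out=plan.out && terraform show -json plan.out > plan.json`, then pass the file contents to `check_gating` with the same plan and flag values as the varfile.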
## Generate Tunnel Secrets

```bash
# Generate 32-byte random secret, base64 encoded
openssl rand -base64 32
```
## Domains Managed

- vaultmesh.org
- offsec.global
- offsecglobal.com
- offsecagent.com
- offsecshield.com
## Security Notes

- Never commit `terraform.tfvars` to git
- Use environment variables for CI/CD: `export TF_VAR_cloudflare_api_token="..."`
- Rotate tunnel secrets every 90 days
- Review Access policies regularly
## VaultMesh Integration

After applying, emit a VaultMesh receipt:

```bash
terraform output -json > /var/lib/vaultmesh/snapshots/cloudflare-$(date +%Y%m%d).json
```