Overview:

We use Cloudflare to provide security for Safi domains. We use the recommended Managed rules with the default sensitivities. We also use a few custom rules.

The rules are enabled through Terraform, with the ability to change the implemented rules and their sensitivities in the future.

Implementation:

  • The Cloudflare API token necessary for this implementation can be found in our Vault; it is generated via Terraform in this file. The permission documentation can be found here. There is an error in the documentation: Terraform uses Write instead of Edit.

    resource "cloudflare_api_token" "waf" {
      provider = cloudflare.tokens # aliased provider used for token management
      name     = format("%s-%s-env-waf-api", local.prefix, var.env_name) # name of the token

      policy {
        permission_groups = [ # permissions granted to this token
          data.cloudflare_api_token_permission_groups.all.permissions["Account WAF Write"],
          data.cloudflare_api_token_permission_groups.all.permissions["Account Rulesets Write"],
          data.cloudflare_api_token_permission_groups.all.permissions["Account Firewall Access Rules Write"],
          data.cloudflare_api_token_permission_groups.all.permissions["Zone WAF Write"],
          data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
          data.cloudflare_api_token_permission_groups.all.permissions["Firewall Services Write"],
          data.cloudflare_api_token_permission_groups.all.permissions["Sanitize Write"],
          data.cloudflare_api_token_permission_groups.all.permissions["Bot Management Write"]
        ]
        resources = { # the resources (account and zone) the token has access to
          "com.cloudflare.api.account.${data.cloudflare_zone.safi_domain.account_id}" = "*",
          "com.cloudflare.api.account.zone.${data.cloudflare_zone.safi_domain.zone_id}" = "*"
        }
      }
    }

  • We use both Managed and Custom rules.
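  The following is an added example of how the Managed and Custom rules described above can be deployed with Terraform's cloudflare_ruleset resource; it is not the project's own code. It assumes the cloudflare_zone data source named safi_domain from the token block above, the resource names managed_waf and custom_waf (hypothetical), a placeholder allowlist range 203.0.113.0/24 (documentation range, not a real Safi network) and an /admin path. The managed ruleset ID is the Cloudflare Managed Ruleset ID published in Cloudflare's WAF documentation; verify it against the current docs before applying. Managed rules run with their default sensitivities because no overrides block is set.

```hcl
# Added example (not project code): deploy Cloudflare Managed WAF rules
# with default sensitivities, plus one custom rule, via cloudflare_ruleset.

# Managed rules run in the http_request_firewall_managed phase.
resource "cloudflare_ruleset" "managed_waf" {            # hypothetical resource name
  zone_id     = data.cloudflare_zone.safi_domain.zone_id # zone from the page's data source
  name        = "Managed WAF rules"
  description = "Cloudflare Managed Ruleset with default sensitivities"
  kind        = "zone"
  phase       = "http_request_firewall_managed"

  rules {
    action = "execute"
    action_parameters {
      # Cloudflare Managed Ruleset ID from Cloudflare's docs; verify before use.
      id = "efb7b8c949ac4650a09736fc376e9aee"
      # No `overrides` block here, so every rule keeps its default
      # sensitivity/action. Add overrides later to tune individual rules.
    }
    expression  = "true" # apply to every request on the zone
    description = "Execute Cloudflare Managed Ruleset"
    enabled     = true
  }
}

# Custom rules run in the http_request_firewall_custom phase, which is
# evaluated before the managed phase.
resource "cloudflare_ruleset" "custom_waf" {             # hypothetical resource name
  zone_id     = data.cloudflare_zone.safi_domain.zone_id
  name        = "Custom WAF rules"
  description = "Site-specific rules for Safi domains"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    action = "block"
    # Placeholder policy: block admin paths unless the request comes from
    # the allowlisted range. 203.0.113.0/24 is a documentation range used
    # here as a constructed placeholder; replace with the real allowlist.
    expression  = "(http.request.uri.path contains \"/admin\" and not ip.src in {203.0.113.0/24})"
    description = "Restrict /admin to the allowlisted range"
    enabled     = true
  }
}
```

  Both resources are managed by the same API token shown above, which is why that token needs the Zone WAF Write and Account Rulesets Write permission groups. Sensitivity changes are made by adding an overrides block inside action_parameters rather than by editing rules in the dashboard, so Terraform stays the source of truth.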

Useful Links:

Cloudflare provides documentation on managing WAF rules with Terraform; it can be found here.