feat: skip WAF checks for ansible.makeitwork.cloud

xnoto · xnoto · commit 93a0043a866b · 2026-02-16T12:12:14.000-07:00
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ No modules.
 | [cloudflare_dns_record.status_tunnel](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_dns_record.www](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_ruleset.cache_rules](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) | resource |
+| [cloudflare_ruleset.zone_custom_firewall](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) | resource |
 | [cloudflare_zero_trust_access_application.warp](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) | resource |
 | [cloudflare_zero_trust_access_group.admins](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_group) | resource |
 | [cloudflare_zero_trust_access_identity_provider.github](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) | resource |
diff --git a/cf-waf.tf b/cf-waf.tf
@@ -0,0 +1,24 @@
+resource "cloudflare_ruleset" "zone_custom_firewall" {
+  zone_id     = local.zone_id
+  name        = "Custom Firewall Rules"
+  description = "Custom firewall rules for the zone"
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules = [
+    {
+      action = "skip"
+      action_parameters = {
+        products = [
+          "bic",
+          "securityLevel",
+          "uaBlock",
+          "zoneLockdown"
+        ]
+      }
+      expression  = "(http.host eq \"ansible.makeitwork.cloud\")"
+      description = "Skip WAF checks for Ansible"
+      enabled     = true
+    }
+  ]
+}
