feat: OCI deployment — Terraform VM + OKE stacks, OCIR, K8s manifests

- terraform-vm/: ARM VM (A1.Flex Free Tier), Docker Compose, Block Volume, LB+WAF+SSL
- terraform-oke/: OKE cluster (3 nodes Intel), NodePort, LB+WAF+SSL
- k8s/: namespace, deployments, services, PVC, secrets, configmap
- Dockerfile.frontend: self-contained nginx+dist image
- push-images.sh: multi-arch build (amd64+arm64) + push to OCIR
- dns.tf: conditional OCI DNS Zone + A record (when domain available)
- Both stacks 100% independent, no shared modules
- .gitignore: terraform state, .terraform/, *.tfvars
This commit is contained in:
nogueiraguh
2026-04-02 13:19:58 -03:00
parent f22bb54e25
commit 5efde6fcf4
31 changed files with 2489 additions and 0 deletions

114
deploy/terraform-oke/waf.tf Normal file
View File

@@ -0,0 +1,114 @@
# -----------------------------------------------------------------------------
# OCI CIS Agent — OKE Deployment Stack
# WAF: Web Application Firewall Policy + Association
# -----------------------------------------------------------------------------
resource "oci_waf_web_app_firewall_policy" "main" {
compartment_id = var.compartment_ocid
display_name = "cisagent-oke-waf-policy"
# --- OWASP Protection Rules ---
actions {
name = "block"
type = "RETURN_HTTP_RESPONSE"
code = 403
body {
type = "STATIC_TEXT"
text = "Blocked by WAF"
}
}
actions {
name = "allow"
type = "ALLOW"
}
# --- Request Protection: XSS ---
request_protection {
rules {
name = "xss-protection"
type = "PROTECTION"
action_name = "block"
is_body_inspection_enabled = true
protection_capabilities {
key = "941110"
version = 1
}
protection_capabilities {
key = "941100"
version = 1
}
protection_capabilities {
key = "941160"
version = 1
}
}
# --- Request Protection: SQL Injection ---
rules {
name = "sqli-protection"
type = "PROTECTION"
action_name = "block"
is_body_inspection_enabled = true
protection_capabilities {
key = "942110"
version = 1
}
protection_capabilities {
key = "942120"
version = 1
}
protection_capabilities {
key = "942130"
version = 1
}
}
# --- Request Protection: Path Traversal ---
rules {
name = "path-traversal-protection"
type = "PROTECTION"
action_name = "block"
is_body_inspection_enabled = true
protection_capabilities {
key = "930100"
version = 1
}
protection_capabilities {
key = "930110"
version = 1
}
}
}
# --- Rate Limiting: 300 requests/minute ---
request_rate_limiting {
rules {
name = "rate-limit-300-per-minute"
type = "RATE_LIMITING"
action_name = "block"
configurations {
period_in_seconds = 60
requests_limit = 300
action_duration_in_seconds = 60
}
}
}
freeform_tags = var.freeform_tags
}
# --- Associate WAF with Load Balancer ---
resource "oci_waf_web_app_firewall" "main" {
compartment_id = var.compartment_ocid
display_name = "cisagent-oke-waf"
backend_type = "LOAD_BALANCER"
load_balancer_id = oci_load_balancer_load_balancer.main.id
web_app_firewall_policy_id = oci_waf_web_app_firewall_policy.main.id
freeform_tags = var.freeform_tags
}