Access to Cloudflare

[ovflowd]

Requesting access to Cloudflare, as I would like to be around to support with times the cache for Nodejs.org becomes havoc, and also for the incoming changes we're going to do with nodejs.dev, nodejs.org, vercel, etc

cc @nodejs/build

[ovflowd]

Note.: The kind of access I'm requesting (because of CF ACLs) is to have enough "power/authorisation" to do these actions:

• Monitor/Analysis of Traffic
• Purge Cache / Create/Delete cache rules
• Enabling/Disabling features (useful for when we want to test things such as Static File CDN)
• Or anything useful for allowing me to solve incidents that we might have with CF.

In general, these privileges would also be helpful for the incoming Vercel work.

[tniessen]

If the number of people with access to CF grows, we should probably start making use of CF "members" so that we can manage access in more detail. Right now we just use a single set of credentials (with 2FA) as far as I know.

[nschonni]

Might make sense to look at something like https://developers.cloudflare.com/terraform/ to pull the actual config changes into this repo. I didn't see any first party Ansible tasks with a very quick search

[mhdawson]

@nschonni the terraform suggestion looks interesting. That would address one concern related to growing the number of people with cloudflare access.

[MattIPv4]

+1 to having the Cloudflare config defined in terraform in the repo. Would make it much easier for folks to understand what's currently configured and propose edits etc.

[UlisesGascon]

+1 to manage Cloudflare using Terraform, also I agree to provide access to Cloudflare for @ovflowd as some tasks will require it like the Monitor/Analysis of Traffic.

[UlisesGascon]

@ovflowd we agreed in #3299 that we will grant you access, but first we will need to change the way we access to Cloudflare from a single account to an individual accounts (organization approach).

[ovflowd]

Thanks for the update!

[richardlau]

If the number of people with access to CF grows, we should probably start making use of CF "members" so that we can manage access in more detail. Right now we just use a single set of credentials (with 2FA) as far as I know.

I've just invited myself to the build account (which has resulted in a confirmation to the build email address FYI @nodejs/build-infra ). For people in the build-infra team, who already have access to the existing build account, I'm comfortable giving their individual accounts "Super Administrator" which should mean they would not normally need to log in directly as the build account.

For anyone outside of the build-infra team we'd need to work out which of the account-scoped roles we would want to grant
Refs: https://developers.cloudflare.com/fundamentals/account-and-billing/members/roles/#account-scoped-roles

[targos]

I've tried to add myself to the account but I get:

Error when processing member: Cannot add existing user that is participating in an incompatible authorization system(Code: 1005)

Note that I do have 2FA enabled.

I opened a support ticket.

[ovflowd]

Got access so closing this :)