Cloudflare Audit Log Rule Processing

The following flow chart describes the processing performed on every rule when Cloudflare Audit Log runs.

graph TD

Rule{Rule description} ==> Parsed[full description could be parsed and is valid]
Rule ==> NotParsed[description cannot be parsed]
Rule ==> IssueID[only the issue ID could be extracted & is valid]

Parsed --> Duration{rule duration}
NotParsed --> AbortProcessing[rule processing aborted]
IssueID --> CommentWithErrors[leave issue comment with error details]

CommentWithErrors --> AbortProcessing
AbortProcessing --> END{end}

Duration ==> LongTerm[long-term]
LongTerm --> NoteLongTerm[prepare label `role-duration::long-term`]
NoteLongTerm --> ApplyLabels

Duration ==> Temporary[temporary]
Temporary --> NoteTemporary[prepare label `role-duration::temporary`]
NoteTemporary --> MaxLifetime{maximum lifetime in h}

MaxLifetime ==> Set[explicitly set]
MaxLifetime ==> Unset[unset/automatic]

Set --> IsMaxExpired{has elapsed?}
IsMaxExpired ==> MaxExpired[yes] --> Expired[has expired]
IsMaxExpired ==> MaxNotExpired[no] --> MinLifetime{minimum lifetime in h}
NotExpired -->  ApplyLabels

Unset --> MinLifetime
MinLifetime ==> MinSet[set, check for value]
MinLifetime ==> MinUnset[unset, check for 48h]
MinUnset --> MinElapsed{has elapsed}
MinSet --> MinElapsed{has elapsed}
MinElapsed ==> HasElapsed[yes]
MinElapsed ==> HasNotElapsed[no]

HasNotElapsed --> NotExpired[not expired]
HasElapsed --> CheckTraffic[Check traffic in last 24h]

CheckTraffic --> NoteTraffic[add the traffic level to the issue comment about to be posted]

NoteTraffic --> ReqCount{> 0 requests?}
ReqCount ==> MoreRequests[yes] --> NotExpired
ReqCount ==> NoRequests[no] --> Expired

Expired --> Delete[delete rule in Cloudflare]
Delete --> OnError[On error add to the message of the comment about to be posted]
OnError --> ApplyLabels

subgraph choose and apply labels
ApplyLabels[evaluate rule filter and select candidate labels for `rule-filter`] --> EvaluateType{rule type}
EvaluateType ==> TypeBypass['bypass']
EvaluateType ==> TypeOther[other]

TypeBypass --> EvaluateBlock[determine matching `bypass-action` labels/firewall `products`]

EvaluateBlock --> RenderComment[render comment before posting - implicit label check]
TypeOther --> RenderComment

RenderComment --> MatchComment{matches previous}
MatchComment ==> CommentMatch[yes]
MatchComment ==> CommentNotMatch[no]

CommentNotMatch --> Comment[comment status on issue & apply labels]
end

CommentMatch --> END
Comment --> END

subgraph expiry detection
MaxLifetime
Set
IsMaxExpired
MaxNotExpired
MaxExpired
Expired
NotExpired
Unset
MinLifetime
MinSet
MinUnset
MinElapsed
HasElapsed
HasNotElapsed
CheckTraffic
NoteTraffic
ReqCount
MoreRequests
NoRequests
end
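
The "expiry detection" subgraph above, written out as a single decision function. This is an added example, not code from the Cloudflare Audit Log project. The function and field names, the use of hours for rule age, and treating "has elapsed" as age >= lifetime are assumptions; the labels and the 48h fallback come from the chart.

```python
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_MIN_LIFETIME_H = 48  # chart: "unset, check for 48h"


@dataclass(frozen=True)
class Decision:
    label: str                          # role-duration label prepared for the issue
    expired: bool                       # True means the rule would be deleted
    reason: str
    requests_24h: Optional[int] = None  # set only when traffic was checked


def evaluate_expiry(duration: str, age_h: float,
                    requests_last_24h: Callable[[], int],
                    max_lifetime_h: Optional[float] = None,
                    min_lifetime_h: Optional[float] = None) -> Decision:
    """Walk the expiry-detection branch for one successfully parsed rule."""
    if duration == "long-term":
        # Long-term rules skip expiry detection and go straight to labelling.
        return Decision("role-duration::long-term", False, "long-term rule")
    if duration != "temporary":
        raise ValueError(f"unknown rule duration: {duration!r}")
    label = "role-duration::temporary"

    # An explicitly set maximum lifetime that has elapsed expires the rule
    # without looking at traffic.
    if max_lifetime_h is not None and age_h >= max_lifetime_h:
        return Decision(label, True, "maximum lifetime elapsed")

    # Minimum lifetime: the explicit value if set, otherwise 48h.
    floor_h = DEFAULT_MIN_LIFETIME_H if min_lifetime_h is None else min_lifetime_h
    if age_h < floor_h:
        return Decision(label, False, "minimum lifetime not elapsed")

    # Traffic is queried only after the minimum lifetime has passed; the
    # count is returned so it can be included in the issue comment.
    hits = requests_last_24h()
    if hits > 0:
        return Decision(label, False, "traffic in last 24h", hits)
    return Decision(label, True, "no traffic in last 24h", hits)
```

Passing the traffic lookup as a callable keeps the order of checks visible: a rule past its maximum lifetime is expired even if it is still matching requests, and a rule younger than its minimum lifetime is kept without any traffic query.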