Accessing and Using CloudFlare
Users that have been provisioned can access Cloudflare directly at
https://dash.cloudflare.com.
Instructions for Access Provisioners
Section titled “Instructions for Access Provisioners”- Ping
@gitlab-org/production-engineering/foundationsto add the user to theokta-cloudflare-usersGoogle group. If they are unavailable, IT can help provision this piece. You can reach out to IT using the #it_help channel or tagging@gitlab-com/gl-security/corp/helpdeskin the issue. - If the team member needs to be added to the GitLab.com Cloudflare account: (usually Production Engineering or Scalability SREs)
- Open a merge request adding the user to https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/cloudflare/users.tf
- Assign the role based on the access request or baseline entitlements (SREs receive Administrator access as baseline).
- The user will automatically receive an invite once the change is applied.
- If the user does not accept the invite before expiration, a state drift will occur and the change will need to be applied again.
- Open a merge request adding the user to https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/cloudflare/users.tf
- If the team member should be added to the Dedicated Cloudflare accounts (for SREs on the Dedicated Teams), they should open an MR against the Dedicated Cloudflare Organization project
Deprovisioning
Section titled “Deprovisioning”- Remove user from Google group if they have not already been removed.
- Remove user from https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/cloudflare/users.tf.
- If applicable: Remove user from Dedicated Cloudflare Organization.
Configuration
Section titled “Configuration”Creating or Editing Custom Rules
Section titled “Creating or Editing Custom Rules”Managing Traffic (blocks, allowlists and abuse mitigation)
Section titled “Managing Traffic (blocks, allowlists and abuse mitigation)”Managing Workers
Section titled “Managing Workers”Getting support from Cloudflare
Section titled “Getting support from Cloudflare”Contacting support
Section titled “Contacting support”Contact Numbers
Section titled “Contact Numbers”Should we need to call Cloudflare, we were given these numbers to reach out to for help.
Those numbers are documented in https://gitlab.com/gitlab-com/gl-security/runbooks/-/blob/master/sirt/infrastructure/cloudflare.md
Other References
Section titled “Other References”- Implementation Epic: https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/94
- Readiness review: https://gitlab.com/gitlab-com/gl-infra/readiness/blob/master/cloudflare/README.md
- Issue Tracker for Evaluation: https://gitlab.com/gitlab-com/gl-infra/cloudflare/issues
- Ongoing Cloudflare Epic: https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/1131
- Managing Limits: https://handbook.gitlab.com/handbook/engineering/infrastructure/rate-limiting/managing-limits/
- Cloudflare terraform configuration: https://gitlab.com/gitlab-com/gl-infra/terraform-modules/cloudflare