Cloudflare + Indent Webhook
This guide explains how to deploy an Indent webhook to the cloud for managing access to Cloudflare Account Roles. This webhook can be run as an AWS Lambda.
Take a look at our example template on GitHub:
This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we would recommend you check it out - it should take 5 minutes. By the end you should have a working Space you can integrate with this webhook.
Prerequisites
Overview
We're going to pull Cloudflare Account Roles into Indent (optionally, you can import roles manually) then set up automated change management. This webhook can only be deployed as an AWS Lambda.
Step 0: Configure your cloud provider
- AWS
Let's get all the AWS-specific items ready before getting started:
Step 1: Configure the GitHub Repo
Before you deploy these webhooks for the first time, create an S3 bucket to store Terraform state, add your credentials as GitHub Secrets, then update the bucket in main.tf.
1. Configuring the S3 bucket
- Go to AWS S3 and select an existing bucket or create a new one.
- Select the settings given your environment:
- Name — easily identifiable name for the bucket (example = indent-deploy-state-123)
- Region — where you plan to deploy the Lambda (default = us-west-2)
- Bucket versioning — if you want to have revisions of past deployments (default = disabled)
- Default encryption — server-side encryption for deployment files (default = Enable)
2. Configuring AWS credentials
- Go to AWS IAM → New User and create a new user for deploys, e.g. indent-terraform-deployer
- Configure the service account access:
- Credential type — select Access key - Programmatic access
- Permissions — select Attach existing policies directly and select AdministratorAccess
- Add the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as GitHub Secrets to this repo
3. Connecting to Cloudflare
- Go to Cloudflare → My Profile → API Tokens
- Click "Create Token" to create a new API Token to use with Indent
- Grant the token these scopes:
- Access: Organizations, Identity Providers, and Groups:Edit
- Account Settings:Edit
- Memberships:Edit
- User Details:Edit
- Save the new token in a safe place.
4. Connecting to Indent
- If you're setting up as part of a catalog flow, you should be presented a Webhook Secret or go to your Indent space and create a webhook
- Add this INDENT_WEBHOOK_SECRET as a GitHub Secret
5. Adding the GitHub Actions Secrets. What are GitHub Action Secrets?
Name | Value |
---|---|
INDENT_WEBHOOK_SECRET | Get this from your Indent App or an Indent Webhook in the Dashboard |
INDENT_PULL_WEBHOOK_SECRET | Get this from the Indent Webhook you created while setting up your space |
CLOUDFLARE_API_TOKEN | Your Cloudflare API Token. This token lets you programmatically manage access and permissions for your accounts, sites, and products. |
AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires |
Step 2: Add the webhooks to Indent
- Sign into your Indent Space.
- Navigate to your Catalog in the sidebar.
- Select Cloudflare from the catalog. You'll be taken to a new page where you'll create the webhooks.
- Write down the signing secrets for use with your new GitHub repository and store them securely.
- Click Create webhooks. We'll add the URLs for each webhook in the next step.
Step 3: Deploy the webhooks
- In your repository, click Actions in the top menu. You should see at least one workflow run in the list.
- Click on the workflow run, then click Re-run all jobs in the top right.
- The workflow automatically deploys the webhooks to AWS. If you commit any changes to the main branch of this repository the workflows will redeploy automatically.
- After you finish deploying your webhooks, enter the HTTP endpoint from AWS Lambda as the Webhook URL field in your new Webhook.
- Save the Webhook.
- Go to your Resources and click the dropdown arrow next to New
- Select Pull Update and a modal window appears with a list of resource kinds you can pull.
- Choose the slider for Cloudflare Account Roles then press Start Pulling Updates.
Step 4: Configure your Indent policies
Click Apps in the Indent Dashboard and click on your communication app.
Open Access Request Rules and add cloudflare.v1.AccountRole to the "Kinds of Resources" your app can manage.
- Alternatively, you can add individual Groups based on Resource ID in this section.
Configure the approvers for granting access to your Cloudflare Account Roles.
Step 5: Make a test request
- Go to Request Access.
- Select your Cloudflare Account Roles from the dropdown and enter a reason for access.
- Once the access is approved, check the role's page to confirm membership.
Congrats! You’ve just configured requesting and managing Cloudflare Account Role access with Indent.
Import roles manually
- Sign into your Indent Space.
- Go to your Resources.
- Click +New to create a new Resource:
- Under Resource Kind, type in "cloudflare.v1.AccountRole"
- Enter the name of your Cloudflare Account Role
- Under Resource ID enter the resource ID in this format:
- `api.cloudflare.com/client/v4/accounts/${account ID}/roles/${role ID}`
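A mistyped Resource ID points approvals at the wrong role or at no role at all, so it helps to generate and check these strings rather than type them. The sketch below is an added example, not code from Indent or its template repository; it assumes Cloudflare account and role IDs are 32 lowercase hex characters, uses a constructed sample shaped like a Cloudflare roles listing, and the record keys `kind`, `name` and `resource_id` are illustrative names for the three form fields.

```python
import json
import re

RESOURCE_KIND = "cloudflare.v1.AccountRole"  # kind named in the steps above
HOST_PATH = "api.cloudflare.com/client/v4/accounts"
# Assumption: Cloudflare account and role IDs are 32 lowercase hex characters.
HEX_ID = r"[0-9a-f]{32}"
RESOURCE_ID_RE = re.compile(rf"{re.escape(HOST_PATH)}/({HEX_ID})/roles/({HEX_ID})")

# Constructed sample data, shaped like a Cloudflare "list account roles" response.
ACCOUNT_ID = "0123456789abcdef" * 2
SAMPLE_ROLES_JSON = json.dumps({"success": True, "result": [
    {"id": "a1" * 16, "name": "Administrator"},
    {"id": "b2" * 16, "name": "Administrator Read Only"},
]})


def build_resource_id(account_id, role_id):
    """Return the Resource ID string, refusing IDs that are not well formed."""
    for label, value in (("account ID", account_id), ("role ID", role_id)):
        if not re.fullmatch(HEX_ID, value):
            raise ValueError(f"{label} is not 32 lowercase hex characters: {value!r}")
    return f"{HOST_PATH}/{account_id}/roles/{role_id}"


def parse_resource_id(resource_id):
    """Split a Resource ID into (account_id, role_id); reject anything else."""
    match = RESOURCE_ID_RE.fullmatch(resource_id)
    if match is None:
        raise ValueError(f"not a Cloudflare Account Role resource ID: {resource_id!r}")
    return match.group(1), match.group(2)


def roles_to_resources(account_id, roles_json):
    """Turn a roles listing into one record per role for the New Resource form."""
    payload = json.loads(roles_json)
    if not payload.get("success"):
        raise ValueError("Cloudflare response did not report success")
    # Record keys are this example's own names for the three form fields.
    return [
        {"kind": RESOURCE_KIND, "name": role["name"],
         "resource_id": build_resource_id(account_id, role["id"])}
        for role in payload["result"]
    ]


if __name__ == "__main__":
    for resource in roles_to_resources(ACCOUNT_ID, SAMPLE_ROLES_JSON):
        print(resource["kind"], resource["name"], resource["resource_id"], sep=" | ")
```

`parse_resource_id` is strict on purpose: a pasted `https://` prefix, a trailing slash, or upper-case hex is rejected rather than normalized, so what you enter in Indent matches the format above exactly.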