
ADR-0005 Cloudflare Access for Internal Docs

Status

Accepted

Context

The RCS internal documentation site (apps/docs, served at https://docs.example.com) contains architecture, security, and operational guidance that must remain confidential. Prior ADRs established Cloudflare Pages as the hosting platform and mandated an internal-only posture; a Pages deployment is publicly reachable by default, so that posture is not met until an access control layer sits in front of it. A formal access control mechanism is therefore required before any stakeholders can use the site.

Decision

Adopt Cloudflare Access to protect https://docs.example.com, enforcing:

  • Authentication via the corporate identity provider (Google Workspace recommended, GitHub Enterprise acceptable).
  • Multi-factor authentication, enforced by the IdP.
  • Group-based, least-privilege authorization: access is granted to named IdP groups, not to the whole email domain.
  • Session lifetime capped at 12 hours.
  • Deny-by-default posture (a request that matches no allow policy is refused) with an auditable break-glass path.
Rationale

  • Cloudflare Access integrates natively with Cloudflare Pages and the existing DNS zone.
  • It provides Zero Trust controls without deploying additional infrastructure.
  • It supports granular policies, logging, and future device posture rules.
  • It carries less operational complexity than a custom authentication proxy.
Consequences

  • Internal docs are inaccessible until Access policies are defined and tested.
  • Group membership management becomes an operational responsibility shared by the platform and security teams.
  • Onboarding requires coordination with identity administrators.
  • The break-glass procedure must be documented, and every use of it audited.
Future considerations

  • Enforcing device posture checks (managed devices, up-to-date OS).
  • Automating Access policy validation in CI once workflows mature.
  • Integrating Access logs with a central SIEM for retention beyond 30 days.
Implementation

  1. Follow the Cloudflare Access runbook to create the Access application for docs.example.com.
  2. Define least-privilege groups in the identity provider and document their owners.
  3. Configure MFA enforcement and the 12-hour session duration in the Access policy.
  4. Test access with allowed and denied accounts; capture the evidence in the release records.
  5. Record the configuration in change management, linking to this ADR.
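To make the decision above, implementation steps 1 to 3, and the CI policy-validation item under future considerations concrete, the following is an added example (mine, not part of this ADR and not Cloudflare tooling) that lints an Access application definition against the ADR's requirements and shows a compliant definition beside a weak one. It takes a dict shaped like an Access application export: a Go-style session_duration string and one-key rule objects such as {"gsuite": {...}} or {"auth_method": {...}}. Those key names, the group address docs-readers@example.com and the IDP-/TOKEN- placeholder identifiers are assumptions; adjust them to your export. The auth_method=mfa requirement is defence in depth on top of IdP-enforced MFA and is only meaningful when the IdP sends an AMR claim.

```python
"""Lint a Cloudflare Access application definition against ADR-0005.

Added example, not part of the ADR or of Cloudflare's tooling. Input shape
(key names) is an assumption about the Access application export.
"""
import re

MAX_SESSION_SECONDS = 12 * 3600  # ADR-0005 caps sessions at 12 hours
_DURATION_RE = re.compile(r"(\d+)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

# Rule types that scope an allow policy to a specific IdP group rather than to
# everyone, an email list, or a whole email domain.
GROUP_RULES = {"group", "gsuite", "github", "okta", "azure"}


def parse_duration(value):
    """Convert '12h', '30m' or '1h30m' to seconds; reject anything else."""
    parts = _DURATION_RE.findall(value or "")
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unparseable session_duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def rule_types(rules):
    """{'gsuite', 'auth_method'} from [{'gsuite': {...}}, {'auth_method': {...}}]."""
    return {name for rule in rules for name in rule}


def requires_mfa(policy):
    """True if the policy's require block carries an auth_method rule for 'mfa'."""
    return any(rule.get("auth_method", {}).get("auth_method") == "mfa"
               for rule in policy.get("require", []))


def lint_access_app(app):
    """Return a list of findings; an empty list means the app satisfies ADR-0005."""
    findings = []
    duration = app.get("session_duration", "")
    try:
        seconds = parse_duration(duration)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if seconds > MAX_SESSION_SECONDS:
            findings.append(f"session_duration {duration} exceeds the 12h cap")

    policies = app.get("policies", [])
    if not any(p.get("decision") == "allow" for p in policies):
        findings.append("no allow policy: the site is unreachable for every user")

    for policy in policies:
        name = policy.get("name", "<unnamed>")
        decision = policy.get("decision")
        include = rule_types(policy.get("include", []))
        if decision == "bypass":
            findings.append(f"policy {name!r}: bypass disables authentication; "
                            "use a named service token (non_identity) for break-glass")
        elif decision == "non_identity":
            if "any_valid_service_token" in include:
                findings.append(f"policy {name!r}: any_valid_service_token accepts every "
                                "token in the account; pin break-glass to one service_token")
        elif decision == "allow":
            if "everyone" in include:
                findings.append(f"policy {name!r}: allow for everyone violates deny-by-default")
            elif not include & GROUP_RULES:
                findings.append(f"policy {name!r}: not scoped to an IdP group "
                                f"(include rules: {sorted(include)})")
            if not requires_mfa(policy):
                findings.append(f"policy {name!r}: no auth_method=mfa requirement")
        # explicit deny policies need no further checks
    return findings


# Constructed sample matching the decision: one group-scoped allow with MFA,
# a 12h session, and a break-glass path pinned to a single service token.
COMPLIANT_APP = {
    "name": "Internal docs", "domain": "docs.example.com", "type": "self_hosted",
    "session_duration": "12h",
    "policies": [
        {"name": "docs-readers", "decision": "allow",
         "include": [{"gsuite": {"email": "docs-readers@example.com",
                                 "identity_provider_id": "IDP-ID-PLACEHOLDER"}}],
         "require": [{"auth_method": {"auth_method": "mfa"}}]},
        {"name": "break-glass-runbook", "decision": "non_identity",
         "include": [{"service_token": {"token_id": "TOKEN-ID-PLACEHOLDER"}}]},
    ],
}

# Constructed weak sample: whole-domain allow, no MFA, 24h session, bypass rule.
WEAK_APP = {
    "name": "Internal docs", "domain": "docs.example.com", "type": "self_hosted",
    "session_duration": "24h",
    "policies": [
        {"name": "everyone-at-example", "decision": "allow",
         "include": [{"email_domain": {"domain": "example.com"}}]},
        {"name": "emergency", "decision": "bypass", "include": [{"everyone": {}}]},
    ],
}

if __name__ == "__main__":
    for app in (COMPLIANT_APP, WEAK_APP):
        print(app["session_duration"], lint_access_app(app) or "OK")
```

In CI, feed the exported application JSON to lint_access_app and fail the job on a non-empty finding list; the same checks can run against a Terraform plan rendered with terraform show -json before the change is applied.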
Validation

  • Accessing https://docs.example.com unauthenticated redirects to the Cloudflare Access login prompt rather than serving content.
  • Authorized group members can sign in; unauthorized users are denied.
  • Access logs show successful and blocked attempts with accurate user attribution.
  • Annual security review confirms the policies still meet Zero Trust requirements.