Shifting left at enterprise scale: how we manage Cloudflare with Infrastructure as Code
Blog post from Cloudflare
Cloudflare's internal Customer Zero team uses Cloudflare's own products to secure and optimize the company's services, which exposes the difficulty of managing security configuration consistently at global scale. To address this, Cloudflare has adopted a "shift left" approach: security checks are integrated early in the software development lifecycle so that human error is minimized and security settings stay consistent across its many accounts. Configuration is treated as code using Infrastructure as Code (IaC), primarily Terraform driven by a custom CI/CD pipeline, to maintain security baselines and enforce policy compliance. Policy as Code with the Open Policy Agent automates policy enforcement, provides a controlled path for exceptions, and limits configuration drift. Despite hurdles such as onboarding existing resources and maintaining feature parity with the Terraform provider, this proactive governance model improves engineering efficiency by ensuring compliance and reducing the risk of misconfiguration.
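The Policy as Code step described above, as an added example that is not Cloudflare's own policy: a Rego policy for the Open Policy Agent that evaluates a Terraform plan (`terraform show -json`) and denies Cloudflare zone settings that weaken the TLS baseline unless the resource has a recorded exception. The resource type `cloudflare_zone_settings_override` and its `settings.min_tls_version` attribute follow the Cloudflare Terraform provider v4 schema; the baseline value, the exception entries and the sample plan fragment are assumptions constructed for this example.

```rego
package cloudflare.baseline

import rego.v1

# Assumed baseline: zones must not negotiate TLS below 1.2.
required_min_tls := "1.2"

# Approved exceptions keyed by Terraform resource address, with a ticket
# reference so every deviation from the baseline is traceable (constructed).
exceptions := {
	"cloudflare_zone_settings_override.legacy_partner": "SEC-0000-placeholder",
}

# Deny a planned create/update that sets min_tls_version below the baseline
# on a zone without an exception. Versions "1.0".."1.3" compare correctly
# as strings because they share a fixed "1.x" shape.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "cloudflare_zone_settings_override"
	some action in rc.change.actions
	action in {"create", "update"}
	settings := rc.change.after.settings[0]
	settings.min_tls_version < required_min_tls
	not exceptions[rc.address]
	msg := sprintf("%s sets min_tls_version=%s; baseline requires >= %s", [rc.address, settings.min_tls_version, required_min_tls])
}

# Constructed plan fragment for `opa test`: one weak zone without an
# exception (denied) and one with an exception (allowed).
sample_plan := {"resource_changes": [
	{
		"address": "cloudflare_zone_settings_override.shop",
		"type": "cloudflare_zone_settings_override",
		"change": {"actions": ["update"], "after": {"settings": [{"min_tls_version": "1.0"}]}}
	},
	{
		"address": "cloudflare_zone_settings_override.legacy_partner",
		"type": "cloudflare_zone_settings_override",
		"change": {"actions": ["create"], "after": {"settings": [{"min_tls_version": "1.0"}]}}
	}
]}

test_weak_tls_denied_unless_excepted if {
	count(deny) == 1 with input as sample_plan
	deny[_] == "cloudflare_zone_settings_override.shop sets min_tls_version=1.0; baseline requires >= 1.2" with input as sample_plan
}
```

Run `opa test .` to exercise the constructed plan, or `opa eval -i plan.json -d policy.rego "data.cloudflare.baseline.deny"` against a real plan in the CI/CD pipeline and fail the job when the result set is non-empty.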