Standardise web-infra/admins Cloudflare access #4194
Description
👋 @nodejs/web-infra currently does not have a standard set of permissions within Cloudflare, a few of us on the team just have permissions we've acquired over time for activities. With Cloudflare now supporting groups, I think it'd be good to create permission groups in Cloudflare for web-infra (and @nodejs/web-admins as well).
I think this is a @nodejs/build decision, as y'all have historically looked after Cloudflare, but feel free to bounce this elsewhere if not.
I believe that the web-infra group should be granted Administrator Read Only, which gives us permission to view all configurations within the Cloudflare account, to help us in diagnosing issues with Node.js' web presence. I already have this permission today, though @flakey5 only has read-only access to Workers + R2.
The web-admins group should likely be granted Administrator, so that they can carry out any action within the Cloudflare account. This is what both @ovflowd + @bmuenzenmeyer already have today. I'd perhaps suggest actually making them both super administrators, as this also allows them to create account-level tokens (which we've often needed for deploying new Workers etc.), though this does slightly further elevate the risk profile.
With these two groups in place and granted to all members (some members of web-infra may need to be invited to the Cloudflare account, as they don't have any access at all currently), we should be able to remove permissions assigned to the members individually.
(We also have the Node.js Sandbox account, where many of us are super admins -- when we update our documentation to encode the decision made here, we should also encode granting super admin access to that account for web-infra/admins)