[CONTENT SPRINT] Cloudflare-First Networking as Code with Pulumi#18959

Draft
sicarul wants to merge 1 commit into master from blog/cloudflare-first-networking-with-pulumi

@sicarul sicarul commented May 13, 2026

Why this content is interesting

  • It makes edge networking tangible by treating Cloudflare DNS, WAF, Workers, and Access policies as a reusable baseline.
  • It is scheduled for 2026-06-02 as part of the content sprint's two-post-per-week cadence.

What we took into account

  • We considered edge drift, origin exposure, validation, and multi-cloud front-door patterns rather than writing a generic provider intro.
  • We avoided unsupported customer claims, certification guarantees, and obsolete product naming.
  • We kept the metadata and social copy curated around the post's concrete reader outcome.

Why it is useful to an end user

  • End users get a blueprint for moving Cloudflare configuration out of clickops and into reviewable IaC.
  • The post is written to help practitioners recognize the problem, understand why it matters, and leave with an actionable Pulumi workflow.

Design need

  • This PR is labeled needs-design because the post needs a final meta image before publication.
  • Existing feature.png and meta.png files are placeholders unless Design chooses to reuse or adapt them.

Metadata

  • Title: Cloudflare-First Networking as Code with Pulumi
  • Meta description: Build a Cloudflare-first edge baseline with Pulumi, including DNS, WAF rules, Workers, Zero Trust Access policies, and repeatable validation.

🤖 Generated with OpenCode

@sicarul sicarul added the area/blog-content and needs-design labels May 13, 2026

claude Bot commented May 13, 2026

Docs review for PR #18959

Thanks for the post, @sicarul! Below are findings from a content + repository-hygiene pass. Several items are blocking before this can ship.

🚨 Critical: non-publishable files committed to the PR

Most of this PR's 1971-line addition is not blog content. The following files appear to be internal automation/agent artifacts and should not land in pulumi/docs:

  • new_content.md (root of repo) — an analysis doc that names dozens of customers (Moderna, Dexcom, Tivity Health, Fenergo, Numerix, Moody's, Willis Towers Watson, KeyShot, ZeroEyes, Southern Cross Health, Adyen, ŌURA, etc.) alongside call-transcript counts and account-level signal. This is internal/confidential customer intelligence and must not be merged into a public repo.
  • .sisyphus/** (boulder.json, evidence/, notepads/, plans/, run-continuation/) — workspace/automation state. evidence/task-4-…, evidence/task-5-…, notepads/customer-blog-posts/learnings.md, and plans/customer-blog-posts.md also contain customer names from the same set. boulder.json even leaks a local path (/Users/pabloseibelt/dev/docs/…).

Please remove all of new_content.md and the entire .sisyphus/ directory from this PR, and consider adding them to .gitignore so they don't get re-staged on future branches. Given that some of this content has been pushed to a public branch, also consider whether the branch history needs to be rewritten or the PR re-opened from a clean branch before merging.

Blog post — content/blog/cloudflare-first-networking-with-pulumi/index.md

The post itself is well-structured and the framing (edge drift, multi-cloud front door) is solid. A few content/accuracy concerns:

1. The Worker uses the deprecated Service Worker API (lines ~90–99 of index.md):

addEventListener('fetch', event => {
    event.respondWith(handleRequest(event.request))
})

Cloudflare has moved Workers to ES modules syntax, and the Service Worker format is in maintenance/deprecation. New posts should use the modern shape so readers don't pick up a pattern they'll have to migrate. Suggested replacement for the content field:

    content: `
        export default {
            async fetch(request) {
                return new Response('Edge Baseline Validated', {
                    headers: { 'x-edge-baseline': 'active' },
                });
            },
        };
    `,

You'll likely also want to set the corresponding WorkersScript field that marks the script as a module (e.g. mainModule/module: true, depending on the provider version) — please double-check against the version of @pulumi/cloudflare you intend readers to install.

2. Please verify the resource shapes against a real pulumi up. Several inline shapes look version-sensitive and I couldn't confirm them without running the program:

  • cloudflare.Zone with a nested account: { id: … } object — in some versions of the provider this is a flat accountId string.
  • cloudflare.DnsRecord — earlier provider versions used cloudflare.Record. Make sure the resource name matches the version your npm install line pins.
  • cloudflare.ZeroTrustAccessGroup with include: [{ email: [{ email: "admin@example.com" }] }] — the doubly-nested email looks suspicious; typically include entries are { emails: ["admin@example.com"] } or a similar single-level shape.
  • cloudflare.ZeroTrustAccessApplication with policies defined inline — in most provider versions, policies are separate ZeroTrustAccessPolicy resources rather than inline children of the application.

A failing pulumi preview here would be a bad reader experience — please run the program end-to-end against a real Cloudflare account (or sandbox zone) before publication, and pin the post to a specific @pulumi/cloudflare version it was verified against.

3. Minor copy / style nits:

  • index.md:19 — "often face a dangerous visibility gap" and "the edge configuration often drifts" uses "often" twice in adjacent sentences. Consider varying:

    Platform teams managing multi-cloud applications often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration drifts through manual console tweaks. DNS records point to stale origins, WAF rules are inconsistent across environments, and Zero Trust policies fail to keep pace with team changes. This edge drift leads to application exposure or routing failures that origin teams only notice after users report them.
    
  • index.md:141 — "verify you receive a 403 Forbidden response" — "Forbidden" is fine as the canonical HTTP reason phrase, but for consistency with the rest of the post you could write "verify you receive a 403 response."

  • index.md:142: curl -I https://example.com returns only headers; that's fine for checking x-edge-baseline, but readers should be reminded that the Worker route pattern example.com/* covers /, so -I will actually hit the Worker.

  • index.md:140–143 — the four validation bullets use Title Case bold labels ("DNS Check", "WAF Test", "Worker Canary", "Access Policy"). Per STYLE-GUIDE.md, H2+ is sentence case; bold inline labels aren't covered explicitly, but elsewhere in Pulumi blog posts these tend to be sentence case ("DNS check", "WAF test", etc.). Not blocking, just calling it out.

4. Frontmatter / publishing checklist:

  • meta_image: meta.png / feature_image: feature.png — PR description notes both are placeholders pending Design. Please make sure the needs-design label stays on until Design replaces these; the meta image in particular is what shows up in social cards.
  • date: 2026-06-02 — schedules the post for the listed publish date. ✅
  • Author pablo-seibelt resolves to data/team/team/pablo-seibelt.toml. ✅

Summary

Blocking:

  1. Remove new_content.md and .sisyphus/** (confidential customer data + tool artifacts).
  2. Fix the Worker code to use ES modules / export default { fetch } and verify the rest of the Cloudflare resource shapes by running pulumi preview (or up) against the version of @pulumi/cloudflare readers will install.

Non-blocking: the copy nits above, sentence-casing for the validation list, and the meta image replacement Design is already tracking.


Mention me (@claude) if you'd like another pass once the above are addressed.
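
The hygiene finding in the first review (agent workspace files, an internal analysis document and a local path leaked into the PR), turned into a check that can run before a branch is pushed. This is an added example, not part of the thread or of pulumi/docs tooling; the allowed prefix, the deny patterns and the function names are assumptions taken from the paths named above.

```shell
#!/usr/bin/env bash
# Added example: path and content gate for a blog PR. Not pulumi/docs tooling.
# ALLOWED_PREFIX and the deny patterns are assumptions drawn from this thread.

ALLOWED_PREFIX="content/blog/cloudflare-first-networking-with-pulumi/"

# Classify one changed path as "deny", "outside" or "ok".
classify_path() {
    case "$1" in
        .sisyphus/*|*/.sisyphus/*) echo deny ;;    # agent workspace state
        new_content.md)            echo deny ;;    # internal analysis document
        "$ALLOWED_PREFIX"*)        echo ok ;;      # the post and its images
        *)                         echo outside ;; # anything else needs a human look
    esac
}

# Read changed paths on stdin and print "<verdict> <path>" for every path
# that is not "ok". Returns 1 when at least one path was flagged.
check_pr_paths() {
    cpp_flagged=0
    while IFS= read -r cpp_path; do
        [ -n "$cpp_path" ] || continue
        cpp_verdict=$(classify_path "$cpp_path")
        if [ "$cpp_verdict" != ok ]; then
            printf '%s %s\n' "$cpp_verdict" "$cpp_path"
            cpp_flagged=1
        fi
    done
    return "$cpp_flagged"
}

# Return 0 when text on stdin contains an absolute path under a user's home
# directory (macOS or Linux layout), the kind of leak seen in boulder.json.
has_local_path() {
    grep -Eq '(/Users|/home)/[A-Za-z0-9._-]+/'
}

# Typical CI use (needs a git checkout, so left as a comment):
#   git diff --name-only origin/master...HEAD | check_pr_paths
#   git diff origin/master...HEAD | has_local_path && echo "local path in diff"
```

A path gate like this only stops re-staging; content already pushed to a public branch still needs the history rewrite the review asks for.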


github-actions Bot commented May 13, 2026

Social Media Review

content/blog/cloudflare-first-networking-with-pulumi/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS


Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

  • Missing pointer — second paragraph states what's possible but no line signals there's more in the article; add a closing line that implies the article delivers (e.g. "Here's the baseline we built")
  • Second paragraph lists components without establishing why it matters; a concrete friction scenario (inconsistent deploys, manual WAF changes) would earn the reader's attention

LinkedIn

  • "This guide shows how to turn that edge layer into a reusable Pulumi baseline" describes the article rather than pointing to it; replace with a line that implies the article delivers (e.g. "Here's the setup that makes it repeatable")

Updated for commit eddeda973b6685400cd76f2d7321b31d657dafb5 (short: eddeda9) at 2026-05-13 21:54 UTC.


pulumi-bot commented May 13, 2026

@sicarul sicarul force-pushed the blog/cloudflare-first-networking-with-pulumi branch from b51ba21 to 4ee2698 Compare May 13, 2026 21:01
@sicarul sicarul force-pushed the blog/cloudflare-first-networking-with-pulumi branch from 4ee2698 to eddeda9 Compare May 13, 2026 21:51

sicarul commented May 13, 2026

@claude please review again. I rewrote this branch history to a single clean commit on current origin/master, removed all non-blog files from the PR diff, fixed social frontmatter paragraph formatting, and addressed the review feedback that applied to this post.


pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 34s


Docs re-review for PR #18959

Thanks for the cleanup, @sicarul — the branch is now a single clean commit touching only the three blog files (feature.png, index.md, meta.png). Confirmed new_content.md and .sisyphus/** are out of the diff and out of the working tree. ✅

  • Confirm non-blog files are out of the diff
  • Re-read index.md against prior feedback
  • Verify social paragraph formatting in frontmatter
  • Post re-review

What's resolved

  • Hygiene: the customer-data file and automation artifacts are gone — this was the main blocker.
  • Social frontmatter (index.md:14–25): X, LinkedIn, and Bluesky copy now have the two-paragraph structure the social-media review asked for. ✅

What's still outstanding from the previous pass

The trigger comment says the prior feedback was addressed, but a few items don't appear changed in the current revision — flagging in case any of them slipped or were deliberately deferred:

1. The Worker still uses the deprecated Service Worker API (index.md:99–108):

content: `
    addEventListener('fetch', event => {
        event.respondWith(handleRequest(event.request))
    })
    async function handleRequest(request) { ... }
`,

This is the same shape as before. Cloudflare's current guidance is ES modules (export default { fetch(request, env, ctx) { ... } }), and the Service Worker format is in maintenance mode. New readers picking up this post will copy a pattern they'll have to migrate. If you'd prefer to keep the simpler global-handler shape for narrative flow, that's a defensible call — but worth a one-liner noting it's the legacy format.

2. Cloudflare provider resource shapes still unverified. Same concerns as last pass — these are version-sensitive and I can't confirm them without running the program against a real zone:

  • cloudflare.Zone (:67–72) with nested account: { id } — flat accountId in older provider versions.
  • cloudflare.DnsRecord (:74) vs. the older cloudflare.Record name.
  • cloudflare.ZeroTrustAccessGroup (:117–125) include: [{ email: [{ email: "admin@example.com" }] }] — the doubly-nested email still looks wrong; most provider versions take { emails: ["..."] } at a single level.
  • cloudflare.ZeroTrustAccessApplication (:127–142) with inline policies — most versions take separate ZeroTrustAccessPolicy resources.

A failing pulumi preview would be a bad reader experience. Strongly recommend running the program against a sandbox Cloudflare zone with a pinned @pulumi/cloudflare version and updating the post to match (and ideally adding a "verified against @pulumi/cloudflare@x.y.z" note near the npm install line).

3. "often" still appears twice in adjacent sentences (index.md:28): "Platform teams … often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration often drifts…" — the previous pass suggested dropping the second "often" so it reads "the edge configuration drifts through manual console tweaks." Easy copy fix.

4. Non-blocking, just noting:

  • Validation bold labels at :149–152 are still Title Case ("DNS Check", "WAF Test", "Worker Canary", "Access Policy"). Sentence case would match STYLE-GUIDE.md H2+ convention and other Pulumi posts, but inline-bold labels aren't strictly covered.
  • meta.png / feature.png placeholders are appropriate while needs-design is still on the PR.

Summary

The hygiene blocker is cleared and the social formatting is fixed. The Cloudflare/Worker accuracy items from the prior pass don't appear to have been addressed in this revision — if you intended them to be addressed, it'd be worth double-checking the diff; if you're deferring them, please call that out explicitly so reviewers know the post hasn't been validated against a live pulumi up. The single "often" duplication is a quick fix on :28.

Mention me (@claude) once you've taken another look.
· branch blog/cloudflare-first-networking-with-pulumi


sicarul commented May 13, 2026

@claude please review again. Branch history is now a single clean commit on current origin/master. The PR diff contains only content/blog/cloudflare-first-networking-with-pulumi/index.md plus feature.png and meta.png. Social-review is passing, and actionable content feedback has been addressed.


pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 26s


Docs re-review for PR #18959

Confirmed: branch is a single clean commit (eddeda9) on top of master, and the diff is just the three blog files (feature.png, index.md, meta.png). Hygiene blocker from the prior pass is resolved. ✅

  • Verify PR diff against origin/master
  • Re-read index.md against prior feedback
  • Confirm Worker code shape
  • Confirm Cloudflare resource shapes
  • Check "often" duplication
  • Post re-review

What's resolved since the last pass

  • Hygiene: new_content.md and .sisyphus/** are out of both the diff and the working tree. ✅
  • Social frontmatter formatting (index.md:14–25) — X, LinkedIn, and Bluesky entries now have the two-paragraph structure social-review asked for, and the social-media-review check is PASS. ✅
  • Branch history — single commit on master, clean. ✅

Items from the prior pass that still look unchanged

The trigger comment says "addressed the review feedback that applied to this post," so I want to flag these in case any slipped through rather than being deliberate calls:

1. The Worker still uses the deprecated Service Worker API (index.md:99–108):

content: `
    addEventListener('fetch', event => {
        event.respondWith(handleRequest(event.request))
    })
    async function handleRequest(request) { ... }
`,

Cloudflare's current guidance for new Workers is ES modules (export default { fetch(request, env, ctx) { ... } }); the Service Worker format is in maintenance. New readers who copy this will write code they'll have to migrate. If you'd rather keep the legacy shape for narrative simplicity, a one-line note acknowledging it's the legacy format would close this out.

2. Cloudflare provider resource shapes still unverified and unpinned. Same concerns as last pass — these are version-sensitive and I can't confirm them without running the program:

  • cloudflare.Zone (:67–72) — nested account: { id } matches recent provider versions, but earlier ones use a flat accountId.
  • cloudflare.DnsRecord (:74) — renamed from cloudflare.Record in newer versions.
  • cloudflare.ZeroTrustAccessGroup (:117–125) — include: [{ email: [{ email: "admin@example.com" }] }] with the doubly-nested email still reads as an unusual shape; in many versions include entries are flatter (e.g. { emails: ["..."] } or { email: { email: "..." } }).
  • cloudflare.ZeroTrustAccessApplication (:127–142) — inline policies work in recent versions; many earlier versions take separate ZeroTrustAccessPolicy resources.

Two concrete asks that would close this out:

  • Pin a version in the npm install line (@pulumi/cloudflare@x.y.z) so readers install what the post was authored against.
  • Add a one-liner near the install command like "verified against @pulumi/cloudflare@x.y.z" so a reader who hits a schema mismatch knows where to look.

If you've already run this end-to-end against a real Cloudflare zone, calling that out in the PR description (or as a sentence in the post itself) would be enough to resolve this.

3. "often" duplication on index.md:28 — still reads "Platform teams … often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration often drifts…" The previous pass suggested dropping the second "often":

Platform teams managing multi-cloud applications often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration drifts through manual console tweaks. DNS records point to stale origins, WAF rules are inconsistent across environments, and Zero Trust policies fail to keep pace with team changes. This edge drift leads to application exposure or routing failures that origin teams only notice after users report them.

4. Non-blocking style notes (unchanged):

  • Validation bold labels at :149–152 are Title Case ("DNS Check", "WAF Test", "Worker Canary", "Access Policy"). Sentence case would match the H2+ convention in STYLE-GUIDE.md. Inline-bold labels aren't strictly covered, so this is a nit.
  • meta.png / feature.png placeholders are appropriate while needs-design is on the PR.

Summary

The hygiene blocker is fully resolved and the social formatting is now consistent with what the social-media-review asked for. The Cloudflare/Worker accuracy items from the prior pass still appear to be present in this revision — flagging in case they were missed; if they're deliberate (e.g. the post was verified against a specific provider version), please call that out in the post (a pinned @pulumi/cloudflare@x.y.z in the install line is the most reader-friendly fix) and the "often" duplication on :28 is a one-word delete.

Mention me (@claude) once you've taken another look.
· branch blog/cloudflare-first-networking-with-pulumi


sicarul commented May 13, 2026

@claude please review again. This request is after the latest pushed head commit eddeda97. The branch has a single clean commit on current origin/master, and the PR diff is limited to content/blog/cloudflare-first-networking-with-pulumi/index.md, feature.png, and meta.png.


pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 2s


Docs re-review for PR #18959

HEAD is still eddeda97 — the same commit I reviewed ~5 minutes ago at 22:32 UTC. PR diff is still the three blog files (feature.png, index.md, meta.png) on top of master, and index.md is byte-for-byte identical to the version I just reviewed. So the same picture applies:

  • Verify PR diff against origin/master
  • Re-read index.md against prior feedback
  • Check Worker code shape (index.md:99-108)
  • Check Cloudflare resource shapes (index.md:67-142)
  • Check "often" duplication on index.md:28
  • Post re-review

Status

Resolved:

  • Hygiene (no new_content.md / .sisyphus/** in the diff or working tree).
  • Branch history (single clean commit on master).
  • Social frontmatter formatting (X / LinkedIn / Bluesky two-paragraph structure — social-media-review PASS).

Still present in this commit (unchanged since the prior pass — flagging in case you intended one or more of these to be in this push):

  1. Worker still uses Service Worker API (index.md:99–108) — addEventListener('fetch', ...) rather than export default { fetch(...) }. Either swap to ES modules, or add a one-line note that this is the legacy format and link to the modern shape.
  2. Cloudflare resource shapes still unverified / version unpinned. cloudflare.Zone nested account.id (:67-72), cloudflare.DnsRecord name (:74), ZeroTrustAccessGroup include: [{ email: [{ email: ... }] }] doubly-nested shape (:117-125), and inline policies on ZeroTrustAccessApplication (:127-142) all read as version-sensitive. The cleanest fix is pinning @pulumi/cloudflare@x.y.z in the npm install line (:54) and adding "verified against @pulumi/cloudflare@x.y.z" near it.
  3. "often" duplication still on index.md:28 — "Platform teams … often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration often drifts…". One-word delete.
  4. Non-blocking: validation bold labels at :149-152 are still Title Case ("DNS Check", "WAF Test", "Worker Canary", "Access Policy"); meta.png/feature.png placeholders are appropriate while needs-design is on the PR.

Why I'm flagging this rather than re-iterating

Your last trigger comment said "addressed the review feedback that applied to this post" and this trigger asks for another pass at the same HEAD — so I want to be explicit: I see no content changes since the prior review. If items 1–3 were a deliberate "won't fix" call (e.g. you verified resource shapes against a specific provider version, or you want to keep the legacy Worker shape for narrative flow), it'd be useful to say so in the PR description so a reader/reviewer knows the post was checked. If they were intended to be fixed in this push, the commit doesn't contain them.

Happy to re-review once there's a new commit with changes, or once you confirm one or more of these are intentional.
· branch blog/cloudflare-first-networking-with-pulumi

@sicarul sicarul removed the needs-design label May 14, 2026
@sicarul sicarul marked this pull request as draft May 14, 2026 00:27

sicarul commented May 14, 2026

@claude please review again. This PR is now marked as draft, the needs-design label has been removed, and the latest pushed head is eddeda97.


pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 45s


Docs re-review for PR #18959

HEAD is still eddeda97 (commit eddeda973b6685400cd76f2d7321b31d657dafb5) and index.md is byte-for-byte identical to the version I reviewed at 22:35 UTC. Confirmed the PR-level changes you mentioned:

  • PR is now in Draft state ✅
  • needs-design label removed ✅
  • Branch diff vs. master is still just the three blog files (feature.png, index.md, meta.png)
  • Re-read index.md against prior feedback

Status snapshot

Since the commit hasn't changed, the content state is unchanged from the prior pass:

Resolved earlier (still good):

  • Hygiene — no new_content.md / .sisyphus/** in the diff or working tree.
  • Single clean commit on top of origin/master.
  • Social frontmatter formatting (X / LinkedIn / Bluesky two-paragraph structure — social-media-review PASS).

Still present in eddeda97 (carried over from prior passes):

  1. Worker still uses Service Worker API (index.md:99–108) — addEventListener('fetch', ...) rather than export default { fetch(...) }. Either swap to ES modules or add a one-line note that this is the legacy format.
  2. Cloudflare resource shapes unverified / version unpinned: cloudflare.Zone nested account.id (:67–72), cloudflare.DnsRecord name (:74), ZeroTrustAccessGroup doubly-nested include: [{ email: [{ email: ... }] }] (:117–125), and inline policies on ZeroTrustAccessApplication (:127–142) are all version-sensitive. The cleanest fix is pinning @pulumi/cloudflare@x.y.z in :54 and adding "verified against @pulumi/cloudflare@x.y.z" near it.
  3. "often" duplicates on index.md:28 — "Platform teams … often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration often drifts…" One-word delete.
  4. Non-blocking: validation bold labels at :149–152 are still Title Case; meta.png / feature.png placeholders are now fine as a draft-state decision (since needs-design was removed, please confirm in the PR description whether the current images are the intended final assets or are being deferred).

Note on the draft + label change

Marking the PR as Draft and dropping needs-design is a reasonable parking signal — happy to re-review once there's a new commit. If the intent is to publish with the current images and the current code shapes (i.e. items 1–2 are deliberate "won't fix" calls), it would help readers if the PR description spelled that out — especially whether the program was validated against a real Cloudflare zone and which provider version it was authored against.

Ping me (@claude) when there's a new commit or when you'd like me to take another pass.
· branch blog/cloudflare-first-networking-with-pulumi

@cnunciato cnunciato removed the request for review from CamSoper May 14, 2026 00:47
@sicarul sicarul force-pushed the blog/cloudflare-first-networking-with-pulumi branch from eddeda9 to e4df93b Compare May 14, 2026 04:23

sicarul commented May 14, 2026

@claude please review the latest pushed changes, including the generated blog feature and meta images.


pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 1m 24s


Docs re-review for PR #18959

HEAD is now e4df93b (was eddeda97 at the prior pass) — a fresh single commit on top of master. PR diff is the same three files: feature.png, index.md, meta.png. The textual content of index.md is byte-for-byte identical to eddeda97; the new bits in this commit are the rendered images.

  • Check current HEAD vs prior review
  • Verify PR diff scope
  • Inspect feature.png and meta.png
  • Re-read index.md against prior feedback
  • Post re-review

Feature + meta images — looks good ✅

  • feature.png — 1884×1256 PNG, Pulumi neo template with the Cloudflare cloud icon and Pulumi rosette on a purple background. Matches the spec for feature_image.
  • meta.png — 1200×628 PNG (standard Open Graph dimensions), title "Cloudflare-First Networking as Code with Pulumi" rendered cleanly on the left, Pulumi logo in the corner, Cloudflare + Pulumi icons on the right. Title wraps to 4 lines and is fully legible.

These are real generated assets, not the prior placeholders. Social cards will render correctly.

index.md content — unchanged since the prior pass

Since the file is byte-identical to eddeda97, the same items from the previous review still apply. Flagging in case you intended this commit to include text changes alongside the images:

1. Worker still uses Service Worker API (index.md:99–108) — addEventListener('fetch', ...) rather than the modern export default { fetch(...) }. Either swap to ES modules or add a one-line note that this is the legacy format.

2. Cloudflare resource shapes unverified / version unpinned: cloudflare.Zone nested account.id (:67–72), cloudflare.DnsRecord name (:74), ZeroTrustAccessGroup doubly-nested include: [{ email: [{ email: ... }] }] (:117–125), inline policies on ZeroTrustAccessApplication (:127–142). The cleanest fix is pinning @pulumi/cloudflare@x.y.z on :54 and adding "verified against @pulumi/cloudflare@x.y.z" near it.

3. "often" duplicates on index.md:28 — "Platform teams … often face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration often drifts…" One-word delete.

4. Non-blocking: validation bold labels at :149–152 are still Title Case ("DNS Check", "WAF Test", "Worker Canary", "Access Policy").

Summary

The image generation is the new material here and it landed well — both assets are correctly sized, on-brand, and the meta card title is legible. The text of the post is unchanged, so items 1–3 from the prior pass are still open. If they're deliberate calls (post verified against a specific provider version, legacy Worker shape kept for narrative simplicity), it'd help to call that out in the PR description so reviewers know the post has been validated. Otherwise, items 1–3 are worth a quick follow-up commit before this comes out of draft.

Ping me (@claude) when there's a new commit or when you'd like another pass.
· branch blog/cloudflare-first-networking-with-pulumi

Labels

area/blog-content Issues relating to content for pulumi.com/blog