Infisical Cloud SaaS configuration runbook

System: Infisical Cloud SaaS (app.infisical.com — the managed cloud instance, not vault.raxx.app) Owner: Operator (Kristerpher) Last incident: 2026-05-04 (CF Access lockout on moosequest.cloudflareaccess.com — see #1076) Last reviewed: 2026-05-12 UTC Related issues: #1076 (bring CF Access gate + Infisical config under IaC)

What is managed where

What the Terraform provider covers

The official Infisical/infisical provider (registry.terraform.io/providers/Infisical/infisical) manages:

• infisical_project — project creation and settings
• infisical_project_environment — environment names and slugs per project
• infisical_project_role — custom project-level RBAC roles
• infisical_identity — machine identities (universal auth)
• infisical_secret — individual secrets (use sparingly; not suited for bulk management)

The provider does NOT expose: - Organization-level SSO / OIDC / SAML IdP config - Audit log streaming or SIEM webhook endpoints - Third-party integration sync targets (Heroku, GitHub Actions, Vercel, etc.) - Webhook notification endpoints - Infisical Cloud billing or subscription settings

These are managed exclusively via the Infisical Cloud UI and are documented below.

How to tell it's broken

CF Access gate broken (operator cannot reach Infisical Cloud login)

• Symptom: Navigating to the Infisical Cloud login URL redirects to Cloudflare and shows "That account does not have access."

• Diagnostic: Check that kris@moosequest.net is in cf_access_allowed_emails in terraform/cf-access/terraform.tfvars. Run: bash cd terraform/cf-access export CLOUDFLARE_API_TOKEN=$(infisical secrets get CF_ACCESS_MGMT \ --path /MooseQuest/cloudflare/ --plain) terraform plan A non-empty plan means state has drifted from config. If the plan shows a destroy of cloudflare_zero_trust_access_application.infisical_cloud_saas, STOP — do not apply. That means the import was never run. Follow the import sequence in main.tf.

• Fix: If the application has been imported and the plan is clean, verify the policy: bash curl -sS \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ "https://api.cloudflare.com/client/v4/accounts/$TF_VAR_cf_access_account_id/access/apps/<app_id>/policies" \ | python3 -m json.tool Confirm include[].email contains kris@moosequest.net.

Infisical Cloud dashboard inaccessible after login (not CF Access)

• Symptom: CF Access passes (no "That account does not have access"), but Infisical Cloud itself shows an error or blank screen.
• Diagnostic: This is an Infisical Cloud service issue, not a CF or Terraform issue. Check https://status.infisical.com.
• Fix: Wait for Infisical Cloud to recover. If Infisical Cloud is healthy but the account is locked, check SSO / SAML config (see "Manual configuration" below).

How to diagnose (in order)

1. Check Infisical Cloud status page — https://status.infisical.com
2. Verify CF Access gate — navigate to the Infisical Cloud URL. "That account does not have access" = CF Access issue. Any other error = Infisical issue.
3. Check Terraform state — terraform plan from terraform/cf-access/. Zero diff = no config drift.
4. Check the CF Access application in the dashboard — https://one.dash.cloudflare.com/<account_id>/access/apps — confirm the Infisical Cloud app exists and has the correct policy.

Initial import (run once after first terraform init)

This only needs to be run once. After a successful import + zero-diff plan, normal terraform apply cadence applies.

cd terraform/cf-access

# Resolve secrets
export CLOUDFLARE_API_TOKEN=$(infisical secrets get CF_ACCESS_MGMT \
  --path /MooseQuest/cloudflare/ --plain)
export TF_VAR_cf_access_account_id=$(infisical secrets get CF_ACCESS_ACCOUNT_ID_MOOSEQUEST \
  --path /MooseQuest/cloudflare/ --plain)

# Step 1: discover the existing app ID
curl -sS \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  "https://api.cloudflare.com/client/v4/accounts/$TF_VAR_cf_access_account_id/access/apps?per_page=50" \
  | python3 -c "
import sys, json
apps = json.load(sys.stdin)['result']
for a in apps:
    if 'infisical' in (a.get('name') or '').lower():
        print('APP ID:', a['id'])
        print('NAME:', a['name'])
        print('TYPE:', a.get('type'))
        print('DOMAIN:', a.get('domain') or a.get('self_hosted_domains'))
"

# Step 2: import the application (replace APP_ID with the value from Step 1)
APP_ID="<paste-app-id-from-step-1>"
terraform import \
  cloudflare_zero_trust_access_application.infisical_cloud_saas \
  "${TF_VAR_cf_access_account_id}/${APP_ID}"

# Step 3: discover the existing operator policy
curl -sS \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  "https://api.cloudflare.com/client/v4/accounts/$TF_VAR_cf_access_account_id/access/apps/${APP_ID}/policies" \
  | python3 -c "
import sys, json
for p in json.load(sys.stdin)['result']:
    print('POLICY ID:', p['id'])
    print('NAME:', p['name'])
    print('DECISION:', p['decision'])
    print()
"

# Step 4: import the operator policy (replace POLICY_ID from Step 3)
POLICY_ID="<paste-policy-id-from-step-3>"
terraform import \
  cloudflare_zero_trust_access_policy.infisical_cloud_operator \
  "${TF_VAR_cf_access_account_id}/${APP_ID}/${POLICY_ID}"

# Step 5: verify zero diff
terraform plan
# Expected output: "No changes. Your infrastructure matches the configuration."
# If there ARE diffs, review carefully. Update terraform.tfvars / main.tf to
# match the real state before applying. Never apply a destroy of this app.

# Step 6: record the real app ID in terraform.tfvars
# Update: infisical_cloud_app_id = "<real-app-id>"

Manual configuration (no Terraform equivalent)

These settings live exclusively in the Infisical Cloud dashboard. They are not covered by the Terraform provider as of 2026-05. Document the current state here and update after any change.

SSO / identity provider (current: Cloudflare Access / OIDC)

Infisical Cloud can be configured to use Cloudflare Access as an upstream OIDC provider. When this is enabled, Infisical Cloud delegates all authentication to Cloudflare, and the CF Access gate is the only required credential.

Location in Infisical Cloud UI: Organization Settings → SSO

Current state: Cloudflare Access OIDC. Client ID and secret are stored in Infisical Cloud's own config (not accessible via API). If SSO is ever reconfigured, the OIDC Client ID / Secret pair must be refreshed manually.

To verify SSO is working:

# Should redirect to Cloudflare login, pass through CF Access, and return a valid session.
curl -sS -o /dev/null -w "%{http_code}" \
  "https://app.infisical.com/login"
# Expect: 200 or 302 to Cloudflare login

To reconfigure SSO (operator action required): 1. Log in to Infisical Cloud with current credentials. 2. Navigate to Organization Settings → SSO. 3. Update the OIDC provider settings. 4. Record any new Client ID / Secret in vault at /MooseQuest/infisical/ with keys INFISICAL_CLOUD_OIDC_CLIENT_ID and (sensitive) INFISICAL_CLOUD_OIDC_CLIENT_SECRET.

Audit log streaming

Location: Organization Settings → Audit Log Streaming

Current state: Not configured. Audit logs are available in the Infisical Cloud UI only.

Action item: Wire audit log streaming to the Raxx ops inbox or SIEM once one is provisioned. Until then, manual review via UI. Tracked in #1076 action items.

Integration syncs (Heroku, GitHub Actions, etc.)

Location: Project → Integrations

Current state: Manual review required. Any integration configured via UI is invisible to Terraform. After each integration is added or removed via UI, add a row to this table:

Recommendation: Before adding any integration, open a type:infrastructure issue so the change is tracked. Integration tokens live in Infisical Cloud's storage, not in vault.raxx.app.

Webhook notification endpoints

Location: Project → Webhooks

Current state: Not configured.

Emergency stop

To immediately revoke operator access to Infisical Cloud without touching the vault itself:

# Remove kris@moosequest.net from the CF Access policy allowlist:
# Edit terraform/cf-access/terraform.tfvars:
#   cf_access_allowed_emails = []  # empty = no one can pass CF gate

cd terraform/cf-access
export CLOUDFLARE_API_TOKEN=$(infisical secrets get CF_ACCESS_MGMT \
  --path /MooseQuest/cloudflare/ --plain)
export TF_VAR_cf_access_account_id=$(infisical secrets get CF_ACCESS_ACCOUNT_ID_MOOSEQUEST \
  --path /MooseQuest/cloudflare/ --plain)
terraform apply -auto-approve

This gates ALL access via the CF Access policy. The Infisical Cloud account itself is unaffected — access can be restored by re-adding the email and re-applying.

Escalation

Escalate to operator (Kristerpher) when: - terraform plan shows a destroy of cloudflare_zero_trust_access_application.infisical_cloud_saas — this means the app was deleted from the CF dashboard. Do NOT apply. Manual import or recreation is needed. - Infisical Cloud SSO is broken and secrets are inaccessible — this is a full vault lockout. Break-glass credentials are in the private Google Drive (see project memory: project_aws_iam_state.md pattern). - A novel CF Access failure mode not documented here.

Refs

• CF Access gate: terraform/cf-access/main.tf (resource cloudflare_zero_trust_access_application.infisical_cloud_saas)
• Service token provisioning: docs/ops/runbooks/cf-access-service-token-provisioning.md
• CF token inventory: docs/ops/runbooks/cloudflare-tokens.md
• Infisical Terraform provider: https://registry.terraform.io/providers/Infisical/infisical/latest/docs
• Infisical Cloud status: https://status.infisical.com
• Related incident: 2026-05-04 lockout — triggered #1076