IT OPS
Cloudflare TLS Certificate Expiry Sweep with PagerDuty Escalation
Scans every Cloudflare zone's edge and custom certificates daily, and pages on-call through PagerDuty when any cert expires inside the renewal window so it never lapses silently.
How it runs
The automated pipeline, trigger to output.
- Trigger: Daily schedule at 08:00 UTC
- Action: List all zones and certificate packs (Cloudflare)
- Logic: Compute days-to-expiry and classify critical/warning/healthy
- Logic: Branch: any cert in critical or warning window?
- Action: Open PagerDuty incident for critical certs (PagerDuty)
- Output: Post warning + critical summary to Slack (Slack)
What it does
Pulls the full certificate inventory across all your Cloudflare zones once a day, calculates days-to-expiry for each edge and custom certificate, and routes anything inside the danger threshold to PagerDuty. Certs with plenty of runway are logged and ignored, so on-call only hears about real risk.
When to use it
When you run customer-facing domains on Cloudflare and a single expired TLS cert means an outage. Ideal for teams that have outgrown calendar reminders and want expiry to be an automatic, escalating signal rather than a Friday-afternoon surprise.
How it works
1. A daily schedule fires the sweep at a fixed UTC hour.
2. The flow lists every zone and its certificate packs from the Cloudflare API.
3. For each certificate it computes days remaining and tags it critical (<= 14 days), warning (<= 30 days), or healthy.
4. A branch checks whether any certificate landed in critical or warning.
5. Critical certs open a PagerDuty incident with the zone, hostname, and exact expiry timestamp.
6. A Slack summary of all warnings and criticals is posted to the infra channel so the broader team has the full picture.
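
The classification and routing in steps 3 to 5, as an added example (not the workflow's own code). The record shape (zone, hostname, expires_on) is an assumption and the inventory is constructed sample data; comparing on fractional days and reporting an unreadable expiry as "unknown" in the summary are choices made here, not something the page specifies.

```python
from datetime import datetime, timezone

CRITICAL_DAYS, WARNING_DAYS = 14, 30  # thresholds stated on the page

def days_left(expires_on, now):
    """Fractional days until expiry (negative once expired)."""
    exp = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
    if exp.tzinfo is None:  # assumption: naive timestamps are UTC
        exp = exp.replace(tzinfo=timezone.utc)
    return (exp - now).total_seconds() / 86400

def classify(days):
    if days <= CRITICAL_DAYS:
        return "critical"  # also covers already-expired certs
    if days <= WARNING_DAYS:
        return "warning"
    return "healthy"

def _soonest(row):
    # Unknown expiry sorts first so it is read before anything else.
    return float("-inf") if row["days_left"] is None else row["days_left"]

def sweep(certs, now):
    """Return (page, slack): certs to page on, and the Slack summary rows."""
    page, slack = [], []
    for cert in certs:
        try:
            days = days_left(cert["expires_on"], now)
            status = classify(days)
        except (KeyError, ValueError, AttributeError):
            days, status = None, "unknown"  # surface it, never skip silently
        row = {**cert, "days_left": days, "status": status}
        if status == "critical":
            page.append(row)
        if status != "healthy":
            slack.append(row)
    return sorted(page, key=_soonest), sorted(slack, key=_soonest)

# Constructed sample inventory (hypothetical record shape, not real certs).
NOW = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"zone": "example.com", "hostname": "www.example.com", "expires_on": "2025-01-10T00:00:00Z"},
    {"zone": "example.com", "hostname": "api.example.com", "expires_on": "2025-01-25T12:00:00Z"},
    {"zone": "example.org", "hostname": "example.org", "expires_on": "2025-06-01T00:00:00Z"},
    {"zone": "example.org", "hostname": "old.example.org", "expires_on": "2024-12-30T00:00:00Z"},
    {"zone": "example.net", "hostname": "example.net", "expires_on": None},
    {"zone": "example.net", "hostname": "edge.example.net", "expires_on": "2025-01-15T09:00:00Z"},
]
```

In the sample, `edge.example.net` has 14 days and 1 hour left at sweep time, so it lands in warning rather than critical; a whole-day floor would have paged on it.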
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV — the edge stack.
2. Connect PagerDuty: Incidents, on-call, escalations.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
5. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

