cloudflare_api_token_permissions_groups_list usage in terraform cloudflare provider v5

[nuxdie]

Hey, just passing by. I noticed that you have this

dotfiles/terraform/cloudflare.tf

Lines 18 to 29 in 2d9a841

	# # TODO cloudflare_api_token_permissions_groups_list not working
	# # permission_groups = [for group in data.cloudflare_api_token_permissions_groups_list.all.result : group if contains(["Zone Read", "Zone Settings Read", "DNS Write"], group.name) ]
	# # permission_groups = [
	# # data.cloudflare_api_token_permissions_groups_list.all.zone["Zone Read"],
	# # data.cloudflare_api_token_permissions_groups_list.all.zone["Zone Settings Read"],
	# # data.cloudflare_api_token_permissions_groups_list.all.zone["DNS Write"],
	# # ]
	# permission_groups = [
	# { id = "517b21aee92c4d89936c976ba6e4be55" }, # Zone Settings Read
	# { id = "c8fed203ed3043cba015a93ad1616f1f" }, # Zone Read
	# { id = "4755a26eedb94da69e1066d98aa820be" } # DNS Write
	# ]

I'm in the process of upgrading to terraform cloudflare provider v5 myself. Believe it or not, but your commented out code is the only thing that mentions cloudflare_api_token_permissions_groups_list data source anywhere on the web ATM.

anyways, here's what i found. querrying https://api.cloudflare.com/client/v4/user/tokens/permission_groups i got a list like this:

{
  "result": [
    {
      "id": "19637fbb73d242c0a92845d8db0b95b1",
      "name": "AI Audit Read",
      "description": "Grants access to reading AI Audit",
      "scopes": [
        "com.cloudflare.api.account.zone"
      ]
    },
    {
      "id": "1ba6ab4cacdb454b913bbb93e1b8cb8c",
      "name": "AI Audit Write",
      "description": "Grants access to reading and editing AI Audit",
      "scopes": [
        "com.cloudflare.api.account.zone"
      ]
    },
    {
      "id": "4dc8917b4b40457d88d3035d5dadb054",
      "name": "AI Gateway Read",
      "description": "Grants access to reading AI Gateways",
      "scopes": [
        "com.cloudflare.api.account"
      ]
    },
...

and so on. So, result is actually a giant flat array of objects. (in v4 of cloudflare provider it was a bit different: https://registry.terraform.io/providers/cloudflare/cloudflare/4.51.0/docs/data-sources/api_token_permission_groups#permissions-1 split, into account, user, r2 and zone, BTW.)

basically your idea of:

#     # permission_groups = [for group in data.cloudflare_api_token_permissions_groups_list.all.result : group if contains(["Zone Read", "Zone Settings Read", "DNS Write"], group.name) ]

was really close to what you need. here's the solution that works for me:

data "cloudflare_api_token_permissions_groups_list" "all" {
  account_id = cloudflare_account.<account>.id
}

locals {
  # Create a map of permission names to IDs
  permission_map = {
    for group in data.cloudflare_api_token_permissions_groups_list.all.result :
    group.name => group.id
  }
}

resource "cloudflare_api_token" "my_api_token" {
  name = "my_api_token"
  policies = [{
    effect = "allow"
    permission_groups = [
      {id = local.permission_map["Workers R2 Storage Write"]},
      {id = local.permission_map["Workers R2 Storage Read"]},
    ]
    resources = { 
      "com.cloudflare.api.account.${cloudflare_account.<account>.id}" = "*" 
    }
  }]
}

as you can see, i'm creating a token for using r2 on cloudflare, but you can use any permission descriptions you can get from https://developers.cloudflare.com/api/resources/user/subresources/tokens/subresources/permission_groups/methods/list/ and any resources that are relevant to you.

hope this helps!

[linyinfeng]

Thank you for your help!

I commented these codes out since I found there seem to be several weird problems in the v5.0.0 provider. I think the second problem may also affect your configuration.

1. I can not find the correct API token permission for the data cloudflare_api_token_permissions_groups_list. Seems your configuration is working, are you using the "Global API Key"?

   The document (https://developers.cloudflare.com/api/python/resources/user/subresources/tokens/methods/update/) says that I need API Tokens Write or API Tokens Read. The problem is:

   • These permissions can not be added to tokens using the web GUI. I then added API Tokens Write to my token using a direct API call.

     

   • But after terraform apply I got the following result, every element in the array is an empty object, pretty weird.

   

2. There is a big problem in cloudflare_api_token. If I apply again after creating the token, the token value will deleted from the state and the output.

   • Token creation works well.

     

   • Immediately apply again, the token value will be removed.

     

[linyinfeng]

Related issues:

1. Unclear how to migrate cloudflare_api_token_permission_groups to version 5.0.0 cloudflare/terraform-provider-cloudflare#5062
2. V5 cloudflare_api_tokens value is constantly delete cloudflare/terraform-provider-cloudflare#5045

[linyinfeng]

I can not find the correct API token permission for the data cloudflare_api_token_permissions_groups_list.

• But after terraform apply I got the following result, every element in the array is an empty object, pretty weird.

I think the following code indicates that cloudflare_api_token_permissions_groups_list has not been implemented, as explained in cloudflare/terraform-provider-cloudflare#5062 (comment).

https://github.com/cloudflare/terraform-provider-cloudflare/blob/1b70a6439cff5e9c6d1d2a44953c689639530ac8/internal/services/permission_group/list_data_source_model.go#L46-L47

type PermissionGroupsResultDataSourceModel struct {
}

[khawarizmus]

@linyinfeng The only way for you to get the API Token permissions added to your token from the web UI is by creating a token via a specific template. this means if you have an already existing token it has to be thrown out of the window.

This is the only mention i saw about it: https://community.cloudflare.com/t/api-token-user-permission/368098/3

Now waiting for a new version to at least fix the value disappearing

[linyinfeng]

@linyinfeng The only way for you to get the API Token permissions added to your token from the web UI is by creating a token via a specific template. this means if you have an already existing token it has to be thrown out of the window.

This is the only mention i saw about it: https://community.cloudflare.com/t/api-token-user-permission/368098/3

Now waiting for a new version to at least fix the value disappearing

Yes, User API Tokens Edit permission can be added using the template on web UI.
But at the time I do the test, the API /user/tokens/permission_groups only accepts the Account API Tokens Edit permission, which is different from User API Tokens Edit and can only be added to tokens using API call.

I tested again and it seems that /user/tokens/permission_groups now accepts tokens with only User API Tokens Edit permission. So Account API Tokens Edit are not needed anymore.

By the way, in Cloudflare's concept (https://developers.cloudflare.com/fundamentals/setup/accounts-and-zones/#accounts):

An account refers to an organization account. Accounts contain one or more users and can contain one or more zones. A user can be part of one or more accounts.