cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

Resource `cloudflare_api_token` fails due to schema issues with permission_groups.id #4591

Open jrogers-dlp opened 2 hours ago

jrogers-dlp commented 2 hours ago

Terraform and Cloudflare provider version

Terraform v1.8.5 on windows_amd64

Affected resource(s)

cloudflare_api_token

Terraform configuration files

resource "cloudflare_api_token" "api_token" {
  name = "api_token"
  policies = [{
    effect            = "allow"
    permission_groups = [
      {
        id = "dfe525ec7b07472c827d8d009178b2ac"
      }
    ]
    resources = {
      resource = "com.cloudflare.api.user.${var.jr_user_id}"
      scope    = "*" 
    }
  }]
}

Link to debug output

https://gist.github.com/jrogers-dlp/a2e4e2d6dabcc623a770ee36c597cf73

Panic output

No response

Expected output

Expected id to be set for permission group and terraform plan shown like so:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # cloudflare_api_token.api_token will be created
  + resource "cloudflare_api_token" "api_token" {
      + condition    = (known after apply)
      + expires_on   = (known after apply)
      + id           = (known after apply)
      + issued_on    = (known after apply)
      + last_used_on = (known after apply)
      + modified_on  = (known after apply)
      + name         = "api_token"
      + not_before   = (known after apply)
      + policies     = [
          + {
              + effect            = "allow"
              + id                = (known after apply)
              + permission_groups = [
                  + {
                      + id   = "dfe525ec7b07472c827d8d009178b2ac"
                      + meta = (known after apply)
                      + name = (known after apply)
                    },
                ]
              + resources         = {
                  + resource = "com.cloudflare.api.user.f4fdf41e55edfb26ba7e63c86053c9f9"
                  + scope    = "*"
                }
            },
        ]
      + status       = (known after apply)
      + value        = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Actual output

Terraform error on attempting to set a read-only attribute.

╷
│ Error: Invalid Configuration for Read-Only Attribute
│
│   with cloudflare_api_token.api_token,
│   on main.tf line 60, in resource "cloudflare_api_token" "api_token":
│   60: resource "cloudflare_api_token" "api_token" {
│
│ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.
│
│ Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that are supported.

Steps to reproduce

  1. terraform init with cloudflare provider version 5.0.0-alpha1
  2. Create a resource with cloudflare_api_token that creates an api token
  3. Run terraform apply

Additional factoids

Feels like with the current way that it is written, there is no valid resource configuration for cloudflare_api_token, as policies.permission_groups.id is listed as computed in the schema so it cannot be set.

I also tried modifying internal/services/api_token/resource.go and internal/services/api_token/model.go to change id from computed to required and rebuilt, and the resource does then succeed to at least the plan step. However, I'm currently having issues with the API not accepting anything I give the resources attribute, so I haven't gotten the resource to fully create yet, but that part is potentially just my own ignorance.

References

No response
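
An added check, not part of the original issue or the provider's code: it walks data in the `terraform providers schema -json` format and reports which configured attribute paths the schema marks computed-only, the condition behind the read-only error above. The schema excerpt is constructed to mirror what the issue describes, and the function names are hypothetical.

```python
import json

# Constructed excerpt in the shape of `terraform providers schema -json` output,
# mirroring the issue's description (id is computed-only). Not a real schema dump.
SAMPLE = json.loads("""
{"provider_schemas": {"registry.terraform.io/cloudflare/cloudflare": {"resource_schemas": {
  "cloudflare_api_token": {"block": {"attributes": {
    "name":  {"type": "string", "required": true},
    "value": {"type": "string", "computed": true, "sensitive": true},
    "policies": {"required": true, "nested_type": {"nesting_mode": "list", "attributes": {
      "effect":    {"type": "string", "required": true},
      "id":        {"type": "string", "computed": true},
      "resources": {"type": ["map", "string"], "required": true},
      "permission_groups": {"required": true, "nested_type": {"nesting_mode": "list", "attributes": {
        "id":   {"type": "string", "computed": true},
        "meta": {"type": ["map", "string"], "computed": true},
        "name": {"type": "string", "computed": true}}}}
    }}}
  }}}
}}}}
""")

def classify(attr):
    """Map Terraform's required/optional/computed flags to one label."""
    if attr.get("required"):
        return "required"
    if attr.get("optional"):
        return "optional"
    return "read-only" if attr.get("computed") else "unknown"

def walk(attributes, prefix=""):
    """Yield (dotted path, label) for each attribute, descending into nested_type."""
    for name, attr in sorted(attributes.items()):
        yield prefix + name, classify(attr)
        nested = attr.get("nested_type", {}).get("attributes", {})
        yield from walk(nested, prefix + name + ".")

def read_only_paths(schema, provider, resource):
    block = schema["provider_schemas"][provider]["resource_schemas"][resource]["block"]
    return [path for path, label in walk(block["attributes"]) if label == "read-only"]

def conflicts(schema, provider, resource, configured):
    """Configured paths that the schema will reject as read-only."""
    return sorted(set(configured) & set(read_only_paths(schema, provider, resource)))

PROVIDER = "registry.terraform.io/cloudflare/cloudflare"
# Attribute paths set by the configuration in the issue.
CONFIGURED = ["name", "policies.effect", "policies.permission_groups.id", "policies.resources"]
print(conflicts(SAMPLE, PROVIDER, "cloudflare_api_token", CONFIGURED))
```

To run it against an installed provider, replace `SAMPLE` with the parsed output of `terraform providers schema -json` from an initialized working directory.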
