
Commit 325dfae

committed
Parse out permissions
1 parent 510ff71 commit 325dfae


3 files changed

+12
-14
lines changed


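--- a/.github/testing/main.tf
+++ b/.github/testing/main.tf
@@ -72,4 +72,4 @@ module "r2-api-token_eu" {
 bucket_write = false
 expires_on = timeadd(timestamp(), "10m")
 jurisdiction = "eu"
-}
+}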

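--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [cloudflare_api_token.token](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token) | resource |
-| [cloudflare_account_api_token_permission_groups.this](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/account_api_token_permission_groups) | data source |
+| [cloudflare_api_token_permission_groups_list.this](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/api_token_permission_groups_list) | data source |
 
 ## Inputs
 
@@ -56,8 +56,5 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_id"></a> [id](#output\_id) | API Token ID.<br/>Used as the Access Key ID |
-| <a name="output_name"></a> [name](#output\_name) | Name of the API Token |
-| <a name="output_secret"></a> [secret](#output\_secret) | Secret Access Key |
-| <a name="output_value"></a> [value](#output\_value) | API Token Value |
+| <a name="output_debug"></a> [debug](#output\_debug) | Debug output of the API Token |
 <!-- END_TF_DOCS -->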

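--- a/main.tf
+++ b/main.tf
@@ -8,24 +8,25 @@ terraform {
 }
 }
 
-data "cloudflare_account_api_token_permission_groups" "this" {
-account_id = var.account_id
+data "cloudflare_api_token_permission_groups_list" "this" {
 }
 
 locals {
 resources = length(var.buckets) > 0 ? { for bucket in var.buckets : "com.cloudflare.edge.r2.bucket.${var.account_id}_${var.jurisdiction}_${bucket}" => "*" } : { "com.cloudflare.edge.r2.bucket.*" = "*" }
 token_bucket_names = length(var.buckets) > 0 ? join(",", var.buckets) : "All-Buckets"
+r2_api_permissions = { for x in data.cloudflare_api_token_permission_groups_list.this.result : x.name => x.id if contains(["Workers R2 Storage Bucket Item Read", "Workers R2 Storage Bucket Item Write"], x.name) }
+permission_id_list = compact([
+var.bucket_read ? local.r2_api_permissions["Workers R2 Storage Bucket Item Read"] : null,
+var.bucket_write ? local.r2_api_permissions["Workers R2 Storage Bucket Item Write"] : null,
+])
 }
 
 resource "cloudflare_api_token" "token" {
 name = var.token_name != "" ? var.token_name : "R2-${local.token_bucket_names}-${var.bucket_read ? "Read" : ""}-${var.bucket_write ? "Write" : ""}"
 policies = [{
-effect = "allow"
-resources = local.resources
-permission_groups = compact([
-var.bucket_read ? { id = data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Read"] }: null,
-var.bucket_write ? { id = data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Write"] }: null,
-])
+effect = "allow"
+resources = local.resources
+permission_groups = [for x in local.permission_id_list : { id = x }]
 }]
 not_before = var.not_before != "" ? var.not_before : null
 expires_on = var.expires_on != "" ? var.expires_on : null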
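Review bot: Nothing guards the case where both `var.bucket_read` and `var.bucket_write` are false: `local.permission_id_list` (new lines 18-21) collapses to an empty list, so `permission_groups` on new line 29 becomes `[]` and the token is created with an allow policy that carries no permission groups, or presumably rejected by the provider at apply time with a message that does not point at the two input flags. The removed `compact([...])` block had the same silent path, but this rewrite is the natural place to fail early with a `precondition` in the resource's `lifecycle` block (available if the pinned Terraform version is 1.2 or later). The indexed lookups on new lines 19-20 will likewise abort with a bare "Invalid index" error if the data source ever stops returning one of the two names; a second precondition on `length(local.r2_api_permissions) == 2` would make that failure self-explanatory instead of looking like a typo in the local. The `cloudflare_api_token.token` resource continues outside the hunk.
```hcl
resource "cloudflare_api_token" "token" {
  # … unchanged: name, policies, not_before, expires_on …

  lifecycle {
    precondition {
      condition     = length(local.permission_id_list) > 0
      error_message = "At least one of bucket_read or bucket_write must be true; refusing to create a token with no permission groups."
    }
    precondition {
      condition     = length(local.r2_api_permissions) == 2
      error_message = "cloudflare_api_token_permission_groups_list did not return both 'Workers R2 Storage Bucket Item Read' and 'Workers R2 Storage Bucket Item Write'."
    }
  }
```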
