From 714cb4c398c38c751315d0787a8a6682e5c2ff9b Mon Sep 17 00:00:00 2001 From: Cyb3r-Jak3 Date: Fri, 21 Mar 2025 17:26:33 -0400 Subject: [PATCH 1/6] Try with v5 cloudflare provider --- .github/testing/main.tf | 6 ++---- .terraform.lock.hcl | 29 +++++++++++------------------ main.tf | 19 ++++++++++--------- 3 files changed, 23 insertions(+), 31 deletions(-) diff --git a/.github/testing/main.tf b/.github/testing/main.tf index 0cc5cb5..4ae3e92 100644 --- a/.github/testing/main.tf +++ b/.github/testing/main.tf @@ -2,11 +2,11 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = ">= 4.7.0" + version = ">= 5, <6" } random = { source = "hashicorp/random" - version = "3.5.1" + version = "3.7.1" } } } @@ -66,8 +66,6 @@ module "r2-api-token_wildcard" { expires_on = timeadd(timestamp(), "10m") } - - module "r2-api-token_eu" { source = "../.." account_id = var.account_id diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index b39d397..402bf3b 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -2,24 +2,17 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/cloudflare/cloudflare" { - version = "4.21.0" - constraints = ">= 4.13.0" + version = "5.2.0" + constraints = ">= 5.0.0, < 6.0.0" hashes = [ - "h1:yE3NwbKWcauqm0WijrJfLftllP3L+DbBT4acn6ssK3U=", - "zh:35b80c29ba47dd843f4281903389a519e90406efe1fd440f704d3a8ccf5a8338", - "zh:5af1ff1d13c7e91cd7e5382000b8f25bdd437ae3b73895b5876eb556352baf65", - "zh:5cc5418817c766af16e2ca9f23ddf3bbdd3c7f5e1a65756ed6f010c75005493e", - "zh:61655486cf10f65367f2bdc53701edb95a068859d54d30050d5028f5028f762d", - "zh:6a6d09d78442b4177e768ddeecc2cd9807bea839ce660e6771df96ff33c34f10", - "zh:6e56c6db96fb87a3a150a28588aa8ed430ef165ca3fde9ad873d40fad1f19021", - "zh:72ab4b2ebc3e06d045b28fcf9156577c7c685fe8445154888aeda74a767b0666", - "zh:78aa9402a1dc8a1c545355a63f6f64a7585ac8cb85ea1f4ef2d63919b8ea9864", - "zh:7c337f94a1ebe35ca5aa8f36d11bea114a8baa09030036c3875c99595e6a3059", - "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f", - "zh:91c8a229a39bb3b79766da6ad77bdd18afa1fadeb811129de64a8c40a15708eb", - "zh:a8cdad0dbea2528b716138d0e123ced7a676d24a785f7c27c14fe199f0e5d67a", - "zh:a982d06804e3abd4d50d09df3e6926253b43c86767b5d5fb69396ca479aecaff", - "zh:e1a2f880282aaa47344fda83c9f75dd3a317d152388adf1155c7aed3e12cb7a7", - "zh:e64bb1d0199d492535b0825527b01ca42039804cf3903f583976486c40d5328e", + "h1:JC86gRl0Hbavb0PTSI7z6K/h/BD5SYg14fyCVRu3Tp8=", + "h1:bBevLqDBPm9wGkuGlmpCNuyJVgCkgViL64Yn5ut4wRM=", + "zh:1c2785da1d01b2afd0cca625e8fee472a36f681dc206823db9d59e82a4a7db68", + "zh:cfe874ddc069cce594f2b660bbac4692bf267012002e1884fd0772ba3ddd77ef", + "zh:debe086c0fee03bebebce9bf387ff3859efb54471d10981fe408de81c1af03f1", + "zh:e42fa5538a90620a366af7a32a48197fcb4509c6ade5ad4750166435de06fbe3", + "zh:e8d6eef684bbd12c6d9678a8ebeb7be982eb44f5916e1c471419dd78d3911848", + "zh:ea0698597ccc8a5fef56d0b76678a20701dc4f8b74e4b4c53904e3372cb50de7", + 
"zh:f809ab383cca0a5f83072981c64208cbd7fa67e986a86ee02dd2c82333221e32", ] } diff --git a/main.tf b/main.tf index 2bc73f9..85aa4b9 100644 --- a/main.tf +++ b/main.tf @@ -3,12 +3,12 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = ">= 4.13.0, <5" + version = ">= 5, <6" } } } -data "cloudflare_api_token_permission_groups" "this" {} +data "cloudflare_account_api_token_permission_groups" "this" {} locals { resources = length(var.buckets) > 0 ? { for bucket in var.buckets : "com.cloudflare.edge.r2.bucket.${var.account_id}_${var.jurisdiction}_${bucket}" => "*" } : { "com.cloudflare.edge.r2.bucket.*" = "*" } @@ -17,17 +17,18 @@ locals { resource "cloudflare_api_token" "token" { name = var.token_name != "" ? var.token_name : "R2-${local.token_bucket_names}-${var.bucket_read ? "Read" : ""}-${var.bucket_write ? "Write" : ""}" - policy { + polices = [{ + effect = "allow" + resources = local.resources permission_groups = compact([ - var.bucket_read ? data.cloudflare_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Read"] : null, - var.bucket_write ? data.cloudflare_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Write"] : null, + var.bucket_read ? data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Read"] : null, + var.bucket_write ? data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Write"] : null, ]) - resources = local.resources - } + }] not_before = var.not_before != "" ? var.not_before : null expires_on = var.expires_on != "" ? var.expires_on : null - condition { - request_ip { + condition = { + request_ip = { in = var.condition_ip_in not_in = var.condition_ip_not_in } From da5e7bf3891d2467827f7c1c2c22e104ee8d0eb0 Mon Sep 17 00:00:00 2001 
From: Cyb3r-Jak3 Date: Fri, 21 Mar 2025 17:28:59 -0400 Subject: [PATCH 2/6] fix typos --- README.md | 6 +++--- main.tf | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 341a2da..4614a16 100644 --- a/README.md +++ b/README.md @@ -18,13 +18,13 @@ module "r2-api-token" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.2.0 | -| [cloudflare](#requirement\_cloudflare) | >= 4.13.0, <5 | +| [cloudflare](#requirement\_cloudflare) | >= 5, <6 | ## Providers | Name | Version | |------|---------| -| [cloudflare](#provider\_cloudflare) | >= 4.13.0, <5 | +| [cloudflare](#provider\_cloudflare) | >= 5, <6 | ## Modules @@ -35,7 +35,7 @@ No modules. | Name | Type | |------|------| | [cloudflare_api_token.token](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token) | resource | -| [cloudflare_api_token_permission_groups.this](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/api_token_permission_groups) | data source | +| [cloudflare_account_api_token_permission_groups.this](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/account_api_token_permission_groups) | data source | ## Inputs diff --git a/main.tf b/main.tf index 85aa4b9..ce59a34 100644 --- a/main.tf +++ b/main.tf 
@@ -17,12 +17,12 @@ locals { resource "cloudflare_api_token" "token" { name = var.token_name != "" ? var.token_name : "R2-${local.token_bucket_names}-${var.bucket_read ? "Read" : ""}-${var.bucket_write ? "Write" : ""}" - polices = [{ - effect = "allow" + policies = [{ + effect = "allow" resources = local.resources permission_groups = compact([ - var.bucket_read ? data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Read"] : null, - var.bucket_write ? data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Write"] : null, + var.bucket_read ? { id = data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Read"] }: null, + var.bucket_write ? { id = data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Write"] }: null, ]) }] not_before = var.not_before != "" ? var.not_before : null From 510ff712d31e2089ea26579d9e4fd6663ea4612f Mon Sep 17 00:00:00 2001 From: Cyb3r-Jak3 Date: Fri, 21 Mar 2025 17:31:29 -0400 Subject: [PATCH 3/6] Account id needed for api permissions --- main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ce59a34..c32cc1c 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,9 @@ terraform { } } -data "cloudflare_account_api_token_permission_groups" "this" {} +data "cloudflare_account_api_token_permission_groups" "this" { + account_id = var.account_id +} locals { resources = length(var.buckets) > 0 ? { for bucket in var.buckets : "com.cloudflare.edge.r2.bucket.${var.account_id}_${var.jurisdiction}_${bucket}" => "*" } : { "com.cloudflare.edge.r2.bucket.*" = "*" } From 5629c88ea6e168acb80cff54b1725bd8c363fe74 Mon Sep 17 00:00:00 2001 From: Cyb3r-Jak3 Date: Fri, 21 Mar 2025 23:05:49 -0400 Subject: [PATCH 4/6] Parse out permissions --- .github/testing/main.tf | 2 +- README.md | 2 +- main.tf | 17 +++++++++-------- 3 files changed, 11 insertions(+), 10 deletions(-) 
diff --git a/.github/testing/main.tf b/.github/testing/main.tf index 4ae3e92..f0056bc 100644 --- a/.github/testing/main.tf +++ b/.github/testing/main.tf @@ -72,4 +72,4 @@ module "r2-api-token_eu" { bucket_write = false expires_on = timeadd(timestamp(), "10m") jurisdiction = "eu" -} +} \ No newline at end of file diff --git a/README.md b/README.md index 4614a16..c000bfc 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ No modules. | Name | Type | |------|------| | [cloudflare_api_token.token](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token) | resource | -| [cloudflare_account_api_token_permission_groups.this](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/account_api_token_permission_groups) | data source | +| [cloudflare_api_token_permission_groups_list.this](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/api_token_permission_groups_list) | data source | ## Inputs diff --git a/main.tf b/main.tf index c32cc1c..7e2ef1b 100644 --- a/main.tf +++ b/main.tf 
@@ -8,24 +8,25 @@ terraform { } } -data "cloudflare_account_api_token_permission_groups" "this" { - account_id = var.account_id +data "cloudflare_api_token_permission_groups_list" "this" { } locals { resources = length(var.buckets) > 0 ? { for bucket in var.buckets : "com.cloudflare.edge.r2.bucket.${var.account_id}_${var.jurisdiction}_${bucket}" => "*" } : { "com.cloudflare.edge.r2.bucket.*" = "*" } token_bucket_names = length(var.buckets) > 0 ? join(",", var.buckets) : "All-Buckets" + r2_api_permissions = { for x in data.cloudflare_api_token_permission_groups_list.this.result : x.name => x.id if contains(["Workers R2 Storage Bucket Item Read", "Workers R2 Storage Bucket Item Write"], x.name) } + permission_id_list = compact([ + var.bucket_read ? local.r2_api_permissions["Workers R2 Storage Bucket Item Read"] : null, + var.bucket_write ? local.r2_api_permissions["Workers R2 Storage Bucket Item Write"] : null, + ]) } resource "cloudflare_api_token" "token" { name = var.token_name != "" ? var.token_name : "R2-${local.token_bucket_names}-${var.bucket_read ? "Read" : ""}-${var.bucket_write ? "Write" : ""}" policies = [{ - effect = "allow" - resources = local.resources - permission_groups = compact([ - var.bucket_read ? { id = data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Read"] }: null, - var.bucket_write ? { id = data.cloudflare_account_api_token_permission_groups.this.r2["Workers R2 Storage Bucket Item Write"] }: null, - ]) + effect = "allow" + resources = local.resources + permission_groups = [for x in local.permission_id_list : { id = x }] }] not_before = var.not_before != "" ? var.not_before : null expires_on = var.expires_on != "" ? var.expires_on : null From 467a2604b487d3317b8f09786887c79648c83f15 Mon Sep 17 00:00:00 2001 From: Cyb3r-Jak3 Date: Fri, 21 Mar 2025 23:11:44 -0400 Subject: [PATCH 5/6] Add a test for write token --- .github/testing/main.tf | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
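Review bot: `permission_groups` can end up as an empty list through the new `permission_id_list` local when both `bucket_read` and `bucket_write` are false, and the hunk adds no guard for that combination; whether the API then rejects the request or issues a token carrying no R2 permission at all is not visible here, so a `precondition` on the resource would make that failure explicit either way. The name lookups `local.r2_api_permissions["Workers R2 Storage Bucket Item Read"]` and the Write counterpart also fail with a bare "Invalid index" error if the permission-group list no longer contains a group with exactly that name; `lookup(local.r2_api_permissions, "Workers R2 Storage Bucket Item Read", null)` feeding the same precondition would give a readable message instead. The `for` map in `r2_api_permissions` would additionally error on duplicate keys if the list ever returned two groups with the same name, which I cannot rule out from the hunk. The `resource "cloudflare_api_token" "token"` block continues past the end of the hunk.

```hcl
resource "cloudflare_api_token" "token" {
  # … unchanged: name, policies, not_before, expires_on, condition …

  lifecycle {
    precondition {
      condition     = length(local.permission_id_list) > 0
      error_message = "At least one of bucket_read or bucket_write must be true; the token would have no permission groups otherwise."
    }
  }
```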
diff --git a/.github/testing/main.tf b/.github/testing/main.tf index f0056bc..84087c5 100644 --- a/.github/testing/main.tf +++ b/.github/testing/main.tf @@ -42,7 +42,7 @@ resource "cloudflare_r2_bucket" "test2" { name = random_string.bucket2_name.result } -module "r2-api-token" { +module "r2-api-token-read" { source = "../.." account_id = var.account_id buckets = [cloudflare_r2_bucket.test1.name, cloudflare_r2_bucket.test2.name] @@ -50,6 +50,14 @@ module "r2-api-token" { expires_on = timeadd(timestamp(), "10m") } +module "r2-api-token-write" { + source = "../.." + account_id = var.account_id + buckets = [cloudflare_r2_bucket.test2.name] + bucket_write = true + expires_on = timeadd(timestamp(), "10m") +} + module "r2-api-token_custom_name" { source = "../.." account_id = var.account_id From 78cd51aaf1943287b6a05b421e06cb01008943e9 Mon Sep 17 00:00:00 2001 From: Cyb3r-Jak3 Date: Fri, 21 Mar 2025 23:17:50 -0400 Subject: [PATCH 6/6] Add comment about version support --- .terraform-docs.yml | 7 +++++++ README.md | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/.terraform-docs.yml b/.terraform-docs.yml index 7105e3c..a7319f8 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -21,6 +21,13 @@ output: write = false } ``` + + ### Cloudflare provider version support + + 5.0 and above uses version 5.0 of the Cloudflare provider. + 4.1.1 and below uses version 4 of the Cloudflare provider. + + I will continue to support the 4.1.1 version to the best of my ability, but I will not be adding new features to it. I will only add new features to the 5.0 version of the provider. {{ .Content }} diff --git a/README.md b/README.md index c000bfc..1b0c5a6 100644 --- a/README.md +++ b/README.md 
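Review bot: The new `r2-api-token-write` module sets `bucket_write = true` but leaves `bucket_read` at its default, so what it exercises depends on a default not visible here: if `bucket_read` defaults to true, the module creates a read+write token and a write-only token is never tested. Pinning it explicitly, `bucket_read = false`, keeps the module name honest about the token it produces, and a further module with both `bucket_read = false` and `bucket_write = false` would cover the empty-permission path in the root module. The renamed `r2-api-token-read` module shows no `bucket_read`/`bucket_write` arguments in the visible lines either, so the same explicit pinning applies there if they are absent.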
@@ -12,6 +12,13 @@ module "r2-api-token" { write = false } ``` + +### Cloudflare provider version support + +5.0 and above uses version 5.0 of the Cloudflare provider. +4.1.1 and below uses version 4 of the Cloudflare provider. + +I will continue to support the 4.1.1 version to the best of my ability, but I will not be adding new features to it. I will only add new features to the 5.0 version of the provider. ## Requirements