Creates Cloudflare Account token with all permissions included
# To use this configuration, you need to set these environment variables:
# export CLOUDFLARE_API_TOKEN="your_api_token"
# OR
# export CLOUDFLARE_EMAIL="your_email"
# export CLOUDFLARE_API_KEY="your_global_api_key"
# Shared values for this configuration.
# account_id is the Cloudflare account the token is created in; "xxx" looks like
# a placeholder that has to be replaced with the real account ID before planning.
locals {
  account_id = "xxx"
}
# Reads the account identified by local.account_id.
# NOTE(review): nothing in the visible configuration references this data
# source; confirm it is still needed.
data "cloudflare_account" "account" {
  account_id = local.account_id
}
# Fetches the list of API token permission groups. The token resource below
# filters this list on each group's `scopes` and uses each group's `id`.
data "cloudflare_api_token_permission_groups_list" "all_permissions" {
}
# Prints the unfiltered permission-group list returned by the data source, which
# is useful for checking which groups the token policies will pick up.
output "all_permissions" {
  value = data.cloudflare_api_token_permission_groups_list.all_permissions.result
}
# Account-owned API token that is allowed every permission group the
# permission-group data source returns for the account and zone scopes.
#
# NOTE(review): the two policies below together allow every matching group on
# the whole account, so the token value carries that full breadth. Where a
# consumer only needs a few groups, filter the list down to those instead.
# NOTE(review): no `expires_on` and no `condition` (request IP restriction) is
# set in this block, so as written the token has no expiry date and no
# source-address limit. Consider setting both for a token this broad.
resource "cloudflare_account_token" "full_access_token" {
  name       = "Full Access API Token"
  account_id = local.account_id

  policies = [
    # Policy 1: groups scoped to the account itself. Groups that also carry the
    # zone scope are excluded here because the second policy handles them.
    {
      effect = "allow"
      resources = {
        "com.cloudflare.api.account.${local.account_id}" = "*"
      }
      permission_groups = [
        for pg in data.cloudflare_api_token_permission_groups_list.all_permissions.result :
        { id = pg.id }
        if !contains(pg.scopes, "com.cloudflare.api.account.zone") && contains(pg.scopes, "com.cloudflare.api.account")
      ]
    },

    # Policy 2: groups scoped to zones. The resource key is still the account,
    # with "*" as its value, rather than an individual zone.
    {
      effect = "allow"
      resources = {
        "com.cloudflare.api.account.${local.account_id}" = "*"
      }
      permission_groups = [
        for pg in data.cloudflare_api_token_permission_groups_list.all_permissions.result :
        { id = pg.id }
        if contains(pg.scopes, "com.cloudflare.api.account.zone")
      ]
    },
  ]
}
# Exposes the secret value of the generated token as an output.
# NOTE(review): `sensitive = true` only redacts the value in plan/apply output.
# The value is still written in clear text to the Terraform state (and to saved
# plan files), so the state backend needs encryption at rest and tight access
# control, and the state must not be committed to version control.
output "api_token_value" {
  sensitive   = true
  description = "The generated API token value"
  value       = cloudflare_account_token.full_access_token.value
}
# Token metadata: the identifier of the created token. This is not the secret
# value, which is exposed separately as api_token_value.
output "api_token_id" {
  value       = cloudflare_account_token.full_access_token.id
  description = "The ID of the created API token"
}
# Token metadata: the display name given to the token resource.
output "api_token_name" {
  value       = cloudflare_account_token.full_access_token.name
  description = "The name of the created API token"
}