Provides a resource which manages Cloudflare API tokens.
Read more about permission groups and their applicable scopes in the developer documentation.
# User permissions
# Look up every permission group the provider exposes; the token policies
# below select entries from its user / account / zone maps by display name.
data "cloudflare_api_token_permission_groups" "all" {
}
# Token that may mint further API tokens for this user.
# It is usable only from the listed source IP range, and only inside the
# not_before / expires_on window.
resource "cloudflare_api_token" "api_token_create" {
  name = "api_token_create"

  # Validity window. The sample dates below have already passed, so a token
  # created with them is never accepted for processing (see expires_on in the
  # schema); replace them with a window that matches your rotation schedule.
  not_before = "2018-07-01T05:20:00Z"
  expires_on = "2020-01-01T00:00:00Z"

  policy {
    permission_groups = [data.cloudflare_api_token_permission_groups.all.user["API Tokens Write"]]
    resources         = { "com.cloudflare.api.user.${var.user_id}" = "*" }
  }

  # Source-IP restriction: `in` allow-lists callers, `not_in` blocks them.
  # Both addresses here are RFC 5737 documentation ranges (placeholders).
  condition {
    request_ip {
      in     = ["192.0.2.1/32"]
      not_in = ["198.51.100.1/32"]
    }
  }
  # The generated secret is returned through the `value` attribute, which the
  # schema marks Sensitive; handle plan output and state accordingly.
}
# Account permissions
# Same lookup as in the user-permissions section. A configuration that
# combines these examples into one module declares this data source once;
# a second declaration with the same address is rejected by Terraform.
data "cloudflare_api_token_permission_groups" "all" {
}
# Read-only audit-log access across all accounts.
resource "cloudflare_api_token" "logs_account_all" {
  name = "logs_account_all"

  policy {
    permission_groups = [data.cloudflare_api_token_permission_groups.all.account["Access: Audit Logs Read"]]
    # Wildcard account scope; the next example shows the narrower
    # single-account form, which is preferable when only one account is needed.
    resources = { "com.cloudflare.api.account.*" = "*" }
  }
}
# Read-only audit-log access limited to one account (var.account_id).
resource "cloudflare_api_token" "logs_account" {
  name = "logs_account"

  policy {
    permission_groups = [data.cloudflare_api_token_permission_groups.all.account["Access: Audit Logs Read"]]
    resources         = { "com.cloudflare.api.account.${var.account_id}" = "*" }
  }
}
# Zone permissions
# Same lookup as in the user- and account-permissions sections; declare it
# only once when these examples live in the same module.
data "cloudflare_api_token_permission_groups" "all" {
}
# Write access to DNS records and TLS certificates, limited to one zone
# (var.zone_id). Two permission groups, one resource scope.
resource "cloudflare_api_token" "dns_tls_edit" {
  name = "dns_tls_edit"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.zone["DNS Write"],
      data.cloudflare_api_token_permission_groups.all.zone["SSL and Certificates Write"],
    ]
    resources = { "com.cloudflare.api.account.zone.${var.zone_id}" = "*" }
  }
}
# DNS write access to every zone except one. Despite the `tls` in the
# resource name, both policies grant only the "DNS Write" group.
resource "cloudflare_api_token" "dns_tls_edit_all_except_one" {
  name = "dns_tls_edit_all_except_one"

  # Allow policy: wildcard zone scope (effect defaults to allow).
  policy {
    permission_groups = [data.cloudflare_api_token_permission_groups.all.zone["DNS Write"]]
    resources         = { "com.cloudflare.api.account.zone.*" = "*" }
  }

  # Deny policy: carves var.zone_id out of the wildcard above. It names the
  # same permission group so the exclusion covers the same operation.
  policy {
    effect            = "deny"
    permission_groups = [data.cloudflare_api_token_permission_groups.all.zone["DNS Write"]]
    resources         = { "com.cloudflare.api.account.zone.${var.zone_id}" = "*" }
  }
}
# DNS write access to every zone that belongs to one account (var.account_id).
resource "cloudflare_api_token" "dns_edit_all_account" {
  name = "dns_edit_all_account"

  policy {
    permission_groups = [data.cloudflare_api_token_permission_groups.all.zone["DNS Write"]]
    # Outer key pins the account; the JSON-encoded value narrows the grant to
    # the zones inside that account rather than every zone the user can see.
    resources = {
      "com.cloudflare.api.account.${var.account_id}" = jsonencode({ "com.cloudflare.api.account.zone.*" = "*" })
    }
  }
}
name
(String) Name of the API Token.
policy
(Block Set, Min: 1) Permissions policy. Multiple policy blocks can be defined. (see below for nested schema)
condition
(Block List, Max: 1) Conditions under which the token should be considered valid. (see below for nested schema)
expires_on
(String) The expiration time on or after which the token MUST NOT be accepted for processing.
not_before
(String) The time before which the token MUST NOT be accepted for processing.
id
(String) The ID of this resource.
issued_on
(String) Timestamp of when the token was issued.
modified_on
(String) Timestamp of when the token was last modified.
status
(String)
value
(String, Sensitive) The value of the API Token.
policy
Required:
permission_groups
(Set of String) List of permission group IDs. See documentation for more information.
resources
(Map of String) Describes what operations against which resources are allowed or denied.
Optional:
effect
(String) Effect of the policy. Available values: `allow`, `deny`. Defaults to `allow`.
condition
Optional:
request_ip
(Block List, Max: 1) Request IP related conditions. (see below for nested schema)
condition.request_ip
Optional:
in
(Set of String) List of IP addresses or CIDR ranges from which the token may be used. If not specified, the token will be valid for all IP addresses.
not_in
(Set of String) List of IP addresses or CIDR ranges from which the token should not be used.