Adding permissions via Terraform gives `Failed common permission check against resources` error

Hello everyone, I'm trying to create a token that has the needed DNS admin permission groups, because I need them for an application that changes DNS zones dynamically. What I did is follow what the documentation states (https://developers.cloudflare.com/fundamentals/api/reference/permissions) about finding permission groups: I checked the permission group IDs using the List Token Permission Groups API: https://developers.cloudflare.com/api/resources/user/subresources/tokens/subresources/permission_groups/methods/list/

By doing so, I found out that the required permission groups were:
- DNS Write (4755a26eedb94da69e1066d98aa820be)
- Zone Read (c8fed203ed3043cba015a93ad1616f1f)

This is my Terraform block:
```hcl
resource "cloudflare_account_token" "kubernetes_dev_cluster_token" {
  account_id = var.cloudflare_account_id
  name       = "kubernetes dev cluster - DNS zone token"
  policies = [{
    effect = "allow"
    permission_groups = [
      {
        id = "c8fed203ed3043cba015a93ad1616f1f" # Zone Read
      },
      {
        id = "4755a26eedb94da69e1066d98aa820be" # DNS Write
      }
    ]
    resources = {
      "com.cloudflare.api.account.zone.${data.cloudflare_zone.zuru_click.zone_id}" = "*"
    }
  }]
}
```
When adding the Zone Read permission, everything goes smoothly, but when I try to add the DNS Write one I get the following error:
```text
"https://api.cloudflare.com/client/v4/accounts/6d9e5b506456acb18f48610c6141dae9/tokens":
400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Failed common permission
check against resources. (Permission group: \"DNS Write\")"}],"messages":[],"result":null}
```
To temporarily fix this issue, I commented out the DNS Write permission group and added it via the UI (DNS Write = Zone -> DNS -> Edit in the dashboard), but I'm really hoping you folks can help me out with this issue, because it breaks many automations for my Kubernetes cluster. Thanks!
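The post resolves permission-group names to IDs by hand from the List Token Permission Groups response and then pastes the IDs into the token policy. The following is an added example (not code from the original post or from Cloudflare) of doing that resolution in a script and running a pre-flight check before calling `POST /accounts/{account_id}/tokens`: each permission group in that listing carries a `scopes` array, and the check verifies that every resource key in the policy (for example `com.cloudflare.api.account.zone.<zone_id>`) falls under a scope the group declares. The sample response below is constructed, modelled on that endpoint's `id`/`name`/`scopes` shape; the scope values and the third placeholder group are assumptions for illustration, and the zone ID is a placeholder. Whether a scope mismatch is the cause of the error reported above is not established by the thread; the check simply catches the one class of policy/resource disagreement that can be detected client-side.

```python
"""Pre-flight check for a Cloudflare API token policy (added example).

Resolves permission-group names to IDs from a List Token Permission Groups
style response and verifies that each resource key in the policy lies under
a scope the group supports, before the token is created.
"""
import json
from typing import Dict, List

# Constructed sample response. The two real IDs are the ones quoted in the
# post; the "scopes" values and the third (placeholder) group are assumptions
# made for this example, not data fetched from the API.
SAMPLE_PERMISSION_GROUPS = json.loads("""
{
  "success": true, "errors": [], "messages": [],
  "result": [
    {"id": "c8fed203ed3043cba015a93ad1616f1f", "name": "Zone Read",
     "scopes": ["com.cloudflare.api.account.zone"]},
    {"id": "4755a26eedb94da69e1066d98aa820be", "name": "DNS Write",
     "scopes": ["com.cloudflare.api.account.zone"]},
    {"id": "00000000000000000000000000000000", "name": "Placeholder Account Write",
     "scopes": ["com.cloudflare.api.account"]}
  ]
}
""")

# Placeholder zone ID standing in for data.cloudflare_zone.zuru_click.zone_id.
PLACEHOLDER_ZONE_ID = "0123456789abcdef0123456789abcdef"


def index_by_name(response: dict) -> Dict[str, dict]:
    """Turn the API envelope into {name: group}; fail loudly on an error envelope."""
    if not response.get("success"):
        raise RuntimeError(f"permission group listing failed: {response.get('errors')}")
    return {group["name"]: group for group in response["result"]}


def resource_scope(resource_key: str) -> str:
    """Drop the trailing identifier (or '*') from a resource key.

    'com.cloudflare.api.account.zone.<zone_id>' -> 'com.cloudflare.api.account.zone'
    'com.cloudflare.api.account.<account_id>'   -> 'com.cloudflare.api.account'
    """
    return resource_key.rsplit(".", 1)[0]


def check_policy(groups: Dict[str, dict], names: List[str],
                 resources: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the policy passes."""
    problems: List[str] = []
    for name in names:
        group = groups.get(name)
        if group is None:
            problems.append(f"unknown permission group name: {name!r}")
            continue
        for key in resources:
            scope = resource_scope(key)
            if scope not in group["scopes"]:
                problems.append(
                    f"{name} ({group['id']}) is not scoped to {key}: "
                    f"declared scopes {group['scopes']}")
    return problems


def build_policy(groups: Dict[str, dict], names: List[str],
                 resources: Dict[str, str], effect: str = "allow") -> dict:
    """Build one policy object for the token request, refusing a mismatched one."""
    problems = check_policy(groups, names, resources)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "effect": effect,
        "permission_groups": [{"id": groups[n]["id"]} for n in names],
        "resources": resources,
    }


def build_token_body(name: str, policy: dict) -> str:
    """Serialise the request body for POST /accounts/{account_id}/tokens."""
    return json.dumps({"name": name, "policies": [policy]}, indent=2)


if __name__ == "__main__":
    groups = index_by_name(SAMPLE_PERMISSION_GROUPS)
    zone_resources = {f"com.cloudflare.api.account.zone.{PLACEHOLDER_ZONE_ID}": "*"}
    policy = build_policy(groups, ["Zone Read", "DNS Write"], zone_resources)
    print(build_token_body("kubernetes dev cluster - DNS zone token", policy))
    # A group whose scopes do not cover the zone resource is reported, not submitted.
    print(check_policy(groups, ["Placeholder Account Write"], zone_resources))
```

Run against the live listing, `index_by_name` takes the parsed JSON of `GET /user/tokens/permission_groups`; the structure of the emitted body mirrors the `policies` block in the Terraform resource above, so the same name-to-ID mapping can be used to populate it.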
1 Reply
donglerio (OP), 4mo ago
up
