1 reply

Adding permissions via Terraform gives `Failed common permission check against resources` error

Hello everyone,
I'm trying to create a token that has the needs DNS admin permission groups because I need them for an application that needs to change the DNS Zones dynamically.

What I did is to follow what the documentation states (https://developers.cloudflare.com/fundamentals/api/reference/permissions) about finding permission group, i checked the permission group id using the

List Token Permission Group API

List Token Permission Group API

: https://developers.cloudflare.com/api/resources/user/subresources/tokens/subresources/permission_groups/methods/list/
By doing so, I found out that the required permission groups were:
- DNS Write (

4755a26eedb94da69e1066d98aa820be

4755a26eedb94da69e1066d98aa820be

)
- Zone Read (

c8fed203ed3043cba015a93ad1616f1f

c8fed203ed3043cba015a93ad1616f1f

)

This is my Terraform block:

resource "cloudflare_account_token" "kubernetes_dev_cluster_token" {
  account_id = var.cloudflare_account_id
  name       = "kubernetes dev cluster - DNS zone token"
  policies = [{
    effect = "allow"
    permission_groups = [
      {
        id = "c8fed203ed3043cba015a93ad1616f1f" # zone read 
      },
      {
        id = "4755a26eedb94da69e1066d98aa820be" # dns write
      }
    ]
    resources = {
      "com.cloudflare.api.account.zone.${data.cloudflare_zone.zuru_click.zone_id}" = "*"
    }
  }]
}

resource "cloudflare_account_token" "kubernetes_dev_cluster_token" {
  account_id = var.cloudflare_account_id
  name       = "kubernetes dev cluster - DNS zone token"
  policies = [{
    effect = "allow"
    permission_groups = [
      {
        id = "c8fed203ed3043cba015a93ad1616f1f" # zone read 
      },
      {
        id = "4755a26eedb94da69e1066d98aa820be" # dns write
      }
    ]
    resources = {
      "com.cloudflare.api.account.zone.${data.cloudflare_zone.zuru_click.zone_id}" = "*"
    }
  }]
}

When adding the

Zone Read

Zone Read

permission, everything goes smoothly, but when I try to add the

DNS Write

DNS Write

one I get the following error:

"https://api.cloudflare.com/client/v4/accounts/6d9e5b506456acb18f48610c6141dae9/tokens":
│ 400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Failed common permission
│ check against resources. (Permission group: \"DNS Write\")"}],"messages":[],"result":null}

"https://api.cloudflare.com/client/v4/accounts/6d9e5b506456acb18f48610c6141dae9/tokens":
│ 400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Failed common permission
│ check against resources. (Permission group: \"DNS Write\")"}],"messages":[],"result":null}

To temporarily fix this issue, I commented the

DNS Write

DNS Write

permission group and I added it via the UI (

DNS Write

DNS Write

Zone -> DNS -> Edit

Zone -> DNS -> Edit

in the dashboard), but I'm really hoping you folks can help me out with this issue, because it breaks many automations for my Kubernetes cluster.

Thanks!

Cloudflare Docs

API token permissions

Permissions are segmented into three categories based on resource:

Cloudflare API | User › Tokens › Permission Groups › List Tok...

Interact with Cloudflare's products and services via the Cloudflare API

Adding permissions via Terraform gives `Failed common permission check against resources` error

List Token Permission Group API

List Token Permission Group API

4755a26eedb94da69e1066d98aa820be

4755a26eedb94da69e1066d98aa820be

)
- Zone Read (

c8fed203ed3043cba015a93ad1616f1f

c8fed203ed3043cba015a93ad1616f1f

)

This is my Terraform block:

resource "cloudflare_account_token" "kubernetes_dev_cluster_token" {
  account_id = var.cloudflare_account_id
  name       = "kubernetes dev cluster - DNS zone token"
  policies = [{
    effect = "allow"
    permission_groups = [
      {
        id = "c8fed203ed3043cba015a93ad1616f1f" # zone read 
      },
      {
        id = "4755a26eedb94da69e1066d98aa820be" # dns write
      }
    ]
    resources = {
      "com.cloudflare.api.account.zone.${data.cloudflare_zone.zuru_click.zone_id}" = "*"
    }
  }]
}

resource "cloudflare_account_token" "kubernetes_dev_cluster_token" {
  account_id = var.cloudflare_account_id
  name       = "kubernetes dev cluster - DNS zone token"
  policies = [{
    effect = "allow"
    permission_groups = [
      {
        id = "c8fed203ed3043cba015a93ad1616f1f" # zone read 
      },
      {
        id = "4755a26eedb94da69e1066d98aa820be" # dns write
      }
    ]
    resources = {
      "com.cloudflare.api.account.zone.${data.cloudflare_zone.zuru_click.zone_id}" = "*"
    }
  }]
}

When adding the

Zone Read

Zone Read

permission, everything goes smoothly, but when I try to add the

DNS Write

DNS Write

one I get the following error:

"https://api.cloudflare.com/client/v4/accounts/6d9e5b506456acb18f48610c6141dae9/tokens":
│ 400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Failed common permission
│ check against resources. (Permission group: \"DNS Write\")"}],"messages":[],"result":null}

"https://api.cloudflare.com/client/v4/accounts/6d9e5b506456acb18f48610c6141dae9/tokens":
│ 400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Failed common permission
│ check against resources. (Permission group: \"DNS Write\")"}],"messages":[],"result":null}

To temporarily fix this issue, I commented the

DNS Write

DNS Write

permission group and I added it via the UI (

DNS Write

DNS Write

Zone -> DNS -> Edit

Zone -> DNS -> Edit

in the dashboard), but I'm really hoping you folks can help me out with this issue, because it breaks many automations for my Kubernetes cluster.

Thanks!

Cloudflare Docs

API token permissions

Permissions are segmented into three categories based on resource:

Cloudflare API | User › Tokens › Permission Groups › List Tok...

Interact with Cloudflare's products and services via the Cloudflare API

Adding permissions via Terraform gives `Failed common permission check against resources` error

Adding permissions via Terraform gives `Failed common permission check against resources` error

Similar Threads

Similar Threads

Similar Threads