cloudflare management for cms
79
iac/modules/cloudflare_token/main.tf
Normal file
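--- /dev/null
+++ b/iac/modules/cloudflare_token/main.tf
@@ -0,0 +1,79 @@
+# Récupère toutes les permissions Cloudflare disponibles
+data "cloudflare_account_api_token_permission_groups_list" "all" {
+account_id = var.account_id
+}
+
+# Sélectionne uniquement les permissions demandées
+locals {
+# Simplifie le scope Cloudflare (ex: "account" depuis "com.cloudflare.api.account")
+permission_map = {
+for p in data.cloudflare_account_api_token_permission_groups_list.all.result :
+"${split(".", p.scopes[0])[length(split(".", p.scopes[0])) - 1]}:${p.name}" => p.id
+}
+
+# Résout les permissions (si présentes) pour chaque catégorie
+selected_account_permissions = var.permissions.account != null ? compact([
+for name in var.permissions.account : lookup(local.permission_map, name, null)
+]) : []
+
+selected_bucket_permissions = var.bucket != null && try(var.permissions.bucket, null) != null ? compact([
+for name in var.permissions.bucket : lookup(local.permission_map, name, null)
+]) : []
+
+# Validation des permissions introuvables
+missing_permissions = concat(
+[for name in coalesce(var.permissions.account, []) : name if lookup(local.permission_map, name, null) == null],
+[for name in coalesce(var.permissions.bucket, []) : name if lookup(local.permission_map, name, null) == null]
+)
+
+# Ressources cibles
+account_resource = {
+"com.cloudflare.api.account.${var.account_id}" = "*"
+}
+
+bucket_resource = var.bucket != null ? {
+"com.cloudflare.edge.r2.bucket.${var.account_id}_${var.bucket.jurisdiction}_${var.bucket.name}" = "*"
+} : {}
+
+# Policies construites dynamiquement
+policies = [for policy in [
+length(local.selected_account_permissions) > 0 ? {
+effect = "allow"
+permission_groups = [for id in local.selected_account_permissions : { id = id }]
+resources = local.account_resource
+} : null,
+
+length(local.selected_bucket_permissions) > 0 ? {
+effect = "allow"
+permission_groups = [for id in local.selected_bucket_permissions : { id = id }]
+resources = local.bucket_resource
+} : null
+] : policy if policy != null]
+
+error_message = length(local.missing_permissions) > 0 ? format("Permissions introuvables : %s", join(", ", local.missing_permissions)) : ""
+}
+
+# Création du token
+resource "cloudflare_account_token" "token" {
+account_id = var.account_id
+name = var.token_name
+
+policies = local.policies
+
+expires_on = null
+
+lifecycle {
+ignore_changes = [expires_on]
+replace_triggered_by = [null_resource.cloudflare_account_token_replace]
+precondition {
+condition = length(local.missing_permissions) == 0
+error_message = local.error_message
+}
+}
+}
+
+resource "null_resource" "cloudflare_account_token_replace" {
+triggers = {
+"policies" = sha256(join("", local.selected_account_permissions, local.selected_bucket_permissions))
+}
+}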
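Review bot: The token is created with `expires_on = null` and `ignore_changes = [expires_on]`, so it is a non-expiring credential that is only ever rotated when its permission set changes via the `null_resource` trigger. Consider exposing the expiry as a module input, e.g. `expires_on = var.expires_on` with a documented default, or driving `replace_triggered_by` from a scheduled rotation resource so the secret is rotated on a cadence rather than only on scope changes. Separately, `selected_bucket_permissions` is forced to `[]` when `var.bucket` is null while `missing_permissions` still accepts those names, so bucket permissions requested without a bucket are silently dropped instead of failing; a second precondition such as `condition = var.bucket != null || length(coalesce(var.permissions.bucket, [])) == 0` would surface that. The replacement trigger also hashes only the permission ids, not the target resources, so a change of `var.bucket` rescopes the existing token in place rather than issuing a new one — if that is intended, a comment saying so would help the next maintainer.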