82 lines
3.2 KiB
HCL
82 lines
3.2 KiB
HCL
# Récupère toutes les permissions Cloudflare disponibles
|
|
data "cloudflare_account_api_token_permission_groups_list" "all" {
|
|
account_id = var.account_id
|
|
}
|
|
|
|
# Sélectionne uniquement les permissions demandées
|
|
locals {
|
|
# Simplifie le scope Cloudflare (ex: "account" depuis "com.cloudflare.api.account")
|
|
permission_map = {
|
|
for p in data.cloudflare_account_api_token_permission_groups_list.all.result :
|
|
"${split(".", p.scopes[0])[length(split(".", p.scopes[0])) - 1]}:${p.name}" => p.id
|
|
}
|
|
permission_map_from_id = zipmap(values(local.permission_map), keys(local.permission_map))
|
|
|
|
# Résout les permissions (si présentes) pour chaque catégorie
|
|
selected_account_permissions = var.permissions.account != null ? compact([
|
|
for name in var.permissions.account : lookup(local.permission_map, name, null)
|
|
]) : []
|
|
|
|
selected_bucket_permissions = var.bucket != null && try(var.permissions.bucket, null) != null ? compact([
|
|
for name in var.permissions.bucket : lookup(local.permission_map, name, null)
|
|
]) : []
|
|
|
|
# Validation des permissions introuvables
|
|
missing_permissions = concat(
|
|
[for name in coalesce(var.permissions.account, []) : name if lookup(local.permission_map, name, null) == null],
|
|
[for name in coalesce(var.permissions.bucket, []) : name if lookup(local.permission_map, name, null) == null]
|
|
)
|
|
|
|
# Ressources cibles
|
|
account_resource = {
|
|
"com.cloudflare.api.account.${var.account_id}" = "*"
|
|
}
|
|
|
|
bucket_resource = var.bucket != null ? {
|
|
"com.cloudflare.edge.r2.bucket.${var.account_id}_${var.bucket.jurisdiction}_${var.bucket.name}" = "*"
|
|
} : {}
|
|
|
|
# Policies construites dynamiquement
|
|
policies = [for policy in [
|
|
length(local.selected_account_permissions) > 0 ? {
|
|
effect = "allow"
|
|
permission_groups = [for id in local.selected_account_permissions : { id = id }]
|
|
resources = local.account_resource
|
|
} : null,
|
|
|
|
length(local.selected_bucket_permissions) > 0 ? {
|
|
effect = "allow"
|
|
permission_groups = [for id in local.selected_bucket_permissions : { id = id }]
|
|
resources = local.bucket_resource
|
|
} : null
|
|
] : policy if policy != null]
|
|
|
|
error_message = length(local.missing_permissions) > 0 ? format("Permissions introuvables : %s", join(", ", local.missing_permissions)) : ""
|
|
}
|
|
|
|
# Création du token
|
|
resource "cloudflare_account_token" "token" {
|
|
account_id = var.account_id
|
|
name = var.token_name
|
|
|
|
policies = local.policies
|
|
|
|
expires_on = null
|
|
|
|
lifecycle {
|
|
ignore_changes = [expires_on, policies] # ignore permission id change as unstable
|
|
replace_triggered_by = [null_resource.cloudflare_account_token_replace] # replace permission name change d
|
|
precondition {
|
|
condition = length(local.missing_permissions) == 0
|
|
error_message = local.error_message
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
|
|
triggers = {
|
|
"account_permissions" = sha256(join("", sort([for p_id in local.selected_account_permissions : lookup(local.permission_map_from_id, p_id)])))
|
|
"bucket_permissions" = sha256(join("", sort([for p_id in local.selected_bucket_permissions : lookup(local.permission_map_from_id, p_id)])))
|
|
}
|
|
}
|