upgrade prod cf provider

terraform/aws/accounts/prod/data.tf

@@ -1 +1,12 @@
-data "cloudflare_api_token_permission_groups" "all" {}
+data "cloudflare_accounts" "lingrino" {
+  name = "lingrino"
+}
+
+data "cloudflare_api_token_permissions_groups_list" "all" {
+  account_id = data.cloudflare_accounts.lingrino.result[0].id
+}
+
+locals {
+  account_permission_group_ids = [for k, v in data.cloudflare_api_token_permissions_groups_list.all.result : { id = v.id } if v.scopes[0] == "com.cloudflare.api.account" && v.name != "Account API Tokens Write"]
+  zone_permission_group_ids    = [for k, v in data.cloudflare_api_token_permissions_groups_list.all.result : { id = v.id } if v.scopes[0] == "com.cloudflare.api.account.zone"]
+}

terraform/aws/accounts/prod/meta.tf

@@ -20,6 +20,11 @@ provider "b2" {
 }
 
 provider "cloudflare" {
+  api_token = jsondecode(ephemeral.aws_secretsmanager_secret_version.cloudflare_keys_terraform_cloud.secret_string)["CLOUDFLARE_API_TOKEN"]
+}
+
+provider "cloudflare" {
+  alias     = "create-tokens"
   api_token = jsondecode(ephemeral.aws_secretsmanager_secret_version.cloudflare_keys_create_tokens.secret_string)["CLOUDFLARE_API_TOKEN"]
 }
 

terraform/aws/accounts/prod/secrets_cloudflare.tf

@@ -24,29 +24,42 @@ resource "aws_secretsmanager_secret" "cloudflare_keys_terraform_cloud" {
   }
 }
 
+ephemeral "aws_secretsmanager_secret_version" "cloudflare_keys_terraform_cloud" {
+  secret_id = aws_secretsmanager_secret.cloudflare_keys_terraform_cloud.id
+}
+
 resource "aws_secretsmanager_secret_version" "cloudflare_keys_terraform_cloud" {
   secret_id = aws_secretsmanager_secret.cloudflare_keys_terraform_cloud.id
   secret_string = jsonencode({
     CLOUDFLARE_API_TOKEN = cloudflare_api_token.terraform_cloud.value,
   })
+
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
 }
 
 resource "cloudflare_api_token" "terraform_cloud" {
-  name = "terraform-cloud"
+  provider = cloudflare.create-tokens
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.*" = "*"
-    }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.account)
-  }
+  name = "terraform-cloud"
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.zone.*" = "*"
+  policies = [
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.*" = "*"
+      }
+      permission_groups = local.account_permission_group_ids
+    },
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.zone.*" = "*"
+      }
+      permission_groups = local.zone_permission_group_ids
     }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.zone)
-  }
+  ]
 }
 
 #################################
@@ -65,22 +78,31 @@ resource "aws_secretsmanager_secret_version" "cloudflare_keys_local" {
   secret_string = jsonencode({
     CLOUDFLARE_API_TOKEN = cloudflare_api_token.local.value,
   })
+
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
 }
 
 resource "cloudflare_api_token" "local" {
-  name = "local"
+  provider = cloudflare.create-tokens
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.*" = "*"
-    }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.account)
-  }
+  name = "local"
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.zone.*" = "*"
+  policies = [
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.*" = "*"
+      }
+      permission_groups = local.account_permission_group_ids
+    },
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.zone.*" = "*"
+      }
+      permission_groups = local.zone_permission_group_ids
     }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.zone)
-  }
+  ]
 }