terraform-provider-cloudflare
Expose `cloudflare_access_service_token` as a data source
Current Terraform and Cloudflare provider version
Terraform v1.4.2 on darwin_arm64
- provider registry.terraform.io/cloudflare/cloudflare v4.1.0
Description
Consider this access policy for an Access app:
resource "cloudflare_access_policy" "telegraf" {
  zone_id        = "..."
  application_id = "..."
  precedence     = 1
  name           = "Service Token"
  decision       = "non_identity"
  include {
    service_token = ["some-token-id"]
  }
}
In order to make this work, I need a service token ID. There's currently no way to get this ID directly in Terraform (or via the UI for that matter, I had to snoop on a Network request to figure this out). It would be nice if there was a cloudflare_access_service_token data source so I can "search" for a service token by name (just like I can "search" for a cloudflare_access_identity_provider, for example).
Alternatively, if I could supply the service token name in here directly, that would make things easier as well! (Doing so currently yields access.api.error.invalid_request (12130).)
Use cases
I'm trying to Terraform an Access app that authenticates via a Service token only.
Potential Terraform configuration
// This `data` block is what I'm proposing
data "cloudflare_access_service_token" "service_token" {
  name    = "my-token-name"
  zone_id = "..."
}

resource "cloudflare_access_policy" "telegraf" {
  zone_id        = "..."
  application_id = "..."
  precedence     = 1
  name           = "Service Token"
  decision       = "non_identity"
  include {
    // I should be able to use the `data` block's result here
    service_token = [data.cloudflare_access_service_token.service_token.id]
  }
}
References
No response
Community Note
Voting for Prioritization
- Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
- If you are interested in working on this issue, please leave a comment.
- If this would be your first contribution, please review the contribution guide.
Hi @sdnts! I found this by looking for another issue. It's been a while. Hope you figured it out.
For others, if I understood correctly, you can already solve this. At least with this version:
terraform {
  required_providers {
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 4.18.0" }
  }
}
What you need to do is:
resource "cloudflare_access_service_token" "service-token" {
  account_id = var.account_id
  name       = var.domain_name
  duration   = "forever"
}

resource "cloudflare_access_policy" "policy-service-token" {
  application_id   = cloudflare_access_application.application.id
  zone_id          = var.zone_id
  session_duration = var.session_duration
  name             = "AllowServiceTokenPolicy"
  precedence       = "1"
  decision         = "non_identity"
  include {
    # [count.index] is only valid when both resources are declared with `count`;
    # without `count`, reference cloudflare_access_service_token.service-token.id
    service_token = [cloudflare_access_service_token.service-token[count.index].id]
  }
}
The magic is service_token = [cloudflare_access_service_token.service-token[count.index].id]. Which is basically pointing to the resource created above. cloudflare_access_service_token returns a list, so you need to access it by an index.
If [count.index].id does not work, try [0].id
This issue has been closed as we are now tracking this internally with service teams directly. If you would like an update or to be notified when/if the product ships with this change, please reach out to Cloudflare Support or your account team who can watch the internal feature request for you.
@ainformatico, if you are creating the service token as a resource, collecting the ID from that resource is trivial.
However, the trade-off is that you now have the service token client secret permanently stored and retrievable in your Terraform state.
I ran into this limitation wanting to look up service tokens by name while setting up include rules for non_identity policies for access apps.
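Added example (not code from this issue or from the provider): a small Python audit that scans a raw Terraform state document for the stored `client_secret` that the reply above points out, so the trade-off can be checked in a pipeline instead of assumed. It assumes the state version 4 JSON layout and the resource's `client_secret` attribute name; the sample state below is constructed with placeholder values.

```python
import json

# Resource type from this page whose state attributes hold the long-lived secret.
TOKEN_TYPES = {"cloudflare_access_service_token"}
SECRET_ATTRS = ("client_secret",)

def find_token_secrets(state: dict, token_types=TOKEN_TYPES) -> list[dict]:
    """Walk a raw Terraform state (version 4 layout) and report each service-token
    secret stored in it, plus whether Terraform marked it sensitive (that only
    redacts CLI output; the value is still in the state document)."""
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") not in token_types:
            continue
        base = f"{res['type']}.{res['name']}"
        if res.get("module"):
            base = f"{res['module']}.{base}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            key = inst.get("index_key")  # present when the resource uses count/for_each
            address = base if key is None else f"{base}[{json.dumps(key)}]"
            for attr in SECRET_ATTRS:
                if not attrs.get(attr):
                    continue  # absent or empty: nothing stored for this attribute
                marked = any(isinstance(p, list) and p and isinstance(p[0], dict)
                             and p[0].get("value") == attr
                             for p in inst.get("sensitive_attributes", []))
                findings.append({"address": address, "attribute": attr,
                                 "marked_sensitive": marked})
    return findings

def audit_state_file(path: str) -> list[dict]:
    """Load terraform.tfstate (or `terraform state pull` output) from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return find_token_secrets(json.load(fh))

# Constructed sample state for demonstration only; every value is a placeholder.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "cloudflare_access_service_token", "name": "service-token",
         "instances": [{"index_key": 0,
                        "attributes": {"name": "telegraf", "client_id": "PLACEHOLDER_ID.access",
                                       "client_secret": "PLACEHOLDER_SECRET_VALUE"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "client_secret"}]]}]},
        {"mode": "managed", "type": "cloudflare_access_policy", "name": "policy-service-token",
         "instances": [{"attributes": {"decision": "non_identity", "service_token": ["PLACEHOLDER_ID"]}}]},
    ],
}
```

Running `find_token_secrets(SAMPLE_STATE)` reports the one token instance at `cloudflare_access_service_token.service-token[0]`, marked sensitive but still present in state; a non-empty result is the signal that the state backend needs the same protection as the secret itself.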