Revert access applications to use zone-id instead of account-id #812

Closed
piizei opened this issue Oct 1, 2020 · 3 comments · Fixed by #819
Comments

@piizei

piizei commented Oct 1, 2020

Hi,

Please revert changes introduced in #724 so that access resources prefer zone_id instead of account_id.

The zones path deprecation has been cancelled due to the fact that you cannot create granular enough access tokens in large enterprises without the zones. Currently we are unable to work with provider versions 2.10 onward.

Br,
Petteri

@jacobbednarz
Member

@piizei Are you able to please elaborate on the issue you're facing here? A production test case would be great to fully demonstrate the issue.

@Justin-Holmes do you know anything about the deprecation being reverted?

@Justin-Holmes
Contributor

Hello,

@piizei is correct that we reverted our decision to deprecate zone-level routes. In terms of next steps, I was thinking we'd support both zone_id and account_id for Access resources and direct the request to the proper route. This will require us to add support for the zone-level endpoints in cloudflare-go before we can make this change. Assuming this approach sounds good to you @jacobbednarz, I can get started on this tomorrow!

@piizei
Author

piizei commented Oct 2, 2020

Hi,
@jacobbednarz the problem is that after the 2.10.1 release this does not work anymore:

```hcl
provider "cloudflare" {
  api_token = var.api_token
}

resource "cloudflare_access_application" "app" {
  zone_id                   = var.dns_zone_id
  name                      = var.target_dns
  domain                    = var.target_dns
  session_duration          = "30m"
  auto_redirect_to_identity = true
  allowed_idps              = var.allowed_idps
}
```

The reason is that our api_tokens don't have account-level access. The change introduced in 2.10.1 tries to use level access even if just zone_id is provided. This results in a 403 for us when Terraform runs.
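
The routing discussed in this thread (pick the zone-level or account-level Access route from whichever ID the resource sets), shown with the 403 a zone-scoped token gets on the account route. This is an added example, not code from the provider or cloudflare-go; `accessAppsRoute`, `zoneTokenStatus`, the sample IDs, and the choice to reject "both" or "neither" are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// errScope: rejecting "both" or "neither" is an assumption of this example.
var errScope = errors.New("set exactly one of zone_id or account_id")

// accessAppsRoute (hypothetical helper) returns the Access applications
// route for whichever identifier the resource was configured with.
func accessAppsRoute(zoneID, accountID string) (string, error) {
	switch {
	case zoneID != "" && accountID == "":
		return "/zones/" + url.PathEscape(zoneID) + "/access/apps", nil
	case accountID != "" && zoneID == "":
		return "/accounts/" + url.PathEscape(accountID) + "/access/apps", nil
	}
	return "", errScope
}

// zoneTokenStatus is a constructed stand-in for the API's authorization
// decision for a token scoped to the listed zones only: 200 for routes
// under one of those zones, 403 for everything else.
func zoneTokenStatus(tokenZones []string, path string) int {
	for _, z := range tokenZones {
		if strings.HasPrefix(path, "/zones/"+z+"/") {
			return 200
		}
	}
	return 403
}

func main() {
	tokenZones := []string{"zone-example-1"} // constructed sample ID
	// Account-level route with a zone-scoped token: the 403 reported above.
	acct, _ := accessAppsRoute("", "account-example-1")
	fmt.Println(acct, zoneTokenStatus(tokenZones, acct))
	// Route chosen from zone_id alone stays inside the token's scope.
	zone, _ := accessAppsRoute("zone-example-1", "")
	fmt.Println(zone, zoneTokenStatus(tokenZones, zone))
}
```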
