Insufficient permissions error with Zone-specific API tokens

[tornyairoland]

Hi!

While trying to limit the access of our Cloudflare API Tokens, I have come across an error.
I have created a new Token, added permissions to "Edit" the "Zone Settings" and "Included" only that "Specific Zone".

Then I tried to add a new ZoneSettingsOverride, like this:

const zoneFromCloudflare = await cloudflare.getZones({
  filter: {
    name: '<zone name>'
  }
})
new cloudflare.ZoneSettingsOverride('settings', {
  zoneId: zoneFromCloudflare.id,
  settings: {
    ssl: 'flexible',
    minTlsVersion: '1.2'
  }
})

When running pulumi up I get the following error:

Error: invocation of cloudflare:index/getZones:getZones returned an error: invoking cloudflare:index/getZones:getZones: error listing Zone: error from makeRequest: HTTP status 403: insufficient permissions
        at monitor.invoke (/home/rtornyai/repos/prmrgt-infra/pulumi/node_modules/@pulumi/pulumi/runtime/invoke.js:172:33)
        at Object.onReceiveStatus (/home/rtornyai/repos/prmrgt-infra/pulumi/node_modules/grpc/src/client_interceptors.js:1210:9)
        at InterceptingListener._callNext (/home/rtornyai/repos/prmrgt-infra/pulumi/node_modules/grpc/src/client_interceptors.js:568:42)
        at InterceptingListener.onReceiveStatus (/home/rtornyai/repos/prmrgt-infra/pulumi/node_modules/grpc/src/client_interceptors.js:618:8)
        at callback (/home/rtornyai/repos/prmrgt-infra/pulumi/node_modules/grpc/src/client_interceptors.js:847:24)

I tried using the actual Zone ID from Cloudflare, instead of getting it with cloudflare.getZones(), and I get the same error.

Using the same token and calling the Cloudflare API with curl works:

$ curl -X GET "https://api.cloudflare.com/client/v4/zones?name=<zone name>" -H "Authorization: Bearer <api token>" -H "Content-Type:application/json"

{"result":[{"id":"be2[...]","name":"<zone name>","status":"active",[...]}

Additional info:

• using the same curl command, but without the ?name=<zone name> part returns an error from the Cloudflare API:

{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.81a[...]' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}

Something similar is mentioned in the Cloudflare forums: here

• using an API Token that has 'Include' - 'All zones from an account' doesn't return an error.

Package versions:
@pulumi/pulumi@1.14.0
@pulumi/cloudflare@1.9.0

[leezen]

It looks like the upstream provider used here simply attempts to list all the zones and only filters afterward (instead of passing names to the underlying API client): https://github.com/terraform-providers/terraform-provider-cloudflare/blob/master/cloudflare/data_source_zones.go#L68

I don't see an upstream issue open, so if you don't mind opening one there, that'd be awesome. Separately, I'll keep this open to track fixing the issue either from an upstream merge or submitting a patch upstream.

[tornyairoland]

@leezen I created an issue on the terraform-provider-cloudflare project here, but please take a look to see if I missed any critical information as I have not used terraform.

[Aaronontheweb]

Ran into this issue too - can only use the global API key for CloudFlare. Would much rather prefer to use a scoped key.

[ncsibra]

@leezen
It was fixed in the upstream provider and already released: https://github.com/cloudflare/terraform-provider-cloudflare/blob/master/CHANGELOG.md#290-july-30th-2020
Could you upgrade to the latest terraform provider?