From ca8d617e72974cec7bd0a839741ae5dde65cdcfa Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 20 Jun 2026 09:41:41 +0000 Subject: [PATCH] rybbit: use 'Account Rule Lists' permission group for the CF sync token (v4) tg plan verified the agent's guess 'Account Filter Lists Edit/Read' is not a key in the v4.52.7 permission-group map; the live CF API lists the correct account-scoped groups as 'Account Rule Lists Read'/'Write'. Co-Authored-By: Claude Opus 4.8 --- stacks/rybbit/crowdsec_edge.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stacks/rybbit/crowdsec_edge.tf b/stacks/rybbit/crowdsec_edge.tf index 598cde28..0c1ff5dc 100644 --- a/stacks/rybbit/crowdsec_edge.tf +++ b/stacks/rybbit/crowdsec_edge.tf @@ -154,8 +154,8 @@ resource "cloudflare_api_token" "list_sync" { policy { effect = "allow" permission_groups = [ - data.cloudflare_api_token_permission_groups.all.account["Account Filter Lists Edit"], - data.cloudflare_api_token_permission_groups.all.account["Account Filter Lists Read"], + data.cloudflare_api_token_permission_groups.all.account["Account Rule Lists Write"], + data.cloudflare_api_token_permission_groups.all.account["Account Rule Lists Read"], ] resources = { "com.cloudflare.api.account.${local.cf_account_id}" = "*"