rybbit: use 'Account Rule Lists' permission group for the CF sync token (v4)
tg plan verified the agent's guess 'Account Filter Lists Edit/Read' is not a key in the v4.52.7 permission-group map; the live CF API lists the correct account-scoped groups as 'Account Rule Lists Read'/'Write'. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent
cc4bfb593b
commit
ca8d617e72
1 changed files with 2 additions and 2 deletions
|
|
@ -154,8 +154,8 @@ resource "cloudflare_api_token" "list_sync" {
|
||||||
policy {
|
policy {
|
||||||
effect = "allow"
|
effect = "allow"
|
||||||
permission_groups = [
|
permission_groups = [
|
||||||
data.cloudflare_api_token_permission_groups.all.account["Account Filter Lists Edit"],
|
data.cloudflare_api_token_permission_groups.all.account["Account Rule Lists Write"],
|
||||||
data.cloudflare_api_token_permission_groups.all.account["Account Filter Lists Read"],
|
data.cloudflare_api_token_permission_groups.all.account["Account Rule Lists Read"],
|
||||||
]
|
]
|
||||||
resources = {
|
resources = {
|
||||||
"com.cloudflare.api.account.${local.cf_account_id}" = "*"
|
"com.cloudflare.api.account.${local.cf_account_id}" = "*"
|
||||||
|
|
|
||||||
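Review bot: The `list_sync` policy grants `Account Rule Lists Write` on the whole account (`"com.cloudflare.api.account.${local.cf_account_id}" = "*"`), and nothing visible in this hunk bounds where or for how long the token can be used. The resource body continues outside the hunk, so this may already be handled there. If these lists feed firewall or WAF rules, whoever holds the token can change what those rules match, so if the resource lacks them I would add `condition { request_ip { in = ["<SYNC_HOST_CIDR placeholder>"] } }` and an `expires_on` with a rotation schedule. A short comment above `permission_groups`, such as `# keys must exist in data.cloudflare_api_token_permission_groups.all.account; re-check with a plan after provider upgrades`, would also record why these names replaced the earlier guess.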