How to create an API token using Terraform?

I’m having no success using Terraform to create an API token for maintaining Cloudflare Workers. The Workers documentation only describes the token as created in the UI, so I’ve tried to translate what’s there to a Terraform script.

I’ve been through several attempts but didn’t document them all, so unfortunately I can’t lay them all out here. What I have currently is:

data "cloudflare_api_token_permission_groups" "all" {}

resource "cloudflare_api_token" "workers-token" {
  name = "workers-token"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["Account Settings Read"],
      data.cloudflare_api_token_permission_groups.all.permissions["User Details Read"],
      data.cloudflare_api_token_permission_groups.all.permissions["Workers KV Storage Write"],
      data.cloudflare_api_token_permission_groups.all.permissions["Workers Routes Write"],
      data.cloudflare_api_token_permission_groups.all.permissions["Workers Scripts Write"],
    ]
    resources = {
      "com.cloudflare.api.account.*"      = "*",
      "com.cloudflare.api.account.zone.*" = "*",
      "com.cloudflare.api.user.*"         = "*",
    }
  }
}

but that nets the error:

Error: error creating Cloudflare API Token "workers-token": HTTP status 400: Access can only be scoped to a specific user (1001)

I tried changing the user resources definition to a single user:

com.cloudflare.api.user.${cloudflare_account_member.api_user.id}

but that results in a different error:

(insert error message here - we have other TF work going on so I can't regenerate the error at the moment)

Any suggestions for what I’m doing wrong, and how to fix it?
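
An added example, not part of the original post and not the provider's own code: the same token with the user wildcard replaced by one specific user, which is what error 1001 asks for. It assumes a hypothetical `var.user_id` input holding the Cloudflare user ID (not an account membership ID), and it splits the permissions into one policy per scope, an assumption here that follows the provider documentation's pattern of a single resource type per policy.

```hcl
# Added example. var.user_id is a hypothetical input: the Cloudflare user ID
# of the token owner, which is a different value from an account membership ID.
variable "user_id" {
  type        = string
  description = "Cloudflare user ID that owns the token"
}

data "cloudflare_api_token_permission_groups" "all" {}

resource "cloudflare_api_token" "workers_token" {
  name = "workers-token"

  # User-scoped permission: the resource key names exactly one user.
  # "com.cloudflare.api.user.*" is what the API rejects with error 1001.
  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["User Details Read"],
    ]
    resources = {
      "com.cloudflare.api.user.${var.user_id}" = "*"
    }
  }

  # Account-scoped permissions. The wildcard is kept from the post; putting an
  # account ID in place of "*" in the key narrows the token to that account.
  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["Account Settings Read"],
      data.cloudflare_api_token_permission_groups.all.permissions["Workers KV Storage Write"],
      data.cloudflare_api_token_permission_groups.all.permissions["Workers Scripts Write"],
    ]
    resources = {
      "com.cloudflare.api.account.*" = "*"
    }
  }

  # Zone-scoped permission, again with the wildcard from the post.
  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["Workers Routes Write"],
    ]
    resources = {
      "com.cloudflare.api.account.zone.*" = "*"
    }
  }
}
```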