What permissions are required to create a zone via Terraform/API?

I’m trying to create a zone via Terraform that looks like this:

resource "cloudflare_zone" "myzone" {
  account_id = data.cloudflare_accounts.myaccount.id
  zone       = "mydomain.com"
  jump_start = false
  paused     = true
  plan       = "free"
  type       = "full"
}

I’m getting a “permission denied” error:

╷
│ Error: error creating zone "mydomain.com": Permission denied (1068)
│
│   with cloudflare_zone.myzone,
│   on cf_zone.tf line 1, in resource "cloudflare_zone" "myzone":
│    1: resource "cloudflare_zone" "myzone" {
│
╵

The permissions on the API token that I’m using are:

  • Account: SSL and Certificates:Edit, Transform Rules:Edit, Select Configuration:Edit, Account Analytics:Read, Rule Policies:Edit, Billing:Edit, Account Settings:Edit
    • All zones - Disable ESC:Edit, Config Rules:Edit, Dynamic Redirect:Edit, Custom Error Rules:Edit, Email Routing Rules:Edit, Managed Headers:Edit, HTTP DDoS Managed Ruleset:Edit, Zone WAF:Edit, Health Checks:Edit, Zone Settings:Edit, Zone:Edit, SSL and Certificates:Edit, Load Balancers:Edit, Firewall Services:Edit, DNS:Edit, Analytics:Read

I can’t seem to find documentation on what permissions an API endpoint requires. It seems that the CF docs are missing this information?

Terraform Plan works, so I know my token can authenticate on the account.

Here is the output from TF_LOG=DEBUG:

2023/03/07 00:08:10
POST /client/v4/zones HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.3.9 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/4.0.0
Content-Length: 149
Authorization: Bearer [redacted]
Content-Type: application/json
Accept-Encoding: gzip
{"name":"mydomain.com","jump_start":false,"type":"full","organization":{"id":"<my_id_here>","created_on":"0001-01-01T00:00:00Z"}}

2023/03/07 00:08:11
HTTP/2.0 400 Bad Request
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cf-Cache-Status: DYNAMIC
Cf-Ray: 7a3e9a3cdb0adf30-MEL
Content-Type: application/json
Date: Tue, 07 Mar 2023 00:08:11 GMT
Expires: Sun, 25 Jan 1981 05:00:00 GMT
Pragma: no-cache
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGUFqYFDiSDreGJnUmow17iX5gAZ; SameSite=Lax; path=/; expires=Tue, 07-Mar-23 02:38:12 GMT; HttpOnly
Set-Cookie: __cfruid=9edcf455113cacb0cc9becde2e1b30cd541b9c6f-1678147691; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
{"success":false,"errors":[{"code":1068,"message":"Permission denied"}],"messages":[],"result":null}

I can’t seem to figure out what token permissions I need to make it work. Hopefully someone can point me in the right direction!

Ah I found the issue, the syntax for the account_id on the resource needs to be:

resource "cloudflare_zone" "myzone" {
  account_id = data.cloudflare_accounts.myaccount.accounts[0].id
  zone       = "mydomain.com"
  jump_start = false
  paused     = true
  plan       = "free"
  type       = "full"
}
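To catch this class of mistake at plan time rather than as a misleading "Permission denied (1068)" at apply, the following added example (not code from the thread or from the Cloudflare provider) wires the accounts data source into the zone with two preconditions. The account name "My Account", the 32-hex account ID format, and Terraform 1.2 or later for preconditions are assumptions.

```hcl
# Added example, not from the original thread. Assumptions: the account is
# named "My Account"; Cloudflare account IDs are 32 lowercase hex characters;
# Terraform >= 1.2 (lifecycle preconditions).
data "cloudflare_accounts" "myaccount" {
  name = "My Account" # hypothetical account name used as the lookup filter
}

locals {
  # data.cloudflare_accounts.myaccount.id is the data source's own ID, not an
  # account ID. The account ID lives in the accounts list; try() yields "" if
  # the list is empty so the precondition below reports it instead of an
  # "invalid index" error.
  account_id = try(data.cloudflare_accounts.myaccount.accounts[0].id, "")
}

resource "cloudflare_zone" "myzone" {
  account_id = local.account_id
  zone       = "mydomain.com"
  jump_start = false
  paused     = true
  plan       = "free"
  type       = "full"

  lifecycle {
    precondition {
      condition     = length(data.cloudflare_accounts.myaccount.accounts) == 1
      error_message = "Expected exactly one account matching the name filter; refine data.cloudflare_accounts.myaccount.name."
    }
    precondition {
      condition     = can(regex("^[0-9a-f]{32}$", local.account_id))
      error_message = "account_id is not a Cloudflare account ID; reference accounts[0].id on the data source, not .id."
    }
  }
}
```

With the original `data.cloudflare_accounts.myaccount.id` reference, `terraform plan` now fails on the second precondition with a message naming the real cause, before any request reaches the API.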
