Skip to content

fix(api_token): migrate permission_groups data source references instead of extracting map keys#314

Open
rotem-cloud wants to merge 1 commit into
mainfrom
fix/api-token-permission-groups-data-source-migration
Open

fix(api_token): migrate permission_groups data source references instead of extracting map keys#314
rotem-cloud wants to merge 1 commit into
mainfrom
fix/api-token-permission-groups-data-source-migration

Conversation

@rotem-cloud

Copy link
Copy Markdown
Collaborator

Problem

The cloudflare_api_token migrator incorrectly handled permission_groups that referenced the cloudflare_api_token_permission_groups data source. Expressions like:

data.cloudflare_api_token_permission_groups.all.permissions["DNS Read"]

had the map key string ("DNS Read") extracted as the permission group ID, producing invalid output:

permission_groups = [{ id = "DNS Read" }]  # wrong — should be UUID

Additionally, the data source block was silently removed via a Preprocess regex with no warning.

Fix

1. Bracket-depth tracking in transformPermissionGroups

Replaced the boolean inList flag with an integer bracketDepth counter. TokenQuotedLit tokens are only collected at depth 1 (direct list elements), not at depth 2+ (index access keys like ["DNS Read"]).

2. Data source reference → for-expression conversion

When expression elements are detected, each is parsed to check if it matches data.cloudflare_api_token_permission_groups.<label>.<category>["<name>"]. If so, it's converted to a for-expression against the v5 replacement data source:

permission_groups = [{
  id = [for pg in data.cloudflare_api_token_permission_groups_list.all.result : pg.id if pg.name == "DNS Read"][0]
}]

3. Datasource migrator (new)

Added internal/datasources/api_token_permission_groups/v4_to_v5.go that renames the data source block from cloudflare_api_token_permission_groups to cloudflare_api_token_permission_groups_list instead of silently removing it.

4. Fallback for unrecognized expressions

Expressions that don't match the data source pattern are wrapped as { id = <expr> } with a diagnostic warning.

Testing

  • All 12 unit tests pass (including 2 new test cases for the bug scenario)
  • Integration tests pass
  • Full suite: 94 packages, 0 failures
  • E2E verified against real Cloudflare infrastructure:
    • v4 config with data source refs → tf-migrate → v5 config with for-expressions
    • terraform apply with v5 provider succeeds
    • terraform plan shows no drift

Files changed

File Change
internal/resources/api_token/v4_to_v5.go Core fix + for-expression generation
internal/datasources/api_token_permission_groups/v4_to_v5.go New datasource migrator
internal/registry/registry.go Register new migrator
internal/resources/api_token/v4_to_v5_test.go Fix + add test cases
integration/.../api_token/expected/api_token.tf Updated expected output

Closes #298

…ead of extracting map keys

The cloudflare_api_token migrator incorrectly extracted map key strings
(e.g. "DNS Read") from data source index access expressions like
data.cloudflare_api_token_permission_groups.all.permissions["DNS Read"]
and used them as permission group IDs. This produced invalid output like
id = "DNS Read" instead of the actual permission group UUID.

Changes:
- Fix transformPermissionGroups to use bracket-depth tracking so that
  TokenQuotedLit tokens inside index access (depth 2) are not collected
  as permission group IDs
- When expression references are detected, parse them as
  cloudflare_api_token_permission_groups data source refs and convert to
  for-expressions against the v5 replacement data source:
  [for pg in data.cloudflare_api_token_permission_groups_list.<label>.result : pg.id if pg.name == "<name>"][0]
- Add datasource migrator that renames cloudflare_api_token_permission_groups
  to cloudflare_api_token_permission_groups_list (instead of silently
  removing via Preprocess regex)
- Unrecognized expressions fall back to { id = <expr> } wrapping with a
  diagnostic warning

Closes #298
@rotem-cloud rotem-cloud requested a review from a team as a code owner June 29, 2026 22:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

cloudflare_api_token_permission_groups decommissioned in v5, tool doesn't migrate existing usage in cloudflare_api_token resources

1 participant