From 9146d7c1fe88b6769a8a12e420c35cd79691c152 Mon Sep 17 00:00:00 2001 From: rotem Date: Mon, 29 Jun 2026 17:26:23 -0500 Subject: [PATCH] fix(api_token): migrate permission_groups data source references instead of extracting map keys The cloudflare_api_token migrator incorrectly extracted map key strings (e.g. "DNS Read") from data source index access expressions like data.cloudflare_api_token_permission_groups.all.permissions["DNS Read"] and used them as permission group IDs. This produced invalid output like id = "DNS Read" instead of the actual permission group UUID. Changes: - Fix transformPermissionGroups to use bracket-depth tracking so that TokenQuotedLit tokens inside index access (depth 2) are not collected as permission group IDs - When expression references are detected, parse them as cloudflare_api_token_permission_groups data source refs and convert to for-expressions against the v5 replacement data source: [for pg in data.cloudflare_api_token_permission_groups_list.