Resource cloudflare_api_token fails due to schema issues with permission_groups.id #4591

Closed
3 tasks done
jrogers-dlp opened this issue Nov 15, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log.

jrogers-dlp commented Nov 15, 2024

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.8.5
on windows_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v5.0.0-alpha1
  • provider registry.terraform.io/hashicorp/local v2.5.2

Affected resource(s)

cloudflare_api_token

Terraform configuration files

resource "cloudflare_api_token" "api_token" {
  name = "api_token"
  policies = [{
    effect            = "allow"
    permission_groups = [
      {
        id = "dfe525ec7b07472c827d8d009178b2ac"
      }
    ]
    resources = {
      resource = "com.cloudflare.api.user.${var.jr_user_id}"
      scope    = "*" 
    }
  }]
}

Link to debug output

https://gist.github.com/jrogers-dlp/a2e4e2d6dabcc623a770ee36c597cf73

Panic output

No response

Expected output

Expected id to be set for permission group and terraform plan shown like so:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # cloudflare_api_token.api_token will be created
  + resource "cloudflare_api_token" "api_token" {
      + condition    = (known after apply)
      + expires_on   = (known after apply)
      + id           = (known after apply)
      + issued_on    = (known after apply)
      + last_used_on = (known after apply)
      + modified_on  = (known after apply)
      + name         = "api_token"
      + not_before   = (known after apply)
      + policies     = [
          + {
              + effect            = "allow"
              + id                = (known after apply)
              + permission_groups = [
                  + {
                      + id   = "dfe525ec7b07472c827d8d009178b2ac"
                      + meta = (known after apply)
                      + name = (known after apply)
                    },
                ]
              + resources         = {
                  + resource = "com.cloudflare.api.user.f4fdf41e55edfb26ba7e63c86053c9f9"
                  + scope    = "*"
                }
            },
        ]
      + status       = (known after apply)
      + value        = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Actual output

Terraform error on attempting to set a read-only attribute.

╷
│ Error: Invalid Configuration for Read-Only Attribute
│
│   with cloudflare_api_token.api_token,
│   on main.tf line 60, in resource "cloudflare_api_token" "api_token":
│   60: resource "cloudflare_api_token" "api_token" {
│
│ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.
│
│ Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that are supported.

Steps to reproduce

  1. terraform init with cloudflare provider version 5.0.0-alpha1
  2. Create a resource with cloudflare_api_token that creates an api token
  3. Run terraform apply

Additional factoids

Feels like with the current way that it is written, there is no valid resource configuration for cloudflare_api_token, as policies.permission_groups.id is listed as computed in the schema so it cannot be set.

I also tried modifying internal/services/api_token/resource.go and internal/services/api_token/model.go to change id from computed to required and rebuilt, and the resource does then succeed to at least the plan step. However, I'm currently having issues with the API not accepting anything I give the resources attribute so I haven't gotten the resource to fully create yet, but that part is potentially just my own ignorance.

References

No response
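
The rule behind the "Invalid Configuration for Read-Only Attribute" error in this report, as an added example that is not part of the original issue and is not Terraform's or the provider's code: a simplified Go model in which an attribute that is Computed without being Required or Optional is read-only and may not be set in configuration. The `Attr` type, the function names and the sample configuration are assumptions constructed for illustration.

```go
package main

import "fmt"

// Attr is a simplified model of a schema attribute (assumption: not the provider's types).
type Attr struct {
	Required, Optional, Computed bool
	Nested                       map[string]Attr
}

// ReadOnlyViolations lists config paths that set a Computed-only attribute.
func ReadOnlyViolations(schema map[string]Attr, cfg map[string]any, prefix string) []string {
	var out []string
	for name, val := range cfg {
		attr, path := schema[name], prefix+name
		if attr.Computed && !attr.Required && !attr.Optional {
			out = append(out, path) // read-only: configuration may not set it
			continue
		}
		items, isList := val.([]any)
		if !isList {
			items = []any{val} // treat a single nested object like a one-item list
		}
		for _, item := range items {
			if obj, ok := item.(map[string]any); ok {
				out = append(out, ReadOnlyViolations(attr.Nested, obj, path+".")...)
			}
		}
	}
	return out
}

// TokenSchema models policies.permission_groups.id; idRequired=true mirrors the reporter's local change.
func TokenSchema(idRequired bool) map[string]Attr {
	id := Attr{Computed: !idRequired, Required: idRequired}
	groups := Attr{Required: true, Nested: map[string]Attr{"id": id}}
	policies := Attr{Required: true, Nested: map[string]Attr{"effect": {Required: true}, "permission_groups": groups}}
	return map[string]Attr{"name": {Required: true}, "policies": policies}
}

// SampleConfig is a constructed configuration shaped like the one in the report.
func SampleConfig() map[string]any {
	group := map[string]any{"id": "<permission-group-id>"}
	policy := map[string]any{"effect": "allow", "permission_groups": []any{group}}
	return map[string]any{"name": "api_token", "policies": []any{policy}}
}

func main() {
	fmt.Println(ReadOnlyViolations(TokenSchema(false), SampleConfig(), ""), ReadOnlyViolations(TokenSchema(true), SampleConfig(), ""))
}
```

With the id modelled as computed-only, the one path flagged is `policies.permission_groups.id`; with it modelled as required, the same configuration passes this check.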

@jrogers-dlp jrogers-dlp added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 15, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Nov 15, 2024
@jrogers-dlp jrogers-dlp changed the title Resource cloudflare_api_token fails due to schema issues with permission_groups.id Resource cloudflare_api_token fails due to schema issues with permission_groups.id Nov 15, 2024
@jacobbednarz jacobbednarz closed this as not planned Nov 15, 2024
@jacobbednarz
Member

Thanks, but we're not accepting bugs for the alpha release at the moment. These are known issues and will be resolved in later releases.
