
Comments (5)

bluedog13 commented on May 30, 2024

Thank you. Have sent the email to the email shared above.

Below is the rbac_crn that was generated from the data block to be substituted in the confluent_role_binding block.

crn_pattern = "crn://confluent.cloud/organization=98a3cce4-255d-4a56-8449-6dcbd65*****/environment=env-*****/cloud-cluster=lkc-*****/kafka=lkc-*****/topic=test*"

from terraform-provider-confluent.

bluedog13 commented on May 30, 2024

@linouk23 - Thank you for helping resolve the issue.

Below is the fix

I was using

principal   = "User:first.last@<company>.com"

For the fix to work, the email had to be substituted with the user id for the email

principal   = "User:u-mv****"

The reason for using the email initially was that the Confluent CLI does take an email for the principal. This behavior is different in the Terraform provisioning:

confluent iam rbac role-binding create \
    --principal User:[email protected] \
    --role DeveloperRead \
    --kafka-cluster-id lkc-***** \
    --environment env-***** \
    --resource Topic:test \
    --prefix

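Putting the two findings in this thread together (the principal must be a Confluent user id such as `User:u-...`, not an email, and the CRN should come from a data source rather than a hand-typed variable), here is an added example that is not from the thread or the provider's own documentation. It assumes the provider's `confluent_user` data source, which resolves an email to the user's id, and the variable names are hypothetical. The precondition on the role binding fails the plan if the resolved principal does not look like a user id, so the mistake is caught before the API returns 403.

```hcl
terraform {
  required_providers {
    confluent = {
      source = "confluentinc/confluent"
    }
  }
}

provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # hypothetical variable names
  cloud_api_secret = var.confluent_cloud_api_secret # owner needs Org/Env/CloudClusterAdmin to grant roles
}

variable "confluent_cloud_api_key" {
  type      = string
  sensitive = true
}

variable "confluent_cloud_api_secret" {
  type      = string
  sensitive = true
}

variable "environment_id" {
  type = string # e.g. "env-xxxxx" (placeholder)
}

variable "kafka_cluster_id" {
  type = string # e.g. "lkc-xxxxx" (placeholder)
}

variable "developer_email" {
  type = string # the human-readable input; NOT used directly as the principal
}

# Resolve the email to the user's id (u-xxxxxx). Passing the email itself as
# "User:first.last@company.com" works in the CLI but gives 403 via the provider.
data "confluent_user" "developer" {
  email = var.developer_email
}

# Pull the cluster's rbac_crn from the API instead of typing the CRN by hand,
# which avoids the silent-typo failure mode discussed in the thread.
data "confluent_kafka_cluster" "non_prod" {
  id = var.kafka_cluster_id
  environment {
    id = var.environment_id
  }
}

locals {
  developer_principal = "User:${data.confluent_user.developer.id}"
}

resource "confluent_role_binding" "developer_topic_read" {
  principal   = local.developer_principal
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.non_prod.rbac_crn}/kafka=${data.confluent_kafka_cluster.non_prod.id}/topic=test*"

  lifecycle {
    precondition {
      # Guard: the principal must be a user id, never an email address.
      condition     = can(regex("^User:u-[a-z0-9]+$", local.developer_principal))
      error_message = "principal must be a Confluent user id (User:u-...), not an email"
    }
  }
}

output "developer_principal" {
  value = local.developer_principal
}
```

The same pattern applies to service accounts: look the account up with `confluent_service_account` (as in the maintainer's snippet above) and build the principal from its `id`, which has the `sa-` prefix, adjusting the regex in the precondition accordingly.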

linouk23 commented on May 30, 2024

👋 thanks for opening an issue!

Created & replied to the 2nd issue (error) here: #28

Regarding the first one:
Your Cloud API Key (var.confluent_cloud_api_key/var.confluent_cloud_api_secret) should be owned by a principal with Org/Env/CloudClusterAdmin roles to be able to grant CloudClusterAdmin role.

I've got a quick question: is the end goal to create 2 role bindings: CloudClusterAdmin and DeveloperRead? I would expect that you run Terraform Provider with the Cloud API Key owned by OrgAdmin so 403 is a little bit surprising indeed.

There could be a typo in the CRNs, so I'd suggest using data sources instead of variables:

data "confluent_kafka_cluster" "basic" {
  id = "lkc-abc123"
  environment {
    id = "env-xyz456"
  }
}

data "confluent_service_account" "example_using_name" {
  display_name = "test_sa"
}

resource "confluent_role_binding" "first-last-topic-rb" {
  principal   = "User:${data.confluent_service_account.example_using_name.id}"
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.basic.rbac_crn}/kafka=${data.confluent_kafka_cluster.basic.id}/group=test*"
}

Let me know if that helps.

I tried the below to assign the CloudClusterAdmin keys while provisioning..... but it did not work
That's expected, see docs/resources/confluent_role_binding for a list of supported arguments.


bluedog13 commented on May 30, 2024

Thank you for the reply.

The Cloud API key was created by me and I have the "OrganizationAdmin" role. Also, the cloud key/secret I am using has worked in another tf project, where I used it to provision a service account with the "CloudClusterAdmin" role.

I used the data block as suggested above but still get the 403 error:

data "confluent_kafka_cluster" "non-prod" {
  id = var.kafka_cluster_id
  environment {
    id = var.environment_id
  }
}

resource "confluent_role_binding" "aleksandra-sarac-topic-rb" {
  principal   = "User:${var.user_first_last}"
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.non-prod.rbac_crn}/kafka=${data.confluent_kafka_cluster.non-prod.id}/topic=test*"
}

------------------- 
error creating Role Binding: 403 Forbidden: Forbidden Access


linouk23 commented on May 30, 2024

@bluedog13 could you share your OrgID with [email protected] and our backend team will take a look at it?

