RBAC provisioning errors : 403 error #27

Closed
bluedog13 opened this issue May 12, 2022 · 5 comments
Labels
question Further information is requested

Comments


bluedog13 commented May 12, 2022

I am trying to grant DeveloperRead access to users. In my project setup I have

.
├── developer-read.tf
├── main.tf
├── sa-cloudclusteradmin.tf
└── variables.tf

The sa-cloudclusteradmin.tf file creates a new service account with "CloudClusterAdmin" privileges.

Error-1

When I run the tf apply command for the first time, I get the error below when assigning DeveloperRead. I have confluent_cloud_api_key/secret defined in the main.tf file. The error below: is it because it needs an account with "CloudClusterAdmin" privileges? If yes, how do I use them in the "confluent_role_binding" block?

error creating Role Binding: 403 Forbidden: Forbidden Access

However the same works when I use the confluent CLI "iam rbac role-binding create" command.

Error-2

Also, when I run the tf apply command again for the second time, I get an additional error for the CloudClusterAdmin account. Should it not skip creating the service account if it already exists?

error creating Service Account "app-manager-rbac-sa-non-prod": 409 Conflict: Service name is already in use.

I tried the below to assign the CloudClusterAdmin keys while provisioning... but it did not work:

# Posted as tried (and rejected by the provider): a `credentials` block is not a
# supported argument of confluent_role_binding, hence "Unsupported block type".
resource "confluent_role_binding" "first-last-topic-rb" {
  principal   = "User:${var.user_first_last}"
  role_name   = "DeveloperRead"
  crn_pattern = "${var.kafka_cluster_rbac_crn}/kafka=${var.kafka_cluster_id}/group=test*"

  credentials {
    key    = confluent_api_key.app-manager-rbac-kafka-api-key.id
    secret = confluent_api_key.app-manager-rbac-kafka-api-key.secret
  }
}

---
Error: Unsupported block type

Thanks.

linouk23 (Collaborator) commented May 12, 2022

👋 thanks for opening an issue!

Created & replied to the 2nd issue (error) here: #28

Regarding the first one:
Your Cloud API Key (var.confluent_cloud_api_key/var.confluent_cloud_api_secret) should be owned by a principal with Org/Env/CloudClusterAdmin roles to be able to grant CloudClusterAdmin role.

I've got a quick question: is the end goal to create 2 role bindings: CloudClusterAdmin and DeveloperRead? I would expect that you run Terraform Provider with the Cloud API Key owned by OrgAdmin so 403 is a little bit surprising indeed.

There could be a typo in the CRNs, so I'd suggest using data sources instead of variables:

# Look up the cluster by ID so rbac_crn and id come from the API, not a hand-typed variable.
data "confluent_kafka_cluster" "basic" {
  id = "lkc-abc123"
  environment {
    id = "env-xyz456"
  }
}

# Resolve the service account by display name; its id is the principal ID.
data "confluent_service_account" "example_using_name" {
  display_name = "test_sa"
}

resource "confluent_role_binding" "first-last-topic-rb" {
  principal   = "User:${data.confluent_service_account.example_using_name.id}"
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.basic.rbac_crn}/kafka=${data.confluent_kafka_cluster.basic.id}/group=test*"
}

Let me know if that helps.

> I tried the below to assign the CloudClusterAdmin keys while provisioning... but it did not work

That's expected; see docs/resources/confluent_role_binding for a list of supported arguments.

@linouk23 linouk23 added the question Further information is requested label May 12, 2022
bluedog13 (Author) commented

Thank you for the reply.

The Cloud API key was created by me and I have the "OrganizationAdmin" role. Also, the cloud key/secret I am using has worked in another tf project where I used it to provision a service account with the "CloudClusterAdmin" role.

I used the data block as suggested above but still get the 403 error:

data "confluent_kafka_cluster" "non-prod" {
  id = var.kafka_cluster_id
  environment {
    id = var.environment_id
  }
}

resource "confluent_role_binding" "aleksandra-sarac-topic-rb" {
  # var.user_first_last held an email address at this point (see the fix below)
  principal   = "User:${var.user_first_last}"
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.non-prod.rbac_crn}/kafka=${data.confluent_kafka_cluster.non-prod.id}/topic=test*"
}

------------------- 
error creating Role Binding: 403 Forbidden: Forbidden Access

linouk23 (Collaborator) commented

@bluedog13 could you share your OrgID with cflt-tf-access@confluent.io and our backend team will take a look at it?

bluedog13 (Author) commented

Thank you. I have sent the email to the address shared above.

Below is the rbac_crn that was generated from the data block to be substituted in the confluent_role_binding block.

crn_pattern = "crn://confluent.cloud/organization=98a3cce4-255d-4a56-8449-6dcbd65*****/environment=env-*****/cloud-cluster=lkc-*****/kafka=lkc-*****/topic=test*"

bluedog13 (Author) commented

@linouk23 - Thank you for helping resolve the issue.

Below is the fix.

I was using

principal   = "User:first.last@<company>.com"

For the fix to work, the email had to be substituted with the user ID for that email:

principal   = "User:u-mv****"

The reason for using the email initially was that the Confluent CLI does accept an email for the principal. This behavior is different in the Terraform provisioning:

confluent iam rbac role-binding create \
    --principal User:first.last@company.com \
    --role DeveloperRead \
    --kafka-cluster-id lkc-***** \
    --environment env-***** \
    --resource Topic:test \
    --prefix
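The thread's resolution in Terraform terms, as an added example that is not part of the original issue or the provider's own docs: resolve the email to the Confluent user ID with a data source instead of hard-coding `u-...`, and fail at plan time if the principal is ever not an ID. It assumes the `confluent_user` data source with an `email` argument (documented by the provider in later versions; not discussed in this thread) and that Confluent principal IDs carry a `u-` (user) or `sa-` (service account) prefix, as the `u-mv****` value above and the service-account IDs elsewhere in the provider show; the `lifecycle.precondition` block needs Terraform 1.2 or newer.

```hcl
# Added example (not from the issue). Assumption: the confluent_user data
# source accepts an email and exposes the user's id (u-xxxxx).
variable "developer_email" {
  type    = string
  default = "first.last@company.com" # constructed sample value
}

data "confluent_user" "dev" {
  email = var.developer_email
}

data "confluent_kafka_cluster" "non_prod" {
  id = var.kafka_cluster_id
  environment {
    id = var.environment_id
  }
}

locals {
  # The provider wants the Confluent ID, not the email the CLI accepts.
  developer_principal = "User:${data.confluent_user.dev.id}"
}

resource "confluent_role_binding" "dev_read_test_topics" {
  principal   = local.developer_principal
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.non_prod.rbac_crn}/kafka=${data.confluent_kafka_cluster.non_prod.id}/topic=test*"

  lifecycle {
    # Turn the opaque 403 into a clear plan-time error if a caller ever
    # bypasses the lookup and passes an email (or anything else) as principal.
    precondition {
      condition     = can(regex("^User:(u|sa)-[A-Za-z0-9]+$", local.developer_principal))
      error_message = "principal must be User:u-<id> or User:sa-<id>; an email address is rejected by the Confluent API with 403."
    }
  }
}

output "dev_read_principal" {
  value = local.developer_principal
}
```

The precondition is the part worth keeping even if you pass IDs directly: the API answers a wrong principal format with a bare 403, which is indistinguishable from a genuine permission problem on the Cloud API key, so catching it before apply saves a round of credential-chasing.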

@linouk23 linouk23 changed the title RBAC provisioning errors : 403 and 409 errors RBAC provisioning errors : 403 error May 12, 2022