Mongey / terraform-provider-confluentcloud

A Terraform provider for managing resources in confluent.cloud
MIT License

Support ACLs #31

Closed wheresalice closed 4 years ago

wheresalice commented 4 years ago

Now that service accounts can be created by this provider, we need a way of setting ACLs so that the service accounts can be used.

The provider should support setting alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, and write on topics, consumer-groups, and clusters, and the underlying API requires a service account ID (rather than name).

Mongey commented 4 years ago

> alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, and write on topics, consumer-groups, and clusters

Are these not just ACLs on the Kafka cluster itself? Couldn't they be configured with terraform-provider-kafka?

wheresalice commented 4 years ago

I was really not expecting that to work given the previous insistence from Confluent that you need to use their ccloud tool to do anything with permissions.

But you're right - it works!

resource "confluentcloud_service_account" "alice" {
  name        = "alice-test"
  description = "alice service account test"
}

resource "kafka_acl" "alice_acl" {
  resource_name       = "dev_alice_test"
  resource_type       = "Topic"
  acl_principal       = "User:${confluentcloud_service_account.alice.id}"
  acl_operation       = "Read"
  acl_permission_type = "Allow"
  acl_host            = "*"
}

That acl_principal could be nicer, but that's a minor thing.
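
Added example, not part of the original thread or of either provider's own code: a least-privilege ACL set for a consumer service account, built with the same two resources used above. A client that consumes as part of a consumer group needs Read on the group as well as Read on the topic, so the single topic ACL is extended here. The group name `dev_alice_group`, the account name `alice-consumer` and the resource labels are assumptions, and both providers are assumed to be configured elsewhere.

```hcl
locals {
  # Constructed for illustration: only "dev_alice_test" appears in the thread.
  # Each entry becomes one literal (non-wildcard) Allow/Read ACL.
  consumer_acls = {
    topic_read = { type = "Topic", name = "dev_alice_test" }
    group_read = { type = "Group", name = "dev_alice_group" }
  }
}

# Dedicated service account so the ACLs below grant nothing to other clients.
resource "confluentcloud_service_account" "consumer" {
  name        = "alice-consumer"
  description = "read-only consumer for dev_alice_test"
}

# One kafka_acl per entry in local.consumer_acls. No Write, Create, Delete or
# Alter operations are granted, and no cluster-level ACL is created.
resource "kafka_acl" "consumer" {
  for_each = local.consumer_acls

  resource_name       = each.value.name
  resource_type       = each.value.type
  acl_principal       = "User:${confluentcloud_service_account.consumer.id}"
  acl_operation       = "Read"
  acl_permission_type = "Allow"
  acl_host            = "*"
}
```

Adding a topic or group to `consumer_acls` creates only the matching ACL, which keeps the granted scope reviewable in the plan output.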