confluentinc / terraform-provider-confluentcloud

Confluent Cloud Terraform Provider is deprecated in favor of Confluent Terraform Provider
https://registry.terraform.io/providers/confluentinc/confluentcloud/latest/docs

Incorrect documentation on service_account_int_id to be of type number #33

Closed mdasberg closed 2 years ago

mdasberg commented 2 years ago

The documentation as available on the confluentcloud documentation page is incorrect. In the part on how to create the variables.tf file, it specifies that service account IDs are of type number; however, they are actually of type string, using the following format:

sa-2f2asd

I have created a PR to correct the docs.

linouk23 commented 2 years ago

Thanks for opening an issue and creating a PR!

Unfortunately, the docs are correct and that's a limitation (that principal only accepts int IDs: User:12345 instead of User:sa-111aaa at the moment) we're actively working on: otherwise we'd be able to bypass this manual step by referencing SA's ID directly in ACL's principal attribute:

resource "confluentcloud_kafka_acl" "describe-orders" {
  kafka_cluster = confluentcloud_kafka_cluster.test-basic-cluster.id
  resource_type = "TOPIC"
  resource_name = confluentcloud_kafka_topic.orders.topic_name
  pattern_type = "LITERAL"
  # instead of principal = "User:${var.service_account_int_id}" we could use
  principal = "User:${confluentcloud_service_account.test-sa.id}"
  ...
}

and remove var.service_account_int_id from variables.tf.

mdasberg commented 2 years ago

@linouk23 The only way I got it to work is by using the service-account id, which is a string and not an integer. To get it to work I had to define it as a string. Otherwise I have no way of creating the resources environment and cluster.

This is because the service account ids are of a format sa-33...

For using it to create acl entries I could reference the api-key ids which are integers.

Could you please explain to me how to get a hold of the service-account id?

linouk23 commented 2 years ago

See #31 for more context / details.

Could you double check you inserted the int ID without any quotes or something?

For using it to create acl entries I could reference the api-key ids which are integers. Could you please explain to me how to get a hold of the service-account id?

Could you provide more context around these? I'm not sure I get it right.

mdasberg commented 2 years ago

executing this

# Example for using Confluent Cloud https://docs.confluent.io/cloud/current/api.html
# that creates multiple resources: a service account, an environment, a basic cluster, a topic, and 2 ACLs.
# Configure Confluent Cloud provider
terraform {
  required_providers {
    confluentcloud = {
      source  = "confluentinc/confluentcloud"
      version = "0.3.0"
    }
  }
}

provider "confluentcloud" {}

# Create a service account
resource "confluentcloud_service_account" "demo-service-account" {
  display_name = "demo-service-account"
  description = "Demo service account"
}

giving this as output from the terraform apply:

confluentcloud_service_account.demo-service-account: Creating...
confluentcloud_service_account.demo-service-account: Creation complete after 1s [id=sa-dopkyd]

and creates this in the interface: Screenshot 2022-01-14 at 19 20 10

mdasberg commented 2 years ago

So my question would then be, where do I find the service-account-int-id?

because I now used the ID which worked but it required me to make it a string instead of number

linouk23 commented 2 years ago

executing this

This part looks good to me.

So my question would then be, where do I find the service-account-int-id?

Please follow this note to find the corresponding int ID for your created service account.

because I now used the ID which worked

Even though ACL creation went through, I'm not sure you created a correct ACL this way that will work as expected. E.g., if you try to list ACLs for this SA I'm not sure it'll be displayed.

All that said, we're going to address this issue in one of our next releases and remove that var.service_account_int_id from variables.tf.

mdasberg commented 2 years ago

@linouk23 I will try that. Thanks

linouk23 commented 2 years ago

Sounds good! Feel free to reopen an issue if you run into any other issues.

linouk23 commented 2 years ago

@mdasberg here's an example of what happens when you use User:sa-12345 as a principal: even though the request goes through, we can see that the principal field wasn't populated correctly

$ ccloud kafka acl list --cluster lkc-12345
  Principal | Permission | Operation | ResourceType | ResourceName | PatternType
------------+------------+-----------+--------------+--------------+--------------
  User:     | ALLOW      | DESCRIBE  | CLUSTER      | my-cluster   | LITERAL
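
A check for the failure mode shown in the listing above, where the ACL request succeeds but the principal is left empty and the rule is bound to no account. This is an added example, not part of the original comment or the provider's code; the sample listing, the function names and the accepted principal pattern are assumptions based on the two ID forms mentioned in this thread.

```python
import re

# Constructed sample modeled on the listing above: the first row is an ACL whose
# principal was not populated; the other two rows use made-up IDs in the integer
# and "sa-..." forms discussed in this thread.
SAMPLE_LISTING = """\
  Principal      | Permission | Operation | ResourceType | ResourceName | PatternType
-----------------+------------+-----------+--------------+--------------+--------------
  User:          | ALLOW      | DESCRIBE  | CLUSTER      | my-cluster   | LITERAL
  User:12345     | ALLOW      | READ      | TOPIC        | orders       | LITERAL
  User:sa-abc123 | ALLOW      | WRITE     | TOPIC        | orders       | LITERAL
"""

# Assumption: a usable principal is "User:" followed by an integer ID or an
# "sa-..." resource ID. Anything else is reported for review.
PRINCIPAL_RE = re.compile(r"^User:(\d+|sa-[A-Za-z0-9]+)$")


def parse_acl_listing(text):
    """Parse the pipe-delimited table into a list of dicts keyed by column name."""
    header = None
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= set("-+"):
            continue  # skip blank lines and the ----+---- separator row
        cells = [cell.strip() for cell in line.split("|")]
        if header is None:
            header = cells  # first data-bearing line holds the column names
            continue
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def find_unbound_acls(text):
    """Return ACL rows whose principal does not identify any account."""
    return [row for row in parse_acl_listing(text)
            if not PRINCIPAL_RE.match(row["Principal"])]


if __name__ == "__main__":
    for row in find_unbound_acls(SAMPLE_LISTING):
        print("ACL with unpopulated principal:", row)
```

Piping the output of the `ccloud kafka acl list` command into `find_unbound_acls` after each `terraform apply` surfaces ACLs that were accepted by the API but will not apply to the intended service account.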

linouk23 commented 2 years ago

@mdasberg starting from version 0.4.0, the TF Provider supports principal = "User:sa-abc123", so you don't need to look up the corresponding int ID manually and can reference the SA's ID:

principal     = "User:${confluentcloud_service_account.app-producer.id}"