confluentinc / terraform-provider-confluentcloud

Confluent Cloud Terraform Provider is deprecated in favor of Confluent Terraform Provider
https://registry.terraform.io/providers/confluentinc/confluentcloud/latest/docs

acl - support for service account in acl. (clarification) #6

Closed bluedog13 closed 3 years ago

bluedog13 commented 3 years ago

Is there a way to assign a service account and a consumer group while creating an acl for a topic?

I am trying to replicate the below feature from here

```
ccloud kafka acl create --allow --service-account sa-55555 --operation READ --operation DESCRIBE --consumer-group java_example_group_1
ccloud kafka acl create --allow --service-account sa-55555 --operation READ --operation DESCRIBE --topic '*'
```

Below is what I have - based on the examples. From what I understand - I don't have an option to assign a service account to the ACLs and, from what I understand, principal is not the same as service account (ex: sa-55555).

Is the below statement the equivalent of assigning the service account?

**principal     = "User:${var.service_account_terraform_sa_id}"**

acl for topic operation

```hcl
resource "confluentcloud_kafka_acl" "read-test-topic" {
  kafka_cluster = var.cluster_id
  resource_type = "TOPIC"
  resource_name = confluentcloud_kafka_topic.test-topic.topic_name
  pattern_type  = "LITERAL"
  principal     = "User:${var.service_account_terraform_sa_id}"
  host          = "*"
  operation     = "READ"
  permission    = "ALLOW"
  http_endpoint = var.cluster_http_endpoint

  credentials {
    key    = var.kafka_api_key
    secret = var.kafka_api_secret
  }
}
```

What will be the name of the consumer group after applying acl for consumer group and can the name be customized?

```hcl
resource "confluentcloud_kafka_acl" "consumer-group-test-topic" {
  kafka_cluster = var.cluster_id
  resource_type = "GROUP"
  resource_name = confluentcloud_kafka_topic.test-topic.topic_name
  pattern_type  = "LITERAL"
  principal     = "User:${var.service_account_terraform_sa_id}"
  host          = "*"
  operation     = "READ"
  permission    = "ALLOW"
  http_endpoint = var.cluster_http_endpoint

  credentials {
    key    = var.kafka_api_key
    secret = var.kafka_api_secret
  }
}
```

Much appreciated
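As an added example (not from the issue author or the provider's documentation), here is one way to express the two `ccloud kafka acl create` commands quoted above in this provider: the CLI grants READ and DESCRIBE in one call, while the provider takes one operation per resource, so the operations are iterated with `for_each`. It assumes that `"User:<service-account-id>"` is accepted as the principal for a service account and that a literal `"*"` resource name is the all-topics wildcard; `var.*` names are those already used in the issue.

```hcl
# Added example, not the provider's own code. Assumes the principal format
# "User:<service-account-id>" and that resource_name "*" with pattern_type
# LITERAL is the all-topics wildcard, as in Kafka's own ACL model.
locals {
  # The CLI granted READ and DESCRIBE in one call; the provider takes one
  # operation per resource, so iterate over the set.
  acl_operations = toset(["READ", "DESCRIBE"])
  consumer_group = "java_example_group_1" # the group name clients must use
  principal      = "User:${var.service_account_terraform_sa_id}"
}

# Equivalent of: --allow --service-account ... --consumer-group java_example_group_1
resource "confluentcloud_kafka_acl" "consumer_group" {
  for_each      = local.acl_operations
  kafka_cluster = var.cluster_id
  resource_type = "GROUP"
  resource_name = local.consumer_group
  pattern_type  = "LITERAL"
  principal     = local.principal
  host          = "*"
  operation     = each.value
  permission    = "ALLOW"
  http_endpoint = var.cluster_http_endpoint

  credentials {
    key    = var.kafka_api_key
    secret = var.kafka_api_secret
  }
}

# Equivalent of: --allow --service-account ... --topic '*'
# Note this is far broader than the per-topic ACL above: it lets the service
# account read every topic in the cluster, so prefer a named topic where possible.
resource "confluentcloud_kafka_acl" "all_topics" {
  for_each      = local.acl_operations
  kafka_cluster = var.cluster_id
  resource_type = "TOPIC"
  resource_name = "*"
  pattern_type  = "LITERAL"
  principal     = local.principal
  host          = "*"
  operation     = each.value
  permission    = "ALLOW"
  http_endpoint = var.cluster_http_endpoint

  credentials {
    key    = var.kafka_api_key
    secret = var.kafka_api_secret
  }
}
```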

bluedog13 commented 3 years ago

I think I may have figured this out.

`resource_name` is what sets the resource/consumer group name that can be used in the requests. Setting this appropriately will give the required consumer group name.

```hcl
resource "confluentcloud_kafka_acl" "consumer-group-test-topic" {
  kafka_cluster = var.cluster_id
  resource_type = "GROUP"
  resource_name = "<desired-consumer-group-name>"
  pattern_type  = "LITERAL"
  .......................................
```

Thanks.