dapperlabs-platform / terraform-confluent-official-kafka-cluster

Apache License 2.0

User "system:serviceaccount:sre:terraform" cannot create resource "serviceaccounts" in API group "" in the namespace "sre" #22

Open ShahNewazKhan opened 1 year ago

ShahNewazKhan commented 1 year ago

When applying this module with metrics exporter enabled using v0.12.3, we get the following error:

```
│ Error: serviceaccounts is forbidden: User "system:serviceaccount:sre:terraform" cannot create resource "serviceaccounts" in API group "" in the namespace "sre"
│
│   with module.confluent_kafka_cluster_staging.kubernetes_service_account.lag_exporter_service_account[0],
│   on .terraform/modules/confluent_kafka_cluster_staging/kafka-lag-exporter.tf line 10, in resource "kubernetes_service_account" "lag_exporter_service_account":
│   10: resource "kubernetes_service_account" "lag_exporter_service_account" {
│

...

│ Error: secrets is forbidden: User "system:serviceaccount:sre:terraform" cannot create resource "secrets" in API group "" in the namespace "sre"
│
│   with module.confluent_kafka_cluster_staging.kubernetes_secret.lag_exporter_config[0],
│   on .terraform/modules/confluent_kafka_cluster_staging/kafka-lag-exporter.tf line 20, in resource "kubernetes_secret" "lag_exporter_config":
│   20: resource "kubernetes_secret" "lag_exporter_config" {
│
```

ShahNewazKhan commented 1 year ago

This Terraform module does not include any k8s rolebindings, so I'm not sure where the Kafka cluster on GKE is being provisioned and how to grant the proper access for system:serviceaccount:sre:terraform.
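
Added example, not part of the thread and not code from this module: a namespaced Role and RoleBinding that grant `system:serviceaccount:sre:terraform` only the access named in the two errors above. The resource name `terraform-lag-exporter` and every verb other than `create` are assumptions, and the elided errors (`...`) may call for further rules.

```hcl
# Added example. Apply this from a separate configuration run by a
# cluster-admin identity: the "terraform" service account cannot grant
# permissions to itself.

resource "kubernetes_role" "terraform_lag_exporter" {
  metadata {
    name      = "terraform-lag-exporter" # hypothetical name
    namespace = "sre"                    # namespace from the error messages
  }

  rule {
    # Both denied resources live in the core API group, written as "".
    api_groups = [""]
    resources  = ["serviceaccounts", "secrets"]

    # Only "create" was denied in the errors. The remaining verbs are an
    # assumption: Terraform reads a resource back after creating it and
    # needs to change and delete it on later applies.
    # This covers every Secret in the namespace; RBAC resourceNames cannot
    # restrict "create", so the scope is limited by namespace instead.
    verbs = ["get", "create", "update", "patch", "delete"]
  }
}

resource "kubernetes_role_binding" "terraform_lag_exporter" {
  metadata {
    name      = "terraform-lag-exporter" # hypothetical name
    namespace = "sre"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role" # namespaced Role, not a ClusterRole
    name      = kubernetes_role.terraform_lag_exporter.metadata[0].name
  }

  # The identity from the errors: system:serviceaccount:sre:terraform
  subject {
    kind      = "ServiceAccount"
    name      = "terraform"
    namespace = "sre"
  }
}
```

Once applied, `kubectl auth can-i create secrets --as=system:serviceaccount:sre:terraform -n sre` should answer `yes`, and the same check with `-n default` should still answer `no`.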