runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

User "system:serviceaccount:atlantis:atlantis" cannot create resource "customresourcedefinitions" #4239

Open papanito opened 7 months ago

papanito commented 7 months ago


Overview of the Issue

We are trying to deploy a helm chart using the helm-provider, using atlantis. This however fails with the following error

customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:atlantis:atlantis" cannot create resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

The user we are using for the terraform provider has cluster owner issue so it can create any resource.

Reproduction Steps

We deploy this terraform code

resource "helm_release" "velero" {
  name         = "velero"
  repository   = "https://helm.intra/virtual-helm"
  chart        = "velero"
  namespace    = "velero"
  version      = var.chart_version
  force_update = true
  values = [
    <<YAML
image:
  repository: docker.intra/velero/velero
  pullPolicy: IfNotPresent

dnsPolicy: ClusterFirst

initContainers:
  - name: velero-plugin-for-csi
    image: docker.intra/velero/velero-plugin-for-csi:v${var.velero_plugin_csi_image_tag}
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target
        name: plugins
  - name: velero-plugin-for-azure
    image: docker.intra/velero/velero-plugin-for-microsoft-azure:v${var.velero_plugin_microsoft_azure_image_tag}
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target
        name: plugins

configuration:
  backupStorageLocation:
    - name: ${var.backup_storage_location_name}
      provider: azure
      bucket: ${var.storage_account_bucket_name}
      default: true
      validationFrequency:
      accessMode: ReadWrite
      config:
        resourceGroup: ${var.backup_storage_location_resource_group}
        subscriptionId: ${var.backup_storage_location_subscription_id}
        storageAccount: ${var.backup_storage_location_storage_account_name}

  volumeSnapshotLocation:
    - name: ${var.volume_snapshot_location_name}
      provider: azure
      config:
        resourceGroup: ${var.volume_snapshot_location_resource_group}
        subscriptionId: ${var.volume_snapshot_location_subscription_id}

rbac:
  create: true
  clusterAdministrator: true
  clusterAdministratorName: cluster-admin

serviceAccount:
  server:
    create: true

credentials:
  secretContents:
    cloud: |-
      AZURE_TENANT_ID=${var.azure_tenant_id}
      AZURE_CLIENT_ID=${var.azure_client_id}
      AZURE_CLIENT_SECRET=${var.azure_client_secret}
      AZURE_BACKUP_SUBSCRIPTION_NAME=${var.backup_storage_location_subscription_name}
      AZURE_BACKUP_SUBSCRIPTION_ID=${var.backup_storage_location_subscription_id}
      AZURE_STORAGE_ACCOUNT_NAME=${var.backup_storage_location_storage_account_name}
  useSecret: true

upgradeCRDs: true
cleanUpCRDs: false

kubectl:
  image:
    repository: docker.intra/bitnami/kubectl

YAML
  ]
}

Logs

No logs as the issue occurs during plan

Environment details

Additional Context

N/A
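Added example, not code from the issue or the Atlantis project: a small parser for the forbidden message quoted above that extracts the subject the API server actually authenticated, flags when that subject differs from the user the provider was meant to use, and builds the `kubectl auth can-i` impersonation check for exactly that subject and scope. The sample message is the one from the issue, constructed inline; the expected-user name passed to the mismatch check is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: the message quoted in the issue, joined onto one line.
SAMPLE_ERROR = (
    'customresourcedefinitions.apiextensions.k8s.io is forbidden: '
    'User "system:serviceaccount:atlantis:atlantis" cannot create resource '
    '"customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope'
)

# Shape of the API server's RBAC denial; the core API group is reported as "".
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

@dataclass
class Denial:
    user: str
    verb: str
    resource: str
    group: str
    namespace: Optional[str]  # None means the request was cluster-scoped

def parse_forbidden(message: str) -> Denial:
    """Extract subject, verb, resource, API group and scope from a forbidden error."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        raise ValueError("not a Kubernetes RBAC 'forbidden' message")
    return Denial(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])

def is_service_account(user: str) -> bool:
    """Service-account subjects are always named system:serviceaccount:<ns>:<name>."""
    return user.startswith("system:serviceaccount:")

def provider_identity_mismatch(d: Denial, expected_user: str) -> bool:
    """True when the API server saw a different subject than the one the provider
    was configured with (e.g. the pod's own service account instead of the user)."""
    return d.user != expected_user

def can_i_command(d: Denial) -> str:
    """kubectl check that reproduces the denial for exactly that subject and scope."""
    resource = f"{d.resource}.{d.group}" if d.group else d.resource
    cmd = f"kubectl auth can-i {d.verb} {resource} --as={d.user}"
    if d.namespace:
        cmd += f" -n {d.namespace}"
    return cmd
```

Run the generated command from a kubeconfig that is allowed to impersonate; a "no" confirms the denial is about the subject named in the error, not about the provider user.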

papanito commented 7 months ago

What I don't understand is why the service account should be involved when we configure the Terraform provider to use a specific user with adequate access.