yandex-cloud / terraform-provider-yandex

Terraform Yandex provider
https://www.terraform.io/docs/providers/yandex/
Mozilla Public License 2.0

Binding for role "mdb.dataproc.agent" not found in policy for folder #283

Open patsevanton opened 2 years ago

patsevanton commented 2 years ago

Hello! When I create and then destroy the example from the yandex_dataproc_cluster documentation, I get this error:

yandex_dataproc_cluster.foo: Destroying... [id=c9qjroagc36nb3c97am3]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 10s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 20s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 30s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 40s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 50s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m0s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m10s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m20s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m30s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m40s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m50s elapsed]
yandex_dataproc_cluster.foo: Destruction complete after 1m54s
yandex_resourcemanager_folder_iam_binding.dataproc: Destroying... [id=b1g972v94kscfi3qmfmh/mdb.dataproc.agent]
yandex_vpc_subnet.foo: Destroying... [id=e2lu17eoapj0il6auj4b]
yandex_storage_bucket.bucket-apatsev: Destroying... [id=bucket-apatsev]
yandex_vpc_subnet.foo: Destruction complete after 5s
yandex_vpc_network.foo: Destroying... [id=enpllufk5evee1t73g76]
yandex_vpc_network.foo: Destruction complete after 0s
yandex_storage_bucket.bucket-apatsev: Still destroying... [id=bucket-apatsev, 10s elapsed]
yandex_storage_bucket.bucket-apatsev: Destruction complete after 12s
yandex_resourcemanager_folder_iam_binding.bucket-creator: Destroying... [id=b1g972v94kscfi3qmfmh/editor]
yandex_iam_service_account_static_access_key.foo: Destroying... [id=aje0fpde57nso7crm9l9]
yandex_iam_service_account_static_access_key.foo: Destruction complete after 0s
╷
│ Error: Binding for role "editor" not found in policy for folder "b1g972v94kscfi3qmfmh".
│ 
│ 
╵
╷
│ Error: Binding for role "mdb.dataproc.agent" not found in policy for folder "b1g972v94kscfi3qmfmh".

My Terraform code, copied from https://registry.tfpla.net/providers/yandex-cloud/yandex/latest/docs/resources/dataproc_cluster:

# Data Proc cluster from the provider's documentation example. Its destroy is
# the first step in the log above and completes before the IAM binding errors.
resource "yandex_dataproc_cluster" "foo" {
  # Create the cluster only after the agent role binding exists. Terraform
  # reverses the order on destroy, so the cluster goes before the binding.
  depends_on = [yandex_resourcemanager_folder_iam_binding.dataproc]

  bucket      = yandex_storage_bucket.bucket-apatsev.bucket
  description = "Dataproc Cluster created by Terraform"
  name        = "dataproc-cluster"
  labels = {
    created_by = "terraform"
  }
  # Service account attached to the cluster. In this configuration the same
  # account is also a member of the folder-wide "editor" binding, so the
  # cluster identity holds more than the mdb.dataproc.agent role.
  service_account_id = yandex_iam_service_account.dataproc.id
  # Same zone as yandex_vpc_subnet.foo, which every subcluster uses.
  zone_id            = "ru-central1-b"

  cluster_config {
    # A specific cluster version can be pinned here, but the default
    # (latest stable version) is preferred.
    # version_id = "1.4"

    hadoop {
      services = ["HDFS", "YARN", "SPARK", "TEZ", "MAPREDUCE", "HIVE"]
      properties = {
        "yarn:yarn.resourcemanager.am.max-attempts" = 5
      }
      # Public key read from the home directory of whoever runs Terraform, so
      # the result depends on the operator's machine.
      # NOTE(review): presumably this key is authorized for SSH on the cluster
      # hosts; confirm in the provider docs and use a dedicated key.
      ssh_public_keys = [
      file("~/.ssh/id_rsa.pub")]
    }

    # One master host.
    subcluster_spec {
      name = "main"
      role = "MASTERNODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 1
    }

    # Two data hosts.
    subcluster_spec {
      name = "data"
      role = "DATANODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 2
    }

    # Two fixed-size compute hosts.
    subcluster_spec {
      name = "compute"
      role = "COMPUTENODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 2
    }

    # Second compute subcluster; the only one carrying an autoscaling_config.
    subcluster_spec {
      name = "compute_autoscaling"
      role = "COMPUTENODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 2      
      # NOTE(review): the durations and timeout below are presumably in
      # seconds; confirm in the provider docs.
      autoscaling_config {
        max_hosts_count = 10
        measurement_duration = 60
        warmup_duration = 60
        stabilization_duration = 120
        preemptible = false
        decommission_timeout = 60
      }
    }
  }
}

# Network with all arguments left at provider defaults; it exists only to host
# yandex_vpc_subnet.foo.
resource "yandex_vpc_network" "foo" {}

# Single subnet shared by every subcluster of the Data Proc cluster.
resource "yandex_vpc_subnet" "foo" {
  # Matches the cluster's zone_id.
  zone           = "ru-central1-b"
  network_id     = yandex_vpc_network.foo.id
  v4_cidr_blocks = ["10.1.0.0/24"]
}

# One service account reused for three purposes in this configuration: the
# cluster's service_account_id, the member of both folder role bindings, and
# the owner of the static access key used to create the bucket.
# NOTE(review): reusing it means the cluster identity also holds whatever was
# granted for bucket creation; separate accounts would keep the roles apart.
resource "yandex_iam_service_account" "dataproc" {
  name        = "dataproc"
  description = "service account to manage Dataproc Cluster"
}

# Looks up the existing folder named "default". Both role bindings in this
# configuration are written to this folder's IAM policy, so applying or
# destroying it changes access on a folder that Terraform did not create.
data "yandex_resourcemanager_folder" "default" {
  name = "default"
}

# Grants mdb.dataproc.agent on the folder to the dataproc service account.
# This is one of the two bindings whose destroy fails with
# "Binding for role ... not found in policy for folder" in the log above.
# NOTE(review): per the provider docs an iam_binding is authoritative for its
# role, so applying or destroying it can drop the role from members granted
# outside this configuration. Confirm before using it on a shared folder.
resource "yandex_resourcemanager_folder_iam_binding" "dataproc" {
  folder_id = data.yandex_resourcemanager_folder.default.id
  role      = "mdb.dataproc.agent"
  members = [
    "serviceAccount:${yandex_iam_service_account.dataproc.id}",
  ]
}

// Required in order to create the bucket.
// NOTE(review): "editor" is a folder-wide role and covers far more than bucket
// creation, and the member is the same service account the cluster uses.
// A storage-scoped role (for example storage.editor; confirm it covers the
// bucket operations used here) would be closer to least privilege.
// NOTE(review): per the provider docs an iam_binding is authoritative for its
// role, so this resource can remove "editor" from other members of the folder
// on apply or destroy. Confirm before using it on a shared folder.
resource "yandex_resourcemanager_folder_iam_binding" "bucket-creator" {
  folder_id = data.yandex_resourcemanager_folder.default.id
  role      = "editor"
  members = [
    "serviceAccount:${yandex_iam_service_account.dataproc.id}",
  ]
}

# Static access key for the dataproc service account; its access_key and
# secret_key are passed to the bucket resource.
# NOTE(review): the secret_key attribute is recorded in Terraform state, so
# the state file needs the same protection as the key itself (restricted,
# encrypted backend). The key is long-lived until this resource is destroyed.
resource "yandex_iam_service_account_static_access_key" "foo" {
  service_account_id = yandex_iam_service_account.dataproc.id
}

# Bucket referenced by the cluster's `bucket` argument.
resource "yandex_storage_bucket" "bucket-apatsev" {
  # Wait for the "editor" binding so the service account is allowed to create
  # the bucket. On destroy the order reverses: bucket first, binding after.
  depends_on = [
    yandex_resourcemanager_folder_iam_binding.bucket-creator
  ]

  bucket     = "bucket-apatsev"
  # Bucket operations authenticate with the service account's static key, not
  # with the provider's own credentials.
  access_key = yandex_iam_service_account_static_access_key.foo.access_key
  secret_key = yandex_iam_service_account_static_access_key.foo.secret_key
}
patsevanton commented 2 years ago

Fixed by https://github.com/yandex-cloud/terraform-provider-yandex/pull/284

apilikov commented 1 year ago

I don't quite get why you are experiencing the problem. From reading the code, I concluded there should be no errors of the sort you are getting. Could you please re-run our original example with the following tweak: `TF_ENABLE_API_LOGGING=1 terraform destroy`, and attach the log file to the issue? Thank you!