confluent_role_binding Resource

General Availability

confluent_role_binding provides a Role Binding resource that enables creating, reading, and deleting role bindings on Confluent Cloud.

Example Usage

// Organization-scoped binding: the service account receives MetricsViewer
// on the organization identified by crn_pattern.
resource "confluent_role_binding" "org-example-rb" {
  role_name   = "MetricsViewer"
  crn_pattern = data.confluent_organization.demo.resource_name
  principal   = "User:${confluent_service_account.test.id}"
}

// Environment-scoped binding: the service account receives EnvironmentAdmin
// on the "stag" environment.
// NOTE(review): EnvironmentAdmin is an administrative role; confirm the
// service account needs environment-wide admin rather than a narrower role.
resource "confluent_role_binding" "environment-example-rb" {
  role_name   = "EnvironmentAdmin"
  crn_pattern = confluent_environment.stag.resource_name
  principal   = "User:${confluent_service_account.test.id}"
}

// Same environment-scoped EnvironmentAdmin grant, but the principal is an
// identity pool instead of a service account.
// NOTE(review): presumably every identity the pool admits inherits this role,
// so the pool's own filter is part of the grant; verify the pool definition.
resource "confluent_role_binding" "environment-example-rb-2" {
  role_name   = "EnvironmentAdmin"
  crn_pattern = confluent_environment.stag.resource_name
  principal   = "User:${confluent_identity_pool.test.id}"
}

// Environment-scoped binding: the service account receives DataDiscovery
// on the "stag" environment.
resource "confluent_role_binding" "data-discovery-example-rb" {
  role_name   = "DataDiscovery"
  crn_pattern = confluent_environment.stag.resource_name
  principal   = "User:${confluent_service_account.test.id}"
}

// Organization-scoped binding: the service account receives NetworkAdmin
// on the organization identified by crn_pattern.
// NOTE(review): the scope here is the whole organization, not one
// environment; confirm that breadth is intended.
resource "confluent_role_binding" "network-example-rb" {
  role_name   = "NetworkAdmin"
  crn_pattern = data.confluent_organization.demo.resource_name
  principal   = "User:${confluent_service_account.test.id}"
}

// Cluster-scoped binding: the service account receives CloudClusterAdmin on
// the "basic" Kafka cluster. Cluster-level bindings use the cluster's
// rbac_crn attribute as the pattern.
resource "confluent_role_binding" "cluster-example-rb" {
  role_name   = "CloudClusterAdmin"
  crn_pattern = confluent_kafka_cluster.basic.rbac_crn
  principal   = "User:${confluent_service_account.test.id}"
}

// Topic-scoped binding: the service account receives DeveloperWrite on the
// single "orders" topic of the "standard" cluster. The pattern is the
// cluster's rbac_crn followed by /kafka=<cluster id>/topic=<topic name>.
resource "confluent_role_binding" "topic-example-rb" {
  role_name   = "DeveloperWrite"
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/kafka=${confluent_kafka_cluster.standard.id}/topic=${confluent_kafka_topic.orders.topic_name}"
  principal   = "User:${confluent_service_account.test.id}"
}

// Same topic-scoped DeveloperWrite grant on "orders", but the principal is an
// identity pool instead of a service account.
// NOTE(review): presumably every identity the pool admits can write to the
// topic; verify the pool definition.
resource "confluent_role_binding" "topic-example-rb-2" {
  role_name   = "DeveloperWrite"
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/kafka=${confluent_kafka_cluster.standard.id}/topic=${confluent_kafka_topic.orders.topic_name}"
  principal   = "User:${confluent_identity_pool.test.id}"
}

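// Consumer-group-scoped binding: the service account receives DeveloperRead
// on consumer groups of the "standard" cluster whose ID matches the pattern.
resource "confluent_role_binding" "group-example-rb" {
  principal = "User:${confluent_service_account.test.id}"
  role_name = "DeveloperRead"
  // The crn_pattern suffix (group=confluent_cli_consumer_*) is set up to match Confluent CLI's default consumer group ID ("confluent_cli_consumer_<uuid>").
  // https://docs.confluent.io/confluent-cli/current/command-reference/kafka/topic/confluent_kafka_topic_consume.html
  // Update it to match your target consumer group ID. The trailing * widens
  // the grant to every group sharing that prefix.
  //
  // The rbac_crn prefix and the kafka= segment must name the same cluster.
  // The original mixed "basic" and "standard"; both now use "standard", as in
  // the topic examples.
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/kafka=${confluent_kafka_cluster.standard.id}/group=confluent_cli_consumer_*"
}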

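// Transactional-ID-scoped binding: the service account receives DeveloperRead
// on the transactional ID "my_transaction" of the "standard" cluster.
resource "confluent_role_binding" "transaction-example-rb" {
  principal = "User:${confluent_service_account.test.id}"
  role_name = "DeveloperRead"
  // The rbac_crn prefix and the kafka= segment must name the same cluster.
  // The original mixed "basic" and "standard"; both now use "standard", as in
  // the topic examples.
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/kafka=${confluent_kafka_cluster.standard.id}/transactional-id=my_transaction"
}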

// Connector-scoped binding: the service account receives DeveloperRead on one
// connector of the "standard" cluster. The connector name comes from
// local.connector_name; unlike the topic pattern, there is no kafka= segment.
resource "confluent_role_binding" "connector-example-rb" {
  role_name   = "DeveloperRead"
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/connector=${local.connector_name}"
  principal   = "User:${confluent_service_account.test.id}"
}

// Schema Registry binding: the service account receives DeveloperRead on
// every subject (subject=*) of the "example" Schema Registry cluster.
// NOTE(review): the bare wildcard also covers subjects created later; use a
// literal name or a prefix if read access should be narrower.
resource "confluent_role_binding" "all-subjects-example-rb" {
  role_name   = "DeveloperRead"
  crn_pattern = "${confluent_schema_registry_cluster.example.resource_name}/subject=*"
  principal   = "User:${confluent_service_account.test.id}"
}

// Schema Registry binding: the service account receives DeveloperRead on the
// single subject "foo" of the "example" Schema Registry cluster.
resource "confluent_role_binding" "subject-foo-example-rb" {
  role_name   = "DeveloperRead"
  crn_pattern = "${confluent_schema_registry_cluster.example.resource_name}/subject=foo"
  principal   = "User:${confluent_service_account.test.id}"
}

// Schema Registry binding: the service account receives DeveloperRead on
// subjects whose name starts with "abc" (subject=abc*) in the "example"
// Schema Registry cluster.
resource "confluent_role_binding" "subject-with-abc-prefix-example-rb" {
  role_name   = "DeveloperRead"
  crn_pattern = "${confluent_schema_registry_cluster.example.resource_name}/subject=abc*"
  principal   = "User:${confluent_service_account.test.id}"
}

locals {
  // Connector name read from the connector's non-sensitive config map; it is
  // interpolated into connector-example-rb's crn_pattern.
  // If the "name" key is absent, lookup() returns the literal fallback text
  // below rather than raising an error, so that text would become part of
  // the CRN pattern.
  // NOTE(review): confirm whether a hard failure is preferable here.
  connector_name = lookup(confluent_connector.test.config_nonsensitive, "name", "\"name\" attribute is missing")
}

Argument Reference

The following arguments are supported:

Attributes Reference

In addition to the preceding arguments, the following attributes are exported:

Import

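You can import a Role Binding by using its Role Binding ID. The two environment variables supply the Confluent Cloud API key and secret used for the import, for example: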

$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ terraform import confluent_role_binding.my_rb rb-f3a90de

Getting Started

The following end-to-end examples might help you get started with the confluent_role_binding resource: