confluent_role_binding
`confluent_role_binding` provides a Role Binding resource that enables creating, reading, and deleting role bindings on Confluent Cloud.
resource "confluent_role_binding" "org-example-rb" {
  // Organization-scoped binding: the CRN is the confluent_organization data source's
  // resource_name, so MetricsViewer applies at organization scope for this service account.
  crn_pattern = data.confluent_organization.demo.resource_name
  role_name   = "MetricsViewer"
  principal   = format("User:%s", confluent_service_account.test.id)
}
resource "confluent_role_binding" "environment-example-rb" {
  // EnvironmentAdmin for the service account at environment scope; the CRN is the
  // "stag" environment's resource_name.
  principal   = join(":", ["User", confluent_service_account.test.id])
  role_name   = "EnvironmentAdmin"
  crn_pattern = confluent_environment.stag.resource_name
}
resource "confluent_role_binding" "environment-example-rb-2" {
  // Same EnvironmentAdmin binding on the "stag" environment, but the principal is a
  // confluent_identity_pool rather than a service account.
  crn_pattern = confluent_environment.stag.resource_name
  role_name   = "EnvironmentAdmin"
  principal   = format("User:%s", confluent_identity_pool.test.id)
}
resource "confluent_role_binding" "data-discovery-example-rb" {
  // DataDiscovery for the service account, scoped to the "stag" environment.
  role_name   = "DataDiscovery"
  principal   = join(":", ["User", confluent_service_account.test.id])
  crn_pattern = confluent_environment.stag.resource_name
}
resource "confluent_role_binding" "network-example-rb" {
  // NetworkAdmin for the service account at organization scope (the CRN is the
  // organization's resource_name, as in org-example-rb).
  crn_pattern = data.confluent_organization.demo.resource_name
  principal   = format("User:%s", confluent_service_account.test.id)
  role_name   = "NetworkAdmin"
}
resource "confluent_role_binding" "cluster-example-rb" {
  // CloudClusterAdmin on the "basic" Kafka cluster. Note that Kafka clusters expose the
  // binding scope as rbac_crn, whereas environments and the organization use resource_name.
  role_name   = "CloudClusterAdmin"
  crn_pattern = confluent_kafka_cluster.basic.rbac_crn
  principal   = join(":", ["User", confluent_service_account.test.id])
}
resource "confluent_role_binding" "topic-example-rb" {
  // DeveloperWrite on a single topic. The CRN is built from three parts that must all
  // refer to the same cluster: its rbac_crn, its id (kafka=<id>) and the topic name.
  principal = format("User:%s", confluent_service_account.test.id)
  role_name = "DeveloperWrite"
  crn_pattern = format(
    "%s/kafka=%s/topic=%s",
    confluent_kafka_cluster.standard.rbac_crn,
    confluent_kafka_cluster.standard.id,
    confluent_kafka_topic.orders.topic_name,
  )
}
resource "confluent_role_binding" "topic-example-rb-2" {
  // Same single-topic DeveloperWrite binding as topic-example-rb, with a
  // confluent_identity_pool as the principal instead of a service account.
  role_name = "DeveloperWrite"
  principal = join(":", ["User", confluent_identity_pool.test.id])
  crn_pattern = join("/", [
    confluent_kafka_cluster.standard.rbac_crn,
    format("kafka=%s", confluent_kafka_cluster.standard.id),
    format("topic=%s", confluent_kafka_topic.orders.topic_name),
  ])
}
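resource "confluent_role_binding" "group-example-rb" {
  principal = "User:${confluent_service_account.test.id}"
  role_name = "DeveloperRead"
  // The existing value of crn_pattern's suffix (group=confluent_cli_consumer_*) is set up to match Confluent CLI's default consumer group ID ("confluent_cli_consumer_<uuid>").
  // https://docs.confluent.io/confluent-cli/current/command-reference/kafka/topic/confluent_kafka_topic_consume.html
  // Update it to match your target consumer group ID. The trailing "*" is a prefix match (compare subject=abc* below),
  // so as written the binding covers every group whose name starts with "confluent_cli_consumer_", not one group.
  // The rbac_crn prefix and the kafka=<id> segment must come from the same cluster; the previous version paired
  // confluent_kafka_cluster.basic.rbac_crn with confluent_kafka_cluster.standard.id, producing a CRN that names two
  // different clusters. Both now reference the "standard" cluster, matching topic-example-rb.
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/kafka=${confluent_kafka_cluster.standard.id}/group=confluent_cli_consumer_*"
}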
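resource "confluent_role_binding" "transaction-example-rb" {
  // DeveloperRead on a single transactional id ("my_transaction") for the service account.
  principal = "User:${confluent_service_account.test.id}"
  role_name = "DeveloperRead"
  // The rbac_crn prefix and the kafka=<id> segment must refer to the same cluster; the previous version mixed
  // confluent_kafka_cluster.basic.rbac_crn with confluent_kafka_cluster.standard.id, which names two different
  // clusters in one CRN. Both now reference the "standard" cluster, consistent with topic-example-rb.
  crn_pattern = "${confluent_kafka_cluster.standard.rbac_crn}/kafka=${confluent_kafka_cluster.standard.id}/transactional-id=my_transaction"
}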
resource "confluent_role_binding" "connector-example-rb" {
  // DeveloperRead on one connector of the "standard" cluster; the connector name is taken
  // from local.connector_name (see the locals block below).
  crn_pattern = format("%s/connector=%s", confluent_kafka_cluster.standard.rbac_crn, local.connector_name)
  role_name   = "DeveloperRead"
  principal   = format("User:%s", confluent_service_account.test.id)
}
resource "confluent_role_binding" "all-subjects-example-rb" {
  // DeveloperRead across the Schema Registry cluster: "subject=*" matches every subject,
  // so this is the broadest of the three subject examples. Prefer subject=<name> or a
  // prefix (subject=abc*) when only specific subjects need to be readable.
  principal   = join(":", ["User", confluent_service_account.test.id])
  role_name   = "DeveloperRead"
  crn_pattern = format("%s/subject=*", confluent_schema_registry_cluster.example.resource_name)
}
resource "confluent_role_binding" "subject-foo-example-rb" {
  // DeveloperRead on exactly one subject ("foo") in the Schema Registry cluster.
  role_name   = "DeveloperRead"
  crn_pattern = join("/", [confluent_schema_registry_cluster.example.resource_name, "subject=foo"])
  principal   = format("User:%s", confluent_service_account.test.id)
}
resource "confluent_role_binding" "subject-with-abc-prefix-example-rb" {
  // DeveloperRead on every subject whose name starts with "abc" (the trailing "*" is a prefix match).
  crn_pattern = format("%s/subject=abc*", confluent_schema_registry_cluster.example.resource_name)
  principal   = join(":", ["User", confluent_service_account.test.id])
  role_name   = "DeveloperRead"
}
locals {
  // Connector name consumed by connector-example-rb's crn_pattern, read from the connector's non-sensitive config.
  // lookup() returns its third argument when the "name" key is absent, so a missing name does not fail the plan;
  // the placeholder text would instead become the connector=<...> segment of the CRN. Check the planned
  // crn_pattern for that text before applying.
  connector_name = lookup(confluent_connector.test.config_nonsensitive, "name", "\"name\" attribute is missing")
}
The following arguments are supported:
principal
- (Required String) A principal User to bind the role to, for example, "User:u-111aaa" for binding to a user "u-111aaa", or "User:sa-111aaa" for binding to a service account "sa-111aaa".
role_name
- (Required String) A name of the role to bind to the principal. See Confluent Cloud RBAC Roles for a full list of supported role names.
crn_pattern
- (Required String) A Confluent Resource Name (CRN) that specifies the scope and resource patterns necessary for the role to bind.
In addition to the preceding arguments, the following attributes are exported:
id
- (Required String) The ID of the Role Binding (e.g., rb-f3a90de).
You can import a Role Binding by using the Role Binding ID, for example:
# The Cloud API key and secret are supplied to the provider through environment variables;
# <cloud_api_key> / <cloud_api_secret> are placeholders for your own values.
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
# Imports the existing role binding into the resource address confluent_role_binding.my_rb;
# the last argument is the Role Binding ID.
$ terraform import confluent_role_binding.my_rb rb-f3a90de
The following end-to-end examples might help to get started with the confluent_role_binding resource:
standard-kafka-rbac: _Standard_ Kafka cluster with authorization using RBAC
dedicated-public-kafka-rbac: _Dedicated_ Kafka cluster that is accessible over the public internet with authorization using RBAC
dedicated-privatelink-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using RBAC
dedicated-privatelink-azure-kafka-rbac: _Dedicated_ Kafka cluster on Azure that is accessible via PrivateLink connections with authorization using RBAC
dedicated-vnet-peering-azure-kafka-rbac: _Dedicated_ Kafka cluster on Azure that is accessible via VPC Peering connections with authorization using RBAC
dedicated-vpc-peering-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via VPC Peering connections with authorization using RBAC
dedicated-vpc-peering-gcp-kafka-rbac: _Dedicated_ Kafka cluster on GCP that is accessible via VPC Peering connections with authorization using RBAC
dedicated-transit-gateway-attachment-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using ACLs
dedicated-transit-gateway-attachment-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using RBAC
enterprise-privatelinkattachment-aws-kafka-acls: _Enterprise_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs