terraform-provider-confluent: Kafka ACL Fails to Read after some time without Changes

We recently started using the terraform provider an are currently creating some ServiceAccounts, ApiKeys and ACLs through terraform.

However we are currently facing the issue, that the ACLs suddenly can’t be read anymore some time after creation Even without any changes to the terraform code. We get the following error

The ClusterId and Endpoint have been replaced in the following error log.

╷
│ Error: error reading Kafka ACLs: Get "[https://xxx.eu-central-1.aws.confluent.cloud:443/kafka/v3/clusters/yyy/acls?host=%!A(MISSING)&operation=WRITE&pattern_type=PREFIXED&permission=ALLOW&principal=User%!A(MISSING)832913&resource_name=SomeTopic&resource_type=TOPIC"](https://xxx.%2A%2A%2A.aws.confluent.cloud/kafka/v3/clusters/yyy/acls?host=%!A(MISSING)&operation=WRITE&pattern_type=PREFIXED&permission=ALLOW&principal=User%!A(MISSING)832913&resource_name=SomeTopic&resource_type=TOPIC%22): GET [https://xxx.eu-central-1.aws.confluent.cloud:443/kafka/v3/clusters/yyy/acls?host=%!A(MISSING)&operation=WRITE&pattern_type=PREFIXED&permission=ALLOW&principal=User%!A(MISSING)832913&resource_name=SomeTopic&resource_type=TOPIC](https://xxx.%2A%2A%2A.aws.confluent.cloud/kafka/v3/clusters/yyy/acls?host=%!A(MISSING)&operation=WRITE&pattern_type=PREFIXED&permission=ALLOW&principal=User%!A(MISSING)832913&resource_name=SomeTopic&resource_type=TOPIC) giving up after 5 attempt(s): Get "[https://xxx.eu-central-1.aws.confluent.cloud:443/kafka/v3/clusters/yyy/acls?host=%!A(MISSING)&operation=WRITE&pattern_type=PREFIXED&permission=ALLOW&principal=User%!A(MISSING)832913&resource_name=SomeTopic&resource_type=TOPIC"](https://xxx.%2A%2A%2A.aws.confluent.cloud/kafka/v3/clusters/yyy/acls?host=%!A(MISSING)&operation=WRITE&pattern_type=PREFIXED&permission=ALLOW&principal=User%!A(MISSING)832913&resource_name=SomeTopic&resource_type=TOPIC%22): http: server gave HTTP response to HTTPS client
│ 
│   with confluent_kafka_acl.allow-write-vti-topics,
│   on vti-ams-credentials.tf line 33, in resource "confluent_kafka_acl" "allow-write-vti-topics":
│   33: resource "confluent_kafka_acl" "allow-write-vti-topics" {
│ 
╵

For Some Reason the ‘:’ in the username as well as the host suddenly contain a ‘MISSING’ The terraform statefile contains the correct values.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 18

Most upvoted comments

@linouk23 thanks for the update, we will look into this on our side.

+1
FischlerA on Jan 27, 2023

To be honest, we haven’t tried it since i opened this issue as the solution didn’t seem reliable, so we had to use another solution. We probably won’t be revisiting the terraform provider for the next few month, and since we seem to be the only ones facing this error the issue can be closed if you want.

+1
FischlerA on Sep 28, 2022

Received the forwarded email, thanks!

+1
linouk23 on Aug 26, 2022

Thanks for the provided info!

While we’re waiting for logs, could you double check that principal attribute equals to "User:sa-abc123" (basically that it starts with "User:sa-...") in TF state (and not "User:832913").

I just send you the log file via email. And yes i can confirm the terraform state contains the principal as “User:sa…” and not the number.

We recreate our Environments everyday and so all the resources were recreated as well. Once again the creation worked just fine and further runs worked as well but the issue still occurred after about 2 hours, and now we get the same error as yesterday and again without any changes to the terraform code. So it’s not a one of occurrence.

+1
FischlerA on Aug 26, 2022
Read more comments on GitHub
← terraform-provider-confluent: Error when provisioning schema with 1.32.0 version
terraform-provider-confluent: Not able to create a dedicated cluster with encryption_key on GCP →