Description
When configuring an RBAC role binding with the MetricsViewer role at the organization level using the Confluent Terraform Provider, the following error can occur:
Error: error creating Role Binding: 400 Bad Request: Bad Request
Applies To
Confluent Terraform Provider
Cause
A 400 Bad Request error can occur when assigning the MetricsViewer RBAC role at the organization level because of the way the Cloud Resource Name (CRN) pattern is specified in the Terraform resource definition. If you define crn_pattern with a trailing slash after the organization ID, as in the example below, the API request fails because the trailing slash makes the CRN format invalid for this context.
crn_pattern = "crn://confluent.cloud/organization=<org_id>/"
Confluent Cloud enforces strict validation on CRN patterns. An unsupported pattern, even a minor formatting issue, could lead to a 400 error response.
Resolution
To resolve the 400 Bad Request error when assigning the MetricsViewer role at the organization level with Terraform in Confluent Cloud, remove the trailing slash from the organization-level CRN pattern and use it as given below:
crn_pattern = "crn://confluent.cloud/organization=<org_id>"
resource "confluent_role_binding" "app-manager-kafka-metrics-viewer" {
  principal   = "User:${confluent_service_account.app-manager.id}"
  role_name   = "MetricsViewer"
  crn_pattern = "crn://confluent.cloud/organization=<org_id>"
}
Run the terraform apply command. The role binding will be created successfully if all other parameters are valid.
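A pre-apply check for the trailing-slash pattern described above, as an added example that is not part of the original article or of the Confluent provider. The function name, the sample Terraform, the service account name and the all-zero organization ID are constructed for illustration; the check flags only the organization-level form named in this article and leaves longer CRNs alone.

```python
import re

# Any crn_pattern = "..." assignment in Terraform source.
CRN_ASSIGN = re.compile(r'^\s*crn_pattern\s*=\s*"([^"]*)"', re.MULTILINE)
# Organization-level CRN (only segment is organization=<id>) ending in one or more slashes.
ORG_TRAILING_SLASH = re.compile(r'^crn://confluent\.cloud/organization=[^/]+/+$')

# Constructed sample input: one failing binding, one corrected, one environment-scoped.
SAMPLE_TF = '''\
resource "confluent_role_binding" "metrics-viewer-bad" {
  principal   = "User:sa-example"
  role_name   = "MetricsViewer"
  crn_pattern = "crn://confluent.cloud/organization=00000000-0000-0000-0000-000000000000/"
}
resource "confluent_role_binding" "metrics-viewer-good" {
  principal   = "User:sa-example"
  role_name   = "MetricsViewer"
  crn_pattern = "crn://confluent.cloud/organization=00000000-0000-0000-0000-000000000000"
}
resource "confluent_role_binding" "env-scoped" {
  principal   = "User:sa-example"
  role_name   = "EnvironmentAdmin"
  crn_pattern = "crn://confluent.cloud/organization=00000000-0000-0000-0000-000000000000/environment=env-example"
}
'''


def find_bad_org_crns(tf_source):
    """Return (line_number, value, suggested_fix) for every organization-level
    crn_pattern that ends with a trailing slash."""
    findings = []
    for match in CRN_ASSIGN.finditer(tf_source):
        value = match.group(1)
        if ORG_TRAILING_SLASH.match(value):
            # Count newlines before the quoted value to get a 1-based line number.
            line_no = tf_source.count("\n", 0, match.start(1)) + 1
            findings.append((line_no, value, value.rstrip("/")))
    return findings


if __name__ == "__main__":
    for line_no, value, fix in find_bad_org_crns(SAMPLE_TF):
        print(f"line {line_no}: {value!r} -> use {fix!r}")
```

Running this against the .tf files in CI before terraform apply surfaces the problem without waiting for the 400 response from the API.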