
Unable to update resource name restrictions of a rolebinding #142

@rvanderstarre

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v1.12.2

Affected Resource(s)

streamnative_rolebinding

Terraform Configuration Files

Initial configuration:

resource "streamnative_rolebinding" "rolebinding_topics" {
  name                  = "topic-readonly_example-accept"
  organization          = local.streamnative_myorg_id
  cluster_role_name     = "topic-consumer"
  service_account_names = ["example-accept"]

  resource_name_restriction {
    common_organization = local.streamnative_myorg_id
    common_tenant       = "example-tenant-accept"
    common_namespace    = "example-namespace"
    common_topic        = "allPartition('example.avro.1')"
  }
}

Updated configuration:

resource "streamnative_rolebinding" "rolebinding_topics" {
  name                  = "topic-readonly_example-accept"
  organization          = local.streamnative_myorg_id
  cluster_role_name     = "topic-consumer"
  service_account_names = ["example-accept"]

  resource_name_restriction {
    common_cluster      = "cluster-1"
    common_organization = local.streamnative_myorg_id
    common_tenant       = "example-tenant-accept"
    common_namespace    = "example-namespace"
    common_topic        = "allPartition('example.avro.1')"
  }
}

Debug Output

module.pulsar-accounts.streamnative_service_account.service_accounts["example-accept"]: Refreshing state... [id=o-abc12/example-accept]
module.pulsar-accounts.streamnative_rolebinding.rolebinding_topics["example-accept-consume-example-tenant-accept/example-namespace/example.avro.1"]: Refreshing state... [id=o-abc12/topic-consumer_example-accept_example-tenant-accept-example-namespace-example.avro.1]
module.pulsar-accounts.streamnative_rolebinding.topic_readonly["example-accept"]: Refreshing state... [id=o-abc12/topic-readonly_example-accept]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.pulsar-accounts.streamnative_rolebinding.rolebinding_topics["example-accept-consume-example-tenant-accept/example-namespace/example.avro.1"] will be updated in-place
  ~ resource "streamnative_rolebinding" "rolebinding_topics" {
        id                    = "o-abc12/topic-consumer_example-accept_example-tenant-accept-example-namespace-example.avro.1"
        name                  = "topic-consumer_example-accept_example-tenant-accept-example-namespace-example.avro.1"
        # (4 unchanged attributes hidden)

      ~ resource_name_restriction {
          ~ common_cluster            = "cluster-2" -> "cluster-3"
            # (13 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.pulsar-accounts.streamnative_rolebinding.rolebinding_topics["example-accept-consume-example-tenant-accept/example-namespace/example.avro.1"]: Modifying... [id=o-abc12/topic-consumer_example-accept_example-tenant-accept-example-namespace-example.avro.1]
module.pulsar-accounts.streamnative_rolebinding.rolebinding_topics["example-accept-consume-example-tenant-accept/example-namespace/example.avro.1"]: Modifications complete after 1s [id=o-abc12/topic-consumer_example-accept_example-tenant-accept-example-namespace-example.avro.1]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.      

Expected Behavior

I would expect that once the updated configuration is applied, the corresponding restriction in the role binding would be updated to reflect the change.

Actual Behavior

The apply operation succeeded, but the role-binding restrictions did not update as expected.

Steps to Reproduce

  1. After running terraform apply on the initial configuration, the role-binding condition is as follows:
     {"common":{"organization":"****","tenant":"example-tenant-accept","namespace":"example-namespace","topic":"allPartition('example.avro.1')"}}
  2. After updating the Terraform configuration and running terraform apply, the condition in the role remains unchanged.
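
Added example, not part of the original issue or the provider's code: because the apply reports success while the enforced condition stays the same, a post-apply check can compare the declared `resource_name_restriction` with the condition JSON read back from the role binding. The function names, the `o-abc12` organization id (taken from the resource ids in the debug output) and the mapping of `common_*` attributes onto the nested `common` object are assumptions inferred from the condition shown above.

```python
import json

MASK = "****"  # the condition pasted in the issue masks the organization id this way

def intended_condition(restriction):
    """Map resource_name_restriction attributes (common_tenant, ...) onto the
    nested form seen in the issue. Assumption: text before the first "_" is the group."""
    cond = {}
    for attr, value in restriction.items():
        if value in (None, ""):
            continue  # unset attributes are not expected in the condition
        group, _, field = attr.partition("_")
        cond.setdefault(group, {})[field] = value
    return cond

def restriction_drift(restriction, observed_json):
    """Return (path, intended, observed, status) for each field that differs."""
    want, have = intended_condition(restriction), json.loads(observed_json)
    findings = []
    for group in sorted(set(want) | set(have)):
        w, h = want.get(group, {}), have.get(group, {})
        for field in sorted(set(w) | set(h)):
            wi, ho = w.get(field), h.get(field)
            if wi == ho:
                continue
            status = ("unverifiable" if ho == MASK else "missing" if ho is None
                      else "unexpected" if wi is None else "mismatch")
            findings.append((f"{group}.{field}", wi, ho, status))
    return findings

# Constructed sample: the updated configuration from the issue, org id assumed.
UPDATED = {
    "common_cluster": "cluster-1",
    "common_organization": "o-abc12",
    "common_tenant": "example-tenant-accept",
    "common_namespace": "example-namespace",
    "common_topic": "allPartition('example.avro.1')",
}
# Condition as pasted in the issue after the second apply.
OBSERVED = ('{"common":{"organization":"****","tenant":"example-tenant-accept",'
            '"namespace":"example-namespace","topic":"allPartition(\'example.avro.1\')"}}')

if __name__ == "__main__":
    for finding in restriction_drift(UPDATED, OBSERVED):
        print(finding)
```

A non-empty result after a successful apply means the access scope in effect is not the one the configuration declares; masked values are reported as unverifiable rather than treated as matching.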
