Binding for role "mdb.dataproc.agent" not found in policy for folder #283

Open
patsevanton opened this issue Aug 12, 2022 · 2 comments

@patsevanton
Contributor

Hello!
When I install and destroy the example from yandex_dataproc_cluster, I get an error:

yandex_dataproc_cluster.foo: Destroying... [id=c9qjroagc36nb3c97am3]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 10s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 20s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 30s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 40s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 50s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m0s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m10s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m20s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m30s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m40s elapsed]
yandex_dataproc_cluster.foo: Still destroying... [id=c9qjroagc36nb3c97am3, 1m50s elapsed]
yandex_dataproc_cluster.foo: Destruction complete after 1m54s
yandex_resourcemanager_folder_iam_binding.dataproc: Destroying... [id=b1g972v94kscfi3qmfmh/mdb.dataproc.agent]
yandex_vpc_subnet.foo: Destroying... [id=e2lu17eoapj0il6auj4b]
yandex_storage_bucket.bucket-apatsev: Destroying... [id=bucket-apatsev]
yandex_vpc_subnet.foo: Destruction complete after 5s
yandex_vpc_network.foo: Destroying... [id=enpllufk5evee1t73g76]
yandex_vpc_network.foo: Destruction complete after 0s
yandex_storage_bucket.bucket-apatsev: Still destroying... [id=bucket-apatsev, 10s elapsed]
yandex_storage_bucket.bucket-apatsev: Destruction complete after 12s
yandex_resourcemanager_folder_iam_binding.bucket-creator: Destroying... [id=b1g972v94kscfi3qmfmh/editor]
yandex_iam_service_account_static_access_key.foo: Destroying... [id=aje0fpde57nso7crm9l9]
yandex_iam_service_account_static_access_key.foo: Destruction complete after 0s
╷
│ Error: Binding for role "editor" not found in policy for folder "b1g972v94kscfi3qmfmh".
│ 
│ 
╵
╷
│ Error: Binding for role "mdb.dataproc.agent" not found in policy for folder "b1g972v94kscfi3qmfmh".

My Terraform code, copied from https://registry.tfpla.net/providers/yandex-cloud/yandex/latest/docs/resources/dataproc_cluster:

resource "yandex_dataproc_cluster" "foo" {
  depends_on = [yandex_resourcemanager_folder_iam_binding.dataproc]

  bucket      = yandex_storage_bucket.bucket-apatsev.bucket
  description = "Dataproc Cluster created by Terraform"
  name        = "dataproc-cluster"
  labels = {
    created_by = "terraform"
  }
  service_account_id = yandex_iam_service_account.dataproc.id
  zone_id            = "ru-central1-b"

  cluster_config {
    # Certain cluster version can be set, but better to use default value (last stable version)
    # version_id = "1.4"

    hadoop {
      services = ["HDFS", "YARN", "SPARK", "TEZ", "MAPREDUCE", "HIVE"]
      properties = {
        "yarn:yarn.resourcemanager.am.max-attempts" = 5
      }
      ssh_public_keys = [
        file("~/.ssh/id_rsa.pub"),
      ]
    }

    subcluster_spec {
      name = "main"
      role = "MASTERNODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 1
    }

    subcluster_spec {
      name = "data"
      role = "DATANODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 2
    }

    subcluster_spec {
      name = "compute"
      role = "COMPUTENODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 2
    }

    subcluster_spec {
      name = "compute_autoscaling"
      role = "COMPUTENODE"
      resources {
        resource_preset_id = "s2.small"
        disk_type_id       = "network-hdd"
        disk_size          = 20
      }
      subnet_id   = yandex_vpc_subnet.foo.id
      hosts_count = 2
      autoscaling_config {
        max_hosts_count        = 10
        measurement_duration   = 60
        warmup_duration        = 60
        stabilization_duration = 120
        preemptible            = false
        decommission_timeout   = 60
      }
    }
  }
}

resource "yandex_vpc_network" "foo" {}

resource "yandex_vpc_subnet" "foo" {
  zone           = "ru-central1-b"
  network_id     = yandex_vpc_network.foo.id
  v4_cidr_blocks = ["10.1.0.0/24"]
}

resource "yandex_iam_service_account" "dataproc" {
  name        = "dataproc"
  description = "service account to manage Dataproc Cluster"
}

data "yandex_resourcemanager_folder" "default" {
  name = "default"
}

resource "yandex_resourcemanager_folder_iam_binding" "dataproc" {
  folder_id = data.yandex_resourcemanager_folder.default.id
  role      = "mdb.dataproc.agent"
  members = [
    "serviceAccount:${yandex_iam_service_account.dataproc.id}",
  ]
}

// required in order to create bucket
resource "yandex_resourcemanager_folder_iam_binding" "bucket-creator" {
  folder_id = data.yandex_resourcemanager_folder.default.id
  role      = "editor"
  members = [
    "serviceAccount:${yandex_iam_service_account.dataproc.id}",
  ]
}

resource "yandex_iam_service_account_static_access_key" "foo" {
  service_account_id = yandex_iam_service_account.dataproc.id
}

resource "yandex_storage_bucket" "bucket-apatsev" {
  depends_on = [
    yandex_resourcemanager_folder_iam_binding.bucket-creator
  ]

  bucket     = "bucket-apatsev"
  access_key = yandex_iam_service_account_static_access_key.foo.access_key
  secret_key = yandex_iam_service_account_static_access_key.foo.secret_key
}

@patsevanton
Contributor Author

Fixed by #284

@apilikov
Contributor

apilikov commented Feb 1, 2023

I don't quite get why you experience the problem. By looking at the code I've concluded there should be no errors of the sort you are getting. Could you please re-run our original example with the following tweak TF_ENABLE_API_LOGGING=1 terraform destroy and attach a log file to the issue? Thank you!
