terraform-provider-alicloud

alicloud_cs_kubernetes_permissions Grant user permission failed

Open harrypunk opened this issue 3 years ago • 1 comments

Problem

resource alicloud_cs_kubernetes_permissions

  1. does not return enough information about the error
  2. creation fails after 2min

Description

We have several ACK clusters on separate sub accounts. We are setting RBAC rules for roles on sub accounts so that RAM users in the master account can assume the roles to access Kubernetes resources.

terraform v1.2.8, aliyun/alicloud v1.182.0

output

alicloud_cs_kubernetes_permissions.developer_staging_permission: Still creating... [1m40s elapsed]
alicloud_cs_kubernetes_permissions.developer_staging_permission: Still creating... [1m50s elapsed]
Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_cs_kubernetes_permissions.go:99: Resource resource_alicloud_cs_kubernetes_permissions GrantPermissions Failed!!! [SDK aliyun-tablestore-go-sdk ERROR]:
[ERROR] Grant user permission failed 

Expected result

  1. creation can run longer than 2min
  2. returned error has more information

Terraform Configuration Files

resource "alicloud_cs_kubernetes_permissions" "developer_staging_permission" {
  uid = "acs:ram::113************:role/developer"
  permissions {
    cluster     = "ceb61c*************"
    role_type   = "cluster"
    role_name   = "restricted"
    is_ram_role = true
  }
}

An admin credential is used for deploying.

Source

https://github.com/aliyun/terraform-provider-alicloud/blob/master/alicloud/resource_alicloud_cs_kubernetes_permissions.go#L99



func resourceAlicloudCSKubernetesPermissionsCreate(d *schema.ResourceData, meta interface{}) error {
	...
	// the retry loop gives up after 2 minutes
	err = resource.Retry(2*time.Minute, func() *resource.RetryError {
		...
	})
	...
}

Panic Output

https://gist.github.com/harrypunk/7e9947195f98714af2192421381376ab

Steps to Reproduce

terraform apply -auto-approve

harrypunk, Aug 31 '22 05:08

Update: Upgraded version to 1.184.0, still the same problems.

harrypunk, Sep 06 '22 06:09

@harrypunk did you ever figure out a workaround for this?

poblahblahblah, Feb 15 '23 18:02

I figured out a workaround.

Here's our terraform snippet:

# fetch the sre role so we can authorize it against the cluster
data "alicloud_ram_roles" "sre" {
  name_regex = "^sre$"
}

# Grant sre role cluster-admin on the cluster
resource "alicloud_cs_kubernetes_permissions" "cluster-admin" {
  for_each = toset(data.alicloud_ram_roles.sre.ids)

  uid = each.key

  permissions {
    cluster     = alicloud_cs_managed_kubernetes.k8s.0.id
    role_type   = "cluster"
    role_name   = "admin"
    is_custom   = false
    is_ram_role = true
  }
}

poblahblahblah, Feb 15 '23 19:02
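
An added example, not part of the thread or of the provider's code: the workaround's lookup pattern applied to the `developer` / `restricted` grant from the original report, with a data-source postcondition (Terraform 1.2+) so the run fails unless the name lookup returned exactly one role. The `cluster_id` variable and the error message wording are assumptions.

```hcl
# Assumed input: the ACK cluster ID (the issue masks the real value).
variable "cluster_id" {
  type = string
}

# Look the role up by name. The anchored regex keeps the match from
# widening to names such as "developer-admin".
data "alicloud_ram_roles" "developer" {
  name_regex = "^developer$"

  lifecycle {
    # for_each over an empty set creates nothing and reports no error,
    # and a set with several entries grants the role to all of them.
    # Fail here so the grant below covers exactly one principal.
    postcondition {
      condition     = length(self.ids) == 1
      error_message = "Expected exactly one RAM role named developer."
    }
  }
}

# Grant the looked-up role the "restricted" cluster role.
resource "alicloud_cs_kubernetes_permissions" "developer_staging_permission" {
  for_each = toset(data.alicloud_ram_roles.developer.ids)

  # RAM role ID taken from the data source, as in the workaround above
  uid = each.key

  permissions {
    cluster     = var.cluster_id
    role_type   = "cluster"
    role_name   = "restricted"
    is_custom   = false
    is_ram_role = true
  }
}

# Surface which role IDs received the grant, for review in plan output.
output "granted_role_ids" {
  value = keys(alicloud_cs_kubernetes_permissions.developer_staging_permission)
}
```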