Creating a redpanda_schema resource targeting a redpanda_serverless_cluster fails with:
    Error: Failed to create Schema Registry client
    with redpanda_schema.this["my_schema"],
    on redpanda.tf line 69, in resource "redpanda_schema" "this":
    69: resource "redpanda_schema" "this" {
    Unable to create client for cluster <id>: failed to get cluster details:
    unable to request cluster "<id>" information: rpc error: code = PermissionDenied
    desc = Missing required permission read
The service account is an organization-level Admin. Other resources (redpanda_topic, redpanda_user, redpanda_pipeline) that reference the same serverless cluster work fine — those use cluster_api_url rather than cluster_id.
Observations from the source (v1.7.3):
kclients/schema_registry_client.go:GetSchemaRegistryClientForCluster calls cpCl.ClusterForID(). In cloud/controlplane.go, ClusterForID uses the ClusterService gRPC endpoint, while a separate ServerlessClusterForID method exists that uses the ServerlessClusterService endpoint. The Create, Read, Update, and Delete methods on redpanda_schema all call getClient which calls GetSchemaRegistryClientForCluster, so other operations likely hit the same path — but we have only observed the failure on Create.
Note: This appears similar to #247, where redpanda_topic and redpanda_user import paths called ClusterForID for serverless cluster IDs and got the same error. That was fixed in #249 by falling back to ServerlessClusterForID.
Provider version: 1.7.3
Cluster type: redpanda_serverless_cluster
Reproduction:
    resource "redpanda_serverless_cluster" "this" {
      name              = "my-cluster"
      resource_group_id = redpanda_resource_group.this.id
      serverless_region = "us-west-2"
    }

    resource "redpanda_schema" "this" {
      cluster_id  = redpanda_serverless_cluster.this.id
      subject     = "my_schema"
      schema_type = "PROTOBUF"
      schema      = file("my_schema.proto")
      username    = "schema-user"
      password    = "..."
    }
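The fallback the report says #249 applied to the import paths, sketched here as an added example that is not the provider's code. The `Lookup` type, the reduction of cluster details to a URL string, the sentinel error standing in for the gRPC PermissionDenied status, and the choice to fall back only on that error are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPermissionDenied stands in for the gRPC PermissionDenied status in the report.
var ErrPermissionDenied = errors.New("PermissionDenied: Missing required permission read")

// Lookup is a hypothetical, simplified shape for ClusterForID / ServerlessClusterForID.
type Lookup func(id string) (string, error)

// ResolveSchemaRegistryURL falls back to the serverless lookup only after a denial.
func ResolveSchemaRegistryURL(id string, dedicated, serverless Lookup) (string, error) {
	url, err := dedicated(id)
	if err == nil {
		return url, nil
	}
	if !errors.Is(err, ErrPermissionDenied) {
		// Any other failure (network, bad ID format) is returned without a retry.
		return "", fmt.Errorf("cluster %q: %w", id, err)
	}
	url, sErr := serverless(id)
	if sErr != nil {
		// Report both attempts so a genuine permission problem is not masked.
		return "", fmt.Errorf("cluster %q: dedicated lookup: %v; serverless lookup: %w", id, err, sErr)
	}
	return url, nil
}

// fakeLookup is a constructed stand-in for one control-plane service.
func fakeLookup(m map[string]string) Lookup {
	return func(id string) (string, error) {
		if u, ok := m[id]; ok {
			return u, nil
		}
		return "", ErrPermissionDenied
	}
}

func main() {
	ded := fakeLookup(map[string]string{"ded-1": "https://sr.ded-1.example.invalid"})
	srv := fakeLookup(map[string]string{"srv-1": "https://sr.srv-1.example.invalid"})
	for _, id := range []string{"ded-1", "srv-1", "unknown"} {
		u, err := ResolveSchemaRegistryURL(id, ded, srv)
		fmt.Println(id, u, err)
	}
}
```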