[英]Terraform GCP Assign IAM roles to service account
我正在使用以下
resource "google_service_account" "store_user" {
account_id = "store-user"
display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
project = var.project_id
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}"
]
}
效果很好,因为它创建了 SA 并为其分配了存储管理员角色。 伟大的。 但我需要给这个 SA 大约 4 个角色。 我尝试了各种方法,包括使用带有重复绑定/角色块的数据块,如下所示:
data "google_iam_policy" "store_user_roles" {
binding {
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
binding {
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
}
奇怪的是,它运行了,但 SA 没有获得角色/权限。 我尝试了各种我在这里和那里找到的其他示例,但没有成功。 有人可以在正确的方向上推动我如何实现这一目标吗?
// 更新。 以下确实对我有用:
resource "google_project_iam_binding" "storage-iam" {
project = var.project_id
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
resource "google_project_iam_binding" "pubsub-iam" {
project = var.project_id
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
另一种选择是使用循环。 这是一些使用count
循环的示例代码。
变量.tf
variable "rolesList" {
type =list(string)
default = ["roles/storage.admin","roles/pubsub.admin"]
}
服务帐户.tf
resource "google_service_account" "store_user" {
account_id = "store-user"
display_name = "Storage User"
}
resource "google_project_iam_binding" "store_user" {
project = var.project_id
count = length(var.rolesList)
role = var.rolesList[count.index]
members = [
"serviceAccount:${google_service_account.store_user.email}"
]
}
请注意,当使用count
循环时,Terraform 使用 state 文件中的值维护索引的 map。 简单来说,如果您仅仅因为我们不想要该角色而从列表中删除第一个元素,那么 Terraform 将从索引 2(旧列表的)中删除所有元素,然后将它们应用回来。
此外,我更喜欢使用google_project_iam_member
而不是google_project_iam_binding
,因为当使用google_project_iam_binding
时,如果有任何用户或 SAs 在 Terraform 绑定到同一角色之外创建,GCP 将在未来运行时将其删除(TF 应用)。
我认为这是通过以下资源实现的:
所以用你的代码,减去数据源,改变口味:
resource "google_service_account_iam_binding" "storage-iam" {
service_account_id = google_service_account.store_user.name
role = "roles/storage.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
resource "google_service_account_iam_binding" "pubsub-iam" {
service_account_id = google_service_account.store_user.name
role = "roles/pubsub.admin"
members = [
"serviceAccount:${google_service_account.store_user.email}",
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.