无法从 terraform 更改存储传输服务帐户权限
我正在尝试使用云函数中的网址列表启动谷歌存储传输服务。
为此,我需要存储传输服务帐户具有以下权限(遵循谷歌文档 此处)。 为此,我的 IAC 如下:
main.tf
provider "google" {
project = var.project
region = var.region
zone = var.zone
}
locals {
storage_transfer_service_account = "project-${var.project}@storage-transfer-service.iam.gserviceaccount.com"
}
resource "google_project_service" "storage_transfer_api" {
project = var.project
service = "storagetransfer.googleapis.com"
disable_on_destroy = true
}
# For the storage transfer service account
resource "google_project_iam_member" "legacy_bucket_writer" {
project = var.project
role = "roles/storage.legacyBucketWriter"
member = "serviceAccount:${local.storage_transfer_service_account}"
}
resource "google_project_iam_member" "object_viewer" {
project = var.project
role = "roles/storage.objectViewer"
member = "serviceAccount:${local.storage_transfer_service_account}"
}
但是当我运行我的 terraform plan 时,我收到以下错误:
tf.plan : var.project is a string, known only after apply
tf.plan : Can't access attributes on a primitive-typed value (string).
我了解 项目计划期间尚未设置变量,但如何向服务帐户授予必要的权限?
I am trying to launch a google storage transfer service using url list from a cloudfunction.
For that I need the storage transfer service account to have the following permissions (following the google documentation here).
For that, my IAC is the following:
main.tf
provider "google" {
project = var.project
region = var.region
zone = var.zone
}
locals {
storage_transfer_service_account = "project-${var.project}@storage-transfer-service.iam.gserviceaccount.com"
}
resource "google_project_service" "storage_transfer_api" {
project = var.project
service = "storagetransfer.googleapis.com"
disable_on_destroy = true
}
# For the storage transfer service account
resource "google_project_iam_member" "legacy_bucket_writer" {
project = var.project
role = "roles/storage.legacyBucketWriter"
member = "serviceAccount:${local.storage_transfer_service_account}"
}
resource "google_project_iam_member" "object_viewer" {
project = var.project
role = "roles/storage.objectViewer"
member = "serviceAccount:${local.storage_transfer_service_account}"
}
But when I run my terraform plan I get the following error:
tf.plan : var.project is a string, known only after apply
tf.plan : Can't access attributes on a primitive-typed value (string).
I understand the project variable is not set yet during plan, but how can I grant the necessary permission to the service account ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
仅关于 terraform 代码的一些评论:
有一个特殊的 terraform 数据资源 - google_storage_transfer_project_service_account - 使用它可能会很有用。它可能看起来像这样(
var.project表示项目 ID):Terraform 尝试异步运行大量 API 命令。同时,某些资源可能依赖于其他资源。有时可以推断这些依赖关系,有时 terraform 源文件中没有足够的信息。在 alter 情况下,可以使用
depends_on元参数< /a>.有一段代码(在您的 terraform 中)用于启用存储传输 API。这需要时间。据我所知,存储传输服务帐户是在 API 启用期间创建的。在创建服务账户之前,无法获取其详细信息并为其分配其他 IAM 角色。Couple of comments about terraform code only:
There is a special terraform data resource - google_storage_transfer_project_service_account - it might be useful to utilize it. It might look something like (
var.projectmeans the project ID):Terraform tries to run a lot API commands asynchronously. At the same time some resources may be dependent on others. Sometimes it is possible to infer those dependencies and sometimes there is not enough information in terraform source files. In the alter case a
depends_onmeta-argument can be used. There is a piece of code (in your terraform) used to enable a Storage Transfer API. It takes time. From the best of my understanding, the storage transfer service account is created during that API enabling. And until the service account is created, it is not possible to get its details and assign additional IAM roles for it.