我正试图使用Terraform在GCP上创建一个非常简单的结构:一个计算实例+存储桶。我对GCP文档、Terraform文档以及SO问题进行了一些研究,但仍然不明白这里的诀窍是什么。有人建议使用google_project_iam_binding,但阅读一些文章似乎很危险(阅读:不安全的解决方案(。还有一个只有GCP描述的一般答案,在这里使用了tf术语,这仍然有点令人困惑。同样在这里结束类似的问题,我确认域名所有权是通过谷歌控制台验证的。
因此,我得到了以下结果:
data "google_iam_policy" "admin" {
binding {
role = "roles/iam.serviceAccountUser"
members = [
"user:myemail@domain.name",
"serviceAccount:${google_service_account.serviceaccount.email}",
]
}
}
resource "google_service_account" "serviceaccount" {
account_id = "sa-1"
}
resource "google_service_account_iam_policy" "admin-acc-iam" {
service_account_id = google_service_account.serviceaccount.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_storage_bucket_iam_policy" "policy" {
bucket = google_storage_bucket.storage_bucket.name
policy_data = data.google_iam_policy.admin.policy_data
}
resource "google_compute_network" "vpc_network" {
name = "vpc-network"
auto_create_subnetworks = "true"
}
resource "google_compute_instance" "instance_1" {
name = "instance-1"
machine_type = "f1-micro"
boot_disk {
initialize_params {
image = "cos-cloud/cos-stable"
}
}
network_interface {
network = google_compute_network.vpc_network.self_link
access_config {
}
}
}
resource "google_storage_bucket" "storage_bucket" {
name = "bucket-1"
location = "US"
force_destroy = true
website {
main_page_suffix = "index.html"
not_found_page = "404.html"
}
cors {
origin = ["http://the.domain.name"]
method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
response_header = ["*"]
max_age_seconds = 3600
}
}
但如果我terraform apply,日志会显示类似的错误
Error: Error setting IAM policy for service account 'trololo': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account trololo., forbidden
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
on main.tf line 35, in resource "google_service_account_iam_policy" "admin-acc-iam":
35: resource "google_service_account_iam_policy" "admin-acc-iam" {
2020/09/28 19:19:34 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
Error: googleapi: Error 403: The bucket you tried to create is a domain name owned by another user., forbidden
on main.tf line 82, in resource "google_storage_bucket" "storage_bucket":
以及一些无用的调试信息。怎么了?哪个帐户缺少哪些权限以及如何安全地分配这些权限?
我发现了问题。和往常一样,在90%的情况下,问题都摆在电脑前。
以下是帮助我理解和解决问题的步骤:
- 我读了更多的文章,尤其是这个和这个答案对理解用户、服务帐户和权限之间的关系非常有帮助
- 我知道执行
terraform destroy也非常重要,因为不会回滚新基础结构更改的不成功部署(例如DB迁移(,因此您必须使用destroy或手动清理 - 完全删除了
"user:${var.admin_email}"用户帐户IAM策略,因为它是无用的;所有内容都必须由新创建的服务帐户管理 - 保留了具有大多数权限的主服务帐户(手动创建并下载访问密钥的帐户(,因为Terraform使用了它的凭据
- 并将新服务帐户的IAM策略更改为
roles/iam.serviceAccountAdmin而不是User-感谢@Wojtek_B的提示
在这之后,一切都很顺利!