```hcl
resource "google_service_account" "bq_test" {
  account_id   = "ei-cs-test"
  display_name = "SA"
  project      = "dev01-ein"
}

resource "google_service_account_key" "sa_key" {
  service_account_id = google_service_account.bq_test.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

resource "google_secret_manager_secret" "secret-basic" {
  secret_id = "test-sa-ad-sec-id"

  labels = {
    label = "my-label"
  }

  replication {
    automatic = true
  }

  project = "-dev01-ein"
}

resource "google_secret_manager_secret_version" "admin-password" {
  secret      = "test-sa-ad"
  secret_data = base64decode(google_service_account_key.sa_key.private_key)
}
```
I am trying to create a service account with a service account key and store the key in Secret Manager, but I am getting an error:

```
Error: Error creating SecretVersion: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>
```
I suspect you are trying to encrypt some sensitive information. I would suggest using Google KMS to encrypt and decrypt it. Your secret would then be encrypted as secret.auto.tfvars.encrypted, and you can also decrypt the ciphertext in the same local repository, e.g. into secrets.auto.tfvars.

You can use the following script:

```shell
$ echo -n my-secret-password | gcloud kms encrypt \
>   --project my-project \
>   --location us-central1 \
>   --keyring my-key-ring \
>   --key my-crypto-key \
>   --plaintext-file - \
>   --ciphertext-file - \
>   | base64
CiQAqD+xX4SXOSziF4a8JYvq4spfAuWhhYSNul33H85HnVtNQW4SOgDu2UZ46dQCRFl5MF6ekabviN8xq+F+2035ZJ85B+xTYXqNf4mZs0RJitnWWuXlYQh6axnnJYu3kDU=
```

An example here will give you a better idea:

- https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/kms_secret#example-usage
- https://cloud.google.com/kms/docs/encrypt-decrypt

Don't forget to reference the encrypted ciphertext in the resource definition:
```hcl
resource "google_service_account" "bq_test" {
  account_id   = "ei-cs-test"
  display_name = "SA"
  project      = ""
}

resource "google_service_account_key" "sa_key" {
  service_account_id = google_service_account.bq_test.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

resource "google_secret_manager_secret" "secret-basic" {
  secret_id = "secret-version"

  labels = {
    label = "my-label"
  }

  replication {
    automatic = true
  }

  project = ""
}

resource "google_secret_manager_secret_version" "admin-password" {
  secret      = google_secret_manager_secret.secret-basic.id
  secret_data = base64decode(google_service_account_key.sa_key.private_key)
}
```
The error occurs on google_secret_manager_secret_version: the secret is not referenced correctly, so it does not work. Try the code above and it will work.
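The root cause in the question is that `secret = "test-sa-ad"` is a hand-typed string that matches neither the `secret_id` of the secret resource nor its full resource name, so the API returns 404 for a secret that does not exist. The configuration below is an added example (not the asker's or the answerer's code) of the corrected pattern: the project comes from a variable instead of being hard-coded in each block, the version references the secret by its resource id so Terraform also orders the creation correctly, and read access to the stored key is granted only to one named identity. The project id, the reader service account `reader@...` and the secret ids are placeholders.

```hcl
# Added example: store a service account key in Secret Manager with Terraform.
# All project ids, account ids, secret ids and the reader identity are placeholders.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

variable "project_id" {
  type        = string
  description = "GCP project that owns the service account and the secret (placeholder)"
}

provider "google" {
  project = var.project_id
}

resource "google_service_account" "bq_test" {
  account_id   = "ei-cs-test"
  display_name = "SA"
}

# private_key is returned base64-encoded and is marked sensitive by the provider;
# it still lands in Terraform state, so the state backend must be access-restricted.
resource "google_service_account_key" "sa_key" {
  service_account_id = google_service_account.bq_test.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

resource "google_secret_manager_secret" "sa_key_secret" {
  secret_id = "test-sa-ad-sec-id"

  labels = {
    label = "my-label"
  }

  replication {
    automatic = true # on google provider 5.x and later this block is written as: auto {}
  }
}

# Reference the secret by its resource id, never by a hand-typed string:
# a mismatched string is exactly what produces the 404 in the question.
resource "google_secret_manager_secret_version" "sa_key_version" {
  secret      = google_secret_manager_secret.sa_key_secret.id
  secret_data = base64decode(google_service_account_key.sa_key.private_key)
}

# Least privilege: only the identity that needs the key may read secret versions.
resource "google_secret_manager_secret_iam_member" "reader" {
  secret_id = google_secret_manager_secret.sa_key_secret.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:reader@${var.project_id}.iam.gserviceaccount.com"
}

output "secret_version_name" {
  description = "Full resource name of the stored key version, for consumers to pin"
  value       = google_secret_manager_secret_version.sa_key_version.name
}
```

Run `terraform plan -var project_id=<your-project>` and check that the version resource shows `secret = (known after apply)` derived from the secret resource rather than a literal; that dependency is what guarantees the secret exists before the version is created. Because the decoded private key is written into state, use a remote backend with encryption and restricted IAM rather than a local `terraform.tfstate` file.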