terraform - 如何将 GCP 服务帐户 JSON 存储在 terraform 变量中？

Question

我的 terraform gcp 提供程序配置看起来像

provider "google" {
  project     = var.project
  region      = var.region
  credentials = file("account.json")
}

我想在 terraform cloud 上运行我的 terraform 文件，我不想将 account.json 文件放在源代码管理中。如何将 json GCP 服务帐户文件存储在 terraform 云中，然后从 terraform 脚本访问它？

Answer 1

您可以将凭据提供为 Multi-Line value调用 google_credentials 在 Terraform Cloud UI 中并将其标记为 Sensitive Value并为您的帐户输入正确的值(可能只是您已经拥有的 account.json 文件的复制粘贴):

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

然后，您可以将工作空间变量中的凭据提供给您的。谷歌 将 Terraform 模块中的 provider 作为单个变量，将其解释为 JSON:

provider "google" {
  project     = var.project
  region      = var.region
  credentials = var.google_credentials
}

variable "google_credentials" {
  description = "the contents of a service account key file in JSON format."
  type = string
}

credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.

来自 Google Provider Configuration Reference .