我有一个将要创建的服务帐户列表,要为它们分配角色,我正在使用 module that Google provides ,我的代码如下:
module "service-accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "4.1.1"
project_id = var.project
names = var.sa_list
project_roles = [
"${var.project}=>roles/appengine.appAdmin",
"${var.project}=>roles/artifactregistry.reader",
"${var.project}=>roles/cloudbuild.builds.builder",
"${var.project}=>roles/cloudsql.client",
"${var.project}=>roles/cloudsql.instanceUser"
]
display_name = "Google App Engine SA - Managed by Terraform"
}
这很好用。但我不想让 project_roles 中的角色明确,所以我尝试使用 for_each 元参数“
变量.tf:
variable "rolesList" {
type =list(string)
default = ["roles/appengine.appAdmin","roles/artifactregistry.reader", "roles/cloudbuild.builds.builder", "roles/cloudsql.client", "roles/cloudsql.instanceUser"]
}
main.tf:
module "service-accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "4.1.1"
project_id = var.project
names = var.sa_list
for_each = (toset[var.rolesList])
project_roles = ["${var.project}=>${each.key}"]
display_name = "Google App Engine SA - Managed by Terraform"
}
这种方式行不通,因为 Terraform 会创建多个具有相同 ID 的帐户。我如何从 project_roles 中删除硬代码?有没有办法将角色存储在其他地方然后调用它们?或者我需要单独分配角色?
最佳答案
如果您想为多个服务帐户赋予多个角色,您可以尝试使用来自官方 Google 提供商的资源:
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
首先,将您要创建的服务帐户放在配置文件中,如 JSON 文件,这样可以在修改时更加灵活。您将更改配置文件,而不是 Terraform 代码:
{
"servicesAccount": {
"first-service-account": {
"account_id": "first-service-account",
"display_name": "First SA managed by Terraform",
"roles": [
"roles/appengine.appAdmin",
"roles/artifactregistry.reader",
"roles/cloudbuild.builds.builder",
"roles/cloudsql.client",
"roles/cloudsql.instanceUser"
]
},
"second-service-account": {
"account_id": "second-service-account",
"display_name": "Second SA managed by Terraform",
"roles": [
"roles/appengine.appAdmin",
"roles/artifactregistry.reader",
"roles/cloudbuild.builds.builder",
"roles/cloudsql.client",
"roles/cloudsql.instanceUser"
]
}
}
}
然后你可以解析这个 JSON 文件并放入一个局部变量:
locals {
services_account = jsondecode(file("${path.module}/path/to/your/file.json"))["servicesAccount"]
sa_flattened = flatten([
for sa in local.services_account : [
for role in sa["roles"] : {
account_id = sa["account_id"]
display_name = sa["display_name"]
role = role
}
]
])
}
最后你可以创建 SA,然后给他们关联的角色:
resource "google_service_account" "sa_names" {
project = var.project
for_each = local.services_account
account_id = each.value["account_id"]
display_name = each.value["display_name"]
}
resource "google_project_iam_member" "sa_roles" {
depends_on = [google_service_account.sa_names]
for_each = {for idx, sa in local.sa_flattened: "${sa["account_id"]}_${sa["role"]}" => sa}
project = var.project
role = each.value["role"]
member = "serviceAccount:${each.value["account_id"]}@${var.project}.iam.gserviceaccount.com"
}
关于google-cloud-platform - 如何使用 Terraform 将多个角色分配给 GCP 中的多个服务帐户?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73870071/