GCP-terraform删除了所有策略，我该如何还原 [英] GCP - terraform removed all policies, how can I revert

问题描述

我按照地形跑.我误用了google_storage_bucket_iam_policy而不是google_storage_bucket_iam_binding，所以没有添加新策略，而是替换了所有现有策略.

I run following terraform. I made a mistake of using google_storage_bucket_iam_policy instead of google_storage_bucket_iam_binding so instead of adding new policy, it replaced all of existing policy.

data "google_iam_policy" "deploy-script-admin-policy" {
  binding {
    role = "roles/storage.objectAdmin"
    members = [
      "serviceAccount:${google_service_account.deploy-script.email}",
    ]
  }
}
# deploy script can read/write to a bucket
resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = "my-bucket"
  policy_data = data.google_iam_policy.deploy-script-admin-policy.policy_data
}

现在我无法运行Terraform计划，因为我无法使用自己的存储桶.我收到类似<my email> does not have storage.buckets.get access to the Google Cloud Storage bucket., forbidden的错误消息.

Now I cannot run terraform plan because I lost access to my own bucket. I get error message like <my email> does not have storage.buckets.get access to the Google Cloud Storage bucket., forbidden.

我去了GCP控制台，试图删除或更新此存储桶的权限，但由于存储桶权限不允许(我拥有所有者和storage.admin角色)，因此它也不起作用.

I went to GCP console and tried to either delete or update permission of this bucket but it won't work either since bucket permission doesn't allow it (I have owner and storage.admin role).

如何从这种情况中恢复?我不介意删除存储桶，如果那是唯一的选择.

How can I recover from this situation? I don't mind deleting the bucket if that's the only option.

编辑: 我不知道发生了什么，但是也许GCP可以从这种情况中自动恢复.出于某种原因，过了一会儿，我又可以从控制台再次编辑存储桶了.

EDIT: I don't know what happened, but maybe GCP has some way of auto-recover from such situation. For some reason I was able to edit bucket again from console after a while...

推荐答案

您无法还原所做的更改，也无法恢复对相关存储分区的访问权限.

You can't revert changes made and restore your access to the bucket in question.

[google_storage_bucket_iam_policy][1]是权威性的(如@Prashant所述)，意味着首先删除该对象的所有策略，然后创建您定义的策略.

[google_storage_bucket_iam_policy][1] is authoritative (as @Prashant mentioned) wchich means that first it erases any policies for the object and then creates the ones that you defined.

如果您的定义中没有适当的访问权限，并且您被锁定，那么唯一的解决方案就是删除存储桶.

If your definition dind't include proper access and you got yourself locked then the only solution is to delete the bucket.

这篇关于GCP-terraform删除了所有策略，我该如何还原的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！