terraform 'condition' error in google_project_iam_binding
Question
I'm trying to create a user and set a policy for him. Creating the user is OK. The problem is when I try to set a condition.
Via gcloud it works fine, but using terraform it does not. When I remove the condition line, it works, but I need this condition.
Here is the gcloud command:
gcloud projects add-iam-policy-binding projeto-xyz --member='serviceAccount:client-bot@projeto-xyz.iam.gserviceaccount.com' --role='roles/storage.objectAdmin' --condition='expression=resource.type == "storage.googleapis.com/Bucket" && resource.name.startsWith("projects/_/buckets/bucket-clientz") ,title=bucket'
iam.tf:
resource "google_service_account" "service_account" {
  account_id   = var.accountid
  display_name = var.iam-display-name
  provisioner "local-exec" {
    command = "gcloud iam service-accounts keys create ${var.accountid}.json --iam-account ${var.accountid}@${var.project}.iam.gserviceaccount.com"
  }
}
resource "google_project_iam_binding" "project" {
  project = var.project
  role    = "roles/storage.objectAdmin"
  members = [
    "serviceAccount:${var.accountid}@${var.project}.iam.gserviceaccount.com",
  ]
  condition {
    title       = "bucket"
    description = "acessar_bucket"
    expression = "resource.type == "storage.googleapis.com/Bucket"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
  }
}
Error output:
$ terraform plan
Error: Missing newline after argument
on iam.tf line 18, in resource "google_project_iam_binding" "project":
18: expression = "resource.type == "storage.googleapis.com/Bucket"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
An argument definition must end with a newline.
Error: Invalid character
on iam.tf line 18, in resource "google_project_iam_binding" "project":
18: expression = "resource.type == "storage.googleapis.com/Bucket"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
This character is not used within the language.
Thanks for your help.
Answer
After using google-beta as the provider in the resource, the error messages about 'condition' have gone. Now I can create the service account and use a role with a condition for this account.
Thanks, John Hanley, for the support.
main.tf:
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.5.0"
    }
  }
}
provider "google" {
  credentials = file(var.credentials_file)
  project     = var.project
  region      = var.region
  zone        = var.zone
}
provider "google-beta" {
  credentials = file(var.credentials_file)
  project     = var.project
  region      = var.region
  zone        = var.zone
}
iam.tf:
resource "google_service_account" "service_account" {
  provider     = google-beta
  account_id   = var.accountid
  display_name = var.iam-display-name
  provisioner "local-exec" {
    command = "gcloud iam service-accounts keys create ${var.accountid}.json --iam-account ${var.accountid}@${var.project}.iam.gserviceaccount.com"
  }
}
resource "google_project_iam_member" "project" {
  provider = google-beta
  project  = var.project
  role     = "roles/storage.objectAdmin"
  member   = "serviceAccount:${var.accountid}@${var.project}.iam.gserviceaccount.com"
  condition {
    title       = "bucket"
    description = "acessar_bucket"
    # Inner double quotes inside an HCL string must be escaped, otherwise
    # the string ends at the first inner quote and terraform reports
    # "Missing newline after argument" / "Invalid character".
    expression = "resource.type == \"storage.googleapis.com/Bucket\" && resource.name.startsWith(\"projects/_/buckets/${var.gcp-bucket}\")"
  }
}
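The configuration below is an added example and is not the code of either the asker or the answerer. It shows the two things a practitioner would want to get right here beyond the provider choice: the CEL expression contains double quotes, so in HCL it must either be escaped or written as a heredoc (the heredoc form is used here, with trimspace() to drop the trailing newline), and the condition should scope the role to the intended bucket rather than to any bucket whose name merely starts with the prefix (startsWith("projects/_/buckets/bucket-clientz") also matches a bucket named bucket-clientz-backup). The resource.name formats (projects/_/buckets/NAME for a bucket, projects/_/buckets/NAME/objects/OBJECT for an object) and the resource.type values follow the Cloud Storage IAM Conditions documentation and are an assumption to verify against it; the variable names var.project, var.accountid, var.iam-display-name and var.gcp-bucket are the ones used on this page.

```hcl
# Added example, not the original poster's or answerer's code.
# Assumes a configured "google" provider and the variables used on this page.

resource "google_service_account" "service_account" {
  account_id   = var.accountid
  display_name = var.iam-display-name
  # No local-exec key creation here: that writes a long-lived service
  # account key into the working directory. Prefer impersonation or
  # workload identity; create a key only if something really needs one.
}

# google_project_iam_member is additive: it manages only this one
# member/role/condition triple and leaves other members of the role alone.
# google_project_iam_binding is authoritative for the role: members that
# are not listed in it are removed on apply. Choose deliberately.
resource "google_project_iam_member" "bucket_object_admin" {
  project = var.project
  role    = "roles/storage.objectAdmin"
  member  = "serviceAccount:${google_service_account.service_account.email}"

  condition {
    title       = "bucket"
    description = "acessar_bucket"

    # A heredoc avoids escaping the inner double quotes of the CEL
    # expression. The equivalent plain-string form would be
    #   "resource.type == \"storage.googleapis.com/Bucket\" && ..."
    # Exact match on the bucket plus a prefix match on its objects, so the
    # grant does not spill over to other buckets sharing the name prefix.
    expression = trimspace(<<-EOT
      (resource.type == "storage.googleapis.com/Bucket" &&
       resource.name == "projects/_/buckets/${var.gcp-bucket}") ||
      (resource.type == "storage.googleapis.com/Object" &&
       resource.name.startsWith("projects/_/buckets/${var.gcp-bucket}/objects/"))
    EOT
    )
  }
}
```

After terraform apply, the gcloud equivalent of checking the result is `gcloud projects get-iam-policy PROJECT --format=json` and confirming that the binding for roles/storage.objectAdmin carries the condition with this title and expression; a binding without a condition block would mean the role was granted project-wide.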