Google cloud platform 如何使用Terraform公开gcp云功能
我首先要说的是,我对GCP和Terraform都很陌生,所以我希望有一个我刚刚忽略的简单答案 我正在尝试创建一个GCP云函数,然后使用Terraform将其公开。我能够创建函数,但不能将其公开,尽管我严格遵循了文档的示例: 当访问google_cloudfunctions_function_iam_成员资源时,我收到错误“googleapi:error 403:Permission'cloudfunctions.functions.setIamPolicy'denied on resource…(或资源可能不存在)” 如何公开此功能?它是否与我用于创建所有这些资源的凭据的帐户/api密钥有关 提前谢谢 my main.tf文件:Google cloud platform 如何使用Terraform公开gcp云功能,google-cloud-platform,google-cloud-functions,terraform,google-iam,Google Cloud Platform,Google Cloud Functions,Terraform,Google Iam,我首先要说的是,我对GCP和Terraform都很陌生,所以我希望有一个我刚刚忽略的简单答案 我正在尝试创建一个GCP云函数,然后使用Terraform将其公开。我能够创建函数,但不能将其公开,尽管我严格遵循了文档的示例: 当访问google_cloudfunctions_function_iam_成员资源时,我收到错误“googleapi:error 403:Permission'cloudfunctions.functions.setIamPolicy'denied on resource…
provider "google" {
project = "my-project"
credentials = "key.json" #compute engine default service account api key
region = "us-central1"
}
terraform {
backend "gcs" {
bucket = "manually-created-bucket"
prefix = "terraform/state"
credentials = "key.json"
}
}
# create the storage bucket for our scripts
resource "google_storage_bucket" "source_code" {
name = "test-bucket-lh05111992"
location = "us-central1"
force_destroy = true
}
# zip up function source code
data "archive_file" "my_function_script_zip" {
type = "zip"
source_dir = "../source/scripts/my-function-script"
output_path = "../source/scripts/my-function-script.zip"
}
# add function source code to storage
resource "google_storage_bucket_object" "my_function_script_zip" {
name = "index.zip"
bucket = google_storage_bucket.source_code.name
source = "../source/scripts/my-function-script.zip"
}
#create the cloudfunction
resource "google_cloudfunctions_function" "function" {
name = "send_my_function_script"
description = "This function is called in GTM. It sends a users' google analytics id to BigQuery."
runtime = "nodejs10"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.source_code.name
source_archive_object = google_storage_bucket_object.my_function_script_zip.name
trigger_http = true
entry_point = "handleRequest"
}
# IAM entry for all users to invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.function.project
region = "us-central1"
cloud_function = google_cloudfunctions_function.function.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
terraform站点上的这个示例的唯一问题似乎是自2019年11月以来修改的“云功能IAM资源”。现在,您必须按照说明指定这些资源。现在,对于您的用户案例(公共云功能),我建议您遵循,只需将“members”属性更改为“allUsers”,这样就可以了
resource "google_cloudfunctions_function_iam_binding" "binding" {
project = google_cloudfunctions_function.function.project
region = google_cloudfunctions_function.function.region
cloud_function = google_cloudfunctions_function.function.name
role = "roles/cloudfunctions.invoker"
members = [
"allUsers",
]
}
最后,您可以对其进行测试,并修改您在#Try this API“右侧面板上已经创建的函数,然后像这样输入适当的资源和请求正文(确保正确输入“resource”参数):
除了按照@chinoche的建议调整IAM角色外,我还发现我需要修改我使用的服务帐户以授予其项目所有者权限。(我猜我使用的默认帐户没有这个权限)。我更新了key.json,它终于成功了。感谢您在IAM资源中指出了更新。您不必为SA授予所有者权限,只需添加此权限;cloudfunctions.functions.setIamPolicy实现此目标的最佳方法是通过创建自己的自定义角色a应用最小特权原则然后将其附加到SA。
{
"policy": {
"bindings": [
{
"members": [
"allUsers"
],
"role": "roles/cloudfunctions.invoker"
}
]
}
}