Google cloud platform 如何使用Terraform公开gcp云功能_Google Cloud Platform_Google Cloud Functions_Terraform_Google Iam

Google cloud platform 如何使用Terraform公开gcp云功能

google-cloud-platform terraform

Google cloud platform 如何使用Terraform公开gcp云功能,google-cloud-platform,google-cloud-functions,terraform,google-iam,Google Cloud Platform,Google Cloud Functions,Terraform,Google Iam,我首先要说的是，我对GCP和Terraform都很陌生，所以我希望有一个我刚刚忽略的简单答案我正在尝试创建一个GCP云函数，然后使用Terraform将其公开。我能够创建函数，但不能将其公开，尽管我严格遵循了文档的示例：当访问google_cloudfunctions_function_iam_成员资源时，我收到错误“googleapi:error 403:Permission'cloudfunctions.functions.setIamPolicy'denied on resource…

我首先要说的是，我对GCP和Terraform都很陌生，所以我希望有一个我刚刚忽略的简单答案

我正在尝试创建一个GCP云函数，然后使用Terraform将其公开。我能够创建函数，但不能将其公开，尽管我严格遵循了文档的示例：

当访问google_cloudfunctions_function_iam_成员资源时，我收到错误“googleapi:error 403:Permission'cloudfunctions.functions.setIamPolicy'denied on resource…（或资源可能不存在）”

如何公开此功能？它是否与我用于创建所有这些资源的凭据的帐户/api密钥有关

提前谢谢

my main.tf文件：

provider "google" {
  project     = "my-project"
  credentials = "key.json" #compute engine default service account api key
  region      = "us-central1"
}

terraform {
  backend "gcs" {
    bucket  = "manually-created-bucket"
    prefix  = "terraform/state"
    credentials = "key.json"
  }
}

# create the storage bucket for our scripts
resource "google_storage_bucket" "source_code" {
  name     = "test-bucket-lh05111992"
  location = "us-central1"
  force_destroy = true
}

# zip up function source code
data "archive_file" "my_function_script_zip" {
 type        = "zip"
 source_dir  = "../source/scripts/my-function-script"
 output_path = "../source/scripts/my-function-script.zip"
}

# add function source code to storage
resource "google_storage_bucket_object" "my_function_script_zip" {
 name   = "index.zip"
 bucket = google_storage_bucket.source_code.name
 source = "../source/scripts/my-function-script.zip"
}

#create the cloudfunction 
resource "google_cloudfunctions_function" "function" {
  name        = "send_my_function_script"
  description = "This function is called in GTM. It sends a users' google analytics id to BigQuery."
  runtime     = "nodejs10"

  available_memory_mb   = 128
  source_archive_bucket = google_storage_bucket.source_code.name
  source_archive_object = google_storage_bucket_object.my_function_script_zip.name
  trigger_http          = true
  entry_point           = "handleRequest"
}

# IAM entry for all users to invoke the function 
resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = google_cloudfunctions_function.function.project
  region         = "us-central1"
  cloud_function = google_cloudfunctions_function.function.name
  
  role = "roles/cloudfunctions.invoker"
  member = "allUsers"
}

terraform站点上的这个示例的唯一问题似乎是自2019年11月以来修改的“云功能IAM资源”。现在，您必须按照说明指定这些资源。现在，对于您的用户案例（公共云功能），我建议您遵循，只需将“members”属性更改为“allUsers”，这样就可以了

resource "google_cloudfunctions_function_iam_binding" "binding" {
  project = google_cloudfunctions_function.function.project
  region = google_cloudfunctions_function.function.region
  cloud_function = google_cloudfunctions_function.function.name
  role = "roles/cloudfunctions.invoker"
  members = [
    "allUsers",
  ]
}

最后，您可以对其进行测试，并修改您在#Try this API“右侧面板上已经创建的函数，然后像这样输入适当的资源和请求正文（确保正确输入“resource”参数）：

除了按照@chinoche的建议调整IAM角色外，我还发现我需要修改我使用的服务帐户以授予其项目所有者权限。（我猜我使用的默认帐户没有这个权限）。我更新了key.json，它终于成功了。

感谢您在IAM资源中指出了更新。您不必为SA授予所有者权限，只需添加此权限；cloudfunctions.functions.setIamPolicy实现此目标的最佳方法是通过创建自己的自定义角色a应用最小特权原则然后将其附加到SA。

{
  "policy": {
    "bindings": [
      {
        "members": [
          "allUsers"
        ],
        "role": "roles/cloudfunctions.invoker"
      }
    ]
  }
}