Currently, the only way I have found to impersonate service accounts through Terraform is with long declarations, such as declarations with multiple provider blocks. Not to mention that I have to copy/paste this for every user / service account / project.

```hcl
provider "google" {
  alias  = "network_admin_impersonation"
  scopes = var.impersonation_info.of_network_admin.tier_1_scopes
}

data "google_service_account_access_token" "network-admin" {
  provider               = google.network_admin_impersonation
  target_service_account = google_service_account.network-admin.email
  scopes                 = var.impersonation_info.of_network_admin.tier_2_scopes
  lifetime               = "1200s"
}

provider "google" {
  alias        = "as_network_admin"
  access_token = data.google_service_account_access_token.network-admin.access_token
  region       = var.region
  zone         = var.zone
}
```

And grant users the right to use this service account:
```hcl
resource "google_service_account_iam_member" "network-admin-impersonators" {
  for_each = toset([
    for account in var.user_accs_impersonators_info.as_network_admin :
    "${account.acc_type}:${account.acc_details.email}"
  ])
  service_account_id = google_service_account.network-admin.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = each.value
}
```

There must be a better way to do this that I am not seeing. Maybe through a module? But I read somewhere that using providers inside modules is generally a bad idea. I would appreciate some guidance on this.

Posted on 2022-09-19 22:25:14
You need to look at the provider initialization syntax, which lets you embed a provider's configuration block inside another provider's configuration block. So your configuration could look like this:

```hcl
provider "google" {
  alias  = "network_admin_impersonation"
  scopes = var.impersonation_info.of_network_admin.tier_1_scopes
  provider {
    access_token = data.google_service_account_access_token.network-admin.access_token
    region       = var.region
    zone         = var.zone
  }
}
```

Note that the provider block is nested inside the provider block and that it has no alias attribute.
Edit:

I don't think you can do that. What you can do is create a provider configuration block with the token and pass it to the child provider:

```hcl
provider "google" {
  alias  = "network_admin_impersonation"
  scopes = var.impersonation_info.of_network_admin.tier_1_scopes
  provider {
    access_token = data.google_service_account_access_token.network-admin.access_token
    region       = var.region
    zone         = var.zone
  }
  provider "google" {
    alias = "as_network_admin"
  }
}
```

Or you can declare all of this within the google provider:
```hcl
provider "google" {
  alias  = "network_admin_impersonation"
  scopes = var.impersonation_info.of_network_admin.tier_1_scopes
}

provider "google" {
  alias        = "as_network_admin"
  access_token = data.google_service_account_access_token.network-admin.access_token
  region       = var.region
  zone         = var.zone
}
```

Edit 2

You can use count over a list of service accounts to create multiple provider blocks. Pass the service account names to the module as a variable.
Example module

```hcl
variable "service_accounts" {
  type = list(string)
}

resource "google_service_account" "service_account" {
  count      = length(var.service_accounts)
  account_id = var.service_accounts[count.index]
}

data "google_service_account_access_token" "service_account" {
  count                  = length(var.service_accounts)
  provider               = google.service_account
  target_service_account = google_service_account.service_account[count.index].email
  scopes                 = var.impersonation_info.of_network_admin.tier_2_scopes
  lifetime               = "1200s"
}

provider "google" {
  count  = length(var.service_accounts)
  alias  = element(var.service_accounts, count.index)
  scopes = var.impersonation_info.of_network_admin.tier_1_scopes
  provider {
    access_token = element(data.google_service_account_access_token.service_account.*.access_token, count.index)
    region       = var.region
    zone         = var.zone
  }
}
```
Example usage

```hcl
module "impersonation" {
  source = "./impersonation"
  service_accounts = [
    "network_admin_service_account",
    "project_admin_service_account",
  ]
}
```

You can also grant permissions to the service accounts with the following resource.
```hcl
resource "google_service_account_iam_member" "service_account" {
  count              = length(var.service_accounts)
  service_account_id = google_service_account.service_account[count.index].name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = var.member
}
```

https://stackoverflow.com/questions/73779815
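As an added example (not code from the question or the answer), the same impersonation setup with the service accounts, short-lived tokens and token-creator bindings driven by a single map variable via for_each, so that only the provider blocks, which Terraform requires to be written statically, remain one per persona. It assumes var.region and var.zone as in the question and the hypothetical var.service_accounts map shown.

```hcl
# Added example (not from the question or answer). Assumes var.region and var.zone
# exist as in the question; the map key is the account_id and the provider lookup key.
variable "service_accounts" {
  type = map(object({
    tier_2_scopes = list(string)
    impersonators = list(string) # "user:someone@example.com" (placeholder)
  }))
}

resource "google_service_account" "admin" {
  for_each   = var.service_accounts
  account_id = each.key
}

# Short-lived tokens minted with the caller's own (default provider)
# credentials, one per service account instead of one pasted block each.
data "google_service_account_access_token" "admin" {
  for_each               = var.service_accounts
  target_service_account = google_service_account.admin[each.key].email
  scopes                 = each.value.tier_2_scopes
  lifetime               = "1200s"
}

# Flatten (service account, member) pairs so every binding is its own
# addressable resource; adding a user is a change to the variable only.
locals {
  bindings = {
    for p in flatten([
      for sa, cfg in var.service_accounts : [
        for m in cfg.impersonators : { sa = sa, member = m }
      ]
    ]) : "${p.sa}/${p.member}" => p
  }
}

resource "google_service_account_iam_member" "impersonators" {
  for_each           = local.bindings
  service_account_id = google_service_account.admin[each.value.sa].name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = each.value.member
}

# Provider configurations cannot use for_each, so one static block per
# persona remains, but it is now just a reference into the map.
provider "google" {
  alias        = "as_network_admin"
  access_token = data.google_service_account_access_token.admin["network-admin"].access_token
  region       = var.region
  zone         = var.zone
}
```

The 1200s token lifetime keeps each impersonated session short, and the flattened binding keys make `terraform plan` show exactly which user gained or lost token-creator access on which account.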