Terraform gcloud

Question

我在Google中有以下设置：

• 将消息发布到Google主题的应用程序“生成器”。
• 使用唯一消息的应用程序'worker‘。
• 任何无效的PubSub消息都应该以“死信”主题结束。

这个主题应该有一个“死信”主题，其中无效的消息结束。然而，每当我通过Terraform配置它时，google云控制台就会提到，我没有将“订户”和“publisher”角色附加到我的项目公共服务帐户：

​

​

我有以下地形结构，似乎是正确的AFAIK：

resource "google_project_service_identity" "pubsub_sa" {
    provider = google-beta
    
    project = var.project_id
    service = "pubsub.googleapis.com"
}

/* ... topic and dead-letter topic config here ... */

data "google_iam_policy" "project_pubsub_publishers" {
    binding {
        role = "roles/pubsub.publisher"
        members = [
            "serviceAccount:${google_service_account.project_generator_serviceaccount.email}",
            "serviceAccount:${google_service_account.project_worker_serviceaccount.email}",
            "serviceAccount:${google_project_service_identity.pubsub_sa.email}",
        ]
    }
}

resource "google_pubsub_topic_iam_policy" "project_request_publishers" {
    project  = var.project_id
    topic = google_pubsub_topic.generator_request_pubsub.name
    policy_data = data.google_iam_policy.project_pubsub_publishers.policy_data
}

data "google_iam_policy" "project_pubsub_subscribers" {
    binding {
        role = "roles/pubsub.subscriber"
        members = [
            "serviceAccount:${google_service_account.project_generator_serviceaccount.email}",
            "serviceAccount:${google_service_account.project_worker_serviceaccount.email}",
            "serviceAccount:${google_project_service_identity.pubsub_sa.email}",
        ]
    }
}

resource "google_pubsub_topic_iam_policy" "project_request_subscribers" {
    topic = google_pubsub_topic.generator_request_pubsub.name
    project  = var.project_id
    policy_data = data.google_iam_policy.project_pubsub_subscribers.policy_data
}

单击web中的“Add”，然后执行terraform plan显示以下更改：

Terraform will perform the following actions:

  # module.gcloud.google_pubsub_topic_iam_policy.project_invalid_request_publishers will be updated in-place
  ~ resource "google_pubsub_topic_iam_policy" "project_invalid_request_publishers" {
        id          = "projects/MY-GCLOUD-PROJECTID/topics/generator-request-pubsub-invalid"
      ~ policy_data = jsonencode(
          ~ {
              ~ bindings = [
                  ~ {
                      ~ members = [
                          + "serviceAccount:cicd-generator-sa@MY-GCLOUD-PROJECTID.iam.gserviceaccount.com",
                          + "serviceAccount:cicd-worker-sa@MY-GCLOUD-PROJECTID.iam.gserviceaccount.com",
                            "serviceAccount:service-251572179467@gcp-sa-pubsub.iam.gserviceaccount.com",
                        ]
                        # (1 unchanged element hidden)
                    },
                  - {
                      - members = [
                          - "serviceAccount:cicd-generator-sa@MY-GCLOUD-PROJECTID.iam.gserviceaccount.com",
                          - "serviceAccount:cicd-worker-sa@MY-GCLOUD-PROJECTID.iam.gserviceaccount.com",
                          - "serviceAccount:service-251572179467@gcp-sa-pubsub.iam.gserviceaccount.com",
                        ]
                      - role    = "roles/pubsub.subscriber"
                    },
                ]
            }
        )
        # (3 unchanged attributes hidden)
    }

  # module.gcloud.google_pubsub_topic_iam_policy.project_invalid_request_subscribers will be updated in-place
  ~ resource "google_pubsub_topic_iam_policy" "project_invalid_request_subscribers" {
        id          = "projects/MY-GCLOUD-PROJECTID/topics/generator-request-pubsub-invalid"
      ~ policy_data = jsonencode(
          ~ {
              ~ bindings = [
                  - {
                      - members = [
                          - "serviceAccount:service-251572179467@gcp-sa-pubsub.iam.gserviceaccount.com",
                        ]
                      - role    = "roles/pubsub.publisher"
                    },
                    {
                        members = [
                            "serviceAccount:cicd-generator-sa@MY-GCLOUD-PROJECTID.iam.gserviceaccount.com",
                            "serviceAccount:cicd-worker-sa@MY-GCLOUD-PROJECTID.iam.gserviceaccount.com",
                            "serviceAccount:service-251572179467@gcp-sa-pubsub.iam.gserviceaccount.com",
                        ]
                        role    = "roles/pubsub.subscriber"
                    },
                ]
            }
        )
        # (3 unchanged attributes hidden)
    }

  # module.gcloud.google_pubsub_topic_iam_policy.project_request_subscribers will be updated in-place
  ~ resource "google_pubsub_topic_iam_policy" "project_request_subscribers" {
        id          = "projects/MY-GCLOUD-PROJECTID/topics/generator-request-pubsub"
      ~ policy_data = jsonencode(
          ~ {
              ~ bindings = [
                  ~ {
                      ~ role    = "roles/pubsub.publisher" -> "roles/pubsub.subscriber"
                        # (1 unchanged element hidden)
                    },
                ]
            }
        )
        # (3 unchanged attributes hidden)
    }

但我不知道我做错了什么。有什么想法吗？

Answer 1

根据文档，您需要首先为GCP中的“死信主题”设置配置。

设置一个死信的主题

其中(除其他资料外)指出：

若要创建订阅并设置死信主题，请使用gcloud公共订阅创建命令：

gcloud pubsub subscriptions create subscription-id \
  --topic=topic-id \
  --dead-letter-topic=dead-letter-topic-id \
  [--max-delivery-attempts=max-delivery-attempts] \
  [--dead-letter-topic-project=dead-letter-topic-project]

若要更新订阅并设置死信主题，请使用gcloud发布订阅更新命令：

gcloud pubsub subscriptions update subscription-id \
  --dead-letter-topic=dead-letter-topic-id \
  [--max-delivery-attempts=max-delivery-attempts] \
  [--dead-letter-topic-project=dead-letter-topic-project]

授予转发权限

若要将无法传递的消息转发到死信主题，Pub/Sub必须具有执行以下操作的权限：

将消息发布到主题。

确认消息，它将它们从订阅中删除。

Pub/Sub为每个项目创建和维护一个服务帐户：service-project-number@gcp-sa-pubsub.iam.gserviceaccount.com。可以通过向此服务帐户分配发布服务器和订阅服务器角色来授予转发权限。如果使用云控制台配置订阅，角色将自动授予。

分配Pub/Sub发布者角色

若要授予Pub/Sub将消息发布到死信主题的权限，请运行以下命令：

PUBSUB_SERVICE_ACCOUNT="service-${project-number}@gcp-sa-pubsub.iam.gserviceaccount.com"

gcloud pubsub topics add-iam-policy-binding dead-letter-topic-id \
    --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT"\
    --role="roles/pubsub.publisher"

分配Pub/Sub用户角色

若要授予Pub/Sub确认转发的不可交付邮件的权限，请运行以下命令：

PUBSUB_SERVICE_ACCOUNT="service-${project-number}@gcp-sa-pubsub.iam.gserviceaccount.com"

gcloud pubsub subscriptions add-iam-policy-binding subscription-id \
    --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT"\
    --role="roles/pubsub.subscriber"

希望这对你有帮助。致以问候。

Answer 2

Jaime是对的，你需要把这些IAM策略添加到

"service-${project-number}@gcp-sa-pubsub.iam.gserviceaccount.com"

这是一个特定的sa隐藏在主要的。您可以在>IAM中的控制台中找到它，并选择右上角的复选框“包括google提供的角色授予”。

还需要添加一个google_pubsub_topic_iam_policy。

下面是一个Terraform工作示例

data "google_project" "current" {}

data "google_iam_policy" "publisher" {
  binding {
    role = "roles/pubsub.publisher"
    members = [
      "serviceAccount:service-${data.google_project.current.number}@gcp-sa-pubsub.iam.gserviceaccount.com",
    ]
  }
}
resource "google_pubsub_topic_iam_policy" "policy" {
  project = var.project
  topic = google_pubsub_topic.yourTopic.name
  policy_data = data.google_iam_policy.publisher.policy_data
}
data "google_iam_policy" "subscriber" {
  binding {
    role = "roles/pubsub.subscriber"
    members = [
      "serviceAccount:service-${data.google_project.current.number}@gcp-sa-pubsub.iam.gserviceaccount.com",
    ]
  }
}
resource "google_pubsub_subscription_iam_policy" "policy" {
  subscription = google_pubsub_subscription.yourSubscription.name
  policy_data  = data.google_iam_policy.subscriber.policy_data
}