Terraform：“创建防火墙时出错: googleapi:错误403:需要'compute.firewalls.create‘”

Question

我坚持使用这个脚本来使用Terraform在GCP中部署镜像。我的想法是启动一个V实例，并为http请求打开端口443和80，当我写下"Terraform validate“时，它显示为正确：

provider "google" {
  project     = "terraform-packer-xxxxxx"
  region      = "us-central1"
  zone        = "us-central1-a"
  credentials = "C:/.../path"
}


data "google_compute_image" "test" {
  name = "packer-08022021-1"
}


resource "google_compute_instance" "myVM" {
  name         = "test"
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  tags = [ "http-server" ]
  boot_disk {
    initialize_params {
      image = data.google_compute_image.test.self_link
    }
  }
  network_interface {
    # A default network is created for all GCP projects
    network = "default"
    access_config {
    }
  }
}

resource "google_compute_firewall" "allow-http" {
  name    = "http-firewall"
  network = "default"

  allow {
    protocol = "all"
    ports    = ["80"]
  }

    allow {
    protocol = "all"
    ports    = ["443"]
  }

    allow {
    protocol = "all"
    ports    = ["22"]
  }

  source_tags = ["http-server"]
}

# resource "google_compute_network" "default" {
#   name = "test-network"
# }

output "ip" {
 value = google_compute_instance.myVM.network_interface.0.access_config.0.nat_ip
}

但是当我写下"Terraform apply“时，这个错误出现了：

Error: Error creating Firewall: googleapi: Error 403: Required 'compute.firewalls.create' permission for 'projects/terraform-packer-303806/global/firewalls/http-firewall'
More details:
Reason: forbidden, Message: Required 'compute.firewalls.create' permission for 'projects/terraform-packer-303806/global/firewalls/http-firewall'
Reason: forbidden, Message: Required 'compute.networks.updatePolicy' permission for 'projects/terraform-packer-303806/global/networks/default'

我已经在我的服务帐户中检查了两次权限，我有以下权限:计算实例的管理员，服务帐户的用户，网络管理员，防火墙管理员。

我不知道我做错了什么

Answer 1

从提供的错误消息看，服务帐户似乎没有分配compute.firewalls.create权限。创建防火墙规则需要此权限，如here所示。

Here，您将通过搜索compute.firewalls..找到具有权限的角色列表。。如果有权限的角色都不能满足您的需求，您可以按照官方GCP Documentation中的步骤创建自定义角色。