如何使用Terraform公开gcp云功能

时间:2020-06-22 21:30:05

标签: google-cloud-platform google-cloud-functions terraform google-iam

首先,我对GCP和Terraform都是陌生的,所以我希望有一个简单的答案被我忽略了。

我正在尝试创建GCP云功能,然后使用Terraform将其公开。尽管可以严格按照文档的示例进行操作,但我仍然可以创建该函数,但不能将其公开:https://www.terraform.io/docs/providers/google/r/cloudfunctions_function.html

当到达google_cloudfunctions_function_iam_member资源时,我收到错误消息“ googleapi:错误403:权限'cloudfunctions.functions.setIamPolicy'在资源上被拒绝(或资源可能不存在)”。

如何公开此功能?它与我用于创建所有这些资源的凭据的account / api密钥有关吗?

谢谢。

我的main.tf文件: 

provider "google" {
  project     = "my-project"
  credentials = "key.json" #compute engine default service account api key
  region      = "us-central1"
}

terraform {
  backend "gcs" {
    bucket  = "manually-created-bucket"
    prefix  = "terraform/state"
    credentials = "key.json"
  }
}

# create the storage bucket for our scripts
resource "google_storage_bucket" "source_code" {
  name     = "test-bucket-lh05111992"
  location = "us-central1"
  force_destroy = true
}

# zip up function source code
data "archive_file" "my_function_script_zip" {
 type        = "zip"
 source_dir  = "../source/scripts/my-function-script"
 output_path = "../source/scripts/my-function-script.zip"
}

# add function source code to storage
resource "google_storage_bucket_object" "my_function_script_zip" {
 name   = "index.zip"
 bucket = google_storage_bucket.source_code.name
 source = "../source/scripts/my-function-script.zip"
}

#create the cloudfunction 
resource "google_cloudfunctions_function" "function" {
  name        = "send_my_function_script"
  description = "This function is called in GTM. It sends a users' google analytics id to BigQuery."
  runtime     = "nodejs10"

  available_memory_mb   = 128
  source_archive_bucket = google_storage_bucket.source_code.name
  source_archive_object = google_storage_bucket_object.my_function_script_zip.name
  trigger_http          = true
  entry_point           = "handleRequest"
}

# IAM entry for all users to invoke the function 
resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = google_cloudfunctions_function.function.project
  region         = "us-central1"
  cloud_function = google_cloudfunctions_function.function.name
  
  role = "roles/cloudfunctions.invoker"
  member = "allUsers"
}

2 个答案:

答案 0 :(得分:2)

从terraform站点来看,该示例的唯一问题似乎是“云功能IAM资源”,该资源自2019年11月以来已进行了修改。现在,您必须按照here的说明指定这些资源。现在针对您的用户案例(公共云功能),我建议您遵循this configuration,只需将“ members”属性更改为“ allUsers”,这样就可以了

resource "google_cloudfunctions_function_iam_binding" "binding" {
  project = google_cloudfunctions_function.function.project
  region = google_cloudfunctions_function.function.region
  cloud_function = google_cloudfunctions_function.function.name
  role = "roles/cloudfunctions.invoker"
  members = [
    "allUsers",
  ]
}

最后,您可以在#Try this API“右侧面板中对其进行测试并修改您已经创建的功能here,然后输入适当的资源和请求主体(请确保输入“ resource”参数正确):

{
  "policy": {
    "bindings": [
      {
        "members": [
          "allUsers"
        ],
        "role": "roles/cloudfunctions.invoker"
      }
    ]
  }
}

答案 1 :(得分:0)

除了按照@chinoche的建议调整IAM角色外,我还发现我需要修改我用来为其授予项目所有者权限的服务帐户。 (我猜我使用的默认值没有这个值)。我更新了key.json,终于可以了。

相关问题
最新问题