以link为例,如果我有一个服务帐户并附加了一个角色-是否可以动态添加和删除该角色的权限,而无需在每次编辑该角色时都删除该角色本身? >
data "google_project" "project" {}
resource "google_service_account" "mservice_infra_service_account" {
account_id = "mserviceinfra-service-account"
display_name = "Infrastructure Service Account"
}
resource "google_project_iam_custom_role" "mservice_infra_admin" {
role_id = "mservice_infra_admin"
title = "mservice_infra_admin"
description = "Infrastructure Administrator Custom Role"
permissions = ["compute.disks.create", "compute.firewalls.create", "compute.firewalls.delete", "compute.firewalls.get", "compute.instanceGroupManagers.get", "compute.instances.create", "compute.instances.delete", "compute.instances.get", "compute.instances.setMetadata", "compute.instances.setServiceAccount", "compute.instances.setTags", "compute.machineTypes.get", "compute.networks.create", "compute.networks.delete", "compute.networks.get", "compute.networks.updatePolicy", "compute.subnetworks.create", "compute.subnetworks.delete", "compute.subnetworks.get", "compute.subnetworks.setPrivateIpGoogleAccess", "compute.subnetworks.update", "compute.subnetworks.use", "compute.subnetworks.useExternalIp", "compute.zones.get", "container.clusters.create", "container.clusters.delete", "container.clusters.get", "container.clusters.update", "container.operations.get"]
}
resource "google_project_iam_binding" "mservice_infra_binding" {
role = "projects/${data.google_project.project.project_id}/roles/${google_project_iam_custom_role.mservice_infra_admin.role_id}"
members = [
"serviceAccount:${google_service_account.mservice_infra_service_account.email}",
]
}
我知道AWS中有一件事,您需要声明一个空的角色,然后声明一堆权限,然后在AWS中创建另一个名为aws_iam_policy_attachment的(第三个)资源,将它们全部绑定在一起-好处是您没有编辑角色的权限时不要删除该角色-可以