Error creating a VM on GCP with Terraform when using a KMS key (Error creating instance: googleapi: Error 503)

Time: 2021-06-21 20:42:51

Tags: google-cloud-platform terraform virtual-machine google-cloud-kms

I can't create a VM on GCP with Terraform. I want to attach a KMS key through the "kms_key_self_link" attribute, but when the machine is being created, time goes by and after waiting 2 minutes (in every case) a 503 error appears. I'll share my script; it's worth saying that after disabling the "kms_key_self_link" attribute, the script runs fine.

data "google_compute_image" "tomcat_centos" {
  name = var.vm_img_name
}

data "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

data "google_kms_crypto_key" "cmek-key" {
  name     = "crypto-key-example"
  key_ring = data.google_kms_key_ring.keyring.self_link
}

data "google_project" "project" {}

resource "google_kms_crypto_key_iam_member" "key_user" {
  crypto_key_id = data.google_kms_crypto_key.cmek-key.id
  role          = "roles/owner"
  member        = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}


resource "google_compute_instance" "vm-hsbc" {
  name         = var.vm_name
  machine_type = var.vm_machine_type
  zone         = var.zone

  allow_stopping_for_update = true
  can_ip_forward            = false
  deletion_protection       = false

  boot_disk {
    kms_key_self_link = data.google_kms_crypto_key.cmek-key.self_link
    initialize_params {
      type = var.disk_type
      #GCP-CE-CTRL-22
      image = data.google_compute_image.tomcat_centos.self_link
    }
  }


  network_interface {
    network = var.network
  }


  #GCP-CE-CTRL-2-...-5, 7, 8 
  service_account {
    email  = var.service_account_email
    scopes = var.scopes
  }

  #GCP-CE-CTRL-31
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
}

This is the full error:

Error creating instance: googleapi: Error 503: Internal error. Please try again or contact Google Support. (Code: '5C54C97EB5265.AA25590.F4046F68'), backendError

1 answer:

Answer 0 (score: 0)

I solved the problem by granting my Compute service account the Encrypter/Decrypter role through this resource:

resource "google_kms_crypto_key_iam_binding" "key_iam_binding" {
  crypto_key_id = data.google_kms_crypto_key.cmek-key.id
  # Encrypter/Decrypter, as described above: the Compute Engine service agent
  # must both wrap and unwrap the disk's data key, so Encrypter alone is not enough.
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

  members = [
    # Compute Engine service agent; uses the google_project data source declared
    # as "project" in the configuration above.
    "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com",
  ]
}
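A least-privilege version of the pieces involved, as an added example that is not part of the question or the answer above. It assumes the same key ring, key and variable names as the question and uses an additive iam_member grant plus an explicit depends_on so the instance is never requested before the service agent may use the key.

```hcl
# Added example (not from the question or answer): CMEK boot disk with a
# least-privilege grant to the Compute Engine service agent. Key ring, key
# and variable names are assumed to match the question's configuration.
data "google_project" "project" {}

data "google_kms_key_ring" "keyring" {
  name     = "keyring-example"
  location = "global"
}

data "google_kms_crypto_key" "cmek-key" {
  name     = "crypto-key-example"
  key_ring = data.google_kms_key_ring.keyring.id
}

# The service agent only wraps/unwraps the disk's data encryption key, so
# Encrypter/Decrypter on this one key is all it needs; roles/owner on the key
# is far broader than required. An *_iam_member grant is additive, whereas an
# *_iam_binding is authoritative for the role and would remove any other
# principal already holding it on the key.
resource "google_kms_crypto_key_iam_member" "compute_agent" {
  crypto_key_id = data.google_kms_crypto_key.cmek-key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_compute_instance" "vm" {
  name         = var.vm_name
  machine_type = var.vm_machine_type
  zone         = var.zone

  boot_disk {
    kms_key_self_link = data.google_kms_crypto_key.cmek-key.self_link
    initialize_params {
      type  = var.disk_type
      image = var.vm_img_name
    }
  }

  network_interface {
    network = var.network
  }

  # Terraform does not infer this ordering from the boot_disk block: without
  # it the instance can be created before the IAM grant exists and fail
  # while the backend tries to use a key the agent is not yet allowed to use.
  depends_on = [google_kms_crypto_key_iam_member.compute_agent]
}
```

After apply, the key's IAM policy should list only the service agent under the Encrypter/Decrypter role, and the instance's boot disk should report the key in its kmsKeyName.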