Terraform module for multiple service accounts across different projects

Time: 2021-07-22 22:29:00

Tags: terraform terraform-provider-gcp terraform-modules

My current TF code setup looks like this.

../../modules/cp_project
resource "google_storage_bucket_iam_binding" "bucket_permission" {
  bucket  = google_container_registry.registry.id
  role    = "roles/storage.objectViewer"
  members = var.members
}

qat01.tf
module "qat01_project" {
  source = "../../../../modules/cp_project"
  members = [
    "serviceAccount:k8s-default-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c002@qat01.iam.gserviceaccount.com",
  ]
}

dev01.tf
module "dev01_project" {
  source = "../../../../modules/cp_project"
  members = [
    "serviceAccount:k8s-default-c001@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c004@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c004@dev01.iam.gserviceaccount.com",
  ]
}

As you can see in the code, the service accounts differ per project. Is there any valid (logical) way to add the service accounts in modules/cp_project itself? I do have multiple files, such as prod.tf and preprod.tf, that use the same module with different email addresses in members. I want to put all of these project-specific members in modules/cp_project, and then each project can call its own member list from cp_project itself. Is there a way? Thanks

File structure

As you can see from the file structure, I want to list the service account members in module/vars.tf and call the variables from qat01 or dev01. So I want module/vars.tf to look like the following, and for these variables to be callable by dev01.tf and qat01.tf in the "members" variable. An example of what module/vars.tf would look like:

module/vars.tf

variable "qat01_members" {
  type = list(string)
  default = [
    "serviceAccount:k8s-default-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c002@qat01.iam.gserviceaccount.com",
  ]
}

variable "dev01_members" {
  type = list(string)
  default = [
    "serviceAccount:k8s-default-c001@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c004@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c004@dev01.iam.gserviceaccount.com",
  ]
}
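One way to do what the question asks, as an added example that is not the asker's code or any answer from the page: instead of one variable per project, the module keeps a single map of member lists keyed by a short project name, and each caller passes only that key. The module then picks its list with `lookup` and guards the binding with `lifecycle` preconditions (Terraform 1.2 or newer; `startswith` needs 1.3 or newer). The `google_container_registry.registry` resource is assumed to exist in the module as in the question; the service-account addresses are the question's own constructed values. The precondition that every member is a `serviceAccount:` principal matters because `google_storage_bucket_iam_binding` is authoritative for its role: whatever list the module ends up with is exactly the set of principals that will hold `roles/storage.objectViewer` on the registry bucket, so a stray `user:` or `allUsers` entry would be granted, and any out-of-band grant would be removed.

```hcl
# modules/cp_project/variables.tf  (added example, not from the question)
variable "project" {
  description = "Short project key that selects the member list, e.g. \"qat01\" or \"dev01\"."
  type        = string
}

# modules/cp_project/members.tf
locals {
  # Project-specific service accounts live inside the module; callers pass only the key.
  # Addresses are the constructed examples from the question.
  members_by_project = {
    qat01 = [
      "serviceAccount:k8s-default-c001@qat01.iam.gserviceaccount.com",
      "serviceAccount:k8s-default-c002@qat01.iam.gserviceaccount.com",
      "serviceAccount:k8s-ecp-c001@qat01.iam.gserviceaccount.com",
      "serviceAccount:k8s-ecp-c002@qat01.iam.gserviceaccount.com",
      "serviceAccount:k8s-infra-c001@qat01.iam.gserviceaccount.com",
      "serviceAccount:k8s-infras-c002@qat01.iam.gserviceaccount.com",
    ]
    dev01 = [
      "serviceAccount:k8s-default-c001@dev01.iam.gserviceaccount.com",
      "serviceAccount:k8s-default-c002@dev01.iam.gserviceaccount.com",
      "serviceAccount:k8s-ecp-c003@dev01.iam.gserviceaccount.com",
      "serviceAccount:k8s-ecp-c004@dev01.iam.gserviceaccount.com",
      "serviceAccount:k8s-infra-c003@dev01.iam.gserviceaccount.com",
      "serviceAccount:k8s-infras-c004@dev01.iam.gserviceaccount.com",
    ]
  }

  # lookup() with an empty default lets the precondition below report an unknown key
  # with a readable message instead of an index error during evaluation.
  members = lookup(local.members_by_project, var.project, [])
}

# modules/cp_project/main.tf
resource "google_storage_bucket_iam_binding" "bucket_permission" {
  bucket  = google_container_registry.registry.id   # assumed to exist in the module, as in the question
  role    = "roles/storage.objectViewer"
  members = local.members

  lifecycle {
    # Refuse to plan for a project key the module does not know.
    precondition {
      condition     = contains(keys(local.members_by_project), var.project)
      error_message = "Unknown project key \"${var.project}\"; expected one of: ${join(", ", keys(local.members_by_project))}."
    }
    # The binding is authoritative for the role, so only service accounts may appear in it.
    precondition {
      condition     = alltrue([for m in local.members : startswith(m, "serviceAccount:")])
      error_message = "All members must be serviceAccount: principals."
    }
  }
}

# qat01.tf (caller): the project file no longer carries any e-mail addresses.
module "qat01_project" {
  source  = "../../../../modules/cp_project"
  project = "qat01"
}

# dev01.tf (caller)
module "dev01_project" {
  source  = "../../../../modules/cp_project"
  project = "dev01"
}
```

Adding prod or preprod is then a new key in `members_by_project` plus a one-line caller, and a review of the module file shows every principal that can read the registry bucket in one place. If some project must keep grants that Terraform does not manage, `google_storage_bucket_iam_member` (one resource per principal, non-authoritative) is the alternative to the binding resource; with the binding, anything not in the list is removed on the next apply.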

0 answers
