Terraform: "Error creating Firewall: googleapi: Error 403: Required 'compute.firewalls.create'"

I am stuck with this script for deploying an image in GCP using Terraform. The idea is to launch a VM instance and open ports 443 and 80 for HTTP requests. When I run "terraform validate" it reports the configuration as correct:

provider "google" {
  project     = "terraform-packer-xxxxxx"
  region      = "us-central1"
  zone        = "us-central1-a"
  credentials = "C:/.../path"
}


data "google_compute_image" "test" {
  name = "packer-08022021-1"
}


resource "google_compute_instance" "myVM" {
  name         = "test"
  machine_type = "e2-micro"
  zone         = "us-central1-a"
  tags = [ "http-server" ]
  boot_disk {
    initialize_params {
      image = data.google_compute_image.test.self_link
    }
  }
  network_interface {
    # A default network is created for all GCP projects
    network = "default"
    access_config {
    }
  }
}

resource "google_compute_firewall" "allow-http" {
  name    = "http-firewall"
  network = "default"

  # A port list is only valid for tcp/udp/sctp; protocol = "all" combined
  # with ports is rejected by the Compute API.
  allow {
    protocol = "tcp"
    ports    = ["80", "443", "22"]
  }

  # target_tags applies the rule to the tagged instance; source_tags would
  # only match traffic originating from other tagged instances in the network.
  target_tags   = ["http-server"]
  source_ranges = ["0.0.0.0/0"]
}

# resource "google_compute_network" "default" {
#   name = "test-network"
# }

output "ip" {
  value = google_compute_instance.myVM.network_interface.0.access_config.0.nat_ip
}

But when I run "terraform apply" I get this error:

Error: Error creating Firewall: googleapi: Error 403: Required 'compute.firewalls.create' permission for 'projects/terraform-packer-303806/global/firewalls/http-firewall'
More details:
Reason: forbidden, Message: Required 'compute.firewalls.create' permission for 'projects/terraform-packer-303806/global/firewalls/http-firewall'
Reason: forbidden, Message: Required 'compute.networks.updatePolicy' permission for 'projects/terraform-packer-303806/global/networks/default'

I have double-checked the permissions on my service account and I have the following: Compute Instance Admin, Service Account User, Network Admin, Firewall Admin.

I don't know what I am doing wrong.

From the error message provided, it seems the service account does not have the compute.firewalls.create permission assigned. This permission is required to create firewall rules, as shown here.

Here you will find a list of roles which have the permission by searching for compute.firewalls. If none of the roles with the permissions suit your needs, you can create custom roles following the steps in the official GCP Documentation.
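To confirm the diagnosis above before touching roles, it helps to compare the roles actually bound to the service account against the two permissions named in the 403 (compute.firewalls.create and compute.networks.updatePolicy). The following checker is an added example, not code from the question or answer; the IAM policy and the role-to-permission map are constructed sample data in the shape of `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE`, and the permission lists are deliberately abbreviated.

```python
"""Offline check: which roles bound to a principal grant the permissions from a GCP 403."""
import json

# The two permissions quoted in the error message on this page.
REQUIRED = {"compute.firewalls.create", "compute.networks.updatePolicy"}

# Constructed sample, same shape as `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY_JSON = """
{"bindings": [
  {"role": "roles/compute.instanceAdmin.v1",
   "members": ["serviceAccount:terraform@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:terraform@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/compute.securityAdmin",
   "members": ["user:admin@example.com"]}
]}
"""

# Constructed, abbreviated role -> permissions map. Real lists come from the
# includedPermissions field of `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS = {
    "roles/compute.instanceAdmin.v1": {"compute.instances.create", "compute.disks.create"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/compute.securityAdmin": {"compute.firewalls.create", "compute.networks.updatePolicy"},
}


def roles_for(policy, member):
    """Roles bound directly to `member` (group membership is not expanded here)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def missing_permissions(policy, member, required, role_perms):
    """Required permissions that no role bound to `member` grants."""
    granted = set()
    for role in roles_for(policy, member):
        granted |= role_perms.get(role, set())
    return sorted(required - granted)


def check(policy_json, member, required=REQUIRED, role_perms=ROLE_PERMISSIONS):
    """Parse the policy and report the member's roles plus any missing permissions."""
    policy = json.loads(policy_json)
    return {"roles": roles_for(policy, member),
            "missing": missing_permissions(policy, member, required, role_perms)}


if __name__ == "__main__":
    sa = "serviceAccount:terraform@example-project.iam.gserviceaccount.com"
    print(json.dumps(check(POLICY_JSON, sa), indent=2))
```

An empty "missing" list for the service account named in the credentials file, but a 403 at apply time, usually points at a different service account or project being used than the one whose bindings were inspected.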