想要使用 terraform 在 GCP 中部署具有 public 可读存储对象权限的存储桶

Want to deploy a storage bucket with public readable storage object permission in GCP using terraform

我创建了一个 terraform 文件来创建具有 public 可读存储对象权限的 Google 存储桶。我能够部署存储桶,但无法针对我的模板分配正确的 ACL,我发现 ACL 部分存在一些错误。

provider "google-beta" {
  project = "${var.project}"
}

 resource "google_storage_default_object_access_control" "public_rule" {
  bucket = "google_storage_bucket.test-${var.project}"
  role   = "READER"
  entity = "allUsers"
 }

resource "google_storage_bucket" "bucket" {
  name = "test-${var.project}"
  storage_class = "standard"
  location = "US"
}

错误:附加

如果有人能帮我在创建存储桶时分配权限,那就太好了。

根据Terraform Official Documentation,使用函数bucket.name,它从变量name中读取桶名。您必须在 resource_storage_bucket 中提供您的项目 ID,如下所示。我试过了,它对我来说工作正常:

provider "google-beta" {
}

resource "google_storage_default_object_access_control" "public_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "allUsers"
}

resource "google_storage_bucket" "bucket" {
  name = "[THE_BUCKET_NAME]"
  project = "[PROJECT_ID]"
  storage_class = "standard"
  location = "US"
}

其中 PROJECT_ID 是您的项目 ID,THE_BUCKET_NAME 是您要放置的存储桶名称。

以下设置解决了我的问题:

provider "google-beta" {
  project = "${var.project}"
}

data "google_iam_policy" "viewer" {
  binding {
    role = "roles/storage.objectViewer"
    members = [
        "allUsers",
    ] 
  }
}

resource "google_storage_bucket_iam_policy" "editor" {
  bucket = "${google_storage_bucket.bucket.name}"
  policy_data = "${data.google_iam_policy.viewer.policy_data}"
}

resource "google_storage_bucket" "bucket" {
  name = "${var.project}-xxxx"
  storage_class = "xxxxx"
  location = "xxxxxxx"
}