google_project_iam_binding 中的 terraform 'condition' 错误
terraform 'condition' error in google_project_iam_binding
我正在尝试创建用户并为其设置策略。
创建用户没有问题。
问题是当我尝试设置条件时。
通过 gcloud 可以正常工作,但使用 terraform 则不行。
当我删除条件行时,有效,但我需要这个条件。
gcloud 命令如下:
gcloud projects add-iam-policy-binding projeto-xyz --member='serviceAccount:client-bot@projeto-xyz.iam.gserviceaccount.com' --role='roles/storage.objectAdmin' --condition='expression=resource.type == "storage.googleapis.com/Bucket" && resource.name.startsWith("projects/_/buckets/bucket-clientz") ,title=bucket'
iam.tf 如下:
resource "google_service_account" "service_account" {
account_id = var.accountid
display_name = var.iam-display-name
provisioner "local-exec" {
command = "gcloud iam service-accounts keys create ${var.accountid}.json --iam-account ${var.accountid}@${var.project}.iam.gserviceaccount.com"
}
}
resource "google_project_iam_binding" "project" {
project = var.project
role = "roles/storage.objectAdmin"
members = [
"serviceAccount:${var.accountid}@${var.project}.iam.gserviceaccount.com",
]
condition {
title = "bucket"
description = "acessar_bucket"
expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
}
}
错误输出:
$terraform plan
错误:参数后缺少换行符
on iam.tf line 18, in resource "google_project_iam_binding" "project":
18: expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
An argument definition must end with a newline.
Error: Invalid character
on iam.tf line 18, in resource "google_project_iam_binding" "project":
18: expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
该语言未使用此字符。
感谢您的帮助。
您没有转义条件中的所有引号。当您看到错误 Missing newline after argument
时,这通常意味着某个未转义的引号提前结束了字符串,其后的文本因此成为意外输入。此外,原行中的插值 `${var.gcp-bucket` 缺少右花括号 `}`,下面的修正也一并补上了它。
更改此行:
expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
为此:
expression = "resource.type == \"storage.googleapis.com/Bucket\" && resource.name.startsWith(\"projects/_/buckets/${var.gcp-bucket}\")"
在资源中将 google-beta 用作 provider 之后,关于 'condition' 的错误消息就消失了。现在我可以创建服务帐户,并为该帐户设置带条件的角色。
感谢 John Hanley 的支持。
main.tf
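terraform {
  required_providers {
    # Pinned to an exact release so plans stay reproducible.
    google = {
      source  = "hashicorp/google"
      version = "3.5.0"
    }
    # iam.tf sets `provider = google-beta` on its resources. Declaring the beta
    # provider here gives it an explicit source and the same pin as `google`;
    # otherwise its version is left unconstrained.
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "3.5.0"
    }
  }
}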
provider "google" {
credentials = file(var.credentials_file)
project = var.project
region = var.region
zone = var.zone
}
provider "google-beta" {
credentials = file(var.credentials_file)
project = var.project
region = var.region
zone = var.zone
iam.tf:
resource "google_service_account" "service_account" {
provider = google-beta
account_id = var.accountid
display_name = var.iam-display-name
provisioner "local-exec" {
command = "gcloud iam service-accounts keys create ${var.accountid}.json --iam-account ${var.accountid}@${var.project}.iam.gserviceaccount.com"
}
}
resource "google_project_iam_member" "project" {
provider = google-beta
project = var.project
role = "roles/storage.objectAdmin"
member = "serviceAccount:${var.accountid}@${var.project}.iam.gserviceaccount.com"
condition {
title = "bucket"
description = "acessar_bucket"
expression = "resource.type == \"storage.googleapis.com/Bucket\" && resource.name.startsWith(\"projects/_/buckets/${var.gcp-bucket}\")"
}
}
我正在尝试创建用户并为其设置策略。 创建用户没有问题。 问题是当我尝试设置条件时。
通过 gcloud 可以正常工作,但使用 terraform 则不行。 当我删除条件行时,有效,但我需要这个条件。
gcloud 命令如下:
gcloud projects add-iam-policy-binding projeto-xyz --member='serviceAccount:client-bot@projeto-xyz.iam.gserviceaccount.com' --role='roles/storage.objectAdmin' --condition='expression=resource.type == "storage.googleapis.com/Bucket" && resource.name.startsWith("projects/_/buckets/bucket-clientz") ,title=bucket'
iam.tf 如下:
resource "google_service_account" "service_account" {
account_id = var.accountid
display_name = var.iam-display-name
provisioner "local-exec" {
command = "gcloud iam service-accounts keys create ${var.accountid}.json --iam-account ${var.accountid}@${var.project}.iam.gserviceaccount.com"
}
}
resource "google_project_iam_binding" "project" {
project = var.project
role = "roles/storage.objectAdmin"
members = [
"serviceAccount:${var.accountid}@${var.project}.iam.gserviceaccount.com",
]
condition {
title = "bucket"
description = "acessar_bucket"
expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
}
}
错误输出:
$terraform plan
错误:参数后缺少换行符
on iam.tf line 18, in resource "google_project_iam_binding" "project":
18: expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
An argument definition must end with a newline.
Error: Invalid character
on iam.tf line 18, in resource "google_project_iam_binding" "project":
18: expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
该语言未使用此字符。
感谢您的帮助。
您没有转义条件中的所有引号。当您看到错误 Missing newline after argument
时,这通常意味着某个未转义的引号提前结束了字符串,其后的文本因此成为意外输入。此外,原行中的插值 `${var.gcp-bucket` 缺少右花括号 `}`,下面的修正也一并补上了它。
更改此行:
expression = "resource.type == \"storage.googleapis.com/Bucket\"&& resource.name.startsWith("projects/_/buckets/${var.gcp-bucket")"
为此:
expression = "resource.type == \"storage.googleapis.com/Bucket\" && resource.name.startsWith(\"projects/_/buckets/${var.gcp-bucket}\")"
在资源中将 google-beta 用作 provider 之后,关于 'condition' 的错误消息就消失了。现在我可以创建服务帐户,并为该帐户设置带条件的角色。
感谢 John Hanley 的支持。
main.tf
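terraform {
  required_providers {
    # Pinned to an exact release so plans stay reproducible.
    google = {
      source  = "hashicorp/google"
      version = "3.5.0"
    }
    # iam.tf sets `provider = google-beta` on its resources. Declaring the beta
    # provider here gives it an explicit source and the same pin as `google`;
    # otherwise its version is left unconstrained.
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "3.5.0"
    }
  }
}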
provider "google" {
credentials = file(var.credentials_file)
project = var.project
region = var.region
zone = var.zone
}
provider "google-beta" {
credentials = file(var.credentials_file)
project = var.project
region = var.region
zone = var.zone
iam.tf:
resource "google_service_account" "service_account" {
provider = google-beta
account_id = var.accountid
display_name = var.iam-display-name
provisioner "local-exec" {
command = "gcloud iam service-accounts keys create ${var.accountid}.json --iam-account ${var.accountid}@${var.project}.iam.gserviceaccount.com"
}
}
resource "google_project_iam_member" "project" {
provider = google-beta
project = var.project
role = "roles/storage.objectAdmin"
member = "serviceAccount:${var.accountid}@${var.project}.iam.gserviceaccount.com"
condition {
title = "bucket"
description = "acessar_bucket"
expression = "resource.type == \"storage.googleapis.com/Bucket\" && resource.name.startsWith(\"projects/_/buckets/${var.gcp-bucket}\")"
}
}