How can I attach a policy to a resource (in this case a PubSub topic)?
resource "google_pubsub_topic" "topic" {
  name = "argo-events"
}

resource "google_service_account" "argo_events_pubsub_publish" {
  account_id = "pubsub-publish"
}

resource "google_project_iam_member" "argo_events_pubsub_publish" {
  role   = "roles/pubsub.editor"
  member = "serviceAccount:${google_service_account.argo_events_pubsub_publish.email}"
}
This creates a service account with edit permissions on all of the project's PubSub infrastructure.
How can I attach the policy (made up of the service account + roles/pubsub.editor) to the topic created at the start?
(So that the service account has the permissions of roles/pubsub.editor, but only on the topic named "argo-events" created at the start.)
The question is written under the assumption that Terraform implements policy attachment in a way similar to the general GCP concept.
There are several ways to attach a policy to a topic or a subscription. Interestingly, the method is not generic but specific to the resource you are binding to (in this case a pubsub topic), and there are at least three ways to do it:
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam
In this case, the solution could look like this:
data "google_iam_policy" "topic" {
  binding {
    role = "roles/pubsub.publisher"
    members = [
      "serviceAccount:${google_service_account.argo_events_pubsub_publish.email}",
    ]
  }
}

resource "google_pubsub_topic_iam_policy" "policy" {
  topic       = google_pubsub_topic.topic.name
  policy_data = data.google_iam_policy.topic.policy_data
}
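An added example (not code from the question or the answer above) showing the least-privilege form of the same setup: the project-wide roles/pubsub.editor grant is dropped, and the service account gets only roles/pubsub.publisher on the one topic via google_pubsub_topic_iam_member, which is additive and leaves any other bindings on the topic in place, whereas the answer's google_pubsub_topic_iam_policy is authoritative and replaces every binding on the topic. The provider block and project id are assumptions.

```hcl
# Provider block is an assumption; the project id is a placeholder.
provider "google" {
  project = "my-project-id"
}

resource "google_pubsub_topic" "topic" {
  name = "argo-events"
}

resource "google_service_account" "argo_events_pubsub_publish" {
  account_id   = "pubsub-publish"
  display_name = "Publishes to the argo-events topic only"
}

# Deliberately no google_project_iam_member here: a project-level
# roles/pubsub.editor would let this account modify every topic and
# subscription in the project, not just "argo-events".

# Additive grant scoped to a single topic. Bindings added elsewhere
# (for example a subscriber service account) are not touched, so this
# is safe to use alongside IAM managed outside this Terraform state.
resource "google_pubsub_topic_iam_member" "argo_events_publisher" {
  topic  = google_pubsub_topic.topic.name
  role   = "roles/pubsub.publisher"
  member = "serviceAccount:${google_service_account.argo_events_pubsub_publish.email}"
}
```

If you keep the answer's google_pubsub_topic_iam_policy instead, every binding the topic should retain must be listed in the google_iam_policy data source, because apply removes any binding that is not.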