为什么 Terraform 无法提供 google_cloudfunctions_function_iam_member?
Why does Terraform fail to provision google_cloudfunctions_function_iam_member?
虽然我能够提供单个 HTTP 触发的 GCP 云函数并公开调用它,但我似乎无法提供我的第二个函数也被公开调用。
我已为我的 Terraform 服务帐户分配了编辑者角色。
google_cloudfunctions_function_iam_member.v2invoker: Creating...
╷
│ Error: Error applying IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": Error setting IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": googleapi: Error 403: Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/myproject/locations/us-central1/functions/v2' (or resource may not exist).
│
│ with google_cloudfunctions_function_iam_member.v2invoker,
│ on main.tf line 460, in resource "google_cloudfunctions_function_iam_member" "v2invoker":
│ 460: resource "google_cloudfunctions_function_iam_member" "v2invoker" {
说明 - 函数资源本身已正确配置,只有 iam_member 资源未正确配置。
我的 Terraform 配置:
resource "google_cloudfunctions_function" "v2" {
name = "v2"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "v2"
trigger_http = true
}
resource "google_cloudfunctions_function_iam_member" "v2invoker" {
project = google_cloudfunctions_function.v2.project
region = google_cloudfunctions_function.v2.region
cloud_function = google_cloudfunctions_function.v2.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-v2" {
value = google_cloudfunctions_function.v2.https_trigger_url
}
为第一个(成功的)函数添加了 terraform 配置:
resource "google_cloudfunctions_function" "helloWorld" {
name = "helloWorld"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "helloWorld"
trigger_http = true
}
# IAM entry so all users can invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.helloWorld.project
region = google_cloudfunctions_function.helloWorld.region
cloud_function = google_cloudfunctions_function.helloWorld.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-helloWorld" {
value = google_cloudfunctions_function.helloWorld.https_trigger_url
}
terraform 当前使用的服务帐户是我以“编辑”角色创建的。
根据 GCP IAM 文档:
Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. See the section above for more information on how to check if a role has the permissions that you need.
您的编辑角色绝对无权对云函数执行 cloudfunctions.functions.setIamPolicy 操作(如错误消息所述)。
将 Cloud Functions Admin role (roles/cloudfunctions.admin) 分配给服务帐户。
它绝对应该拥有与云功能相关的所有权限,包括但不限于在功能上设置 IAM 策略。
虽然我能够提供单个 HTTP 触发的 GCP 云函数并公开调用它,但我似乎无法提供我的第二个函数也被公开调用。
我已为我的 Terraform 服务帐户分配了编辑者角色。
google_cloudfunctions_function_iam_member.v2invoker: Creating...
╷
│ Error: Error applying IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": Error setting IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": googleapi: Error 403: Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/myproject/locations/us-central1/functions/v2' (or resource may not exist).
│
│ with google_cloudfunctions_function_iam_member.v2invoker,
│ on main.tf line 460, in resource "google_cloudfunctions_function_iam_member" "v2invoker":
│ 460: resource "google_cloudfunctions_function_iam_member" "v2invoker" {
说明 - 函数资源本身已正确配置,只有 iam_member 资源未正确配置。
我的 Terraform 配置:
resource "google_cloudfunctions_function" "v2" {
name = "v2"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "v2"
trigger_http = true
}
resource "google_cloudfunctions_function_iam_member" "v2invoker" {
project = google_cloudfunctions_function.v2.project
region = google_cloudfunctions_function.v2.region
cloud_function = google_cloudfunctions_function.v2.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-v2" {
value = google_cloudfunctions_function.v2.https_trigger_url
}
为第一个(成功的)函数添加了 terraform 配置:
resource "google_cloudfunctions_function" "helloWorld" {
name = "helloWorld"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "helloWorld"
trigger_http = true
}
# IAM entry so all users can invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.helloWorld.project
region = google_cloudfunctions_function.helloWorld.region
cloud_function = google_cloudfunctions_function.helloWorld.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-helloWorld" {
value = google_cloudfunctions_function.helloWorld.https_trigger_url
}
terraform 当前使用的服务帐户是我以“编辑”角色创建的。
根据 GCP IAM 文档:
Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. See the section above for more information on how to check if a role has the permissions that you need.
您的编辑角色绝对无权对云函数执行 cloudfunctions.functions.setIamPolicy 操作(如错误消息所述)。
将 Cloud Functions Admin role (roles/cloudfunctions.admin) 分配给服务帐户。
它绝对应该拥有与云功能相关的所有权限,包括但不限于在功能上设置 IAM 策略。