3

我创建了一个 terraform 文件来创建一个具有公共可读存储对象权限的 Google Storage 存储桶。我能够部署存储桶,但无法针对我的模板分配正确的 ACL,我发现 ACL 部分存在一些错误。

provider "google-beta" {
  project = "${var.project}"
}

 resource "google_storage_default_object_access_control" "public_rule" {
  bucket = "google_storage_bucket.test-${var.project}"
  role   = "READER"
  entity = "allUsers"
 }

resource "google_storage_bucket" "bucket" {
  name = "test-${var.project}"
  storage_class = "standard"
  location = "US"
}

错误:附加在此处输入图像描述

如果有人可以在创建存储桶时帮助我分配权限,那将是非常好的。

4

2 回答 2

4

以下设置解决了我的问题:

provider "google-beta" {
  project = "${var.project}"
}

data "google_iam_policy" "viewer" {
  binding {
    role = "roles/storage.objectViewer"
    members = [
        "allUsers",
    ] 
  }
}

resource "google_storage_bucket_iam_policy" "editor" {
  bucket = "${google_storage_bucket.bucket.name}"
  policy_data = "${data.google_iam_policy.viewer.policy_data}"
}

resource "google_storage_bucket" "bucket" {
  name = "${var.project}-xxxx"
  storage_class = "xxxxx"
  location = "xxxxxxx"
}
于 2020-02-06T10:14:54.837 回答
3

根据Terraform Official Documentation,使用该函数bucket.name,它从变量中读取存储桶名称name。您必须在resource_storage_bucket下面提供您的项目 ID。我试过了,它对我来说是正确的:

provider "google-beta" {
}

resource "google_storage_default_object_access_control" "public_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "allUsers"
}

resource "google_storage_bucket" "bucket" {
  name = "[THE_BUCKET_NAME]"
  project = "[PROJECT_ID]"
  storage_class = "standard"
  location = "US"
}

PROJECT_ID您的项目 ID在哪里,并且THE_BUCKET_NAME是您要放置的存储桶名称。

于 2020-02-05T14:29:29.373 回答