0

我有这样的当前 TF 代码设置。 

../../modules/cp_project
resource "google_storage_bucket_iam_binding" "bucket_permission" {
  bucket = google_container_registry.registry.id
  role   = "roles/storage.objectViewer"
  members = var.members
}

qat01.tf
module "qat01_project" {
  source = "../../../../modules/cp_project"
 members = [
    "serviceAccount:k8s-default-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c002@qat01.iam.gserviceaccount.com",
  ]
  }
  
dev01.tf
module "dev01_project" {
  source = "../../../../modules/cp_project"
  members= [
    "serviceAccount:k8s-default-c001@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c004@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c004@dev01.iam.gserviceaccount.com",
  ]
  }

正如您在代码中看到的,服务帐户因项目而异。是否有任何有效(逻辑)方式我在 modules/cp_project 本身中添加服务帐户。我确实有多个文件,例如 prod.tf 和 preprod.tf,它们使用相同的模块和成员中的不同电子邮件地址。我想将所有这些项目特定成员放在 modules/cp_project 中,然后各个项目可以从 cp_project 本身调用各自的成员列表。有办法吗?谢谢你

文件结构

正如您从文件结构中看到的,我想在 module/vars.tf 中列出服务帐户成员,并从 qat01 或 dev01 调用变量。所以我希望模块/vars.tf 如下所示。并且这些变量可以被 dev01.tf 和 qat01.tf 在“members”变量中调用。module/vars.tf 的示例如下

 module/vars.tf

variable "qat01_members" {
    type= list(any)
    default = [
    "serviceAccount:k8s-default-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c002@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c001@qat01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c002@qat01.iam.gserviceaccount.com",
  ] 
}

variable "dev01_members" {
    type= list(any)
    default = [
    "serviceAccount:k8s-default-c001@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-default-c002@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-ecp-c004@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infra-c003@dev01.iam.gserviceaccount.com",
    "serviceAccount:k8s-infras-c004@dev01.iam.gserviceaccount.com",
    ]  
}

4

0 回答 0