我想使用 Google Cloud Build Trigger 来执行 Terraform 处理。 而且,我想使用 Terraform 创建一个 Firebase 项目。但是,出现构建触发器错误,如下所示。
步骤 #2 - “terraform apply”: │ 错误:创建项目时出错 ************(项目显示名称):googleapi:错误 403:服务帐户无法创建没有父级的项目。禁止。如果您收到 403 错误,请确保您拥有
权限roles/resourcemanager.projectCreator
该错误表示运行Cloud Build的服务帐号没有roles/resourcemanager.projectCreator权限。
下面是 terraform 的 main.tf。
# Terraform configuration to set up providers by version.
terraform {
required_providers {
google-beta = {
source = "hashicorp/google-beta"
version = "~> 4.0"
}
}
}
# Configures the provider to use the resource block's specified project for quota checks.
provider "google-beta" {
user_project_override = true
}
# Configures the provider to not use the resource block's specified project for quota checks.
# This provider should only be used during project creation and initializing services.
provider "google-beta" {
alias = "no_user_project_override"
user_project_override = false
}
# Creates a new Google Cloud project.
resource "google_project" "default" {
provider = google-beta.no_user_project_override
name = "Project Display Name"
project_id = "imatsusoft-project-new-prct5"
# Required for any service that requires the Blaze pricing plan
# (like Firebase Authentication with GCIP)
billing_account = "*****-******-******"
# Required for the project to display in any list of Firebase projects.
labels = {
"firebase" = "enabled"
}
}
# Enables required APIs.
resource "google_project_service" "default" {
provider = google-beta.no_user_project_override
project = google_project.default.project_id
for_each = toset([
"cloudbilling.googleapis.com",
"cloudresourcemanager.googleapis.com",
"firebase.googleapis.com",
# Enabling the ServiceUsage API allows the new project to be quota checked from now on.
"serviceusage.googleapis.com",
])
service = each.key
# Don't disable the service if the resource block is removed by accident.
disable_on_destroy = false
}
# Enables Firebase services for the new project created above.
resource "google_firebase_project" "default" {
provider = google-beta
project = google_project.default.project_id
# Waits for the required APIs to be enabled.
depends_on = [
google_project_service.default
]
}
# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "default" {
provider = google-beta
project = google_project.default.project_id
display_name = "My Awesome Android app"
package_name = "awesome.package.name"
# Wait for Firebase to be enabled in the Google Cloud project before creating this App.
depends_on = [
google_firebase_project.default,
]
}
因此,我执行了以下命令来授予此服务帐户权限:
gcloud projects add-iam-policy-binding sample-project-1354w23 --member serviceAccount:**********@cloudbuild.gserviceaccount.com --role roles/resourcemanager.projectCreator
出现以下错误信息,表示无法向该服务帐户授予权限。
错误:(gcloud.projects.add-iam-policy-binding)INVALID_ARGUMENT:此资源不支持角色 Roles/resourcemanager.projectCreator。
我已经确认GCP项目属于该组织,但我仍然遇到同样的错误。我想就这个问题寻求帮助。
因此角色
roles/resourcemanager.projectCreator
不能在项目级别分配,最低级别是文件夹级别(最高是组织级别)
检查这里
我认为这将是您提到的最后一个错误消息。
对于 CloudBuild 部分,它可能是 IAM 部分,或者您需要定义项目是否将直接附加到组织或特定文件夹
如此处解释
将项目附加到组织的示例
resource "google_project" "my_project" {
name = "My Project"
project_id = "your-project-id"
org_id = "1234567"
}
将项目附加到组织的示例
resource "google_project" "my_project-in-a-folder" {
name = "My Project"
project_id = "your-project-id"
folder_id = google_folder.department1.name
}
resource "google_folder" "department1" {
display_name = "Department 1"
parent = "organizations/1234567"
}