我有一个 Terraform 模块,它接收一个名为“service_accounts_objects”的变量。每个对象都会接收一个服务帐户字符串以创建新的服务帐户以及包含该 SA 将接收的角色的字符串列表。在模块方面,我可以创建服务帐户,但现在我不知道如何引用第一个资源生成的 SA 成员以在其上应用正确的角色。 我知道我可以通过以下方式引用 google_service_account.service_account:
for_each = google_service_account.service_account
但这需要我唯一可以在此资源上使用的 for-each 循环
模块代码:
module "iam" {
source = "../../modules/iam"
project = var.project
service_accounts_objects = [
{
service_account = "service-${var.project_short}-tl"
roles = [
"roles/run.invoker",
"roles/cloudsql.client",
"roles/cloudsql.instanceUser",
"roles/pubsub.publisher"
]
},
{
service_account = "service-${var.project_short}-template"
roles = [
"roles/cloudsql.client",
"roles/cloudsql.instanceUser",
"roles/pubsub.publisher"
]
}
]
}
resource "google_service_account" "service_account" {
for_each = {
for index, sa in var.service_accounts_objects:
sa.service_account => sa
}
project = var.project
account_id = each.value.service_account
}
resource "google_project_iam_member" "member" {
for_each = {
for i, role in var.service_accounts_objects:
role.roles => role
for j, members in google_service_account.service_account:
members.member => members
}
member = each.value.member
project = var.project
role = each.value.role
}
我是 Terraform 的菜鸟,我不知道这是否可能
如果“第一个服务”是指 GCP 服务帐户,则应该可以通过
google_service_account.service_account[X]Xservice_accounts_objects.[].service_account只是一个一般提示,如果您不确定引用对象有哪些,请尝试运行
terraform state list