与其他云提供商一样,Google 云平台通过混杂的机制来处理数据访问权限。
GCP 支持标签、IAM 权限和角色等。但它也支持BigQuery 策略标签。
“普通”标签可以通过基础设施代码进行管理。例如,这里是 Terraform。
但我找不到任何方法通过基础设施代码来管理 BigQuery 策略标签。这可能吗?
我本身不需要基础设施作为代码,但我需要它为此用例提供的核心保证:
terraform plan
和 apply
检查以确保野外存在的内容与对野外应有内容的理解相符。如何使用 BigQuery 策略标签 实现这一目标?任何示例或文档将不胜感激!
这是我用来通过 Terraform 创建策略标签并将其应用到表的方法:
# https://cloud.google.com/iam/docs/understanding-roles#datacatalog.categoryFineGrainedReader
data "google_iam_policy" "unrestricted_finegrained_reader" {
binding {
role = "roles/datacatalog.categoryFineGrainedReader"
members = [
"allAuthenticatedUsers",
]
}
}
resource "google_data_catalog_taxonomy" "basic_taxonomy" {
display_name = "my_taxonomy"
description = "A collection of policy tags"
region = "us"
}
resource "google_data_catalog_policy_tag" "date_policy" {
taxonomy = google_data_catalog_taxonomy.basic_taxonomy.id
display_name = "Date"
description = "<Add Description>"
}
resource "google_data_catalog_policy_tag_iam_policy" "policy" {
policy_tag = google_data_catalog_policy_tag.date_policy.name
policy_data = data.google_iam_policy.unrestricted_finegrained_reader.policy_data
}
# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset
# Let's create a dataset
resource "google_bigquery_dataset" "tf_dataset" {
dataset_id = "tf_dataset"
description = "Test dataset for Terraform"
friendly_name = "tf_dataset"
location = "us"
}
# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table
# Let's create a table!
resource "google_bigquery_table" "table1" {
dataset_id = google_bigquery_dataset.tf_dataset.dataset_id
table_id = "table1"
description = "Sample table"
schema = <<EOF
[
{
"name": "col1",
"type": "STRING",
"mode": "NULLABLE",
"description": "col1",
"policyTags":{
"names": [
"${google_data_catalog_policy_tag.date_policy.id}"
]
}
},
{
"name": "col2",
"type": "STRING",
"mode": "NULLABLE",
"description": "col2"
}
]
EOF
}