此处列出以下示例 - https://medium.com/@mudrii/google-gke-and-sql-with-terraform-294fb840619d
我有一个基本的 Terraform 文件,用于创建数据库和用户:
resource "random_id" "id" {
byte_length = 4
prefix = "${local.resource_prefix}-"
}
resource "google_sql_database_instance" "postgres" {
name = random_id.id.hex
region = local.gcp_region
database_version = "POSTGRES_11"
settings {
availability_type = "ZONAL"
tier = "db-f1-micro"
disk_type = "PD_SSD"
disk_size = 10
disk_autoresize = true
ip_configuration {
authorized_networks {
value = "0.0.0.0/0"
}
require_ssl = false
ipv4_enabled = true
}
location_preference {
zone = local.subnet_public_1_az
}
backup_configuration {
# binary_log_enabled = true
enabled = true
start_time = "00:00"
}
}
}
resource "google_sql_user" "user" {
depends_on = [
google_sql_database_instance.postgres
]
instance = google_sql_database_instance.postgres.name
name = "*********"
password = "*********"
}
这似乎可以毫无问题地创建数据库,但是当它为该数据库创建用户时,它会失败并显示 403:
google_sql_database_instance.postgres: Still creating... [4m0s elapsed]
Error: Error, attempting to list users associated with instance foo-aac6b6f7: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
on postgres.tf line 6, in resource "google_sql_database_instance" "postgres":
6: resource "google_sql_database_instance" "postgres" {
打开详细日志记录,潜在错误如下所示:
GET /sql/v1beta4/projects/(project-id)/instances/foo-aac6b6f7/users?alt=json&prettyPrint=false HTTP/1.1
{
"error": {
"code": 403,
"message": "The client is not authorized to make this request.",
"errors": [
{
"message": "The client is not authorized to make this request.",
"domain": "global",
"reason": "notAuthorized"
}
]
}
}
我一生都无法弄清楚为什么我会在这里获得许可被拒绝,或者如何获得该许可。我使用相同的凭据文件尝试了从命令行发出的请求,它似乎工作正常:
gcloud sql users list --instance foo-aac6b6f7 --credential-file-override ~/gcp.json
NAME HOST
*********
有什么特别的酱汁吗?我在 Terraform 中使用的服务帐户是否不允许发出请求?那么为什么它可以从命令行运行呢?是否只是在创建数据库后过早尝试添加用户?如果是的话,这应该如何运作?
编辑我删除了除
google_sql_database_instance
以外的所有内容,创建了一个新的服务帐户并确保它具有项目所有者角色。
然后我打开跟踪调试来跟踪日志。它首先成功请求创建数据库,然后开始轮询请求等待其完成:
2020/06/11 18:28:50 [DEBUG] Waiting for state to become: [success]
...
GET /sql/v1beta4/projects/(project-id)/operations/(request-id)?alt=json&prettyPrint=false HTTP/1.1
...
HTTP/1.1 200 OK
...
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/(project-name)/instances/(db-name)",
"status": "RUNNING",
"user": "(service-account)@(project-name).iam.gserviceaccount.com",
"insertTime": "2020-06-11T22:26:46.845Z",
"startTime": "2020-06-11T22:26:47.141Z",
"operationType": "CREATE",
"name": "(request-id)",
"targetId": "(db-name)",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/(project-name)/operations/(request-id)",
"targetProject": "(project-name)"
}
它会这样做一段时间,直到获得
DONE
状态:
2020/06/11 18:30:43 [DEBUG] Got DONE while polling for operation (request-id)'s status
然后继续查找数据库,但该操作失败:
GET /sql/v1beta4/projects/(project-id)/instances/(db-name)?alt=json&prettyPrint=false HTTP/1.1
...
HTTP/1.1 404 Not Found
...
{
"error": {
"code": 404,
"message": "The Cloud SQL instance does not exist.",
"errors": [
{
"message": "The Cloud SQL instance does not exist.",
"domain": "global",
"reason": "instanceDoesNotExist"
}
]
}
}
所以这确实是根本错误。不过,它似乎并没有真正满足该请求,最终报告:
2020/06/11 18:30:44 [WARN] Removing SQL Database Instance "(db-name)" because it's gone
但它实际上并没有删除数据库(它仍然在控制台中),并且 Terraform 继续运行,现在从数据库请求用户:
GET /sql/v1beta4/projects/(project-id)/instances/(db-name)/users?alt=json&prettyPrint=false HTTP/1.1
...
{
"error": {
"code": 403,
"message": "The client is not authorized to make this request.",
"errors": [
{
"message": "The client is not authorized to make this request.",
"domain": "global",
"reason": "notAuthorized"
}
]
}
}
THIS是实际报告的错误,但在实际错误之前发生了一团糟。那么...有人知道这里发生了什么事吗?为什么创建数据库成功,然后查找立即失败?为什么 Terraform 会继续前进?
如果其他人登陆这里 - 没有任何权限问题,在提供程序配置中使用 GCP 项目编号而不是项目 ID 时可能会出现此问题。 需要注意的是,在 terraform db 资源中设置项目属性还不够好,它确实必须在提供程序级别。 比如:
provider "google" {
project = "some-non-numerical-google-project-id"
}