Open-source project name: terraform-google-modules/terraform-google-iam
Open-source project URL: https://github.com/terraform-google-modules/terraform-google-iam
Language: HCL 74.0%
Project introduction:

# Google IAM Terraform Module

This is a collection of submodules that make it easier to non-destructively manage multiple IAM roles for resources on Google Cloud Platform:
## Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v6.4.1.

## Upgrading

The following guides are available to assist with upgrades:

## Usage

Full examples are in the examples folder, but basic usage is as follows for managing roles on two projects:

```hcl
module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 6.4"

  projects = ["project-123456", "project-9876543"]

  bindings = {
    "roles/storage.admin" = [
      "group:[email protected]",
      "user:[email protected]",
    ]
    "roles/compute.networkAdmin" = [
      "group:[email protected]",
      "user:[email protected]",
    ]
    "roles/compute.imageUser" = [
      "user:[email protected]",
    ]
  }
}
```

The module also offers an authoritative mode which will remove all roles not assigned through Terraform. This is an example of using the authoritative mode to manage access to a storage bucket:

```hcl
module "storage_buckets_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
  version = "~> 6.4"

  storage_buckets = ["my-storage-bucket"]
  mode            = "authoritative"

  bindings = {
    "roles/storage.legacyBucketReader" = [
      "user:[email protected]",
      "group:[email protected]",
    ]
    "roles/storage.legacyBucketWriter" = [
      "user:[email protected]",
      "group:[email protected]",
    ]
  }
}
```

## Additive and Authoritative Modes

The

In authoritative mode, a submodule takes full control over the IAM bindings listed in the module. This means that any members added to roles outside the module will be removed the next time Terraform runs. However, roles not listed in the module will be unaffected.

In additive mode, a submodule leaves existing bindings unaffected. Instead, any members listed in the module will be added to the existing set of IAM bindings. However, members listed in the module are fully controlled by the module. This means that if you add a binding via the module and later remove it, the module will correctly handle removing the role binding.

## Caveats

### Referencing values/attributes from other resources

Each submodule performs operations over some variables before making any changes on the IAM bindings in GCP. Because of the limitations of
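To make the difference between the two modes concrete, here is an added Python model of the behaviour described above (not the module's own code, which is HCL): it applies a configured binding set to a snapshot of the current IAM bindings under each mode, and lists the out-of-band grants that an authoritative apply would revoke. The roles, members and state below are constructed sample values.

```python
from typing import Dict, Set

Bindings = Dict[str, Set[str]]  # IAM role -> set of members ("user:...", "group:...")


def apply_additive(current: Bindings, desired: Bindings, previously_managed: Bindings) -> Bindings:
    """Additive mode: members in the config are merged into the existing bindings.
    Grants made outside Terraform are left alone, but a member the module granted
    on an earlier run that is no longer in the config is removed."""
    result = {role: set(members) for role, members in current.items()}
    for role, members in previously_managed.items():
        dropped = members - desired.get(role, set())
        if role in result:
            result[role] -= dropped
    for role, members in desired.items():
        result.setdefault(role, set()).update(members)
    return {role: members for role, members in result.items() if members}


def apply_authoritative(current: Bindings, desired: Bindings) -> Bindings:
    """Authoritative mode: every role listed in the config ends up with exactly the
    configured members; roles the config does not mention are untouched."""
    result = {role: set(members) for role, members in current.items()}
    for role, members in desired.items():
        result[role] = set(members)
    return {role: members for role, members in result.items() if members}


def out_of_band_grants(current: Bindings, desired: Bindings) -> Bindings:
    """Members holding a configured role in GCP that are absent from the config.
    These are exactly the grants an authoritative apply would revoke, so review
    them before switching a submodule from additive to authoritative mode."""
    extra = {role: current.get(role, set()) - members for role, members in desired.items()}
    return {role: members for role, members in extra.items() if members}


# Constructed sample state: what IAM currently holds on the project, what the
# module config asks for, and what the module itself granted on the previous run.
CURRENT_IN_GCP: Bindings = {
    "roles/storage.admin": {"group:storage-admins@example.com", "user:contractor@example.com"},
    "roles/compute.imageUser": {"user:builder@example.com"},
    "roles/owner": {"user:founder@example.com"},
}
DESIRED: Bindings = {
    "roles/storage.admin": {"group:storage-admins@example.com"},
    "roles/compute.networkAdmin": {"group:network-admins@example.com"},
}
PREVIOUSLY_MANAGED: Bindings = {"roles/compute.imageUser": {"user:builder@example.com"}}

if __name__ == "__main__":
    print("additive:     ", apply_additive(CURRENT_IN_GCP, DESIRED, PREVIOUSLY_MANAGED))
    print("authoritative:", apply_authoritative(CURRENT_IN_GCP, DESIRED))
    print("would revoke: ", out_of_band_grants(CURRENT_IN_GCP, DESIRED))
```

In the sample, additive mode keeps the contractor's out-of-band storage.admin grant but drops the builder's imageUser grant that the config no longer lists, while authoritative mode revokes the contractor and leaves imageUser alone because that role is not in the config.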
## IAM Bindings

You can choose the following resource types to apply the IAM bindings:

Set the specified variable on the module call to choose the resources to affect. Remember to set the

## Requirements

### Terraform plugins

## Permissions

In order to execute a submodule you must have a Service Account with an appropriate role to manage IAM for the applicable resource. The appropriate role differs depending on which resource you are targeting, as follows:

## Install

### Terraform

Be sure you have the correct Terraform version (0.12); you can choose the binary here:

### Terraform plugins

Be sure you have the compiled plugins on $HOME/.terraform.d/plugins/

See each plugin page for more information about how to compile and use them.

### Fast install (optional)

For a fast install, please configure the variables in the init_centos.sh or init_debian.sh script and then launch it. The script will do: