google-cloud-platform - 如何使用 Terraform 公开 gcp 云功能

Question

我首先要说我对 GCP 和 Terraform 都很陌生，所以我希望有一个我刚刚忽略的简单答案。
我正在尝试创建一个 GCP 云功能，然后使用 Terraform 将其公开。尽管严格遵循文档的示例，但我能够创建该函数但不能将其公开:https://www.terraform.io/docs/providers/google/r/cloudfunctions_function.html
到达 google_cloudfunctions_function_iam_member 资源时，我收到错误“googleapi:错误 403:权限'cloudfunctions.functions.setIamPolicy'拒绝资源...(或资源可能不存在)”。
如何将此功能公开？它与我用于创建所有这些资源的凭据的帐户/api key 有关吗？
提前致谢。
我的 main.tf 文件:

provider "google" {
  project     = "my-project"
  credentials = "key.json" #compute engine default service account api key
  region      = "us-central1"
}

terraform {
  backend "gcs" {
    bucket  = "manually-created-bucket"
    prefix  = "terraform/state"
    credentials = "key.json"
  }
}

# create the storage bucket for our scripts
resource "google_storage_bucket" "source_code" {
  name     = "test-bucket-lh05111992"
  location = "us-central1"
  force_destroy = true
}

# zip up function source code
data "archive_file" "my_function_script_zip" {
 type        = "zip"
 source_dir  = "../source/scripts/my-function-script"
 output_path = "../source/scripts/my-function-script.zip"
}

# add function source code to storage
resource "google_storage_bucket_object" "my_function_script_zip" {
 name   = "index.zip"
 bucket = google_storage_bucket.source_code.name
 source = "../source/scripts/my-function-script.zip"
}

#create the cloudfunction 
resource "google_cloudfunctions_function" "function" {
  name        = "send_my_function_script"
  description = "This function is called in GTM. It sends a users' google analytics id to BigQuery."
  runtime     = "nodejs10"

  available_memory_mb   = 128
  source_archive_bucket = google_storage_bucket.source_code.name
  source_archive_object = google_storage_bucket_object.my_function_script_zip.name
  trigger_http          = true
  entry_point           = "handleRequest"
}

# IAM entry for all users to invoke the function 
resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = google_cloudfunctions_function.function.project
  region         = "us-central1"
  cloud_function = google_cloudfunctions_function.function.name
  
  role = "roles/cloudfunctions.invoker"
  member = "allUsers"
}

Answer 1

似乎 terraform 站点中该示例的唯一问题是自 2019 年 11 月以来已修改的“Cloud Functions IAM 资源”。现在您必须按照说明指定这些资源 here .现在对于您的用户案例(公共(public)云功能)，我建议您关注 this configuration只需将“members”属性更改为“allUsers”，这样就可以了

resource "google_cloudfunctions_function_iam_binding" "binding" {
  project = google_cloudfunctions_function.function.project
  region = google_cloudfunctions_function.function.region
  cloud_function = google_cloudfunctions_function.function.name
  role = "roles/cloudfunctions.invoker"
  members = [
    "allUsers",
  ]
}

最后，您可以对其进行测试并修改您已经创建的功能 here在“#Try this API”右侧面板中输入正确的资源和请求正文，如下所示(确保正确输入“resource”参数):

{
  "policy": {
    "bindings": [
      {
        "members": [
          "allUsers"
        ],
        "role": "roles/cloudfunctions.invoker"
      }
    ]
  }
}