英文:
Terraform Conditional IAM GCP
问题
尝试使用 Terraform 和基于时间的条件将用户添加到角色中。我的代码如下:
resource "google_project_iam_binding" "cwx_readonly_users" {for_each = toset(local.grantees)project = "<project_id>"role = google_project_iam_custom_role.my-custom-role.idmembers = ["user:${each.value}"]condition {title = "expires_after_30days"description = "Expires in 30 dates from now"expression = "request.time < timestamp(${local.expiry})"}}
我已经定义了一个本地变量 "expiry" 如下:
expiry = timeadd(timestamp(), "720h")
我已经尝试了一切,但无法解决这个问题。
这是我收到的错误信息:
Error: Request `Set IAM Binding for role "projects/xxxx/roles/xxx" on "project "xxxxl""` returned error: Batch request and retried single request "Set IAM Binding for role "projects/xxx/roles/xxxx"" both failed. Final error: Error applying IAM policy for project "xxx": Error setting IAM policy for project "xxx": googleapi: Error 400: Condition expression compilation failed. Debug message: ERROR : ERROR: <expression>:1:36: mismatched input 'T16' expecting {'==', '!=', 'in', '<', '<=', '>=', '>', '&&', '||', '[', ')', '.', ',', '-', '?', '+', '*', '/', '%%'}│ | request.time < timestamp(2023-09-03T16:05:22Z)│ | ...................................^ , badRequest││ with google_project_iam_binding.cwx_readonly_users["xxxx"],│ on main.tf line 37, in resource "google_project_iam_binding" "cwx_readonly_users":│ 37: resource "google_project_iam_binding" "cwx_readonly_users" {
如果我使用这行代码,它可以正常工作:
expression = "request.time < timestamp('2023-04-12T00:00:00.00Z')"
但我希望使用一个变量时间而不是硬编码一个日期,以提高可用性。
英文:
Trying to add a user to a role using Terraform with a time based condition.
My code looks like below
for_each = toset(local.grantees)project = <project_id>role = google_project_iam_custom_role.my-custom-role.idmembers = ["user:${each.value}"]condition {title = "expires_after_30days"description = "Expires in 30 dates from now"#expression = "request.time < timestamp('2023-04-12T00:00:00.00Z')"expression = "request.time < timestamp(${local.expiry})"}}
I have defined a local variable "expiry" as below
expiry = timeadd(timestamp(), "720h")
I have tried everything but unable to resolve this blocker.
Here is the error I get
Error: Request `Set IAM Binding for role "projects/xxxx/roles/xxx" on "project \"xxxxl\""` returned error: Batch request and retried single request "Set IAM Binding for role \"projects/xxx/roles/xxxx\" on \"project \\\"xxx\\\"\"" both failed. Final error: Error applying IAM policy for project "xxx": Error setting IAM policy for project "xxx": googleapi: Error 400: Condition expression compilation failed. Debug message: ERROR : ERROR: <expression>:1:36: mismatched input 'T16' expecting {'==', '!=', 'in', '<', '<=', '>=', '>', '&&', '||', '[', ')', '.', ',', '-', '?', '+', '*', '/', '%%'}│ | request.time < timestamp(2023-09-03T16:05:22Z)│ | ...................................^ , badRequest││ with google_project_iam_binding.cwx_readonly_users["xxxx"],│ on main.tf line 37, in resource "google_project_iam_binding" "cwx_readonly_users":│ 37: resource "google_project_iam_binding" "cwx_readonly_users" {
If I use this line instead, it works just fine
#expression = "request.time < timestamp('2023-04-12T00:00:00.00Z')"
But, I am interested in using a variable time and not hard code a date for better usability
答案1
得分: 1
guillaume blaquiere 是对的,你漏了单引号:
expression = "request.time < timestamp('${local.expiry}')"
英文:
guillaume blaquiere is right, you are missing single quotes:
expression = "request.time < timestamp('${local.expiry}')"
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论