google_privileged_access_manager_entitlement 有一个授予单个角色的示例。
如何创建向一组或一组角色授予权利的权利?
我尝试过,但
for_each
声明不被接受。
locals {
roles = [
"roles/compute.instanceAdmin",
"roles/storage.admin",
]
}
resource "google_privileged_access_manager_entitlement" "entitlement" {
entitlement_id = "ndpe-entitlement"
location = "global"
max_request_duration = "43200s" #24hr
parent = "projects/${var.project_id}"
requester_justification_config {
unstructured {}
}
eligible_users {
principals = [
"group:[email protected]"
]
}
privileged_access {
gcp_iam_access {
role_bindings {
for_each = toset(local.roles) # THIS DOES NOT WORK
role = each.value
condition_expression = "request.time < timestamp(\"2024-04-23T18:30:00.000Z\")"
}
resource = "//cloudresourcemanager.googleapis.com/projects/my-project-name"
resource_type = "cloudresourcemanager.googleapis.com/Project"
}
}
additional_notification_targets {
admin_email_recipients = [
"[email protected]",
]
requester_email_recipients = [
"[email protected]"
]
}
approval_workflow {
manual_approvals {
require_approver_justification = true
steps {
approvals_needed = 1
approver_email_recipients = [
"[email protected]"
]
approvers {
principals = [
"group:[email protected]"
]
}
}
}
}
}
使用动态块:
privileged_access {
gcp_iam_access {
dynamic "role_bindings" {
for_each = toset(local.roles)
content {
role = role_bindings.value
}
}
resource = "//cloudresourcemanager.googleapis.com/projects/${local.my_project_id}"
resource_type = "cloudresourcemanager.googleapis.com/Project"
}