使用 Terraform 啟用存取權核准

Terraform 是一種開放原始碼基礎架構即程式碼軟體工具,可讓您管理存取核准要求。您可以使用 Terraform 執行所有可透過 Access Approval API 執行的動作。

本頁說明如何使用 Terraform 啟用存取權核准。 本教學課程使用 Google Cloud Terraform Provider

目標

本教學課程說明如何建立 Terraform 設定檔,以執行下列操作:

  • 設定存取權核准要求通知的電子郵件地址。
  • 為所有支援的 Google Cloud 產品啟用「存取權核准」功能。如需 Access Approval 支援的 Google Cloud 產品完整清單,請參閱支援的服務

事前準備

建立 Google Cloud 專案

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Enable the Access Approval API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  4. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  5. Enable the Access Approval API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

    6.

    安裝 Google Cloud CLI

    安裝 Google Cloud CLI。 安裝完成後,執行下列指令初始化 Google Cloud CLI: 

    gcloud init

    如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI

    系統提示時,請選擇先前選取或建立的專案。

    如果您已安裝 Google Cloud CLI,請使用下列指令更新:

    gcloud components update

    建立 Terraform 設定檔

    1. 開啟 Cloud Shell,啟動獨立的 Cloud Shell 工作階段。
    2. 開啟工作區。
    3. 建立新資料夾。
    4. 在這個資料夾中新增名為 main.tf 的 Terraform 設定檔。

    5. 複製下列資源,然後貼到 main.tf 檔案中。

      main.tf

      variable "parent_value" {
type        = string
}

variable "email_1" {
type        = string
}

variable "email_2" {
type        = string
}

resource "google_folder" "my_folder" {
display_name = "my-folder"
parent       = var.parent_value
# parent = "organizations/123456789"
}

resource "google_folder_access_approval_settings" "folder_access_approval" {
folder_id           = google_folder.my_folder.folder_id
notification_emails = [var.email_1, var.email_2]

enrolled_services {
  cloud_product = "all"
  }
}

      輸入下列變數的值:

      • email_1email_2:提供要設為這個專案存取要求審查者的使用者電子郵件地址。
      • parent_value:要建立 my_folder 資料夾的資料夾名稱。如要進一步瞭解資料夾,請參閱建立及管理資料夾

    執行 Terraform 設定檔

    在 Cloud Shell 中執行下列指令。

    1. 在目錄中初始化 Terraform。

      terraform init

    2. 執行建立的 Terraform 設定檔。

      terraform apply

    3. 系統提示您確認是否要執行設定檔時,請輸入「yes」

    如要進一步瞭解如何使用 Terraform 運作存取權核准,請參閱這份 Terraform 文件:google_folder_access_approval_settings

    後續步驟