google-cloud-platform - Terraform: log export sink throws the error "permission denied on bucket" after working normally for a while
Problem description
I am trying to export logs from a source project to a destination project in GCP. I have created the log sink with the Terraform code below and assigned the relevant permissions to the unique_writer_identity. It works fine for the first 15 to 20 minutes, and then I receive an email saying "log_bucket_permission_denied". To find out what went wrong, I ran a Terraform plan on the same deployment, and it reported that the service accounts created through the sink have changed and that these service accounts do not have the assigned permissions. If that is why it stops working after 15 minutes, what can be done so that this keeps working and does not fail after a while? Please help me. Thanks.
"Terraform plan" 15 minutes after deployment:
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # google_project_iam_binding.config_writer_audit_log_service_account["roles/logging.fieldAccessor"] has been changed
  ~ resource "google_project_iam_binding" "config_writer_audit_log_service_account" {
      ~ etag = "XXXXXXXX=" -> "YYYYYYYYY="
        id   = "project_id/roles/logging.fieldAccessor"
        # (3 unchanged attributes hidden)
    }

  # google_project_iam_binding.config_writer_audit_log_service_account["roles/logging.logWriter"] has been changed
  ~ resource "google_project_iam_binding" "config_writer_audit_log_service_account" {
      ~ etag = "XXXXXXXX=" -> "YYYYYYYYY="
        id   = "project_id/roles/logging.logWriter"
        # (3 unchanged attributes hidden)
    }

Terraform will make the following changes:

  # google_project_iam_binding.config_writer_audit_service_account["roles/logging.logWriter"] will be updated in-place
  ~ resource "google_project_iam_binding" "config_writer_audit_service_account" {
        id      = ""
      ~ members = [
          - "serviceAccount:XXXXXXXXXX-XXXXXX@gcp-sa-logging.iam.gserviceaccount.com",
          + "serviceAccount:XXXXXXXXXX-YYYYYY@gcp-sa-logging.iam.gserviceaccount.com",
        ]
        # (3 unchanged attributes hidden)
    }

....and some more
Code:
# Audit Log Sink1 --> Audit Logs to Log Bucket
resource "google_logging_project_sink" "sink_logging_audit_log_bucket" {
  name                   = "${var.project_id}_ingest_audit_log_bucket_test"
  project                = var.project_id
  description            = "Logging Sink for Audit"
  destination            = "logging.googleapis.com/${google_logging_project_bucket_config.logging_sink_audit_test.id}"
  filter                 = "LOG_ID(cloudaudit.googleapis.com/activity) OR LOG_ID(externalaudit.googleapis.com/activity) OR LOG_ID(cloudaudit.googleapis.com/system_event) OR LOG_ID(externalaudit.googleapis.com/system_event) OR LOG_ID(cloudaudit.googleapis.com/access_transparency) OR LOG_ID(externalaudit.googleapis.com/access_transparency)"
  unique_writer_identity = true
}

### log bucket
resource "google_logging_project_bucket_config" "logging_sink_audit_test" {
  project        = var.common_project_id
  location       = var.location
  retention_days = 30
  bucket_id      = "log-test-bucket_test"
}

resource "google_project_iam_binding" "object_creator_log_audit_test" {
  project = var.common_project_id
  role    = "roles/storage.objectCreator"
  members = [
    google_logging_project_sink.sink_logging_audit_log_bucket.writer_identity
  ]
}

resource "google_project_iam_binding" "log_bucket_Writer_audit_log_test" {
  project = var.common_project_id
  role    = "roles/logging.bucketWriter"
  members = [
    google_logging_project_sink.sink_logging_audit_log_bucket.writer_identity
  ]
}

resource "google_project_iam_binding" "log_config_Writer_audit_test" {
  project = var.common_project_id
  role    = "roles/logging.configWriter"
  members = [
    google_logging_project_sink.sink_logging_audit_log_bucket.writer_identity
  ]
}

resource "google_project_iam_binding" "logging_Writer_audit_test" {
  project = var.common_project_id
  role    = "roles/logging.logWriter"
  members = [
    google_logging_project_sink.sink_logging_audit_log_bucket.writer_identity
  ]
}
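For contrast, the following is an added example, not the question's code and not from any answer or from the Google provider's documentation. It shows the same cross-project sink with the destination-project grant written as a non-authoritative `google_project_iam_member` instead of an authoritative `google_project_iam_binding`. `google_project_iam_binding` owns the complete member list of one role in the project: any divergence between the role's real member list and the binding's `members` argument, whatever caused it, shows up as a `~ members` diff like the one in the plan above, and the next apply rewrites the whole list, removing every member the binding does not name. `google_project_iam_member` manages only one (role, member) pair and leaves other members alone. The example also grants only `roles/logging.bucketWriter`, which is the role a sink's writer identity needs on the destination project when the destination is a Cloud Logging bucket (`roles/storage.objectCreator` is for Cloud Storage bucket destinations). The variable names, resource names and the `output` are assumptions made for the example.

```hcl
# Added example (not the question's code). Cross-project audit-log sink whose
# destination is a Cloud Logging bucket, with the sink's writer identity granted
# the single role it needs through a non-authoritative IAM member resource.
# Assumed variables: var.source_project_id, var.destination_project_id, var.location.

# Log bucket in the destination (central logging) project.
resource "google_logging_project_bucket_config" "audit" {
  project        = var.destination_project_id
  location       = var.location
  retention_days = 30
  bucket_id      = "audit-log-bucket"
}

# Sink in the source project. unique_writer_identity = true gives this sink its
# own service account; its address is exposed as writer_identity after creation.
resource "google_logging_project_sink" "audit" {
  name                   = "${var.source_project_id}-audit-to-log-bucket"
  project                = var.source_project_id
  description            = "Route admin activity, system event and access transparency audit logs"
  destination            = "logging.googleapis.com/${google_logging_project_bucket_config.audit.id}"
  unique_writer_identity = true

  # Same log IDs as the question's filter, assembled from a list for readability.
  filter = join(" OR ", [
    "LOG_ID(cloudaudit.googleapis.com/activity)",
    "LOG_ID(externalaudit.googleapis.com/activity)",
    "LOG_ID(cloudaudit.googleapis.com/system_event)",
    "LOG_ID(externalaudit.googleapis.com/system_event)",
    "LOG_ID(cloudaudit.googleapis.com/access_transparency)",
    "LOG_ID(externalaudit.googleapis.com/access_transparency)",
  ])
}

# Non-authoritative grant on the destination project: manages only this
# (role, member) pair. Other members of roles/logging.bucketWriter, added by a
# different Terraform state or by hand, are neither reported as drift nor removed.
resource "google_project_iam_member" "sink_bucket_writer" {
  project = var.destination_project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_project_sink.audit.writer_identity
}

# Expose the writer identity so it can be compared with the member shown in a
# plan diff or with the destination project's IAM policy.
output "audit_sink_writer_identity" {
  value = google_logging_project_sink.audit.writer_identity
}
```

After `terraform apply`, a second `terraform plan` should report no changes for `google_project_iam_member.sink_bucket_writer`. If a later plan shows that resource being replaced, the `audit_sink_writer_identity` output names the service account the sink is currently using, which is the member the grant on the destination project must carry.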
Solution