我使用 terraform 创建了一个 GCP 项目，但它没有出现在项目列表中。为什么？

Question

我正在关注https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform的教程

基本上归结为创建一个terraform-admin 默认项目，并有权成为roles/resourcemanager.projectCreator

$ gcloud organizations get-iam-policy $TF_VAR_org_id
bindings:
...snipped...
- members:
  - domain:raverun.com
  - serviceAccount:terraform@terraform-admin.iam.gserviceaccount.com
  role: roles/resourcemanager.projectCreator

我不会在这里复制project.tf 文件，但主要内容是：

provider "google" {
    ...snipped...
}

resource "google_project" "proj" {
    ...snipped...
    project_id      = "tf-foobar"
}

resource "google_project_services" "svcs" {
     ...snipped...
}

运行前terraform apply

$ gcloud projects list
PROJECT_ID          NAME              PROJECT_NUMBER
terraform-admin     terraform-admin     300000000000

运行后terraform apply

$ terraform apply
...snipped...
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Outputs:

project_id = tf-foobar

$ gcloud projects list
PROJECT_ID          NAME              PROJECT_NUMBER
terraform-admin     terraform-admin     300000000000

我的问题是为什么新项目tf-foobar 没有出现？

Answer 1

我想我找到了问题所在。我需要提供域所有者的用户帐户 owner@mydomain.com 一个项目角色，有权编辑新创建的项目。我试过这个：

resource "google_project_iam_binding" "projiambinding1" {
  project = "${google_project.proj.project_id}"
  role    = "roles/editor"

  members = [
    "user:owner@mydomain.com",
    "serviceAccount:xxxxxxxxx-compute@developer.gserviceaccount.com",
    "serviceAccount:yyyyyyyyyyyyy@cloudservices.gserviceaccount.com",
  ]
}

https://console.cloud.google.com/iam-admin/iam?authuser=1&project=tf-foobar&organizationId=xxxxxxxxxxx

所以现在，我新创建的项目现在可见：

$ gcloud projects list
PROJECT_ID          NAME                   PROJECT_NUMBER
terraform-admin     terraform-admin        300000000000
tf-foobar           tf-foobar              111111111111