【Title】: Unable to create google group with Terraform resource google_cloud_identity_group
【Posted】: 2020-10-31 01:39:12
【Question】:

The following resource is used to create a google group with terraform, using the google-beta provider, version 3.36:

resource "google_cloud_identity_group" "cloud_identity_group_basic" {
  provider = google-beta
  display_name = "aaa bbb"

  parent = "customers/XXX"

  group_key {
    id = "aaa_bbb@evilcorp.com"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

terraform plan tells me it will create the resource, but running apply fails with the error (Actor does not have permission to create group). The terraform service account already holds many roles, such as Organization Administrator, Google Cloud Managed Identities Admin, Google Cloud Managed Identities Domain Admin, ...

G Suite domain-wide delegation has also been tried, but I am not sure how that would help.

Terraform will perform the following actions:

  # google_cloud_identity_group.cloud_identity_group_basic will be created
  + resource "google_cloud_identity_group" "cloud_identity_group_basic" {
      + create_time  = (known after apply)
      + display_name = "aaa bbb"
      + id           = (known after apply)
      + labels       = {
          + "cloudidentity.googleapis.com/groups.discussion_forum" = ""
        }
      + name         = (known after apply)
      + parent       = "customers/XXX"
      + update_time  = (known after apply)

      + group_key {
          + id = "aaa_bbb@evilcorp.com"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_cloud_identity_group.cloud_identity_group_basic: Creating...

Error: Error creating Group: googleapi: Error 403: Error(2015): Actor does not have permission to create group 'aaa_bbb@evilcorp.com'.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2015): Actor does not have permission to create group 'aaa_bbb@evilcorp.com'.",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  on groups.tf line 1, in resource "google_cloud_identity_group" "cloud_identity_group_basic":
   1: resource "google_cloud_identity_group" "cloud_identity_group_basic" {

【Comments】:

    Tags: permissions terraform terraform-provider-gcp


    【Answer 1】:

    It is now possible to use service accounts with Google Groups APIs without domain-wide delegation.

    See: Setting up the Groups API / Assigning an admin role to the service account. This enables the terraform service account to create/manage groups.

    【Comments】:

      【Answer 2】:

      Building a little on @Dag's answer above:

      This can also be done through the Admin Console.

      Actually, I did not find any other way either; it seems impossible to get the uniqueId of the default Cloud Build service account.

      1. Open the link above as a Workspace super admin.
      2. Click the Groups Admin role.
      3. Click the down arrow in the Admins section.
      4. Finally, click Assign service account, where you can paste the service account email (<YOUR-PROJECT-ID>@cloudbuild.gserviceaccount.com).

      After doing this, you can actually get the service account's uniqueId: just run Try this API from the Directory API documentation, with the roleId (which you can take from the URL after step 2) and the customer ID that you can get from Account settings.

      【Comments】:
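The two answers above come down to one change (grant the terraform service account the Groups Admin admin role) and one verification (read the role assignment back through the Directory API). The following Python is an added example, not code from the question or either answerer: it recognises the Error(2015) code quoted in the question and audits a roleAssignments.list response to confirm the service account holds the Groups Admin role and nothing beyond it. The response document is a constructed sample in the shape of the Admin SDK Directory API roleAssignments.list method; every roleId, roleAssignmentId and uniqueId in it is a placeholder, and the real values come from the Admin Console URL and Account settings as Answer 2 describes.

```python
import json
import re

# Constructed sample of a Directory API roleAssignments.list response.
# All ids below are placeholders, not real role or account ids.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps({
    "kind": "admin#directory#roleAssignments",
    "items": [
        {
            "kind": "admin#directory#roleAssignment",
            "roleAssignmentId": "100000000000000001",
            "roleId": "200000000000000002",          # placeholder Groups Admin roleId
            "assignedTo": "111111111111111111111",   # placeholder terraform SA uniqueId
            "scopeType": "CUSTOMER",
        },
        {
            "kind": "admin#directory#roleAssignment",
            "roleAssignmentId": "100000000000000003",
            "roleId": "200000000000000009",          # placeholder unrelated role
            "assignedTo": "222222222222222222222",   # placeholder other principal
            "scopeType": "CUSTOMER",
        },
    ],
})

# The apply error quoted in the question, reused as sample input for the diagnosis.
SAMPLE_APPLY_ERROR = (
    "Error: Error creating Group: googleapi: Error 403: Error(2015): "
    "Actor does not have permission to create group 'aaa_bbb@evilcorp.com'."
)

# Cloud Identity error code seen in the question, mapped to the remediation the
# answers give (grant the service account the Groups Admin admin role).
KNOWN_GROUP_ERRORS = {
    "2015": "actor lacks permission to create the group: assign the Groups Admin "
            "admin role to the service account (no domain-wide delegation needed)",
}


def diagnose_apply_error(message):
    """Extract the Cloud Identity Error(N) code from a googleapi error message.

    Returns (code, hint), or (None, None) when the message carries no such code.
    """
    match = re.search(r"Error\((\d+)\)", message)
    if not match:
        return None, None
    code = match.group(1)
    return code, KNOWN_GROUP_ERRORS.get(code, "unrecognised Cloud Identity error code")


def role_ids_assigned_to(response_json, unique_id):
    """Set of roleIds assigned to the principal with this uniqueId."""
    data = json.loads(response_json)
    return {
        item["roleId"]
        for item in data.get("items", [])
        if item.get("assignedTo") == unique_id
    }


def audit_service_account(response_json, unique_id, groups_admin_role_id):
    """Confirm the service account holds Groups Admin, and list any other admin
    roles it holds so it can be kept at the least privilege group management needs."""
    roles = role_ids_assigned_to(response_json, unique_id)
    return {
        "has_groups_admin": groups_admin_role_id in roles,
        "other_role_ids": sorted(roles - {groups_admin_role_id}),
    }


if __name__ == "__main__":
    print(diagnose_apply_error(SAMPLE_APPLY_ERROR))
    print(audit_service_account(SAMPLE_ROLE_ASSIGNMENTS,
                                "111111111111111111111", "200000000000000002"))
```

In practice the JSON passed to audit_service_account is the body returned by roleAssignments.list for the customer, fetched with the same credentials Answer 2 uses for Try this API; an empty other_role_ids list is the result to aim for, since the Groups Admin role alone is enough for terraform to manage groups.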
