代码之家  ›  专栏  ›  技术社区  ›  McGin

无法为我的Postgres云SQL实例启用专用IP

google-cloud-sql terraform google-cloud-platform
  •  1
  • McGin  · 技术社区  · 7 年前

    当我尝试在我的云SQL实例(PostgreSQL 9.6)上启用一个私有IP时,我收到以下错误消息:

    Network association failed due to the following error: set Service Networking service account as servicenetworking.serviceAgent role on consumer project

    我在“关联网络”下拉列表中选择了一个vpc,我也选择了一个我已经设置好的托管服务网络,所以理论上它应该都能工作。

    我在IAM下找不到与错误消息相关的任何内容,无论是服务帐户,还是 servicenetworking.serviceAgent 许可。

    更新 包括相关的地形片段 

    ## VPC Setup
resource "google_compute_network" "my_network" {
  project                 = "${var.project_id}"
  name                    = "vpc-play"
  auto_create_subnetworks = "false"
  routing_mode            = "REGIONAL"
}
# There is a bunch of subnets linked to this network which are not included here

## Managed services network

resource "google_compute_global_address" "default" {
  name = "google-managed-services-vpc-${var.project_id}"
  project = "${var.project_id}"
  provider = "google-beta"
  ip_version = "IPV4"
  prefix_length = 16
  address_type = "INTERNAL"
  purpose = "VPC_PEERING"
  network = "${google_compute_network.my_network.self_link}"
}


## Error occurs on this step
## Error is : google_service_networking_connection.private_vpc_connection: set Service Networking service account as servicenetworking.serviceAgent role on consumer project

resource "google_service_networking_connection" "private_vpc_connection" {
    provider = "google-beta"
    network       = "${google_compute_network.my_network.self_link}"
    service       = "servicenetworking.googleapis.com"
    reserved_peering_ranges = ["${google_compute_global_address.default.name}"]
}

## Database configuration <-- omitted private ip stuff for now as doesn't even get to creation of this, error in previous step

resource "google_sql_database_instance" "my_db" {
  depends_on = ["google_service_networking_connection.private_vpc_connection"]
  name             = "my_db"
  project          = "${var.project_id}"
  database_version = "POSTGRES_9_6"
  region           = "${var.region}"
  lifecycle {
    prevent_destroy = true
  }

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled     = true
      start_time  = "02:00"
    }

    maintenance_window {
      day = 1
      hour = 3
      update_track = "stable"
    }

    ip_configuration {
      authorized_networks = [
        {
          name  = "office"
          value = "${var.my_ip}"
        },
      ]
    }

    disk_size         = 10
    availability_type = "ZONAL"

    location_preference {
      zone = "${var.zone}"
    }
  }
}
    2 回复  |  直到 6 年前
        1
  •  1
  •   Alex Riquelme    7 年前

    这个 Terraform code to create a Cloud SQL instance with Private IP 有一些错误。第一个是 ${google_compute_network.private_network.self_link} 变量获取整个网络的名称,这意味着 www.googleapis.com/compute/v1/projects/PROJECT-ID/global/networks/testnw2 . 字段中不允许此值 google_compute_global_address.private_ip_address.network ,因此,您需要将$Google_Compute_Network.private_Network.self_link更改为$Google_Compute_Network.private_Network.name。

    另一个错误是 google_sql_database_instance.instance.settings.ip_configuration.private_network 应该是 projects/PROJECT_ID/global/networks/NW_ID . 所以你需要把字段改为 projects/[PROJECT_ID]/global/networks/${google_compute_network.private_network.name} 为了工作。

    第三个错误,以及您在初始消息中共享的错误,需要设置 service account 在TerraForm代码中具有适当的特权以避免此错误。请检查共享代码的第一行。

    第四个错误是您需要使用Google beta提供程序,而不是Google默认的提供程序来执行此操作。

    正如我发表的评论中所讨论的,我看到 "An Unknown Error occurred" 错误在使用该地形代码之前,此错误是指在执行vpc对等时发生的错误。我理解这是令人沮丧的故障排除,因为它没有显示任何有用的信息,但如果您在谷歌云平台支持打开一张罚单,我们将能够使用我们的内部工具检查真正的错误。

    正如所承诺的,这是我用来创建私有网络并在创建时将其附加到谷歌云SQL实例的代码。 

    provider "google-beta" {
 credentials = "${file("CREDENTIALS.json")}"
 project     = "PROJECT-ID"
 region      = "us-central1"
}
resource "google_compute_network" "private_network" {
    name       = "testnw"
}

resource "google_compute_global_address" "private_ip_address" {
    provider="google-beta"
    name          = "${google_compute_network.private_network.name}"
    purpose       = "VPC_PEERING"
    address_type = "INTERNAL"
    prefix_length = 16
    network       = "${google_compute_network.private_network.name}"
}

resource "google_service_networking_connection" "private_vpc_connection" {
    provider="google-beta"
    network       = "${google_compute_network.private_network.self_link}"
    service       = "servicenetworking.googleapis.com"
    reserved_peering_ranges = ["${google_compute_global_address.private_ip_address.name}"]
}

resource "google_sql_database_instance" "instance" {
    provider="google-beta"
    depends_on = ["google_service_networking_connection.private_vpc_connection"]
    name = "privateinstance"
    region = "us-central1"
    settings {
        tier = "db-f1-micro"
        ip_configuration {
            ipv4_enabled = "false"
            private_network = "projects/PROJECT-ID/global/networks/${google_compute_network.private_network.name}"
        }
    }
}
        2
  •  -1
  •   McGin    6 年前

    似乎TerraForm在某个时候破坏了对帐户的权限,并从所有用户中删除了serviceNetworking.serviceAgent角色。

    禁用然后重新启用服务网络API可以通过重置系统所有用户的权限来解决问题。

    推荐文章
    Jess The Witch  ·  GCP云功能中处理延迟任务的模式
    1 年前
    Victor  ·  云运行-经过身份验证的请求在自定义(子)域上不起作用
    1 年前
    Javier Tan  ·  建议如何在firebase中存储需要限制字符的字段?
    1 年前
    Dmitr Zar  ·  Google OAuth 2.0身份验证在React应用程序中不起作用:我做错了什么?
    1 年前
    Monzur Alam  ·  在GCP中启动计算VM实例后,我的VM外部IP和SSH不可访问
    1 年前
    trndjc  ·  在谷歌云控制台中,将Firebase Admin SDK角色授予默认计算服务帐户是否安全?
    1 年前
    Junekuan  ·  Google Appsheet未显示Google sheet图像URL列中的图像
    1 年前
    pnpjtr  ·  谷歌云SQL/mysql谁是对的?
    1 年前
    ffejrekaburb  ·  谷歌云平台Python 3 CURRENT_VERSION_ID
    1 年前
    Grantie  ·  Firebase说ID不匹配
    1 年前
    关于   移动版
    代码之家 - 一站式码农服务社区
    沪ICP备11025650号