Last updated (UTC): 2025-08-29.

- This page is a guide to setting up a Cloud Composer 1 environment and a user-managed service account using Terraform in an existing Google Cloud project.
- Create a user-managed service account with specific permissions instead of relying on the default Compute Engine service account, which new Cloud Composer environments will no longer use by default starting April 13, 2025.
- The guide covers configuring the Google provider, enabling the Cloud Composer API, and defining a custom service account with the required roles.
- It ends with a complete Terraform script that creates a Cloud Composer environment with a custom service account, which you can extend with additional parameters.
- This guide applies to Cloud Composer 1.

This page is a companion to the main page about [creating environments](/composer/docs/composer-1/create-environments). It demonstrates how to set up a Cloud Composer environment and a user-managed service account for this environment in an existing Google Cloud project with [Terraform](https://www.terraform.io). You can use this page as a starting point, then add more configuration parameters for your environment as needed.

About Terraform modules for Cloud Composer

Google maintains the [Terraform provider for Google Cloud](https://registry.terraform.io/providers/hashicorp/google/latest/docs), which includes the [google_composer_environment](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment) resource. This is the officially supported module for Terraform.

There are other Terraform modules maintained by the open source community. To resolve problems with such modules, create issues in their repositories on GitHub. One example of an open source project maintained on GitHub is the [terraform-google-composer](https://github.com/terraform-google-modules/terraform-google-composer) module, which is part of [Terraform blueprints and modules for Google Cloud](/docs/terraform/blueprints/terraform-blueprints). While Google contributes to this project, the module is not maintained by Google and is not related to the Terraform provider for Google Cloud.

Before you begin

- This guide assumes that you have a Google Cloud project with billing configured:
  - You can use an existing project.
  - You can [create a new project](/resource-manager/docs/creating-managing-projects) using the Google Cloud console, Google Cloud CLI, API, or a Python client library.
  - You can create and manage your project using Terraform. For more information, see the Terraform documentation for the [`google_project`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project) resource.
- [Install the gcloud CLI](/sdk/docs/install).

Authenticate with Google Cloud

To authenticate with Google Cloud, run:

    gcloud auth application-default login

For more information about this command, see [`gcloud auth application-default`](/sdk/gcloud/reference/auth/application-default/login).

Configure the Google provider in Terraform

Specify your existing [project ID](/resource-manager/docs/creating-managing-projects) and a default region for resources. Your Cloud Composer environment uses this region.

The `google-beta` provider supports Cloud Composer features that are in Preview. If you want to use only GA features of Cloud Composer, use the `google` provider instead of `google-beta`.

    provider "google-beta" {
      project = "example-project"
      region  = "us-central1"
    }

Enable the Cloud Composer API

Enable the Cloud Composer API in your project:

    resource "google_project_service" "composer_api" {
      provider = google-beta
      project  = "example-project"
      service  = "composer.googleapis.com"
      // Disabling the Cloud Composer API might irreversibly break all other
      // environments in your project. This parameter prevents automatic
      // disabling of the API when the resource is destroyed. Disable the API
      // only after all environments are deleted.
      disable_on_destroy = false
      // Introduced in version 5.39.0 of the Google provider. If set to true,
      // Terraform refuses to disable composer_api if any environment existed
      // in the project during the last 30 days.
      check_if_service_has_usage_on_destroy = true
    }

Create an environment's service account in your project

This guide demonstrates how to create an environment's service account that has all required permissions to run a Cloud Composer environment.

We strongly recommend [setting up a user-managed service account](/composer/docs/composer-1/access-control#service-account) for your Cloud Composer environments that has only **the permissions required to run your environment and the operations in your DAGs**, as described in this guide.

Although we recommend against this approach, if you do not specify an environment's service account, your Cloud Composer environment uses the default Compute Engine service account.

**Upcoming deprecation:** Starting April 13, 2025, new Cloud Composer environments will no longer use the Compute Engine service account by default. An explicitly specified service account will be required; make sure that it is specified in your Terraform scripts. For more information about this change, see [Release notes](/composer/docs/release-notes#January_15_2025).

**Warning:** Your environment's service account can have **too broad permissions on your project**. Because your environment runs DAGs on behalf of its service account, users who can add and modify DAGs in your environment's bucket **can run their code on behalf of the environment's service account** and **exercise all permissions of this account**. Make sure that you are familiar with [security considerations for environment's service accounts](/composer/docs/composer-1/access-control#service-account-security) and understand how this account interacts with the permissions and roles that you grant to individual users in your project.

The service account of your environment might need additional permissions to access other resources in your project. For example, if your DAGs transfer data into BigQuery, this account might need permissions or roles specific to BigQuery.

Define a custom service account with the following roles and permissions:

    resource "google_service_account" "custom_service_account" {
      provider     = google-beta
      account_id   = "custom-service-account"
      display_name = "Example Custom Service Account"
    }

    resource "google_project_iam_member" "custom_service_account" {
      provider = google-beta
      project  = "example-project"
      member   = format("serviceAccount:%s", google_service_account.custom_service_account.email)
      // Role for Public IP environments
      role     = "roles/composer.worker"
    }

Create an environment

Create your environment using Terraform.

The example demonstrates how to create an environment that uses a custom service account. You can add more parameters that define other aspects of your environment's configuration, such as custom scale and performance parameters, or additional PyPI packages.

For more information about other parameters, see [Create environments](/composer/docs/composer-1/create-environments).

**Caution:** If you use [version aliases](/composer/docs/composer-versioning-overview#version-aliases) in the `image_version` parameter, your environment might upgrade to a later version when you run `terraform apply`. To avoid this, use a specific version in this parameter.

    resource "google_composer_environment" "example_environment" {
      provider = google-beta
      name     = "example-environment"

      config {
        software_config {
          image_version = "composer-1.20.12-airflow-1.10.15"
        }

        node_config {
          service_account = google_service_account.custom_service_account.email
        }
      }
    }

Full Terraform script

    provider "google-beta" {
      project = "example-project"
      region  = "us-central1"
    }

    resource "google_project_service" "composer_api" {
      provider = google-beta
      project  = "example-project"
      service  = "composer.googleapis.com"
      // Disabling the Cloud Composer API might irreversibly break all other
      // environments in your project.
      disable_on_destroy = false
      // Introduced in version 5.39.0 of the Google provider. If set to true,
      // Terraform refuses to disable composer_api if any environment existed
      // in the project during the last 30 days.
      check_if_service_has_usage_on_destroy = true
    }

    resource "google_service_account" "custom_service_account" {
      provider     = google-beta
      account_id   = "custom-service-account"
      display_name = "Example Custom Service Account"
    }

    resource "google_project_iam_member" "custom_service_account" {
      provider = google-beta
      project  = "example-project"
      member   = format("serviceAccount:%s", google_service_account.custom_service_account.email)
      // Role for Public IP environments
      role     = "roles/composer.worker"
    }

    resource "google_composer_environment" "example_environment" {
      provider = google-beta
      name     = "example-environment"

      config {
        software_config {
          image_version = "composer-1.20.12-airflow-1.10.15"
        }

        node_config {
          service_account = google_service_account.custom_service_account.email
        }
      }
    }

What's next

See other documentation pages for information about configuring your environment with Terraform. For example:

- [Create environments](/composer/docs/composer-1/create-environments)
- [Override Airflow configuration options](/composer/docs/composer-1/override-airflow-configurations)
- [Set environment variables](/composer/docs/composer-1/set-environment-variables)
- [Install Python dependencies](/composer/docs/composer-1/install-python-dependencies)
- [Scale environments](/composer/docs/composer-1/scale-environments)
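The settings this page recommends (an explicit `node_config.service_account`, `disable_on_destroy = false` on the API resource, a pinned `image_version`, and a role no broader than `roles/composer.worker`) can be enforced before `terraform apply` by inspecting the saved plan. The following Python script is an added example, not code from this page or from the Terraform provider; it reads the JSON that `terraform show -json` produces for a plan file and reports every deviation. The pinned-version regular expression, the treatment of `roles/owner` and `roles/editor` as too broad, and the two embedded sample plans (one mirroring the full script above, one with every recommendation ignored) are assumptions constructed for this example.

```python
"""Check a `terraform show -json` plan for the Cloud Composer settings this page recommends.
Added example, not code from the page. Usage:
    terraform plan -out=tfplan && terraform show -json tfplan | python check_composer_plan.py"""
import json
import re
import sys

# A fully pinned image version looks like composer-1.20.12-airflow-1.10.15.
# Assumption: anything else (for example a shortened "composer-1-airflow-1") is an alias.
PINNED_IMAGE = re.compile(r"^composer-\d+\.\d+\.\d+-airflow-\d+\.\d+\.\d+$")
# Assumption: basic roles count as "too broad" for an environment's service account.
TOO_BROAD_ROLES = {"roles/owner", "roles/editor"}


def _walk(obj, path):
    """Follow `path` through plan JSON. Nested HCL blocks are lists; take the first."""
    for key in path:
        if isinstance(obj, list):
            obj = obj[0] if obj else None
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def _attr(change, *path):
    """Return (value, is_set). A computed value such as a new service account's email
    is absent from `after` and marked true in `after_unknown`, yet it is still set."""
    value = _walk(change.get("after") or {}, path)
    if value is not None:
        return value, True
    return None, _walk(change.get("after_unknown") or {}, path) is True


def check_plan(plan):
    """Return a list of findings; an empty list means the plan follows the page."""
    findings = []
    for res in plan.get("resource_changes", []):
        change, addr, rtype = res["change"], res["address"], res["type"]
        if change["actions"] == ["delete"]:
            continue  # nothing to enforce on a resource that is going away
        if rtype == "google_project_service":
            service, _ = _attr(change, "service")
            disable, _ = _attr(change, "disable_on_destroy")
            if service == "composer.googleapis.com" and disable is not False:
                findings.append(f"{addr}: set disable_on_destroy = false; destroying this resource would otherwise disable the API for every environment in the project")
        elif rtype == "google_composer_environment":
            _, sa_set = _attr(change, "config", "node_config", "service_account")
            if not sa_set:
                findings.append(f"{addr}: node_config.service_account is missing; the environment would use the default Compute Engine service account")
            image, _ = _attr(change, "config", "software_config", "image_version")
            if not image or not PINNED_IMAGE.match(image):
                findings.append(f"{addr}: image_version {image!r} is not pinned; terraform apply may upgrade the environment")
        elif rtype == "google_project_iam_member":
            role, _ = _attr(change, "role")
            if role in TOO_BROAD_ROLES:
                findings.append(f"{addr}: {role} is far broader than roles/composer.worker; anyone who can write DAGs to the environment bucket inherits it")
    return findings


def _change(address, rtype, after, after_unknown=None):
    """Build one `resource_changes` entry for the constructed sample plans below."""
    return {"address": address, "type": rtype, "change": {
        "actions": ["create"], "after": after, "after_unknown": after_unknown or {}}}


# Constructed: the shape of a plan for the page's full script. The service account's
# email is computed at apply time, so the plan only records that it will be set.
PAGE_PLAN = {"format_version": "1.2", "resource_changes": [
    _change("google_project_service.composer_api", "google_project_service",
            {"service": "composer.googleapis.com", "disable_on_destroy": False}),
    _change("google_service_account.custom_service_account", "google_service_account",
            {"account_id": "custom-service-account"}, {"email": True}),
    _change("google_project_iam_member.custom_service_account", "google_project_iam_member",
            {"project": "example-project", "role": "roles/composer.worker"}, {"member": True}),
    _change("google_composer_environment.example_environment", "google_composer_environment",
            {"name": "example-environment", "config": [{"node_config": [{}],
             "software_config": [{"image_version": "composer-1.20.12-airflow-1.10.15"}]}]},
            {"config": [{"node_config": [{"service_account": True}]}]}),
]}

# Constructed: the same environment with every recommendation on this page ignored.
LOOSE_PLAN = {"format_version": "1.2", "resource_changes": [
    _change("google_project_service.composer_api", "google_project_service",
            {"service": "composer.googleapis.com", "disable_on_destroy": True}),
    _change("google_project_iam_member.editor", "google_project_iam_member",
            {"project": "example-project", "role": "roles/editor",
             "member": "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"}),
    _change("google_composer_environment.example_environment", "google_composer_environment",
            {"name": "example-environment", "config": [{"node_config": [{}],
             "software_config": [{"image_version": "composer-1-airflow-1"}]}]}),
]}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = json.load(sys.stdin)
    findings = check_plan(plan)
    print("\n".join(findings) or "plan follows the recommendations on this page")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The `after_unknown` lookup matters: because `google_service_account.custom_service_account.email` is computed, a plan for this page's own script lists `service_account` only under `after_unknown`, and a check that reads `after` alone would wrongly flag the environment as using the default Compute Engine service account.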