
Commit 71b0b8f

github-actions[bot]shanye997
authored andcommitted
enable ACk
update
1 parent 24da8b3 commit 71b0b8f


3 files changed

+173
-0
lines changed

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
<!-- BEGIN_TF_DOCS -->
2+
## Providers
3+
4+
| Name | Version |
5+
|------|---------|
6+
| <a name="provider_alicloud"></a> [alicloud](#provider\_alicloud) | n/a |
7+
8+
## Modules
9+
10+
No modules.
11+
12+
## Resources
13+
14+
| Name | Type |
15+
|------|------|
16+
| [alicloud_ram_role.role](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role) | resource |
17+
| [alicloud_ram_role_policy_attachment.attach](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role_policy_attachment) | resource |
18+
| [alicloud_ack_service.open](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/data-sources/ack_service) | data source |
19+
| [alicloud_ram_roles.roles](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/data-sources/ram_roles) | data source |
20+
21+
## Inputs
22+
23+
| Name | Description | Type | Default | Required |
24+
|------|-------------|------|---------|:--------:|
25+
| <a name="input_region_id"></a> [region\_id](#input\_region\_id) | n/a | `string` | `"cn-hangzhou"` | no |
26+
| <a name="input_roles"></a> [roles](#input\_roles) | 所需RAM角色。 | <pre>list(object({<br/> name = string<br/> policy_document = string<br/> description = string<br/> policy_name = string<br/> }))</pre> | <pre>[<br/> {<br/> "description": "集群的日志组件使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedLogRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedLogRolePolicy"<br/> },<br/> {<br/> "description": "集群的CMS组件使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedCmsRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedCmsRolePolicy"<br/> },<br/> {<br/> "description": "集群的存储插件使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedCsiRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedCsiRolePolicy"<br/> },<br/> {<br/> "description": "ACK Serverless集群的VK组件使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedVKRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedVKRolePolicy"<br/> },<br/> {<br/> "description": "集群默认使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSServerlessKubernetesRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSServerlessKubernetesRolePolicy"<br/> },<br/> {<br/> "description": "集群审计功能使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSKubernetesAuditRole",<br/> "policy_document": 
"{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSKubernetesAuditRolePolicy"<br/> },<br/> {<br/> "description": "集群网络组件使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedNetworkRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedNetworkRolePolicy"<br/> },<br/> {<br/> "description": "集群操作时默认使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSDefaultRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSDefaultRolePolicy"<br/> },<br/> {<br/> "description": "集群默认使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedKubernetesRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedKubernetesRolePolicy"<br/> },<br/> {<br/> "description": "集群Arms插件使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCSManagedArmsRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCSManagedArmsRolePolicy"<br/> },<br/> {<br/> "description": "容器服务(CS)智能运维使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunCISDefaultRole",<br/> "policy_document": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunCISDefaultRolePolicy"<br/> },<br/> {<br/> "description": "集群扩缩容节点池依赖OOS服务,OOS使用此角色来访问您在其他云产品中的资源。",<br/> "name": "AliyunOOSLifecycleHook4CSRole",<br/> "policy_document": 
"{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}",<br/> "policy_name": "AliyunOOSLifecycleHook4CSRolePolicy"<br/> }<br/>]</pre> | no |
27+
<!-- END_TF_DOCS -->
28+
## Documentation
29+
<!-- docs-link -->
30+
31+
The template is based on Aliyun document: [Enable ACK and assign role](http://help.aliyun.com/document_detail/606722.htm)
32+
33+
<!-- docs-link -->
Lines changed: 133 additions & 0 deletions
@@ -0,0 +1,133 @@
1+
provider "alicloud" {
2+
region = var.region_id
3+
}
4+
5+
variable "region_id" {
6+
type = string
7+
default = "cn-hangzhou"
8+
}
9+
10+
// 开通容器服务ACK。
11+
data "alicloud_ack_service" "open" {
12+
enable = "On"
13+
type = "propayasgo"
14+
}
15+
16+
// 所需RAM角色。
17+
variable "roles" {
18+
type = list(object({
19+
name = string
20+
policy_document = string
21+
description = string
22+
policy_name = string
23+
}))
24+
default = [
25+
{
26+
name = "AliyunCSManagedLogRole"
27+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
28+
description = "集群的日志组件使用此角色来访问您在其他云产品中的资源。"
29+
policy_name = "AliyunCSManagedLogRolePolicy"
30+
},
31+
{
32+
name = "AliyunCSManagedCmsRole"
33+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
34+
description = "集群的CMS组件使用此角色来访问您在其他云产品中的资源。"
35+
policy_name = "AliyunCSManagedCmsRolePolicy"
36+
},
37+
{
38+
name = "AliyunCSManagedCsiRole"
39+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
40+
description = "集群的存储插件使用此角色来访问您在其他云产品中的资源。"
41+
policy_name = "AliyunCSManagedCsiRolePolicy"
42+
},
43+
{
44+
name = "AliyunCSManagedVKRole"
45+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
46+
description = "ACK Serverless集群的VK组件使用此角色来访问您在其他云产品中的资源。"
47+
policy_name = "AliyunCSManagedVKRolePolicy"
48+
},
49+
{
50+
name = "AliyunCSServerlessKubernetesRole"
51+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
52+
description = "集群默认使用此角色来访问您在其他云产品中的资源。"
53+
policy_name = "AliyunCSServerlessKubernetesRolePolicy"
54+
},
55+
{
56+
name = "AliyunCSKubernetesAuditRole"
57+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
58+
description = "集群审计功能使用此角色来访问您在其他云产品中的资源。"
59+
policy_name = "AliyunCSKubernetesAuditRolePolicy"
60+
},
61+
{
62+
name = "AliyunCSManagedNetworkRole"
63+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
64+
description = "集群网络组件使用此角色来访问您在其他云产品中的资源。"
65+
policy_name = "AliyunCSManagedNetworkRolePolicy"
66+
},
67+
{
68+
name = "AliyunCSDefaultRole"
69+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
70+
description = "集群操作时默认使用此角色来访问您在其他云产品中的资源。"
71+
policy_name = "AliyunCSDefaultRolePolicy"
72+
},
73+
{
74+
name = "AliyunCSManagedKubernetesRole"
75+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
76+
description = "集群默认使用此角色来访问您在其他云产品中的资源。"
77+
policy_name = "AliyunCSManagedKubernetesRolePolicy"
78+
},
79+
{
80+
name = "AliyunCSManagedArmsRole"
81+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
82+
description = "集群Arms插件使用此角色来访问您在其他云产品中的资源。"
83+
policy_name = "AliyunCSManagedArmsRolePolicy"
84+
},
85+
{
86+
name = "AliyunCISDefaultRole"
87+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
88+
description = "容器服务(CS)智能运维使用此角色来访问您在其他云产品中的资源。"
89+
policy_name = "AliyunCISDefaultRolePolicy"
90+
},
91+
{
92+
name = "AliyunOOSLifecycleHook4CSRole"
93+
policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}"
94+
description = "集群扩缩容节点池依赖OOS服务,OOS使用此角色来访问您在其他云产品中的资源。"
95+
policy_name = "AliyunOOSLifecycleHook4CSRolePolicy"
96+
}
97+
]
98+
}
99+
100+
// 查询RAM角色列表
101+
data "alicloud_ram_roles" "roles" {
102+
policy_type = "Custom"
103+
name_regex = "^Aliyun.*Role$"
104+
}
105+
106+
locals {
107+
# 提取所有所需RAM角色name
108+
all_role_names = [for role in var.roles : role.name]
109+
# 提取已存在的RAM角色name
110+
created_role_names = [for role in data.alicloud_ram_roles.roles.roles : role.name]
111+
# 计算补集:即找出还未创建的所需RAM角色
112+
complement_names = setsubtract(local.all_role_names, local.created_role_names)
113+
# 待创建的RAM角色
114+
complement_roles = [for role in var.roles : role if contains(local.complement_names, role.name)]
115+
}
116+
117+
// 创建角色。
118+
resource "alicloud_ram_role" "role" {
119+
for_each = { for r in local.complement_roles : r.name => r }
120+
name = each.value.name
121+
document = each.value.policy_document
122+
description = each.value.description
123+
force = true
124+
}
125+
126+
// 角色关联系统权限。
127+
resource "alicloud_ram_role_policy_attachment" "attach" {
128+
for_each = { for r in local.complement_roles : r.name => r }
129+
policy_name = each.value.policy_name
130+
policy_type = "System"
131+
role_name = each.value.name
132+
depends_on = [alicloud_ram_role.role]
133+
}
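Review bot: The existence lookup in `data "alicloud_ram_roles" "roles"` filters with `policy_type = "Custom"`, while the only policies this template attaches to those roles are `policy_type = "System"` (in `alicloud_ram_role_policy_attachment.attach`), so a role created by an earlier apply may not be returned by the query and would reappear in `local.complement_roles`; unless the provider ignores `policy_type` when `policy_name` is unset, the second apply then most likely fails on an already-existing role instead of being a no-op, so this is worth checking against the provider docs or simplified to `name_regex = "^Aliyun.*Role$"` alone. Separately, `force = true` on `alicloud_ram_role.role` lets `terraform destroy` delete these roles even while policies are attached, and they are exactly the roles running ACK clusters assume (`cs.aliyuncs.com` / `oos.aliyuncs.com` in each trust policy), so either a `lifecycle { prevent_destroy = true }` block or a comment such as `// force = true: destroy removes the role with policies still attached; clusters depending on it lose access` would make that consequence explicit.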
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
terraform {
2+
required_providers {
3+
alicloud = {
4+
source = "aliyun/alicloud"
5+
}
6+
}
7+
}
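Review bot: `required_providers` declares `source = "aliyun/alicloud"` with no `version` constraint, so without a committed lock file every `terraform init` resolves to whatever provider release is latest at that moment, which is why the generated README lists the provider version as `n/a`. Pinning an explicit `version = "..."` range here and committing `.terraform.lock.hcl` keeps the provider that creates these RAM roles reproducible and lets a provider upgrade be reviewed like any other change; the minimum version the `alicloud_ack_service` data source needs is not visible here and would need to be confirmed against the provider changelog.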
