Update roles

Author: ciiiii

modules/alicloud/vendor-access/files/access_policy.json.tpl

@@ -209,6 +209,19 @@
       "Resource": [
         "*"
       ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "oss:Get*",
+        "oss:List*",
+        "oss:Delete*",
+        "oss:Put*",
+        "oss:Restore*"
+      ],
+      "Resource": [
+        "*"
+      ]
     }
   ]
 }

modules/alicloud/vendor-access/main.tf

@@ -8,33 +8,72 @@ locals {
 data "alicloud_caller_identity" "current" {
 }
 
+data "alicloud_ram_policy_document" "cloud_manager_trust_policy" {
+  version = "1"
+  statement {
+    effect = "Allow"
+    action = ["sts:AssumeRole"]
+    principal {
+      entity      = "RAM"
+      identifiers = var.streamnative_cloud_manager_role_arns
+    }
+    condition {
+      operator = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = var.organization_ids
+    }
+  }
+}
+
+resource "alicloud_ram_policy" "cloud_manager_access" {
+  policy_name     = "streamnative-bootstrap"
+  description     = "StreamNative cloud manager access policy"
+  policy_document = local.access_policy_document
+  force           = true
+  rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded"
+}
+
+resource "alicloud_ram_role" "cloud_manager_role" {
+  name        = "streamnative-bootstrap"
+  description = "StreamNative cloud manager access role"
+  document    = data.alicloud_ram_policy_document.cloud_manager_trust_policy.document
+  force       = true
+}
+
+resource "alicloud_ram_role_policy_attachment" "cloud_manager_access" {
+  policy_name = alicloud_ram_policy.cloud_manager_access.policy_name
+  policy_type = alicloud_ram_policy.cloud_manager_access.type
+  role_name   = alicloud_ram_role.cloud_manager_role.name
+}
+
+
 data "alicloud_ram_policy_document" "support_role_trust_policy" {
   version = "1"
   statement {
     effect = "Allow"
     action = ["sts:AssumeRole"]
     principal {
-      entity        = "RAM"
-      identifiers = var.streamnative_support_access_role_arns
+      entity      = "RAM"
+      identifiers = var.streamnative_support_role_arns
     }
     condition {
       operator = "StringEquals"
       variable = "sts:ExternalId"
-      values   = [var.organization_id]
+      values   = var.organization_ids
     }
   }
 }
 
 resource "alicloud_ram_policy" "support_access" {
-  policy_name     = "StreamNativeSupportAccess"
-  description     = "StreamNative support access policy"
+  policy_name     = "streamnative-support"
+  description     = "StreamNative support role access policy"
   policy_document = local.access_policy_document
   force           = true
   rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded"
 }
 
-resource "alicloud_ram_role" "support_access_role" {
-  name        = "StreamNativeSupportAccessRole"
+resource "alicloud_ram_role" "support_role" {
+  name        = "streamnative-support"
   description = "StreamNative support access role"
   document    = data.alicloud_ram_policy_document.support_role_trust_policy.document
   force       = true
@@ -43,23 +82,35 @@ resource "alicloud_ram_role" "support_access_role" {
 resource "alicloud_ram_role_policy_attachment" "support_access" {
   policy_name = alicloud_ram_policy.support_access.policy_name
   policy_type = alicloud_ram_policy.support_access.type
-  role_name   = alicloud_ram_role.support_access_role.name
+  role_name   = alicloud_ram_role.support_role.name
 }
 
 
+// Activate OSS
+data "alicloud_oss_service" "open" {
+  enable = "On"
+}
+
 // Activate ACK
 // ref: https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/developer-reference/use-terraform-to-assign-default-roles-to-ack-when-you-use-ack-for-the-first-time
 data "alicloud_ack_service" "open" {
-    enable = "On"
-    type   = "propayasgo"
+  enable = "On"
+  type   = "propayasgo"
 }
 
 output "account_id" {
   value = data.alicloud_caller_identity.current.account_id
 }
 
-output "organization_id" {
-  value = var.organization_id
+output "organization_ids" {
+  value = var.organization_ids
+}
+
+output "services" {
+  value = {
+    oss = data.alicloud_oss_service.open.status
+    ack = data.alicloud_ack_service.open.status
+  }
 }
 
 

modules/alicloud/vendor-access/variables.tf

@@ -2,20 +2,27 @@ variable "sn_policy_version" {
   default = ""  
 }
 
-variable "organization_id" {
+variable "organization_ids" {
   description = "The ID of your organization on StreamNative Cloud."
-  type        = string 
+  type        = list(string)
 }
 
 variable "region" {
   default = "*"
   description = "The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions."
 }
 
+variable "streamnative_cloud_manager_role_arns" {
+  default = ["acs:ram::5855446584058772:role/cloud-manager"]
+  description = "The list of StreamNative cloud manager role ARNs. This is used to grant StreamNative cloud manager to your environment."
+  type        = list(string)
+}
+
+
 
-variable "streamnative_support_access_role_arns" {
-  default = ["acs:ram::5855446584058772:role/streamnativesupport"]
-  description = "The list of StreamNative support access role ARNs. This is used to grant StreamNative support access to your environment."
+variable "streamnative_support_role_arns" {
+  default = ["acs:ram::5855446584058772:role/support-general"]
+  description = "The list of StreamNative support role ARNs. This is used to grant StreamNative support to your environment."
   type        = list(string)
 }