1. 背景问题
使用云产品时，有些功能需要先到控制台手动点击授权（由控制台代为创建服务角色），例如容器服务 ACK 的场景。这一步人工操作会中断自动化集成（CI/CD）流程。
2. 解决方式
可以通过调用以下 RAM API 实现自动授权；注意执行自动化所用的凭证本身需要具备调用这两个 API 的权限。
- 调用 CreateRole 创建服务角色。角色的信任策略（即 AssumeRole 策略文档）决定了谁可以扮演该角色，Principal 应只允许对应的云服务（如 cs.aliyuncs.com）执行 sts:AssumeRole，不要放开给 RAM 用户或其他账号。
- 调用 AttachPolicyToRole 为角色绑定系统权限策略（云产品预置的 System 类型策略，对应下文模板中的 policy_type = "System"）。
2.1 Terraform 实现方式
- 执行模板
//创建角色 resource "alicloud_ram_role" "role" { for_each = {for r in var.roles:r.name => r} name = each.value.name document= each.value.policy_document description = each.value.description force = true } //角色关联系统权限 resource "alicloud_ram_role_policy_attachment" "attach" { for_each = {for r in var.roles:r.name => r} policy_name = each.value.policy_name policy_type = "System" role_name = each.value.name depends_on = [alicloud_ram_role.role] }
- 模板参数
variable "access_key" { default = "" } variable "secret_key" { default = "" } variable "roles" { type = list(object({ name = string policy_document = string description = string policy_name = string })) //用到的服务角色 default = [ { } ] }
2.1.1 容器服务初始化
- 包含了 ACK 服务开通（alicloud_ack_service）和服务角色授权两部分。注意：下面的 AliyunCS*Role 是账号级的默认服务角色，且模板中 force = true，执行 terraform destroy 会连带删除这些角色，可能影响同账号下其他已有集群，请勿在共享账号中随意销毁。
variable "roles" { type = list(object({ name = string policy_document = string description = string policy_name = string })) default = [ { name = "AliyunCSManagedLogRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)Kubernetes集群日志组件使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSManagedLogRolePolicy" }, { name = "AliyunCSManagedCmsRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)集群CMS组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedCmsRolePolicy" }, { name = "AliyunCSManagedCsiRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)Kubernetes集群存储插件使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSManagedCsiRolePolicy" }, { name = "AliyunCSManagedVKRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)Serverless集群VK组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedVKRolePolicy" }, { name = "AliyunCSClusterRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)在应用运行期使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSClusterRolePolicy" }, { name = "AliyunCSServerlessKubernetesRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)ServerlessKubernetes版默认使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSServerlessKubernetesRolePolicy" }, { name = "AliyunCSKubernetesAuditRole" 
policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)Kubernetes审计功能使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSKubernetesAuditRolePolicy" }, { name = "AliyunCSManagedNetworkRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)集群网络组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedNetworkRolePolicy" }, { name = "AliyunCSDefaultRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)在集群操作时默认使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSDefaultRolePolicy" }, { name = "AliyunCSManagedKubernetesRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)ManagedKubernetes版默认使用此角色来访问您在其他云产品中的资源" policy_name = "AliyunCSManagedKubernetesRolePolicy" } , { name = "AliyunCSManagedArmsRole" policy_document="{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS) Kubernetes 集群Arms插件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedArmsRolePolicy" } ] } data "alicloud_ack_service" "open" { enable = "On" type = "propayasgo" } resource "alicloud_ram_role" "role" { for_each = {for r in var.roles:r.name => r} name = each.value.name document= each.value.policy_document description = each.value.description force = true } resource "alicloud_ram_role_policy_attachment" "attach" { for_each = {for r in var.roles:r.name => r} policy_name = each.value.policy_name policy_type = "System" role_name = each.value.name depends_on = [alicloud_ram_role.role] }
3. 服务授权策略获取