Background
Alibaba Cloud Container Registry (CR) provides secure hosting for application images, precise image security scanning, stable image build services inside and outside China, and convenient image authorization, which together make it easy to manage the full lifecycle of an image. When a DevOps tool needs to access a container image repository created on Alibaba Cloud, that access must be authorized through an Alibaba Cloud account. With the Terraform module (cr) we can create, in one step, a RAM sub-account whose permissions are limited to the target repositories, granting exactly the access required and avoiding the risk of over-privileged credentials.
Procedure
- Write the Terraform script.
- Declare the module in the main.tf file. The file content is as follows:
provider "alicloud" {}

module "cr" {
  source  = "roura356a/cr/alicloud"
  version = "1.3.0"

  # Namespace name
  namespace = "cr_repo_namespace"

  # Repositories the RAM sub-account is granted access to
  repositories = ["one", "two", "three"]
}
- Define the output values in the outputs.tf file. The file content is as follows:
output "cr_namespace" {
  description = "The CR Namespace's ID"
  value       = module.cr.cr_namespace
}

output "cr_access_key" {
  description = "The CR Namespace's Access Key"
  value       = module.cr.cr_access_key
}

output "cr_user" {
  description = "The CR Namespace's User"
  value       = module.cr.cr_user
}

output "ram_user" {
  description = "The RAM User"
  value       = module.cr.ram_user
}

output "ram_console_username" {
  description = "Console login username"
  value       = module.cr.ram_console_username
}

output "cr_endpoint" {
  description = "Public endpoint of the registry"
  value       = module.cr.cr_endpoint
}

output "repository_ids" {
  description = "List of repository IDs created"
  value       = module.cr.repository_ids
}

output "disposable_password" {
  description = "Password to activate the console login profile, forces to reset it"
  value       = module.cr.disposable_password
}

output "access_key_status" {
  description = "Status of the created AccessKey"
  value       = module.cr.access_key_status
}

output "ram_policy_name" {
  description = "The RAM policy name"
  value       = module.cr.ram_policy_name
}

output "ram_policy_type" {
  description = "The RAM policy type"
  value       = module.cr.ram_policy_type
}

output "ram_policy_attachment" {
  description = "The RAM policy attachment ID"
  value       = module.cr.ram_policy_attachment
}
- Run terraform init to initialize the working directory.
terraform init
The command output is similar to the following:
Initializing modules...
Downloading roura356a/cr/alicloud 1.3.0 for cr...
- cr in .terraform\modules\cr\roura356a-terraform-alicloud-cr-c60a3d4
Initializing the backend...
Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.68.0...
- Downloading plugin for provider "random" (hashicorp/random) 2.2.1...
The following providers do not have any version constraints in configuration,
so the latest version was installed.
To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.
* provider.random: version = "~> 2.2"
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
- Run terraform apply to start creating the resources.
terraform apply
The command output is similar to the following:
module.cr.data.alicloud_account.current: Refreshing state...
module.cr.data.alicloud_regions.current: Refreshing state...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
...
Plan: 10 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
module.cr.random_string.cr_console_password: Creating...
...
Apply complete! Resources: 10 added, 0 changed, 0 destroyed.
Outputs:
access_key_status = Active
cr_access_key = LTAI4FfqhU7csppPe******
cr_endpoint = registry.cn-hangzhou.aliyuncs.com
cr_namespace = cr_repo_namespace
cr_user = cr_repo_namespace-cr-user
disposable_password = er1PQu******
ram_console_username = cr_repo_namespace-cr-user@1231579085******.onaliyun.com
ram_policy_attachment = user:cr_repo_namespace-cr-policy:Custom:cr_repo_namespace-cr-user
ram_policy_name = cr_repo_namespace-cr-policy
ram_policy_type = Custom
ram_user = cr_repo_namespace-cr-user
repository_ids = [
"cr_repo_namespace/one",
"cr_repo_namespace/two",
"cr_repo_namespace/three",
]
At the same time, a file named cr-cr_repo_namespace-ak.json is generated in the working directory. It stores the access key of the newly created RAM sub-account that has permission to access the target repositories. The file content is as follows:
{
  "AccessKeySecret": "qkxn1AkG6B50******sneyCQDuurcW",
  "CreateDate": "2020-01-07T07:00:00Z",
  "Status": "Active",
  "AccessKeyId": "LTAI4Ff******ppPeLRkJHES"
}
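As an added example, not part of the original article or of the roura356a/cr module: the outputs.tf above prints cr_access_key and disposable_password in clear text on every apply, so any CI log that captures the run retains a live credential. Marking those two outputs sensitive (a standard attribute of Terraform output blocks) makes Terraform redact them in plan and apply output while leaving the values available to scripts that deliberately read them.

```hcl
# Hardened replacement for the two credential outputs in outputs.tf.
# sensitive = true makes Terraform show "<sensitive>" instead of the value
# in plan/apply output and in the default `terraform output` listing; the
# value itself is unchanged and is still stored in the state file.
output "cr_access_key" {
  description = "The CR Namespace's Access Key (redacted in CLI output)"
  value       = module.cr.cr_access_key
  sensitive   = true
}

output "disposable_password" {
  description = "Password to activate the console login profile, forces to reset it"
  value       = module.cr.disposable_password
  sensitive   = true
}
```

The secret is still written in clear text to terraform.tfstate and to cr-cr_repo_namespace-ak.json, so both files belong outside version control and under restrictive file permissions, and the access key should be rotated if either file is exposed.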