diff --git a/modules/alicloud/private-link/README.md b/modules/alicloud/private-link/README.md
new file mode 100644
index 0000000..d142a1a
--- /dev/null
+++ b/modules/alicloud/private-link/README.md
@@ -0,0 +1,124 @@ +# StreamNative Cloud - Managed AliCloud Private Link + +This Terraform module configures your AliCloud network to access private StreamNative BYOC pulsar service. + +# QuickStart + +## Create PrivateLink with default settings + +```hcl +provider "alicloud" { + region = "" +} + +module "alicloud_private_link" { + source = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/private-link?ref=main" + + privatelink_service_id = "" + domain_name = "" + endpoint_name = "streamnative-pulsar-endpoint" + + vpc_id = "" + vswitches = [ + { + id = "" + zone = "" + }, + { + id = "" + zone = "" + } + ] +} +``` + +## Create PrivateLink with customized Security Group + +```hcl +provider "alicloud" { + region = "region" +} + +module "alicloud_private_link" { + source = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/private-link?ref=main" + + privatelink_service_id = "" + domain_name = "" + endpoint_name = "streamnative-pulsar-endpoint" + + vpc_id = "" + vswitches = [ + { + id = "" + zone = "" + }, + { + id = "" + zone = "" + } + ] + security_group_ids = [""] +} +``` + +Make sure you have the following inbound rules in your security group: + +- Allow TCP port 443 from the VPC CIDR +- Allow TCP port 6651 from the VPC CIDR +- Allow TCP port 9093 from the VPC CIDR +- Allow TCP port 5671 from the VPC CIDR +- Allow TCP port 8883 from the VPC CIDR + +## Run terraform + +After [authenticating to your AliCloud international account](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) execute the following sequence of commands from the directory containing the `main.tf` configuration file: + +1. Run `terraform init` +2. Run `terraform plan` +3. 
Run `terraform apply` + +# Terraform Docs + +## Requirements + +| Name | Version | +| --------------------------------------------------------------------- | ------- | +| [alicloud](#requirement_alicloud) | 1.248.0 | + +## Providers + +| Name | Version | +| --------------------------------------------------------------- | ------- | +| [alicloud](#provider_alicloud) | 1.248.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | +| [alicloud_privatelink_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/privatelink_vpc_endpoint) | resource | +| [alicloud_privatelink_vpc_endpoint_zone.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/privatelink_vpc_endpoint_zone) | resource | +| [alicloud_pvtz_zone.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/pvtz_zone) | resource | +| [alicloud_pvtz_zone_attachment.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/pvtz_zone_attachment) | resource | +| [alicloud_pvtz_zone_record.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/pvtz_zone_record) | resource | +| [alicloud_security_group.new](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/security_group) | resource | +| [alicloud_security_group_rule.new](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/security_group_rule) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [domain_name](#input_domain_name) | The domain suffix of the Pulsar endpoint, it should be obtained from StreamNative Cloud. | `string` | n/a | yes | +| [endpoint_name](#input_endpoint_name) | The name of the VPC endpoint will be created, used to identify from other endpoints. | `string` | `"streamnative-pulsar-endpoint"` | no | +| [privatelink_service_id](#input_privatelink_service_id) | The ID of the PrivateLink service, it should be obtained from StreamNative Cloud. | `string` | n/a | yes | +| [security_group_ids](#input_security_group_ids) | The list of security group IDs to associate with the endpoint, will create a new security group if this is empty. | `list(string)` | `[]` | no | +| [security_group_inbound_rules](#input_security_group_inbound_rules) | List of inbound rules for the security group, allowing traffic to the endpoint. |
list(object({
port = string
description = string
}))
|
[
{
"description": "Allow HTTPS traffic to the endpoint",
"port": "443/443"
},
{
"description": "Allow Pulsar traffic to the endpoint",
"port": "6651/6651"
},
{
"description": "Allow Kafka traffic to the endpoint",
"port": "9093/9093"
},
{
"description": "Allow AMQP traffic to the endpoint",
"port": "5671/5671"
},
{
"description": "Allow MQTT traffic to the endpoint",
"port": "8883/8883"
}
]
| no | +| [vpc_id](#input_vpc_id) | The ID of the VPC to create the endpoint in. | `string` | n/a | yes | +| [vswitches](#input_vswitches) | The list of VSwitches to associate with the endpoint. |
list(object({
id = string
zone = string
}))
| n/a | yes | + +## Outputs + +No outputs. diff --git a/modules/alicloud/private-link/main.tf b/modules/alicloud/private-link/main.tf new file mode 100644 index 0000000..140ee3a --- /dev/null +++ b/modules/alicloud/private-link/main.tf 
@@ -0,0 +1,60 @@
+resource "alicloud_security_group" "new" {
+ count = length(var.security_group_ids) != 0 ? 0 : 1
+
+ security_group_name = "${var.endpoint_name}-sg"
+ vpc_id = var.vpc_id
+ description = "Security group for PrivateLink VPC Endpoint ${var.endpoint_name}"
+}
+
+resource "alicloud_security_group_rule" "new" {
+ count = length(var.security_group_ids) != 0 ? 0 : length(var.security_group_inbound_rules)
+
+ security_group_id = alicloud_security_group.new[0].id
+ type = "ingress"
+ ip_protocol = "tcp"
+ cidr_ip = "0.0.0.0/0"
+ port_range = var.security_group_inbound_rules[count.index].port
+ policy = "accept"
+ description = var.security_group_inbound_rules[count.index].description
+}
+
+
+locals {
+ security_group_ids = length(var.security_group_ids) != 0 ? var.security_group_ids : [alicloud_security_group.new[0].id]
+}
+
+
+resource "alicloud_privatelink_vpc_endpoint" "this" {
+ service_id = var.privatelink_service_id
+ security_group_ids = local.security_group_ids
+ vpc_id = var.vpc_id
+ vpc_endpoint_name = var.endpoint_name
+}
+
+resource "alicloud_privatelink_vpc_endpoint_zone" "this" {
+ count = length(var.vswitches)
+
+ endpoint_id = alicloud_privatelink_vpc_endpoint.this.id
+ vswitch_id = var.vswitches[count.index].id
+ zone_id = var.vswitches[count.index].zone
+}
+
+resource "alicloud_pvtz_zone" "this" {
+ zone_name = var.domain_name
+ remark = "PrivateLink-${var.endpoint_name}"
+}
+
+resource "alicloud_pvtz_zone_attachment" "this" {
+ zone_id = alicloud_pvtz_zone.this.id
+ vpc_ids = [var.vpc_id]
+}
+
+resource "alicloud_pvtz_zone_record" "this" {
+ count = length(var.vswitches)
+
+ zone_id = alicloud_pvtz_zone.this.id
+ rr = "*"
+ type = "A"
+ value = alicloud_privatelink_vpc_endpoint_zone.this[count.index].eni_ip
+ ttl = 600
+}
diff --git a/modules/alicloud/private-link/variables.tf b/modules/alicloud/private-link/variables.tf
new file mode 100644
index 0000000..6c8383d
--- /dev/null
+++ b/modules/alicloud/private-link/variables.tf
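Review bot: `alicloud_security_group_rule.new` opens every port in `security_group_inbound_rules` to `cidr_ip = "0.0.0.0/0"`, while this module's own README tells users who bring their own security group to allow those ports only "from the VPC CIDR"; the auto-created group should hold to the same rule. The endpoint ENI only receives traffic that is routed inside the VPC (or peered/CEN-connected to it), so the real exposure depends on the customer's network, but the source range should still be an input rather than a constant. Replace the literal with `cidr_ip = var.security_group_inbound_cidr`, declare that variable in variables.tf (default presumably the VPC's CIDR block, which could be looked up from `vpc_id` with a `alicloud_vpcs` data source — verify the attribute name), and note in its description that a wider range is only needed when clients connect from outside the VPC.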
@@ -0,0 +1,73 @@
+terraform {
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.248.0"
+ }
+ }
+}
+
+variable "privatelink_service_id" {
+ description = "The ID of the PrivateLink service, it should be obtained from StreamNative Cloud."
+ type = string
+}
+
+variable "domain_name" {
+ description = "The domain suffix of the Pulsar endpoint, it should be obtained from StreamNative Cloud."
+ type = string
+}
+
+variable "endpoint_name" {
+ description = "The name of the VPC endpoint will be created, used to identify from other endpoints."
+ type = string
+ default = "streamnative-pulsar-endpoint"
+}
+
+variable "vpc_id" {
+ description = "The ID of the VPC to create the endpoint in."
+ type = string
+}
+
+variable "vswitches" {
+ description = "The list of VSwitches to associate with the endpoint."
+ type = list(object({
+ id = string
+ zone = string
+ }))
+}
+
+variable "security_group_ids" {
+ description = "The list of security group IDs to associate with the endpoint, will create a new security group if this is empty."
+ type = list(string)
+ default = []
+}
+
+variable "security_group_inbound_rules" {
+ description = "List of inbound rules for the security group, allowing traffic to the endpoint."
+ type = list(object({
+ port = string
+ description = string
+ }))
+ default = [
+ {
+ port = "443/443",
+ description = "Allow HTTPS traffic to the endpoint"
+ },
+ {
+ port = "6651/6651",
+ description = "Allow Pulsar traffic to the endpoint"
+ },
+ {
+ port = "9093/9093",
+ description = "Allow Kafka traffic to the endpoint"
+ },
+ {
+ port = "5671/5671",
+ description = "Allow AMQP traffic to the endpoint"
+ },
+ {
+ port = "8883/8883",
+ description = "Allow MQTT traffic to the endpoint"
+ }
+ ]
+}
diff --git a/modules/alicloud/vendor-access/README.md b/modules/alicloud/vendor-access/README.md
new file mode 100644
index 0000000..2ede613
--- /dev/null
+++ b/modules/alicloud/vendor-access/README.md
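Review bot: `required_providers` pins `source = "hashicorp/alicloud"`, but the provider is published as `aliyun/alicloud` — the README's own authentication link in this same change points at `registry.terraform.io/providers/aliyun/alicloud` — so `init` appears to depend on a registry-side legacy redirect rather than the namespace the vendor actually signs releases under; pin `source = "aliyun/alicloud"` so the supply-chain identity of the provider is explicit (the exact `1.248.0` pin is good and should stay). Separately, `security_group_inbound_rules[*].port` is a free-form string that is passed straight into `port_range`, so a typo like `"443"` or `"443-443"` only fails at apply time; a `validation` block with `condition = alltrue([for r in var.security_group_inbound_rules : can(regex("^[0-9]{1,5}/[0-9]{1,5}$", r.port))])` and an error message naming the `from/to` format would catch it at plan time.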
@@ -0,0 +1,82 @@ +# StreamNative Cloud - Managed AliCloud Vendor Access + +This Terraform module creates RAM resources within your AliCloud international account. These resources give StreamNative access only for the provisioning and management of StreamNative's BYOC(Bring Your Own Cloud) offering. + +For more information about StreamNative and our managed offerings for Apache Pulsar, visit our [website](https://streamnative.io/streamnativecloud/). + +# Quick Start + +## Pre Requisites + +To use this module you must have [Terraform installed](https://learn.hashicorp.com/tutorials/terraform/install-cli) and be familiar with its usage for [AliCloud](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication). It is recommended to securely store the Terraform configuration you create in source control, as well as use [Terraform's Remote State](https://www.terraform.io/language/state/remote) for storing the `*.tfstate` file. + +## Example + +```hcl +provider "alicloud" { + region = "" +} + +module "vendor_access" { + source = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/vendor-access?ref=main" + + organization_ids = [""] +} +``` + +After [authenticating to your AliCloud international account](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) execute the following sequence of commands from the directory containing the `main.tf` configuration file: + +1. Run `terraform init` +2. Run `terraform plan` +3. Run `terraform apply` + +# Terraform Docs + +## Requirements + +| Name | Version | +| --------------------------------------------------------------------- | ------- | +| [alicloud](#requirement_alicloud) | 1.248.0 | + +## Providers + +| Name | Version | +| --------------------------------------------------------------- | ------- | +| [alicloud](#provider_alicloud) | 1.248.0 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| [alicloud_ram_policy.cloud_manager_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_policy) | resource | +| [alicloud_ram_policy.support_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_policy) | resource | +| [alicloud_ram_role.cloud_manager_role](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role) | resource | +| [alicloud_ram_role.support_role](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role) | resource | +| [alicloud_ram_role_policy_attachment.cloud_manager_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role_policy_attachment) | resource | +| [alicloud_ram_role_policy_attachment.support_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role_policy_attachment) | resource | +| [alicloud_ack_service.open](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/ack_service) | data source | +| [alicloud_caller_identity.current](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/caller_identity) | data source | +| [alicloud_oss_service.open](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/oss_service) | data source | +| [alicloud_ram_policy_document.cloud_manager_trust_policy](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/ram_policy_document) | data source | +| [alicloud_ram_policy_document.support_role_trust_policy](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/ram_policy_document) | data source | + +## Inputs 
+ +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------------- | ---------------------------------------------------------------------- | :------: | +| [organization_ids](#input_organization_ids) | The ID of your organization on StreamNative Cloud. | `list(string)` | n/a | yes | +| [region](#input_region) | The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions. | `string` | `"*"` | no | +| [streamnative_cloud_manager_role_arns](#input_streamnative_cloud_manager_role_arns) | The list of StreamNative cloud manager role ARNs. This is used to grant StreamNative cloud manager to your environment. | `list(string)` |
[
"acs:ram::5855446584058772:role/cloud-manager"
]
| no | +| [streamnative_support_role_arns](#input_streamnative_support_role_arns) | The list of StreamNative support role ARNs. This is used to grant StreamNative support to your environment. | `list(string)` |
[
"acs:ram::5855446584058772:role/support-general"
]
| no | + +## Outputs + +| Name | Description | +| ----------------------------------------------------------------------------------- | ----------- | +| [account_id](#output_account_id) | n/a | +| [organization_ids](#output_organization_ids) | n/a | +| [services](#output_services) | n/a | diff --git a/modules/alicloud/vendor-access/files/access_policy.json.tpl b/modules/alicloud/vendor-access/files/access_policy.json.tpl new file mode 100644 index 0000000..b276d3a --- /dev/null +++ b/modules/alicloud/vendor-access/files/access_policy.json.tpl 
@@ -0,0 +1,227 @@ +{ + "Version": "1", + "Statement": [ + { + "Action": [ + "ecs:Describe*", + "ecs:List*", + "ecs:AddTags", + "ecs:AttachDisk", + "ecs:AttachInstanceRamRole", + "ecs:AttachNetworkInterface", + "ecs:AttachVolume", + "ecs:AuthorizeSecurityGroup", + "ecs:CreateDisk", + "ecs:CreateInstance", + "ecs:CreateLaunchTemplate", + "ecs:CreateLaunchTemplateVersion", + "ecs:CreateNetworkInterface", + "ecs:CreateSecurityGroup", + "ecs:CreateVolume", + "ecs:DeleteDisk", + "ecs:DeleteInstance", + "ecs:DeleteInstances", + "ecs:DeleteLaunchTemplate", + "ecs:DeleteLaunchTemplateVersion", + "ecs:DeleteNetworkInterface", + "ecs:DeleteSecurityGroup", + "ecs:DeleteVolume", + "ecs:DetachDisk", + "ecs:DetachInstanceRamRole", + "ecs:DetachNetworkInterface", + "ecs:DetachVolume", + "ecs:ModifyDiskAttribute", + "ecs:ModifyDiskSpec", + "ecs:ModifyInstance*", + "ecs:ModifyLaunchTemplateDefaultVersion", + "ecs:ModifyNetworkInterfaceAttribute", + "ecs:ModifySecurityGroup*", + "ecs:RebootInstance", + "ecs:ResizeDisk", + "ecs:RunInstances", + "ecs:StartInstance", + "ecs:StartInstances", + "ecs:StopInstance", + "ecs:StopInstances", + "ecs:TagResources", + "ecs:UntagResources" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "vpc:Get*", + "vpc:List*", + "vpc:Create*", + "vpc:Describe*", + "vpc:Modify*", + "vpc:Allocate*", + "vpc:AssociateEipAddress", + "vpc:AssociateRouteTable", + "vpc:Release*", + "vpc:Unassociate*", + "vpc:DeleteRouteEntry", + "vpc:DeleteRouteTable", + "vpc:DeleteRouterInterface", + "vpc:DeleteVSwitch", + "vpc:DeleteVpc", + "vpc:DeleteNatGateway", + "vpc:DeleteSnatEntry", + "vpc:TagResources" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "ram:Get*", + "ram:List*", + "ram:AttachPolicyToRole", + "ram:CreateAccessKey", + "ram:CreatePolicy", + "ram:CreatePolicyVersion", + "ram:CreateRole", + "ram:CreateServiceLinkedRole", + "ram:DeleteAccessKey", + "ram:DeletePolicy", + 
"ram:DeletePolicyVersion", + "ram:DeleteRole", + "ram:DeleteServiceLinkedRole", + "ram:DetachPolicyFromRole", + "ram:UpdateAccessKey", + "ram:UpdateRole", + "ram:CreateUser", + "ram:DeleteUser", + "ram:AttachPolicyToUser", + "ram:DetachPolicyFromUser", + "sts:AssumeRole" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "cs:Get*", + "cs:List*", + "cs:Cancel*", + "cs:Create*", + "cs:Describe*", + "cs:AttachInstances", + "cs:DeleteCluster", + "cs:DeleteClusterNodepool", + "cs:DeleteClusterNodes", + "cs:DeletePolicyInstance", + "cs:DeleteTemplate", + "cs:DeployPolicyInstance", + "cs:*ClusterAddons", + "cs:ModifyCluster", + "cs:ModifyClusterAddon", + "cs:ModifyClusterConfiguration", + "cs:ModifyClusterNodePool", + "cs:ModifyPolicyInstance", + "cs:PauseClusterUpgrade", + "cs:PauseComponentUpgrade", + "cs:QueryK8sComponentUpgradeStatus", + "cs:Queryk8sComponentsUpdateVersion", + "cs:RemoveClusterNodes", + "cs:ResumeComponentUpgrade", + "cs:ResumeUpgradeCluster", + "cs:ScaleCluster", + "cs:ScaleClusterNodePool", + "cs:ScaleOutCluster", + "cs:UnInstallK8sComponents", + "cs:UpdateK8sClusterUserConfigExpire", + "cs:UpdateTemplate", + "cs:UpdateUserPermissions", + "cs:UpgradeCluster", + "cs:UpgradeK8sComponents" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "nlb:*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "privatelink:*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "alidns:Get*", + "alidns:List*", + "alidns:Describe*", + "alidns:AddDomain", + "alidns:AddDomainRecord", + "alidns:DeleteDomain", + "alidns:DeleteDomainRecord", + "alidns:RetrieveDomain", + "alidns:Update*", + "alidns:Set*", + "alidns:BindInstanceDomains", + "alidns:UnbindInstanceDomains", + "alidns:*", + "pvtz:*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "alidns:Get*", + "alidns:List*", + "alidns:Describe*", + "alidns:AddDomain", + 
"alidns:AddDomainRecord", + "alidns:DeleteDomain", + "alidns:DeleteDomainRecord", + "alidns:RetrieveDomain", + "alidns:Update*", + "alidns:Set*", + "alidns:BindInstanceDomains", + "alidns:UnbindInstanceDomains", + "pvtz:*", + "bss:ModifyInstance" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "oss:Get*", + "oss:List*", + "oss:Delete*", + "oss:Put*", + "oss:Restore*" + ], + "Resource": [ + "*" + ] + } + ] +} diff --git a/modules/alicloud/vendor-access/main.tf b/modules/alicloud/vendor-access/main.tf new file mode 100644 index 0000000..9205c17 --- /dev/null +++ b/modules/alicloud/vendor-access/main.tf 
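Review bot: The RAM statement grants `ram:CreateUser`, `ram:CreateAccessKey`, `ram:AttachPolicyToUser`, `ram:AttachPolicyToRole`, `ram:CreatePolicy`, `ram:UpdateRole` and `sts:AssumeRole` on `"Resource": ["*"]`, which lets whoever assumes `streamnative-bootstrap` or `streamnative-support` create a RAM user, attach any policy to it and mint a long-lived access key — that is account-wide administrator access, not the "provisioning and management" scope the README describes. The template also receives `account_id` and `region` from the `templatefile()` call in main.tf but references neither, so nothing in this document is ever narrowed to the customer's account or to the `region` input. The fence below splits the RAM statement into account-wide reads plus writes scoped to `streamnative-`-prefixed roles, policies and users under `${account_id}`; the prefix is my guess at what the provisioner creates and must be confirmed, `ram:CreateServiceLinkedRole` stays on `*` because it targets service-owned roles, and attaching a system policy such as `AdministratorAccess` to a `streamnative-*` role would still be possible, so a deny on that policy name is worth adding if the platform supports it. Separately, the explicit `alidns:` list in the first DNS statement is redundant next to `alidns:*`, the second DNS statement duplicates it and adds `bss:ModifyInstance` (a billing action that needs a justification comment or removal), and `oss:Put*`/`oss:Delete*` on `*` reach every bucket in the account rather than the buckets this module provisions.
```json
    {
      "Effect": "Allow",
      "Action": [
        "ram:Get*",
        "ram:List*",
        "ram:CreateServiceLinkedRole",
        "ram:DeleteServiceLinkedRole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:AttachPolicyToRole",
        "ram:CreateAccessKey",
        "ram:CreatePolicy",
        "ram:CreatePolicyVersion",
        "ram:CreateRole",
        "ram:DeleteAccessKey",
        "ram:DeletePolicy",
        "ram:DeletePolicyVersion",
        "ram:DeleteRole",
        "ram:DetachPolicyFromRole",
        "ram:UpdateAccessKey",
        "ram:UpdateRole",
        "ram:CreateUser",
        "ram:DeleteUser",
        "ram:AttachPolicyToUser",
        "ram:DetachPolicyFromUser",
        "sts:AssumeRole"
      ],
      "Resource": [
        "acs:ram::${account_id}:role/streamnative-*",
        "acs:ram::${account_id}:policy/streamnative-*",
        "acs:ram::${account_id}:user/streamnative-*"
      ]
    },
```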
@@ -0,0 +1,114 @@
+locals {
+ access_policy_document = templatefile("${path.module}/files/access_policy.json.tpl", {
+ account_id = data.alicloud_caller_identity.current.account_id
+ region = var.region
+ })
+}
+
+data "alicloud_caller_identity" "current" {
+}
+
+data "alicloud_ram_policy_document" "cloud_manager_trust_policy" {
+ version = "1"
+ statement {
+ effect = "Allow"
+ action = ["sts:AssumeRole"]
+ principal {
+ entity = "RAM"
+ identifiers = var.streamnative_cloud_manager_role_arns
+ }
+ condition {
+ operator = "StringEquals"
+ variable = "sts:ExternalId"
+ values = var.organization_ids
+ }
+ }
+}
+
+resource "alicloud_ram_policy" "cloud_manager_access" {
+ policy_name = "streamnative-bootstrap"
+ description = "StreamNative cloud manager access policy"
+ policy_document = local.access_policy_document
+ force = true
+ rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded"
+}
+
+resource "alicloud_ram_role" "cloud_manager_role" {
+ name = "streamnative-bootstrap"
+ description = "StreamNative cloud manager access role"
+ document = data.alicloud_ram_policy_document.cloud_manager_trust_policy.document
+ force = true
+}
+
+resource "alicloud_ram_role_policy_attachment" "cloud_manager_access" {
+ policy_name = alicloud_ram_policy.cloud_manager_access.policy_name
+ policy_type = alicloud_ram_policy.cloud_manager_access.type
+ role_name = alicloud_ram_role.cloud_manager_role.name
+}
+
+
+data "alicloud_ram_policy_document" "support_role_trust_policy" {
+ version = "1"
+ statement {
+ effect = "Allow"
+ action = ["sts:AssumeRole"]
+ principal {
+ entity = "RAM"
+ identifiers = var.streamnative_support_role_arns
+ }
+ condition {
+ operator = "StringEquals"
+ variable = "sts:ExternalId"
+ values = var.organization_ids
+ }
+ }
+}
+
+resource "alicloud_ram_policy" "support_access" {
+ policy_name = "streamnative-support"
+ description = "StreamNative support role access policy"
+ policy_document = local.access_policy_document
+ force = true
+ rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded"
+}
+
+resource "alicloud_ram_role" "support_role" {
+ name = "streamnative-support"
+ description = "StreamNative support access role"
+ document = data.alicloud_ram_policy_document.support_role_trust_policy.document
+ force = true
+}
+
+resource "alicloud_ram_role_policy_attachment" "support_access" {
+ policy_name = alicloud_ram_policy.support_access.policy_name
+ policy_type = alicloud_ram_policy.support_access.type
+ role_name = alicloud_ram_role.support_role.name
+}
+
+
+// Activate OSS
+data "alicloud_oss_service" "open" {
+ enable = "On"
+}
+
+// Activate ACK
+// ref: https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/developer-reference/use-terraform-to-assign-default-roles-to-ack-when-you-use-ack-for-the-first-time
+data "alicloud_ack_service" "open" {
+ enable = "On"
+ type = "propayasgo"
+}
+
+output "account_id" {
+ value = data.alicloud_caller_identity.current.account_id
+}
+
+output "organization_ids" {
+ value = var.organization_ids
+}
+
+output "services" {
+ value = {
+ oss = data.alicloud_oss_service.open.status
+ ack = data.alicloud_ack_service.open.status
+ }
+}
diff --git a/modules/alicloud/vendor-access/variables.tf b/modules/alicloud/vendor-access/variables.tf
new file mode 100644
index 0000000..d37bbd2
--- /dev/null
+++ b/modules/alicloud/vendor-access/variables.tf
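Review bot: `alicloud_ram_policy.support_access` attaches the same `local.access_policy_document` that `cloud_manager_access` uses, so the `streamnative-support` role (assumable from the `support-general` ARN) gets every ECS/VPC/RAM/ACK/OSS create-and-delete permission the provisioning automation has, which contradicts the two role descriptions and gives a human support path the same blast radius as the bootstrap path. Render a second template, e.g. `files/support_policy.json.tpl` limited to `Describe*`/`Get*`/`List*` (plus whatever narrowly scoped writes support genuinely needs), expose it as `local.support_policy_document`, and change the support resource to `policy_document = local.support_policy_document`. The `sts:ExternalId` condition on both trust policies is the right confused-deputy control and should stay. Separately, `data "alicloud_oss_service"` and `data "alicloud_ack_service"` with `enable = "On"` activate pay-as-you-go services as a side effect of a read, and data sources are not tracked for destroy; add a comment such as `// NOTE: enable = "On" activates a pay-as-you-go service and is not reverted by terraform destroy` and say the same in the README so the account owner is not surprised by lingering billing.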
@@ -0,0 +1,30 @@
+terraform {
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.248.0"
+ }
+ }
+}
+
+variable "organization_ids" {
+ description = "The ID of your organization on StreamNative Cloud."
+ type = list(string)
+}
+
+variable "region" {
+ default = "*"
+ description = "The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions."
+}
+
+variable "streamnative_cloud_manager_role_arns" {
+ default = ["acs:ram::5855446584058772:role/cloud-manager"]
+ description = "The list of StreamNative cloud manager role ARNs. This is used to grant StreamNative cloud manager to your environment."
+ type = list(string)
+}
+
+variable "streamnative_support_role_arns" {
+ default = ["acs:ram::5855446584058772:role/support-general"]
+ description = "The list of StreamNative support role ARNs. This is used to grant StreamNative support to your environment."
+ type = list(string)
+}
\ No newline at end of file
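Review bot: `variable "region"` is described as constraining where the environment "can be deployed", but its only consumer is the `templatefile()` call in main.tf and `access_policy.json.tpl` never references `${region}`, so setting `region = "cn-hangzhou"` changes nothing and gives the account owner a false sense of scoping. Either wire it into the policy (regional resource ARNs of the form `acs:<service>:${region}:${account_id}:*` for the services whose ARNs carry a region — confirm per service) or remove the variable and its description until it does something; it is also missing `type = string`, which should be added either way. The two role-ARN defaults hard-code a third-party account (`5855446584058772`) that the trust policies will let assume roles in the customer's account, and the README sources this module at `?ref=main`, so a comment above each default along the lines of `# Verify this account ID against StreamNative's published documentation before applying` would give users a reason to check the value rather than trust whatever the branch currently says.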