From fa383e3ac609925be74af655b858d5c35d3dc37c Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Mon, 28 Apr 2025 21:04:35 +0800 Subject: [PATCH 01/10] Add alicloud vendor-access module --- .../files/access_policy.json.tpl | 179 ++++++++++++++++++ modules/alicloud/vendor-access/main.tf | 93 +++++++++ modules/alicloud/vendor-access/variables.tf | 122 ++++++++++++ modules/alicloud/vendor-access/versions.tf | 8 + 4 files changed, 402 insertions(+) create mode 100644 modules/alicloud/vendor-access/files/access_policy.json.tpl create mode 100644 modules/alicloud/vendor-access/main.tf create mode 100644 modules/alicloud/vendor-access/variables.tf create mode 100644 modules/alicloud/vendor-access/versions.tf diff --git a/modules/alicloud/vendor-access/files/access_policy.json.tpl b/modules/alicloud/vendor-access/files/access_policy.json.tpl new file mode 100644 index 0000000..b97bc55 --- /dev/null +++ b/modules/alicloud/vendor-access/files/access_policy.json.tpl 
@@ -0,0 +1,179 @@ +{ + "Version": "1", + "Statement": [ + { + "Action": [ + "ecs:Describe*", + "ecs:List*", + "ecs:AddTags", + "ecs:AttachDisk", + "ecs:AttachInstanceRamRole", + "ecs:AttachNetworkInterface", + "ecs:AttachVolume", + "ecs:AuthorizeSecurityGroup", + "ecs:CreateDisk", + "ecs:CreateInstance", + "ecs:CreateLaunchTemplate", + "ecs:CreateLaunchTemplateVersion", + "ecs:CreateNetworkInterface", + "ecs:CreateSecurityGroup", + "ecs:CreateVolume", + "ecs:DeleteDisk", + "ecs:DeleteInstance", + "ecs:DeleteInstances", + "ecs:DeleteLaunchTemplate", + "ecs:DeleteLaunchTemplateVersion", + "ecs:DeleteNetworkInterface", + "ecs:DeleteSecurityGroup", + "ecs:DeleteVolume", + "ecs:DetachDisk", + "ecs:DetachInstanceRamRole", + "ecs:DetachNetworkInterface", + "ecs:DetachVolume", + "ecs:ModifyDiskAttribute", + "ecs:ModifyDiskSpec", + "ecs:ModifyInstance*", + "ecs:ModifyLaunchTemplateDefaultVersion", + "ecs:ModifyNetworkInterfaceAttribute", + "ecs:ModifySecurityGroup*", + "ecs:RebootInstance", + "ecs:ResizeDisk", + "ecs:RunInstances", + "ecs:StartInstance", + "ecs:StartInstances", + "ecs:StopInstance", + "ecs:StopInstances", + "ecs:TagResources", + "ecs:UntagResources" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "vpc:Get*", + "vpc:Create*", + "vpc:Describe*", + "vpc:Modify*", + "vpc:Allocate*", + "vpc:AssociateRouteTable", + "vpc:Release*", + "vpc:Unassociate*", + "vpc:DeleteRouteEntry", + "vpc:DeleteRouteTable", + "vpc:DeleteRouterInterface", + "vpc:DeleteVSwitch", + "vpc:DeleteVpc", + "vpc:DeleteNatGateway", + "vpc:TagResources" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "ram:Get*", + "ram:List*", + "ram:AttachPolicyToRole", + "ram:CreateAccessKey", + "ram:CreatePolicy", + "ram:CreatePolicyVersion", + "ram:CreateRole", + "ram:CreateServiceLinkedRole", + "ram:DeleteAccessKey", + "ram:DeletePolicy", + "ram:DeletePolicyVersion", + "ram:DeleteRole", + "ram:DeleteServiceLinkedRole", + 
"ram:DetachPolicyFromRole", + "ram:UpdateAccessKey", + "ram:UpdateRole", + "sts:AssumeRole" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "cs:Get*", + "cs:List*", + "cs:Cancel*", + "cs:Create*", + "cs:Describe*", + "cs:AttachInstances", + "cs:DeleteCluster", + "cs:DeleteClusterNodepool", + "cs:DeleteClusterNodes", + "cs:DeletePolicyInstance", + "cs:DeleteTemplate", + "cs:DeployPolicyInstance", + "cs:ModifyCluster", + "cs:ModifyClusterAddon", + "cs:ModifyClusterConfiguration", + "cs:ModifyClusterNodePool", + "cs:ModifyPolicyInstance", + "cs:PauseClusterUpgrade", + "cs:PauseComponentUpgrade", + "cs:QueryK8sComponentUpgradeStatus", + "cs:Queryk8sComponentsUpdateVersion", + "cs:RemoveClusterNodes", + "cs:ResumeComponentUpgrade", + "cs:ResumeUpgradeCluster", + "cs:ScaleCluster", + "cs:ScaleClusterNodePool", + "cs:ScaleOutCluster", + "cs:UnInstallK8sComponents", + "cs:UpdateK8sClusterUserConfigExpire", + "cs:UpdateTemplate", + "cs:UpgradeCluster", + "cs:UpgradeK8sComponents" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "nlb:*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "privatelink:*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "alidns:List*", + "alidns:Describe*", + "alidns:AddDomain", + "alidns:AddDomainRecord", + "alidns:DeleteDomain", + "alidns:DeleteDomainRecord", + "alidns:RetrieveDomain", + "alidns:UpdateDomainRecord", + "alidns:UpdateDomainRecordRemark", + "alidns:UpdateDomainRemark" + ], + "Resource": [ + "*" + ] + } + ] +} diff --git a/modules/alicloud/vendor-access/main.tf b/modules/alicloud/vendor-access/main.tf new file mode 100644 index 0000000..6814626 --- /dev/null +++ b/modules/alicloud/vendor-access/main.tf 
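Review bot: The RAM statement grants `ram:CreatePolicy`, `ram:CreatePolicyVersion`, `ram:AttachPolicyToRole`, `ram:CreateAccessKey` and `sts:AssumeRole` on `"Resource": ["*"]`, which lets any holder of this role author an unrestricted policy, attach it to a role it can assume, and escalate to full account control; the carefully enumerated ecs/vpc/cs actions then provide no boundary at all. Scope these to the roles and policies the bootstrap actually manages, e.g. `"acs:ram::*:role/streamnative-*"` and `"acs:ram::*:policy/streamnative-*"`, and drop `ram:CreateAccessKey`/`ram:UpdateAccessKey` unless a documented need for long-lived keys exists. The template is rendered with `account_id` and `region` (see main.tf in this patch) but no `${account_id}` or `${region}` appears anywhere in it, so the region restriction the variables promise is never applied; either use them in the Resource ARNs or stop passing them. `nlb:*` and `privatelink:*` are likewise unbounded and deserve the same scoping.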
@@ -0,0 +1,93 @@ +locals { + access_policy_document = templatefile("${path.module}/files/access_policy.json.tpl", { + account_id = data.alicloud_caller_identity.current.account_id + region = var.region + }) +} + +data "alicloud_caller_identity" "current" { +} + +data "alicloud_ram_policy_document" "support_role_trust_policy" { + version = "1" + statement { + effect = "Allow" + action = ["sts:AssumeRole"] + principal { + entity = "RAM" + identifiers = var.streamnative_support_access_role_arns + } + condition { + operator = "StringEquals" + variable = "sts:ExternalId" + values = [var.organization_id] + } + } +} + +resource "alicloud_ram_policy" "support_access" { + policy_name = "StreamNativeSupportAccess" + description = "StreamNative support access policy" + policy_document = local.access_policy_document + force = true + rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded" +} + +resource "alicloud_ram_role" "support_access_role" { + name = "StreamNativeSupportAccessRole" + description = "StreamNative support access role" + document = data.alicloud_ram_policy_document.support_role_trust_policy.document + force = true +} + +resource "alicloud_ram_role_policy_attachment" "support_access" { + policy_name = alicloud_ram_policy.support_access.policy_name + policy_type = alicloud_ram_policy.support_access.type + role_name = alicloud_ram_role.support_access_role.name +} + + +// Activate ACK +// ref: https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/developer-reference/use-terraform-to-assign-default-roles-to-ack-when-you-use-ack-for-the-first-time +data "alicloud_ack_service" "open" { + enable = "On" + type = "propayasgo" +} + + +# data "alicloud_ram_roles" "roles" { +# policy_type = "Custom" +# name_regex = "^Aliyun.*Role$" +# } + + +# locals { +# all_role_names = [for role in var.buildin_roles : role.name] +# created_role_names = [for role in data.alicloud_ram_roles.roles.roles : role.name] +# complement_names = 
setsubtract(local.all_role_names, local.created_role_names) +# complement_roles = [for role in var.buildin_roles : role if contains(local.complement_names, role.name)] +# } + +resource "alicloud_ram_role" "role" { + for_each = { for r in var.buildin_roles : r.name => r } + name = each.value.name + document = each.value.policy_document + description = each.value.description + force = true +} + +resource "alicloud_ram_role_policy_attachment" "attach" { + for_each = { for r in var.buildin_roles : r.name => r } + policy_name = each.value.policy_name + policy_type = "System" + role_name = each.value.name + depends_on = [alicloud_ram_role.role] +} + + +output "complement_roles" { + value = [for role in var.buildin_roles : { + name = role.name + description = role.description + }] +} \ No newline at end of file diff --git a/modules/alicloud/vendor-access/variables.tf b/modules/alicloud/vendor-access/variables.tf new file mode 100644 index 0000000..ac53011 --- /dev/null +++ b/modules/alicloud/vendor-access/variables.tf 
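Review bot: `alicloud_ram_role.role` brings Alibaba's built-in ACK service roles (AliyunCSDefaultRole, AliyunCSManagedKubernetesRole, …) into this module's state with `force = true`, so a `terraform destroy` of the vendor-access module will detach their policies and delete roles that every ACK cluster in the account depends on, not just the vendor's access. Add `lifecycle { prevent_destroy = true }` to that resource, or create these roles outside the module; the commented-out `alicloud_ram_roles` lookup shows the intended "only create what is missing" logic, but `output "complement_roles"` is computed from `var.buildin_roles` directly, so it does not report what its name claims. The support role is attached to the same `local.access_policy_document` as the provisioning path, so "support access" is indistinguishable from full bootstrap rights; a read-mostly support policy would be the least-privilege split. If the pinned provider supports it, a `max_session_duration` on the support role would also bound how long an assumed session lives.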
@@ -0,0 +1,122 @@ +variable "sn_policy_version" { + default = "" +} + +variable "organization_id" { + description = "The ID of your organization on StreamNative Cloud." + type = string +} + +variable "region" { + default = "*" + description = "The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions." +} + + +variable "streamnative_support_access_role_arns" { + default = ["acs:ram::5595745479818014:role/streamnativesupport"] + description = "The list of StreamNative support access role ARNs. This is used to grant StreamNative support access to your environment." + type = list(string) +} + + +variable "buildin_roles" { + type = list(object({ + name = string + policy_document = string + description = string + policy_name = string + })) + default = [ + { + name = "AliyunCSManagedLogRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedLogRolePolicy" + }, + { + name = "AliyunCSManagedCmsRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedCmsRolePolicy" + }, + { + name = "AliyunCSManagedCsiRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." 
+ policy_name = "AliyunCSManagedCsiRolePolicy" + }, + { + name = "AliyunCSManagedCsiPluginRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedCsiPluginRolePolicy" + }, + { + name = "AliyunCSManagedCsiProvisionerRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" + }, + { + name = "AliyunCSManagedVKRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedVKRolePolicy" + }, + { + name = "AliyunCSServerlessKubernetesRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "By default, ACK clusters assume this role to access your cloud resources." + policy_name = "AliyunCSServerlessKubernetesRolePolicy" + }, + { + name = "AliyunCSKubernetesAuditRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." 
+ policy_name = "AliyunCSKubernetesAuditRolePolicy" + }, + { + name = "AliyunCSManagedNetworkRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedNetworkRolePolicy" + }, + { + name = "AliyunCSDefaultRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." + policy_name = "AliyunCSDefaultRolePolicy" + }, + { + name = "AliyunCSManagedKubernetesRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "By default, ACK clusters assume this role to access your cloud resources." + policy_name = "AliyunCSManagedKubernetesRolePolicy" + }, + { + name = "AliyunCSManagedArmsRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedArmsRolePolicy" + }, + { + name = "AliyunCISDefaultRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services." 
+ policy_name = "AliyunCISDefaultRolePolicy" + }, + { + name = "AliyunOOSLifecycleHook4CSRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." + policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" + }, + { + name = "AliyunCSManagedAutoScalerRole" + policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" + description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." + policy_name = "AliyunCSManagedAutoScalerRolePolicy" + } + ] +} \ No newline at end of file diff --git a/modules/alicloud/vendor-access/versions.tf b/modules/alicloud/vendor-access/versions.tf new file mode 100644 index 0000000..52718b5 --- /dev/null +++ b/modules/alicloud/vendor-access/versions.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.248.0" + } + } +} From 1a9d1494b0e3106dcb63b3dd4e11eb7cd0aa4b8a Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Wed, 7 May 2025 13:35:39 +0800 Subject: [PATCH 02/10] Update permissions --- .../files/access_policy.json.tpl | 41 +++- modules/alicloud/vendor-access/main.tf | 49 +++-- modules/alicloud/vendor-access/variables.tf | 202 +++++++++--------- modules/alicloud/vendor-access/versions.tf | 2 +- 4 files changed, 168 insertions(+), 126 deletions(-) diff --git a/modules/alicloud/vendor-access/files/access_policy.json.tpl b/modules/alicloud/vendor-access/files/access_policy.json.tpl index b97bc55..fe896f4 100644 --- a/modules/alicloud/vendor-access/files/access_policy.json.tpl 
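Review bot: `region` defaults to `"*"` and its description says the environment "Defaults to all regions", but nothing in the module consumes the value as a constraint, so the description promises a restriction that is never enforced; either document it as informational or wire it into the policy's Resource ARNs. `streamnative_support_access_role_arns` is the trust anchor for the whole module and accepts any string; add a validation such as `condition = alltrue([for a in var.streamnative_support_access_role_arns : can(regex("^acs:ram::[0-9]+:role/", a))])` so a typo cannot silently open the trust to an unintended principal. `sn_policy_version` has no `type` or `description` and is not referenced in the hunks shown.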
+++ b/modules/alicloud/vendor-access/files/access_policy.json.tpl @@ -54,10 +54,12 @@ { "Action": [ "vpc:Get*", + "vpc:List*", "vpc:Create*", "vpc:Describe*", "vpc:Modify*", "vpc:Allocate*", + "vpc:AssociateEipAddress", "vpc:AssociateRouteTable", "vpc:Release*", "vpc:Unassociate*", @@ -67,6 +69,7 @@ "vpc:DeleteVSwitch", "vpc:DeleteVpc", "vpc:DeleteNatGateway", + "vpc:DeleteSnatEntry", "vpc:TagResources" ], "Effect": "Allow", @@ -93,6 +96,10 @@ "ram:DetachPolicyFromRole", "ram:UpdateAccessKey", "ram:UpdateRole", + "ram:CreateUser", + "ram:DeleteUser", + "ram:AttachPolicyToUser", + "ram:DetachPolicyFromUser", "sts:AssumeRole" ], "Resource": [ @@ -114,6 +121,7 @@ "cs:DeletePolicyInstance", "cs:DeleteTemplate", "cs:DeployPolicyInstance", + "cs:*ClusterAddons", "cs:ModifyCluster", "cs:ModifyClusterAddon", "cs:ModifyClusterConfiguration", @@ -132,6 +140,7 @@ "cs:UnInstallK8sComponents", "cs:UpdateK8sClusterUserConfigExpire", "cs:UpdateTemplate", + "cs:UpdateUserPermissions", "cs:UpgradeCluster", "cs:UpgradeK8sComponents" ], @@ -160,6 +169,7 @@ { "Effect": "Allow", "Action": [ + "alidns:Get*", "alidns:List*", "alidns:Describe*", "alidns:AddDomain", @@ -167,9 +177,34 @@ "alidns:DeleteDomain", "alidns:DeleteDomainRecord", "alidns:RetrieveDomain", - "alidns:UpdateDomainRecord", - "alidns:UpdateDomainRecordRemark", - "alidns:UpdateDomainRemark" + "alidns:Update*", + "alidns:Set*", + "alidns:BindInstanceDomains", + "alidns:UnbindInstanceDomains", + "alidns:*", + "pvtz:*" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "alidns:Get*", + "alidns:List*", + "alidns:Describe*", + "alidns:AddDomain", + "alidns:AddDomainRecord", + "alidns:DeleteDomain", + "alidns:DeleteDomainRecord", + "alidns:RetrieveDomain", + "alidns:Update*", + "alidns:Set*", + "alidns:BindInstanceDomains", + "alidns:UnbindInstanceDomains", + "pvtz:*", + "bss:ModifyInstance" ], "Resource": [ "*" 
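Review bot: In the last hunk the alidns statement gains `"alidns:*"` after its enumerated actions, which makes the enumeration meaningless, and a near-identical second statement is appended right below it differing only in `"bss:ModifyInstance"`; collapse the two into one statement with a deliberate action list. `bss:ModifyInstance` is a billing-service action that changes a paid instance's configuration and does not belong in a DNS statement. Earlier in the file `ram:CreateUser`, `ram:AttachPolicyToUser` and `ram:CreateAccessKey` are now all allowed on `*`, which lets the role mint a permanent RAM user with its own keys that outlive the assumed-role session — a persistence path the `sts:ExternalId` condition on the trust policy cannot revoke. `"cs:*ClusterAddons"` uses a leading wildcard; name the intended actions explicitly (presumably the install/uninstall pair) instead.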
diff --git a/modules/alicloud/vendor-access/main.tf b/modules/alicloud/vendor-access/main.tf index 6814626..a4ffb9c 100644 --- a/modules/alicloud/vendor-access/main.tf +++ b/modules/alicloud/vendor-access/main.tf @@ -54,13 +54,20 @@ data "alicloud_ack_service" "open" { type = "propayasgo" } +output "account_id" { + value = data.alicloud_caller_identity.current.account_id +} + +output "organization_id" { + value = var.organization_id +} + # data "alicloud_ram_roles" "roles" { # policy_type = "Custom" # name_regex = "^Aliyun.*Role$" # } - # locals { # all_role_names = [for role in var.buildin_roles : role.name] # created_role_names = [for role in data.alicloud_ram_roles.roles.roles : role.name] 
@@ -68,26 +75,26 @@ data "alicloud_ack_service" "open" { # complement_roles = [for role in var.buildin_roles : role if contains(local.complement_names, role.name)] # } -resource "alicloud_ram_role" "role" { - for_each = { for r in var.buildin_roles : r.name => r } - name = each.value.name - document = each.value.policy_document - description = each.value.description - force = true -} +# resource "alicloud_ram_role" "role" { +# for_each = { for r in local.complement_roles : r.name => r } +# name = each.value.name +# document = each.value.policy_document +# description = each.value.description +# force = false +# } -resource "alicloud_ram_role_policy_attachment" "attach" { - for_each = { for r in var.buildin_roles : r.name => r } - policy_name = each.value.policy_name - policy_type = "System" - role_name = each.value.name - depends_on = [alicloud_ram_role.role] -} +# resource "alicloud_ram_role_policy_attachment" "attach" { +# for_each = { for r in local.complement_roles : r.name => r } +# policy_name = each.value.policy_name +# policy_type = "System" +# role_name = each.value.name +# depends_on = [alicloud_ram_role.role] +# } -output "complement_roles" { - value = [for role in var.buildin_roles : { - name = role.name - description = role.description - }] -} \ No newline at end of file +# output "complement_roles" { +# value = [for role in var.buildin_roles : { +# name = role.name +# description = role.description +# }] +# } diff --git a/modules/alicloud/vendor-access/variables.tf b/modules/alicloud/vendor-access/variables.tf index ac53011..fe6b951 100644 --- a/modules/alicloud/vendor-access/variables.tf +++ b/modules/alicloud/vendor-access/variables.tf 
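Review bot: Commenting out `alicloud_ram_role.role` and `alicloud_ram_role_policy_attachment.attach` removes them from configuration, so anyone who applied the previous revision will see Terraform plan the destruction of the AliyunCS* service roles on the next apply, and with `force = true` still recorded in state they would be deleted together with their policy attachments. If the intent is to leave the roles in the account, pair this with `terraform state rm` guidance or, where the Terraform version allows, a `removed { from = alicloud_ram_role.role ... }` block with `destroy = false`, rather than a bare comment-out. The commented code also references `local.complement_roles`, which no longer exists; delete dead code rather than keep it, git has the history. The new `organization_id` output echoes the value used as `sts:ExternalId`, the confused-deputy guard on both trust policies; consider `sensitive = true` so it is not printed in every plan.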
@@ -14,109 +14,109 @@ variable "region" { variable "streamnative_support_access_role_arns" { - default = ["acs:ram::5595745479818014:role/streamnativesupport"] + default = ["acs:ram::5855446584058772:role/streamnativesupport"] description = "The list of StreamNative support access role ARNs. This is used to grant StreamNative support access to your environment." type = list(string) } -variable "buildin_roles" { - type = list(object({ - name = string - policy_document = string - description = string - policy_name = string - })) - default = [ - { - name = "AliyunCSManagedLogRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedLogRolePolicy" - }, - { - name = "AliyunCSManagedCmsRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedCmsRolePolicy" - }, - { - name = "AliyunCSManagedCsiRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." 
- policy_name = "AliyunCSManagedCsiRolePolicy" - }, - { - name = "AliyunCSManagedCsiPluginRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedCsiPluginRolePolicy" - }, - { - name = "AliyunCSManagedCsiProvisionerRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" - }, - { - name = "AliyunCSManagedVKRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedVKRolePolicy" - }, - { - name = "AliyunCSServerlessKubernetesRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "By default, ACK clusters assume this role to access your cloud resources." - policy_name = "AliyunCSServerlessKubernetesRolePolicy" - }, - { - name = "AliyunCSKubernetesAuditRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." 
- policy_name = "AliyunCSKubernetesAuditRolePolicy" - }, - { - name = "AliyunCSManagedNetworkRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedNetworkRolePolicy" - }, - { - name = "AliyunCSDefaultRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." - policy_name = "AliyunCSDefaultRolePolicy" - }, - { - name = "AliyunCSManagedKubernetesRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "By default, ACK clusters assume this role to access your cloud resources." - policy_name = "AliyunCSManagedKubernetesRolePolicy" - }, - { - name = "AliyunCSManagedArmsRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedArmsRolePolicy" - }, - { - name = "AliyunCISDefaultRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services." 
- policy_name = "AliyunCISDefaultRolePolicy" - }, - { - name = "AliyunOOSLifecycleHook4CSRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." - policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" - }, - { - name = "AliyunCSManagedAutoScalerRole" - policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" - description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." - policy_name = "AliyunCSManagedAutoScalerRolePolicy" - } - ] -} \ No newline at end of file +# variable "buildin_roles" { +# type = list(object({ +# name = string +# policy_document = string +# description = string +# policy_name = string +# })) +# default = [ +# { +# name = "AliyunCSManagedLogRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedLogRolePolicy" +# }, +# { +# name = "AliyunCSManagedCmsRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." 
+# policy_name = "AliyunCSManagedCmsRolePolicy" +# }, +# { +# name = "AliyunCSManagedCsiRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedCsiRolePolicy" +# }, +# { +# name = "AliyunCSManagedCsiPluginRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedCsiPluginRolePolicy" +# }, +# { +# name = "AliyunCSManagedCsiProvisionerRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" +# }, +# { +# name = "AliyunCSManagedVKRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedVKRolePolicy" +# }, +# { +# name = "AliyunCSServerlessKubernetesRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "By default, ACK clusters assume this role to access your cloud resources." 
+# policy_name = "AliyunCSServerlessKubernetesRolePolicy" +# }, +# { +# name = "AliyunCSKubernetesAuditRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSKubernetesAuditRolePolicy" +# }, +# { +# name = "AliyunCSManagedNetworkRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedNetworkRolePolicy" +# }, +# { +# name = "AliyunCSDefaultRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." +# policy_name = "AliyunCSDefaultRolePolicy" +# }, +# { +# name = "AliyunCSManagedKubernetesRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "By default, ACK clusters assume this role to access your cloud resources." +# policy_name = "AliyunCSManagedKubernetesRolePolicy" +# }, +# { +# name = "AliyunCSManagedArmsRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." 
+# policy_name = "AliyunCSManagedArmsRolePolicy" +# }, +# { +# name = "AliyunCISDefaultRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services." +# policy_name = "AliyunCISDefaultRolePolicy" +# }, +# { +# name = "AliyunOOSLifecycleHook4CSRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." +# policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" +# }, +# { +# name = "AliyunCSManagedAutoScalerRole" +# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" +# description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." +# policy_name = "AliyunCSManagedAutoScalerRolePolicy" +# } +# ] +# } \ No newline at end of file diff --git a/modules/alicloud/vendor-access/versions.tf b/modules/alicloud/vendor-access/versions.tf index 52718b5..1578ed8 100644 --- a/modules/alicloud/vendor-access/versions.tf +++ b/modules/alicloud/vendor-access/versions.tf @@ -1,7 +1,7 @@ terraform { required_providers { alicloud = { - source = "aliyun/alicloud" + source = "hashicorp/alicloud" version = "1.248.0" } } From cad58e3d2cd486c5fe119edd4a94d5c25a3b3d38 Mon Sep 17 00:00:00 2001 
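Review bot: The default trusted principal in `streamnative_support_access_role_arns` changes from account `5595745479818014` to `5855446584058772` with no explanation in the commit message; this default is the identity a customer's account will allow to assume the support role, so the change should say where the new account ID comes from and how a consumer can verify it, e.g. a comment beside the default such as `# StreamNative's published support account; verify against the vendor's documentation before applying`. A silently swapped trust anchor is exactly what tampering with this module would look like, so reviewers need a way to check it. The hundred-odd lines of `buildin_roles` are commented out rather than deleted; remove them.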
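Review bot: The provider source moves from `aliyun/alicloud` to `hashicorp/alicloud` at the same pinned version with no rationale; the registry namespace decides which publisher's signed artifact Terraform downloads, so this is a trust change rather than a cosmetic one. Confirm that `hashicorp/alicloud` is the namespace the maintainers intend (the `aliyun/` namespace is the one published by Alibaba itself) and keep it consistent with `modules/alicloud/private-link`, which pins the same source in this series. A comment such as `# keep in sync with private-link/variables.tf` beside the source line would stop the two from drifting.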
From: Yisheng Cai Date: Wed, 7 May 2025 13:42:10 +0800 Subject: [PATCH 03/10] Add privatelink --- modules/alicloud/private-link/main.tf | 35 ++++++++++++++++++ modules/alicloud/private-link/variables.tf | 42 ++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 modules/alicloud/private-link/main.tf create mode 100644 modules/alicloud/private-link/variables.tf diff --git a/modules/alicloud/private-link/main.tf b/modules/alicloud/private-link/main.tf new file mode 100644 index 0000000..f86d6cb --- /dev/null +++ b/modules/alicloud/private-link/main.tf @@ -0,0 +1,35 @@ + +resource "alicloud_privatelink_vpc_endpoint" "this" { + service_id = var.privatelink_service_id + security_group_ids = var.security_group_ids + vpc_id = var.vpc_id + vpc_endpoint_name = var.endpoint_name +} + +resource "alicloud_privatelink_vpc_endpoint_zone" "this" { + count = length(var.vswitches) + + endpoint_id = alicloud_privatelink_vpc_endpoint.this.id + vswitch_id = var.vswitches[count.index].id + zone_id = var.vswitches[count.index].zone +} + +resource "alicloud_pvtz_zone" "this" { + zone_name = var.domain_name + remark = "PrivateLink-${var.endpoint_name}" +} + +resource "alicloud_pvtz_zone_attachment" "this" { + zone_id = alicloud_pvtz_zone.this.id + vpc_ids = [var.vpc_id] +} + +resource "alicloud_pvtz_zone_record" "this" { + count = length(var.vswitches) + + zone_id = alicloud_pvtz_zone.this.id + rr = "*" + type = "A" + value = alicloud_privatelink_vpc_endpoint_zone.this[count.index].eni_ip + ttl = 600 +} \ No newline at end of file diff --git a/modules/alicloud/private-link/variables.tf b/modules/alicloud/private-link/variables.tf new file mode 100644 index 0000000..8a62021 --- /dev/null +++ b/modules/alicloud/private-link/variables.tf 
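Review bot: `alicloud_pvtz_zone_record.this` publishes a wildcard `rr = "*"` A record for `var.domain_name` and the zone is attached to the VPC, so every name under that suffix — not only the endpoint's service hostnames — resolves to the endpoint ENI for all workloads in the VPC, and the private zone takes precedence over public resolution for the whole suffix. If `domain_name` is ever set to a broad suffix this hijacks unrelated DNS; add a comment such as `# domain_name must be the exact service suffix: this wildcard shadows every name beneath it inside the VPC`, and consider `proxy_pattern = "RECORD"` on the zone so names without a record still recurse publicly (the wildcard limits how much that helps, so confirm the behaviour). `count = length(var.vswitches)` silently yields an endpoint with no zones and no records when the list is empty; a validation on the variable would catch that at plan time.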
@@ -0,0 +1,42 @@
+terraform {
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.248.0"
+ }
+ }
+}
+
+variable "vpc_id" {
+ description = "The ID of the VPC to create the endpoint in."
+ type = string
+}
+
+variable "privatelink_service_id" {
+ description = "The ID of the PrivateLink service."
+ type = string
+}
+
+variable "endpoint_name" {
+ description = "The name of the VPC endpoint."
+ type = string
+}
+
+variable "vswitches" {
+ description = "The list of VSwitch IDs to associate with the endpoint."
+ type = list(object({
+ id = string
+ zone = string
+ }))
+}
+
+variable "domain_name" {
+ description = "The domain suffix used by the service."
+ type = string
+}
+
+
+variable "security_group_ids" {
+ description = "The list of security group IDs to associate with the endpoint."
+ type = list(string)
+}
\ No newline at end of file
From 0fcf55a5d274da8c6c301ec6e36fa61b0a7ef569 Mon Sep 17 00:00:00 2001
From: Yisheng Cai
Date: Tue, 10 Jun 2025 09:53:01 +0800
Subject: [PATCH 04/10] Update roles
---
 .../files/access_policy.json.tpl | 13 ++++ modules/alicloud/vendor-access/main.tf | 75 ++++++++++++++++--- modules/alicloud/vendor-access/variables.tf | 17 +++-- 3 files changed, 88 insertions(+), 17 deletions(-)
diff --git a/modules/alicloud/vendor-access/files/access_policy.json.tpl b/modules/alicloud/vendor-access/files/access_policy.json.tpl
index fe896f4..b276d3a 100644
--- a/modules/alicloud/vendor-access/files/access_policy.json.tpl
+++ b/modules/alicloud/vendor-access/files/access_policy.json.tpl
@@ -209,6 +209,19 @@
 "Resource": [
 "*"
 ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:Get*",
+ "oss:List*",
+ "oss:Delete*",
+ "oss:Put*",
+ "oss:Restore*"
+ ],
+ "Resource": [
+ "*"
+ ]
 }
 ]
 }
diff --git a/modules/alicloud/vendor-access/main.tf b/modules/alicloud/vendor-access/main.tf
index a4ffb9c..cdd6063 100644
--- a/modules/alicloud/vendor-access/main.tf
+++ b/modules/alicloud/vendor-access/main.tf
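Review bot: The new OSS statement grants `oss:Delete*` and `oss:Put*` on `"Resource": ["*"]`, which covers every bucket in the customer account rather than the buckets provisioned for the StreamNative environment; the earlier statements already use `*`, but object storage is where customer data lives, so this is the statement most worth scoping. Where the bucket naming scheme is known, restrict it, e.g. `"Resource": ["acs:oss:*:*:<bucket-prefix>*", "acs:oss:*:*:<bucket-prefix>*/*"]` with a real prefix in place of the placeholder, or at least split the read actions (`oss:Get*`, `oss:List*`) and the destructive ones (`oss:Delete*`) into separate statements so the latter can be narrowed independently. The policy is rendered by both RAM roles of this module, so the blast radius of this statement is not limited to the provisioning role.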
@@ -8,33 +8,72 @@ locals { data "alicloud_caller_identity" "current" { } +data "alicloud_ram_policy_document" "cloud_manager_trust_policy" { + version = "1" + statement { + effect = "Allow" + action = ["sts:AssumeRole"] + principal { + entity = "RAM" + identifiers = var.streamnative_cloud_manager_role_arns + } + condition { + operator = "StringEquals" + variable = "sts:ExternalId" + values = var.organization_ids + } + } +} + +resource "alicloud_ram_policy" "cloud_manager_access" { + policy_name = "streamnative-bootstrap" + description = "StreamNative cloud manager access policy" + policy_document = local.access_policy_document + force = true + rotate_strategy = "DeleteOldestNonDefaultVersionWhenLimitExceeded" +} + +resource "alicloud_ram_role" "cloud_manager_role" { + name = "streamnative-bootstrap" + description = "StreamNative cloud manager access role" + document = data.alicloud_ram_policy_document.cloud_manager_trust_policy.document + force = true +} + +resource "alicloud_ram_role_policy_attachment" "cloud_manager_access" { + policy_name = alicloud_ram_policy.cloud_manager_access.policy_name + policy_type = alicloud_ram_policy.cloud_manager_access.type + role_name = alicloud_ram_role.cloud_manager_role.name +} + + data "alicloud_ram_policy_document" "support_role_trust_policy" { version = "1" statement { effect = "Allow" action = ["sts:AssumeRole"] principal { - entity = "RAM" - identifiers = var.streamnative_support_access_role_arns + entity = "RAM" + identifiers = var.streamnative_support_role_arns } condition { operator = "StringEquals" variable = "sts:ExternalId" - values = [var.organization_id] + values = var.organization_ids } } } resource "alicloud_ram_policy" "support_access" { - policy_name = "StreamNativeSupportAccess" - description = "StreamNative support access policy" + policy_name = "streamnative-support" + description = "StreamNative support role access policy" policy_document = local.access_policy_document force = true rotate_strategy = 
"DeleteOldestNonDefaultVersionWhenLimitExceeded" } -resource "alicloud_ram_role" "support_access_role" { - name = "StreamNativeSupportAccessRole" +resource "alicloud_ram_role" "support_role" { + name = "streamnative-support" description = "StreamNative support access role" document = data.alicloud_ram_policy_document.support_role_trust_policy.document force = true @@ -43,23 +82,35 @@ resource "alicloud_ram_role" "support_access_role" { resource "alicloud_ram_role_policy_attachment" "support_access" { policy_name = alicloud_ram_policy.support_access.policy_name policy_type = alicloud_ram_policy.support_access.type - role_name = alicloud_ram_role.support_access_role.name + role_name = alicloud_ram_role.support_role.name } +// Activate OSS +data "alicloud_oss_service" "open" { + enable = "On" +} + // Activate ACK // ref: https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/developer-reference/use-terraform-to-assign-default-roles-to-ack-when-you-use-ack-for-the-first-time data "alicloud_ack_service" "open" { - enable = "On" - type = "propayasgo" + enable = "On" + type = "propayasgo" } output "account_id" { value = data.alicloud_caller_identity.current.account_id } -output "organization_id" { - value = var.organization_id +output "organization_ids" { + value = var.organization_ids +} + +output "services" { + value = { + oss = data.alicloud_oss_service.open.status + ack = data.alicloud_ack_service.open.status + } } diff --git a/modules/alicloud/vendor-access/variables.tf b/modules/alicloud/vendor-access/variables.tf index fe6b951..eab769e 100644 --- a/modules/alicloud/vendor-access/variables.tf +++ b/modules/alicloud/vendor-access/variables.tf @@ -2,9 +2,9 @@ variable "sn_policy_version" { default = "" } -variable "organization_id" { +variable "organization_ids" { description = "The ID of your organization on StreamNative Cloud." - type = string + type = list(string) } variable "region" { 
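Review bot: `alicloud_ram_policy.cloud_manager_access` and `alicloud_ram_policy.support_access` both attach the identical `local.access_policy_document`, so the support role receives exactly the same permissions as the provisioning role, including the account-wide OSS write and delete actions added to the template in this patch; if support access is meant to be a lower-privilege path it should render a separate, narrower template, and if the equivalence is intentional a comment on `support_access` saying so, e.g. `# intentionally the same document as cloud_manager_access; support needs full provisioning rights`, would stop the next reviewer from asking. The trust policies themselves look right: restricting `principal` to `var.streamnative_cloud_manager_role_arns` and binding `sts:ExternalId` to `var.organization_ids` is the standard confused-deputy mitigation for cross-account assumption. `force = true` on both the role and the policy lets a `terraform destroy` detach and remove them without any manual step, which is fine for a bootstrap module but deserves a one-line comment because it also means a destroy in the wrong workspace silently severs vendor access.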
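Review bot: `data "alicloud_oss_service" "open"` with `enable = "On"` activates the OSS service as a side effect of a data-source read, i.e. during `terraform plan`/refresh rather than only on `apply`, in the same way the existing `alicloud_ack_service` block does (as far as the provider's service data sources behave; worth confirming against the provider docs for 1.248.0). That is surprising for operators who run plan in a read-only review pipeline, so add a comment above the block, e.g. `// NOTE: enable = "On" activates the service when the data source is read (plan/refresh), not only on apply`. The new `services` output exposing both `.status` values is useful for the same reason.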
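Review bot: `variable "organization_ids"` changes its type to `list(string)` but keeps the singular description `The ID of your organization on StreamNative Cloud.`, and because these values become the accepted `sts:ExternalId` set in both trust policies the description should say what the list controls. Suggest `description = "The IDs of your organizations on StreamNative Cloud; each value is accepted as the sts:ExternalId when StreamNative assumes the roles created by this module."`. The rest of the variable block is outside the hunk.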
@@ -12,10 +12,17 @@ variable "region" { description = "The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions." } +variable "streamnative_cloud_manager_role_arns" { + default = ["acs:ram::5855446584058772:role/cloud-manager"] + description = "The list of StreamNative cloud manager role ARNs. This is used to grant StreamNative cloud manager to your environment." + type = list(string) +} + + -variable "streamnative_support_access_role_arns" { - default = ["acs:ram::5855446584058772:role/streamnativesupport"] - description = "The list of StreamNative support access role ARNs. This is used to grant StreamNative support access to your environment." +variable "streamnative_support_role_arns" { + default = ["acs:ram::5855446584058772:role/support-general"] + description = "The list of StreamNative support role ARNs. This is used to grant StreamNative support to your environment." type = list(string) } From 76c46c7ba4f96cd671c6f70a70d00148afb451e1 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 10 Jun 2025 17:01:59 +0800 Subject: [PATCH 05/10] Add SG for privatelink --- modules/alicloud/private-link/main.tf | 44 +++++++++++++++++--- modules/alicloud/private-link/variables.tf | 48 ++++++++++++++++++++-- 2 files changed, 82 insertions(+), 10 deletions(-) diff --git a/modules/alicloud/private-link/main.tf b/modules/alicloud/private-link/main.tf index f86d6cb..3e1107e 100644 --- a/modules/alicloud/private-link/main.tf +++ b/modules/alicloud/private-link/main.tf 
@@ -1,9 +1,41 @@ +resource "alicloud_security_group" "new" { + count = var.use_existing_security_group ? 0 : 1 + + security_group_name = "${var.endpoint_name}-pl-sg" + vpc_id = var.vpc_id + description = "Security group for PrivateLink VPC Endpoint ${var.endpoint_name}" +} + +resource "alicloud_security_group_rule" "new" { + count = var.use_existing_security_group ? 0 : length(var.security_group_inbound_rules) + + security_group_id = alicloud_security_group.new[0].id + type = "ingress" + ip_protocol = "tcp" + cidr_ip = "0.0.0.0/0" + port_range = var.security_group_inbound_rules[count.index].port + policy = "accept" + description = var.security_group_inbound_rules[count.index].description +} + + +locals { + security_group_ids = var.use_existing_security_group ? var.security_group_ids : [alicloud_security_group.new[0].id] +} + resource "alicloud_privatelink_vpc_endpoint" "this" { service_id = var.privatelink_service_id - security_group_ids = var.security_group_ids + security_group_ids = local.security_group_ids vpc_id = var.vpc_id vpc_endpoint_name = var.endpoint_name + + lifecycle { + precondition { + condition = length(local.security_group_ids) > 0 + error_message = "At least one security group must be provided or created." + } + } } resource "alicloud_privatelink_vpc_endpoint_zone" "this" { @@ -28,8 +60,8 @@ resource "alicloud_pvtz_zone_record" "this" { count = length(var.vswitches) zone_id = alicloud_pvtz_zone.this.id - rr = "*" - type = "A" - value = alicloud_privatelink_vpc_endpoint_zone.this[count.index].eni_ip - ttl = 600 -} \ No newline at end of file + rr = "*" + type = "A" + value = alicloud_privatelink_vpc_endpoint_zone.this[count.index].eni_ip + ttl = 600 +} diff --git a/modules/alicloud/private-link/variables.tf b/modules/alicloud/private-link/variables.tf index 8a62021..e0797c4 100644 --- a/modules/alicloud/private-link/variables.tf +++ b/modules/alicloud/private-link/variables.tf 
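Review bot: `alicloud_security_group_rule.new` opens every configured port to `cidr_ip = "0.0.0.0/0"`; inside a VPC that still admits any source that can route to the endpoint ENI (peered VPCs, CEN-attached networks, VPN or Express Connect links), which is broader than the intent of a private endpoint and broader than the module's own README guidance for customer-managed groups, which asks for rules from the VPC CIDR. Take the allowed sources as an input (a new `variable "allowed_source_cidrs"` of type `list(string)`, documented as the VPC CIDR or a subset of it) and build one rule per CIDR/port pair as below; the rest of the hunk is unchanged. The `precondition` on the endpoint is a good guard but only checks that a group exists, not that its rules are scoped, so the default rules are where the scoping has to happen.
```hcl
resource "alicloud_security_group_rule" "new" {
  # one ingress rule per (source CIDR, port) pair; sources come from the caller instead of 0.0.0.0/0
  for_each = {
    for pair in setproduct(var.allowed_source_cidrs, var.security_group_inbound_rules) :
    "${pair[0]}-${pair[1].port}" => { cidr = pair[0], rule = pair[1] }
    if !var.use_existing_security_group
  }

  security_group_id = alicloud_security_group.new[0].id
  type              = "ingress"
  ip_protocol       = "tcp"
  cidr_ip           = each.value.cidr
  port_range        = each.value.rule.port
  policy            = "accept"
  description       = each.value.rule.description
}
# … unchanged: locals, alicloud_privatelink_vpc_endpoint, endpoint zones …
```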
@@ -24,8 +24,8 @@ variable "endpoint_name" { variable "vswitches" { description = "The list of VSwitch IDs to associate with the endpoint." - type = list(object({ - id = string + type = list(object({ + id = string zone = string })) } @@ -35,8 +35,48 @@ variable "domain_name" { type = string } - variable "security_group_ids" { description = "The list of security group IDs to associate with the endpoint." type = list(string) -} \ No newline at end of file + default = [] +} + +variable "use_existing_security_group" { + description = "Flag to indicate whether to use existing security groups or create new ones." + type = bool + default = false +} + +variable "security_group_inbound_rules" { + description = "List of inbound rules for the security group." + type = list(object({ + port = number + description = string + })) + default = [ + { + port = 443, + description = "Allow HTTPS traffic to the endpoint" + }, + { + port = 6651, + description = "Allow Pulsar traffic to the endpoint" + }, + { + port = 9093, + description = "Allow Kafka traffic to the endpoint" + }, + { + port = 5671, + description = "Allow AMQP traffic to the endpoint" + }, + { + port = 5672, + description = "Allow AMQP traffic to the endpoint" + }, + { + port = 8883, + description = "Allow MQTT traffic to the endpoint" + } + ] +} From 67d7f9ab493488a29f5b6ad23992203baad028d9 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 10 Jun 2025 17:09:05 +0800 Subject: [PATCH 06/10] Fix variable type --- modules/alicloud/private-link/variables.tf | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/modules/alicloud/private-link/variables.tf b/modules/alicloud/private-link/variables.tf index e0797c4..2307775 100644 --- a/modules/alicloud/private-link/variables.tf +++ b/modules/alicloud/private-link/variables.tf 
@@ -50,32 +50,28 @@ variable "use_existing_security_group" { variable "security_group_inbound_rules" { description = "List of inbound rules for the security group." type = list(object({ - port = number + port = string description = string })) default = [ { - port = 443, + port = "443/443", description = "Allow HTTPS traffic to the endpoint" }, { - port = 6651, + port = "6651/6651", description = "Allow Pulsar traffic to the endpoint" }, { - port = 9093, + port = "9093/9093", description = "Allow Kafka traffic to the endpoint" }, { - port = 5671, + port = "5671/5671", description = "Allow AMQP traffic to the endpoint" }, { - port = 5672, - description = "Allow AMQP traffic to the endpoint" - }, - { - port = 8883, + port = "8883/8883", description = "Allow MQTT traffic to the endpoint" } ] From 792883243b60562eacbb1db2009368de81fd4bed Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Wed, 11 Jun 2025 01:39:57 +0800 Subject: [PATCH 07/10] Simplify the privatelink SG --- modules/alicloud/private-link/main.tf | 15 +++------- modules/alicloud/private-link/variables.tf | 33 +++++++++------------- 2 files changed, 18 insertions(+), 30 deletions(-) diff --git a/modules/alicloud/private-link/main.tf b/modules/alicloud/private-link/main.tf index 3e1107e..140ee3a 100644 --- a/modules/alicloud/private-link/main.tf +++ b/modules/alicloud/private-link/main.tf 
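Review bot: `port` is now a free-form `string` that is passed straight through to `port_range`, but nothing checks that callers supply the `<from>/<to>` form the defaults use, so a value such as `"443"` is only rejected at apply time by the API. Add a `validation` block to the variable as below; the variable's closing brace is outside the hunk, so only the block is shown. Dropping the plaintext AMQP port 5672 from the defaults is a good change and deserves a mention in the commit message, since "Fix variable type" does not suggest the exposed port set changed.
```hcl
variable "security_group_inbound_rules" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for r in var.security_group_inbound_rules : can(regex("^[0-9]+/[0-9]+$", r.port))])
    error_message = "Each port must be an Alibaba Cloud port range of the form <from>/<to>, for example 443/443."
  }
```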
@@ -1,13 +1,13 @@ resource "alicloud_security_group" "new" { - count = var.use_existing_security_group ? 0 : 1 + count = length(var.security_group_ids) != 0 ? 0 : 1 - security_group_name = "${var.endpoint_name}-pl-sg" + security_group_name = "${var.endpoint_name}-sg" vpc_id = var.vpc_id description = "Security group for PrivateLink VPC Endpoint ${var.endpoint_name}" } resource "alicloud_security_group_rule" "new" { - count = var.use_existing_security_group ? 0 : length(var.security_group_inbound_rules) + count = length(var.security_group_ids) != 0 ? 0 : length(var.security_group_inbound_rules) security_group_id = alicloud_security_group.new[0].id type = "ingress" @@ -20,7 +20,7 @@ resource "alicloud_security_group_rule" "new" { locals { - security_group_ids = var.use_existing_security_group ? var.security_group_ids : [alicloud_security_group.new[0].id] + security_group_ids = length(var.security_group_ids) != 0 ? var.security_group_ids : [alicloud_security_group.new[0].id] } @@ -29,13 +29,6 @@ resource "alicloud_privatelink_vpc_endpoint" "this" { security_group_ids = local.security_group_ids vpc_id = var.vpc_id vpc_endpoint_name = var.endpoint_name - - lifecycle { - precondition { - condition = length(local.security_group_ids) > 0 - error_message = "At least one security group must be provided or created." - } - } } resource "alicloud_privatelink_vpc_endpoint_zone" "this" { diff --git a/modules/alicloud/private-link/variables.tf b/modules/alicloud/private-link/variables.tf index 2307775..6c8383d 100644 --- a/modules/alicloud/private-link/variables.tf +++ b/modules/alicloud/private-link/variables.tf 
@@ -7,48 +7,43 @@ terraform { } } -variable "vpc_id" { - description = "The ID of the VPC to create the endpoint in." +variable "privatelink_service_id" { + description = "The ID of the PrivateLink service, it should be obtained from StreamNative Cloud." type = string } -variable "privatelink_service_id" { - description = "The ID of the PrivateLink service." +variable "domain_name" { + description = "The domain suffix of the Pulsar endpoint, it should be obtained from StreamNative Cloud." type = string } variable "endpoint_name" { - description = "The name of the VPC endpoint." + description = "The name of the VPC endpoint will be created, used to identify from other endpoints." + type = string + default = "streamnative-pulsar-endpoint" +} + +variable "vpc_id" { + description = "The ID of the VPC to create the endpoint in." type = string } variable "vswitches" { - description = "The list of VSwitch IDs to associate with the endpoint." + description = "The list of VSwitches to associate with the endpoint." type = list(object({ id = string zone = string })) } -variable "domain_name" { - description = "The domain suffix used by the service." - type = string -} - variable "security_group_ids" { - description = "The list of security group IDs to associate with the endpoint." + description = "The list of security group IDs to associate with the endpoint, will create a new security group if this is empty." type = list(string) default = [] } -variable "use_existing_security_group" { - description = "Flag to indicate whether to use existing security groups or create new ones." - type = bool - default = false -} - variable "security_group_inbound_rules" { - description = "List of inbound rules for the security group." + description = "List of inbound rules for the security group, allowing traffic to the endpoint." type = list(object({ port = string description = string From dbaecb749161509de52247d9c90ecf9e5c5e646c Mon Sep 17 00:00:00 2001 
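Review bot: The new `endpoint_name` description, `The name of the VPC endpoint will be created, used to identify from other endpoints.`, is ungrammatical and is the text `terraform-docs` copies into the README; suggest `description = "Name of the VPC endpoint to create; used to distinguish it from other endpoints in the VPC."`. The `security_group_ids` description can likewise state the contract precisely: `description = "Security group IDs to attach to the endpoint; when empty, the module creates a new security group using security_group_inbound_rules."`. Reordering the variables so the StreamNative-supplied inputs come first is a readability improvement worth keeping.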
From: Yisheng Cai Date: Wed, 11 Jun 2025 01:41:15 +0800 Subject: [PATCH 08/10] Remove unused variables in vendor-access --- modules/alicloud/vendor-access/main.tf | 37 ------ modules/alicloud/vendor-access/variables.tf | 121 ++------------------ modules/alicloud/vendor-access/versions.tf | 8 -- 3 files changed, 11 insertions(+), 155 deletions(-) delete mode 100644 modules/alicloud/vendor-access/versions.tf diff --git a/modules/alicloud/vendor-access/main.tf b/modules/alicloud/vendor-access/main.tf index cdd6063..9205c17 100644 --- a/modules/alicloud/vendor-access/main.tf +++ b/modules/alicloud/vendor-access/main.tf @@ -112,40 +112,3 @@ output "services" { ack = data.alicloud_ack_service.open.status } } - - -# data "alicloud_ram_roles" "roles" { -# policy_type = "Custom" -# name_regex = "^Aliyun.*Role$" -# } - -# locals { -# all_role_names = [for role in var.buildin_roles : role.name] -# created_role_names = [for role in data.alicloud_ram_roles.roles.roles : role.name] -# complement_names = setsubtract(local.all_role_names, local.created_role_names) -# complement_roles = [for role in var.buildin_roles : role if contains(local.complement_names, role.name)] -# } - -# resource "alicloud_ram_role" "role" { -# for_each = { for r in local.complement_roles : r.name => r } -# name = each.value.name -# document = each.value.policy_document -# description = each.value.description -# force = false -# } - -# resource "alicloud_ram_role_policy_attachment" "attach" { -# for_each = { for r in local.complement_roles : r.name => r } -# policy_name = each.value.policy_name -# policy_type = "System" -# role_name = each.value.name -# depends_on = [alicloud_ram_role.role] -# } - - -# output "complement_roles" { -# value = [for role in var.buildin_roles : { -# name = role.name -# description = role.description -# }] -# } diff --git a/modules/alicloud/vendor-access/variables.tf b/modules/alicloud/vendor-access/variables.tf index eab769e..d37bbd2 100644 
--- a/modules/alicloud/vendor-access/variables.tf +++ b/modules/alicloud/vendor-access/variables.tf @@ -1,5 +1,10 @@ -variable "sn_policy_version" { - default = "" +terraform { + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.248.0" + } + } } variable "organization_ids" { 
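Review bot: The `terraform { required_providers … }` block now lives at the top of `variables.tf`, with `versions.tf` deleted later in this patch; provider constraints are conventionally kept in `versions.tf`, and moving them into the inputs file is where a reader auditing the pinned provider looks last. The private-link module follows the same layout, so if a single self-contained file is the deliberate convention, a comment above the block, e.g. `# provider requirements are kept here so the module has no separate versions.tf`, would make that intent visible. Removing `sn_policy_version` is fine only if `local.access_policy_document` no longer interpolates it; that local is outside this hunk, so I could not confirm it.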
@@ -8,122 +13,18 @@ variable "organization_ids" { } variable "region" { - default = "*" + default = "*" description = "The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions." } variable "streamnative_cloud_manager_role_arns" { - default = ["acs:ram::5855446584058772:role/cloud-manager"] + default = ["acs:ram::5855446584058772:role/cloud-manager"] description = "The list of StreamNative cloud manager role ARNs. This is used to grant StreamNative cloud manager to your environment." type = list(string) } - - variable "streamnative_support_role_arns" { - default = ["acs:ram::5855446584058772:role/support-general"] + default = ["acs:ram::5855446584058772:role/support-general"] description = "The list of StreamNative support role ARNs. This is used to grant StreamNative support to your environment." type = list(string) -} - - -# variable "buildin_roles" { -# type = list(object({ -# name = string -# policy_document = string -# description = string -# policy_name = string -# })) -# default = [ -# { -# name = "AliyunCSManagedLogRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedLogRolePolicy" -# }, -# { -# name = "AliyunCSManagedCmsRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." 
-# policy_name = "AliyunCSManagedCmsRolePolicy" -# }, -# { -# name = "AliyunCSManagedCsiRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedCsiRolePolicy" -# }, -# { -# name = "AliyunCSManagedCsiPluginRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedCsiPluginRolePolicy" -# }, -# { -# name = "AliyunCSManagedCsiProvisionerRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" -# }, -# { -# name = "AliyunCSManagedVKRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedVKRolePolicy" -# }, -# { -# name = "AliyunCSServerlessKubernetesRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "By default, ACK clusters assume this role to access your cloud resources." 
-# policy_name = "AliyunCSServerlessKubernetesRolePolicy" -# }, -# { -# name = "AliyunCSKubernetesAuditRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSKubernetesAuditRolePolicy" -# }, -# { -# name = "AliyunCSManagedNetworkRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedNetworkRolePolicy" -# }, -# { -# name = "AliyunCSDefaultRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." -# policy_name = "AliyunCSDefaultRolePolicy" -# }, -# { -# name = "AliyunCSManagedKubernetesRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "By default, ACK clusters assume this role to access your cloud resources." -# policy_name = "AliyunCSManagedKubernetesRolePolicy" -# }, -# { -# name = "AliyunCSManagedArmsRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." 
-# policy_name = "AliyunCSManagedArmsRolePolicy" -# }, -# { -# name = "AliyunCISDefaultRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services." -# policy_name = "AliyunCISDefaultRolePolicy" -# }, -# { -# name = "AliyunOOSLifecycleHook4CSRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." -# policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" -# }, -# { -# name = "AliyunCSManagedAutoScalerRole" -# policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" -# description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." -# policy_name = "AliyunCSManagedAutoScalerRolePolicy" -# } -# ] -# } \ No newline at end of file +} \ No newline at end of file diff --git a/modules/alicloud/vendor-access/versions.tf b/modules/alicloud/vendor-access/versions.tf deleted file mode 100644 index 1578ed8..0000000 --- a/modules/alicloud/vendor-access/versions.tf +++ /dev/null @@ -1,8 +0,0 @@ -terraform { - required_providers { - alicloud = { - source = "hashicorp/alicloud" - version = "1.248.0" - } - } -} From 3a4c6b8d9df7078581ed9b0abc42cd88583948bc Mon Sep 17 00:00:00 2001 
From: Yisheng Cai Date: Wed, 11 Jun 2025 02:05:09 +0800 Subject: [PATCH 09/10] Add docs for privatelink --- modules/alicloud/private-link/README.md | 124 ++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 modules/alicloud/private-link/README.md diff --git a/modules/alicloud/private-link/README.md b/modules/alicloud/private-link/README.md new file mode 100644 index 0000000..7074ec8 --- /dev/null +++ b/modules/alicloud/private-link/README.md 
@@ -0,0 +1,124 @@ +# StreamNative Cloud - Managed AliCloud Private Link + +This Terraform module configures your AliCloud network to access private StreamNative BYOC pulsar service. + +# QuickStart + +Run the following terraform file with [AliCloud credentials](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) configured in your environment: + +## Create PrivateLink with default settings + +```hcl +provider "alicloud" { + region = "region" +} + +module "alicloud_private_link" { + source = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/private-link?ref=main" + + privatelink_service_id = "" + domain_name = "" + endpoint_name = "streamnative-pulsar-endpoint" + + vpc_id = "" + vswitches = [ + { + id = "" + zone = "" + }, + { + id = "" + zone = "" + } + ] +} +``` + +## Create PrivateLink with customized Security Group + +```hcl +provider "alicloud" { + region = "region" +} + +module "alicloud_private_link" { + source = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/private-link?ref=main" + + privatelink_service_id = "" + domain_name = "" + endpoint_name = "streamnative-pulsar-endpoint" + + vpc_id = "" + vswitches = [ + { + id = "" + zone = "" + }, + { + id = "" + zone = "" + } + ] + security_group_ids = [""] +} +``` + +Make sure you have the following inbound rules in your security group: + +- Allow TCP port 443 from the VPC +- Allow TCP port 6651 from the VPC +- Allow TCP port 9093 from the VPC +- Allow TCP port 5671 from the VPC +- Allow TCP port 8883 from the VPC + +## Run terraform + +1. Run `terraform init` +2. Run `terraform plan` +3. 
Run `terraform apply` + +# Terraform Docs + +## Requirements + +| Name | Version | +| --------------------------------------------------------------------- | ------- | +| [alicloud](#requirement_alicloud) | 1.248.0 | + +## Providers + +| Name | Version | +| --------------------------------------------------------------- | ------- | +| [alicloud](#provider_alicloud) | 1.248.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | +| [alicloud_privatelink_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/privatelink_vpc_endpoint) | resource | +| [alicloud_privatelink_vpc_endpoint_zone.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/privatelink_vpc_endpoint_zone) | resource | +| [alicloud_pvtz_zone.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/pvtz_zone) | resource | +| [alicloud_pvtz_zone_attachment.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/pvtz_zone_attachment) | resource | +| [alicloud_pvtz_zone_record.this](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/pvtz_zone_record) | resource | +| [alicloud_security_group.new](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/security_group) | resource | +| [alicloud_security_group_rule.new](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/security_group_rule) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [domain_name](#input_domain_name) | The domain suffix of the Pulsar endpoint, it should be obtained from StreamNative Cloud. | `string` | n/a | yes | +| [endpoint_name](#input_endpoint_name) | The name of the VPC endpoint will be created, used to identify from other endpoints. | `string` | `"streamnative-pulsar-endpoint"` | no | +| [privatelink_service_id](#input_privatelink_service_id) | The ID of the PrivateLink service, it should be obtained from StreamNative Cloud. | `string` | n/a | yes | +| [security_group_ids](#input_security_group_ids) | The list of security group IDs to associate with the endpoint, will create a new security group if this is empty. | `list(string)` | `[]` | no | +| [security_group_inbound_rules](#input_security_group_inbound_rules) | List of inbound rules for the security group, allowing traffic to the endpoint. |
list(object({
port = string
description = string
}))
|
[
{
"description": "Allow HTTPS traffic to the endpoint",
"port": "443/443"
},
{
"description": "Allow Pulsar traffic to the endpoint",
"port": "6651/6651"
},
{
"description": "Allow Kafka traffic to the endpoint",
"port": "9093/9093"
},
{
"description": "Allow AMQP traffic to the endpoint",
"port": "5671/5671"
},
{
"description": "Allow MQTT traffic to the endpoint",
"port": "8883/8883"
}
]
| no | +| [vpc_id](#input_vpc_id) | The ID of the VPC to create the endpoint in. | `string` | n/a | yes | +| [vswitches](#input_vswitches) | The list of VSwitches to associate with the endpoint. |
list(object({
id = string
zone = string
}))
| n/a | yes | + +## Outputs + +No outputs. From 9c5faecef0d1cce5c098cc0249924a2a938f08e3 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Wed, 11 Jun 2025 02:18:29 +0800 Subject: [PATCH 10/10] Add docs for vendor-access --- modules/alicloud/private-link/README.md | 16 ++--- modules/alicloud/vendor-access/README.md | 82 ++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 8 deletions(-) create mode 100644 modules/alicloud/vendor-access/README.md diff --git a/modules/alicloud/private-link/README.md b/modules/alicloud/private-link/README.md index 7074ec8..d142a1a 100644 --- a/modules/alicloud/private-link/README.md +++ b/modules/alicloud/private-link/README.md @@ -4,13 +4,11 @@ This Terraform module configures your AliCloud network to access private StreamN # QuickStart -Run the following terraform file with [AliCloud credentials](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) configured in your environment: - ## Create PrivateLink with default settings ```hcl provider "alicloud" { - region = "region" + region = "" } module "alicloud_private_link" { @@ -65,14 +63,16 @@ module "alicloud_private_link" { Make sure you have the following inbound rules in your security group: -- Allow TCP port 443 from the VPC -- Allow TCP port 6651 from the VPC -- Allow TCP port 9093 from the VPC -- Allow TCP port 5671 from the VPC -- Allow TCP port 8883 from the VPC +- Allow TCP port 443 from the VPC CIDR +- Allow TCP port 6651 from the VPC CIDR +- Allow TCP port 9093 from the VPC CIDR +- Allow TCP port 5671 from the VPC CIDR +- Allow TCP port 8883 from the VPC CIDR ## Run terraform +After [authenticating to your AliCloud international account](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) execute the following sequence of commands from the directory containing the `main.tf` configuration file: + 1. Run `terraform init` 2. Run `terraform plan` 3. Run `terraform apply` 
diff --git a/modules/alicloud/vendor-access/README.md b/modules/alicloud/vendor-access/README.md new file mode 100644 index 0000000..2ede613 --- /dev/null +++ b/modules/alicloud/vendor-access/README.md 
@@ -0,0 +1,82 @@
+# StreamNative Cloud - Managed AliCloud Vendor Access
+
+This Terraform module creates RAM resources within your AliCloud international account. These resources give StreamNative access only for the provisioning and management of StreamNative's BYOC(Bring Your Own Cloud) offering.
+
+For more information about StreamNative and our managed offerings for Apache Pulsar, visit our [website](https://streamnative.io/streamnativecloud/).
+
+# Quick Start
+
+## Pre Requisites
+
+To use this module you must have [Terraform installed](https://learn.hashicorp.com/tutorials/terraform/install-cli) and be familiar with its usage for [AliCloud](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication). It is recommended to securely store the Terraform configuration you create in source control, as well as use [Terraform's Remote State](https://www.terraform.io/language/state/remote) for storing the `*.tfstate` file.
+
+## Example
+
+```hcl
+provider "alicloud" {
+ region = ""
+}
+
+module "vendor_access" {
+ source = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/vendor-access?ref=main"
+
+ organization_ids = [""]
+}
+```
+
+After [authenticating to your AliCloud international account](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs#authentication) execute the following sequence of commands from the directory containing the `main.tf` configuration file:
+
+1. Run `terraform init`
+2. Run `terraform plan`
+3. Run `terraform apply`
+
+# Terraform Docs
+
+## Requirements
+
+| Name | Version |
+| --------------------------------------------------------------------- | ------- |
+| [alicloud](#requirement_alicloud) | 1.248.0 |
+
+## Providers
+
+| Name | Version |
+| --------------------------------------------------------------- | ------- |
+| [alicloud](#provider_alicloud) | 1.248.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- |
+| [alicloud_ram_policy.cloud_manager_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_policy) | resource |
+| [alicloud_ram_policy.support_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_policy) | resource |
+| [alicloud_ram_role.cloud_manager_role](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role) | resource |
+| [alicloud_ram_role.support_role](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role) | resource |
+| [alicloud_ram_role_policy_attachment.cloud_manager_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role_policy_attachment) | resource |
+| [alicloud_ram_role_policy_attachment.support_access](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/resources/ram_role_policy_attachment) | resource |
+| [alicloud_ack_service.open](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/ack_service) | data source |
+| [alicloud_caller_identity.current](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/caller_identity) | data source |
+| [alicloud_oss_service.open](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/oss_service) | data source |
+| [alicloud_ram_policy_document.cloud_manager_trust_policy](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/ram_policy_document) | data source |
+| [alicloud_ram_policy_document.support_role_trust_policy](https://registry.terraform.io/providers/hashicorp/alicloud/1.248.0/docs/data-sources/ram_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| --------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------------- | ---------------------------------------------------------------------- | :------: |
+| [organization_ids](#input_organization_ids) | The ID of your organization on StreamNative Cloud. | `list(string)` | n/a | yes |
+| [region](#input_region) | The aliyun region where your StreamNative Cloud Environment can be deployed. Defaults to all regions. | `string` | `"*"` | no |
+| [streamnative_cloud_manager_role_arns](#input_streamnative_cloud_manager_role_arns) | The list of StreamNative cloud manager role ARNs. This is used to grant StreamNative cloud manager to your environment. | `list(string)` |
[
"acs:ram::5855446584058772:role/cloud-manager"
]
| no |
+| [streamnative_support_role_arns](#input_streamnative_support_role_arns) | The list of StreamNative support role ARNs. This is used to grant StreamNative support to your environment. | `list(string)` |
[
"acs:ram::5855446584058772:role/support-general"
]
| no |
+
+## Outputs
+
+| Name | Description |
+| ----------------------------------------------------------------------------------- | ----------- |
+| [account_id](#output_account_id) | n/a |
+| [organization_ids](#output_organization_ids) | n/a |
+| [services](#output_services) | n/a |