This topic describes how to use Terraform to create a namespace and container image repositories, together with a RAM account authorized to access them, in a single step.

Prerequisites

Before you begin, make sure that you have completed the following operations:

Background information

Alibaba Cloud Container Registry provides secure hosting for application images, precise image security scanning, stable image build services both inside and outside China, and convenient image authorization, so that users can manage the whole lifecycle of their images. When a DevOps tool needs to access and use a container image repository created on Alibaba Cloud, that access must be authorized through an Alibaba Cloud account. With the Terraform module cr you can create, in one step, a RAM sub-account that holds exactly the permissions needed to access the target repositories, granting precise authorization and avoiding unnecessary security exposure.

Procedure

  1. Write the Terraform script.
    1. Declare the module in the main.tf file. The file content is as follows:
      provider "alicloud" {}
      
      module "cr" {
        source  = "roura356a/cr/alicloud"
        version = "1.3.0"
        # Namespace name
        namespace    = "cr_repo_namespace"
        # List of repositories to authorize
        repositories = ["one", "two", "three"]
      }
    2. Define the output parameters in the outputs.tf file. The file content is as follows:
      output "cr_namespace" {
        description = "The CR Namespace's ID"
        value       = module.cr.cr_namespace
      }
      
      output "cr_access_key" {
        description = "The CR Namespace's Access Key"
        value       = module.cr.cr_access_key
      }
      
      output "cr_user" {
        description = "The CR Namespace's User"
        value       = module.cr.cr_user
      }
      
      output "ram_user" {
        description = "The RAM User"
        value       = module.cr.ram_user
      }
      
      output "ram_console_username" {
        description = "Console login username"
        value       = module.cr.ram_console_username
      }
      
      output "cr_endpoint" {
        description = "Public endpoint of the registry"
        value       = module.cr.cr_endpoint
      }
      
      output "repository_ids" {
        description = "List of repository IDs created"
        value       = module.cr.repository_ids
      }
      
      output "disposable_password" {
        description = "Password to activate the console login profile, forces to reset it"
        value       = module.cr.disposable_password
      }
      
      output "access_key_status" {
        description = "Status of the created AccessKey"
        value       = module.cr.access_key_status
      }
      
      output "ram_policy_name" {
        description = "The RAM policy name"
        value       = module.cr.ram_policy_name
      }
      
      output "ram_policy_type" {
        description = "The RAM policy type"
        value       = module.cr.ram_policy_type
      }
      
      output "ram_policy_attachment" {
        description = "The RAM policy attachment ID"
        value       = module.cr.ram_policy_attachment
      }
  2. Run terraform init to initialize the working directory.
    terraform init

    The command output is similar to the following:

    Initializing modules...
    Downloading roura356a/cr/alicloud 1.3.0 for cr...
    - cr in .terraform\modules\cr\roura356a-terraform-alicloud-cr-c60a3d4
    
    Initializing the backend...
    
    Initializing provider plugins...
    - Checking for available provider plugins...
    - Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.68.0...
    - Downloading plugin for provider "random" (hashicorp/random) 2.2.1...
    
    The following providers do not have any version constraints in configuration,
    so the latest version was installed.
    
    To prevent automatic upgrades to new major versions that may contain breaking
    changes, it is recommended to add version = "..." constraints to the
    corresponding provider blocks in configuration, with the constraint strings
    suggested below.
    
    * provider.random: version = "~> 2.2"
    
    Terraform has been successfully initialized!
    
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    
    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.
  3. Run terraform apply to start creating the resources.
    terraform apply

    The command output is similar to the following:

    module.cr.data.alicloud_account.current: Refreshing state...
    module.cr.data.alicloud_regions.current: Refreshing state...
    
    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create
    
    Terraform will perform the following actions:
    
    ...
    
    Plan: 10 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    
    module.cr.random_string.cr_console_password: Creating...
    ...
    
    Apply complete! Resources: 10 added, 0 changed, 0 destroyed.
    
    Outputs:
    
    access_key_status = Active
    cr_access_key = LTAI4FfqhU7csppPe******
    cr_endpoint = registry.cn-hangzhou.aliyuncs.com
    cr_namespace = cr_repo_namespace
    cr_user = cr_repo_namespace-cr-user
    disposable_password = er1PQu******
    ram_console_username = cr_repo_namespace-cr-user@1231579085******.onaliyun.com
    ram_policy_attachment = user:cr_repo_namespace-cr-policy:Custom:cr_repo_namespace-cr-user
    ram_policy_name = cr_repo_namespace-cr-policy
    ram_policy_type = Custom
    ram_user = cr_repo_namespace-cr-user
    repository_ids = [
      "cr_repo_namespace/one",
      "cr_repo_namespace/two",
      "cr_repo_namespace/three",
    ]
    At the same time, a file named cr-cr_repo_namespace-ak.json is generated in the working directory. It stores the AccessKey of the newly created RAM sub-account that has access to the target repositories. The file content is as follows:
    {
        "AccessKeySecret": "qkxn1AkG6B50******sneyCQDuurcW",
        "CreateDate": "2020-01-07T07:00:00Z",
        "Status": "Active",
        "AccessKeyId": "LTAI4Ff******ppPeLRkJHES"
    }
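The ak.json file above is a long-lived credential written in plaintext to the Terraform working directory, and the cr_access_key and disposable_password outputs are also recorded in terraform.tfstate. The following script is an added example (not part of the Alibaba Cloud documentation or the roura356a/cr module) that audits such a working directory before it is committed or shared: it validates the layout of the ak.json file as shown above, checks that the file is readable only by its owner, and scans the other files in the directory for the same AccessKey ID. The file and directory contents are constructed placeholders, and the assumption that RAM AccessKey IDs start with "LTAI" (as the sample outputs above show) is used only as a scanning heuristic.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample mirroring the layout of the cr-<namespace>-ak.json file
# the module writes; the values are placeholders, not real credentials.
SAMPLE_AK_JSON = {
    "AccessKeySecret": "EXAMPLE_SECRET_PLACEHOLDER",
    "CreateDate": "2020-01-07T07:00:00Z",
    "Status": "Active",
    "AccessKeyId": "LTAI4EXAMPLEPLACEHOLDER",
}

REQUIRED_KEYS = {"AccessKeyId", "AccessKeySecret", "Status", "CreateDate"}

# Assumption: AccessKey IDs issued to RAM users start with "LTAI" (matches the
# sample outputs); used here only as a heuristic for spotting a pasted ID.
AK_ID_PATTERN = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")


def load_access_key(path):
    """Parse the ak.json file and check it has the fields the module writes."""
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    missing = REQUIRED_KEYS - set(data)
    if missing:
        raise ValueError(f"{path}: missing fields {sorted(missing)}")
    if data["Status"] != "Active":
        raise ValueError(f"{path}: AccessKey status is {data['Status']!r}, not Active")
    return data


def file_is_private(path):
    """True when group and others have no permission bits (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def find_leaked_key_ids(paths, key_id=None):
    """Return (path, line_no, match) for every AccessKey ID found in the files.

    With key_id set, only that ID is reported; otherwise any LTAI-style ID counts.
    Unreadable paths are skipped rather than aborting the scan.
    """
    hits = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="ignore") as f:
                for n, line in enumerate(f, 1):
                    for m in AK_ID_PATTERN.finditer(line):
                        if key_id is None or m.group(0) == key_id:
                            hits.append((p, n, m.group(0)))
        except OSError:
            continue
    return hits


def audit_workdir(workdir, ak_filename):
    """Run all three checks over a Terraform working directory.

    Returns a dict so a caller (for example a CI job) can decide what to fail on.
    """
    ak_path = os.path.join(workdir, ak_filename)
    data = load_access_key(ak_path)
    others = [
        os.path.join(workdir, f)
        for f in os.listdir(workdir)
        if f != ak_filename and os.path.isfile(os.path.join(workdir, f))
    ]
    return {
        "key_id": data["AccessKeyId"],
        "private": file_is_private(ak_path),
        "leaks": find_leaked_key_ids(others, data["AccessKeyId"]),
    }


def demo():
    """Build a constructed working directory and audit it."""
    workdir = tempfile.mkdtemp()
    ak_name = "cr-cr_repo_namespace-ak.json"
    ak_path = os.path.join(workdir, ak_name)
    with open(ak_path, "w", encoding="utf-8") as f:
        json.dump(SAMPLE_AK_JSON, f)
    os.chmod(ak_path, 0o600)
    # terraform.tfstate holds every output, including cr_access_key; this
    # constructed stand-in carries the same ID so the scan reports it.
    with open(os.path.join(workdir, "terraform.tfstate"), "w", encoding="utf-8") as f:
        f.write('{"outputs": {"cr_access_key": {"value": "LTAI4EXAMPLEPLACEHOLDER"}}}\n')
    return audit_workdir(workdir, ak_name)


if __name__ == "__main__":
    print(demo())
```

Run it on a real working directory with audit_workdir(".", "cr-cr_repo_namespace-ak.json"); a non-empty "leaks" list or "private" being False is the signal to exclude terraform.tfstate and the ak.json file from version control and to tighten the file mode before handing the key to the DevOps tool.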