The first time you use an ACK Edge cluster, you must grant it the default system roles. These roles allow the ACK Edge cluster to access other Alibaba Cloud services, such as ECS, OSS, NAS, and SLB, create resources, and save logs. This topic describes how to use Terraform to grant these default roles to Container Service.
Prerequisites
ACK is activated. If not already active, see Activate ACK via Terraform.
Your Alibaba Cloud account must have full permissions on all resources. If the credentials of your Alibaba Cloud account are leaked, you may face significant security risks. We recommend that you use a Resource Access Management (RAM) user and create an AccessKey for the RAM user. For more information, see Create a RAM user and Create an AccessKey.
Attach the following least privilege policy to the RAM user that you use to run Terraform commands. This policy grants the RAM user permissions to manage the resources in this example. For more information, see Manage RAM user permissions.
This access policy allows the RAM user to create, view, and delete VPCs, vSwitches, security groups, and ACK clusters.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "vpc:CreateVpc", "vpc:CreateVSwitch", "vpc:DescribeVpcAttribute", "vpc:DescribeRouteTableList", "vpc:DescribeVSwitchAttributes", "ecs:CreateSecurityGroup", "ecs:ModifySecurityGroupPolicy", "ecs:DescribeSecurityGroups", "ecs:DescribeSecurityGroupAttribute", "ecs:ListTagResources", "cs:CreateCluster", "cs:DescribeTaskInfo", "cs:DescribeClusterDetail", "vpc:DeleteVpc", "vpc:DeleteVSwitch", "cs:DeleteCluster", "ecs:DeleteSecurityGroup" ], "Resource": "*" } ] }Prepare a Terraform environment. You can use one of the following methods to run Terraform.
Use Terraform in Terraform Explorer: Alibaba Cloud provides an online environment to run Terraform. You do not need to install Terraform. You can log on to use and try Terraform online. This method is suitable for scenarios where you want to try and debug Terraform quickly and conveniently at no cost.
Cloud Shell: Alibaba Cloud Cloud Shell has Terraform components pre-installed and identity credentials configured. You can run Terraform commands directly in Cloud Shell. This method is suitable for scenarios where you want to access and use Terraform quickly and conveniently at a low cost.
Install and configure Terraform on your local machine: This method is suitable for scenarios with poor network connectivity or when you need a custom development environment.
ImportantMake sure that your Terraform version is 0.12.28 or later. You can run the terraform --version command to check the version.
Step 1: Create an ACK Edge cluster
ACK Edge is a commercial service. Before you can create an ACK Edge cluster, you must activate the service.
Create a working directory, and then create a configuration file named
main.tfin the directory.Copy the following code to the
main.tffile.Run the following command to initialize the Terraform runtime environment.
terraform initThe following output indicates that the initialization is successful.
Initializing the backend... Initializing provider plugins... ... Terraform has been successfully initialized! ...Run the following command to activate ACK Edge.
terraform applyThe following output indicates that the service is activated.
data.alicloud_ack_service.open: Refreshing state... Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Step 2: Grant roles
When you use an ACK Edge cluster for the first time, you must grant the default system roles to the service account.
Add the following code to the
main.tffile.NoteTerraform cannot automatically detect whether a role exists. You must manually query for role information and then grant the required roles to your account.
// Check if the role exists. data "alicloud_ram_roles" "roles" { policy_type = "System" } // List the roles that are fully granted to the account. output "exist_role" { value = data.alicloud_ram_roles.roles }Run the following command to query the roles that are granted to your account.
terraform applyThe following output is returned.
No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: ... exist_role = { "id" = "1788****59" "ids" = tolist([ "3009617019****1438", "3023233020****0278", "3302003419****4675", "3178548808****5924", "3371411011****5177", "3475619590****3519", ]) "name_regex" = tostring(null) "names" = tolist([ "AliyunCASDefaultRole", "AliyunContainerRegistryDefaultRole", "AliyunCSDefaultRole", "AliyunCSKubernetesAuditRole", "AliyunCSManagedArmsRole", "AliyunCSManagedCmsRole", "AliyunCSManagedCsiRole", "AliyunCSManagedKubernetesRole", "AliyunCSManagedLogRole", "AliyunCSManagedNetworkRole", "AliyunCSServerlessKubernetesRole", "AliyunServiceRoleForCSB", "AliyunServiceRoleForECI", "AliyunServiceRoleForGws", "AliyunServiceRoleForResourceDirectory", "AliyunServiceRoleForServiceMesh", ]) "output_file" = tostring(null) "policy_name" = tostring(null) "policy_type" = "System" "roles" = tolist([ { "arn" = "acs:ram::1848450434088535:role/aliyuncasdefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "create_date" = "2023-07-17T03:27:28Z" "description" = "Alibaba Cloud Certificate Service (CAS) uses this role by default to access your resources in other cloud products." "document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "id" = "300961701980****" "name" = "AliyunCASDefaultRole" "update_date" = "2023-07-17T03:27:28Z" }, { "arn" = "acs:ram::1848450434****:role/aliyuncontainerregistrydefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"} "id" = "3502335964487******" "name" = "AliyunServiceRoleForServiceMesh" "update_date" = "2022-09-27T10:26:50Z" }, ]) }In the
main.tffile, replace the content with the following authorization template.NoteThis template grants permissions based on service roles and uses variables to specify properties such as the name and policy for each role. To adjust role authorizations, see Optional roles and the roles that you queried in Step 2: Grant roles. In the
default = []section of the template, you can add or delete roles as needed. This helps prevent duplicate or missed authorizations.Run the following command to initialize the Terraform runtime environment.
terraform initThe following output indicates that the initialization is successful.
Initializing the backend... Initializing provider plugins... ... Terraform has created a lock file .terraform.lock.hcl to record the providerselections it made above. Include this file in your version control repositoryso that Terraform can guarantee to make the same selections by default whenyou run "terraform init" in the future. Terraform has been successfully initialized! ...Run the following command to grant the roles to your account.
terraform applyThe system displays the following information. To grant the authorization, enter
yesand press Enter.Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes alicloud_ram_role_policy_attachment.attach["AliyunCSManagedEdgeRole"]: Creating... alicloud_ram_role_policy_attachment.attach["AliyunCSManagedEdgeRole"]: Creation complete after 0s [id=role:AliyunCSManagedEdgeRolePolicy:System:AliyunCSManagedEdgeRole] ...Run the following command to view the existing roles.
terraform showThe output lists all roles that are granted to the account. This indicates that the role authorization is complete.
# alicloud_ram_role.role["AliyunCSManagedEdgeRole"]: resource "alicloud_ram_role" "role" { arn = "acs:ram::10051XXXXXX30:role/aliyuncsmanagededgerole" description = "The control plane component of the cluster uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN)." ...... } # alicloud_ram_role_policy_attachment.attach["AliyunCSManagedEdgeRole"]: resource "alicloud_ram_role_policy_attachment" "attach" { id = "role:AliyunCSManagedEdgeRolePolicy:System:AliyunCSManagedEdgeRole" policy_name = "AliyunCSManagedEdgeRolePolicy" policy_type = "System" role_name = "AliyunCSManagedEdgeRole" ..... }
Service roles
AliyunCSManagedLogRole
Description:
The log component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in Simple Log Service (SLS).
Authorization code:
{ name = "AliyunCSManagedLogRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The log component of the cluster uses this role to access your resources in other cloud products." policy_name = "AliyunCSManagedLogRolePolicy" }
AliyunCSManagedCmsRole
Description:
The monitoring component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in CloudMonitor (CMS) and SLS.
Authorization code:
{ name = "AliyunCSManagedCmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The CMS component of the cluster uses this role to access your resources in other cloud products." policy_name = "AliyunCSManagedCmsRolePolicy" }
AliyunCSManagedCsiRole
Description:
The storage component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in services such as ECS, NAS, and OSS.
Authorization code:
{ name = "AliyunCSManagedCsiRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The storage plugin of the cluster uses this role to access your resources in other cloud products." policy_name = "AliyunCSManagedCsiRolePolicy" }
AliyunCSServerlessKubernetesRole
Description:
ACK Edge clusters and ACK serverless clusters use this role to access your resources in services such as ECS, VPC, SLB, and PrivateZone.
Authorization code:
{ name = "AliyunCSServerlessKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The cluster uses this role by default to access your resources in other cloud products." policy_name = "AliyunCSServerlessKubernetesRolePolicy" }
AliyunCSKubernetesAuditRole
Description:
The audit feature component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in SLS.
Authorization code:
{ name = "AliyunCSKubernetesAuditRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The cluster audit feature uses this role to access your resources in other cloud products." policy_name = "AliyunCSKubernetesAuditRolePolicy" }
AliyunCSManagedNetworkRole
Description:
The network component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ECS and VPC.
Authorization code:
{ name = "AliyunCSManagedNetworkRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network component of the cluster uses this role to access your resources in other cloud products." policy_name = "AliyunCSManagedNetworkRolePolicy" }
AliyunCSDefaultRole
Description:
Container Service for Kubernetes uses this role during control plane operations to access your resources in services such as ECS, VPC, SLB, ROS, and ESS.
Authorization code:
{ name = "AliyunCSDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The cluster uses this role by default during operations to access your resources in other cloud products." policy_name = "AliyunCSDefaultRolePolicy" }
AliyunCSManagedKubernetesRole
Description:
ACK managed clusters and ACK Edge clusters use this role to access your resources in services such as ECS, VPC, SLB, and Container Registry (ACR).
Authorization code:
{ name = "AliyunCSManagedKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The cluster uses this role by default to access your resources in other cloud products." policy_name = "AliyunCSManagedKubernetesRolePolicy" }
AliyunCSManagedArmsRole
Description:
The Application Real-Time Monitoring Service (ARMS) component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ARMS.
Authorization code:
{ name = "AliyunCSManagedArmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The ARMS plugin of the cluster uses this role to access your resources in other cloud products." policy_name = "AliyunCSManagedArmsRolePolicy" }
Optional roles
AliyunCISDefaultRole
Description:
The ACK Container Intelligence Service (CIS) uses this role to access your resources in services such as ECS, VPC, and SLB to provide features such as diagnostics and inspection.
Authorization code:
{ name = "AliyunCISDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Container Service (CS) Intelligence uses this role to access your resources in other cloud products." policy_name = "AliyunCISDefaultRolePolicy" }
AliyunCSManagedAcrRole
Description:
The passwordless image pulling component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ACR.
Authorization code:
{ name = "AliyunCSManagedAcrRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The passwordless image pulling plugin of the cluster uses this role to access your resources in the ACR service." policy_name = "AliyunCSManagedAcrRolePolicy" }
AliyunCSManagedNlcRole
Description:
The node lifecycle controller of ACK managed clusters and ACK Edge clusters uses this role to access your ECS and ACK node pool resources.
Authorization code:
{ name = "AliyunCSManagedNlcRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The control component of the managed node pool of the cluster uses this role to access your ECS and ACK node pool resources." policy_name = "AliyunCSManagedNlcRolePolicy" }
AliyunCSManagedAutoScalerRole
Description:
The Auto Scaling component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in ESS and ECS.
Authorization code:
{ name = "AliyunCSManagedAutoScalerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The Auto Scaling component of the cluster uses this role to access your resources in other cloud products." policy_name = "AliyunCSManagedAutoScalerRolePolicy" }
AliyunCSManagedSecurityRole
Description:
The component for encryption at rest and credential management of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in Key Management Service (KMS).
Authorization code:
{ name = "AliyunCSManagedSecurityRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The encryption at rest plugin of the cluster uses this role to access your resources in the KMS service." policy_name = "AliyunCSManagedSecurityRolePolicy" }
AliyunCSManagedCostRole
Description:
The cost analysis component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in the billing management API, ECS, and ECI.
Authorization code:
{ name = "AliyunCSManagedCostRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The cost analysis component of the cluster uses this role to access your resources in the billing management API, ECS, and ECI services." policy_name = "AliyunCSManagedCostRolePolicy" }
AliyunCSManagedNimitzRole
Description:
The control plane component of ACK Edge clusters uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN).
Authorization code:
{ name = "AliyunCSManagedNimitzRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network component of ACK LINGJUN clusters uses this role to access your resources in the Intelligent Computing LINGJUN service." policy_name = "AliyunCSManagedNimitzRolePolicy" }
AliyunCSManagedBackupRestoreRole
Description:
The backup center service component of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in Cloud Backup and OSS.
Authorization code:
{ name = "AliyunCSManagedBackupRestoreRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The backup center component of the cluster uses this role to access your resources in the Cloud Backup and OSS services." policy_name = "AliyunCSManagedBackupRestoreRolePolicy" }
AliyunCSManagedEdgeRole
Description:
The control plane component of ACK Edge clusters uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN).
Authorization code:
{ name = "AliyunCSManagedEdgeRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The control plane component of ACK Edge clusters uses this role to access your resources in Smart Access Gateway, VPC, and Cloud Enterprise Network (CEN)." policy_name = "AliyunCSManagedEdgeRolePolicy" }
AliyunCSManagedCsiProvisionerRole
Description:
The storage component (the csi-provisioner managed component) of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in services such as ECS, NAS, and OSS.
Authorization code:
{ name = "AliyunCSManagedCsiProvisionerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The storage component (new csi-provisioner component) of ACK managed clusters, ACK Edge clusters, and ACK serverless clusters uses this role to access your resources in the ECS, NAS, and OSS services." policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" }
AliyunOOSLifecycleHook4CSRole
Description:
CloudOps Orchestration Service (OOS) uses this role to access your resources in services such as Container Service for Kubernetes, ECS, and PolarDB.
Authorization code:
{ name = "AliyunOOSLifecycleHook4CSRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Node pool scaling depends on the OOS service. OOS uses this role to access your resources in other cloud products." policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" }