Professional Edition instances of ApsaraMQ for Kafka support access control lists (ACLs) to manage the access of SASL users to topics and consumer groups. With Terraform, you can fold ACL management into your infrastructure-as-code (IaC) workflow: write a Terraform configuration file that specifies the user's permissions, then run Terraform commands to apply the configuration automatically.
Prerequisites
The instance is of the Professional Edition type.
Terraform is installed. Terraform 0.13 and later are supported.
Alibaba Cloud account information is configured.
Choose an Alibaba Cloud authentication method to provide credentials for Terraform runs. This topic uses environment variables as an example:
export ALICLOUD_ACCESS_KEY="************"
export ALICLOUD_SECRET_KEY="************"
export ALICLOUD_REGION="cn-hangzhou"
Note: To protect your data, grant RAM users only the permissions on Kafka resources that they actually need. For details, see Grant permissions to RAM users.
Background information
The Terraform alicloud_alikafka_sasl_acl resource provides the following parameters:
(Required) instance_id: the instance ID.
(Required) username: the SASL user name. It must start with a letter, be 3 to 64 characters long, and contain only letters, digits, hyphens (-), and underscores (_).
(Required) acl_resource_type: the type of the ACL resource.
  Topic: a topic.
  Group: a consumer group.
  Cluster: the instance.
  TransactionalId: a transactional ID.
(Required) acl_resource_name: the name of the ACL resource. This should be the name of a topic or consumer group.
(Required) acl_resource_pattern_type: how the ACL resource name is matched.
  LITERAL: exact match.
  PREFIXED: prefix match.
(Required) acl_operation_type: the operation the ACL permits on the resource.
  Write: write access.
  Read: read access.
For more information, see alicloud_alikafka_sasl_acl.
Create a SASL user and grant permissions
In this example, a topic and a SASL user are created in the China (Hangzhou) region, and the user is granted write permission on the topic. The topic is named example-topic and the SASL user is named example.
Create a project folder named terraform to hold the Terraform resources.
Run the following command to enter the project directory.
cd terraform
Create a configuration file named acl.tf with the following content.
# Create the topic.
resource "alicloud_alikafka_topic" "default" {
  instance_id = "alikafka_post-cn-uax3go6z****"
  topic       = "example-topic"
  remark      = "topic-remark"
}

# Create the SASL user.
resource "alicloud_alikafka_sasl_user" "default" {
  instance_id = "alikafka_post-cn-uax3go6z****"
  username    = "example"
  password    = "tf_example123"
}

# Grant the new SASL user write permission on the topic.
resource "alicloud_alikafka_sasl_acl" "default" {
  instance_id               = "alikafka_post-cn-uax3go6z****"
  username                  = alicloud_alikafka_sasl_user.default.username
  acl_resource_type         = "Topic"
  acl_resource_name         = alicloud_alikafka_topic.default.topic
  acl_resource_pattern_type = "LITERAL"
  acl_operation_type        = "Write"
}
Run the following command to initialize the Terraform working directory.
terraform init
Expected output:
Initializing the backend...
Initializing provider plugins...
- Reusing previous version of hashicorp/alicloud from the dependency lock file
- Using previously-installed hashicorp/alicloud v1.211.2
...
Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Run the following command to create the topic and the SASL user and to grant the user its permission.
terraform apply
Expected output:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # alicloud_alikafka_sasl_acl.default will be created
  + resource "alicloud_alikafka_sasl_acl" "default" {
      + acl_operation_type        = "Write"
      + acl_resource_name         = "example-topic"
      + acl_resource_pattern_type = "LITERAL"
      + acl_resource_type         = "Topic"
      + host                      = (known after apply)
      + id                        = (known after apply)
      + instance_id               = "alikafka_post-cn-uax3go6z****"
      + username                  = "example"
    }

  # alicloud_alikafka_sasl_user.default will be created
  + resource "alicloud_alikafka_sasl_user" "default" {
      + id          = (known after apply)
      + instance_id = "alikafka_post-cn-uax3go6z****"
      + password    = (sensitive value)
      + username    = "example"
    }

  # alicloud_alikafka_topic.default will be created
  + resource "alicloud_alikafka_topic" "default" {
      + compact_topic = false
      + id            = (known after apply)
      + instance_id   = "alikafka_post-cn-uax3go6z****"
      + local_topic   = false
      + partition_num = 12
      + remark        = "topic-remark"
      + topic         = "example-topic"
    }

Plan: 3 to add, 0 to change, 0 to destroy.
...
alicloud_alikafka_topic.default: Creating...
alicloud_alikafka_sasl_user.default: Creating...
alicloud_alikafka_sasl_user.default: Creation complete after 3s [id=alikafka_post-cn-uax3go6z****:example]
alicloud_alikafka_topic.default: Still creating... [10s elapsed]
alicloud_alikafka_topic.default: Creation complete after 10s [id=alikafka_post-cn-uax3go6z****:example-topic]
alicloud_alikafka_sasl_acl.default: Creating...
alicloud_alikafka_sasl_acl.default: Still creating... [10s elapsed]
alicloud_alikafka_sasl_acl.default: Creation complete after 1m1s [id=alikafka_post-cn-uax3go6z****:example:Topic:example-topic:LITERAL:Write]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
The SASL user has been created and granted write permission on the topic.
Remove the SASL user and its permissions
In the project directory, run the following command.
terraform destroy
Expected output:
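The following configuration is an added example, not part of the original page or of the Alibaba Cloud provider's documentation. It extends the single-ACL setup above to a least-privilege layout built from the same parameters: a producer user that may only write to one topic, and a consumer user that may only read that topic and its consumer group, with one alicloud_alikafka_sasl_acl per entry generated by for_each instead of a password literal and a single hand-written resource. The instance ID placeholder, the user names, the consumer group name orders-consumer-group (assumed to already exist on the instance) and the sasl_passwords variable are all assumptions.

```hcl
# Assumed placeholder; replace with your own Professional Edition instance ID.
variable "instance_id" {
  type    = string
  default = "alikafka_post-<INSTANCE_ID_PLACEHOLDER>"
}

# Passwords come from outside the file (TF_VAR_sasl_passwords or a .tfvars file
# kept out of version control), never as literals. sensitive needs Terraform 0.14+.
variable "sasl_passwords" {
  type      = map(string)
  sensitive = true
}

resource "alicloud_alikafka_topic" "orders" {
  instance_id = var.instance_id
  topic       = "orders-events"
  remark      = "order events"
}

# One SASL user per role, so each credential carries only the ACLs its role needs.
resource "alicloud_alikafka_sasl_user" "users" {
  for_each    = toset(["orders-producer", "orders-consumer"])
  instance_id = var.instance_id
  username    = each.key
  password    = var.sasl_passwords[each.key]
}

locals {
  # Constructed ACL set. A consumer needs Read on the topic and Read on its
  # consumer group (assumed to exist); a producer needs only Write on the topic.
  # LITERAL limits each entry to one named resource; PREFIXED would cover every
  # topic or group sharing the prefix, so use it only when that is intended.
  acls = {
    producer_topic_write = { user = "orders-producer", type = "Topic", name = alicloud_alikafka_topic.orders.topic, pattern = "LITERAL", op = "Write" }
    consumer_topic_read  = { user = "orders-consumer", type = "Topic", name = alicloud_alikafka_topic.orders.topic, pattern = "LITERAL", op = "Read" }
    consumer_group_read  = { user = "orders-consumer", type = "Group", name = "orders-consumer-group", pattern = "LITERAL", op = "Read" }
  }
}

# One ACL resource per entry; the map key becomes the ACL's address in plan output.
resource "alicloud_alikafka_sasl_acl" "least_privilege" {
  for_each                  = local.acls
  instance_id               = var.instance_id
  username                  = alicloud_alikafka_sasl_user.users[each.value.user].username
  acl_resource_type         = each.value.type
  acl_resource_name         = each.value.name
  acl_resource_pattern_type = each.value.pattern
  acl_operation_type        = each.value.op
}
```

Because every ACL is a separate keyed resource, removing one entry from local.acls produces a plan that destroys exactly that ACL, which makes permission changes reviewable line by line.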
alicloud_alikafka_sasl_user.default: Refreshing state... [id=alikafka_post-cn-uax3go6z****:example]
alicloud_alikafka_topic.default: Refreshing state... [id=alikafka_post-cn-uax3go6z****:example-topic]
alicloud_alikafka_sasl_acl.default: Refreshing state... [id=alikafka_post-cn-uax3go6z****:example:Topic:example-topic:LITERAL:Write]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # alicloud_alikafka_sasl_acl.default will be destroyed
  - resource "alicloud_alikafka_sasl_acl" "default" {
      - acl_operation_type        = "Write" -> null
      - acl_resource_name         = "example-topic" -> null
      - acl_resource_pattern_type = "LITERAL" -> null
      - acl_resource_type         = "Topic" -> null
      - host                      = "*" -> null
      - id                        = "alikafka_post-cn-uax3go6z****:example:Topic:example-topic:LITERAL:Write" -> null
      - instance_id               = "alikafka_post-cn-uax3go6z****" -> null
      - username                  = "example" -> null
    }

  # alicloud_alikafka_sasl_user.default will be destroyed
  - resource "alicloud_alikafka_sasl_user" "default" {
      - id          = "alikafka_post-cn-uax3go6z****:example" -> null
      - instance_id = "alikafka_post-cn-uax3go6z****" -> null
      - password    = (sensitive value)
      - type        = "plain" -> null
      - username    = "example" -> null
    }

  # alicloud_alikafka_topic.default will be destroyed
  - resource "alicloud_alikafka_topic" "default" {
      - compact_topic = false -> null
      - id            = "alikafka_post-cn-uax3go6z****:example-topic" -> null
      - instance_id   = "alikafka_post-cn-uax3go6z****" -> null
      - local_topic   = false -> null
      - partition_num = 12 -> null
      - remark        = "topic-remark" -> null
      - tags          = {} -> null
      - topic         = "example-topic" -> null
    }

Plan: 0 to add, 0 to change, 3 to destroy.
...
alicloud_alikafka_sasl_acl.default: Destroying... [id=alikafka_post-cn-uax3go6zz00f:example:Topic:example-topic:LITERAL:Write]
alicloud_alikafka_sasl_acl.default: Still destroying... [id=alikafka_post-cn-uax3go6z****:example:Topic:example-topic:LITERAL:Write, 10s elapsed]
alicloud_alikafka_sasl_acl.default: Destruction complete after 1m1s
alicloud_alikafka_sasl_user.default: Destroying... [id=alikafka_post-cn-uax3go6z****:example]
alicloud_alikafka_topic.default: Destroying... [id=alikafka_post-cn-uax3go6z****:example-topic]
alicloud_alikafka_sasl_user.default: Destruction complete after 1s
alicloud_alikafka_topic.default: Still destroying... [id=alikafka_post-cn-uax3go6z****:example-topic, 10s elapsed]
alicloud_alikafka_topic.default: Destruction complete after 15s

Destroy complete! Resources: 3 destroyed.
The SASL user and its permissions have been removed.
Query SASL user permissions
Create a project folder named terraform to hold the Terraform resources.
Run the following command to enter the project directory.
cd terraform
Create a configuration file named main.tf with the following content.
data "alicloud_alikafka_sasl_acls" "sasl_acls_ds" {
  instance_id       = "<Kafka实例ID>"
  username          = "<SASL用户名称>"
  # ACL resource type; see the acl_resource_type parameter under Background information above.
  acl_resource_type = "<ACL资源类型>"
  acl_resource_name = "<ACL资源名称>"
  output_file       = "saslAcls.txt"
}

output "first_sasl_acl_username" {
  # The SASL user name of the first ACL in the list; index [0] is the first item.
  value = data.alicloud_alikafka_sasl_acls.sasl_acls_ds.acls[0].username
}
Run the following command to initialize the Terraform working directory.
terraform init
Expected output:
Initializing provider plugins...
- Reusing previous version of hashicorp/alicloud from the dependency lock file
- Using previously-installed hashicorp/alicloud v1.211.2

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Run the following command to query the first SASL user permission in the list.
terraform apply
Expected output:
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

first_sasl_acl_username = "wbtest"
You can also open the saslAcls.txt file to view the resource type, resource name, pattern type, operation type, and other details of the SASL user's permissions:
[
  {
    "acl_operation_type": "Read",
    "acl_resource_name": "testtopic",
    "acl_resource_pattern_type": "LITERAL",
    "acl_resource_type": "Topic",
    "host": "*",
    "username": "wbtes****"
  }
]
Related documents
You can also grant permissions to SASL users in the console or by calling the API. For details, see Grant permissions to SASL users and CreateAcl.
For more parameters of alicloud_alikafka_sasl_acl, see alicloud_alikafka_sasl_acl.