配置云消息队列 Kafka 版的白名单后,配置在白名单中的IP地址与端口才允许访问云消息队列 Kafka 版实例。本文介绍如何通过Terraform的alicloud_alikafka_instance_allowed_ip_attachment资源添加以及删除白名单。
前提条件
安装Terraform。支持Terraform 0.13及以上版本。
配置阿里云账号信息。
选择一种阿里云认证方式,为Terraform的执行提供认证信息。本文以环境变量认证方式为例:
export ALICLOUD_ACCESS_KEY="************" export ALICLOUD_SECRET_KEY="************" export ALICLOUD_REGION="cn-hangzhou"说明为保障数据安全性,建议您按需为RAM用户授予Kafka资源的操作权限。具体操作,请参见RAM主子账号授权。
背景信息
Terraform的alicloud_alikafka_instance_allowed_ip_attachment资源提供了以下参数:
(必需)allowed_ip:白名单,可以是地址块。
(必需)allowed_type:白名单类型。
vpc:专有网络VPC。
internet:公网。
(必需)instance_id:实例ID。
(必需)port_range:端口范围。
9092/9092:专有网络VPC。
9093/9093:公网。
添加白名单
本示例以华东1(杭州)地域下的实例为例,为实例添加白名单。
创建一个用于存放Terraform资源的项目文件夹,命名为terraform。
执行以下命令,进入项目目录。
cd terraform执行以下命令,创建名为allowed_ip.tf的配置文件。
resource "alicloud_alikafka_instance_allowed_ip_attachment" "default" { allowed_ip = var.allowed_ip # 设置白名单类型为专有网络VPC。 allowed_type = "vpc" instance_id = "<实例ID>" # 设置端口范围。 port_range = "9092/9092" } variable "allowed_ip" { description = "Allowed IP Description" type = string } output "allowed_ip" { value = var.allowed_ip description = "Name Description" }执行以下命令,初始化Terraform运行环境。
terraform init预期输出:
Initializing provider plugins... - Using previously-installed hashicorp/alicloud v1.211.2 Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.依次执行以下命令,添加白名单。
执行以下命令,执行配置文件。
terraform apply根据提示输入要添加的IP或者网段。
预期输出:
... Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # alicloud_alikafka_instance_allowed_ip_attachment.default will be created + resource "alicloud_alikafka_instance_allowed_ip_attachment" "default" { + allowed_ip = "221.11.XX.XX" + allowed_type = "vpc" + id = (known after apply) + instance_id = "alikafka_post-cn-uax3go6z****" + port_range = "9092/9092" } Plan: 1 to add, 0 to change, 0 to destroy. Changes to Outputs: + allowed_ip = "221.11.XX.XX" ... alicloud_alikafka_instance_allowed_ip_attachment.default: Creating... alicloud_alikafka_instance_allowed_ip_attachment.default: Creation complete after 2s [id=alikafka_post-cn-uax3go6z****:vpc:9092/9092:221.11.XX.XX] Apply complete! Resources: 1 added, 0 changed, 0 destroyed. Outputs: allowed_ip = "221.11.XX.XX"
IP白名单已成功添加。
删除白名单
在目标项目目录内执行以下命令,运行配置文件。
terraform destroy根据提示输入IP或网段。
预期输出:
alicloud_alikafka_instance_allowed_ip_attachment.default: Refreshing state... [id=alikafka_post-cn-5yd3eegy****:vpc:9092/9092:221.11.XX.XX] Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: - destroy Terraform will perform the following actions: # alicloud_alikafka_instance_allowed_ip_attachment.default will be destroyed - resource "alicloud_alikafka_instance_allowed_ip_attachment" "default" { - allowed_ip = "221.11.16.219" -> null - allowed_type = "vpc" -> null - id = "alikafka_post-cn-5yd3eegy****:vpc:9092/9092:221.11.XX.XX" -> null - instance_id = "alikafka_post-cn-5yd3eegy****" -> null - port_range = "9092/9092" -> null } Plan: 0 to add, 0 to change, 1 to destroy. Changes to Outputs: - allowed_ip = "221.11.XX.XX" -> null ... alicloud_alikafka_instance_allowed_ip_attachment.default: Destroying... [id=alikafka_post-cn-5yd3eegy****:vpc:9092/9092:221.11.XX.XX] alicloud_alikafka_instance_allowed_ip_attachment.default: Destruction complete after 1s Destroy complete! Resources: 1 destroyed.IP白名单已成功删除。
相关文档
您也可以通过控制台和API调用方式设置IP白名单,请参见配置白名单和UpdateAllowedIp - 变更IP白名单。
如果您想了解
alicloud_alikafka_instance_allowed_ip_attachment提供的更多参数,请参见alicloud_alikafka_instance_allowed_ip_attachment。
- 本页导读 (1)