
Data security


This topic describes how to use Terraform to modify the security group, modify the IP address whitelist, modify the SSL settings, and switch to high-security mode for an RDS PostgreSQL instance.

Prerequisites

  • An RDS PostgreSQL instance has been created. For details, see Create an RDS PostgreSQL instance.

  • The instance is in the Running state. You can check this in either of two ways:

    • See Query instance details and check the status parameter; a value of Running means the instance is running.

    • Log on to the RDS console, switch to the target region, find the instance, and check its status.

Modify the security group

This example changes the security group of the instance to sg-****.

  1. Add the security_group_ids parameter to the resource "alicloud_db_instance" "instance" {} block in the terraform.tf file, as shown below:

    ...
    resource "alicloud_db_instance" "instance" {
    ...
      security_group_ids = ["sg-****"]
    }
    Note

    Setting security_group_ids replaces the security groups currently attached to the instance. On later changes, append the additional IDs inside the [] and separate them with commas.

  2. Run terraform apply.

    When the following plan is shown, review it and enter yes to start modifying the RDS PostgreSQL instance.

    alicloud_db_instance.instance: Refreshing state... [id=pgm-****]
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      ~ update in-place
    
    Terraform will perform the following actions:
    
      # alicloud_db_instance.instance will be updated in-place
      ~ resource "alicloud_db_instance" "instance" {
            id                         = "pgm-bp1668g9bm4bm9p5"
          ~ security_group_ids         = [
              + "sg-****",
            ]
            # (34 unchanged attributes hidden)
    
            # (1 unchanged block hidden)
        }
    
    Plan: 0 to add, 1 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    Output similar to the following indicates that the change succeeded.

    alicloud_db_instance.instance: Modifying... [id=pgm-****]
    alicloud_db_instance.instance: Modifications complete after 4s [id=pgm-****]
    
    Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
  3. View the result.

    • Run terraform show to view the security group.

      # alicloud_db_instance.instance:
      resource "alicloud_db_instance" "instance" {
          client_ca_enabled          = 0
          client_crl_enabled         = 0
          connection_string          = "pgm-****.pg.rds.aliyuncs.com"
          connection_string_prefix   = "pgm-****"
          db_instance_storage_type   = "cloud_essd"
          db_time_zone               = "Asia/Shanghai"
          deletion_protection        = false
          engine                     = "PostgreSQL"
          engine_version             = "13.0"
          force_restart              = false
          ha_config                  = "Manual"
          id                         = "pgm-****"
          instance_charge_type       = "Postpaid"
          instance_name              = "terraformtest"
          instance_storage           = 50
          instance_type              = "pg.n2.2c.2m"
          maintain_time              = "05:00Z-06:00Z"
          manual_ha_time             = "2022-09-30T09:00:00Z"
          monitoring_period          = 300
          period                     = 0
          port                       = "5432"
          private_ip_address         = "192.168.XX.XX"
          resource_group_id          = "rg-****"
          security_group_id          = "sg-****"
          security_group_ids         = [
              "sg-****",
          ]
          security_ip_mode           = "normal"
          security_ips               = [
              "127.0.0.1",
          ]
          sql_collector_config_value = 30
          sql_collector_status       = "Disabled"
          storage_auto_scale         = "Enable"
          storage_threshold          = 30
          storage_upper_bound        = 100
          target_minor_version       = "rds_postgres_1300_20220830"
          tcp_connection_type        = "SHORT"
          vpc_id                     = "vpc-****"
          vswitch_id                 = "vsw-****"
          zone_id                    = "cn-hangzhou-j"
      
          pg_hba_conf {
              address     = "127.0.0.1"
              database    = "all"
              method      = "md5"
              priority_id = 1
              type        = "host"
              user        = "all"
          }
      }
    • Log on to the RDS console to view the security group.

Modify the IP address whitelist

This example sets the whitelist to 0.0.0.0/0.

  1. Add the security_ips parameter to the resource "alicloud_db_instance" "instance" {} block in the terraform.tf file, as shown below:

    ...
    resource "alicloud_db_instance" "instance" {
    ...
      security_ips = ["0.0.0.0/0"]
    }
    Note

    Setting security_ips replaces the existing default whitelist. On later changes, append the additional entries inside the [] and separate them with commas.

  2. Run terraform apply.

    When the following plan is shown, review it and enter yes to start modifying the RDS PostgreSQL instance.

    alicloud_db_instance.instance: Refreshing state... [id=pgm-****]
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      ~ update in-place
    
    Terraform will perform the following actions:
    
      # alicloud_db_instance.instance will be updated in-place
      ~ resource "alicloud_db_instance" "instance" {
            id                         = "pgm-****"
          ~ security_ips               = [
              + "0.0.0.0/0",
              - "127.0.0.1",
            ]
            # (35 unchanged attributes hidden)
    
            # (1 unchanged block hidden)
        }
    
    Plan: 0 to add, 1 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    Output similar to the following indicates that the change succeeded.

    alicloud_db_instance.instance: Modifying... [id=pgm-****]
    alicloud_db_instance.instance: Modifications complete after 6s [id=pgm-****]
    
    Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
  3. View the result.

    • Run terraform show to view the IP address whitelist.

      # alicloud_db_instance.instance:
      resource "alicloud_db_instance" "instance" {
          client_ca_enabled          = 0
          client_crl_enabled         = 0
          connection_string          = "pgm-****.pg.rds.aliyuncs.com"
          connection_string_prefix   = "pgm-****"
          db_instance_storage_type   = "cloud_essd"
          db_time_zone               = "Asia/Shanghai"
          deletion_protection        = false
          engine                     = "PostgreSQL"
          engine_version             = "13.0"
          force_restart              = false
          ha_config                  = "Manual"
          id                         = "pgm-****"
          instance_charge_type       = "Postpaid"
          instance_name              = "terraformtest"
          instance_storage           = 50
          instance_type              = "pg.n2.2c.2m"
          maintain_time              = "05:00Z-06:00Z"
          manual_ha_time             = "2022-09-30T09:00:00Z"
          monitoring_period          = 300
          period                     = 0
          port                       = "5432"
          private_ip_address         = "192.168.XX.XX"
          resource_group_id          = "rg-****"
          security_group_id          = "sg-****"
          security_group_ids         = [
              "sg-****",
          ]
          security_ip_mode           = "normal"
          security_ips               = [
              "0.0.0.0/0",
          ]
          sql_collector_config_value = 30
          sql_collector_status       = "Disabled"
          storage_auto_scale         = "Enable"
          storage_threshold          = 30
          storage_upper_bound        = 100
          target_minor_version       = "rds_postgres_1300_20220830"
          tcp_connection_type        = "SHORT"
          vpc_id                     = "vpc-****"
          vswitch_id                 = "vsw-****"
          zone_id                    = "cn-hangzhou-j"
      
          pg_hba_conf {
              address     = "127.0.0.1"
              database    = "all"
              method      = "md5"
              priority_id = 1
              type        = "host"
              user        = "all"
          }
      }
    • Log on to the RDS console to view the IP address whitelist.
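Both notes above say that security_ips (like security_group_ids) overwrites the whole list on every apply, so each later change has to carry the existing entries forward. The helper below is an added example, not code from the page or from the Alibaba Cloud provider: it builds the next security_ips value from the current entries plus additions, normalises each entry with Python's ipaddress module, and rejects prefixes wider than an assumed /16 policy limit, which also refuses the 0.0.0.0/0 value used above for illustration, since that entry admits every source address and leaves reachability to the security group alone.

```python
import ipaddress

# Widest prefix accepted in a whitelist entry: an assumed local policy, not an RDS limit.
MAX_PREFIX_WIDTH = 16


def normalize_entry(entry: str) -> str:
    """Return the canonical form of one whitelist entry (single host or CIDR).

    Raises ValueError for malformed input, for CIDRs with host bits set
    (strict parsing), and for prefixes wider than MAX_PREFIX_WIDTH, which
    also rejects the catch-all 0.0.0.0/0.
    """
    net = ipaddress.ip_network(entry.strip())
    if net.version != 4:
        raise ValueError(f"only IPv4 whitelist entries are supported: {entry}")
    if net.prefixlen < MAX_PREFIX_WIDTH:
        raise ValueError(f"prefix too wide for a whitelist entry: {entry}")
    # A single host is written without /32, matching the page's "127.0.0.1" form.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def merge_security_ips(current: list[str], additions: list[str]) -> list[str]:
    """Build the complete security_ips value for the next terraform apply.

    security_ips overwrites the whole whitelist, so the new value must carry
    forward the entries already present plus the additions. Duplicates are
    dropped and the order of first appearance is kept.
    """
    merged: list[str] = []
    for entry in current + additions:
        canonical = normalize_entry(entry)
        if canonical not in merged:
            merged.append(canonical)
    return merged


def to_hcl(ips: list[str]) -> str:
    """Render the list as the security_ips line to paste into terraform.tf."""
    return "security_ips = [" + ", ".join(f'"{ip}"' for ip in ips) + "]"


if __name__ == "__main__":
    # Constructed sample: the page's default loopback entry plus two application ranges.
    current = ["127.0.0.1"]
    additions = ["192.168.10.0/24", "10.0.0.5/32", "192.168.10.0/24"]
    print(to_hcl(merge_security_ips(current, additions)))
```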

Modify SSL settings

This example enables SSL encryption.

  1. Add the ssl_action parameter to the resource "alicloud_db_instance" "instance" {} block in the terraform.tf file, as shown below:

    ...
    resource "alicloud_db_instance" "instance" {
    ...
      ssl_action = "Open"
    }
  2. Run terraform apply.

    When the following plan is shown, review it and enter yes to start enabling SSL encryption.

    alicloud_db_instance.instance: Refreshing state... [id=pgm-****]
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      ~ update in-place
    
    Terraform will perform the following actions:
    
      # alicloud_db_instance.instance will be updated in-place
      ~ resource "alicloud_db_instance" "instance" {
            id                         = "pgm-****"
          + ssl_action                 = "Open"
            # (36 unchanged attributes hidden)
    
            # (1 unchanged block hidden)
        }
    
    Plan: 0 to add, 1 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    Output similar to the following indicates that the change succeeded.

    alicloud_db_instance.instance: Modifying... [id=pgm-****]
    alicloud_db_instance.instance: Still modifying... [id=pgm-****, 10s elapsed]
    ...
    alicloud_db_instance.instance: Still modifying... [id=pgm-****, 6m31s elapsed]
    alicloud_db_instance.instance: Modifications complete after 6m35s [id=pgm-****]
    
    Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
  3. View the result.

    • Run terraform show to view the SSL settings.

      # alicloud_db_instance.instance:
      resource "alicloud_db_instance" "instance" {
          acl                        = "prefer"
          ca_type                    = "aliyun"
          client_ca_enabled          = 0
          client_crl_enabled         = 0
          connection_string          = "pgm-****.pg.rds.aliyuncs.com"
          connection_string_prefix   = "pgm-****"
          db_instance_storage_type   = "cloud_essd"
          db_time_zone               = "Asia/Shanghai"
          deletion_protection        = false
          engine                     = "PostgreSQL"
          engine_version             = "13.0"
          force_restart              = false
          ha_config                  = "Auto"
          id                         = "pgm-****"
          instance_charge_type       = "Postpaid"
          instance_name              = "terraformtest"
          instance_storage           = 50
          instance_type              = "pg.n2.2c.2m"
          maintain_time              = "05:00Z-06:00Z"
          monitoring_period          = 300
          period                     = 0
          port                       = "5432"
          private_ip_address         = "192.168.XX.XX"
          replication_acl            = "prefer"
          resource_group_id          = "rg-****"
          security_group_id          = "sg-****"
          security_group_ids         = [
              "sg-****",
          ]
          security_ip_mode           = "normal"
          security_ips               = [
              "0.0.0.0/0",
          ]
          server_cert                = <<-EOT
              -----BEGIN CERTIFICATE-----
              MIIE7jCCA9agAwIBAgICO3****2
              N9xwKlPQ65q/kux0yErtwhAD
              -----END CERTIFICATE-----
          EOT
          server_key                 = <<-EOT
              -----BEGIN RSA PRIVATE KEY-----
              MIIJKQIBAAKCAgEAux0yE****e+VAdGp
              -----END RSA PRIVATE KEY-----
          EOT
          sql_collector_config_value = 30
          sql_collector_status       = "Disabled"
          ssl_action                 = "Open"
          ssl_status                 = "0"
          storage_auto_scale         = "Enable"
          storage_threshold          = 30
          storage_upper_bound        = 100
          target_minor_version       = "rds_postgres_1300_20220830"
          tcp_connection_type        = "SHORT"
          vpc_id                     = "vpc-****"
          vswitch_id                 = "vsw-****"
          zone_id                    = "cn-hangzhou-j"
      
          pg_hba_conf {
              address     = "127.0.0.1"
              database    = "all"
              method      = "md5"
              priority_id = 1
              type        = "host"
              user        = "all"
          }
      }
    • Log on to the RDS console to view the SSL settings.

Switch to high-security whitelist mode (local disk instances only)

  1. Add the security_ip_mode parameter to the resource "alicloud_db_instance" "instance" {} block in the terraform.tf file, as shown below:

    ...
    resource "alicloud_db_instance" "instance" {
    ...
      security_ip_mode = "safety"
    }
    Note

    Once an instance is in high-security mode, it cannot be switched back to normal mode.

  2. Run terraform apply.

    When the following plan is shown, review it and enter yes to start modifying the RDS PostgreSQL instance.

    alicloud_db_instance.instance: Refreshing state... [id=pgm-****]
    
    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      ~ update in-place
    
    Terraform will perform the following actions:
    
      # alicloud_db_instance.instance will be updated in-place
      ~ resource "alicloud_db_instance" "instance" {
          ~ security_ip_mode           = "normal" -> "safety"
            # (33 unchanged attributes hidden)
            # (1 unchanged block hidden)
        }
    
    Plan: 0 to add, 1 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    Output similar to the following indicates that the change succeeded.

    alicloud_db_instance.instance: Modifying... [id=pgm-****]
    alicloud_db_instance.instance: Modifications complete after 3s [id=pgm-****]
    
    Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
  3. View the result.

    • Run terraform show to view the whitelist mode.

      # alicloud_db_instance.instance:
      resource "alicloud_db_instance" "instance" {
          acl                        = "prefer"
          ca_type                    = "aliyun"
          client_ca_enabled          = 0
          client_crl_enabled         = 0
          connection_string          = "pgm-****.pg.rds.aliyuncs.com"
          connection_string_prefix   = "pgm-****"
          db_instance_storage_type   = "cloud_essd"
          db_time_zone               = "Asia/Shanghai"
          deletion_protection        = false
          engine                     = "PostgreSQL"
          engine_version             = "13.0"
          force_restart              = false
          ha_config                  = "Auto"
          id                         = "pgm-****"
          instance_charge_type       = "Postpaid"
          instance_name              = "terraformtest"
          instance_storage           = 50
          instance_type              = "pg.n2.2c.2m"
          maintain_time              = "05:00Z-06:00Z"
          monitoring_period          = 300
          period                     = 0
          port                       = "5432"
          private_ip_address         = "192.168.XX.XX"
          replication_acl            = "prefer"
          resource_group_id          = "rg-****"
          security_group_id          = "sg-****"
          security_group_ids         = [
              "sg-****",
          ]
          security_ip_mode           = "safety"
          security_ips               = [
              "0.0.0.0/0",
          ]
          server_cert                = <<-EOT
              -----BEGIN CERTIFICATE-----
              MIIE7jCCA9agAwIBAgICO3****2
              N9xwKlPQ65q/kux0yErtwhAD
              -----END CERTIFICATE-----
          EOT
          server_key                 = <<-EOT
              -----BEGIN RSA PRIVATE KEY-----
              MIIJKQIBAAKCAgEAux0yE****e+VAdGp
              -----END RSA PRIVATE KEY-----
          EOT
          sql_collector_config_value = 30
          sql_collector_status       = "Disabled"
          ssl_action                 = "Open"
          ssl_status                 = "0"
          storage_auto_scale         = "Enable"
          storage_threshold          = 30
          storage_upper_bound        = 100
          target_minor_version       = "rds_postgres_1300_20220830"
          tcp_connection_type        = "SHORT"
          vpc_id                     = "vpc-****"
          vswitch_id                 = "vsw-****"
          zone_id                    = "cn-hangzhou-j"
      
          pg_hba_conf {
              address     = "127.0.0.1"
              database    = "all"
              method      = "md5"
              priority_id = 1
              type        = "host"
              user        = "all"
          }
      }
    • Log on to the RDS console to view the whitelist mode.
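Each of the four procedures above ends with terraform show as the check. The script below is an added example, not part of the page or the provider, that turns that manual check into an audit: it reads the JSON form of the same data (terraform show -json, whose values.root_module.resources[].values layout it assumes) and reports any alicloud_db_instance whose security group list is empty, whose whitelist contains 0.0.0.0/0, whose ssl_action is not Open, or whose security_ip_mode is not safety. The embedded state is a constructed sample mirroring the page's final listing.

```python
import json

# Constructed sample of `terraform show -json` output, cut down to the attributes
# this page changes; the values mirror the page's final `terraform show` listing.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [{
        "address": "alicloud_db_instance.instance",
        "type": "alicloud_db_instance",
        "values": {
            "id": "pgm-****",
            "security_group_ids": ["sg-****"],
            "security_ips": ["0.0.0.0/0"],
            "ssl_action": "Open",
            "security_ip_mode": "safety",
        },
    }]}},
})


def audit_rds_instance(values: dict) -> list[str]:
    """Return a finding for each of the page's four settings left in a weak state."""
    findings = []
    if not values.get("security_group_ids"):
        findings.append("no security group attached (security_group_ids is empty)")
    if "0.0.0.0/0" in (values.get("security_ips") or []):
        findings.append("whitelist admits every source address (0.0.0.0/0)")
    if values.get("ssl_action") != "Open":
        findings.append("SSL encryption not enabled (ssl_action is not Open)")
    # The page scopes this mode to local disk instances; adjust if your fleet differs.
    if values.get("security_ip_mode") != "safety":
        findings.append("whitelist still in normal mode (security_ip_mode is not safety)")
    return findings


def audit_show_json(show_json: str) -> dict[str, list[str]]:
    """Map every alicloud_db_instance in the root module to its findings."""
    doc = json.loads(show_json)
    resources = doc["values"]["root_module"].get("resources", [])
    return {res["address"]: audit_rds_instance(res["values"])
            for res in resources if res["type"] == "alicloud_db_instance"}


if __name__ == "__main__":
    for address, findings in audit_show_json(SAMPLE_STATE).items():
        print(address, "->", "; ".join(findings) or "ok")
```

Run it as `terraform show -json | python3 audit.py` after replacing SAMPLE_STATE with sys.stdin.read() to check a real workspace.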