This topic describes how to create a namespace, an authorized RAM user, and several container image repositories by using Terraform.
Prerequisites
Before you begin, ensure that you have completed the following operations:
- Prepare an Alibaba Cloud account and an AccessKey pair (AccessKey ID and AccessKey secret) to use Terraform. You can go to the Security Management page of the Alibaba Cloud console to create or view your AccessKey pair.
- Install and configure Terraform. For more information, see Install and configure Terraform in the local PC and Use Terraform in Cloud Shell.
Background information
Container Registry provides a secure service for managing application images. It allows you to scan images to precisely detect security vulnerabilities, build images directly from source code hosted on mainstream code repository websites, conveniently authorize access to your images, and manage images throughout their lifecycle. You must use an Alibaba Cloud account to authorize DevOps tools to access container image repositories created in Alibaba Cloud. You can use a Terraform module (cr) to create RAM users and grant them the required permissions on specific repositories only, so that DevOps tools use a least-privilege RAM user instead of the credentials of your Alibaba Cloud account.
Procedure
Write the Terraform code.
In main.tf, declare the module as follows:
provider "alicloud" {}

module "cr" {
  source  = "roura356a/cr/alicloud"
  version = "1.3.0"

  # The name of the namespace.
  namespace = "cr_repo_namespace"

  # The list of authorized repositories.
  repositories = ["one", "two", "three"]
}
In outputs.tf, define the output parameters as follows:
output "cr_namespace" {
  description = "The CR Namespace's ID"
  value       = module.cr.cr_namespace
}

output "cr_access_key" {
  description = "The CR Namespace's Access Key"
  value       = module.cr.cr_access_key
}

output "cr_user" {
  description = "The CR Namespace's User"
  value       = module.cr.cr_user
}

output "ram_user" {
  description = "The RAM User"
  value       = module.cr.ram_user
}

output "ram_console_username" {
  description = "Console login username"
  value       = module.cr.ram_console_username
}

output "cr_endpoint" {
  description = "Public endpoint of the registry"
  value       = module.cr.cr_endpoint
}

output "repository_ids" {
  description = "List of repository IDs created"
  value       = module.cr.repository_ids
}

output "disposable_password" {
  description = "Password to activate the console login profile, forces to reset it"
  value       = module.cr.disposable_password
}

output "access_key_status" {
  description = "Status of the created AccessKey"
  value       = module.cr.access_key_status
}

output "ram_policy_name" {
  description = "The RAM policy name"
  value       = module.cr.ram_policy_name
}

output "ram_policy_type" {
  description = "The RAM policy type"
  value       = module.cr.ram_policy_type
}

output "ram_policy_attachment" {
  description = "The RAM policy attachment ID"
  value       = module.cr.ram_policy_attachment
}
Run the terraform init command to initialize the working directory and download the cr module and the provider plugins it needs.
terraform init
The command output is as follows:
Initializing modules...
Downloading roura356a/cr/alicloud 1.3.0 for cr...
- cr in .terraform\modules\cr\roura356a-terraform-alicloud-cr-c60a3d4

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.68.0...
- Downloading plugin for provider "random" (hashicorp/random) 2.2.1...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.random: version = "~> 2.2"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Run the terraform apply command to create Container Registry and RAM resources.
terraform apply
The command output is as follows:
module.cr.data.alicloud_account.current: Refreshing state...
module.cr.data.alicloud_regions.current: Refreshing state...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:
  ...

Plan: 10 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.cr.random_string.cr_console_password: Creating...
...

Apply complete! Resources: 10 added, 0 changed, 0 destroyed.

Outputs:

access_key_status = Active
cr_access_key = LTAI4FfqhU7csppPe******
cr_endpoint = registry.cn-hangzhou.aliyuncs.com
cr_namespace = cr_repo_namespace
cr_user = cr_repo_namespace-cr-user
disposable_password = er1PQu******
ram_console_username = cr_repo_namespace-cr-user@1231579085******.onaliyun.com
ram_policy_attachment = user:cr_repo_namespace-cr-policy:Custom:cr_repo_namespace-cr-user
ram_policy_name = cr_repo_namespace-cr-policy
ram_policy_type = Custom
ram_user = cr_repo_namespace-cr-user
repository_ids = [
  "cr_repo_namespace/one",
  "cr_repo_namespace/two",
  "cr_repo_namespace/three",
]
A cr-cr_repo_namespace-ak.json file is generated in the working directory during the creation process. This file stores the AccessKey pair of the created RAM user, which is granted permissions to access the target repositories. Because the file contains the AccessKey secret in plaintext (and the Terraform state and outputs above carry the same key and the disposable password), protect it like any other credential and keep it out of version control. The file content is as follows:
{
  "AccessKeySecret": "qkxn1AkG6B50******sneyCQDuurcW",
  "CreateDate": "2020-01-07T07:00:00Z",
  "Status": "Active",
  "AccessKeyId": "LTAI4Ff******ppPeLRkJHES"
}