
Terraform: Create container image repositories and an authorized RAM user

Last Updated: Jan 16, 2024

This topic describes how to create a namespace, an authorized RAM user, and several container image repositories by using Terraform.

Prerequisites

Before you begin, ensure that you have completed the following operations:

Background information

Container Registry provides a secure service for managing application images. It allows you to scan images to precisely detect security vulnerabilities, build images directly from source code hosted on mainstream code repository websites, conveniently authorize access to your images, and manage images throughout their lifecycle. You must use an Alibaba Cloud account to authorize DevOps tools to access the container image repositories created in Alibaba Cloud. To avoid the security risk of handing those tools the credentials of the Alibaba Cloud account itself, you can use a Terraform module (cr) to create RAM users and grant them only the required permissions on specific repositories.

Procedure

  1. Write the Terraform code.

    1. In main.tf, declare the module as follows:

      provider "alicloud" {}
      
      module "cr" {
        source  = "roura356a/cr/alicloud"
        version = "1.3.0"
        # The name of the namespace.
        namespace    = "cr_repo_namespace"
        # The list of authorized repositories.
        repositories = ["one", "two", "three"]
      }
    2. In outputs.tf, define the output parameters as follows:

      output "cr_namespace" {
        description = "The CR Namespace's ID"
        value       = module.cr.cr_namespace
      }
      
      output "cr_access_key" {
        description = "The CR Namespace's Access Key"
        value       = module.cr.cr_access_key
      }
      
      output "cr_user" {
        description = "The CR Namespace's User"
        value       = module.cr.cr_user
      }
      
      output "ram_user" {
        description = "The RAM User"
        value       = module.cr.ram_user
      }
      
      output "ram_console_username" {
        description = "Console login username"
        value       = module.cr.ram_console_username
      }
      
      output "cr_endpoint" {
        description = "Public endpoint of the registry"
        value       = module.cr.cr_endpoint
      }
      
      output "repository_ids" {
        description = "List of repository IDs created"
        value       = module.cr.repository_ids
      }
      
      output "disposable_password" {
        description = "Password to activate the console login profile, forces to reset it"
        value       = module.cr.disposable_password
      }
      
      output "access_key_status" {
        description = "Status of the created AccessKey"
        value       = module.cr.access_key_status
      }
      
      output "ram_policy_name" {
        description = "The RAM policy name"
        value       = module.cr.ram_policy_name
      }
      
      output "ram_policy_type" {
        description = "The RAM policy type"
        value       = module.cr.ram_policy_type
      }
      
      output "ram_policy_attachment" {
        description = "The RAM policy attachment ID"
        value       = module.cr.ram_policy_attachment
      }
  2. Run the terraform init command to initialize Terraform configuration files.

    terraform init

    The command output is as follows:

    Initializing modules...
    Downloading roura356a/cr/alicloud 1.3.0 for cr...
    - cr in .terraform\modules\cr\roura356a-terraform-alicloud-cr-c60a3d4
    
    Initializing the backend...
    
    Initializing provider plugins...
    - Checking for available provider plugins...
    - Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.68.0...
    - Downloading plugin for provider "random" (hashicorp/random) 2.2.1...
    
    The following providers do not have any version constraints in configuration,
    so the latest version was installed.
    
    To prevent automatic upgrades to new major versions that may contain breaking
    changes, it is recommended to add version = "..." constraints to the
    corresponding provider blocks in configuration, with the constraint strings
    suggested below.
    
    * provider.random: version = "~> 2.2"
    
    Terraform has been successfully initialized!
    
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    
    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.
  3. Run the terraform apply command to create Container Registry and RAM resources.

    terraform apply

    The command output is as follows:

    module.cr.data.alicloud_account.current: Refreshing state...
    module.cr.data.alicloud_regions.current: Refreshing state...
    
    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create
    
    Terraform will perform the following actions:
    
    ...
    
    Plan: 10 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    
    module.cr.random_string.cr_console_password: Creating...
    ...
    
    Apply complete! Resources: 10 added, 0 changed, 0 destroyed.
    
    Outputs:
    
    access_key_status = Active
    cr_access_key = LTAI4FfqhU7csppPe******
    cr_endpoint = registry.cn-hangzhou.aliyuncs.com
    cr_namespace = cr_repo_namespace
    cr_user = cr_repo_namespace-cr-user
    disposable_password = er1PQu******
    ram_console_username = cr_repo_namespace-cr-user@1231579085******.onaliyun.com
    ram_policy_attachment = user:cr_repo_namespace-cr-policy:Custom:cr_repo_namespace-cr-user
    ram_policy_name = cr_repo_namespace-cr-policy
    ram_policy_type = Custom
    ram_user = cr_repo_namespace-cr-user
    repository_ids = [
      "cr_repo_namespace/one",
      "cr_repo_namespace/two",
      "cr_repo_namespace/three",
    ]

    A cr-cr_repo_namespace-ak.json file is generated in the working directory during the creation process. This file stores the AccessKey pair of the RAM user that was created and granted permissions to access the target repositories. The file content is as follows:

    {
        "AccessKeySecret": "qkxn1AkG6B50******sneyCQDuurcW",
        "CreateDate": "2020-01-07T07:00:00Z",
        "Status": "Active",
        "AccessKeyId": "LTAI4Ff******ppPeLRkJHES"
    }
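The following is an added example, not code from the original topic or from the cr module: it combines main.tf and outputs.tf with the provider version constraints that the terraform init output above recommends, and marks the two outputs that carry credentials as sensitive so that terraform apply does not echo them. The version constraints assume the provider versions shown in the init output (alicloud 1.68.0, random 2.2.1).

```hcl
# Added example (not part of the original topic): hardened main.tf/outputs.tf.
# Provider version constraints use the syntax suggested by the init output,
# so a future major release cannot be pulled in silently.
provider "alicloud" {
  # Assumed from the init output: plugin 1.68.0 was downloaded.
  version = "~> 1.68"
}

provider "random" {
  # Constraint string suggested verbatim by the init output.
  version = "~> 2.2"
}

module "cr" {
  source       = "roura356a/cr/alicloud"
  version      = "1.3.0"
  # The name of the namespace.
  namespace    = "cr_repo_namespace"
  # The list of authorized repositories.
  repositories = ["one", "two", "three"]
}

# Outputs that carry credentials: sensitive = true keeps the values out of
# the console output of terraform plan/apply. They are still recorded in
# the state file, so the state must be protected as a secret as well.
output "cr_access_key" {
  description = "The CR Namespace's Access Key"
  value       = module.cr.cr_access_key
  sensitive   = true
}

output "disposable_password" {
  description = "Password to activate the console login profile, forces to reset it"
  value       = module.cr.disposable_password
  sensitive   = true
}

# Non-secret outputs can stay exactly as in outputs.tf above, for example:
output "cr_endpoint" {
  description = "Public endpoint of the registry"
  value       = module.cr.cr_endpoint
}
```

The generated cr-cr_repo_namespace-ak.json file and terraform.tfstate both contain the AccessKeySecret in plaintext, so keep both out of version control and restrict who can read them.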