
Container Service for Kubernetes:Use Terraform to assign default roles to ACK when you use ACK for the first time

Last Updated:Sep 06, 2023

When you use Container Service for Kubernetes (ACK) for the first time, you must assign the default roles to ACK with your Alibaba Cloud account. ACK assumes these roles to access resources in other cloud services, such as Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS (NAS), and Server Load Balancer (SLB), when it creates clusters or saves logs. Until the roles exist, these operations fail. This topic describes how to use Terraform to assign the default roles to ACK.


Prerequisites

  • Terraform is installed.

    Note

    You must install Terraform 0.12.28 or later. You can run the terraform --version command to query the Terraform version.

    • By default, Cloud Shell is preinstalled with Terraform and configured with your account information. You do not need to modify the configurations.

    • If you do not use Cloud Shell, you can directly install Terraform. For more information, see Install and configure Terraform in the local PC.

  • Your account information is configured.

    You can specify identity information in environment variables.

    export ALICLOUD_ACCESS_KEY="************"   # Replace the value with the AccessKey ID of your Alibaba Cloud account. 
    export ALICLOUD_SECRET_KEY="************"   # Replace the value with the AccessKey secret of your Alibaba Cloud account. 
    export ALICLOUD_REGION="cn-beijing"         # Replace the value with the ID of the region in which your cluster resides. 
    Note

    To improve the flexibility and security of permission management, we recommend that you create a Resource Access Management (RAM) user named Terraform, create an AccessKey pair for that RAM user, and use that pair in the environment variables instead of the AccessKey pair of your Alibaba Cloud account. Grant the RAM user only the permissions this procedure needs, which here means permission to create RAM roles and attach policies to them. For more information, see Create a RAM user and Grant permissions to RAM users.

Step 1: Activate ACK

ACK is available for commercial use. You must activate ACK before you can create an ACK cluster.

  1. Create a Terraform configuration file (for example, main.tf) with the following content, which activates ACK:

    provider "alicloud" {
    }
    
    // Activate ACK. 
    data "alicloud_ack_service" "open" {
        enable = "On"
        type   = "propayasgo"
    }
  2. Run the following command to initialize the Terraform environment:

    terraform init

    Expected output:

    Initializing the backend...
    Initializing provider plugins...
    ...
    Terraform has been successfully initialized!
    ...

    The output shows that Terraform is initialized.

  3. Run the following command to apply the configuration and activate ACK:

    terraform apply

    Expected output:

    ...
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    ...

    Enter yes and press the Enter key. The configuration contains only a data source, so this step creates no resources. When the apply completes, ACK is activated.

Step 2: Assign default roles to ACK

When you use ACK for the first time, you must assign default roles to ACK with your Alibaba Cloud account.

  1. Add the following content to your Terraform configuration to check which default roles already exist in your Alibaba Cloud account:

    Note

    Terraform cannot automatically detect whether the default roles exist, and it cannot create them for you. You must check the roles that exist and create the missing ones yourself, as described below.

    provider "alicloud" {
    }
    
    // Check whether default roles are assigned to ACK. 
    data "alicloud_ram_roles" "roles" {
        policy_type = "System"
    }
    
    // Check the output. 
    output "exist_role" {
      value = data.alicloud_ram_roles.roles
    }
    • If some default roles already exist in your Alibaba Cloud account, their names appear in the output. Create the roles that ACK requires but that do not exist yet. The following configuration creates all of the required roles and attaches the corresponding system policy to each role. Remove the entries of roles that already exist from the roles variable before you apply the configuration, or import them with terraform import; otherwise, Terraform attempts to create a role that already exists and the apply fails. Note that force = true allows terraform destroy to delete these roles even while policies are attached, which breaks every ACK cluster that depends on them, so keep this configuration in its own state and do not destroy it casually.

      Configuration that creates all required roles:

      provider "alicloud" {
      }
      
      // Create one RAM role per entry in var.roles. The document is the trust policy:
      // it allows only the ACK service (cs.aliyuncs.com) to assume the role.
      resource "alicloud_ram_role" "role" {
        for_each    = { for r in var.roles : r.name => r }
        name        = each.value.name
        document    = each.value.policy_document
        description = each.value.description
        // force = true lets terraform destroy delete the role even if policies are still attached.
        force       = true
      }
      
      // Attach the matching system policy to each role.
      resource "alicloud_ram_role_policy_attachment" "attach" {
        for_each    = { for r in var.roles : r.name => r }
        policy_name = each.value.policy_name
        policy_type = "System"
        role_name   = each.value.name
        depends_on  = [alicloud_ram_role.role]
      }
      
      // The roles required by ACK.
      variable "roles" {
        type = list(object({
          name            = string
          policy_document = string
          description     = string
          policy_name     = string
        }))
        default = [
          {
            name            = "AliyunCSManagedLogRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The Log Service component in an ACK cluster assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedLogRolePolicy"
          },
          {
            name            = "AliyunCSManagedCmsRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The CloudMonitor component in an ACK cluster assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedCmsRolePolicy"
          },
          {
            name            = "AliyunCSManagedCsiRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The volume plug-in in an ACK cluster assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedCsiRolePolicy"
          },
          {
            name            = "AliyunCSManagedVKRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The Virtual Kubelet component in an ACK cluster assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedVKRolePolicy"
          },
          {
            name            = "AliyunCSClusterRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "ACK assumes this role to access resources in other cloud services during the application runtime."
            policy_name     = "AliyunCSClusterRolePolicy"
          },
          {
            name            = "AliyunCSServerlessKubernetesRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "Serverless Kubernetes (ASK) clusters assume this role to access resources in other cloud services."
            policy_name     = "AliyunCSServerlessKubernetesRolePolicy"
          },
          {
            name            = "AliyunCSKubernetesAuditRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The auditing feature of ACK assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSKubernetesAuditRolePolicy"
          },
          {
            name            = "AliyunCSManagedNetworkRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The network component in an ACK cluster assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedNetworkRolePolicy"
          },
          {
            name            = "AliyunCSDefaultRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "ACK assumes this role to access resources in other cloud services when ACK performs operations on an ACK cluster."
            policy_name     = "AliyunCSDefaultRolePolicy"
          },
          {
            name            = "AliyunCSManagedKubernetesRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "ACK managed clusters assume this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedKubernetesRolePolicy"
          },
          {
            name            = "AliyunCSManagedArmsRole"
            policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}"
            description     = "The ARMS monitoring agent in an ACK cluster assumes this role to access resources in other cloud services."
            policy_name     = "AliyunCSManagedArmsRolePolicy"
          }
        ]
      }

    • If no roles are assigned to ACK, you must assign all of the preceding roles to ACK with your Alibaba Cloud account.

  2. Run the following command to initialize the Terraform environment:

    terraform init

    Expected output:

    Initializing the backend...
    Initializing provider plugins...
    ...
    Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future.
    Terraform has been successfully initialized!
    ...

    The output shows that Terraform is initialized.

  3. Run the following command to assign default roles to ACK:

    terraform apply

    Expected output:

    ...
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    Enter yes and press the Enter key to complete the authorization.

  4. Run the following command to query the roles that are assigned to ACK:

    terraform show

    Expected output:

    data "alicloud_ram_roles" "roles" {
      ...
      "names"       = [
        "AliyunContainerRegistryDefaultRole",
        "AliyunECIContainerGroupRole",
        ...
      ]
      ...
    }

    The names attribute lists every RAM role in the account, not only the ACK roles. If every role that ACK requires appears in the list, the default roles are assigned to ACK.
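Because Terraform cannot tell you which of the required roles are still missing, and because the only thing that keeps these roles from being assumed by anyone other than ACK is their trust policy, the two checks below are worth scripting. The following Python is an added example, not code from the original page or from the alicloud Terraform provider: it reads the names from the page's exist_role output (a constructed, trimmed sample is embedded), lists the required roles that do not exist yet, and verifies that a role's trust policy grants sts:AssumeRole to the cs.aliyuncs.com service and to nothing else. The weak policy and the account ID in it are constructed for illustration.

```python
"""Added example (not from the original page or the alicloud provider):
find which roles ACK requires but the account lacks, and verify that each
role's trust policy lets only the ACK service assume it. All inputs are
constructed sample data."""
import json

# Role names from the page's `roles` variable.
REQUIRED_ROLES = (
    "AliyunCSManagedLogRole",
    "AliyunCSManagedCmsRole",
    "AliyunCSManagedCsiRole",
    "AliyunCSManagedVKRole",
    "AliyunCSClusterRole",
    "AliyunCSServerlessKubernetesRole",
    "AliyunCSKubernetesAuditRole",
    "AliyunCSManagedNetworkRole",
    "AliyunCSDefaultRole",
    "AliyunCSManagedKubernetesRole",
    "AliyunCSManagedArmsRole",
)

# The only principal that should be able to assume these roles.
ACK_SERVICE = "cs.aliyuncs.com"

# Trust policy used for every role on the page.
PAGE_TRUST_POLICY = (
    '{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",'
    '"Principal":{"Service":["cs.aliyuncs.com"]}}],"Version":"1"}'
)

# Constructed counterexample (placeholder account ID): a RAM account is trusted
# in addition to the service, so identities in that account could assume the
# role and inherit every permission attached to it.
WEAK_TRUST_POLICY = (
    '{"Statement":[{"Action":["sts:AssumeRole"],"Effect":"Allow",'
    '"Principal":{"Service":["cs.aliyuncs.com"],'
    '"RAM":["acs:ram::123456789012****:root"]}}],"Version":"1"}'
)

# Constructed, trimmed sample of `terraform output -json exist_role` for the
# page's exist_role output (the alicloud_ram_roles data source object; only
# the "names" attribute is used here).
SAMPLE_TERRAFORM_OUTPUT = json.dumps({
    "policy_type": "System",
    "names": [
        "AliyunContainerRegistryDefaultRole",
        "AliyunECIContainerGroupRole",
        "AliyunCSDefaultRole",
        "AliyunCSManagedKubernetesRole",
    ],
})


def names_from_output(output_json, output_name="exist_role"):
    """Extract role names from `terraform output -json [exist_role]`.
    With a name, Terraform prints the value itself; without one it prints a
    map of outputs, each wrapped as {"sensitive", "type", "value"}."""
    data = json.loads(output_json)
    wrapped = data.get(output_name)
    if isinstance(wrapped, dict) and "value" in wrapped:
        data = wrapped["value"]
    return list(data["names"])


def missing_roles(existing_names, required=REQUIRED_ROLES):
    """Required roles that do not exist yet, in the order the page lists them."""
    existing = set(existing_names)
    return [name for name in required if name not in existing]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_problems(document, service=ACK_SERVICE):
    """Findings for a RAM trust policy; an empty list means the policy grants
    sts:AssumeRole to exactly `service` and to no other principal."""
    policy = json.loads(document)
    problems = []
    if policy.get("Version") != "1":
        problems.append(f"unexpected Version {policy.get('Version')!r}")
    statements = policy.get("Statement") or []
    if not statements:
        problems.append("no Statement")
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") != "Allow":
            problems.append(f"{where}: Effect is {st.get('Effect')!r}, expected Allow")
        for action in _as_list(st.get("Action")):
            if action != "sts:AssumeRole":
                problems.append(f"{where}: unexpected Action {action!r}")
        principal = st.get("Principal") or {}
        # Any principal type other than Service (RAM, Federated) lets identities
        # rather than the ACK service assume the role.
        for kind in principal:
            if kind != "Service":
                problems.append(f"{where}: principal type {kind!r} trusted: {_as_list(principal[kind])}")
        services = _as_list(principal.get("Service"))
        for svc in services:
            if svc != service:
                problems.append(f"{where}: service {svc!r} trusted, expected {service!r}")
        if not services:
            problems.append(f"{where}: {service!r} is not a trusted principal")
    return problems


if __name__ == "__main__":
    existing = names_from_output(SAMPLE_TERRAFORM_OUTPUT)
    print("missing roles:", missing_roles(existing))
    print("page policy:", trust_policy_problems(PAGE_TRUST_POLICY) or "ok")
    print("weak policy:", trust_policy_problems(WEAK_TRUST_POLICY))
```

To run it against your own account, save the output of terraform output -json exist_role to a file after step 1 and pass its contents to names_from_output; the names that missing_roles returns are exactly the entries to keep in the roles variable. Run trust_policy_problems over every policy_document before you apply, and again over the documents of roles that already existed, since a role that was created by hand may trust more than the ACK service.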