When you use Container Service for Kubernetes (ACK) for the first time, you must assign default roles to ACK with your Alibaba Cloud account. Only after you assign these roles to ACK, ACK can access resources in other cloud services, create clusters, or save logs. These cloud services include Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes how to use Terraform to assign default roles to ACK when you use ACK for the first time.
Table of contents
Prerequisites
Terraform is installed.
NoteYou must install Terraform 0.12.28 or later. You can run the terraform --version command to query the Terraform version.
By default, Cloud Shell has preinstalled Terraform and configured your account information. You do not need to modify the configurations.
For more information about how to install Terraform by using a method other than Cloud Shell, see Install and configure Terraform in the local PC.
Your account information is configured.
Run the following commands to create environment variables to store identity authentication information.
Linux environment
export ALICLOUD_ACCESS_KEY="************" # Replace the value with the AccessKey ID of your Alibaba Cloud account. export ALICLOUD_SECRET_KEY="************" # Replace the value with the AccessKey secret of your Alibaba Cloud account. export ALICLOUD_REGION="cn-beijing" # Replace the value with the ID of the region in which your cluster resides.Windows environment
set ALICLOUD_ACCESS_KEY="************" # Replace the value with the AccessKey ID of your Alibaba Cloud account. set ALICLOUD_SECRET_KEY="************" # Replace the value with the AccessKey secret of your Alibaba Cloud account. set ALICLOUD_REGION="cn-beijing" # Replace the value with the ID of the region in which your cluster resides.
NoteTo improve the flexibility and security of permission management, we recommend that you create a Resource Access Management (RAM) user named Terraform. Then, create an AccessKey pair for the RAM user and grant permissions to the RAM user. For more information, see Create a RAM user and Grant permissions to RAM users.
Step 1: Activate ACK
ACK is available for commercial use. You must activate ACK before you can create ACK clusters.
Create a working directory and a file named
main.tfin the directory.Copy the following code to the
main.tffile:Run the following command to initialize the Terraform runtime environment:
terraform initIf the following information is returned, Terraform is initialized:
Initializing the backend... Initializing provider plugins... ... Terraform has been successfully initialized! ...Run the following command to activate ACK:
terraform applyWhen the following information is returned, input
yesand press Enter to activate the service.You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Step 2: Assign default roles to ACK
When you use ACK for the first time, you must assign default roles to ACK with your Alibaba Cloud account.
Add the following code to the
main.tffile and run theterraform applycommand to check whether the roles are already assigned.NoteDue to the limits of Terraform, Terraform cannot automatically check whether all required roles are assigned and automatically assign the missing roles. Therefore, you need to manually query the role information and assign the roles to ACK.
// Check whether the roles are already assigned. data "alicloud_ram_roles" "roles" { policy_type = "System" } // List the roles that are assigned to ACK. output "exist_role" { value = data.alicloud_ram_roles.roles }The following information is returned:
No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: ... exist_role = { "id" = "1788****59" "ids" = tolist([ "3009617019****1438", "3023233020****0278", "3302003419****4675", "3178548808****5924", "3371411011****5177", "3475619590****3519", ]) "name_regex" = tostring(null) "names" = tolist([ "AliyunCASDefaultRole", "AliyunContainerRegistryDefaultRole", "AliyunCSDefaultRole", "AliyunCSKubernetesAuditRole", "AliyunCSManagedArmsRole", "AliyunCSManagedCmsRole", "AliyunCSManagedCsiRole", "AliyunCSManagedKubernetesRole", "AliyunCSManagedLogRole", "AliyunCSManagedNetworkRole", "AliyunCSManagedVKRole", "AliyunCSServerlessKubernetesRole", "AliyunServiceRoleForCSB", "AliyunServiceRoleForECI", "AliyunServiceRoleForGws", "AliyunServiceRoleForResourceDirectory", "AliyunServiceRoleForServiceMesh", ]) "output_file" = tostring(null) "policy_name" = tostring(null) "policy_type" = "System" "roles" = tolist([ { "arn" = "acs:ram::1848450434088535:role/aliyuncasdefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "create_date" = "2023-07-17T03:27:28Z" "description" = "Certificate Management Service assumes this role to access your resources in other Alibaba Cloud services by default." "document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "id" = "300961701980****" "name" = "AliyunCASDefaultRole" "update_date" = "2023-07-17T03:27:28Z" }, { "arn" = "acs:ram::1848450434****:role/aliyuncontainerregistrydefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"} "id" = "3502335964487******" "name" = "AliyunServiceRoleForServiceMesh" "update_date" = "2022-09-27T10:26:50Z" }, ]) }If only some roles are assigned or no role is assigned, refer to the following role information and assign the roles to ACK:
Run the following command to initialize the Terraform runtime environment:
terraform initIf the following information is returned, Terraform is initialized.
Initializing the backend... Initializing provider plugins... ... Terraform has created a lock file .terraform.lock.hcl to record the providerselections it made above. Include this file in your version control repositoryso that Terraform can guarantee to make the same selections by default whenyou run "terraform init" in the future. Terraform has been successfully initialized! ...Run the
terraform applycommand to assign the roles to ACK:When the following information is returned, input
yesand press Enter to complete the authorization...... Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value:Run the following command to query the assigned roles:
terraform showThe following output indicates that all required roles are assigned:
data "alicloud_ram_roles" "roles" { ... "names" = [ "AliyunCISDefaultRole", "AliyunCSClusterRole", "AliyunCSDefaultRole", ... ] ... }