ApsaraDB RDS for PostgreSQL requires the AliyunServiceRoleForRdsPgsqlOnEcs service-linked role to mount elastic network interfaces (ENIs) and establish network connections. You must create this role before you create your first ApsaraDB RDS for PostgreSQL instance. This topic describes how to use Terraform to create and query service-linked roles.
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.
Prerequisites
RAM user with an AccessKey pair: We recommend that you use a Resource Access Management (RAM) user instead of your Alibaba Cloud account. For more information, see Create a RAM user and Create an AccessKey.
Required RAM permissions: Grant the RAM user the following permissions. For more information, see Grant permissions to RAM users.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ram:CreateServiceLinkedRole",
            "ram:DeleteServiceLinkedRole",
            "ram:GetRole",
            "ram:ListRoles",
            "ram:AttachPolicyToRole",
            "ram:ListPoliciesForRole",
            "ram:CreateRole",
            "ram:DetachPolicyFromRole",
            "ram:DeleteRole",
            "rds:CreateServiceLinkedRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Note that ram:CreateRole, ram:AttachPolicyToRole, and ram:DeleteRole on Resource "*" let this RAM user create arbitrary RAM roles and attach any policy to them, not only the service-linked role. Treat the AccessKey pair of this user as a high-privilege credential. The ServiceLinkedRole, ram:GetRole, and ram:ListRoles actions are the ones directly tied to the steps in this topic; keep the broader role-management actions only if the user needs them for other work.

Terraform environment: Prepare your Terraform environment using one of the following methods:
Terraform Explorer: An online runtime environment. No installation is required. For more information, see Use Terraform in Terraform Explorer.
Cloud Shell: Terraform is preinstalled and credentials are preconfigured. For more information, see Use Terraform in Cloud Shell.
Local installation: Install and configure Terraform on your on-premises machine. For more information, see Install and configure Terraform in the local PC.
Resources
The following Terraform resources are used in this topic:
alicloud_rds_service_linked_role: creates a service-linked role.
alicloud_resource_manager_roles: queries the created service-linked roles.
Create a service-linked role
Create a working directory and a file named main.tf in the directory. Add the following configuration:
    resource "alicloud_rds_service_linked_role" "default" {
      service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
    }

Note: For more information about service-linked role (SLR) authorization, see Service-linked roles.
Initialize Terraform:

    terraform init

Expected output:

    Initializing the backend...
    Initializing provider plugins...
    - Checking for available provider plugins...
    - Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.90.1...
    ...
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.

    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.

Preview the changes:

    terraform plan

Create the resources:

    terraform apply

Enter yes when prompted and press Enter. Expected output:

    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.

      Enter a value: yes

    alicloud_rds_service_linked_role.default: Creating...
    alicloud_rds_service_linked_role.default: Creation complete after 3s [id=AliyunServiceRoleForRdsPgsqlOnEcs]

Verify the result:

    terraform show

Expected output:

    # alicloud_rds_service_linked_role.default:
    resource "alicloud_rds_service_linked_role" "default" {
        arn          = "acs:ram::140****:role/aliyunserviceroleforrdspgsqlonecs"
        id           = "AliyunServiceRoleForRdsPgsqlOnEcs"
        role_id      = "399****"
        role_name    = "AliyunServiceRoleForRdsPgsqlOnEcs"
        service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
    }

Check that role_name and service_name both read AliyunServiceRoleForRdsPgsqlOnEcs and that the account ID in arn is the account in which you intend to create the ApsaraDB RDS for PostgreSQL instance.
Query the created service-linked role
Create a working directory and a file named main.tf in the directory. Add the following configuration:
    data "alicloud_resource_manager_roles" "slr" {
    }

Initialize Terraform, create an execution plan, and apply the configuration:

    terraform init
    terraform plan
    terraform apply

If you are prompted, enter yes and press Enter. Because the configuration contains only a data source, no resources are changed. Expected output:

    data.alicloud_resource_manager_roles.slr: Reading...
    data.alicloud_resource_manager_roles.slr: Read complete after 2s [id=163141****]

    No changes. Your infrastructure matches the configuration.

    Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Verify the result:

    terraform show

Because the data source sets no filter, it lists every RAM role in the account. Confirm that AliyunServiceRoleForRdsPgsqlOnEcs appears in names. Expected output (truncated):

    # data.alicloud_resource_manager_roles.slr:
    data "alicloud_resource_manager_roles" "slr" {
        enable_details = false
        id             = "163141****"
        ids            = [
            "AliyunActionTrailDefaultRole",
            "AliyunAdamAccessingDatabaseRole",
            ...
        ]
        names          = [
            "AliyunActionTrailDefaultRole",
            "AliyunAdamAccessingDatabaseRole",
            ...
        ]
        roles          = [
            {
                arn                         = "acs:ram::140****:role/aliyunactiontraildefaultrole"
                assume_role_policy_document = ""
                description                 = "By default, ActionTrail assumes this role to access your cloud resources."
                id                          = "AliyunActionTrailDefaultRole"
                max_session_duration        = 3600
                role_id                     = "394****"
                role_name                   = "AliyunActionTrailDefaultRole"
                update_date                 = "2019-05-07T02:29:41Z"
            },
            ...
        ]
    }
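The two procedures above (create the role, then list roles and look for it by eye) can be combined into one configuration that creates the SLR and then fails the apply if the role cannot be found by exact name. The following is an added example, not the sample code from this topic: it uses the name_regex filter argument of the alicloud_resource_manager_roles data source, the block labels pgsql_slr are my own choice, and the precondition block requires Terraform 1.2 or later.

```hcl
# Added example; not part of the original topic. Creates the RDS for PostgreSQL
# service-linked role, then queries it by exact name and verifies the result.

resource "alicloud_rds_service_linked_role" "default" {
  service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
}

# Filter to the one role of interest instead of listing every role in the
# account. The ^ and $ anchors prevent a longer name that merely starts with
# the SLR name from matching.
data "alicloud_resource_manager_roles" "pgsql_slr" {
  name_regex = "^AliyunServiceRoleForRdsPgsqlOnEcs$"

  # Read after the resource is created; otherwise the first apply reads an
  # empty list before the role exists.
  depends_on = [alicloud_rds_service_linked_role.default]
}

locals {
  # one() returns null for an empty list and errors for more than one element;
  # try() turns that error into null so the precondition below reports it.
  pgsql_slr = try(one(data.alicloud_resource_manager_roles.pgsql_slr.roles), null)
}

output "pgsql_slr" {
  # The ARN and role ID that ApsaraDB RDS for PostgreSQL will assume.
  value = local.pgsql_slr == null ? null : {
    arn       = local.pgsql_slr.arn
    role_id   = local.pgsql_slr.role_id
    role_name = local.pgsql_slr.role_name
  }

  # Fail the run if the role is missing or the name matched more than once.
  precondition {
    condition     = length(data.alicloud_resource_manager_roles.pgsql_slr.roles) == 1
    error_message = "Expected exactly one RAM role named AliyunServiceRoleForRdsPgsqlOnEcs."
  }
}
```

Run terraform init, terraform plan, and terraform apply in the directory that holds this file. After the apply, terraform output pgsql_slr prints the ARN, role ID, and role name of the created role; if the query returns no role or more than one, the apply stops with the precondition error instead of silently producing an empty output.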
Clean up resources
If you no longer need the resources created or managed by Terraform, run the following command to release them. Note that this deletes the AliyunServiceRoleForRdsPgsqlOnEcs role itself. Because ApsaraDB RDS for PostgreSQL needs this role to mount ENIs and establish network connections, do not destroy it while PostgreSQL instances that depend on it still exist. For more information about the terraform destroy command, see Common commands.

    terraform destroy

Complete sample code
You can run the sample code in this topic with a few clicks. For more information, visit Terraform Explorer.