Terraform is available as a managed service in Resource Orchestration Service (ROS). This topic describes the ROS features and resources that are supported by Terraform.

Terraform and provider versions that are supported by ROS

The following table lists the Terraform and provider versions that are supported by ROS.

Terraform version | Provider version
0.12.28
  • alicloud: 1.121.2
  • aws: 3.37.0
  • azurerm: 2.56.0
  • random: 3.1.0
  • template: 2.2.0
  • time: 0.7.0
0.15.3
  • alicloud: 1.123.0
  • aws: 3.42.0
  • azurerm: 2.59.0
  • random: 3.1.0
  • template: 2.2.0
  • time: 0.7.1
1.0.11
  • alicloud: 1.139.0 to 1.201.1
  • aws: 3.63.0 to 4.58.0
  • azurerm: 2.81.0 to 3.47.0
  • random: 3.1.0 to 3.4.3
  • template: 2.2.0
  • time: 0.7.2 to 0.9.1
  • fortios: 1.13.2 to 1.16.0
  • fortimanager: 1.3.4 to 1.7.0
  • helm: 2.3.0 to 2.9.0
  • kubernetes: 2.6.1 to 2.18.1
1.1.9
  • alicloud: 1.139.0 to 1.201.1
  • aws: 3.63.0 to 4.58.0
  • azurerm: 2.81.0 to 3.47.0
  • random: 3.1.0 to 3.4.3
  • template: 2.2.0
  • time: 0.7.2 to 0.9.1
  • fortios: 1.13.2 to 1.16.0
  • fortimanager: 1.3.4 to 1.7.0
  • helm: 2.3.0 to 2.9.0
  • kubernetes: 2.6.1 to 2.18.1
1.2.9
  • alicloud: 1.139.0 to 1.201.1
  • aws: 3.63.0 to 4.58.0
  • azurerm: 2.81.0 to 3.47.0
  • random: 3.1.0 to 3.4.3
  • template: 2.2.0
  • time: 0.7.2 to 0.9.1
  • fortios: 1.13.2 to 1.16.0
  • fortimanager: 1.3.4 to 1.7.0
  • helm: 2.3.0 to 2.9.0
  • kubernetes: 2.6.1 to 2.18.1
Note: ROS updates the supported Terraform and provider versions on a regular basis. You can call the GetFeatureDetails operation to query the supported Terraform versions.

ROS features supported by Terraform

Item | Supported feature | Unsupported feature
Stack
  • You can preview, create, update, delete, and query stacks.
  • You can query resources, stack events, resource events, outputs, and templates.
  • When you use a stack to create resources, you can add the system tag acs:ros:stackId to specific resources in the stack. For more information about the resources, see the Resources that support system tags list in the ROS resources supported by Terraform section of this topic.
  • When you use a stack to create or update resources, you can propagate the user tags of the stack to specific resources in the stack. For more information, see the Resources that support the user tag propagation of stacks list in the ROS resources supported by Terraform section of this topic.
  • When you use a stack to create or update resources, you can propagate the resource group of the stack to specific resources in the stack. For more information, see the Resources that support the propagation of resource groups of stacks list in the ROS resources supported by Terraform section of this topic.
  • You can specify a timeout period that ranges from 10 to 120 minutes, configure the Parameters, Outputs, and Rules sections of a template, and continue to create a stack after the stack fails to be created. You can configure resource status notifications and deletion protection, and specify whether to retain all or specific resources of a stack when you delete the stack. You can also configure RAM roles, manage tags and resource groups, and audit events before the events are triggered.
  • You can manage change sets.
  • You can detect drift.
  • You can import resources.
  • You can detect risks. For more information about the resources, see the Resources that support risk detection list in the ROS resources supported by Terraform section of this topic.
  • You can cancel an operation on a stack.
Unsupported feature: You cannot use the rollback on failure feature, attach stack policies, control replacement updates, remediate drift, or configure signals.
Stack group
  • You can create, update, delete, and query stack groups.
  • You can create, update, delete, and query stacks. You can also query and stop operations that are performed on stacks.
  • You can manage tags and resource groups.
  • You can detect drift.
Unsupported feature: None.
Template
Unsupported feature: You cannot query the RAM policies based on which templates are generated, or automatically query the values of template parameters.
Others
  • You can use Security Token Service (STS).
  • You can query the activation status and the RAM roles of an Alibaba Cloud service.
  • You can query the details of features.
Unsupported feature: You cannot query resource types.

ROS API operations supported by Terraform

Feature | API operation
Stack | PreviewStack, CreateStack, ContinueCreateStack, UpdateStack, DeleteStack, GetStack, ListStacks, ListStackResources, GetStackResource, ListStackEvents, SetDeletionProtection, ListStackOperationRisks, CancelUpdateStack, and CancelStackOperation
Note: If you set the StackType parameter to Terraform when you call the GetStack or ListStacks operation, Terraform stacks are queried.
Change set and resource import | CreateChangeSet, ExecuteChangeSet, DeleteChangeSet, GetChangeSet, and ListChangeSets
Drift detection | DetectStackDrift, DetectStackGroupDrift, GetStackDriftDetectionStatus, and ListStackResourceDrifts
Note: You cannot call the DetectStackResourceDrift operation to detect drifts on multiple resources at the same time.
Stack group | CreateStackGroup, UpdateStackGroup, DeleteStackGroup, GetStackGroup, ListStackGroups, CreateStackInstances, UpdateStackInstances, DeleteStackInstances, GetStackInstance, ListStackInstances, StopStackGroupOperation, GetStackGroupOperation, ListStackGroupOperations, and ListStackGroupOperationResults
Template | CreateTemplate, UpdateTemplate, DeleteTemplate, GetTemplate, ListTemplates, ListTemplateVersions, SetTemplatePermission, ValidateTemplate, GetTemplateEstimateCost, GetTemplateSummary, and GetTemplateParameterConstraints
Tag | TagResources, UntagResources, ListTagKeys, ListTagValues, and ListTagResources
Resource group | MoveResourceGroup
Others | GetServiceProvisions and GetFeatureDetails

ROS resources supported by Terraform

Terraform in ROS supports the following resources that are provided by mainstream cloud service providers (CSPs):

  • Alibaba Cloud resources
    Note
    • You can debug Terraform modules online. For more information, visit Alibaba Cloud Terraform Modules.
    • ROS provides a default provider that uses the temporary AccessKey pair or STS credential of your account and the region ID of your stack.

    The following section lists the resources that support price inquiry, system tags, user tag propagation of stacks, resource group propagation of stacks, and risk detection.

    Note: You can call the GetFeatureDetails operation to query the types of resources that support price inquiry, system tags, user tag propagation of stacks, resource group propagation of stacks, and risk detection.
    • Resources that support price inquiry
      • Elastic Compute Service (ECS): alicloud_instance, alicloud_ecs_disk, alicloud_disk, alicloud_ecs_dedicated_host, and alicloud_ecs_instance_set
      • Virtual Private Cloud (VPC): alicloud_eip_address, alicloud_eip, alicloud_common_bandwidth_package, alicloud_nat_gateway, alicloud_vpn_gateway, alicloud_eipanycast_anycast_eip_address, alicloud_vpc_ipv6_gateway, and alicloud_router_interface
      • Server Load Balancer (SLB): alicloud_slb_load_balancer and alicloud_slb
      • ApsaraDB RDS: alicloud_db_instance and alicloud_db_readonly_instance
      • ApsaraDB for Redis: alicloud_kvstore_instance
      • PolarDB: alicloud_polardb_cluster
      • ApsaraDB for MongoDB: alicloud_mongodb_instance, alicloud_mongodb_serverless_instance, and alicloud_mongodb_sharding_instance
      • Cloud Enterprise Network (CEN): alicloud_cen_bandwidth_package
      • Alibaba Cloud Marketplace: alicloud_market_order
      • PolarDB-X 1.0: alicloud_drds_instance
      • Elastic Container Instance: alicloud_eci_container_group and alicloud_eci_image_cache
      • E-MapReduce (EMR): alicloud_emr_cluster
      • Elasticsearch: alicloud_elasticsearch_instance
      • Serverless App Engine (SAE): alicloud_sae_application
      • AnalyticDB for PostgreSQL: alicloud_gpdb_elastic_instance and alicloud_gpdb_instance
      • Global Accelerator (GA): alicloud_ga_accelerator
      • AnalyticDB for MySQL: alicloud_adb_cluster and alicloud_adb_db_cluster
      • Apsara File Storage NAS (NAS): alicloud_nas_file_system
      • Message Queue for Apache Kafka: alicloud_alikafka_instance
      • Microservices Engine (MSE): alicloud_mse_cluster
      • Application Load Balancer (ALB): alicloud_alb_load_balancer
      • Data Transmission Service (DTS): alicloud_dts_migration_instance and alicloud_dts_synchronization_instance
      • Elastic Desktop Service (EDS): alicloud_ecd_desktop
      • ROS: alicloud_ros_stack
      • Container Service for Kubernetes (ACK): alicloud_cs_kubernetes, alicloud_cs_edge_kubernetes, alicloud_cs_managed_kubernetes, and alicloud_cs_serverless_kubernetes
      • Time Series Database (TSDB): alicloud_tsdb_instance
      • Elastic High Performance Computing (E-HPC): alicloud_ehpc_cluster
      • ApsaraDB for ClickHouse: alicloud_click_house_db_cluster
      • Web Application Firewall (WAF): alicloud_waf_instance
      • ApsaraDB MyBase: alicloud_cddc_dedicated_host
    • Resources that support system tags
      • ECS: alicloud_instance, alicloud_ecs_disk, alicloud_disk, alicloud_ecs_dedicated_host, alicloud_security_group, alicloud_key_pair, alicloud_ecs_launch_template, alicloud_ecs_network_interface, alicloud_image_copy, alicloud_image, alicloud_ecs_snapshot, alicloud_launch_template, alicloud_snapshot, alicloud_snapshot_policy, alicloud_network_interface, alicloud_ecs_instance_set, alicloud_ecs_auto_snapshot_policy, alicloud_ecs_dedicated_host_cluster, and alicloud_ecs_key_pair
      • VPC: alicloud_eip_address, alicloud_eip, alicloud_common_bandwidth_package, alicloud_nat_gateway, alicloud_vpn_gateway, alicloud_vpc, alicloud_vswitch, alicloud_route_table, and alicloud_vpc_ipv6_gateway
      • SLB: alicloud_slb_load_balancer, alicloud_slb, alicloud_slb_acl, and alicloud_slb_server_certificate
      • ApsaraDB RDS: alicloud_db_instance, alicloud_db_readonly_instance, alicloud_rds_clone_db_instance, and alicloud_rds_upgrade_db_instance
      • ApsaraDB for Redis: alicloud_kvstore_instance
      • PolarDB: alicloud_polardb_cluster
      • ApsaraDB for MongoDB: alicloud_mongodb_instance, alicloud_mongodb_serverless_instance, and alicloud_mongodb_sharding_instance
      • Elasticsearch: alicloud_elasticsearch_instance
      • AnalyticDB for PostgreSQL: alicloud_gpdb_elastic_instance and alicloud_gpdb_instance
      • Certificate Management Service (CAS): alicloud_cas_certificate and alicloud_ssl_certificates_service_certificate
      • Object Storage Service (OSS): alicloud_oss_bucket, alicloud_oos_execution, and alicloud_oos_template
      • Alibaba Cloud DNS PrivateZone: alicloud_pvtz_zone
      • Anti-DDoS: alicloud_ddosbgp_instance and alicloud_ddoscoo_instance
      • Bastionhost (BH): alicloud_bastionhost_instance
      • Auto Scaling: alicloud_ess_scaling_group
      • ROS: alicloud_ros_template, alicloud_ros_stack, and alicloud_ros_stack_group
      • Message Queue for Apache Kafka: alicloud_alikafka_instance, alicloud_alikafka_consumer_group, and alicloud_alikafka_topic
      • Alibaba Cloud DNS (DNS): alicloud_alidns_domain
      • DTS: alicloud_dts_migration_instance and alicloud_dts_synchronization_instance
      • ACK: alicloud_cs_managed_kubernetes, alicloud_cs_serverless_kubernetes, alicloud_cs_edge_kubernetes, and alicloud_cs_kubernetes
      • ALB: alicloud_alb_security_policy, alicloud_alb_server_group, alicloud_alb_acl, and alicloud_alb_load_balancer
      • Message Queue for Apache RocketMQ: alicloud_ons_instance
      • NAS: alicloud_nas_file_system
      • ApsaraDB MyBase: alicloud_cddc_dedicated_host
      • DBAudit: alicloud_yundun_dbaudit_instance
      • Function Compute: alicloud_fc_service
      • AnalyticDB for MySQL: alicloud_adb_cluster
      • Alibaba Cloud CDN (CDN): alicloud_cdn_domain_new
      • ApsaraDB for HBase: alicloud_hbase_instance
      • E-HPC: alicloud_ehpc_cluster
    • Resources that support user tag propagation of stacks
      • ECS: alicloud_instance, alicloud_ecs_disk, alicloud_disk, alicloud_ecs_dedicated_host, alicloud_security_group, alicloud_key_pair, alicloud_ecs_launch_template, alicloud_ecs_network_interface, alicloud_image_copy, alicloud_image, alicloud_ecs_snapshot, alicloud_launch_template, alicloud_snapshot, alicloud_network_interface, alicloud_ecs_key_pair, alicloud_ecs_instance_set, alicloud_ecs_auto_snapshot_policy, alicloud_snapshot_policy, and alicloud_ecs_dedicated_host_cluster
      • VPC: alicloud_eip_address, alicloud_eip, alicloud_common_bandwidth_package, alicloud_nat_gateway, alicloud_vpn_gateway, alicloud_vpc, alicloud_vswitch, alicloud_vpc_ipv6_gateway, and alicloud_route_table
      • SLB: alicloud_slb_load_balancer, alicloud_slb, alicloud_slb_server_certificate, and alicloud_slb_acl
      • ApsaraDB RDS: alicloud_db_instance, alicloud_db_readonly_instance, alicloud_rds_clone_db_instance, and alicloud_rds_upgrade_db_instance
      • ApsaraDB for Redis: alicloud_kvstore_instance
      • PolarDB: alicloud_polardb_cluster
      • ApsaraDB for MongoDB: alicloud_mongodb_instance, alicloud_mongodb_serverless_instance, and alicloud_mongodb_sharding_instance
      • CEN: alicloud_cen_bandwidth_package and alicloud_cen_instance
      • PolarDB-X 1.0: alicloud_drds_instance
      • EMR: alicloud_emr_cluster
      • Elasticsearch: alicloud_elasticsearch_instance
      • AnalyticDB for PostgreSQL: alicloud_gpdb_elastic_instance and alicloud_gpdb_instance
      • AnalyticDB for MySQL: alicloud_adb_db_cluster and alicloud_adb_cluster
      • ALB: alicloud_alb_acl, alicloud_alb_server_group, alicloud_alb_load_balancer, and alicloud_alb_security_policy
      • DNS: alicloud_alidns_domain, alicloud_dns_domain, and alicloud_dns
      • BH: alicloud_bastionhost_instance
      • CAS: alicloud_cas_certificate and alicloud_ssl_certificates_service_certificate
      • ApsaraDB MyBase: alicloud_cddc_dedicated_host
      • CDN: alicloud_cdn_domain_new
      • ACK: alicloud_cs_kubernetes, alicloud_cs_edge_kubernetes, alicloud_cs_managed_kubernetes, and alicloud_cs_serverless_kubernetes
      • Dynamic Route for CDN (DCDN): alicloud_dcdn_domain and alicloud_dcdn_ipa_domain
      • Anti-DDoS: alicloud_ddosbgp_instance and alicloud_ddoscoo_instance
      • DTS: alicloud_dts_synchronization_instance and alicloud_dts_migration_instance
      • Hybrid Backup Recovery (HBR): alicloud_hbr_replication_vault, alicloud_hbr_vault, alicloud_hbr_hana_instance, and alicloud_hbr_ecs_backup_client
      • ApsaraDB for HBase: alicloud_hbase_instance
      • Message Queue for Apache Kafka: alicloud_alikafka_instance, alicloud_alikafka_topic, and alicloud_alikafka_consumer_group
      • NAS: alicloud_nas_file_system
      • Operation Orchestration Service (OOS): alicloud_oos_template and alicloud_oos_execution
      • Alibaba Cloud DNS PrivateZone: alicloud_pvtz_zone
      • ROS: alicloud_ros_template and alicloud_ros_stack
      • SAE: alicloud_sae_application
      • DBAudit: alicloud_yundun_dbaudit_instance
      • API Gateway: alicloud_api_gateway_group, alicloud_api_gateway_api, and alicloud_api_gateway_app
      • Function Compute: alicloud_fc_service
      • Auto Scaling: alicloud_ess_scaling_group
      • OSS: alicloud_oss_bucket
      • ApsaraVideo VOD (VOD): alicloud_vod_domain
      • Message Queue for Apache RocketMQ: alicloud_ons_instance

      If you want to propagate the user tags of stacks to resources that belong to a RAM user or RAM role, you must attach the AliyunTagAdministratorAccess system policy to the RAM user or RAM role and grant it permission to call oss:GetBucketTagging. The following sample code shows how to configure a custom RAM policy:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "tag:*",
              "*:ListTagResources",
              "*:TagResources",
              "*:UntagResources",
              "*:UnTagResources",
              "vod:TagVodResources",
              "vod:UnTagVodResources",
              "dcdn:TagDcdnResources",
              "dcdn:UntagDcdnResources",
              "ecs:DescribeResourceByTags",
              "*:DescribeTags",
              "*:DescribeTagKeys",
              "*:ListTagKeys",
              "*:ListTagValues",
              "ecs:AddTags",
              "ecs:RemoveTags",
              "slb:AddTags",
              "slb:RemoveTags",
              "rds:AddTagsToResource",
              "rds:DescribeDBInstanceByTags",
              "rds:RemoveTagsFromResource",
              "oss:PutBucketTagging",
              "oss:GetBucketTagging",
              "oss:DeleteBucketTagging",
              "live:TagLiveResources",
              "live:ListLiveTagResources",
              "live:UnTagLiveResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
    • Resources that support resource group propagation of stacks
      Note: If you want to propagate the resource groups of stacks to resources that belong to a RAM user or RAM role, you must grant the required permissions to the RAM user or RAM role. For more information, see Services that work with Resource Group.
      • ECS: alicloud_instance, alicloud_ecs_disk, alicloud_disk, alicloud_ecs_dedicated_host, alicloud_security_group, alicloud_key_pair, alicloud_ecs_launch_template, alicloud_ecs_network_interface, alicloud_image_copy, alicloud_image, alicloud_snapshot, alicloud_ecs_key_pair, alicloud_launch_template, alicloud_ecs_instance_set, alicloud_snapshot_policy, alicloud_network_interface, alicloud_ecs_auto_snapshot_policy, and alicloud_ecs_snapshot
      • VPC: alicloud_vpc, alicloud_common_bandwidth_package, alicloud_eip_address, and alicloud_eip
      • SLB: alicloud_slb_load_balancer, alicloud_slb_server_certificate, alicloud_slb_acl, and alicloud_slb
      • ApsaraDB RDS: alicloud_db_instance, alicloud_db_readonly_instance, alicloud_rds_upgrade_db_instance, and alicloud_rds_clone_db_instance
      • ApsaraDB for Redis: alicloud_kvstore_instance
      • PolarDB: alicloud_polardb_cluster
      • ApsaraDB for MongoDB: alicloud_mongodb_instance, alicloud_mongodb_serverless_instance, and alicloud_mongodb_sharding_instance
      • Elastic Container Instance: alicloud_eci_container_group and alicloud_eci_image_cache
      • PolarDB-X 1.0: alicloud_drds_instance
      • EMR: alicloud_emr_cluster
      • Elasticsearch: alicloud_elasticsearch_instance
      • CAS: alicloud_cas_certificate and alicloud_ssl_certificates_service_certificate
      • ROS: alicloud_ros_stack, alicloud_ros_stack_group, and alicloud_ros_template
      • Alibaba Cloud DNS PrivateZone: alicloud_pvtz_zone
      • ACK: alicloud_cs_kubernetes, alicloud_cs_edge_kubernetes, alicloud_cs_managed_kubernetes, and alicloud_cs_serverless_kubernetes
      • ApsaraDB for HBase: alicloud_hbase_instance
      • ALB: alicloud_alb_acl, alicloud_alb_security_policy, alicloud_alb_load_balancer, and alicloud_alb_server_group
      • OOS: alicloud_oos_state_configuration, alicloud_oos_template, alicloud_oos_secret_parameter, and alicloud_oos_parameter
      • DNS: alicloud_dns_domain, alicloud_dns, alicloud_alidns_gtm_instance, and alicloud_alidns_domain
      • Anti-DDoS: alicloud_ddoscoo_instance and alicloud_ddosbgp_instance
      • BH: alicloud_bastionhost_instance
      • Enterprise Distributed Application Service (EDAS): alicloud_edas_k8s_application, alicloud_edas_cluster, alicloud_edas_k8s_cluster, and alicloud_edas_application
      • CDN: alicloud_cdn_domain_new
      • WAF: alicloud_waf_domain
      • ApsaraDB for Cassandra: alicloud_cassandra_cluster
      • DCDN: alicloud_dcdn_domain and alicloud_dcdn_ipa_domain
      • OpenSearch: alicloud_open_search_app_group
      • DBAudit: alicloud_yundun_dbaudit_instance
      • HBR: alicloud_hbr_vault and alicloud_hbr_replication_vault
      • CEN: alicloud_cen_bandwidth_package and alicloud_cen_instance
      • AnalyticDB for MySQL: alicloud_adb_cluster and alicloud_adb_db_cluster
      • Message Queue for Apache Kafka: alicloud_alikafka_instance
      • Lindorm: alicloud_lindorm_instance
    • Resources that support risk detection
      • ECS: alicloud_instance, alicloud_ecs_instance_set, alicloud_ecs_disk, alicloud_ecs_dedicated_host, alicloud_security_group, and alicloud_security_group_rule
      • VPC: alicloud_eip, alicloud_eip_address, alicloud_vpn_gateway, alicloud_snat_entry, and alicloud_nat_gateway
      • SLB: alicloud_slb_load_balancer and alicloud_slb
      • ApsaraDB RDS: alicloud_db_instance
      • ApsaraDB for Redis: alicloud_kvstore_instance
      • ApsaraDB for MongoDB: alicloud_mongodb_instance and alicloud_mongodb_sharding_instance
      • Resource Access Management (RAM): alicloud_ram_role
  • AWS resources
  • Azure resources