This topic describes how to use Terraform to assign service roles to Container Service for Kubernetes (ACK) when you use ACK for the first time.
You can run the sample code in this topic with one click. Click here to run the sample code.
Prerequisites
By default, an Alibaba Cloud account has full permissions on all resources that belong to this account. Security risks may arise if the credentials of an Alibaba Cloud account are leaked. We recommend that you use Resource Access Management (RAM) users to manage resources. When you create a RAM user, you need to create an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create an AccessKey pair.
The following policy is attached to the RAM user that you use to run commands in Terraform. The policy includes the minimum permissions required to run commands in Terraform. For more information, see Grant permissions to a RAM user.
The following policy provides the permissions to create, view, and delete RAM roles. The policy also provides the permissions to manage policies for RAM roles.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ram:GetRole", "ram:ListRoles", "ram:AttachPolicyToRole", "ram:ListPoliciesForRole", "ram:CreateRole", "ram:DetachPolicyFromRole", "ram:DeleteRole" ], "Resource": "*" } ] }The runtime environment for Terraform is prepared by using one of the following methods:
Use Terraform in Terraform Explorer: Alibaba Cloud provides an online runtime environment for Terraform. You can log on to the environment to use Terraform without the need to install Terraform. This method is suitable for scenarios where you need to use and debug Terraform in a low-cost, efficient, and convenient manner.
Use Terraform in Cloud Shell: Cloud Shell is preinstalled with Terraform and configured with your identity credentials. You can run Terraform commands in Cloud Shell. This method is suitable for scenarios where you need to use and access Terraform in a low-cost, efficient, and convenient manner.
Install and configure Terraform on your on-premises machine: This method is suitable for scenarios where network connections are unstable or a custom development environment is needed.
Required resources
alicloud_ack_service: automatically activates ACK.
alicloud_ram_role: creates a RAM role.
alicloud_ram_role_policy_attachment: attaches a policy to a RAM role.
alicloud_ram_roles: lists RAM roles within the current Alibaba Cloud account that match the specified filter options.
Step 1: Activate ACK
You must activate ACK before you can create ACK clusters.
Create a working directory and a file named main.tf under the directory. Then, copy the following content to the main.tf file.
// Activate ACK. data "alicloud_ack_service" "open" { enable = "On" type = "propayasgo" }Run the following command to initialize the Terraform runtime environment:
terraform initIf the following information is returned, Terraform is initialized:
Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.Run the following command to activate ACK:
terraform applyDuring command execution, follow the instructions to type and press Enter. Wait until the command is run. If the following information is returned, ACK is activated.
You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Step 2: Assign service roles to ACK
When you use ACK for the first time, you must assign service roles to ACK with your Alibaba Cloud account.
Copy the following code block to the
main.tffile:// The RAM roles that you want to assign. variable "roles" { type = list(object({ name = string policy_document = string description = string policy_name = string })) default = [ { name = "AliyunCSManagedLogRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedLogRolePolicy" }, { name = "AliyunCSManagedCmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCmsRolePolicy" }, { name = "AliyunCSManagedCsiRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiRolePolicy" }, { name = "AliyunCSManagedCsiPluginRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiPluginRolePolicy" }, { name = "AliyunCSManagedCsiProvisionerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" }, { name = "AliyunCSManagedVKRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The VK component of ACK Serverless clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedVKRolePolicy" }, { name = "AliyunCSServerlessKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK clusters assume this role to access your cloud resources." policy_name = "AliyunCSServerlessKubernetesRolePolicy" }, { name = "AliyunCSKubernetesAuditRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSKubernetesAuditRolePolicy" }, { name = "AliyunCSManagedNetworkRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedNetworkRolePolicy" }, { name = "AliyunCSDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." policy_name = "AliyunCSDefaultRolePolicy" }, { name = "AliyunCSManagedKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK clusters assume this role to access your cloud resources." policy_name = "AliyunCSManagedKubernetesRolePolicy" }, { name = "AliyunCSManagedArmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The Application Real-Time Monitoring Service (ARMS) plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedArmsRolePolicy" }, { name = "AliyunCISDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Container Intelligence Service (CIS) assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCISDefaultRolePolicy" }, { name = "AliyunOOSLifecycleHook4CSRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "Operation Orchestration Service (OOS) assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" }, { name = "AliyunCSManagedAutoScalerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedAutoScalerRolePolicy" } ] } // Query RAM roles. data "alicloud_ram_roles" "roles" { policy_type = "Custom" name_regex = "^Aliyun.*Role$" } locals { # Query the RAM roles that you want to assign. all_role_names = [for role in var.roles : role.name] # Query the RAM roles that already exist. created_role_names = [for role in data.alicloud_ram_roles.roles.roles : role.name] # Compare the two sets of RAM roles to obtain the RAM roles that you want to assign but do not exist. complement_names = setsubtract(local.all_role_names, local.created_role_names) # The RAM roles that need to be created. complement_roles = [for role in var.roles : role if contains(local.complement_names, role.name)] } // Create RAM roles. resource "alicloud_ram_role" "role" { for_each = { for r in local.complement_roles : r.name => r } name = each.value.name document = each.value.policy_document description = each.value.description force = true } // Attach system policies to RAM roles. resource "alicloud_ram_role_policy_attachment" "attach" { for_each = { for r in local.complement_roles : r.name => r } policy_name = each.value.policy_name policy_type = "System" role_name = each.value.name depends_on = [alicloud_ram_role.role] }NoteThe preceding sample code shows the configurations of an input variable that serves as the parameters for Terraform. For more information about the parameter values in the preceding sample code, see Appendix. You must specify service roles in the code. You can select service roles based on your business requirements.
Create an execution plan and preview the changes.
terraform planRun the following command to apply the execution plan and assign service roles to ACK:
terraform applyDuring command execution, follow the instructions to type and press Enter. Wait until the command is run. If the following information is returned, ACK is activated.
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.Verify the results.
Run the terraform show command
Run the following command to query the resources that have been created by Terraform:
terraform show
Log on to the RAM console
Log on to the RAM console to view the created roles.
Delete resources
If you no longer need to use the preceding resources created or managed by Terraform, run the following command to delete the resources: For more information about the terraform destroy command, see Common commands.
terraform destroyComplete sample code
Appendix
Service roles
AliyunCSManagedLogRole
Description:
The logging component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service.
Authorization code:
{ name = "AliyunCSManagedLogRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The logging component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedLogRolePolicy" }
AliyunCSManagedCmsRole
Description:
The monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as CloudMonitor and Simple Log Service.
Authorization code:
{ name = "AliyunCSManagedCmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The CMS component of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCmsRolePolicy" }
AliyunCSManagedCsiRole
Description:
The volume plug-in of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in other cloud services, such as Elastic Compute Service (ECS), File Storage NAS (NAS), and Object Storage Service (OSS).
Authorization code:
{ name = "AliyunCSManagedCsiRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedCsiRolePolicy" }
AliyunCSManagedCsiPluginRole
Description:
Authorization code:
{ name = "AliyunCSManagedCsiPluginRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in (new csi-plugin) of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS." policy_name = "AliyunCSManagedCsiPluginRolePolicy" }
AliyunCSManagedCsiProvisionerRole
Description:
The new csi-provisioner component of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS, NAS, and OSS.
Authorization code:
{ name = "AliyunCSManagedCsiProvisionerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The volume plug-in (new csi-provisioner) of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS, NAS, and OSS." policy_name = "AliyunCSManagedCsiProvisionerRolePolicy" }
AliyunCSServerlessKubernetesRole
Description:
ACK Edge clusters and ACK Serverless clusters assume this role to access your resources in other cloud services, such as ECS, Virtual Private Cloud (VPC), Server Load Balancer (SLB), and Alibaba Cloud DNS PrivateZone.
Authorization code:
{ name = "AliyunCSServerlessKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK Serverless clusters assume this role to access your resources in other cloud services." policy_name = "AliyunCSServerlessKubernetesRolePolicy" }
AliyunCSKubernetesAuditRole
Description:
The auditing component of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in Simple Log Service.
Authorization code:
{ name = "AliyunCSKubernetesAuditRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auditing feature of ACK assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSKubernetesAuditRolePolicy" }
AliyunCSManagedNetworkRole
Description:
The network plug-in of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assume this role to access your resources in ECS and VPC.
Authorization code:
{ name = "AliyunCSManagedNetworkRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedNetworkRolePolicy" }
AliyunCSDefaultRole
Description:
ACK assumes this role to access your resources in other cloud services, such as ECS, VPC, SLB, Resource Orchestration Service (ROS), and Auto Scaling, when managing ACK clusters.
Authorization code:
{ name = "AliyunCSDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK assumes this role to access your resources in other Alibaba Cloud services when managing ACK clusters." policy_name = "AliyunCSDefaultRolePolicy" }
AliyunCSManagedKubernetesRole
Description:
ACK managed clusters and ACK Edge clusters assume this role to access your resources in other cloud services, such as ECS, VPC, SLB, and Container Registry.
Authorization code:
{ name = "AliyunCSManagedKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "By default, ACK clusters assume this role to access your cloud resources." policy_name = "AliyunCSManagedKubernetesRolePolicy" }
AliyunCSManagedArmsRole
Description:
The ARMS component of ACK Edge clusters and ACK Serverless clusters assumes this role to access your resources in ARMS.
Authorization code:
{ name = "AliyunCSManagedArmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The ARMS plug-in of ACK clusters assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedArmsRolePolicy" }AliyunCISDefaultRole
Description:
CIS assumes this role to access your resources in other cloud services, such as ECS, VPC, and SLB, to perform diagnostics and inspections.
Authorization code:
{ name = "AliyunCISDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "CIS assumes this role to access your resources in other Alibaba Cloud services." policy_name = "AliyunCISDefaultRolePolicy" }
Optional roles
AliyunCSManagedAcrRole
Description:
The Secret-free image pulling plug-in of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in Container Registry.
Authorization code:
{ name = "AliyunCSManagedAcrRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The Secret-free image pulling component of ACK clusters assumes this role to pull images from Container Registry." policy_name = "AliyunCSManagedAcrRolePolicy" }
AliyunCSManagedNlcRole
Description:
The node lifecycle controller of ACK managed clusters and ACK Edge clusters assumes this role to access your node pool resources in ECS and ACK.
Authorization code:
{ name = "AliyunCSManagedNlcRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The managed node pool controller of ACK clusters assumes this role to access your node pool resources in ECS and ACK." policy_name = "AliyunCSManagedNlcRolePolicy" }
AliyunCSManagedAutoScalerRole
Description:
The auto scaling component of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your node pool resources in ECS and ACK.
Authorization code:
{ name = "AliyunCSManagedAutoScalerRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The auto scaling component of ACK clusters assumes this role to access your node pool resources in other Alibaba Cloud services." policy_name = "AliyunCSManagedAutoScalerRolePolicy" }
AliyunCSManagedSecurityRole
Description:
The Secret encryption and credential management component of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in Key Management Service (KMS).
Authorization code:
{ name = "AliyunCSManagedSecurityRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The Secret encryption component of ACK clusters assumes this role to access your node pool resources in KMS." policy_name = "AliyunCSManagedSecurityRolePolicy" }
AliyunCSManagedCostRole
Description:
The cost analysis component of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in ECS and Elastic Container Instance, and call API operations of Bills Management.
Authorization code:
{ name = "AliyunCSManagedCostRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The cost analysis component of ACK clusters assumes this role to access your resources in ECS and Elastic Container Instance, and call API operations of Bills Management." policy_name = "AliyunCSManagedCostRolePolicy" }
AliyunCSManagedNimitzRole
Description:
The control component of ACK Edge clusters assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN).
Authorization code:
{ name = "AliyunCSManagedNimitzRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The network plug-in of ACK Lingjun clusters assumes this role to access your resources in Intelligent Computing LINGJUN." policy_name = "AliyunCSManagedNimitzRolePolicy" }
AliyunCSManagedBackupRestoreRole
Description:
The backup center component of ACK managed clusters, ACK Edge clusters, and ACK Serverless clusters assumes this role to access your resources in Cloud Backup and OSS.
Authorization code:
{ name = "AliyunCSManagedBackupRestoreRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The backup center component of ACK clusters assumes this role to access your resources in Cloud Backup and OSS." policy_name = "AliyunCSManagedBackupRestoreRolePolicy" }
AliyunCSManagedEdgeRole
Description:
The control component of ACK Edge clusters assumes this role to access your resources in SAG, VPC, and CEN.
Authorization code:
{ name = "AliyunCSManagedEdgeRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "The control component of ACK Edge clusters assumes this role to access your resources in SAG, VPC, and Cloud CEN." policy_name = "AliyunCSManagedEdgeRolePolicy" }
AliyunOOSLifecycleHook4CSRole
Description:
OOS assumes this role to access your resources in other cloud services, such as ACK, ECS, and PolarDB.
Authorization code:
{ name = "AliyunOOSLifecycleHook4CSRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "OOS assumes this role to access your resources in other Alibaba Cloud services. ACK relies on OOS to scale node pools." policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" }
References
For more information about Terraform, see What is Terraform?
ROS provides Terraform-based management that allows you to use Terraform templates in the ROS console to automatically deploy and manage resources. For more information, see Create a Terraform stack.