This topic describes how to use Terraform to create a Resource Access Management (RAM) role, create a custom permission policy, and bind the policy to the role.

Procedure

  1. Create a Resource Access Management (RAM) role.
    1. In the current working directory, create a file named terraform.tf with the following content and save it.
      # RAM role that the listed Alibaba Cloud services are trusted to assume.
      resource "alicloud_ram_role" "role" {
        name = "testRole"
        # Trust policy: only the service principals named under "Principal"
        # may call sts:AssumeRole on this role. Keep this list limited to the
        # services that actually need it. The heredoc text is stored verbatim,
        # so its whitespace is part of the document.
        document = <<EOF
          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": [
                    "apigateway.aliyuncs.com",
                    "ecs.aliyuncs.com"
                  ]
                }
              }
            ],
            "Version": "1"
          }
      EOF
        description = "this is a role test."
        # NOTE(review): force presumably lets `terraform destroy` remove the
        # role even while policies are still attached -- convenient for a
        # test role; confirm in the provider docs before using it for
        # production roles.
        force       = true
      }
    2. Run the terraform apply command to create the RAM role.
    3. Run the terraform show command to view the created RAM role.
  2. Create a custom permission policy.
    1. In terraform.tf, add the following content:
      # Custom permission policy: an explicit Deny on listing and reading
      # objects in the OSS bucket "mybucket" (the bucket itself and every
      # object under it).
      resource "alicloud_ram_policy" "policy" {
        name = "testPolicy"
        # NOTE(review): in RAM an explicit Deny is expected to take precedence
        # over any Allow granted elsewhere, so attaching this policy blocks
        # these two actions for the role regardless of other policies --
        # confirm against the RAM policy evaluation rules.
        document = <<EOF
          {
            "Statement": [
              {
                "Action": [
                  "oss:ListObjects",
                  "oss:GetObject"
                ],
                "Effect": "Deny",
                "Resource": [
                  "acs:oss:*:*:mybucket",
                  "acs:oss:*:*:mybucket/*"
                ]
              }
            ],
              "Version": "1"
          }
      EOF
        description = "this is a policy test"
        # NOTE(review): force presumably allows the policy to be deleted even
        # while it is still attached to a role -- fine for a test policy;
        # confirm in the provider docs.
        force       = true
      }
    2. Run the terraform apply command to create the permission policy.
    3. Run the terraform show command to view the created permission policy.
  3. Bind the permission policy to the role.
    1. In terraform.tf, add the following content:
      # Attaches the custom policy to the role. The references to the role
      # and policy resources make them implicit dependencies, so Terraform
      # creates both before this attachment.
      resource "alicloud_ram_role_policy_attachment" "attach" {
        policy_name = alicloud_ram_policy.policy.name
        role_name   = alicloud_ram_role.role.name
        # Read from the policy resource rather than hard-coded, so the
        # attachment follows the policy's actual type.
        policy_type = alicloud_ram_policy.policy.type
      }
    2. Run the terraform apply command to bind the permission policy to the role.
    3. Run the terraform show command to view the custom permissions of the role.

Example

# NOTE(review): no region or credentials are configured here; they must be
# supplied through the provider's usual out-of-band configuration (for
# example environment variables) -- confirm how this example is meant to
# authenticate before running it.
provider "alicloud" {
}

# RAM role that the listed Alibaba Cloud services are trusted to assume.
resource "alicloud_ram_role" "role" {
  name = "testRole"
  # Trust policy: only the service principals named under "Principal" may
  # call sts:AssumeRole on this role. Keep this list limited to the services
  # that actually need it. The heredoc text is stored verbatim, so its
  # whitespace is part of the document.
  document = <<EOF
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "apigateway.aliyuncs.com",
              "ecs.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
EOF
  description = "this is a role test."
  # NOTE(review): force presumably lets `terraform destroy` remove the role
  # even while policies are still attached -- convenient for a test role;
  # confirm in the provider docs before using it for production roles.
  force       = true
}

# Custom permission policy: an explicit Deny on listing and reading objects
# in the OSS bucket "mybucket" (the bucket itself and every object under it).
resource "alicloud_ram_policy" "policy" {
  name = "testPolicy"
  # NOTE(review): in RAM an explicit Deny is expected to take precedence over
  # any Allow granted elsewhere, so attaching this policy blocks these two
  # actions for the role regardless of other policies -- confirm against the
  # RAM policy evaluation rules.
  document = <<EOF
    {
      "Statement": [
        {
          "Action": [
            "oss:ListObjects",
            "oss:GetObject"
          ],
          "Effect": "Deny",
          "Resource": [
            "acs:oss:*:*:mybucket",
            "acs:oss:*:*:mybucket/*"
          ]
        }
      ],
        "Version": "1"
    }
EOF
  description = "this is a policy test"
  # NOTE(review): force presumably allows the policy to be deleted even while
  # it is still attached to a role -- fine for a test policy; confirm in the
  # provider docs.
  force       = true
}

# Attaches the custom policy to the role. The references to the role and
# policy resources make them implicit dependencies, so Terraform creates
# both before this attachment.
resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy.name
  role_name   = alicloud_ram_role.role.name
  # Read from the policy resource rather than hard-coded, so the attachment
  # follows the policy's actual type.
  policy_type = alicloud_ram_policy.policy.type
}