You can create and manage secrets by using Terraform. This topic uses the creation of a secret as an example.
Overview
KMS uses the specified key to encrypt and protect a secret, so you must create the key before you create the secret. For more information about secrets, see Secrets overview.
For more information about the Terraform configuration of secrets, see alicloud_kms_secret.
Limits
Terraform must be version 0.14.0 or later; the latest version is recommended. You can download it from the Terraform website.
Prerequisites
If you log on to Terraform as a RAM user, the RAM user must be granted the AliyunKMSFullAccess permission (manage Key Management Service) and the AliyunRAMFullAccess permission (manage Resource Access Management). For details, see Grant permissions to a RAM user.
Procedure
Important
We recommend that you mark secret_data (the secret value) as sensitive (sensitive = true) so that the sensitive secret value is not printed in logs or in the console. For more information, see Protect Sensitive Input Variables.
Create a working directory and create a configuration file named main.tf in it. Add the following content to main.tf to create the key that is used to encrypt the secret value. Important: the key used to encrypt the secret value must be a symmetric key.
```hcl
// KMS instance ID
variable "kms_instance_id" {
  default = "kst-gzz650d0533ntu2fm****"
}

// Create an AES key in the KMS instance.
// Key spec: Aliyun_AES_256; key usage: encryption and decryption (ENCRYPT/DECRYPT).
resource "alicloud_kms_key" "aes_key" {
  description            = "default_key_encrypt_decrypt description"
  key_usage              = "ENCRYPT/DECRYPT"
  key_spec               = "Aliyun_AES_256"
  dkms_instance_id       = var.kms_instance_id
  pending_window_in_days = 7
  tags = {
    "Environment" = "Production"
    "Name"        = "KMS-01"
    "SupportTeam" = "PlatformEngineering"
    "Contact"     = "aliyun@example.com"
  }
}
```
Add the following content to main.tf to create the secret.
Generic secret
```hcl
// Create a generic secret named kms_secret_general1 whose value is secret_data_kms_secret_general1.
resource "alicloud_kms_secret" "kms_secret_general" {
  secret_name                   = "kms_secret_general1"
  description                   = "secret_data_kms_secret_general"
  secret_type                   = "Generic"
  force_delete_without_recovery = true
  dkms_instance_id              = var.kms_instance_id
  encryption_key_id             = alicloud_kms_key.aes_key.id
  version_id                    = "v1"
  secret_data_type              = "text"
  secret_data                   = "secret_data_kms_secret_general1"
}
```
RAM secret
```hcl
// Example: create a RAM secret.
// Prerequisite: you have created the RAM user whose AccessKey is to be hosted, together with its AccessKey.
// The procedure has two steps.
// Step 1: grant KMS the permission to manage the RAM user's AccessKeys.
// 1.1 Create the custom policy AliyunKMSManagedRAMCrendentialsRolePolicy.
resource "alicloud_ram_policy" "AliyunKMSManagedRAMCrendentialsRolePolicy" {
  policy_name     = "AliyunKMSManagedRAMCrendentialsRolePolicy"
  policy_document = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:ListAccessKeys",
        "ram:CreateAccessKey",
        "ram:DeleteAccessKey",
        "ram:UpdateAccessKey"
      ],
      "Resource": "*"
    }
  ]
}
EOF
  description = "AliyunKMSManagedRAMCrendentialsRolePolicy"
  force       = true
}

// 1.2 Create the RAM role AliyunKMSManagedRAMCrendentialsRole that the KMS service can assume.
resource "alicloud_ram_role" "AliyunKMSManagedRAMCrendentialsRole" {
  name        = "AliyunKMSManagedRAMCrendentialsRole"
  description = "AliyunKMSManagedRAMCrendentialsRole"
  document    = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "kms.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  force = true
}

// 1.3 Attach AliyunKMSManagedRAMCrendentialsRolePolicy to the RAM role AliyunKMSManagedRAMCrendentialsRole.
resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.AliyunKMSManagedRAMCrendentialsRolePolicy.policy_name
  policy_type = alicloud_ram_policy.AliyunKMSManagedRAMCrendentialsRolePolicy.type
  role_name   = alicloud_ram_role.AliyunKMSManagedRAMCrendentialsRole.name
}

// Step 2: create the RAM secret.
resource "alicloud_kms_secret" "kms_secret_RAMCredentials" {
  secret_name      = "$Auto"
  description      = "secret_kms_secret_RAMCredentials"
  secret_type      = "RAMCredentials"
  dkms_instance_id = var.kms_instance_id
  // ID of the key used to encrypt the secret value.
  encryption_key_id             = alicloud_kms_key.aes_key.id
  force_delete_without_recovery = true
  enable_automatic_rotation     = true
  rotation_interval             = "7d"
  extended_config               = "{\"SecretSubType\":\"RamUserAccessKey\", \"UserName\":\"exampleUser2\"}"
  version_id                    = "V1"
  secret_data_type              = "text"
  secret_data                   = "{\"AccessKeys\":[{\"AccessKeyId\":\"********\",\"AccessKeySecret\":\"********\"}]}"
}
```
RDS secret
The following example uses the dual-account hosting mode to show how to create an RDS secret.
```hcl
// Create an RDS secret.
// Prerequisite: you have created the RDS instance rm-7xv1450tq4pj4**** with the accounts rdsuser1 and rdsuser2, whose password is Admin****.
resource "alicloud_kms_secret" "kms_secret_RDS_MYSQL" {
  secret_name      = "rds_secret/rm-7xv1450tq4pj4****"
  secret_type      = "Rds"
  dkms_instance_id = var.kms_instance_id
  // ID of the key used to encrypt the secret value.
  encryption_key_id             = alicloud_kms_key.aes_key.id
  enable_automatic_rotation     = true
  rotation_interval             = "7d"
  force_delete_without_recovery = true
  extended_config               = "{\"SecretSubType\":\"DoubleUsers\", \"DBInstanceId\":\"rm-7xv1450tq4pj4****\" ,\"CustomData\": {}}"
  version_id                    = "V1"
  secret_data_type              = "text"
  secret_data                   = "{\"Accounts\":[{\"AccountName\":\"rdsuser1\",\"AccountPassword\":\"Admin****\"},{\"AccountName\":\"rdsuser2\",\"AccountPassword\":\"Admin****\"}]}"
}
```
Run the terraform init command to initialize the Terraform runtime environment. Run the terraform plan command to generate the resource plan. Run the terraform apply command.
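As an added example that is not part of the original topic, the generic secret from the steps above is rewritten below so that secret_data is supplied through a sensitive input variable instead of a literal string in main.tf, which is what the note about sensitive = true at the start of the procedure recommends. It assumes the alicloud_kms_key.aes_key resource and the kms_instance_id variable from the main.tf above are present; the variable name generic_secret_value and the output name are assumptions.

```hcl
// Added example: generic secret with the value taken from a sensitive variable.
// Supply the value at plan/apply time, for example through the environment:
//   export TF_VAR_generic_secret_value='<the secret value>'
// so it is never written into main.tf or committed to version control.
// (generic_secret_value is an assumed name, not one used by the topic.)
variable "generic_secret_value" {
  type      = string
  sensitive = true
}

resource "alicloud_kms_secret" "kms_secret_general" {
  secret_name                   = "kms_secret_general1"
  description                   = "secret_data_kms_secret_general"
  secret_type                   = "Generic"
  force_delete_without_recovery = true
  dkms_instance_id              = var.kms_instance_id
  encryption_key_id             = alicloud_kms_key.aes_key.id
  version_id                    = "v1"
  secret_data_type              = "text"
  // Because the variable is sensitive, terraform plan and terraform apply
  // print "secret_data = (sensitive value)" instead of the actual string.
  secret_data = var.generic_secret_value
}

// If a wrapping module does need the value, the output must itself be marked
// sensitive; otherwise Terraform refuses to apply the configuration.
output "generic_secret_value" {
  value     = var.generic_secret_value
  sensitive = true
}

// Caveat: sensitive = true only affects CLI output. The value is still stored
// in plain text in the Terraform state, so the state backend must be
// access-controlled and encrypted at rest.
```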