Terraform module that creates RAM policies on Alibaba Cloud.
terraform-alicloud-ram-policy
English | 简体中文
This Terraform module creates custom RAM policies on Alibaba Cloud.
The following resource types are supported:
Usage
module "ram-policy" {
  source = "terraform-alicloud-modules/ram-policy/alicloud"

  # Every element of `policies` becomes one custom RAM policy. A policy can be
  # assembled from system-defined action groups (`defined_actions`), from
  # explicit `service:Operation` strings (`actions`) scoped to `resources`,
  # or from a mix of both.
  policies = [
    # -----------------------------------------------------------------
    # 1. Policy built only from system-defined action groups
    # -----------------------------------------------------------------
    {
      # Optional. When omitted the module generates a name carrying the
      # prefix `terraform-ram-policy-`.
      name = "test"

      # Comma-separated system-defined action groups; the available group
      # names and the operations each one expands to are listed in the
      # module's `policies.tf`.
      defined_actions = join(",", [
        "instance-create",
        "vpc-create",
        "vswitch-create",
        "security-group-create",
      ])

      # NOTE(review): no `resources` entry is given, so this Allow presumably
      # applies to every resource of these types in the account — confirm the
      # module's default before handing out create rights this broadly.
      effect = "Allow"

      # NOTE(review): `force` looks like it lets the policy be replaced or
      # deleted even while attached — confirm against the module's variables.
      force = "true"
    },

    # -----------------------------------------------------------------
    # 2. Policy built only from explicit actions on explicit resources
    # -----------------------------------------------------------------
    {
      # Explicit `service:Operation` strings ...
      actions = join(",", [
        "ecs:ModifyInstanceAttribute",
        "vpc:ModifyVpc",
        "vswitch:ModifyVSwitch",
      ])

      # ... restricted to these exact resource identifiers (ARNs).
      resources = join(",", [
        "acs:ecs:*:*:instance/i-001",
        "acs:vpc:*:*:vpc/v-001",
        "acs:vpc:*:*:vswitch/vsw-001",
      ])

      # An explicit Deny on named resources is the safe way to carve
      # exceptions out of a wider Allow (RAM is expected to let Deny win
      # over Allow — verify against the RAM evaluation rules you rely on).
      effect = "Deny"
    },

    # -----------------------------------------------------------------
    # 3. Policy mixing system-defined groups with explicit actions
    # -----------------------------------------------------------------
    {
      defined_actions = join(",", [
        "security-group-read",
        "security-group-rule-read",
      ])

      actions = join(",", [
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
      ])

      # Region is pinned to `cn-qingdao`; the `*` in the account-id and
      # resource-id positions matches any instance / security group in
      # that region, so the grant does not reach other regions.
      resources = join(",", [
        "acs:ecs:cn-qingdao:*:instance/*",
        "acs:ecs:cn-qingdao:*:security-group/*",
      ])

      effect = "Allow"
    },
  ]
}
Examples
Notes
Starting with version v1.1.0, the module no longer contains the following provider
block:
provider "alicloud" {
  # Lower-bound-only constraint: any newer provider release satisfies it,
  # so `terraform init` can silently pick up breaking changes. Pin a
  # bounded range (e.g. `~> 1.64`) in your own root module for
  # reproducible runs.
  version = ">=1.64.0"

  # Region handling: an empty module input means "not given"; passing
  # `null` leaves the provider argument unset.
  region                 = var.region == "" ? null : var.region
  skip_region_validation = var.skip_region_validation

  # Credentials are resolved by profile name from the shared credentials
  # file — no access keys are inlined in the configuration.
  profile                 = var.profile == "" ? null : var.profile
  shared_credentials_file = var.shared_credentials_file == "" ? null : var.shared_credentials_file

  configuration_source = "terraform-alicloud-modules/ram-policy"
}
If you still want the module's own provider block to apply this module, pin a module version that
still carries it, for example 1.0.0:
module "ram-policy" {
  source = "terraform-alicloud-modules/ram-policy/alicloud"

  # Exact pin to a release that still embeds its own provider block;
  # region and profile are therefore passed as module inputs.
  version = "1.0.0"
  region  = "cn-shenzhen"

  # Named profile from the shared credentials file — keep access keys
  # out of the configuration itself.
  profile = "Your-Profile-Name"

  policies = [
    {
      name = "test"

      defined_actions = join(",", [
        "instance-create",
        "vpc-create",
        "vswitch-create",
        "security-group-create",
      ])

      effect = "Allow"
      force  = "true"
    },
  ]

  # ...
}
If you want to upgrade the module to 1.1.0 or later in place, define a provider that uses the same region as before:
provider "alicloud" {
  # Default (un-aliased) provider inherited by the module; keep the region
  # identical to the one the old in-module provider used so existing
  # state is not re-homed.
  region = "cn-shenzhen"

  # Credentials by profile name, not inline access keys.
  profile = "Your-Profile-Name"
}
module "ram-policy" {
  source = "terraform-alicloud-modules/ram-policy/alicloud"

  # No `version` pin here, so the latest published module release is used;
  # pin one for reproducible plans.
  policies = [
    {
      name = "test"

      defined_actions = join(",", [
        "instance-create",
        "vpc-create",
        "vswitch-create",
        "security-group-create",
      ])

      effect = "Allow"
      force  = "true"
    },
  ]

  # ...
}
or pass an aliased provider with a fixed region to the module through its `providers` map:
provider "alicloud" {
  # Aliased provider, selected explicitly by the module via `providers`.
  alias = "sz"

  region = "cn-shenzhen"

  # Credentials by profile name, not inline access keys.
  profile = "Your-Profile-Name"
}
module "ram-policy" {
  source = "terraform-alicloud-modules/ram-policy/alicloud"

  # Map the module's `alicloud` provider requirement onto the aliased
  # provider so every resource inside it is created in that region.
  providers = {
    alicloud = alicloud.sz
  }

  policies = [
    {
      name = "test"

      defined_actions = join(",", [
        "instance-create",
        "vpc-create",
        "vswitch-create",
        "security-group-create",
      ])

      effect = "Allow"
      force  = "true"
    },
  ]

  # ...
}
Then run `terraform init` followed by `terraform apply` so that the newly defined provider is applied to the module's existing state.
For more details, see "How to use provider in the module".
Terraform versions
Name | Version |
---|---|
terraform | >= 0.12.0 |
alicloud | >= 1.64.0 |
Authors
Created and maintained by Alibaba Cloud Terraform Team([email protected])
License
Apache 2 Licensed. See LICENSE for full details.