Create a container image repository and an authorized RAM account in one step

This topic describes how to use Terraform to create, in one step, a namespace, container image repositories, and an authorized RAM account.

Prerequisites

Before you begin, make sure that you have completed the following operations:

Background information

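Alibaba Cloud Container Registry provides secure hosting for application images, accurate image security scanning, a stable image build service, and convenient image authorization, which helps users manage the full image lifecycle. When our DevOps tools need to access and use container image repositories created on Alibaba Cloud, they must be authorized through an Alibaba Cloud account. With the Terraform module (cr), we can create, in one step, a RAM sub-account that has permission to access the target repositories, which grants precise permissions and avoids security risks.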

Procedure

  1. Write the Terraform script.

    1. Declare the module in the main.tf file. The file content is as follows:

      variable "region" {
        default = "cn-beijing"
      }
      provider "alicloud" {
        region = var.region
      }
      
      resource "random_integer" "default" {
        min = 10000
        max = 99999
      }
      module "cr" {
        source  = "roura356a/cr/alicloud"
        version = "1.3.1"
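        # Namespace name
        namespace = "cr_repo_namespace_auto-${random_integer.default.result}"
        # List of repositories to authorize
        repositories = ["one", "two", "three"]
        # For ease of demonstration, a low-security password is set here. When you use this template, be sure to change it to a strong password that meets your security requirements.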
        password = "YourPassword@123"
      }
      
    2. Define the output parameters in the outputs.tf file. The file content is as follows:

      output "cr_namespace" {
        description = "The CR Namespace's ID"
        value       = module.cr.cr_namespace
      }
      
      output "cr_access_key" {
        description = "The CR Namespace's Access Key"
        value       = module.cr.cr_access_key
      }
      
      output "cr_user" {
        description = "The CR Namespace's User"
        value       = module.cr.cr_user
      }
      
      output "ram_user" {
        description = "The RAM User"
        value       = module.cr.ram_user
      }
      
      output "ram_console_username" {
        description = "Console login username"
        value       = module.cr.ram_console_username
      }
      
      output "cr_endpoint" {
        description = "Public endpoint of the registry"
        value       = module.cr.cr_endpoint
      }
      
      output "repository_ids" {
        description = "List of repository IDs created"
        value       = module.cr.repository_ids
      }
      
      output "disposable_password" {
        description = "Password to activate the console login profile, forces to reset it"
        value       = module.cr.disposable_password
      }
      
      output "access_key_status" {
        description = "Status of the created AccessKey"
        value       = module.cr.access_key_status
      }
      
      output "ram_policy_name" {
        description = "The RAM policy name"
        value       = module.cr.ram_policy_name
      }
      
      output "ram_policy_type" {
        description = "The RAM policy type"
        value       = module.cr.ram_policy_type
      }
      
      output "ram_policy_attachment" {
        description = "The RAM policy attachment ID"
        value       = module.cr.ram_policy_attachment
      }
  2. Run terraform init to initialize the working directory.

    terraform init

    The command output is similar to the following:

    Initializing modules...
    Downloading roura356a/cr/alicloud 1.3.0 for cr...
    - cr in .terraform\modules\cr\roura356a-terraform-alicloud-cr-c60a3d4
    
    Initializing the backend...
    
    Initializing provider plugins...
    - Checking for available provider plugins...
    - Downloading plugin for provider "alicloud" (hashicorp/alicloud) 1.68.0...
    - Downloading plugin for provider "random" (hashicorp/random) 2.2.1...
    
    The following providers do not have any version constraints in configuration,
    so the latest version was installed.
    
    To prevent automatic upgrades to new major versions that may contain breaking
    changes, it is recommended to add version = "..." constraints to the
    corresponding provider blocks in configuration, with the constraint strings
    suggested below.
    
    * provider.random: version = "~> 2.2"
    
    Terraform has been successfully initialized!
    
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    
    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.
  3. Run terraform apply to start creating the resources.

    terraform apply

    The command output is similar to the following:

    module.cr.data.alicloud_account.current: Refreshing state...
    module.cr.data.alicloud_regions.current: Refreshing state...
    
    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create
    
    Terraform will perform the following actions:
    
    ...
    
    Plan: 10 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value: yes
    
    module.cr.random_string.cr_console_password: Creating...
    ...
    
    Apply complete! Resources: 10 added, 0 changed, 0 destroyed.
    
    Outputs:
    
    access_key_status = Active
    cr_access_key = LTAI4FfqhU7csppPe******
    cr_endpoint = registry.cn-hangzhou.aliyuncs.com
    cr_namespace = cr_repo_namespace
    cr_user = cr_repo_namespace-cr-user
    disposable_password = er1PQu******
    ram_console_username = cr_repo_namespace-cr-user@1231579085******.onaliyun.com
    ram_policy_attachment = user:cr_repo_namespace-cr-policy:Custom:cr_repo_namespace-cr-user
    ram_policy_name = cr_repo_namespace-cr-policy
    ram_policy_type = Custom
    ram_user = cr_repo_namespace-cr-user
    repository_ids = [
      "cr_repo_namespace/one",
      "cr_repo_namespace/two",
      "cr_repo_namespace/three",
    ]

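    In addition, the file cr-cr_repo_namespace-ak.json is generated in the execution directory. This file stores the AccessKey information of the created RAM sub-account that has permission to access the target repositories. The file content is as follows: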

    {
        "AccessKeySecret": "qkxn1AkG6B50******sneyCQDuurcW",
        "CreateDate": "2020-01-07T07:00:00Z",
        "Status": "Active",
        "AccessKeyId": "LTAI4Ff******ppPeLRkJHES"
    }
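
After the apply, the execution directory holds the AccessKeySecret in cr-cr_repo_namespace-ak.json, the same values in the Terraform state, and the demo password in main.tf. The following check is an added example, not part of the original page or of the cr module; it assumes a POSIX host, and the function name audit_workdir and the simplified .gitignore matching are choices made for this illustration.

```python
import re
import stat
from pathlib import Path

# Files that hold the AccessKeySecret or console password in plain text.
# The first pattern is the key file named on this page; Terraform state files
# also store every output value unencrypted.
SECRET_PATTERNS = ("cr-*-ak.json", "terraform.tfstate", "terraform.tfstate.backup")
# A quoted literal such as: password = "YourPassword@123" (interpolations skipped).
HARDCODED_PW = re.compile(r'^\s*password\s*=\s*"[^"$]+"', re.MULTILINE)


def audit_workdir(workdir, fix=False):
    """Return findings for a Terraform working directory; optionally repair them."""
    root = Path(workdir)
    gitignore = root / ".gitignore"
    ignored = set(gitignore.read_text().split()) if gitignore.exists() else set()
    findings, to_ignore = [], []

    for pattern in SECRET_PATTERNS:
        for path in sorted(root.glob(pattern)):
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append(f"{path.name}: mode {mode:03o} is accessible beyond the owner")
                if fix:
                    path.chmod(0o600)
            # Simplified check: exact pattern or file name listed in .gitignore.
            if not {pattern, path.name} & ignored:
                findings.append(f"{path.name}: not listed in .gitignore")
                if pattern not in to_ignore:
                    to_ignore.append(pattern)

    # The password literal cannot be repaired automatically; it is only reported.
    for tf_file in sorted(root.glob("*.tf")):
        if HARDCODED_PW.search(tf_file.read_text(encoding="utf-8")):
            findings.append(f"{tf_file.name}: password set as a literal in configuration")

    if fix and to_ignore:
        with gitignore.open("a") as fh:
            fh.write("\n" + "\n".join(to_ignore) + "\n")
    return findings


if __name__ == "__main__":
    for finding in audit_workdir("."):
        print(finding)
```

Run it in the directory where terraform apply was executed; with fix=True it sets the secret files to mode 600 and appends the missing patterns to .gitignore.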