Access model in Alibaba Cloud
StreamNative leverages advanced RAM features in Alibaba Cloud to ensure minimal and precise access, allowing for efficient management of only the necessary resources:
- Bootstrap/Provisioning Role: This role handles the provisioning and maintenance of the underlying infrastructure, such as VPCs, ACK clusters (and associated node groups, and so on) and RAM resources, and is also utilized for troubleshooting during incidents by StreamNative's SRE team. This role is also used for automated management tasks and interacts with the ACK cluster to deploy and manage Pulsar clusters.
- Support Role: This role is used by the StreamNative SRE and Support team for troubleshooting during incidents.
- An external ID for role assumption, enhancing security when third parties access your Alibaba Cloud account (see Use external IDs to prevent the confused deputy issue).
- Tag-based access, through the Vendor: StreamNative tag, is used where applicable: resources are created with this tag, and access is limited to only resources carrying the tag (see Use tags to control access to resources).
- All RAM policies are statically created by the customer (via the StreamNative Vendor Access Terraform module) to limit access.
Provision Alibaba Cloud Access
StreamNative facilitates the setup of the necessary policies and roles through a module. This module can be provisioned in a standalone Terraform project (as documented here), but can also be integrated into existing Terraform projects. For full documentation of the inputs and outputs of the Terraform module, see the module's README on GitHub.
Prerequisites
- New to Terraform? Follow the Terraform Alibaba Cloud Getting Started Tutorial for a basic introduction.
- Install Terraform, version 1.3.0 or greater.
- Ensure you have created an organization through the StreamNative Cloud Console.
Step 1: Create a new project and instantiate the module
Terraform works by having Terraform code (in the form of *.tf files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf with the following content, replacing the referenced variables.
<YOUR_SNCLOUD_ORG_ID>: your StreamNative Cloud organization ID. This is typically an ID like o-xxxxx. It can be found in your organization list or in the top header of the application. If you have multiple organizations, you can put multiple organization IDs in this list.
If you are using git as source control, you need to run the git init command to initialize this folder as a git project.
Step 2: Initialize the Terraform
While the above Terraform code is all that is needed, the module still has to be downloaded into this Terraform project. To do so, run terraform init.
This will download the module and its required dependencies.
Step 3: Create a shell with the correct Alibaba Cloud credentials
Terraform requires Alibaba Cloud credentials with the proper permissions in the target account to create the resources that grant access. The permissions required by the module are all Alibaba Cloud RAM permissions, specifically to manage roles, policies, and attachments. The Alibaba Cloud managed access policy AliyunRAMFullAccess is sufficient to perform these operations.
All of the Terraform Alibaba Cloud credential mechanisms are compatible with the Terraform module.
If you are new to Terraform and Alibaba Cloud, the following steps will provide credentials in your shell:
- Follow the steps to create an access key and secret for your user.
- Set the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_REGION environment variables from the generated credentials.
Step 4: Run the Terraform
After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply.
This will first create a Terraform plan, which shows all the resources to be created.
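The four steps above, wrapped into one re-runnable POSIX shell script. This is an added example and not StreamNative's own code or part of the Vendor Access module; it assumes the current directory already holds the main.tf described in Step 1 (the module instantiation is not reproduced here) and that the terraform binary is on PATH. The function names version_ge, missing_alicloud_env and provision_vendor_access are this example's own. It enforces the 1.3.0 version prerequisite, reports which of the three credential variables are missing without ever printing their values, and applies a saved plan file so that exactly the reviewed resource set is created.

```shell
#!/bin/sh
# Added example, not StreamNative's code: a re-runnable wrapper for Steps 1-4.
# Assumptions: main.tf from Step 1 is already in the current directory and the
# terraform binary is on PATH. Nothing below prints the access key secret.
set -eu

# version_ge A B: succeed when dotted version A is >= version B (3 numeric fields).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Print the names of the Step 3 credential variables that are unset or empty.
# Only names are printed, never values, so this is safe to run in CI logs.
missing_alicloud_env() {
  missing=""
  for v in ALIBABA_CLOUD_ACCESS_KEY_ID ALIBABA_CLOUD_ACCESS_KEY_SECRET ALIBABA_CLOUD_REGION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  echo "${missing# }"
}

# Steps 2 and 4: download the module, write the plan to a file, then apply that
# exact plan so what was reviewed is what gets created.
provision_vendor_access() {
  tf_ver=$(terraform version | sed -n '1s/^Terraform v//p')
  if ! version_ge "${tf_ver:-0.0.0}" "1.3.0"; then
    echo "Terraform 1.3.0 or greater is required, found ${tf_ver:-unknown}" >&2
    return 1
  fi
  m=$(missing_alicloud_env)
  if [ -n "$m" ]; then
    echo "missing credential variables: $m" >&2
    return 1
  fi
  terraform init -input=false
  terraform plan -input=false -out=vendor-access.tfplan
  terraform apply -input=false vendor-access.tfplan
}

# Usage: sh provision.sh run   (the checks alone run when sourced without "run")
if [ "${1:-}" = "run" ]; then
  provision_vendor_access
fi
```

Because AliyunRAMFullAccess is a broad policy, the access key used for this run is worth treating as a bootstrap credential only: run the script from a shell where the variables are set for that session, and review the plan output before the apply step creates the roles and policies.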