Before you can provision a BYOC infrastructure pool, you will need to authorize the StreamNative Cloud control plane to access your cloud accounts. This enables StreamNative to provision and manage clusters within your Alibaba Cloud account. This document describes how to grant such access to StreamNative Cloud for an Alibaba Cloud account.

Access model in Alibaba Cloud

StreamNative uses Alibaba Cloud RAM features to scope its access narrowly, so that only the resources it needs to manage are reachable:
  • Bootstrap/Provisioning Role: This role provisions and maintains the underlying infrastructure (VPCs, ACK clusters and their node groups, RAM resources, and so on) and is also used by StreamNative’s SRE team for troubleshooting during incidents. It additionally serves automated management tasks, interacting with the ACK cluster to deploy and manage Pulsar clusters.
  • Support Role: This role is used by the StreamNative SRE and Support teams for troubleshooting during incidents.
Both roles use the same trust policy, which allows StreamNative’s cloud manager role to assume these roles within the customer’s account. These roles are safeguarded using several Alibaba Cloud security features:

Provision Alibaba Cloud Access

StreamNative provides a Terraform module that sets up the necessary policies and roles. The module can be provisioned in a standalone Terraform project (as documented here), or integrated into an existing Terraform project. For full documentation of the module’s inputs and outputs, see the module’s README on GitHub.

Prerequisites

If you run into issues, please contact the StreamNative Support team.

Step 1: Create a new project and instantiate the module

Terraform works with Terraform code (in the form of *.tf files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf with the following content, replacing the placeholder values.
provider "alicloud" {
  region = "ap-southeast-1"
}

module "vendor_access" {
  source           = "github.com/streamnative/terraform-managed-cloud//modules/alicloud/vendor-access?ref=v3.22.0"
  organization_ids = ["<YOUR_SNCLOUD_ORG_ID>"]
}
  • <YOUR_SNCLOUD_ORG_ID>: your StreamNative Cloud organization ID. This is typically an ID like o-xxxxx, and can be found in your organization list or in the top header of the application. If you have multiple organizations, you can put multiple organization IDs in this list.
If you are using git as source control, run git init to initialize this folder as a git repository.

Step 2: Initialize the Terraform

The Terraform code above is all that is needed, but the module itself still has to be downloaded into this Terraform project. To do so, run terraform init. This downloads the module and its required dependencies.

Step 3: Create a shell with the correct Alibaba Cloud credentials

Terraform requires Alibaba Cloud credentials with sufficient permissions in the target account to create the resources that grant access. The permissions the module needs are all Alibaba Cloud RAM permissions, specifically to manage roles, policies, and attachments. The Alibaba Cloud managed policy AliyunRAMFullAccess is sufficient to perform these operations. All of the Terraform Alibaba Cloud credential mechanisms are compatible with the module. If you are new to Terraform and Alibaba Cloud, the following steps will provide credentials in your shell:
  1. Follow the steps to create an access key and secret for your user.
  2. Set the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_REGION environment variables from the generated credentials.

Step 4: Run the Terraform

After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply. This produces a Terraform plan showing all the resources to be created and prompts you to confirm before creating them.

Step 5: Annotate the account ID to be used by StreamNative

Once the apply has completed, note the account ID of the Alibaba Cloud account to which you have granted StreamNative Cloud access. You will use this account ID to create a Cloud Connection.
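As an added example (not StreamNative's own tooling and not part of the module), the following POSIX shell script strings Steps 1 through 5 together: it validates that every organization ID has the o-xxxxx shape before it is written into main.tf, checks that the three credential variables from Step 3 are set before Terraform is invoked, saves the plan to a file and applies exactly that file so only the reviewed plan is executed, and looks up the account ID for Step 5. The working-directory argument, the ORG_IDS and RUN_APPLY variables, the plan-file name tfplan, and the use of the aliyun CLI's STS GetCallerIdentity call for the account lookup are assumptions of this example.

```shell
#!/bin/sh
# Added example, not StreamNative code. Wraps Steps 1-5 of the page.
# Usage: ORG_IDS="o-abc12 o-def34" sh grant-access.sh ./sn-vendor-access ap-southeast-1
# Set RUN_APPLY=1 to go on to terraform init/plan/apply after main.tf is written.
set -eu

# Module source exactly as shown on the page.
MODULE_SOURCE='github.com/streamnative/terraform-managed-cloud//modules/alicloud/vendor-access?ref=v3.22.0'

# Step 1 guard: organization IDs look like o-xxxxx. Refusing anything else means a
# typo cannot grant access to an unintended organization. Returns 0 when all IDs are well-formed.
validate_org_ids() {
  [ $# -gt 0 ] || return 1
  for id in "$@"; do
    printf '%s\n' "$id" | grep -Eq '^o-[a-z0-9]+$' || return 1
  done
  return 0
}

# Step 1: print the main.tf content on stdout. Arguments: region, then one or more org IDs.
render_main_tf() {
  region=$1; shift
  validate_org_ids "$@" || { echo "invalid organization id(s): $*" >&2; return 1; }
  ids=""
  for id in "$@"; do
    ids="${ids:+$ids, }\"$id\""
  done
  cat <<EOF
provider "alicloud" {
  region = "$region"
}

module "vendor_access" {
  source           = "$MODULE_SOURCE"
  organization_ids = [$ids]
}
EOF
}

# Step 3 check: prints how many of the credential variables the alicloud provider reads
# are unset or empty (0 means all present). Failing early here avoids Terraform erroring
# out late, or silently picking up credentials from a different profile.
missing_credentials() {
  n=0
  for v in ALIBABA_CLOUD_ACCESS_KEY_ID ALIBABA_CLOUD_ACCESS_KEY_SECRET ALIBABA_CLOUD_REGION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || n=$((n + 1))
  done
  echo "$n"
}

# Steps 2 and 4: download the module, write the plan to tfplan, ask for review, then apply
# that file. Applying the saved plan guarantees the reviewed changes are the applied ones.
provision() {
  workdir=$1
  [ "$(missing_credentials)" -eq 0 ] || { echo "set the ALIBABA_CLOUD_* variables first" >&2; return 1; }
  cd "$workdir"
  terraform init
  terraform plan -out=tfplan
  printf 'Review the plan above. Apply it? [y/N] '
  read -r answer
  [ "$answer" = "y" ] || { echo "apply cancelled" >&2; return 1; }
  terraform apply tfplan
}

# Step 5: the account ID to record for the Cloud Connection. Assumes the aliyun CLI is
# installed and configured with the same credentials; extracts AccountId from its JSON output.
account_id() {
  aliyun sts GetCallerIdentity | grep -o '"AccountId": *"[0-9][0-9]*"' | grep -o '[0-9][0-9]*'
}

# Only act when invoked with a working directory and a region.
if [ $# -ge 2 ]; then
  workdir=$1; region=$2
  mkdir -p "$workdir"
  # ORG_IDS is whitespace-separated on purpose; leave it unquoted so it splits.
  render_main_tf "$region" ${ORG_IDS:?list your o-... organization IDs in ORG_IDS} > "$workdir/main.tf"
  echo "wrote $workdir/main.tf"
  if [ "${RUN_APPLY:-0}" = "1" ]; then
    provision "$workdir"
    echo "account ID for the Cloud Connection: $(account_id)"
  fi
fi
```

Running it without RUN_APPLY only writes main.tf, which you can commit and inspect before letting it touch the account. The plan is deliberately saved and applied from the file rather than through a bare terraform apply, so what Terraform creates cannot drift from what was reviewed between the two commands.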

Next steps

After granting access, you can set up a Cloud Connection to allow the StreamNative Cloud control plane to interact with your Alibaba Cloud account.