阿里云体验之Terraform&RAM

Posted on

背景

完整配置文件地址

目标: 通过创建一个demo应用熟悉企业上云的基本流程

应用名: miniweb

规划用户体系

image-20200611110619908

由于项目比较简单,所以就假设有六个角色,这里角色可以使用用户组实现

  • 超级管理员: 拥有全部权限
  • 系统管理员: 拥有除RAM,财务之外的所有权限
  • 开发工程师: 有机器权限
  • DBA: 拥有数据库权限
  • 财务: 拥有财务相关权限
  • 普通用户: 没有任何权限,留作备用

1.1 创建用户组

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# 创建超级管理员组
resource "alicloud_ram_group" "cloud_admin_group" {
  name     = "CloudAdminGroup"
  comments = "超级管理员组"
  force    = true
}

# 创建系统管理员组
resource "alicloud_ram_group" "system_admin_group" {
  name     = "SystemAdminGroup"
  comments = "系统管理员组"
  force    = true
}

# 创建财务组
resource "alicloud_ram_group" "billing_admin_group" {
  name     = "BillingAdminGroup"
  comments = "财务组"
  force    = true
}

# 创建普通用户组
resource "alicloud_ram_group" "common_user_group" {
  name     = "CommonUserGroup"
  comments = "普通用户组"
  force    = true
}



# 创建开发用户组
resource "alicloud_ram_group" "dev_group" {
  name     = "DevGroup"
  comments = "开发组"
  force    = true
}

# 创建DBA用户组
resource "alicloud_ram_group" "dba_group" {
  name     = "DBAGroup"
  comments = "DBA组"
  force    = true
}

1.2 为用户组授权

这里运维的权限比较特殊,需要自定义策略,其他都是系统自带的策略

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# 创建运维权限策略
resource "alicloud_ram_policy" "system_admin_policy" {
  name        = "CustomSystemAdminAccess"
  document    = <<EOF
  {
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction":
                [
                    "ram:*",
                    "ims:*",
                    "resourcemanager:*",
                    "bss:*",
                    "bssapi:*",
                    "efc:*"
                ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action":
                [
                    "ram:GetRole",
                    "ram:ListRoles",
                    "ram:CreateServiceLinkedRole",
                    "ram:DeleteServiceLinkedRole",
                    "bss:DescribeOrderList",
                    "bss:DescribeOrderDetail",
                    "bss:PayOrder",
                    "bss:CancelOrder"
                ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
  EOF
  description = "ops policy"
  force       = true
}



# 为超级管理员组授权
resource "alicloud_ram_group_policy_attachment" "cloud_admin_group_policy_attachment" {
  policy_name = "AdministratorAccess"
  policy_type = "System"
  group_name  = alicloud_ram_group.cloud_admin_group.name
}


# 为财务组授权AliyunBSSFullAccess
resource "alicloud_ram_group_policy_attachment" "bss_group_policy_attachment_AliyunBSSFullAccess" {
  policy_name = "AliyunBSSFullAccess"
  policy_type = "System"
  group_name  = alicloud_ram_group.billing_admin_group.name
}

# 为财务组授权AliyunFinanceConsoleFullAccess
resource "alicloud_ram_group_policy_attachment" "cloud_admin_group_policy_attachment_AliyunFinanceConsoleFullAccess" {
  policy_name = "AliyunFinanceConsoleFullAccess"
  policy_type = "System"
  group_name  = alicloud_ram_group.billing_admin_group.name
}

# 为运维用户组授权
resource "alicloud_ram_group_policy_attachment" "system_admin_group_policy_attachment" {
  policy_name = alicloud_ram_policy.system_admin_policy.name
  policy_type = alicloud_ram_policy.system_admin_policy.type
  group_name  = alicloud_ram_group.system_admin_group.name
}

# 为开发用户组授权
resource "alicloud_ram_group_policy_attachment" "dev_group_policy_attachment" {
  policy_name = "AliyunECSFullAccess"
  policy_type = "System"
  group_name  = alicloud_ram_group.dev_group.name
}

# 为DBA用户组授权
resource "alicloud_ram_group_policy_attachment" "dba_group_policy_attachment" {
  policy_name = "AliyunRDSFullAccess"
  policy_type = "System"
  group_name  = alicloud_ram_group.dba_group.name
}

1.3 创建用户

这里为admin用户创建了一把AK

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# 创建用户: admin
resource "alicloud_ram_user" "user_admin" {
  name         = "admin"
  display_name = "管理员"
}

# admin 创建AK
resource "alicloud_ram_access_key" "admin_ak" {
  user_name   = alicloud_ram_user.user_admin.name
  secret_file = "./admin_ak.txt"
}

# 创建运维用户
resource "alicloud_ram_user" "user_ops_1" {
  name         = "ops_cheng"
  display_name = "程运维"
}
# 创建开发用户
resource "alicloud_ram_user" "user_dev_1" {
  name         = "dev_wang"
  display_name = "王开发"
}
# 创建DBA用户
resource "alicloud_ram_user" "user_dba_1" {
  name         = "dba_li"
  display_name = "李数据"
}

# 创建财务用户
resource "alicloud_ram_user" "user_bill_1" {
  name         = "bill_zhao"
  display_name = "赵管钱"
}

# 将admin加入超级管理员组
resource "alicloud_ram_group_membership" "membership_admin" {
  group_name = alicloud_ram_group.cloud_admin_group.name
  user_names = [alicloud_ram_user.user_admin.name]
}

# 将运维用户加入运维组
resource "alicloud_ram_group_membership" "membership_ops" {
  group_name = alicloud_ram_group.system_admin_group.name
  user_names = [alicloud_ram_user.user_ops_1.name]
}
# 将开发用户加入开发组
resource "alicloud_ram_group_membership" "membership_dev" {
  group_name = alicloud_ram_group.dev_group.name
  user_names = [alicloud_ram_user.user_dev_1.name]
}
# 将DBA用户加入DBA
resource "alicloud_ram_group_membership" "membership_dba" {
  group_name = alicloud_ram_group.dba_group.name
  user_names = [alicloud_ram_user.user_dba_1.name]
}


# 将财务用户加入财务组
resource "alicloud_ram_group_membership" "membership_bill" {
  group_name = alicloud_ram_group.billing_admin_group.name
  user_names = [alicloud_ram_user.user_bill_1.name]
}