
alibabacloud-automation/terraform-alicloud-service-linked-role


terraform-alicloud-service-linked-role


Terraform module used to automatically create several service linked roles and system-defined service roles on Alibaba Cloud.

These types of resources are supported:

Terraform versions

Name       Version
terraform  >= 0.13.0
alicloud   >= 1.159.0

Usage

Service Linked Role

Creating service linked roles using service name

You can create several service linked roles by specifying product name, like ack_one, adb, alikafka, etc.

module "slr-with-service-name" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_linked_role_with_service_names = [
    "ack_one",
    "actiontrail",
    "alidns",
    "adb",
    "gpdb",
    "ddos_bgp",
    "api_gateway",
    "alb"
  ]
}

If you don't want to create all the linked roles of a product, you can set exclude_service_linked_role_with_role_names to skip them.

module "slr-with-service-name" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_linked_role_with_service_names = [
    "ack_one",
    "actiontrail",
    "alidns",
    "adb",
    "gpdb",
    "ddos_bgp",
    "api_gateway",
    "alb"
  ]
  exclude_service_linked_role_with_role_names = [
    "AliyunServiceRoleForApiGatewayConnectUserVpc",
    "AliyunServiceRoleForApigatewayPutEventsToEventBridge",
    "AliyunServiceRoleForApiGatewayIntegrateWithMicroservices"
  ]
}

Creating service linked roles using role name

You can create several service linked roles by specifying role name.

module "slr-with-role-name" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_linked_role_with_role_names = [
    "AliyunServiceRoleForAlikafkaConnector",
    "AliyunServiceRoleForAlikafkaInstanceEncryption",
    "AliyunServiceRoleForAlikafka",
    "AliyunServiceRoleForAlikafkaETL"
  ]
}

Creating service linked roles using service id

You can create several service linked roles by specifying the service id, like "adcp.aliyuncs.com", "actiontrail.aliyuncs.com", etc.

module "slr-with-service-ids" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_linked_role_with_service_ids = [
    "network-insights.ecs.aliyuncs.com",
    "workbench.ecs.aliyuncs.com"
  ]
}

Service Role

Creating service roles using service name

You can create several service roles by specifying product name, like ack_one, adb, alikafka, etc.

module "sr-with-service-name" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_role_with_service_names = [
    "ack_one",
    "actiontrail",
    "alikafka",
    "alidns",
    "adb",
  ]
}

If you don't want to create all the service roles of a product, you can set exclude_service_role_with_role_names to skip them.

module "sr-with-service-name" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_role_with_service_names = [
    "ack_one",
    "actiontrail",
    "alikafka",
    "alidns",
    "adb",
  ]
  exclude_service_role_with_role_names = [
    "AliyunAnalyticDBAccessingDTSRole",
    "AliyunAnalyticDBAccessingLogRole"
  ]
}

Creating service roles using role name

You can create several service roles by specifying role name.

module "sr-with-role-name" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_role_with_role_names = [
    "AliyunCSDefaultRole",
    "AliyunCISDefaultRole",
    "AliyunCSServerlessKubernetesRole",
    "AliyunCSKubernetesAuditRole",
    "AliyunCSManagedAcrRole"
  ]
}

Creating service roles using self defined roles

You can create several service roles by specifying the role name, trust policy document, description and the system policy to attach.

module "slr-with-self-defined-roles" {
  source = "terraform-alicloud-modules/service-linked-role/alicloud"
  service_role_with_self_roles = [
    {
      name        = "AliyunARMSAccessingECSRole"
      description = "The ARMS will use this role to access your resources in other services."
      policy_type = "System"
      policy_name = "AliyunARMSAccessingECSRolePolicy"
      document    = <<EOF
          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": [
                    "arms.aliyuncs.com"
                  ]
                }
              }
            ],
            "Version": "1"
          }
        EOF
    },
    {
      name        = "AliyunARMSDefaultRole"
      description = "The ARMS will use this role to access your resources in other services."
      policy_name = "AliyunARMSRolePolicy"
      policy_type = "System"
      document    = <<EOF
          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": [
                    "arms.aliyuncs.com"
                  ]
                }
              }
            ],
            "Version": "1"
          }
        EOF
    }
  ]
}
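The document field above is the trust policy RAM evaluates when a service asks to assume the role, so it decides which principal can become that role. As an added example (not code from the module or its README), the following Python function reviews such a document before it is applied: it confirms the policy Version is "1", that Allow statements grant only sts:AssumeRole, and that every principal is a named Alibaba Cloud service principal rather than a wildcard or a RAM user/role. The README's ARMS policy is embedded as the good sample; the over-broad sample is constructed for the test and is not from the page, and the ".aliyuncs.com" suffix check is an assumption about how service principals are spelled.

```python
import json

# Sample 1: the trust policy document from the README's self-defined-role example.
README_TRUST_POLICY = """
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "arms.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
"""

# Sample 2 (constructed, not from the page): the same role with an extra
# over-broad action and a wildcard RAM principal, i.e. what a review should flag.
OVERBROAD_TRUST_POLICY = json.dumps({
    "Statement": [
        {
            "Action": ["sts:AssumeRole", "sts:*"],
            "Effect": "Allow",
            "Principal": {"RAM": ["*"], "Service": ["arms.aliyuncs.com"]},
        }
    ],
    "Version": "1",
})


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_service_trust_policy(document: str, expected_services: set) -> list:
    """Return a list of findings; an empty list means the trust policy is acceptable.

    Checks a service role's AssumeRole (trust) policy for:
      * valid JSON and policy Version "1"
      * Allow statements that grant only sts:AssumeRole
      * principals that are named service principals (assumed to end in
        ".aliyuncs.com"), with no wildcards, no RAM user/role principals and
        only the services the role is meant for
    """
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]

    if policy.get("Version") != "1":
        findings.append(f"unexpected policy Version {policy.get('Version')!r}, expected \"1\"")

    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append("policy has no Statement")

    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"statement {idx}: action {action!r} is broader than sts:AssumeRole")

        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # "*" or a missing Principal lets anyone assume the role
            findings.append(f"statement {idx}: Principal {principal!r} is not a restricted principal map")
            continue
        for ptype, members in principal.items():
            for member in _as_list(members):
                if ptype != "Service":
                    findings.append(f"statement {idx}: non-service principal {ptype}={member!r}")
                elif "*" in member:
                    findings.append(f"statement {idx}: wildcard service principal {member!r}")
                elif not member.endswith(".aliyuncs.com"):
                    findings.append(f"statement {idx}: {member!r} is not an Alibaba Cloud service principal")
                elif member not in expected_services:
                    findings.append(f"statement {idx}: unexpected service principal {member!r}")
    return findings


if __name__ == "__main__":
    for label, doc in [("readme", README_TRUST_POLICY), ("overbroad", OVERBROAD_TRUST_POLICY)]:
        print(label, check_service_trust_policy(doc, {"arms.aliyuncs.com"}) or "OK")
```

Run it against each document you intend to pass in service_role_with_self_roles (the expected_services set is the list of services that should legitimately assume the role); any non-empty result is worth resolving before terraform apply, since a trust policy that admits extra principals hands the attached system policy to them as well.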

Examples

Notes

Avoid Error EntityAlreadyExists.Role

If you have used the terraform-alicloud-enable module to enable the following services, those services create some service linked roles synchronously. When using this module, set exclude_service_role_with_role_names to skip them and avoid the error EntityAlreadyExists.Role.

enabled service                       synchronously created slr
alicloud_cen_transit_router_service   AliyunServiceRoleForCEN
alicloud_privatelink_service          AliyunServiceRoleForPrivatelink
alicloud_log_service                  AliyunServiceRoleForSLSAudit

Destroy Failure

Currently, deleting the following service linked roles may fail. If that happens, please open an issue or contact us.

service name    deleting failed slr
api_gateway     AliyunServiceRoleForApiGateway
                AliyunServiceRoleForApiGatewayConnectUserVpc
                AliyunServiceRoleForApiGatewayIntegrateWithMicroservices
                AliyunServiceRoleForApiGatewayMonitoring
                AliyunServiceRoleForApigatewayPutEventsToEventBridge
bss_open_api    AliyunServiceRoleForBssOpenApi
cdn             AliyunServiceRoleForCDNLogDelivery
dcdn            AliyunServiceRoleForDCDNLogDelivery
ecs             AliyunServiceRoleForECSArchiving
ehpc            AliyunServiceRoleForEHPCManagedNetwork
eflo            AliyunServiceRoleForEfloCnp
                AliyunServiceRoleForEfloVcc
elasticsearch   AliyunServiceRoleForElasticsearch
fc              AliyunServiceRoleForFC
iot             AliyunServiceRoleForIoTCloudSource
kms             AliyunServiceRoleForKMSKeyStore
                AliyunServiceRoleForKMSSecretsManagerForECS
                AliyunServiceRoleForKMSSecretsManagerForRDS
nas             AliyunServiceRoleForNasLogDelivery
ots             AliyunServiceRoleForOTSDataDelivery
ocean_base      AliyunServiceRoleForOceanBaseEncryption
                AliyunServiceRoleForOceanBaseSecurityGroup
                AliyunServiceRoleForOceanBaseTenantInstance
                AliyunServiceRoleForOceanbaseMigrationAssessment
rds             AliyunServiceRoleForRds
                AliyunServiceRoleForRdsMyBaseProprietary
sls             AliyunServiceRoleForSLSAlert
open_search     AliyunServiceRoleForSearchEngine
imp             AliyunServiceRolePolicyForImp

Authors

Created and maintained by the Alibaba Cloud Terraform Team (terraform@alibabacloud.com).

License

MIT Licensed. See LICENSE for full details.
