中文|English
This solution uses Terraform automation. It uses Terraform to create a new access control policy and bind it to the resource folder specified by the user.
- Terraform is installed in the current environment.
- You have obtained the AccessKeys of RAM users in the management account, and the users have permissions to complete the operations. Go to the Alibaba Cloud account, create a RAM user, generate an AccessKey, and grant the user the
AliyunResourceDirectoryFullAccesspermission. - The resource directory service is enabled for the user, and the access control policy service in resource directories is also enabled.
- Download the code and decompress it to a directory.
- Open the
settings.tfvarsfile with the editor and modify the configuration items in the file.
- Set access_key and secret_key respectively to the values of AccessKey ID and AccessKey secret in prerequisites.
- Modify the
control_policyandresource_manager_folder_idsconfigurations based on your needs.
# Policy name
control_policy_name = "policy1"
# Policy description
description = ""
# Scope where the policy takes effect
effect_scope = "RAM"
# Policy configurations
policy_document = {
"Version":"1",
"Statement": [
{
"Effect":"Deny",
"Action": [
"ram:UpdateRole",
"ram:DeleteRole",
"ram:AttachPolicyToRole",
"ram:DetachPolicyFromRole"
],
"Resource":"acs:ram:*:*:role/ResourceDirectoryAccountAccessRole"
}
]
}
# The ID group of the bound resource folder
resource_manager_folder_ids = ["fd-Zn1wkx2Dws","fd-5wKgZmg0ng"]
- Run the
terraform initcommand in the directory. - Run the
terraform plan -var-file=settings.tfvarscommand and check whether any error occurs. If an error occurs, check whether the configuration items are valid in Step 2.
- Run the
terraform apply -var-file=settings.tfvarscommand. Enteryesafter the self-check succeeds. When the command is executed successfully, check whether the policy is created and bound to the specified resource folder.
- You can check whether the policy is created and bound in the console.
