-
Notifications
You must be signed in to change notification settings - Fork 23
/
main.tf
84 lines (74 loc) · 2.87 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
provider "alicloud" {
access_key = var.master_account_access_key
secret_key = var.master_account_secret_key
region = var.region
alias = "master_account"
}
provider "alicloud" {
access_key = var.master_account_access_key
secret_key = var.master_account_secret_key
region = var.region
alias = "cmdb_account"
assume_role {
role_arn = "acs:ram::${var.cmdb_account_uid}:role/ResourceDirectoryAccountAccessRole"
session_name = "AccountLandingZoneSetup"
session_expiration = 999
}
}
# 在cmdb账号下创建用于存储配置数据的project和logstore
resource "alicloud_log_project" "example" {
provider = alicloud.cmdb_account
name = var.project_name
description = "create by terraform"
}
resource "alicloud_log_store" "example" {
provider = alicloud.cmdb_account
project = alicloud_log_project.example.name
name = var.logstore_name
}
# 查询企业管理账号下的所有成员账号
data "alicloud_resource_manager_accounts" "rd" {
provider = alicloud.master_account
}
data "alicloud_account" "master" {
provider = alicloud.master_account
}
# 将企业管理账号和旗下的所有成员设为全局账号组,当RD中新增/删除成员账号时,账号组会自动扩容/收缩
# 注意: 企业管理账号中只能存在一个全局账号组
resource "alicloud_config_aggregator" "example" {
provider = alicloud.master_account
aggregator_type = "RD"
aggregator_accounts {
account_id = data.alicloud_account.master.id
account_name = "master"
account_type = "ResourceDirectory"
}
dynamic "aggregator_accounts" {
for_each = data.alicloud_resource_manager_accounts.rd.accounts
content {
account_id = aggregator_accounts.value.account_id
account_name = aggregator_accounts.value.display_name
account_type = "ResourceDirectory"
}
}
aggregator_name = "tf-test"
description = "create by terraform"
}
# alicloud_config_delivery_channel只能将region设为cn-shanghai/ap-northeast-1
provider "alicloud" {
access_key = var.master_account_access_key
secret_key = var.master_account_secret_key
region = "cn-shanghai"
alias = "master_account_shanghai"
}
# 设置数据投递,使用cmdb下的aliyunserviceroleforconfig角色,将数据投递到之前创建的project和logstore中
resource "alicloud_config_delivery_channel" "example" {
provider = alicloud.master_account_shanghai
# 开启数据投递,注意:使用terraform destroy时不会自动关闭数据投递,需要手动前往控制台关闭
status = "1"
description = "create by terraform"
delivery_channel_name = "tf--delivery-channel"
delivery_channel_assume_role_arn = "acs:ram::${var.cmdb_account_uid}:role/aliyunserviceroleforconfig"
delivery_channel_type = "SLS"
delivery_channel_target_arn = "acs:log:${var.region}:${var.cmdb_account_uid}:project/${alicloud_log_project.example.name}/logstore/${alicloud_log_store.example.name}"
}