Alibaba Cloud Provider

The Alibaba Cloud provider is used to interact with the many resources supported by Alibaba Cloud. The provider needs to be configured with the proper credentials before it can be used.

Use the navigation on the left to read about the available resources.

Example Usage

# Configure the AliCloud Provider

provider "alicloud" {
  access_key = var.access_key
  secret_key = var.secret_key
  # If not set, cn-beijing will be used.
  region = var.region
}

variable "name" {
  default = "terraform-example"
}

data "alicloud_zones" "default" {
  available_disk_category     = "cloud_efficiency"
  available_resource_creation = "VSwitch"
}

# Create a new VPC
resource "alicloud_vpc" "vpc" {
  vpc_name   = var.name
  cidr_block = "172.16.0.0/16"
}

resource "alicloud_vswitch" "vswitch" {
  vpc_id       = alicloud_vpc.vpc.id
  cidr_block   = "172.16.0.0/24"
  zone_id      = data.alicloud_zones.default.zones.0.id
  vswitch_name = var.name
}

# Create a new security group in the VPC
resource "alicloud_security_group" "group" {
  name        = var.name
  description = "foo"
  vpc_id      = alicloud_vpc.vpc.id
}
# Create a KMS key to encrypt the data disk
resource "alicloud_kms_key" "key" {
  description            = "Hello KMS"
  pending_window_in_days = "7"
  status                 = "Enabled"
}

resource "alicloud_instance" "instance" {
  # cn-beijing
  availability_zone = data.alicloud_zones.default.zones.0.id
  security_groups   = alicloud_security_group.group.*.id

  # series III
  instance_type              = "ecs.n4.large"
  system_disk_category       = "cloud_efficiency"
  system_disk_name           = var.name
  system_disk_description    = "system_disk_description"
  image_id                   = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
  instance_name              = var.name
  vswitch_id                 = alicloud_vswitch.vswitch.id
  internet_max_bandwidth_out = 10
  data_disks {
    name        = "data-disk"
    size        = 20
    category    = "cloud_efficiency"
    description = "disk-description"
    encrypted   = true
    kms_key_id  = alicloud_kms_key.key.id
  }
}

Authentication

The Alicloud provider accepts several ways to supply credentials for authentication. The following methods are supported, in this order, and are explained below:

- Static credentials
- Environment variables
- Shared credentials file
- ECS instance role
- Assuming a RAM role
- Assuming a RAM role with OIDC
- Sidecar credentials

Static credentials

Static credentials can be provided by adding access_key, secret_key and region in-line in the alicloud provider block:

Usage:

provider "alicloud" {
  access_key = var.access_key
  secret_key = var.secret_key
  region     = var.region
}

Environment variables

You can provide your credentials via ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables, representing your Alibaba Cloud access key and secret key respectively. ALICLOUD_REGION is also used, if applicable:

provider "alicloud" {}

Usage:

$ export ALICLOUD_ACCESS_KEY="<Your-Access-Key-ID>"
$ export ALICLOUD_SECRET_KEY="<Your-Access-Key-Secret>"
$ export ALICLOUD_REGION="cn-beijing"
$ terraform plan

Shared Credentials File

You can use an Alibaba Cloud credentials or configuration file to specify your credentials. The default location is $HOME/.aliyun/config.json on Linux and macOS, or %USERPROFILE%\.aliyun/config.json on Windows. You can optionally specify a different location in the Terraform configuration by providing the shared_credentials_file argument or using the ALICLOUD_SHARED_CREDENTIALS_FILE environment variable. This method also supports a profile configuration and the matching ALICLOUD_PROFILE environment variable:

Usage:

provider "alicloud" {
  region                  = "cn-hangzhou"
  shared_credentials_file = "/Users/tf_user/.aliyun/creds"
  profile                 = "customprofile"
}

ECS Instance Role

If you're running Terraform from an ECS instance that has a RAM role attached, Terraform will simply query the instance metadata URL http://100.100.100.200/latest/meta-data/ram/security-credentials/<ecs_role_name> to obtain a short-lived STS credential. For details, refer to "Access other Cloud Product APIs by the Instance RAM Role".

This is the preferred approach over any other when running in ECS, because it avoids hard-coding credentials. Instead, credentials are leased on the fly by Terraform, which reduces the chance of leakage.

Usage:

provider "alicloud" {
  ecs_role_name = "terraform-provider-alicloud"
  region        = var.region
}
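As an added example that is not part of the provider documentation, the RAM role that ecs_role_name relies on can itself be provisioned with Terraform from a bootstrap workspace; the role, policy and instance names are assumptions, and the network resources referenced are those created in Example Usage above.

```hcl
# Added example (not from the provider docs): provision the instance role that
# a Terraform runner on ECS will use via ecs_role_name. Names are assumptions.
variable "runner_name" {
  default = "terraform-provider-alicloud"
}

# Trust policy: only the ECS service may assume this role, so the STS
# credential is minted for the instance rather than typed in by a person.
resource "alicloud_ram_role" "runner" {
  name        = var.runner_name
  description = "Instance role leased to Terraform through ecs_role_name"
  force       = true
  document = jsonencode({
    Version = "1"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = { Service = ["ecs.aliyuncs.com"] }
    }]
  })
}

# Least-privilege permission policy: scope it to what the runner's plans need
# (here read-only ECS calls) instead of attaching a broad system policy.
resource "alicloud_ram_policy" "runner" {
  policy_name = "${var.runner_name}-ecs-read"
  force       = true
  policy_document = jsonencode({
    Version = "1"
    Statement = [{
      Action   = ["ecs:Describe*"]
      Effect   = "Allow"
      Resource = "*"
    }]
  })
}

resource "alicloud_ram_role_policy_attachment" "runner" {
  policy_name = alicloud_ram_policy.runner.policy_name
  policy_type = "Custom"
  role_name   = alicloud_ram_role.runner.name
}

# The instance that will run Terraform; role_name binds the RAM role to it.
# On this instance the provider block only needs ecs_role_name = var.runner_name.
resource "alicloud_instance" "runner" {
  instance_name     = var.runner_name
  role_name         = alicloud_ram_role.runner.name
  availability_zone = data.alicloud_zones.default.zones.0.id
  security_groups   = alicloud_security_group.group.*.id
  vswitch_id        = alicloud_vswitch.vswitch.id
  instance_type     = "ecs.n4.large"
  image_id          = "ubuntu_18_04_64_20G_alibase_20190624.vhd"
}
```

Apply this from a workspace that already has credentials; the runner instance then never holds an access key on disk.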

Assuming A RAM Role

If provided with a role ARN, Terraform will attempt to assume this role using the supplied credentials.

Usage:

provider "alicloud" {
  access_key = "<One-AccessKeyId-With-AssumeRole-Policy>"
  secret_key = "<One-AccessKeySecret-With-AssumeRole-Policy>"
  assume_role {
    role_arn           = "acs:ram::ACCOUNT_ID:role/ROLE_NAME"
    policy             = "Policy Content"
    session_name       = "A Role Session Name"
    session_expiration = 999
  }
}

Assuming A RAM Role With OIDC

If provided with a role ARN and a token from a service account OpenID Connect (OIDC) provider, the Alibaba Cloud Provider will attempt to assume this role using the supplied token.

NOTE: Assuming-Role-With-OIDC is a no-AK auth type; there is no need to set access_key and secret_key when using it.

Usage:

provider "alicloud" {
  assume_role_with_oidc {
    oidc_provider_arn = "acs:ram::ACCOUNT_ID:oidc-provider/ROLE_NAME"
    role_arn          = "acs:ram::ACCOUNT_ID:role/ROLE_NAME"
    oidc_token_file   = "/Users/tf_user/secrets/rrsa-tokens/token"
    role_session_name = "A Role Session Name"
  }
}

Sidecar Credentials

You can deploy a sidecar to store Alibaba Cloud credentials. Then, you can optionally specify a credentials URI in the Terraform configuration by providing the credentials_uri argument or using the ALICLOUD_CREDENTIALS_URI environment variable, and the provider fetches the credentials automatically. Sidecar credentials are available since v1.141.0.

Usage:

provider "alicloud" {
  region          = "cn-hangzhou"
  credentials_uri = "<Your-Credential-URI>"
}

Custom User-Agent Information

By default, the underlying AlibabaCloud client used by the Terraform AliCloud Provider creates requests with User-Agent headers including information about Terraform and AlibabaCloud Go SDK versions. To provide additional information in the User-Agent headers, the provider variable configuration_source or TF_APPEND_USER_AGENT environment variable can be set and its value will be directly added to HTTP requests.

Usage:

provider "alicloud" {
  region               = "cn-hangzhou"
  configuration_source = "ArgoAgent/argo-12345678 NodeID/1234"
}

or

$ export TF_APPEND_USER_AGENT="ArgoAgent/argo-12345678 NodeID/1234 (Optional Extra Information)"

Argument Reference

In addition to generic provider arguments (e.g. alias and version), the following arguments are supported in the Alibaba Cloud provider block:

assume_role Configuration Block

assume_role_with_oidc Configuration Block

The assume_role_with_oidc configuration block supports the following arguments:

endpoints

NOTE: Due to certain API restrictions, the endpoints configured here must point to the same region as region_id.

Testing

Credentials must be provided via the ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY and ALICLOUD_REGION environment variables in order to run acceptance tests.