Tencent Cloud Prerequisites
This document describes the Tencent Cloud operations involved in creating a BYOC-type warehouse, including preparing a VPC and subnet and understanding resource orchestration.
Prepare a VPC and subnet
Tips:
- If you already have a VPC and subnet that meet the region and availability zone requirements, and you want to deploy the BYOC warehouse in that VPC, you can skip the VPC and subnet creation steps below.
- The currently supported regions and subnet availability zones are:
Cloud platform | Region name | Region ID | Availability zone IDs |
---|---|---|---|
Tencent Cloud | Beijing | ap-beijing | 3, 6, 7 |
Tencent Cloud | Shanghai | ap-shanghai | 2, 5, 8 |
Tencent Cloud | Guangzhou | ap-guangzhou | 6, 7 |
Tencent Cloud | Singapore | ap-singapore | 1, 2, 3, 4 |
Before creating a BYOC-type warehouse, if no existing VPC and subnet meet the requirements, you need to create a VPC and subnet in advance. The steps are as follows.
Open the Tencent Cloud VPC console, switch to the region in which you want to create the BYOC warehouse, and click New to open the VPC creation page.
Enter a name, select the IPv4 CIDR, the subnet name, the subnet IPv4 CIDR and the subnet availability zone, then click OK to complete creation.
Understand resource orchestration (optional)
When the Terraform template is executed through CloudShell under your cloud account, it operates on cloud resources such as VPC, CVM and COS, so it requires a set of CAM permissions.
Execute the Terraform template with administrator permissions, or ask an administrator to execute it for you; otherwise execution may fail because of insufficient permissions.
Terraform template description
The Terraform resource orchestration template provided by SelectDB runs under your own Tencent Cloud account; its code is visible and auditable, and it does not operate on your data or on other environments inside your VPC. You can obtain the template provided by SelectDB from the following link:
https://online-bj-1313869400.cos.ap-beijing.myqcloud.com/public/txcloud-byoc.tf
Resources created by the Terraform template
When you run the Terraform template through Tencent Cloud CloudShell, the following resources are created:
- Virtual machine
  - Name: SelectDBAgent (CVM)
  - Purpose: hosts the Agent, Prometheus, FluentBit and similar programs
- Endpoint
  - Name: SelectDBEndpoint (VPC Endpoint)
  - Purpose: establishes a private network connection to the SelectDB Cloud platform, so that control-plane commands can be pulled and monitoring data and logs can be pushed
- Bucket
  - Name: SelectDBBucket (COS Bucket)
  - Purpose: stores warehouse data
- Security groups
  - Names: SelectDBSecurityGroupForEndpoint, SelectDBSecurityGroup (VPC SecurityGroup)
  - Purpose: bound to the endpoint and to all CVM instances created by SelectDB, respectively; security group rules restrict inbound and outbound traffic to specific ports and specific sources
- Sub-user / roles (CAM User / CAM Role)
  - Names:
    - SelectDBUser (sub-user), SelectDBUserAccessKey (AK/SK), SelectDBUserPolicy (sub-user policy)
    - SelectDBControlPlaneRole (control-plane role), SelectDBControlPlaneRolePolicy (control-plane role policy), SelectDBDataAccessRole (kernel-side role), SelectDBDataAccessRolePolicy (kernel-side role policy)
  - Purpose:
    - The created sub-user carries the least-privilege policy required by the Agent; all subsequent control-plane operations are performed under this sub-user's identity
    - The created roles are bound to the CVM instances; temporary credentials obtained through a role are safer than using a permanent AK/SK
Note: You can view the details of all created resources in the terraform.tfstate state file. Do not modify this file; otherwise a later update or destroy may fail because state information is missing, leaving orphaned (leaked) resources behind.
Permissions of the sub-user created by the Terraform template
After the Terraform template has been executed for the first time, a sub-user is created that is used to manage the data warehouse components inside your VPC. The following is an example of that sub-user's permissions, with an explanation:
Note: The created sub-user belongs to your cloud account and is used only inside your VPC; it is not disclosed externally.
```json
{
  "statement": [
    {
      "action": [
        "cvm:DescribeInstances",
        "cvm:DescribeInstanceAttributes",
        "cvm:InquiryPriceRunInstances",
        "cvm:StartInstances",
        "cvm:StopInstances",
        "cvm:RebootInstances",
        "cvm:TerminateInstances",
        "cvm:ModifyInstancesChargeType",
        "cvm:AttachCbsStorages",
        "cvm:DetachCbsStorages",
        "cvm:ModifyCbsStorageAttributes",
        "cvm:AttachDisks",
        "cvm:DetachDisks",
        "cvm:RenewDisk",
        "cvm:ResizeDisk",
        "clb:DescribeLoadBalancers",
        "clb:DescribeLoadBalancersDetail",
        "clb:InquiryPriceRefundLoadBalancer",
        "clb:InquiryPriceRenewLoadBalancer",
        "clb:DescribeListeners",
        "clb:DescribeLBListeners",
        "clb:CreateListener",
        "clb:CreateLoadBalancerListeners",
        "clb:SetLoadBalancerStartStatus",
        "clb:DeleteListener",
        "clb:DeleteLoadBalancerListeners",
        "clb:DescribeTargets",
        "clb:DescribeTargetGroupInstances",
        "clb:RegisterTargets",
        "clb:DeregisterTargets",
        "clb:CreateRule",
        "clb:CreateListenerRules",
        "clb:DeleteRule",
        "clb:SetSecurityGroupForLoadbalancers",
        "clb:SetLoadBalancerSecurityGroups"
      ],
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": [
            "resource-created-by&selectdb"
          ]
        }
      },
      "effect": "allow",
      "resource": [
        "qcs::cvm:::*",
        "qcs::clb:::*"
      ]
    },
    {
      "action": [
        "cvm:RunInstances",
        "cvm:PurgeInstances",
        "cvm:RenewInstances",
        "cvm:ViewModifyInstancesAttribute",
        "cvm:ModifyInstancesAttribute",
        "cvm:ResetInstancesType",
        "cvm:DescribeSecurityGroups",
        "cvm:DescribeSecurityGroupPolicys",
        "cvm:CreateSecurityGroup",
        "cvm:CreateSecurityGroupPolicy",
        "cvm:ModifySecurityGroupPolicys",
        "cvm:ModifySecurityGroupAttributes",
        "cvm:AssociateSecurityGroups",
        "cvm:DisassociateSecurityGroups",
        "cvm:DeleteSecurityGroup",
        "cvm:DeleteSecurityGroupPolicy",
        "cvm:CreateCbsStorages",
        "cvm:ResizeCbsStorage",
        "cvm:DescribeDisks",
        "cvm:CreateDisks",
        "cvm:ModifyDiskAttributes",
        "vpc:DescribeVpcEx",
        "vpc:DescribeSubnet",
        "vpc:DescribeSubnetEx",
        "vpc:ModifyVpcEndPointAttribute",
        "clb:DescribeTaskStatus",
        "clb:InquiryPriceCreateLoadBalancer",
        "clb:CreateLoadBalancer",
        "clb:DeleteLoadBalancer",
        "clb:DeleteLoadBalancers",
        "clb:DescribeLoadBalancerListeners",
        "clb:DescribeTargetGroups",
        "clb:DescribeTargetGroupList",
        "clb:CreateTargetGroup",
        "clb:ModifyTargetGroupAttribute",
        "clb:DeleteTargetGroups",
        "clb:BatchRegisterTargets",
        "clb:BatchDeregisterTargets",
        "clb:RegisterTargetGroupInstances",
        "clb:DeregisterTargetGroupInstances",
        "clb:AssociateTargetGroups",
        "clb:DisassociateTargetGroups",
        "clb:RegisterInstancesWithLoadBalancer",
        "clb:DeregisterInstancesFromLoadBalancer",
        "clb:ModifyRule",
        "clb:SetSecurityGroups",
        "tag:TagResources",
        "tag:UnTagResources"
      ],
      "effect": "allow",
      "resource": [
        "*"
      ]
    },
    {
      "action": [
        "finance:*"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cvm:::*",
        "qcs::clb:::*"
      ]
    },
    {
      "action": [
        "cos:*"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos:ap-guangzhou:uid/1314238582:pgtest-v2-1314238582",
        "qcs::cos:ap-guangzhou:uid/1314238582:pgtest-v2-1314238582/*"
      ]
    },
    {
      "action": [
        "cam:PassRole"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cam::uin/100027752159:roleName/selectdb-data-access-role-8mevoxfz"
      ]
    }
  ],
  "version": "2.0"
}
```
The permissions are divided as follows:
- CVM permissions:
  - Manage CVM instances:
    `"cvm:DescribeInstances", "cvm:DescribeInstanceAttributes", "cvm:InquiryPriceRunInstances", "cvm:RunInstances", "cvm:StartInstances", "cvm:StopInstances", "cvm:PurgeInstances", "cvm:RebootInstances", "cvm:TerminateInstances", "cvm:RenewInstances", "cvm:ViewModifyInstancesAttribute", "cvm:ModifyInstancesAttribute", "cvm:ModifyInstancesChargeType", "cvm:ResetInstancesType", "cvm:CreateCbsStorages", "cvm:AttachCbsStorages", "cvm:DetachCbsStorages", "cvm:ResizeCbsStorage", "cvm:ModifyCbsStorageAttributes", "cvm:DescribeDisks", "cvm:CreateDisks", "cvm:AttachDisks", "cvm:DetachDisks", "cvm:RenewDisk", "cvm:ResizeDisk", "cvm:ModifyDiskAttributes"`
  - Manage CVM security groups:
    `"cvm:DescribeSecurityGroups", "cvm:DescribeSecurityGroupPolicy", "cvm:CreateSecurityGroup", "cvm:CreateSecurityGroupPolicy", "cvm:ModifySecurityGroupAttributes", "cvm:ModifySingleSecurityGroupPolicy", "cvm:ModifySecurityGroupPolicys", "cvm:AssociateSecurityGroups", "cvm:DisassociateSecurityGroups", "cvm:DeleteSecurityGroup", "cvm:DeleteSecurityGroupPolicy"`
  - Manage tags:
    `"tag:TagResources", "tag:UnTagResources"`
- VPC & CLB permissions:
  - Read VPC resource information:
    `"vpc:DescribeVpcEx", "vpc:DescribeSubnet", "vpc:DescribeSubnetEx"`
  - Manage CLB load balancer resources:
    `"clb:DescribeTaskStatus", "clb:DescribeLoadBalancers", "clb:DescribeLoadBalancersDetail", "clb:InquiryPriceCreateLoadBalancer", "clb:InquiryPriceRefundLoadBalancer", "clb:InquiryPriceRenewLoadBalancer", "clb:CreateLoadBalancer", "clb:DeleteLoadBalancer", "clb:DeleteLoadBalancers", "clb:DescribeListeners", "clb:DescribeLBListeners", "clb:DescribeLoadBalancerListeners", "clb:CreateListener", "clb:CreateLoadBalancerListeners", "clb:SetLoadBalancerStartStatus", "clb:DeleteListener", "clb:DeleteLoadBalancerListeners", "clb:DescribeTargets", "clb:DescribeTargetGroupInstances", "clb:RegisterTargets", "clb:DeregisterTargets", "clb:DescribeTargetGroups", "clb:DescribeTargetGroupList", "clb:CreateTargetGroup", "clb:ModifyTargetGroupAttribute", "clb:DeleteTargetGroups", "clb:BatchRegisterTargets", "clb:BatchDeregisterTargets", "clb:RegisterTargetGroupInstances", "clb:DeregisterTargetGroupInstances", "clb:AssociateTargetGroups", "clb:DisassociateTargetGroups", "clb:RegisterInstancesWithLoadBalancer", "clb:DeregisterInstancesFromLoadBalancer", "clb:CreateRule", "clb:CreateListenerRules", "clb:ModifyRule", "clb:DeleteRule", "clb:SetSecurityGroups", "clb:SetSecurityGroupForLoadbalancers", "clb:SetLoadBalancerSecurityGroups"`
- Finance permissions:
  - Allow purchasing CVM and LB resources:
    `{ "action": [ "finance:*" ], "effect": "allow", "resource": [ "qcs::cvm:::*", "qcs::clb:::*" ] }`
- COS permissions:
  - Manage the COS bucket and read/write the bucket and its contents (limited to the specific bucket):
    `{ "action": [ "cos:*" ], "effect": "allow", "resource": [ "qcs::cos::uid/*:selectdb-bucket-*", "qcs::cos::uid/*:selectdb-bucket-*/*" ] }`
- CAM permissions:
  - Allow passing the newly created kernel-side data access role to the virtual machines (MS/FE/BE):
    `{ "action": [ "cam:PassRole" ], "effect": "allow", "resource": [ "qcs::cam::uin/*:roleName/selectdb-data-access-role-*" ] }`
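In the policy above, the first statement is narrowed to resources tagged `resource-created-by&selectdb`, whereas the second statement applies to resource `"*"` with no condition. As an added example (not SelectDB's or Tencent Cloud's code), the following Python audit walks a policy document of this shape and reports, per statement, the services covered, whether a `qcs:resource_tag` condition scopes it, and whether it grants actions on `"*"` unconditionally, so a reviewer can confirm the breadth before applying the template; the embedded policy is a constructed, abbreviated copy of the one shown.

```python
"""Audit a Tencent Cloud CAM policy document (added example, not SelectDB's own).
Per statement: services covered, qcs:resource_tag scoping, unconditional "*" grants."""
import json

# Constructed, abbreviated copy of the sub-user policy shape shown on this page.
SAMPLE_POLICY = json.dumps({
    "version": "2.0",
    "statement": [
        {"action": ["cvm:DescribeInstances", "cvm:TerminateInstances"],
         "condition": {"for_any_value:string_equal": {
             "qcs:resource_tag": ["resource-created-by&selectdb"]}},
         "effect": "allow", "resource": ["qcs::cvm:::*", "qcs::clb:::*"]},
        {"action": ["cvm:RunInstances", "tag:TagResources"],
         "effect": "allow", "resource": ["*"]},
        {"action": ["cos:*"],
         "effect": "allow", "resource": ["qcs::cos::uid/*:selectdb-bucket-*"]},
    ],
})


def _tag_values(condition):
    """Collect every qcs:resource_tag value, whatever operator block wraps it."""
    values = []
    for operator_block in condition.values():
        values.extend(operator_block.get("qcs:resource_tag", []))
    return values


def audit_policy(policy_json):
    """Return one finding dict per statement of the policy document."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("statement", [])):
        actions = stmt.get("action", [])
        tags = _tag_values(stmt.get("condition", {}))
        findings.append({
            "index": idx,
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "action_count": len(actions),
            "wildcard_action": any(a.split(":", 1)[-1] == "*" for a in actions),
            "tag_scoped": bool(tags),
            # "*" with no tag condition spans every resource of those services.
            "unscoped_wildcard_resource": "*" in stmt.get("resource", []) and not tags,
        })
    return findings


def unscoped_statements(policy_json):
    """Indices of statements a reviewer should justify before applying."""
    return [f["index"] for f in audit_policy(policy_json)
            if f["unscoped_wildcard_resource"]]
```

Running `audit_policy` over the full policy from this page works the same way; only the sample embedded here is shortened.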