Terraform 阿里云 Backend 实践
一、Backend 是什么?
Backend 指 terraform 后端存储,通过前面的各个小实验,我们会注意到,成功地执行了一次terraform apply后,除非资源定义发生变更,否则重复执行 apply 是不会生出新的执行计划的
实现此功能的前提便是 “状态管理”,简单来说,terraform 将每次执行基础设施变更操作时的状态信息保存在一个状态文件中,默认情况位于当前工作目录下的,通常你会看到以下文件
- terraform.tfstate:以 json 格式保存 data 查询结果、resource 资源信息
- terraform.tfstate.backup:计划发生 change 时,开始执行变更前,会备份当前 tfstate 文件,防止由于各种意外导致的 tfstate 损毁
如果我们丢失 tfstate 文件,那么会导致非常严重的后果,Terraform 读取不到基础设施状态,无法销毁回收,造成资源泄漏
二、Backend 分类
目前分为两种 Backend
2.1 本地状态文件
将 tfstate 文件保存在本地,适用于单用户、无安全要求的场景,不过生产环境,强烈建议使用 remote state,原因如下:
- 不利于团队协作
- 本地环境易于丢失(损坏)
- 数据不安全,state 文件明文保存敏感数据,易于泄露敏感信息
- 数据不一致,多人同时对基础设施进行变更时,会出现不一致的问题
2.2 远程状态文件
terraform 支持非常丰富的 remote backend,例如:etcd、artifactory、oss、http、gitlab 等
三、Backend 阿里云 OSS
OSS Backend 是基于阿里云的表格存储服务(Tablestore)和 对象存储服务(OSS)实现
3.1 资源定义
我们按照之前所学的 module 结构,创建一个项目
.
├── env
│ └── aliyun
│ ├── main.tf
│ ├── providers.tf
│ ├── variables.tf
│ └── versions.tf
└── modules
└── aliyun_oss_backend
├── main.tf
├── outputs.tf
└── variables.tf
4 directories, 7 filesoss、ots 资源定义在 modules/aliyun_oss_backend 中
3.1.1 资源定义模块
variables.tf
variable "bucket_name" {
type = string
default = "terraform-backend-data-dayo"
# 唯一性要求较高,建议加入自定义字符(数字
description = "bucket name"
}
variable "bucket_acl" {
type = string
default = "private"
# 唯一性要求较高,建议加入自定义字符(数字
description = "访问模式"
}
variable "ots_instance_name" {
type = string
default = "tf-instance-dayo"
description = "ots instance name"
}
variable "ots_tags" {
type = map(string)
default = {
Created = "TF"
For = "Building table"
}
}
variable "ots_table_name" {
type = string
default = "terraform_table"
description = "ots table name"
}outputs.tf
output "bucket_name" {
value = alicloud_oss_bucket.tf-bucket-dayo-demo.bucket
}
output "table_name" {
value = alicloud_ots_table.basic.table_name
}main.tf
resource "alicloud_oss_bucket" "tf-bucket-dayo-demo" {
bucket = var.bucket_name
acl = var.bucket_acl
}
resource "alicloud_ots_instance" "tf-ots-dayo-demo" {
name = var.ots_instance_name
description = "terraform locks info tablestore"
accessed_by = "Any" # Vpc 允许访问者来源
tags = var.ots_tags
}
resource "alicloud_ots_table" "basic" {
instance_name = alicloud_ots_instance.tf-ots-dayo-demo.name
table_name = var.ots_table_name
max_version = 1
time_to_live = -1
primary_key {
name = "LockID"
type = "String"
}
}3.1.2 创建模块引用
来到 env/aliyun 目录下
老套路,指明我们所使用的 Terraform、Provider 版本
versions.tf
terraform {
required_version= "1.1.9"
required_providers {
alicloud = {
source = "hashicorp/alicloud"
version = "1.197.0"
}
}
}providers.tf
provider "alicloud" {
region = var.ALICLOUD_REGION
access_key = var.ALICLOUD_ACCESS_KEY
secret_key = var.ALICLOUD_SECRET_KEY
}variables.tf
#########################
# Aliyun Provider 认证信息
# 推荐使用环境变量 TF_VAR_*
variable "ALICLOUD_ACCESS_KEY" {
type = string
}
variable "ALICLOUD_SECRET_KEY" {
type = string
}
variable "ALICLOUD_REGION" {
type = string
}main.tf
module "oss_backend" {
source = "../../modules/aliyun_oss_backend/"
bucket_name = "terraform-backend-data-dayo"
bucket_acl = "private"
ots_instance_name = "tf-instance-dayo"
ots_table_name = "terraform_table"
ots_tags = {
Created = "TF"
For = "Building table"
}
}3.2 创建 oss ots 资源
3.2.1 init
既然,我们是要用 oss 存储状态文件,用 ots 保存 lock 信息,那前提一定是得有啊,所以,我们先 init、apply 创建一下资源
$ terraform.exe init
Initializing modules...
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/alicloud versions matching "1.197.0"...
- Using hashicorp/alicloud v1.197.0 from the shared cache directory
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Process finished with exit code 03.2.2 apply
初始化完成,执行 apply 创建资源
$ tf apply执行返回
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.oss_backend.alicloud_oss_bucket.tf-bucket-dayo-demo will be created
+ resource "alicloud_oss_bucket" "tf-bucket-dayo-demo" {
+ acl = "private"
+ bucket = "terraform-backend-data-dayo"
+ creation_date = (known after apply)
+ extranet_endpoint = (known after apply)
+ force_destroy = false
+ id = (known after apply)
+ intranet_endpoint = (known after apply)
+ location = (known after apply)
+ owner = (known after apply)
+ redundancy_type = "LRS"
+ storage_class = "Standard"
}
# module.oss_backend.alicloud_ots_instance.tf-ots-dayo-demo will be created
+ resource "alicloud_ots_instance" "tf-ots-dayo-demo" {
+ accessed_by = "Any"
+ description = "terraform locks info tablestore"
+ id = (known after apply)
+ instance_type = "HighPerformance"
+ name = "tf-instance-dayo"
+ tags = {
+ "Created" = "TF"
+ "For" = "Building table"
}
}
# module.oss_backend.alicloud_ots_table.basic will be created
+ resource "alicloud_ots_table" "basic" {
+ deviation_cell_version_in_sec = "86400"
+ id = (known after apply)
+ instance_name = "tf-instance-dayo"
+ max_version = 1
+ table_name = "terraform_table"
+ time_to_live = -1
+ primary_key {
+ name = "LockID"
+ type = "String"
}
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
module.oss_backend.alicloud_ots_instance.tf-ots-dayo-demo: Creating...
module.oss_backend.alicloud_oss_bucket.tf-bucket-dayo-demo: Creating...
module.oss_backend.alicloud_ots_instance.tf-ots-dayo-demo: Creation complete after 3s [id=tf-instance-dayo]
module.oss_backend.alicloud_oss_bucket.tf-bucket-dayo-demo: Creation complete after 3s [id=terraform-backend-data-dayo]
module.oss_backend.alicloud_ots_table.basic: Creating...
module.oss_backend.alicloud_ots_table.basic: Still creating... [10s elapsed]
module.oss_backend.alicloud_ots_table.basic: Still creating... [20s elapsed]
module.oss_backend.alicloud_ots_table.basic: Still creating... [30s elapsed]
module.oss_backend.alicloud_ots_table.basic: Still creating... [40s elapsed]
module.oss_backend.alicloud_ots_table.basic: Still creating... [50s elapsed]
module.oss_backend.alicloud_ots_table.basic: Still creating... [1m0s elapsed]
# ...
# ots table 资源创建、销毁都很慢(销毁)
module.oss_backend.alicloud_ots_table.basic: Creation complete after 1m37s [id=tf-instance-dayo:terraform_table]
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.此时,本地是存在一份 terraform.tfstate 文件,里面保存着 “基础设施状态”,我们接下来要做的就是配置使用 remote state
3.2.3 配置 backend
执行目录添加 env/aliyun/backend.tf
terraform {
backend "oss" {
access_key = "LTAI5tH8nYSJKXXXXX"
secret_key = "sMIec7G5WKkfbpXXXXX"
bucket = "terraform-backend-data-dayo"
prefix = "aliyun/"
key = "terraform-aliyun.tfstate"
region = "cn-beijing"
tablestore_table = "terraform_table"
tablestore_endpoint = "https://tf-instance-dayo.cn-beijing.ots.aliyuncs.com"
}
}3.2.4 上传本地 state
我们要把本地 tfstate 文件上传到 oss 中,上传的方法很简单,再次执行 init 即可
$ tf init执行效果,有时可能会遇到这样的错误,无妨,是网络问题,继续尝试执行 init 即可
Initializing modules...
Initializing the backend...
╷
│ Error: Error loading state:
│ error describing table store terraform_table: &url.Error{Op:"Post", URL:"https://tf-instance-dayo.cn-beijing.ots.aliyuncs.com/DescribeTable", Err:(*net.OpError)(0xc000a6a000)}
│
│ Terraform failed to load the default state from the "oss" backend.
│ State migration cannot occur unless the state can be loaded. Backend
│ modification and state migration has been aborted. The state in both the
│ source and the destination remain unmodified. Please resolve the
│ above error and try again.直到提示是否迁移配置到 oss,输入 yes
Initializing the backend...
Do you want to copy existing state to the new backend?
Pre-existing state was found while migrating the previous "local" backend to the
newly configured "oss" backend. No existing state was found in the newly
configured "oss" backend. Do you want to copy this state to the new "oss"
backend? Enter "yes" to copy and "no" to start with an empty state.
Enter a value: yes
Successfully configured the backend "oss"! Terraform will automatically
use this backend unless the backend configuration changes.3.2.5 检查云资源
检查 OSS Bucket 是否存在 tfstat 文件
检查 ots 表格是否存在记录
创建资源时,可能会遇到各种各样的问题,常见的有以下几种
- oss/oss bucket 名字不符合规范
- oss/ots bucket 名字被占用
- 网络异常
基本上按照错误提示,修改重试几次即可
3.3 改造旧项目
通过上面的配置,我们实现了将 tfstate 文件存储在 oss 中,并且操作过程通过 ots 加锁避免资源同时被操作,但是,上面的项目结构不够规范化,接下来,我们要逐步去改造它,让它更贴近实际生产环境
首先,主要工作分为两部分
重新组织 tfstate 文件,按照更新频率、影响范围拆分
模块存储至 Git 配置使用远程模块
3.3.1 目录结构
调整后的目录结构如下:
$ tree -L 4
.
├── env
│ └── dev
│ ├── network
│ │ ├── backend.tf
│ │ ├── main.tf
│ │ ├── outputs.tf
│ │ ├── providers.tf
│ │ ├── variables.tf
│ │ └── versions.tf
│ └── service
│ ├── backend.tf
│ ├── dns.tf
│ ├── ecs.tf
│ ├── eip.tf
│ ├── main.tf
│ ├── outputs.tf
│ ├── providers.tf
│ ├── slb.tf
│ ├── system-init-script.sh
│ ├── variables.tf
│ └── versions.tf
└── global
└── backend
├── backend.tf
├── main.tf
├── providers.tf
├── variables.tf
└── versions.tf
6 directories, 22 files- env 目录保存区分环境
- 环境目录下按照 更新频次 划分资源类型 network、service…
- 各资源类型下包含 backend 配置,配置中声明将 tfstate 文件存储到 同一 bucket 的不同目录 中
- 各资源类型使用同一 ots 表,表中自动生成各资源对应 tfstate 锁记录
- global 目录保存 oss、ots、ots table 资源的声明定义
3.3.2 oss、ots
首先,看一下这方面的配置,基本上没有花样
main.tf
locals {
bucket_name = "terraform-backend-data-dayo"
bucket_acl = "private"
ots_instance_name = "tf-instance-dayo"
ots_table_name = "terraform_table"
ots_tags = {
Created = "TF"
For = "Building table"
}
}
resource "alicloud_oss_bucket" "tf-bucket-dayo-demo" {
bucket = local.bucket_name
acl = local.bucket_acl
}
resource "alicloud_ots_instance" "tf-ots-dayo-demo" {
name = local.ots_instance_name
description = "terraform locks info tablestore"
accessed_by = "Any" # Vpc 允许访问者来源
tags = local.ots_tags
}
resource "alicloud_ots_table" "basic" {
instance_name = local.ots_instance_name
table_name = local.ots_table_name
max_version = 1
time_to_live = -1
primary_key {
name = "LockID"
type = "String"
}
}providers.tf
provider "alicloud" {
region = var.ALICLOUD_REGION
access_key = var.ALICLOUD_ACCESS_KEY
secret_key = var.ALICLOUD_SECRET_KEY
}variables.tf
#########################
# Aliyun Provider 认证信息
variable "ALICLOUD_ACCESS_KEY" {
type = string
}
variable "ALICLOUD_SECRET_KEY" {
type = string
}
variable "ALICLOUD_REGION" {
type = string
}versions.tf
terraform {
required_version= "1.1.9"
required_providers {
alicloud = {
source = "hashicorp/alicloud"
version = "1.197.0"
}
}
}老规矩,先生成本地 tfstate 文件,执行 init、apply 创建资源
$ tf init
$ tf apply拷贝 backend.tf 文件到 global/backend/ 目录
terraform {
backend "oss" {
access_key = "LTAI5tH8nYSJK8y79czjBXQT"
secret_key = "sMIec7G5WKkfbpXXX"
bucket = "terraform-backend-data-dayo"
prefix = "global/backend"
key = "terraform-global-backend.tfstate"
region = "cn-beijing"
tablestore_table = "terraform_table"
tablestore_endpoint = "https://tf-instance-dayo.cn-beijing.ots.aliyuncs.com"
}
}再次执行 init,迁移 backend.tf 文件
$ tf init检查 oss、ots、ots table 创建情况及表中数据,确定无误后删除本地 tfstate、tfstate.backup 文件
3.3.3 模块编写
(1)vpc
main.tf
// VPC 网络定义
resource "alicloud_vpc" "default" {
vpc_name = var.vpc_name
cidr_block = var.vpc_cidr_block
}
//switch 交换机
resource "alicloud_vswitch" "default" {
// 参数资源引用:<resource type>.<name>.<attribute>
vswitch_name = var.vsw_name
vpc_id = alicloud_vpc.default.id
cidr_block = var.vsw_cidr_block
// 使用上面 data 查询到的 zone
zone_id = data.alicloud_zones.default.zones[0].id
}
// 获取可用区
data "alicloud_zones" "default" {
// 查询条件,拥有 ecs.s6-c1m1.small 的可用区 "ecs.s6-c1m1.small"
available_instance_type = var.ecs_spec
// 展示详细信息
enable_details = true
output_file = "data/alicloud_zones.json"
}variables.tf
variable "vpc_name" {
type = string
}
variable "vsw_name" {
type = string
}
variable "vpc_cidr_block" {
type = string
description = "vpc 网段"
default = "172.16.0.0/12"
}
variable "vsw_cidr_block" {
type = string
description = "交换机网段"
default = "172.16.0.0/21"
}
variable "ecs_spec" {
type = string
description = "ECS 规格(搜索条件)"
}outputs.tf
output "vpc_id" {
value = alicloud_vpc.default.id
}
output "vsw_id" {
# 暴露 vsw_id
value = alicloud_vswitch.default.id
}(2)security_group
main.tf
resource "alicloud_security_group" "default" {
name = var.sg_name
description = "terraform security group resource"
vpc_id = var.vpc_id
security_group_type = "normal" // normal 普通级 enterprise 企业级
}
resource "alicloud_security_group_rule" "allow_80_tcp" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "80/80"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "allow_22_tcp" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "intranet"
policy = "accept"
port_range = "22/22"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}variables.tf
variable "sg_name" {
type = string
}
variable "vpc_id" {
type = string
}outputs.tf
output "sg_id" {
value = alicloud_security_group.default.id
}(3)ecs
main.tf
resource "alicloud_instance" "default" {
availability_zone = data.alicloud_zones.default.zones[0].id
vswitch_id = var.vsw_id
security_groups = [var.sg_id]
// 使用 data 查询结果中的第一个镜像
image_id = data.alicloud_images.images_ds.images[0].id
instance_type = var.ecs_spec
internet_max_bandwidth_out = var.instance_internet_max_bandwidth_out
# ECS 实例名称前缀
instance_name = var.ecs_name
# ECS 付费模式:PrePaid 包年包月、PostPaid 按量付费
instance_charge_type = var.instance_charge_type
# ECS 带宽计费模式:PayByTraffic 按使用流量、PayByBandwidth 按固定带宽
internet_charge_type = var.internet_charge_type
# ECS 实例登录密码
password = var.instance_password
system_disk_category = var.os_disk_category
user_data = data.template_file.shell.rendered
}
data "alicloud_zones" "default" {
// 查询条件,拥有 ecs.s6-c1m1.small 的可用区 "ecs.s6-c1m1.small"
available_instance_type = var.ecs_spec
// 展示详细信息
enable_details = true
output_file = "data/alicloud_zones.json"
}
// 获取示例类型
// data.alicloud_instance_types.default.instance_types[0].id
#data "alicloud_instance_types" "default" {
# availability_zone = data.alicloud_zones.default.zones[0].id
# cpu_core_count = 1
# memory_size = 1
# output_file = "data/instance_types.json"
#}
# 查询系统镜像
data "alicloud_images" "images_ds" {
owners = "system"
# "^centos_7"
name_regex = var.image_name_regex
architecture = "x86_64"
output_file = "data/images.json"
}
# 系统初始化脚本
data "template_file" "shell" {
template = file(var.os_init_script)
}variables.tf
variable "ecs_name" {
type = string
}
variable "ecs_spec" {
type = string
description = "ECS 规格"
}
variable "os_disk_category" {
/* ECS 系统磁盘类型:
cloud 普通云盘
cloud_efficiency 高效云盘
cloud_ssd 云 SSD
cloud_essd ESSD 云盘 */
type = string
}
variable "image_name_regex" {
# 系统镜像正则表达式查询
type = string
}
variable "os_init_script" {
type = string
}
variable "vsw_id" {
type = string
}
variable "sg_id" {}
#########################
# ECS 实例
variable "instance_password" {
description = "instance root password"
type = string
default = "L0tusCh1ng"
}
variable "instance_internet_max_bandwidth_out" {
default = "1"
description = "ECS internet max bandwidth out"
type = string
}
variable "internet_charge_type" {
default = "PayByTraffic"
description = "带宽计费方式"
type = string
}
variable "instance_charge_type" {
default = "PostPaid"
description = "实例计费方式"
type = string
}outputs.tf
output "ecs_public_ip" {
value = alicloud_instance.default.public_ip
}
output "ecs_image_id" {
value = alicloud_instance.default.image_id
}
output "ecs_spec" {
value = alicloud_instance.default.instance_type
}
output "ecs_id" {
value = alicloud_instance.default.id
}(4)slb
main.tf
# SLB 实例
resource "alicloud_slb_load_balancer" "slb" {
load_balancer_name = var.slb_name
address_type = var.address_type
payment_type = var.payment_type
vswitch_id = var.vsw_id
load_balancer_spec = var.load_balancer_spec
}
# SLB 虚拟服务器组
resource "alicloud_slb_server_group" "demo7_server" {
load_balancer_id = alicloud_slb_load_balancer.slb.id
name = var.server_group_name
}
# 虚拟服务器添加 ecs 成员(slb ecs 绑定关系)
resource "alicloud_slb_server_group_server_attachment" "default" {
count = length(var.backend_server_ids)
server_group_id = alicloud_slb_server_group.demo7_server.id
server_id = var.backend_server_ids[count.index]
port = var.backend_server_port
weight = var.backend_server_weight
}
# SLB 端口监听
resource "alicloud_slb_listener" "default" {
load_balancer_id = alicloud_slb_load_balancer.slb.id
backend_port = var.backend_server_port
frontend_port = var.frontend_slb_port
protocol = var.protocol
scheduler = var.lb_scheduler
bandwidth = var.bandwidth
server_group_id = alicloud_slb_server_group.demo7_server.id
}variables.tf
variable "vsw_id" {}
# SLB 实例
variable "slb_name" {}
variable "address_type" {}
variable "payment_type" {}
variable "load_balancer_spec" {}
# SLB 虚拟服务器组
variable "server_group_name" {}
# SLB 虚拟服务器组成员
variable "backend_server_ids" {}
variable "backend_server_port" {}
variable "backend_server_weight" {}
# SLB 端口监听
variable "frontend_slb_port" {}
variable "protocol" {}
/*
rr 轮训
wrr 加权轮训
sch 源哈希
*/
variable "lb_scheduler" {}
variable "bandwidth" {}outputs.tf
output "slb_id" {
value = alicloud_slb_load_balancer.slb.id
}(5)eip
main.tf
resource "alicloud_eip_address" "eip" {
}
resource "alicloud_eip_association" "eip_asso" {
allocation_id = alicloud_eip_address.eip.id
# EIP 绑定到 SLB 上
instance_id = var.slb_instance_id
}variables.tf
variable "slb_instance_id" {}outputs.tf
output "eip_ipaddress" {
# 返回 eip IP 地址,以供 dns A 记录解析
value = alicloud_eip_address.eip.ip_address
}(6)dns
main.tf
resource "alicloud_alidns_record" "dns" {
domain_name = var.domain_name
rr = var.host_record
type = var.record_type
value = var.ip_address
remark = "terraform alidns demo"
status = var.record_status
ttl = var.ttl
}variables.tf
variable "host_record" {}
variable "record_type" {}
variable "record_status" {}
variable "domain_name" {}
variable "ip_address" {}
variable "ttl" {}outputs.tf
output "web_access_url" {
# 返回 web 访问地址,以便于复制到浏览器快速访问检查结果
value = format("http://%s.%s/", var.host_record, var.domain_name)
}创建 terraform-aliyun-modules 目录,将各资源模块编写完成后放入其中
3.3.4 远程仓库
访问 coding.net 创建项目、创建代码仓库
获取本机 ssh 公钥,添加到用户公钥设置中
$ cat ~/.ssh/id_rsa.pub设置 ignore
# terraform
**/.terraform/*
*.tfstate
*.tfstate.*
.terraform.lock.hcl切换本地目录到 terraform-aliyun-modules,初始化 git 目录
$ git init检查 status
$ git status如果 git status 中依旧存在未被忽略的文件,执行下面的命令
$ git rm -rf --cached .
$ git status添加远程仓库地址,提交并推送
$ git remote add origin git@e.coding.net:LotusChing/terraform/terraform-aliyun-modules.git
$ git add *
$ git commit -m "first"
$ git push -u origin master3.3.5 环境配置
回到 env/dev/network 目录,先处理网络资源,providers、variables、versions 等 tf 文件保持不变
(1)network
providers.tf
provider "alicloud" {
region = var.ALICLOUD_REGION
access_key = var.ALICLOUD_ACCESS_KEY
secret_key = var.ALICLOUD_SECRET_KEY
}variables.tf
#########################
# Aliyun Provider 认证信息
variable "ALICLOUD_ACCESS_KEY" {
type = string
}
variable "ALICLOUD_SECRET_KEY" {
type = string
}
variable "ALICLOUD_REGION" {
type = string
}versions.tf
terraform {
required_version= "1.1.9"
required_providers {
alicloud = {
source = "hashicorp/alicloud"
version = "1.197.0"
}
}
}这里的 backend.tf 需要注意,配置文件中需要做一定修改
terraform {
backend "oss" {
# 阿里云账户 AK、SK
access_key = "LTAI5tH8XXX"
secret_key = "sMIec7G5WKkfbpXXX"
# bucket 实例,可以多环境使用同一实例,用 prefix 区分开即可
bucket = "terraform-backend-data-dayo"
# 规则:<project>/<env>/<resource>
prefix = "demo7/dev/network"
# tfstate 文件名称,建议参考 prefix 格式
key = "terraform-demo7-dev-network.tfstate"
region = "cn-beijing"
# ots table,可以多环境使用同一张表,表内会存在多条 tfstate 信息 记录
tablestore_table = "terraform_table"
# ots 实例访问地址
tablestore_endpoint = "https://tf-instance-dayo.cn-beijing.ots.aliyuncs.com"
}
}main.tf
locals {
# vpc 参数
vpc_name = "demo7-dev-vpc"
vsw_name = "demo7-dev-vsw"
ecs_spec = "ecs.s6-c1m1.small"
# sg 安全组参数
sg_name = "demo7-dev-sg"
}
module "demo7-dev-vpc" {
# git::ssh://git@e.coding.net/<username>/<project>/<git_repo>.git//<sub_dir>
source = "git::ssh://git@e.coding.net/LotusChing/terraform/terraform-aliyun-modules.git//vpc"
vpc_name = local.vpc_name
vsw_name = local.vsw_name
# 搜索拥有特定 ecs 规格资源的可用区(zones)
ecs_spec = local.ecs_spec
}
module "demo7-dev-sg" {
source = "git::ssh://git@e.coding.net/LotusChing/terraform/terraform-aliyun-modules.git//security_group"
sg_name = local.sg_name
vpc_id = module.demo7-dev-vpc.vpc_id
}outputs.tf
output "vpc_id" {
# 返回值,供以 service 目录中的资源(通过 data 查询 tfstate 间接使用)
value = module.demo7-dev-vpc.vpc_id
}
output "vsw_id" {
# 返回值,供以 service 目录中的资源(通过 data 查询 tfstate 间接使用)
value = module.demo7-dev-vpc.vsw_id
}
output "sg_id" {
# 返回值,供以 service 目录中的资源(通过 data 查询 tfstate 间接使用)
value = module.demo7-dev-sg.sg_id
}(2)service
providers、variables、versions 等 tf 文件保持不变,略过
service 目录中单独存放一份 backend,主要原因是此目录中的资源变更频率较高,为了单独抽离出来
terraform {
backend "oss" {
# 阿里云账户 AK、SK
access_key = "LTAI5tH8XXX"
secret_key = "sMIec7G5WKkfbpXXX"
# bucket 实例,可以多环境使用同一实例,用 prefix 区分开即可
bucket = "terraform-backend-data-dayo"
# 规则:<project>/<env>/<resource>
prefix = "demo7/dev/service"
# tfstate 文件名称,建议参考 prefix 格式
key = "terraform-demo7-dev-service.tfstate"
region = "cn-beijing"
# ots table,可以多环境使用同一张表,表内会存在多条 tfstate 信息 记录
tablestore_table = "terraform_table"
# ots 实例访问地址
tablestore_endpoint = "https://tf-instance-dayo.cn-beijing.ots.aliyuncs.com"
}
}main.tf
# 通过 远程存储 获取网络资源信息,如 vsw_id sg_id 等
data "terraform_remote_state" "network-data" {
backend = "oss"
config = {
access_key = "LTAI5tH8XXX"
secret_key = "sMIec7G5WKkfbpXXXXXX"
bucket = "terraform-backend-data-dayo"
prefix = "demo7/dev/network"
key = "terraform-demo7-dev-network.tfstate"
region = "cn-beijing"
}
}outputs.tf
output "ecs_ids" {
value = module.demo7-dev-ecs[*].ecs_id
}
output "ecs_images" {
value = module.demo7-dev-ecs[*].ecs_image_id
}
output "ecs_spec" {
value = module.demo7-dev-ecs[*].ecs_spec
}
output "ecs_public_ip" {
value = module.demo7-dev-ecs[*].ecs_public_ip
}
output "eip_address" {
value = module.demo7-dev-eip.eip_ipaddress
}
output "web_url" {
value = module.demo7-dev-dns.web_access_url
}system-init-script.sh
#!/bin/sh
yum -y install nginx
systemctl enable nginx --now
echo `hostname` > /usr/share/nginx/html/index.html① ecs
ecs.tf
locals {
ecs_count = 2
ecs_name = "demo7-dev-ecs"
ecs_spec = "ecs.s6-c1m1.small"
image_name_regex = "^centos_7"
# 高效云盘
os_disk_category = "cloud_efficiency"
os_init_script = "system-init-script.sh"
sg_id = data.terraform_remote_state.network-data.outputs.sg_id
vsw_id = data.terraform_remote_state.network-data.outputs.vsw_id
}
module "demo7-dev-ecs" {
count = local.ecs_count
source = "git::ssh://git@e.coding.net/LotusChing/terraform/terraform-aliyun-modules.git//ecs"
ecs_name = "${local.ecs_name}-${count.index}"
ecs_spec = local.ecs_spec
image_name_regex = local.image_name_regex
os_disk_category = local.os_disk_category
os_init_script = local.os_init_script
sg_id = local.sg_id
vsw_id = local.vsw_id
}② slb
slb.tf
locals {
# 1. SLB 实例
slb_name = "demo7-dev-slb"
address_type = "intranet"
payment_type = "PayAsYouGo"
load_balancer_spec = "slb.s1.small"
# 2. 虚拟服务器组
server_group_name = "demo7-dev-webservers"
# 3. 虚拟服务器中成员
backend_server_ids = module.demo7-dev-ecs[*].ecs_id
backend_server_port = 80
backend_server_weight = 100
# 4. SLB 端口监听
protocol = "http"
bandwidth = 10
lb_scheduler = "rr"
frontend_slb_port = 80
}
module "demo7-dev-slb" {
source = "git::ssh://git@e.coding.net/LotusChing/terraform/terraform-aliyun-modules.git//slb"
# 1. SLB 实例
slb_name = local.slb_name
address_type = local.address_type
payment_type = local.payment_type
load_balancer_spec = local.load_balancer_spec
vsw_id = data.terraform_remote_state.network-data.outputs.vsw_id
# 2. 虚拟服务器组
server_group_name = local.server_group_name
# 3. 虚拟服务器中成员
backend_server_ids = local.backend_server_ids
backend_server_port = local.backend_server_port
backend_server_weight = local.backend_server_weight
# 4. SLB 端口监听
protocol = local.protocol
bandwidth = local.bandwidth
lb_scheduler = local.lb_scheduler
frontend_slb_port = local.frontend_slb_port
}③ eip
eip.tf
locals {
slb_instance_id = module.demo7-dev-slb.slb_id
}
module "demo7-dev-eip" {
source = "git::ssh://git@e.coding.net/LotusChing/terraform/terraform-aliyun-modules.git//eip"
slb_instance_id = local.slb_instance_id
}④ dns
dns.tf
locals {
domain_name = "yo-yo.fun"
host_record = "dev.demo7"
record_type = "A"
ip_address = module.demo7-dev-eip.eip_ipaddress
# 开启禁用解析记录 ENABLE、DISABLE
record_status = "ENABLE"
ttl = "600"
}
module "demo7-dev-dns" {
source = "git::ssh://git@e.coding.net/LotusChing/terraform/terraform-aliyun-modules.git//dns"
domain_name = local.domain_name
host_record = local.host_record
record_type = local.record_type
ip_address = local.ip_address
record_status = local.record_status
ttl = local.ttl
}3.3.6 创建资源
准备完以上文件,便可以开始创建资源,首先从 network 开始
$ cd env/dev/network
# 语法检查
$ tf validate
# 此步会下载 git 中存放的 modules
$ tf init
# 查看预计创建的资源对象
$ tf plan
# 执行创建,可能会出现网络错误等异常,重试几次可以
# 完成后检查 vpc、vsw 控制台
$ tf apply接着,创建 service 目录中的资源
$ cd env/dev/service
# 语法检查
$ tf validate
# 此步会下载 git 中存放的 modules
$ tf init
# 查看预计创建的资源对象
$ tf plan
# 执行创建,可能会出现网络错误等异常,重试几次可以
# 完成后检查 ecs、slb、dns 控制台
$ tf apply
