TERRAFORM 进阶

阅读数:101 2019 年 10 月 8 日 11:28

TERRAFORM 进阶

第 3 章 Terraform 进阶

Terraform 的功能非常丰富,可以通过 Providers 来提供对多平台的支持,通过 Provisioners 来实现本地与远程的脚本调用等功能,支持 ssh 与 winrm 的连接方式,也能作为 Chef Client 的方式运行,通过 Modules 去重用组件提高开发效率,大数 AWS 资源都能通过官方托管的 Module Sources 来重用。

本章节我们将利用更多的 Terraform 功能,来实现较复杂场景的部署。

3.1 部署架构

以上架构要采用常见的三层应用方式,Web 层位于公网,App 与 DB 层位于私有网段,Web 层安全组开放 80 及 22 端口,App 层安全组对 Web 层开放,DB 层安全组对 App 层开放。

TERRAFORM 进阶

3.2 配置文件

新建一个 helloworld2 目录,将下面的四个文件存放到同一目录,文件的易读比较好,这里不对内容做详细解释,有关详细使用方法可以参考如下:

https://www.terraform.io/docs/index.html

https://registry.terraform.io/browse?provider=aws

3.2.1 variable.tf

变量申明, 编辑名为 variable.tf 的文件,内容如下

复制代码
variable "aws_access_key" {}
variable "aws_secret_key" {}
variable "aws_key_pair" {}
variable "aws_region" {}
variable "inst_ami" {}
variable "inst_type" {}

3.2.2 terraform.tfvars

编辑名为 terraform.tfvars 的文件,内容如下

复制代码
aws_access_key = "Access Key"
aws_secret_key = "Secret_Key"
aws_key_pair = "Your Key Pair"
aws_region = "cn-north-1"
inst_ami = "ami-fba67596"
inst_type = "t2.micro"

3.2.3 aws.tf

编辑名为 aws.tf 的文件,内容如下

复制代码
provider "aws" {
access_key = "${var.aws_access_key}"
secret_key = "${var.aws_secret_key}"
region = "${var.aws_region}"
}

3.2.4 main.tf

编辑名为 main.tf 的文件,内容如下

复制代码
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "myvpc"
cidr = "10.10.0.0/16"
azs = ["cn-north-1a", "cn-north-1b"]
public_subnets = ["10.10.0.0/24", "10.10.10.0/24"]
private_subnets = ["10.10.1.0/24", "10.10.11.0/24"]
database_subnets = ["10.10.2.0/24", "10.10.12.0/24"]
create_database_subnet_group = true
enable_dns_hostnames = true
enable_dns_support = true
enable_dynamodb_endpoint = true
enable_s3_endpoint = true
tags = {
Owner = "user"
Environment = "staging"
}
}
module "websg" {
source = "terraform-aws-modules/security-group/aws"
name = "web-service"
description = "Security group for HTTP and SSH within VPC"
vpc_id = "${module.vpc.vpc_id}"
ingress_rules = ["http-80-tcp", "https-443-tcp", "ssh-tcp", "all-icmp"]
ingress_cidr_blocks = ["0.0.0.0/0"]
ingress_ipv6_cidr_blocks = []
egress_rules = ["all-all"]
egress_cidr_blocks = ["0.0.0.0/0"]
egress_ipv6_cidr_blocks = []
}
module "appsg" {
source = "terraform-aws-modules/security-group/aws"
name = "app-service"
description = "Security group for App within VPC"
vpc_id = "${module.vpc.vpc_id}"
ingress_ipv6_cidr_blocks = []
egress_ipv6_cidr_blocks = []
ingress_with_source_security_group_id = [
{
rule = "all-all"
source_security_group_id = "${module.websg.this_security_group_id}"
},
]
egress_with_source_security_group_id = [
{
rule = "all-all"
source_security_group_id = "${module.websg.this_security_group_id}"
},
]
}
module "dbssg" {
source = "terraform-aws-modules/security-group/aws"
name = "dbs-service"
description = "Security group for Database within VPC"
vpc_id = "${module.vpc.vpc_id}"
ingress_ipv6_cidr_blocks = []
egress_ipv6_cidr_blocks = []
ingress_with_source_security_group_id = [
{
rule = "all-all"
source_security_group_id = "${module.appsg.this_security_group_id}"
},
]
egress_with_source_security_group_id = [
{
rule = "all-all"
source_security_group_id = "${module.appsg.this_security_group_id}"
},
]
}
module "ec2_web_1a" {
source = "terraform-aws-modules/ec2-instance/aws"
name = "web_1a"
instance_count = 1
ami = "${var.inst_ami}"
instance_type = "${var.inst_type}"
key_name = "${var.aws_key_pair}"
monitoring = true
vpc_security_group_ids = ["${module.websg.this_security_group_id}"]
subnet_id = "${module.vpc.public_subnets[0]}"
associate_public_ip_address = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "ec2_web_1b" {
source = "terraform-aws-modules/ec2-instance/aws"
name = "web_1b"
instance_count = 1
ami = "${var.inst_ami}"
instance_type = "${var.inst_type}"
key_name = "${var.aws_key_pair}"
monitoring = true
vpc_security_group_ids = ["${module.websg.this_security_group_id}"]
subnet_id = "${module.vpc.public_subnets[1]}"
associate_public_ip_address = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "ec2_app_1a" {
source = "terraform-aws-modules/ec2-instance/aws"
name = "app_1a"
instance_count = 2
ami = "${var.inst_ami}"
instance_type = "${var.inst_type}"
key_name = "${var.aws_key_pair}"
monitoring = true
vpc_security_group_ids = ["${module.appsg.this_security_group_id}"]
subnet_id = "${module.vpc.private_subnets[0]}"
associate_public_ip_address = false
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "ec2_app_1b" {
source = "terraform-aws-modules/ec2-instance/aws"
name = "app_1b"
instance_count = 2
ami = "${var.inst_ami}"
instance_type = "${var.inst_type}"
key_name = "${var.aws_key_pair}"
monitoring = true
vpc_security_group_ids = ["${module.appsg.this_security_group_id}"]
subnet_id = "${module.vpc.private_subnets[1]}"
associate_public_ip_address = false
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "mysql01" {
source = "terraform-aws-modules/rds/aws"
identifier = "mysql01"
engine = "mysql"
engine_version = "5.7.11"
instance_class = "db.t2.small"
allocated_storage = 20
storage_type = "gp2"
name = "demodb"
username = "myadmin"
password = "rootroot"
port = "3306"
multi_az = true
vpc_security_group_ids = ["${module.dbssg.this_security_group_id}"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
tags = {
Owner = "user"
Environment = "dev"
}
subnet_ids = ["${module.vpc.database_subnets}"]
family = "mysql5.7"
final_snapshot_identifier = false
backup_retention_period = 0
publicly_accessible = false
parameters = [
{
name = "character_set_client"
value = "utf8"
},
{
name = "character_set_server"
value = "utf8"
},
]
}

###3.3 部署运行

3.3.1 初始化

运行 terraform init 进行初始化,等待插件与 Module 自动下载

TERRAFORM 进阶

3.3.2 查看计划

运行 terraform plan 执行计划,暂时忽略这个报错,有可能是安全组相互引用的问题,在后面分段运行即可。

TERRAFORM 进阶

3.3.3 分块运行

由于资源相互引用,请按下面的顺序执行,也可以放一个 shell 脚本里面。运行过程有可能遇到时间过长,在控制台上看到资源都已经建好,请耐心等待。

1)terraform apply -target=module.vpc ### 创建 VPC 及相关资源

请留意最后一行,表示增加 29 个资源

Apply complete! Resources: 29(27) added, 0 changed, 0 destroyed.
TERRAFORM 进阶

2)terraform apply -target=module.websg ### 创建 Web 层安全组

TERRAFORM 进阶

3)terraform apply -target=module.appsg ### 创建 App 层安全组
TERRAFORM 进阶

4)terraform apply -target=module.dbssg ### 创建 DB 层安全组

TERRAFORM 进阶

5)terraform apply -target=module.ec2_web_1a ### 创建 EC2 Web
TERRAFORM 进阶

6)terraform apply -target=module.ec2_web_1b ### 创建 EC2 Web

TERRAFORM 进阶

7)terraform apply -target=module.ec2_app_1a ### 创建 2 个 EC2 APP
TERRAFORM 进阶

8)terraform apply -target=module.ec2_app_1b ### 创建 2 个 EC2 APP

TERRAFORM 进阶

9)terraform apply -target=module. mysql01 ### 创建多 AZ MySQL 实例

TERRAFORM 进阶

3.4 环境检查

3.4.1 VPC 相关

TERRAFORM 进阶TERRAFORM 进阶TERRAFORM 进阶TERRAFORM 进阶TERRAFORM 进阶TERRAFORM 进阶
TERRAFORM 进阶

3.4.2 EC2 相关

TERRAFORM 进阶

3.4.3 MySQL 相关

TERRAFORM 进阶

3.5 资源回收

terraform destroy ### 将自动删除所有创建的资源即可
————

使用 Terraform 在 AWS 中国区域实现自动化部署指南系列(一) TERRAFORM 入门

使用 Terraform 在 AWS 中国区域实现自动化部署指南系列(二) TERRAFORM 进阶(本博文)

作者介绍:

韩旭明
亚马逊 AWS 合作伙伴解决方案架构师。历任惠普,埃森哲等公司,为中国石油,国家电网等客户提供服务,十八年工作经历中,在众多项目中担任解决方案架构师、咨询经理等职务,为客户提供云计算咨询、架构设计、实施,IT 运维管理等,并在云计算的架构,安全,与运维管理有丰富经验。

本文转载自 AWS 技术博客。

原文链接:
https://amazonaws-china.com/cn/blogs/china/aws-china-region-guide-series-terraform2/

欲了解 AWS 的更多信息,请访问【AWS 技术专区】

评论

发布