Making friends with Terraform (1)
I recently started working with Terraform.
So far I have only done the VPC-related parts, but I want to keep learning and using it, so I am going to start publishing my configuration as I go.
Runtime environment
First, the environment Terraform runs in.
- Mac OS X 10.11.6
- Terraform v0.7.3
Installation
There is a download page.
After downloading, just add the directory to $PATH and the binary is ready to use.
With $PATH set, you can confirm the version of the downloaded binary.
$ export PATH=/hoge/terraform:$PATH
$ terraform version
Terraform v0.7.3
Initial setup
Terraform creates the AWS environment using an AWS IAM identity, so first create an IAM user granted the permissions it needs.
Terraform lets you define the values of input variables centrally in terraform.tfvars.
Since the IAM user's credentials can be defined here, that is what I will write in it.
$ cat terraform.tfvars
access_key = "xxxxxxxxxxxxxxxxx"
secret_key = "xxxxxxxxxxxxxxxxxxxxxxx"
region = "ap-northeast-1"
In Terraform, you declare the variables that .tf files can use with variable blocks.
Because the contents of terraform.tfvars above are passed in as those variables, each of them has to be declared.
$ cat variables.tf
variable "access_key" {}
variable "secret_key" {}
variable "region" {}
Configure the AWS provider using the variables declared above.
$ cat aws.tf
provider "aws" {
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
region = "${var.region}"
}
That completes the initial setup.
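As an added example (not code from the original post), the following Python script cross-checks a variables.tf against a terraform.tfvars the way Terraform itself will: a value for a variable that was never declared is an error, and a declared variable with no value has to be supplied some other way. It also reports which variables carry credentials in a file on disk. The two inputs are constructed to mirror the post's files; the key values are AWS's documented placeholder credentials, not real ones, and the parser only handles the simple one-assignment-per-line shape used in the post.

```python
"""Cross-check a Terraform 0.7-style variables.tf against terraform.tfvars.

Added example, not part of the original post. Assumes the simple
one-assignment-per-line shape the post uses; full HCL is richer than this.
"""
import re

# Constructed sample inputs mirroring the post's files. The access/secret key
# values are AWS's documented placeholder credentials, not real ones.
VARIABLES_TF = '''
variable "access_key" {}
variable "secret_key" {}
variable "region" {}
'''

TERRAFORM_TFVARS = '''
access_key = "AKIAIOSFODNN7EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region = "ap-northeast-1"
'''

DECL_RE = re.compile(r'^\s*variable\s+"([^"]+)"\s*\{', re.MULTILINE)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
# Shape of an AWS access key ID (long-term AKIA..., temporary ASIA...).
# Secret keys have no fixed prefix, so those are caught by variable name.
ACCESS_KEY_ID_RE = re.compile(r'^(AKIA|ASIA)[0-9A-Z]{16}$')
SECRET_NAMES = {"access_key", "secret_key"}


def declared_variables(tf_text):
    """Return the set of variable names declared with `variable "..." {}`."""
    return set(DECL_RE.findall(tf_text))


def assigned_variables(tfvars_text):
    """Return {name: value} for simple string assignments in a .tfvars file."""
    return dict(ASSIGN_RE.findall(tfvars_text))


def check_variables(tf_text, tfvars_text):
    """Return findings: assignments with no declaration, declarations with no
    value, and variables whose value is a credential stored in a file."""
    declared = declared_variables(tf_text)
    assigned = assigned_variables(tfvars_text)
    findings = {
        # Terraform rejects a value for a variable that was never declared.
        "undeclared": sorted(set(assigned) - declared),
        # Declared but unset: Terraform prompts for it (or fails non-interactively).
        "unset": sorted(declared - set(assigned)),
        "credentials_in_file": [],
    }
    for name, value in assigned.items():
        if name in SECRET_NAMES or ACCESS_KEY_ID_RE.match(value):
            findings["credentials_in_file"].append(name)
    findings["credentials_in_file"].sort()
    return findings


if __name__ == "__main__":
    for kind, names in check_variables(VARIABLES_TF, TERRAFORM_TFVARS).items():
        print(f"{kind}: {names}")
```

The AWS provider also reads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment when the access_key and secret_key arguments are left out, so the credentials never have to sit in a tfvars file that could end up in version control; if you do keep them in a file, exclude it from the repository.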
Creating a VPC
This time we will create a VPC and VPC Flow Logs.
What I actually defined is shown below.
$ cat aws_vpc.tf
# Create a VPC to launch our instances into
resource "aws_vpc" "vpc-test" {
  cidr_block = "10.200.0.0/16"
  tags {
    Name = "vpc-test"
  }
}

# Create VPC Flow Logs for the VPC above, delivered to CloudWatch Logs
resource "aws_flow_log" "vpc-flow-logs-test" {
  log_group_name = "vpc-flow-logs-test"
  iam_role_arn   = "${aws_iam_role.test_role.arn}"
  vpc_id         = "${aws_vpc.vpc-test.id}"
  traffic_type   = "ALL"
}

# Role that the VPC Flow Logs service assumes to write to CloudWatch Logs
resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions the role needs to create log streams and put log events
resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = "${aws_iam_role.test_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Log group that receives the flow logs
resource "aws_cloudwatch_log_group" "vpc-flow-logs-test" {
  name              = "vpc-flow-logs-test"
  retention_in_days = "7"
}
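The two IAM documents above are the part of this configuration worth a second look: the trust policy decides who may assume the role, and the permissions policy grants logs:Create*/Put* on every resource ("*") rather than on the one log group the flow logs write to. As an added example (not code from the original post), this Python linter checks both documents for the properties you would want before applying: the trust policy admits only the vpc-flow-logs.amazonaws.com service principal with sts:AssumeRole, and the permissions policy has no wildcard actions and no state-changing actions on Resource "*". The policy JSON is copied from the post; the extra test inputs are constructed.

```python
"""Lint the IAM documents attached to the flow-log role from the post.

Added example, not part of the original post. The two documents below are
the post's own trust and permissions policies, parsed from their heredocs.
"""
import json

# Trust policy from aws_iam_role.test_role in the post.
TRUST_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}''')

# Permissions policy from aws_iam_role_policy.test_policy in the post.
PERMISSIONS_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]
}''')

EXPECTED_TRUSTED_SERVICE = "vpc-flow-logs.amazonaws.com"
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc):
    """Report anything beyond a single Allow of sts:AssumeRole to the
    VPC Flow Logs service principal."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        for svc in services:
            if svc != EXPECTED_TRUSTED_SERVICE:
                findings.append(f"unexpected trusted service: {svc}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {action}")
    return findings


def lint_permissions_policy(doc):
    """Report wildcard actions, and state-changing actions granted on
    Resource "*" instead of a scoped ARN."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action: {action}")
        if "*" in resources:
            # Everything that is not Describe*/List*/Get* changes state.
            writes = [a for a in actions
                      if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
            if writes:
                findings.append('write actions on Resource "*": ' + ", ".join(writes))
    return findings


if __name__ == "__main__":
    print("trust:", lint_trust_policy(TRUST_POLICY))
    print("permissions:", lint_permissions_policy(PERMISSIONS_POLICY))
```

Against the post's documents the trust policy comes back clean and the permissions policy is flagged for logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on "*". The usual fix is to split the statement: scope the write actions to the log group's ARN (arn:aws:logs:<region>:<account-id>:log-group:vpc-flow-logs-test:*), and keep "*" only for logs:DescribeLogGroups, which does not support resource-level permissions.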
There is a feature for doing a dry run of what you have defined. Running terraform plan -var-file=<variable definitions file> reads the file that defines the variables and shows what would be done without changing anything.
$ terraform plan -var-file=terraform.tfvars
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.
The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.
Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.
+ aws_cloudwatch_log_group.vpc-flow-logs-test
arn: "<computed>"
name: "vpc-flow-logs-test"
retention_in_days: "7"
+ aws_flow_log.vpc-flow-logs-test
iam_role_arn: "${aws_iam_role.test_role.arn}"
log_group_name: "aws-vpc-vpc-test"
traffic_type: "ALL"
vpc_id: "${aws_vpc.vpc-test.id}"
+ aws_iam_role.test_role
arn: "<computed>"
assume_role_policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"vpc-flow-logs.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\n"
name: "test_role"
path: "/"
unique_id: "<computed>"
+ aws_iam_role_policy.test_policy
name: "test_policy"
policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n} \n"
role: "${aws_iam_role.test_role.id}"
+ aws_vpc.vpc-test
cidr_block: "10.200.0.0/16"
default_network_acl_id: "<computed>"
default_route_table_id: "<computed>"
default_security_group_id: "<computed>"
dhcp_options_id: "<computed>"
enable_classiclink: "<computed>"
enable_dns_hostnames: "<computed>"
enable_dns_support: "<computed>"
instance_tenancy: "<computed>"
main_route_table_id: "<computed>"
tags.%: "1"
tags.Name: "vpc-test"
Plan: 5 to add, 0 to change, 0 to destroy.
Looks like it passed.
After that, the environment created as a trial can be removed with terraform destroy.
That was easy! Next I want to try creating the remaining VPC resources and EC2.
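The plan output above is the natural place to put a gate before apply: it lists each resource with a symbol (+ create, ~ change in place, - destroy, -/+ replace) and ends with a "Plan: N to add, N to change, N to destroy." line. As an added example (not code from the original post), this Python script parses that text and refuses a plan that destroys or replaces anything, or that touches a resource type outside an allow-list. The plan excerpt it runs on is constructed in the shape of the post's output; the allow-list is an assumption matching the five resource types the post creates, and the parser targets the plain-text format Terraform 0.7 prints.

```python
"""Turn the text of `terraform plan` into a pre-apply gate.

Added example, not part of the original post. Parses the plain-text plan
format Terraform 0.7 prints (the shape shown in the post).
"""
import re

# Constructed excerpt in the shape of the post's plan output.
SAMPLE_PLAN = """\
+ aws_cloudwatch_log_group.vpc-flow-logs-test
    arn:               "<computed>"
    name:              "vpc-flow-logs-test"
    retention_in_days: "7"

+ aws_flow_log.vpc-flow-logs-test
    iam_role_arn:   "${aws_iam_role.test_role.arn}"
    log_group_name: "vpc-flow-logs-test"
    traffic_type:   "ALL"
    vpc_id:         "${aws_vpc.vpc-test.id}"

+ aws_vpc.vpc-test
    cidr_block: "10.200.0.0/16"

Plan: 3 to add, 0 to change, 0 to destroy.
"""

# Resource lines start at column 0 with the action symbol; attribute lines are indented.
RESOURCE_RE = re.compile(r'^([-+~]|-/\+)\s+([A-Za-z0-9_]+\.[A-Za-z0-9_.\-\[\]"]+)\s*$', re.MULTILINE)
SUMMARY_RE = re.compile(r'^Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.$', re.MULTILINE)

# Assumed allow-list: the resource types this post's configuration creates.
ALLOWED_TYPES = frozenset({
    "aws_vpc", "aws_flow_log", "aws_cloudwatch_log_group",
    "aws_iam_role", "aws_iam_role_policy",
})


def parse_plan(text):
    """Return (actions, summary): actions maps resource address -> action symbol,
    summary is the (add, change, destroy) tuple from the final Plan: line."""
    actions = {addr: sym for sym, addr in RESOURCE_RE.findall(text)}
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Plan:' summary line found")
    return actions, tuple(int(n) for n in m.groups())


def plan_violations(text, allowed_types=ALLOWED_TYPES):
    """Return the reasons a plan should not be applied unattended: any destroy
    or replace, and any resource whose type is outside the allow-list."""
    actions, (add, change, destroy) = parse_plan(text)
    reasons = []
    if destroy:
        reasons.append(f"plan destroys {destroy} resource(s)")
    for addr, sym in actions.items():
        if sym in ("-", "-/+"):
            reasons.append(f"{addr} would be destroyed or replaced")
        rtype = addr.split(".", 1)[0]
        if rtype not in allowed_types:
            reasons.append(f"{addr} has a type outside the allow-list")
    return reasons


if __name__ == "__main__":
    problems = plan_violations(SAMPLE_PLAN)
    print("OK to apply" if not problems else "\n".join(problems))
```

Note the plan output's own warning: without -out, apply recomputes the plan and may not do exactly what was reviewed. Saving the plan with terraform plan -out=<file> and then applying that file is what makes a gate like this binding.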