Installing and using Terraformer (Google Cloud, AWS, Azure, Datadog), and generating Terraform code with gcloud
Introduction
There is a cloud tool called Terraformer that generates Terraform code from existing resources (developed by the SRE team at Waze, a Google subsidiary).
Here I summarize how to install it and record the results of running it against each cloud platform (Google Cloud, AWS, Azure, Datadog).
Google Cloud also offers a gcloud preview feature that can generate Terraform code, which is described here as well.
Terraformer installation
Following the installation section of the documentation, download the latest binary from GitHub, rename it, and place it on the path.
OS
Rocky Linux release 9.1 (Blue Onyx)
Installation steps (Shell)
export PROVIDER=all
curl -LO https://github.com/GoogleCloudPlatform/terraformer/releases/download/$(curl -s https://api.github.com/repos/GoogleCloudPlatform/terraformer/releases/latest | grep tag_name | cut -d '"' -f 4)/terraformer-${PROVIDER}-linux-amd64
chmod +x terraformer-${PROVIDER}-linux-amd64
sudo mv terraformer-${PROVIDER}-linux-amd64 /usr/local/bin/terraformer
Installation with Ansible tasks
# https://github.com/GoogleCloudPlatform/terraformer#installation
## 0.8.22 = tag_name / latest check "curl -s https://api.github.com/repos/GoogleCloudPlatform/terraformer/releases/latest | grep tag_name"
- name: install terraformer 0.8.22
  get_url:
    url: https://github.com/GoogleCloudPlatform/terraformer/releases/download/0.8.22/terraformer-all-linux-amd64
    dest: /usr/local/bin/terraformer
    mode: "+x"
  become: yes
※ 0.8.22 is the version at the time of writing.
Confirm that Terraformer is installed
After installation, run the following command to confirm that the binary is on the path.
$ terraformer -v
version v0.8.22
Installing google-cloud-sdk-config-connector for Google Cloud (the gcloud extension for Terraform code generation)
Installation is available either via an install script or via a package repository.
Here, installation via the repository is described.
Manual installation
Configure according to documentation 1 and documentation 2.
Because the service account may not be created automatically, the command to create it is included (documentation).
sudo tee -a /etc/yum.repos.d/google-cloud-sdk.repo << EOM
[google-cloud-cli]
name=Google Cloud CLI
baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOM
sudo dnf install google-cloud-cli
export PROJECT_ID=[]
export PROJECT_NUMBER=[]
gcloud components install config-connector
gcloud services enable cloudasset.googleapis.com --project $PROJECT_ID
gcloud beta services identity create --service=cloudasset.googleapis.com --project $PROJECT_ID
gcloud --project $PROJECT_ID projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:service-$PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com \
--role=roles/servicenetworking.serviceAgent
gcloud --project $PROJECT_ID projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:service-$PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com \
--role=roles/storage.objectAdmin
Installation (Ansible, Terraform)
The local side is installed with Ansible, and the cloud side is configured with Terraform.
- name: install yum repository
  yum_repository:
    name: google-cloud-sdk
    description: "Google Cloud SDK repo"
    baseurl: https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64
    enabled: no
    gpgcheck: yes
    repo_gpgcheck: yes
    gpgkey:
      - https://packages.cloud.google.com/yum/doc/yum-key.gpg
      - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
  become: true
- name: install google cloud sdk
  dnf:
    name: google-cloud-sdk
    state: latest
    enablerepo: "google-cloud-sdk"
  become: true
- name: install google-cloud-sdk components
  dnf:
    name: "{{ packages }}"
    state: latest
    update_cache: yes
    enablerepo: "google-cloud-sdk"
  vars:
    packages:
      - google-cloud-sdk-config-connector
  become: true
resource "google_project_service" "cloudasset_api_enable" {
  project                    = google_project.main.id
  disable_dependent_services = true
  service                    = "cloudasset.googleapis.com"
}
resource "google_project_service_identity" "cloudasset_sa" {
  provider = google-beta
  project  = google_project.main.name
  service  = "cloudasset.googleapis.com"
  depends_on = [
    google_project_service.cloudasset_api_enable,
  ]
}
resource "google_project_iam_binding" "servicenetworking_serviceagent" {
  project = google_project.main.id
  role    = "roles/servicenetworking.serviceAgent"
  members = [
    "serviceAccount:service-${google_project.main.number}@gcp-sa-cloudasset.iam.gserviceaccount.com"
  ]
  depends_on = [
    google_project_service_identity.cloudasset_sa,
  ]
}
resource "google_project_iam_binding" "storage_objectadmin" {
  project = google_project.main.id
  role    = "roles/storage.objectAdmin"
  members = [
    "serviceAccount:service-${google_project.main.number}@gcp-sa-cloudasset.iam.gserviceaccount.com"
  ]
  depends_on = [
    google_project_service_identity.cloudasset_sa,
  ]
}
Usage on Google Cloud
On Google Cloud, Terraform code can be generated in two ways, with Terraformer and with gcloud, so they are described separately.
Terraformer
To set up the Terraform execution environment, specify the provider and version in version.tf.
mkdir google-terraformer
cd google-terraformer
vi version.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.52.0"
    }
  }
  required_version = ">= 0.13"
}
Set the key of a service account that has the required permissions and the target project in environment variables, then initialize with terraform init. The explanation of GOOGLE_APPLICATION_CREDENTIALS is omitted here (see the documentation).
export GOOGLE_APPLICATION_CREDENTIALS=[YOUR TERRAFORM SERVICE ACCOUNT KEY JSON]
export GCP_PROJECT=[YOUR GCP PROJECT ID]
terraform init
Try an import with Terraformer as follows.
For the IAM import, the executing account needs permissions that include viewer and service account read access.
terraformer import google -r project,iam --projects=$GCP_PROJECT
Without the -z [region] option, the Terraform code is generated in the structure shown below. Since the default is global, an option such as -z asia-northeast1 has to be added to pick up regional resources.
|-- generated
|   `-- google
|       `-- [GCP_PROJECT]
|           |-- iam
|           |   `-- global
|           |       |-- outputs.tf
|           |       |-- project_iam_member.tf
|           |       |-- provider.tf
|           |       `-- terraform.tfstate
|           `-- project
|               `-- global
|                   |-- outputs.tf
|                   |-- project.tf
|                   |-- provider.tf
|                   `-- terraform.tfstate
`-- version.tf
To target everything, run with -r="*" as follows (see the documentation linked below for details). However, accessing every service that Terraformer supports tends to produce frequent errors, so when using "*" it is easier to run with roles/owner.
terraformer import google -r="*" --projects=$GCP_PROJECT
When run against all resources, the following folder structure is created
(for a resource type with no resources, only provider.tf and terraform.tfstate are created, containing nothing but the provider and version).
$ ls generated/google/$GCP_PROJECT/
addresses dns healthChecks instances nodeGroups regionHealthChecks resourcePolicies targetHttpProxies vpnTunnels
autoscalers externalVpnGateways httpHealthChecks interconnectAttachments nodeTemplates regionInstanceGroupManagers routers targetHttpsProxies
backendBuckets firewall httpsHealthChecks kms packetMirrorings regionInstanceGroups routes targetInstances
backendServices forwardingRules iam logging project regionSslCertificates schedulerJobs targetPools
bigQuery gcs images memoryStore pubsub regionTargetHttpProxies securityPolicies targetSslProxies
cloudFunctions gke instanceGroupManagers monitoring regionAutoscalers regionTargetHttpsProxies sslCertificates targetTcpProxies
dataProc globalAddresses instanceGroups networkEndpointGroups regionBackendServices regionUrlMaps sslPolicies targetVpnGateways
disks globalForwardingRules instanceTemplates networks regionDisks reservations subnetworks urlMaps
$ ls generated/google/$GCP_PROJECT/cloudFunctions/global/
provider.tf terraform.tfstate
To run the generated code, first move into the target folder and then run it. Running it as is produces the following error:
$ cd generated/google/$GCP_PROJECT/iam/global/
$ terraform init
Initializing the backend...
╷
│ Error: Invalid legacy provider address
│
│ This configuration or its associated state refers to the unqualified provider "google".
│
│ You must complete the Terraform 0.13 upgrade process before upgrading to later versions.
Because Terraformer targets Terraform version 0.13, run the replace-provider command as described in the documentation.
$ terraform state replace-provider registry.terraform.io/-/google hashicorp/google
Terraform will perform the following actions:
~ Updating provider:
- registry.terraform.io/-/google
+ registry.terraform.io/hashicorp/google
...omitted...
After running init again it works without problems.
$ terraform init
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/google versions matching "~> 4.52.0"...
- Installing hashicorp/google v4.52.0...
- Installed hashicorp/google v4.52.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
...omitted...
$ terraform plan
...omitted...
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
An example of the output code is shown below (project and user domain are masked).
resource "google_project_iam_member" "tfer--roles-002F-owneruser-003A-suzuyu-0040-xxxxx-002E-xxxxx-002E-xxxxx" {
  member  = "user:suzuyu@xxxxx.xxxxx.xxx"
  project = "suzuyu-xxx-xxx-xxx"
  role    = "roles/owner"
}
gcloud
Bulk export is done with the gcloud resource-config bulk-export command using --resource-format=terraform.
As described in the documentation, you can specify the output folder and restrict the range of resources to generate when running it.
mkdir tf-output
export GCP_PROJECT=[YOUR GCP PROJECT ID]
gcloud auth activate-service-account [YOUR TERRAFORM SERVICE ACCOUNT] --key-file=[YOUR TERRAFORM SERVICE ACCOUNT KEY FILE]
gcloud beta resource-config bulk-export \
--resource-types=Project,IAMServiceAccount \
--project=$GCP_PROJECT \
--resource-format=terraform \
--path=tf-output
$ gcloud beta resource-config bulk-export \
--resource-types=Project,IAMServiceAccount \
--project=$GCP_PROJECT \
--resource-format=terraform \
--path=tf-output
Exporting resource configurations to [tf-output]...done.
Exported resource configuration(s) to [tf-output].
$ cd tf-output; tree
|-- [MASK Folder Number]
|   `-- Project
|       `-- [MASK PROJECT ID].tf
`-- projects
    `-- [MASK PROJECT ID]
        `-- IAMServiceAccount
            |-- [MASK PROJECT NUMBER]-compute.tf
            `-- [MASK ACCOUNT ID].tf
Unlike the Terraformer output above, only .tf code is generated; nothing like a state file is produced.
The supported resource types and their type names can be listed with the following command.
% gcloud beta resource-config list-resource-types
┌──────────────────────────────────────┬──────────────┬─────────┬──────┐
│ KRM KIND │ BULK EXPORT? │ EXPORT? │ IAM? │
├──────────────────────────────────────┼──────────────┼─────────┼──────┤
│ AccessContextManagerAccessLevel │ │ │ │
│ AccessContextManagerAccessPolicy │ │ │ x │
│ AccessContextManagerServicePerimeter │ │ │ │
│ ArtifactRegistryRepository │ x │ x │ x │
│ BigQueryDataset │ x │ x │ │
│ BigQueryJob │ │ x │ │
│ BigQueryTable │ x │ x │ x │
│ BigtableAppProfile │ x │ x │ │
│ BigtableGCPolicy │ │ │ │
│ BigtableInstance │ x │ x │ x │
│ BigtableTable │ x │ x │ x │
│ CloudBuildTrigger │ │ │ │
│ CloudIdentityGroup │ │ │ │
│ ComputeAddress │ x │ x │ │
│ ComputeAddress │ x │ x │ │
│ ComputeBackendBucket │ x │ x │ x │
│ ComputeBackendService │ x │ x │ │
│ ComputeBackendService │ x │ x │ │
│ ComputeDisk │ x │ x │ x │
│ ComputeDisk │ x │ x │ x │
│ ComputeExternalVPNGateway │ x │ x │ │
│ ComputeFirewall │ x │ x │ │
│ ComputeForwardingRule │ x │ x │ │
│ ComputeForwardingRule │ x │ x │ │
│ ComputeHTTPHealthCheck │ x │ x │ │
│ ComputeHTTPSHealthCheck │ x │ x │ │
│ ComputeHealthCheck │ x │ x │ │
│ ComputeHealthCheck │ x │ x │ │
│ ComputeImage │ x │ x │ x │
│ ComputeInstance │ x │ x │ x │
│ ComputeInstance │ x │ │ x │
│ ComputeInstanceGroup │ x │ x │ │
│ ComputeInstanceTemplate │ x │ x │ │
│ ComputeInterconnectAttachment │ x │ x │ │
│ ComputeNetwork │ x │ x │ │
│ ComputeNetworkEndpointGroup │ x │ x │ │
│ ComputeNetworkPeering │ │ │ │
│ ComputeNodeGroup │ x │ x │ │
│ ComputeNodeTemplate │ x │ x │ │
│ ComputeProjectMetadata │ │ │ │
│ ComputeRegionNetworkEndpointGroup │ │ │ │
│ ComputeReservation │ x │ x │ │
│ ComputeResourcePolicy │ x │ x │ │
│ ComputeRoute │ x │ x │ │
│ ComputeRouter │ x │ x │ │
│ ComputeRouterInterface │ │ │ │
│ ComputeRouterNAT │ │ │ │
│ ComputeRouterPeer │ │ │ │
│ ComputeSSLCertificate │ x │ x │ │
│ ComputeSSLCertificate │ x │ x │ │
│ ComputeSSLPolicy │ x │ x │ │
│ ComputeSecurityPolicy │ x │ x │ │
│ ComputeSharedVPCHostProject │ │ │ │
│ ComputeSharedVPCServiceProject │ │ │ │
│ ComputeSnapshot │ x │ x │ x │
│ ComputeSubnetwork │ x │ x │ x │
│ ComputeTargetGRPCProxy │ │ x │ │
│ ComputeTargetHTTPProxy │ x │ x │ │
│ ComputeTargetHTTPProxy │ x │ x │ │
│ ComputeTargetHTTPSProxy │ x │ x │ │
│ ComputeTargetHTTPSProxy │ x │ x │ │
│ ComputeTargetInstance │ x │ x │ │
│ ComputeTargetPool │ x │ x │ │
│ ComputeTargetSSLProxy │ │ x │ │
│ ComputeTargetTCPProxy │ x │ x │ │
│ ComputeTargetVPNGateway │ x │ x │ │
│ ComputeURLMap │ x │ x │ │
│ ComputeURLMap │ x │ x │ │
│ ComputeVPNGateway │ x │ x │ │
│ ComputeVPNTunnel │ x │ x │ │
│ ContainerCluster │ x │ x │ │
│ ContainerNodePool │ x │ │ │
│ DataflowFlexTemplateJob │ │ │ │
│ DataflowJob │ │ │ │
│ DNSManagedZone │ x │ x │ │
│ DNSPolicy │ x │ x │ │
│ DNSRecordSet │ │ │ │
│ FirestoreIndex │ │ │ │
│ IAMCustomRole │ x │ │ │
│ IAMServiceAccount │ x │ │ x │
│ IAMServiceAccountKey │ │ │ │
│ KMSCryptoKey │ x │ │ x │
│ KMSKeyRing │ x │ x │ x │
│ LoggingLogSink │ x │ │ │
│ MemcacheInstance │ x │ x │ │
│ MonitoringAlertPolicy │ x │ │ │
│ MonitoringNotificationChannel │ │ │ │
│ PubSubSchema │ │ x │ │
│ PubSubSubscription │ x │ x │ x │
│ PubSubTopic │ x │ x │ x │
│ RedisInstance │ x │ x │ │
│ Folder │ x │ x │ x │
│ Project │ x │ x │ x │
│ ResourceManagerLien │ │ │ │
│ ResourceManagerPolicy │ │ │ │
│ SecretManagerSecret │ x │ x │ x │
│ SecretManagerSecretVersion │ x │ │ │
│ ServiceDirectoryEndpoint │ │ x │ │
│ ServiceDirectoryNamespace │ x │ x │ x │
│ ServiceDirectoryService │ │ x │ x │
│ ServiceNetworkingConnection │ │ │ │
│ Service │ x │ x │ │
│ SourceRepoRepository │ x │ x │ x │
│ SpannerDatabase │ x │ x │ x │
│ SpannerInstance │ x │ x │ x │
│ SQLDatabase │ │ x │ │
│ SQLInstance │ x │ x │ │
│ SQLSSLCert │ │ │ │
│ SQLUser │ │ │ │
│ StorageBucket │ x │ │ x │
│ StorageBucketAccessControl │ │ │ │
│ StorageDefaultObjectAccessControl │ │ │ │
│ StorageNotification │ │ │ │
│ StorageTransferJob │ │ │ │
└──────────────────────────────────────┴──────────────┴─────────┴──────┘
When exporting all supported resource types rather than narrowing them with --resource-types, the tool tries to create a temporary Cloud Storage bucket; if an organization policy does not allow the us location, the following error occurs.
Exporting resource configurations to [tf-output]...done.
ERROR: (gcloud.beta.resource-config.bulk-export) Error executing export:: [error in 'config-connector' version '1.93.0': error creating temporary bucket and prefix: error creating bucket 'export-cftg36ie05dncbtar7q0': googleapi: Error 412: 'us' violates constraint 'constraints/gcp.resourceLocations', conditionNotMet
]
This can be avoided by creating the bucket in advance and specifying it with --storage-path
(grant the service account serviceAccount:service-${google_project.main.number}@gcp-sa-cloudasset.iam.gserviceaccount.com the Storage Legacy Object Owner and Storage Legacy Bucket Owner roles on that bucket, then run the export).
$ export STORAGE_NAME=[YOUR STORAGE NAME]
$ gcloud beta resource-config bulk-export \
--project=$GCP_PROJECT \
--resource-format=terraform \
--storage-path=gs://$STORAGE_NAME/ --path=tf-output
Exporting resource configurations to [tf-output]...done.
Exported resource configuration(s) to [tf-output].
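The list-resource-types table above shows which kinds support bulk export, and exporting everything at once makes the tool create a temporary bucket, so it is convenient to derive an explicit --resource-types value from that table (and, if needed, drop the kinds that trip an organization policy). The helper below is an added example, not code from the original post or from gcloud; it assumes the table is passed on stdin exactly as gcloud prints it, with │ as the column separator, and that the second column is BULK EXPORT?.

```shell
#!/bin/sh
# Added example (not from the original post). Turn the table printed by
# "gcloud beta resource-config list-resource-types" into a --resource-types
# value containing only the kinds marked "x" in the BULK EXPORT? column,
# deduplicated (the real table lists some kinds, e.g. ComputeAddress, twice).
# Reads the table on stdin, prints one comma-separated line.
bulk_exportable_kinds() {
  awk -F'│' '
    NF >= 5 {                                        # only rows with cells, not the ┌─┬ borders
      kind = $2; gsub(/^[ \t]+|[ \t]+$/, "", kind)   # column 1: KRM KIND
      bulk = $3; gsub(/[ \t]/, "", bulk)             # column 2: BULK EXPORT?
      if (kind == "" || kind == "KRM KIND") next     # header row
      if (bulk == "x" && !(kind in seen)) {
        seen[kind] = 1
        out = (out == "") ? kind : (out "," kind)
      }
    }
    END { print out }
  '
}

# Usage (needs gcloud and network; STORAGE_NAME as in the post):
#   KINDS=$(gcloud beta resource-config list-resource-types | bulk_exportable_kinds)
#   gcloud beta resource-config bulk-export --project="$GCP_PROJECT" \
#     --resource-format=terraform --resource-types="$KINDS" \
#     --storage-path="gs://$STORAGE_NAME/" --path=tf-output
```

Because the output is a plain comma-separated list, a subset is just a `grep -v` away (for example excluding every `Storage*` kind) before it is handed to `--resource-types`.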
Usage on AWS
To set up the execution environment, specify the provider and version in version.tf.
mkdir ~/aws-terraformer
cd ~/aws-terraformer
vi version.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.56.0"
    }
  }
  required_version = ">= 0.13"
}
Set an access key ID and secret access key with the required permissions in environment variables, then initialize with terraform init (the explanation of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY is omitted).
export AWS_ACCESS_KEY_ID="anaccesskey"
export AWS_SECRET_ACCESS_KEY="asecretkey"
terraform init
terraformer import aws --resources=s3,vpc --regions=ap-northeast-1 --profile=""
$ tree
.
|-- generated
|   `-- aws
|       |-- s3
|       |   |-- outputs.tf
|       |   |-- provider.tf
|       |   |-- s3_bucket.tf
|       |   `-- terraform.tfstate
|       `-- vpc
|           |-- outputs.tf
|           |-- provider.tf
|           |-- terraform.tfstate
|           `-- vpc.tf
`-- version.tf
Checking that the generated files work
Run the check after migrating the state file (documentation).
cd ~/aws-terraformer/generated/aws/s3/
terraform state replace-provider -auto-approve "registry.terraform.io/-/aws" "hashicorp/aws"
terraform init
terraform plan
The result is "No changes. Your infrastructure matches the configuration." A "Warning: Argument is deprecated" also appears, which indicates that the code output by Terraformer targets an older provider version.
Running against all resources generates the following resource types.
$ terraformer import aws --resources="*" --regions=ap-northeast-1 --profile=""
...output omitted...
$ ls generated/aws/
acm cloud9 codecommit devicefarm ecs emr iot msk resourcegroups ses swf waf_regional
alb cloudformation codedeploy docdb efs eni kinesis nacl route53 sfn transit_gateway wafv2_regional
api_gateway cloudfront codepipeline dynamodb eip es kms nat route_table sg vpc workspaces
appsync cloudhsm cognito ebs eks firehose lambda opsworks s3 sns vpc_peering xray
auto_scaling cloudtrail config ec2_instance elastic_beanstalk glue logs organization secretsmanager sqs vpn_connection
batch cloudwatch customer_gateway ecr elasticache iam media_package qldb securityhub ssm vpn_gateway
budgets codebuild datapipeline ecrpublic elb igw media_store rds servicecatalog subnet waf
Usage on Azure
To set up the execution environment, specify the provider and version in version.tf.
mkdir ~/azure-terraformer
cd ~/azure-terraformer
vi version.tf
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.45.0"
    }
  }
  required_version = ">= 0.13"
}
Set credentials with the required permissions in environment variables and initialize with terraform init (see the documentation).
export ARM_SUBSCRIPTION_ID=12345678-abcd-efgh-ijkl-123456789abc
export ARM_CLIENT_ID=87654321-4321-abcd-efgh-123456789abc
export ARM_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
export ARM_TENANT_ID=abcdefgh-abcd-4321-efgh-123456789abc
terraform init
Run terraformer import, selecting resources within the target resource group (three variants are shown below).
export RGNAME="[YOUR RG NAME]"
terraformer import azure -r resource_group
terraformer import azure -R $RGNAME -r virtual_network,resource_group
terraformer import azure -r resource_group --filter=resource_group=/subscriptions/$ARM_SUBSCRIPTION_ID/resourceGroups/$RGNAME
The output is generated in the following structure.
$ tree
.
|-- generated
|   `-- azurerm
|       |-- resource_group
|       |   |-- outputs.tf
|       |   |-- provider.tf
|       |   |-- resource_group.tf
|       |   `-- terraform.tfstate
|       `-- virtual_network
|           |-- outputs.tf
|           |-- provider.tf
|           |-- terraform.tfstate
|           |-- variables.tf
|           `-- virtual_network.tf
`-- version.tf
Before checking that the generated files work, migrate the state file (see the documentation).
cd ~/azure-terraformer/generated/azurerm/resource_group/
terraform state replace-provider -auto-approve "registry.terraform.io/-/azurerm" "hashicorp/azurerm"
terraform init
terraform plan
│ Error: Insufficient features blocks
│
│ on provider.tf line 1, in provider "azurerm":
│ 1: provider "azurerm" {
│
│ At least 1 "features" blocks are required.
╵
Because of the above error, a features block has to be added to provider.tf.
provider "azurerm" {
  version = "~> 3.45.0"
+ features {}
}
terraform {
  required_providers {
    azurerm = {
      version = "~> 3.45.0"
    }
  }
}
After running plan again it works.
$ terraform plan
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Warning: Version constraints inside provider configuration blocks are deprecated
│
│ on provider.tf line 2, in provider "azurerm":
│ 2: version = "~> 3.45.0"
│
│ Terraform 0.13 and earlier allowed provider version constraints inside the provider configuration block, but that is now deprecated and will be removed in a future version of
│ Terraform. To silence this warning, move the provider version constraint into the required_providers block.
╵
A warning appears, but it basically works.
If all resources are targeted, the following resource types are output.
$ terraformer import azure -r "*"
...output omitted...
$ ls generated/azurerm/
analysis cosmosdb disk load_balancer network_watcher purview security_center_contact storage_container virtual_network
app_service data_factory dns management_lock private_dns resource_group security_center_subscription_pricing subnet
application_gateway database eventhub network_interface private_endpoint route_table ssh_public_key synapse
container databricks keyvault network_security_group public_ip scaleset storage_account virtual_machine
Usage on Datadog
To prepare the execution environment, specify the provider and version in provider.tf.
mkdir ~/datadog-terraformer
cd ~/datadog-terraformer
vi provider.tf
# https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/datadog.md#2-set-up-a-template-terraform-workspace
terraform {
  required_providers {
    datadog = {
      source = "DataDog/datadog"
      # https://registry.terraform.io/providers/DataDog/datadog/latest
      version = "3.21.0"
    }
  }
}
provider "datadog" {
  # Configuration options
}
Set credentials with the required permissions in environment variables and initialize with terraform init (see the documentation).
terraform init
Set the environment variables and run Terraformer against all resources.
export DATADOG_API_KEY=[Datadog API key] # More information on this at https://docs.datadoghq.com/account_management/api-app-keys/
export DATADOG_HOST=[Datadog API host] # https://api.datadoghq.eu which can be found at https://docs.datadoghq.com/getting_started/site/#access-the-datadog-site
export DATADOG_APP_KEY=[Datadog APP key] # More information on this at https://docs.datadoghq.com/account_management/api-app-keys/
terraformer import datadog --resources="*"
After running it, the following resource types are generated.
$ ls generated/datadog/
dashboard downtime logs_archive logs_index logs_pipeline_order role synthetics_private_location
dashboard_json integration_gcp logs_archive_order logs_index_order metric_metadata service_level_objective synthetics_test
dashboard_list integration_slack_channel logs_custom_pipeline logs_integration_pipeline monitor synthetics_global_variable user
An example of the generated code is shown below (a monitor that had been set up manually).
resource "datadog_monitor" "tfer--monitor_25024807" {
  escalation_message = ""
  evaluation_delay   = "0"
  include_tags       = "true"
  locked             = "false"
  message            = "{{#is_alert}} BGP Neighbor down {{/is_alert}}\n{{#is_alert_recovery}} BGP Neighbor Up {{/is_alert_recovery}}\n@slack-HomeLab-datadog-monitoring"
  monitor_thresholds {
    critical = "1"
  }
  name                 = "GCP BGP Session State Change Project Name [ {{project_id}} ]"
  new_group_delay      = "0"
  new_host_delay       = "300"
  no_data_timeframe    = "0"
  notify_audit         = "false"
  notify_no_data       = "false"
  priority             = "0"
  query                = "min(last_5m):avg:gcp.router.bgp.session_up{project_id:suzuyu-project} < 1"
  renotify_interval    = "0"
  renotify_occurrences = "0"
  require_full_window  = "false"
  timeout_h            = "0"
  type                 = "metric alert"
}
Checking that it works.
Replace the provider in the state file and add the source argument to provider.tf; otherwise an error occurs.
cd ~/datadog-terraformer/generated/datadog/monitor/
terraform state replace-provider -auto-approve "registry.terraform.io/-/datadog" "DataDog/datadog"
vi provider.tf
terraform {
  required_providers {
    datadog = {
+     source = "Datadog/datadog"
      version = "~> 3.21.0"
    }
  }
}
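Both provider.tf fixes in this post (the features {} block and the deprecated version constraint inside the provider block in the Azure section, and the missing source in the Datadog section) can be applied mechanically to every generated directory. The helper below is an added example, not code from the original post or from the Terraformer project; it assumes provider.tf has the multi-line two-block shape Terraformer emits, as shown above, and the caller passes the provider's local name and registry source.

```shell
#!/bin/sh
# Added example (not from the original post). Rewrite one Terraformer-generated
# provider.tf into the form current Terraform accepts:
#   - drop "version = ..." from the provider block (deprecated there; the
#     constraint in required_providers is kept)
#   - add "features {}" to an azurerm provider block that lacks one
#   - add "source = ..." to the required_providers entry when it is missing
# Reads stdin, writes stdout.  $1 = provider local name, $2 = registry source.
# Assumption: blocks are multi-line, as Terraformer writes them.
modernize_provider_tf() {
  awk -v name="$1" -v src="$2" '
    function indent(s) { match(s, /^[ \t]*/); return substr(s, 1, RLENGTH) }
    function braces(s,  o, c) { o = gsub(/[{]/, "{", s); c = gsub(/[}]/, "}", s); return o - c }
    {
      line = $0
      if (!in_provider && !in_req) {
        if ($1 == "provider" && $2 == ("\"" name "\"")) {          # provider "<name>" {
          in_provider = 1; has_features = 0; inner = "  "; depth = braces(line)
        } else if ($1 == name && $2 == "=" && $3 == "{") {          # <name> = {  (required_providers)
          in_req = 1; has_source = 0; inner = "      "; depth = braces(line)
        }
        print line; next
      }
      d = braces(line)
      closing = (depth + d == 0 && $1 == "}")
      if (depth == 1 && !closing && $1 != "") inner = indent(line) # remember the inner indentation
      if (in_provider) {
        if (depth == 1 && $1 == "version") next                     # deprecated inside provider block
        if ($1 == "features") has_features = 1
        if (closing && name == "azurerm" && !has_features) print inner "features {}"
      } else {
        if ($1 == "source") has_source = 1
        if (closing && !has_source) print inner "source = \"" src "\""
      }
      if (closing) in_provider = in_req = 0
      depth += d
      print line
    }
  '
}

# Usage, run inside one generated directory:
#   modernize_provider_tf azurerm hashicorp/azurerm < provider.tf > provider.tf.new \
#     && mv provider.tf.new provider.tf
#   modernize_provider_tf datadog DataDog/datadog < provider.tf > provider.tf.new \
#     && mv provider.tf.new provider.tf
```

The rewrite is idempotent, so it is safe to run it again after Terraformer has been re-run over the same directory; a file that already has features {} and a source line comes out unchanged.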
Confirm that terraform plan runs normally.
export DD_API_KEY=$DATADOG_API_KEY
export DD_HOST=$DATADOG_HOST
export DD_APP_KEY=$DATADOG_APP_KEY
terraform init
terraform plan
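Every section above (Google Cloud, AWS, Azure and Datadog) needed the same terraform state replace-provider step before terraform init would accept the generated state, and with -r="*" there is one directory per resource type to migrate. The helper below is an added example, not part of the original post or of Terraformer; it scans a generated tree for state files that still reference the legacy registry.terraform.io/-/<name> address and prints, without executing anything, the replace-provider command for each. The mapping from legacy provider names to registry sources is an assumption limited to the four providers used in this post.

```shell
#!/bin/sh
# Added example (not from the original post). Terraformer writes state that refers
# to the legacy unqualified provider address registry.terraform.io/-/<name>; every
# generated directory needs "terraform state replace-provider" before init/plan
# works. These helpers find those directories and print the exact command for
# each, so the list can be reviewed before it is piped into sh.

# Registry address to migrate to. Assumption: only the four providers in this post.
new_source_for() {
  case "$1" in
    google)  echo "hashicorp/google" ;;
    aws)     echo "hashicorp/aws" ;;
    azurerm) echo "hashicorp/azurerm" ;;
    datadog) echo "DataDog/datadog" ;;
    *)       return 1 ;;
  esac
}

# Legacy provider names referenced by one terraform.tfstate, one per line,
# deduplicated. A state that has already been migrated prints nothing.
legacy_providers_in_state() {
  grep -o 'registry\.terraform\.io/-/[A-Za-z0-9_-]*' "$1" | sed 's#.*/-/##' | sort -u
}

# Walk a Terraformer output tree (e.g. generated/ or generated/google/<project>)
# and print one "cd ... && terraform state replace-provider ..." line per state
# file that still needs migration. Unknown providers are reported on stderr.
plan_provider_replacements() {
  find "$1" -name terraform.tfstate | sort | while IFS= read -r state; do
    dir=$(dirname "$state")
    legacy_providers_in_state "$state" | while IFS= read -r name; do
      if new=$(new_source_for "$name"); then
        printf "cd '%s' && terraform state replace-provider -auto-approve 'registry.terraform.io/-/%s' '%s'\n" \
          "$dir" "$name" "$new"
      else
        echo "# skipping $state: no mapping for provider '$name'" >&2
      fi
    done
  done
}

# Usage when run as a script:  sh plan_replacements.sh generated/        (review)
#                              sh plan_replacements.sh generated/ | sh   (apply)
if [ -n "${1:-}" ]; then
  plan_provider_replacements "$1"
fi
```

After the state has been migrated, each directory still needs terraform init and terraform plan as shown in the sections above; a plan that reports "No changes" confirms the generated code and the migrated state agree with the live resources.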
Summary
I installed Terraformer, generated code with it on each cloud platform, and ran the result, applying the fixes that were needed along the way.
The code Terraformer generates assumes older Terraform and provider versions, so some fixes may be required.
Used as a reference, or against a cloud environment that is not yet managed as IaC, it looks useful for getting a handle on the platforms involved.
The gcloud generation process differs from Terraformer: it requires enabling the API, creating the service account, assigning roles, and setting the location of the temporary bucket, so the experience may vary by environment; since it is still a preview, it is worth watching future updates.
It can be considered