雲原生之旅 - 3）Terraform - Create and Maintain Infrastructure as Code

前言工欲善其事，必先利其器。本篇文章我們介紹下 Terraform，為後續創建各種雲資源做準備，比如Kubernetes 關鍵詞：IaC, Infrastructure as Code, Terraform, 基礎架構即代碼，Terraform 例子， Terraform 入門，Terraform ...

前言

工欲善其事，必先利其器。本篇文章我們介紹下 Terraform，為後續創建各種雲資源做準備，比如Kubernetes

關鍵詞：IaC, Infrastructure as Code, Terraform, 基礎架構即代碼，Terraform 例子， Terraform 入門，Terraform 簡介

Terraform 是什麼？

Terraform 是一種安全有效地構建、更改和版本控制基礎設施的工具(基礎架構自動化的編排工具)。它的目標是 "Write, Plan, and create Infrastructure as Code", 基礎架構即代碼。Terraform 幾乎可以支持所有市面上能見到的雲服務。具體的說就是可以用代碼來管理維護 IT 資源，把之前需要手動操作的一部分任務通過程式來自動化的完成，這樣的做的結果非常明顯：高效、不易出錯。

Terraform 絕對是一個非常好用的工具，目前各大雲平臺也都支持的不錯，我很看好它的未來。Terraform 也是用 Go 語言開發的開源項目，你可以在 github 上訪問到它的源代碼以及各種文檔。

### https://www.cnblogs.com/wade-xu/p/16709133.html ###

安裝

我這裡強烈推薦tfenv, 下麵介紹如何在Mac上利用 tfenv 來安裝Terraform。

安裝 tfenv

brew install tfenv

brew link tfenv

利用tfenv 安裝 Terraform

# install latest version
tfenv install latest

# install specific version
tfenv install 1.2.9

列出所有版本

% tfenv list                                                                                                
  1.2.9
  1.0.0
  0.14.2
  0.13.7
* 0.13.5 (set by /usr/local/Cellar/tfenv/2.0.0/version)

* 表示當前使用的版本

切換版本　

# switch to 1.2.9
tfenv use 1.2.9

Switching default version to v1.2.9
Switching completed

卸載

tfenv uninstall 0.14.2

tfenv uninstall latest

### https://www.cnblogs.com/wade-xu/p/16709133.html ###

Provider

我們公司主要用GCP 谷歌雲，所以這裡也用 google 的 provider 來入門Terraform

安裝 Google Cloud SDK Install https://cloud.google.com/sdk/docs/quickstarts

Configure the environment for gcloud:

gcloud auth login

gcloud auth list

確保你的賬號有許可權操作GCP的Project

我的目錄結構如下

providers.tf

 1 terraform {
 2   required_version = ">= 1.2.9"
 3 
 4   required_providers {
 5     google = {
 6       source  = "hashicorp/google"
 7       version = "~> 4"
 8     }
 9   }
10 }
11 
12 provider "google" {
13   project = local.project.project_id
14   region  = local.project.region
15 }

backend.tf

terraform {
  backend "gcs" {
    bucket = "wadexu007"
    prefix = "demo/state"
  }
}

這裡的bucket要提前建好用來存放Terraform state文件。

network.tf

resource "google_compute_network" "default" {
  project                 = local.project.project_id
  name                    = local.project.network_name
  auto_create_subnetworks = true
  routing_mode            = "GLOBAL"
}

Network資源各個參數參考官方文檔。

locals.tf

locals {
  # project details
  project = {
    project_id       = "demo-eng-cn-dev"
    region           = "asia-east2"
    network_name     = "wade-test-network"
  }
}

### https://www.cnblogs.com/wade-xu/p/16709133.html ###

init

在此目錄下執行

terraform init

此目錄下會生成 .terraform 文件夾，init其實就安裝依賴插件到 .terraform 目錄中：

Plan

plan 命令會檢查配置文件並生成執行計劃，如果發現配置文件中有錯誤會報錯。

terraform plan

結果如下

 % terraform plan
Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_network.default will be created
  + resource "google_compute_network" "default" {
      + auto_create_subnetworks         = true
      + delete_default_routes_on_create = false
      + gateway_ipv4                    = (known after apply)
      + id                              = (known after apply)
      + internal_ipv6_range             = (known after apply)
      + mtu                             = (known after apply)
      + name                            = "wade-test-network"
      + project                         = "xperiences-eng-cn-dev"
      + routing_mode                    = "GLOBAL"
      + self_link                       = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Apply

在使用 apply 命令執行實際的部署時，預設會先執行 plan 命令併進入交互模式等待用戶確認操作。

terraform apply

輸入 Yes

Tips: 可以使用 -auto-approve 選項跳過這些步驟直接執行部署操作。

terraform apply -auto-approve

GCS bucket 裡面的 Terraform 狀態文件 gs://wadexu007/demo/state/default.tfstate 如下

{
  "version": 4,
  "terraform_version": "1.2.9",
  "serial": 1,
  "lineage": "30210d18-6dd5-a542-5b0d-xxxxxxxx",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "google_compute_network",
      "name": "default",
      "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "auto_create_subnetworks": true,
            "delete_default_routes_on_create": false,
            "description": "",
            "enable_ula_internal_ipv6": false,
            "gateway_ipv4": "",
            "id": "projects/demo-eng-cn-dev/global/networks/wade-test-network",
            "internal_ipv6_range": "",
            "mtu": 0,
            "name": "wade-test-network",
            "project": "demo-eng-cn-dev",
            "routing_mode": "GLOBAL",
            "self_link": "https://www.googleapis.com/compute/v1/projects/demo-eng-cn-dev/global/networks/wade-test-network",
            "timeouts": null
          },
          "sensitive_attributes": [],
          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2xxxxxxxxxxxxxxxxxxxxx9"
        }
      ]
    }
  ]
}

GCP控制台查看新建的資源

Destory

terraform destroy

銷毀資源，務必小心

% terraform destroy 
Acquiring state lock. This may take a few moments...
google_compute_network.default: Refreshing state... [id=projects/demo-eng-cn-dev/global/networks/wade-test-network]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # google_compute_network.default will be destroyed
  - resource "google_compute_network" "default" {
      - auto_create_subnetworks         = true -> null
      - delete_default_routes_on_create = false -> null
      - enable_ula_internal_ipv6        = false -> null
      - id                              = "projects/demo-eng-cn-dev/global/networks/wade-test-network" -> null
      - mtu                             = 0 -> null
      - name                            = "wade-test-network" -> null
      - project                         = "demo-eng-cn-dev" -> null
      - routing_mode                    = "GLOBAL" -> null
      - self_link                       = "https://www.googleapis.com/compute/v1/projects/demo-eng-cn-dev/global/networks/wade-test-network" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

google_compute_network.default: Destroying... [id=projects/xperiences-eng-cn-dev/global/networks/wade-test-network]
google_compute_network.default: Still destroying... [id=projects/demo-eng-cn-dev/global/networks/wade-test-network, 10s elapsed]
google_compute_network.default: Still destroying... [id=projects/demo-eng-cn-dev/global/networks/wade-test-network, 20s elapsed]
google_compute_network.default: Still destroying... [id=projects/demo-eng-cn-dev/global/networks/wade-test-network, 30s elapsed]
google_compute_network.default: Still destroying... [id=projects/demo-eng-cn-dev/global/networks/wade-test-network, 40s elapsed]
google_compute_network.default: Still destroying... [id=projects/demo-eng-cn-dev/global/networks/wade-test-network, 50s elapsed]
google_compute_network.default: Destruction complete after 54s
Releasing state lock. This may take a few moments...

Destroy complete! Resources: 1 destroyed.

附上我的learning by doing 代碼供參考。

總結

Terraform 用法很簡單，支持的雲廠商也很多，只要查看對應文檔創建你的資源就行, 上述例子僅僅入門，玩法很多，還可以module化，這樣不同的環境只需要source一下module，傳入不同的參數就行。

除了建雲資源，其它比如 Jenkins，Spinnaker， DNS，Vault 都可以用Terraform來建，所有infra 用代碼來實現，人管代碼，代碼管基礎設施，避免管理員直接控制台操作基礎設施，後面再運用上Atlantis 將Terraform 在Git上運行，所有change走PR， review之後apply change，這也是GitOps的一種最佳實踐。

另外，Terraform 也支持開發自己的provider。

感謝閱讀，如果您覺得本文的內容對您的學習有所幫助，您可以打賞和推薦，您的鼓勵是我創作的動力。

Learning by Doing