全部產品
Search
文件中心

Terraform:在Linux中使用Terraform

更新時間:Jun 25, 2026

本文為您介紹在Linux中,如何快速使用Terraform建立阿里雲資源。

使用Terraform進行基礎設施即代碼(IaC)管理,包含以下幾個主要步驟。

  1. 安裝Terraform。確保您的系統能夠識別並執行Terraform命令。

  2. 配置Terraform。使用統一的方式管理Terraform身份認證資訊。

  3. 編寫Terraform設定檔。設定檔是Terraform的核心,用於描述資源的建立、配置和依賴關係,如建立VPC、ECS、OSS等。

  4. 初始化與建立資源。將基礎設施設計變為現實的關鍵步驟。

  5. 查看和管理資源。在部署後,您也能輕鬆地管理和維護您的基礎設施環境,確保其符合最新的需求和設計。

  6. 資源銷毀。當不再需要所建立的資源時,可以銷毀相應目錄下已建立資源。

1. 安裝Terraform

Terraform是一款基礎設施即代碼(IaC)工具,通過執行Terraform命令來建立、管理和版本控制雲資源。只有在完成安裝後,才能執行Terraform命令,從而實現基礎設施部署的自動化。具體安裝步驟,請參見Terraform安裝

2. 配置Terraform

Terraform身份認證是指在通過Terraform操作阿里雲基礎設施之前,對阿里雲Terraform Provider進行身分識別驗證。只有在身份認證成功後,才能與阿里雲API進行通訊,並建立和管理阿里雲的基礎設施資源。阿里雲Terraform Provider提供多種身份認證方式,有關更多身份認證資訊,請參見相關文檔Terraform 身份認證

本文以在環境變數中使用RAM使用者AccessKey配置身份認證為例:

export ALICLOUD_ACCESS_KEY="<yourAccessKeyID>"
export ALICLOUD_SECRET_KEY="<yourAccessKeySecret>"
export ALICLOUD_REGION="cn-beijing"

3. 編寫Terraform設定檔

設定檔是Terraform的核心,用於定義在雲端或本地部署的基礎設施資源,如RAM、ECS、OSS等。

  1. 建立一個新的檔案夾,例如命名為ram,並在該檔案夾下建立一個Terraform設定檔,例如設定檔名稱為main.tf

    # 建立執行目錄並進入到執行目錄
    mkdir ram && cd ram
    # 建立設定檔並編輯
    touch main.tf && vim main.tf
    

    為每個Terraform專案建立獨立執行目錄可以確保資源群組織清晰,避免狀態檔案混淆,便於版本控制和團隊協作,同時有利於實現環境隔離和模組化管理,提高組態管理的可維護性和安全性。

  2. 編寫Terraform設定檔。本文以建立一個RAM使用者,並為該使用者賦予管理ECS的許可權,為您介紹如何編寫設定檔。

    所需要的資源如下:

    重要

    建議RAM使用者避免同時支援登入控制台操作和使用AccessKey操作,以確保每個RAM使用者的職責明確,防止混用。

    Resource

    說明

    alicloud_ram_user

    建立RAM使用者

    alicloud_ram_login_profile

    允許RAM使用者登入控制台操作

    alicloud_ram_access_key

    為RAM使用者建立一個AccessKey

    alicloud_ram_policy

    建立一個權限原則

    alicloud_ram_user_policy_attachment

    為RAM使用者增加許可權

    複製以下樣本到main.tf中,然後按Esc鍵退出插入模式,輸入:wq按斷行符號儲存檔案。

    variable "user_name" {
      default = "terraform_user_test"
    }
    variable "user_password" {
      default = "!Test@123456"
    }
    variable "user_display_name" {
      default = "TestAccount"
    }
    variable "user_mobile" {
      default = "86-18688888888"
    }
    variable "user_email" {
      default = "example@example.com"
    }
    resource "alicloud_ram_user" "user" {
      name         = var.user_name
      display_name = var.user_display_name
      mobile       = var.user_mobile
      email        = var.user_email
      comments     = "Terraform create"
      force        = true                   
    }
    resource "alicloud_ram_login_profile" "profile" {
      user_name = alicloud_ram_user.user.name
      password  = var.user_password
    }
    resource "alicloud_ram_access_key" "ak" {
      user_name   = alicloud_ram_user.user.name
      secret_file = "accesskey.txt"
    }
    resource "alicloud_ram_policy" "policy" {
      policy_name     = "tf-example-policy"
      policy_document = <<EOF
      {
        "Statement": [
          {
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource":"*"
          }
        ],
          "Version": "1"
      }
      EOF
      description     = "this is a policy test"
    }
    resource "alicloud_ram_user_policy_attachment" "attach" {
      policy_name = alicloud_ram_policy.policy.policy_name
      policy_type = alicloud_ram_policy.policy.type
      user_name   = alicloud_ram_user.user.name
    }

4. 初始化與建立資源

Terraform設定檔編寫完成後,需要先初始化工作目錄,然後再建立資源。

4.1 Terraform初始化

在當前終端中運行terraform init命令進行初始化。terraform init命令是使用任何Terraform設定檔之前必須執行的第一個命令,主要目的是初始化一個Terraform工作目錄,包括下載必要的阿里雲供應商外掛程式以及各種其他記錄檔案。

4.2 建立資源

  1. 運行terraform plan建立一個執行計畫,並詳細展示了在執行terraform apply時將建立、修改或銷毀的所有資源資訊。

    # alicloud_ram_user.user will be created
    + resource "alicloud_ram_user" "user" {
        + comments     = "Terraform create"
        + display_name = "TestAccount"
        + email        = "example@example.com"
        + force        = true
        + id           = (known after apply)
        + mobile       = "86-18688888888"
        + name         = "terraform_user_test"
      }
    # alicloud_ram_user_policy_attachment.attach will be created
    + resource "alicloud_ram_user_policy_attachment" "attach" {
        + id          = (known after apply)
        + policy_name = "tf-example-policy"
        + policy_type = (known after apply)
        + user_name   = "terraform_user_test"
      }
    Plan: 5 to add, 0 to change, 0 to destroy.
  2. 運行terraform apply時,將根據terraform plan產生的執行計畫來建立資源。在建立過程中,需要按照提示輸入yes,以繼續建立資源。關於變數如何傳值,請參見Variable中的變數設定方式。

    Plan: 5 to add, 0 to change, 0 to destroy.
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
      Enter a value: yes
    alicloud_ram_user.user: Creating...
    alicloud_ram_policy.policy: Creating...
    alicloud_ram_policy.policy: Creation complete after 0s [id=tf-example-policy]
    alicloud_ram_user.user: Creation complete after 1s [id=20xxx18]
    alicloud_ram_login_profile.profile: Creating...
    alicloud_ram_access_key.ak: Creating...
    alicloud_ram_user_policy_attachment.attach: Creating...
    alicloud_ram_user_policy_attachment.attach: Creation complete after 0s [id=user:tf-example-policy:Custom:terraform_user_test]
    alicloud_ram_login_profile.profile: Creation complete after 0s [id=terraform_user_test]
    alicloud_ram_access_key.ak: Creation complete after 1s [id=LTxxxGr]
    Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

5. 查看和管理資源

在部署後,您也能輕鬆地管理和維護您的基礎設施環境,確保其符合最新的需求和設計。

5.1 查看資源

  1. 通過terraform show命令查看資源的詳細資料。

    [root@iZ2***tZ ram]# terraform show
    # alicloud_ram_access_key.ak:
    resource "alicloud_ram_access_key" "ak" {
        id          = "LTAxxxxxxxxxxxxxxxxxxxiGr"
        secret      = (sensitive value)
        secret_file = "accesskey.txt"
        status      = "Active"
        user_name   = "terraform_user_test"
    }
    # alicloud_ram_login_profile.profile:
    resource "alicloud_ram_login_profile" "profile" {
        id                     = "terraform_user_test"
        mfa_bind_required      = true
        password               = (sensitive value)
        password_reset_required = false
        user_name              = "terraform_user_test"
    }
    # alicloud_ram_policy.policy:
    resource "alicloud_ram_policy" "policy" {
        attachment_count = 0
        default_version  = "v1"
        description      = "this is a policy test"
        document         = <<-EOT
            {
                "Statement": [
                    {
                        "Action": "ecs:*",
                        "Effect": "Allow",
                        "Resource":"*"
                    }
                ],
                "Version": "1"
            }
        EOT
    }
  2. 通過terraform state list命令列出所有已建立的資源。

    [root@iZxxxmtZ ram]# terraform state list
    alicloud_ram_access_key.ak
    alicloud_ram_login_profile.profile
    alicloud_ram_policy.policy
    alicloud_ram_user.user
    alicloud_ram_user_policy_attachment.attach
  3. 通過terraform state show <資源類型>.<資源名稱>查看某個資源的詳細資料。

    [root@iZxxx          tZ ram]# terraform state show alicloud_ram_user.user
    # alicloud_ram_user.user:
    resource "alicloud_ram_user" "user" {
        comments     = "Terraform create"
        display_name = "TestAccount"
        email        = "example@example.com"
        force        = true
        id           = "208475129836212018"
        mobile       = "86-18688888888"
        name         = "terraform_user_test"
    }
  4. 通過 阿里雲控制台 查看已建立資源資訊。

5.2 管理資源

Terraform在完成資源的建立和修改後,會將資源的狀態和屬性資訊儲存在terraform.tfstate檔案中。我們可以使用terraform state相關命令對state進行管理。更多資訊,請參見狀態原理介紹

5.3 資源變更

  1. 修改設定檔(如main.tf)中需要變更的資源定義,例如您希望收縮RAM使用者的許可權,只允許使用者具有Elastic Compute Service查詢許可權。

    1. 運行命令vim main.tf,然後按i鍵進入編輯狀態。

    2. 複製以下代碼,並將其替換到main.tf檔案中對應的alicloud_ram_policy部分。

      resource "alicloud_ram_policy" "policy" {
        policy_name     = "tf-example-policy"
        policy_document = <<EOF
        {
          "Statement": [
            {
              "Action": [
                "ecs:Get*",
                "ecs:List*",
                "ecs:Describe*"
              ],
              "Effect": "Allow",
              "Resource":"*"
            }
          ],
            "Version": "1"
        }
        EOF
        description     = "this is a policy test"
      }
    3. 按下Esc,輸入:wq儲存。

  2. 運行terraform plan命令預覽所做的變更。

    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the follow
      ~ update in-place
    Terraform will perform the following actions:
      # alicloud_ram_policy.policy will be updated in-place
      ~ resource "alicloud_ram_policy" "policy" {
            id                = "tf-example-policy"
            name              = "tf-example-policy"
          ~ policy_document   = <<-EOT
                {
                    "Statement": [
                        {
              -             "Action": "ecs:*",
              +             "Action": [
              +         "ecs:Get*",
              +         "ecs:List*",
              +         "ecs:Describe*"
              +             ],
                            "Effect": "Allow",
                            "Resource":"*"
                        }
                    ],
                        "Version": "1"
                }
            EOT
            # (8 unchanged attributes hidden)
            # (1 unchanged block hidden)
        }
    Plan: 0 to add, 1 to change, 0 to destroy.
  3. 如果變更符合預期,運行terraform apply命令,以將這些變更應用於您的基礎設施。運行此命令時,Terraform會要求您確認是否確實要進行這些變更,輸入 yes 並斷行符號後,變更會被應用。

    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the follow
      ~ update in-place
    Terraform will perform the following actions:
      # alicloud_ram_policy.policy will be updated in-place
      ~ resource "alicloud_ram_policy" "policy" {
            id               = "tf-example-policy"
            name             = "tf-example-policy"
          ~ policy_document  = <<-EOT
                {
                    "Statement": [
                        {
              -             "Action": "ecs:*",
              +             "Action": [
              +   "ecs:Get*",
              +   "ecs:List*",
              +   "ecs:Describe*"
              +             ],
                            "Effect": "Allow",
                            "Resource":"*"
                        }
                    ],
                    "Version": "1"
                }
            EOT
            # (8 unchanged attributes hidden)
            # (1 unchanged block hidden)
        }
    Plan: 0 to add, 1 to change, 0 to destroy.
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
      Enter a value: yes
    alicloud_ram_policy.policy: Modifying... [id-tf-example-policy]
    alicloud_ram_policy.policy: Modifications complete after 0s [id-tf-example-policy]
    Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

6. 資源銷毀

當不再需要所建立的資源時,可以通過terraform destroy命令銷毀所有已建立的資源。

重要

針對建立的權限原則進行資源銷毀時,當權限原則存在多個版本時,Terraform destroy無法直接銷毀資源。您可以在alicloud_ram_policy中添加force參數,並將其值設定為true,以表示強制移除所有版本的許可權。若該許可權被其他RAM使用者或RAM動作項目參考,會自動解除關聯關係後執行刪除,請謹慎使用force屬性。

Plan: 0 to add, 0 to change, 5 to destroy.
Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.
  Enter a value: yes
alicloud_ram_access_key.ak: Destroying... [id=LTxxxGr]
alicloud_ram_login_profile.profile: Destroying... [id=terraform_user_test]
alicloud_ram_user_policy_attachment.attach: Destroying... [id=user:tf-example-policy:Custom:terraform_user_test]
alicloud_ram_user_policy_attachment.attach: Destruction complete after 0s
alicloud_ram_policy.policy: Destroying... [id=tf-example-policy]
alicloud_ram_login_profile.profile: Destruction complete after 0s
alicloud_ram_policy.policy: Destruction complete after 1s
alicloud_ram_access_key.ak: Destruction complete after 1s
alicloud_ram_user.user: Destroying... [id=2xxx18]
alicloud_ram_user.user: Destruction complete after 1s

完整樣本

為了便於您快速體驗 Terraform,本文提供了完整的 Terraform 代碼,您可以一鍵複製後直接運行。

variable "user_name" {
  default = "terraform_user_test"
}
variable "user_password" {
  default = "!Test@123456"
}
variable "user_display_name" {
  default = "TestAccount"
}
variable "user_mobile" {
  default = "86-18688888888"
}
variable "user_email" {
  default = "example@example.com"
}
resource "alicloud_ram_user" "user" {
  name         = var.user_name
  display_name = var.user_display_name
  mobile       = var.user_mobile
  email        = var.user_email
  comments     = "Terraform create"
  force        = true                   
}
resource "alicloud_ram_login_profile" "profile" {
  user_name = alicloud_ram_user.user.name
  password  = var.user_password
}
resource "alicloud_ram_access_key" "ak" {
  user_name   = alicloud_ram_user.user.name
  secret_file = "accesskey.txt"
}
resource "alicloud_ram_policy" "policy" {
  policy_name     = "tf-example-policy"
  policy_document = <<EOF
  {
    "Statement": [
      {
        "Action": "ecs:*",
        "Effect": "Allow",
        "Resource":"*"
      }
    ],
      "Version": "1"
  }
  EOF
  description     = "this is a policy test"
}
resource "alicloud_ram_user_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy.policy_name
  policy_type = alicloud_ram_policy.policy.type
  user_name   = alicloud_ram_user.user.name
}

相關文檔