本文為您介紹在Linux中,如何快速使用Terraform建立阿里雲資源。
使用Terraform進行基礎設施即代碼(IaC)管理,包含以下幾個主要步驟。
-
安裝Terraform。確保您的系統能夠識別並執行Terraform命令。
-
配置Terraform。使用統一的方式管理Terraform身份認證資訊。
-
編寫Terraform設定檔。設定檔是Terraform的核心,用於描述資源的建立、配置和依賴關係,如建立VPC、ECS、OSS等。
-
初始化與建立資源。將基礎設施設計變為現實的關鍵步驟。
-
查看和管理資源。在部署後,您也能輕鬆地管理和維護您的基礎設施環境,確保其符合最新的需求和設計。
-
資源銷毀。當不再需要所建立的資源時,可以銷毀相應目錄下已建立資源。
1. 安裝Terraform
Terraform是一款基礎設施即代碼(IaC)工具,通過執行Terraform命令來建立、管理和版本控制雲資源。只有在完成安裝後,才能執行Terraform命令,從而實現基礎設施部署的自動化。具體安裝步驟,請參見Terraform安裝。
2. 配置Terraform
Terraform身份認證是指在通過Terraform操作阿里雲基礎設施之前,對阿里雲Terraform Provider進行身分識別驗證。只有在身份認證成功後,才能與阿里雲API進行通訊,並建立和管理阿里雲的基礎設施資源。阿里雲Terraform Provider提供多種身份認證方式,有關更多身份認證資訊,請參見相關文檔Terraform 身份認證。
本文以在環境變數中使用RAM使用者AccessKey配置身份認證為例:
export ALICLOUD_ACCESS_KEY="<yourAccessKeyID>"
export ALICLOUD_SECRET_KEY="<yourAccessKeySecret>"
export ALICLOUD_REGION="cn-beijing"
3. 編寫Terraform設定檔
設定檔是Terraform的核心,用於定義在雲端或本地部署的基礎設施資源,如RAM、ECS、OSS等。
-
建立一個新的檔案夾,例如命名為ram,並在該檔案夾下建立一個Terraform設定檔,例如設定檔名稱為main.tf。
# 建立執行目錄並進入到執行目錄 mkdir ram && cd ram # 建立設定檔並編輯 touch main.tf && vim main.tf為每個Terraform專案建立獨立執行目錄可以確保資源群組織清晰,避免狀態檔案混淆,便於版本控制和團隊協作,同時有利於實現環境隔離和模組化管理,提高組態管理的可維護性和安全性。
-
編寫Terraform設定檔。本文以建立一個RAM使用者,並為該使用者賦予管理ECS的許可權,為您介紹如何編寫設定檔。
所需要的資源如下:
重要建議RAM使用者避免同時支援登入控制台操作和使用AccessKey操作,以確保每個RAM使用者的職責明確,防止混用。
Resource
說明
建立RAM使用者
允許RAM使用者登入控制台操作
為RAM使用者建立一個AccessKey
建立一個權限原則
為RAM使用者增加許可權
複製以下樣本到main.tf中,然後按
Esc鍵退出插入模式,輸入:wq按斷行符號儲存檔案。variable "user_name" { default = "terraform_user_test" } variable "user_password" { default = "!Test@123456" } variable "user_display_name" { default = "TestAccount" } variable "user_mobile" { default = "86-18688888888" } variable "user_email" { default = "example@example.com" } resource "alicloud_ram_user" "user" { name = var.user_name display_name = var.user_display_name mobile = var.user_mobile email = var.user_email comments = "Terraform create" force = true } resource "alicloud_ram_login_profile" "profile" { user_name = alicloud_ram_user.user.name password = var.user_password } resource "alicloud_ram_access_key" "ak" { user_name = alicloud_ram_user.user.name secret_file = "accesskey.txt" } resource "alicloud_ram_policy" "policy" { policy_name = "tf-example-policy" policy_document = <<EOF { "Statement": [ { "Action": "ecs:*", "Effect": "Allow", "Resource":"*" } ], "Version": "1" } EOF description = "this is a policy test" } resource "alicloud_ram_user_policy_attachment" "attach" { policy_name = alicloud_ram_policy.policy.policy_name policy_type = alicloud_ram_policy.policy.type user_name = alicloud_ram_user.user.name }
4. 初始化與建立資源
Terraform設定檔編寫完成後,需要先初始化工作目錄,然後再建立資源。
4.1 Terraform初始化
在當前終端中運行terraform init命令進行初始化。terraform init命令是使用任何Terraform設定檔之前必須執行的第一個命令,主要目的是初始化一個Terraform工作目錄,包括下載必要的阿里雲供應商外掛程式以及各種其他記錄檔案。
4.2 建立資源
-
運行
terraform plan建立一個執行計畫,並詳細展示了在執行terraform apply時將建立、修改或銷毀的所有資源資訊。# alicloud_ram_user.user will be created + resource "alicloud_ram_user" "user" { + comments = "Terraform create" + display_name = "TestAccount" + email = "example@example.com" + force = true + id = (known after apply) + mobile = "86-18688888888" + name = "terraform_user_test" } # alicloud_ram_user_policy_attachment.attach will be created + resource "alicloud_ram_user_policy_attachment" "attach" { + id = (known after apply) + policy_name = "tf-example-policy" + policy_type = (known after apply) + user_name = "terraform_user_test" } Plan: 5 to add, 0 to change, 0 to destroy. -
運行
terraform apply時,將根據terraform plan產生的執行計畫來建立資源。在建立過程中,需要按照提示輸入yes,以繼續建立資源。關於變數如何傳值,請參見Variable中的變數設定方式。Plan: 5 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes alicloud_ram_user.user: Creating... alicloud_ram_policy.policy: Creating... alicloud_ram_policy.policy: Creation complete after 0s [id=tf-example-policy] alicloud_ram_user.user: Creation complete after 1s [id=20xxx18] alicloud_ram_login_profile.profile: Creating... alicloud_ram_access_key.ak: Creating... alicloud_ram_user_policy_attachment.attach: Creating... alicloud_ram_user_policy_attachment.attach: Creation complete after 0s [id=user:tf-example-policy:Custom:terraform_user_test] alicloud_ram_login_profile.profile: Creation complete after 0s [id=terraform_user_test] alicloud_ram_access_key.ak: Creation complete after 1s [id=LTxxxGr] Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
5. 查看和管理資源
在部署後,您也能輕鬆地管理和維護您的基礎設施環境,確保其符合最新的需求和設計。
5.1 查看資源
-
通過
terraform show命令查看資源的詳細資料。[root@iZ2***tZ ram]# terraform show # alicloud_ram_access_key.ak: resource "alicloud_ram_access_key" "ak" { id = "LTAxxxxxxxxxxxxxxxxxxxiGr" secret = (sensitive value) secret_file = "accesskey.txt" status = "Active" user_name = "terraform_user_test" } # alicloud_ram_login_profile.profile: resource "alicloud_ram_login_profile" "profile" { id = "terraform_user_test" mfa_bind_required = true password = (sensitive value) password_reset_required = false user_name = "terraform_user_test" } # alicloud_ram_policy.policy: resource "alicloud_ram_policy" "policy" { attachment_count = 0 default_version = "v1" description = "this is a policy test" document = <<-EOT { "Statement": [ { "Action": "ecs:*", "Effect": "Allow", "Resource":"*" } ], "Version": "1" } EOT } -
通過
terraform state list命令列出所有已建立的資源。[root@iZxxxmtZ ram]# terraform state list alicloud_ram_access_key.ak alicloud_ram_login_profile.profile alicloud_ram_policy.policy alicloud_ram_user.user alicloud_ram_user_policy_attachment.attach -
通過
terraform state show <資源類型>.<資源名稱>查看某個資源的詳細資料。[root@iZxxx tZ ram]# terraform state show alicloud_ram_user.user # alicloud_ram_user.user: resource "alicloud_ram_user" "user" { comments = "Terraform create" display_name = "TestAccount" email = "example@example.com" force = true id = "208475129836212018" mobile = "86-18688888888" name = "terraform_user_test" } -
通過 阿里雲控制台 查看已建立資源資訊。
5.2 管理資源
Terraform在完成資源的建立和修改後,會將資源的狀態和屬性資訊儲存在terraform.tfstate檔案中。我們可以使用terraform state相關命令對state進行管理。更多資訊,請參見狀態原理介紹。
5.3 資源變更
-
修改設定檔(如main.tf)中需要變更的資源定義,例如您希望收縮RAM使用者的許可權,只允許使用者具有Elastic Compute Service查詢許可權。
-
運行命令
vim main.tf,然後按i鍵進入編輯狀態。 -
複製以下代碼,並將其替換到main.tf檔案中對應的alicloud_ram_policy部分。
resource "alicloud_ram_policy" "policy" { policy_name = "tf-example-policy" policy_document = <<EOF { "Statement": [ { "Action": [ "ecs:Get*", "ecs:List*", "ecs:Describe*" ], "Effect": "Allow", "Resource":"*" } ], "Version": "1" } EOF description = "this is a policy test" } -
按下Esc,輸入:wq儲存。
-
-
運行
terraform plan命令預覽所做的變更。Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the follow ~ update in-place Terraform will perform the following actions: # alicloud_ram_policy.policy will be updated in-place ~ resource "alicloud_ram_policy" "policy" { id = "tf-example-policy" name = "tf-example-policy" ~ policy_document = <<-EOT { "Statement": [ { - "Action": "ecs:*", + "Action": [ + "ecs:Get*", + "ecs:List*", + "ecs:Describe*" + ], "Effect": "Allow", "Resource":"*" } ], "Version": "1" } EOT # (8 unchanged attributes hidden) # (1 unchanged block hidden) } Plan: 0 to add, 1 to change, 0 to destroy. -
如果變更符合預期,運行
terraform apply命令,以將這些變更應用於您的基礎設施。運行此命令時,Terraform會要求您確認是否確實要進行這些變更,輸入yes並斷行符號後,變更會被應用。Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the follow ~ update in-place Terraform will perform the following actions: # alicloud_ram_policy.policy will be updated in-place ~ resource "alicloud_ram_policy" "policy" { id = "tf-example-policy" name = "tf-example-policy" ~ policy_document = <<-EOT { "Statement": [ { - "Action": "ecs:*", + "Action": [ + "ecs:Get*", + "ecs:List*", + "ecs:Describe*" + ], "Effect": "Allow", "Resource":"*" } ], "Version": "1" } EOT # (8 unchanged attributes hidden) # (1 unchanged block hidden) } Plan: 0 to add, 1 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes alicloud_ram_policy.policy: Modifying... [id-tf-example-policy] alicloud_ram_policy.policy: Modifications complete after 0s [id-tf-example-policy] Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
6. 資源銷毀
當不再需要所建立的資源時,可以通過terraform destroy命令銷毀所有已建立的資源。
針對建立的權限原則進行資源銷毀時,當權限原則存在多個版本時,Terraform destroy無法直接銷毀資源。您可以在alicloud_ram_policy中添加force參數,並將其值設定為true,以表示強制移除所有版本的許可權。若該許可權被其他RAM使用者或RAM動作項目參考,會自動解除關聯關係後執行刪除,請謹慎使用force屬性。
Plan: 0 to add, 0 to change, 5 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
alicloud_ram_access_key.ak: Destroying... [id=LTxxxGr]
alicloud_ram_login_profile.profile: Destroying... [id=terraform_user_test]
alicloud_ram_user_policy_attachment.attach: Destroying... [id=user:tf-example-policy:Custom:terraform_user_test]
alicloud_ram_user_policy_attachment.attach: Destruction complete after 0s
alicloud_ram_policy.policy: Destroying... [id=tf-example-policy]
alicloud_ram_login_profile.profile: Destruction complete after 0s
alicloud_ram_policy.policy: Destruction complete after 1s
alicloud_ram_access_key.ak: Destruction complete after 1s
alicloud_ram_user.user: Destroying... [id=2xxx18]
alicloud_ram_user.user: Destruction complete after 1s
完整樣本
為了便於您快速體驗 Terraform,本文提供了完整的 Terraform 代碼,您可以一鍵複製後直接運行。
variable "user_name" {
default = "terraform_user_test"
}
variable "user_password" {
default = "!Test@123456"
}
variable "user_display_name" {
default = "TestAccount"
}
variable "user_mobile" {
default = "86-18688888888"
}
variable "user_email" {
default = "example@example.com"
}
resource "alicloud_ram_user" "user" {
name = var.user_name
display_name = var.user_display_name
mobile = var.user_mobile
email = var.user_email
comments = "Terraform create"
force = true
}
resource "alicloud_ram_login_profile" "profile" {
user_name = alicloud_ram_user.user.name
password = var.user_password
}
resource "alicloud_ram_access_key" "ak" {
user_name = alicloud_ram_user.user.name
secret_file = "accesskey.txt"
}
resource "alicloud_ram_policy" "policy" {
policy_name = "tf-example-policy"
policy_document = <<EOF
{
"Statement": [
{
"Action": "ecs:*",
"Effect": "Allow",
"Resource":"*"
}
],
"Version": "1"
}
EOF
description = "this is a policy test"
}
resource "alicloud_ram_user_policy_attachment" "attach" {
policy_name = alicloud_ram_policy.policy.policy_name
policy_type = alicloud_ram_policy.policy.type
user_name = alicloud_ram_user.user.name
}