Terraform是HashiCorp公司提供的一种开源工具,用于安全高效地预览、配置和管理云基础架构和资源,帮助开发者自动化地创建、更新阿里云基础设施资源,并进行版本管理。本文介绍如何使用Terraform管理密钥管理服务资源。
前提条件
如果您使用Cloud Shell,Cloud Shell默认安装并配置了Terraform和阿里云账号信息,您无需进行其他操作。如果您不使用Cloud Shell,则需要自行安装Terraform和配置阿里云账号信息。
- 安装版本不低于v0.14的Terraform。具体操作,请参见在本地安装和配置Terraform。
说明 安装后您可以通过
terraform --version命令查看Terraform版本。如果您安装的版本低于v0.14,请重新覆盖安装正确版本。关于Terraform的更多信息,请参考
什么是Terraform。
- 配置阿里云账号信息。
说明 为提高权限管理的灵活性和安全性,建议您创建名为Terraform的RAM用户,并为该RAM用户创建AccessKey和授权。具体操作,请参见
创建RAM用户和
为RAM用户授权。
使用Terraform创建专属KMS密钥
- 创建一个工作目录,并且在工作目录中创建以下名为main.tf和variables.tf的配置文件。
- main.tf:Terraform主文件,定义了将要部署的资源。
# 可以参考相关文档(https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key)了解资源alicloud_kms_key的细节
resource "alicloud_kms_key" "dkms_key" {
description = "${var.description}"
protection_level = "${var.protection_level}"
dkms_instance_id = "${var.dkms_instance_id}"
}
output "dkms_key_id" {
value = alicloud_kms_key.dkms_key.id
}
- variables.tf:包含可传递到main.tf的变量,可帮助您自定义变量。
# 新专属KMS密钥的描述信息
variable "description" {
default = "the new dkms key"
}
# 在指定的天数后,用户主密钥会被删除。在这期间,这个用户主密钥的状态是待删除。在指定的天数后,您将无法取消删除密钥操作。
variable "pending_window_in_days" {
default = "7"
}
# 如果您的专属kms实例是基础版,则这个参数必须设定为SOFTWARE
# 如果您的专属kms实例是标准版,则这个参数必须设定为HSM
variable "protection_level" {
default = "SOFTWARE"
}
# 您的专属KMS实例Id
variable "dkms_instance_id" {
default = "kst-xxxxxxxxxxxxxxx"
}
- 执行
terraform init命令初始化Terraform运行环境。预期输出:
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/alicloud...
- Installing hashicorp/alicloud v1.183.0...
- Installed hashicorp/alicloud v1.183.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
╷
│ Warning: Additional provider information from registry
│
│ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
│ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
╵
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
- 执行
terraform plan命令生成资源规划。预期输出:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# alicloud_kms_key.dkms_key will be created
+ resource "alicloud_kms_key" "dkms_key" {
...
}
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ dkms_key_id = (known after apply)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
- 执行
terraform apply命令创建密钥。预期输出:
...
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
dkms_key_id = "key-xxxxxxxxxxxxxxxxxx"
成功创建密钥后,您还可以执行如下操作。
- 查看创建的密钥KeyId:
terraform output dkms_key_id
预期输出:"key-xxxxxxxxxxxxxxxxxx"
- 计划删除密钥:
terraform destroy
预期输出:...
Plan: 0 to add, 0 to change, 1 to destroy.
...
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
...
Destroy complete! Resources: 1 destroyed.
使用Terraform创建专属KMS凭据
- 创建一个工作目录,并且在工作目录中创建以下名为main.tf和variables.tf的配置文件。
- main.tf:Terraform主文件,定义了将要部署的资源。
# 可以参考相关文档(https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_secret)了解资源alicloud_kms_secret的细节
resource "alicloud_kms_secret" "dkms_secret" {
secret_name = "secret-simple"
description = "from terraform"
secret_data = "${var.ENV_SECRET_DATA}"
version_id = "${var.version_id}"
encryption_key_id = "${var.encryption_key_id}"
dkms_instance_id = "${var.dkms_instance_id}"
force_delete_without_recovery = true
}
- variables.tf:包含可传递到main.tf的变量,可帮助您自定义变量。
# 凭据版本信息
variable "version_id" {
default = "000000000001"
}
# 使用命令 "export TF_VAR_ENV_SECRET_DATA=xxxxxxxxxx" 来设定凭据数据
variable "ENV_SECRET_DATA" {
default = "Secret data."
#sensitive = true
}
variable "encryption_key_id" {
default = "key-xxxxxxxxxxxxxxxxxx"
}
# 您的专属KMS实例Id
variable "dkms_instance_id" {
default = "kst-xxxxxxxxxxxxxxx"
}
- 执行
terraform init命令初始化Terraform运行环境。预期输出:
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/alicloud...
- Installing hashicorp/alicloud v1.183.0...
- Installed hashicorp/alicloud v1.183.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
╷
│ Warning: Additional provider information from registry
│
│ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
│ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
╵
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
- 执行
terraform plan命令生成资源规划。预期输出:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# alicloud_kms_secret.dkms_secret will be created
+ resource "alicloud_kms_secret" "dkms_secret" {
...
}
Plan: 1 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
- 执行
terraform apply命令创建凭据。预期输出:
...
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
成功创建凭据后,您还可以执行如下命令删除创建的凭据。
terraform destroy
预期输出:
...
Plan: 0 to add, 0 to change, 1 to destroy.
...
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
...
Destroy complete! Resources: 1 destroyed.