Backend配置
# 一、Terraform Backend简介
# state
Terraform可以根据state跟踪管理资源,默认文件存储在本地,(local),可以使用backend{}定义远程的存储(remote).
terraform.tfstate
terraform.tfstate.backup
{
"version": 4,
"terraform_version": "1.1.9",
"serial": 5,
"lineage": "5ef63fd0-168d-9d5d-4ce4-6a4f2dc0e5e8",
"output": {},
"resources": [
{
"module": "module.mydns",
"mode": "managed",
"type": "alicloud_dns_record",
"name": "record",
"provider": "provider[\"register.terraform.io/hashicorp/alicloud\"]",
"instances": []
}
]
},{
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
配置远程后端允许许多人在同一个基础设施上工作
# local state存在的问题
1.缺乏灵活性
- 状态文件存储在本地,不便于团队成员协同
- 文件系统损坏,导致状态文件丢失
2.缺乏安全性
- state存在敏感数据,缺乏数据的保护
- 当多人同时变更时,存在状态不一致导致基础设施风险
# remote backend
# 工作原理
# 二、Backend配置阿里云OSS
- OSS Backend这里是基于阿里云的表格存储服务(Tablestore)和对象存储服务(OSS)实现
- 表格存储的是
Lock信息 - 对象储存主要是存放着状态文件(terraform.tfstate)
- 表格存储的是
# 创建对象存储和表格服务
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ots_instance
https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ots_table
项目目录: "youdianzhishi-terraform/terraform-backend-demo"
## vim main.tf
provider "alicloud" {
access_key = var.alicloud_access_key
secret_key = var.alicloud_secret_key
region = "cn-shanghai"
alias = "shanghai"
}
## OSS
resource "alicloud_oss_bucket" "terra-backend" {
bucket = "terraform-backend-data-202209"
acl = "private"
}
## tablestore
resource "alicloud_ots_instance" "terra-table" {
name = "terra-table"
description = "terraform tablestore"
accessed_by = "Any"
tags = {
Created = "TF"
For = "Building table"
}
}
resource "alicloud_ots_table" "basic" {
instance_name = alicloud_ots_instance.terra-table.name
table_name = "terra_table"
primary_key {
name = "LockID"
type = "String"
}
time_to_live = -1
max_version = 1
deviation_cell_version_in_sec = 1
}
## vim versions.tf
terraform {
required_version = "1.2.8" // 这里是terraform的版本号,可以通过`terraform -v`获取到
required_providers {
alicloud = {
source = "aliyun/alicloud"
version = "1.183.0"
}
}
}
## vim variables.tf
# variable "alicloud_access_key" {
# type = string
# }
# variable "alicloud_secret_key" {
# type = string
# }
variable "region" {
type = string
description = "region name"
default = "cn-shanghai"
sensitive = true
}
## vim outputs.tf
output "bucket_name" {
value = alicloud_oss_bucket.terra-backend.id
}
output "table_name" {
value = alicloud_ots_table.basic.id
}
## terraform命令
terraform fmt
terraform init
terraform init -pulgin-dir=~/.terraform.d/terraform-plugin-cache # 指定terraform插件缓存目录
terraform validate
terraform plan
terraform apply -auto-approve
terraform destroy -auto-approve
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
**注意: ** 这里要给阿里云RAM开通OSS和Tablestore(OTS)权限
# 工作原理
# 配置过程
1.创建OSS对象存储bucket(存储state文件)
参考仓库目录"youdianzhishi-terraform/terraform-backend-demo"
2.创建Tablestore表格存储(存储state的Lock信息)
参考仓库目录"youdianzhishi-terraform/terraform-backend-demo"
3.创建backent.tf配置Terraform backend
参考仓库目录"youdianzhishi-terraform/terraform-module-example/env/dev"
## vim backend.tf
terraform {
backend "oss" {
access_key = "xxxxxx"
secret_key = "xxxxxx"
bucket = "terraform-backend-data-202209"
prefix = "dev/"
key = "terraform-dev.tfstate"
region = "cn-shanghai"
tablestore_endpoint = "https://terra-table.cn-shanghai.ots.aliyuncs.com"
tablestore_table = "terra_table"
}
}
## terraform命令
terraform fmt
terraform fmt -recursive # 递归格式化
terraform validate
## 重新init
$ terraform init
Initializing modules...
Initializing the backend...
Successfully configured the backend "oss"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Reusing previous version of aliyun/alicloud from the dependency lock file
- Reusing previous version of hashicorp/alicloud from the dependency lock file
- Using previously-installed aliyun/alicloud v1.183.0
- Using previously-installed hashicorp/alicloud v1.185.0
╷
│ Warning: Additional provider information from registry
│
│ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
│ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
╵
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
terraform apply -auto-approve
terraform destroy -auto-approve
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
**注意: ** 这里如果有状态的话,会有合并提示,此时本地的terraform.tfstate文件就可以删除了(.terraform目录中的terraform.tfstate不可以删除)
# 模拟多人在线同时操作同一项目
- 1.这里执行删除之前创建的资源
$ terraform destroy -auto-approve
module.myecs.data.alicloud_images.images_ds: Reading...
module.myvpc.alicloud_vpc.vpc: Refreshing state... [id=vpc-uf6up62mmoxs0o2vr1glv]
alicloud_ots_instance.terra-table: Refreshing state... [id=terra-table]
alicloud_oss_bucket.terra-backend: Refreshing state... [id=terraform-backend-data-202209]
alicloud_ots_table.basic: Refreshing state... [id=terra-table:terra_table]
module.myvpc.alicloud_vswitch.vsw: Refreshing state... [id=vsw-uf6rbrz51u79wwkkoj0tg]
module.mysecgroup.alicloud_security_group.group: Refreshing state... [id=sg-uf650pajfjei25kqra6d]
module.mysecgroup.alicloud_security_group_rule.allow_22_tcp: Refreshing state... [id=sg-uf650pajfjei25kqra6d:ingress:tcp:22/22:intranet:0.0.0.0/0:accept:1]
module.mysecgroup.alicloud_security_group_rule.allow_80_tcp: Refreshing state... [id=sg-uf650pajfjei25kqra6d:ingress:tcp:80/80:intranet:0.0.0.0/0:accept:1]
module.mysecgroup.alicloud_security_group_rule.allow_all_tcp: Refreshing state... [id=sg-uf650pajfjei25kqra6d:egress:tcp:1/65535:intranet:0.0.0.0/0:accept:1]
module.myecs.data.alicloud_images.images_ds: Read complete after 4s [id=849117728]
module.myecs.alicloud_instance.myecs: Refreshing state... [id=i-uf684rg8x8mae96suyjn]
module.mydns.alicloud_dns_record.record: Refreshing state... [id=785176334420716544]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
- destroy
......
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
- 2.打开另外一个项目执行资源创建
$ terraform apply
╷
│ Error: Error acquiring the state lock # 这里提示占用了锁
│
│ Error message: OTSConditionCheckFail Condition check failed. 0005e8b4-6132-aa86-42d7-2b0a00a5f6ca
│ Lock Info:
│ ID: 1ab59afd-9fa1-7a16-67e5-3b04538804c8
│ Path: terraform-backend-data-202209/dev/terraform-dev.tfstate
│ Operation: OperationTypeApply
│ Who: root@centos-base
│ Version: 1.2.8
│ Created: 2022-09-15 10:04:58.962045604 +0000 UTC
│ Info:
│
│
│ Terraform acquires a state lock to protect the state from being written
│ by multiple users at the same time. Please resolve the issue above and try
│ again. For most commands, you can disable locking with the "-lock=false"
│ flag, but this is not recommended.
╵
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# 三、Backend扩展
# 命令行配置backend
- 指定配置文件
$ terraform init -backend-config=/path/to/terraform/backend/file
1
- 指定配置参数
terraform init -backend-config="bucket=terraform-data" -backend-config="prefix=path/mystate" -backend-config="scheme=https"
1
# terraform_remote_state
- 获取remote中state的数据(根模块的output)
output "myecs-public-ip" {
value = module.myecs.ecs_ip
}
data "terraform_reomte_state" "ecs_ip" {
backend = "oss"
config = {
access_key = "xxxxxx"
secret_key = "xxxxxx"
bucket = "terraform-data"
prefix = "path/mystate"
key = "terraform.tfstate"
region = "cn-shanghai"
}
}
output "remote_backend" {
value = data.terraform_remote_state.ecs_ip.output.myecs-public-ip
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# backend实践
- 配置多个backend-config,区分多个文件夹进行管理;
# 不同环境目录配置不同的backend.tf
cd youdianzhishi-terraform/terraform-backend-demo/envirments
tree ./
./
├── dev
│ ├── backend.tf
│ ...
├── prod
│ ├── backend.tf
│ ...
├── stag
│ ├── backend.tf
│ ...
└── test
...
└── backend.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
上次更新: 2024/04/09, 16:48:42
- 01
- AWS NAT-NetWork-Firwalld配置(一)04-09
- 02
- AWS NAT-NetWork-Firwalld配置(二)04-09
- 03
- kubernetes部署minio对象存储01-18