一、实践介绍

云产品资源

• 网络

  • DNS
  • VPC

• 负载均衡 ELB

• 云服务器 ECS

• 对象存储 OBS

项目目录结构

$ tree ./
./
├── dev
│   ├── network
│   └── service
├── global
│   └── backend
└── modules
    ├── dns
    ├── ecs
    ├── eip
    ├── security_group
    ├── slb
    └── vpc

12 directories, 0 files

二、项目初始化

统一身份认证服务IAM-AK/SK

Terraform官方: https://registry.terraform.io/browse/providers

Terraform官方的Providers搜索不到huaweicloud,需要额外访问指定地址: https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest

export HW_ACCESS_KEY="anaccesskey"
export HW_SECRET_KEY="asecretkey"
export HW_REGION_NAME="cn-east-3"

地域和可用区

https://developer.huaweicloud.com/endpoint?ECS

Backend-S3(初始化)

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/obs_bucket

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/guides/remote-state-backend

• 这里华为运维调用的是AWS的S3存储的接口方式,这里需要声明如下的AK/SK

  export AWS_ACCESS_KEY_ID="xxxxxx"

  export AWS_SECRET_ACCESS_KEY="xxxxxx"

# 进入项目目录
$ cd erraform-huawei-operator/global/backend
$ tree  ./
./
├── backend.tf
├── main.tf
├── outputs.tf
├── variables.tf
└── versions.tf

0 directories, 7 files

# 声明环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 控制台验证backend

二、网络资源创建(申请VPC)

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/vpc

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/vpc_subnet

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/vpc_route_table

项目依赖module模块"terraform-huawei-operator/modules/vpc"

# 进入项目目录
$ cd terraform-huawei-operator/env/dev/network
$ tree  ./
./
├── backend.tf
├── main.tf
├── outputs.tf
├── variables.tf
├── versions.tf
└── vpc.tf

0 directories, 6 files

# 声明环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建VPC网络是调用modules下的VPC模块进行创建的
• 控制台验证VPC的创建结果

忽略部分

• vpc下的路由表路由条目没有添加

三、安全组和规则(安全组申请)

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/iec_security_group

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/iec_security_group_rule

项目依赖module模块"terraform-huawei-operator/modules/security_group"

# 进入项目目录
$ cd terraform-huawei-operator/env/dev/network
$ vim security_group.tf  # 添加`security_group.tf`文件并配置
locals {
  secgroup_name = "dev-secgroup"
  secgroup_desc = "dev security group"
}

module "dev-security-group" {
  source = "../../../modules/security_group"
  secgroup_name = local.secgroup_name
  secgroup_desc = local.secgroup_desc
}

# 声明环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建安全组是调用modules下的security_group模块进行创建的
• 控制台验证安全组的创建结果

四、创建服务资源(申请ECS)

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/compute_instance

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/data-sources/compute_flavors

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/data-sources/images_image

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/compute_keypair

项目依赖module模块"terraform-huawei-operator/modules/ecs"

# 进入项目目录
$ terraform-huawei-operator/env/dev/service
$ tree  ./
./
├── main.tf
├── outputs.tf
├── backend.tf
├── variables.tf
└── versions.tf

0 directories, 4 files
# 声明环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建ECS是调用modules下的ecs模块进行创建的
• 控制台验证ECS的创建结果

四、申请EIP资源

• ECS不关联EIP,无法连接往外,像一些系统安装软件都无法进行

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/vpc_bandwidth

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/vpc_eip

项目依赖module模块"terraform-huawei-operator/modules/eip"

# 进入项目目录
$ terraform-huawei-operator/env/dev/service
$ vim eip.tf 
locals {
  bandwidth_name = "dev-bandwidth"
  bandwidth_size = 5
  instances      = module.dev-ecs[*].instance_id
}

module "dev-eip" {
  source         = "../../../modules/eip"
  bandwidth_name = local.bandwidth_name
  bandwidth_size = local.bandwidth_size
  instances      = local.instances
}

# 声明环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建EIP是调用modules下的eip模块进行创建的
• 控制台验证EIP的创建结果

五、申请EIB资源

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/lb_loadbalancer

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/lb_listener

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/lb_pool

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/lb_member

https://registry.terraform.io/providers/huaweicloud/huaweicloud/latest/docs/resources/vpc_eip

https://registry.terraform.io/providers/huaweicloud/huaweicloud/1.38.2/docs/resources/vpc_eip_associate

项目依赖module模块"terraform-huawei-operator/modules/eib"

# 进入项目目录
$ terraform-huawei-operator/env/dev/service
$ vim eib.tf
locals {
  lb_name  = "dev-elb"
  env_name = "dev"
}

# 此时创建的还是内部的负载均衡暂时没有公网地址
module "dev-elb" {
  source = "../../../modules/elb"
  # 这里用到的是subnet的子网ID
  subnet_id    = data.terraform_remote_state.network.outputs.subnet_subnet_id
  instance_ips = module.dev-ecs[*].instance_private_ip
  lb_name      = local.lb_name
  env_name     = local.env_name
}

# ELB-EIP
resource "huaweicloud_vpc_eip" "elb-eip" {
  publicip {
    type = "5_bgp"
  }

  bandwidth {
    share_type = "WHOLE"
    id         = module.dev-eip.bandwidth_id
  }
}

# 新版本将`huaweicloud_networking_eip_associate`更新为`huaweicloud_vpc_eip_associate`
resource "huaweicloud_networking_eip_associate" "eip_elb" {
  public_ip = huaweicloud_vpc_eip.elb-eip.address
  port_id   = module.dev-elb.elb_vip_port_id
}


# 声明环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建EIB是调用modules下的eib模块进行创建的
• 控制台验证EIB的创建结果

• 通过ELB绑定的EIP地址访问测试后端服务是否正常

六、申请DNS资源

这里使用的DNS解析是阿里云的,所有项目中会有阿里云的配置内容

# 进入项目目录
$ terraform-huawei-operator/env/dev/service
$ vim dns.tf
locals {
  dns_zone_name = "chsaos.com"
  dns_record    = "deva"
  eip           = huaweicloud_vpc_eip.elb-eip.address
  record_type   = "A"
}

# demo.chsaos.com
resource "alicloud_dns_record" "record" {
  name        = local.dns_zone_name
  host_record = local.dns_record
  type        = local.record_type
  value       = local.eip
}


# 声明华为云环境变量
export AWS_ACCESS_KEY_ID=xxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxx
export HW_ACCESS_KEY="xxxxxx"
export HW_SECRET_KEY="xxxxxx"
export HW_REGION_NAME="cn-east-3"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-huawei-operator/.terraformrc

# 声明阿里云环境变量
export ALICLOUD_ACCESS_KEY="xxxxxx"
export ALICLOUD_SECRET_KEY="xxxxxx"
export ALICLOUD_REGION="cn-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-alicloud-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 控制台验证DNS的创建结果

• 访问deva.chsaos.com测试后端服务是否正常