一、实践介绍

云产品资源

• 网络

  • DNS
  • VPC

• 负载均衡

• 云服务器 CVM

• 对象存储 COS

二、初始化项目

项目参考仓库目录"youdianzhishi-terraform/terraform-tencent-operator"

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs

腾讯云CAM-AK/SK

• 腾讯云可用区: https://cloud.tencent.com/document/product/213/6091

# 访问管理CAM-AK/SK
$ export TENCENTCLOUD_SECRET_ID="xxxxxx"
$ export TENCENTCLOUD_SECRET_KEY="xxxxxx"
$ export TENCENTCLOUD_REGION="ap-shanghai"

terraform本地缓存路径配置

• 这里使用的CentOS系统做的terraform项目

# 进入项目目录下
$ cd terraform-tencent-operator
$ vim .terraformrc 
plugin_cache_dir  = "$HOME/.terraform.d/terraform-plugin-cache"
disable_checkpoint = true

provider_installation {
  filesystem_mirror {
    path    = "/root/.terraform.d/terraform-plugin-cache"
    include = ["registry.terraform.io/*/*"]
  }
}



# 进入global项目目录进行tencent plugin的初始化
$ cd terraform-tencent-operator/global/backend
$ tree  ./
./
├── main.tf
├── variables.tf
└── versions.tf

0 directories, 3 files

0 directories, 2 files

$ vim main.tf
provider "tencentcloud" {
  region = var.region
}


$ vim variables.tf
variable "region" {
  type      = string
  default   = "ap-shanghai"
  sensitive = true
}


$ vim versions.tf 
terraform {
  required_providers {
    tencentcloud = {
      source = "tencentcloudstack/tencentcloud"
      version = ">=1.77.10"
    }
  }
} 


# 声明环境变量
export TENCENTCLOUD_SECRET_ID="xxxxxx"
export TENCENTCLOUD_SECRET_KEY="xxxxxx"
export TENCENTCLOUD_REGION="ap-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-tencent-operator/.terraformrc


# terraform init操作
## 初次init操作要在`.terraformrc`文件中先去除下面的配置段,不然会有报错
provider_installation {
  filesystem_mirror {
    path    = "/root/.terraform.d/terraform-plugin-cache"
    include = ["registry.terraform.io/*/*"]
  }
}

### 进行init操作(操作完之后再将上面去除的配置段给加上)
$ terraform  init

Initializing the backend...

Initializing provider plugins...
- Finding tencentcloudstack/tencentcloud versions matching ">= 1.77.10"...
- Installing tencentcloudstack/tencentcloud v1.77.10...
- Installed tencentcloudstack/tencentcloud v1.77.10 (signed by a HashiCorp partner, key ID 84F69E1C1BECF459)

Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

报错:

terraform  init

Initializing the backend...

Initializing provider plugins...
- Finding tencentcloudstack/tencentcloud versions matching ">= 1.77.10"...
╷
│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider tencentcloudstack/tencentcloud: provider registry.terraform.io/tencentcloudstack/tencentcloud
│ was not found in any of the search locations
│ 
│   - /root/.terraform.d/terraform-plugin-cache

Backend-COS

• 存储桶名称后缀必须包含APPID,否则COS将拒绝创建存储桶.
  • APPID就是用户的ID

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/data-sources/user_info

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/cos_bucket

# 进入项目目录
$ cd terraform-tencent-operator/global/backend
$ tree  ./
./
├── main.tf
├── terraform.tfstate
├── variables.tf
└── versions.tf

0 directories, 4 files


# 执行terraform命令,创建cos
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve



# 项目添加backend
$ ./
./
├── backend.tf
├── main.tf
├── outputs.tf
├── terraform.tfstate
├── variables.tf
└── versions.tf

0 directories, 6 files


# 执行init命令,此时的状态已经同步到远端COS上
terraform  init 

Initializing the backend...
Acquiring state lock. This may take a few moments...
Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous "local" backend to the
  newly configured "cos" backend. No existing state was found in the newly
  configured "cos" backend. Do you want to copy this state to the new "cos"
  backend? Enter "yes" to copy and "no" to start with an empty state.

  Enter a value: yes


Successfully configured the backend "cos"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Reusing previous version of tencentcloudstack/tencentcloud from the dependency lock file
- Using previously-installed tencentcloudstack/tencentcloud v1.77.10

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

备注:

• 云上的COS已经有backend的状态了

• 此时本地的状态记录文件也可以删除掉了(terraform.tfstate、terraform.tfstate.backup)

• 配置backend init失败,提示没有创建tag权限(在子账号的情况下),需要到CAM授权子账号``QcloudTAGFullAccess`权限

三、创建网络资源(申请VPC)

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/vpc

项目依赖module模块"terraform-tencent-operator/modules/vpc"

# 进入项目目录
$ cd terraform-tencent-operator/env/dev/network
$ tree  ./
./
├── backend.tf
├── main.tf
├── outputs.tf
├── variables.tf
├── versions.tf
└── vpc.tf

0 directories, 6 files


# 声明环境变量
export TENCENTCLOUD_SECRET_ID="xxxxxx"
export TENCENTCLOUD_SECRET_KEY="xxxxxx"
export TENCENTCLOUD_REGION="ap-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-tencent-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

备注:

• 项目这里创建VPC网络是调用modules下的VPC模块进行创建的
• 控制台验证VPC的创建结果

四、安全组资源申请

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/security_group

项目依赖module模块"terraform-tencent-operator/modules/security_group"

# 进入network项目目录创建`network.tf`文件
$ cd terraform-tencent-operator/env/dev/network
$ vim security_group.tf
locals {
  security_group_name = "dev-security-group"
  security_group_desc = "dev env security group"
}

module "dev-security-group" {
  source              = "../../../modules/security_group"
  security_group_name = local.security_group_name
  security_group_desc = local.security_group_desc
}


# 声明环境变量
export TENCENTCLOUD_SECRET_ID="xxxxxx"
export TENCENTCLOUD_SECRET_KEY="xxxxxx"
export TENCENTCLOUD_REGION="ap-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-tencent-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

备注:

• 项目这里创建安全组是依赖moduels下面"security_group"的创建的
• 控制台验证安全组的创建结果

五、创建服务资源(申请CVM)

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/instance

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/data-sources/images

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/data-sources/instance_types

项目依赖module模块"terraform-tencent-operator/modules/cvm"

# 进入service项目目录
$ cd terraform-tencent-operator/env/dev/service
$ tree  ./
./
├── backend.tf
├── cvm.tf
├── main.tf
├── outputs.tf
├── variables.tf
└── versions.tf

0 directories, 6 files


# 声明环境变量
export TENCENTCLOUD_SECRET_ID="xxxxxx"
export TENCENTCLOUD_SECRET_KEY="xxxxxx"
export TENCENTCLOUD_REGION="ap-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-tencent-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

备注:

• 项目这里创建安全组是依赖moduels下面"cvm"的创建的
• 控制台验证CVM的创建结果

六、负载均衡CLB(申请CLB)

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/clb_instance

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/clb_listener

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/clb_listener_rule

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/clb_attachment

项目依赖module模块"terraform-tencent-operator/modules/clb"

这里的CLB是直接分配公网IP地址的,不像阿里云上可以单独绑定EIP

# 进入service项目目录
$ cd terraform-tencent-operator/env/dev/service
$ vim clb.tf  # 添加并编辑`clb.tf`文件
locals {
  clb_name          = "dev-clb"
  vpc_ids           = data.terraform_remote_state.network-data.outputs.dev_vpc_id
  subnet_ids        = data.terraform_remote_state.network-data.outputs.dev_subnet_id
  env_name          = "dev"
  listener_name     = "dev-listener"
  listener_port     = 80
  listener_protocol = "TCP"
  scheduler         = "WRR"
  instance_ids      = module.dev-cvm[*].instance_id
  backend_port      = 80
  backend_weight    = 100
}

module "dev-clb" {
  source            = "../../../modules/clb"
  clb_name          = local.clb_name
  vpc_id            = local.vpc_ids
  subnet_id         = local.subnet_ids
  env_name          = local.env_name
  listener_name     = local.listener_name
  listener_port     = local.listener_port
  listener_protocol = local.listener_protocol
  scheduler         = local.scheduler
  instance_ids      = local.instance_ids
  backend_port      = local.backend_port
  backend_weight    = local.backend_weight
}


# 声明环境变量
export TENCENTCLOUD_SECRET_ID="xxxxxx"
export TENCENTCLOUD_SECRET_KEY="xxxxxx"
export TENCENTCLOUD_REGION="ap-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-tencent-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

备注:

• 项目这里创建安全组是依赖moduels下面"clb"的创建的
• 控制台验证CLB的创建结果

CLB遗漏点

参考文档: https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/clb_instance

• 删除保护
• 带宽上限
• CLB的安全组
• 日志服务CLS(七层)

七、申请DNS

https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/dnspod_record

项目依赖module模块"terraform-tencent-operator/env/dev/service/dns.tf

# 进入service项目目录
$ cd terraform-tencent-operator/env/dev/service
$ vim dns.tf  # 添加并编辑`dns.tf`文件
resource "tencentcloud_dnspod_record" "tfdemo" {
  domain      = "china-jiajia.org"
  record_type = "A"
  record_line = "默认"
  value       = module.dev-clb.clb_instance_vip[0]
  sub_domain = "tfdemo"
}


# 声明环境变量
export TENCENTCLOUD_SECRET_ID="xxxxxx"
export TENCENTCLOUD_SECRET_KEY="xxxxxx"
export TENCENTCLOUD_REGION="ap-shanghai"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-tencent-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

备注:

• 控制台验证DNS的创建结果

八、腾讯云COS Backend 状态锁定与释放

• Backend: https://www.tencentcloud.com/zh/document/product/1043/44213
• COS Backend 状态锁定与释放: https://cloud.tencent.com/document/product/1213/75215