一、实践介绍

云产品资源

• 网络

  • DNS Route53
  • VPC

• 负载均衡 ALB

• 云服务器 EC2

• 对象存储 S3

• Amazon DynameDB

二、项目初始化

项目总体目录结构

$ tree  ./
./
├── env
│   └── dev
│       ├── network
│       └── service
├── global
│   └── backend
└── modules
    ├── alb
    ├── ec2
    ├── route_53
    ├── security_group
    └── vpc

13 directories

AWS访问管理IAM-AK/SK

export AWS_ACCESS_KEY_ID="xxxxxx" export AWS_SECRET_ACCESS_KEY="xxxxxx"

分别添加权限:

• AmazonEC2FullAccess
• AmazonS3FullAccess
• AmazonDynamoDBFullAccess

AWS地域和可用区

• https://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

项目初始化

https://registry.terraform.io/providers/hashicorp/aws/latest/docs

项目目录"youdianzhishi-terraform/terraform-aws-operator/global/backend"

# 进入到backend项目目录
$ cd terraform-aws-operator/global/backend
$ tree  ./
./
└── versions.tf

0 directories, 1 file

# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

三、Backend配置

• Backend-S3 + DynamoDB

  • https://aws.amazon.com/cn/s3/
  • Amazon Simple Storage Service(Amazon S3)是一种对象存储服务提供行业领先的可扩展性、数据可用性、安全性和性能.

• Backend配置官方文档地址

https://www.terraform.io/language

Terratform Settins ---> Backends ---> Available Backends

https://www.terraform.io/language/settings/backends/s3

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table

https://www.terraform.io/language/settings/backends/s3

# 进入service项目目录
$ cd terraform-aws-operator/global/backend
$ tree .
.
├── backend.tf
├── main.tf
├── outputs.tf
└── versions.tf

0 directories, 4 files

# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc


# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve

备注:

• 控制台验证S3的创建结果

• 控制台验证DynamoDB Table的创建结果

四、申请VPC和Subnet资源

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association

项目依赖module模块"terraform-asw-operator/modules/vpc"

# 进入项目目录
$ cd terraform-aws-operator/env/dev/network
$ tree  ./
./
├── backend.tf
├── main.tf
├── outputs.tf
├── variables.tf
├── versions.tf
└── vpc.tf

0 directories, 6 files

# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建VPC网络是调用modules下的VPC模块进行创建的
• 控制台验证VPC的创建结果

五、申请SecurityGroup资源

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

项目依赖module模块"terraform-asw-operator/modules/security_group"

# 进入项目目录
$ cd terraform-aws-operator/env/dev/network
$ vim security_group.tf  # 新增`security_group.tf`的内容部分
locals {
  vpc_id                      = module.dev-vpc.vpc_id
  security_group_ports        = ["22", "80", "443"]
  security_groups_name        = "dev-security-group"
  security_groups_description = "dev Security Group"
}

module "dev-securitygroup" {
  source                      = "../../../modules/security_group"
  vpc_id                      = local.vpc_id
  security_groups_name        = local.security_groups_name
  security_group_ports        = local.security_group_ports
  security_groups_description = local.security_groups_description
}

# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 项目这里创建安全组是调用modules下的security-group模块进行创建的
• 控制台验证安全组的创建结果

六、申请EC2资源

https://aws.amazon.com/marketplace/pp/prodview-qkzypm3vjr45g

https://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/AMIs.html

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance

remote-data-source: https://www.terraform.io/language/settings/backends/s3

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip

项目依赖module模块"terraform-asw-operator/modules/ec2"

# 进入项目目录
$ cd terraform-aws-operator/env/dev/service
$ mkdir -pv config
$ ssh-keygen -t rsa -m PEM -f config/dev-private-key  # 创建用于ssh连接的private key;(-f:指定文件名,-C:备注)
$ mv config/dev-private-key config/dev-private-key.pem
$ tree  .
.
├── backend.tf
├── config
│   ├── dev-private-key.pem
│   └── dev-private-key.pub
├── ec2.tf
├── main.tf
├── outputs.tf
├── variables.tf
└── versions.tf

1 directory, 8 files

# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

# 服务器连接测试
$  ssh -i config/dev-private-key.pem centos@13.213.217.149
The authenticity of host '13.213.217.149 (13.213.217.149)' can't be established.
ECDSA key fingerprint is SHA256:oqbUgbq9wktJJkrxirRN45FLXKBRyfcR+QzrxmvGN1k.
ECDSA key fingerprint is MD5:7f:af:6b:38:9a:04:44:e2:cf:ff:60:c6:60:8c:1a:8e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '13.213.217.149' (ECDSA) to the list of known hosts.
[centos@ip-10-110-10-174 ~]$ sudo -i
[root@ip-10-110-10-174 ~]# ps -ef |grep nginx
root      4232     1  0 11:10 ?        00:00:00 nginx: master process /usr/sbin/nginx
nginx     4233  4232  0 11:10 ?        00:00:00 nginx: worker process
root      4282  4268  0 11:11 pts/0    00:00:00 grep --color=auto nginx

备注:

• 项目这里创建EC2是调用modules下的ec2模块进行创建的
• 控制台验证EC2的创建结果

• 通过EC2公网地址访问测试nginx服务是是否正常

七、申请ELB资源

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener

项目依赖module模块:

​ "terraform-asw-operator/modules/elb"

​ "terraform-asw-operator/modules/security_group"

# 进入项目目录
$ cd terraform-aws-operator/env/dev/service
$ vim alb_security_group.tf  # 添加`alb_security_group.tf`文件创建ALB使用的安装组
locals {
  vpc_id                      = data.terraform_remote_state.network-data.outputs.vpc_id
  security_group_ports        = ["80", "443"]
  security_groups_name        = "dev-alb-security-group"
  security_groups_description = "dev alb Security Group"
}

module "alb-securitygroup" {
  source                      = "../../../modules/security_group"
  vpc_id                      = local.vpc_id
  security_groups_name        = local.security_groups_name
  security_group_ports        = local.security_group_ports
  security_groups_description = local.security_groups_description
}

$ vim alb.tf  # 添加`alb.tf`创建application类型的负载均衡器
locals {
  alb_vpc_id             = data.terraform_remote_state.network-data.outputs.vpc_id
  subnet_ids             = data.terraform_remote_state.network-data.outputs.vpc_subnet_id
  http_target_group_name = "dev-alb-http"
  alb_name               = "dev-http-alb"
  ec2_ids                = [for k, v in module.dev-ec2.aws_instance_info : v.id]
  alb_security_groups    = module.alb-securitygroup.security_groups_info.id
  #   https_target_group_name = "dev-alb-https"
}


module "http-alb" {
  source                 = "../../../modules/alb"
  alb_vpc_id             = local.alb_vpc_id
  subnet_ids             = local.subnet_ids
  alb_name               = local.alb_name
  http_target_group_name = local.http_target_group_name
  ec2_ids                = local.ec2_ids
  alb_security_groups    = local.alb_security_groups
  #   https_target_group_name = local.https_target_group_name
}


# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 创建ELB使用的安全组是调用modules下的security_group模块进行创建的
• 创建ELB是调用modules下的elb模块进行创建的
• 控制台验证ELB的创建结果

• 访问ELB的dns地址测试后端的服务是否能正常访问

八、申请DNS资源

https://docs.aws.amazon.com/zh_cn/Route53/latest/DeveloperGuide/dns-configuring.html

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record

项目依赖module模块: "terraform-asw-operator/modules/route_53"

# 进入项目目录
$ cd terraform-aws-operator/env/dev/service
$ vim dns.tf  # 添加`dns.tf.tf`文件
locals {
  route53_zone_name     = "tfops.com"
  zone_name             = "tfops.com"
  route53_zone_env_name = "dev"
  record_name           = "dev.tfops.com"
  record_type           = "CNAME"
  # 生效时间(单位为秒)
  record_ttl            = 60
  record_ip_address     = module.http-alb.alb_info.dns_name 
}

module "dns" {
  source                = "../../../modules/route_53"
  route53_zone_name     = local.route53_zone_name
  zone_name             = local.zone_name
  route53_zone_env_name = local.route53_zone_env_name
  record_name           = local.record_name
  record_type           = local.record_type
  record_ttl            = local.record_ttl
  record_ip_address     = local.record_ip_address
}

# 声明环境变量
export AWS_ACCESS_KEY_ID="xxxxxx"
export AWS_SECRET_ACCESS_KEY="xxxxxx"
export AWS_REGION="ap-east-1"
export TF_CLI_CONFIG_FILE=/home/terraform/youdianzhishi-terraform/terraform-aws-operator/.terraformrc

# 执行terraform命令
$ terraform init 
$ terraform fmt 或 terraform init -recursive
$ terraform validate
$ terraform plan
$ terraform apply 或 terraform apply -auto-approve
$ terraform destroy 或 terraform destroy -auto-approve

备注:

• 创建DNS使用的是调用modules下的route_53模块进行创建的
• 控制台验证DNS的解析结果