k8s-ocp-yaml
  • 简介
  • 微软云 Azure
    • 2022-10-18-Azure Portal创建k8s集群
    • 2022-10-30-Azure容器镜像仓库
    • 2023-03-08-基于Policy实现tag批量分配与继承
    • 2023-02-24-Terraform 安装与简单demo
    • 2023-03-10-Terraform 创建 private AKS
    • 2023-03-22-Terraform 离线环境使用
    • 2023-03-24-Terraform 踩坑记1-InternalOperationError
  • yaml文件书写注意项
    • 2018-05-29-yaml文件来源
    • 2018-05-29-多资源对象写法
  • kubernetes docs
    • 2020-04-24-kubectl-debug插件及openshift debug模式
    • 2020-04-23-k8s 利用subpathexpr处理日志落盘
    • 2020-04-14-metrics-server 轻量级监控
    • 2020-03-31-helm3 全新版本带来了什么
    • 2019-07-27-k8s openshift troubleshooting故障诊断
    • 2020-02-17-k8s CIS benchmark 安全基准测试
    • 2019-10-14-kubernetes 1.16 单机版在线安装
    • 2019-04-19-kubernetes 1.14 离线安装
    • 2018-11-20-kubernetes dashboard 免密登陆
    • 2018-04-07-kubernetes1.10 install offline
    • 2018-04-02-kubernetes1.9 install online
    • 2018-04-04-kubernetes1.9 HA install online
    • 2018-05-02-helm2 install
  • openshift docs
    • 2021-05-17-podman添加开机自启
    • 2020-06-23-openshift4.4 在线安装(包含allinone)静态ip
    • 2020-02-25-openshift 4.3 离线安装--DHCP方式
    • 2020-03-18-openshift4 operatorhub 离线部署
    • 2019-07-02-openshift origin 3.11 在线安装
    • 2019-09-24-openshift 对接AD域作为用户系统
    • 2019-11-13-openshift jenkins slave pod 自定义模板
  • 应用(deployment,rc,rs,volume,readiness,liveness)
    • 2018-05-31-deployment,rc,rs控制器
    • 2018-05-31-volume 容器存储
    • 2018-07-05-liveness readiness 健康检查
  • Openshift独有resource
    • 2019-08-08-template模板解读
  • docker相关文档
    • 2017-08-10-dockerfile 书写注意
    • 2017-08-10-dockerfile examples
    • 2017-07-19-dockerfile 命令
  • 容器云监控prometheus
    • 2019-10-22-安装部署与监控ingress-controller
    • 2020-05-30-组件功能介绍与监控数据来源
  • 中间件
    • 2020-03-30-kafka的安装与开启ACL权限控制
  • others
    • 2020-06-06-树莓派安装docker环境
  • Last part without title
Powered by GitBook
On this page
  1. 微软云 Azure

2023-02-24-Terraform 安装与简单demo

Terraform 简介与示例

Terraform 是一种安全有效地构建、更改和版本控制基础设施的工具(基础架构自动化的编排工具)。它的目标是 "Write, Plan, and create Infrastructure as Code", 基础架构即代码。

Terraform 几乎可以支持所有市面上能见到的云服务。具体的说就是可以用代码(其实就是配置文件定义)来管理维护 IT 资源,把之前需要手动操作的一部分任务通过程序来自动化的完成,这样的做的结果非常明显:高效、不易出错。

用法与k8s容器平台的helm有点类似,都是声明式资源管理,并对版本有较好的管理,配合git食用更佳。

下文将练习通过Terraform在Azure云上创建资源组、vnet、虚拟机。

其实Azure本身提供了ARM模板配合变量配置文件,也是以声明式创建和管理资源。 但我更好奇Terraform到底有什么魔力,让各大云厂商在官方文档里进行推介,容我一探究竟。

安装 terraform

支持 MAC,Win,Linux https://developer.hashicorp.com/terraform/tutorials/azure-get-started/install-cli

Centos/RHEL

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
sudo yum -y install terraform

检查版本

[root@centos8 azure-terraform]# terraform version
Terraform v1.3.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v3.44.1

开启命令自动补全,执行完重新进入下bas窗口

 touch ~/.bashrc
terraform -install-autocomplete

安装 Azure CLI 及登录认证

https://learn.microsoft.com/zh-cn/cli/azure/install-azure-cli

Azure CLI 的 RPM 包依赖于 python3 包。Centos7 可能会遇到些问题,Centos8没问题。我此处用的Centos8.5

sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo dnf install -y https://packages.microsoft.com/config/rhel/8/packages-microsoft-prod.rpm
sudo dnf install azure-cli

# 查看版本
[root@centos8 azure-terraform]# az version
{
  "azure-cli": "2.45.0",
  "azure-cli-core": "2.45.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {}
}

使用Terraform创建资源组

先尝试实现一个最简单场景,了解下大概的使用流程。

创建配置文件

新建一个空目录,并在其中创建一个 main.tf 文件

mkdir azure-terraform
cd azure-terraform/

编辑 main.tf 配置文件

[root@centos8 azure-terraform]# cat main.tf
# We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.44.1"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
}

# Create a resource group
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

文件的上半部分 terraform/provider 定义了将要使用什么云,及插件的版本,在以下连接的右上角“USE PROVIDER”查看。 resource 部分表示要创建的资源,此处是创建一个资源组,在以下连接的右上角“Documentation”,有所有支持的资源定义解读。 https://registry.terraform.io/providers/hashicorp/azurerm/latest

Azure 权限认证

在通过 Terraform 创建之前,需要先配置权限认证,才能去创建或配置资源。

https://learn.microsoft.com/zh-cn/azure/developer/terraform/authenticate-to-azure?tabs=bash

主要两种方式:

  1. 通过powershell 或者 az cli 进行认证

  2. 通过服务主体。服务主体创建后,可以在环境变量指定ID和密码。也可以配置在main.tf(明文,不安全)

此处就通过最简单的方式,执行 az login 注意如果是国内azure云,也就是21世纪互联运营的那个,需要切到中国区 az cloud set --name AzureCloud

az login
# 查看订阅
az account show
# 切换订阅
az account set --subscription "<subscription_id_or_subscription_name>"

初始化插件

执行 terraform init。 terraform init 会分析 xxx.tf 代码中所使用到的Provider,并尝试下载Provider插件到本地 如果网络连不上多执行几次,国内网络老大难。。。

成功后会看到提示 "Terraform has been successfully initialized!"

可以看到新增了两个隐藏文件,目录下就有 azure privider 的插件

[root@centos8 azure-terraform]# tree
.
└── main.tf

0 directories, 1 file
[root@centos8 azure-terraform]# tree -a
.
├── main.tf
├── .terraform
│   └── providers
│       └── registry.terraform.io
│           └── hashicorp
│               └── azurerm
│                   └── 3.44.1
│                       └── linux_amd64
│                           └── terraform-provider-azurerm_v3.44.1_x5
└── .terraform.lock.hcl

7 directories, 3 files

格式化和校验配置文件(可选操作)

执行 terraform fmt 格式化配置文件,比如对齐。如果自动修改了文件,会列出修改的内容。同时对错误的格式也会指出,建议执行。

terraform validate 验证配置文件,和上面命令有点类似,但是不会去修改文件

terraform plan 预览变更

执行 terraform plan 可以预览一下代码即将产生的变更:

[root@centos8 azure-terraform]# terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "westeurope"
      + name     = "example-resources"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these
actions if you run "terraform apply" now.

terraform apply 执行变更

运行terraform apply 时,Terraform会首先重新计算一下变更计划,并且像刚才执行plan命令那样把变更计划打印给我们,要求我们人工确认。让我们输入yes,然后回车

[root@centos8 azure-terraform]# terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "westeurope"
      + name     = "example-resources"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_resource_group.example: Creating...
azurerm_resource_group.example: Creation complete after 6s [id=/subscriptions/3c398848-b31e-427a-aa4e-3b87b2ae6064/resourceGroups/example-resources]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

terraform show 查看当前部署

查看当前部署资源属性和元数据,可以用这些值来配置其他资源

[root@centos8 azure-terraform]# terraform show
# azurerm_resource_group.example:
resource "azurerm_resource_group" "example" {
    id       = "/subscriptions/3c398848-b31e-427a-aa4e-3b87b2ae6064/resourceGroups/example-resources"
    location = "westeurope"
    name     = "example-resources"
}

# terraform state list  命令可以列出创建的资源列表
[root@centos8 azure-terraform]# terraform state list
azurerm_resource_group.example

apply 完成后将变更操作时的状态信息保存在一个状态文件中,默认情况下会保存在当前工作目录下的terraform.tfstate文件里。不要手动修改这个文件。 再次执行 apply 的时候会检查 tfstate 文件,如果没有这个文件,会认为是第一次创建。 同时下一步 destroy 删除资源的时候也依赖这个文件。 同时 tfstate 中的密码都是明文的,存储需注意安全。

[root@centos8 azure-terraform]# cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.3.9",
  "serial": 1,
  "lineage": "27786e94-4a19-71cc-43e4-e2d1dfa1f851",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "azurerm_resource_group",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "id": "/subscriptions/3c398848-b31e-427a-aa4e-3b87b2ae6064/resourceGroups/example-resources",
            "location": "westeurope",
            "name": "example-resources",
            "tags": null,
            "timeouts": null
          },
          "sensitive_attributes": [],
          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo1NDAwMDAwMDAwMDAwLCJkZWxldGUiOjU0MDAwMDAwMDAwMDAsInJlYWQiOjMwMDAwMDAwMDAwMCwidXBkYXRlIjo1NDAwMDAwMDAwMDAwfX0="
        }
      ]
    }
  ],
  "check_results": null
}

terraform destroy 清理资源

会列出要清理的对象进行确认,清理之后会自动把 tfstate 文件备份 terraform.tfstate.backup 。原文件 terraform.tfstate 中 resource 部分会被清空了。

创建 vnet 和虚拟机

main.tf 增加vnet,sub,vm 等配置文件。注意下变量的引用,vnet 会引用RG名称,网卡引用subnet id

[root@centos8 azure-terraform]# cat main.tf
# We strongly recommend using the required_providers block to set the
# Azure Provider source and version being used
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.44.1"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "main" {
  name     = "${var.prefix}-resources"
  location = var.location
}

resource "azurerm_virtual_network" "main" {
  name                = "${var.prefix}-network"
  address_space       = ["10.0.0.0/22"]
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_network_interface" "main" {
  name                = "${var.prefix}-nic"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "main" {
  name                            = "${var.prefix}-vm"
  resource_group_name             = azurerm_resource_group.main.name
  location                        = azurerm_resource_group.main.location
  size                            = "Standard_D2s_v3"
  admin_username                  = "${var.username}"
  admin_password                  = "${var.password}"
  disable_password_authentication = false
  network_interface_ids = [
    azurerm_network_interface.main.id,
  ]

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }
}

variables.tf 定义资源名称前缀,地区,vm的用户名密码

[root@centos8 azure-terraform]# cat variables.tf
variable "prefix" {
  description = "The prefix which should be used for all resources in this example"
  type    = string
  default = "demo"
}

variable "location" {
  description = "The Azure Region in which all resources in this example should be created."
  type    = string
  default = "eastus"
}

variable "username" {
  description = "The virtual machine username."
  type    = string
  default = "caifeng"
}

variable "password" {
  description = "The virtual machine password."
  type    = string
  default = "abcdef@123"
}

terraform apply 更新变更,可以在portal 上查看RG,VM信息。 state list 查看资源列表。

[root@centos8 azure-terraform]# terraform apply

[root@centos8 azure-terraform]# terraform state list
azurerm_linux_virtual_machine.main
azurerm_network_interface.main
azurerm_resource_group.main
azurerm_subnet.internal
azurerm_virtual_network.main

参考文档

https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/azure-configuration https://registry.terraform.io/providers/hashicorp/azurerm/latest https://lonegunmanb.github.io/introduction-terraform/

关注我的github,后续更新会同步上去

https://github.com/cai11745/hybrid-cloud

Previous2023-03-08-基于Policy实现tag批量分配与继承Next2023-03-10-Terraform 创建 private AKS

Last updated 1 year ago