Terraform

Terraform - https://www.terraform.io/

Terraform is a provisioning-focused tool.

provisioning - Provisioning is the process of creating and setting up IT infrastructure, including the steps required to manage the access rights of users and systems to the various resources. Provisioning is the early stage of deploying servers, applications, network components, storage, edge devices, and so on.

Provisioning differs from configuration management (configuration-management), but both are steps in the deployment process. Once a system has been provisioned, the next step is to configure it and keep it consistent over time.

How they are combined

  • Provisioning + Config management = Terraform + Ansible

  • Provisioning + Server Templating = Terraform + Packer

  • Provisioning + Orchestration Tool = Terraform + Kubernetes; on AWS this is usually the EKS service.

Terraform Architecture

How do you write Terraform code?

Following the architecture in the diagram above, we refer to the AWS Provider documentation linked below and use its code to provision AWS IT infrastructure.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs

How do you run Terraform?

all terraform cli docs are here ==> https://developer.hashicorp.com/terraform/tutorials/cli

1.terraform init

➜  02-overview git:(main) pwd
/Users/xxx/Documents/source_code/devops-directive-terraform-course/02-overview
➜ 02-overview git:(main) ls
README.md main.tf
➜ 02-overview git:(main) terraform -help
Usage: terraform [global options] <subcommand> [args]

The available commands for execution are listed below.
The primary workflow commands are given first, followed by
less common or more advanced commands.

Main commands:
init Prepare your working directory for other commands
validate Check whether the configuration is valid
plan Show changes required by the current configuration
apply Create or update infrastructure
destroy Destroy previously-created infrastructure

All other commands:
console Try Terraform expressions at an interactive command prompt
fmt Reformat your configuration in the standard style
force-unlock Release a stuck lock on the current workspace
get Install or upgrade remote Terraform modules
graph Generate a Graphviz graph of the steps in an operation
import Associate existing infrastructure with a Terraform resource
login Obtain and save credentials for a remote host
logout Remove locally-stored credentials for a remote host
metadata Metadata related commands
output Show output values from your root module
providers Show the providers required for this configuration
refresh Update the state to match remote systems
show Show the current state or a saved plan
state Advanced state management
taint Mark a resource instance as not fully functional
test Experimental support for module integration testing
untaint Remove the 'tainted' state from a resource instance
version Show the current Terraform version
workspace Workspace management

Global options (use these before the subcommand, if any):
-chdir=DIR Switch to a different working directory before executing the
given subcommand.
-help Show this help output, or the help for a specified subcommand.
-version An alias for the "version" subcommand.
➜ 02-overview git:(main) terraform init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching "~> 3.0"...
- Installing hashicorp/aws v3.76.1...
- Installed hashicorp/aws v3.76.1 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

➜ 02-overview git:(main) tree
.
|____main.tf
|____.terraform
| |____providers
| | |____registry.terraform.io
| | | |____hashicorp
| | | | |____aws
| | | | | |____3.76.1
| | | | | | |____darwin_arm64
| | | | | | | |____terraform-provider-aws_v3.76.1_x5
|____README.md
|____.terraform.lock.hcl

2.terraform plan

# terraform plan
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

# aws_instance.example will be created
+ resource "aws_instance" "example" {
+ ami = "ami-0829e595217a759b9"
+ arn = (known after apply)
+ tags = {
+ "Name" = "int32bit-test-ft"
+ "Owner" = "int32bit"
}
+ vpc_security_group_ids = (known after apply)
+ ...

Plan: 1 to add, 0 to change, 0 to destroy.

3.terraform apply

# terraform apply
Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

aws_instance.example: Creating...
aws_instance.example: Still creating... [10s elapsed]
aws_instance.example: Still creating... [20s elapsed]
aws_instance.example: Creation complete after 20s [id=i-0bb96d24b6e6d37eb]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

4.terraform destroy

5.adfs

In real enterprise environments, using AWS usually requires multi-factor authentication, so most organizations use ADFS (multi-factor authentication with Active Directory).

The most commonly used tool is https://github.com/venth/aws-adfs, which logs in to AWS with a certificate / identity (such as SSO) / password; Terraform logs in the same way.

Actual project structure

Moreover, in a complex system deployment, a shell script can be added for each module's .tf file, for example a shell script that runs compute.tf on its own, so that each script is executed (manually) and the result is confirmed after each Terraform deployment completes. This completes the deployment of a complex system step by step and in a decoupled way, and it can also satisfy enterprise requirements for security, networking, EKS, and so on.
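As an added example (not from the page or the linked course), the following POSIX shell script wraps the init / plan / apply workflow shown above for one module directory at a time: it writes the plan to a file, parses the "Plan: N to add, N to change, N to destroy." summary, refuses to apply a plan that destroys resources unless explicitly allowed, and then applies exactly the reviewed plan file. It assumes terraform is on PATH and that each module (for example ./compute) is its own directory; the directory layout and the ALLOW_DESTROY variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's or course's own code.
# Assumes: terraform on PATH; each module lives in its own directory
# (e.g. ./compute containing compute.tf). Module names are hypothetical.

# Read plan output on stdin and print the three counts as "ADD CHANGE DESTROY".
# Exits 1 if no summary line is found, so callers never apply an unreviewed plan.
parse_plan_summary() {
  awk '/^Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\./ {
         print $2, $5, $8; found = 1 }
       /^No changes\./ { print "0 0 0"; found = 1 }
       END { if (!found) exit 1 }'
}

# Return 0 when the plan on stdin destroys nothing, 1 otherwise.
plan_is_safe() {
  counts=$(parse_plan_summary) || return 1
  destroy=${counts##* }            # last field of "ADD CHANGE DESTROY"
  [ "$destroy" -eq 0 ]
}

# Deploy one module step by step: init, save the plan, gate on the destroy
# count, then apply the saved plan (no interactive "yes" and no drift between
# what was reviewed and what is applied). Note that tfplan and plan.txt can
# contain sensitive values; keep them out of version control.
deploy_module() {
  dir=$1
  allow_destroy=${2:-no}
  terraform -chdir="$dir" init -input=false >/dev/null || return 1
  terraform -chdir="$dir" plan -no-color -input=false -out=tfplan \
    > "$dir/plan.txt" || return 1
  counts=$(parse_plan_summary < "$dir/plan.txt") || return 1
  echo "$dir: add/change/destroy = $counts"
  if ! plan_is_safe < "$dir/plan.txt" && [ "$allow_destroy" != "yes" ]; then
    echo "$dir: plan destroys resources; review it, then rerun with ALLOW_DESTROY=yes" >&2
    return 2
  fi
  terraform -chdir="$dir" apply -input=false tfplan
}

# Run the given module directories in order, stopping at the first failure,
# e.g.: ./deploy.sh network compute eks
deploy_all() {
  for m in "$@"; do
    deploy_module "$m" "${ALLOW_DESTROY:-no}" || return $?
  done
}

if [ "$#" -gt 0 ]; then
  deploy_all "$@"
fi
```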

Reference

all terraform providers ==> https://registry.terraform.io/browse/providers

terraform Course ==> https://www.youtube.com/watch?v=7xngnjfIlK4&t=8s