共计 8090 个字符,预计需要花费 21 分钟才能阅读完成。
春节前夕,一款名为《幻兽帕鲁(Palworld)》的游戏火爆出圈,在数天之内销量达到数百万,半月之内玩家达到了数千万之多。为了晋升用户的体验,国内云厂商,诸如阿里云、华为云、腾讯云等纷纷推出幻兽帕鲁服务器,玩家能够在分钟级别内疾速构建出开箱即用的幻兽帕鲁服务器。
对于疾速构建云服务器这件事,很多时候,DevOps 人员可能是通过在管制台上,通过手动点击来疾速创立。然而在云原生时代,有一个 IaC(基础设施即代码)的技术,DevOps 人员无需手动操作,只须要通过自动化即可创立一些云资源。
比方在腾讯云上,一个云服务器是这样的参数:
如果用 IaC 的角度看,其实是这样的:
## instance info
resource "tencentcloud_instance" "cvm_almalinux" {
instance_name = "jh-gitlab"
availability_zone = "ap-ap-shanghai"
image_id = "img-q95tlc25"
instance_type = "S2.MEDIUM2"
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 100
hostname = "jh-gitlab"
allocate_public_ip = true
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
security_groups = ["${tencentcloud_security_group.sg_bj.id}"
]
vpc_id = "${tencentcloud_vpc.vpc_bj.id}"
subnet_id = "${tencentcloud_subnet.subnet_bj_02.id}"
internet_max_bandwidth_out = 10
count = 1
}
## security group
resource "tencentcloud_security_group" "sg_bj" {name = "sg-jh-gitlab"}
resource "tencentcloud_security_group_rule" "sg_bj_1" {security_group_id = "${tencentcloud_security_group.sg_bj.id}"
type = "ingress"
cidr_ip = "0.0.0.0/0"
ip_protocol = "tcp"
port_range = "22,80,443"
policy = "accept"
}
## vpc info
resource "tencentcloud_vpc" "vpc_bj" {
name = "vpc_jh-gitlab"
cidr_block = "10.0.0.0/16"
is_multicast = false
}
## route table info
resource "tencentcloud_route_table" "rtb_vpc_bj" {
vpc_id = tencentcloud_vpc.vpc_bj.id
name = "rtb-vpc-jh-gitlab"
}
## subnet info
resource "tencentcloud_subnet" "subnet_bj_01" {
name = "jh-gitlab"
cidr_block = "10.0.1.0/24"
availability_zone = "ap-shanghai"
vpc_id = "${tencentcloud_vpc.vpc_bj.id}"
route_table_id = "${tencentcloud_route_table.rtb_vpc_bj.id}"
}这些信息都是以 .tf 的格局保留的。也就是 terrafrom 的格局保留的。
对于 terraform 来说,terraform 会将治理的云基础设施和配置的状态以文件的模式存储起来。terraform 会用这个状态和物理世界的理论资源做映射,并且对于这些资源的元数据进行追踪。一般来讲 state 文件是以 terrafrom.tfstate 的模式保留到本地的。然而为了更好的保留该文件,并且做好版本控制、加密等,官网举荐能够将此文件保留到云端。
而极狐 GitLab 就能够存储此文件。terrafrom 反对通过配置 backend(后端)来将 state 文件存储到对应的后端上。极狐 GitLab 除了可能存储 terraform 文件外,还能实现以下性能:
- 对于 Terraform state 文件进行版本控制
- 对 state 文件进行加密
- 对 state 进行锁定 / 解锁
- 通过 gitlab ci 来近程执行 terraform plan 和 terraform apply 命令。
如果须要应用此性能,须要确保极狐 GitLab 设置好了 terraform state 存储的配置。通过我的项目的设置 –> 通用 –> 可见性,我的项目性能,权限 –> 基础设施进行设置。
初始化 terraform state 并将极狐 GitLab 作为 backend
要将极狐 GitLab 配置为 terraform state 的 backend,须要在文件中做如下配置:
terraform {backend "http" {}
}以腾讯云为例来讲,能够在 provider.tf 文件中写入如下配置:
provider "tencentcloud" {
secret_id = "你的腾讯云账号 secret id"
secret_key = "你的腾讯云账号 secret key"
region = "ap-shanghai"
}
terraform {
required_providers {
tencentcloud = {
source = "tencentcloudstack/tencentcloud"
version = "1.81.70"
}
}
backend "http" {}}接下来只须要执行 terraform init 即可。在初始化之前,须要先在极狐 GitLab 上创立一个存储 state 文件的我的项目。可在极狐 GitLab 首页创立我的项目:
能够应用 Omnibus 来装置私有化部署的极狐 GitLab 实例,装置详情能够查看极狐 GitLab 装置官网。
创立结束,能够在我的项目 –> 运维中看到我的项目中存储的 terraform state 文件:
能够看到,新建的我的项目中并没有存储 terraform state 文件。能够依据界面上提醒的 复制 Terraform init 命令来实现初始化,并且将 state 文件存储到此我的项目下。命令内容如下:
terraform init \
-backend-config="address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME" \
-backend-config="lock_address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME/lock" \
-backend-config="unlock_address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME/lock" \
-backend-config="username=majinghe" \
-backend-config="password=$GITLAB_ACCESS_TOKEN" \
-backend-config="lock_method=POST" \
-backend-config="unlock_method=DELETE" \
-backend-config="retry_wait_min=5"这外面有两个环境变量 $TF_STATE_NAME 和 $GITLAB_ACCESS_TOKEN。第一个是 terraform state 文件的名称,第二个是极狐 GitLab 的 access token。将 terraform state 文件的名称设置为 jh-gitlab。
在极狐 GitLab 首页上,点击头像 –> 编辑个人资料 –> 拜访令牌创立集体拜访令牌。
获取拜访令牌的值,并将其以环境变量的模式导入:
export GITLAB_ACCESS_TOKEN="你的集体拜访令牌"
export TF_STATE_NAME="jh-gitlab"接着执行上述的 terrform init xxxx 命令即可:
terraform init \
-backend-config="address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME" \
-backend-config="lock_address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME/lock" \
-backend-config="unlock_address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME/lock" \
-backend-config="username=majinghe" \
-backend-config="password=$GITLAB_ACCESS_TOKEN" \
-backend-config="lock_method=POST" \
-backend-config="unlock_method=DELETE" \
-backend-config="retry_wait_min=5"
Initializing the backend...
Successfully configured the backend "http"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding tencentcloudstack/tencentcloud versions matching "1.81.70"...
- Installing tencentcloudstack/tencentcloud v1.81.70...
- Installed tencentcloudstack/tencentcloud v1.81.70 (verified checksum)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
╷
│ Warning: Incomplete lock file information for providers
│
│ Due to your customized provider installation methods, Terraform was forced to calculate lock file checksums locally
│ for the following providers:
│ - tencentcloudstack/tencentcloud
│
│ The current .terraform.lock.hcl file only includes checksums for linux_amd64, so Terraform running on another
│ platform will fail to install these providers.
│
│ To calculate additional checksums for another platform, run:
│ terraform providers lock -platform=linux_amd64
│ (where linux_amd64 is the platform to generate)
╵
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.此时能够看到 terraform 初始化胜利 Terraform has been successfully initialized!
接着执行 terraform plan:
terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
+ create
Terraform will perform the following actions:
# tencentcloud_vpc.vpc_xiaoamge will be created
+ resource "tencentcloud_vpc" "vpc_xiaoamge" {+ assistant_cidrs = (known after apply)
+ cidr_block = "10.0.0.0/16"
+ create_time = (known after apply)
+ default_route_table_id = (known after apply)
+ dns_servers = (known after apply)
+ docker_assistant_cidrs = (known after apply)
+ id = (known after apply)
+ is_default = (known after apply)
+ is_multicast = true
+ name = "vpc_xiaomage"
}
Plan: 1 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if
you run "terraform apply" now.紧接着就能够在后面创立的我的项目下看到对应的 state 文件 jh-gitlab 了。
当然在 DevOps 最佳实际中,所有的 terraform 文件也能够存储在极狐 GitLab 我的项目中,做好版本控制,terraform 命令的执行也能够和极狐 GitLab CI/CD 集成起来。
将 terraform 相干的文件存储在极狐 GitLab 的我的项目中,比方 provider.tf、variable.tf、cvm.tf 等。
而后在我的项目根目录下创立一个 .gitlab-ci.yml 文件,内容如下:
variables:
TF_DIR: ${CI_PROJECT_DIR}
TF_STATE_NAME: "jh-gitlab"
ADDRESS: "https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME"
# Stages of the pipeline
stages:
- validate
- plan
# Image which will use in each stage
image:
name: hashicorp/terraform:light
entrypoint: [""]
# Script to be executed before each stage
default:
tags:
- terraform
before_script:
- terraform --version
- export GITLAB_ACCESS_TOKEN=$JH_ACCESS_TOKEN
- cd ${TF_DIR}
- cp .terraformrc ~/
- terraform init -reconfigure
-backend-config="address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME"
-backend-config="lock_address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME/lock"
-backend-config="unlock_address=https://jihulab.com/api/v4/projects/183534/terraform/state/$TF_STATE_NAME/lock"
-backend-config="username=majinghe"
-backend-config="password=$GITLAB_ACCESS_TOKEN"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
# To validate terraform files configuration
validate:
stage: validate
script:
- terraform validate
# To check the plan of the infrastructure
plan:
stage: plan
script:
- terraform plan
dependencies:
- validate须要将 provider 须要的三个敏感信息:secret-id、secret-key 和极狐 GitLab acess token 以环境变量的模式存储到极狐 GitLab 上:
触发 CI/CD 流水线,能够看到流水线构建的后果:
其中,validate stage 的构建日志如下:
其中,plan stage 的构建日至如下:
其余的步骤诸如 apply、destory 也能够间接写在 CI/CD 流水线中,因为执行此步骤会间接创立对应的云资源或者删除对应的云资源,故不在此演示,然而原理是一样的。
应用 terraform 实现 IaC,通过操作代码就能实现云计算资源的创立和配置,整个过程能对变更做到版本控制,不便平安审计,而且用户无需间接操作云计算资源,权限治理也变得更加平安容易了。
应用下面的办法疾速创立幻兽帕鲁游戏服务器,就会体验幻兽帕鲁游戏带来的酸爽体验了。