Source: JiHu GitLab Developer Community
Author: KaliArch
Once infrastructure orchestration has been automated with JiHu GitLab CI, users can manage infrastructure through JiHu GitLab: after an infrastructure change is committed, the merge request triggers a JiHu GitLab CI pipeline run, which gives an infrastructure DevOps workflow.
Terraform + JiHu GitLab CI architecture
Flow diagram
Workflow details: developers or operators write manifest files for the target cloud resources in Terraform, and the project also manages the JiHu GitLab CI process. Runners are registered in different K8s namespaces, so different branches can trigger CI pipelines in different namespaces:
- A developer or operator commits code;
- The Runner deployed in the corresponding namespace executes the pipeline, creating one Pod per Stage to run the corresponding Terraform command, e.g. init/fmt/plan/apply;
- To change cloud resources, modify the code and submit another MR, which triggers an update pipeline;
- To destroy resources, switch the phase from Build to Destroy as configured in the CI file and commit, which triggers the destroy action in the cloud.
Terraform + JiHu GitLab CI prerequisites
- A JiHu GitLab server;
- A JiHu GitLab Runner registered to the project;
- A K8s cluster;
- A Tencent Cloud account with an access key (AK).
Hands-on: JiHu GitLab CI + Terraform
JiHu GitLab CI configuration
.gitlab.yaml
```yaml
variables:
  # PHASE: BUILD|DESTROY
  PHASE: DESTROY
  # PROXY: http://squiduser:xxzx789@43.134.199.162:3128
  # PROXY: http://squiduser:xxzx789@43.154.230.17:3128
  REGION: "ap-guangzhou"
  PLAN_JSON: plan.json
  BACKEND_CONF: "backend_oss.conf"

before_script:
  # - apk add --no-cache curl git jq
  - apk add --no-cache jq
  - export http_proxy=${SQUID_PROXY}
  - export https_proxy=${SQUID_PROXY}
  - export TENCENTCLOUD_SECRET_KEY=${TENCENTCLOUD_SECRET_KEY}
  - export TENCENTCLOUD_SECRET_ID=${TENCENTCLOUD_SECRET_ID}
  - export TF_REGISTRY_CLIENT_TIMEOUT=120000
  - export CHECKPOINT_TIMEOUT=500000
  - export TF_REGISTRY_DISCOVERY_RETRY=5
  - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"

# Configure the cache
cache:
  paths:
    - ${CI_PROJECT_DIR}/.terraform/*

stages:
  - init
  - validate
  - plan
  - deploy

Init:
  image:
    name: hashicorp/terraform:0.14.0
    entrypoint: [""]
  stage: init
  retry:
    max: 2
    when:
      - script_failure
  tags:
    - gitlab-runner-k8s-new
  script:
    - terraform version
    - terraform init -backend-config=${BACKEND_CONF}
  only:
    - dev

Validate:
  image:
    name: hashicorp/terraform:0.14.0
    entrypoint: [""]
  stage: validate
  tags:
    - gitlab-runner-k8s-new
  retry: 2
  script:
    - terraform init -backend-config=${BACKEND_CONF}
    - terraform validate
    - terraform fmt -check -recursive || echo 0
  cache:
    paths:
      - ${CI_PROJECT_DIR}/.terraform/*
    policy: pull
  allow_failure: true

Plan:
  image:
    name: hashicorp/terraform:0.14.0
    entrypoint: [""]
  stage: plan
  retry: 2
  tags:
    - gitlab-runner-k8s-new
  artifacts:
    paths:
      - plan.bin
      - app_config.zip
    expire_in: 2 week
  script:
    - terraform init -backend-config=${BACKEND_CONF}
    - terraform plan -input=false -out=plan.bin -var region=${REGION}
    - terraform show --json "plan.bin" | convert_report > ${PLAN_JSON}
    - cat ${PLAN_JSON}
  only:
    variables:
      - $PHASE == "BUILD"

Apply:
  image:
    name: hashicorp/terraform:0.14.0
    entrypoint: [""]
  when: manual
  stage: deploy
  retry: 2
  tags:
    - gitlab-runner-k8s-new
  script:
    - terraform init -backend-config=${BACKEND_CONF}
    - terraform apply -auto-approve -input=false plan.bin
  only:
    variables:
      - $PHASE == "BUILD"
  environment:
    name: snunv

Destroy:
  image:
    name: hashicorp/terraform:0.14.0
    entrypoint: [""]
  stage: deploy
  retry: 2
  tags:
    - gitlab-runner-k8s-new
  script:
    - terraform init -backend-config=${BACKEND_CONF}
    - terraform destroy -auto-approve -var region=${REGION}
  only:
    variables:
      - $PHASE == "DESTROY"
```
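The Plan job above reduces the `terraform show --json plan.bin` output to create/update/delete counts with the `convert_report` jq alias. The following Python is an added example, not code from the original post: it computes the same summary and adds the check a reviewer wants before pressing the manual Apply button, a list of resource addresses the plan would delete or replace. The plan document is a constructed sample trimmed to the fields the summary needs.

```python
"""Summarise a `terraform show -json` plan like convert_report does, and
gate the manual Apply on destructive actions. Added example; the plan
below is constructed, not captured from the pipeline."""
import json
from collections import Counter

# Constructed sample. A ["delete", "create"] pair is how Terraform
# expresses a replace; "read" entries are data sources and do not count.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [
        {"address": "tencentcloud_vpc.main",
         "change": {"actions": ["create"]}},
        {"address": "tencentcloud_subnet.a",
         "change": {"actions": ["update"]}},
        {"address": "tencentcloud_instance.web",
         "change": {"actions": ["delete", "create"]}},
        {"address": "data.tencentcloud_instances.cvm",
         "change": {"actions": ["read"]}},
        {"address": "tencentcloud_security_group.old",
         "change": {"actions": ["delete"]}},
    ],
})


def summarize_plan(plan_json: str) -> dict:
    """Flatten resource_changes[].change.actions and count the three
    action kinds, matching the jq filter in .gitlab.yaml."""
    plan = json.loads(plan_json)
    actions = []
    for rc in plan.get("resource_changes") or []:
        actions.extend((rc.get("change") or {}).get("actions") or [])
    counts = Counter(actions)
    return {k: counts.get(k, 0) for k in ("create", "update", "delete")}


def destructive_addresses(plan_json: str) -> list:
    """Addresses that the plan would delete or replace."""
    plan = json.loads(plan_json)
    return [rc["address"] for rc in plan.get("resource_changes") or []
            if "delete" in ((rc.get("change") or {}).get("actions") or [])]


def apply_allowed(plan_json: str, allow_destroy: bool = False) -> bool:
    """Gate for the Apply job: refuse a plan with deletes unless the
    pipeline explicitly opted in (e.g. via a protected CI variable)."""
    return allow_destroy or not destructive_addresses(plan_json)


if __name__ == "__main__":
    print(json.dumps(summarize_plan(SAMPLE_PLAN)))
    print("destructive:", destructive_addresses(SAMPLE_PLAN))
```

Run it against the real `${PLAN_JSON}` input (the raw `terraform show --json` output, before the jq step) to fail the Plan stage early when a Build-phase pipeline would remove resources.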
Environment configuration
Use the Environment feature of JiHu GitLab CI/CD for environment management.
Terraform resources
```hcl
provider "tencentcloud" {
  region = var.region
}

terraform {
  required_providers {
    tencentcloud = {
      source  = "registry.terraform.io/tencentcloudstack/tencentcloud"
      version = ">=1.61.5"
    }
  }
  backend "cos" {}
}

# Input variable
variable "region" {
  type = string
}

# Only a query example here
data "tencentcloud_instances" "cvm" {}

# Output
output "result" {
  value = {
    cvm_result = { for k, v in data.tencentcloud_instances.cvm : k => v },
    count      = data.tencentcloud_instances.cvm.instance_list[*]
  }
}
```
To keep the Terraform backend configuration secure, store it as a separate file (backend_oss.conf, referenced through BACKEND_CONF above) that can be modified per branch or environment.
```hcl
region = "ap-beijing"
bucket = "tfproject-1253xxxx830"
prefix = "samxxxxitlab/dexxxxxt"
```
Testing
- Init
- Plan
- Manual Apply
Check the VPC created by the apply.
- Artifact download
- Destroy
Modify the JiHu GitLab CI file (set PHASE to DESTROY) to destroy the resources.
Notes
- The K8s cluster needs a PV (persistent volume) configured so the job cache works across Stages;
- Use JiHu GitLab CI environment management to hide secret values from the people who run CI/CD;
- Later on, JiHu GitLab can also be used for variable management.
With these three steps, a simple Terraform + JiHu GitLab CI infrastructure orchestration integration is in place, and automated infrastructure management can begin.