Terraform 入门

简介

Terraform 的特点：

• Infrastructure as Code
• Execution Plans
• Resource Graph
• Change Automation

Terraform 工具处在什么位置：

image

image

指引

核心工作流

• Write - Author infrastructure as code.
• Plan - Preview changes before applying.
• Apply - Provision reproducible infrastructure.

其他步骤

• Use provisioners to initialize instances when they're created. 比如 local-exec remote-exec# 自动化 terraform init -input=false to initialize the working directory. terraform plan -out=tfplan -input=false to create a plan and save it to the local file tfplan. terraform apply -input=false tfplan to apply the plan stored in the file tfplan.
• 使用 variable 定义变量，使用 -var/-var-file/TF_VAR_name/UI-Input 给变量赋值
• 使用 output 定义输出
• 使用 module 组织 tf 文件
• Store State Remotely
• 自动化

自定义：Writing Custom Providers

• Plugins are distributed as Go binaries
• schema.Provider type describes the provider's properties:
  • the configuration keys it accepts
  • the resources it supports
  • any callbacks to configure
• Defining Resources schema.Resource: resource_xxx
• Defining Resources properties
  • Create
  • Read: sync the local state with the actual state
  • Update
  • Delete
  • Schema
• 几个原则：
  • 如果 Create callback 返回 error 或者 nil, 但是没有 SetId, 认为资源未创建，状态不保存.
  • 如果 Create callback 返回 error 或者 nil, 有 SetId, 认为资源创建，状态保存.
  • 如果 Update callback 返回 error 或者 nil, 状态保存, 如果 ID 变空, 认为资源被销毁.
  • 如果 Destroy callback 返回 nil, 认为资源被销毁, 状态被删除.
  • 如果 Destroy callback 返回 error, 认为资源仍存在, 状态保存.
  • 如果 create/update 返回时 partial mode 打开, 只有明确打开的 configuration keys 会被保存， resulting in a partial state.

一个provider例子的执行流程

image

命令行工具: terraform cli

配置语言（语法）

• The main purpose of the Terraform language is declaring resources.
• A group of resources can be gathered into a module
• Terraform configuration consists of a root module

<BLOCK TYPE> "<BLOCK LABEL>" "<BLOCK LABEL>" {
  # Block body
  <IDENTIFIER> = <EXPRESSION> # Argument
}

variable "image_id" {
  type = string
}

• 语法：
  • expressions
  • functions
  • settings
• Resource: 定义资源的最小单位
  • Each resource is associated with a single resource type, which determines the kind of infrastructure object it manages and what arguments and other attributes the resource supports.
  • Each resource type in turn belongs to a provider, which is a plugin for Terraform that offers a collection of resource types.
  • Meta-Arguments:
    • depends_on
    • count
    • for_each
    • provider
    • lifecycle
    • provisioner and connection
• Providers: 供应商，比如云平台
  • Meta-Arguments:
    • version
    • alias: 可以用于新建一个provider的多个配置 比如：provider "aws" {alias="west"} 引用：provider = aws.west
• Provisioner: 同 vagrant，启动后的处理
• Input Variables:
  • Input variables serve as parameters for a Terraform module
  • 声明：variable xxx {type=xx, default=xx, description=xx}, 引用：var.<NAME>
  • 赋值方式：
    • In a Terraform Cloud workspace.
    • Individually, with the -var command line option. -var
    • In variable definitions (.tfvars) files, either specified on the command line or automatically loaded. -var-file=
    • As environment variables. TF_VAR_xxx
  • 优先级 (由低到高):
    • Environment variables
    • The terraform.tfvars file, if present.
    • The terraform.tfvars.json file, if present.
    • Any .auto.tfvars or .auto.tfvars.json files, processed in lexical order of their filenames.
    • Any -var and -var-file options on the command line, in the order they are provided. (This includes variables set by a Terraform Cloud workspace.)
• Output Values:
  • 声明：output "xx" { value=xxx, description=xx, sensitive=t/f, depends_on}, 引用：module.<MODULE NAME>.<OUTPUT NAME>
• Local Values:
  • 声明：locals { xx1=yy1, xx2=yy2 }, 引用 local.xxx
• Modules:
  • A module is a container for multiple resources that are used together.
  • Every Terraform configuration has at least one module, known as its root module, which consists of the resources defined in the .tf files in the main working directory.
  • 调用：module xxx { source=xx, version=xx, providers=xx, xx1=yy1, xx2=yy2 }, 其中 source, version, providers 为 meta-arguments 其他为 输入变量
  • 获取调用输出：module.<MODULE NAME>.<OUTPUT NAME>
  • Providers within Modules
• Data Sources:
  • Data sources allow data to be fetched or computed for use elsewhere in Terraform configuration.
  • 是一种特殊的 resource，即 data resource, 声明 data "aws_ami" "example" {}, data "local_file" "foo" { filename = "${path.module}/foo.bar"}, data "template_file" xx {}

Provisioner

• 需要设置 connections
• Provisioners Without a Resource resource "null_resource" "cluster"
• 内置 Provisioners
  • File Provisioner：copy files or directories
  • local-exec Provisioner：invokes a local executable after a resource is created.
  • remote-exec Provisioner：invokes a script on a remote resource after it is created

provisioner "file" {
  source      = "conf/myapp.conf"
  destination = "/etc/myapp.conf"

  connection {
    type     = "ssh"
    user     = "root"
    password = "${var.root_password}"
    host     = "${var.host}"
  }
}

resource "aws_instance" "web" {
  # ...

  provisioner "local-exec" {
    command = "echo ${aws_instance.web.private_ip} >> private_ips.txt"
  }
}

resource "aws_instance" "web" {
  # ...

  provisioner "remote-exec" {
    inline = [
      "puppet apply",
      "consul join ${aws_instance.web.private_ip}",
    ]
  }
}

Backends

• A "backend" in Terraform determines how state is loaded and how an operation such as apply is executed. 作用:
  • Execute operations (e.g. plan, apply)
  • Store state
  • Store workspace-defined variables (in the future; not yet implemented)
• Backends may support differing levels of features in Terraform. We differentiate these by calling a backend either standard or enhanced. All backends must implement standard functionality.
  • Standard: State management, functionality covered in State Storage & Locking
  • Enhanced: Everything in standard plus remote operations.

源码

请求流程

image.png

image

命令行(cli)

几个主要的操作

• init：初始化，会执行几个操作
  • 如果设置了 -from-module 会拷贝来源 module 到当前文件夹, 支持 remote path (http/git)
  • Child Module Installation: 获取所有依赖的 module
  • Backend Initialization: 初始化 backend，默认使用 local, backend 是扩展 terraform的一种方式，可以分为两种
    • Standard: 很多云厂商实现了这种，用于存储 state 文件
    • Enhanced: 处理存储 state 文件，还可以执行，比如plan, apply
  • 安装插件 (Plugin): 主要是 providers, 获取的时候会根据名字去 registry.terraform.io 查找信息，安装
• plan：计划执行，会生成可能的新 state 并和旧state 做比较，输出计划
  • 加载 backend
  • load config, 生成一个 Operation, OperationTypePlan 并执行
  • Plan 操作调用 terraform.Context 执行，生成一个 terraform.Graph, 这时候的 graph builder 是一个 PlanGraphBuilder
    • Build graph的操作由几个 GraphTransformer 组成，比如 ConfigTransformer 创建配置中的 Resource, LocalTransformer add local values， OutputTransformer 增加输出
  • Walk terraform.Graph: walkOperation 为 walkPlan, walk 操作会有多个 goroutine (vertex两倍数量) 并发执行(考虑依赖关系)
    • Walk 对每个 vertex 执行 EnterPath，EnterEvalTree 等操作
    • 每个 vertex 如果能 Eval，会被 Evaluation
• apply：执行
• destroy：销毁