This post records a blueprint for building reusable infrastructure with Terraform.
Main configuration file
- Set the primary launch region to us-west-2
- Set the operating-system image (AMI) to use (for other operating systems you need to look up the matching AMI yourself)
main.tf:
provider "aws" {
  region = "us-west-2" #1
}

# Look up the newest Ubuntu 20.04 AMI published by Canonical in the region above
data "aws_ami" "ubuntu" { #2
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["099720109477"] # Canonical
}
Instance resource configuration file
- Choose the AMI selected in main.tf (the "ubuntu" label follows the name given to the aws_ami data source in main.tf)
- Launch a t2.micro instance
- Attach the "web" security group
- Set the SSH key pair (create the key pair in EC2 beforehand, then fill in its name)
- Allocate a public IP and attach it to a resource
ec2.tf:
resource "aws_instance" "web" {
  ami                    = data.aws_ami.ubuntu.id #1
  instance_type          = "t2.micro" #2
  vpc_security_group_ids = [aws_security_group.web.id] #3
  # Bootstrap script run by cloud-init on first boot; refresh the package index
  # first, otherwise apt-get install can fail on a freshly launched image
  user_data = <<-EOF
    #!/bin/bash
    apt-get update
    apt-get install -y apache2
    echo "$(hostname)" > /var/www/html/index.html
  EOF
  tags = {
    Name = "terraform-101-first-ec2"
  }
  # Select a key pair that already exists in EC2
  key_name                    = "tp-key" #4
  associate_public_ip_address = true
}

# Allocate a public IP and attach it to the instance
resource "aws_eip" "tpkkk-app" { #5
  instance = aws_instance.web.id
  vpc      = true # deprecated in AWS provider 5.x and later in favour of domain = "vpc"
}
Security group configuration file
- Allow inbound traffic
- Allow outbound traffic
- Separately authorize a security group to reach inbound port 80 (ingress)
- Separately authorize a security group to reach inbound port 22 (ingress)
security-group.tf:
resource "aws_security_group" "web" {
  name_prefix = "terraform-101-web-"
  description = "allow all outgoing traffic"
  # Open inbound port 80 to 0.0.0.0/0 (address-based rule) #1
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Open inbound port 22 (SSH) to 0.0.0.0/0 (address-based rule) #1
  # Note: this exposes SSH to the whole Internet; outside a lab, narrow cidr_blocks
  # to your admin network or reach the host through a bastion / SSM Session Manager
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Allow all outbound traffic #2
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "terraform-101-web-sg"
  }
}

# Inbound rule that admits traffic from a security group rather than an address range.
# Note: the AWS provider documentation warns that mixing inline ingress/egress blocks
# with standalone aws_security_group_rule resources on the same group leads to rule
# conflicts and perpetual diffs; pick one style per group.
resource "aws_security_group_rule" "web-rule" { #3
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
  security_group_id        = aws_security_group.web.id
}

# Inbound rule that admits SSH from the security group rather than an address range
resource "aws_security_group_rule" "ssh-rule" { #4
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
  security_group_id        = aws_security_group.web.id
}
Deployment commands
- Run terraform init to initialize the working directory (only needed once)
- Run terraform plan -out=xxxxxx before every deployment to write the plan to a file
- Run terraform apply xxxxx (the plan file you just wrote; the Terraform CLI has no deploy subcommand) to push the plan to AWS directly
If you are not going to use the resources, or want to switch to a different plan, remember to run terraform destroy first to clean up.
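Added example (my own code, not from this post, Terraform or the AWS provider): between the plan -out step and terraform apply there is a natural place to gate the deployment on a policy check. The script below reads the JSON form of a saved plan (terraform show -json plan.out) and flags any planned aws_security_group ingress block or aws_security_group_rule that opens an administrative port (22 SSH and 3389 RDP by default, my choice of list) to 0.0.0.0/0 or ::/0, which is exactly what the security-group.tf above does on port 22. The embedded sample plan is constructed by hand to mirror this post's security group and is not real terraform output; the function names are my own. Values that are only known at apply time (the security_group_id references) sit in after_unknown rather than after, so the check cannot link standalone rules to their group and only inspects the CIDR side.

```python
"""Pre-apply check: deny plans that expose admin ports to the whole Internet.

Usage:
    terraform plan -out=plan.out
    terraform show -json plan.out > plan.json
    python check_plan.py plan.json      # exit 1 when a finding exists
Without an argument the constructed SAMPLE_PLAN below is checked instead.
"""
import json
import sys

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}        # assumption: the ports we care about
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}            # "anywhere" in IPv4 and IPv6


def rule_covers_port(rule, port):
    """True when a rule's protocol/port range includes `port`."""
    proto = str(rule.get("protocol", "")).lower()
    if proto in ("-1", "all"):                 # all protocols implies all ports
        return True
    from_port, to_port = rule.get("from_port"), rule.get("to_port")
    if from_port is None or to_port is None:
        return False
    return int(from_port) <= port <= int(to_port)


def rule_is_world_open(rule):
    """True when the rule's IPv4 or IPv6 CIDR list contains an any-address block."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return bool(cidrs & WORLD_CIDRS)


def find_world_open_admin_ports(plan, admin_ports=ADMIN_PORTS):
    """Return [(resource address, port, service)] for every planned ingress rule
    that admits an admin port from the whole Internet. Pure deletions are skipped."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if change.get("actions") == ["delete"]:
            continue
        after = change.get("after") or {}
        if rc.get("type") == "aws_security_group":
            rules = after.get("ingress") or []        # inline ingress blocks
        elif rc.get("type") == "aws_security_group_rule" and after.get("type") == "ingress":
            rules = [after]                           # standalone rule resource
        else:
            continue
        for rule in rules:
            for port, service in sorted(admin_ports.items()):
                hit = (rc["address"], port, service)
                if rule_covers_port(rule, port) and rule_is_world_open(rule) and hit not in findings:
                    findings.append(hit)
    return findings


# Constructed sample mirroring the post's security-group.tf; NOT real terraform output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "name_prefix": "terraform-101-web-",
             "ingress": [
                 {"from_port": 80, "to_port": 80, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
             "egress": [
                 {"from_port": 0, "to_port": 0, "protocol": "-1",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group_rule.ssh-rule", "type": "aws_security_group_rule",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                              "protocol": "tcp", "cidr_blocks": None, "ipv6_cidr_blocks": None},
                    # group references are resolved only at apply time
                    "after_unknown": {"security_group_id": True, "source_security_group_id": True}}},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_world_open_admin_ports(plan)
    for address, port, service in findings:
        print(f"DENY {address}: {service} (port {port}) is reachable from the whole Internet")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample plan it reports only aws_security_group.web on port 22: the standalone ssh-rule has no CIDR blocks (it is scoped to a security group), so it is not flagged. A non-zero exit is enough to stop a CI pipeline from reaching terraform apply.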
Reference:
https://github.com/telus/terraform-aws_instance
https://github.com/terraform-aws-modules/terraform-aws-ec2-instance/tree/master/examples
https://qiita.com/kou_pg_0131/items/45cdde3d27bd75f1bfd5
https://ithelp.ithome.com.tw/articles/10207145
https://medium.com/@mailtojacklai/terraform-terraform%E5%85%A5%E9%96%80%E7%AD%86%E8%A8%9801-8aa9e294aef
https://chentsungyu.github.io/2020/04/12/DevOps/Terraform/[DevOps]%20Terraform%E5%85%A5%E9%96%80(4)%20-%20%E5%88%A9%E7%94%A8Terraform%E4%BE%86%E6%93%8D%E4%BD%9CAWS%20EC2/
https://shazi7804.github.io/terraform-manage-guide/aws-use-case/web-instance.html