Alliot's blog

Terraform初探:创建s3 bucket

  近期开始做 IaC(Infrastructure as Code)相关的工作,期间会用 Terraform 比较多,因此会有一些与之相关的笔记记录。本文是小试牛刀利用 Terraform 来创建一个 AWS S3 bucket 体验 Terraform。

介绍

  Terraform 是 HashiCorp(它家还有令人熟知的 Consul、Vault、Vagrant 等产品)开源的一个 IT 基础架构自动化编排工具, 它能够帮助你利用代码来管理与维护 IT 资源。通过 Terraform 你能够非常方便的利用简单模板语言来创建、配置、管理各大云厂商的云资源(包括但不限于云虚拟机、RDS、Kubernetes 实例、VPC、安全组、负载均衡、对象存储等)。

获得AWS accessKey

  AWS 的权限控制是个很复杂的东西,这里以 IAM 为例,简单的说一下如何获得 access key。
首先登录你的 AWS 账号,然后选择 IAM 模块,选择 “Users”,创建用户或者是选择现有用户,在 “Security credentials” 中创建 Access key(Notice: key 只会在创建的时候出现一次,所以需要自己保存好,后面备用)。
如果你司使用的是类似 Microsoft Active Directory 类似的统一认证(IAM 中没有用户管理设置,并且你不是主账户管理员),那么你可以使用这个SAML to AWS STS Keys Conversion 拓展来获得临时的 access Key。简单介绍一下使用:
  安装好这个浏览器插件后,点击插件图标,勾选 Activated, 然后再登录 AWS 控制台时便会弹出下载一个文件,使用记事本打开会发现里面包含了 access key 信息。
  假如你的组织配置了 sso,则可直接使用 aws configure sso 来配置 profile。通过配置环境变量来指定生效的 profile: export AWS_PROFILE=Alliot-DevOps

使用Terraform创建S3 bucket

创建s3 bucket module

  创建名为 s3 的文件夹:

1
mkdir s3

  接下来我们会创建两个 tf 文件,分别为: bucket.tfvar.tf

定义bucket

编辑 bucket.tf:

1
2
3
4
resource "aws_s3_bucket" "example" {     
bucket = "${var.bucket_name}" # 引用接下来var.tf内定义的变量
acl = "${var.acl_value}"
}

定义变量

  这里我们通过编辑 var.tf 来为上面的 bucket.tf 定义变量:

1
2
3
4
5
variable "bucket_name" {} 

variable "acl_value" {
default = "private"
}

  至此, s3 module 已经定义完成。下面我们开始编写配置。

添加配置

cd .. 去到 s3 的上层目录,创建 main.tf 主配置:

1
2
3
4
5
6
7
8
9
10
11
provider "aws" {
access_key = "${var.aws_access_key}" # 引用变量中AWS的access key
secret_key = "${var.aws_secret_key}" # 引用变量中AWS的secret key
token = "${var.aws_session_token}" # 引用变量中AWS的session token(可选)
region = "${var.region}" # 引用变量中AWS的可用区
}

module "s3" {
source = "./s3"
bucket_name = "fortest" # bucket名需要唯一,不包含大写字母与"_"
}

添加 variable.tf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
variable "aws_access_key" {
default = "xxxxxMOxxx2" # access key
}

variable "aws_secret_key" {
default = "xxxxxxx" # secret key
}

variable "aws_session_token" {
default = "xxx" # session token
}
variable "region" {
default = "ap-southeast-1" # 可用区
}

执行 Terraform

  需要确保当前环境已经安装了 Terraform,如果没有的话,直接按照 Terraform官方文档 来安装即可。
Notice: 后文步骤均在 s3 目录的同级下执行(即 s3 目录内的上一级路径)。

初始化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# 初始化,过程中会下载modules依赖等
# terraform init

Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.12.1...
- Installed hashicorp/aws v4.12.1 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see

variable "aws_access_key" {
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

创建变更计划

  通过执行 terraform plan 来预览变更计划, 执行后返回类似如下的信息,供预览变更详情:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
+ create

Terraform will perform the following actions:

# module.s3.aws_s3_bucket.example will be created
+ resource "aws_s3_bucket" "example" {
+ acceleration_status = (known after apply)
+ acl = "private"
+ arn = (known after apply)
+ bucket = "fortest"
+ bucket_domain_name = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = false
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = (known after apply)
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = (known after apply)
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)

+ cors_rule {
+ allowed_headers = (known after apply)
+ allowed_methods = (known after apply)
+ allowed_origins = (known after apply)
+ expose_headers = (known after apply)
+ max_age_seconds = (known after apply)
}

+ grant {
+ id = (known after apply)
+ permissions = (known after apply)
+ type = (known after apply)
+ uri = (known after apply)
}

+ lifecycle_rule {
+ abort_incomplete_multipart_upload_days = (known after apply)
+ enabled = (known after apply)
+ id = (known after apply)
+ prefix = (known after apply)
+ tags = (known after apply)

+ expiration {
+ date = (known after apply)
+ days = (known after apply)
+ expired_object_delete_marker = (known after apply)
}

+ noncurrent_version_expiration {
+ days = (known after apply)
}

+ noncurrent_version_transition {
+ days = (known after apply)
+ storage_class = (known after apply)
}

+ transition {
+ date = (known after apply)
+ days = (known after apply)
+ storage_class = (known after apply)
}
}

+ logging {
+ target_bucket = (known after apply)
+ target_prefix = (known after apply)
}

+ object_lock_configuration {
+ object_lock_enabled = (known after apply)

+ rule {
+ default_retention {
+ days = (known after apply)
+ mode = (known after apply)
+ years = (known after apply)
}
}
}

+ replication_configuration {
+ role = (known after apply)

+ rules {
+ delete_marker_replication_status = (known after apply)
+ id = (known after apply)
+ prefix = (known after apply)
+ priority = (known after apply)
+ status = (known after apply)

+ destination {
+ account_id = (known after apply)
+ bucket = (known after apply)
+ replica_kms_key_id = (known after apply)
+ storage_class = (known after apply)

+ access_control_translation {
+ owner = (known after apply)
}

+ metrics {
+ minutes = (known after apply)
+ status = (known after apply)
}

+ replication_time {
+ minutes = (known after apply)
+ status = (known after apply)
}
}

+ filter {
+ prefix = (known after apply)
+ tags = (known after apply)
}

+ source_selection_criteria {
+ sse_kms_encrypted_objects {
+ enabled = (known after apply)
}
}
}
}

+ server_side_encryption_configuration {
+ rule {
+ bucket_key_enabled = (known after apply)

+ apply_server_side_encryption_by_default {
+ kms_master_key_id = (known after apply)
+ sse_algorithm = (known after apply)
}
}
}

+ versioning {
+ enabled = (known after apply)
+ mfa_delete = (known after apply)
}

+ website {
+ error_document = (known after apply)
+ index_document = (known after apply)
+ redirect_all_requests_to = (known after apply)
+ routing_rules = (known after apply)
}
}

Plan: 1 to add, 0 to change, 0 to destroy.

│ Warning: Argument is deprecated

│ with module.s3.aws_s3_bucket.example,
│ on .terraform/modules/s3/bucket.tf line 3, in resource "aws_s3_bucket" "example":
│ 3: acl = "${var.acl_value}"

│ Use the aws_s3_bucket_acl resource instead

│ (and one more similar warning elsewhere)


───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if
you run "terraform apply" now.

应用变更

  执行 terraform apply,即可将变更应用(即在ap-southeast-1可用区创建一个名为 fortest 的 s3 bucket )
期间会让你输入 “yes” 进行确认应用变更。
之后我们通过控制台即可看到 s3 bucket 按照我们的预期创建好了。

销毁

  由于是测试,创建完成后需要销毁实例,直接通过 terraform destroy 并输入 “yes” 确认即可完成实例的销毁。

扩展阅读

Terraform Document : 尽量阅读阅读英文官方文档。
Terraform中文指南

------ 本文结束 ------

本文标题:Terraform初探:创建s3 bucket

文章作者:Alliot

发布时间:2022年05月23日 - 18:05

最后更新:2022年09月28日 - 00:09

原始链接:https://www.iots.vip/post/terraform-create-aws-s3-bucket.html

许可协议: 署名-非商业性使用-相同方式共享 4.0 国际 转载请保留原文链接及作者。

若文章为您解决燃眉之急或是带来些许明朗,不妨打赏 Alliot 一杯香茗或是一杯咖啡