Alliot's blog

A First Look at Terraform: Creating an S3 Bucket

  I recently started doing IaC (Infrastructure as Code) work, which involves using Terraform quite a lot, so there will be a few notes on it here. This post is a first small exercise: using Terraform to create an AWS S3 bucket in order to get a feel for the tool.

Introduction

  Terraform is an open-source IT infrastructure automation and orchestration tool from HashiCorp (also known for Consul, Vault, Vagrant and other products) that lets you manage and maintain IT resources as code. With Terraform you can use a simple template language to create, configure and manage resources across the major cloud providers (including, but not limited to, virtual machines, RDS, Kubernetes clusters, VPCs, security groups, load balancers and object storage).

Obtaining an AWS access key

  AWS access control is a complex topic; here I only outline, using IAM as the example, how to obtain an access key.
First log in to your AWS account, open the IAM module, choose “Users”, create a user or pick an existing one, and under “Security credentials” create an access key (Note: the key is shown only once, at creation time, so save it yourself for later use).
If your company uses federated authentication such as Microsoft Active Directory (there is no user management in IAM and you are not the root account administrator), you can use the SAML to AWS STS Keys Conversion browser extension to obtain temporary access keys. Briefly, it works like this:
  After installing the browser extension, click its icon and tick Activated; the next time you log in to the AWS console a file download will pop up, and opening it in a text editor you will find the access key information inside.
  If your organization has SSO configured, you can use aws configure sso directly to set up a profile, then select the active profile through an environment variable: export AWS_PROFILE=Alliot-DevOps

Creating an S3 bucket with Terraform

Creating the s3 bucket module

  Create a folder named s3:

mkdir s3

  Next we create two tf files in it: bucket.tf and var.tf

Defining the bucket

Edit bucket.tf:

resource "aws_s3_bucket" "example" {
  bucket = "${var.bucket_name}" # refers to the variable defined in var.tf below
  acl    = "${var.acl_value}"   # bucket ACL, also defined in var.tf
}

Defining the variables

  Here we edit var.tf to define the variables used by bucket.tf above:

variable "bucket_name" {} # no default: the caller of the module must supply it

variable "acl_value" {
  default = "private"
}

  With that, the s3 module is complete. Next we write the root configuration.

Adding the configuration

Run cd .. to go to the directory above s3 and create the main configuration, main.tf:

provider "aws" {
  access_key = "${var.aws_access_key}"    # AWS access key from variable.tf
  secret_key = "${var.aws_secret_key}"    # AWS secret key from variable.tf
  token      = "${var.aws_session_token}" # AWS session token from variable.tf (optional, for temporary credentials)
  region     = "${var.region}"            # AWS region from variable.tf
}

module "s3" {
  source      = "./s3"
  bucket_name = "fortest" # bucket names must be globally unique and may not contain uppercase letters or "_"
}

Adding variable.tf

variable "aws_access_key" {
  default = "xxxxxMOxxx2" # access key (placeholder value)
}

variable "aws_secret_key" {
  default = "xxxxxxx" # secret key (placeholder value)
}

variable "aws_session_token" {
  default = "xxx" # session token (placeholder value)
}

variable "region" {
  default = "ap-southeast-1" # AWS region
}
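As an added example (not from the original post), here is the same root configuration written so that no access key, secret key or session token appears in any .tf file: the provider reads a named profile, as the post's export AWS_PROFILE=Alliot-DevOps line suggests. The variable name aws_profile, the profile name and the provider version pin are assumptions.

```hcl
# Root main.tf, assumed alternative to the post's main.tf + variable.tf:
# no access key, secret key or session token is written into the configuration.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.12" # matches the v4.12.1 that terraform init selected in the post
    }
  }
}

variable "aws_profile" {
  description = "Named profile in ~/.aws/config, e.g. one created by 'aws configure sso'"
  type        = string
  default     = "Alliot-DevOps" # profile name taken from the post's export line (assumed)
}

variable "region" {
  type    = string
  default = "ap-southeast-1"
}

provider "aws" {
  # Credentials (including temporary SSO session tokens) are resolved from the
  # profile at run time, so nothing secret is committed with the configuration.
  profile = var.aws_profile
  region  = var.region
}

module "s3" {
  source      = "./s3"
  bucket_name = "fortest" # must be globally unique, lowercase, no "_"
}
```

The previous variable.tf with credential defaults is then no longer needed, and the same AWS_PROFILE environment variable can still override the default profile.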

Running Terraform

  Make sure Terraform is installed in your environment; if not, just follow the official Terraform documentation to install it.
Note: all of the following steps are run in the directory that contains s3 (i.e. one level above the s3 directory).

Initialization

# Initialize; this downloads module and provider dependencies
# terraform init

Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.12.1...
- Installed hashicorp/aws v4.12.1 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see

any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Creating the execution plan

  Run terraform plan to preview the changes; it returns output similar to the following, which shows the details of the planned changes:

# terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
+ create

Terraform will perform the following actions:

# module.s3.aws_s3_bucket.example will be created
+ resource "aws_s3_bucket" "example" {
+ acceleration_status = (known after apply)
+ acl = "private"
+ arn = (known after apply)
+ bucket = "fortest"
+ bucket_domain_name = (known after apply)
+ bucket_regional_domain_name = (known after apply)
+ force_destroy = false
+ hosted_zone_id = (known after apply)
+ id = (known after apply)
+ object_lock_enabled = (known after apply)
+ policy = (known after apply)
+ region = (known after apply)
+ request_payer = (known after apply)
+ tags_all = (known after apply)
+ website_domain = (known after apply)
+ website_endpoint = (known after apply)

+ cors_rule {
+ allowed_headers = (known after apply)
+ allowed_methods = (known after apply)
+ allowed_origins = (known after apply)
+ expose_headers = (known after apply)
+ max_age_seconds = (known after apply)
}

+ grant {
+ id = (known after apply)
+ permissions = (known after apply)
+ type = (known after apply)
+ uri = (known after apply)
}

+ lifecycle_rule {
+ abort_incomplete_multipart_upload_days = (known after apply)
+ enabled = (known after apply)
+ id = (known after apply)
+ prefix = (known after apply)
+ tags = (known after apply)

+ expiration {
+ date = (known after apply)
+ days = (known after apply)
+ expired_object_delete_marker = (known after apply)
}

+ noncurrent_version_expiration {
+ days = (known after apply)
}

+ noncurrent_version_transition {
+ days = (known after apply)
+ storage_class = (known after apply)
}

+ transition {
+ date = (known after apply)
+ days = (known after apply)
+ storage_class = (known after apply)
}
}

+ logging {
+ target_bucket = (known after apply)
+ target_prefix = (known after apply)
}

+ object_lock_configuration {
+ object_lock_enabled = (known after apply)

+ rule {
+ default_retention {
+ days = (known after apply)
+ mode = (known after apply)
+ years = (known after apply)
}
}
}

+ replication_configuration {
+ role = (known after apply)

+ rules {
+ delete_marker_replication_status = (known after apply)
+ id = (known after apply)
+ prefix = (known after apply)
+ priority = (known after apply)
+ status = (known after apply)

+ destination {
+ account_id = (known after apply)
+ bucket = (known after apply)
+ replica_kms_key_id = (known after apply)
+ storage_class = (known after apply)

+ access_control_translation {
+ owner = (known after apply)
}

+ metrics {
+ minutes = (known after apply)
+ status = (known after apply)
}

+ replication_time {
+ minutes = (known after apply)
+ status = (known after apply)
}
}

+ filter {
+ prefix = (known after apply)
+ tags = (known after apply)
}

+ source_selection_criteria {
+ sse_kms_encrypted_objects {
+ enabled = (known after apply)
}
}
}
}

+ server_side_encryption_configuration {
+ rule {
+ bucket_key_enabled = (known after apply)

+ apply_server_side_encryption_by_default {
+ kms_master_key_id = (known after apply)
+ sse_algorithm = (known after apply)
}
}
}

+ versioning {
+ enabled = (known after apply)
+ mfa_delete = (known after apply)
}

+ website {
+ error_document = (known after apply)
+ index_document = (known after apply)
+ redirect_all_requests_to = (known after apply)
+ routing_rules = (known after apply)
}
}

Plan: 1 to add, 0 to change, 0 to destroy.

│ Warning: Argument is deprecated

│ with module.s3.aws_s3_bucket.example,
│ on .terraform/modules/s3/bucket.tf line 3, in resource "aws_s3_bucket" "example":
│ 3: acl = "${var.acl_value}"

│ Use the aws_s3_bucket_acl resource instead

│ (and one more similar warning elsewhere)


───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if
you run "terraform apply" now.
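The warning in the plan output above says the acl argument is deprecated in provider v4 and points at aws_s3_bucket_acl. As an added example (not the post's module), here is the s3 module rewritten that way, shown as its two files in one block, with variable validation enforcing the naming rule quoted in main.tf; the ownership-controls and public-access-block resources are additions I assume a practitioner would want, not something the post configures.

```hcl
# ---- s3/var.tf (assumed rewrite of the post's module) ----
variable "bucket_name" {
  type        = string
  description = "Globally unique S3 bucket name"

  validation {
    # S3 naming rules: 3-63 chars, lowercase letters, digits, '.' or '-',
    # starting and ending with a letter or digit (no uppercase, no "_")
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.bucket_name))
    error_message = "Bucket name must be 3-63 lowercase letters, digits, dots or hyphens."
  }
}

variable "acl_value" {
  type    = string
  default = "private"
}

# ---- s3/bucket.tf (assumed rewrite) ----
resource "aws_s3_bucket" "example" {
  bucket = var.bucket_name
}

# New buckets disable ACLs (BucketOwnerEnforced) by default, so ownership
# controls must permit ACLs before aws_s3_bucket_acl can be applied
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Replaces the deprecated acl argument flagged in the plan output
resource "aws_s3_bucket_acl" "example" {
  depends_on = [aws_s3_bucket_ownership_controls.example]

  bucket = aws_s3_bucket.example.id
  acl    = var.acl_value
}

# Rejects public ACLs and policies even if acl_value is later changed
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

With this module, terraform plan no longer emits the deprecation warning, and a bucket_name such as "ForTest" or "for_test" is rejected at plan time instead of failing at the API.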

Applying the changes

  Run terraform apply to apply the changes (i.e. create an S3 bucket named fortest in the ap-southeast-1 region).
You will be asked to type “yes” to confirm that the changes should be applied.
Afterwards you can see in the console that the S3 bucket was created as expected.

Destroying

  Since this is only a test, the resource should be destroyed once you are done: run terraform destroy and type “yes” to confirm, and the bucket is removed.

Further reading

Terraform Documentation: read the official English documentation where you can.
Terraform Chinese Guide (Terraform中文指南)

------ End of post ------

Title: A First Look at Terraform: Creating an S3 Bucket

Author: Alliot

Published: 2022-05-23 18:05

Last updated: 2023-05-21 00:05

Original link: https://www.iots.vip/post/terraform-create-aws-s3-bucket.html

License: CC BY-NC-SA 4.0 International. Please keep the original link and author attribution when reposting.
