使用 Terraform 在 AWS 中国区域实现自动化部署指南系列（二） TERRAFORM 进阶

使用 Terraform 在 AWS 中国区域实现自动化部署指南系列文章：

使用 Terraform 在 AWS 中国区域实现自动化部署指南系列（一） TERRAFORM 入门

使用 Terraform 在 AWS 中国区域实现自动化部署指南系列（二） TERRAFORM 进阶（本博文）

————

第3章 Terraform进阶

Terraform的功能非常丰富，可以通过Providers来提供对多平台的支持，通过Provisioners来实现本地与远程的脚本调用等功能，支持ssh与winrm的连接方式，也能作为Chef Client的方式运行，通过Modules去重用组件提高开发效率，大数AWS资源都能通过官方托管的Module Sources来重用。

本章节我们将利用更多的Terraform功能，来实现较复杂场景的部署。

3.1 部署架构

以上架构要采用常见的三层应用方式，Web层位于公网，App与DB层位于私有网段，Web层安全组开放80及22端口，App层安全组对Web层开放，DB层安全组对App层开放。

3.2 配置文件

新建一个helloworld2目录，将下面的四个文件存放到同一目录，文件的易读比较好，这里不对内容做详细解释，有关详细使用方法可以参考如下：

https://www.terraform.io/docs/index.html

https://registry.terraform.io/browse?provider=aws

3.2.1 variable.tf

变量申明, 编辑名为variable.tf的文件，内容如下

variable "aws_access_key" {}

variable "aws_secret_key" {}

variable "aws_key_pair" {}

variable "aws_region" {}

variable "inst_ami" {}

variable "inst_type" {}

3.2.2 terraform.tfvars

编辑名为terraform.tfvars的文件，内容如下

aws_access_key =  "Access Key"

aws_secret_key = "Secret_Key"

aws_key_pair =  "Your Key Pair"

aws_region = "cn-north-1"

inst_ami = "ami-fba67596"

inst_type = "t2.micro"

3.2.3 aws.tf

编辑名为aws.tf的文件，内容如下

provider "aws" {

access_key = "${var.aws_access_key}"

secret_key = "${var.aws_secret_key}"

region     = "${var.aws_region}"

}

3.2.4 main.tf

编辑名为main.tf的文件，内容如下

module "vpc" {

source = "terraform-aws-modules/vpc/aws"


name = "myvpc"

cidr = "10.10.0.0/16"


azs              = ["cn-north-1a", "cn-north-1b"]

public_subnets   = ["10.10.0.0/24", "10.10.10.0/24"]

private_subnets  = ["10.10.1.0/24", "10.10.11.0/24"]

database_subnets = ["10.10.2.0/24", "10.10.12.0/24"]


create_database_subnet_group = true

enable_dns_hostnames         = true

enable_dns_support           = true

enable_dynamodb_endpoint     = true

enable_s3_endpoint           = true


tags = {

Owner       = "user"

Environment = "staging"

}

}


module "websg" {

source = "terraform-aws-modules/security-group/aws"


name        = "web-service"

description = "Security group for HTTP and SSH within VPC"

vpc_id      = "${module.vpc.vpc_id}"


ingress_rules            = ["http-80-tcp", "https-443-tcp", "ssh-tcp", "all-icmp"]

ingress_cidr_blocks      = ["0.0.0.0/0"]

ingress_ipv6_cidr_blocks = []

egress_rules             = ["all-all"]

egress_cidr_blocks       = ["0.0.0.0/0"]

egress_ipv6_cidr_blocks  = []

}


module "appsg" {

source = "terraform-aws-modules/security-group/aws"


name        = "app-service"

description = "Security group for App within VPC"

vpc_id      = "${module.vpc.vpc_id}"


ingress_ipv6_cidr_blocks = []

egress_ipv6_cidr_blocks  = []


ingress_with_source_security_group_id = [

{

rule                     = "all-all"

source_security_group_id = "${module.websg.this_security_group_id}"

},

]


egress_with_source_security_group_id = [

{

rule                     = "all-all"

source_security_group_id = "${module.websg.this_security_group_id}"

},

]

}


module "dbssg" {

source = "terraform-aws-modules/security-group/aws"


name        = "dbs-service"

description = "Security group for Database within VPC"

vpc_id      = "${module.vpc.vpc_id}"


ingress_ipv6_cidr_blocks = []

egress_ipv6_cidr_blocks  = []


ingress_with_source_security_group_id = [

{

rule                     = "all-all"

source_security_group_id = "${module.appsg.this_security_group_id}"

},

]


egress_with_source_security_group_id = [

{

rule                     = "all-all"

source_security_group_id = "${module.appsg.this_security_group_id}"

},

]

}


module "ec2_web_1a" {

source = "terraform-aws-modules/ec2-instance/aws"


name  = "web_1a"

instance_count = 1


ami                         = "${var.inst_ami}"

instance_type               = "${var.inst_type}"

key_name                    = "${var.aws_key_pair}"

monitoring                  = true

vpc_security_group_ids      = ["${module.websg.this_security_group_id}"]

subnet_id                   = "${module.vpc.public_subnets[0]}"

associate_public_ip_address = true


tags = {

Terraform   = "true"

Environment = "dev"

}

}


module "ec2_web_1b" {

source = "terraform-aws-modules/ec2-instance/aws"


name  = "web_1b"

instance_count = 1


ami                         = "${var.inst_ami}"

instance_type               = "${var.inst_type}"

key_name                    = "${var.aws_key_pair}"

monitoring                  = true

vpc_security_group_ids      = ["${module.websg.this_security_group_id}"]

subnet_id                   = "${module.vpc.public_subnets[1]}"

associate_public_ip_address = true


tags = {

Terraform   = "true"

Environment = "dev"

}

}


module "ec2_app_1a" {

source = "terraform-aws-modules/ec2-instance/aws"


name  = "app_1a"

instance_count = 2


ami                         = "${var.inst_ami}"

instance_type               = "${var.inst_type}"

key_name                    = "${var.aws_key_pair}"

monitoring                  = true

vpc_security_group_ids      = ["${module.appsg.this_security_group_id}"]

subnet_id                   = "${module.vpc.private_subnets[0]}"

associate_public_ip_address = false


tags = {

Terraform   = "true"

Environment = "dev"

}

}


module "ec2_app_1b" {

source = "terraform-aws-modules/ec2-instance/aws"


name  = "app_1b"

instance_count = 2


ami                         = "${var.inst_ami}"

instance_type               = "${var.inst_type}"

key_name                    = "${var.aws_key_pair}"

monitoring                  = true

vpc_security_group_ids      = ["${module.appsg.this_security_group_id}"]

subnet_id                   = "${module.vpc.private_subnets[1]}"

associate_public_ip_address = false


tags = {

Terraform   = "true"

Environment = "dev"

}

}


module "mysql01" {

source = "terraform-aws-modules/rds/aws"


identifier             = "mysql01"

engine                 = "mysql"

engine_version         = "5.7.11"

instance_class         = "db.t2.small"

allocated_storage      = 20

storage_type           = "gp2"

name                   = "demodb"

username               = "myadmin"

password               = "rootroot"

port                   = "3306"

multi_az               = true

vpc_security_group_ids = ["${module.dbssg.this_security_group_id}"]

maintenance_window     = "Mon:00:00-Mon:03:00"

backup_window          = "03:00-06:00"


tags = {

Owner       = "user"

Environment = "dev"

}


subnet_ids                = ["${module.vpc.database_subnets}"]

family                    = "mysql5.7"

final_snapshot_identifier = false

backup_retention_period   = 0

publicly_accessible       = false


parameters = [

{

name  = "character_set_client"

value = "utf8"

},

{

name  = "character_set_server"

value = "utf8"

},

]

}