准备工作
内容来自:腾讯云 - 云资源自动化 for Terraform 快速开始
1 创建凭证
在首次使用 Terraform 之前,请前往 云 API 密钥页面 申请安全凭证 SecretId 和 SecretKey。若已有可使用的安全凭证,则跳过该步骤。
- 登录 访问管理控制台,在左侧导航栏,选择访问密钥 > API 密钥管理。
- 在 API 密钥管理页面,单击新建密钥,即可以创建一对 SecretId/SecretKey。
2 配置凭证鉴权
2.1 静态凭证鉴权
在用户目录下创建 provider.tf
文件,输入如下内容:
请将 my-secret-id 及 my-secret-key 替换为 获取凭证 中的 SecretId 和 SecretKey。
provider "tencentcloud" {
  # Static credential auth: the key pair is read straight from this file.
  # Keep provider.tf out of version control and out of shared plan output when
  # using this form; section 2.2 shows the environment-variable alternative.
  secret_key = "my-secret-key"
  secret_id  = "my-secret-id"
}
2.2 环境变量鉴权
请将如下信息添加至环境变量配置:
请将 YOUR_SECRET_ID 及 YOUR_SECRET_KEY 替换为 获取凭证 中的 SecretId 和 SecretKey。
export TENCENTCLOUD_SECRET_ID=YOUR_SECRET_ID
export TENCENTCLOUD_SECRET_KEY=YOUR_SECRET_KEY
3 创建第一个 TencentCloud 资源 VPC
目的:验证是否可以通过 Terraform 创建基础设施。
- 创建
provider.tf
文件,指定 provider 配置信息。文件内容如下:
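# Provider credentials are taken from the TENCENTCLOUD_SECRET_ID /
# TENCENTCLOUD_SECRET_KEY environment variables (section 2.2) rather than
# literal secret_id / secret_key attributes, so the key pair is never written
# into provider.tf, version control or plan output.
provider "tencentcloud" {
  region = "ap-guangzhou" # region every resource below is created in
}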
# Declare where terraform init fetches the provider from.
terraform {
  required_providers {
    tencentcloud = {
      # Third-party provider: the full registry source address is mandatory.
      source = "tencentcloudstack/tencentcloud"
      # Lower bound only; later snippets on this page pin an exact release so
      # every run resolves the same provider build.
      version = ">=1.60.18"
    }
  }
}
云供应商可以通过 Terraform Registry 来查询:
查看使用方法以及最新版本:
- 创建
main.tf
文件,配置腾讯云 Provider 并创建私有网络 VPC。文件内容如下:
# First real resource: a VPC used to confirm that the provider can create
# infrastructure with the configured credentials.
resource "tencentcloud_vpc" "foo" {
  name         = "ci-temp-test-updated" # VPC display name
  cidr_block   = "10.0.0.0/16"          # address range of the VPC
  is_multicast = false

  # Custom resolvers: Tencent public DNS plus Google public DNS.
  dns_servers = ["119.29.29.29", "8.8.8.8"]

  tags = {
    "test" = "test"
  }
}
- 执行以下命令,初始化工作目录并下载插件。
terraform init
- 执行以下命令,查看执行计划,显示将要创建的资源详情。
terraform plan
- 执行以下命令,创建资源。
terraform apply
- 执行以下命令销毁资源。
terraform destroy
开始正式部署第一个基础设施
创建 VPC
1 vpc 模块
- 通过 Terraform Registry 搜索 TencentCloud,查看 Modules。
- 找到相关的模块
- 引用方法
- 使用方法
- 输入输出
2 使用模块
- 创建
modules/vpc/main.tf
调用 vpc 模块
# Wrap the registry VPC module; name and CIDR come in through module variables.
module "tencentcloud_vpc" {
  source  = "terraform-tencentcloud-modules/vpc/tencentcloud"
  version = "1.1.0"

  vpc_cidr = var.vpc_cidr
  vpc_name = var.vpc_name

  # Route-table entries are still literals at this stage (not yet variables).
  next_hub          = ["0"]
  next_type         = ["EIP"]
  destination_cidrs = ["1.0.1.0/24"]

  vpc_tags = {
    test = "vpc"
  }
  tags = {
    module = "vpc"
  }
}
- 创建
modules/vpc/variables.tf
设置模块变量
# Inputs of the local vpc wrapper module.
variable "vpc_cidr" {
  description = "tencent cloud vpc cidr"
  type        = string
}

variable "vpc_name" {
  description = "tencent cloud vpc name"
  type        = string
}
- 创建
main.tf
调用 vpc 模块
# Root module: instantiate the local vpc wrapper with literal inputs.
module "vpc" {
  source = "./modules/vpc"

  vpc_cidr = "10.0.0.0/16"
  vpc_name = "vpc_test"
}
- 创建
provider
配置 region、认证信息和云商
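# Provider credentials are taken from the TENCENTCLOUD_SECRET_ID /
# TENCENTCLOUD_SECRET_KEY environment variables (section 2.2) rather than
# literal secret_id / secret_key attributes, so the key pair is never written
# into the provider file, version control or plan output.
provider "tencentcloud" {
  region = "ap-guangzhou" # region every resource below is created in
}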
# Provider source declaration; required because this is not a HashiCorp provider.
terraform {
  required_providers {
    tencentcloud = {
      version = ">=1.60.18" # minimum provider release, not an exact pin
      source  = "tencentcloudstack/tencentcloud"
    }
  }
}
- terraform 部署应用
terraform init
terraform plan
terraform apply
- 检查 vpc
- 检查 路由表
结论:
- vpc创建符合预期,期望新增 nat网关 和 子网。
- 路由表里新增 路由策略 nat网关。
3 新增子网
- 修改 vpc 模块 main 文件,新增 子网的内容
# Registry VPC module, now also creating subnets from module variables.
module "tencentcloud_vpc" {
  source  = "terraform-tencentcloud-modules/vpc/tencentcloud"
  version = "1.1.0"

  # VPC
  vpc_cidr = var.vpc_cidr
  vpc_name = var.vpc_name

  # Subnets (one per entry; zones listed in availability_zones)
  availability_zones = var.availability_zones
  subnet_cidrs       = var.subnet_cidrs
  subnet_name        = var.subnet_name

  # Route table: disabled for now, kept for reference
  # destination_cidrs = ["1.0.1.0/24"]
  # next_type         = ["EIP"]
  # next_hub          = ["0"]

  subnet_tags = {
    test = "subnet"
  }
  vpc_tags = {
    test = "vpc"
  }
  tags = {
    module = "vpc"
  }
}
- 修改 vpc 模块 variable 文件,新增子网的变量内容
# --- VPC inputs ---
variable "vpc_cidr" {
  description = "tencent cloud vpc cidr"
  type        = string
}

variable "vpc_name" {
  description = "tencent cloud vpc name"
  type        = string
}

# --- Subnet inputs ---
variable "availability_zones" {
  description = "tencent cloud availability zones"
  type        = list(string)
}

variable "subnet_cidrs" {
  description = "tencent cloud subnet cidrs"
  type        = list(string)
}

variable "subnet_name" {
  description = "tencent cloud subnet name"
  type        = string
}
- 修改 main 文件,输入子网变量的值
# Root module: VPC plus one subnet in ap-guangzhou-1.
module "vpc" {
  source = "./modules/vpc"

  vpc_cidr = "10.0.0.0/16"
  vpc_name = "vpc_test"

  availability_zones = ["ap-guangzhou-1"]
  subnet_cidrs       = ["10.0.1.0/24"]
  subnet_name        = "subnet_test"
}
- 部署应用
terraform plan
terraform apply
- 检查子网
4 新增 Nat网关 和 路由表
先创建 eip,Nat网关绑定 eip。
- 修改
modules/vpc/main.tf
文件,创建 eip
# The module declares its own provider source; an exact version pin keeps
# module and root on the same provider build.
terraform {
  required_providers {
    tencentcloud = {
      version = "1.81.25"
      source  = "tencentcloudstack/tencentcloud"
    }
  }
}
# Elastic IP that the NAT gateway below is bound to.
resource "tencentcloud_eip" "eip" {
  internet_max_bandwidth_out = var.eip_internet_max_bandwidth_out
  type                       = var.eip_type
  name                       = var.eip_name

  tags = {
    eip = var.eip_tag
  }
}
# Registry VPC module: VPC, subnets, NAT gateway (bound to the EIP above) and
# route table, all driven by module variables.
module "tencentcloud_vpc" {
  source  = "terraform-tencentcloud-modules/vpc/tencentcloud"
  version = "1.1.0"

  # VPC
  vpc_cidr = var.vpc_cidr
  vpc_name = var.vpc_name

  # Subnets
  availability_zones = var.availability_zones
  subnet_cidrs       = var.subnet_cidrs
  subnet_name        = var.subnet_name

  # NAT gateway; nat_public_ips ties it to the EIP created in this module
  nat_public_ips         = [tencentcloud_eip.eip.public_ip]
  nat_gateway_concurrent = var.nat_gateway_concurrent
  nat_gateway_bandwidth  = var.nat_gateway_bandwidth
  enable_nat_gateway     = var.enable_nat_gateway

  # Route table
  next_hub          = var.next_hub
  next_type         = var.next_type
  destination_cidrs = var.destination_cidrs

  nat_gateway_tags = {
    nat_gateway = var.nat_gateway_tag
  }
  subnet_tags = {
    subnet = var.subnet_tag
  }
  vpc_tags = {
    vpc = var.vpc_tag
  }
}
模块内部需要通过 required_providers 再次声明所使用的云商,否则会报错。
创建 eip 需要的参数可以查看 腾讯云官方文档 Tencent_eip。
根据参数引用选择需要设置和调整的参数。
- 修改
modules/vpc/variables.tf
文件
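# --- VPC ---
variable "vpc_name" {
  type        = string
  description = "tencent cloud vpc name"
}

variable "vpc_cidr" {
  type        = string
  description = "tencent cloud vpc cidr"
}

# --- Subnets ---
variable "subnet_name" {
  type        = string
  description = "tencent cloud subnet name"
}

variable "subnet_cidrs" {
  type        = list(string)
  description = "tencent cloud subnet cidrs"
}

variable "availability_zones" {
  type        = list(string)
  description = "tencent cloud availability zones"
}

# --- NAT gateway ---
variable "enable_nat_gateway" {
  type        = bool
  description = "tencent cloud enable nat gateway" # typo and trailing space fixed
}

variable "nat_gateway_bandwidth" {
  type        = number
  description = "tencent cloud nat gateway bandwidth"
}

variable "nat_gateway_concurrent" {
  type        = number
  description = "tencent cloud nat gateway concurrent"
}

# nat_public_ips is not an input: the module binds the EIP it creates itself.
# variable "nat_public_ips" {
#   type        = list(string)
#   description = "tencent cloud nat public ips"
# }

# --- Route table ---
variable "destination_cidrs" {
  type        = list(string)
  description = "tencent cloud destination cidrs"
}

variable "next_type" {
  type        = list(string)
  description = "tencent cloud next type"
}

variable "next_hub" {
  type        = list(string)
  description = "tencent cloud next hub"
}

# --- EIP ---
variable "eip_internet_max_bandwidth_out" {
  type        = number
  description = "tencent cloud internet max bandwidth out"
}

variable "eip_name" {
  type        = string
  description = "tencent cloud eip name"
}

variable "eip_type" {
  type        = string
  description = "tencent cloud eip type" # was a copy of eip_name's description
}

# --- Tag values (one per resource kind) ---
variable "vpc_tag" {
  type        = string
  description = "tencent cloud vpc tag value"
}

variable "subnet_tag" {
  type        = string
  description = "tencent cloud subnet tag value"
}

variable "eip_tag" {
  type        = string
  description = "tencent cloud eip tag value"
}

variable "nat_gateway_tag" {
  type        = string
  description = "tencent cloud nat gateway tag value"
}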
- 创建
modules/vpc/outputs.tf
文件,为了传递给主配置文件
# Identifiers passed up to the root module (the TKE module consumes them).
output "subnet_id" {
  value = module.tencentcloud_vpc.subnet_id # subnet ID(s)
}

output "vpc_id" {
  value = module.tencentcloud_vpc.vpc_id # VPC ID
}
main.tf
调用 vpc 模块
# Shared naming/tagging values for every module call in this file.
locals {
  name      = "uisee-hk"
  tag_value = "uisee-hk"
}
# Root module: VPC in Hong Kong with one subnet, a NAT gateway and a default
# route through it.
module "vpc" {
  source = "./modules/vpc"

  # VPC
  vpc_tag  = local.tag_value
  vpc_cidr = "10.0.0.0/16"
  vpc_name = local.name

  # Subnet
  subnet_tag         = local.tag_value
  availability_zones = ["ap-hongkong-3"]
  subnet_cidrs       = ["10.0.4.0/22"]
  subnet_name        = local.name

  # NAT gateway
  nat_gateway_tag        = local.tag_value
  nat_gateway_concurrent = 1000000
  nat_gateway_bandwidth  = 1000
  enable_nat_gateway     = true
  # Earlier attempts at passing the EIP from outside the module, kept for reference:
  # nat_public_ips = ["${data.tencentcloud_eips.nat_eip.eip_list[0].public_ip}"]
  # nat_public_ips = ["${module.eip.eip_public_ip}"]

  # EIP for the NAT gateway
  eip_tag                        = local.tag_value
  eip_type                       = "EIP"
  eip_name                       = local.name
  eip_internet_max_bandwidth_out = 100

  # Route table: default route via the NAT gateway
  next_hub          = ["0"]
  next_type         = ["NAT"]
  destination_cidrs = ["0.0.0.0/0"]
}
- 检查vpc
- 检查nat网关
- 检查eip
- 查看路由表
创建 安全组
1 安全组 资源
模块功能不完善。 - 20230913
- 查看文档的方式
https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest
- 官方文档
https://cloud.tencent.com/document/product/1653/82884#289725be-6c7f-4328-861e-48f48f1246a0
2 使用 安全组 资源
- 创建
modules/security_group/main.tf
文件
# Module-local provider declaration, pinned to the same release as the vpc module.
terraform {
  required_providers {
    tencentcloud = {
      version = "1.81.25"
      source  = "tencentcloudstack/tencentcloud"
    }
  }
}
# The security group itself; rules are attached by the lite_rule resource below.
resource "tencentcloud_security_group" "security_group" {
  description = var.security_group_des
  name        = var.security_group_name

  tags = {
    "security_group" = var.security_group_tag
  }
}
# Rule set for the group above. Each entry is evaluated in list order, so the
# caller is responsible for placing its final DROP rule last.
resource "tencentcloud_security_group_lite_rule" "security_group" {
  egress            = var.security_group_egress
  ingress           = var.security_group_ingress
  security_group_id = tencentcloud_security_group.security_group.id
}
- 创建
modules/security_group/variables.tf
文件
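# Inputs of the security_group module; descriptions added so the module is
# self-documenting in the registry/`terraform-docs` view.
variable "security_group_name" {
  type        = string
  description = "tencent cloud security group name"
}

variable "security_group_des" {
  type        = string
  description = "tencent cloud security group description"
}

variable "security_group_ingress" {
  type        = list(string)
  description = "ingress rules, one lite-rule string per entry, evaluated in order"
}

variable "security_group_egress" {
  type        = list(string)
  description = "egress rules, one lite-rule string per entry, evaluated in order"
}

variable "security_group_tag" {
  type        = string
  description = "tencent cloud security group tag value"
}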
- 创建
modules/security_group/output.tf
文件
# Group ID exported for the TKE module (cluster endpoint and node pools).
output "security_group_id" {
  value = tencentcloud_security_group.security_group.id
}
main.tf
新增调用 安全组 模块
# Security group shared by the TKE endpoint and node pools.
# Ingress: 80/443 from anywhere, plus 22 from anywhere — the SSH rule is as
# wide as the HTTP ones; intra-VPC and 172.16.0.0/22 get everything, and the
# trailing DROP closes the rest.
module "security_group" {
  source = "./modules/security_group"

  security_group_tag  = local.tag_value
  security_group_des  = "security_group test"
  security_group_name = "security_group-test"

  security_group_egress = [
    "ACCEPT#0.0.0.0/0#ALL#ALL",
  ]
  security_group_ingress = [
    "ACCEPT#0.0.0.0/0#80#TCP",
    "ACCEPT#0.0.0.0/0#22#TCP",
    "ACCEPT#0.0.0.0/0#443#TCP",
    "ACCEPT#10.0.0.0/16#ALL#ALL",
    "ACCEPT#172.16.0.0/22#ALL#ALL",
    "DROP#0.0.0.0/0#ALL#ALL"
  ]
}
- 查看安全组
创建 TKE
1 TKE 资源
模块功能不完善。 - 20230913
需求:
- 创建一个普通节点
- 使用 nodeport 的方式访问服务。
- 创建一个超级节点池,一个按量付费超级节点,一个包年包月的超级节点。
包年包月的更便宜;按量付费用于在包年包月资源不足时自动补充,避免因资源不够而宕机。
包年包月的暂不支持。-20230913
2 使用 TKE 资源
- 创建
modules/tke/main.tf
文件
# Module-local provider declaration, pinned to the same release as the other modules.
terraform {
  required_providers {
    tencentcloud = {
      version = "1.81.25"
      source  = "tencentcloudstack/tencentcloud"
    }
  }
}
# Short aliases for the network identifiers handed in by the root module.
locals {
  sg_id     = var.sg_id
  subnet_id = var.subnet_id
  vpc_id    = var.vpc_id
}
# Managed TKE control plane on the VPC-CNI network plugin.
resource "tencentcloud_kubernetes_cluster" "example" {
  cluster_desc    = var.cluster_desc
  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  cluster_deploy_type = "MANAGED_CLUSTER" # control plane hosted by Tencent Cloud
  container_runtime   = "containerd"
  deletion_protection = true # guards against an accidental `terraform destroy`

  # Networking: pods get ENIs from the given subnet, services from service_cidr
  network_type   = "VPC-CNI"
  vpc_id         = local.vpc_id
  eni_subnet_ids = [local.subnet_id]
  service_cidr   = var.service_cidr

  cluster_max_service_num = var.cluster_max_service_num # cap on services (256 max per the page)
  cluster_max_pod_num     = var.cluster_max_pod_num     # pods per node
}
# API-server endpoints. cluster_internet = true publishes the API server on the
# public internet; the security group passed as cluster_internet_security_group
# is the only network control in front of that public endpoint, so what it
# permits on 443 decides who can reach the control plane.
resource "tencentcloud_kubernetes_cluster_endpoint" "example" {
  cluster_id = tencentcloud_kubernetes_cluster.example.id

  cluster_intranet           = true
  cluster_intranet_subnet_id = local.subnet_id

  cluster_internet                = true
  cluster_internet_security_group = local.sg_id

  # Endpoints are created only after the cluster and both node pools exist.
  depends_on = [
    tencentcloud_kubernetes_cluster.example,
    tencentcloud_kubernetes_node_pool.example,
    tencentcloud_kubernetes_serverless_node_pool.example
  ]
}
# Regular (CVM-backed) node pool: a single node, with auto-scaling enabled but
# pinned to min = max = 1.
resource "tencentcloud_kubernetes_node_pool" "example" {
  cluster_id = tencentcloud_kubernetes_cluster.example.id
  name       = var.node_pool_name

  # Placement
  vpc_id                   = local.vpc_id
  subnet_ids               = [local.subnet_id]
  multi_zone_subnet_policy = "EQUALITY"
  retry_policy             = "INCREMENTAL_INTERVALS"
  node_os                  = var.node_os

  # Sizing
  desired_capacity  = 1
  min_size          = 1
  max_size          = 1
  enable_auto_scale = true

  # Launch template for the pool's CVM instances
  auto_scaling_config {
    instance_type    = var.instance_type
    system_disk_size = var.system_disk_size
    system_disk_type = var.system_disk_type
    data_disk {
      disk_size = var.disk_size
      disk_type = var.disk_type
    }

    orderly_security_group_ids = [local.sg_id]

    # Public exposure of each node: public IP + egress bandwidth billing
    public_ip_assigned         = var.public_ip_assigned
    internet_max_bandwidth_out = var.internet_max_bandwidth_out
    internet_charge_type       = var.internet_charge_type

    # Login password for the node OS (comes in as a module variable)
    password = var.password

    enhanced_monitor_service  = var.enhanced_monitor_service
    enhanced_security_service = var.enhanced_security_service

    # NOTE(review): host_name is an IP-looking literal with the ORIGINAL style;
    # confirm this is the intended node host name.
    host_name_style = "ORIGINAL"
    host_name       = "12.123.0.0"
  }

  # Kubernetes node metadata
  labels = {
    "type" = "node_pool",
  }
  taints {
    effect = var.taints_effect
    value  = var.taints_value
    key    = var.taints_key
  }
  node_config {
    # Extra kubelet arguments
    extra_args = [
      "root-dir=/var/lib/kubelet"
    ]
  }
}
# Serverless ("super node") pool with a single node in the module's subnet.
resource "tencentcloud_kubernetes_serverless_node_pool" "example" {
  name       = var.serverless_node_pool_name
  cluster_id = tencentcloud_kubernetes_cluster.example.id

  security_group_ids = [local.sg_id]

  serverless_nodes {
    subnet_id    = local.subnet_id
    display_name = var.serverless_node_name
  }

  labels = {
    "type" = "serverless_node_pool",
  }
}
- 创建
modules/tke/variables.tf
设置模块变量
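# --- Network identifiers from the vpc / security_group modules ---
variable "vpc_id" {
  type        = string
  description = "vpc the cluster is created in"
}

variable "subnet_id" {
  type        = string
  description = "subnet used for ENIs, the intranet endpoint and the node pools"
}

variable "sg_id" {
  type        = string
  description = "security group attached to the internet endpoint and the nodes"
}

# --- Cluster ---
variable "cluster_name" {
  type        = string
  description = "tke cluster name"
}

variable "cluster_desc" {
  type        = string
  description = "tke cluster description"
}

variable "cluster_version" {
  type        = string
  description = "kubernetes version of the cluster"
}

variable "service_cidr" {
  type        = string
  description = "cidr for kubernetes services"
}

variable "cluster_max_pod_num" {
  type        = number
  description = "maximum pods per node"
}

variable "cluster_max_service_num" {
  type        = number
  description = "maximum services in the cluster"
}

# --- Regular node pool ---
variable "node_pool_name" {
  type        = string
  description = "name of the regular node pool"
}

variable "node_os" {
  type        = string
  description = "operating system image of the nodes"
}

variable "instance_type" {
  type        = string
  description = "cvm instance type of the nodes"
}

variable "system_disk_type" {
  type        = string
  description = "system disk type of the nodes"
}

# Declared as string while disk_size is a number; callers on this page pass "100".
variable "system_disk_size" {
  type        = string
  description = "system disk size of the nodes"
}

variable "disk_type" {
  type        = string
  description = "data disk type of the nodes"
}

variable "disk_size" {
  type        = number
  description = "data disk size of the nodes"
}

variable "internet_charge_type" {
  type        = string
  description = "billing mode of the nodes' public bandwidth"
}

# Node login password. sensitive = true keeps the value out of plan/apply
# output; the caller should still supply it from outside source control
# (e.g. a TF_VAR_* environment variable) rather than as a literal.
variable "password" {
  type        = string
  description = "login password of the nodes"
  sensitive   = true
}

variable "internet_max_bandwidth_out" {
  type        = number
  description = "maximum public egress bandwidth of the nodes"
}

variable "public_ip_assigned" {
  type        = bool
  description = "whether each node gets a public ip"
}

variable "enhanced_security_service" {
  type        = bool
  description = "enable the cloud security agent on the nodes"
}

variable "enhanced_monitor_service" {
  type        = bool
  description = "enable the cloud monitor agent on the nodes"
}

variable "taints_key" {
  type        = string
  description = "taint key applied to the regular nodes"
}

variable "taints_value" {
  type        = string
  description = "taint value applied to the regular nodes"
}

variable "taints_effect" {
  type        = string
  description = "taint effect applied to the regular nodes"
}

# --- Serverless node pool ---
variable "serverless_node_pool_name" {
  type        = string
  description = "name of the serverless node pool"
}

variable "serverless_node_name" {
  type        = string
  description = "display name of the serverless node"
}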
- 创建
modules/tke/output.tf
文件
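# Cluster kubeconfig (carries the cluster credentials), exported for the root
# module. Marked sensitive so it is redacted from plan/apply output and from
# `terraform output` unless explicitly requested.
output "kube_config" {
  value     = tencentcloud_kubernetes_cluster.example.kube_config
  sensitive = true
}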
- 修改
main.tf
文件,调用tke
# Shared naming/tagging values for every module call in this file.
locals {
  name      = "abc-hk"
  tag_value = "abc-hk"
}
# Root module: VPC in Hong Kong with one subnet, a NAT gateway and a default
# route through it.
module "vpc" {
  source = "./modules/vpc"

  # VPC
  vpc_tag  = local.tag_value
  vpc_cidr = "10.0.0.0/16"
  vpc_name = local.name

  # Subnet
  subnet_tag         = local.tag_value
  availability_zones = ["ap-hongkong-3"]
  subnet_cidrs       = ["10.0.4.0/22"]
  subnet_name        = local.name

  # NAT gateway
  nat_gateway_tag        = local.tag_value
  nat_gateway_concurrent = 1000000
  nat_gateway_bandwidth  = 1000
  enable_nat_gateway     = true
  # Earlier attempts at passing the EIP from outside the module, kept for reference:
  # nat_public_ips = ["${data.tencentcloud_eips.nat_eip.eip_list[0].public_ip}"]
  # nat_public_ips = ["${module.eip.eip_public_ip}"]

  # EIP for the NAT gateway
  eip_tag                        = local.tag_value
  eip_type                       = "EIP"
  eip_name                       = local.name
  eip_internet_max_bandwidth_out = 100

  # Route table: default route via the NAT gateway
  next_hub          = ["0"]
  next_type         = ["NAT"]
  destination_cidrs = ["0.0.0.0/0"]
}
# Security group shared by the TKE endpoint and node pools.
# Ingress: 80/443 from anywhere, plus 22 from anywhere — the SSH rule is as
# wide as the HTTP ones and the nodes below get public IPs; intra-VPC and
# 172.16.0.0/22 get everything, and the trailing DROP closes the rest.
module "security_group" {
  source = "./modules/security_group"

  security_group_tag  = local.tag_value
  security_group_des  = "security_group test"
  security_group_name = "security_group-test"

  security_group_egress = [
    "ACCEPT#0.0.0.0/0#ALL#ALL",
  ]
  security_group_ingress = [
    "ACCEPT#0.0.0.0/0#80#TCP",
    "ACCEPT#0.0.0.0/0#22#TCP",
    "ACCEPT#0.0.0.0/0#443#TCP",
    "ACCEPT#10.0.0.0/16#ALL#ALL",
    "ACCEPT#172.16.0.0/22#ALL#ALL",
    "DROP#0.0.0.0/0#ALL#ALL"
  ]
}
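# Node login password for the regular node pool. Declared as a sensitive root
# variable instead of a literal in main.tf so it never sits in source control
# or plan output; supply it out of band, e.g. `export TF_VAR_node_password=...`.
variable "node_password" {
  type        = string
  description = "login password of the tke nodes"
  sensitive   = true
}

# Create the TKE cluster on the VPC, subnet and security group built above.
module "tke" {
  source = "./modules/tke"

  # Wiring from the other modules
  vpc_id    = module.vpc.vpc_id
  subnet_id = module.vpc.subnet_id[0] # first (only) subnet of the vpc module
  sg_id     = module.security_group.security_group_id

  # Cluster
  cluster_name            = local.name
  cluster_desc            = local.name
  cluster_version         = "1.26.1"
  service_cidr            = "10.1.0.0/24" # kubernetes service range
  cluster_max_pod_num     = 256           # pods per node
  cluster_max_service_num = 256           # services in the cluster (256 max)

  # Regular node pool
  node_pool_name             = "abc-hk-node_pool"
  node_os                    = "tlinux3.1x86_64"
  instance_type              = "SA2.2XLARGE16"
  system_disk_type           = "CLOUD_SSD"
  system_disk_size           = "100"
  disk_type                  = "CLOUD_SSD"
  disk_size                  = 100
  internet_charge_type       = "TRAFFIC_POSTPAID_BY_HOUR"
  internet_max_bandwidth_out = 100
  public_ip_assigned         = true # nodes get public ips; the security group above fronts them
  password                   = var.node_password
  enhanced_security_service  = true
  enhanced_monitor_service   = true
  taints_key                 = "test_taint"
  taints_value               = "taint_value"
  taints_effect              = "PreferNoSchedule"

  # Serverless node pool
  serverless_node_pool_name = "abc-hk-serverless_node_pool"
  serverless_node_name      = "abc-hk-serverless_node1"
}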
- 查看创建的 tke