云生态下的基础架构资源管理利器Terraform

About Terraform

Terraform （https://www.terraform.io/） 是HashiCorp旗下的一款开源（Go语言开发）的DevOps 基础架构资源管理运维工具，可以看下对应的DevOps工具链：

Terraform可以安全高效的构建、更改和合并多个云厂商的各种服务资源，当前支持有阿里云、AWS、微软Azure、Vmware、Google Cloud Platform等多个云厂商云产品的资源创建。

Write, Plan, and Create Infrastructure as Code

Terraform通过模板配置文件定义所有资源类型（有如主机，OS，存储类型，中间件，网络VPC，SLB，DB，Cache等）和资源的数量、规格类型、资源创建依赖关系，基于资源厂商的OpenAPI快速创建一键创建定义的资源列表，同时也支持资源的一键销毁。

通过模板配置化的方式，我们可以得知整个资源关系，也可以做相应的资源版本化管理，甚至可以把该资源模板直接复制建立多可用区的服务，包括资源的弹性伸缩，可以说在提高运维自动化生产力上是一个绝好的利器。

这里引用@箫竹 一次分享中提供的一个创建阿里云资源的Terraform产品介绍图 ：

最左边栏通过一个main.tf文件（只需要是.tf 文件）定义了ECS（镜像、实例类型）、VPC（CIDR、VPC Name）、OSS资源（ACL、实例Name）信息，通过Terraform 对资源配置参数做解析，调用阿里cloud OpenAPI 进行资源校验于创建，同时把整个资源创建状态化到一个.tf.state文件中，基于该文件则可以得知资源创建的所有信息，包括资源数量调整，规格调整，实例变更都依赖这种非常重要的文件。 具体后续综合一些案例，比如Terraform 实现WordPress的一键自动化搭建，可以更好的理解该产品的执行过程。

下面先讲述下Terraform的安装，模板配置文件的编写，后续再专门写几个案例作为分享。

Install Terraform

Terraform 可以随意部署在任意的C端上，只要可以连通公网即可（Initializing provider plugins and Call Cloud OpenAPI）
通过 https://www.terraform.io/downloads.html 下载对应平台的可执行二进制包，解压出来Executable Binary 放指定目录，配置好相应的PATH则可使用terraform 指令。

wangzhipengs-MacBook-Pro:~ wangzhipeng$ which terraform
/usr/local/bin/terraform
wangzhipengs-MacBook-Pro:~ wangzhipeng$ terraform 
Usage: terraform [--version] [--help] <command> [args]

The available commands for execution are listed below.
The most common, useful commands are shown first, followed by
less common or more advanced commands. If you're just getting
started with Terraform, stick with the common commands. For the
other commands, please read the help and docs before usage.

Common commands:
    apply              Builds or changes infrastructure
    console            Interactive console for Terraform interpolations
    destroy            Destroy Terraform-managed infrastructure
    env                Workspace management
    fmt                Rewrites config files to canonical format
    get                Download and install modules for the configuration
    graph              Create a visual graph of Terraform resources
    import             Import existing infrastructure into Terraform
    init               Initialize a Terraform working directory
    output             Read an output from a state file
    plan               Generate and show an execution plan
    providers          Prints a tree of the providers used in the configuration
    push               Upload this Terraform module to Atlas to run
    refresh            Update local state file against real resources
    show               Inspect Terraform state or plan
    taint              Manually mark a resource for recreation
    untaint            Manually unmark a resource as tainted
    validate           Validates the Terraform files
    version            Prints the Terraform version
    workspace          Workspace management

All other commands:
    debug              Debug output management (experimental)
    force-unlock       Manually unlock the terraform state
    state              Advanced state management

这里需要特别说明一下的是目前Terraform官网的版本只支持阿里cloud比较有效的几个大产品的resource，因此如果要创建阿里cloud多个resource需要引入阿里cloud的provider：
https://github.com/alibaba/terraform-provider/releases
通过下载alicloud的provider binary (bin/terraform-provider-alicloud) 放置到Terraform的安装目录下。

Build Infrastructure

整个架构资源创建的过程，可以分成如下四部分：

通过一个*.tf 后缀的模板文件，描述指定厂商的所有资源配置信息，比如说创建一个alicloud ECS的模板配置：

# Configure the Alicloud Provider
provider "alicloud" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}

# Create a web server
resource "alicloud_instance" "web" {
  # cn-beijing
  provider          = "alicloud"
  availability_zone = "cn-beijing-a"
  image_id          = "ubuntu_140405_32_40G_cloudinit_20161115.vhd"

  internet_charge_type  = "PayByBandwidth"

  instance_type        = "ecs.n1.medium"
  io_optimized         = "optimized"
  system_disk_category = "cloud_efficiency"
  security_groups      = ["${alicloud_security_group.default.id}"]
  instance_name        = "web"
}

# Create security group
resource "alicloud_security_group" "default" {
  name        = "default"
  provider    = "alicloud"
  description = "default"
}

# Output message
output "ecs instance name" {
  value = "${alicloud_instance.web.instance_name}"
}

output "ecs private ip" {
  value = "${alicloud_instance.web.private_ip}"
}

如上access_key，secret_key 填写创建资源账号的AK，该Config File涵盖了Region，可用区，ECS镜像，带宽计费方式，实例规格，IO类型，存储类型，安全组，实例名称多个信息。
完成如上配置信息后，需要通过terraform init 做cloud provider plugins的初始化操作：

wangzhipengs-MacBook-Pro:terraform_dir wangzhipeng$ terraform init

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "alicloud" (0.1.0)...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.alicloud: version = "~> 0.1"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

此时会在当前目录下创建一个.terraform目录，保存有该平台下的provider可执行文件。
上面信息也做了提示，我们可以running "terraform plan" 查看将要创建的资源信息：

wangzhipengs-MacBook-Pro:terraform_dir wangzhipeng$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + alicloud_instance.web
      id:                   <computed>
      allocate_public_ip:   "false"
      availability_zone:    "cn-beijing-a"
      host_name:            <computed>
      image_id:             "ubuntu_140405_32_40G_cloudinit_20161115.vhd"
      instance_name:        "web"
      instance_type:        "ecs.n1.medium"
      internet_charge_type: "PayByBandwidth"
      io_optimized:         "optimized"
      private_ip:           <computed>
      public_ip:            <computed>
      security_groups.#:    <computed>
      status:               <computed>
      subnet_id:            <computed>
      system_disk_category: "cloud_efficiency"
      system_disk_size:     <computed>

  + alicloud_security_group.default
      id:                   <computed>
      description:          "default"
      name:                 "default"


Plan: 2 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

通过apply可以预览模板对应创建2个资源，已经对应的属性信息：

• alicloud_instance.web
• alicloud_security_group.default （该安全组暂时未设置自定义放行规则）
  其中computed标识为暂时无法得知最终创建出来的信息，所以也可以理解成系统默认分配。

接下通过指令terraform apply执行资源创建：

wangzhipengs-MacBook-Pro:terraform_dir wangzhipeng$ terraform apply
alicloud_security_group.default: Creating...
  description: "" => "default"
  name:        "" => "default"
alicloud_security_group.default: Creation complete after 1s (ID: sg-2zec9v8aq2hgb244qrqf)
alicloud_instance.web: Creating...
  allocate_public_ip:         "" => "false"
  availability_zone:          "" => "cn-beijing-a"
  host_name:                  "" => "<computed>"
  image_id:                   "" => "ubuntu_140405_32_40G_cloudinit_20161115.vhd"
  instance_name:              "" => "web"
  instance_type:              "" => "ecs.n1.medium"
  internet_charge_type:       "" => "PayByBandwidth"
  io_optimized:               "" => "optimized"
  private_ip:                 "" => "<computed>"
  public_ip:                  "" => "<computed>"
  security_groups.#:          "" => "1"
  security_groups.2344301974: "" => "sg-2zec9v8aq2hgb244qrqf"
  status:                     "" => "<computed>"
  subnet_id:                  "" => "<computed>"
  system_disk_category:       "" => "cloud_efficiency"
  system_disk_size:           "" => "<computed>"
alicloud_instance.web: Still creating... (10s elapsed)
alicloud_instance.web: Still creating... (20s elapsed)
alicloud_instance.web: Still creating... (30s elapsed)
alicloud_instance.web: Still creating... (40s elapsed)
alicloud_instance.web: Still creating... (50s elapsed)
alicloud_instance.web: Creation complete after 51s (ID: i-2zedvfowy4m39sg1xdig)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

ecs instance name = web
ecs private ip = 10.31.28.93

分钟级功夫该ECS就创建好了

Input/Output Variables

回顾上面通过Terraform 创建资源的过程，最关键的还是如何描述模板配置信息，这里主要说明一下参数配置2个输入输出的变量实现。

# Configure the Alicloud Provider
provider "alicloud" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}

我们可以在当前文件，但最好另创建一个*.tf后缀结尾文件，存放对应的ak和region信息，这样我们就可以把一些变量信息提取出来避免硬编码，这对整个配置文件具备更好的可维护性：

wangzhipengs-MacBook-Pro:terraform_dir wangzhipeng$ cat variable.tf
variable "access_key" {
  default = "xxx"
}
variable "secret_key" {
  default = "xxx"
}
variable "region" {
  default = "cn-beijing"
}

此外，如上配置指定了output的变量信息，本身如果不指定output的内容也不影响整个资源创建的过程，但通过输出output的信息可以彻底脱离控制台，对于如下的output变量信息也可以存放在另一个*.tf后缀文件，对于resource的输出变量可以参阅每个provider resource的attribute信息。

# Output message
output "ecs instance name" {
  value = "${alicloud_instance.web.instance_name}"
}

output "ecs private ip" {
  value = "${alicloud_instance.web.private_ip}"
}

Destroy Infrastructure

资源使用后如果想要释放，以往通过控制台，往往需要存在资源依赖，导致资源释放的时候需要先释放被依赖的资源，所以整个资源释放的过程还是比较繁琐的，甚至可能存在忘记释放个别资源造成资源浪费，Terraform通过指令terraform destroy 可以一键释放资源：

wangzhipengs-MacBook-Pro:terraform_dir wangzhipeng$ terraform destroy
alicloud_security_group.default: Refreshing state... (ID: sg-2zec9v8aq2hgb244qrqf)
alicloud_instance.web: Refreshing state... (ID: i-2zedvfowy4m39sg1xdig)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - alicloud_instance.web

  - alicloud_security_group.default


Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

alicloud_instance.web: Destroying... (ID: i-2zedvfowy4m39sg1xdig)
alicloud_instance.web: Still destroying... (ID: i-2zedvfowy4m39sg1xdig, 10s elapsed)
alicloud_instance.web: Destruction complete after 11s
alicloud_security_group.default: Destroying... (ID: sg-2zec9v8aq2hgb244qrqf)
alicloud_security_group.default: Destruction complete after 1s

Destroy complete! Resources: 2 destroyed.