
IaC基础设施即代码


IaC基础设施即代码

IaC概览

基础设施即代码以声明式方式管理云资源配置,通过代码实现基础设施的版本控制和自动化部署。

┌─────────────────────────────────────────────┐
│              IaC工作流                       │
├─────────────┬─────────────┬─────────────────┤
│  编写       │   计划      │    应用         │
│  (Write)   │  (Plan)     │   (Apply)       │
├─────────────┼─────────────┼─────────────────┤
│ HCL/JSON   │ 预览变更    │  执行变更       │
└─────────────┴─────────────┴─────────────────┘

Terraform基础

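# main.tf - VPC and EC2 configuration
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  # Remote state. The state file records every managed resource's attributes
  # (and can include secrets), so it is kept encrypted at rest, and concurrent
  # runs are serialized with a lock so two applies cannot corrupt it.
  backend "s3" {
    bucket         = "terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    # Lock table name below is illustrative; point it at your own DynamoDB
    # table (Terraform >= 1.10 can use use_lockfile = true instead).
    dynamodb_table = "terraform-state-lock"
  }
}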

# Provider region comes from a variable so the same configuration can be
# pointed at different regions without editing the code.
provider "aws" {
  region = var.aws_region
}

# VPC: the CIDR block is supplied by a variable; DNS support and DNS
# hostnames are both enabled so instances inside the VPC get resolvable names.
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  
  tags = {
    Name = "main-vpc"
  }
}

# Public subnet, placed in the "a" availability zone of the provider region.
# map_public_ip_on_launch = true means every instance launched here receives
# a public IP automatically: anything placed in this subnet is internet
# reachable and depends on its security group for ingress control.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.public_subnet_cidr
  availability_zone       = "${var.aws_region}a"
  map_public_ip_on_launch = true
  
  tags = {
    Name = "public-subnet"
  }
}

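# EC2 instance
# data.aws_ami.ubuntu is referenced here but not declared in this listing;
# the AMI lookup must be defined elsewhere in the configuration.
resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = var.instance_type
  subnet_id     = aws_subnet.public.id

  # The subnet assigns a public IP on launch, so this host is reachable from
  # the internet. No security group is set, so the VPC default group applies;
  # attach one via vpc_security_group_ids that allows only the served ports.

  # Require IMDSv2 (session-token) access to instance metadata so that
  # instance-role credentials cannot be fetched by a plain, unauthenticated
  # request from a compromised process on the host.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at rest.
  root_block_device {
    encrypted = true
  }

  tags = {
    Name = "web-server"
  }
}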

Terraform模块化

# modules/ecs/main.tf
# ECS cluster with Container Insights turned on (CloudWatch-based cluster and
# task metrics), so the cluster is observable from the moment it is created.
resource "aws_ecs_cluster" "main" {
  name = var.cluster_name
  
  setting {
    name  = "containerInsights"
    value = "enabled"
  }
}

# ECS service running the module's task definition on the cluster above.
# aws_ecs_task_definition.app is referenced but not shown in this listing.
resource "aws_ecs_service" "app" {
  name            = var.service_name
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.app.arn
  desired_count   = var.desired_count
  
  # Deployment circuit breaker: a rollout that fails to reach a steady state
  # is marked failed, and with rollback = true the service is returned to the
  # last working deployment automatically instead of staying half-deployed.
  deployment_circuit_breaker {
    enable   = true
    rollback = true
  }
}

# Using the module. A local path source is not version-pinned; a module taken
# from a registry or git source should pin an explicit version or ref so a
# module change cannot alter infrastructure without a reviewed code change.
module "ecs" {
  source = "./modules/ecs"
  
  cluster_name = "prod-cluster"
  service_name = "api-service"
  desired_count = 3
}

Pulumi多语言IaC

// Pulumi TypeScript
import * as aws from "@pulumi/aws";

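// VPC with DNS hostnames enabled so instances get resolvable names.
const vpc = new aws.ec2.Vpc("main", {
    cidrBlock: "10.0.0.0/16",
    enableDnsHostnames: true,
});

// Public subnet: every instance launched here receives a public IP.
const subnet = new aws.ec2.Subnet("public", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-east-1a",
    mapPublicIpOnLaunch: true,
});

// Web instance. The AMI id is region-specific and pinned by hand; resolving
// it with aws.ec2.getAmi keeps the image current and portable across regions.
const instance = new aws.ec2.Instance("web", {
    ami: "ami-0c55b159cbfafe1f0",
    instanceType: "t3.micro",
    subnetId: subnet.id,
    // Require IMDSv2 so instance-role credentials cannot be read by a plain,
    // unauthenticated metadata request from a compromised process.
    metadataOptions: {
        httpEndpoint: "enabled",
        httpTokens: "required",
    },
    // Encrypt the root volume at rest.
    rootBlockDevice: {
        encrypted: true,
    },
    // No security group is given, so the VPC default group applies; pass
    // vpcSecurityGroupIds with an explicit ingress policy for an exposed host.
    tags: { Name: "web-server" },
});

// Stack output: the instance's public IP address.
export const publicIp = instance.publicIp;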

工作区管理

# Multi-environment configuration
# environments/prod/main.tf
# Each environment is its own root module (and therefore its own state);
# environments differ only in the values passed to the shared module.
module "infrastructure" {
  source = "../../modules/infrastructure"
  
  environment = "prod"
  vpc_cidr    = "10.0.0.0/16"
  instance_type = "m5.large"
}

# environments/staging/main.tf
# Staging uses a non-overlapping CIDR (10.1.0.0/16) and a smaller instance
# class than prod; everything else is inherited from the shared module.
module "infrastructure" {
  source = "../../modules/infrastructure"
  
  environment = "staging"
  vpc_cidr    = "10.1.0.0/16"
  instance_type = "t3.medium"
}

IaC最佳实践

实践 说明
状态存储 远程状态+状态锁
模块复用 抽象通用基础设施
变量管理 敏感信息用Vault
代码审查 PR审查基础设施变更
自动化 CI/CD流水线执行