
Terraform高级模式


Terraform高级模式

模块设计

模块结构

modules/
├── vpc/
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   └── README.md
├── ecs/
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
└── rds/
    ├── main.tf
    ├── variables.tf
    └── outputs.tf

模块实现

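# modules/vpc/main.tf
#
# Creates a VPC with one public and one private subnet per availability zone.
# Exposes vpc_id, public_subnet_ids and private_subnet_ids so that callers can
# place internet-facing workloads (ECS) and data stores (RDS) in different
# subnet tiers.

variable "cidr_block" {
  type        = string
  description = "IPv4 CIDR block for the VPC (e.g. 10.0.0.0/16). Subnets are carved out of it as /24s."

  # Fail at plan time instead of at the API call when an invalid CIDR is passed.
  validation {
    condition     = can(cidrnetmask(var.cidr_block))
    error_message = "cidr_block must be a valid IPv4 CIDR, e.g. 10.0.0.0/16."
  }
}

variable "environment" {
  type        = string
  description = "Environment name used as a prefix for resource names and the Environment tag."
}

# The subnet resources below look up AZ names from this data source; the
# original listing used it without declaring it, which fails at plan time.
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "this" {
  cidr_block = var.cidr_block

  tags = {
    Name        = "${var.environment}-vpc"
    Environment = var.environment
  }
}

# Public tier: instances launched here get a public IP automatically.
# NOTE(review): reachability from the internet additionally needs an internet
# gateway and a route table pointing at it, which this module does not create.
resource "aws_subnet" "public" {
  count             = 3
  vpc_id            = aws_vpc.this.id
  cidr_block        = cidrsubnet(var.cidr_block, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  map_public_ip_on_launch = true

  tags = {
    Name        = "${var.environment}-public-${count.index}"
    Environment = var.environment
  }
}

# Private tier: no public IPs. Databases and other non-internet-facing
# resources belong here. The index offset keeps these /24s from overlapping
# the public subnets.
resource "aws_subnet" "private" {
  count             = 3
  vpc_id            = aws_vpc.this.id
  cidr_block        = cidrsubnet(var.cidr_block, 8, count.index + 3)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name        = "${var.environment}-private-${count.index}"
    Environment = var.environment
  }
}

output "vpc_id" {
  description = "ID of the created VPC."
  value       = aws_vpc.this.id
}

output "public_subnet_ids" {
  description = "IDs of the public subnets, one per AZ."
  value       = aws_subnet.public[*].id
}

output "private_subnet_ids" {
  description = "IDs of the private subnets, one per AZ; use these for RDS."
  value       = aws_subnet.private[*].id
}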

状态管理

远程状态

terraform {
  backend "s3" {
    # Remote state in S3, locked through a DynamoDB table.
    #
    # Security notes:
    # - State stores every attribute Terraform manages in plaintext, including
    #   values marked sensitive (database passwords, keys). Restrict who can
    #   read this bucket; `encrypt = true` only enables server-side encryption
    #   (SSE-S3 by default; set kms_key_id to use a customer-managed KMS key).
    # - Enable bucket versioning and block public access on the bucket itself;
    #   that is configured on the bucket, not here.
    # - With workspaces, non-default workspaces are stored under
    #   `env:/<workspace>/<key>`, so the "prod/" prefix in `key` only applies to
    #   the default workspace.
    region         = "us-west-2"
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}

状态锁

# 使用DynamoDB进行状态锁
# DynamoDB table used by the S3 backend for state locking.
# The backend requires a string partition key named exactly "LockID";
# the name must match `dynamodb_table` in the backend configuration.
# NOTE(review): this table must be created (and bootstrapped) with a separate
# configuration or local state, since the backend that uses it cannot depend
# on resources it manages.
resource "aws_dynamodb_table" "terraform_locks" {
  name     = "terraform-locks"
  hash_key = "LockID"

  # On-demand billing: lock traffic is tiny and bursty, so no provisioned
  # capacity is needed.
  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "LockID"
    type = "S"
  }
}

工作区

# 创建工作区
# Create one workspace per environment. Each workspace gets its own state
# file under the same backend.
terraform workspace new staging
terraform workspace new production

# Make "staging" the active workspace for subsequent plan/apply runs.
terraform workspace select staging

# Show all workspaces; the active one is marked with "*".
terraform workspace list
# NOTE(review): workspaces share the same backend, provider credentials and
# code, so they separate state but are not a security boundary between
# production and non-production. Use separate accounts/backends for that.
# 根据工作区配置
# Derive environment-specific sizing from the active workspace.
locals {
  # True only for the "production" workspace; every other workspace,
  # including "default", receives the small/non-production profile.
  is_production = terraform.workspace == "production"

  environment = terraform.workspace

  instance_type = local.is_production ? "m5.large" : "t3.micro"

  # Autoscaling bounds: 3..10 instances in production, 1..3 elsewhere.
  min_size = local.is_production ? 3 : 1
  max_size = local.is_production ? 10 : 3
}

动态块

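# Security group whose ingress rules are supplied by the caller.
# Each element of var.ingress_rules must provide from_port, to_port, protocol
# and cidr_blocks; an optional description is passed through when present.
resource "aws_security_group" "example" {
  name        = "example"
  description = "Example security group"
  vpc_id      = aws_vpc.main.id

  # One ingress block per caller-supplied rule.
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      # Optional on the input; null leaves the AWS default.
      description = try(ingress.value.description, null)
      from_port   = ingress.value.from_port
      to_port     = ingress.value.to_port
      protocol    = ingress.value.protocol
      cidr_blocks = ingress.value.cidr_blocks
    }
  }

  # Unrestricted egress (all protocols, all ports, anywhere). This is the
  # common default but is worth tightening for workloads that only need to
  # reach known endpoints; kept as-is to preserve the original behaviour.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Guardrail: because the rules come from a variable, a caller could open
  # every protocol to the whole internet. Reject that combination at plan
  # time. (lifecycle preconditions require Terraform >= 1.2.)
  lifecycle {
    precondition {
      condition = alltrue([
        for rule in var.ingress_rules :
        !(rule.protocol == "-1" && contains(rule.cidr_blocks, "0.0.0.0/0"))
      ])
      error_message = "ingress_rules must not allow all protocols (-1) from 0.0.0.0/0."
    }
  }
}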

实践:完整基础设施

# main.tf
module "vpc" {
  source = "./modules/vpc"
  
  cidr_block  = "10.0.0.0/16"
  environment = var.environment
}

module "ecs" {
  source = "./modules/ecs"
  
  cluster_name = "${var.environment}-cluster"
  vpc_id       = module.vpc.vpc_id
  subnet_ids   = module.vpc.public_subnet_ids
}

module "rds" {
  source = "./modules/rds"
  
  identifier     = "${var.environment}-db"
  engine_version = "14"
  instance_class = var.environment == "production" ? "db.r5.large" : "db.t3.micro"
  
  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnet_ids
}

Plan审查

# 生成执行计划
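# Generate an execution plan and save it so that exactly the reviewed plan is
# what gets applied later (`terraform apply tfplan`).
# NOTE: the saved plan contains resolved values, including ones marked
# sensitive, in plaintext - handle it like state (do not commit or share it).
terraform plan -out=tfplan

# Review the plan in human-readable form
terraform show tfplan

# Export the plan as JSON for policy checks and cost tooling
terraform show -json tfplan > tfplan.json

# Estimate the cost impact with Infracost. Infracost requires --path; a
# Terraform plan JSON is accepted as input.
infracost diff --path tfplan.json --usage-file usage.yml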

最佳实践

  1. 模块化设计
  2. 远程状态管理(状态文件包含明文敏感值,需加密并严格限制访问)
  3. 状态锁定
  4. 工作区隔离
  5. 代码审查
  6. 成本估算

总结

Terraform高级模式包括模块化、状态管理和工作区等。通过这些模式,可以实现可维护、可扩展的基础设施即代码。需要注意的是,状态文件和保存的plan文件都会以明文包含敏感值,应当加密存储并限制访问;工作区只隔离状态,并不是生产与非生产环境之间的安全边界。