Terraform is an open source tool from HashiCorp for safely and efficiently previewing, configuring and managing cloud infrastructure and resources. It lets developers create and update Alibaba Cloud infrastructure resources automatically and keep them under version control. This topic describes how to use Terraform to manage Key Management Service (KMS) resources.
Prerequisites
If you use Cloud Shell, Terraform and your Alibaba Cloud account information are installed and configured by default, and no further action is required. If you do not use Cloud Shell, you must install Terraform and configure your Alibaba Cloud account information yourself.
Install Terraform v0.14 or later. For details, see Install and configure Terraform locally.
Note: After installation, you can check the Terraform version with the terraform --version command. If the installed version is earlier than v0.14, reinstall the correct version over it. For more information about Terraform, see What is Terraform.
Configure your Alibaba Cloud account information.
Create environment variables to hold the credentials (recommended). The procedure differs by operating system; for details, see Configure environment variables on Linux, macOS and Windows.
export ALICLOUD_ACCESS_KEY="******"
export ALICLOUD_SECRET_KEY="******"
export ALICLOUD_REGION="******"
Alternatively, specify the credentials in the provider block of the configuration file:
provider "alicloud" {
  access_key = "******"
  secret_key = "******"
  region     = "******"
}
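As an added example that is not part of the original topic, a provider configuration that pins the provider to the aliyun/alicloud source named in the registry warning shown later in this topic and takes its credentials from the environment variables above instead of hard-coding them. The version constraint is an assumption based on the v1.183.0 shown in this topic's output.

```hcl
terraform {
  required_version = ">= 0.14"

  required_providers {
    alicloud = {
      # The registry warning in this topic says hashicorp/alicloud has moved here;
      # pinning the source stops init from silently picking the legacy namespace.
      source  = "aliyun/alicloud"
      # Assumed constraint; matches the provider version shown in this topic
      version = ">= 1.183.0"
    }
  }
}

# No access_key, secret_key or region here. The provider reads
# ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY and ALICLOUD_REGION from the
# environment, so the credentials never land in a file that gets committed.
provider "alicloud" {}
```

With this block the lock file .terraform.lock.hcl records the aliyun/alicloud checksum, so a later terraform init on another machine installs the same provider build.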
Create a KMS key with Terraform
Create a working directory and, inside it, the two configuration files named main.tf and variables.tf shown below.
main.tf: the main Terraform file, which defines the resources to deploy.
# See https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key
# for details of the alicloud_kms_key resource
resource "alicloud_kms_key" "dkms_key" {
  description            = var.description
  protection_level       = var.protection_level
  dkms_instance_id       = var.dkms_instance_id
  # Deletion window declared in variables.tf; without it the key is not referenced anywhere
  pending_window_in_days = var.pending_window_in_days
}

# Expose the KeyId of the new key so it can be read with terraform output
output "dkms_key_id" {
  value = alicloud_kms_key.dkms_key.id
}
variables.tf: the variables that can be passed into main.tf, so you can customize the deployment.
# Description of the new KMS key
variable "description" {
  default = "the new dkms key"
}

# The CMK is deleted after the specified number of days. During that period
# the CMK is in the PendingDeletion state; after it elapses, the deletion can
# no longer be cancelled.
variable "pending_window_in_days" {
  default = "7"
}

# Must be SOFTWARE if your KMS instance is a software key management instance
# and HSM if it is a hardware key management instance
variable "protection_level" {
  default = "SOFTWARE"
}

# ID of your KMS instance
variable "dkms_instance_id" {
  default = "kst-xxxxxxxxxxxxxxx"
}
Run the terraform init command to initialize the Terraform working directory. Expected output:
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/alicloud...
- Installing hashicorp/alicloud v1.183.0...
- Installed hashicorp/alicloud v1.183.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

╷
│ Warning: Additional provider information from registry
│
│ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
│ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
╵

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Run the terraform plan command to generate the execution plan. Expected output:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # alicloud_kms_key.dkms_key will be created
  + resource "alicloud_kms_key" "dkms_key" {
      ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + dkms_key_id = (known after apply)

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
Run the terraform apply command to create the key. Expected output:
...
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes
...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

dkms_key_id = "key-xxxxxxxxxxxxxxxxxx"
After the key is created, you can also perform the following operations.
View the KeyId of the created key:
terraform output dkms_key_id
Expected output:
"key-xxxxxxxxxxxxxxxxxx"
Schedule deletion of the key:
terraform destroy
Expected output:
...
Plan: 0 to add, 0 to change, 1 to destroy.
...
Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes
...
Destroy complete! Resources: 1 destroyed.
Create a KMS secret with Terraform
Create a working directory and, inside it, the two configuration files named main.tf and variables.tf shown below.
main.tf: the main Terraform file, which defines the resources to deploy.
# See https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_secret
# for details of the alicloud_kms_secret resource
resource "alicloud_kms_secret" "dkms_secret" {
  secret_name       = "secret-simple"
  description       = "from terraform"
  secret_data       = var.ENV_SECRET_DATA
  version_id        = var.version_id
  encryption_key_id = var.encryption_key_id
  dkms_instance_id  = var.dkms_instance_id
  # Deletes the secret immediately on destroy, with no recovery window
  force_delete_without_recovery = true
}
variables.tf: the variables that can be passed into main.tf, so you can customize the deployment.
# Secret version
variable "version_id" {
  default = "000000000001"
}

# Set the secret value with: export TF_VAR_ENV_SECRET_DATA=xxxxxxxxxx
variable "ENV_SECRET_DATA" {
  default = "Secret data."
  # Uncomment to redact the value from plan and apply output
  #sensitive = true
}

# ID of the CMK that encrypts the secret
variable "encryption_key_id" {
  default = "key-xxxxxxxxxxxxxxxxxx"
}

# ID of your KMS instance
variable "dkms_instance_id" {
  default = "kst-xxxxxxxxxxxxxxx"
}
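As an added example that is not part of the original topic, a hardened variables.tf for the secret above: the secret value has no literal default and is marked sensitive, and the key and instance IDs are validated before any API call. The ID prefixes checked by the validation blocks are assumptions based on the placeholder values shown in this topic.

```hcl
# Secret value: no default, so it must come from TF_VAR_ENV_SECRET_DATA
# (or an interactive prompt) and cannot be committed by accident.
variable "ENV_SECRET_DATA" {
  type      = string
  # Redacted from plan/apply output. It is still written in clear text to
  # terraform.tfstate, so the state backend needs the same protection as the secret.
  sensitive = true

  validation {
    condition     = length(var.ENV_SECRET_DATA) > 0
    error_message = "ENV_SECRET_DATA must not be empty; set it with export TF_VAR_ENV_SECRET_DATA=<value>."
  }
}

variable "version_id" {
  type    = string
  default = "000000000001"
}

# CMK that encrypts the secret; assumed to start with "key-" like the placeholder in this topic
variable "encryption_key_id" {
  type = string

  validation {
    condition     = can(regex("^key-", var.encryption_key_id))
    error_message = "The encryption_key_id must be a KMS key ID of the form key-xxxx."
  }
}

# KMS instance ID; assumed to start with "kst-" like the placeholder in this topic
variable "dkms_instance_id" {
  type = string

  validation {
    condition     = can(regex("^kst-", var.dkms_instance_id))
    error_message = "The dkms_instance_id must be a KMS instance ID of the form kst-xxxx."
  }
}
```

Because neither ID has a default, terraform plan fails fast with the validation message instead of sending a placeholder ID to the KMS API.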
Run the terraform init command to initialize the Terraform working directory. Expected output:
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/alicloud...
- Installing hashicorp/alicloud v1.183.0...
- Installed hashicorp/alicloud v1.183.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

╷
│ Warning: Additional provider information from registry
│
│ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
│ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
╵

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Run the terraform plan command to generate the execution plan. Expected output:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # alicloud_kms_secret.dkms_secret will be created
  + resource "alicloud_kms_secret" "dkms_secret" {
      ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
Run the terraform apply command to create the secret. Expected output:
...
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes
...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
After the secret is created, you can also run the following command to delete it.
terraform destroy
Expected output:
...
Plan: 0 to add, 0 to change, 1 to destroy.
...
Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes
...
Destroy complete! Resources: 1 destroyed.