在 Terraform 工作空间之间共享资源 [英] Sharing resources between Terraform workspaces
问题描述
我正在使用 AWS 中的 Terraform 部署一个基础设施.此基础架构可以部署到不同的环境中,我正在使用工作区.
部署中的大部分组件应该为每个工作区单独创建,但我有几个关键组件希望在它们之间共享,主要是:
- IAM 角色和权限
- 它们应该使用相同的 API 网关,但每个工作区应该部署到不同的路径和方法
例如:
资源aws_iam_role"lambda_iam_role"{name = "LambdaGeneralRole"政策 = <...>}资源aws_lambda_function"my_lambda"{function_name = "lambda-${terraform.workspace}"角色 = "${aws_iam_role.lambda_iam_role.arn}"}第一个资源是一个 IAM 角色,应该在该 Lambda 的所有实例之间共享,并且不应多次重新创建.
第二个资源是一个 Lambda 函数,其名称取决于当前工作区,因此每个工作区将部署并跟踪不同 Lambda 的状态.
如何在不同的 Terraform 工作区之间共享资源及其状态?
对于共享资源,我在单独的模板中创建它们,然后在需要信息的模板中使用 terraform_remote_state 引用它们关于他们.
以下是我如何实现它,可能还有其他方法可以实现它.YMMV
在共享服务模板(您将放置 IAM 角色的位置)中,我使用 Terraform 后端将共享服务模板的输出数据存储在 Consul 中.您还需要输出您想在其他模板中使用的任何信息.
shared_services 模板
terraform {后端领事"{地址=consul.aa.example.com:8500"路径 = "terraform/shared_services"}}资源aws_iam_role"lambda_iam_role"{name = "LambdaGeneralRole"政策 = <...>}输出lambda_iam_role_arn"{值 = "${aws_iam_role.lambda_iam_role.arn}"}<块引用>
Terraform 中的后端"决定了如何加载状态以及如何执行应用等操作.这种抽象支持非本地文件状态存储、远程执行等.
在单个模板中,您使用 terraform_remote_state 作为数据源调用后端,并且可以使用该模板中的数据.
terraform_remote_state:
从远程后端检索状态元数据
单独的模板
数据terraform_remote_state"shared_services"{后端=领事"配置{地址=consul.aa.example.com:8500"路径 = "terraform/shared_services"}}# 这是你使用 terraform_remote_state 数据源的地方资源aws_lambda_function"my_lambda"{function_name = "lambda-${terraform.workspace}"角色 = "${data.terraform_remote_state.shared_services.lambda_iam_role_arn}"}参考文献:
https://www.terraform.io/docs/state/remote.html
https://www.terraform.io/docs/backends/
https://www.terraform.io/docs/providers/terraform/d/remote_state.html
I have an infrastructure I'm deploying using Terraform in AWS. This infrastructure can be deployed to different environments, for which I'm using workspaces.
Most of the components in the deployment should be created separately for each workspace, but I have several key components that I wish to be shared between them, primarily:
- IAM roles and permissions
- They should use the same API Gateway, but each workspace should deploy to different paths and methods
For example:
resource "aws_iam_role" "lambda_iam_role" {
name = "LambdaGeneralRole"
policy = <...>
}
resource "aws_lambda_function" "my_lambda" {
function_name = "lambda-${terraform.workspace}"
role = "${aws_iam_role.lambda_iam_role.arn}"
}
The first resource is a IAM role that should be shared across all instances of that Lambda, and shouldn't be recreated more than once.
The second resource is a Lambda function whose name depends on the current workspace, so each workspace will deploy and keep track of the state of a different Lambda.
How can I share resources, and their state, between different Terraform workspaces?
For the shared resources, I create them in a separate template and then refer to them using terraform_remote_state in the template where I need information about them.
What follows is how I implement this, there are probably other ways to implement it. YMMV
In the shared services template (where you would put your IAM role) I use Terraform backend to store the output data for the shared services template in Consul. You also need to output any information you want to use in other templates.
shared_services template
terraform {
backend "consul" {
address = "consul.aa.example.com:8500"
path = "terraform/shared_services"
}
}
resource "aws_iam_role" "lambda_iam_role" {
name = "LambdaGeneralRole"
policy = <...>
}
output "lambda_iam_role_arn" {
value = "${aws_iam_role.lambda_iam_role.arn}"
}
A "backend" in Terraform determines how state is loaded and how an operation such as apply is executed. This abstraction enables non-local file state storage, remote execution, etc.
In the individual template you invoke the backend as a data source using terraform_remote_state and can use the data in that template.
terraform_remote_state:
Retrieves state meta data from a remote backend
individual template
data "terraform_remote_state" "shared_services" {
backend = "consul"
config {
address = "consul.aa.example.com:8500"
path = "terraform/shared_services"
}
}
# This is where you use the terraform_remote_state data source
resource "aws_lambda_function" "my_lambda" {
function_name = "lambda-${terraform.workspace}"
role = "${data.terraform_remote_state.shared_services.lambda_iam_role_arn}"
}
References:
https://www.terraform.io/docs/state/remote.html
https://www.terraform.io/docs/backends/
https://www.terraform.io/docs/providers/terraform/d/remote_state.html
这篇关于在 Terraform 工作空间之间共享资源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
