Quickstart: Create an internal load balancer to load balance internal traffic to VMs using Terraform

This quickstart shows you how to use Terraform to deploy a standard internal load balancer and two virtual machines. Additional resources include Azure Bastion, a NAT gateway, a virtual network, and the required subnets.

Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax lets you specify the cloud provider, such as Azure, and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that lets you preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.

Prerequisites

Implement the Terraform code

The sample code for this article is located in the Azure Terraform GitHub repo. You can view the log file containing the test results from current and previous versions of Terraform. See more articles and sample code that show how to use Terraform to manage Azure resources.

  1. Create a directory in which to test and run the sample Terraform code, and make it the current directory.

  2. Create a file named providers.tf and insert the following code.

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "~>4.0"
        }
        random = {
          source  = "hashicorp/random"
          version = "~>3.0"
        }
      }
    }
    
    provider "azurerm" {
      features {}
    }
    
  3. Create a file named main.tf and insert the following code.

    # Create a random name for the resource group
    resource "random_pet" "rg" {
      prefix = var.resource_group_name_prefix
    }
    
    # Create a resource group using the generated random name
    resource "azurerm_resource_group" "example" {
      location = var.resource_group_location
      name     = random_pet.rg.id
    }
    
    # Create a Virtual Network to host the Virtual Machines 
    # in the Backend Pool of the Load Balancer
    resource "azurerm_virtual_network" "example" {
      name                = var.virtual_network_name
      address_space       = ["10.0.0.0/16"]
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
    }
    
    # Create a subnet in the Virtual Network to host the Virtual Machines
    # in the Backend Pool of the Load Balancer
    resource "azurerm_subnet" "example" {
      name                 = var.subnet_name
      resource_group_name  = azurerm_resource_group.example.name
      virtual_network_name = azurerm_virtual_network.example.name
      address_prefixes     = ["10.0.1.0/24"]
    }
    
    # Create a subnet in the Virtual Network for creating Azure Bastion
    # This subnet is required for Azure Bastion to work properly
    resource "azurerm_subnet" "bastion" {
      name                 = "AzureBastionSubnet"
      resource_group_name  = azurerm_resource_group.example.name
      virtual_network_name = azurerm_virtual_network.example.name
      address_prefixes     = ["10.0.2.0/24"]
    }
    
    # Create Network Security Group and rules to control the traffic
    # to and from the Virtual Machines in the Backend Pool
    resource "azurerm_network_security_group" "example" {
      name                = var.network_security_group_name
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
    
      security_rule {
        name                       = "ssh"
        priority                   = 1022
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = "*"
        destination_port_range     = "22"
        source_address_prefix      = "*"
        destination_address_prefix = "10.0.1.0/24"
      }
    
      security_rule {
        name                       = "web"
        priority                   = 1080
        direction                  = "Inbound"
        access                     = "Allow"
        protocol                   = "Tcp"
        source_port_range          = "*"
        destination_port_range     = "80"
        source_address_prefix      = "*"
        destination_address_prefix = "10.0.1.0/24"
      }
    }
    
    # Associate the Network Security Group to the subnet to allow the
    # Network Security Group to control the traffic to and from the subnet
    resource "azurerm_subnet_network_security_group_association" "example" {
      subnet_id                 = azurerm_subnet.example.id
      network_security_group_id = azurerm_network_security_group.example.id
    }
    
    # Create Public IPs: one for the NAT Gateway (outbound access) and one
    # for Azure Bastion. The internal Load Balancer has a private frontend only.
    resource "azurerm_public_ip" "example" {
      count               = 2
      name                = "${var.public_ip_name}-${count.index}"
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
      allocation_method   = "Static"
      sku                 = "Standard"
    }
    
    # Create a NAT Gateway for outbound internet access of the 
    # Virtual Machines in the Backend Pool of the Load Balancer
    resource "azurerm_nat_gateway" "example" {
      name                = var.nat_gateway
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
      sku_name            = "Standard"
    }
    
    # Associate one of the Public IPs to the NAT Gateway to route
    # traffic from the Virtual Machines to the internet
    resource "azurerm_nat_gateway_public_ip_association" "example" {
      nat_gateway_id       = azurerm_nat_gateway.example.id
      public_ip_address_id = azurerm_public_ip.example[0].id
    }
    
    # Associate the NAT Gateway to subnet to route 
    # traffic from the Virtual Machines to the internet
    resource "azurerm_subnet_nat_gateway_association" "example" {
      subnet_id      = azurerm_subnet.example.id
      nat_gateway_id = azurerm_nat_gateway.example.id
    }
    
    # Create Network Interfaces
    # The Network Interfaces will be associated with the
    # Virtual Machines created later
    resource "azurerm_network_interface" "example" {
      count               = 3
      name                = "${var.network_interface_name}-${count.index}"
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
    
      ip_configuration {
        name                          = "ipconfig-${count.index}"
        subnet_id                     = azurerm_subnet.example.id
        private_ip_address_allocation = "Dynamic"
        primary                       = true
      }
    }
    
    # Create Azure Bastion for accessing the Virtual Machines
    # The Bastion Host will be used to access the Virtual 
    # Machines in the Backend Pool of the Load Balancer
    resource "azurerm_bastion_host" "example" {
      name                = var.bastion_name
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
      sku                 = "Standard"
    
      ip_configuration {
        name                 = "ipconfig"
        subnet_id            = azurerm_subnet.bastion.id
        public_ip_address_id = azurerm_public_ip.example[1].id
      }
    }
    
    # Associate Network Interface to the Backend Pool of the Load Balancer
    # The Network Interface will be used to route traffic to the Virtual
    # Machines in the Backend Pool
    resource "azurerm_network_interface_backend_address_pool_association" "example" {
      count                   = 2
      network_interface_id    = azurerm_network_interface.example[count.index].id
      ip_configuration_name   = "ipconfig-${count.index}"
      backend_address_pool_id = azurerm_lb_backend_address_pool.example.id
    }
    
    # Generate a random password for the VM admin users
    resource "random_password" "example" {
      length  = 16
      special = true
      lower   = true
      upper   = true
      numeric = true
    }
    
    # Create three Virtual Machines in the Backend Pool of the Load Balancer 
    resource "azurerm_linux_virtual_machine" "example" {
      count                 = 3
      name                  = "${var.virtual_machine_name}-${count.index}"
      location              = azurerm_resource_group.example.location
      resource_group_name   = azurerm_resource_group.example.name
      network_interface_ids = [azurerm_network_interface.example[count.index].id]
      size                  = var.virtual_machine_size
    
      os_disk {
        name                 = "${var.disk_name}-${count.index}"
        caching              = "ReadWrite"
        storage_account_type = var.redundancy_type
      }
    
      source_image_reference {
        publisher = "Canonical"
        offer     = "0001-com-ubuntu-server-jammy"
        sku       = "22_04-lts-gen2"
        version   = "latest"
      }
    
      admin_username                  = var.username
      admin_password                  = coalesce(var.password, random_password.example.result)
      disable_password_authentication = false
    
    }
    
    # Enable virtual machine extension and install Nginx
    # The script will update the package list, install Nginx,
    # and create a simple HTML page
    resource "azurerm_virtual_machine_extension" "example" {
      count                = 2
      name                 = "Nginx"
      virtual_machine_id   = azurerm_linux_virtual_machine.example[count.index].id
      publisher            = "Microsoft.Azure.Extensions"
      type                 = "CustomScript"
      type_handler_version = "2.0"
    
      settings = <<SETTINGS
    {
     "commandToExecute": "sudo apt-get update && sudo apt-get install nginx -y && echo \"Hello World from $(hostname)\" > /var/www/html/index.html && sudo systemctl restart nginx"
    }
    SETTINGS
    
    }
    
    # Create an Internal Load Balancer to distribute traffic to the
    # Virtual Machines in the Backend Pool
    resource "azurerm_lb" "example" {
      name                = var.load_balancer_name
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
      sku                 = "Standard"
    
      frontend_ip_configuration {
        name                          = "frontend-ip"
        subnet_id                     = azurerm_subnet.example.id
        private_ip_address_allocation = "Dynamic"
      }
    }
    
    # Create a Backend Address Pool for the Load Balancer
    resource "azurerm_lb_backend_address_pool" "example" {
      loadbalancer_id = azurerm_lb.example.id
      name            = "test-pool"
    }
    
    # Create a Load Balancer Probe to check the health of the 
    # Virtual Machines in the Backend Pool
    resource "azurerm_lb_probe" "example" {
      loadbalancer_id = azurerm_lb.example.id
      name            = "test-probe"
      port            = 80
    }
    
    # Create a Load Balancer Rule to define how traffic will be
    # distributed to the Virtual Machines in the Backend Pool
    resource "azurerm_lb_rule" "example" {
      loadbalancer_id                = azurerm_lb.example.id
      name                           = "test-rule"
      protocol                       = "Tcp"
      frontend_port                  = 80
      backend_port                   = 80
      disable_outbound_snat          = true
      frontend_ip_configuration_name = "frontend-ip"
      probe_id                       = azurerm_lb_probe.example.id
      backend_address_pool_ids       = [azurerm_lb_backend_address_pool.example.id]
    }
    
  4. Create a file named variables.tf and insert the following code.

    variable "resource_group_location" {
      type        = string
      default     = "chinaeast"
      description = "Location of the resource group."
    }
    
    variable "resource_group_name_prefix" {
      type        = string
      default     = "rg"
      description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
    }
    
    variable "username" {
      type        = string
      default     = "azureadmin"
      description = "The username for the local account that will be created on the new VM."
    }
    
    variable "password" {
      type        = string
      default     = ""
      description = "The password for the local account that will be created on the new VM. If left blank, a random password is generated."
    }
    
    variable "virtual_network_name" {
      type        = string
      default     = "test-vnet"
      description = "Name of the Virtual Network."
    }
    
    variable "subnet_name" {
      type        = string
      default     = "test-subnet"
      description = "Name of the subnet."
    }
    
    variable "network_security_group_name" {
      type        = string
      default     = "test-nsg"
      description = "Name of the Network Security Group."
    }
    
    variable "network_interface_name" {
      type        = string
      default     = "test-nic"
      description = "Name of the Network Interface."
    }
    
    variable "public_ip_name" {
      type        = string
      default     = "test-pip"
      description = "Name of the Public IP."
    }
    
    variable "nat_gateway" {
      type        = string
      default     = "test-nat"
      description = "Name of the NAT gateway."
    }
    
    variable "bastion_name" {
      type        = string
      default     = "test-bastion"
      description = "Name of the Bastion."
    }
    
    variable "virtual_machine_name" {
      type        = string
      default     = "test-vm"
      description = "Name of the Virtual Machine."
    }
    
    variable "virtual_machine_size" {
      type        = string
      default     = "Standard_B2s"
      description = "Size or SKU of the Virtual Machine."
    }
    
    variable "disk_name" {
      type        = string
      default     = "test-disk"
      description = "Name of the OS disk of the Virtual Machine."
    }
    
    variable "redundancy_type" {
      type        = string
      default     = "Standard_LRS"
      description = "Storage redundancy type of the OS disk."
    }
    
    variable "load_balancer_name" {
      type        = string
      default     = "test-lb"
      description = "Name of the Load Balancer."
    }
    
  5. Create a file named outputs.tf and insert the following code.

    output "resource_group_name" {
      value = azurerm_resource_group.example.name
    }
    
    output "private_ip_address" {
      value = "http://${azurerm_lb.example.private_ip_address}"
    }
    
    output "vm_password" {
      value     = azurerm_linux_virtual_machine.example[0].admin_password
      sensitive = true
    }
    

Important

If you use the 4.x azurerm provider, you must explicitly specify the Azure subscription ID to authenticate to Azure before running the Terraform commands.

One way to specify the Azure subscription ID without putting it in the providers block is to set it in an environment variable named ARM_SUBSCRIPTION_ID.

For more information, see the Azure provider reference documentation.

Initialize Terraform

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.

terraform init -upgrade

Key points:

  • The -upgrade parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.

Create a Terraform execution plan

Run terraform plan to create an execution plan.

terraform plan -out main.tfplan

Apply a Terraform execution plan

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply main.tfplan

Key points:

  • The example terraform apply command assumes you previously ran terraform plan -out main.tfplan.
  • If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
  • If you didn't use the -out parameter, call terraform apply without any parameters.
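
Before applying the plan, a reviewer will want to know whether the NSG in main.tf admits any source to SSH. The following added example (not part of the quickstart or the Azure Terraform repo) reads the JSON that `terraform show -json main.tfplan` emits and flags inbound Allow rules whose source_address_prefix is "*" on ports 22 or 3389; it assumes the plan-JSON layout resource_changes[].change.after.security_rule, and the embedded plan fragment is constructed by hand to mirror the ssh and web rules from main.tf.

```python
"""Flag broad inbound NSG rules in a Terraform plan before it is applied.
Added example, not part of the quickstart: feed it the JSON from
`terraform show -json main.tfplan`, or run it bare to check a constructed
plan fragment that mirrors the "ssh" and "web" rules in main.tf."""
import json
import sys

ADMIN_PORTS = {"22", "3389"}  # SSH and RDP


def broad_admin_rules(plan):
    """Return (resource address, rule name) for each inbound Allow rule that
    admits any source ("*" or "Internet") to an administrative port."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_network_security_group":
            continue
        after = rc.get("change", {}).get("after") or {}
        for rule in after.get("security_rule", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            if rule.get("source_address_prefix") not in ("*", "Internet"):
                continue
            port = str(rule.get("destination_port_range", ""))
            if port == "*" or port in ADMIN_PORTS:
                findings.append((rc["address"], rule["name"]))
    return findings


# Constructed plan fragment (hand-written, not real terraform output).
SAMPLE_PLAN = {"resource_changes": [{
    "address": "azurerm_network_security_group.example",
    "type": "azurerm_network_security_group",
    "change": {"actions": ["create"], "after": {"security_rule": [
        {"name": "ssh", "priority": 1022, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "source_port_range": "*", "destination_port_range": "22",
         "source_address_prefix": "*", "destination_address_prefix": "10.0.1.0/24"},
        {"name": "web", "priority": 1080, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "source_port_range": "*", "destination_port_range": "80",
         "source_address_prefix": "*", "destination_address_prefix": "10.0.1.0/24"},
    ]}},
}]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, name in broad_admin_rules(plan):
        print(f"{address}: rule '{name}' allows any source to an admin port")
```

Only the ssh rule is reported; narrowing its source_address_prefix to the AzureBastionSubnet range 10.0.2.0/24 clears the finding while the web rule on port 80 is left alone.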

Verify the results

  1. Display the Azure resource group name.

    terraform output -raw resource_group_name
    
  2. (Optional) Display the VM (virtual machine) password.

    terraform output -raw vm_password
    
  3. Display the frontend private IP address.

    terraform output -raw private_ip_address
    
  4. Use Bastion to sign in to the VM that isn't associated with the load balancer's backend pool.

  5. Run the curl command to access the custom web page of the Nginx web server using the frontend private IP address of the load balancer.

    curl http://<Frontend IP address>
    

Clean up resources

When you no longer need the resources created via Terraform, do the following steps:

  1. Run terraform plan and specify the destroy flag.

    terraform plan -destroy -out main.destroy.tfplan
    
  2. Run terraform apply to apply the execution plan.

    terraform apply main.destroy.tfplan
    

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps