Infrastructure as Code 基础设施即代码

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

626 字

2 分钟

Infrastructure as Code 基础设施即代码

2023-09-01

运维

工程实践

/

底层原理

凌晨两点，生产环境的数据库服务器配置被手动修改导致宕机，而没有人能说清楚到底改了什么。如果基础设施的每一项变更都像代码一样有版本记录、可审查、可回滚，这类事故就不会发生。Infrastructure as Code（IaC，基础设施即代码） 正是解决这个问题的方法论。

一、IaC 概述#

1. IaC 核心概念#

graph TB subgraph "IaC 优势" A["版本控制"] --> D["可重复"] B["自动化"] --> D C["一致性"] --> D E["审计追踪"] --> D end

特性	说明
声明式	定义期望状态
版本控制	Git 管理基础设施
自动化	减少人工操作
可测试	验证基础设施变更

2. 工具对比#

工具	类型	语言	适用场景
Terraform	声明式	HCL	多云资源管理
Pulumi	声明式	Python/TS	开发者友好
Ansible	过程式	YAML	配置管理
CloudFormation	声明式	JSON/YAML	AWS 专用

二、Terraform 实践#

1. 基础配置#

Terraform 是 HashiCorp 开源的基础设施编排工具，使用 HCL（HashiCorp Configuration Language） 作为配置语言，支持多云资源管理。

1
terraform {
2
  required_providers {
3
    aws = {
4
      source  = "hashicorp/aws"
5
      version = "~> 5.0"
6
    }
7
  }
8

9
  backend "s3" {
10
    bucket = "tf-state-bucket"
11
    key    = "prod/terraform.tfstate"
12
    region = "us-east-1"
13
    dynamodb_table = "tf-locks"
14
  }
15
}
16

17
provider "aws" {
18
  region = "us-east-1"
19
}
20

21
# 变量定义
22
variable "environment" {
23
  type    = string
24
  default = "production"
25
}
26

27
# 资源定义
28
resource "aws_instance" "app" {
29
  ami           = "ami-0c55b159cbfafe1f0"
30
  instance_type = "t3.medium"
31

32
  tags = {
33
    Name        = "app-${var.environment}"
34
    Environment = var.environment
35
  }
36
}

2. 模块化设计#

1
module "vpc" {
2
  source  = "./modules/vpc"
3

4
  environment = var.environment
5
  cidr_block = var.vpc_cidr
6

7
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
8
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
9

10
  enable_nat_gateway = true
11
  single_nat_gateway = false
12
}
13

14
# modules/vpc/variables.tf
15
variable "environment" {
16
  type = string
17
}
18

19
variable "vpc_cidr" {
20
  type = string
21
}
22

23
variable "private_subnets" {
24
  type = list(string)
25
}
26

27
variable "public_subnets" {
28
  type = list(string)
29
}

3. 状态管理#

State（状态文件） 是 Terraform 追踪真实基础设施与配置映射关系的核心机制，必须妥善存储和保护。

1
# 状态锁定
2
terraform {
3
  backend "s3" {
4
    # DynamoDB 表用于状态锁定
5
    lock_table = "terraform-locks"
6
  }
7
}
8

9
# 导入现有资源
10
terraform import aws_instance.existing i-1234567890abcdef0
11

12
# 查看状态
13
terraform show
14
terraform state list
15
terraform state mv aws_instance.old aws_instance.new

三、Ansible 实践#

Ansible 是 Red Hat 维护的开源自动化工具，采用 Agentless（无代理） 架构，通过 SSH 连接目标主机执行任务。

1. 主机清单#

1
[webservers]
2
web1.example.com ansible_host=10.0.1.1
3
web2.example.com ansible_host=10.0.1.2
4

5
[databases]
6
db1.example.com ansible_host=10.0.2.1
7

8
[production:children]
9
webservers
10
databases
11

12
[production:vars]
13
ansible_user=ubuntu
14
ansible_python_interpreter=/usr/bin/python3

2. Playbook#

Playbook 是 Ansible 的任务编排文件，使用 YAML 格式定义配置、部署和编排的自动化流程。

1
- name: Deploy Application
2
  hosts: webservers
3
  become: yes
4

5
  vars:
6
    app_version: "1.0.0"
7
    app_port: 8080
8

9
  tasks:
10
    - name: Install dependencies
11
      apt:
12
        name:
13
          - nginx
14
          - python3-pip
15
        state: present
16
        update_cache: yes
17

18
    - name: Deploy application
19
      git:
20
        repo: "https://github.com/org/app.git"
21
        dest: /opt/app
22
        version: "{{ app_version }}"
23
        force: yes
24

25
    - name: Configure nginx
26
      template:
27
        src: nginx.conf.j2
28
        dest: /etc/nginx/conf.d/app.conf
29
      notify: Restart nginx
30

31
    - name: Start application
32
      systemd:
33
        name: app
34
        state: started
35
        enabled: yes
36
        daemon_reload: yes
37

38
    - name: Wait for application
39
      wait_for:
40
        port: "{{ app_port }}"
41
        delay: 5
42
        timeout: 60
43

44
  handlers:
45
    - name: Restart nginx
46
      systemd:
47
        name: nginx
48
        state: restarted

3. Roles 结构#

Roles（角色） 是 Ansible 组织 Playbook 的标准方式，将任务、变量、模板和处理器按目录结构分离。

1
# roles 应用结构
2
roles/
3
├── common/
4
│   ├── tasks/
5
│   │   └── main.yml
6
│   ├── handlers/
7
│   │   └── main.yml
8
│   └── templates/
9
│       └── motd.j2
10
├── nginx/
11
│   ├── tasks/
12
│   │   └── main.yml
13
│   ├── handlers/
14
│   │   └── main.yml
15
│   └── templates/
16
│       └── nginx.conf.j2
17
└── app/
18
    ├── tasks/
19
    │   └── main.yml
20
    ├── templates/
21
    │   └── app.conf.j2
22
    └── vars/
23
        └── main.yml

四、Pulumi 实践#

Pulumi 是新一代 IaC 工具，允许使用通用编程语言（如 TypeScript、Python、Go）定义基础设施，相比 HCL 更适合开发者。

1. TypeScript 示例#

1
import * as pulumi from "@pulumi/pulumi";
2
import * as aws from "@pulumi/aws";
3

4
// 创建 VPC
5
const vpc = new aws.ec2.Vpc("app-vpc", {
6
  cidrBlock: "10.0.0.0/16",
7
  enableDnsHostnames: true,
8
  enableDnsSupport: true,
9
  tags: {
10
    Name: "app-vpc",
11
    Environment: pulumi.getStack(),
12
  },
13
});
14

15
// 创建子网
16
const subnet = new aws.ec2.Subnet("app-subnet", {
17
  vpcId: vpc.id,
18
  cidrBlock: "10.0.1.0/24",
19
  availabilityZone: "us-east-1a",
20
  tags: {
21
    Name: "app-subnet",
22
  },
23
});
24

25
// 创建 ECS 集群
26
const cluster = new aws.ecs.Cluster("app-cluster", {
27
  name: "app-cluster",
28
  settings: [
29
    {
30
      name: "containerInsights",
31
      value: "enabled",
32
    },
33
  ],
34
});
35

36
// 导出
37
export const vpcId = vpc.id;
38
export const clusterName = cluster.name;
39
export const subnetId = subnet.id;

2. 跨云部署#

1
import * as aws from "@pulumi/aws";
2
import * as azure from "@pulumi/azure-native";
3
import * as gcp from "@pulumi/gcp";
4

5
// 统一的网络接口
6
interface NetworkConfig {
7
  vpcCidr: string;
8
  tags: Record<string, string>;
9
}
10

11
// AWS VPC
12
export function createAwsNetwork(config: NetworkConfig) {
13
  return new aws.ec2.Vpc("vpc", {
14
    cidrBlock: config.vpcCidr,
15
    tags: config.tags,
16
  });
17
}
18

19
// Azure Virtual Network
20
export function createAzureNetwork(config: NetworkConfig) {
21
  return new azure.network.VirtualNetwork("vnet", {
22
    resourceGroupName: "my-rg",
23
    addressSpace: [config.vpcCidr],
24
    tags: config.tags,
25
  });
26
}
27

28
// GCP Network
29
export function createGcpNetwork(config: NetworkConfig) {
30
  return new gcp.compute.Network("network", {
31
    autoCreateSubnetworks: false,
32
    routingConfig: {
33
      routingMode: "REGIONAL",
34
    },
35
  });
36
}

五、CI/CD 集成#

1. Terraform CI/CD#

1
name: Terraform CI/CD
2

3
on:
4
  push:
5
    branches: [main]
6
  pull_request:
7

8
jobs:
9
  terraform:
10
    runs-on: ubuntu-latest
11
    steps:
12
      - uses: actions/checkout@v4
13

14
      - uses: hashicorp/setup-terraform@v3
15
        with:
16
          terraform_version: 1.6.0
17

18
      - name: Terraform Init
19
        run: terraform init
20
        env:
21
          TF_VAR aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
22
          TF_VAR aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
23

24
      - name: Terraform Format Check
25
        run: terraform fmt -check
26

27
      - name: Terraform Validate
28
        run: terraform validate
29

30
      - name: Terraform Plan
31
        run: terraform plan -no-color
32
        env:
33
          TF_VAR aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
34
          TF_VAR aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
35

36
      - name: Terraform Apply
37
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
38
        run: terraform apply -auto-approve
39
        env:
40
          TF_VAR aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
41
          TF_VAR aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

2. Ansible CI/CD#

1
name: Ansible CI/CD
2

3
on:
4
  push:
5
    paths:
6
      - "ansible/**"
7
      - "inventory/**"
8

9
jobs:
10
  ansible-lint:
11
    runs-on: ubuntu-latest
12
    steps:
13
      - uses: actions/checkout@v4
14

15
      - name: Install ansible-lint
16
        run: pip install ansible-lint
17

18
      - name: Run ansible-lint
19
        run: ansible-lint
20

21
  molecule-test:
22
    runs-on: ubuntu-latest
23
    steps:
24
      - uses: actions/checkout@v4
25

26
      - name: Molecule Test
27
        run: |
28
          pip install molecule ansible
29
          molecule test

六、总结#

graph TB A["IaC 工具"] --> B["Terraform"] A --> C["Ansible"] A --> D["Pulumi"] B --> E["声明式 HCL"] C --> F["过程式 YAML"] D --> G["声明式代码"]

工具	优势	劣势
Terraform	多云支持、状态管理	HCL 学习曲线
Ansible	简单易用、Agentless	过程式、难以测试
Pulumi	开发者友好、类型安全	相对较新

最佳实践：