2017-01-24 75 views
0

Terraform and VPC peering

So we're using terraform fairly extensively in our organization, and I have a few questions about how others are doing VPC peering. The initial creation of the connection is very simple: from the VPC we've just created we pull in and reference the other VPC, then populate the route tables and so on. The problem is on the VPC we just peered to. We now have to go over to that other network stack by hand and manually add the CIDR/PCX ID as variables. I wrote a script that makes this easier for us, but I'd like to ask whether anyone is dynamically doing a lookup against AWS for any existing VPC and automatically adding the existing PCXs to that VPC's route table.

A good example is the OPS VPC. We have OPS, then dev, prod, qa, stg, uat, cte and so on. So when we create the CTE vpc, it automatically creates a pcx, links it to ops and adds a route to ops. However, ops doesn't know about this new pcx, so we have to add it manually. I'd like ops to be able to do a resource lookup on itself and provision its own resources for any new VPC/PCX it finds.

TLDR; a way for two-way VPC peering to be more dynamic

Answers

0

We ended up just writing a wrapper script around this. Whenever we add a new VPC, we go to the ops VPC directory and run this script, which dynamically populates the variables.tf file with all the variables needed to set up the OPS vpc peering connections/routes.

Example script:

#!/bin/bash
# Region and account are derived from the directory layout the script is run
# from: "<region>-<name>/...vars.tf" under the current directory for the region,
# and the fifth path component of $PWD for the account name.
region=$(find . -name "*vars.tf" | cut -d/ -f2 | cut -d- -f1-3)
# "profile" is read from the vars file but the aws calls below use $account.
profile=$(find . -name "*vars.tf" -exec grep 'variable "profile"' {} \; | awk '{print $6}' | tr -d '"')
account=$(pwd | cut -d/ -f5 | cut -d- -f1)

# Print either the requester CIDR ("cidr") or the ID ("id") of every peering
# connection in the ids array, one per line.
getData() {
    for id in "${ids[@]}"; do
        output=$(aws ec2 describe-vpc-peering-connections --region "$region" --profile "$account" --vpc-peering-connection-ids "$id")
        cidr=$(echo "$output" | jq -r '.VpcPeeringConnections[].RequesterVpcInfo.CidrBlock')
        if [[ $1 == cidr ]]; then
            echo "$cidr"
        elif [[ $1 == id ]]; then
            echo "$id"
        fi
    done
}

# Refuse to run anywhere but the ops stack directory.
checkOps() {
    pwd | grep -q 'ops'
}

populateRoutes() {
    if ! checkOps; then
        echo "Must be run from the ops directory"
        exit 1
    fi
    # Only peering connections that are already active get routes.
    ids=($(aws ec2 describe-vpc-peering-connections --region "$region" --profile "$account" --filters "Name=status-code,Values=active" | jq -r '.VpcPeeringConnections[].VpcPeeringConnectionId'))
    if ((${#ids[@]} == 0)); then
        echo "No update necessary"
        exit 0
    fi

    cidr_list=($(getData cidr))
    cidr_format=$(echo "${cidr_list[@]}" | tr ' ' ',')
    echo "$cidr_format"

    id_list=($(getData id))
    id_format=$(echo "${id_list[@]}" | tr ' ' ',')
    echo "$id_format"

    if ((${#cidr_list[@]} != ${#id_list[@]})); then
        echo "CIDR List and ID List do not match"
        exit 1
    fi

    # Replace the whole line that declares each variable in variables.tf (GNU sed "c\").
    sed -i "/pcx_count/c\\variable \"pcx_count\" { default = \"${#ids[@]}\" }" ./variables.tf
    sed -i "/ops_cidrs/c\\variable \"ops_cidrs\" { default = \"$cidr_format\" }" ./variables.tf
    sed -i "/pcx_ids/c\\variable \"pcx_ids\" { default = \"$id_format\" }" ./variables.tf
}

populateRoutes
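An added example, not the original poster's script or any project's code, that does the same lookup in Python over constructed describe-vpc-peering-connections output so it runs offline. It handles the case the script above does not: the script always reads RequesterVpcInfo.CidrBlock, which is the ops VPC's own CIDR whenever ops initiated the peering, so this version picks whichever side is not the ops VPC. It also skips pending and unrelated peerings, rejects malformed or overlapping CIDRs before they become routes in the ops route table, and renders the three variables the sed lines write. OPS_VPC_ID and every vpc-/pcx- identifier in the sample data are made up.

```python
import ipaddress
import json

# Assumed identifier for the ops VPC; all ids below are made up for this example.
OPS_VPC_ID = "vpc-0ops000000000001"

# Constructed sample in the shape returned by
# `aws ec2 describe-vpc-peering-connections` (no status filter applied).
SAMPLE_OUTPUT = json.dumps({
    "VpcPeeringConnections": [
        {   # dev -> ops: ops is the accepter (the only case the bash script handles)
            "VpcPeeringConnectionId": "pcx-0dev000000000001",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"VpcId": "vpc-0dev000000000001", "CidrBlock": "10.2.0.0/16"},
            "AccepterVpcInfo": {"VpcId": OPS_VPC_ID, "CidrBlock": "10.1.0.0/16"},
        },
        {   # ops -> qa: ops is the requester, so RequesterVpcInfo.CidrBlock is ops itself
            "VpcPeeringConnectionId": "pcx-0qa0000000000001",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"VpcId": OPS_VPC_ID, "CidrBlock": "10.1.0.0/16"},
            "AccepterVpcInfo": {"VpcId": "vpc-0qa0000000000001", "CidrBlock": "10.3.0.0/16"},
        },
        {   # stg -> ops, not yet accepted: no route until it is active
            "VpcPeeringConnectionId": "pcx-0stg000000000001",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"VpcId": "vpc-0stg000000000001", "CidrBlock": "10.4.0.0/16"},
            "AccepterVpcInfo": {"VpcId": OPS_VPC_ID, "CidrBlock": "10.1.0.0/16"},
        },
        {   # dev <-> qa: visible in the account, but ops is not a party to it
            "VpcPeeringConnectionId": "pcx-0devqa0000000001",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"VpcId": "vpc-0dev000000000001", "CidrBlock": "10.2.0.0/16"},
            "AccepterVpcInfo": {"VpcId": "vpc-0qa0000000000001", "CidrBlock": "10.3.0.0/16"},
        },
    ]
})

# Constructed negative case: a peer whose CIDR sits inside the ops range.
SAMPLE_OVERLAP = json.dumps({
    "VpcPeeringConnections": [{
        "VpcPeeringConnectionId": "pcx-0bad000000000001",
        "Status": {"Code": "active"},
        "RequesterVpcInfo": {"VpcId": "vpc-0bad000000000001", "CidrBlock": "10.1.128.0/17"},
        "AccepterVpcInfo": {"VpcId": OPS_VPC_ID, "CidrBlock": "10.1.0.0/16"},
    }]
})


def peer_routes(describe_output, ops_vpc_id):
    """Return sorted (pcx_id, peer_cidr) pairs for every active peering in which
    ops_vpc_id is one side. Raises ValueError on malformed or overlapping CIDRs,
    because whatever comes out of here ends up as a route in the ops route table."""
    routes = []
    seen = []
    for pcx in json.loads(describe_output)["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] != "active":
            continue
        req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
        if req["VpcId"] == ops_vpc_id:
            ours, peer = req, acc
        elif acc["VpcId"] == ops_vpc_id:
            ours, peer = acc, req
        else:
            continue  # ops is not a party to this peering
        # strict=True rejects CIDRs with host bits set, e.g. "10.2.1.0/16"
        ours_net = ipaddress.ip_network(ours["CidrBlock"], strict=True)
        peer_net = ipaddress.ip_network(peer["CidrBlock"], strict=True)
        pcx_id = pcx["VpcPeeringConnectionId"]
        if peer_net.overlaps(ours_net):
            raise ValueError(f"{pcx_id}: peer CIDR {peer_net} overlaps ops CIDR {ours_net}")
        for other in seen:
            if peer_net.overlaps(other):
                raise ValueError(f"{pcx_id}: peer CIDR {peer_net} overlaps {other}")
        seen.append(peer_net)
        routes.append((pcx_id, str(peer_net)))
    return sorted(routes)


def render_variables(routes):
    """Render the three variable lines the wrapper script rewrites with sed."""
    ids = ",".join(pcx_id for pcx_id, _ in routes)
    cidrs = ",".join(cidr for _, cidr in routes)
    return (
        f'variable "pcx_count" {{ default = "{len(routes)}" }}\n'
        f'variable "ops_cidrs" {{ default = "{cidrs}" }}\n'
        f'variable "pcx_ids" {{ default = "{ids}" }}\n'
    )


if __name__ == "__main__":
    print(render_variables(peer_routes(SAMPLE_OUTPUT, OPS_VPC_ID)), end="")
```

Run against real output you would replace SAMPLE_OUTPUT with the text of `aws ec2 describe-vpc-peering-connections` and write the rendered lines into variables.tf; the point of raising on overlap rather than skipping is that a silently dropped or wrong route is harder to notice than a failed run.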
0

Assuming you're using a remote state backend, you can pull the OPS network stack in as a remote state data source and then modify its route table from whichever ephemeral stack you want it to be able to route to.

I'll try to put together a small example (obviously missing a lot of boilerplate):

# my_ops_stack.tf 

provider "aws" { 
    region = "eu-west-1" 
} 

module "ops_stack" { 
    source = "/my/modules/ops_stack" 
    cidr = "10.1.0.0/16" 
    // other vars probably 
} 

// the outputs which will be accessible 
// via the remote state data source: 
output "routing_table_id" { 
    value = "${module.ops_stack.routing_table_id}" 
} 
output "vpc_id" { 
    value = "${module.ops_stack.vpc_id}" 
} 
output "vpc_cidr" { 
    value = "10.1.0.0/16" 
} 

I'd now configure this stack's remote state backend using the terraform CLI (this will soon be possible in config):

# Run in the same folder as my_ops_stack.tf 
terraform remote config \ 
    -backend=s3 \ 
    -backend-config="bucket=my-state-bucket" \ 
    -backend-config="key=ops-stack/terraform.tfstate" \ 
    -backend-config="region=eu-west-1" 

Now that the state backend is configured, any apply of changes to the stack will be synced to the backend:

terraform apply 
# the usual stuff... but now synced with s3! 

Now, in the template for the new ephemeral stacks (DEV, prod, QA, STG, UAT, CTE, etc.):

# my_dev_stack.tf 

provider "aws" { 
    region = "eu-west-1" 
} 

// Pull in your ops stack from the remote backend: 
data "terraform_remote_state" "ops_stack" { 
    backend = "s3" 
    config { 
     bucket = "my-state-bucket" 
     key = "ops-stack/terraform.tfstate" 
     region = "eu-west-1" 
    } 
} 

// Create your dev stack 
module "dev_stack" { 
    source   = "/my/modules/dev_stack" 
    cidr    = "10.2.0.0/16" 
    // The ops_stack vpc id for creating the peering connection: 
    ops_vpc_id  = "${data.terraform_remote_state.ops_stack.vpc_id}" 
    // Maybe some security group rules you wanna setup 
    allow_access_from = "${data.terraform_remote_state.ops_stack.vpc_cidr}" 
    // other vars probably 
} 

// And use its outputs to add a route to the 
// ops vpc routing table from the dev stack! 
resource "aws_route" "ops_to_dev" { 
    route_table_id = "${data.terraform_remote_state.ops_stack.routing_table_id}" 
    destination_cidr_block = "10.2.0.0/16" // dev_stack's cidr 
    vpc_peering_connection_id = "${module.dev_stack.vpcx_id}" 
} 

Once you're done with an ephemeral stack, you can safely destroy it and it will even clean up its route in the ops stack.

Hope this is what you're after!