Getting the Account ID
If you use or , Terraform uses several approaches to obtain the actual account ID so that it can be compared against the allowed or forbidden IDs.
The authentication approaches differ between providers:
- EC2 instance with an IAM instance profile: the metadata API is always used. Introduced in Terraform .
- All other providers (environment variable, shared credentials file, ...) will try two approaches in the following order:
  - : typically useful for IAM users. It also means that each user must be allowed to call for themselves.
  - : should work for both IAM users and federated IAM roles; introduced in Terraform .
  - : this is specifically useful for IdP-federated profiles that cannot use . It also means that each federated user must assume an IAM role that is allowed to call . Used in Terraform . There used to be no better way to get the account ID from the API when using a federated account until sts:GetCallerIdentity was introduced.
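The lookup order above, as an added example that is not part of the Terraform provider's code: each AWS call is replaced by a plain function returning a constructed response (the field names follow the real iam:GetUser, sts:GetCallerIdentity and iam:ListRoles responses), so the fallback chain and the allowed/forbidden comparison can run offline.

```python
class AccessDenied(Exception):
    """Stand-in for the SDK's permission error on a denied API call."""


def account_id_from_arn(arn):
    """Account ID is the fifth field of an ARN:
    arn:partition:service:region:account-id:resource"""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[4]


def resolve_account_id(get_user, get_caller_identity, list_roles):
    """Try iam:GetUser, then sts:GetCallerIdentity, then iam:ListRoles,
    falling through to the next call only on a permission error."""
    attempts = (
        lambda: account_id_from_arn(get_user()["User"]["Arn"]),
        lambda: get_caller_identity()["Account"],
        lambda: account_id_from_arn(list_roles()["Roles"][0]["Arn"]),
    )
    errors = []
    for attempt in attempts:
        try:
            return attempt()
        except AccessDenied as exc:
            errors.append(str(exc))
    raise RuntimeError("could not determine account ID: " + "; ".join(errors))


def account_permitted(account_id, allowed=(), forbidden=()):
    """Mirror of an allow-list / deny-list check on the resolved ID."""
    if allowed and account_id not in allowed:
        return False
    return account_id not in forbidden


# Constructed responses for an IdP-federated session: there is no IAM user,
# so iam:GetUser is denied and the lookup falls through to sts:GetCallerIdentity.
def federated_get_user():
    raise AccessDenied("not authorized to perform: iam:GetUser")


def federated_get_caller_identity():
    return {"Account": "123456789012",
            "Arn": "arn:aws:sts::123456789012:assumed-role/dev/alice"}


def federated_list_roles():
    return {"Roles": [{"Arn": "arn:aws:iam::123456789012:role/dev"}]}
```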
2018 HashiCorp. Licensed under MPL 2.0. https://www.terraform.io/docs/providers/aws/index.html
»Review resource configuration
Open the file in your editor to review the sample configuration.
Networking components
The first resources defined are the VPC and subnets, using the module.
Warning: For simplicity, this RDS tutorial instance is publicly
accessible. Avoid configuring database instances in public subnets in
production, since it increases the risk of security attacks.
Subnet group
The next resource is an , which designates a collection of
subnets that your RDS instance can be provisioned in. This subnet group uses
the subnets created by the VPC module.
This subnet group resource is an optional parameter in your
block below. Without it, Terraform creates your RDS instances in the default
VPC.
Database instance
Review the configuration.
Note the following arguments.
- and : The credentials for the root user.
- : Set to for this tutorial’s configuration. Use the default of for production systems.
- : Set to to disable taking a final backup when you destroy the database later in this tutorial.
You can review all of the supported arguments on the
resource documentation
page.
Parameter group
Now review the definition for the .
This configuration enables connection logging for all instances using this
parameter group. Note that the parameter must correspond with the
engine version of the RDS instance.
The parameter group resource contains all of the database-level settings for your RDS
instance, which will be specific to the database engine and version you use.
Custom parameter groups are optional, and AWS
will create the instance using a default parameter group if you do not supply
one. However, you cannot modify the settings of a default parameter
group, and changing the associated parameter group for an AWS instance always
requires a reboot, so it is best to use a custom one to support modifications
over the RDS life cycle.
Input variables
Note that the root user password relies on an input variable.
Open the file to review its configuration.
Take note of the meta-argument for the variable.
This argument tells Terraform to hide the password from the output during
Terraform operations. However, Terraform will store the password in plaintext
in the state file.
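An added check for the plaintext-state point above (example code, not HashiCorp's): it reads a Terraform state file in format version 4 and reports every aws_db_instance whose password is present in the state, or that has publicly_accessible or skip_final_snapshot set. The embedded state is constructed for the example.

```python
import json

# Constructed sample of a Terraform state file (format version 4) after
# applying an aws_db_instance like the tutorial's; all values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_db_subnet_group", "name": "education",
         "instances": [{"attributes": {"name": "education"}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "education",
         "instances": [{"attributes": {
             "identifier": "education", "username": "edu",
             "password": "sample-not-a-real-password",
             "publicly_accessible": True, "skip_final_snapshot": True,
             "allocated_storage": 5}}]},
    ],
})

# Attributes that leave an RDS instance exposed or its data unrecoverable.
RISKY_FLAGS = {"publicly_accessible": "instance reachable from the internet",
               "skip_final_snapshot": "no final backup taken on destroy"}


def audit_rds_state(state_text):
    """Return (resource address, message) findings for every aws_db_instance."""
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError("only state format version 4 is handled")
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_db_instance":
            continue
        addr = "aws_db_instance." + res["name"]
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            # Marking the variable sensitive only hides the value in CLI
            # output; the state file itself still carries it in clear text.
            if attrs.get("password"):
                findings.append((addr, "password stored in plaintext in state"))
            for flag, why in RISKY_FLAGS.items():
                if attrs.get(flag) is True:
                    findings.append((addr, "%s = true: %s" % (flag, why)))
    return findings


if __name__ == "__main__":
    for addr, msg in audit_rds_state(SAMPLE_STATE):
        print(addr, "-", msg)
```

To run it against a real state, pass the contents of terraform.tfstate (or the output of terraform state pull) to audit_rds_state.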
Tip: To learn more about sensitive variables, check out the Protect
Sensitive Input Variables
tutorial.
Output variables
Now review the contents of the file.
These outputs return details for the RDS instance that you will use to
construct the database connection string later in this tutorial.
»Provision resources
Now that you have reviewed the configuration, provision the RDS instance and
associated resources.
First, set the variable as an environment variable.
Initialize the Terraform configuration.
Next, apply the configuration. Respond to the prompt to confirm.
Terraform will now provision your resources. It may take 5-7 minutes for AWS to
provision the RDS instance.
Verify your configuration by using the endpoint, the password, and username
outputs to connect to the database using psql. Enter the password when prompted.
You are now connected to the database instance, verifying that the resource is
provisioned as expected.
Create a new database called "hashicorp" within this instance.
Now verify that the database is included in the list of databases
in the instance by using the command. Along with the database you
created, the list includes the default databases created in Postgres RDS
instances.
You will use this database to verify replication later in this tutorial.
Leave the terminal by typing .
»Modify instance configuration
In addition to initially provisioning resources, you will likely need to modify
the RDS configuration over the instance life cycle.
In , change the allocated storage from 5 to 10GB.
Apply your changes. Respond to the prompt to confirm.
Even after the apply completes successfully, the change will still be pending.
Verify by running .
Though some RDS configuration changes are safe to apply immediately, others (such
as ) require an instance reboot or may cause performance
degradation (such as ). By default, AWS will defer applying
any changes that can cause degradation or outage until your next scheduled
maintenance window. For a detailed breakdown of which attributes require a
reboot, consult the AWS RDS
documentation.
To make the changes take effect immediately, add the
argument to and set it to .
Apply your changes again. The proposed modifications will include the
still-pending storage resize and the argument. Respond to
the prompt to apply your changes.
This apply step will take longer than the previous one since Terraform will
wait for the instance reboot to complete.
Once this update is complete, run .
There are no pending changes remaining, confirming that Terraform resized the RDS instance. You can also verify this by navigating to your instance in the
for your region and reviewing the database instances.
Warning: Use the argument with caution since it can allow unexpected instance reboots and downtime.
»Next steps
Terraform allows you to easily provision and manage AWS RDS instances using
infrastructure as code. Since data storage resources are critical components of
infrastructure, a declarative way to manage the resources over their life cycle
will add an extra level of safety and consistency.
To learn more about managing RDS and other databases with HashiCorp tools:
- Review the provider documentation for the resource.
- Check out the RDS module to learn more about configuration options of RDS and related resources.
- Follow the tutorial for generating dynamic database credentials using HashiCorp Vault.