Terraform Provider 配置 #
什么是 Provider? #
Provider 是 Terraform 与外部 API 交互的插件,负责理解 API 交互、暴露资源和数据源。每个 Provider 负责管理特定平台或服务的基础设施资源。
text
┌─────────────────────────────────────────────────────────────┐
│ Provider 架构 │
├─────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Terraform Core │ │
│ └───────────────────────┬─────────────────────────────┘ │
│ │ │
│ ┌───────────────┼───────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │AWS │ │Azure │ │GCP │ │
│ │Provider │ │Provider │ │Provider │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │AWS API │ │Azure API│ │GCP API │ │
│ └─────────┘ └─────────┘ └─────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
Provider 类型 #
官方 Provider #
text
┌─────────────────────────────────────────────────────────────┐
│ 官方 Provider │
├─────────────────────────────────────────────────────────────┤
│ │
│ 云服务商: │
│ ├── hashicorp/aws AWS │
│ ├── hashicorp/azurerm Azure │
│ ├── hashicorp/google GCP │
│ └── hashicorp/kubernetes Kubernetes │
│ │
│ 基础设施: │
│ ├── hashicorp/vault HashiCorp Vault │
│ ├── hashicorp/consul HashiCorp Consul │
│ ├── hashicorp/nomad HashiCorp Nomad │
│ └── hashicorp/boundary HashiCorp Boundary │
│ │
│ 本地/通用: │
│ ├── hashicorp/local 本地资源 │
│ ├── hashicorp/random 随机资源 │
│ ├── hashicorp/time 时间资源 │
│ ├── hashicorp/tls TLS 证书 │
│ └── hashicorp/http HTTP 数据源 │
│ │
└─────────────────────────────────────────────────────────────┘
合作伙伴 Provider #
text
┌─────────────────────────────────────────────────────────────┐
│ 合作伙伴 Provider │
├─────────────────────────────────────────────────────────────┤
│ │
│ ├── digitalocean/digitalocean DigitalOcean │
│ ├── linode/linode Linode │
│ ├── vultr/vultr Vultr │
│ ├── heroku/heroku Heroku │
│ ├── cloudflare/cloudflare Cloudflare │
│ ├── datadog/datadog Datadog │
│ ├── newrelic/newrelic New Relic │
│ ├── pagerduty/pagerduty PagerDuty │
│ └── slack/slack Slack │
│ │
└─────────────────────────────────────────────────────────────┘
社区 Provider #
text
┌─────────────────────────────────────────────────────────────┐
│ 社区 Provider │
├─────────────────────────────────────────────────────────────┤
│ │
│ 社区维护的 Provider,可能功能不全或稳定性较低 │
│ 使用前请检查: │
│ - 维护状态 │
│ - Star 数量 │
│ - 最近更新时间 │
│ - Issue 处理情况 │
│ │
│ 查找 Provider: │
│ https://registry.terraform.io/browse/providers │
│ │
└─────────────────────────────────────────────────────────────┘
Provider 配置 #
基本配置 #
hcl
# Declare which provider plugins this configuration needs.
# "~> 5.0" accepts any 5.x release (>= 5.0, < 6.0); terraform init resolves the
# exact version and records it in the dependency lock file.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Provider instance. Only the region is given here, so authentication is taken
# from the environment (environment variables, shared CLI config or a role)
# rather than from anything written in the configuration.
provider "aws" {
  region = "us-east-1"
}
版本约束 #
hcl
# Three pinning styles side by side:
#   aws     - exact version: fully reproducible, but every upgrade is an edit here
#   azurerm - explicit range: any 3.x release, excludes the 4.0 major
#   google  - "~> 4.0": any 4.x release (>= 4.0, < 5.0)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.31.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0.0, < 4.0.0"
    }
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}
版本约束语法:
text
┌─────────────────────────────────────────────────────────────┐
│ 版本约束语法 │
├─────────────────────────────────────────────────────────────┤
│ │
│ "1.0.0" 精确版本 │
│ "!= 1.0.0" 排除特定版本 │
│ "> 1.0.0" 大于 │
│ "< 1.0.0" 小于 │
│ ">= 1.0.0" 大于等于 │
│ "<= 1.0.0" 小于等于 │
│ "~> 1.0" 1.x.x(允许次版本和补丁更新) │
│ "~> 1.0.0" 1.0.x(只允许补丁更新) │
│ ">= 1.0.0, < 2.0.0" 范围约束 │
│ │
└─────────────────────────────────────────────────────────────┘
多 Provider 实例 #
hcl
# Two instances of the same provider, distinguished by alias. A resource picks
# one with "provider = aws.<alias>"; no un-aliased (default) aws provider is
# declared in this snippet, so every aws resource must name one explicitly.
provider "aws" {
  region = "us-east-1"
  alias  = "virginia"
}

provider "aws" {
  region = "us-west-2"
  alias  = "oregon"
}

resource "aws_instance" "east" {
  provider      = aws.virginia
  # AMI IDs are region-scoped; the same sample ID reused in both regions is for
  # illustration only and should be replaced by an AMI valid in each region.
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}

resource "aws_instance" "west" {
  provider      = aws.oregon
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}
多账号配置 #
hcl
# One provider instance per AWS account, each assuming a role in that account.
# The identity running Terraform needs sts:AssumeRole on the target role and
# must be allowed by that role's trust policy; the role itself should carry
# only the permissions this configuration actually manages (least privilege).
# Account IDs below are sample values.
provider "aws" {
  region = "us-east-1"
  alias  = "prod"
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/terraform"
  }
}

provider "aws" {
  region = "us-east-1"
  alias  = "dev"
  assume_role {
    role_arn = "arn:aws:iam::987654321098:role/terraform"
  }
}
AWS Provider #
认证方式 #
hcl
# Static credentials written directly into the provider block. The values here
# are sample placeholders, but real keys placed like this are committed with
# the configuration and copied wherever it is checked out; prefer the
# environment variables, shared CLI config or assumed role shown next.
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
推荐使用环境变量:
bash
# Hand the AWS credentials to Terraform through the environment instead of
# embedding them in .tf files. Values are sample placeholders, not real keys.
# Typing a real secret into an interactive shell records it in the shell's
# history file; sourcing it from a protected file or a credential helper
# avoids that.
AWS_ACCESS_KEY_ID='AKIAIOSFODNN7EXAMPLE'
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
AWS_DEFAULT_REGION='us-east-1'
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION
或使用 AWS CLI 配置:
bash
# Interactive prompt for access key, secret, region and output format. The
# answers are written to the AWS CLI's shared config/credentials files in the
# home directory, which the aws provider reads automatically, so no key has
# to appear in the configuration or the environment.
aws configure
或使用 IAM 角色:
hcl
# Role-based authentication: the provider exchanges the caller's current
# identity for temporary credentials of the named role, so no long-lived key
# needs to exist in the configuration or the environment.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform"
    # The session name becomes part of the assumed-role identity seen in
    # CloudTrail, which makes Terraform-originated API calls easy to attribute.
    session_name = "terraform-session"
  }
}
常用配置 #
hcl
# default_tags are merged into every taggable resource created through this
# provider instance, so ownership metadata does not depend on each resource
# block remembering to set it.
provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = {
      Environment = "production"
      ManagedBy   = "terraform"
      Project     = "my-project"
    }
  }
}
多区域配置 #
hcl
# One aliased provider instance per region; a resource selects its region by
# referencing the alias.
provider "aws" {
  region = "us-east-1"
  alias  = "us_east_1"
}

provider "aws" {
  region = "eu-west-1"
  alias  = "eu_west_1"
}

provider "aws" {
  region = "ap-northeast-1"
  alias  = "ap_northeast_1"
}

resource "aws_instance" "us_east" {
  provider      = aws.us_east_1
  # AMI IDs are region-scoped; replace the shared sample ID with one that
  # exists in each region.
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}

resource "aws_instance" "eu_west" {
  provider      = aws.eu_west_1
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}
Azure Provider #
认证方式 #
hcl
# Service-principal authentication with the secret embedded in code. The IDs
# and the secret are placeholders; a real client_secret written here would be
# committed with the configuration, so prefer the environment variables or the
# managed identity shown next. The empty features {} block is mandatory for
# this provider even when no feature flags are set.
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = "your-client-secret"
  tenant_id       = "00000000-0000-0000-0000-000000000000"
}
使用环境变量:
bash
# Supply the service-principal identity through the ARM_* variables the
# azurerm provider reads, keeping the client secret out of the .tf files.
# All values are placeholders. As with any secret typed into a shell, load it
# from a protected file instead so it does not end up in shell history.
ARM_SUBSCRIPTION_ID='00000000-0000-0000-0000-000000000000'
ARM_CLIENT_ID='00000000-0000-0000-0000-000000000000'
ARM_CLIENT_SECRET='your-client-secret'
ARM_TENANT_ID='00000000-0000-0000-0000-000000000000'
export ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID
使用托管身份:
hcl
# Managed identity: the provider obtains tokens from the identity assigned to
# the Azure host it runs on, so there is no client secret to store or rotate.
# This only works when Terraform itself runs on an Azure resource that has a
# managed identity attached.
provider "azurerm" {
  features {}
  use_msi         = true
  subscription_id = "00000000-0000-0000-0000-000000000000"
}
常用配置 #
hcl
# Provider feature flags that change destroy behaviour. Every flag below makes
# deletion more aggressive, which is convenient in dev environments but should
# be reviewed before use against production subscriptions.
provider "azurerm" {
  features {
    resource_group {
      # false lets terraform destroy remove a resource group that still holds
      # resources not managed by this configuration; the provider default is
      # true, which blocks that.
      prevent_deletion_if_contains_resources = false
    }
    virtual_machine {
      # OS and data disks are deleted together with the VM; their contents are
      # lost on destroy.
      delete_os_disk_on_deletion    = true
      delete_data_disks_on_deletion = true
    }
  }
  # Skip automatic registration of Azure resource providers in the
  # subscription. Useful when the identity lacks permission to register them,
  # but then every resource provider this configuration uses must already be
  # registered.
  skip_provider_registration = true
}
GCP Provider #
认证方式 #
hcl
# Service-account key file authentication. file() reads the JSON key from the
# module directory, so the key must be present wherever Terraform runs and must
# be kept out of version control (e.g. via .gitignore). Such keys are
# long-lived; the environment-variable and gcloud options shown next avoid
# keeping a key file next to the configuration.
provider "google" {
  project     = "my-project-id"
  region      = "us-central1"
  zone        = "us-central1-a"
  credentials = file("service-account.json")
}
使用环境变量:
bash
# Provide GCP credentials and defaults through the environment.
# GOOGLE_CREDENTIALS carries the service-account key JSON itself (abbreviated
# here), so the whole key sits in the process environment and, when typed
# interactively, in shell history; for real use load it from a protected file
# rather than pasting it on the command line.
GOOGLE_CREDENTIALS='{"type":"service_account",...}'
GOOGLE_PROJECT='my-project-id'
GOOGLE_REGION='us-central1'
export GOOGLE_CREDENTIALS GOOGLE_PROJECT GOOGLE_REGION
或使用 gcloud CLI:
bash
# Browser-based login that stores user Application Default Credentials locally;
# the google provider picks them up when neither a credentials argument nor
# GOOGLE_CREDENTIALS is set. Suited to developer workstations rather than CI,
# since it needs an interactive sign-in and uses a personal identity.
gcloud auth application-default login
常用配置 #
hcl
# default_labels are applied to every labelable resource created via this
# provider instance. google-beta is a separate plugin exposing resources and
# fields that are still in beta, so it needs its own provider block.
provider "google" {
  project = "my-project-id"
  region  = "us-central1"
  default_labels = {
    environment = "production"
    managed_by  = "terraform"
  }
}

provider "google-beta" {
  project = "my-project-id"
  region  = "us-central1"
}
Kubernetes Provider #
认证方式 #
hcl
# Reuse the local kubeconfig. Terraform then acts with whatever identity and
# current context that file selects, so confirm it points at the intended
# cluster before applying.
provider "kubernetes" {
  config_path = "~/.kube/config"
}
使用 EKS:
hcl
# Derive the Kubernetes provider settings from an existing EKS cluster via
# data sources, so no kubeconfig file is needed.
provider "aws" {
  region = "us-east-1"
}

data "aws_eks_cluster" "cluster" {
  name = "my-cluster"
}

# Issues a short-lived cluster authentication token for the AWS identity the
# aws provider is running as.
data "aws_eks_cluster_auth" "cluster" {
  name = "my-cluster"
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  # The API returns the CA base64-encoded; the provider expects PEM.
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  # Like every data-source result, the token is persisted in the state file;
  # keep state in a protected, access-controlled backend accordingly.
  token                  = data.aws_eks_cluster_auth.cluster.token
}
使用 AKS:
hcl
# Derive the Kubernetes provider settings from an existing AKS cluster.
provider "azurerm" {
  features {}
}

data "azurerm_kubernetes_cluster" "cluster" {
  name                = "my-cluster"
  resource_group_name = "my-resource-group"
}

# kube_config exposes the client certificate and private key used to
# authenticate to the cluster. They arrive base64-encoded and, as data-source
# results, are written to the state file in clear text; treat the state as a
# credential store and keep it in a protected remote backend.
provider "kubernetes" {
  host                   = data.azurerm_kubernetes_cluster.cluster.kube_config[0].host
  client_certificate     = base64decode(data.azurerm_kubernetes_cluster.cluster.kube_config[0].client_certificate)
  client_key             = base64decode(data.azurerm_kubernetes_cluster.cluster.kube_config[0].client_key)
  cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.cluster.kube_config[0].cluster_ca_certificate)
}
其他常用 Provider #
Docker Provider #
hcl
# Talk to the local Docker daemon over its Unix socket. Access to that socket
# is equivalent to root on the host, so whoever can run this configuration has
# full control of the machine; restrict who can execute it.
provider "docker" {
  host = "unix:///var/run/docker.sock"
}

# "latest" is a mutable tag, so successive runs may pull different content;
# pin a version tag or an image digest for reproducible deployments.
resource "docker_image" "nginx" {
  name = "nginx:latest"
}

resource "docker_container" "nginx" {
  image = docker_image.nginx.image_id
  name  = "nginx-server"
  # Publishes container port 80 as host port 8080 (by default on all host
  # interfaces, so it is reachable from the network, not just localhost).
  ports {
    internal = 80
    external = 8080
  }
}
Helm Provider #
hcl
# Helm provider reusing the local kubeconfig; the same caveat applies as for
# the kubernetes provider: it acts as whatever context that file selects.
provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

# Installs the ingress-nginx chart from its upstream repository. No chart
# version is pinned, so each apply may resolve a newer release; set the
# "version" argument for reproducible installs.
resource "helm_release" "nginx" {
  name             = "nginx-ingress"
  repository       = "https://kubernetes.github.io/ingress-nginx"
  chart            = "ingress-nginx"
  namespace        = "ingress-nginx"
  create_namespace = true
}
Cloudflare Provider #
hcl
# The API token comes from a variable rather than a literal; declare that
# variable with sensitive = true so it is redacted from plan/apply output, and
# scope the token to the zones this configuration manages.
provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

# An A record pointing www at an EC2 instance's public IP. aws_instance.web is
# not defined in this snippet, so it presumes an aws provider and that
# resource exist in the same configuration.
resource "cloudflare_record" "www" {
  zone_id = var.cloudflare_zone_id
  name    = "www"
  value   = aws_instance.web.public_ip
  type    = "A"
  ttl     = 300
}
Vault Provider #
hcl
# Fetch AWS keys from Vault at plan time and feed them to the aws provider.
provider "vault" {
  address = "https://vault.example.com"
  # The Vault token is itself a secret: supply it through a sensitive variable
  # (or the VAULT_TOKEN environment variable) and limit its policy to reading
  # the path used below.
  token   = var.vault_token
}

# The secret's key/value data is a data-source result and is therefore stored
# in the state file in clear text, even though it never appears in .tf files.
# Protect the state as you would the secret itself.
data "vault_generic_secret" "aws" {
  path = "secret/aws"
}

provider "aws" {
  access_key = data.vault_generic_secret.aws.data["access_key"]
  secret_key = data.vault_generic_secret.aws.data["secret_key"]
  region     = "us-east-1"
}
Provider 配置最佳实践 #
1. 分离配置文件 #
text
┌─────────────────────────────────────────────────────────────┐
│ 文件组织 │
├─────────────────────────────────────────────────────────────┤
│ │
│ providers.tf Provider 配置 │
│ versions.tf 版本约束 │
│ main.tf 主要资源 │
│ variables.tf 变量定义 │
│ outputs.tf 输出定义 │
│ │
└─────────────────────────────────────────────────────────────┘
2. 使用变量传递敏感信息 #
hcl
# Credentials passed in as input variables. sensitive = true makes Terraform
# redact the value from plan/apply output; it does not encrypt it. The value
# remains visible in saved plan files and in state wherever it flows into a
# resource attribute, and whatever supplies it (tfvars files, TF_VAR_*
# environment variables, CI secrets) must stay out of the repository.
variable "aws_access_key" {
  type      = string
  sensitive = true
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
}

provider "aws" {
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
  # var.region is assumed to be declared alongside the variables above.
  region     = var.region
}
3. 使用默认标签 #
hcl
# Same default_tags pattern as earlier, with environment and project taken
# from variables so one configuration can serve several environments.
provider "aws" {
  region = var.region
  default_tags {
    tags = {
      Environment = var.environment
      ManagedBy   = "terraform"
      Project     = var.project_name
    }
  }
}
4. 锁定版本 #
hcl
# Pin a minimum Terraform CLI version and an exact provider version. With an
# exact pin, provider upgrades are deliberate edits that go through code
# review; commit the generated dependency lock file as well so every run
# resolves the same plugin build.
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.31.0"
    }
  }
}
5. 使用工作空间区分环境 #
hcl
# Choose the region from the current workspace name, falling back to
# us-east-1 for any workspace not listed (including "default"). Only the
# region differs between workspaces here; credentials and account are still
# shared, so this separates environments by region, not by account boundary.
provider "aws" {
  region = lookup({
    dev  = "us-east-1"
    prod = "us-west-2"
  }, terraform.workspace, "us-east-1")
}
Provider 故障排除 #
常见错误 #
text
┌─────────────────────────────────────────────────────────────┐
│ 常见错误 │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. Provider not found │
│ → 运行 terraform init │
│ → 检查 source 路径 │
│ │
│ 2. Authentication failed │
│ → 检查凭证配置 │
│ → 验证环境变量 │
│ │
│ 3. Version conflict │
│ → 更新版本约束 │
│ → 运行 terraform init -upgrade │
│ │
│ 4. Rate limiting │
│ → 添加重试配置 │
│ → 减少并行度 │
│ │
└─────────────────────────────────────────────────────────────┘
调试 Provider #
bash
# TF_LOG raises Terraform's log level for a single invocation (DEBUG, then the
# more verbose TRACE). Verbose logs can include provider request and response
# details, so treat them as sensitive and redact before sharing them.
TF_LOG=DEBUG terraform plan
# 2>&1 folds the log output (written to stderr) into stdout so grep sees it.
TF_LOG=TRACE terraform apply 2>&1 | grep -i provider
下一步 #
掌握了 Provider 配置后,接下来学习 资源管理,深入了解 Terraform 资源的定义和管理!
最后更新:2026-03-29