terraform - 切换到新工作区时,Terraform 尝试再次创建 S3 后端
问题描述
我正在关注这个优秀的 terraform 指南。我目前正在探索该州的第三篇文章。特别是在展示 terraform 工作空间的地方。所以,我有以下内容main.tf:
provider "aws" {
region = "us-east-2"
}
resource "aws_s3_bucket" "terraform_state" {
bucket = "mark-kharitonov-terraform-up-and-running-state"
# Enable versioning so we can see the full revision history of our
# state files
versioning {
enabled = true
}
# Enable server-side encryption by default
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
resource "aws_dynamodb_table" "terraform_locks" {
name = "terraform-up-and-running-locks"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
terraform {
backend "s3" {
# Replace this with your bucket name!
bucket = "mark-kharitonov-terraform-up-and-running-state"
key = "workspaces-example/terraform.tfstate"
region = "us-east-2"
# Replace this with your DynamoDB table name!
dynamodb_table = "terraform-up-and-running-locks"
encrypt = true
}
}
output "s3_bucket_arn" {
value = aws_s3_bucket.terraform_state.arn
description = "The ARN of the S3 bucket"
}
output "dynamodb_table_name" {
value = aws_dynamodb_table.terraform_locks.name
description = "The name of the DynamoDB table"
}
resource "aws_instance" "example" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t2.micro"
}
这一切都很棒:
C:\work\terraform [master ≡]> terraform workspace show
default
C:\work\terraform [master ≡]> terraform apply
Acquiring state lock. This may take a few moments...
aws_dynamodb_table.terraform_locks: Refreshing state... [id=terraform-up-and-running-locks]
aws_instance.example: Refreshing state... [id=i-01120238707b3ba8e]
aws_s3_bucket.terraform_state: Refreshing state... [id=mark-kharitonov-terraform-up-and-running-state]
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Releasing state lock. This may take a few moments...
Outputs:
dynamodb_table_name = terraform-up-and-running-locks
s3_bucket_arn = arn:aws:s3:::mark-kharitonov-terraform-up-and-running-state
C:\work\terraform [master ≡]>
现在我正在尝试遵循指南 - 创建一个新的工作区并在那里应用代码:
C:\work\terraform [master ≡]> terraform workspace new example1
Created and switched to workspace "example1"!
You're now on a new, empty workspace. Workspaces isolate their state,
so if you run "terraform plan" Terraform will not see any existing state
for this configuration.
C:\work\terraform [master ≡]> terraform plan
Acquiring state lock. This may take a few moments...
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_dynamodb_table.terraform_locks will be created
+ resource "aws_dynamodb_table" "terraform_locks" {
...
+ name = "terraform-up-and-running-locks"
...
}
# aws_instance.example will be created
+ resource "aws_instance" "example" {
+ ami = "ami-0c55b159cbfafe1f0"
...
}
# aws_s3_bucket.terraform_state will be created
+ resource "aws_s3_bucket" "terraform_state" {
...
+ bucket = "mark-kharitonov-terraform-up-and-running-state"
...
}
Plan: 3 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
Releasing state lock. This may take a few moments...
C:\work\terraform [master ≡]>
问题从这里开始。在指南中,该terraform plan命令报告将只创建一个资源 - EC2 实例。这意味着 terraform 将为后端重用相同的 S3 存储桶,并为锁重用相同的 DynamoDB 表。但就我而言,terraform 告诉我它想要创建所有 3 种资源,包括 S3 存储桶。这肯定会失败(已经尝试过)。
那么,我做错了什么?什么不见了?
解决方案
创建一个新的工作空间实际上是从头开始。指南步骤在这方面有点令人困惑,但他们正在制定两个计划以实现最终结果。第一个创建状态 S3 存储桶和锁定 DynamoDB 表,第二个计划仅包含他们正在创建的实例,但使用terraform代码块告诉该计划将其状态存储在哪里。
在您的示例中,您既要设置状态位置,又要在同一计划中创建它。这意味着当您创建一个新工作区时,它会再次尝试创建该状态位置,因为该工作区不知道其他工作区的状态。
最后,重要的是要知道使用工作空间通过将工作空间名称附加到远程状态路径来为每个工作空间创建唯一的状态文件。例如,如果您的状态位置是mark-kharitonov-terraform-up-and-running-state路径,workspaces-example那么您可能会看到以下内容:
- 默认状态:
mark-kharitonov-terraform-up-and-running-state/workspaces-example/default/terraform.tfstate - 其他状态:
mark-kharitonov-terraform-up-and-running-state/workspaces-example/other/terraform.tfstate
编辑:
明确如何获得指南结果。您需要在单独的文件夹中创建两个单独的计划(工作目录中的所有计划将同时运行)。所以创建一个层次结构,如:
- 计划 >
- 状态 >
- 主文件
- 实例 >
- 主文件
- 状态 >
在您的plans/state/main.tf文件中放置您的状态位置内容:
provider "aws" {
region = "us-east-2"
}
resource "aws_s3_bucket" "terraform_state" {
bucket = "mark-kharitonov-terraform-up-and-running-state"
# Enable versioning so we can see the full revision history of our
# state files
versioning {
enabled = true
}
# Enable server-side encryption by default
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
resource "aws_dynamodb_table" "terraform_locks" {
name = "terraform-up-and-running-locks"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
output "s3_bucket_arn" {
value = aws_s3_bucket.terraform_state.arn
description = "The ARN of the S3 bucket"
}
然后在您的plans/instance/main.tf文件中,您可以使用块引用创建的状态位置,terraform并且只需要以下内容:
terraform {
backend "s3" {
# Replace this with your bucket name!
bucket = "mark-kharitonov-terraform-up-and-running-state"
key = "workspaces-example/terraform.tfstate"
region = "us-east-2"
# Replace this with your DynamoDB table name!
dynamodb_table = "terraform-up-and-running-locks"
encrypt = true
}
}
resource "aws_instance" "example" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t2.micro"
}
推荐阅读
- bazel - 如何将 `config_setting()` 加载到我的 `.bzl` 文件中?
- dask - df.loc[df.index.intesection(mylabels)] 的 dask 等价物
- service - 每个由 ejabberd 管理的 MUC 频道机器人
- google-cloud-trace - 在 UI 中查看 stackTrace?
- wordpress - 在 WP 中打开带有密码保护的 Pdf
- c - 我应该为哈希表中的存储桶使用什么数据结构?
- c# - 如何删除或隐藏枢轴的页面选择
- python - 来自 scikit-learn 随机森林的令人困惑的概率
- awk - 在 awk 中使用标准输出作为输入
- asp.net - 使用 IAuthenticationFilter 时 HttpContext.Current 为空