
Chapter 1: AWS Environment Setup

Provider

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

# Create a VPC
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

AWS Credentials

Credential lookup order

  1. Parameters in the provider definition
  2. Environment variables
  3. Shared credentials file
  4. Shared config file
  5. Container credentials
  6. Instance credentials and region

Note: the credentials are AWS IAM credentials; they determine which AWS resources the caller is permitted to act on.

  • Parameters in the provider definition
Credential example
provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}

Environment variables

provider "aws" {}

export AWS_ACCESS_KEY_ID="anaccesskey"
export AWS_SECRET_ACCESS_KEY="asecretkey"
export AWS_REGION="us-west-2"
terraform plan

Shared credentials and config files

  • Linux & Mac
    • $HOME/.aws/config
    • $HOME/.aws/credentials
  • Windows
    • %USERPROFILE%\.aws\config
    • %USERPROFILE%\.aws\credentials

If no profile is defined, the default profile is used. Select a profile with the profile parameter or the AWS_PROFILE environment variable. The locations of the shared config and credentials files are set with the shared_config_files and shared_credentials_files parameters, or with the AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables.

provider "aws" {
  shared_config_files      = ["/Users/tf_user/.aws/conf"]
  shared_credentials_files = ["/Users/tf_user/.aws/creds"]
  profile                  = "customprofile"
}

Container credentials

When running Terraform on CodeBuild, or on ECS with an IAM task role, credentials are obtained through the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable.

When running Terraform on EKS with IAM Roles for Service Accounts (IRSA), use the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables.

Instance credentials and region

On an EC2 instance, credentials and the region are obtained from the instance metadata service; its endpoint can be overridden with the ec2_metadata_service_endpoint parameter or the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

Using an IAM role
provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}
Using an IAM role via web identity
provider "aws" {
  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name            = "SESSION_NAME"
    web_identity_token_file = "/Users/tf_user/secrets/web-identity-token"
  }
}
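The following preflight script is an added example for this chapter; it is not part of the original page, of Terraform, or of the AWS provider. It ties together the credential lookup order, the environment-variable, shared-file, container and instance sections, and the assume_role blocks above: it reports which source in the chain will be used (walking the sources in the order the page lists them), flags static access_key/secret_key values written into .tf files, and checks that a role_arn has the shape of an IAM role ARN. The function names (find_static_keys, resolve_credential_source, check_role_arn) and the sample files it creates are my own constructions, and it only inspects files and environment variables, so it runs offline; "configured" therefore means present, not valid, and the instance metadata service cannot be verified without the network.

```shell
#!/usr/bin/env bash
# Preflight check for a Terraform working directory (added example; not part
# of the page, Terraform, or the AWS provider). It reads only files and
# environment variables, so it runs offline, and it walks the credential
# sources in the order the page lists them:
#   1. provider parameters  2. environment  3. shared credentials file
#   4. shared config file   5. container / web identity  6. instance metadata
# Function names and the sample files below are constructed for this demo.

# Print every static access_key/secret_key assignment in the .tf files.
# Static keys take precedence over every other source, and they are the
# setting to avoid: the secret is committed alongside the configuration.
find_static_keys() {
  grep -EHn '^[[:space:]]*(access_key|secret_key)[[:space:]]*=' "$1"/*.tf 2>/dev/null
}

# Profile the provider will look up in the shared files (AWS_PROFILE or default).
profile_name() { printf '%s\n' "${AWS_PROFILE:-default}"; }

# True when an INI-style shared file has the given section header, e.g.
# "[ci]" in the credentials file or "[profile ci]" in the config file.
has_section() {
  [ -f "$1" ] && grep -Fxq "[$2]" "$1"
}

# Report the first configured source in the chain. "Configured" means present,
# not valid: a profile section may be empty, and instance metadata cannot be
# checked offline, so it is reported as the fallback the provider would try.
resolve_credential_source() {
  tf_dir="$1"
  creds_file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  config_file="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  p="$(profile_name)"
  if [ "$p" = default ]; then cfg_header=default; else cfg_header="profile $p"; fi

  if find_static_keys "$tf_dir" >/dev/null; then
    echo provider-parameters
  elif [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo environment
  elif has_section "$creds_file" "$p"; then
    echo shared-credentials-file
  elif has_section "$config_file" "$cfg_header"; then
    echo shared-config-file
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ] ||
       [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
    echo container
  elif [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    echo web-identity
  else
    echo instance-metadata
  fi
}

# Sanity-check a role_arn for assume_role / assume_role_with_web_identity:
# an IAM role ARN has a 12-digit account id and a "role/" resource.
check_role_arn() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Constructed demo: a scratch directory whose provider block hard-codes keys,
# plus a shared credentials file with a "ci" profile (values are not real).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/main.tf" <<'EOF'
provider "aws" {
  region     = "us-west-2"
  access_key = "EXAMPLE-NOT-A-REAL-KEY"
  secret_key = "example-not-a-real-secret"
}
EOF
printf '[ci]\naws_access_key_id = EXAMPLE\naws_secret_access_key = EXAMPLE\n' \
  > "$demo_dir/credentials"

echo "static keys in provider blocks:"
find_static_keys "$demo_dir"
(
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
  export AWS_SHARED_CREDENTIALS_FILE="$demo_dir/credentials" AWS_PROFILE=ci
  echo "with static keys in main.tf: $(resolve_credential_source "$demo_dir")"   # provider-parameters
  # Remove the static keys and the chain moves on to the shared credentials file.
  grep -Ev 'access_key|secret_key' "$demo_dir/main.tf" > "$demo_dir/clean.tf"
  rm "$demo_dir/main.tf"
  echo "after removing them:         $(resolve_credential_source "$demo_dir")"   # shared-credentials-file
)
check_role_arn 'arn:aws:iam::123456789012:role/ROLE_NAME' && echo "role_arn format ok"
rm -rf "$demo_dir"
```

Run it from the directory that holds the .tf files (or pass that directory to the functions) before terraform plan; a non-empty find_static_keys result is the case to fix first, because those values override every other source, including an assume_role block in the same configuration.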