Refer to the official documentation and download page:
export ALICLOUD_ACCESS_KEY="anaccesskey"
export ALICLOUD_SECRET_KEY="asecretkey"# Install / download the plugins
terraform init
# Run the setup in dry mode (no change)
terraform plan
# Run the real setup
terraform apply| # | |
| # Kubernetes setup on AliCloud | |
| # | |
| # You can use this file as is - or split it into multiple files (main.tf, data.tf, vpc.tf, etc.) | |
| # | |
| # Links: | |
| # - https://www.terraform.io/docs/providers/alicloud/ | |
| # | |
| provider "alicloud" { | |
| version = "~> 1.26.0" | |
| region = "cn-shanghai" | |
| } | |
| # | |
| # Create a dedicated VPC | |
| # - https://www.terraform.io/docs/providers/alicloud/r/vpc.html | |
| # | |
| resource "alicloud_vpc" "demo" { | |
| name = "demo" | |
| cidr_block = "10.0.0.0/22" | |
| } | |
| # | |
| # Create NAT gateway | |
| # - https://www.terraform.io/docs/providers/alicloud/r/nat_gateway.html | |
| # | |
| # Notes: | |
| # - set prevent_destroy to true for testing purpose as new NAT gateway spawned | |
| # are charged per day | |
| # | |
| resource "alicloud_nat_gateway" "demo" { | |
| vpc_id = "${alicloud_vpc.demo.id}" | |
| specification = "Small" | |
| lifecycle { | |
| prevent_destroy = true | |
| } | |
| } | |
| # | |
| # Create EIP | |
| # - https://www.terraform.io/docs/providers/alicloud/r/eip.html | |
| # | |
| resource "alicloud_eip" "demo" { | |
| bandwidth = "4" | |
| } | |
| # | |
| # Associate the EIP to the NAT gateway | |
| # - https://www.terraform.io/docs/providers/alicloud/r/eip_association.html | |
| # | |
| resource "alicloud_eip_association" "demo" { | |
| allocation_id = "${alicloud_eip.demo.id}" | |
| instance_id = "${alicloud_nat_gateway.demo.id}" | |
| } | |
| # | |
| # Create the VSwitches - set the IP ranges and assign to the various | |
| # availability zones | |
| # - https://www.terraform.io/docs/providers/alicloud/r/vswitch.html | |
| # | |
| resource "alicloud_vswitch" "demo-az-1" { | |
| vpc_id = "${alicloud_vpc.demo.id}" | |
| cidr_block = "10.0.0.0/24" | |
| availability_zone = "cn-shanghai-a" | |
| name = "demo-cn-shanghai-1" | |
| } | |
| resource "alicloud_vswitch" "demo-az-2" { | |
| vpc_id = "${alicloud_vpc.demo.id}" | |
| cidr_block = "10.0.1.0/24" | |
| availability_zone = "cn-shanghai-b" | |
| name = "demo-cn-shanghai-2" | |
| } | |
| resource "alicloud_vswitch" "demo-az-3" { | |
| vpc_id = "${alicloud_vpc.demo.id}" | |
| cidr_block = "10.0.2.0/24" | |
| availability_zone = "cn-shanghai-c" | |
| name = "demo-cn-shanghai-3" | |
| } | |
| # | |
| # Create SNAT entry - Set source NAT for each vswitch previously | |
| # created | |
| # - https://www.terraform.io/docs/providers/alicloud/r/snat.html | |
| # | |
| # Notes: | |
| # - Set depends_on to ensure we can apply specific target(terraform apply -target=*) in the future | |
| # | |
| resource "alicloud_snat_entry" "demo-az-1" { | |
| snat_table_id = "${alicloud_nat_gateway.demo.snat_table_ids}" | |
| source_vswitch_id = "${alicloud_vswitch.demo-az-1.id}" | |
| snat_ip = "${alicloud_eip.demo.ip_address}" | |
| depends_on = ["alicloud_eip_association.demo"] | |
| } | |
| resource "alicloud_snat_entry" "demo-az-2" { | |
| snat_table_id = "${alicloud_nat_gateway.demo.snat_table_ids}" | |
| source_vswitch_id = "${alicloud_vswitch.demo-az-2.id}" | |
| snat_ip = "${alicloud_eip.demo.ip_address}" | |
| depends_on = ["alicloud_eip_association.demo"] | |
| } | |
| resource "alicloud_snat_entry" "demo-az-3" { | |
| snat_table_id = "${alicloud_nat_gateway.demo.snat_table_ids}" | |
| source_vswitch_id = "${alicloud_vswitch.demo-az-3.id}" | |
| snat_ip = "${alicloud_eip.demo.ip_address}" | |
| depends_on = ["alicloud_eip_association.demo"] | |
| } | |
| # | |
| # Create Multi-AZ Kubernetes cluster | |
| # - https://www.terraform.io/docs/providers/alicloud/r/cs_kubernetes.html | |
| # | |
| # Notes: | |
| # - each instance type must be available in each availability zone | |
| # - the password should be be secure | |
| # - in prod you would want to disable SSH and SLB internet access | |
| # | |
| resource "alicloud_cs_kubernetes" "demo" { | |
| name = "demo" | |
| count = "1" | |
| vswitch_ids = ["${alicloud_vswitch.demo-az-1.id}", "${alicloud_vswitch.demo-az-2.id}", "${alicloud_vswitch.demo-az-3.id}"] | |
| new_nat_gateway = false | |
| master_instance_types = ["ecs.n4.large", "ecs.n4.large", "ecs.n4.large"] | |
| worker_instance_types = ["ecs.n4.large", "ecs.n4.large", "ecs.n4.large"] | |
| worker_numbers = [1, 1, 1] | |
| master_disk_category = "cloud_efficiency" | |
| worker_disk_category = "cloud_efficiency" | |
| master_disk_size = "40" | |
| worker_disk_size = "30" | |
| # TODO: secure the password in vault | |
| password = "1uxADyABf1TmNKf_" | |
| pod_cidr = "172.16.0.0/16" | |
| service_cidr = "172.17.0.0/16" | |
| # TODO: disable those to avoid public access | |
| enable_ssh = true | |
| slb_internet_enabled = true | |
| depends_on = ["alicloud_snat_entry.demo-az-1", "alicloud_snat_entry.demo-az-2", "alicloud_snat_entry.demo-az-3"] | |
| } | |
| # | |
| # Display the connection details - only needed for the demo purpose | |
| # | |
| output "demo_k8s_connections" { | |
| value = "${alicloud_cs_kubernetes.demo.connections}" | |
| } | |
| # | |
| # Next .... setup security group, define the rules, setup misc services | |
| # - https://www.terraform.io/docs/providers/alicloud/r/security_group.html | |
| # - https://www.terraform.io/docs/providers/alicloud/r/security_group_rule.html | |
| # - https://www.terraform.io/docs/providers/alicloud/r/route_entry.html | |
| # - https://www.terraform.io/docs/providers/alicloud/r/db_instance.html | |
| # - etc. | |
| # | |