云计算-基础设施即代码——CloudIac部署实践

前言

由于工作原因偶然接触到了CloudIac,深感其高效和便利性。以往要想在各大云厂商创建一台ECS并进行相应配置,难免要在各个不同环节的控制台转圈;加之厂商产品越来越多,有时候确实很难分清应该点哪里。而CloudIac更像是对这些复杂操作的进一步封装,大大简化了这一过程。

以下是其官方简介及项目地址

CloudIaC 是中国第一个云原生IaC基础设施即代码开源软件。借鉴了K8S和Terraform,侧重对国内私有云、服务器、网络设备、存储等硬件的管理,是云计算国家标准的“云资源抽象与控制”的发起项目,并获得了阿里云、腾讯云、华为云私有云的官方适配。

CloudIac项目官网:CloudIaC 基础设施即代码

环境准备

  • Ubuntu 24.04

  • docker & docker-compose

Cloudiac部署

工程结构创建

# Create the directory tree CloudIaC expects (consul data, task storage, provider
# plugin cache, gitea data/config) and switch into the project directory
mkdir -p /usr/yunji/cloudiac/var/consul \
         /usr/yunji/cloudiac/var/storage \
         /usr/yunji/cloudiac/var/plugin-cache \
         /usr/yunji/cloudiac/var/gitea/data \
         /usr/yunji/cloudiac/var/gitea/config \
  && cd /usr/yunji/cloudiac/

镜像拉取

# Pull every image the deployment needs. The tags are the ones referenced by the
# compose files below; note that gitea-latest and consul-latest are moving tags,
# so a later pull may yield a different image than the one tested here.
for tag in mysql-8.0.31 gitea-latest iac-web-v1.3.9 iac-portal-v1.3.13 \
           ct-worker-v1.3.13 ct-runner-v1.3.13 consul-latest; do
  docker pull "registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:${tag}"
done

# Confirm the images are present locally
docker images

若干核心文件配置

  • docker-compose-gitea.yml
# Create the Gitea compose file with the contents shown below
vim /usr/yunji/cloudiac/docker-compose-gitea.yml
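# Quoted the same way as the other compose files in this guide
version: "3.2"

services:
  gitea:
    image: registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:gitea-latest
    container_name: gitea
    environment:
      # UID/GID the Gitea process runs as inside the container
      - USER_UID=1000
      - USER_GID=1000
      # Database connection. MYSQL_* are taken from /usr/yunji/cloudiac/.env,
      # which docker-compose reads from the project directory; the gitea
      # database itself is created by hand in the MySQL step below.
      - DB_TYPE=mysql
      - DB_HOST=${MYSQL_HOST}:${MYSQL_PORT}
      - DB_NAME=gitea
      - DB_USER=${MYSQL_USER}
      - DB_PASSWD=${MYSQL_PASSWORD}
    volumes:
      # Keep Gitea state under var/ like every other service. These are the
      # directories created by the mkdir in "工程结构创建"; the original
      # ./gitea/... paths resolved to /usr/yunji/cloudiac/gitea/... and left
      # the pre-created var/gitea directories unused.
      - ./var/gitea/data:/data
      - ./var/gitea/config:/etc/gitea
      # Share the host clock and timezone, read-only
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # 3000: web UI; 2222 -> 22: git over SSH. Both are published on every
      # host interface, so restrict them at the firewall if the host is public.
      - "3000:3000"
      - "2222:22"
    restart: always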
  • docker-compose-runner.yml
# Create the ct-runner compose file with the contents shown below
vim /usr/yunji/cloudiac/docker-compose-runner.yml
version: "3.2"
services:
  ct-runner:
    container_name: ct-runner
    image: registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:ct-runner-v1.3.13
    volumes:
      # Shared state directory (task storage, plugin cache, consul data),
      # mounted at the same path on both sides
      - type: bind
        source: /usr/yunji/cloudiac/var
        target: /usr/yunji/cloudiac/var
      # .env carries SECRET_KEY, the admin password and the MySQL credentials,
      # so the runner container can read every secret of this deployment;
      # keep the host file readable by root only
      - type: bind
        source: /usr/yunji/cloudiac/.env
        target: /usr/yunji/cloudiac/.env
      # Host Docker socket - presumably used to start the ct-worker containers
      # named in config-runner.yml. Whoever can execute code in this container
      # controls the host's Docker daemon, i.e. effectively has root on the
      # host, so this machine should be dedicated to CloudIaC and port 19030
      # should not be reachable from untrusted networks.
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
      # Runner configuration (config-runner.yml, created below)
      - type: bind
        source: ./config-runner.yml
        target: /usr/yunji/cloudiac/config-runner.yml
    ports:
      # Runner listen port; matches listen/consul.port in config-runner.yml
      - "19030:19030"
    restart: always
  • docker-compose.yml
# Create the portal/web/consul compose file with the contents shown below
vim /usr/yunji/cloudiac/docker-compose.yml
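version: "3.2"
services:
  iac-portal:
    container_name: iac-portal
    image: registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:iac-portal-v1.3.13
    volumes:
      # Shared state directory, mounted at the same path inside the container
      - type: bind
        source: /usr/yunji/cloudiac/var
        target: /usr/yunji/cloudiac/var
      # Deployment settings and secrets (admin password, SECRET_KEY, MySQL
      # credentials) - keep the host file readable by root only
      - type: bind
        source: /usr/yunji/cloudiac/.env
        target: /usr/yunji/cloudiac/.env
    ports:
      # Portal API
      - "9030:9030"
    depends_on:
      - consul
    restart: always
  iac-web:
    container_name: iac-web
    image: registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:iac-web-v1.3.9
    ports:
      # Quoted like every other port mapping in this guide so the value is
      # always read as a string
      - "80:80"
    restart: always
    depends_on:
      - iac-portal
  consul:
    container_name: consul
    image: registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:consul-latest
    volumes:
      - type: bind
        source: /usr/yunji/cloudiac/var/consul
        target: /consul/data
    ports:
      # Published on every host interface. With -client=0.0.0.0 and -ui below
      # and no ACL configured (CONSUL_ACL is unset in .env), anyone who can
      # reach 8500 can read and change service registrations, so restrict
      # 8500 to the private network at the firewall. CONSUL_ADDRESS in .env
      # must remain the private IP:8500, so do not bind this to 127.0.0.1.
      - "8500:8500"
    # Folded scalar: the two lines below form one command line. Trailing spaces
    # inside the scalar were removed because they become part of the value.
    # Consul documents -enable-script-checks as a remote-execution risk when the
    # HTTP API is reachable without ACLs and recommends -enable-local-script-checks
    # instead; it is left unchanged here because it is not known whether
    # CloudIaC registers script checks through the API - confirm before switching.
    command: >
      consul agent -server -bootstrap-expect=1 -ui -bind=0.0.0.0
      -client=0.0.0.0 -enable-script-checks=true -data-dir=/consul/data
    restart: always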
  • .env
# Create the environment file with the contents shown below. It holds every
# secret of the deployment and is bind-mounted into the portal and runner
# containers, so keep it readable by root only and out of version control.
vim /usr/yunji/cloudiac/.env
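# Platform administrator account (both required).
# Used only when the system is first initialised; changing these later does
# not affect accounts that already exist.
IAC_ADMIN_EMAIL="admin@example.com"
# Password must be longer than 8 characters and contain letters, digits and
# special characters. The value below is a sample - set your own before the
# first start, since that is the only time it is read.
IAC_ADMIN_PASSWORD="Xxhmx%En2aMM"

# Encryption key (required). Sensitive data is encrypted with this key.
# Sample value - generate your own random key. This file is bind-mounted into
# the portal and runner containers, so keep it out of version control and
# readable only by root on the host.
SECRET_KEY="WZS3kY.S3be^"

# Address at which IaC is served (required), e.g. http://cloudiac.example.com
# Must include the scheme (http/https) and must not end with "/". The
# placeholder carries the scheme so a copied value is well-formed.
PORTAL_ADDRESS="http://XXX.XXX.XXX.XXX"   # <-- replace with this host's public address

# consul address (required), e.g. private.host.ip:8500
# Use the machine's private ip:port; 127.0.0.1 cannot be used.
# Keep the space before '#': if this file is ever sourced by a shell (or read
# by a strict dotenv parser), "..."#text is appended to the value, not ignored.
CONSUL_ADDRESS="XXX.XXX.XXX.XXX:8500"   # <-- replace with this host's private address

# IaC Store service address (optional), e.g. http://store.cloudiac.org
REGISTRY_ADDRESS=""

# Whether insecure certificates are accepted when sending https requests
# outward (e.g. to the runner)
HTTP_CLIENT_INSECURE=false

# mysql settings (required)
# The host must be reachable from the gitea and portal containers. When MySQL
# runs on this same host (docker-compose-db.yml publishes 3306 on all
# interfaces), the private IP is sufficient and keeps database traffic off the
# public interface - confirm for your network before using a public address.
MYSQL_HOST=XXX.XXX.XXX.XXX           # <-- replace with this host's address
MYSQL_PORT=3306
MYSQL_DATABASE=cloudiac
MYSQL_USER=admin
# Sample password - change it. It is also handed to the mysql container on
# first start, so set it before bringing MySQL up.
MYSQL_PASSWORD="Yunjikeji#123"

# portal service registration (all required)
## portal service IP; no change needed for containerised deployment, set to
## the private IP for a manual deployment
SERVICE_IP=XXX.XXX.XXX.XXX
## portal service registration id (must be unique)
SERVICE_ID=iac-portal-01
## portal service registration tags
SERVICE_TAGS="iac-portal;portal-01"

# docker registry address; empty means docker hub
DOCKER_REGISTRY="registry.idcos.com/"

# logger settings
# LOG_DEVEL is kept as written; LOG_LEVEL is added because config-runner.yml
# references ${LOG_LEVEL}, which would otherwise expand to an empty value.
# Check which name the runner actually reads and drop the other.
LOG_DEVEL="info"
LOG_LEVEL="info"

# SMTP settings (only affect e-mail notifications; other features work
# without them)
## example: smtp.example.com:25
SMTP_ADDRESS=""
## example: user@example.com
SMTP_USERNAME=""
SMTP_PASSWORD=""
## example: support@example.com
SMTP_FROM=""
SMTP_FROM_NAME=IaC

# KAFKA settings; once configured, every deployment task sends the
# environment's latest full resource details as a kafka message
KAFKA_TOPIC="IAC_TASK_REPLY"
KAFKA_GROUP_ID=""
KAFKA_PARTITION=0
## example: KAFKA_BROKERS: ["kafka.example.com:9092", "..."]
KAFKA_BROKERS=[]
KAFKA_SASL_USERNAME=""
KAFKA_SASL_PASSWORD=""

######### runner settings #############
# runner service registration (all required)
## runner service IP; no change needed for containerised deployment, set to
## the private IP for a manual deployment
RUNNER_SERVICE_IP=ct-runner
## runner service registration id (must be unique)
RUNNER_SERVICE_ID=ct-runner-01
RUNNER_SERVICE_TAGS="ct-runner;runner-01"

## Enable offline mode (default false)
RUNNER_OFFLINE_MODE="true"
## Run task containers privileged (default false). A privileged container is
## not isolated from the host kernel; keep this false unless a provider
## genuinely needs it.
RUNNER_PRIVILEGED="true"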
  • config-runner.yml
# Create the runner configuration with the contents shown below
vim /usr/yunji/cloudiac/config-runner.yml
# ct-runner configuration. ${VAR} references are expanded from the runner's
# environment; /usr/yunji/cloudiac/.env is bind-mounted next to this file.
listen: "0.0.0.0:19030"
secretKey: "${SECRET_KEY}"
# NOTE(review): DEFAULT_TF_VERSION and TF_VERSIONS are not defined in the .env
# above - presumably the runner falls back to built-in defaults; confirm.
default_tf_version: "${DEFAULT_TF_VERSION}"
tf_versions: "${TF_VERSIONS}"

runner:
  default_image: "registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:ct-worker-v1.3.13"

  ## Where task run data (scripts, logs, ...) is stored
  storage_path: "var/storage"

  ## Bundled assets (providers, terraform.py, ...)
  #assets_path: "assets"

  # The assets this version depends on are already packaged in the ct-worker image
  assets_path: ""
  # Keep the container after a task finishes (default setting); can be
  # overridden with the CLOUDIAC_RESERVER_CONTAINER environment variable.
  # Presumably unquoted so the expanded value is read as a boolean; note that
  # RUNNER_RESERVER_CONTAINER is not set in the .env above and then expands
  # to an empty value.
  reserver_container: ${RUNNER_RESERVER_CONTAINER}
  ## plugin cache
  plugin_cache_path: "var/plugin-cache"
  ## provider plugin cache mode; default is a shared cache used by all containers
  provider_cache_mod: "${RUNNER_PROVIDER_CACHE_MOD}"
  ## Enable offline mode (default false)
  offline_mode: ${RUNNER_OFFLINE_MODE}
  # Run task containers privileged (default false) - see RUNNER_PRIVILEGED in .env
  privileged: ${RUNNER_PRIVILEGED}

consul:
  address: "${CONSUL_ADDRESS}"
  id: "${RUNNER_SERVICE_ID}"
  ip: "${RUNNER_SERVICE_IP}"
  port: 19030
  tags: "${RUNNER_SERVICE_TAGS}"
  interval: 5s
  timeout: 3s
  deregister_after: "1m"
  # ACL/TLS settings. CONSUL_ACL, CONSUL_ACL_TOKEN, CONSUL_TLS and
  # CONSUL_CERT_PATH are not set in the .env above, so consul is reached
  # without authentication or TLS in this deployment. NOTE(review): set them
  # (and enable ACLs on the consul agent) before 8500 is reachable from
  # anything but the private network.
  consul_acl: ${CONSUL_ACL}
  consul_acl_token: "${CONSUL_ACL_TOKEN}"
  consul_tls: ${CONSUL_TLS}
  consul_cert_path: "${CONSUL_CERT_PATH}"

log:
  # Reads LOG_LEVEL, while the .env above defines LOG_DEVEL - check which
  # name the runner expects
  log_level: "${LOG_LEVEL}"
  ## Log file path; when empty, logs go only to standard output
  log_path: ""
  log_max_days: 7

MySQL服务部署

# Create docker-compose-db.yml with the contents shown below
vim /usr/yunji/cloudiac/docker-compose-db.yml
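version: "3.2"
services:
  mysql:
    container_name: mysql
    image: registry.cn-hangzhou.aliyuncs.com/idcos-cloudiac/public:mysql-8.0.31
    # Server options as a block sequence (one per line) instead of the original
    # multi-line flow list; same arguments, easier to diff
    command:
      - "--character-set-server=utf8mb4"
      - "--collation-server=utf8mb4_unicode_ci"
      - "--sql_mode=STRICT_TRANS_TABLES,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION"
    volumes:
      # Data directory; the guide creates it with mkdir before `up`
      - type: bind
        source: /usr/yunji/cloudiac/var/mysql
        target: /var/lib/mysql
    ports:
      # Published on every host interface so the gitea and portal containers
      # (separate compose projects) can reach it through MYSQL_HOST. If this
      # host has a public interface, bind to the private IP instead
      # ("<PRIVATE_IP>:3306:3306", placeholder) or block 3306 at the firewall.
      - "3306:3306"
    environment:
      # root gets a one-time random password that is printed in the container
      # log (docker logs mysql)
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      # Value-less entries are taken from the environment / the project's .env:
      # the application user, its password and the database
      - MYSQL_USER
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
    restart: always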

启动MySQL

# Data directory for the MySQL bind mount in docker-compose-db.yml
mkdir -p /usr/yunji/cloudiac/var/mysql
# Start MySQL on its own first; docker-compose-gitea.yml and .env point at it
docker-compose -f docker-compose-db.yml up -d

由于在docker-compose配置文件中添加了环境参数 MYSQL_RANDOM_ROOT_PASSWORD=yes,首次启动时会把生成的随机 root 密码打印到标准输出(stdout),需要通过 docker logs 查看

# The generated root password is printed in the container log at first start
# (MYSQL_RANDOM_ROOT_PASSWORD=yes); note it down, it is needed in the next step
docker logs mysql

image-20250622154412110

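# Log in as root with the password from the container log, then run the
# statements below at the mysql> prompt.
# Least privilege: the application user only needs its two databases, so grant
# those instead of ALL on *.* (the original grant made 'admin' a full server
# administrator). The cloudiac database is the MYSQL_DATABASE from .env handed
# to the container; gitea's database is created here. If the portal later
# fails with a privilege error, widen the grant per database rather than
# returning to *.*.
mysql -uroot -p   # enter the password obtained above
> CREATE DATABASE gitea;
> GRANT ALL PRIVILEGES ON cloudiac.* TO 'admin'@'%';
> GRANT ALL PRIVILEGES ON gitea.* TO 'admin'@'%';
> FLUSH PRIVILEGES;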

启动所有服务

# Run from the project directory so docker-compose finds .env and the relative
# bind mounts (./var/..., ./config-runner.yml)
cd /usr/yunji/cloudiac
docker-compose -f docker-compose-gitea.yml up -d
# Start the portal/consul stack before the runner, which registers itself
# with consul (see the consul section of config-runner.yml)
docker-compose -f docker-compose.yml up -d
docker-compose -f docker-compose-runner.yml up -d

初始化验证

gitea初始化

image-20250622171629234

image-20250622171648087

初始化成功

image-20250622171756908

登录 CloudIac 成功

image-20250622172109259

Cloudiac全自动创建阿里云服务器

Terraform源码编写

main.tf


# Region in which every resource below is created. No access key is written
# here: credentials are supplied by the CloudIaC resource account configured
# in the "配置资源帐号" step - keep it that way rather than hard-coding keys
# into a file that lives in the Gitea repository.
provider "alicloud" {
  region = "cn-hangzhou"
}

# VPC that holds the vswitch, security group and instance below
resource "alicloud_vpc" "vpc" {
  vpc_name   = "tf-ecs-vpc"
  cidr_block = "172.16.0.0/12"
}

# vSwitch (subnet) inside the VPC; its /21 is carved out of the VPC's /12
resource "alicloud_vswitch" "vsw" {
  vpc_id     = alicloud_vpc.vpc.id
  cidr_block = "172.16.0.0/21"
  zone_id    = "cn-hangzhou-b"
}

# Security group attached to the instance; its only ingress rule is defined
# in allow_ssh below
resource "alicloud_security_group" "secu_group" {
  name        = "tf-ecs-sg"
  vpc_id      = alicloud_vpc.vpc.id
  description = "Security group for ECS"
}

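# Source range allowed to reach SSH. The default keeps the original
# open-to-the-world value so existing plans are unchanged; override it with
# -var 'ssh_allowed_cidr=<your CIDR>' (placeholder) so port 22 is not
# reachable from the whole Internet.
variable "ssh_allowed_cidr" {
  description = "CIDR allowed to connect to port 22 on the ECS instance"
  type        = string
  default     = "0.0.0.0/0"
}

# Rule: allow ssh from ssh_allowed_cidr
resource "alicloud_security_group_rule" "allow_ssh" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "22/22"
  priority          = 1
  security_group_id = alicloud_security_group.secu_group.id
  cidr_ip           = var.ssh_allowed_cidr
}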

# ECS instance placed in the vswitch with the security group above
resource "alicloud_instance" "instance" {
  instance_name        = "tf-ecs-instance"
  instance_type        = "ecs.c9i.large"
  # NOTE(review): CentOS 7 reached end of life in June 2024 and no longer
  # receives security updates; choose a maintained image before using this
  # beyond a demo.
  image_id             = "centos_7_9_x64_20G_alibase_20220524.vhd"
  security_groups      = [alicloud_security_group.secu_group.id]
  vswitch_id           = alicloud_vswitch.vsw.id
  system_disk_category = "cloud_essd"
  system_disk_size     = 40
}

上传源码至gitea代码仓库

  • 创建仓库

image-20250622192657302

  • 上传源码

image-20250622193448257

CloudIac配置VCS用于绑定Gitea仓库

  • 创建组织

image-20250622193845639

  • 添加VCS

image-20250622200837871

配置资源帐号

image-20250622203119137

创建Stack

image-20250622202848476

部署

  • Plan测试

    image-20250622213332958

  • 执行部署&审批结果

    缺少圆子!!!

    image-20250622215800887

    充值一手!

    image-20250622220149847

    image-20250622220459040

    image-20250702111257792
    Money Power!

  • 销毁

    image-20250622220744125

    成功拿回圆子!

    至此,成功实现自动化创建云资源

版权声明:除特殊说明,博客文章均为SATAKAUI原创,依据CC BY-SA 4.0许可证进行授权,转载请附上出处链接及本声明。