\u6700\u8fd1\u56e0\u4e3a\u559c\u6b22\u73a9github actions\uff0c\u6211\u5728aws\u73af\u5883\u4e0b\u5c1d\u8bd5\u4e86\u4f7f\u7528teraform + ansible\u8fdb\u884c\u90e8\u7f72\u3002
\n\u6211\u6210\u529f\u642d\u5efa\u4e86EC2\u5b9e\u4f8b\uff0c\u5e76\u5b89\u88c5\u4e86httpd\u3002<\/p>\n
\u30fb\u9884\u5148\u51c6\u5907
\n\u30fb\u76ee\u5f55\u7ed3\u6784
\n\u30fb\u521b\u5efa\u5b58\u50a8\u6876
\n\u30fb\u521b\u5efaIAM\u7528\u6237
\n\u30fb\u521b\u5efaTerraform\u4ee3\u7801
\n\u30fb\u521b\u5efaAnsible\u4ee3\u7801
\n\u30fb\u521b\u5efaGitHub Actions
\n\u30fb\u6267\u884cGitHub Actions\u5e76\u83b7\u53d6\u7ed3\u679c<\/p>\n
\u251c\u2500\u2500 README.md\r\n\u251c\u2500\u2500 ansible\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 ansible.cfg\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 ec2.ini\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 ec2.py\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 roles\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 common\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 files\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 tasks\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 nginx\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 files\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 tasks\r\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 sandbox.yml\r\n\u2514\u2500\u2500 terraform\r\n \u251c\u2500\u2500 backend.tf\r\n \u251c\u2500\u2500 data.tf\r\n \u251c\u2500\u2500 main.tf\r\n \u251c\u2500\u2500 output\r\n \u251c\u2500\u2500 output.tf\r\n \u251c\u2500\u2500 provider.tf\r\n \u2514\u2500\u2500 variables.tf\r\n\r\n<\/code><\/pre>\n\u521b\u5efa S3 \u5b58\u50a8\u6876<\/h2>\n
\u521b\u5efa\u4e00\u4e2a\u7528\u4e8e\u4fdd\u5b58tfstate\u7684\u5b58\u50a8\u6876\u3002<\/p>\n
% aws s3 mb s3:\/\/tf-sandbox-masa3521\r\nmake_bucket: tf-sandbox-masa3521\r\n<\/code><\/pre>\n\u521b\u5efaIAM\u7528\u6237<\/h2>\n
\u521b\u5efa\u7528\u4e8e\u8fd0\u884c Terraform \u548c Ansible \u7684 IAM \u7528\u6237\u3002
\n\u7531\u4e8e\u9700\u8981\u4ece\u53c2\u6570\u5b58\u50a8\uff08Parameter Store\uff09\u4e2d\u83b7\u53d6 EC2\u3001S3 \u548c\u5bc6\u94a5\u76f8\u5173\u4fe1\u606f\uff0c\u56e0\u6b64\u9700\u8981\u6388\u4e88\u76f8\u5e94\u7684\u6743\u9650\u3002<\/p>\n
% aws iam create-user --user-name<\/span> cicd_user\r\n\r\n{<\/span>\r\n \"User\"<\/span>: {<\/span>\r\n \"Path\"<\/span>: \"\/\"<\/span>,\r\n \"UserName\"<\/span>: \"cicd_user\"<\/span>,\r\n \"UserId\"<\/span>: \"***************\"<\/span>,\r\n \"Arn\"<\/span>: \"arn:aws:iam::***************:user\/cicd_user\"<\/span>,\r\n \"CreateDate\"<\/span>: \"2020-05-21T15:05:18Z\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n% aws iam create-access-key --user-name<\/span> cicd_user\r\n{<\/span>\r\n \"AccessKey\"<\/span>: {<\/span>\r\n \"UserName\"<\/span>: \"cicd_user\"<\/span>,\r\n \"AccessKeyId\"<\/span>: \"***************\"<\/span>,\r\n \"Status\"<\/span>: \"Active\"<\/span>,\r\n \"SecretAccessKey\"<\/span>: \"***************\"<\/span>,\r\n \"CreateDate\"<\/span>: \"2020-05-22T00:42:37Z\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n% aws iam attach-user-policy --policy-arn<\/span> arn:aws:iam::aws:policy\/AmazonS3FullAccess --user-name<\/span> cicd_user\r\n% aws iam attach-user-policy --policy-arn<\/span> arn:aws:iam::aws:policy\/AmazonEC2FullAccess --user-name<\/span> cicd_user\r\n% aws iam attach-user-policy --policy-arn<\/span> arn:aws:iam::aws:policy\/AmazonSSMReadOnlyAccess --user-name<\/span> cicd_user\r\n% aws iam list-attached-user-policies --user-name<\/span> cicd_user\r\n{<\/span>\r\n \"AttachedPolicies\"<\/span>: [<\/span>\r\n {<\/span>\r\n \"PolicyName\"<\/span>: \"AmazonEC2FullAccess\"<\/span>,\r\n \"PolicyArn\"<\/span>: \"arn:aws:iam::aws:policy\/AmazonEC2FullAccess\"<\/span>\r\n }<\/span>,\r\n {<\/span>\r\n \"PolicyName\"<\/span>: \"AmazonS3FullAccess\"<\/span>,\r\n \"PolicyArn\"<\/span>: \"arn:aws:iam::aws:policy\/AmazonS3FullAccess\"<\/span>\r\n }<\/span>,\r\n {<\/span>\r\n \"PolicyName\"<\/span>: \"AmazonSSMReadOnlyAccess\"<\/span>,\r\n \"PolicyArn\"<\/span>: \"arn:aws:iam::aws:policy\/AmazonSSMReadOnlyAccess\"<\/span>\r\n }<\/span>\r\n ]<\/span>\r\n}<\/span>\r\n\r\n<\/code><\/pre>\n\u5236\u4f5c\u5bc6\u94a5<\/h2>\n
\u521b\u5efa\u9002\u7528\u4e8e EC2 \u7684\u516c\u94a5\/\u79c1\u94a5\u5e76\u5c06\u5176\u6ce8\u518c\u5230\u53c2\u6570\u5b58\u50a8\u3002<\/p>\n
% ssh-keygen -t<\/span> rsa -b<\/span> 4096 \r\n<\/code><\/pre>\n% aws ssm put-parameter --name<\/span> \"publickey\"<\/span> \\<\/span>\r\n --type<\/span> SecureString \\<\/span>\r\n --value<\/span> \"<\/span>$(<\/span>cat <\/span>id_rsa.pub)<\/span>\"<\/span>\r\n\r\n{<\/span>\r\n \"Version\"<\/span>: 1,\r\n \"Tier\"<\/span>: \"Standard\"<\/span>\r\n}<\/span>\r\n\r\n% aws ssm put-parameter --name<\/span> \"pravatekey\"<\/span> \\<\/span>\r\n --type<\/span> SecureString \\<\/span>\r\n --value<\/span> \"<\/span>$(<\/span>cat <\/span>id_rsa)<\/span>\"<\/span>\r\n\r\n{<\/span>\r\n \"Version\"<\/span>: 1,\r\n \"Tier\"<\/span>: \"Standard\"<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n\u521b\u5efaTerraform\u4ee3\u7801<\/h2>\n\n- \n
data.tf\u3067\u516c\u958b\u9375\u3092\u30d1\u30e9\u30e1\u30fc\u30bf\u30b9\u30c8\u30a2\u304b\u3089\u53d6\u5f97<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
backend.tf\u3067tfstate\u3092\u30ea\u30e2\u30fc\u30c8\u3067\u7ba1\u7406<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
output.tf\u3067\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30fc\u30b0\u30eb\u30fc\u30d7\u306egroupid\u3092\u30d5\u30a1\u30a4\u30eb\u306b\u51fa\u529b \u203b\u5f8c\u306egithub-actions\u3067\u4f7f\u7528<\/ul>\n
provider<\/span> \"aws\"<\/span> {<\/span>\r\n profile<\/span> =<\/span> \"default\"<\/span>\r\n version<\/span> =<\/span> \"= 2.61\"<\/span>\r\n region<\/span> =<\/span> \"ap-northeast-1\"<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nterraform<\/span> {<\/span>\r\n backend<\/span> \"s3\"<\/span> {<\/span>\r\n bucket<\/span> =<\/span> \"tf-sandbox-masa3521\"<\/span>\r\n region<\/span> =<\/span> \"ap-northeast-1\"<\/span>\r\n key<\/span> =<\/span> \"terraform.tfstate\"<\/span>\r\n encrypt<\/span> =<\/span> true<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\ndata<\/span> \"aws_ssm_parameter\"<\/span> \"publickey\"<\/span> {<\/span>\r\n name<\/span> =<\/span> \"publickey\"<\/span>\r\n with_decryption<\/span> =<\/span> true<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nvariable<\/span> \"region\"<\/span> {<\/span>\r\n default<\/span> =<\/span> \"ap-northeast-1\"<\/span>\r\n}<\/span>\r\n\r\nvariable<\/span> \"system\"<\/span> {<\/span>\r\n default<\/span> =<\/span> \"sandbox\"<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nresource<\/span> \"local_file\"<\/span> \"sgroupid\"<\/span> {<\/span>\r\n filename<\/span> =<\/span> \".\/group_id\"<\/span>\r\n content<\/span> =<\/span> aws_security_group<\/span>.<\/span>sandboxSG<\/span>.<\/span>id<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n\r\nresource<\/span> \"aws_vpc\"<\/span> \"sandboxVPC\"<\/span> {<\/span>\r\n cidr_block<\/span> =<\/span> \"10.1.0.0\/16\"<\/span>\r\n instance_tenancy<\/span> =<\/span> \"default\"<\/span>\r\n enable_dns_support<\/span> =<\/span> \"true\"<\/span>\r\n enable_dns_hostnames<\/span> =<\/span> \"false\"<\/span>\r\n tags<\/span> =<\/span> {<\/span>\r\n Name<\/span> =<\/span> var<\/span>.<\/span>system<\/span>\r\n Env<\/span> =<\/span> terraform<\/span>.<\/span>workspace<\/span>\r\n }<\/span>\r\n}<\/span>\r\n\r\nresource<\/span> \"aws_route_table\"<\/span> \"sanbboxRT\"<\/span> {<\/span>\r\n vpc_id<\/span> =<\/span> aws_vpc<\/span>.<\/span>sandboxVPC<\/span>.<\/span>id<\/span>\r\n\r\n route<\/span> {<\/span>\r\n cidr_block<\/span> =<\/span> \"0.0.0.0\/0\"<\/span>\r\n gateway_id<\/span> =<\/span> aws_internet_gateway<\/span>.<\/span>