Backend Configuration

Create an S3 bucket for the backend and a DynamoDB table for locking

S3 bucket as backend

  • Create an S3 bucket to store the Terraform state.

  • Because the S3 bucket always holds the latest state, team members can collaborate.

DynamoDB Table for Lock

  • To prevent the same file from being modified at the same time, a lock for each operation is created in DynamoDB.

Hands-on

1. Edit the terraform/init/dayone-id/init.tf file.

vim terraform/init/dayone-id/init.tf
provider "aws" {
  region = "ap-northeast-2" # Please use the default region ID
  version = "~> 2.49.0" # Please choose any version or delete this line if you want the latest version
}

# S3 bucket for backend
resource "aws_s3_bucket" "tfstate" {
  bucket = "${var.account_id}-apnortheast2-tfstate"

  versioning {
    enabled = true # Prevent from deleting tfstate file
  }
}

# DynamoDB for terraform state lock
resource "aws_dynamodb_table" "terraform_state_lock" {
  name           = "terraform-lock"
  hash_key       = "LockID"
  billing_mode   = "PAY_PER_REQUEST"

  attribute {
    name = "LockID"
    type = "S"
  }
}

variable "account_id" {
 default = "dayone-id" # Please use the account alias for id
}

2. Run terraform init.

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.49.0...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

3. Review the resources that will be created.

$ terraform plan -parallelism=30
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_dynamodb_table.terraform_state_lock will be created
  + resource "aws_dynamodb_table" "terraform_state_lock" {
      + arn              = (known after apply)
      + billing_mode     = "PAY_PER_REQUEST"
      + hash_key         = "LockID"
      + id               = (known after apply)
      + name             = "terraform-lock"
      + stream_arn       = (known after apply)
      + stream_label     = (known after apply)
      + stream_view_type = (known after apply)

      + attribute {
          + name = "LockID"
          + type = "S"
        }

      + point_in_time_recovery {
          + enabled = (known after apply)
        }

      + server_side_encryption {
          + enabled     = (known after apply)
          + kms_key_arn = (known after apply)
        }
    }

  # aws_s3_bucket.tfstate will be created
  + resource "aws_s3_bucket" "tfstate" {
      + acceleration_status         = (known after apply)
      + acl                         = "private"
      + arn                         = (known after apply)
      + bucket                      = "dayone-id-apnortheast2-tfstate"
      + bucket_domain_name          = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + versioning {
          + enabled    = true
          + mfa_delete = false
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

If you see "Plan: 2 to add, 0 to change, 0 to destroy.", everything is working as expected.

4. Now create the resources.

$ terraform apply -parallelism=30
(... omitted ...)
Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes <------ You must type exactly "yes".

aws_dynamodb_table.terraform_state_lock: Creating...
aws_s3_bucket.tfstate: Creating...
aws_s3_bucket.tfstate: Creation complete after 3s [id=dayone-id-apnortheast2-tfstate]
aws_dynamodb_table.terraform_state_lock: Creation complete after 7s [id=terraform-lock]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

If you see the message "Apply complete! Resources: 2 added, 0 changed, 0 destroyed.", the apply succeeded.

Result screenshot
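Terraform state can contain secrets in plain text, so the state bucket deserves more than versioning. The following is an added example, not part of the original tutorial: a variant of the aws_s3_bucket.tfstate resource from init.tf, in the same AWS provider 2.x syntax, that adds default encryption, a public access block and a TLS-only bucket policy. The provider, DynamoDB and variable blocks stay unchanged, and the choice of AES256 (SSE-S3) and the prevent_destroy guard are assumptions.

```hcl
# Added example: hardened replacement for the aws_s3_bucket block in init.tf.
resource "aws_s3_bucket" "tfstate" {
  bucket = "${var.account_id}-apnortheast2-tfstate"
  acl    = "private"

  versioning {
    enabled = true # Keep earlier versions of the tfstate file
  }

  # Encrypt every state object at rest (assumption: SSE-S3 is sufficient).
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Make "terraform destroy" fail instead of removing the state bucket.
  lifecycle {
    prevent_destroy = true
  }
}

# Block every form of public access to the state bucket.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Deny any request to the bucket that does not use TLS.
resource "aws_s3_bucket_policy" "tfstate_tls_only" {
  bucket     = aws_s3_bucket.tfstate.id
  depends_on = [aws_s3_bucket_public_access_block.tfstate] # apply one bucket-level change at a time
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

With these blocks in place, terraform plan reports 4 resources to add instead of 2.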

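Multi-Account Setup

  • The same procedure must also be applied to the other accounts. Each account's resource creation information is stored in a bucket inside that account.

First, you need to create an initialization IAM user in the account you are going to use. (It is used only for the first setup.)

See the page "Creating the initialization IAM user".

Repeat the hands-on steps above.

  • Create the terraform/init/dayone-prod folder and copy the contents of dayone-id into it.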

$ cp -r dayone-id dayone-prod
  • In the init.tf file, change the account_id name.

vim terraform/init/dayone-prod/init.tf
variable "account_id" {
 default = "dayone-prod" # Please change this value!!
}

The remaining steps are the same.

  • terraform init

  • terraform plan -parallelism=30

  • terraform apply -parallelism=30

The initialization IAM user is also needed during the IAM setup. You can delete it once that work is finished.
