---
title: "Terraform"
type: entity
tags:
  - devops
  - iac
  - infrastructure
  - automation
created: 2026-04-25
---

# Terraform

## Definition

Terraform is HashiCorp's open-source **Infrastructure as Code (IaC)** tool; it manages cloud resources through declarative configuration files. Agentic AI agents review Terraform scripts and suggest improvements before execution, ensuring that infrastructure configuration is reliable and secure.

## Aliases

- Terraform
- Terraform IaC
- Infrastructure as Code

## Relationship with [[Infrastructure-as-Code]]

Terraform is one of the main tools that implement the [[Infrastructure-as-Code]] practice:

```
Infrastructure as Code Tools:
├── Terraform ←
├── CloudFormation (AWS)
├── Pulumi
└── Ansible
```

## Agentic AI IaC Management

Agentic AI plays the role of reviewer in the Terraform workflow:

```
┌─────────────────────────────────────────────────┐
│  Agentic AI IaC Management Workflow             │
├─────────────────────────────────────────────────┤
│                                                 │
│  1. Developer writes Terraform                  │
│         ↓                                       │
│  2. Agentic AI reviews (auto)                   │
│     ├── Security scan (IAM policies)            │
│     ├── Cost estimation                         │
│     ├── Best practices check                    │
│     └── Compliance validation                   │
│         ↓                                       │
│  3. AI Suggestions                              │
│     ├── "S3 bucket should enable encryption"    │
│     ├── "Remove hardcoded credentials"          │
│     └── "Consider using modules for reuse"      │
│         ↓                                       │
│  4. Apply (after approval)                      │
│                                                 │
└─────────────────────────────────────────────────┘
```

## AI Review Capabilities

| Check Type | Description |
|------------|-------------|
| **Security** | Over-permissive IAM, public S3 access, hardcoded secrets |
| **Cost** | Over-provisioned resources, identification of unused resources |
| **Compliance** | Tagging standards, resource naming, region restrictions |
| **Best Practices** | Modularization, state management, rollback plans |

## Example

> Agentic AI reviews Terraform plan:
> ```hcl
> resource "aws_s3_bucket" "data" {
>   bucket = "my-sensitive-data"
> }
> ```
>
> AI Detection:
> - ⚠️ **Security Risk**: Bucket is public by default
> - ⚠️ **Missing**: Encryption not enabled
> - ⚠️ **Missing**: Versioning not enabled
>
> AI Suggestions:
> ```hcl
> resource "aws_s3_bucket" "data" {
>   bucket = "my-sensitive-data"
>
>   # Inline arguments of the AWS provider v3 aws_s3_bucket resource;
>   # they must sit inside the resource block, not after it
>   server_side_encryption_configuration {
>     rule {
>       apply_server_side_encryption_by_default {
>         sse_algorithm = "AES256"
>       }
>     }
>   }
>
>   versioning {
>     enabled = true
>   }
>
>   acl = "private" # Block public access
> }
> ```

## State File Management

Terraform uses a **state file** to bind the **desired state** defined in the declarative configuration to the **actual state** of the resources in the cloud environment. Key features:

- **State locking**: prevents concurrent runs from leaving the state inconsistent
- **Remote state**: enterprise scenarios require storing the state file in a remote backend such as S3 (+ DynamoDB locking), which enables team collaboration
- **Diff preview**: `terraform plan` shows the actual changes before they are executed; this is a core advantage of Terraform

**Source**: [[ctp-topic-48-terraform-vs-terragrunt]]

## Terragrunt Wrapper

Terragrunt is a thin wrapper around Terraform that inherits all Terraform commands (HCL syntax is fully compatible). The relationship between the two:

- `terragrunt plan` = `terraform plan`
- Terragrunt uses `remote_state` and `include` blocks to keep cross-environment configuration DRY

**Source**: [[ctp-topic-48-terraform-vs-terragrunt]]

## Ecosystem Tools

| Tool | Type | Purpose |
|------|------|---------|
| [[Terragrunt]] | Wrapper | DRY multi-environment configuration |
| [[Atlantis]] | CI/CD | Git PR-driven plan/apply |
| Terraform Enterprise | Platform | Enterprise CI + workspaces |
| [[Gruntwork]] | Module library | Pre-built reusable IaC modules |
| Terratest | Testing | IaC integration tests (Golang) |
| tfsec | Security | Terraform static security analysis |

**Sources**: [[ctp-topic-48-terraform-vs-terragrunt]], [[ctp-topic-56-automated-infrastructure-testing]]

## Related Concepts

- [[Infrastructure-as-Code]] — Terraform is an implementation tool for IaC
- [[Automated Security Audit]] — AI review of Terraform security
- [[Cloud-Native]] — IaC supports Cloud-Native practices
- [[Multi-Account Deployment]] — Terraform HCP/Cloud multi-account deployment compared with CloudFormation StackSets
- [[AWS CloudFormation StackSets]] — AWS-native multi-account IaC deployment tool whose functionality overlaps with Terraform

## Related Entities

- [[AWS CloudFormation StackSets]]: AWS-native multi-account deployment service, contrasted with Terraform in multi-account IaC scenarios

## Related Sources

- [[how-agentic-ai-can-help-for-cloud-devops]]
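As an added example (not part of this note or of any HashiCorp tooling), the review step from the "Agentic AI IaC Management" and "Example" sections written as a plain plan checker: it reads the JSON that `terraform show -json <planfile>` emits, raises the three S3 findings from the Example (ACL not private, no encryption, no versioning) in the AWS provider v3 inline attribute form used on this page, and flags hardcoded AWS access key ids anywhere in a planned resource. The plan document at the bottom is constructed; the key it contains is AWS's documentation placeholder, not a real credential.

```python
import json
import re

AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key id

def review_bucket(after: dict) -> list[str]:
    """The three Example-section checks, on one aws_s3_bucket 'after' state."""
    findings = []
    if after.get("acl") != "private":
        findings.append("Security Risk: ACL is not explicitly private")
    if not after.get("server_side_encryption_configuration"):
        findings.append("Missing: encryption not enabled")
    if not (after.get("versioning") or [{}])[0].get("enabled"):
        findings.append("Missing: versioning not enabled")
    return findings

def contains_access_key(value) -> bool:
    """Recursively scan nested plan attributes for an access key id."""
    if isinstance(value, dict):
        return any(contains_access_key(v) for v in value.values())
    if isinstance(value, list):
        return any(contains_access_key(v) for v in value)
    return isinstance(value, str) and AKIA_RE.search(value) is not None

def review_plan(plan_json: str) -> dict[str, list[str]]:
    """Map resource address -> findings, over `terraform show -json` output."""
    report = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc["change"]["actions"] == ["delete"]:
            continue  # nothing to harden on a resource being removed
        after = rc["change"].get("after") or {}
        findings = review_bucket(after) if rc["type"] == "aws_s3_bucket" else []
        if contains_access_key(after):
            findings.append("Remove hardcoded credentials: AWS access key id found")
        if findings:
            report[rc["address"]] = findings
    return report

# Constructed plan: the bare bucket from the Example, a hardened one, and an
# instance whose user_data embeds AWS's documentation placeholder key.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "my-sensitive-data"}}},
    {"address": "aws_s3_bucket.hardened", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "bucket": "hardened-data", "acl": "private", "versioning": [{"enabled": True}],
         "server_side_encryption_configuration": [{"rule": [{
             "apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}]}}},
    {"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["create"],
     "after": {"user_data": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}}}]})
```

Calling `review_plan(SAMPLE_PLAN)` reports the three findings for `aws_s3_bucket.data`, nothing for the hardened bucket, and a credential finding for the instance; in a pipeline the same function would gate `apply` on an empty report.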