---
title: "Terraform"
type: entity
tags:
- devops
- iac
- infrastructure
- automation
created: 2026-04-25
---
# Terraform
## Definition
Terraform is HashiCorp's open-source **Infrastructure as Code (IaC)** tool; it manages cloud resources through declarative configuration files. An agentic AI agent reviews Terraform scripts and suggests improvements before they are executed, helping to ensure that infrastructure configuration is reliable and secure.
## Aliases
- Terraform
- Terraform IaC
- Infrastructure as Code
## Relationship with [[Infrastructure-as-Code]]
Terraform is one of the main tools for implementing the [[Infrastructure-as-Code]] practice:
```
Infrastructure as Code Tools:
├── Terraform ←
├── CloudFormation (AWS)
├── Pulumi
└── Ansible
```
## Agentic AI IaC Management
Agentic AI plays the reviewer role in the Terraform workflow:
```
┌─────────────────────────────────────────────────┐
│       Agentic AI IaC Management Workflow        │
├─────────────────────────────────────────────────┤
│                                                 │
│  1. Developer writes Terraform                  │
│         ↓                                       │
│  2. Agentic AI reviews (auto)                   │
│     ├── Security scan (IAM policies)            │
│     ├── Cost estimation                         │
│     ├── Best practices check                    │
│     └── Compliance validation                   │
│         ↓                                       │
│  3. AI Suggestions                              │
│     ├── "S3 bucket should enable encryption"    │
│     ├── "Remove hardcoded credentials"          │
│     └── "Consider using modules for reuse"      │
│         ↓                                       │
│  4. Apply (after approval)                      │
│                                                 │
└─────────────────────────────────────────────────┘
```
## AI Review Capabilities
| Check Type | Description |
|------------|-------------|
| **Security** | Over-privileged IAM, publicly accessible S3, hardcoded secrets |
| **Cost** | Over-provisioned resources, identification of unused resources |
| **Compliance** | Tagging standards, resource naming, region restrictions |
| **Best Practices** | Modularization, state management, rollback plans |
## Example
> Agentic AI reviews a Terraform plan:
> ```hcl
> resource "aws_s3_bucket" "data" {
>   bucket = "my-sensitive-data"
> }
> ```
>
> AI Detection:
> - ⚠️ **Security Risk**: Bucket is public by default
> - ⚠️ **Missing**: Encryption not enabled
> - ⚠️ **Missing**: Versioning not enabled
>
> AI Suggestions:
> ```hcl
> # AWS provider v4+ style: encryption, versioning and public access are separate resources
> resource "aws_s3_bucket" "data" {
>   bucket = "my-sensitive-data"
> }
>
> resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
>   bucket = aws_s3_bucket.data.id
>   rule {
>     apply_server_side_encryption_by_default {
>       sse_algorithm = "AES256"
>     }
>   }
> }
>
> resource "aws_s3_bucket_versioning" "data" {
>   bucket = aws_s3_bucket.data.id
>   versioning_configuration {
>     status = "Enabled"
>   }
> }
>
> # Block public access (a private ACL alone does not stop a bucket policy granting public access)
> resource "aws_s3_bucket_public_access_block" "data" {
>   bucket                  = aws_s3_bucket.data.id
>   block_public_acls       = true
>   block_public_policy     = true
>   ignore_public_acls      = true
>   restrict_public_buckets = true
> }
> ```
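The companion-resource check behind the detections above (missing encryption, versioning or public-access block), written as a plain script over the `configuration` section of `terraform show -json` output. This is an added illustration, not code from the page or from any AI reviewer; the plan fragment, `REQUIRED` and `review_plan` are constructed for it.

```python
import json

# Constructed, trimmed sample of the "configuration" section of
# `terraform show -json tfplan` output (not captured from a real plan).
SAMPLE_PLAN = json.dumps({"configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "expressions": {"bucket": {"constant_value": "my-sensitive-data"}}},
    {"address": "aws_s3_bucket_versioning.data", "type": "aws_s3_bucket_versioning",
     "expressions": {"bucket": {"references": ["aws_s3_bucket.data.id", "aws_s3_bucket.data"]},
                     "versioning_configuration": [{"status": {"constant_value": "Suspended"}}]}},
]}}})

# Companion resource types a hardened bucket needs, and the finding raised when absent.
REQUIRED = {
    "aws_s3_bucket_server_side_encryption_configuration": "Encryption not enabled",
    "aws_s3_bucket_versioning": "Versioning not enabled",
    "aws_s3_bucket_public_access_block": "Public access block not configured",
}

def _resources(module):
    """Yield resources from a configuration module and its nested module calls."""
    yield from module.get("resources", [])
    for call in module.get("module_calls", {}).values():
        yield from _resources(call.get("module", {}))

def _links_to(resource, bucket_address):
    """True if the resource's `bucket` argument references the given bucket."""
    refs = resource.get("expressions", {}).get("bucket", {}).get("references", [])
    return any(r == bucket_address or r.startswith(bucket_address + ".") for r in refs)

def review_plan(plan_json):
    """Return {bucket address: [findings]} for every aws_s3_bucket in the plan."""
    resources = list(_resources(json.loads(plan_json)["configuration"]["root_module"]))
    findings = {}
    for b in (r for r in resources if r["type"] == "aws_s3_bucket"):
        linked = {r["type"]: r for r in resources if _links_to(r, b["address"])}
        msgs = [msg for rtype, msg in REQUIRED.items() if rtype not in linked]
        ver = linked.get("aws_s3_bucket_versioning")
        if ver:  # present but suspended is still a finding
            cfg = (ver["expressions"].get("versioning_configuration") or [{}])[0]
            if cfg.get("status", {}).get("constant_value") != "Enabled":
                msgs.append("Versioning present but not Enabled")
        findings[b["address"]] = msgs
    return findings

if __name__ == "__main__":
    for address, msgs in review_plan(SAMPLE_PLAN).items():
        for msg in msgs:
            print(f"{address}: {msg}")
```

Matching on references rather than on the bucket name matters because a new bucket's `id` is unknown at plan time and therefore absent from `planned_values`.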
## State File Management
Terraform uses the **state file** to bind the **desired state** defined in the declarative configuration to the **actual state** of the resources in the cloud environment. Key properties:
- **State locking**: prevents concurrent runs from leaving the state inconsistent
- **Remote state**: in enterprise settings the state file should live in a remote backend (e.g. S3 with DynamoDB locking) so that teams can collaborate
- **Diffing**: `terraform plan` previews the actual changes before they are applied; this is Terraform's core advantage
**Source**: [[ctp-topic-48-terraform-vs-terragrunt]]
## Terragrunt Wrapper
Terragrunt is a thin wrapper around Terraform; it inherits all Terraform commands (and is fully compatible with HCL syntax). The relationship between the two:
- `terragrunt plan` = `terraform plan`
- Terragrunt uses `remote_state` and `include` blocks to keep configuration DRY across environments
**Source**: [[ctp-topic-48-terraform-vs-terragrunt]]
## Ecosystem Tools
| Tool | Type | Purpose |
|------|------|---------|
| [[Terragrunt]] | Wrapper | DRY configuration across environments |
| [[Atlantis]] | CI/CD | Git PR-driven plan/apply |
| Terraform Enterprise | Platform | Enterprise CI + workspaces |
| [[Gruntwork]] | Module library | Pre-built reusable IaC modules |
| Terratest | Testing | IaC integration tests (Go) |
| tfsec | Security | Static security analysis for Terraform |
**Sources**: [[ctp-topic-48-terraform-vs-terragrunt]], [[ctp-topic-56-automated-infrastructure-testing]]
## Related Concepts
- [[Infrastructure-as-Code]] — Terraform is an implementation tool for IaC
- [[Automated Security Audit]] — AI review of Terraform security
- [[Cloud-Native]] — IaC supports Cloud-Native practices
- [[Multi-Account Deployment]] — Multi-account deployment with Terraform HCP/Cloud compared with CloudFormation StackSets
- [[AWS CloudFormation StackSets]] — AWS-native multi-account IaC deployment tool whose functionality overlaps with Terraform
## Related Entities
- [[AWS CloudFormation StackSets]] — AWS-native multi-account deployment service, contrasted with Terraform in multi-account IaC scenarios
## Related Sources
- [[how-agentic-ai-can-help-for-cloud-devops]]