Managing TKE Clusters and Node Pools with Terraform

Last updated: 2023-09-05 09:40:15

    Installing Terraform

    Go to the Terraform official website and use the command line to install Terraform directly or download the binary installation package file.

    Verification and Authentication

    Obtaining credentials

    Before using Terraform for the first time, go to the TencentCloud API Key page to apply for SecretId and SecretKey. If you already have them, skip this step.
    1. Log in to the CAM console and select Access Key > Manage API Key in the left sidebar.
    2. On the Manage API Key page, click Create Key to create a pair of SecretId/SecretKey.

    Authentication

    Method 1: (Recommended) Inject access key for the account with environment variables

    Set the following environment variables. Terraform reads the key from them at run time, so the key never has to be written into a configuration file that might be committed to version control:
    export TENCENTCLOUD_SECRET_ID="xxx" # Replace it with the `SecretId` of the access key
    export TENCENTCLOUD_SECRET_KEY="xxx" # Replace it with the `SecretKey` of the access key

    Method 2: Enter the access key for the account in the provider block of the Terraform configuration file

    Create a provider.tf file under the working directory and enter the following content:
    Note
    A provider.tf that contains the key holds a long-lived credential in plaintext. Restrict its file permissions, exclude it from version control, and do not paste it into tickets or chat. Prefer Method 1 wherever possible.
    provider "tencentcloud" {
      secret_id  = "xxx" # Replace it with the `SecretId` of the access key
      secret_key = "xxx" # Replace it with the `SecretKey` of the access key
    }

    Creating a TKE Cluster with Terraform

    1. Create a working directory. Then create a Terraform configuration file named main.tf under it.
    Notes
    The main.tf file describes the following Terraform configurations:
    Create a VPC, and create a subnet in the VPC.
    Create a managed TKE cluster.
    Create a node pool in the cluster.
    The content of the main.tf file is as follows:
    # Identify the use of Tencent Cloud Terraform Provider
    terraform {
      required_providers {
        tencentcloud = {
          source  = "tencentcloudstack/tencentcloud"
          version = "~> 1.78.13" # Pin the provider version; this is the constraint shown in the `terraform init` output below
        }
      }
    }

    # Define local variables and modify the values as needed when using them in subsequent code blocks.
    locals {
      region             = "xxx" # Region, such as `ap-beijing`, i.e. Beijing
      zone1              = "xxx" # An AZ in the region, such as `ap-beijing-1`, i.e. Beijing Zone 1
      vpc_name           = "xxx" # VPC name, such as `tke-tf-demo`
      vpc_cidr_block     = "xxx" # CIDR block of the VPC, such as `10.0.0.0/16`
      subnet1_name       = "xxx" # Name of subnet 1, such as `tke-tf-demo-sub1`
      subnet1_cidr_block = "xxx" # CIDR block of subnet 1, such as `10.0.1.0/24`; it must lie inside the VPC CIDR block
      cluster_name       = "xxx" # TKE cluster name, such as `tke-tf-demo-cluster`
      network_type       = "xxx" # Network mode of the managed TKE cluster, such as `GR`, which indicates Global Route
      cluster_cidr       = "xxx" # Container network of the cluster, such as `172.26.0.0/20`. It must not overlap the VPC CIDR block or the CIDR block of any other cluster in the same VPC.
      cluster_version    = "xxx" # Kubernetes version of the TKE cluster, such as `1.22.5`
    }

    # Basic configuration of the Tencent Cloud `provider`
    provider "tencentcloud" {
      # Set `secret_id` and `secret_key` here only if you use Method 2. Injecting the key with environment variables is recommended.
      # secret_id  = "xxx"
      # secret_key = "xxx"
      region = local.region
    }

    # Declare VPC resources
    resource "tencentcloud_vpc" "vpc_example" {
      name       = local.vpc_name
      cidr_block = local.vpc_cidr_block
    }

    # Declare subnet resources
    resource "tencentcloud_subnet" "subnet_example" {
      availability_zone = local.zone1
      cidr_block        = local.subnet1_cidr_block
      name              = local.subnet1_name
      vpc_id            = tencentcloud_vpc.vpc_example.id # Place the subnet in the VPC created above
    }

    # Declare TKE cluster resources and create a cluster with the network set as Global Route
    resource "tencentcloud_kubernetes_cluster" "managed_cluster_example" {
      vpc_id          = tencentcloud_vpc.vpc_example.id # Reference the VPC ID created above
      cluster_name    = local.cluster_name
      network_type    = local.network_type
      cluster_cidr    = local.cluster_cidr
      cluster_version = local.cluster_version
    }

    # To create the cluster in VPC-CNI mode instead, replace the resource block above with the following declaration.
    # Keep only one `managed_cluster_example` resource; a duplicate resource address is a configuration error.
    # resource "tencentcloud_kubernetes_cluster" "managed_cluster_example" {
    #   vpc_id          = tencentcloud_vpc.vpc_example.id # Reference the VPC ID created above
    #   cluster_name    = local.cluster_name
    #   network_type    = "VPC-CNI"
    #   eni_subnet_ids  = [tencentcloud_subnet.subnet_example.id]
    #   service_cidr    = "172.16.0.0/24"
    #   cluster_version = local.cluster_version
    # }
    2. (Optional) If you are using TKE for the first time, grant TKE permission to access your other cloud service resources. If you have already granted these permissions, skip this step.
    When you log in to the TKE console for the first time, you are asked to grant TKE permission to access CVMs, CLBs, CBS and other cloud resources. For more information, see Description of Role Permissions Related to Service Authorization.
    You can also grant the permissions from the Terraform configuration. To do so, create a cam.tf file with the following content in the working directory. Roles declared this way become part of this working directory's Terraform state, so `terraform destroy` removes them together with the cluster; if other clusters in the account rely on these roles, manage them separately.
    ########################### Add the declarations below to the Terraform configuration as needed. Roles that were already granted permissions in the console do not need to be declared here. ###########################

    # Create the preset role `TKE_QCSRole` for the service
    resource "tencentcloud_cam_role" "TKE_QCSRole" {
      name     = "TKE_QCSRole"
      document = <<EOF
    {
      "statement": [
        {
          "action": "name/sts:AssumeRole",
          "effect": "allow",
          "principal": {
            "service": "ccs.qcloud.com"
          }
        }
      ],
      "version": "2.0"
    }
    EOF
      description = "The current role is the Tencent Cloud TKE service role, and it will access your other Tencent Cloud resources within the permissions granted by the associated policies."
    }

    # Preset policy `QcloudAccessForTKERole`
    data "tencentcloud_cam_policies" "qca" {
      name = "QcloudAccessForTKERole"
    }

    # Preset policy `QcloudAccessForTKERoleInOpsManagement`
    data "tencentcloud_cam_policies" "ops_mgr" {
      name = "QcloudAccessForTKERoleInOpsManagement"
    }

    # Associate the policy `QcloudAccessForTKERole` with the role `TKE_QCSRole`
    resource "tencentcloud_cam_role_policy_attachment" "QCS_QCA" {
      role_id   = tencentcloud_cam_role.TKE_QCSRole.id
      policy_id = data.tencentcloud_cam_policies.qca.policy_list[0].policy_id
    }

    # Associate the policy `QcloudAccessForTKERoleInOpsManagement` with the role `TKE_QCSRole`
    resource "tencentcloud_cam_role_policy_attachment" "QCS_OpsMgr" {
      role_id   = tencentcloud_cam_role.TKE_QCSRole.id
      policy_id = data.tencentcloud_cam_policies.ops_mgr.policy_list[0].policy_id
    }

    ########################### The declarations above create the role `TKE_QCSRole` and grant it permissions ###########################
    ########################### The declarations below create the role `IPAMDofTKE_QCSRole` and grant it permissions ###########################

    # Create the preset role `IPAMDofTKE_QCSRole` for the service
    resource "tencentcloud_cam_role" "IPAMDofTKE_QCSRole" {
      name     = "IPAMDofTKE_QCSRole"
      document = <<EOF
    {
      "statement": [
        {
          "action": "name/sts:AssumeRole",
          "effect": "allow",
          "principal": {
            "service": "ccs.qcloud.com"
          }
        }
      ],
      "version": "2.0"
    }
    EOF
      description = "The current role is the IPAMD service role, and it will access your other Tencent Cloud resources within the permissions granted by the associated policies."
    }

    # Preset policy `QcloudAccessForIPAMDofTKERole`
    data "tencentcloud_cam_policies" "qcs_ipamd" {
      name = "QcloudAccessForIPAMDofTKERole"
    }

    # Associate the policy `QcloudAccessForIPAMDofTKERole` with the role `IPAMDofTKE_QCSRole`
    resource "tencentcloud_cam_role_policy_attachment" "QCS_Ipamd" {
      role_id   = tencentcloud_cam_role.IPAMDofTKE_QCSRole.id
      policy_id = data.tencentcloud_cam_policies.qcs_ipamd.policy_list[0].policy_id
    }
    ########################### The declarations above create the role `IPAMDofTKE_QCSRole` and grant it permissions ###########################
    ########################### The declaration below creates the role `TKE_QCSLinkedRoleInEKSLog` and grants it permissions ###########################
    # To enable log collection for super nodes, create the preset role `TKE_QCSLinkedRoleInEKSLog` for the service.
    resource "tencentcloud_cam_service_linked_role" "service_linked_role" {
      qcs_service_name = ["cvm.qcloud.com", "ekslog.tke.cloud.tencent.com"]
      description      = "tke log role created by terraform"
      tags = {
        "createdBy" = "terraform"
      }
    }
    3. Run the following command to initialize the environment for Terraform.
    terraform init
    The returned information is as follows:
    Initializing the backend...
    
    Initializing provider plugins...
    - Finding tencentcloudstack/tencentcloud versions matching "~> 1.78.13"...
    - Installing tencentcloudstack/tencentcloud v1.78.13...
    ...
    
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    
    ...
    4. Run the following command to view the resource plan generated by Terraform based on the configuration file.
    terraform plan
    The returned information is as follows (the counts assume only the three resources in main.tf; each resource declared in cam.tf adds to them):
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
    + create
    
    Terraform will perform the following actions:
    ...
    
    Plan: 3 to add, 0 to change, 0 to destroy.
    ...
    5. Run the following command to create the resource.
    terraform apply
    The returned information is as follows:
    ...
    Plan: 3 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
    Terraform will perform the actions described above.
    Only 'yes' will be accepted to approve.
    
    Enter a value:
    Enter yes as prompted to create the resource. The following information is returned:
    ...
    Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
    You have now created the VPC, subnet and managed TKE cluster. You can view these resources in the Tencent Cloud console.
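
    The comment on `cluster_cidr` in main.tf states that the container CIDR must not conflict with the VPC CIDR, and the subnet must lie inside the VPC. The following POSIX shell script is an added pre-flight check for that layout; it is example code written for this page, not part of Terraform or the Tencent Cloud provider. It applies the same non-overlap rule to the VPC-CNI `service_cidr` (an assumption of this example, since the page does not state a constraint for it), and the addresses it checks at the bottom are the sample values from main.tf.

```shell
#!/bin/sh
# Added pre-flight check for the CIDR blocks used in main.tf (example code, not part of the
# Tencent Cloud provider). Verifies that the subnet lies inside the VPC and that the container
# CIDR (and, for VPC-CNI, the service CIDR) does not overlap the VPC before `terraform plan`.
# All addresses used below are constructed sample values.

# ip_to_int 10.0.0.0 -> 167772160 (dotted quad to 32-bit integer)
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range 10.0.0.0/16 -> "167772160 167837695" (first and last address as integers)
cidr_range() {
  ip=${1%/*}
  bits=${1#*/}
  if [ "$bits" -lt 0 ] || [ "$bits" -gt 32 ]; then
    echo "invalid prefix length in $1" >&2
    return 2
  fi
  base=$(ip_to_int "$ip")
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  start=$(( base & mask ))
  end=$(( start | (0xFFFFFFFF ^ mask) ))
  echo "$start $end"
}

# cidrs_overlap A B -> true (0) if the two ranges share at least one address
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ $# -eq 4 ] || return 2
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# cidr_within INNER OUTER -> true (0) if INNER is entirely contained in OUTER
cidr_within() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ $# -eq 4 ] || return 2
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# check_tke_cidrs VPC_CIDR SUBNET_CIDR CLUSTER_CIDR [SERVICE_CIDR]
# Returns 0 if the layout is consistent; otherwise prints each violation and returns 1.
check_tke_cidrs() {
  vpc=$1; subnet=$2; cluster=$3; service=${4:-}
  rc=0
  if ! cidr_within "$subnet" "$vpc"; then
    echo "subnet $subnet is not inside VPC $vpc"; rc=1
  fi
  if cidrs_overlap "$cluster" "$vpc"; then
    echo "cluster_cidr $cluster overlaps VPC $vpc"; rc=1
  fi
  if [ -n "$service" ]; then
    # Assumption of this example: service_cidr must not overlap the VPC or the container CIDR.
    if cidrs_overlap "$service" "$vpc"; then
      echo "service_cidr $service overlaps VPC $vpc"; rc=1
    fi
    if cidrs_overlap "$service" "$cluster"; then
      echo "service_cidr $service overlaps cluster_cidr $cluster"; rc=1
    fi
  fi
  return $rc
}

# Constructed sample: the example values from main.tf plus the VPC-CNI service CIDR.
check_tke_cidrs 10.0.0.0/16 10.0.1.0/24 172.26.0.0/20 172.16.0.0/24 \
  && echo "CIDR layout OK" || echo "fix the CIDR layout before running terraform plan"
```

    Run it with your own values before `terraform plan`, for example `check_tke_cidrs "$vpc_cidr_block" "$subnet1_cidr_block" "$cluster_cidr"`; a non-zero exit status means one of the constraints above is violated. The check only covers the CIDRs you pass in, so other clusters already present in the same VPC still have to be compared by hand.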

    Creating a TKE Node Pool with Terraform

    1. In the same working directory as main.tf, create a Terraform configuration file named nodepool.tf. It references the cluster, VPC and subnet resources declared in main.tf, so it must belong to the same root module. The content of the nodepool.tf file is as follows:
    # Define local variables and modify the values as needed when using them in subsequent code blocks.
    # You can also reference related Terraform resource instances (such as `tencentcloud_kubernetes_cluster`) to obtain the desired values.
    locals {
      node_pool_name     = "xxx"                # Node pool name, such as `tke-tf-demo-node-pool`
      max_node_size      = xxx                  # Max number of nodes in the node pool
      min_node_size      = xxx                  # Min number of nodes in the node pool
      cvm_instance_type  = "xxx"                # CVM instance type of the nodes. For valid values, see https://cloud.tencent.com/document/api/213/15749
      cvm_pass_word      = "xxx"                # Login password for the CVM nodes. Length: 8-16 characters. Any value set here is written to the Terraform state file in plaintext; prefer `key_ids` below, and keep this file out of version control if you do use a password.
      security_group_ids = ["sg-xxx", "sg-xxx"] # IDs of the security groups associated with the node pool
    }

    # Declare TKE node pool resources
    resource "tencentcloud_kubernetes_node_pool" "example_node_pool" {
      cluster_id           = tencentcloud_kubernetes_cluster.managed_cluster_example.id # Attach the node pool to the cluster created in main.tf
      delete_keep_instance = false # `false` means the associated CVM instances are deleted together with the node pool
      max_size             = local.max_node_size
      min_size             = local.min_node_size
      name                 = local.node_pool_name
      vpc_id               = tencentcloud_vpc.vpc_example.id
      subnet_ids           = [tencentcloud_subnet.subnet_example.id] # IDs of the subnets associated with the node pool
      auto_scaling_config {
        instance_type = local.cvm_instance_type
        # key_ids = ["xxx"] # Log in to the nodes with an SSH key pair instead of a password (recommended)
        password           = local.cvm_pass_word # Login password for the CVM nodes
        security_group_ids = local.security_group_ids
      }
    }
    2. Run the following command to view the resource plan generated by Terraform based on the configuration file.
    terraform plan
    The returned information is as follows:
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
    + create
    
    Terraform will perform the following actions:
    ...
    
    Plan: 1 to add, 0 to change, 0 to destroy.
    ...
    3. Run the following command to create the resource.
    terraform apply
    The returned information is as follows:
    ...
    Plan: 1 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
    Terraform will perform the actions described above.
    Only 'yes' will be accepted to approve.
    
    Enter a value:
    Enter yes as prompted to create the resource. The following information is returned:
    ...
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
    You have now created the node pool. You can view it in the Tencent Cloud console.
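
    The Note under Method 2 asks you to keep the access key in provider.tf secure, and the `cvm_pass_word` local above puts a node login password into nodepool.tf. The following POSIX shell script is an added pre-apply check for both; it was written for this page and is not part of Terraform or the Tencent Cloud provider. It confirms that the key is supplied through the TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY environment variables (Method 1) and greps the working directory's .tf files for uncommented attributes named like a secret or password that are assigned a string literal. The .tf files it writes to a temporary directory are constructed for the demonstration, and the attribute-name heuristic is an assumption of this example, not a provider rule.

```shell
#!/bin/sh
# Added pre-apply check for the credential-handling caveats on this page (example code, not
# part of Terraform or the Tencent Cloud provider): the access key should come from the
# environment rather than provider.tf, and the node-pool CVM password should not be a
# plaintext literal in nodepool.tf. The .tf files created below are constructed samples.

# check_env_creds -> true (0) if both provider environment variables are set and non-empty
check_env_creds() {
  [ -n "${TENCENTCLOUD_SECRET_ID:-}" ] && [ -n "${TENCENTCLOUD_SECRET_KEY:-}" ]
}

# scan_tf_secrets DIR -> prints every uncommented `name = "literal"` line in DIR/*.tf whose
# attribute name contains "secret" or "pass" (heuristic assumed by this example); returns 1 if
# anything was found. References such as `password = var.cvm_password` have no quotes and are
# not reported; commented-out lines are skipped because they start with `#`.
scan_tf_secrets() {
  dir=$1
  found=0
  for f in "$dir"/*.tf; do
    [ -f "$f" ] || continue
    hits=$(grep -nE '^[[:space:]]*[A-Za-z_]*(secret|pass)[A-Za-z_]*[[:space:]]*=[[:space:]]*"[^"]*"' "$f" || true)
    if [ -n "$hits" ]; then
      found=1
      printf '%s\n' "$hits" | sed "s|^|$f:|"
    fi
  done
  return $found
}

# preflight DIR -> 0 only if credentials come from the environment and DIR holds no literal secrets
preflight() {
  rc=0
  if ! check_env_creds; then
    echo "TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY are not set (Method 1)"; rc=1
  fi
  if ! scan_tf_secrets "$1"; then
    echo "literal secrets found above; move them out of the configuration"; rc=1
  fi
  return $rc
}

# make_sample_dir -> prints a temp directory holding constructed .tf files with both mistakes
make_sample_dir() {
  d=$(mktemp -d)
  cat >"$d/provider.tf" <<'EOF'
provider "tencentcloud" {
  secret_id  = "REPLACE_ME_ID"   # constructed sample: key hardcoded as in Method 2
  secret_key = "REPLACE_ME_KEY"
  # secret_key = "commented out, must not be reported"
  region     = "ap-beijing"
}
EOF
  cat >"$d/nodepool.tf" <<'EOF'
locals {
  cvm_pass_word = "Sample-Passw0rd"   # constructed sample: plaintext node password
}
EOF
  echo "$d"
}

sample=$(make_sample_dir)
preflight "$sample" && echo "preflight passed" || echo "preflight failed"
[ -n "$sample" ] && rm -rf "$sample"
```

    Point `preflight` at the working directory before `terraform apply`; with the sample files it reports the two key lines in provider.tf and the `cvm_pass_word` line in nodepool.tf and exits non-zero, while a directory whose provider block only sets `region` passes once the two environment variables are exported.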

    Cleaning up Resources with Terraform

    You can run the following command to delete every resource recorded in the working directory's Terraform state: the VPC, subnet and managed TKE cluster created above, plus the node pool and any CAM roles if you declared them. The counts shown below assume only the three resources from main.tf.
    terraform destroy
    The returned information is as follows:
    ...
    Plan: 0 to add, 0 to change, 3 to destroy.
    
    Do you really want to destroy all resources?
    Terraform will destroy all your managed infrastructure, as shown above.
    There is no undo. Only 'yes' will be accepted to confirm.
    
    Enter a value:
    Enter yes as prompted to confirm the deletion. The following information is returned:
    ...
    Destroy complete! Resources: 3 destroyed.
