Infrastructure as Code

基础设施即代码（IaC）

Guiding Principles

指导原则

Security First: Non-root users, minimal images, secret management
Reproducibility: Pin versions, deterministic builds, locked dependencies
Modularity: Reusable modules, DRY patterns, clear interfaces
State Management: Remote state, locking, backup strategies

安全优先：使用非root用户、最小化镜像、密钥管理
可重复性：固定版本、确定性构建、锁定依赖
模块化：可复用模块、DRY原则、清晰接口
状态管理：远程状态、锁定机制、备份策略

Tool Selection

工具选择

Use Case	Tool
Cloud infrastructure	Terraform
Containers	Docker
Configuration management	Ansible
AWS-native IaC	CloudFormation

使用场景	工具
云基础设施	Terraform
容器	Docker
配置管理	Ansible
AWS原生IaC	CloudFormation

Terraform Quick Reference

Terraform速查指南

Essential Commands

常用命令

bash

terraform init                    # Initialize working directory
terraform plan                    # Preview changes
terraform plan -out=tfplan        # Save plan for apply
terraform apply tfplan            # Apply saved plan
terraform fmt -recursive          # Format all files
terraform validate                # Validate configuration

bash

terraform init                    # 初始化工作目录
terraform plan                    # 预览变更
terraform plan -out=tfplan        # 保存计划用于执行
terraform apply tfplan            # 应用已保存的计划
terraform fmt -recursive          # 格式化所有文件
terraform validate                # 验证配置

Critical Patterns

关键模式

hcl

undefined

hcl

undefined

1. Pin provider versions

1. 固定Provider版本

terraform { required_version = ">= 1.6.0" required_providers { aws = { source = "hashicorp/aws" version = "~> 5.60" } } }

2. Use for_each for stability

2. 使用for_each保证稳定性

resource "aws_subnet" "private" { for_each = var.private_subnets # NOT: count }

resource "aws_subnet" "private" { for_each = var.private_subnets # 不要使用count }

3. Validate inputs

3. 验证输入参数

variable "environment" { type = string validation { condition = can(regex("^(dev|staging|prod)$", var.environment)) error_message = "Must be: dev, staging, prod." } }

variable "environment" { type = string validation { condition = can(regex("^(dev|staging|prod)$", var.environment)) error_message = "必须为：dev、staging、prod。" } }

4. Mark sensitive data

4. 标记敏感数据

variable "db_password" { type = string sensitive = true }

5. Lifecycle protection

5. 生命周期保护

resource "aws_s3_bucket" "state" { lifecycle { prevent_destroy = true } }

undefined

resource "aws_s3_bucket" "state" { lifecycle { prevent_destroy = true } }

undefined

Docker Quick Reference

Docker速查指南

Multi-Stage Build

多阶段构建

dockerfile

undefined

dockerfile

undefined

Build stage

构建阶段

FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci --only=production COPY . . RUN npm run build

Production stage

生产阶段

FROM node:20-alpine WORKDIR /app COPY --from=builder /app/dist ./dist COPY --from=builder /app/node_modules ./node_modules

USER node EXPOSE 3000 CMD ["node", "dist/index.js"]

undefined

FROM node:20-alpine WORKDIR /app COPY --from=builder /app/dist ./dist COPY --from=builder /app/node_modules ./node_modules

USER node EXPOSE 3000 CMD ["node", "dist/index.js"]

undefined

Best Practices

最佳实践

dockerfile

undefined

dockerfile

undefined

Pin versions

固定版本

FROM python:3.12.1-slim-bookworm

Run as non-root

以非root用户运行

RUN useradd -m appuser USER appuser

Layer optimization

分层优化

COPY requirements.txt . RUN pip install -r requirements.txt COPY . .

Health check

健康检查

HEALTHCHECK --interval=30s --timeout=3s
CMD curl -f http://localhost:8080/health || exit 1

undefined

HEALTHCHECK --interval=30s --timeout=3s
CMD curl -f http://localhost:8080/health || exit 1

undefined

Naming Conventions

命名规范

Tool	Convention	Example
Terraform	snake_case	`aws_vpc.main`
Docker	lowercase, hyphens	`my-app:1.0.0`
Ansible	snake_case	`install_packages`
CloudFormation	Hungarian	`pEnvironment` , `rVpc`

工具	规范	示例
Terraform	蛇形命名法（snake_case）	`aws_vpc.main`
Docker	小写字母+连字符	`my-app:1.0.0`
Ansible	蛇形命名法（snake_case）	`install_packages`
CloudFormation	匈牙利命名法	`pEnvironment` , `rVpc`

infrastructure-iac

Original

Translation

Infrastructure as Code

基础设施即代码（IaC）

Guiding Principles

指导原则

Tool Selection

工具选择

Terraform Quick Reference

Terraform速查指南

Essential Commands

常用命令

Critical Patterns

关键模式

1. Pin provider versions

1. 固定Provider版本

2. Use for_each for stability

2. 使用for_each保证稳定性

3. Validate inputs

3. 验证输入参数

4. Mark sensitive data

4. 标记敏感数据

5. Lifecycle protection

5. 生命周期保护

Docker Quick Reference

Docker速查指南

Multi-Stage Build

多阶段构建

Build stage

构建阶段

Production stage

生产阶段

Best Practices

最佳实践

Pin versions

固定版本

Run as non-root

以非root用户运行

Layer optimization

分层优化

Health check

健康检查

Naming Conventions

命名规范

Security Checklist

安全检查清单

Detailed References

详细参考资料