tencent cloud

Managing TKE Clusters and Node Pools with Terraform
Download PDF
Last updated: 2023-09-05 09:40:15
Managing TKE Clusters and Node Pools with Terraform
Last updated: 2023-09-05 09:40:15
Download PDF

Installing Terraform

Go to the Terraform official website and use the command line to install Terraform directly or download the binary installation package file.

Verification and Authentication

Obtaining credentials

Before using Terraform for the first time, go to the TencentCloud API Key page to apply for SecretId and SecretKey. If you already have them, skip this step.
1. Log in to the CAM console and select Access Key > Manage API Key in the left sidebar.
2. On the Manage API Key page, click Create Key to create a pair of SecretId/SecretKey.

Authentication

Method 1: (Recommended) Inject access key for the account with environment variables

Add the following content to the environment variables:
export TENCENTCLOUD_SECRET_ID="xxx"			# Replace it with the `SecretId` of the access key
export TENCENTCLOUD_SECRET_KEY="xxx"		# Replace it with the `SecretKey` of the access key

Method 2: Enter the access key for the account in the provider block of the Terraform configuration file

Create a provider.tf file under the user directory and enter the following content:
Note
Please ensure the security of the access key in the configuration file.
provider "tencentcloud" {
  secret_id = "xxx"											# Replace it with the `SecretId` of the access key
  secret_key = "xxx"										# Replace it with the SecretKey` of the access key
}

Creating a TKE Cluster with Terraform

1. Create a working directory. Then create a Terraform configuration file named main.tf under it.
Notes
The main.tf file describes the following Terraform configurations:
Create a VPC, and create a subnet in the VPC.
Create a managed TKE cluster.
Create a node pool in the cluster.
The content of the main.tf file is as follows:
   # Identify the use of Tencent Cloud Terraform Provider
   terraform {
     required_providers {
       tencentcloud = {
         source = "tencentcloudstack/tencentcloud"
       }
     }
   }

   # Define local variables and modify the values as needed when using them in subsequent code blocks.
   locals {
       region = "xxx"								# Region, such as `ap-beijing`, i.e. Beijing
       zone1 = "xxx"									# An AZ in the region, such as `ap-beijing-1`, i.e. Beijing Zone 1
       vpc_name = "xxx"							# Set the VPC name, such as `tke-tf-demo`
       vpc_cidr_block = "xxx"				# CIDR block of the VPC, such as `10.0.0.0/16`	
       subnet1_name = "xxx"					# Name of subnet 1, such as `tke-tf-demo-sub1`
       subnet1_cidr_block = "xxx"		# CIDR block of subnet 1, such as `10.0.1.0/24`
       cluster_name = "xxx"					# TKE cluster name, such as `tke-tf-demo-cluster`
       network_type = "xxx"					# Network mode of the managed TKE cluster, such as `GR`, which indicates Global Route
       cluster_cidr = "xxx"					# Container network of the cluster, such as `172.26.0.0/20`. It cannot conflict with the VPC CIDR and other cluster CIDRs in the same VPC.
       cluster_version = "xxx"				# Kubernetes version of the TKE cluster, such as `1.22.5`
   }


   # Basic configuration of the Tencent Cloud `provider`
   provider "tencentcloud" {
       # Enter the `SecretId` and `SecretKey` if you use the configuration file. It is recommended to inject the key with environment variables.
       # secret_id  = "xxx"
       # secret_key = "xxx"
     region = local.region 			
   }

   # Declare VPC resources
   resource "tencentcloud_vpc" "vpc_example" {
     name = local.vpc_name
     cidr_block   = local.vpc_cidr_block
   }

   # Declare subnet resources
   resource "tencentcloud_subnet" "subnet_example" {
     availability_zone = local.zone1
     cidr_block        = local.subnet1_cidr_block
     name              = local.subnet1_name
     vpc_id            = tencentcloud_vpc.vpc_example.id			# The VPC ID of the specified subnet resource is the ID of the above VPC.
   }

   # Declare TKE cluster resources and create a cluster with the network set as Global Route
   resource "tencentcloud_kubernetes_cluster" "managed_cluster_example" {
     vpc_id = tencentcloud_vpc.vpc_example.id 								# Reference the VPC ID created above
     cluster_name = local.cluster_name
     network_type = local.network_type
     cluster_cidr = local.cluster_cidr
     cluster_version = local.cluster_version
   }


   # You can use the following declaration to create a cluster in VPC-CNI mode.
   # resource "tencentcloud_kubernetes_cluster" "managed_cluster_example" {
   #   vpc_id = tencentcloud_vpc.vpc_example.id 								# Reference the VPC ID created above
   #   cluster_name = local.cluster_name
   #   network_type = "VPC-CNI"
   #   eni_subnet_ids = [tencentcloud_subnet.subnet_example.id]
   #   service_cidr = "172.16.0.0/24" 
   #   cluster_version = local.cluster_version
   # }
2. (Optional) If you use Tencent Cloud TKE for the first time, please grant TKE permissions to access other cloud service resources. If you have granted permissions, skip this step.
When you log in to the TKE console for the first time, you need to grant TKE permissions to access CVMs, CLBs, CBS, and other cloud resources. For more information, see Description of Role Permissions Related to Service Authorization.
You can also grant permissions in the Terraform configuration file. To do this, please create a cam.tf file with the following content under the working directory.
########################### Please add declaration configuration in the Terraform configuration file as needed. You do not need to add it for roles that have obtained permissions in the console. #############

# Create the preset role `TKE_QCSRole` for the service
resource "tencentcloud_cam_role" "TKE_QCSRole" {
 name        = "TKE_QCSRole"
 document    = <<EOF
{
 "statement": [
{
  "action":"name/sts:AssumeRole",
  "effect":"allow",
  "principal":{
    "service":"ccs.qcloud.com"
  }
}
 ],
 "version":"2.0"
}
EOF
 description = "The current role is the Tencent Cloud TKE service role, and it will access your other Tencent Cloud resources within the permissions granted by the associated policies."
}

# Preset policy `QcloudAccessForTKERole`
data "tencentcloud_cam_policies" "qca" {
 name = "QcloudAccessForTKERole"
}

# Preset policy `QcloudAccessForTKERoleInOpsManagement`
data "tencentcloud_cam_policies" "ops_mgr" {
 name = "QcloudAccessForTKERoleInOpsManagement"
}

# Associate the policy `QcloudAccessForTKERole` with the role `TKE_QCSRole`
resource "tencentcloud_cam_role_policy_attachment" "QCS_QCA" {
 role_id   = lookup(tencentcloud_cam_role.TKE_QCSRole, "id")
 policy_id = data.tencentcloud_cam_policies.qca.policy_list.0.policy_id
}

# Associate the policy `QcloudAccessForTKERoleInOpsManagement` with the role `TKE_QCSRole`
resource "tencentcloud_cam_role_policy_attachment" "QCS_OpsMgr" {
 role_id   = lookup(tencentcloud_cam_role.TKE_QCSRole, "id")
 policy_id = data.tencentcloud_cam_policies.ops_mgr.policy_list.0.policy_id
}

########################### Create the role `TKE_QCSRole` and grant permissions to it with the above declaration ###########################
########################### Create the role `IPAMDofTKE_QCSRole` and grant permissions to it with the below declaration ###########################


# Create the preset role `IPAMDofTKE_QCSRole` for the service
resource "tencentcloud_cam_role" "IPAMDofTKE_QCSRole" {
 name = "IPAMDofTKE_QCSRole"
 document    = <<EOF
{
 "statement": [
{
  "action":"name/sts:AssumeRole",
  "effect":"allow",
  "principal":{
    "service":"ccs.qcloud.com"
  }
}
 ],
 "version":"2.0"
}
EOF
 description = "The current role is the IPAMD service role, and it will access your other Tencent Cloud resources within the permissions granted by the associated policies."
}

# Preset policy `QcloudAccessForIPAMDofTKERole`
data "tencentcloud_cam_policies" "qcs_ipamd" {
 name = "QcloudAccessForIPAMDofTKERole"
}

# Associate the policy `QcloudAccessForIPAMDofTKERole` with the role `IPAMDofTKE_QCSRole`
resource "tencentcloud_cam_role_policy_attachment" "QCS_Ipamd" {
 role_id   = lookup(tencentcloud_cam_role.IPAMDofTKE_QCSRole, "id")
 policy_id = data.tencentcloud_cam_policies.qcs_ipamd.policy_list.0.policy_id
}
########################### Create the role `IPAMDofTKE_QCSRole` and grant permissions to it with the above declaration ###########################
########################### Create the role `TKE_QCSLinkedRoleInEKSLog` and grant permissions to it with the below declaration ###########################
# To enable log collection for super nodes, create the preset role `TKE_QCSLinkedRoleInEKSLog` for the service.
resource "tencentcloud_cam_service_linked_role" "service_linked_role" {
  qcs_service_name = ["cvm.qcloud.com", "ekslog.tke.cloud.tencent.com"]
  description      = "tke log role created by terraform"
  tags = {
    "createdBy" = "terraform"
  }
}
3. Run the following command to initialize the environment for Terraform.
terraform init
The returned information is as follows:
Initializing the backend...

Initializing provider plugins...
- Finding tencentcloudstack/tencentcloud versions matching "~> 1.78.13"...
- Installing tencentcloudstack/tencentcloud v1.78.13...
...

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

...
4. Run the following command to view the resource plan generated by Terraform based on the configuration file.
terraform plan
The returned information is as follows:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:
...

Plan: 3 to add, 0 to change, 0 to destroy.
...
5. Run the following command to create the resource.
terraform apply
The returned information is as follows:
...
Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
Enter yes as prompted to create the resource. The following information is returned:
...
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
You have completed the creation of the VPC, subnet and managed TKE cluster. You can view these resources in Tencent Cloud console.

Creating a TKE Node Pool with Terraform

1. Create a working directory, under which create a Terraform configuration file named nodepool.tf. The content of the nodepool.tf file is as follows:
# Define local variables and modify the values as needed when using them in subsequent code blocks.
# You can also reference Terraform related resource instance (such as `tencentcloud_kubernetes_cluster`) to obtain the desired values.
locals {
    node_pool_name = "xxx"				# Node pool name, such as `tke-tf-demo-node-pool`
    max_node_size = xxx						# Max number of nodes in the node pool
    min_node_size = xxx						# Min number of nodes in the node pool
    cvm_instance_type = "xxx"			# CVM instance in the node pool. For valid values, see https://cloud.tencent.com/document/api/213/15749
    cvm_pass_word = "xxx"					# Login password for the CVM instance in the node pool. Password length: 8-16 characters.
    security_group_ids = ["sg-xxx", "sg-xxx"] 						# Array of IDs of security groups associated with the node pool
}

# Declare TKE node pool resources
resource "tencentcloud_kubernetes_node_pool" "example_node_pool" {
  cluster_id = tencentcloud_kubernetes_cluster.managed_cluster_example.id # Associate the node pool with the cluster created above
  delete_keep_instance = false                   # Set it to `false`, which indicates the associated CVM instance is deleted when you delete the node pool.
  max_size   = local.max_node_size
  min_size   = local.min_node_size
  name       = local.node_pool_name
  vpc_id     = tencentcloud_vpc.vpc_example.id
  subnet_ids = [tencentcloud_subnet.subnet_example.id] # Array of IDs of subnets associated with the node pool
  auto_scaling_config {
    instance_type = local.cvm_instance_type
    # key_ids = ["xxx"]                                # Set the login key for the CVM instance in the node pool
    password = local.cvm_pass_word                     # Set the login password for the CVM instance in the node pool
    security_group_ids = local.security_group_ids
  }
}
2. Run the following command to view the resource plan generated by Terraform based on the configuration file.
terraform plan
The returned information is as follows:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:
...

Plan: 1 to add, 0 to change, 0 to destroy.
...
3. Run the following command to create the resource.
terraform apply
The returned information is as follows:
...
Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:
Enter yes as prompted to create the resource. The following information is returned:
...
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
You have completed the creation of the node pool. You can view the resources you have created in Tencent Cloud console.

Cleaning up Resources with Terraform

You can run the following command to delete the VPCs, subnets and managed TKE clusters you have created.
terraform destroy
The returned information is as follows:
...
Plan: 0 to add, 0 to change, 3 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value:
Enter yes as prompted to confirm the deletion. The following information is returned:
...
Destroy complete! Resources: 3 destroyed.

References

Terraform documentation
Tencent Cloud Terraform Provider
Tencent Cloud General TKE cluster
Tencent Cloud TKE Node Pool
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No

Feedback