
Terraform is an open source tool for provisioning and managing cloud infrastructure and resources securely and efficiently. This topic shows how to create an RDS PostgreSQL instance by using Terraform.





  1. Create a RAM user:

    1. Go to the RAM user list and click Create User.

    2. Set the logon name to rds-test-operator and select Using permanent AccessKey to access as the access mode.

    3. Click OK to create the RAM user, and save the AccessKey ID and AccessKey Secret.

  2. Grant permissions:

    1. Go to the RAM user list and click Add Permissions in the Actions column of the target RAM user.

    2. Search for AliyunRDS in the text box and select AliyunRDSFullAccess (full control over RDS).

    3. Search for VPC in the text box and select AliyunVPCFullAccess (full control over VPC).

    4. Click Confirm Add Permissions to complete the authorization.



  • Use Alibaba Cloud Cloud Shell. Cloud Shell is a free O&M product that comes with the Terraform components preinstalled and identity credentials already configured, so you can run Terraform commands in Cloud Shell directly. For more information, see Cloud Shell.

  • Install and configure Terraform locally. For more information, see Install and configure Terraform locally.

    After the installation, open a command-line terminal and run terraform version. If version information is returned, Terraform is installed successfully.
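The steps above produce an AccessKey for the RAM user but do not say how Terraform receives it. The following provider configuration is an added example, not part of the original topic: it pins the provider to the aliyun/alicloud source and keeps credentials out of the template entirely, so the AccessKey ID and AccessKey Secret are supplied through the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables (which the alicloud provider reads) and never land in terraform.tf or in version control. The variable name region and its default value cn-hangzhou are assumptions made for this example.

```hcl
# Added example (not from the original page): provider setup for the
# template that follows. No AccessKey appears in this file.
terraform {
  required_version = ">= 0.13"

  required_providers {
    alicloud = {
      # The hashicorp/alicloud namespace is deprecated; the provider lives under aliyun.
      source  = "aliyun/alicloud"
      version = ">= 1.226.0"
    }
  }
}

# Credentials come from the environment: ALICLOUD_ACCESS_KEY and
# ALICLOUD_SECRET_KEY (and ALICLOUD_REGION if region is not set here).
provider "alicloud" {
  region = var.region
}

variable "region" {
  type        = string
  description = "Region of the resources; assumed value, zone cn-hangzhou-j lies in cn-hangzhou."
  default     = "cn-hangzhou"
}
```

Before running terraform init, export the RAM user's key in the shell session (export ALICLOUD_ACCESS_KEY=<AccessKey ID>, export ALICLOUD_SECRET_KEY=<AccessKey Secret>). In Cloud Shell this step is unnecessary because credentials are already configured. Commit .terraform.lock.hcl alongside the template so that every run resolves the same provider build.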



  1. Create the working directory and change into it.



    • Linux and macOS:

      sudo mkdir /usr/local/rds_terraform
      cd /usr/local/rds_terraform


      If you are not working as the root user, you also need to grant yourself permissions on the rds_terraform directory: run sudo chown -R <current user>:<group of the user> /usr/local/rds_terraform to change the owner of the rds_terraform folder to the current user.

    • Windows: for example, create a folder named rds_terraform on drive D and open it.

  2. In the working directory, create the Terraform template file (terraform.tf).

    • Linux and macOS:

      touch terraform.tf
    • Windows: create the terraform.tf file manually.

  3. Edit the terraform.tf file and add the following content. This example creates a VPC, a vSwitch in zone cn-hangzhou-j, and an RDS PostgreSQL instance in that vSwitch.

    # Network: a VPC and a vSwitch in zone cn-hangzhou-j for the instance.
    # cidr_block is left blank on this page; fill in your own CIDR (for example
    # 172.16.0.0/12 for the VPC and a subnet of it for the vSwitch) before applying.
    resource "alicloud_vpc" "main" {
      vpc_name   = "alicloud"
      cidr_block = ""
    }

    resource "alicloud_vswitch" "main" {
      vpc_id     = alicloud_vpc.main.id
      cidr_block = ""
      zone_id    = "cn-hangzhou-j"
      depends_on = [alicloud_vpc.main]
    }

    # The RDS PostgreSQL instance, pay-as-you-go, placed in the vSwitch above.
    resource "alicloud_db_instance" "instance" {
      engine               = "PostgreSQL"
      engine_version       = "13.0"
      instance_type        = "pg.n2.2c.2m"
      instance_storage     = "30"
      instance_charge_type = "Postpaid"
      vswitch_id           = alicloud_vswitch.main.id
    }
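The template above creates the instance with everything security-relevant left at the provider defaults: the IP whitelist, TLS on the endpoint, the SQL audit log and deletion protection all show up in the plan output below as "known after apply" or false. The following resource is an added example, not the original page's template, and is meant to replace the alicloud_db_instance block above (keep the alicloud_vpc and alicloud_vswitch resources, which it assumes exist). The variable allowed_client_cidrs and its default are constructed placeholders; the output blocks expose the endpoint for the final "view the result" step via terraform output.

```hcl
# Added example (not the original template): hardened replacement for the
# alicloud_db_instance resource. Assumes alicloud_vswitch.main from the template.
variable "allowed_client_cidrs" {
  type        = list(string)
  description = "Constructed placeholder: CIDR blocks of the application hosts allowed to connect."
  default     = ["10.0.0.0/24"]
}

resource "alicloud_db_instance" "instance" {
  engine               = "PostgreSQL"
  engine_version       = "13.0"
  instance_type        = "pg.n2.2c.2m"
  instance_storage     = "30"
  instance_charge_type = "Postpaid"
  vswitch_id           = alicloud_vswitch.main.id

  # Network exposure: restrict the instance whitelist to the application subnet
  # rather than accepting whatever the default whitelist contains.
  security_ip_mode = "normal"
  security_ips     = var.allowed_client_cidrs

  # Transport security: enable TLS on the connection endpoint.
  ssl_action = "Open"

  # Auditability: enable the SQL audit log (SQL Explorer) with 30 days of retention.
  sql_collector_status       = "Enabled"
  sql_collector_config_value = 30

  # Patching and safety rails: take minor-version upgrades automatically and
  # refuse destroy/deletion until protection is explicitly lifted.
  auto_upgrade_minor_version = "Auto"
  deletion_protection        = true

  tags = {
    managed_by = "terraform"
  }
}

# Endpoint for step 5 (terraform output). Marked sensitive so the hostname
# is not echoed into plan/apply logs by default.
output "rds_connection_string" {
  value       = alicloud_db_instance.instance.connection_string
  description = "Internal endpoint of the RDS PostgreSQL instance"
  sensitive   = true
}

output "rds_port" {
  value       = alicloud_db_instance.instance.port
  description = "Listening port of the instance"
}
```

With deletion_protection set to true, terraform destroy fails until the attribute is changed back to false and applied first, which is the intended friction for a production database. The whitelist is the first control to review after apply: terraform state show alicloud_db_instance.instance lists the effective security_ips.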



  1. Go to the D:\rds_terraform directory and initialize the working directory, which downloads modules such as the provider.

    terraform init


    Initializing the backend...
    Initializing provider plugins...
    - Finding latest version of hashicorp/alicloud...
    - Installing hashicorp/alicloud v1.226.0...
    - Installed hashicorp/alicloud v1.226.0 (signed by HashiCorp)
    Terraform has created a lock file .terraform.lock.hcl to record the provider
    selections it made above. Include this file in your version control repository
    so that Terraform can guarantee to make the same selections by default when
    you run "terraform init" in the future.
    │ Warning: Additional provider information from registry
    │ The remote registry returned warnings for registry.terraform.io/hashicorp/alicloud:
    │ - For users on Terraform 0.13 or greater, this provider has moved to aliyun/alicloud. Please update your source in required_providers.
    Terraform has been successfully initialized!
    You may now begin working with Terraform. Try running "terraform plan" to see
    any changes that are required for your infrastructure. All Terraform commands
    should now work.
    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.
  2. Verify that the template syntax is correct.

    terraform validate


    Success! The configuration is valid.
  3. Preview the template.

    terraform plan


    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      + create
    Terraform will perform the following actions:
      # alicloud_db_instance.instance will be created
      + resource "alicloud_db_instance" "instance" {
          + acl                        = (known after apply)
          + auto_upgrade_minor_version = (known after apply)
          + babelfish_port             = (known after apply)
          + ca_type                    = (known after apply)
          + category                   = (known after apply)
          + connection_string          = (known after apply)
          + connection_string_prefix   = (known after apply)
          + create_time                = (known after apply)
          + db_instance_storage_type   = (known after apply)
          + db_instance_type           = (known after apply)
          + db_is_ignore_case          = (known after apply)
          + db_time_zone               = (known after apply)
          + deletion_protection        = false
          + engine                     = "PostgreSQL"
          + engine_version             = "14.0"
          + force_restart              = false
          + ha_config                  = (known after apply)
          + id                         = (known after apply)
          + instance_charge_type       = "Postpaid"
          + instance_storage           = 30
          + instance_type              = "pg.n2.2c.2m"
          + maintain_time              = (known after apply)
          + monitoring_period          = (known after apply)
          + node_id                    = (known after apply)
          + port                       = (known after apply)
          + private_ip_address         = (known after apply)
          + replication_acl            = (known after apply)
          + resource_group_id          = (known after apply)
          + role_arn                   = (known after apply)
          + security_group_id          = (known after apply)
          + security_group_ids         = (known after apply)
          + security_ip_mode           = "normal"
          + security_ips               = (known after apply)
          + server_cert                = (known after apply)
          + server_key                 = (known after apply)
          + sql_collector_config_value = 30
          + sql_collector_status       = (known after apply)
          + ssl_action                 = (known after apply)
          + ssl_connection_string      = (known after apply)
          + ssl_status                 = (known after apply)
          + status                     = (known after apply)
          + target_minor_version       = (known after apply)
          + tcp_connection_type        = (known after apply)
          + tde_status                 = (known after apply)
          + vpc_id                     = (known after apply)
          + vswitch_id                 = (known after apply)
          + zone_id                    = (known after apply)
          + zone_id_slave_a            = (known after apply)
          + zone_id_slave_b            = (known after apply)
          + babelfish_config (known after apply)
          + parameters (known after apply)
          + pg_hba_conf (known after apply)
      # alicloud_vpc.main will be created
      + resource "alicloud_vpc" "main" {
          + cidr_block            = ""
          + create_time           = (known after apply)
          + id                    = (known after apply)
          + ipv6_cidr_block       = (known after apply)
          + ipv6_cidr_blocks      = (known after apply)
          + name                  = (known after apply)
          + resource_group_id     = (known after apply)
          + route_table_id        = (known after apply)
          + router_id             = (known after apply)
          + router_table_id       = (known after apply)
          + secondary_cidr_blocks = (known after apply)
          + status                = (known after apply)
          + user_cidrs            = (known after apply)
          + vpc_name              = "alicloud"
      # alicloud_vswitch.main will be created
      + resource "alicloud_vswitch" "main" {
          + availability_zone    = (known after apply)
          + cidr_block           = ""
          + create_time          = (known after apply)
          + id                   = (known after apply)
          + ipv6_cidr_block      = (known after apply)
          + ipv6_cidr_block_mask = (known after apply)
          + name                 = (known after apply)
          + status               = (known after apply)
          + vpc_id               = (known after apply)
          + vswitch_name         = (known after apply)
          + zone_id              = "cn-hangzhou-j"
      Plan: 3 to add, 0 to change, 0 to destroy.
  4. Apply the template configuration. When prompted, enter yes to confirm.

    terraform apply



    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      + create
    Terraform will perform the following actions:
      # alicloud_db_instance.instance will be created
      + resource "alicloud_db_instance" "instance" {
          + acl                        = (known after apply)
          + auto_upgrade_minor_version = (known after apply)
          + babelfish_port             = (known after apply)
          + ca_type                    = (known after apply)
          + category                   = (known after apply)
          + connection_string          = (known after apply)
          + connection_string_prefix   = (known after apply)
          + create_time                = (known after apply)
          + db_instance_storage_type   = (known after apply)
          + db_instance_type           = (known after apply)
          + db_is_ignore_case          = (known after apply)
          + db_time_zone               = (known after apply)
          + deletion_protection        = false
          + engine                     = "PostgreSQL"
          + engine_version             = "14.0"
          + force_restart              = false
          + ha_config                  = (known after apply)
          + id                         = (known after apply)
          + instance_charge_type       = "Postpaid"
          + instance_storage           = 30
          + instance_type              = "pg.n2.2c.2m"
          + maintain_time              = (known after apply)
          + monitoring_period          = (known after apply)
          + node_id                    = (known after apply)
          + port                       = (known after apply)
          + private_ip_address         = (known after apply)
          + replication_acl            = (known after apply)
          + resource_group_id          = (known after apply)
          + role_arn                   = (known after apply)
          + security_group_id          = (known after apply)
          + security_group_ids         = (known after apply)
          + security_ip_mode           = "normal"
          + security_ips               = (known after apply)
          + server_cert                = (known after apply)
          + server_key                 = (known after apply)
          + sql_collector_config_value = 30
          + sql_collector_status       = (known after apply)
          + ssl_action                 = (known after apply)
          + ssl_connection_string      = (known after apply)
          + ssl_status                 = (known after apply)
          + status                     = (known after apply)
          + target_minor_version       = (known after apply)
          + tcp_connection_type        = (known after apply)
          + tde_status                 = (known after apply)
          + vpc_id                     = (known after apply)
          + vswitch_id                 = (known after apply)
          + zone_id                    = (known after apply)
          + zone_id_slave_a            = (known after apply)
          + zone_id_slave_b            = (known after apply)
          + babelfish_config (known after apply)
          + parameters (known after apply)
          + pg_hba_conf (known after apply)
      # alicloud_vpc.main will be created
      + resource "alicloud_vpc" "main" {
          + cidr_block            = ""
          + create_time           = (known after apply)
          + id                    = (known after apply)
          + ipv6_cidr_block       = (known after apply)
          + ipv6_cidr_blocks      = (known after apply)
          + name                  = (known after apply)
          + resource_group_id     = (known after apply)
          + route_table_id        = (known after apply)
          + router_id             = (known after apply)
          + router_table_id       = (known after apply)
          + secondary_cidr_blocks = (known after apply)
          + status                = (known after apply)
          + user_cidrs            = (known after apply)
          + vpc_name              = "alicloud"
      # alicloud_vswitch.main will be created
      + resource "alicloud_vswitch" "main" {
          + availability_zone    = (known after apply)
          + cidr_block           = ""
          + create_time          = (known after apply)
          + id                   = (known after apply)
          + ipv6_cidr_block      = (known after apply)
          + ipv6_cidr_block_mask = (known after apply)
          + name                 = (known after apply)
          + status               = (known after apply)
          + vpc_id               = (known after apply)
          + vswitch_name         = (known after apply)
          + zone_id              = "cn-hangzhou-j"
    Plan: 3 to add, 0 to change, 0 to destroy.
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
      Enter a value: 



    alicloud_vpc.main: Creating...
    alicloud_vpc.main: Creation complete after 9s [id=vpc-bp1apzkp9l5gkuq0****]
    alicloud_vswitch.main: Creating...
    alicloud_vswitch.main: Creation complete after 4s [id=vsw-bp1lmhzc42h5cc0t8****]
    alicloud_db_instance.instance: Creating...
    alicloud_db_instance.instance: Still creating... [10s elapsed]
    alicloud_db_instance.instance: Still creating... [20s elapsed]
    alicloud_db_instance.instance: Still creating... [6m1s elapsed]
    alicloud_db_instance.instance: Still creating... [6m11s elapsed]
    alicloud_db_instance.instance: Creation complete after 6m20s [id=pgm-bp10ckaa2340****]
    Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
  5. View the result.




For detailed examples of calling the RDS OpenAPI through Terraform, see Terraform.