
Use a Terraform plan to deploy an Amazon Linux 2 instance on Amazon Elastic Compute Cloud and connect it to Azure Arc

This article provides guidance for using the provided Terraform plan to deploy an Amazon Web Services (AWS) Amazon Elastic Compute Cloud (EC2) Linux 2 instance and connect it as an Azure Arc enabled server resource.

Prerequisites

  1. Clone the Azure Arc Jumpstart repository.

    git clone https://github.com/microsoft/azure_arc.git
    
  2. Install or update Azure CLI. Azure CLI should be running version 2.7.0 or later. Use az --version to check your currently installed version.

  3. Generate an SSH key (or use an existing SSH key).

  4. Create a free AWS account.

  5. Install Terraform >= 0.12.

  6. Create an Azure service principal.

    To connect the AWS virtual machine to Azure Arc, an Azure service principal assigned the Contributor role is required. To create it, sign in to your Azure account and run the following commands:

    az login
    az ad sp create-for-rbac -n "http://AzureArcAWS" --role contributor
    

    Output should look similar to this:

    {
      "appId": "XXXXXXXXXXXXXXXXXXXXXXXX",
      "displayName": "AzureArcAWS",
      "name": "http://AzureArcAWS",
      "password": "XXXXXXXXXXXXXXXXXXXXXXXX",
      "tenant": "XXXXXXXXXXXXXXXXXXXXXXXX"
    }
    

    Note

    We highly recommend that you scope the service principal to a specific Azure subscription and resource group.

Create an AWS identity

In order for Terraform to create resources in AWS, you need to create a new AWS IAM identity with appropriate permissions and configure Terraform to use it.

  1. Sign in to the AWS management console.

  2. After signing in, select the Services dropdown in the top left. Under Security, Identity, and Compliance, select IAM to access the Identity and Access Management page.

    (Screenshot: the AWS cloud console)

    (Screenshot: Identity and Access Management in the AWS cloud console)

  3. Select Users from the left menu, and then select Add user to create a new IAM user.

    (Screenshot: creating a new user in the AWS cloud console)

  4. On the Add user page, name the user Terraform, select the Programmatic access check box, and then select Next.

    (Second screenshot: creating a new user in the AWS cloud console)

  5. On the Set permissions page, select Attach existing policies directly, check the box next to AmazonEC2FullAccess as shown in the screenshot, and then select Next.

    (Third screenshot: creating a new user in the AWS cloud console)

  6. On the Tags page, assign a tag with a key of azure-arc-demo, then select Next to proceed to the Review page.

    (Screenshot: tags in the AWS cloud console)

  7. Verify that everything is correct, then select Create user.

    (Fourth screenshot: creating a new user in the AWS cloud console)

  8. After the user is created, you will see the user's access key ID and secret access key. Copy these values down before selecting Close. On the next page, you can see an example of what this should look like. Once you have these keys, you will be able to use them with Terraform to create AWS resources.

    (Screenshot: user successfully created in the AWS cloud console)

Configure Terraform

Before executing the Terraform plan, you must export the environment variables which will be used by the plan. These variables are based on your Azure subscription and tenant, the Azure service principal, and the AWS IAM user and keys you just created.

  1. Retrieve your Azure subscription ID and tenant ID using the az account list command.

  2. The Terraform plan creates resources in both Microsoft Azure and AWS. It then executes a script on the AWS EC2 virtual machine to install the Azure Arc agent and all necessary artifacts. This script requires certain information about your AWS and Azure environments. Edit scripts/vars.sh and update each of the variables with the appropriate values.

    • TF_VAR_subscription_id = your Azure subscription ID
    • TF_VAR_client_id = your Azure service principal application ID
    • TF_VAR_client_secret = your Azure service principal password
    • TF_VAR_tenant_id = your Azure tenant ID
    • AWS_ACCESS_KEY_ID = AWS access key
    • AWS_SECRET_ACCESS_KEY = AWS secret key

  3. From the Azure CLI, navigate to the azure_arc_servers_jumpstart/aws/al2/terraform directory of the cloned repo.

  4. Export the environment variables you edited by running scripts/vars.sh with the source command as shown below. Terraform requires these to be set for the plan to execute properly. Note that this script will also be automatically executed remotely on the AWS virtual machine as part of the Terraform deployment.

    source ./scripts/vars.sh
    
  5. Make sure your SSH keys are available in ~/.ssh and named id_rsa.pub and id_rsa. If you followed the ssh-keygen guide above to create your key, this should already be set up correctly. If not, you may need to modify main.tf to use a key with a different path.

  6. Run the terraform init command, which will download the Terraform AzureRM provider.

    (Screenshot: the terraform init command)
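As an added example (not code from the Azure Arc Jumpstart repository), the following POSIX shell script checks the preconditions of steps 1 to 6 before terraform init runs: that scripts/vars.sh exported every required variable, that the three Azure IDs are GUIDs rather than the XXXX placeholders from the sample output above, that ~/.ssh/id_rsa and id_rsa.pub exist with the private key readable by its owner only, and that the Azure CLI is 2.7.0 or later. The function names and the invocation with a "run" argument are assumptions.

```shell
# Preflight checks for the Terraform plan above (added example, not part of the
# Azure Arc Jumpstart repo). Run after `source ./scripts/vars.sh`, before
# `terraform init`; every check is a function that returns 0 on success.
# Variables scripts/vars.sh must export before the plan can run.
REQUIRED_VARS="TF_VAR_subscription_id TF_VAR_client_id TF_VAR_client_secret \
TF_VAR_tenant_id AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY"

# Succeed only if every required variable is set and non-empty; list the rest.
require_vars() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] && return 0
  echo "missing or empty:$missing" >&2
  return 1
}
# Succeed if $1 has the shape of an Azure GUID; this catches the XXXX placeholder
# values from the sample create-for-rbac output being pasted into vars.sh.
looks_like_guid() {
  echo "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}
# Succeed if dotted version $1 >= $2 (e.g. version_ge 2.10.1 2.7.0).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}
# Succeed if the key pair main.tf expects exists in $1 (default ~/.ssh) and the
# private key is readable by its owner only (mode 0600).
check_ssh_keys() {
  dir="${1:-$HOME/.ssh}"
  [ -f "$dir/id_rsa" ] && [ -f "$dir/id_rsa.pub" ] || return 1
  [ "$(ls -l "$dir/id_rsa" | cut -c1-10)" = "-rw-------" ]
}

# Run every check; the CLI version comes from the first line of `az --version`.
preflight() {
  require_vars || return 1
  for id in "$TF_VAR_subscription_id" "$TF_VAR_client_id" "$TF_VAR_tenant_id"; do
    looks_like_guid "$id" || { echo "not a GUID: $id" >&2; return 1; }
  done
  check_ssh_keys || { echo "id_rsa/id_rsa.pub missing or too permissive" >&2; return 1; }
  azver=$(az --version 2>/dev/null | awk '/^azure-cli/ {print $2; exit}')
  version_ge "${azver:-0}" 2.7.0 || { echo "need Azure CLI >= 2.7.0" >&2; return 1; }
}

# Sourcing the file only defines the functions; "run" executes the checks.
if [ "${1:-}" = "run" ]; then preflight; fi
```

Source the file after scripts/vars.sh and call preflight, or run it with the run argument; a non-zero exit names the first failing precondition on stderr.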

Deployment

  1. Run the terraform apply --auto-approve command and wait for the plan to finish. Upon completion, you will have an AWS Amazon Linux 2 EC2 instance deployed and connected as a new Azure Arc enabled server inside a new resource group.

  2. Open the Azure portal and navigate to the arc-servers-demo resource group. The virtual machine created in AWS will be visible as a resource.

    (Screenshot: an Azure Arc enabled server in the Azure portal)

Semi-automated deployment (optional)

As you may have noticed, the last step of the run is to register the VM as a new Azure Arc enabled server resource.

(Screenshot: the azcmagent connect command)

If you want to demo or control the actual registration process, do the following:

  1. In the install_arc_agent.sh.tmpl script template, comment out the run connect command section and save the file.

    (Screenshot: the azcmagent connect command commented out)

  2. Get the public IP of the AWS VM by running terraform output.

    (Screenshot: terraform output)

  3. SSH to the VM using ssh ec2-user@xx.xx.xx.xx, where xx.xx.xx.xx is the host IP.

    (Screenshot: connecting to the EC2 server over SSH)

  4. Export all the environment variables in vars.sh.

    (Screenshot: the environment variables exported from vars.sh)

  5. Run the following command:

    azcmagent connect --service-principal-id $TF_VAR_client_id --service-principal-secret $TF_VAR_client_secret --resource-group "Arc-Servers-Demo" --tenant-id $TF_VAR_tenant_id --location "westus2" --subscription-id $TF_VAR_subscription_id
    

    (Another screenshot: the azcmagent connect command)

  6. When complete, your VM will be registered with Azure Arc and visible in the resource group via the Azure portal.

Delete the deployment

To delete all the resources you created as part of this demo, use the terraform destroy --auto-approve command as shown below.

(Screenshot: the terraform destroy command)

Alternatively, you can delete the AWS EC2 instance directly by terminating it from the AWS console.

(Screenshot: terminating an instance in the AWS console)