🛕
OpenTofu を試す
ここでの目標
- バックエンドとしてAzure Blobコンテナを利用してみる
- http プロバイダ を試す
準備
バックエンドとして利用するBlobコンテナを作成しておきます。(既存ストレージアカウントを使用する前提)
$ az storage container create --name <container name> --account-name <storage account name>
tf ファイル
構築時に自PCのグローバルアドレスを取得して利用したいという状況はよくあると思います。こんなとき http プロバイダが利用されます。
ここでは以下のような感じで json 形式でIPアドレスを取得できるサービスを利用してみます。
$ curl -s https://example.net/getaddress/ | jq .
{
"sourceip": "x.x.x.x",
"domainname": "ptr-xxx.example.com"
}
以下の tf ファイルを準備します。
自PCのIPアドレスを調べて出力するだけの内容です。
NSGの許可アドレスとして利用する場合 local.allowed_address_prefix_ssh を指定する感じになります。
$ cat init.tf
terraform {
required_version = ">=0.12"
required_providers {
http = {
source = "hashicorp/http"
version = "~> 3.0"
}
}
backend "azurerm" {
resource_group_name = "management"
storage_account_name = "<storage account name>"
container_name = "<container name>"
key = "terraform.tfstate"
}
}
provider http {
}
data "http" "getaddress" {
url = "https://example.net/getaddress/"
}
locals {
allowed_address_prefix_ssh = jsondecode(data.http.getaddress.response_body).sourceip
}
output "allowed_address_prefix_ssh" {
value = local.allowed_address_prefix_ssh
}
init
$ tofu init
遅ればせながら、環境は以下。
$ tofu --version
OpenTofu v1.6.0
on linux_arm64
+ provider registry.opentofu.org/hashicorp/http v3.4.2
$ uname -a
Linux 9d43bf16a58b 5.4.42-v8+ #1319 SMP PREEMPT Wed May 20 14:18:56 BST 2020 aarch64 aarch64 aarch64 GNU/Linux
$ cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
plan
$ tofu plan | cat
data.http.getaddress: Reading...
data.http.getaddress: Read complete after 0s [id=https://example.net/getaddress/]
Changes to Outputs:
+ allowed_address_prefix_ssh = "x.x.x.x"
You can apply this plan to save these new output values to the OpenTofu
state, without changing any real infrastructure.
─────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.
apply
$ tofu apply | cat
data.http.getaddress: Reading...
data.http.getaddress: Read complete after 0s [id=https://example.net/getaddress/]
Changes to Outputs:
+ allowed_address_prefix_ssh = "x.x.x.x"
You can apply this plan to save these new output values to the OpenTofu
state, without changing any real infrastructure.
Do you want to perform these actions?
OpenTofu will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
allowed_address_prefix_ssh = "x.x.x.x"
確認
$ tofu state list
data.http.getaddress
$ tofu show
# data.http.getaddress:
data "http" "getaddress" {
body = jsonencode(
{
domainname = "ptr-xxx.example.com"
sourceip = "x.x.x.x"
}
)
id = "https://example.net/getaddress/"
response_body = jsonencode(
{
domainname = "ptr-xxx.example.com"
sourceip = "x.x.x.x"
}
)
response_body_base64 = "xxxx"
response_headers = {
割愛
}
status_code = 200
url = "https://example.net/getaddress/"
}
Outputs:
allowed_address_prefix_ssh = "x.x.x.x"
-
tofu state show data.http.getaddress
でdata.http.getaddress
の情報だけ出力できる。 -
tofu state rm data.http.getaddress
でdata.http.getaddress
を管理下から除外できる。
destroy
$ tofu destroy | cat
data.http.getaddress: Reading...
data.http.getaddress: Read complete after 0s [id=https://example.net/getaddress/]
Changes to Outputs:
- allowed_address_prefix_ssh = "x.x.x.x" -> null
You can apply this plan to save these new output values to the OpenTofu
state, without changing any real infrastructure.
Do you really want to destroy all resources?
OpenTofu will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
Destroy complete! Resources: 0 destroyed.
確認
$ tofu show
The state file is empty. No resources are represented.
Discussion