feat: 更新OCI Provider版本至7.20并集成Vault配置

refactor: 重构Terraform配置以使用Consul和Vault存储敏感信息 docs: 添加Vault实施文档和配置指南 chore: 清理不再使用的配置文件和脚本 feat: 添加Nomad集群领导者发现脚本和文档 feat: 实现MCP配置共享方案和同步脚本 style: 更新README中的网络访问注意事项 test: 添加Consul Provider集成测试脚本
2025-09-29 01:42:57 +00:00
parent ad531936dd
commit f72b17a34f
38 changed files with 3741 additions and 888 deletions
--- a/tofu/environments/dev/main.tf
+++ b/tofu/environments/dev/main.tf
@@ -8,13 +8,7 @@ terraform {
    # Oracle Cloud Infrastructure
    oci = {
      source  = "oracle/oci"
-      version = "~> 5.0"
-    }
-    
-    # 华为云
-    huaweicloud = {
-      source  = "huaweicloud/huaweicloud"
-      version = "~> 1.60"
+      version = "~> 7.20"
    }
    
    # 其他常用提供商
@@ -32,6 +26,18 @@ terraform {
      source  = "hashicorp/local"
      version = "~> 2.1"
    }
+    
+    # Consul Provider
+    consul = {
+      source  = "hashicorp/consul"
+      version = "~> 2.22.0"
+    }
+    
+    # HashiCorp Vault Provider
+    vault = {
+      source  = "hashicorp/vault"
+      version = "~> 4.0"
+    }
  }
  
  # 后端配置
@@ -40,21 +46,87 @@ terraform {
  }
 }

-# Oracle Cloud 提供商配置
-provider "oci" {
-  tenancy_ocid     = var.oci_config.tenancy_ocid
-  user_ocid        = var.oci_config.user_ocid
-  fingerprint      = var.oci_config.fingerprint
-  private_key_path = var.oci_config.private_key_path
-  region           = var.oci_config.region
+# 将从Consul获取的私钥保存到临时文件
+resource "local_file" "oci_kr_private_key" {
+  content  = data.consul_keys.oracle_config.var.private_key
+  filename = "/tmp/oci_kr_private_key.pem"
 }

-# 华为云提供商配置 (仅在需要时配置)
-provider "huaweicloud" {
-  access_key = var.huawei_config.access_key
-  secret_key = var.huawei_config.secret_key
-  region     = var.huawei_config.region
-  alias      = "huawei"
+resource "local_file" "oci_us_private_key" {
+  content  = data.consul_keys.oracle_config_us.var.private_key
+  filename = "/tmp/oci_us_private_key.pem"
+}
+
+# Consul Provider配置
+provider "consul" {
+  address    = "localhost:8500"
+  scheme     = "http"
+  datacenter = "dc1"
+}
+
+# Vault Provider配置
+provider "vault" {
+  address = var.vault_config.address
+  token   = var.vault_token
+}
+
+# 从Consul获取Oracle Cloud配置
+data "consul_keys" "oracle_config" {
+  key {
+    name = "tenancy_ocid"
+    path = "config/dev/oracle/kr/tenancy_ocid"
+  }
+  key {
+    name = "user_ocid"
+    path = "config/dev/oracle/kr/user_ocid"
+  }
+  key {
+    name = "fingerprint"
+    path = "config/dev/oracle/kr/fingerprint"
+  }
+  key {
+    name = "private_key"
+    path = "config/dev/oracle/kr/private_key"
+  }
+}
+
+# 从Consul获取Oracle Cloud美国区域配置
+data "consul_keys" "oracle_config_us" {
+  key {
+    name = "tenancy_ocid"
+    path = "config/dev/oracle/us/tenancy_ocid"
+  }
+  key {
+    name = "user_ocid"
+    path = "config/dev/oracle/us/user_ocid"
+  }
+  key {
+    name = "fingerprint"
+    path = "config/dev/oracle/us/fingerprint"
+  }
+  key {
+    name = "private_key"
+    path = "config/dev/oracle/us/private_key"
+  }
+}
+
+# 使用从Consul获取的配置的OCI Provider
+provider "oci" {
+  tenancy_ocid     = data.consul_keys.oracle_config.var.tenancy_ocid
+  user_ocid        = data.consul_keys.oracle_config.var.user_ocid
+  fingerprint      = data.consul_keys.oracle_config.var.fingerprint
+  private_key_path = local_file.oci_kr_private_key.filename
+  region           = "ap-chuncheon-1"
+}
+
+# 美国区域的OCI Provider
+provider "oci" {
+  alias           = "us"
+  tenancy_ocid    = data.consul_keys.oracle_config_us.var.tenancy_ocid
+  user_ocid       = data.consul_keys.oracle_config_us.var.user_ocid
+  fingerprint     = data.consul_keys.oracle_config_us.var.fingerprint
+  private_key_path = local_file.oci_us_private_key.filename
+  region          = "us-ashburn-1"
 }

 # Oracle Cloud 基础设施
@@ -68,7 +140,15 @@ module "oracle_cloud" {
  vpc_cidr       = var.vpc_cidr
  availability_zones = var.availability_zones
  common_tags    = var.common_tags
-  oci_config     = var.oci_config
+  
+  # 使用从Consul获取的配置
+  oci_config = {
+    tenancy_ocid     = data.consul_keys.oracle_config.var.tenancy_ocid
+    user_ocid        = data.consul_keys.oracle_config.var.user_ocid
+    fingerprint      = data.consul_keys.oracle_config.var.fingerprint
+    private_key_path = local_file.oci_kr_private_key.filename
+    region           = "ap-chuncheon-1"
+  }
  
  # 开发环境特定配置
  instance_count = 1
@@ -79,31 +159,8 @@ module "oracle_cloud" {
  }
 }

-# 华为云基础设施 (可选)
-module "huawei_cloud" {
-  source = "../../providers/huawei-cloud"
-  count  = contains(var.cloud_providers, "huawei") ? 1 : 0
-  
-  environment    = var.environment
-  project_name   = var.project_name
-  owner          = var.owner
-  vpc_cidr       = "10.1.0.0/16"  # 不同的 CIDR 避免冲突
-  availability_zones = var.availability_zones
-  common_tags    = var.common_tags
-  huawei_config  = var.huawei_config
-  
-  providers = {
-    huaweicloud = huaweicloud.huawei
-  }
-}
-
 # 输出
 output "oracle_cloud_outputs" {
  description = "Oracle Cloud 基础设施输出"
  value       = module.oracle_cloud
-}
-
-output "huawei_cloud_outputs" {
-  description = "华为云基础设施输出"
-  value       = length(module.huawei_cloud) > 0 ? module.huawei_cloud[0] : null
 }
--- a/tofu/environments/dev/variables.tf
+++ b/tofu/environments/dev/variables.tf
@@ -130,4 +130,25 @@ variable "do_config" {
    region = "sgp1"
  }
  sensitive = true
+}
+
+# HashiCorp Vault 配置
+variable "vault_config" {
+  description = "HashiCorp Vault 配置"
+  type = object({
+    address = string
+    token   = string
+  })
+  default = {
+    address = "http://localhost:8200"
+    token   = ""
+  }
+  sensitive = true
+}
+
+variable "vault_token" {
+  description = "Vault 访问令牌"
+  type        = string
+  default     = ""
+  sensitive   = true
 }