Terraform Providers
What is a provider?
A provider is a plugin that lets Terraform manage resources on a particular platform (AWS, Azure, GCP, and others). Without a provider Terraform can do nothing: it is like a language with no way to perform any practical work.
The provider's job:
A provider performs the following tasks:
- API communication: talking to the cloud provider's REST API
- Authentication: managing credentials and tokens
- CRUD operations: creating, reading, updating and deleting resources
- State tracking: tracking the state of resources
- Error handling: processing errors and returning informative messages
Provider architecture:
┌─────────────────────────────────────────┐
│ Terraform Core                          │
│ (Go program - business logic)           │
└──────────────┬──────────────────────────┘
               │
               │ Plugin Protocol (gRPC)
               │
┌──────────────┴──────────────────────────┐
│ Provider Plugin                         │
│ (AWS, Azure, GCP provider)              │
└──────────────┬──────────────────────────┘
               │
               │ REST API
               │
┌──────────────┴──────────────────────────┐
│ Cloud Provider                          │
│ (AWS, Azure, GCP infrastructure)        │
└─────────────────────────────────────────┘
Provider types:
There are 3 kinds of provider in the Terraform ecosystem:
1. Official Providers
Supported and maintained by HashiCorp:
- aws - Amazon Web Services
- azurerm - Microsoft Azure
- google - Google Cloud Platform
- kubernetes - Kubernetes
- helm - Helm charts
Characteristics:
- Highest quality
- Updated frequently
- Complete documentation
- Supported by HashiCorp
2. Partner Providers
Maintained by third-party companies in partnership with HashiCorp:
- datadog - Datadog monitoring
- cloudflare - Cloudflare CDN
- mongodb - MongoDB Atlas
- pagerduty - PagerDuty alerting
Characteristics:
- Supported by the company
- Good quality
- Verified badge
3. Community Providers
Created and maintained by the community:
- random - generating random values
- null - null resource (for provisioners)
- local - local file operations
Characteristics:
- Free and open source
- Quality can vary
- Community support
Provider Registry
All providers are published in the Terraform Registry: https://registry.terraform.io
Through the Registry you can:
- search for providers
- read the documentation
- view example configurations
- check the available versions
Configuring a provider
Basic syntax
To configure a provider, declare it in a required_providers block and configure it in a provider block:
# 1. Require the provider
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
# 2. Configure the provider
provider "aws" {
  region = "us-east-1"
}
Provider source
A provider source address has 3 parts:
[hostname/][namespace/]type
Examples:
hashicorp/aws  → registry.terraform.io/hashicorp/aws
mycorp/custom  → registry.terraform.io/mycorp/custom
Hostname (optional):
- Default: registry.terraform.io
- For a custom registry: registry.example.com
Namespace:
- Official: hashicorp
- Partner: the company name
- Community: any name
Type:
- The provider name: aws, azurerm, google
Provider versioning
Pinning the provider version is very important: it keeps the configuration stable.
Version constraints (each version line below is one alternative; a real block must contain exactly one version argument):
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Exact version
      # version = "= 5.0.0"
      # Greater than or equal
      # version = ">= 5.0.0"
      # Greater than
      # version = "> 5.0.0"
      # Less than
      # version = "< 6.0.0"
      # Less than or equal
      # version = "<= 5.25.0"
      # Not equal
      # version = "!= 5.0.0"
      # Pessimistic constraint (the most commonly used)
      version = "~> 5.0"     # 5.x, but not 6.0
      # version = "~> 5.25"  # 5.25.x, but not 5.26
      # Multiple conditions
      # version = ">= 5.0, < 6.0"
    }
  }
}
Version selection strategy:
- For development: ~> 5.0 (accept minor updates)
- For production: = 5.25.0 (exact version)
- For testing: >= 5.0 (try new features)
Provider lock file
Terraform creates a .terraform.lock.hcl file to lock provider versions:
# .terraform.lock.hcl
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.25.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:abc123...",
    "h1:def456...",
    "zh:789xyz...",
  ]
}
Advantages of the lock file:
- The whole team uses the same version
- Builds are reproducible
- Security through hash verification
Working with the lock file:
# Create the lock file
terraform init
# Upgrade providers
terraform init -upgrade
# Remove the lock file
rm .terraform.lock.hcl
terraform init
# Re-lock only the named provider, recording hashes for the listed platforms
terraform providers lock -platform=linux_amd64 -platform=darwin_amd64 hashicorp/aws
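Because CI usually runs terraform init from a committed lock file, a check that the lock file actually covers every required provider is worth having. The following Python script is an added example, not code from the original page or from Terraform: it parses the lock-file subset shown above, expands short provider sources the way the "Provider source" section describes (hashicorp/aws becomes registry.terraform.io/hashicorp/aws), and reports providers that are unlocked, unpinned, recorded without hashes, or locked but no longer required. The lock file and the provider list it uses are constructed and the hashes are placeholders.

```python
"""Audit a .terraform.lock.hcl against the providers a configuration requires.

Added example; it is not code from the original page or from Terraform. It
parses only the lock-file subset the page shows (provider blocks with
version, constraints and hashes) using regular expressions instead of a full
HCL parser, which works for files `terraform init` writes but is an
assumption, not a general HCL reader. The lock file and the required
provider list below are constructed; the hashes are placeholders.
"""
import re
from typing import Dict, List

DEFAULT_HOST = "registry.terraform.io"

# Constructed sample in the format `terraform init` writes.
SAMPLE_LOCK = '''
# This file is maintained automatically by "terraform init".
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.25.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:PLACEHOLDERh1hashAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "zh:PLACEHOLDERzhhash00000000000000000000000000000000000000000000000",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version     = "3.6.0"
  constraints = "~> 3.0"
  hashes = []
}
'''

_BLOCK_RE = re.compile(r'provider\s+"(?P<addr>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
_ATTR_RE = re.compile(r'^\s*(version|constraints)\s*=\s*"([^"]*)"', re.M)
_HASHES_RE = re.compile(r'hashes\s*=\s*\[(.*?)\]', re.S)


def parse_lock(text: str) -> Dict[str, dict]:
    """Map each locked provider address to its version, constraints and hashes."""
    result: Dict[str, dict] = {}
    for m in _BLOCK_RE.finditer(text):
        body = m.group("body")
        entry = {"version": None, "constraints": None, "hashes": []}
        for key, value in _ATTR_RE.findall(body):
            entry[key] = value
        hashes = _HASHES_RE.search(body)
        if hashes:
            entry["hashes"] = re.findall(r'"([^"]+)"', hashes.group(1))
        result[m.group("addr")] = entry
    return result


def normalize_source(source: str) -> str:
    """Expand a required_providers source to the full [hostname/]namespace/type form.

    'hashicorp/aws' -> 'registry.terraform.io/hashicorp/aws'; a 3-part address
    is returned unchanged.
    """
    parts = source.split("/")
    if len(parts) == 2:
        return f"{DEFAULT_HOST}/{source}"
    if len(parts) == 3:
        return source
    raise ValueError(f"bad provider source: {source!r}")


def audit_lock(lock_text: str, required_sources: List[str]) -> List[str]:
    """Return policy findings; an empty list means the lock file passes.

    Policy: every required provider is locked with a version, a constraint
    and at least one hash (Terraform verifies a download only against hashes
    that are recorded), and the lock file carries no stale entries.
    """
    lock = parse_lock(lock_text)
    findings: List[str] = []
    required = {normalize_source(s) for s in required_sources}
    for addr in sorted(required):
        entry = lock.get(addr)
        if entry is None:
            findings.append(f"{addr}: not in lock file (init would select any matching version)")
            continue
        if not entry["version"]:
            findings.append(f"{addr}: no version pinned")
        if not entry["constraints"]:
            findings.append(f"{addr}: no constraints recorded")
        if not entry["hashes"]:
            findings.append(f"{addr}: no hashes recorded, the download would not be verified")
    for addr in sorted(set(lock) - required):
        findings.append(f"{addr}: locked but not required (stale entry)")
    return findings


if __name__ == "__main__":
    for line in audit_lock(SAMPLE_LOCK, ["hashicorp/aws", "hashicorp/random", "hashicorp/azurerm"]):
        print(line)
```

Run as a CI step, a non-empty result fails the build before terraform init gets a chance to resolve an unlocked provider to whatever version the registry currently serves.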
AWS Provider
AWS is the most popular cloud provider. Let's look at it in detail.
Basic configuration
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
provider "aws" {
  region = "us-east-1"
}
Authentication methods
The AWS provider supports 4 authentication methods. Terraform searches for credentials in the following order:
1. Static credentials (NOT recommended for production)
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
Problem: the credentials are visible in plain text in the code.
2. Environment variables (a good method)
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="us-east-1"
provider "aws" {
  # The region is taken from the environment variable
}
3. Shared credentials file (best for local use)
~/.aws/credentials:
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[production]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
~/.aws/config:
[default]
region = us-east-1
[profile production]
region = us-west-2
provider "aws" {
  profile = "production" # profile from ~/.aws/credentials
  region  = "us-west-2"
}
4. IAM Role (best for production)
When Terraform runs on EC2 or ECS, the instance or task IAM role is used automatically:
provider "aws" {
  region = "us-east-1"
  # The IAM role is discovered automatically
}
Assume role:
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/TerraformRole"
    session_name = "terraform-session"
    external_id  = "EXTERNAL_ID"
  }
}
AWS provider settings
provider "aws" {
  region  = var.aws_region
  profile = var.aws_profile
  # Default tags - added to every resource
  default_tags {
    tags = {
      Environment = var.environment
      ManagedBy   = "Terraform"
      Project     = var.project_name
      Owner       = var.owner_email
    }
  }
  # Ignore tags - Terraform does not manage these tags
  ignore_tags {
    keys = [
      "CreatedBy",
      "aws:cloudformation:stack-name",
    ]
    key_prefixes = [
      "kubernetes.io/",
      "k8s.io/",
    ]
  }
  # Endpoints - for custom endpoints
  endpoints {
    ec2 = "http://localhost:4566" # LocalStack
    s3  = "http://localhost:4566"
  }
  # Retry settings
  max_retries = 3
  # Allowed account IDs - a safety guard: the provider refuses to run if the
  # credentials belong to any other account
  allowed_account_ids = [
    "123456789012",
  ]
  # Forbidden account IDs - the alternative guard; it cannot be set together
  # with allowed_account_ids, so it is shown here commented out
  # forbidden_account_ids = [
  #   "999999999999",
  # ]
}
Multi-region setup
To work in several regions, use aliases:
# Default region
provider "aws" {
  region = "us-east-1"
}
# US West region
provider "aws" {
  alias  = "west"
  region = "us-west-2"
}
# EU region
provider "aws" {
  alias  = "eu"
  region = "eu-west-1"
}
# Uses the default provider
resource "aws_instance" "east" {
  ami           = "ami-east-123"
  instance_type = "t2.micro"
}
# Uses the US West provider
resource "aws_instance" "west" {
  provider      = aws.west
  ami           = "ami-west-456"
  instance_type = "t2.micro"
}
# Uses the EU provider
resource "aws_s3_bucket" "eu_bucket" {
  provider = aws.eu
  bucket   = "my-eu-bucket"
}
Multi-account setup
Working across several AWS accounts:
# Development account
provider "aws" {
  alias   = "dev"
  region  = "us-east-1"
  profile = "dev-account"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/TerraformRole"
  }
}
# Production account
provider "aws" {
  alias   = "prod"
  region  = "us-east-1"
  profile = "prod-account"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/TerraformRole"
  }
}
# Resource in the dev account
resource "aws_vpc" "dev_vpc" {
  provider   = aws.dev
  cidr_block = "10.0.0.0/16"
}
# Resource in the prod account
resource "aws_vpc" "prod_vpc" {
  provider   = aws.prod
  cidr_block = "10.1.0.0/16"
}
Azure Provider
Provider configuration for Microsoft Azure.
Basic setup
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}
provider "azurerm" {
  features {} # Required!
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}
Authentication
1. Azure CLI (local development)
# Log in with the Azure CLI
az login
# Select the subscription
az account set --subscription="SUBSCRIPTION_ID"
provider "azurerm" {
  features {}
  # Azure CLI credentials are used automatically
}
2. Service Principal (production)
# Create the service principal
az ad sp create-for-rbac --name "terraform-sp" --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"
provider "azurerm" {
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000"
  client_id       = "00000000-0000-0000-0000-000000000000"
  client_secret   = "client-secret-value" # placeholder; in practice supply it via the ARM_CLIENT_SECRET environment variable, not a literal
  tenant_id       = "00000000-0000-0000-0000-000000000000"
}
3. Managed Identity (on an Azure VM)
provider "azurerm" {
  features {}
  use_msi = true
}
Azure provider features
provider "azurerm" {
  features {
    # Resource Group
    resource_group {
      prevent_deletion_if_contains_resources = true
    }
    # Key Vault
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = true
    }
    # Virtual Machine
    virtual_machine {
      delete_os_disk_on_deletion     = true
      graceful_shutdown              = false
      skip_shutdown_and_force_delete = false
    }
    # Virtual Machine Scale Set
    virtual_machine_scale_set {
      roll_instances_when_required  = true
      force_delete                  = false
      scale_to_zero_before_deletion = true
    }
  }
}
Google Cloud Provider
The provider for Google Cloud Platform.
Basic setup
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
  }
}
provider "google" {
  project = var.project_id
  region  = "us-central1"
  zone    = "us-central1-a"
}
Authentication
1. Service Account Key (local)
# Download a service account key
# GCP Console → IAM & Admin → Service Accounts → Create Key (JSON)
provider "google" {
  credentials = file("service-account-key.json")
  project     = "my-project-id"
  region      = "us-central1"
}
2. Application Default Credentials
# gcloud auth
gcloud auth application-default login
provider "google" {
  project = "my-project-id"
  region  = "us-central1"
  # ADC is used automatically
}
3. Service Account (on GCE)
provider "google" {
  project = "my-project-id"
  region  = "us-central1"
  # The GCE service account is used automatically
}
Provider meta-arguments
Special arguments that apply to providers:
alias
To create several instances of the same provider:
provider "aws" {
  region = "us-east-1"
}
provider "aws" {
  alias  = "west"
  region = "us-west-2"
}
resource "aws_instance" "main" {
  # Default provider
  ami           = "ami-123"
  instance_type = "t2.micro"
}
resource "aws_instance" "backup" {
  provider      = aws.west # Using the alias
  ami           = "ami-456"
  instance_type = "t2.micro"
}
version (deprecated)
The old way; using required_providers is recommended instead:
# Old way (do not use)
provider "aws" {
  version = "~> 5.0"
  region  = "us-east-1"
}
# New way (correct)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
Provider configuration best practices
1. Always pin the version
# ✅ Correct
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
# ❌ Wrong
provider "aws" {
  region = "us-east-1"
}
2. Do not write credentials in code
# ❌ Wrong - a security problem
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
# ✅ Correct - environment variables
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
provider "aws" {
  region = "us-east-1"
}
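The static-credentials problem from the AWS authentication section and this best practice can be enforced before code is committed. The following Python script is an added example, not code from the original page or from any Terraform tool: it scans .tf text for sensitive provider arguments (access_key, secret_key, client_secret, token, password) assigned a quoted literal instead of a reference such as var.x, and for AWS access key ID patterns anywhere in the file. The sample blocks are constructed and reuse the AWS documentation example keys shown on the page; they are not real credentials.

```python
"""Pre-commit check for credentials written directly into Terraform code.

Added example, not from the original page or from any Terraform tooling. It
implements the page's "do not write credentials in code" rule as a check:
sensitive provider arguments whose value is a quoted literal rather than a
reference such as var.* or file(...) are reported, as is any AWS access key
ID pattern found elsewhere in the file. The .tf samples are constructed; the
key values are the AWS documentation example keys used on the page.
"""
import re
from typing import List, Tuple

SENSITIVE_ARGS = ("access_key", "secret_key", "client_secret", "token", "password")

# `arg = value` with an optional trailing comment.
_ASSIGN_RE = re.compile(
    r'^\s*(?P<arg>' + "|".join(SENSITIVE_ARGS) + r')\s*=\s*(?P<value>.+?)\s*(#.*)?$'
)
# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
_AWS_KEY_ID_RE = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')

Finding = Tuple[int, str, str]  # (line number, what was found, offending text)


def is_literal(value: str) -> bool:
    """A plain quoted string; references like var.x or file("...") are not literals."""
    value = value.strip()
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"' and "${" not in value


def find_hardcoded_credentials(tf_text: str) -> List[Finding]:
    """Scan Terraform source text and return one finding per offending line."""
    findings: List[Finding] = []
    for number, line in enumerate(tf_text.splitlines(), start=1):
        m = _ASSIGN_RE.match(line)
        if m and is_literal(m.group("value")):
            findings.append((number, m.group("arg"), m.group("value").strip()))
        else:
            key_id = _AWS_KEY_ID_RE.search(line)
            if key_id:
                findings.append((number, "aws_access_key_id_pattern", key_id.group(0)))
    return findings


# Constructed: the page's "wrong" provider block.
BAD_PROVIDER = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

# Constructed: credentials come from the environment, a profile or a role.
GOOD_PROVIDER = '''
provider "aws" {
  region = var.aws_region
  assume_role {
    role_arn = var.terraform_role_arn
  }
}
provider "azurerm" {
  features {}
  client_secret = var.client_secret   # a reference, not a literal
}
'''


if __name__ == "__main__":
    for sample_name, sample in [("bad", BAD_PROVIDER), ("good", GOOD_PROVIDER)]:
        print(sample_name, find_hardcoded_credentials(sample) or "clean")
```

Wire it into a pre-commit hook over *.tf files and fail the commit on any finding; the AWS key ID pattern check catches keys that sneak in through locals or tags, not just provider blocks.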
3. Create a separate file
providers.tf:
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
  }
}
provider "aws" {
  region = var.aws_region
  default_tags {
    tags = var.common_tags
  }
}
4. Use default tags
provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = {
      Environment = "production"
      ManagedBy   = "Terraform"
      Project     = "MyApp"
      CostCenter  = "Engineering"
    }
  }
}
# Now every resource automatically receives these tags
resource "aws_instance" "web" {
  ami = "ami-123"
  tags = {
    Name = "web-server" # Merged with the default tags
  }
}
Provider troubleshooting
Debug logging
# Provider debug logging
# DEBUG and TRACE logs include API request and response details, so treat the log file as sensitive
export TF_LOG=DEBUG
export TF_LOG_PATH=terraform-debug.log
terraform apply
# Provider logs only
export TF_LOG_PROVIDER=TRACE
Provider cache
Caching providers speeds up terraform init:
# Plugin cache directory
export TF_PLUGIN_CACHE_DIR="$HOME/.terraform.d/plugin-cache"
mkdir -p "$TF_PLUGIN_CACHE_DIR"
~/.terraformrc:
plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"
Provider mirror
For offline use or a private registry:
# ~/.terraformrc
provider_installation {
  filesystem_mirror {
    path    = "/usr/share/terraform/providers"
    include = ["registry.terraform.io/*/*"]
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]
  }
}
Summary
Providers are the foundation of Terraform. They:
✅ connect to cloud APIs
✅ manage resources
✅ handle authentication
✅ support multi-cloud infrastructure
In the next topic we will talk about Resources and Data Sources in detail!