Last reviewed: May 2026
Build the AWS services on the DOP-C02 exam with native Terraform, one code block at a time and tied to the exam domains. The same code runs on OpenTofu.

In this lab you deploy a complete code-to-production pipeline in pure Terraform: a CodeCommit Git repository, a CodeBuild project that runs the test suite and packages the artifact, a CodeDeploy application that deploys to the target, a CodePipeline pipeline that chains source → build → deploy, and a CloudWatch Synthetics canary that probes the deployed endpoint and alerts when it stops responding. This is the five-block reference architecture for DOP-C02. Every resource is pure Terraform. Put the snippets into a single main.tf, run terraform init, then terraform apply step by step.

What you need:

- Terraform >= 1.5 or OpenTofu >= 1.6.
- An AWS CLI authenticated in the us-east-1 region.
- The canary probes https://example.com; in production this would be your application's health-check endpoint.
- An aws_s3_bucket can serve as the pipeline source instead (CodePipeline supports S3 sources).

Pricing is mostly pay-per-use, with no significant idle billing:

- $0.005 per build minute on BUILD_GENERAL1_SMALL; one lab build costs a few cents.
- The whole stack costs under $5 per month while it runs. Destroy it when you are done.

The standard opener. The Code* services are regional: pick the region that your source repository and target environment share. This lab defaults to us-east-1.
```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.60"
    }
    # Used by the archive_file data source that packages the canary script.
    archive = {
      source = "hashicorp/archive"
    }
  }
}

provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = {
      Project   = "certlabpro-dop-c02"
      ManagedBy = "terraform"
    }
  }
}

# Artifact store shared by CodePipeline and the Synthetics canary.
resource "aws_s3_bucket" "artifacts" {
  bucket_prefix = "certlabpro-dop-c02-artifacts-"
}

resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

CodeCommit is AWS's Git host. DOP-C02 tests the Code* suite end to end as one tightly integrated workflow; the most common exam question asks which combination of AWS-native services achieves a given outcome, and the answer almost always starts with CodeCommit.

default_branch = "main" matches the modern Git default (CodeCommit historically created a master branch). The repository we create is empty after apply; in real use you push your first commit with buildspec.yml and appspec.yml at the root, the files that CodeBuild (step 3) and CodeDeploy (step 4) read on every pipeline run.
```hcl
resource "aws_codecommit_repository" "app" {
  repository_name = "certlabpro-dop-c02-app"
  description     = "Application source for the DOP-C02 lab pipeline."
  default_branch  = "main"
}
```

CodeBuild runs the build and test steps from your buildspec.yml. DOP-C02 tests the managed-image versus custom-image trade-off here: managed images are zero-maintenance but slower to start; custom images give faster cold starts and a reproducible toolchain. This lab uses the managed aws/codebuild/standard:7.0 image, which supports Node, Python, Java, Go, .NET and Ruby out of the box.

The IAM role lets CodeBuild write build output to CloudWatch Logs, read source from CodeCommit, and write artifacts to the S3 bucket from step 1. LINUX_CONTAINER + BUILD_GENERAL1_SMALL is the cheapest tier, at $0.005 per build minute.
```hcl
resource "aws_iam_role" "codebuild" {
  name = "certlabpro-dop-c02-codebuild"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codebuild.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "codebuild" {
  name = "build-permissions"
  role = aws_iam_role.codebuild.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Build logs go to CloudWatch Logs.
        Effect   = "Allow"
        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "*"
      },
      {
        # Read the source artifact and write the build artifact, both in the step-1 bucket.
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource = [aws_s3_bucket.artifacts.arn, "${aws_s3_bucket.artifacts.arn}/*"]
      },
      {
        Effect   = "Allow"
        Action   = "codecommit:GitPull"
        Resource = aws_codecommit_repository.app.arn
      },
    ]
  })
}

resource "aws_codebuild_project" "build" {
  name         = "certlabpro-dop-c02-build"
  service_role = aws_iam_role.codebuild.arn

  # Source and artifacts are handed over by CodePipeline, not fetched directly.
  source {
    type      = "CODEPIPELINE"
    buildspec = "buildspec.yml"
  }

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    type            = "LINUX_CONTAINER"
    image           = "aws/codebuild/standard:7.0"
    compute_type    = "BUILD_GENERAL1_SMALL"
    privileged_mode = false
  }
}
```

CodeDeploy handles the actual deployment, to EC2, Lambda or ECS. DOP-C02 repeatedly tests the deployment-strategy axis: AllAtOnce (cheapest, riskiest), HalfAtATime, OneAtATime, CodeDeployDefault.LambdaCanary10Percent5Minutes (the Lambda canary pattern) and CodeDeployDefault.ECSAllAtOnce. We pick the Lambda compute platform for this lab because it does not require real EC2 instances, which keeps the lab cheap and tightly scoped.

The deployment configuration CodeDeployDefault.LambdaAllAtOnce is the simplest of the Lambda strategies. In production, LambdaCanary10Percent5Minutes is the answer DOP-C02 most often expects for risk-mitigated deployments: it shifts 10% of traffic to the new version, waits 5 minutes for CloudWatch alarms to fire, and shifts the remaining traffic if none do.
```hcl
resource "aws_iam_role" "codedeploy" {
  name = "certlabpro-dop-c02-codedeploy"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codedeploy.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "codedeploy_lambda" {
  role       = aws_iam_role.codedeploy.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"
}

resource "aws_codedeploy_app" "app" {
  name             = "certlabpro-dop-c02-app"
  compute_platform = "Lambda"
}

resource "aws_codedeploy_deployment_group" "lambda" {
  app_name               = aws_codedeploy_app.app.name
  deployment_group_name  = "default"
  service_role_arn       = aws_iam_role.codedeploy.arn
  deployment_config_name = "CodeDeployDefault.LambdaAllAtOnce"

  # Lambda deployments are always blue/green with traffic shifting between versions.
  deployment_style {
    deployment_option = "WITH_TRAFFIC_CONTROL"
    deployment_type   = "BLUE_GREEN"
  }

  auto_rollback_configuration {
    enabled = true
    events  = ["DEPLOYMENT_FAILURE"]
  }
}
```

CodePipeline is the orchestrator that joins the three previous steps into a single graph: fetch source from CodeCommit, build with CodeBuild, deploy with CodeDeploy. Every transition is a hook point; you can add manual approvals, parallel test stages and notifications between any two stages. The configuration-management and IaC domain of DOP-C02 tests this stage-and-action structure repeatedly.

Once the pipeline exists, you have CI/CD. The final piece, CloudWatch Synthetics, closes the deployment-observability loop: a canary is a managed headless-browser script (Puppeteer-based) that runs on a schedule and reports success or failure to CloudWatch. The monitoring-and-logging domain of DOP-C02 leans heavily on this pattern: a deployment changes something → the canary catches the regression within minutes → the CodeDeploy auto-rollback we wired in step 4 is triggered by the canary's CloudWatch alarm.

The canary script below polls https://example.com every 5 minutes; in production you would point it at your application's health-check endpoint and assert on the response body and headers, not just an HTTP 200.
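The alarm-to-rollback wiring described above, as an added example that is not part of the original lab: a CloudWatch alarm on the canary's SuccessPercent metric, and a second deployment group on the same CodeDeploy app that uses the LambdaCanary10Percent5Minutes configuration and rolls back when that alarm fires. It assumes the aws_synthetics_canary.endpoint, aws_codedeploy_app.app and aws_iam_role.codedeploy resources defined in this lab; the resource names canary_failing and lambda_guarded are my own.

```hcl
# Added example: alarm-guarded canary deployment. Assumes the canary, CodeDeploy
# app and CodeDeploy service role resources defined elsewhere in this lab.

# Fires when a canary run reports anything below 100% success. SuccessPercent is
# emitted once per run, so a 300-second period matches the rate(5 minutes) schedule.
resource "aws_cloudwatch_metric_alarm" "canary_failing" {
  alarm_name          = "certlabpro-dop-c02-canary-failing"
  namespace           = "CloudWatchSynthetics"
  metric_name         = "SuccessPercent"
  dimensions          = { CanaryName = aws_synthetics_canary.endpoint.name }
  statistic           = "Average"
  period              = 300
  evaluation_periods  = 1
  comparison_operator = "LessThanThreshold"
  threshold           = 100
  # A canary that stops reporting at all is itself a failure signal.
  treat_missing_data  = "breaching"
}

# Production-style deployment group: 10% of traffic to the new version for
# 5 minutes, then the rest. If the alarm is in ALARM during that window,
# CodeDeploy stops the deployment and rolls back to the previous version.
resource "aws_codedeploy_deployment_group" "lambda_guarded" {
  app_name               = aws_codedeploy_app.app.name
  deployment_group_name  = "canary-guarded"
  service_role_arn       = aws_iam_role.codedeploy.arn
  deployment_config_name = "CodeDeployDefault.LambdaCanary10Percent5Minutes"

  deployment_style {
    deployment_option = "WITH_TRAFFIC_CONTROL"
    deployment_type   = "BLUE_GREEN"
  }

  alarm_configuration {
    enabled = true
    alarms  = [aws_cloudwatch_metric_alarm.canary_failing.alarm_name]
    # Failing to poll the alarm counts as a failed deployment, not a pass.
    ignore_poll_alarm_failure = false
  }

  auto_rollback_configuration {
    enabled = true
    events  = ["DEPLOYMENT_FAILURE", "DEPLOYMENT_STOP_ON_ALARM"]
  }
}
```

The managed AWSCodeDeployRoleForLambda policy already grants the cloudwatch:DescribeAlarms permission CodeDeploy needs to poll the alarm.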
```hcl
# ── CodePipeline ──────────────────────────────────────────────
resource "aws_iam_role" "codepipeline" {
  name = "certlabpro-dop-c02-codepipeline"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codepipeline.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "codepipeline" {
  name = "pipeline-permissions"
  role = aws_iam_role.codepipeline.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "codecommit:*",
        "codebuild:*",
        "codedeploy:*",
        "s3:*",
        "iam:PassRole",
      ]
      Resource = "*"
    }]
  })
}

resource "aws_codepipeline" "main" {
  name     = "certlabpro-dop-c02"
  role_arn = aws_iam_role.codepipeline.arn

  artifact_store {
    location = aws_s3_bucket.artifacts.bucket
    type     = "S3"
  }

  stage {
    name = "Source"
    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeCommit"
      version          = "1"
      output_artifacts = ["source"]
      configuration = {
        RepositoryName = aws_codecommit_repository.app.repository_name
        BranchName     = "main"
      }
    }
  }

  stage {
    name = "Build"
    action {
      name             = "Build"
      category         = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      version          = "1"
      input_artifacts  = ["source"]
      output_artifacts = ["build"]
      configuration = {
        ProjectName = aws_codebuild_project.build.name
      }
    }
  }
}

# ── Synthetics canary ─────────────────────────────────────────
# Canaries run as Lambda functions, so the execution role trusts Lambda.
resource "aws_iam_role" "canary" {
  name = "certlabpro-dop-c02-canary"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "canary_logs" {
  role       = aws_iam_role.canary.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# Synthetics also needs to upload run artifacts (screenshots, HAR files) to
# artifact_s3_location and to publish its metrics; without these the canary fails.
resource "aws_iam_role_policy" "canary" {
  name = "synthetics-permissions"
  role = aws_iam_role.canary.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:PutObject", "s3:GetObject", "s3:GetBucketLocation"]
        Resource = [aws_s3_bucket.artifacts.arn, "${aws_s3_bucket.artifacts.arn}/*"]
      },
      {
        Effect   = "Allow"
        Action   = "s3:ListAllMyBuckets"
        Resource = "*"
      },
      {
        Effect    = "Allow"
        Action    = "cloudwatch:PutMetricData"
        Resource  = "*"
        Condition = { StringEquals = { "cloudwatch:namespace" = "CloudWatchSynthetics" } }
      },
    ]
  })
}

# Node.js canaries must be packaged as nodejs/node_modules/<file>.js inside the zip.
data "archive_file" "canary_src" {
  type        = "zip"
  output_path = "${path.module}/build/canary.zip"
  source {
    filename = "nodejs/node_modules/index.js"
    content  = <<-EOT
      const synthetics = require("Synthetics");
      exports.handler = async () => {
        const page = await synthetics.getPage();
        const res = await page.goto("https://example.com", { waitUntil: "domcontentloaded" });
        // Anything outside 2xx fails the run; tighten this with body/header checks in production.
        if (!res.ok()) throw new Error("Status code " + res.status());
      };
    EOT
  }
}

resource "aws_synthetics_canary" "endpoint" {
  name                 = "certlabpro-dop-c02-endpoint"
  artifact_s3_location = "s3://${aws_s3_bucket.artifacts.bucket}/canary/"
  execution_role_arn   = aws_iam_role.canary.arn
  handler              = "index.handler"
  zip_file             = data.archive_file.canary_src.output_path
  runtime_version      = "syn-nodejs-puppeteer-9.0"
  start_canary         = true

  schedule {
    expression = "rate(5 minutes)"
  }
}
```

terraform destroy removes everything in this lab. Two caveats:
- The artifact bucket will not be empty (pipeline artifacts and canary runs write to it). Empty it before destroy (aws s3 rm s3://<bucket> --recursive), or set force_destroy = true on the bucket resource and re-apply once before destroying.
- The canary is created with start_canary = true, so it runs continuously at 5-minute intervals from the moment of apply. Each run costs about $0.0012; a forgotten lab canary running for a week costs about $0.25. Cheap, but a real charge. Destroy it when you are done.

DOP-C02 covers a broad set of specialist domains: CloudFormation StackSets for multi-account/multi-region IaC, Service Catalog, AWS Config rules + remediation, Systems Manager OpsCenter + Patch Manager, AWS Health Dashboard automation, Trusted Advisor checks, AWS Backup, EventBridge Pipes, Step Functions for cross-service orchestration, and X-Ray for distributed tracing.

We focus on the end-to-end CI/CD pipeline because it is the single most-tested architecture on the exam; every other DOP-C02 pattern (Config rules feeding remediation, Synthetics paging through SNS, StackSets rolled out through CodePipeline) builds on it. Master the source-to-deploy chain first; once that is second nature, layer on multi-account StackSets and cross-region orchestration.

For the domains not covered here, the Browse, Handbook and Editorial sections of this certification page provide the conceptual material. A follow-up lab adding CloudFormation StackSets + Config Rules + Systems Manager Patch Manager will round out the manage-operations-at-scale domain.