Building Docker Enterprise 2.1 Cluster Using Terraform

By Sajith Venkit, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

In this article, we will show how you can use Terraform to fully automate the build of a 3-node Docker Enterprise 2.1 cluster on Alibaba Cloud. If you are in the process of planning or setting up an Enterprise Docker Cluster for your containers, in any of the public cloud platforms, this article and the templates will be useful.

Even if you are not building a Docker Enterprise cluster, you may still find this article useful if you’d like to automate your infrastructure build in Alibaba Cloud.

As my objective was to show the art of the possible using IaC (Infrastructure as Code) to automate a build in Alibaba Cloud, I thought why not do that using the most popular platforms, and hence decided to:

  • Build a Containers-as-a-Service platform using Docker Enterprise Edition 2.1 and,
  • Build that platform using Terraform.

Docker Enterprise Edition

One thing that I have always loved about Docker is their Simplicity and Customer Centricity. That's exactly what they have done with the release of Enterprise 2.1 too. With Docker EE 2.1, you now have freedom of choice, as it can:

  • Reliably support both Windows and Linux containers.
  • Be hosted on any cloud platform or in an on-premises data center.
  • Use both Docker Swarm and Kubernetes orchestration interchangeably.

So, if you are an Enterprise customer who is looking to embark on a project to either migrate your legacy applications to Containers or keen to embrace DevOps for development of new applications, I’d strongly recommend Docker EE 2.1 as your CaaS platform.

You can start small and scale your cluster as you grow your container base. You can start utilizing the much simpler Docker Swarm for initial orchestration and switch to Kubernetes later if you really need it.

Docker EE 2.1 cluster also comes with components such as:

  • Docker UCP — which gives a single-pane-of-glass across your cluster.
  • Docker Trusted Registry — to securely host your container images.

It also has enterprise security features like encrypted communication, application isolation, vulnerability scanning for images and much more.


I chose Terraform for this automation as it is pretty much platform agnostic. Though you can't use the same templates for every cloud service provider, it is quite easy to customize them for a different provider once they have been developed for a specific cloud platform.

To learn more about Terraform, visit the HashiCorp website or read MVP Alberto Roura's Tech Share article, which gives a good summary of Terraform.

Building the Docker Enterprise Cluster

The cluster we build consists of three hosts:

1. One Alibaba Cloud ECS Linux server that hosts both Docker UCP and Docker Trusted Registry (DTR). The same node will also be configured as the Docker Swarm manager and Kubernetes master.
2. One Linux host which will be automatically joined as a worker node in the Docker Swarm created by the UCP host.
3. One Windows host which will be automatically joined as a worker node in the Docker Swarm created by the UCP host.

If you would like to get on with the cluster build right away, go to my GitHub repository and follow the instructions there.

Once you have the prerequisites ready, you can get the cluster built in less than 30 minutes.

Terraform Files Explained

The Terraform configuration files in my GitHub repository, and the bash and PowerShell scripts, have adequate comments to help you understand them better. In this article, I would like to focus on explaining the purpose of each of those templates and scripts.

Terraform, as you may be aware, helps to deploy infrastructure by letting users define what they need using the HashiCorp Configuration Language (HCL). Terraform builds a detailed execution plan from this definition and deploys the infrastructure on the specified platform.

Terraform supports a wide range of cloud service providers, certainly all the major cloud providers, and VMware vSphere for on-premises data centers.

The complete definition of our Docker Enterprise cluster could be specified in a single .tf definition file, but it is recommended to split it into multiple .tf files for ease of maintenance and readability. All .tf files in the main folder form part of the root (main) module.

Terraform will load all configuration files (.tf files) in the folder, in alphabetical order. The order of variables, resources, etc. defined within the configuration doesn't matter. Terraform configurations are declarative, so references to other resources and variables do not depend on the order they're defined.


I recommend using UPPER CASE for the input variable names so they stand out from the Terraform local values (defined using locals) and from Terraform resource names. I would also suggest giving the values for variables in a separate terraform.tfvars file, so you can choose not to send this file when sharing with others, as it may contain your account secret keys, passwords, etc. During execution, if Terraform cannot find a .tfvars file and no default values are defined for the variables, it prompts the user for them.


Network and Security

The vSwitch and Security groups defined in this file will be mapped to our hosts, in the ECS (Elastic Compute Service) definition.

Few points to note:

  • Priority values for the security group rules range from 1 to 100; the smaller the value, the higher the priority.
  • RDP, WinRM and SSH access are allowed only from a specific IP — your Public IP.
  • Kubernetes, Docker and application access are allowed from anywhere.
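As an added illustration (not the templates from the author's repository), here is how the rule priorities and the source-IP restriction from this section, together with the UPPER CASE input variable convention recommended above, can be expressed with the alicloud provider in Terraform 0.12+ syntax; the VPC_ID and MY_PUBLIC_IP variables, the resource names and the port list are assumptions:

```hcl
# Input variables in UPPER CASE. Their values go in terraform.tfvars, which stays out of
# the shared repository because it can hold secrets; Terraform prompts if it is absent.
variable "VPC_ID" {
  description = "ID of the VPC hosting the cluster"
  type        = string
}

variable "MY_PUBLIC_IP" {
  description = "Your public IP in CIDR form, set in terraform.tfvars"
  type        = string
}

locals {
  # Lower-case local values stay visually distinct from the input variables above.
  # WinRM port assumes the HTTPS listener; use 5985 if the bootstrap configures HTTP.
  admin_ports  = { ssh = "22/22", rdp = "3389/3389", winrm = "5986/5986" }
  public_ports = { ucp = "443/443", kube_api = "6443/6443" }
}

resource "alicloud_security_group" "docker_ee" {
  name   = "docker-ee-cluster"
  vpc_id = var.VPC_ID
}

# Management protocols: priority 1 is the highest, and only MY_PUBLIC_IP is accepted.
resource "alicloud_security_group_rule" "admin" {
  for_each          = local.admin_ports
  security_group_id = alicloud_security_group.docker_ee.id
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet" # the only valid value inside a VPC
  policy            = "accept"
  priority          = 1
  port_range        = each.value
  cidr_ip           = var.MY_PUBLIC_IP
}

# UCP and Kubernetes API: reachable from anywhere, at a lower priority.
resource "alicloud_security_group_rule" "public" {
  for_each          = local.public_ports
  security_group_id = alicloud_security_group.docker_ee.id
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 50
  port_range        = each.value
  cidr_ip           = "0.0.0.0/0"
}
```

A terraform.tfvars holding, for example, `MY_PUBLIC_IP = "203.0.113.10/32"` (placeholder) supplies the value without it ever appearing in the shared .tf files.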

Compute for Docker UCP Manager

This file defines the main host where Docker UCP and DTR will be installed. As part of the Docker UCP installation, it also initiates creation of the Docker Swarm, which the other hosts will join as worker nodes.

Few points to note:

  • The internet_max_bandwidth_out attribute ensures a public IP is assigned as part of VM creation.
  • This public IP is used in the connection definition for the file provisioner to copy the installation scripts, and for the remote-exec provisioner to run the setup of Docker EE, UCP and DTR automatically.
  • The SSH key pair for the UCP host and the Linux worker node is defined in

Compute for Docker Worker Nodes

This file defines the Windows worker node. Key differences from the Linux node definition are:

  • A Windows image instead of the Linux image.
  • The password attribute instead of the key_name attribute used in Linux for the SSH key pair.
  • The user_data attribute, which is used for bootstrapping the VM, including configuration of WinRM, so further scripts can be executed using WinRM.
  • The connection type is winrm instead of the ssh used for the Linux host.


Values defined in can be printed at any time using the command terraform output, after a successful execution.

To retrieve further details of the Terraform execution, use terraform show.

Scripts to Automate Build of Docker Components

These scripts are used to set up Docker Enterprise, Docker UCP and Docker Trusted Registry as per the documentation on the Docker website.

Scripts used to bootstrap the Windows host are in the folder win-files. They are called using the remote-exec provisioner in the ECS VM definition.

These scripts are used to set up Docker Enterprise and to join the swarm as a worker node. Docker UCP and Docker Trusted Registry cannot be installed on Windows hosts; Windows hosts can only be worker nodes.

A key point to note in the Windows scripts:

To ensure Invoke-RestMethod works correctly when accessing the Docker API, the following changes had to be made in the script prior to calling the Docker API.

  1. Change the default TLS version in PowerShell from 1.0 to 1.2.
  2. Ignore certificate errors when connecting to the Docker API (this disables validation of the server certificate for that session).


In subsequent articles, we will look at how to scale your cluster with a load balancer and additional nodes and also details on deploying containers using Docker Swarm or Kubernetes orchestration.

Key References

1. Docker Enterprise

2. Terraform

3. My GitHub repository


Follow me to keep abreast with the latest technology news, industry insights, and developer trends.
