前提
全体の概略はこちらから
Netowork部分の概略はこちらから
構成図
Module
main.tf
# proxy vpc
resource "aws_vpc" "vpc_internet" {
cidr_block = var.vpc_cidr_internet
tags = {
Name = "${var.project}-vpc-internet"
Env = var.env
Account = var.account
Project = var.project
}
}
# public subnet allocated in az 1a
resource "aws_subnet" "public_subnet1a" {
vpc_id = aws_vpc.vpc_internet.id
cidr_block = var.subnet_cidr_public1a
availability_zone = "ap-northeast-1a"
tags = {
Name = "${var.project}-publicsubnet-${var.region}a"
// ... 略
}
}
# public subnet allocated in az 1c
resource "aws_subnet" "public_subnet1c" {
vpc_id = aws_vpc.vpc_internet.id
cidr_block = var.subnet_cidr_public1c
availability_zone = "ap-northeast-1c"
tags = {
// ... 略
}
}
# private subnet allocated in az 1a
resource "aws_subnet" "private_subnet1a" {
vpc_id = aws_vpc.vpc_internet.id
cidr_block = var.subnet_cidr_private1a
availability_zone = "ap-northeast-1a"
tags = {
Name = "${var.project}-subnet-${var.region}a-internet"
// ... 略
}
}
# private subnet allocated in az 1c
resource "aws_subnet" "private_subnet1c" {
vpc_id = aws_vpc.vpc_internet.id
cidr_block = var.subnet_cidr_private1c
availability_zone = "ap-northeast-1c"
tags = {
// ... 略
}
}
# internet gateway
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc_internet.id
tags = {
Name = "${var.project}-igw"
// ... 略
}
}
resource "aws_internet_gateway_attachment" "main" {
internet_gateway_id = aws_internet_gateway.igw.id
vpc_id = aws_vpc.vpc_internet.id
}
# nat gateway allocated in az 1a
resource "aws_nat_gateway" "ngw1a" {
allocation_id = aws_eip.eip1a.id
subnet_id = aws_subnet.public_subnet1a.id
tags = {
Name = "${var.project}-ngw-${var.region}a"
// ... 略
}
depends_on = [aws_internet_gateway.igw]
}
resource "aws_eip" "eip1a" {
domain = "vpc"
tags = {
Name = "${var.project}-eip-${var.region}a"
// ... 略
}
}
# nat gateway allocated in az 1c
resource "aws_nat_gateway" "ngw1c" {
allocation_id = aws_eip.eip1c.id
subnet_id = aws_subnet.public_subnet1c.id
tags = {
// ... 略
}
depends_on = [aws_internet_gateway.igw]
}
resource "aws_eip" "eip1c" {
domain = "vpc"
tags = {
// ... 略
}
}
# route table associated private subnet 1a
resource "aws_route_table" "rtb_1a" {
vpc_id = aws_vpc.vpc_internet.id
tags = {
Name = "${var.project}-rtb-privatesubnet-${var.region}a"
// ... 略
}
}
resource "aws_route_table_association" "private1a" {
subnet_id = aws_subnet.private_subnet1a.id
route_table_id = aws_route_table.rtb_1a.id
}
resource "aws_route" "route1a" {
route_table_id = aws_route_table.rtb_1a.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.ngw1a.id
}
# route table associated private subnet 1c
resource "aws_route_table" "rtb_1c" {
vpc_id = aws_vpc.vpc_internet.id
tags = {
// ... 略
}
}
resource "aws_route_table_association" "private1c" {
subnet_id = aws_subnet.private_subnet1c.id
route_table_id = aws_route_table.rtb_1c.id
}
resource "aws_route" "route1c" {
route_table_id = aws_route_table.rtb_1c.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.ngw1c.id
}
# route table associated public subnet
resource "aws_route_table" "rtb_public" {
vpc_id = aws_vpc.vpc_internet.id
tags = {
Name = "${var.project}-rtb-publicsubnet"
// ... 略
}
}
resource "aws_route_table_association" "public1a" {
subnet_id = aws_subnet.public_subnet1a.id
route_table_id = aws_route_table.rtb_public.id
}
resource "aws_route_table_association" "public1c" {
subnet_id = aws_subnet.public_subnet1c.id
route_table_id = aws_route_table.rtb_public.id
}
resource "aws_route" "route_public" {
route_table_id = aws_route_table.rtb_public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
# security group associated network interface
resource "aws_security_group" "sg_internet" {
name = "${var.project}-sg-internet"
vpc_id = aws_vpc.vpc_internet.id
tags = {
Name = "${var.project}-sg-internet"
// ... 略
}
}
resource "aws_vpc_security_group_egress_rule" "https" {
security_group_id = aws_security_group.sg_internet.id
description = "https"
cidr_ipv4 = "0.0.0.0/0"
from_port = 443
ip_protocol = "tcp"
to_port = 443
}
# network interface 1a
resource "aws_network_interface" "a" {
subnet_id = aws_subnet.private_subnet1a.id
security_groups = [aws_security_group.sg_internet.id]
tags = {
Name = "${var.project}-eni-internet-${var.region}a"
// ... 略
}
}
# network interface 1c
resource "aws_network_interface" "c" {
subnet_id = aws_subnet.private_subnet1c.id
security_groups = [aws_security_group.sg_internet.id]
tags = {
// ... 略
}
}
variable.tf
# common variable
variable "project" {
type = string
description = "project name"
}
variable "account" {
type = string
description = "prod or no-prod"
}
variable "env" {
type = string
description = "dev, test, stage or prod"
}
variable "region" {
type = string
description = "aws region which resources are allocated in"
}
# variables of cidr
variable "vpc_cidr_internet" {
type = string
description = "cidr of proxy vpc"
}
variable "subnet_cidr_public1a" {
type = string
description = "cidr of public subnet 1a"
}
variable "subnet_cidr_public1c" {
type = string
description = "cidr of public subnet 1c"
}
variable "subnet_cidr_private1a" {
type = string
description = "cidr of private subnet 1a"
}
variable "subnet_cidr_private1c" {
type = string
description = "cidr of private subnet 1c"
}
outputs.tf
output "vpc_internet_id"{
value = aws_vpc.vpc_internet.id
description = "id of proxy vpc"
}
output "subnet_private1a_id"{
value = aws_subnet.private_subnet1a.id
description = "id of private subnet 1a which tgw attachment is attached"
}
output "subnet_private1c_id"{
value = aws_subnet.private_subnet1c.id
description = "id of private subnet 1c which tgw attachment is attached"
}
output "rtb_public_id"{
value = aws_route_table.rtb_public.id
description = "id of route table which route is added by other module"
}
Import コマンド
基本は👇
$ terraform import module.vpc_internet.{resourceタイプ}.{resource名} {importするresourceのID}
以下のリソースは注意!
- aws_route_table_association
subentとルートテーブルの明示的な関連付けを定義する設定。
ImportするリソースIDはサブネットID/ルートテーブルID
$ terraform import module.vpc_internet.aws_route_table_association.database1a subnet-***/rtb-***
- aws_internet_gateway_attachment
Internet GatewayとVPCの関連付けを定義する設定。
ImportするリソースIDはインターネットGW ID:VPC ID
$ terraform import module.vpc_internet.aws_route_table_association.database1a igw-***:vpc-***
- aws_route
ルートテーブルの各ルートを定義する設定。
ImportするリソースIDはルートテーブルID_CIDR
※VPC endpoint(Gateway)のルートのImportはVPC endpointのImportで実施されるので行わない
$ terraform import module.vpc_internet.aws_route.route_public rtb-***_0.0.0.0/0
👆に代表される複数のリソース間の関連付けを定義する設定はImport時にリソースIDをつなげる文字が異なるので注意されたし
他Moduleで構築したリソース
- インターネットへのアウトバウンド通信の戻りのroute
- 各環境のmicro VPCへインターネットからの戻りの通信の設定
- Transit GatewayのIDが必要なため、Transit Gatewayが作成されるまで作成不可
- 開発、テスト、ステージングのmicro VPCが追加されるごとに各VPCへの戻りのルートが追加されるように設計