AWSリソースをTerraformにImportする（Network関連_internetVPC）

前提

全体の概略はこちらから
Netowork部分の概略はこちらから

構成図

Module

main.tf

# proxy vpc
resource "aws_vpc" "vpc_internet" {
    cidr_block  = var.vpc_cidr_internet
    tags = {
        Name    = "${var.project}-vpc-internet"
        Env     = var.env
        Account = var.account
        Project = var.project
    }   
}
# public subnet allocated in az 1a
resource "aws_subnet" "public_subnet1a" {
    vpc_id     = aws_vpc.vpc_internet.id
    cidr_block = var.subnet_cidr_public1a
    availability_zone   = "ap-northeast-1a"
    tags = {
        Name    = "${var.project}-publicsubnet-${var.region}a"
        // ... 略
    }   
}
# public subnet allocated in az 1c
resource "aws_subnet" "public_subnet1c" {
    vpc_id     = aws_vpc.vpc_internet.id
    cidr_block = var.subnet_cidr_public1c
    availability_zone   = "ap-northeast-1c"
    tags = {
        // ... 略
    }   
}
# private subnet allocated in az 1a
resource "aws_subnet" "private_subnet1a" {
    vpc_id     = aws_vpc.vpc_internet.id
    cidr_block = var.subnet_cidr_private1a
    availability_zone   = "ap-northeast-1a"
    tags = {
        Name    = "${var.project}-subnet-${var.region}a-internet"
        // ... 略
    }   
}
# private subnet allocated in az 1c
resource "aws_subnet" "private_subnet1c" {
    vpc_id     = aws_vpc.vpc_internet.id
    cidr_block = var.subnet_cidr_private1c
    availability_zone   = "ap-northeast-1c"
    tags = {
        // ... 略
    }   
}
# internet gateway
resource "aws_internet_gateway" "igw" {
    vpc_id = aws_vpc.vpc_internet.id
    tags = {
        Name    = "${var.project}-igw"
        // ... 略
    }   
}
resource "aws_internet_gateway_attachment" "main" {
    internet_gateway_id = aws_internet_gateway.igw.id
    vpc_id              = aws_vpc.vpc_internet.id
}
# nat gateway allocated in az 1a
resource "aws_nat_gateway" "ngw1a" {
    allocation_id = aws_eip.eip1a.id
    subnet_id     = aws_subnet.public_subnet1a.id
    tags = {
        Name    = "${var.project}-ngw-${var.region}a"
        // ... 略
    }   
  depends_on = [aws_internet_gateway.igw]
}
resource "aws_eip" "eip1a" {
    domain   = "vpc"
    tags = {
        Name    = "${var.project}-eip-${var.region}a"
        // ... 略
    }   
}
# nat gateway allocated in az 1c
resource "aws_nat_gateway" "ngw1c" {
    allocation_id = aws_eip.eip1c.id
    subnet_id     = aws_subnet.public_subnet1c.id
    tags = {
        // ... 略
    }   
  depends_on = [aws_internet_gateway.igw]
}
resource "aws_eip" "eip1c" {
    domain   = "vpc"
    tags = {
        // ... 略
    }   
}

# route table associated private subnet 1a
resource "aws_route_table" "rtb_1a" {
    vpc_id = aws_vpc.vpc_internet.id
    tags = {
        Name    = "${var.project}-rtb-privatesubnet-${var.region}a"
        // ... 略
    }   
}
resource "aws_route_table_association" "private1a" {
    subnet_id      = aws_subnet.private_subnet1a.id
    route_table_id = aws_route_table.rtb_1a.id
}
resource "aws_route" "route1a" {
  route_table_id            = aws_route_table.rtb_1a.id
  destination_cidr_block    = "0.0.0.0/0"
  nat_gateway_id = aws_nat_gateway.ngw1a.id
}

# route table associated private subnet 1c
resource "aws_route_table" "rtb_1c" {
    vpc_id = aws_vpc.vpc_internet.id
    tags = {
        // ... 略
    }   
}
resource "aws_route_table_association" "private1c" {
    subnet_id      = aws_subnet.private_subnet1c.id
    route_table_id = aws_route_table.rtb_1c.id
}
resource "aws_route" "route1c" {
  route_table_id            = aws_route_table.rtb_1c.id
  destination_cidr_block    = "0.0.0.0/0"
  nat_gateway_id = aws_nat_gateway.ngw1c.id
}

# route table associated public subnet
resource "aws_route_table" "rtb_public" {
    vpc_id = aws_vpc.vpc_internet.id
    tags = {
        Name    = "${var.project}-rtb-publicsubnet"
        // ... 略
    }   
}
resource "aws_route_table_association" "public1a" {
    subnet_id      = aws_subnet.public_subnet1a.id
    route_table_id = aws_route_table.rtb_public.id
}
resource "aws_route_table_association" "public1c" {
    subnet_id      = aws_subnet.public_subnet1c.id
    route_table_id = aws_route_table.rtb_public.id
}
resource "aws_route" "route_public" {
  route_table_id            = aws_route_table.rtb_public.id
  destination_cidr_block    = "0.0.0.0/0"
  gateway_id                = aws_internet_gateway.igw.id
}

# security group associated network interface
resource "aws_security_group" "sg_internet" {
    name        = "${var.project}-sg-internet"
    vpc_id      = aws_vpc.vpc_internet.id
    tags = {
        Name    = "${var.project}-sg-internet"
        // ... 略
    }
}
resource "aws_vpc_security_group_egress_rule" "https" {
    security_group_id = aws_security_group.sg_internet.id
    description       = "https"
    cidr_ipv4   = "0.0.0.0/0"
    from_port   = 443
    ip_protocol = "tcp"
    to_port     = 443
}

# network interface 1a
resource "aws_network_interface" "a" {
    subnet_id       = aws_subnet.private_subnet1a.id
    security_groups = [aws_security_group.sg_internet.id]
    tags = {
        Name    = "${var.project}-eni-internet-${var.region}a"
        // ... 略
    }
}
# network interface 1c
resource "aws_network_interface" "c" {
    subnet_id       = aws_subnet.private_subnet1c.id
    security_groups = [aws_security_group.sg_internet.id]
    tags = {
        // ... 略
    }
}

variable.tf

# common variable 
variable "project" {
    type        = string
    description = "project name"
}
variable "account" {
    type        = string
    description = "prod or no-prod"
}
variable "env" {
    type        = string
    description = "dev, test, stage or prod"
}
variable "region" {
    type        = string
    description = "aws region which resources are allocated in"
}

# variables of cidr
variable "vpc_cidr_internet" {
    type        = string
    description = "cidr of proxy vpc"
}
variable "subnet_cidr_public1a" {
    type        = string
    description = "cidr of public subnet 1a"
}
variable "subnet_cidr_public1c" {
    type        = string
    description = "cidr of public subnet 1c"
}
variable "subnet_cidr_private1a" {
    type        = string
    description = "cidr of private subnet 1a"
}
variable "subnet_cidr_private1c" {
    type        = string
    description = "cidr of private subnet 1c"
}

outputs.tf

output "vpc_internet_id"{
  value       = aws_vpc.vpc_internet.id
  description = "id of proxy vpc"
}
output "subnet_private1a_id"{
  value       = aws_subnet.private_subnet1a.id
  description = "id of private subnet 1a which tgw attachment is attached"
}
output "subnet_private1c_id"{
  value       = aws_subnet.private_subnet1c.id
  description = "id of private subnet 1c which tgw attachment is attached"
}
output "rtb_public_id"{
  value       = aws_route_table.rtb_public.id
  description = "id of route table which route is added by other module"
}

Import コマンド

基本は👇

$ terraform import module.vpc_internet.{resourceタイプ}.{resource名} {importするresourceのID}

以下のリソースは注意！

• aws_route_table_association
  subentとルートテーブルの明示的な関連付けを定義する設定。
  ImportするリソースIDはサブネットID/ルートテーブルID

$ terraform import module.vpc_internet.aws_route_table_association.database1a subnet-***/rtb-***

• aws_internet_gateway_attachment
  Internet GatewayとVPCの関連付けを定義する設定。
  ImportするリソースIDはインターネットGW ID:VPC ID

$ terraform import module.vpc_internet.aws_route_table_association.database1a igw-***:vpc-***

• aws_route
  ルートテーブルの各ルートを定義する設定。
  ImportするリソースIDはルートテーブルID_CIDR
  ※VPC endpoint(Gateway)のルートのImportはVPC endpointのImportで実施されるので行わない

$ terraform import module.vpc_internet.aws_route.route_public rtb-***_0.0.0.0/0

👆に代表される複数のリソース間の関連付けを定義する設定はImport時にリソースIDをつなげる文字が異なるので注意されたし

他Moduleで構築したリソース

• インターネットへのアウトバウンド通信の戻りのroute
  • 各環境のmicro VPCへインターネットからの戻りの通信の設定
  • Transit GatewayのIDが必要なため、Transit Gatewayが作成されるまで作成不可
  • 開発、テスト、ステージングのmicro VPCが追加されるごとに各VPCへの戻りのルートが追加されるように設計