前提
全体の概略はこちらから
Network部分の概略はこちらから
構成図
Module
main.tf
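# tgw attach associated with microservice
#
# Attaches the microservice VPC (var.vpc_micro_id, one subnet per AZ from
# var.subnet_micro_id) to the transit gateway var.tgw_id.
#
# Route-table membership of this attachment is managed explicitly by the
# association / propagation resources in this module, so the TGW's *default*
# route-table association and propagation are disabled on the attachment.
# Left at their default (true), an attachment on a TGW whose default
# association is enabled lands in the TGW default route table: that conflicts
# with the explicit association (an attachment can only be in one table) and
# would advertise the microservice CIDR to every attachment on the default
# table, which is exactly what the blackhole route in this module is meant to
# prevent.
# NOTE(review): these two flags cannot be configured on a TGW shared into this
# account via RAM; if var.tgw_id is not owned by this account, drop them and
# rely on the TGW owner's default-table settings instead.
resource "aws_ec2_transit_gateway_vpc_attachment" "micro" {
  subnet_ids         = var.subnet_micro_id
  transit_gateway_id = var.tgw_id
  vpc_id             = var.vpc_micro_id

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = {
    Name    = "${var.project}-tgw-attachment-micro-${var.env}"
    Env     = var.env
    Account = var.account
    Project = var.project
  }
}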
# route table association
#
# Places the microservice attachment in the "to internet" TGW route table
# (var.tgw_rtb_to_internet_id). An attachment belongs to exactly one TGW route
# table, so this table is what decides where traffic leaving the microservice
# VPC through the TGW is forwarded.
resource "aws_ec2_transit_gateway_route_table_association" "to_internet_from_micro" {
  transit_gateway_route_table_id = var.tgw_rtb_to_internet_id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.micro.id
}
# route table propagation
#
# Propagates the microservice VPC CIDR into the "from internet" TGW route table
# (var.tgw_rtb_from_internet_id) so attachments associated with that table can
# route back to this VPC. Propagation only adds a route to the target table; it
# does not change which table this attachment itself is associated with.
resource "aws_ec2_transit_gateway_route_table_propagation" "to_internet" {
  transit_gateway_route_table_id = var.tgw_rtb_from_internet_id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.micro.id
}
# route to block access to vpc of microservice from other vpcs
#
# Static blackhole route for the microservice VPC CIDR in the "to internet"
# table. Every attachment associated with that table (including other
# microservice VPCs) drops traffic destined to this VPC instead of forwarding
# it; a static route takes precedence over a propagated route for the same
# CIDR, so a propagation into this table cannot override the block.
# The block is scoped to var.tgw_rtb_to_internet_id only; reachability from the
# "from internet" table is still granted by the propagation resource.
resource "aws_ec2_transit_gateway_route" "block_to_micro" {
  transit_gateway_route_table_id = var.tgw_rtb_to_internet_id
  destination_cidr_block         = var.vpc_cidr_micro
  blackhole                      = true
}
# prefix list's entry of vpc's cidr associated with microservice
#
# Registers this VPC's CIDR in the shared managed prefix list var.prefixlist_id
# (the list of VPC CIDRs other than the proxy VPC).
# NOTE(review): do not combine this resource with inline `entry` blocks on the
# aws_ec2_managed_prefix_list that owns var.prefixlist_id — the two manage the
# same entry set and will undo each other on every apply.
resource "aws_ec2_managed_prefix_list_entry" "micro" {
  prefix_list_id = var.prefixlist_id
  cidr           = var.vpc_cidr_micro
  description    = "${var.project}-vpc-${var.env}-micro"
}
variables.tf
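# common variable
variable "project" {
  type        = string
  description = "project name"
}

variable "account" {
  type        = string
  description = "prod or no-prod"

  # The account class is tagged onto every resource; reject anything outside the
  # two documented values so a typo cannot mislabel a production attachment.
  validation {
    condition     = contains(["prod", "no-prod"], var.account)
    error_message = "account must be \"prod\" or \"no-prod\"."
  }
}

variable "env" {
  type        = string
  description = "dev, test, stage or prod"

  # env is embedded in resource Name tags and the prefix-list entry description
  # and selects the module instance (module.tgw_attachment_micro["dev"]), so
  # only the documented set is accepted.
  validation {
    condition     = contains(["dev", "test", "stage", "prod"], var.env)
    error_message = "env must be one of dev, test, stage or prod."
  }
}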
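# variables associated with network
variable "tgw_id" {
  type        = string
  description = "id of tgw"
}

variable "tgw_rtb_to_internet_id" {
  type        = string
  description = "id of tgw route table to the internet"
}

variable "tgw_rtb_from_internet_id" {
  type        = string
  description = "id of tgw route table from the internet"
}

variable "vpc_micro_id" {
  type        = string
  description = "id of microservice vpc associated with tgw attachment"
}

variable "vpc_cidr_micro" {
  type        = string
  description = "cidr of microservice vpc associated with tgw attachment"

  # This value becomes both a blackhole route and a prefix-list entry; fail at
  # plan time on a malformed CIDR rather than at apply time inside AWS.
  validation {
    condition     = can(cidrhost(var.vpc_cidr_micro, 0))
    error_message = "vpc_cidr_micro must be a valid CIDR block (e.g. 10.0.0.0/16)."
  }
}

variable "subnet_micro_id" {
  type        = list(string)
  description = "ids of microservice subnets (one per AZ) associated with tgw attachment"

  # A TGW VPC attachment needs at least one subnet; an empty list is a caller bug.
  validation {
    condition     = length(var.subnet_micro_id) > 0
    error_message = "subnet_micro_id must contain at least one subnet id."
  }
}

variable "prefixlist_id" {
  type        = string
  description = "prefix list of vpcs cidr except proxy vpc"
}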
Import コマンド
基本は👇
$ terraform import module.tgw_attachment_micro[\"dev\"].{resourceタイプ}.{resource名} {importするresourceのID}
※Transit Gateway Attachmentの場合
$ terraform import module.tgw_attachment_micro[\"dev\"].aws_ec2_transit_gateway_vpc_attachment.micro tgw-attach-****
以下のリソースは注意!
- aws_ec2_transit_gateway_route_table_association
Transit Gateway Attachment と Transit Gateway Route Table の関連付けを定義する設定。
ImportするリソースIDは「Transit Gateway Route TableのID」と「Transit Gateway AttachmentのID」をアンダースコア(_)でつなげた `tgw-rtb-xxxx_tgw-attach-xxxx` の形式
terraform import module.tgw_attachment_micro[\"dev\"].aws_ec2_transit_gateway_route_table_association.to_internet_from_micro tgw-rtb-****_tgw-attach-***
- aws_ec2_transit_gateway_route_table_propagation
Transit Gateway Attachment への Transit Gateway Route Table の伝播を定義する設定。
ImportするリソースIDは「Transit Gateway Route TableのID」と「Transit Gateway AttachmentのID」をアンダースコア(_)でつなげた `tgw-rtb-xxxx_tgw-attach-xxxx` の形式(associationと同じ)
terraform import module.tgw_attachment_micro[\"dev\"].aws_ec2_transit_gateway_route_table_propagation.to_internet tgw-rtb-****_tgw-attach-***
👆に代表される、複数のリソース間の関連付けを定義するリソースは、Import時にリソースIDをつなげる区切り文字がリソースごとに異なる(ここではアンダースコア)ので、各リソースのProviderドキュメントで形式を確認されたし
設計思想
- Transit Gateway Attachmentは時間単位でコストが発生し、かつ高価であるため、開発スケジュール(開発、テスト、ステージング)に合わせてデプロイできるように設計。
- Route Tableの Routeは各環境(開発、テスト、ステージング)の構築に合わせて、アクセス集約元のVPCのRouteTableに追記されるように設計。