
AWSリソースをTerraformにImportする(Network関連_TransitGateway)


前提

全体の概略はこちらから
Network部分の概略はこちらから

構成図

Module

main.tf

# Transit Gateway shared by every VPC in this design.
# Both defaults are disabled on purpose: an attachment gets no routing until it
# is explicitly associated with one of the route tables below, which is what
# the to_internet / from_internet split relies on.
resource "aws_ec2_transit_gateway" "main" {
  default_route_table_propagation = "disable"
  default_route_table_association = "disable"

  tags = {
    Name = "${var.project}-tgw"
    # ... other tags omitted
  }
}
# Attachment for the proxy VPC, i.e. the VPC that holds the internet gateway.
resource "aws_ec2_transit_gateway_vpc_attachment" "internet" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = var.vpc_internet_id
  subnet_ids         = var.subnet_internet_id

  tags = {
    Name = "${var.project}-tgw-attachment-internet"
    # ... other tags omitted
  }
}
# Attachment for the database (RDS) VPC.
resource "aws_ec2_transit_gateway_vpc_attachment" "database" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = var.vpc_database_id
  subnet_ids         = var.subnet_database_id

  tags = {
    Name = "${var.project}-tgw-attachment-database"
    # ... other tags omitted
  }
}

# TGW route table for traffic coming from the database VPC (and, per the
# design notes, the microservice VPCs attached from other modules).
# Its routes only lead toward the proxy VPC, never toward the database VPC.
resource "aws_ec2_transit_gateway_route_table" "to_internet" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id

  tags = {
    Name = "${var.project}-tgw-rtb-to-internet"
    # ... other tags omitted
  }
}
# Packets entering the TGW from the database attachment are looked up in
# the to_internet table.
resource "aws_ec2_transit_gateway_route_table_association" "to_internet_from_database" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.database.id
}
# Propagates the proxy VPC's CIDR into to_internet. With the 0.0.0.0/0 static
# route below this mainly adds a more specific entry for the proxy VPC itself.
resource "aws_ec2_transit_gateway_route_table_propagation" "to_internet" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.internet.id
}
# Default route: everything not matched more specifically is handed to the
# proxy VPC attachment, which is where internet egress happens.
resource "aws_ec2_transit_gateway_route" "to_internet" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.internet.id
  destination_cidr_block         = "0.0.0.0/0"
}
# Blackhole for the database VPC CIDR: any attachment that uses to_internet
# (microservice VPCs included) cannot reach the database VPC through the TGW.
# Static routes, blackholes included, take precedence over propagated routes
# of the same prefix, so a later propagation would not silently re-open this.
resource "aws_ec2_transit_gateway_route" "block_to_database" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  destination_cidr_block         = var.vpc_cidr_database
  blackhole                      = true
}

# TGW route table for traffic coming back from the proxy VPC. This is the only
# table that carries a route toward the database VPC.
resource "aws_ec2_transit_gateway_route_table" "from_internet" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id

  tags = {
    Name = "${var.project}-tgw-rtb-from-internet"
    # ... other tags omitted
  }
}
# Packets entering the TGW from the proxy VPC attachment are looked up in
# the from_internet table.
resource "aws_ec2_transit_gateway_route_table_association" "from_internet_to_vpc" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.internet.id
}
# Propagates the database VPC's CIDR into from_internet so return traffic
# from the proxy VPC can find the database attachment.
resource "aws_ec2_transit_gateway_route_table_propagation" "from_internet" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.database.id
}
# Static route from the proxy VPC toward the database VPC.
# NOTE(review): this overlaps the route that
# aws_ec2_transit_gateway_route_table_propagation.from_internet already
# propagates for the same attachment; static routes win over propagated ones,
# so the effect is to pin the path explicitly rather than to add reachability.
resource "aws_ec2_transit_gateway_route" "from_internet_to_database" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.database.id
  destination_cidr_block         = var.vpc_cidr_database
}

# VPC-side default route for the database VPC: all non-local traffic goes to
# the TGW, where the to_internet table decides what is actually reachable.
# Presumably the database VPC has no internet gateway of its own (not shown
# here), so this is its sole egress path and outbound filtering lives in the
# proxy VPC.
resource "aws_route" "route_database" {
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
  route_table_id         = var.rtb_database_id
  destination_cidr_block = "0.0.0.0/0"
}
# VPC-side route for the proxy VPC: every CIDR registered in the managed
# prefix list is sent back to the TGW (the from_internet table then picks
# the attachment). Using the prefix list keeps this a single route even as
# other modules add their VPC CIDRs to the list.
resource "aws_route" "route_internet" {
  transit_gateway_id         = aws_ec2_transit_gateway.main.id
  route_table_id             = var.rtb_internet_id
  destination_prefix_list_id = aws_ec2_managed_prefix_list.vpc.id
}
# Managed prefix list holding the CIDRs of every VPC except the proxy VPC.
# No inline "entry" blocks here on purpose: entries are added by standalone
# aws_ec2_managed_prefix_list_entry resources (below and in the per-VPC
# modules), and mixing the two forms conflicts.
# max_entries is the hard cap on how many VPC CIDRs can be registered.
resource "aws_ec2_managed_prefix_list" "vpc" {
  name           = "${var.project}-prefixlist"
  address_family = "IPv4"
  max_entries    = 30

  tags = {
    # ... tags omitted
  }
}
# Entry registering the database VPC's CIDR in the prefix list.
# NOTE(review): the description reads "vpc-micro" although this entry holds
# the database VPC's CIDR — looks like a copy-paste leftover. Left as-is so
# the import does not diff against the existing entry; confirm before renaming.
resource "aws_ec2_managed_prefix_list_entry" "database" {
  prefix_list_id = aws_ec2_managed_prefix_list.vpc.id
  cidr           = var.vpc_cidr_database
  description    = "${var.project}-vpc-micro-${var.env}"
}

variables.tf

# ---- variables shared by all modules ----
variable "project" {
  type        = string
  description = "project name"
}

# NOTE(review): "account" is not referenced by the main.tf shown here;
# presumably used by other modules or in tags — confirm before relying on it.
variable "account" {
  type        = string
  description = "prod or no-prod"
}

# Only used in this module for the prefix list entry description.
variable "env" {
  type        = string
  description = "dev, test, stage or prod"
}

# ---- inputs consumed by the TGW resources ----
variable "vpc_database_id" {
  type        = string
  description = "vpc id associated with database"
}

# Used twice: as the blackhole prefix in to_internet and as the prefix list entry.
variable "vpc_cidr_database" {
  type        = string
  description = "vpc cidr associated with database"
}

variable "vpc_internet_id" {
  type        = string
  description = "vpc id associated with proxy vpc"
}

# One subnet per AZ the attachment should live in.
variable "subnet_database_id" {
  type        = list(string)
  description = "subnet id of associated with database"
}

variable "subnet_internet_id" {
  type        = list(string)
  description = "subnet id of associated with proxy vpc"
}

# ---- VPC route tables that receive routes pointing at the TGW ----
variable "rtb_database_id" {
  type        = string
  description = "route table id associated with database vpc"
}

variable "rtb_internet_id" {
  type        = string
  description = "route table id associated with proxy vpc"
}

outputs.tf

# Exposed so other modules (e.g. the microservice attachments) can attach to
# the same TGW, associate with the right route table and extend the prefix list.
output "tgw_id" {
  description = "id of tgw"
  value       = aws_ec2_transit_gateway.main.id
}

output "tgw_rtb_to_internet_id" {
  description = "id of tgw route table associated with vpcs"
  value       = aws_ec2_transit_gateway_route_table.to_internet.id
}

output "tgw_rtb_from_internet_id" {
  description = "id of tgw route table associated with proxy vpc"
  value       = aws_ec2_transit_gateway_route_table.from_internet.id
}

output "prefixlist_id" {
  description = "prefix list associated tgw id"
  value       = aws_ec2_managed_prefix_list.vpc.id
}

Import コマンド

基本は👇

$ terraform import module.tgw.{resourceタイプ}.{resource} {importするresourceID}

※Transit Gatewayの場合

$ terraform import module.tgw.aws_ec2_transit_gateway.main tgw-***

以下のリソースは注意!

  • aws_ec2_transit_gateway_route_table_association
    Transit Gateway Attachment と Transit Gateway Route Table の関連付けを定義する設定。
    ImportするリソースIDは「Transit Gateway Route TableのID」と「Transit Gateway AttachmentのID」を `_` でつないだもの
terraform import module.tgw.aws_ec2_transit_gateway_route_table_association.to_internet_from_database tgw-rtb-***_tgw-attach-***

👆に代表される、複数のリソース間の関連付けを定義する設定は、Import時にリソースIDをつなげる文字（区切り文字）がリソースごとに異なるので注意されたし

設計思想

  • Transit Gatewayをはじめとするインターネットアクセスの集約に関係するリソースをこのmoduleに定義。
    • マイクロサービスのTransit Gateway Attachmentは分離して別moduleで定義。
      • 集約化に関係するリソースの中で、高価なため開発スケジュールに合わせてデプロイする。
    • Transit Gatewayを宛先とするRoute Table のRouteもこのmoduleで定義。
      • Route Tableの本体は各々のVPCのModuleで定義。
  • インターネットからの戻りのアクセスはプレフィックスリストを使用。
    • database VPCを除き、各々のVPCのmoduleでVPCのCidrがプレフィックスリストに追記される設計。