前提
全体の概略はこちらから
Network部分の概略はこちらから
構成図
Module
main.tf
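# Transit Gateway that hubs the database VPC, the proxy ("internet") VPC and
# the microservice VPCs whose attachments are defined in another module.
resource "aws_ec2_transit_gateway" "main" {
  # Both defaults are disabled on purpose: no attachment is associated with or
  # propagated into the TGW default route table, so an attachment can only
  # reach what the explicit route tables below (to_internet / from_internet)
  # allow. Keep these disabled; enabling either silently opens any-to-any
  # routing between every attachment.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  # Stated explicitly instead of relying on the provider default so the intent
  # is reviewable: attachments offered from other accounts (RAM sharing) must
  # be accepted by hand rather than joining the hub automatically.
  auto_accept_shared_attachments = "disable"
  tags = {
    Name = "${var.project}-tgw"
    // ... omitted
  }
}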
# TGW attachment for the proxy ("internet") VPC. This is the egress side that
# the to_internet route table sends 0.0.0.0/0 towards.
resource "aws_ec2_transit_gateway_vpc_attachment" "internet" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = var.vpc_internet_id
  # One subnet per AZ the TGW should place an ENI in (supplied by the caller).
  subnet_ids = var.subnet_internet_id
  tags = {
    Name = "${var.project}-tgw-attachment-internet"
    // ... omitted
  }
}
# TGW attachment for the VPC that hosts the database (RDS).
resource "aws_ec2_transit_gateway_vpc_attachment" "database" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = var.vpc_database_id
  # Subnets in the database VPC that receive the TGW ENIs (supplied by the caller).
  subnet_ids = var.subnet_database_id
  tags = {
    Name = "${var.project}-tgw-attachment-database"
    // ... omitted
  }
}
# TGW route table for the "spoke" side: the database attachment (associated
# below) and, per the design notes, the microservice attachments defined in
# another module. Its only forwarding target is the proxy VPC attachment.
resource "aws_ec2_transit_gateway_route_table" "to_internet" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  tags = {
    Name = "${var.project}-tgw-rtb-to-internet"
    // ... omitted
  }
}
# Associate the database attachment with the to_internet route table, so
# traffic arriving from the database VPC is looked up there.
resource "aws_ec2_transit_gateway_route_table_association" "to_internet_from_database" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.database.id
}
# Propagate the proxy VPC attachment's CIDR(s) into to_internet. Only the
# internet attachment propagates here, so spokes never learn each other's
# CIDRs through this table.
resource "aws_ec2_transit_gateway_route_table_propagation" "to_internet" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.internet.id
}
# Default route for the spoke side: everything not matched more specifically
# is handed to the proxy VPC attachment (egress is centralised there).
resource "aws_ec2_transit_gateway_route" "to_internet" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.internet.id
  destination_cidr_block         = "0.0.0.0/0"
}
# Isolation rule for the database VPC: any spoke that shares the to_internet
# table (e.g. a microservice attachment) and sends packets to the database
# CIDR has them dropped at the TGW. Because the TGW picks the longest prefix,
# this more specific blackhole wins over the 0.0.0.0/0 route above, which is
# what keeps the default route from becoming a path into the database VPC.
resource "aws_ec2_transit_gateway_route" "block_to_database" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.to_internet.id
  destination_cidr_block         = var.vpc_cidr_database
  blackhole                      = true
}
# TGW route table for the proxy ("internet") VPC side: return traffic from the
# proxy VPC is looked up here to find the spoke it belongs to.
resource "aws_ec2_transit_gateway_route_table" "from_internet" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  tags = {
    Name = "${var.project}-tgw-rtb-from-internet"
    // ... omitted
  }
}
# Associate the proxy VPC attachment with the from_internet route table.
resource "aws_ec2_transit_gateway_route_table_association" "from_internet_to_vpc" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.internet.id
}
# Propagate the database attachment's CIDR(s) into from_internet so the proxy
# VPC can route back to the database VPC.
# NOTE(review): the static route from_internet_to_database below points the
# same CIDR at the same attachment; if var.vpc_cidr_database is the whole VPC
# CIDR the two overlap — confirm which one is meant to be authoritative.
resource "aws_ec2_transit_gateway_route_table_propagation" "from_internet" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.database.id
}
# Static route from the proxy VPC side to the database VPC attachment. Note
# there is deliberately no 0.0.0.0/0 in from_internet: the proxy VPC only
# reaches spokes whose CIDRs are listed or propagated here.
resource "aws_ec2_transit_gateway_route" "from_internet_to_database" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_internet.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.database.id
  destination_cidr_block         = var.vpc_cidr_database
}
# VPC-side default route for the database VPC's route table: all non-local
# traffic leaves through the TGW (and from there only to the proxy VPC, per
# the to_internet table). The route table itself is owned by the VPC module.
resource "aws_route" "route_database" {
  route_table_id         = var.rtb_database_id
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
  destination_cidr_block = "0.0.0.0/0"
}
# VPC-side route for the proxy VPC: only destinations inside the managed
# prefix list are sent to the TGW, so the prefix list acts as the allow-list
# of spoke CIDRs reachable from the proxy VPC. Anything else follows the
# proxy VPC's own routes (e.g. to its internet gateway).
resource "aws_route" "route_internet" {
  route_table_id             = var.rtb_internet_id
  transit_gateway_id         = aws_ec2_transit_gateway.main.id
  destination_prefix_list_id = aws_ec2_managed_prefix_list.vpc.id
}
# Managed prefix list of every spoke VPC CIDR except the proxy VPC itself.
# Per the design notes, the database entry is added in this module and each
# other VPC module appends its own CIDR. max_entries is the hard cap on how
# many spokes can be listed; raising it later forces the list to be resized.
resource "aws_ec2_managed_prefix_list" "vpc" {
  name           = "${var.project}-prefixlist"
  address_family = "IPv4"
  max_entries    = 30
  tags = {
    // ... omitted
  }
}
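# Prefix list entry for the database VPC CIDR. This is what makes the database
# VPC reachable from the proxy VPC through route_internet above.
resource "aws_ec2_managed_prefix_list_entry" "database" {
  prefix_list_id = aws_ec2_managed_prefix_list.vpc.id
  cidr           = var.vpc_cidr_database
  # The description labels the entry as the database VPC so the list is
  # auditable in the console; it is informational only and not used for routing.
  description = "${var.project}-vpc-database-${var.env}"
}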
variables.tf
# Common variables shared by every module.
# Project name; used as the prefix of every Name tag in this module.
variable "project" {
  description = "project name"
  type        = string
}
# Account classification. Not referenced by the resources shown in this
# module's main.tf; kept for interface consistency with the other modules.
variable "account" {
  description = "prod or no-prod"
  type        = string
}
# Environment name; used in the prefix list entry description.
variable "env" {
  description = "dev, test, stage or prod"
  type        = string
}
# Variables consumed by the TGW attachments.
# ID of the VPC hosting the database; attached to the TGW as "database".
variable "vpc_database_id" {
  description = "vpc id associated with database"
  type        = string
}
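# CIDR of the database VPC. It is used three times with security impact: as
# the blackhole destination in to_internet, as the static route destination in
# from_internet, and as the prefix list entry. A malformed value would fail at
# apply time; the validation below rejects it at plan time instead.
variable "vpc_cidr_database" {
  description = "vpc cidr associated with database"
  type        = string

  validation {
    # cidrnetmask only accepts IPv4 prefixes, matching the IPv4 prefix list.
    condition     = can(cidrnetmask(var.vpc_cidr_database))
    error_message = "The vpc_cidr_database value must be an IPv4 CIDR block such as 10.0.0.0/16."
  }
}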
# ID of the proxy ("internet") VPC; attached to the TGW as "internet".
variable "vpc_internet_id" {
  description = "vpc id associated with proxy vpc"
  type        = string
}
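# Subnets in the database VPC that receive the TGW attachment ENIs.
variable "subnet_database_id" {
  description = "subnet id of associated with database"
  type        = list(string)

  validation {
    # A TGW VPC attachment cannot be created without at least one subnet.
    condition     = length(var.subnet_database_id) > 0
    error_message = "The subnet_database_id list must contain at least one subnet id."
  }
}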
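# Subnets in the proxy VPC that receive the TGW attachment ENIs.
variable "subnet_internet_id" {
  description = "subnet id of associated with proxy vpc"
  type        = list(string)

  validation {
    # A TGW VPC attachment cannot be created without at least one subnet.
    condition     = length(var.subnet_internet_id) > 0
    error_message = "The subnet_internet_id list must contain at least one subnet id."
  }
}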
# Variables naming resources (owned by the VPC modules) that receive routes
# towards the TGW.
# Route table of the database VPC that gets the 0.0.0.0/0 -> TGW route.
variable "rtb_database_id" {
  description = "route table id associated with database vpc"
  type        = string
}
# Route table of the proxy VPC that gets the prefix-list -> TGW route.
variable "rtb_internet_id" {
  description = "route table id associated with proxy vpc"
  type        = string
}
outputs.tf
# ID of the Transit Gateway, for modules that attach further VPCs to it.
output "tgw_id" {
  description = "id of tgw"
  value       = aws_ec2_transit_gateway.main.id
}
# Route table the spoke (database / microservice) attachments associate with.
output "tgw_rtb_to_internet_id" {
  description = "id of tgw route table associated with vpcs"
  value       = aws_ec2_transit_gateway_route_table.to_internet.id
}
# Route table the proxy VPC attachment associates with; other modules
# propagate their attachments into it so return traffic can find them.
output "tgw_rtb_from_internet_id" {
  description = "id of tgw route table associated with proxy vpc"
  value       = aws_ec2_transit_gateway_route_table.from_internet.id
}
# Prefix list that other VPC modules append their CIDR to; it bounds what the
# proxy VPC can reach through the TGW.
output "prefixlist_id" {
  description = "prefix list associated tgw id"
  value       = aws_ec2_managed_prefix_list.vpc.id
}
Import コマンド
基本は👇
$ terraform import module.tgw.{resourceタイプ}.{resource名} {importするresourceのID}
※Transit Gatewayの場合
$ terraform import module.tgw.aws_ec2_transit_gateway.main tgw-***
以下のリソースは注意!
- aws_ec2_transit_gateway_route_table_association
Transit Gateway Attachment と Transit Gateway Route Table の関連付けを定義する設定。
ImportするリソースIDはTransit Gateway Route TableのID_Transit Gateway AttachmentのID
terraform import module.tgw.aws_ec2_transit_gateway_route_table_association.to_internet_from_database tgw-rtb-***_tgw-attach-***
👆に代表される複数のリソース間の関連付けを定義する設定はImport時にリソースIDをつなげる文字が異なるので注意されたし
設計思想
- Transit Gatewayをはじめとするインターネットアクセスの集約に関係するリソースをこのmoduleに定義。
- マイクロサービスのTransit Gateway Attachmentは分離して別moduleで定義。
- 集約化に関係するリソースは高価なため、開発スケジュールに合わせてデプロイする。
- Transit Gatewayを宛先とするRoute Table のRouteもこのmoduleで定義。
- Route Tableの本体は各々のVPCのModuleで定義。
- マイクロサービスのTransit Gateway Attachmentは分離して別moduleで定義。
- インターネットからの戻りのアクセスはプレフィックスリストを使用。
- database VPCを除き、各々のVPCのmoduleでVPCのCidrがプレフィックスリストに追記される設計。