@satoshi_iwashita

Notes on managing an existing VPC with terraform

More than 3 years have passed since last update.

The sense of omnipotence terraform gives you is great.
These are my notes on what I did against an existing VPC with terraform 0.4.2.

Installation was done with brew install terraform.

$  terraform
usage: terraform [--version] [--help] <command> [<args>]

Available commands are:
    apply      Builds or changes infrastructure
    destroy    Destroy Terraform-managed infrastructure
    get        Download and install modules for the configuration
    graph      Create a visual graph of Terraform resources
    init       Initializes Terraform configuration from a module
    output     Read an output from a state file
    plan       Generate and show an execution plan
    push       Upload this Terraform module to Atlas to run
    refresh    Update local state file against real resources
    remote     Configure remote state storage
    show       Inspect Terraform state or plan
    taint      Manually mark a resource for recreation
    version    Prints the Terraform version

$  terraform --version
Terraform v0.4.2

$  ls -l /usr/local/bin/terraform*
lrwxr-xr-x  1 hoge huga 39 Apr 27 14:21 /usr/local/bin/terraform -> ../Cellar/terraform/0.4.2/bin/terraform
lrwxr-xr-x  1 hoge huga 54 Apr 27 14:21 /usr/local/bin/terraform-provider-atlas -> ../Cellar/terraform/0.4.2/bin/terraform-provider-atlas
lrwxr-xr-x  1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-aws -> ../Cellar/terraform/0.4.2/bin/terraform-provider-aws
lrwxr-xr-x  1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudflare -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudflare
lrwxr-xr-x  1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudstack
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-consul -> ../Cellar/terraform/0.4.2/bin/terraform-provider-consul
lrwxr-xr-x  1 hoge huga 61 Apr 27 14:21 /usr/local/bin/terraform-provider-digitalocean -> ../Cellar/terraform/0.4.2/bin/terraform-provider-digitalocean
lrwxr-xr-x  1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-dme -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dme
lrwxr-xr-x  1 hoge huga 57 Apr 27 14:21 /usr/local/bin/terraform-provider-dnsimple -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dnsimple
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-docker -> ../Cellar/terraform/0.4.2/bin/terraform-provider-docker
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-google -> ../Cellar/terraform/0.4.2/bin/terraform-provider-google
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-heroku -> ../Cellar/terraform/0.4.2/bin/terraform-provider-heroku
lrwxr-xr-x  1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provider-mailgun -> ../Cellar/terraform/0.4.2/bin/terraform-provider-mailgun
lrwxr-xr-x  1 hoge huga 53 Apr 27 14:21 /usr/local/bin/terraform-provider-null -> ../Cellar/terraform/0.4.2/bin/terraform-provider-null
lrwxr-xr-x  1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-openstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-openstack
lrwxr-xr-x  1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-terraform -> ../Cellar/terraform/0.4.2/bin/terraform-provider-terraform
lrwxr-xr-x  1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provisioner-file -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-file
lrwxr-xr-x  1 hoge huga 62 Apr 27 14:21 /usr/local/bin/terraform-provisioner-local-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-local-exec
lrwxr-xr-x  1 hoge huga 63 Apr 27 14:21 /usr/local/bin/terraform-provisioner-remote-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-remote-exec

Simple and pleasant.

Note that when I installed from source, created a /usr/local/bin/terraform directory and added it to the PATH, I got a provider aws not found error, so it may have to live directly in /usr/local/bin.

What I did

  • Create subnets
    • 10.0.0.0/24
    • 10.0.1.0/24
  • Create a route table
    • default route to the nat instance
    • static route to the Office
  • Create Network ACLs
    • allow all inbound
    • outbound: deny only port 25

Variables

Variables go in variables.tf.
This assumes a setup where the VPC and the Office are connected by a site-to-site VPN and a nat instance exists inside the VPC.

variables.tf
# The credentials and resource ids below are redacted by the author.
# A .tf file that holds live access keys should not be committed to version control.
variable "my-env" {
    default = {
        access_key = "**************"
        secret_key = "************************"
        region = "ap-northeast-1"
        vpc_id = "vpc-******"
        az_b = "ap-northeast-1a"
        az_c = "ap-northeast-1b"
        nat_id = "i-*******"
        office_gw = "vgw-******"
    }
}

Subnets

subnets.tf
resource "aws_subnet" "test-1" {
    vpc_id = "${var.my-env.vpc_id}"
    cidr_block = "10.0.0.0/24"
    availability_zone = "ap-northeast-1a"
    tags {
        Name = "test-1"
    }
}

resource "aws_subnet" "test-2" {
    vpc_id = "${var.my-env.vpc_id}"
    cidr_block = "10.0.1.0/24"
    availability_zone = "ap-northeast-1b"
    tags {
        Name = "test-2"
    }
}

Route Table

route_tables.tf
resource "aws_route_table" "test-rtb" {
    vpc_id = "${var.my-env.vpc_id}"
    # default route via the nat instance
    route {
        cidr_block = "0.0.0.0/0"
        instance_id = "${var.my-env.nat_id}"
    }
    # static route to the Office over the site-to-site VPN gateway
    route {
        cidr_block = "192.168.1.0/24"
        gateway_id = "${var.my-env.office_gw}"
    }
}

resource "aws_route_table_association" "test-1" {
    subnet_id = "${aws_subnet.test-1.id}"
    route_table_id = "${aws_route_table.test-rtb.id}"
}

resource "aws_route_table_association" "test-2" {
    subnet_id = "${aws_subnet.test-2.id}"
    route_table_id = "${aws_route_table.test-rtb.id}"
}

Network ACL

nacl.tf
resource "aws_network_acl" "test-1_acl" {
    vpc_id = "${var.my-env.vpc_id}"
    subnet_id = "${aws_subnet.test-1.id}"
    # inbound: allow everything
    ingress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
    # outbound: deny SMTP first (lower rule_no is evaluated first) ...
    egress {
        rule_no = 50
        protocol = "tcp"
        action = "deny"
        from_port = 25
        to_port = 25
        cidr_block = "0.0.0.0/0"
    }
    # ... then allow everything else
    egress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
}

resource "aws_network_acl" "test-2_acl" {
    vpc_id = "${var.my-env.vpc_id}"
    subnet_id = "${aws_subnet.test-2.id}"
    ingress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
    egress {
        rule_no = 50
        protocol = "tcp"
        action = "deny"
        from_port = 25
        to_port = 25
        cidr_block = "0.0.0.0/0"
    }
    egress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
}
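The egress block above only blocks SMTP because the deny rule carries a lower rule_no than the allow-all rule: AWS evaluates NACL rules in ascending rule number and stops at the first match. The following is an added example (not part of the original post) that models that evaluation for the rules in nacl.tf and flags rules that can never fire because a lower-numbered rule already covers them; the rule set, the test address and the helper names are constructed here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    rule_no: int
    protocol: str  # "all" (or "-1"), "tcp", "udp", ...  (names as in nacl.tf)
    action: str    # "allow" or "deny"
    from_port: int
    to_port: int
    cidr_block: str

    def is_any_proto(self):
        return self.protocol in ("all", "-1")

    def matches(self, protocol, port, address):
        # For protocol "all" the port range is ignored, as AWS does.
        if not self.is_any_proto():
            if self.protocol != protocol or not (self.from_port <= port <= self.to_port):
                return False
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr_block)

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        proto_ok = self.is_any_proto() or self.protocol == other.protocol
        ports_ok = self.is_any_proto() or (
            self.from_port <= other.from_port and other.to_port <= self.to_port)
        cidr_ok = ipaddress.ip_network(other.cidr_block).subnet_of(
            ipaddress.ip_network(self.cidr_block))
        return proto_ok and ports_ok and cidr_ok


# Constructed from the egress block of nacl.tf: deny SMTP at 50, allow all at 100.
EGRESS_RULES = [
    NaclRule(100, "all", "allow", 0, 65535, "0.0.0.0/0"),
    NaclRule(50, "tcp", "deny", 25, 25, "0.0.0.0/0"),
]


def evaluate(rules, protocol, port, address):
    """AWS NACL semantics: ascending rule_no, first match wins, implicit deny otherwise."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if rule.matches(protocol, port, address):
            return rule.action, rule.rule_no
    return "deny", None  # the implicit '*' rule at the end of every NACL


def shadowed_rules(rules):
    """Rule numbers that can never fire because a lower-numbered rule already covers them."""
    ordered = sorted(rules, key=lambda r: r.rule_no)
    return [r.rule_no for i, r in enumerate(ordered) if any(e.covers(r) for e in ordered[:i])]
```

With the page's ordering, `evaluate(EGRESS_RULES, "tcp", 25, "203.0.113.10")` returns `("deny", 50)` while port 443 returns `("allow", 100)`; if the SMTP deny were numbered 200 instead, `shadowed_rules` reports it as unreachable and the outbound SMTP block silently disappears.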

Running it

The files look like this.

$ tree
.
├── aws.tf
├── nacl.tf
├── route_tables.tf
├── subnets.tf
└── variables.tf

0 directories, 5 files

Check with plan before applying,

$ terraform plan

then apply with apply.

$ terraform apply

That is all it takes. Amazing.

terraform destroy tears it down just as easily, so reusing this when building test environments and the like should make operations easier.

↓ Used as a reference
http://ghost.ponpokopon.me/provider-digitalocean-not-found/
