はじめに
Terraform AWS modulesをご存知でしょうか。
普段からterraformでコードを書いている方の中にも「よく知らない」「聞いたことはあるけど使ったことはない」という方も実は多いのではないでしょうか。
この記事では Terraform AWS modules とは一体なんなのかをざっくり説明したいと思います。
そもそも何なの?
Terraform Registryで公開されている、コミュニティにより作成されたモジュール群です。
どこにあるの?
ここにあります。
どうやって使うの?
モジュールは概ねサービス毎に作成されています。
本体となるコードはgithub上で管理されていますが、Terraform Registry上に各モジュールのドキュメントがありますのでまずは自分が使いたいモジュールを選びましょう。(今回はvpcモジュールを例とします)
"Usage"に使い方が書いてありますので、今回はそのままコピペしてリージョンなどを微調整します。
main.tf
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["ap-northeast-1a", "ap-northeast-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
}
プロバイダーは別途定義しておいてください。
provider.tf
terraform {
required_version = ">= 1.6.6"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
backend "local" {
path = "terraform.tfstate"
}
}
provider "aws" {
region = "ap-northeast-1"
}
見た感じ、VPCのほかパブリックサブネットとプライベートサブネットが二つずつ、NATゲートウェイとVPNゲートウェイが作成されそうな気配がしますね。
それではこのまま terraform init , terraform plan を実行してみましょう。
$ terraform plan
Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.vpc.aws_default_network_acl.this[0] will be created
+ resource "aws_default_network_acl" "this" {
+ arn = (known after apply)
+ default_network_acl_id = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "my-vpc-default"
}
+ tags_all = {
+ "Name" = "my-vpc-default"
}
+ vpc_id = (known after apply)
+ egress {
+ action = "allow"
+ from_port = 0
+ ipv6_cidr_block = "::/0"
+ protocol = "-1"
+ rule_no = 101
+ to_port = 0
}
+ egress {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ protocol = "-1"
+ rule_no = 100
+ to_port = 0
}
+ ingress {
+ action = "allow"
+ from_port = 0
+ ipv6_cidr_block = "::/0"
+ protocol = "-1"
+ rule_no = 101
+ to_port = 0
}
+ ingress {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ protocol = "-1"
+ rule_no = 100
+ to_port = 0
}
}
# module.vpc.aws_default_route_table.default[0] will be created
+ resource "aws_default_route_table" "default" {
+ arn = (known after apply)
+ default_route_table_id = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "my-vpc-default"
}
+ tags_all = {
+ "Name" = "my-vpc-default"
}
+ vpc_id = (known after apply)
+ timeouts {
+ create = "5m"
+ update = "5m"
}
}
# module.vpc.aws_default_security_group.this[0] will be created
+ resource "aws_default_security_group" "this" {
+ arn = (known after apply)
+ description = (known after apply)
+ egress = (known after apply)
+ id = (known after apply)
+ ingress = (known after apply)
+ name = (known after apply)
+ name_prefix = (known after apply)
+ owner_id = (known after apply)
+ revoke_rules_on_delete = false
+ tags = {
+ "Name" = "my-vpc-default"
}
+ tags_all = {
+ "Name" = "my-vpc-default"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_eip.nat[0] will be created
+ resource "aws_eip" "nat" {
+ allocation_id = (known after apply)
+ arn = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = "vpc"
+ id = (known after apply)
+ instance = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ ptr_record = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags = {
+ "Name" = "my-vpc-ap-northeast-1a"
}
+ tags_all = {
+ "Name" = "my-vpc-ap-northeast-1a"
}
+ vpc = (known after apply)
}
# module.vpc.aws_eip.nat[1] will be created
+ resource "aws_eip" "nat" {
+ allocation_id = (known after apply)
+ arn = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = "vpc"
+ id = (known after apply)
+ instance = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ ptr_record = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags = {
+ "Name" = "my-vpc-ap-northeast-1c"
}
+ tags_all = {
+ "Name" = "my-vpc-ap-northeast-1c"
}
+ vpc = (known after apply)
}
# module.vpc.aws_internet_gateway.this[0] will be created
+ resource "aws_internet_gateway" "this" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "my-vpc"
}
+ tags_all = {
+ "Name" = "my-vpc"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_nat_gateway.this[0] will be created
+ resource "aws_nat_gateway" "this" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ connectivity_type = "public"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "Name" = "my-vpc-ap-northeast-1a"
}
+ tags_all = {
+ "Name" = "my-vpc-ap-northeast-1a"
}
}
# module.vpc.aws_nat_gateway.this[1] will be created
+ resource "aws_nat_gateway" "this" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ connectivity_type = "public"
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ secondary_private_ip_address_count = (known after apply)
+ secondary_private_ip_addresses = (known after apply)
+ subnet_id = (known after apply)
+ tags = {
+ "Name" = "my-vpc-ap-northeast-1c"
}
+ tags_all = {
+ "Name" = "my-vpc-ap-northeast-1c"
}
}
# module.vpc.aws_route.private_nat_gateway[0] will be created
+ resource "aws_route" "private_nat_gateway" {
+ destination_cidr_block = "0.0.0.0/0"
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ nat_gateway_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
+ timeouts {
+ create = "5m"
}
}
# module.vpc.aws_route.private_nat_gateway[1] will be created
+ resource "aws_route" "private_nat_gateway" {
+ destination_cidr_block = "0.0.0.0/0"
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ nat_gateway_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
+ timeouts {
+ create = "5m"
}
}
# module.vpc.aws_route.public_internet_gateway[0] will be created
+ resource "aws_route" "public_internet_gateway" {
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = (known after apply)
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = (known after apply)
+ state = (known after apply)
+ timeouts {
+ create = "5m"
}
}
# module.vpc.aws_route_table.private[0] will be created
+ resource "aws_route_table" "private" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "my-vpc-private-ap-northeast-1a"
}
+ tags_all = {
+ "Name" = "my-vpc-private-ap-northeast-1a"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_route_table.private[1] will be created
+ resource "aws_route_table" "private" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "my-vpc-private-ap-northeast-1c"
}
+ tags_all = {
+ "Name" = "my-vpc-private-ap-northeast-1c"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_route_table.public[0] will be created
+ resource "aws_route_table" "public" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = (known after apply)
+ tags = {
+ "Name" = "my-vpc-public"
}
+ tags_all = {
+ "Name" = "my-vpc-public"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_route_table_association.private[0] will be created
+ resource "aws_route_table_association" "private" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# module.vpc.aws_route_table_association.private[1] will be created
+ resource "aws_route_table_association" "private" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# module.vpc.aws_route_table_association.public[0] will be created
+ resource "aws_route_table_association" "public" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# module.vpc.aws_route_table_association.public[1] will be created
+ resource "aws_route_table_association" "public" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# module.vpc.aws_subnet.private[0] will be created
+ resource "aws_subnet" "private" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.1.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "my-vpc-private-ap-northeast-1a"
}
+ tags_all = {
+ "Name" = "my-vpc-private-ap-northeast-1a"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_subnet.private[1] will be created
+ resource "aws_subnet" "private" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.2.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "my-vpc-private-ap-northeast-1c"
}
+ tags_all = {
+ "Name" = "my-vpc-private-ap-northeast-1c"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_subnet.public[0] will be created
+ resource "aws_subnet" "public" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.101.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "my-vpc-public-ap-northeast-1a"
}
+ tags_all = {
+ "Name" = "my-vpc-public-ap-northeast-1a"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_subnet.public[1] will be created
+ resource "aws_subnet" "public" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.102.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Name" = "my-vpc-public-ap-northeast-1c"
}
+ tags_all = {
+ "Name" = "my-vpc-public-ap-northeast-1c"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_vpc.this[0] will be created
+ resource "aws_vpc" "this" {
+ arn = (known after apply)
+ cidr_block = "10.0.0.0/16"
+ default_network_acl_id = (known after apply)
+ default_route_table_id = (known after apply)
+ default_security_group_id = (known after apply)
+ dhcp_options_id = (known after apply)
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_network_address_usage_metrics = (known after apply)
+ id = (known after apply)
+ instance_tenancy = "default"
+ ipv6_association_id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ ipv6_cidr_block_network_border_group = (known after apply)
+ main_route_table_id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "my-vpc"
}
+ tags_all = {
+ "Name" = "my-vpc"
}
}
# module.vpc.aws_vpn_gateway.this[0] will be created
+ resource "aws_vpn_gateway" "this" {
+ amazon_side_asn = "64512"
+ arn = (known after apply)
+ id = (known after apply)
+ tags = {
+ "Name" = "my-vpc"
}
+ tags_all = {
+ "Name" = "my-vpc"
}
+ vpc_id = (known after apply)
}
Plan: 24 to add, 0 to change, 0 to destroy.
いっぱい出ました。
サブネットやNATゲートウェイのほか、EIP、ルートテーブルといったリソースも作成されることがわかります。
この通り、モジュールを読み込んでいくつかの変数を入力として与えると関連リソースをまとめて作成することができます。
設定を変えたいときは?
先ほどのplanの結果を見て、「NATゲートウェイをシングル構成にしたかったけどサブネット毎に作成されてる……」と思った方もいると思います。
そんなときは、入力値として
enable_nat_gateway = true
single_nat_gateway = true
one_nat_gateway_per_az = false
のようにしてあげるとNATゲートウェイが一つだけ作成されます。
このように様々な入力値を渡すことで設定をしていくため、ドキュメントの下部に Inputs がまとめて記載されています。
この入力値による設定の制御は少しクセがありますので、後編を執筆する際にもう少し詳しく説明したいと思います。
毎回使った方がいいの?
少ないコードで色々なリソースができて便利!毎回使った方がいいのでは?
と思った方もいらっしゃるかもしれませんが必ずしもそうとは限りません。
いわゆるよくある構成を作るだけであれば非常に簡単に導入できますが、複雑なアーキテクチャを思った通りに構築しようとするとなかなか大変です。
何を入力として渡せばいいのか、何が出力として返ってくるのか、あの設定を変更するにはどうしたらいいのか、などなどドキュメントから読み取りきれない情報はgithub上のソースを見て読み取っていく必要があります。
また、「タグは ignore_changes を使って変更を無視したい」といったような要件にはそもそも対応できない場合もあります。
おわりに
いかがだったでしょうか。
細かい制御が難しい部分もありますが、よくある構成を繰り返し作るような場面ではとても便利です。
なんか難しそう……と敬遠せずにまずは触ってみてください。
(そして「こういうふうに使うと便利!」「こういう要件のときには合わなかった」といった声をもらえるとありがたいです。)