HCL2
Terraformで使う独自の設定言語(HCL2: HashiCorp Configuration Language version 2)
ブロックタイプ
locals 外部から変更できないローカル変数
variable 外から変更可能な変数
terraform terraformの設定
provider プロバイダ
resource terraform管理対象となるリソース
output 外部(モジュールの呼び出し元やCLI)から参照できるようにする値
VPC サブネット ルートテーブル インターネットゲートウェイの設定
network.tf
# ---------------------------------------------
# VPC
# ---------------------------------------------
# The VPC that every subnet, route table and security group in this stack
# hangs off. 192.168.0.0/20 holds sixteen /24 blocks; the four subnets below
# use 192.168.1.0 through 192.168.4.0.
resource "aws_vpc" "vpc" {
  cidr_block = "192.168.0.0/20"

  # Both DNS flags are on, so instances get resolvable private hostnames and
  # in-VPC name resolution works without a custom resolver.
  enable_dns_support   = true
  enable_dns_hostnames = true

  # No IPv6 block is requested. The security group rules in this stack are
  # IPv4-only (cidr_blocks); enabling IPv6 later would also need
  # ipv6_cidr_blocks rules or the new addresses are silently unfiltered
  # by the intended allow-lists.
  assign_generated_ipv6_cidr_block = false
  instance_tenancy                 = "default"

  tags = {
    Name    = format("%s-%s-vpc", var.project, var.environment)
    Project = var.project
    Env     = var.environment
  }
}
# ---------------------------------------------
# Subnet
# ---------------------------------------------
# Public subnet in ap-northeast-1a. It is associated with public_rt, which
# carries the 0.0.0.0/0 route to the internet gateway.
resource "aws_subnet" "public_subnet_1a" {
  vpc_id            = aws_vpc.vpc.id
  cidr_block        = "192.168.1.0/24"
  availability_zone = "ap-northeast-1a"

  # Every instance launched here gets a public IP, so it is internet-reachable
  # as soon as its security group allows it. Presumably only the web and
  # opmng roles are placed here; keep app/db instances out of this subnet.
  map_public_ip_on_launch = true

  tags = {
    Name    = format("%s-%s-public-subnet-1a", var.project, var.environment)
    Project = var.project
    Env     = var.environment
    Type    = "public"
  }
}
# Public subnet in ap-northeast-1c, the second AZ of the public tier.
# Mirrors public_subnet_1a and shares public_rt with it.
resource "aws_subnet" "public_subnet_1c" {
  vpc_id            = aws_vpc.vpc.id
  cidr_block        = "192.168.2.0/24"
  availability_zone = "ap-northeast-1c"

  # Auto-assigned public IPs: instances here are exposed as soon as a
  # security group opens a port. Same caveat as public_subnet_1a.
  map_public_ip_on_launch = true

  tags = {
    Name    = format("%s-%s-public-subnet-1c", var.project, var.environment)
    Project = var.project
    Env     = var.environment
    Type    = "public"
  }
}
# Private subnet in ap-northeast-1a. Associated with private_rt, which has no
# default route, so nothing here has a direct path to or from the internet.
resource "aws_subnet" "private_subnet_1a" {
  vpc_id            = aws_vpc.vpc.id
  cidr_block        = "192.168.3.0/24"
  availability_zone = "ap-northeast-1a"

  # No public IPs: the app and db tiers are expected to live here and be
  # reached only through the security group chain web -> app -> db.
  map_public_ip_on_launch = false

  tags = {
    Name    = format("%s-%s-private-subnet-1a", var.project, var.environment)
    Project = var.project
    Env     = var.environment
    Type    = "private"
  }
}
# Private subnet in ap-northeast-1c, second AZ of the private tier.
# Mirrors private_subnet_1a and shares private_rt with it.
resource "aws_subnet" "private_subnet_1c" {
  vpc_id            = aws_vpc.vpc.id
  cidr_block        = "192.168.4.0/24"
  availability_zone = "ap-northeast-1c"

  # No public IPs; see private_subnet_1a.
  map_public_ip_on_launch = false

  tags = {
    Name    = format("%s-%s-private-subnet-1c", var.project, var.environment)
    Project = var.project
    Env     = var.environment
    Type    = "private"
  }
}
# ---------------------------------------------
# Route Table
# ---------------------------------------------
# Route table for the two public subnets. Routes are added as separate
# aws_route resources (see public_rt_igw_r), not inline, so this block only
# creates the table and the implicit local VPC route.
resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name    = format("%s-%s-public-rt", var.project, var.environment)
    Project = var.project
    Env     = var.environment
    Type    = "public"
  }
}
# Attach public_subnet_1a to the public route table (and thereby to the IGW
# default route declared in public_rt_igw_r).
resource "aws_route_table_association" "public_rt_1a" {
  subnet_id      = aws_subnet.public_subnet_1a.id
  route_table_id = aws_route_table.public_rt.id
}
# Attach public_subnet_1c to the public route table.
resource "aws_route_table_association" "public_rt_1c" {
  subnet_id      = aws_subnet.public_subnet_1c.id
  route_table_id = aws_route_table.public_rt.id
}
# Route table for the two private subnets. No routes are added to it anywhere
# in this file: there is no NAT gateway and no VPC endpoint here, so the
# private subnets have only the implicit local route. That is the intended
# isolation for the app/db tiers, but it also means the S3 prefix-list egress
# on app_sg is only usable if an S3 gateway endpoint is declared elsewhere
# and associated with this table — confirm before relying on it.
resource "aws_route_table" "private_rt" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name    = format("%s-%s-private-rt", var.project, var.environment)
    Project = var.project
    Env     = var.environment
    Type    = "private"
  }
}
# Attach private_subnet_1a to the (route-less) private route table.
resource "aws_route_table_association" "private_rt_1a" {
  subnet_id      = aws_subnet.private_subnet_1a.id
  route_table_id = aws_route_table.private_rt.id
}
# Attach private_subnet_1c to the (route-less) private route table.
resource "aws_route_table_association" "private_rt_1c" {
  subnet_id      = aws_subnet.private_subnet_1c.id
  route_table_id = aws_route_table.private_rt.id
}
# ---------------------------------------------
# Internet Gateway
# ---------------------------------------------
# Internet gateway for the VPC. Only public_rt points at it, so only the two
# public subnets get internet ingress/egress.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name    = format("%s-%s-igw", var.project, var.environment)
    Project = var.project
    Env     = var.environment
  }
}
# Default route for the public subnets: everything not local goes to the IGW.
# This is the single line that makes the "public" subnets public; the
# private route table deliberately has no equivalent.
resource "aws_route" "public_rt_igw_r" {
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
  route_table_id         = aws_route_table.public_rt.id
}
ファイアウォール(SG)作成
以下のセキュリティグループを作成する
- Webサーバー用
- APサーバー用
- DBサーバー用
- 運用管理用
security_group.tf
# ---------------------------------------------
# Security Group
# ---------------------------------------------
# web security group
# Security group for the web front tier. All rules are attached as separate
# aws_security_group_rule resources. Per the AWS provider's documented
# behaviour, Terraform removes AWS's default allow-all egress from SGs it
# creates, so only the rules declared in this file apply. Do not add inline
# ingress/egress blocks here — mixing them with standalone rules causes
# perpetual diffs.
resource "aws_security_group" "web_sg" {
  vpc_id      = aws_vpc.vpc.id
  name        = format("%s-%s-web-sg", var.project, var.environment)
  description = "web front role security group"

  tags = {
    Name    = format("%s-%s-web-sg", var.project, var.environment)
    Project = var.project
    Env     = var.environment
  }
}
# Plain HTTP from anywhere into the web tier. World-open 80 is expected for a
# public web front; if it exists only to redirect to 443, confirm the web
# servers do not also serve application content over it.
resource "aws_security_group_rule" "web_in_http" {
  type              = "ingress"
  security_group_id = aws_security_group.web_sg.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["0.0.0.0/0"]
}
# HTTPS from anywhere into the web tier. This is the intended public entry
# point of the stack.
resource "aws_security_group_rule" "web_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.web_sg.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}
# The only egress the web tier has: tcp/3000 to members of app_sg.
# Note that on an egress rule the provider's "source_security_group_id"
# argument is the DESTINATION group — the name is a known provider quirk.
# Because this is the sole egress rule, web instances cannot reach the
# internet (package updates, time sync, etc.) through this SG — intended
# least privilege, but be aware of it when the servers are bootstrapped.
resource "aws_security_group_rule" "web_out_tcp3000" {
  type                     = "egress"
  security_group_id        = aws_security_group.web_sg.id
  protocol                 = "tcp"
  from_port                = 3000
  to_port                  = 3000
  source_security_group_id = aws_security_group.app_sg.id
}
# app security group
# Security group for the application tier. Ingress is only tcp/3000 from
# web_sg; egress is S3 (80/443 via prefix list) and tcp/3306 to db_sg.
# Rules live in standalone aws_security_group_rule resources; do not add
# inline rules here.
resource "aws_security_group" "app_sg" {
  vpc_id      = aws_vpc.vpc.id
  name        = format("%s-%s-app-sg", var.project, var.environment)
  description = "application server role security group"

  tags = {
    Name    = format("%s-%s-app-sg", var.project, var.environment)
    Project = var.project
    Env     = var.environment
  }
}
# Application port reachable only from the web tier's security group.
# SG-to-SG references (rather than subnet CIDRs) keep the rule tight even if
# subnets are resized; the rule is the mirror of web_out_tcp3000.
resource "aws_security_group_rule" "app_in_tcp3000" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app_sg.id
  protocol                 = "tcp"
  from_port                = 3000
  to_port                  = 3000
  source_security_group_id = aws_security_group.web_sg.id
}
# HTTP egress from the app tier restricted to the S3 managed prefix list.
# data.aws_prefix_list.s3_pl is not declared in this file and must exist
# elsewhere in the module. Reaching S3 from the private subnets also needs
# an S3 gateway endpoint on private_rt, which this file does not create.
resource "aws_security_group_rule" "app_out_http" {
  type              = "egress"
  security_group_id = aws_security_group.app_sg.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  prefix_list_ids   = [data.aws_prefix_list.s3_pl.id]
}
# HTTPS egress from the app tier restricted to the S3 managed prefix list.
# Same dependencies as app_out_http: the s3_pl data source and an S3 gateway
# endpoint must be provided outside this file.
resource "aws_security_group_rule" "app_out_https" {
  type              = "egress"
  security_group_id = aws_security_group.app_sg.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [data.aws_prefix_list.s3_pl.id]
}
# MySQL egress from the app tier to members of db_sg only.
# On an egress rule "source_security_group_id" names the DESTINATION group
# (provider naming quirk). Mirror of db_in_tcp3306.
resource "aws_security_group_rule" "app_out_tcp3306" {
  type                     = "egress"
  security_group_id        = aws_security_group.app_sg.id
  protocol                 = "tcp"
  from_port                = 3306
  to_port                  = 3306
  source_security_group_id = aws_security_group.db_sg.id
}
# opmng security group
# Security group for the operation/management host (bastion-style role).
# This is the SG that accepts SSH, so its ingress rules deserve the most
# scrutiny; see opmng_in_ssh / opmng_in_tcp3000 below.
resource "aws_security_group" "opmng_sg" {
  vpc_id      = aws_vpc.vpc.id
  name        = format("%s-%s-opmng-sg", var.project, var.environment)
  description = "operation and management role security group"

  tags = {
    Name    = format("%s-%s-opmng-sg", var.project, var.environment)
    Project = var.project
    Env     = var.environment
  }
}
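# Source ranges allowed to reach the operation/management host on tcp/22 and
# tcp/3000. The original rules used 0.0.0.0/0, which exposes SSH (and the app
# port) on a host in a public subnet with auto-assigned public IPs to the
# whole internet. There is deliberately no default: the stack must be told an
# office/VPN egress range or bastion CIDR (e.g. in terraform.tfvars) and will
# refuse to plan otherwise, rather than silently falling back to world-open.
# The validation block requires Terraform >= 0.13.
variable "opmng_allowed_cidrs" {
  description = "CIDR blocks permitted to reach opmng_sg on tcp/22 (SSH) and tcp/3000"
  type        = list(string)

  validation {
    # Fail closed: an empty list would create a rule with no sources (provider
    # error) and 0.0.0.0/0 would reintroduce world-open SSH.
    condition     = length(var.opmng_allowed_cidrs) > 0 && !contains(var.opmng_allowed_cidrs, "0.0.0.0/0")
    error_message = "opmng_allowed_cidrs must contain at least one CIDR and must not contain 0.0.0.0/0."
  }
}

# SSH into the management host from the administrative ranges only.
# Prefer SSM Session Manager or a VPN if available; if SSH must stay, key
# auth only and keep this list as small as possible.
resource "aws_security_group_rule" "opmng_in_ssh" {
  type              = "ingress"
  description       = "SSH from administrative networks only"
  security_group_id = aws_security_group.opmng_sg.id
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = var.opmng_allowed_cidrs
}

# tcp/3000 (the application port) on the management host, presumably for
# operators to test the app directly. Same source restriction as SSH; if this
# access is not actually needed, delete the rule rather than widening it.
resource "aws_security_group_rule" "opmng_in_tcp3000" {
  type              = "ingress"
  description       = "Application port from administrative networks only"
  security_group_id = aws_security_group.opmng_sg.id
  protocol          = "tcp"
  from_port         = 3000
  to_port           = 3000
  cidr_blocks       = var.opmng_allowed_cidrs
}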
# Unrestricted HTTP egress from the management host (package repositories,
# etc.). Acceptable for an ops box; the other tiers are kept tighter.
resource "aws_security_group_rule" "opmng_out_http" {
  type              = "egress"
  security_group_id = aws_security_group.opmng_sg.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["0.0.0.0/0"]
}
# Unrestricted HTTPS egress from the management host. Note there is no egress
# rule from opmng_sg to app_sg or db_sg, so the ops host cannot reach the
# internal tiers through this SG as written — confirm that is intended.
resource "aws_security_group_rule" "opmng_out_https" {
  type              = "egress"
  security_group_id = aws_security_group.opmng_sg.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}
# db security group
# Security group for the database tier. The only rule attached in this file
# is tcp/3306 ingress from app_sg; there is no egress rule at all, so the DB
# host cannot initiate connections anywhere (Terraform removes the default
# allow-all egress). That is a reasonable posture for a database.
resource "aws_security_group" "db_sg" {
  vpc_id      = aws_vpc.vpc.id
  name        = format("%s-%s-db-sg", var.project, var.environment)
  description = "database role security group"

  tags = {
    Name    = format("%s-%s-db-sg", var.project, var.environment)
    Project = var.project
    Env     = var.environment
  }
}
# MySQL reachable only from members of app_sg. Mirror of app_out_tcp3306.
# Note that opmng_sg is not allowed here; database maintenance would have to
# go through an app host or a separately added rule.
resource "aws_security_group_rule" "db_in_tcp3306" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db_sg.id
  protocol                 = "tcp"
  from_port                = 3306
  to_port                  = 3306
  source_security_group_id = aws_security_group.app_sg.id
}