背景・目的

TerraformでNW関係のリソースを作成したときのメモです。

まとめ

分類	目的
NW	VPCを作成する
	サブネットを作成する
	複数サブネットを作成する
	IGWを作成する
	EIPを作成する
	NATGWを作成する
	ルートテーブルを作成する
S3	バケットを作成する
	バケットポリシーを作成する
	VPCeを作成する
全般	掃除する

実践

VPC

CIDRの変数を定義します

variable "vpc_cidr" {
  description = "vpc cidr"
  type        = string
  default     = "100.0.0.0/16"
}

VPCを作成します

resource "aws_vpc" "terraform_vpc" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name = "terraform_vpc"
  }
}

terraform applyします
できました。AZ毎に作っていますが、一つでも問題ありません

サブネット

サブネットを作成します

### サブネット
resource "aws_subnet" "webSubnet01" {
  vpc_id = aws_vpc.terraform_vpc.id
  cidr_block = "100.0.0.0/24"
  availability_zone = "ap-northeast-1a"
  tags = {
    Name = "webSubnet01"
  }
}

terraform applyします
できました

複数サブネット

変数を定義します

variable "subnets" {
  type = map(any)
  default = {
    public_subnets = {
      public01 = {
        name = "public01",
        cidr = "100.0.0.0/24",
        az   = "ap-northeast-1a"
      },
      public02 = {
        name = "public02",
        cidr = "100.0.1.0/24",
        az   = "ap-northeast-1c"
      },
      public03 = {
        name = "public03",
        cidr = "100.0.2.0/24",
        az   = "ap-northeast-1d"
      },
    }
    private_subnets = {
      private01 = {
        name = "private01",
        cidr = "100.0.10.0/24",
        az   = "ap-northeast-1a"
      },
      private02 = {
        name = "private02",
        cidr = "100.0.11.0/24",
        az   = "ap-northeast-1c"
      },
      private03 = {
        name = "private03",
        cidr = "100.0.12.0/24",
        az   = "ap-northeast-1d"
      },
    },
    db_subnets = {
      db01 = {
        name = "db01",
        cidr = "100.0.20.0/24",
        az   = "ap-northeast-1a"
      },
      db02 = {
        name = "db02",
        cidr = "100.0.21.0/24",
        az   = "ap-northeast-1c"
      },
      db03 = {
        name = "db03",
        cidr = "100.0.22.0/24",
        az   = "ap-northeast-1d"
      },
    }
  }
}

サブネットを作成します

resource "aws_subnet" "public_subnets" {
  for_each = var.subnets.public_subnets

  vpc_id = aws_vpc.terraform_vpc.id

  cidr_block        = each.value.cidr
  availability_zone = each.value.az

  tags = {
    Name = "${each.value.name}"
  }
}

resource "aws_subnet" "private_subnets" {
  for_each = var.subnets.private_subnets

  vpc_id = aws_vpc.terraform_vpc.id

  cidr_block        = each.value.cidr
  availability_zone = each.value.az

  tags = {
    Name = "${each.value.name}"
  }
}

resource "aws_subnet" "db_subnets" {
  for_each = var.subnets.db_subnets

  vpc_id = aws_vpc.terraform_vpc.id

  cidr_block        = each.value.cidr
  availability_zone = each.value.az

  tags = {
    Name = "${each.value.name}"
  }
}

terraform applyします
できました

インターネットゲートウェイ

IGWを作成します

resource "aws_internet_gateway" "terraform_igw" {
  vpc_id = aws_vpc.terraform_vpc.id

  tags = {
    Name = "terraform-igw"
  }

}

terraform applyします
できました

EIPとNat Gateway

EIPとNATを作成します

# Elastic IP
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip
resource "aws_eip" "nat_eip" {
  domain = "vpc"
  
  tags = {
    Name = "nat-eip"
  }

}

# NAT Gateway
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway
resource "aws_nat_gateway" "nat_gateway" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = aws_subnet.public_subnets["public01"].id

  tags = {
    Name = "nat-gateway"
  }
  
}

terraform applyします
できました

ルートテーブル

ルートテーブルを作成します


# Public Subnet Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
resource "aws_route_table" "public_route_table" {
  for_each = var.subnets.public_subnets
  vpc_id   = aws_vpc.terraform_vpc.id

  tags = {
    Name = "public-route-table-${each.key}"
  }
}

# Public Subnet Route
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route
resource "aws_route" "public_route" {
  for_each               = var.subnets.public_subnets
  route_table_id         = aws_route_table.public_route_table[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.terraform_igw.id

}

# Associate Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
resource "aws_route_table_association" "public_route_table_association" {
  for_each = var.subnets.public_subnets

  # subnet_id      = aws_subnet.public_subnets["public01"].id
  subnet_id      = aws_subnet.public_subnets[each.key].id
  route_table_id = aws_route_table.public_route_table[each.key].id
}

# Private Subnet Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
resource "aws_route_table" "private_route_table" {
  for_each = var.subnets.private_subnets
  vpc_id   = aws_vpc.terraform_vpc.id

  tags = {
    Name = "private-route-table-${each.key}"
  }
}

# Private Subnet Route
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route
resource "aws_route" "private_route" {
  for_each               = var.subnets.private_subnets
  route_table_id         = aws_route_table.private_route_table[each.key].id
  nat_gateway_id         = aws_nat_gateway.nat_gateway.id
  destination_cidr_block = "0.0.0.0/0"
}

# Associate Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
resource "aws_route_table_association" "private_route_table_association" {
  for_each = var.subnets.private_subnets

  subnet_id      = aws_subnet.private_subnets[each.key].id
  route_table_id = aws_route_table.private_route_table[each.key].id

}

# DB Subnet Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
resource "aws_route_table" "db_route_table" {
  for_each = var.subnets.db_subnets
  vpc_id   = aws_vpc.terraform_vpc.id

  tags = {
    Name = "db-route-table-${each.key}"
  }
}

# Associate Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
resource "aws_route_table_association" "db_route_table_association01" {
  for_each = var.subnets.db_subnets

  subnet_id      = aws_subnet.db_subnets[each.key].id
  route_table_id = aws_route_table.db_route_table[each.key].id
}

terraform applyします
できました

S3 Bucket

バケット

S3バケットを作成します

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
resource "aws_s3_bucket" "terraform_demo" {
  bucket = "terraform-demo-${data.aws_caller_identity.this.account_id}"
}

terraform applyします
できました

バケットポリシー

S3バケットポリシーを作成します

resource "aws_s3_bucket_policy" "terraform_demo" {
  bucket = aws_s3_bucket.terraform_demo.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowSSLRequestsOnly"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.terraform_demo.arn,
          "${aws_s3_bucket.terraform_demo.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      }
    ]
  })
}

terraform applyします
作成されました

VPCe(S3 Gateway)

VPCeを作成します

# VPCe for S3
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint
## VPCエンドポイント
resource "aws_vpc_endpoint" "s3Endpoint" {
  for_each          = var.subnets.private_subnets
  vpc_id            = aws_vpc.terraform_vpc.id
  service_name      = "com.amazonaws.ap-northeast-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private_route_table[each.key].id]
}

terraform applyします
作成されました

掃除

最後にterraform destroyします

消えました

Destroy complete! Resources: 38 destroyed.

考察

今回は、Terraformでネットワークを作成してみました。今後は他のリソースも作成していきます。

Terraformのメモ