Background and purpose
These are my notes from creating network-related resources with Terraform.
Summary

| Category | Purpose |
|---|---|
| NW | Create a VPC |
| | Create a subnet |
| | Create multiple subnets |
| | Create an IGW |
| | Create an EIP |
| | Create a NAT GW |
| | Create a route table |
| S3 | Create a bucket |
| | Create a bucket policy |
| | Create a VPCe |
| General | Clean up |
| | Delete using a plan file |
Hands-on
VPC
- Define a variable for the CIDR:

```hcl
variable "vpc_cidr" {
  description = "vpc cidr"
  type        = string
  default     = "100.0.0.0/16"
}
```

- Create the VPC:

```hcl
resource "aws_vpc" "terraform_vpc" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name = "terraform_vpc"
  }
}
```

- Run `terraform apply`.
Subnet
- Create a subnet:

```hcl
### Subnet
resource "aws_subnet" "webSubnet01" {
  vpc_id            = aws_vpc.terraform_vpc.id
  cidr_block        = "100.0.0.0/24"
  availability_zone = "ap-northeast-1a"
  tags = {
    Name = "webSubnet01"
  }
}
```

- Run `terraform apply`.
- It was created.
Multiple subnets
- Define the variable (a map of three tiers, each holding the name, CIDR and AZ of its subnets):

```hcl
variable "subnets" {
  type = map(any)
  default = {
    public_subnets = {
      public01 = { name = "public01", cidr = "100.0.0.0/24", az = "ap-northeast-1a" },
      public02 = { name = "public02", cidr = "100.0.1.0/24", az = "ap-northeast-1c" },
      public03 = { name = "public03", cidr = "100.0.2.0/24", az = "ap-northeast-1d" },
    }
    private_subnets = {
      private01 = { name = "private01", cidr = "100.0.10.0/24", az = "ap-northeast-1a" },
      private02 = { name = "private02", cidr = "100.0.11.0/24", az = "ap-northeast-1c" },
      private03 = { name = "private03", cidr = "100.0.12.0/24", az = "ap-northeast-1d" },
    }
    db_subnets = {
      db01 = { name = "db01", cidr = "100.0.20.0/24", az = "ap-northeast-1a" },
      db02 = { name = "db02", cidr = "100.0.21.0/24", az = "ap-northeast-1c" },
      db03 = { name = "db03", cidr = "100.0.22.0/24", az = "ap-northeast-1d" },
    }
  }
}
```

- Create the subnets (one `for_each` resource per tier):

```hcl
resource "aws_subnet" "public_subnets" {
  for_each          = var.subnets.public_subnets
  vpc_id            = aws_vpc.terraform_vpc.id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  tags = {
    Name = "${each.value.name}"
  }
}

resource "aws_subnet" "private_subnets" {
  for_each          = var.subnets.private_subnets
  vpc_id            = aws_vpc.terraform_vpc.id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  tags = {
    Name = "${each.value.name}"
  }
}

resource "aws_subnet" "db_subnets" {
  for_each          = var.subnets.db_subnets
  vpc_id            = aws_vpc.terraform_vpc.id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  tags = {
    Name = "${each.value.name}"
  }
}
```

- Run `terraform apply`.
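A pre-apply check for the layout held in the `subnets` variable, as an added example (Python) that is not part of the original notes: it verifies that every subnet CIDR lies inside `vpc_cidr`, that no two subnets across the public/private/db tiers overlap, and that each AZ belongs to the region the notes use (ap-northeast-1). `VPC_CIDR` and `SUBNETS` restate the variable values above; `validate_subnets` is a hypothetical name.

```python
import ipaddress

REGION = "ap-northeast-1"  # region used in the notes (see the VPCe service_name)
VPC_CIDR = "100.0.0.0/16"   # same value as the vpc_cidr variable
# Same content as the subnets variable, restated as Python literals
SUBNETS = {
    "public_subnets": {
        "public01": {"name": "public01", "cidr": "100.0.0.0/24", "az": "ap-northeast-1a"},
        "public02": {"name": "public02", "cidr": "100.0.1.0/24", "az": "ap-northeast-1c"},
        "public03": {"name": "public03", "cidr": "100.0.2.0/24", "az": "ap-northeast-1d"},
    },
    "private_subnets": {
        "private01": {"name": "private01", "cidr": "100.0.10.0/24", "az": "ap-northeast-1a"},
        "private02": {"name": "private02", "cidr": "100.0.11.0/24", "az": "ap-northeast-1c"},
        "private03": {"name": "private03", "cidr": "100.0.12.0/24", "az": "ap-northeast-1d"},
    },
    "db_subnets": {
        "db01": {"name": "db01", "cidr": "100.0.20.0/24", "az": "ap-northeast-1a"},
        "db02": {"name": "db02", "cidr": "100.0.21.0/24", "az": "ap-northeast-1c"},
        "db03": {"name": "db03", "cidr": "100.0.22.0/24", "az": "ap-northeast-1d"},
    },
}


def validate_subnets(vpc_cidr, subnets, region=REGION):
    """Return a list of problems; an empty list means the layout is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    seen = []  # (label, network) pairs already accepted, used for overlap checks
    for tier, members in subnets.items():
        for key, spec in members.items():
            label = f"{tier}.{key}"
            try:
                net = ipaddress.ip_network(spec["cidr"])
            except ValueError:
                problems.append(f"{label}: invalid CIDR {spec['cidr']!r}")
                continue
            # Every subnet must be carved out of the VPC's own address space
            if net.version != vpc.version or not net.subnet_of(vpc):
                problems.append(f"{label}: {net} is outside VPC {vpc}")
            # AZ names embed the region; catch a subnet placed in the wrong region
            if not spec["az"].startswith(region):
                problems.append(f"{label}: AZ {spec['az']} is not in {region}")
            # Overlapping subnets are rejected by AWS, so flag them before apply
            for other_label, other in seen:
                if net.version == other.version and net.overlaps(other):
                    problems.append(f"{label}: {net} overlaps {other_label} ({other})")
            seen.append((label, net))
    return problems
```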
Internet gateway
- Create the IGW:

```hcl
resource "aws_internet_gateway" "terraform_igw" {
  vpc_id = aws_vpc.terraform_vpc.id
  tags = {
    Name = "terraform-igw"
  }
}
```

- Run `terraform apply`.
- It was created.
EIP and NAT Gateway
- Create the EIP and the NAT gateway (the NAT gateway is placed in the public01 subnet):

```hcl
# Elastic IP
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip
resource "aws_eip" "nat_eip" {
  domain = "vpc"
  tags = {
    Name = "nat-eip"
  }
}

# NAT Gateway
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway
resource "aws_nat_gateway" "nat_gateway" {
  allocation_id = aws_eip.nat_eip.id
  subnet_id     = aws_subnet.public_subnets["public01"].id
  tags = {
    Name = "nat-gateway"
  }
}
```

- Run `terraform apply`.
- It was created.
Route tables
- Create the route tables: the public tables default-route to the IGW, the private tables default-route to the NAT gateway, and the db tables get no default route at all.

```hcl
# Public Subnet Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
resource "aws_route_table" "public_route_table" {
  for_each = var.subnets.public_subnets
  vpc_id   = aws_vpc.terraform_vpc.id
  tags = {
    Name = "public-route-table-${each.key}"
  }
}

# Public Subnet Route
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route
resource "aws_route" "public_route" {
  for_each               = var.subnets.public_subnets
  route_table_id         = aws_route_table.public_route_table[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.terraform_igw.id
}

# Associate Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
resource "aws_route_table_association" "public_route_table_association" {
  for_each = var.subnets.public_subnets
  # subnet_id = aws_subnet.public_subnets["public01"].id
  subnet_id      = aws_subnet.public_subnets[each.key].id
  route_table_id = aws_route_table.public_route_table[each.key].id
}

# Private Subnet Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
resource "aws_route_table" "private_route_table" {
  for_each = var.subnets.private_subnets
  vpc_id   = aws_vpc.terraform_vpc.id
  tags = {
    Name = "private-route-table-${each.key}"
  }
}

# Private Subnet Route
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route
resource "aws_route" "private_route" {
  for_each               = var.subnets.private_subnets
  route_table_id         = aws_route_table.private_route_table[each.key].id
  nat_gateway_id         = aws_nat_gateway.nat_gateway.id
  destination_cidr_block = "0.0.0.0/0"
}

# Associate Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
resource "aws_route_table_association" "private_route_table_association" {
  for_each       = var.subnets.private_subnets
  subnet_id      = aws_subnet.private_subnets[each.key].id
  route_table_id = aws_route_table.private_route_table[each.key].id
}

# DB Subnet Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
resource "aws_route_table" "db_route_table" {
  for_each = var.subnets.db_subnets
  vpc_id   = aws_vpc.terraform_vpc.id
  tags = {
    Name = "db-route-table-${each.key}"
  }
}

# Associate Route Table
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
resource "aws_route_table_association" "db_route_table_association01" {
  for_each       = var.subnets.db_subnets
  subnet_id      = aws_subnet.db_subnets[each.key].id
  route_table_id = aws_route_table.db_route_table[each.key].id
}
```

- Run `terraform apply`.
- It was created.
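An added example (Python, not from the original notes) that checks the routing intent of the tables above against `terraform show -json` output: only the public tier may carry a 0.0.0.0/0 route through the internet gateway, and the db tier should have no default route at all. `STATE_JSON` is a constructed excerpt in the shape of that output using the resource names from the notes, with the private route table deliberately given an IGW default route so the check produces a finding; `find_exposed_routes` and the resource IDs are assumptions.

```python
import json

# Constructed excerpt in the shape of `terraform show -json` output; resource IDs are made up.
# The private route table has been given an IGW default route on purpose so the check reports it.
STATE_JSON = """{"format_version": "1.0", "values": {"root_module": {"resources": [
 {"type": "aws_subnet", "name": "public_subnets", "values": {"id": "subnet-pub01", "tags": {"Name": "public01"}}},
 {"type": "aws_subnet", "name": "private_subnets", "values": {"id": "subnet-priv01", "tags": {"Name": "private01"}}},
 {"type": "aws_subnet", "name": "db_subnets", "values": {"id": "subnet-db01", "tags": {"Name": "db01"}}},
 {"type": "aws_route_table_association", "name": "public_route_table_association",
  "values": {"subnet_id": "subnet-pub01", "route_table_id": "rtb-pub01"}},
 {"type": "aws_route_table_association", "name": "private_route_table_association",
  "values": {"subnet_id": "subnet-priv01", "route_table_id": "rtb-priv01"}},
 {"type": "aws_route_table_association", "name": "db_route_table_association01",
  "values": {"subnet_id": "subnet-db01", "route_table_id": "rtb-db01"}},
 {"type": "aws_route", "name": "public_route", "values": {"route_table_id": "rtb-pub01",
  "destination_cidr_block": "0.0.0.0/0", "gateway_id": "igw-0abc", "nat_gateway_id": ""}},
 {"type": "aws_route", "name": "private_route", "values": {"route_table_id": "rtb-priv01",
  "destination_cidr_block": "0.0.0.0/0", "gateway_id": "igw-0abc", "nat_gateway_id": ""}}
]}}}"""
# Intended design from the notes: only public subnets may default-route to the IGW,
# private subnets egress through the NAT gateway, db subnets have no default route.
PUBLIC_TIER = "public_subnets"
DB_TIER = "db_subnets"


def find_exposed_routes(state_json):
    """Return findings for default routes that contradict the tier design."""
    resources = json.loads(state_json)["values"]["root_module"]["resources"]
    # subnet id -> tier, taken from the aws_subnet resource name (public_subnets, ...)
    tier_of_subnet = {r["values"]["id"]: r["name"] for r in resources if r["type"] == "aws_subnet"}
    tiers_of_rtb = {}  # route table id -> set of tiers whose subnets are associated with it
    for r in resources:
        if r["type"] == "aws_route_table_association":
            v = r["values"]
            tier = tier_of_subnet.get(v["subnet_id"], "unknown")
            tiers_of_rtb.setdefault(v["route_table_id"], set()).add(tier)
    findings = []
    for r in resources:
        if r["type"] != "aws_route":
            continue
        v = r["values"]
        if v.get("destination_cidr_block") != "0.0.0.0/0":
            continue  # only default routes matter for internet exposure
        for tier in sorted(tiers_of_rtb.get(v["route_table_id"], {"unassociated"})):
            if v.get("gateway_id") and tier != PUBLIC_TIER:
                findings.append(f"{v['route_table_id']}: IGW default route reaches {tier}")
            elif tier == DB_TIER:
                findings.append(f"{v['route_table_id']}: db tier should have no default route")
    return findings
```

Run it against the real output of `terraform show -json` after apply to confirm that only the public route tables reach the IGW.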
S3 Bucket
Bucket
- Create the S3 bucket (the account ID is appended so the bucket name is globally unique):

```hcl
# Caller identity used for the account ID in the bucket name below
# (not shown in the original notes, but required for the reference to resolve)
data "aws_caller_identity" "this" {}

# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
resource "aws_s3_bucket" "terraform_demo" {
  bucket = "terraform-demo-${data.aws_caller_identity.this.account_id}"
}
```

- Run `terraform apply`.
- It was created.
Bucket policy
- Create the S3 bucket policy (this one denies every request to the bucket or its objects that does not use TLS):

```hcl
resource "aws_s3_bucket_policy" "terraform_demo" {
  bucket = aws_s3_bucket.terraform_demo.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowSSLRequestsOnly"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.terraform_demo.arn,
          "${aws_s3_bucket.terraform_demo.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      }
    ]
  })
}
```

- Run `terraform apply`.
- It was created.
VPCe (S3 Gateway)
- Create the VPC endpoint (one gateway endpoint per private route table, so private subnets reach S3 without the NAT gateway):

```hcl
# VPCe for S3
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint
## VPC endpoint
resource "aws_vpc_endpoint" "s3Endpoint" {
  for_each          = var.subnets.private_subnets
  vpc_id            = aws_vpc.terraform_vpc.id
  service_name      = "com.amazonaws.ap-northeast-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private_route_table[each.key].id]
}
```

- Run `terraform apply`.
- It was created.
Cleanup
- Finally, run `terraform destroy`.
- Everything was removed:

```
Destroy complete! Resources: 38 destroyed.
```
Delete using a plan file
- Log in with SSO:

```sh
aws sso login --profile <profile-name>
```

- Set the profile in an environment variable:

```sh
export AWS_PROFILE=<profile-name>
```

- Run `terraform init`:

```sh
terraform init
```

- Produce the destroy plan and save it to a file:

```sh
terraform plan -destroy -out=tfplan
```

- Apply the saved plan file to delete the resources:

```sh
terraform apply "tfplan"
```
Discussion
This time I built a network with Terraform. Next I will go on to create other resources.
References