TerraformでAWSのネットワーク設定

2020-10-17
2020-10-18

AWSコンソールでポチポチ作ったものをimportしてstate showしてコピペしてきて作ったもの。

タグのうまいつけ方がよく分からない。

Terraformのバージョンは0.13.4

VPCとサブネットのIPアドレスレンジ

workspaceを使ってproductionとstagingのアドレスを定義。

locals {
  cidr_blocks = {
    production = {
      vpc = "10.1.0.0/16"
      public_a = "10.1.1.0/24"
      private_a = "10.1.2.0/24"
      private_c = "10.1.3.0/24"
    }
    staging = {
      vpc = "10.2.0.0/16"
      public_a = "10.2.1.0/24"
      private_a = "10.2.2.0/24"
      private_c = "10.2.3.0/24"
    }
  }
}

VPCの作成

resource "aws_vpc" "brassworks-vpc" {
    cidr_block                       = local.cidr_blocks[terraform.workspace]["vpc"]
    enable_dns_support               = true
    enable_dns_hostnames             = true

    tags                             = {
        "Name" = "brassworks"
    }
}

サブネットの作成

ウェブ用のパブリックサブネットとRDS/Aurora用の2つのプライベートサブネットを作っている。
for_eachを使えばもっとすっきり書ける。

resource "aws_subnet" "public-a" {
    vpc_id                          = aws_vpc.brassworks-vpc.id
    availability_zone               = "ap-northeast-1a"
    cidr_block                      = local.cidr_blocks[terraform.workspace]["public_a"]

    tags                            = {
        "Name" = "brassworks"
    }
}

resource "aws_subnet" "private-a" {
    vpc_id                          = aws_vpc.brassworks-vpc.id
    availability_zone               = "ap-northeast-1a"
    cidr_block                      = local.cidr_blocks[terraform.workspace]["private_a"]

    tags                            = {
        "Name" = "brassworks"
    }
}

resource "aws_subnet" "private-c" {
    vpc_id                          = aws_vpc.brassworks-vpc.id
    availability_zone               = "ap-northeast-1c"
    cidr_block                      = local.cidr_blocks[terraform.workspace]["private_c"]

    tags                            = {
        "Name" = "brassworks"
    }
}

DBサブネットグループ RDS/Aurora用

resource "aws_db_subnet_group" "rds-subnet" {
  name       = "rds-brassworks-subnet"
  subnet_ids = [aws_subnet.private-a.id, aws_subnet.private-c.id]

  tags = {
    Name = "brassworks"
  }
}

Internet Gateway

resource "aws_internet_gateway" "gw" {
    vpc_id = aws_vpc.brassworks-vpc.id
    tags = {
        "Name" = "brassworks"
    }
}

ルートテーブル

サブネットからインターネットへアクセスするためのルートテーブル

resource "aws_route_table" "public" {
    vpc_id = aws_vpc.brassworks-vpc.id
    route = [
      {
        cidr_block = "0.0.0.0/0"
        gateway_id = aws_internet_gateway.gw.id
        egress_only_gateway_id    = ""
        instance_id               = ""
        ipv6_cidr_block           = ""
        nat_gateway_id            = ""
        network_interface_id      = ""
        transit_gateway_id        = ""
        vpc_peering_connection_id = ""
      }
    ]
    tags = {
        "Name" = "brassworks"
    }
}

サブネットとルートテーブルの関連付け

resource "aws_route_table_association" "public-a" {
    subnet_id = aws_subnet.public-a.id
    route_table_id = aws_route_table.public.id
}

セキュリティグループの作成

ウェブサーバー用

aws_security_group_ruleはfor_eachで作った方がいい件。
外からはssh、http、httpsを許可して、内から外へはすべての通信を許可。

resource "aws_security_group" "web" {
    description = "for web"
    name        = "for web"
    vpc_id = aws_vpc.brassworks-vpc.id
}

resource "aws_security_group_rule" "web" {
    cidr_blocks       = [
        "0.0.0.0/0",
    ]
    from_port         = 80
    ipv6_cidr_blocks  = []
    prefix_list_ids   = []
    protocol          = "tcp"
    security_group_id = aws_security_group.web.id
    self              = false
    to_port           = 80
    type              = "ingress"
}

resource "aws_security_group_rule" "web-1" {
    cidr_blocks       = [
        "0.0.0.0/0",
    ]
    from_port         = 22
    ipv6_cidr_blocks  = []
    prefix_list_ids   = []
    protocol          = "tcp"
    security_group_id = aws_security_group.web.id
    self              = false
    to_port           = 22
    type              = "ingress"
}

resource "aws_security_group_rule" "web-2" {
    cidr_blocks       = [
        "0.0.0.0/0",
    ]
    from_port         = 0
    ipv6_cidr_blocks  = []
    prefix_list_ids   = []
    protocol          = "-1"
    security_group_id = aws_security_group.web.id
    self              = false
    to_port           = 0
    type              = "egress"
}

resource "aws_security_group_rule" "web-3" {
    cidr_blocks       = [
        "0.0.0.0/0",
    ]
    from_port         = 443
    ipv6_cidr_blocks  = []
    prefix_list_ids   = []
    protocol          = "tcp"
    security_group_id = aws_security_group.web.id
    self              = false
    to_port           = 443
    type              = "ingress"
}

RDS用

外からはウェブサーバーからのMySQLのみを許可して、内から外へはすべての通信を許可。

resource "aws_security_group" "rds" {
  description = "RDS for brassworks"
  name        = "rds-brassworks"
  vpc_id = aws_vpc.brassworks-vpc.id
}

resource "aws_security_group_rule" "rds" {
    from_port         = 3306
    ipv6_cidr_blocks  = []
    prefix_list_ids   = []
    protocol          = "tcp"
    security_group_id = aws_security_group.rds.id
    source_security_group_id  = aws_security_group.web.id
    to_port           = 3306
    type              = "ingress"
}

resource "aws_security_group_rule" "rds-1" {
    cidr_blocks       = [
        "0.0.0.0/0",
    ]
    from_port         = 0
    ipv6_cidr_blocks  = []
    prefix_list_ids   = []
    protocol          = "-1"
    security_group_id = aws_security_group.rds.id
    self              = false
    to_port           = 0
    type              = "egress"
}

Profile

フルスタック気味のフリーランスプログラマー。

どちらかと言うと得意はインフラ構築とサーバーサイドプログラミングですが、フロントエンドもぼちぼちやっています。

最近の興味範囲はWordPress、AWS、サーバーレス、UIデザイン。

愛車はセロー。カメラはペンタックス。旅好きです。横浜在住。