Configuring AWS networking with Terraform
Built by clicking things together in the AWS console, then running terraform import, terraform state show, and copying the output into these files.
I don't really know a good way to assign tags.
Terraform version: 0.13.4
VPC and subnet IP address ranges
Workspaces are used to define the production and staging address ranges.
locals {
  cidr_blocks = {
    production = {
      vpc       = "10.1.0.0/16"
      public_a  = "10.1.1.0/24"
      private_a = "10.1.2.0/24"
      private_c = "10.1.3.0/24"
    }
    staging = {
      vpc       = "10.2.0.0/16"
      public_a  = "10.2.1.0/24"
      private_a = "10.2.2.0/24"
      private_c = "10.2.3.0/24"
    }
  }
}
Creating the VPC
resource "aws_vpc" "brassworks-vpc" {
  # the workspace name (production / staging) selects the address range
  cidr_block           = local.cidr_blocks[terraform.workspace]["vpc"]
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    "Name" = "brassworks"
  }
}
Creating the subnets
One public subnet for the web tier and two private subnets for RDS/Aurora.
This could be written more concisely with for_each.
resource "aws_subnet" "public-a" {
  vpc_id            = aws_vpc.brassworks-vpc.id
  availability_zone = "ap-northeast-1a"
  cidr_block        = local.cidr_blocks[terraform.workspace]["public_a"]
  tags = {
    "Name" = "brassworks"
  }
}
resource "aws_subnet" "private-a" {
  vpc_id            = aws_vpc.brassworks-vpc.id
  availability_zone = "ap-northeast-1a"
  cidr_block        = local.cidr_blocks[terraform.workspace]["private_a"]
  tags = {
    "Name" = "brassworks"
  }
}
resource "aws_subnet" "private-c" {
  vpc_id            = aws_vpc.brassworks-vpc.id
  availability_zone = "ap-northeast-1c"
  cidr_block        = local.cidr_blocks[terraform.workspace]["private_c"]
  tags = {
    "Name" = "brassworks"
  }
}
DB subnet group for RDS/Aurora
resource "aws_db_subnet_group" "rds-subnet" {
  name       = "rds-brassworks-subnet"
  # both private subnets, in two AZs, so RDS can be deployed Multi-AZ
  subnet_ids = [aws_subnet.private-a.id, aws_subnet.private-c.id]
  tags = {
    Name = "brassworks"
  }
}
Internet Gateway
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.brassworks-vpc.id
  tags = {
    "Name" = "brassworks"
  }
}
Route table
Route table that lets the public subnet reach the internet
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.brassworks-vpc.id
  # attribute-style route list as emitted by "terraform state show";
  # in this form every route attribute has to be given, hence the empty strings
  route = [
    {
      cidr_block                = "0.0.0.0/0"
      gateway_id                = aws_internet_gateway.gw.id
      egress_only_gateway_id    = ""
      instance_id               = ""
      ipv6_cidr_block           = ""
      nat_gateway_id            = ""
      network_interface_id      = ""
      transit_gateway_id        = ""
      vpc_peering_connection_id = ""
    }
  ]
  tags = {
    "Name" = "brassworks"
  }
}
Associating the subnet with the route table
resource "aws_route_table_association" "public-a" {
  subnet_id      = aws_subnet.public-a.id
  route_table_id = aws_route_table.public.id
}
Creating the security groups
For the web server
aws_security_group_rule should really be created with for_each.
Inbound allows ssh, http and https from anywhere; outbound allows all traffic.
resource "aws_security_group" "web" {
  description = "for web"
  name        = "for web"
  vpc_id      = aws_vpc.brassworks-vpc.id
}
# http from anywhere
resource "aws_security_group_rule" "web" {
  cidr_blocks = [
    "0.0.0.0/0",
  ]
  from_port         = 80
  ipv6_cidr_blocks  = []
  prefix_list_ids   = []
  protocol          = "tcp"
  security_group_id = aws_security_group.web.id
  self              = false
  to_port           = 80
  type              = "ingress"
}
# ssh from anywhere
resource "aws_security_group_rule" "web-1" {
  cidr_blocks = [
    "0.0.0.0/0",
  ]
  from_port         = 22
  ipv6_cidr_blocks  = []
  prefix_list_ids   = []
  protocol          = "tcp"
  security_group_id = aws_security_group.web.id
  self              = false
  to_port           = 22
  type              = "ingress"
}
# all outbound traffic
resource "aws_security_group_rule" "web-2" {
  cidr_blocks = [
    "0.0.0.0/0",
  ]
  from_port         = 0
  ipv6_cidr_blocks  = []
  prefix_list_ids   = []
  protocol          = "-1"
  security_group_id = aws_security_group.web.id
  self              = false
  to_port           = 0
  type              = "egress"
}
# https from anywhere
resource "aws_security_group_rule" "web-3" {
  cidr_blocks = [
    "0.0.0.0/0",
  ]
  from_port         = 443
  ipv6_cidr_blocks  = []
  prefix_list_ids   = []
  protocol          = "tcp"
  security_group_id = aws_security_group.web.id
  self              = false
  to_port           = 443
  type              = "ingress"
}
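The same web rules expressed with for_each, as an added example rather than code from the original post: each rule becomes one entry in a map, so adding or narrowing a port is a one-line change instead of another copy-pasted resource. It reuses aws_security_group.web and aws_vpc.brassworks-vpc from above and assumes a hypothetical variable admin_cidr for the source range allowed to reach ssh, so that ssh is not opened to 0.0.0.0/0.

```hcl
# Added example, not part of the original post.
# Assumes aws_security_group.web from the post already exists in this module.
variable "admin_cidr" {
  type        = string
  description = "Assumed: source range allowed to reach ssh (e.g. a VPN or office egress address)"
}

locals {
  # one entry per ingress rule: port and the allowed source ranges
  web_ingress = {
    http  = { port = 80, cidr = ["0.0.0.0/0"] }
    https = { port = 443, cidr = ["0.0.0.0/0"] }
    ssh   = { port = 22, cidr = [var.admin_cidr] } # narrowed instead of world-open
  }
}

# one aws_security_group_rule per map key, e.g. aws_security_group_rule.web_ingress["ssh"]
resource "aws_security_group_rule" "web_ingress" {
  for_each = local.web_ingress

  type              = "ingress"
  security_group_id = aws_security_group.web.id
  protocol          = "tcp"
  from_port         = each.value.port
  to_port           = each.value.port
  cidr_blocks       = each.value.cidr
  description       = "allow ${each.key}"
}

# unchanged from the post: all outbound traffic allowed
resource "aws_security_group_rule" "web_egress" {
  type              = "egress"
  security_group_id = aws_security_group.web.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}
```

When switching existing resources to this form, move them in state first (for example terraform state mv aws_security_group_rule.web 'aws_security_group_rule.web_ingress["http"]'); otherwise the plan will destroy and recreate every rule.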
For RDS
Inbound allows only MySQL from the web server's security group; outbound allows all traffic.
resource "aws_security_group" "rds" {
  description = "RDS for brassworks"
  name        = "rds-brassworks"
  vpc_id      = aws_vpc.brassworks-vpc.id
}
# MySQL, sourced from the web security group rather than a CIDR range
resource "aws_security_group_rule" "rds" {
  from_port                = 3306
  ipv6_cidr_blocks         = []
  prefix_list_ids          = []
  protocol                 = "tcp"
  security_group_id        = aws_security_group.rds.id
  source_security_group_id = aws_security_group.web.id
  to_port                  = 3306
  type                     = "ingress"
}
# all outbound traffic
resource "aws_security_group_rule" "rds-1" {
  cidr_blocks = [
    "0.0.0.0/0",
  ]
  from_port         = 0
  ipv6_cidr_blocks  = []
  prefix_list_ids   = []
  protocol          = "-1"
  security_group_id = aws_security_group.rds.id
  self              = false
  to_port           = 0
  type              = "egress"
}