set setting reset

Infrastructure-related tips and notes

Managing an existing VPC with terraform

The feeling of omnipotence terraform gives you is great.
These are my notes on doing the following to an existing VPC with terraform 0.4.2.

Installation was done with brew install terraform.

$  terraform
usage: terraform [--version] [--help] <command> [<args>]

Available commands are:
    apply      Builds or changes infrastructure
    destroy    Destroy Terraform-managed infrastructure
    get        Download and install modules for the configuration
    graph      Create a visual graph of Terraform resources
    init       Initializes Terraform configuration from a module
    output     Read an output from a state file
    plan       Generate and show an execution plan
    push       Upload this Terraform module to Atlas to run
    refresh    Update local state file against real resources
    remote     Configure remote state storage
    show       Inspect Terraform state or plan
    taint      Manually mark a resource for recreation
    version    Prints the Terraform version

$  terraform --version
Terraform v0.4.2

$  ls -l /usr/local/bin/terraform*
lrwxr-xr-x  1 hoge huga 39 Apr 27 14:21 /usr/local/bin/terraform -> ../Cellar/terraform/0.4.2/bin/terraform
lrwxr-xr-x  1 hoge huga 54 Apr 27 14:21 /usr/local/bin/terraform-provider-atlas -> ../Cellar/terraform/0.4.2/bin/terraform-provider-atlas
lrwxr-xr-x  1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-aws -> ../Cellar/terraform/0.4.2/bin/terraform-provider-aws
lrwxr-xr-x  1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudflare -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudflare
lrwxr-xr-x  1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudstack
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-consul -> ../Cellar/terraform/0.4.2/bin/terraform-provider-consul
lrwxr-xr-x  1 hoge huga 61 Apr 27 14:21 /usr/local/bin/terraform-provider-digitalocean -> ../Cellar/terraform/0.4.2/bin/terraform-provider-digitalocean
lrwxr-xr-x  1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-dme -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dme
lrwxr-xr-x  1 hoge huga 57 Apr 27 14:21 /usr/local/bin/terraform-provider-dnsimple -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dnsimple
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-docker -> ../Cellar/terraform/0.4.2/bin/terraform-provider-docker
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-google -> ../Cellar/terraform/0.4.2/bin/terraform-provider-google
lrwxr-xr-x  1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-heroku -> ../Cellar/terraform/0.4.2/bin/terraform-provider-heroku
lrwxr-xr-x  1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provider-mailgun -> ../Cellar/terraform/0.4.2/bin/terraform-provider-mailgun
lrwxr-xr-x  1 hoge huga 53 Apr 27 14:21 /usr/local/bin/terraform-provider-null -> ../Cellar/terraform/0.4.2/bin/terraform-provider-null
lrwxr-xr-x  1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-openstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-openstack
lrwxr-xr-x  1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-terraform -> ../Cellar/terraform/0.4.2/bin/terraform-provider-terraform
lrwxr-xr-x  1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provisioner-file -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-file
lrwxr-xr-x  1 hoge huga 62 Apr 27 14:21 /usr/local/bin/terraform-provisioner-local-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-local-exec
lrwxr-xr-x  1 hoge huga 63 Apr 27 14:21 /usr/local/bin/terraform-provisioner-remote-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-remote-exec

Simple and nice.

Incidentally, when I installed from source, created a /usr/local/bin/terraform directory and added it to PATH, I got a "provider aws not found" error, so it may be that it has to be /usr/local/bin.

What I did

  • Create subnets
    • 10.0.0.0/24
    • 10.0.1.0/24
  • Create a route table
    • default route to the nat instance
    • static route to the Office
  • Create Network ACLs
    • inbound: allow everything
    • outbound: deny only port 25

Variables

The variables go in aws.tfvars. This assumes a site-to-site VPN between the VPC and the Office, and a nat instance running inside the VPC.

access_key = "**************"
secret_key = "************************"
region = "ap-northeast-1"
vpc_id = "vpc-******"
az_b = "ap-northeast-1a"
az_c = "ap-northeast-1c"
nat_id = "i-*******"
office_gw = "vgw-******"
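A var file and its variable declarations drift easily: a key set in the var file but never declared is silently useless, and a declared variable with neither a value nor a default makes terraform stop and prompt for one, which breaks an unattended run. The following Python is an example added here, not part of the post, that cross-checks a var file against the variable declarations and also lists keys that look like credentials (the post keeps the AWS keys in the var file itself, so anyone who can read or commit that file holds them). Both inputs are constructed samples with placeholder values, in the shape of the post's aws.tfvars and aws.tf, and deliberately contain such a drift: az_b and az_c set but undeclared, prod_db_nw declared but unset. The parser only understands the single-line syntax used in the post.

```python
import re

# Constructed sample var file: same keys as the post's aws.tfvars, placeholder values.
TFVARS = """
access_key = "AKIA_PLACEHOLDER"
secret_key = "SECRET_PLACEHOLDER"
region = "ap-northeast-1"
vpc_id = "vpc-000000"
az_b = "ap-northeast-1a"
az_c = "ap-northeast-1c"
nat_id = "i-0000000"
office_gw = "vgw-000000"
"""

# Constructed sample of the variable declarations at the top of the post's aws.tf.
TF_DECLS = """
variable "access_key" {}
variable "secret_key" {}
variable "region" {}
variable "vpc_id" {}
variable "nat_id" {}
variable "office_gw" {}
variable "prod_db_nw" {}
"""

# key = "value" on one line, as in the var file above.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(.*)"\s*$')
# variable "name" { ... } on one line; the body is kept to look for a default.
_DECL = re.compile(r'^\s*variable\s+"([A-Za-z_][A-Za-z0-9_]*)"\s*\{([^}]*)\}\s*$')


def parse_tfvars(text):
    """Return {name: value} for every single-line key = "value" assignment."""
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def parse_variable_decls(text):
    """Return {name: has_default} for every single-line variable declaration."""
    decls = {}
    for line in text.splitlines():
        m = _DECL.match(line)
        if m:
            decls[m.group(1)] = "default" in m.group(2)
    return decls


def check_variables(tfvars_text, tf_text):
    """Cross-check a var file against the declarations.

    Returns (undeclared, unset): keys set in the var file that no declaration
    consumes, and declared variables that have neither a value nor a default
    (these are the ones terraform would prompt for interactively).
    """
    values = parse_tfvars(tfvars_text)
    decls = parse_variable_decls(tf_text)
    undeclared = sorted(k for k in values if k not in decls)
    unset = sorted(k for k, has_default in decls.items()
                   if k not in values and not has_default)
    return undeclared, unset


def credential_keys(values):
    """Names in a var file that look like secrets and should not live in a
    plain-text file that gets committed or shared (heuristic on the key name)."""
    markers = ("key", "secret", "password", "token")
    return sorted(k for k in values if any(m in k.lower() for m in markers))


if __name__ == "__main__":
    undeclared, unset = check_variables(TFVARS, TF_DECLS)
    print("set but never declared:", undeclared)      # ['az_b', 'az_c']
    print("declared but no value/default:", unset)     # ['prod_db_nw']
    print("credential-looking keys in var file:", credential_keys(parse_tfvars(TFVARS)))
```

Run it against the real files by reading them into `TFVARS` and `TF_DECLS` instead of the constructed strings; a non-empty `unset` list is the thing to fix before an unattended apply.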

Definitions

The definitions go in aws.tf.

variable "access_key" {}
variable "secret_key" {}
variable "region" {}
variable "vpc_id" {}
# az_b / az_c are set in aws.tfvars, so they are declared here as well
variable "az_b" {}
variable "az_c" {}
variable "nat_id" {}
variable "office_gw" {}

provider "aws" {
    access_key = "${var.access_key}"
    secret_key = "${var.secret_key}"
    region = "${var.region}"
}

resource "aws_subnet" "test-1" {
    vpc_id = "${var.vpc_id}"
    cidr_block = "10.0.0.0/24"
    availability_zone = "ap-northeast-1a"
    tags {
        Name = "test-1"
    }
}

resource "aws_subnet" "test-2" {
    vpc_id = "${var.vpc_id}"
    cidr_block = "10.0.1.0/24"
    availability_zone = "ap-northeast-1b"
    tags {
        Name = "test-2"
    }
}

resource "aws_route_table" "test-rtb" {
    vpc_id = "${var.vpc_id}"
    # default route through the nat instance
    route {
        cidr_block = "0.0.0.0/0"
        instance_id = "${var.nat_id}"
    }
    # static route to the Office network over the site-to-site VPN (virtual private gateway)
    route {
        cidr_block = "192.168.1.0/24"
        gateway_id = "${var.office_gw}"
    }
}

resource "aws_route_table_association" "test-1" {
    subnet_id = "${aws_subnet.test-1.id}"
    route_table_id = "${aws_route_table.test-rtb.id}"
}

resource "aws_route_table_association" "test-2" {
    subnet_id = "${aws_subnet.test-2.id}"
    route_table_id = "${aws_route_table.test-rtb.id}"
}

resource "aws_network_acl" "test-1_acl" {
    vpc_id = "${var.vpc_id}"
    subnet_id = "${aws_subnet.test-1.id}"
    # inbound: allow everything
    ingress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
    # outbound: deny TCP 25; rule 50 is evaluated before the allow-all rule 100
    egress {
        rule_no = 50
        protocol = "tcp"
        action = "deny"
        from_port = 25
        to_port = 25
        cidr_block = "0.0.0.0/0"
    }
    # outbound: allow everything else
    egress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
}

resource "aws_network_acl" "test-2_acl" {
    vpc_id = "${var.vpc_id}"
    subnet_id = "${aws_subnet.test-2.id}"
    # inbound: allow everything
    ingress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
    # outbound: deny TCP 25; rule 50 is evaluated before the allow-all rule 100
    egress {
        rule_no = 50
        protocol = "tcp"
        action = "deny"
        from_port = 25
        to_port = 25
        cidr_block = "0.0.0.0/0"
    }
    # outbound: allow everything else
    egress {
        rule_no = 100
        protocol = "all"
        action = "allow"
        from_port = 0
        to_port = 65535
        cidr_block = "0.0.0.0/0"
    }
}
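The two egress rules only block SMTP because rule 50 sorts before rule 100: a network ACL evaluates its entries in ascending rule_no order and stops at the first match, with an implicit final deny for anything unmatched. It is also stateless, so the reply to an outbound connection has to pass the ingress rules on its own, which is why the allow-all ingress above cannot simply be tightened to a few service ports. The following Python is an example added here, not part of the post, that models that evaluation and applies it to the rule set above and to two variants: the same egress rules with the numbers swapped, and an ingress list restricted to TCP 443. It is a simplified IPv4 model (tcp/udp/all only, no ICMP type or code), and the peer address 203.0.113.10 is a constructed documentation address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One ingress or egress entry of a network ACL (IPv4; tcp, udp or all)."""
    rule_no: int
    protocol: str      # "tcp", "udp" or "all" ("-1" is treated like "all")
    action: str        # "allow" or "deny"
    from_port: int
    to_port: int
    cidr_block: str


def evaluate(rules, protocol, port, peer_ip):
    """Return (action, rule_no) of the first matching rule, scanning in ascending
    rule_no order; if nothing matches, the implicit final deny applies, which is
    reported with rule number "*" as the AWS console shows it."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if addr not in ipaddress.ip_network(rule.cidr_block):
            continue
        if rule.protocol not in ("all", "-1"):
            if rule.protocol != protocol:
                continue
            if not rule.from_port <= port <= rule.to_port:
                continue
        return rule.action, rule.rule_no
    return "deny", "*"


# Egress rules as in aws.tf above: deny TCP 25 at 50, then allow everything at 100.
EGRESS = [
    AclRule(50, "tcp", "deny", 25, 25, "0.0.0.0/0"),
    AclRule(100, "all", "allow", 0, 65535, "0.0.0.0/0"),
]

# Same two rules with the numbers swapped: the allow-all is now evaluated first.
EGRESS_MISORDERED = [
    AclRule(200, "tcp", "deny", 25, 25, "0.0.0.0/0"),
    AclRule(100, "all", "allow", 0, 65535, "0.0.0.0/0"),
]

# Ingress as in the post (allow all) and a tightened variant admitting only TCP 443.
INGRESS_OPEN = [AclRule(100, "all", "allow", 0, 65535, "0.0.0.0/0")]
INGRESS_443_ONLY = [AclRule(100, "tcp", "allow", 443, 443, "0.0.0.0/0")]

PEER = "203.0.113.10"   # constructed documentation address standing in for any host


def smtp_blocked(egress_rules, peer_ip=PEER):
    """True if an outbound TCP connection to port 25 at peer_ip would be dropped."""
    return evaluate(egress_rules, "tcp", 25, peer_ip)[0] == "deny"


def reply_admitted(ingress_rules, ephemeral_port=49152, peer_ip=PEER):
    """Whether the reply to an outbound connection gets back in. The ACL keeps no
    connection state, so the reply is checked against the ingress rules with the
    instance's ephemeral source port as its destination port."""
    return evaluate(ingress_rules, "tcp", ephemeral_port, peer_ip)[0] == "allow"


if __name__ == "__main__":
    print("post's egress blocks SMTP:", smtp_blocked(EGRESS))                 # True
    print("misordered egress blocks SMTP:", smtp_blocked(EGRESS_MISORDERED))  # False
    print("open ingress admits replies:", reply_admitted(INGRESS_OPEN))       # True
    print("443-only ingress admits replies:", reply_admitted(INGRESS_443_ONLY))  # False
```

The misordered variant is the mistake to watch for when someone later adds an allow rule with a lower number than the deny: terraform applies it without complaint, and port 25 quietly opens. If the ingress side is ever tightened, it needs an allow for the ephemeral port range (1024-65535) or outbound connections from the subnet stop working.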

Running it

$ terraform apply -var-file=aws.tfvars

And that is all it takes. Amazing.
You can tear it all down easily with terraform destroy, so reusing this when building test environments should make operations a lot easier.

Looks like a bug

This creates several NW ACLs when a single one would do, so I tried to consolidate them as below, and it CRASHED.

resource "aws_network_acl" "test_acl" {
    vpc_id ="${var.vpc_id}"
    subnet_id = [ "${aws_subnet.test-1.id}", "${aws_subnet.test-2.id}" ]
(rest omitted)
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Terraform crashed! This is always indicative of a bug within Terraform.
A crash log has been placed at "crash.log" relative to your current
working directory. It would be immensely helpful if you could please
report the crash with Terraform[1] so that we can fix this.

[1]: https://github.com/hashicorp/terraform/issues

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Sites I referred to

think-t.hatenablog.com Provider 'digitalocean' not found