terraform で既存のVPCを操作する
terraform の全能感いいですね。
terraform 0.4.2 で既存の VPC に対して下記のことを行ったのでメモです。
なお、インストールは brew install terraform で実施しました。
$ terraform
usage: terraform [--version] [--help] <command> [<args>]
Available commands are:
apply Builds or changes infrastructure
destroy Destroy Terraform-managed infrastructure
get Download and install modules for the configuration
graph Create a visual graph of Terraform resources
init Initializes Terraform configuration from a module
output Read an output from a state file
plan Generate and show an execution plan
push Upload this Terraform module to Atlas to run
refresh Update local state file against real resources
remote Configure remote state storage
show Inspect Terraform state or plan
taint Manually mark a resource for recreation
version Prints the Terraform version
$ terraform --version
Terraform v0.4.2
$ ls -l /usr/local/bin/terraform*
lrwxr-xr-x 1 hoge huga 39 Apr 27 14:21 /usr/local/bin/terraform -> ../Cellar/terraform/0.4.2/bin/terraform
lrwxr-xr-x 1 hoge huga 54 Apr 27 14:21 /usr/local/bin/terraform-provider-atlas -> ../Cellar/terraform/0.4.2/bin/terraform-provider-atlas
lrwxr-xr-x 1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-aws -> ../Cellar/terraform/0.4.2/bin/terraform-provider-aws
lrwxr-xr-x 1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudflare -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudflare
lrwxr-xr-x 1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudstack
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-consul -> ../Cellar/terraform/0.4.2/bin/terraform-provider-consul
lrwxr-xr-x 1 hoge huga 61 Apr 27 14:21 /usr/local/bin/terraform-provider-digitalocean -> ../Cellar/terraform/0.4.2/bin/terraform-provider-digitalocean
lrwxr-xr-x 1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-dme -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dme
lrwxr-xr-x 1 hoge huga 57 Apr 27 14:21 /usr/local/bin/terraform-provider-dnsimple -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dnsimple
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-docker -> ../Cellar/terraform/0.4.2/bin/terraform-provider-docker
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-google -> ../Cellar/terraform/0.4.2/bin/terraform-provider-google
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-heroku -> ../Cellar/terraform/0.4.2/bin/terraform-provider-heroku
lrwxr-xr-x 1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provider-mailgun -> ../Cellar/terraform/0.4.2/bin/terraform-provider-mailgun
lrwxr-xr-x 1 hoge huga 53 Apr 27 14:21 /usr/local/bin/terraform-provider-null -> ../Cellar/terraform/0.4.2/bin/terraform-provider-null
lrwxr-xr-x 1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-openstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-openstack
lrwxr-xr-x 1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-terraform -> ../Cellar/terraform/0.4.2/bin/terraform-provider-terraform
lrwxr-xr-x 1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provisioner-file -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-file
lrwxr-xr-x 1 hoge huga 62 Apr 27 14:21 /usr/local/bin/terraform-provisioner-local-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-local-exec
lrwxr-xr-x 1 hoge huga 63 Apr 27 14:21 /usr/local/bin/terraform-provisioner-remote-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-remote-exec
簡単でいい感じです。
なお、ソースからインストールして、/usr/local/bin/terraform ディレクトリを作成し、パスを通してみたところ、 provider aws not found なエラーが出たので /usr/local/bin じゃないとダメなのかもしれません。
やったこと
- サブネット作成
- 10.0.0.0/24
- 10.0.1.0/24
- ルートテーブル作成
- nat インスタンスへのデフォルトルート
- Office へのスタティックルート
- Network ACL作成
- 内向き全許可
- 外向きで 25 ポートだけ拒否
変数
変数は aws.tfvars とします。 VPC と Office に拠点間 VPN されていることと、VPC 内に nat インスタンスがいる場合などを想定しています。
access_key = "**************" secret_key = "************************" region = "ap-northeast-1" vpc_id = "vpc-******" az_b = "ap-northeast-1a" az_c = "ap-northeast-1c" nat_id = "i-*******" office_gw = "vgw-******"
定義
定義は aws.tf とします。
variable "access_key" {}
variable "secret_key" {}
variable "region" {}
variable "vpc_id" {}
variable "nat_id" {}
variable "office_gw" {}
variable "prod_db_nw" {}
provider "aws" {
access_key = "${var.access_key}"
secret_key = "${var.secret_key}"
region = "${var.region}"
}
resource "aws_subnet" "test-1" {
vpc_id = "${var.vpc_id}"
cidr_block = "10.0.0.0/24"
availability_zone = "ap-northeast-1a"
tags {
Name = "test-1"
}
}
resource "aws_subnet" "test-2" {
vpc_id = "${var.vpc_id}"
cidr_block = "10.0.1.0/24"
availability_zone = "ap-northeast-1b"
tags {
Name = "test-2"
}
}
resource "aws_route_table" "test-rtb" {
vpc_id = "${var.vpc_id}"
route {
cidr_block = "0.0.0.0/0"
instance_id = "${var.nat_id}"
}
route {
cidr_block = "192.168.1.0/24"
gateway_id = "${var.office_gw}"
}
}
resource "aws_route_table_association" "test-1" {
subnet_id = "${aws_subnet.test-1.id}"
route_table_id = "${aws_route_table.test-rtb.id}"
}
resource "aws_route_table_association" "test-2" {
subnet_id = "${aws_subnet.test-2.id}"
route_table_id = "${aws_route_table.test-rtb.id}"
}
resource "aws_network_acl" "test-1_acl" {
vpc_id ="${var.vpc_id}"
subnet_id = "${aws_subnet.test-1.id}"
ingress = {
rule_no = 100
protocol = "all"
action = "allow"
from_port = 0
to_port = 65535
cidr_block = "0.0.0.0/0"
}
egress {
rule_no = 50
protocol = "tcp"
action = "deny"
from_port = 25
to_port = 25
cidr_block = "0.0.0.0/0"
egress {
rule_no = 100
protocol = "all"
action = "allow"
from_port = 0
to_port = 65535
cidr_block = "0.0.0.0/0"
}
}
resource "aws_network_acl" "test-2_acl" {
vpc_id ="${var.vpc_id}"
subnet_id = "${aws_subnet.test-2.id}"
ingress = {
rule_no = 100
protocol = "all"
action = "allow"
from_port = 0
to_port = 65535
cidr_block = "0.0.0.0/0"
}
egress {
rule_no = 50
protocol = "tcp"
action = "deny"
from_port = 25
to_port = 25
cidr_block = "0.0.0.0/0"
egress {
rule_no = 100
protocol = "all"
action = "allow"
from_port = 0
to_port = 65535
cidr_block = "0.0.0.0/0"
}
}
実行
$ terraform -var-file=aws.tfvars
これでできてしまいます。すごい。
terraform destroy で簡単に壊せるし、テスト環境を作るときなどに流用しつつ運用できれば楽できそうです。
バグっぽい
これだと1つでいいのに複数のNW ACLが作成されてしまうので、以下の様にしてまとめようとしたところ、CLASH しました。
resource "aws_network_acl" "test_acl" {
vpc_id ="${var.vpc_id}"
subnet_id = [ "${aws_subnet.test-1.id}", "${aws_subnet.test-2.id}" ]
以下略
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!! Terraform crashed! This is always indicative of a bug within Terraform. A crash log has been placed at "crash.log" relative to your current working directory. It would be immensely helpful if you could please report the crash with Terraform[1] so that we can fix this. [1]: https://github.com/hashicorp/terraform/issues !!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
