Working with an existing VPC in terraform
That feeling of omnipotence terraform gives you is nice.
These are my notes on doing the following against an existing VPC with terraform 0.4.2.
Installation was done with brew install terraform.
```
$ terraform
usage: terraform [--version] [--help] <command> [<args>]

Available commands are:
    apply      Builds or changes infrastructure
    destroy    Destroy Terraform-managed infrastructure
    get        Download and install modules for the configuration
    graph      Create a visual graph of Terraform resources
    init       Initializes Terraform configuration from a module
    output     Read an output from a state file
    plan       Generate and show an execution plan
    push       Upload this Terraform module to Atlas to run
    refresh    Update local state file against real resources
    remote     Configure remote state storage
    show       Inspect Terraform state or plan
    taint      Manually mark a resource for recreation
    version    Prints the Terraform version

$ terraform --version
Terraform v0.4.2

$ ls -l /usr/local/bin/terraform*
lrwxr-xr-x 1 hoge huga 39 Apr 27 14:21 /usr/local/bin/terraform -> ../Cellar/terraform/0.4.2/bin/terraform
lrwxr-xr-x 1 hoge huga 54 Apr 27 14:21 /usr/local/bin/terraform-provider-atlas -> ../Cellar/terraform/0.4.2/bin/terraform-provider-atlas
lrwxr-xr-x 1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-aws -> ../Cellar/terraform/0.4.2/bin/terraform-provider-aws
lrwxr-xr-x 1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudflare -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudflare
lrwxr-xr-x 1 hoge huga 59 Apr 27 14:21 /usr/local/bin/terraform-provider-cloudstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-cloudstack
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-consul -> ../Cellar/terraform/0.4.2/bin/terraform-provider-consul
lrwxr-xr-x 1 hoge huga 61 Apr 27 14:21 /usr/local/bin/terraform-provider-digitalocean -> ../Cellar/terraform/0.4.2/bin/terraform-provider-digitalocean
lrwxr-xr-x 1 hoge huga 52 Apr 27 14:21 /usr/local/bin/terraform-provider-dme -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dme
lrwxr-xr-x 1 hoge huga 57 Apr 27 14:21 /usr/local/bin/terraform-provider-dnsimple -> ../Cellar/terraform/0.4.2/bin/terraform-provider-dnsimple
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-docker -> ../Cellar/terraform/0.4.2/bin/terraform-provider-docker
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-google -> ../Cellar/terraform/0.4.2/bin/terraform-provider-google
lrwxr-xr-x 1 hoge huga 55 Apr 27 14:21 /usr/local/bin/terraform-provider-heroku -> ../Cellar/terraform/0.4.2/bin/terraform-provider-heroku
lrwxr-xr-x 1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provider-mailgun -> ../Cellar/terraform/0.4.2/bin/terraform-provider-mailgun
lrwxr-xr-x 1 hoge huga 53 Apr 27 14:21 /usr/local/bin/terraform-provider-null -> ../Cellar/terraform/0.4.2/bin/terraform-provider-null
lrwxr-xr-x 1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-openstack -> ../Cellar/terraform/0.4.2/bin/terraform-provider-openstack
lrwxr-xr-x 1 hoge huga 58 Apr 27 14:21 /usr/local/bin/terraform-provider-terraform -> ../Cellar/terraform/0.4.2/bin/terraform-provider-terraform
lrwxr-xr-x 1 hoge huga 56 Apr 27 14:21 /usr/local/bin/terraform-provisioner-file -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-file
lrwxr-xr-x 1 hoge huga 62 Apr 27 14:21 /usr/local/bin/terraform-provisioner-local-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-local-exec
lrwxr-xr-x 1 hoge huga 63 Apr 27 14:21 /usr/local/bin/terraform-provisioner-remote-exec -> ../Cellar/terraform/0.4.2/bin/terraform-provisioner-remote-exec
```
Simple and nice.
Note that when I installed from source, created a /usr/local/bin/terraform directory and put it on the PATH, I got a "provider aws not found" error, so it may be that it has to live in /usr/local/bin.
What I did
- Create subnets
  - 10.0.0.0/24
  - 10.0.1.0/24
- Create a route table
  - default route to the nat instance
  - static route to the Office
- Create Network ACLs
  - allow all inbound
  - outbound: deny only port 25
Variables
The variables go in aws.tfvars. This assumes a site-to-site VPN between the VPC and the Office, and a nat instance inside the VPC, among other things. Since aws.tfvars holds the access key and secret key, keep it out of version control.
```hcl
access_key = "**************"
secret_key = "************************"
region     = "ap-northeast-1"
vpc_id     = "vpc-******"
az_b       = "ap-northeast-1a"
az_c       = "ap-northeast-1c"
nat_id     = "i-*******"
office_gw  = "vgw-******"
```
Definitions
The definitions go in aws.tf.
```hcl
variable "access_key" {}
variable "secret_key" {}
variable "region" {}
variable "vpc_id" {}
variable "az_b" {}
variable "az_c" {}
variable "nat_id" {}
variable "office_gw" {}

provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}

# Two subnets in the existing VPC, one per availability zone (taken from aws.tfvars)
resource "aws_subnet" "test-1" {
  vpc_id            = "${var.vpc_id}"
  cidr_block        = "10.0.0.0/24"
  availability_zone = "${var.az_b}"
  tags {
    Name = "test-1"
  }
}

resource "aws_subnet" "test-2" {
  vpc_id            = "${var.vpc_id}"
  cidr_block        = "10.0.1.0/24"
  availability_zone = "${var.az_c}"
  tags {
    Name = "test-2"
  }
}

# Default route through the nat instance, static route to the Office via the VPN gateway
resource "aws_route_table" "test-rtb" {
  vpc_id = "${var.vpc_id}"
  route {
    cidr_block  = "0.0.0.0/0"
    instance_id = "${var.nat_id}"
  }
  route {
    cidr_block = "192.168.1.0/24"
    gateway_id = "${var.office_gw}"
  }
}

resource "aws_route_table_association" "test-1" {
  subnet_id      = "${aws_subnet.test-1.id}"
  route_table_id = "${aws_route_table.test-rtb.id}"
}

resource "aws_route_table_association" "test-2" {
  subnet_id      = "${aws_subnet.test-2.id}"
  route_table_id = "${aws_route_table.test-rtb.id}"
}

# Network ACL per subnet: allow all inbound, deny outbound SMTP (tcp/25), allow the rest.
# Rules are evaluated in ascending rule_no order, so the deny (50) must precede the allow-all (100).
resource "aws_network_acl" "test-1_acl" {
  vpc_id    = "${var.vpc_id}"
  subnet_id = "${aws_subnet.test-1.id}"
  ingress {
    rule_no    = 100
    protocol   = "all"
    action     = "allow"
    from_port  = 0
    to_port    = 65535
    cidr_block = "0.0.0.0/0"
  }
  egress {
    rule_no    = 50
    protocol   = "tcp"
    action     = "deny"
    from_port  = 25
    to_port    = 25
    cidr_block = "0.0.0.0/0"
  }
  egress {
    rule_no    = 100
    protocol   = "all"
    action     = "allow"
    from_port  = 0
    to_port    = 65535
    cidr_block = "0.0.0.0/0"
  }
}

resource "aws_network_acl" "test-2_acl" {
  vpc_id    = "${var.vpc_id}"
  subnet_id = "${aws_subnet.test-2.id}"
  ingress {
    rule_no    = 100
    protocol   = "all"
    action     = "allow"
    from_port  = 0
    to_port    = 65535
    cidr_block = "0.0.0.0/0"
  }
  egress {
    rule_no    = 50
    protocol   = "tcp"
    action     = "deny"
    from_port  = 25
    to_port    = 25
    cidr_block = "0.0.0.0/0"
  }
  egress {
    rule_no    = 100
    protocol   = "all"
    action     = "allow"
    from_port  = 0
    to_port    = 65535
    cidr_block = "0.0.0.0/0"
  }
}
```
Run
```
$ terraform plan -var-file=aws.tfvars
$ terraform apply -var-file=aws.tfvars
```
That is all it takes. Amazing.
terraform destroy tears it all down just as easily, so if I can reuse this when building test environments and the like, it should make operations easier.
Looks like a bug
With this, several NW ACLs get created where one would do, so when I tried to merge them as shown below, it CRASHED.
```hcl
resource "aws_network_acl" "test_acl" {
  vpc_id    = "${var.vpc_id}"
  subnet_id = [
    "${aws_subnet.test-1.id}",
    "${aws_subnet.test-2.id}"
  ]
```
(rest omitted)
```
!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Terraform crashed! This is always indicative of a bug within Terraform.
A crash log has been placed at "crash.log" relative to your current
working directory. It would be immensely helpful if you could please
report the crash with Terraform[1] so that we can fix this.

[1]: https://github.com/hashicorp/terraform/issues

!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!
```
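The one-ACL-for-both-subnets layout attempted above is expressible in later releases, where aws_network_acl takes a subnet_ids list instead of a single subnet_id. This is an added example, not code from the original post; it assumes Terraform 0.12+ syntax and an AWS provider that supports subnet_ids (not 0.4.2), plus the same variable and resource names as aws.tf.

```hcl
# One network ACL attached to both subnets (assumes Terraform 0.12+ syntax
# and an AWS provider with the subnet_ids argument; not Terraform 0.4.2).
resource "aws_network_acl" "test_acl" {
  vpc_id     = var.vpc_id
  subnet_ids = [aws_subnet.test-1.id, aws_subnet.test-2.id]

  # Allow all inbound. Protocol "-1" means all protocols and uses ports 0-0.
  ingress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    from_port  = 0
    to_port    = 0
    cidr_block = "0.0.0.0/0"
  }

  # Rules are matched in ascending rule_no order, so the SMTP deny must
  # carry a lower number than the allow-all or it never takes effect.
  egress {
    rule_no    = 50
    protocol   = "tcp"
    action     = "deny"
    from_port  = 25
    to_port    = 25
    cidr_block = "0.0.0.0/0"
  }

  egress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    from_port  = 0
    to_port    = 0
    cidr_block = "0.0.0.0/0"
  }

  tags = {
    Name = "test-acl"
  }
}
```

With this in place the two per-subnet ACL resources (test-1_acl and test-2_acl) are no longer needed, and terraform plan shows a single ACL associated with both subnets.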