【AWS】TerraformでTransitGateway構成を作ってみた

TerraformでTransitGateway構成を作ってみた
構成
こんな感じのを作って、EC2同士で疎通が取れることを確認します。

実践!
1.環境構築
1-1.下記ファイルを作成
version.tf
# Version pins: any 5.x release of the AWS provider (a jump to 6.x is blocked
# until the constraint is raised deliberately) and a Terraform CLI of 1.0 or newer.
terraform {
  required_version = ">= 1.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
variables.tf
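# Input variables. All maps are typed map(string) rather than map(any): every
# default value is a string, so this is backward compatible, and it rejects a
# non-string override at plan time instead of at apply time.

# Environment label; `env` is the prefix used for every resource Name tag.
variable "env" {
  description = "Environment settings; the `env` key prefixes resource Name tags"
  type        = map(string)
  default = {
    env = "test"
  }
}

variable "region" {
  description = "The AWS region to deploy resources in"
  type        = string
  default     = "ap-northeast-1"
}

# One /24 per VPC: ser01 is consumed by vpc_1, ser02 by vpc_2.
variable "vpc_network" {
  description = "VPC CIDR blocks keyed by service name (ser01 -> vpc_1, ser02 -> vpc_2)"
  type        = map(string)
  default = {
    ser01 = "10.224.1.0/24"
    ser02 = "10.224.2.0/24"
  }

  # Catch a malformed CIDR before any AWS call is made.
  validation {
    condition     = alltrue([for c in var.vpc_network : can(cidrnetmask(c))])
    error_message = "Every vpc_network value must be a valid IPv4 CIDR block."
  }
}

# Region and the two availability zones the subnets are spread across.
variable "area" {
  description = "Region and availability zones used for the subnets"
  type        = map(string)
  default = {
    region = "ap-northeast-1"
    az01   = "ap-northeast-1a"
    az02   = "ap-northeast-1c"
  }
}

# Each VPC's /24 is split into two /25s: sub-N-01 lands in az01, sub-N-02 in az02.
variable "sub_network" {
  description = "Subnet CIDR blocks; sub-N-01 and sub-N-02 are the two halves of vpc_N's /24"
  type        = map(string)
  default = {
    sub-1-01 = "10.224.1.0/25"
    sub-1-02 = "10.224.1.128/25"
    sub-2-01 = "10.224.2.0/25"
    sub-2-02 = "10.224.2.128/25"
  }

  validation {
    condition     = alltrue([for c in var.sub_network : can(cidrnetmask(c))])
    error_message = "Every sub_network value must be a valid IPv4 CIDR block."
  }
}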
provider.tf
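# AWS provider configuration. Credentials come from the named CLI profile, so no
# keys live in the configuration. The region is taken from var.region (default
# ap-northeast-1, the same value that was hard-coded here) so that a single
# variable decides where everything is created.
provider "aws" {
  profile = "testvault"
  # region = "us-east-1"
  region = var.region
}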
data.tf
# Identity behind the configured credentials (account ID, ARN, user ID).
# Nothing else in this configuration references it; presumably kept as an early
# check that the profile can authenticate at plan time — confirm before removing.
data "aws_caller_identity" "current" {}
main.tf
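# Network layer: two VPCs, each with one subnet per AZ, a public route table
# (default route via an IGW, peer-VPC route via the Transit Gateway), and the
# Transit Gateway with one attachment and one route table per VPC.
#
# Change from the original: the VPC route tables now declare depends_on for the
# Transit Gateway VPC attachment of their own VPC. The TGW route only references
# the gateway ID, so Terraform cannot infer that ordering itself, and AWS rejects
# a route to a transit gateway that is not yet attached to the route table's VPC.

resource "aws_vpc" "vpc_1" {
  cidr_block = var.vpc_network["ser01"]
  tags = {
    Name = "${var.env["env"]}-vpc-1"
  }
}

resource "aws_vpc" "vpc_2" {
  cidr_block = var.vpc_network["ser02"]
  tags = {
    Name = "${var.env["env"]}-vpc-2"
  }
}

# One subnet per AZ in each VPC; the TGW attachment below uses both so that
# traffic from either AZ has a local attachment ENI.
resource "aws_subnet" "subnet_1a" {
  vpc_id            = aws_vpc.vpc_1.id
  cidr_block        = var.sub_network["sub-1-01"]
  availability_zone = var.area["az01"]
  tags = {
    Name = "${var.env["env"]}-subnet-1a"
  }
}

resource "aws_subnet" "subnet_1c" {
  vpc_id            = aws_vpc.vpc_1.id
  cidr_block        = var.sub_network["sub-1-02"]
  availability_zone = var.area["az02"]
  tags = {
    Name = "${var.env["env"]}-subnet-1c"
  }
}

resource "aws_subnet" "subnet_2a" {
  vpc_id            = aws_vpc.vpc_2.id
  cidr_block        = var.sub_network["sub-2-01"]
  availability_zone = var.area["az01"]
  tags = {
    Name = "${var.env["env"]}-subnet-2a"
  }
}

resource "aws_subnet" "subnet_2c" {
  vpc_id            = aws_vpc.vpc_2.id
  cidr_block        = var.sub_network["sub-2-02"]
  availability_zone = var.area["az02"]
  tags = {
    Name = "${var.env["env"]}-subnet-2c"
  }
}

# Route tables: 0.0.0.0/0 via the IGW makes these subnets public (the instances
# rely on that for SSM, see the EC2 resources); only the peer VPC's /24 is
# steered into the Transit Gateway.
resource "aws_route_table" "rt_1" {
  vpc_id = aws_vpc.vpc_1.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw_1.id
  }

  route {
    cidr_block         = var.vpc_network["ser02"]
    transit_gateway_id = aws_ec2_transit_gateway.tgw_1.id
  }

  tags = {
    Name = "${var.env["env"]}-rt-1"
  }

  # The TGW must already be attached to vpc_1 before the route above is accepted.
  depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgwa_1]
}

resource "aws_route_table" "rt_2" {
  vpc_id = aws_vpc.vpc_2.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw_2.id
  }

  route {
    cidr_block         = var.vpc_network["ser01"]
    transit_gateway_id = aws_ec2_transit_gateway.tgw_1.id
  }

  tags = {
    Name = "${var.env["env"]}-rt-2"
  }

  depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgwa_2]
}

resource "aws_route_table_association" "rta_1a" {
  subnet_id      = aws_subnet.subnet_1a.id
  route_table_id = aws_route_table.rt_1.id
}

resource "aws_route_table_association" "rta_1c" {
  subnet_id      = aws_subnet.subnet_1c.id
  route_table_id = aws_route_table.rt_1.id
}

resource "aws_route_table_association" "rta_2a" {
  subnet_id      = aws_subnet.subnet_2a.id
  route_table_id = aws_route_table.rt_2.id
}

resource "aws_route_table_association" "rta_2c" {
  subnet_id      = aws_subnet.subnet_2c.id
  route_table_id = aws_route_table.rt_2.id
}

resource "aws_internet_gateway" "igw_1" {
  vpc_id = aws_vpc.vpc_1.id
  tags = {
    Name = "${var.env["env"]}-igw-1"
  }
}

resource "aws_internet_gateway" "igw_2" {
  vpc_id = aws_vpc.vpc_2.id
  tags = {
    Name = "${var.env["env"]}-igw-2"
  }
}

# Both default-route-table behaviours are disabled so that an attachment is
# only reachable through the explicit route tables and routes declared below;
# a new attachment does not silently gain connectivity to every other one.
resource "aws_ec2_transit_gateway" "tgw_1" {
  description                     = "${var.env["env"]}-tgw-1"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  tags = {
    Name = "${var.env["env"]}-tgw-1"
  }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "tgwa_1" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw_1.id
  vpc_id             = aws_vpc.vpc_1.id
  subnet_ids         = [aws_subnet.subnet_1a.id, aws_subnet.subnet_1c.id]
  tags = {
    Name = "${var.env["env"]}-tgwa-1"
  }
}

resource "aws_ec2_transit_gateway_vpc_attachment" "tgwa_2" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw_1.id
  vpc_id             = aws_vpc.vpc_2.id
  subnet_ids         = [aws_subnet.subnet_2a.id, aws_subnet.subnet_2c.id]
  tags = {
    Name = "${var.env["env"]}-tgwa-2"
  }
}

# One TGW route table per attachment, each carrying exactly one static route to
# the other VPC. With propagation disabled nothing else is ever learned.
resource "aws_ec2_transit_gateway_route_table" "tgwr_1" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw_1.id
  tags = {
    Name = "${var.env["env"]}-tgwr-1"
  }
}

resource "aws_ec2_transit_gateway_route_table" "tgwr_2" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw_1.id
  tags = {
    Name = "${var.env["env"]}-tgwr-2"
  }
}

resource "aws_ec2_transit_gateway_route" "tgw_route_vpc1_to_vpc2" {
  destination_cidr_block         = var.vpc_network["ser02"]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgwr_1.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgwa_2.id
}

resource "aws_ec2_transit_gateway_route" "tgw_route_vpc2_to_vpc1" {
  destination_cidr_block         = var.vpc_network["ser01"]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgwr_2.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgwa_1.id
}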
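# Attachment-to-route-table bindings, security groups, the two test instances
# and their instance profiles.
#
# Change from the original: the instances now set vpc_security_group_ids.
# The provider documents security_groups as the EC2-Classic / default-VPC
# attribute that takes group *names*; for instances launched into a VPC with an
# explicit subnet_id, vpc_security_group_ids is the attribute that takes IDs.

resource "aws_ec2_transit_gateway_route_table_association" "tgw_assoc_1" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgwa_1.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgwr_1.id
}

resource "aws_ec2_transit_gateway_route_table_association" "tgw_assoc_2" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.tgwa_2.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.tgwr_2.id
}

# Inbound: every protocol, but only from the peer VPC's /24 — nothing from
# 0.0.0.0/0, so the public IP below is not reachable from the internet.
# ICMP alone would satisfy the ping test in this post if a tighter rule is wanted.
# Outbound: anywhere, which the SSM agent needs to reach the SSM endpoints.
resource "aws_security_group" "sg_1" {
  vpc_id = aws_vpc.vpc_1.id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_network["ser02"]]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.env["env"]}-sg-1"
  }
}

resource "aws_security_group" "sg_2" {
  vpc_id = aws_vpc.vpc_2.id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_network["ser01"]]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.env["env"]}-sg-2"
  }
}

# Test instances. No key pair and no port-22 rule: access is via SSM only,
# through the instance profile below. The public IP is needed because no VPC
# endpoints for SSM are defined in this configuration, so the agent reaches the
# service over the IGW. AMI IDs are region-specific; ami-023ff3d4ab11b2525 is
# presumably an ap-northeast-1 image — verify if var.region is changed.
resource "aws_instance" "ec2_1" {
  ami                         = "ami-023ff3d4ab11b2525"
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.subnet_1a.id
  vpc_security_group_ids      = [aws_security_group.sg_1.id]
  iam_instance_profile        = aws_iam_instance_profile.instance_profile_1.name
  associate_public_ip_address = true
  tags = {
    Name = "${var.env["env"]}-ec2-1"
  }
}

resource "aws_instance" "ec2_2" {
  ami                         = "ami-023ff3d4ab11b2525"
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.subnet_2a.id
  vpc_security_group_ids      = [aws_security_group.sg_2.id]
  iam_instance_profile        = aws_iam_instance_profile.instance_profile_2.name
  associate_public_ip_address = true
  tags = {
    Name = "${var.env["env"]}-ec2-2"
  }
}

resource "aws_iam_instance_profile" "instance_profile_1" {
  name = "${var.env["env"]}-instance-profile-1"
  role = aws_iam_role.iamrole_1.name
}

resource "aws_iam_instance_profile" "instance_profile_2" {
  name = "${var.env["env"]}-instance-profile-2"
  role = aws_iam_role.iamrole_2.name
}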
# Instance roles. The trust policy is written once and shared: only the EC2
# service principal may assume either role. The only permission granted is the
# AWS-managed AmazonSSMManagedInstanceCore policy, which is what Session Manager
# access requires — no other AWS API access is given to the instances.
locals {
  ec2_assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action    = "sts:AssumeRole",
      Effect    = "Allow",
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role" "iamrole_1" {
  name               = "${var.env["env"]}-iamrole-1"
  assume_role_policy = local.ec2_assume_role_policy
}

resource "aws_iam_role" "iamrole_2" {
  name               = "${var.env["env"]}-iamrole-2"
  assume_role_policy = local.ec2_assume_role_policy
}

resource "aws_iam_role_policy_attachment" "ssm_policy_attachment-1" {
  role       = aws_iam_role.iamrole_1.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy_attachment" "ssm_policy_attachment-2" {
  role       = aws_iam_role.iamrole_2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
1-2.terraform実行
> terraform fmt
> terraform init
> terraform plan
> terraform apply
2.動作確認
2-1.1側EC2のIPアドレス確認

2-2.2側EC2のIPアドレス確認

2-3.1側EC2へSSMで接続し、2側EC2にpingを実行、疎通が通ることを確認

2-4.2側EC2へSSMで接続し、1側EC2にpingを実行、疎通が通ることを確認

3.削除
> terraform destroy
感想
意外と作るリソースが多くて大変