从本文档起,作者计划在AWS上做一系列DevOps/IaC相关实验,本文是第二篇,使用Terraform创建VPC网络。
本次实验架构图
Terraform代码
执行主文件main.tf
#terraform code to deploy VPC in AWS
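# Availability Zones currently usable in the provider region. The subnets
# below are spread across names[0] and names[1] of this list.
# (Quotes restored: HCL block labels and string values must be quoted.)
data "aws_availability_zones" "available" {
  state = "available"
}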
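# The VPC that holds every subnet of this experiment. DNS support and DNS
# hostnames are enabled so instances get resolvable AWS DNS names.
# Uses first-class `var.x` references instead of the legacy "${var.x}" form.
resource "aws_vpc" "IacVPC" {
  cidr_block           = var.vpc_cidr_block
  enable_dns_hostnames = true
  enable_dns_support   = true

  # NOTE(review): no aws_flow_log resource appears anywhere in this listing,
  # so traffic in this VPC is not logged; consider enabling VPC Flow Logs
  # for detection and forensics.
  tags = {
    Name = var.vpc_name
  }
}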
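# Public subnet in the first AZ. map_public_ip_on_launch gives every instance
# launched here a public IPv4 address, so only internet-facing components
# (load balancers, NAT gateways) belong in this subnet.
resource "aws_subnet" "IacVPC_PublicSubnet1" {
  vpc_id                  = aws_vpc.IacVPC.id
  cidr_block              = var.PublicSubnet1_cidr_block
  availability_zone       = data.aws_availability_zones.available.names[0]
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.vpc_name}-PublicSubnet1"
  }
}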
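# Public subnet in the second AZ; same auto-assign-public-IP behaviour as
# PublicSubnet1, so keep only internet-facing components here.
resource "aws_subnet" "IacVPC_PublicSubnet2" {
  vpc_id                  = aws_vpc.IacVPC.id
  cidr_block              = var.PublicSubnet2_cidr_block
  availability_zone       = data.aws_availability_zones.available.names[1]
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.vpc_name}-PublicSubnet2"
  }
}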
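# Private application subnet in the first AZ. No public IPs are assigned;
# outbound internet access goes through NATGW1 via RouteTablePrivate1.
resource "aws_subnet" "IacVPC_AppSubnet1" {
  vpc_id            = aws_vpc.IacVPC.id
  cidr_block        = var.AppSubnet1_cidr_block
  availability_zone = data.aws_availability_zones.available.names[0]

  tags = {
    Name = "${var.vpc_name}-AppSubnet1"
  }
}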
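# Private application subnet in the second AZ. No public IPs are assigned;
# outbound internet access goes through NATGW2 via RouteTablePrivate2.
resource "aws_subnet" "IacVPC_AppSubnet2" {
  vpc_id            = aws_vpc.IacVPC.id
  cidr_block        = var.AppSubnet2_cidr_block
  availability_zone = data.aws_availability_zones.available.names[1]

  tags = {
    Name = "${var.vpc_name}-AppSubnet2"
  }
}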
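# Private database subnet in the first AZ. No public IPs are assigned.
# NOTE(review): it shares RouteTablePrivate1 with the app tier, so it also
# gets a default route to the internet through NATGW1 — see that route table.
resource "aws_subnet" "IacVPC_DBSubnet1" {
  vpc_id            = aws_vpc.IacVPC.id
  cidr_block        = var.DBSubnet1_cidr_block
  availability_zone = data.aws_availability_zones.available.names[0]

  tags = {
    Name = "${var.vpc_name}-DBSubnet1"
  }
}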
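# Private database subnet in the second AZ. No public IPs are assigned.
# NOTE(review): it shares RouteTablePrivate2 with the app tier, so it also
# gets a default route to the internet through NATGW2 — see that route table.
resource "aws_subnet" "IacVPC_DBSubnet2" {
  vpc_id            = aws_vpc.IacVPC.id
  cidr_block        = var.DBSubnet2_cidr_block
  availability_zone = data.aws_availability_zones.available.names[1]

  tags = {
    Name = "${var.vpc_name}-DBSubnet2"
  }
}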
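# Internet gateway attached to the VPC; the only path for inbound traffic
# from the internet (used by the public route table below).
resource "aws_internet_gateway" "IacIGW" {
  vpc_id = aws_vpc.IacVPC.id
}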
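# Route table for the two public subnets: default route to the internet
# gateway. The explicit depends_on is kept from the original even though the
# gateway_id reference inside the route already implies the dependency.
resource "aws_route_table" "RouteTablePublic" {
  vpc_id     = aws_vpc.IacVPC.id
  depends_on = [aws_internet_gateway.IacIGW]

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.IacIGW.id
  }

  tags = {
    Name = "${var.vpc_name}-public-route-table"
  }
}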
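# Attach PublicSubnet1 to the public route table.
resource "aws_route_table_association" "AssociationForRouteTablePublic0" {
  subnet_id      = aws_subnet.IacVPC_PublicSubnet1.id
  route_table_id = aws_route_table.RouteTablePublic.id
}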
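# Attach PublicSubnet2 to the public route table.
resource "aws_route_table_association" "AssociationForRouteTablePublic1" {
  subnet_id      = aws_subnet.IacVPC_PublicSubnet2.id
  route_table_id = aws_route_table.RouteTablePublic.id
}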
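# Elastic IP for NATGW1. `vpc = true` makes the VPC scope explicit for the
# 3.x provider pinned in provider.tf (provider 5.x replaced it with `domain`).
resource "aws_eip" "EIPNAT1" {
  vpc = true

  tags = {
    Name = "${var.vpc_name}-EIP-NAT1"
  }
}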
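# Elastic IP for NATGW2. `vpc = true` makes the VPC scope explicit for the
# 3.x provider pinned in provider.tf (provider 5.x replaced it with `domain`).
resource "aws_eip" "EIPNAT2" {
  vpc = true

  tags = {
    Name = "${var.vpc_name}-EIP-NAT2"
  }
}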
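# NAT gateway in PublicSubnet1 providing egress-only internet access for the
# private subnets in the first AZ (AppSubnet1, DBSubnet1).
resource "aws_nat_gateway" "NATGW1" {
  subnet_id         = aws_subnet.IacVPC_PublicSubnet1.id
  connectivity_type = "public"
  allocation_id     = aws_eip.EIPNAT1.id

  tags = {
    Name = "NATGW1"
  }
}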
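# NAT gateway in PublicSubnet2 providing egress-only internet access for the
# private subnets in the second AZ (AppSubnet2, DBSubnet2).
resource "aws_nat_gateway" "NATGW2" {
  subnet_id         = aws_subnet.IacVPC_PublicSubnet2.id
  connectivity_type = "public"
  allocation_id     = aws_eip.EIPNAT2.id

  tags = {
    Name = "NATGW2"
  }
}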
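# Route table for the first-AZ private subnets: default route via NATGW1.
# NOTE(review): both AppSubnet1 and DBSubnet1 are associated with this table,
# so the DB tier gets outbound internet access too; a separate route table
# without a 0.0.0.0/0 route would keep the DB tier egress-restricted.
resource "aws_route_table" "RouteTablePrivate1" {
  vpc_id     = aws_vpc.IacVPC.id
  depends_on = [aws_nat_gateway.NATGW1]

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.NATGW1.id
  }

  tags = {
    Name = "${var.vpc_name}-private-route-table-1"
  }
}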
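# Attach AppSubnet1 to the first-AZ private route table.
resource "aws_route_table_association" "AssociationForRouteTablePrivate1a" {
  subnet_id      = aws_subnet.IacVPC_AppSubnet1.id
  route_table_id = aws_route_table.RouteTablePrivate1.id
}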
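# Attach DBSubnet1 to the first-AZ private route table (shares NAT egress
# with the app tier; see RouteTablePrivate1).
resource "aws_route_table_association" "AssociationForRouteTablePrivate1b" {
  subnet_id      = aws_subnet.IacVPC_DBSubnet1.id
  route_table_id = aws_route_table.RouteTablePrivate1.id
}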
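# Route table for the second-AZ private subnets: default route via NATGW2.
# NOTE(review): both AppSubnet2 and DBSubnet2 are associated with this table,
# so the DB tier gets outbound internet access too; a separate route table
# without a 0.0.0.0/0 route would keep the DB tier egress-restricted.
resource "aws_route_table" "RouteTablePrivate2" {
  vpc_id     = aws_vpc.IacVPC.id
  depends_on = [aws_nat_gateway.NATGW2]

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.NATGW2.id
  }

  tags = {
    Name = "${var.vpc_name}-private-route-table-2"
  }
}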
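# Attach AppSubnet2 to the second-AZ private route table.
resource "aws_route_table_association" "AssociationForRouteTablePrivate2a" {
  subnet_id      = aws_subnet.IacVPC_AppSubnet2.id
  route_table_id = aws_route_table.RouteTablePrivate2.id
}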
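# Attach DBSubnet2 to the second-AZ private route table (shares NAT egress
# with the app tier; see RouteTablePrivate2).
resource "aws_route_table_association" "AssociationForRouteTablePrivate2b" {
  subnet_id      = aws_subnet.IacVPC_DBSubnet2.id
  route_table_id = aws_route_table.RouteTablePrivate2.id
}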
声明参数variables.tf
#define variable for VPC deploy
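# AWS region the provider block in provider.tf deploys into.
variable "aws_region" {
  description = "AWS region to deploy the VPC into"
  type        = string
}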
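# Base name used in the Name tag of the VPC and as a prefix for its children.
variable "vpc_name" {
  description = "Name tag of the VPC; also prefixes subnet, route table and EIP names"
  type        = string
}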
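# Address range of the whole VPC; every subnet CIDR below must fall inside it.
variable "vpc_cidr_block" {
  description = "IPv4 CIDR block of the VPC"
  type        = string
}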
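variable "PublicSubnet1_cidr_block" {
  description = "IPv4 CIDR block of the public subnet in the first AZ"
  type        = string
}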
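variable "PublicSubnet2_cidr_block" {
  description = "IPv4 CIDR block of the public subnet in the second AZ"
  type        = string
}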
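variable "AppSubnet1_cidr_block" {
  description = "IPv4 CIDR block of the private application subnet in the first AZ"
  type        = string
}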
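variable "AppSubnet2_cidr_block" {
  description = "IPv4 CIDR block of the private application subnet in the second AZ"
  type        = string
}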
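variable "DBSubnet1_cidr_block" {
  description = "IPv4 CIDR block of the private database subnet in the first AZ"
  type        = string
}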
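variable "DBSubnet2_cidr_block" {
  description = "IPv4 CIDR block of the private database subnet in the second AZ"
  type        = string
}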
参数文件vpc.tfvars
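# Variable values for this deployment (passed with -var-file=vpc.tfvars).
# String values are quoted as HCL requires; all subnet ranges are /24 slices
# of the /16 VPC range.
aws_region     = "ap-northeast-1"
vpc_name       = "MgtVPC"
vpc_cidr_block = "10.10.0.0/16"

PublicSubnet1_cidr_block = "10.10.0.0/24"
PublicSubnet2_cidr_block = "10.10.1.0/24"
AppSubnet1_cidr_block    = "10.10.2.0/24"
AppSubnet2_cidr_block    = "10.10.3.0/24"
DBSubnet1_cidr_block     = "10.10.4.0/24"
DBSubnet2_cidr_block     = "10.10.5.0/24"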
Provider文件
#provider info
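# Terraform/provider pinning and remote state configuration.
terraform {
  # required_providers with a "source" attribute needs Terraform 0.13 or newer.
  required_version = ">= 0.13"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.63.0"
    }
  }

  # Remote state in S3. State files contain resource IDs and any sensitive
  # attribute values, so server-side encryption is enabled. For safe
  # concurrent runs also set dynamodb_table = "<state-lock-table>" (placeholder)
  # to enable state locking.
  backend "s3" {
    bucket  = "garyterraform"
    region  = "ap-northeast-1"
    key     = "aws/ec2/"
    encrypt = true
  }
}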
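# AWS provider; credentials come from the environment/instance profile of the
# machine running Terraform, the region from vpc.tfvars.
provider "aws" {
  region = var.aws_region
}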
output文件
#provide outputs of vpc
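# ID of the created VPC, for use by later stacks in this series.
output "IacVPC" {
  description = "VPC ID"
  value       = aws_vpc.IacVPC.id
}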
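output "PublicSubnet1" {
  description = "Public Subnet 1 ID"
  value       = aws_subnet.IacVPC_PublicSubnet1.id
}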
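output "PublicSubnet2" {
  description = "Public Subnet 2 ID"
  value       = aws_subnet.IacVPC_PublicSubnet2.id
}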
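output "AppSubnet1" {
  description = "App Subnet 1 ID"
  value       = aws_subnet.IacVPC_AppSubnet1.id
}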
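output "AppSubnet2" {
  description = "App Subnet 2 ID"
  value       = aws_subnet.IacVPC_AppSubnet2.id
}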
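output "DBSubnet1" {
  description = "DB Subnet 1 ID"
  value       = aws_subnet.IacVPC_DBSubnet1.id
}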
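output "DBSubnet2" {
  description = "DB Subnet 2 ID"
  value       = aws_subnet.IacVPC_DBSubnet2.id
}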
执行Terraform代码
在文件所在目录,查看当前目录
$ ll
total 24
-rw-r--r-- 1 ec2-user ec2-user 4656 Nov 28 13:01 main.tf
-rw-r--r-- 1 ec2-user ec2-user 742 Nov 28 12:56 output.tf
-rw-rw-r-- 1 ec2-user ec2-user 324 Nov 28 12:55 provider.tf
-rw-r--r-- 1 ec2-user ec2-user 525 Nov 28 13:02 variables.tf
-rw-r--r-- 1 ec2-user ec2-user 402 Nov 28 13:03 vpc.tfvars
执行Terraform plan
本例中,使用的terraform虚拟机IAM role profile具有账号administrator权限
terraform plan --var-file=vpc.tfvars
输出
......
Plan: 21 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ AppSubnet1 = (known after apply)
+ AppSubnet2 = (known after apply)
+ DBSubnet1 = (known after apply)
+ DBSubnet2 = (known after apply)
+ IacVPC = (known after apply)
+ PublicSubnet1 = (known after apply)
+ PublicSubnet2 = (known after apply)
执行Terraform apply
terraform apply --var-file=vpc.tfvars
输出
Apply complete! Resources: 21 added, 0 changed, 0 destroyed.
Outputs:
AppSubnet1 = subnet-07cc489a625fb14ce
AppSubnet2 = subnet-045dca9d5d99e3641
DBSubnet1 = subnet-0ce0b7460b3b5cb8e
DBSubnet2 = subnet-01bfbac75067cd391
IacVPC = vpc-0925de65bf92063c1
PublicSubnet1 = subnet-0dd8158c152d28833
PublicSubnet2 = subnet-0929a5584a44be731
查看已创建VPC
在Portal上查看刚刚创建的VPC