
2019 iT 邦幫忙鐵人賽

DAY 18

5. Building EC2 instances in a private subnet with Terraform

Fellow members, if you have been following along, you have already completed the "upper half" of the diagram below. To explain the SSH setup completely, and to get more familiar with Terraform's syntax, today we continue with the part of the architecture inside the red box in the diagram.

privateSubnetInstance.tf

Put this file in the same folder as the earlier sample.tf; it references the bastion_from_bright security group defined there, so the two files must be in the same configuration.

    # Terraform 0.11 (HCL1) syntax: `tags { }` blocks and "${...}" interpolation.
    # Terraform 0.12+ writes these as `tags = { }` and bare expressions.

    # Look up the account's default VPC (172.31.0.0/16 in a fresh account).
    data "aws_vpc" "default" {
       default = true
    }

    # A route table with no route blocks holds only the VPC's implicit "local"
    # route, so hosts in this subnet can neither reach nor be reached from the internet.
    resource "aws_route_table" "RT_private" {
        vpc_id = "${data.aws_vpc.default.id}"
        tags {
            Name = "RT_private"
        }
    }

    # Without this association the subnet would keep using the default VPC's
    # main route table, which does route to the internet gateway.
    resource "aws_route_table_association" "RT_association_private" {
        subnet_id = "${aws_subnet.private_subnet.id}"
        route_table_id = "${aws_route_table.RT_private.id}"
    }

    resource "aws_subnet" "private_subnet" {
        vpc_id            = "${data.aws_vpc.default.id}"
        availability_zone = "ap-northeast-1a"
        # carve subnet number 48 of the /24s out of the VPC's /16:
        # 172.31.0.0/16 -> 172.31.48.0/24
        cidr_block        = "${cidrsubnet(data.aws_vpc.default.cidr_block, 8, 48)}"
    }


    resource "aws_instance" "private_subnet_instance" {
      count         = "3"
      ami           = "ami-0689a2637ab83e607"   # AMI IDs are region-specific (ap-northeast-1 here)
      instance_type = "t2.micro"
      key_name      = "private_subnet_key"      # a second key pair, separate from the bastion's
      subnet_id     = "${aws_subnet.private_subnet.id}"
      vpc_security_group_ids = [
        "${aws_security_group.bastion_to_private.id}"
      ]
      tags {
          Name = "private_subnet_instance_${count.index}"   # ..._0, _1, _2
      }
    }

    # Only SSH, and only from the bastion's security group (bastion_from_bright,
    # defined in sample.tf); no CIDR-based rules at all.
    resource "aws_security_group" "bastion_to_private" {
        name = "bastion_to_private"
        description = "ssh demo"

        ingress {
            from_port = 22
            to_port = 22
            protocol = "tcp"
            security_groups = [
                "${aws_security_group.bastion_from_bright.id}"
            ]
        }

        # Security groups are stateful, so replies to inbound SSH do not need this
        # rule; it limits what the private hosts may initiate to SSH toward the bastion.
        egress {
            from_port = 22
            to_port = 22
            protocol = "tcp"
            security_groups = [
                "${aws_security_group.bastion_from_bright.id}"
            ]
        }
    }
  • data "aws_vpc" "default" {...}

    • Data source configuration
      Lets a Terraform configuration read "data" that comes from outside Terraform, or that is defined in another configuration. Here it is the VPC (data) supplied by the provider (AWS).
    • aws_vpc
      Terraform docs
    • default = true
      Whether this is the account's default VPC.
  • resource "aws_route_table" "RT_private" {...}

    • aws_route_table
      Terraform docs
    • vpc_id = "${data.aws_vpc.default.id}"
      This is interpolation syntax again (starting with ${data...). Note that no route blocks are declared, so the table contains only the VPC's implicit "local" route: the subnet is cut off from the internet in both directions, which is what makes it "private".
  • resource "aws_route_table_association" "RT_association_private" {...}
    Attaches RT_private to the private subnet. Without it the subnet would inherit the default VPC's main route table, whose 0.0.0.0/0 route points at the internet gateway.

  • resource "aws_subnet" "private_subnet" {...}:

    • aws_subnet
      Terraform docs
    • cidr_block = "${cidrsubnet(data.aws_vpc.default.cidr_block, 8, 48)}"
      Terraform has built-in interpolation functions; cidrsubnet(prefix, newbits, netnum) computes the CIDR for you by lengthening the prefix by newbits and choosing subnet number netnum (172.31.0.0/16 >>> 172.31.48.0/24). netnum must fit in newbits (0 to 255 for 8 bits), otherwise the plan fails.
  • resource "aws_instance" "private_subnet_instance" {...}

    • count = "3"
      How many copies of the same resource to create. count is a meta-argument available on every resource block (in Terraform 0.11 it is not available on module blocks); count.index (0, 1, 2) is what gives each instance a distinct Name tag.
    • key_name = "private_subnet_key"
      A "second" key pair is used here. key_name only references a key pair by name; it has to exist in the account already (or be created with an aws_key_pair resource), otherwise apply fails. (More on this later…)
  • resource "aws_security_group" "bastion_to_private" {...}
    Introduced earlier. In short, only port 22 is open between the bastion (public subnet) instance and the hosts (private subnet) instances, and the source is the bastion's security group rather than a CIDR, so the rule keeps working even if the bastion's IP changes. Security groups are stateful, so the egress rule is not needed for SSH replies; it only restricts what the private hosts may initiate (SSH to the bastion). Since RT_private has no NAT route they have no other way out anyway, so package installs will need a NAT gateway or a proxy through the bastion.

Execute the plan: terraform apply (run terraform plan first and read what will be created).

No screenshots this time; try it out for yourselves…
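Before applying, it is worth checking the plan for the mistakes that silently turn a "private" subnet public: a default route in the route table, a CIDR source on the SSH rule, or a public IP on an instance. The script below is an added example, not code from the original post. It reads the JSON that `terraform show -json tfplan` prints (Terraform 0.12+; the 0.11 syntax used in the post has no JSON plan output), and it also re-implements cidrsubnet() to confirm the subnet's CIDR is the one the expression in privateSubnetInstance.tf computes. The plan embedded in it is constructed by hand to mirror the resources above, and the sg-/igw- identifiers in it are placeholders, not real resources.

```python
"""Pre-apply policy check for the private-subnet layout (added example)."""
import ipaddress
import json
import sys


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Python equivalent of Terraform's cidrsubnet(prefix, newbits, netnum):
    lengthen the prefix by newbits and pick subnet number netnum."""
    net = ipaddress.ip_network(prefix)
    new_len = net.prefixlen + newbits
    if new_len > net.max_prefixlen:
        raise ValueError(f"{prefix} cannot be extended by {newbits} bits")
    if not 0 <= netnum < (1 << newbits):
        raise ValueError(f"netnum {netnum} does not fit in {newbits} bits")
    host_bits = net.max_prefixlen - new_len
    base = int(net.network_address) + (netnum << host_bits)
    return f"{type(net.network_address)(base)}/{new_len}"


# Constructed sample shaped like `terraform show -json` output (subset of keys);
# it mirrors privateSubnetInstance.tf, it is not real plan output.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_subnet.private_subnet", "type": "aws_subnet",
         "values": {"cidr_block": "172.31.48.0/24",
                    "map_public_ip_on_launch": False}},
        {"address": "aws_route_table.RT_private", "type": "aws_route_table",
         "values": {"route": []}},  # no routes declared: local-only table
        {"address": "aws_security_group.bastion_to_private",
         "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22,
                                 "protocol": "tcp", "cidr_blocks": [],
                                 "security_groups": ["sg-bastion-placeholder"]}]}},
    ] + [
        {"address": f"aws_instance.private_subnet_instance[{i}]",
         "type": "aws_instance",
         "values": {"associate_public_ip_address": False,
                    "key_name": "private_subnet_key"}}
        for i in range(3)
    ]}},
})


def _resources(plan: dict, rtype: str) -> list:
    return [r for r in plan["planned_values"]["root_module"].get("resources", [])
            if r["type"] == rtype]


def check_private_layout(plan_json: str, vpc_cidr: str,
                         newbits: int = 8, netnum: int = 48) -> list:
    """Return a list of violations; an empty list means the plan is acceptable."""
    plan = json.loads(plan_json)
    problems = []
    expected = cidrsubnet(vpc_cidr, newbits, netnum)
    for s in _resources(plan, "aws_subnet"):
        v = s["values"]
        if v.get("cidr_block") != expected:
            problems.append(f"{s['address']}: cidr {v.get('cidr_block')} != {expected}")
        if v.get("map_public_ip_on_launch"):
            problems.append(f"{s['address']}: auto-assigns public IPs")
    for rt in _resources(plan, "aws_route_table"):
        for route in rt["values"].get("route") or []:
            if route.get("cidr_block") == "0.0.0.0/0" or route.get("ipv6_cidr_block") == "::/0":
                target = route.get("gateway_id") or route.get("nat_gateway_id")
                problems.append(f"{rt['address']}: default route via {target}")
    for sg in _resources(plan, "aws_security_group"):
        for rule in sg["values"].get("ingress") or []:
            cidrs = rule.get("cidr_blocks") or rule.get("ipv6_cidr_blocks")
            if cidrs:  # the rule must use a source security group, never a CIDR
                problems.append(f"{sg['address']}: ingress tcp/{rule.get('from_port')} open to {cidrs}")
    for inst in _resources(plan, "aws_instance"):
        if inst["values"].get("associate_public_ip_address"):
            problems.append(f"{inst['address']}: would get a public IP")
    return problems


def with_internet_exposure(plan_json: str) -> str:
    """Mutated copy of a plan: add a default route via an internet gateway and a
    world-open SSH rule, the two changes that would make the subnet public."""
    plan = json.loads(plan_json)
    for r in plan["planned_values"]["root_module"]["resources"]:
        if r["type"] == "aws_route_table":
            r["values"]["route"] = [{"cidr_block": "0.0.0.0/0",
                                     "gateway_id": "igw-placeholder"}]
        if r["type"] == "aws_security_group":
            r["values"]["ingress"][0]["cidr_blocks"] = ["0.0.0.0/0"]
    return json.dumps(plan)


if __name__ == "__main__":
    # Pipe a real plan in (terraform show -json tfplan | python check_plan.py),
    # otherwise the constructed sample and its exposed variant are checked.
    if not sys.stdin.isatty():
        print(check_private_layout(sys.stdin.read(), "172.31.0.0/16") or "OK")
    else:
        print("sample plan:", check_private_layout(SAMPLE_PLAN, "172.31.0.0/16") or "OK")
        for p in check_private_layout(with_internet_exposure(SAMPLE_PLAN), "172.31.0.0/16"):
            print("exposed plan:", p)
```

Values that are only known at apply time, such as the bastion security group's ID, appear under after_unknown in a real plan rather than in planned_values, which is why the check keys on cidr_blocks (known from the configuration) instead of on security_groups.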


To be continued…


Previous: 一大堆機器,到底哪一台是哪一台 @@ > SSH III
Next: 一大堆機器,到底哪一台是哪一台 @@ > SSH V
Series: AWS高手同事離職後不止30天 (30 articles)
