五、用Terraform建立EC2 instances in Private Subnet

各位邦友，如果各位有跟著做的話，目前已經完成下圖的「上半部」囉，為了完整說明SSH的設定，另外想更進一步熟悉Terraform更多的語法，今天就來繼續完成下圖紅色框框部份的架構。

privateSubnetInstance.tf

把這個檔案跟之前的sample.tf放在一起即可(相同資料夾)

    data "aws_vpc" "default" {
       default = true
    }

    resource "aws_route_table" "RT_private" {
        vpc_id = "${data.aws_vpc.default.id}"
        tags {
            Name = "RT_private"
        }
    }

    resource "aws_route_table_association" "RT_association_private" {
        subnet_id = "${aws_subnet.private_subnet.id}"
        route_table_id = "${aws_route_table.RT_private.id}"
    }

    resource "aws_subnet" "private_subnet" {
        # 172.31.0.0/16
        vpc_id            = "${data.aws_vpc.default.id}"
        availability_zone = "ap-northeast-1a"
        # 172.31.48.0/24`)
        cidr_block        = "${cidrsubnet(data.aws_vpc.default.cidr_block, 8, 48)}"
    }


    resource "aws_instance" "private_subnet_instance" {
      count         = "3"
      ami           = "ami-0689a2637ab83e607"
      instance_type = "t2.micro"
      key_name      = "private_subnet_key"
      subnet_id     = "${aws_subnet.private_subnet.id}"
      vpc_security_group_ids = [
        "${aws_security_group.bastion_to_private.id}"
      ]
      tags {
          Name = "private_subnet_instance_${count.index}"
      }
    }

    resource "aws_security_group" "bastion_to_private" {
        name = "bastion_to_private"
        description = "ssh demo"

        ingress {
            from_port = 22
            to_port = 22
            protocol = "tcp"
            security_groups = [
                "${aws_security_group.bastion_from_bright.id}"
            ]
        }

        egress {
            from_port = 22
            to_port = 22
            protocol = "tcp"
            security_groups = [
                "${aws_security_group.bastion_from_bright.id}"
            ]
        }
    }

• data "aws_vpc" "default" {...}：

  • Data Source Configuration
    讓你在Terraform的設定檔中，可以從Terraform的外部取得「資料來源」，或是定義在另一個設定檔中的「資料來源」，本例就是由Provider(AWS)所提供的VPC(資料)。
  • aws_vpc
    Terraform Doc
  • default=true
    是否是「預設的VPC」

• resource "aws_route_table" "RT_private" {...}：

  • aws_route_table
    Terraform Doc
  • vpc_id="${data.aws_vpc.default.id}"
    這邊也是「插值」的語法(${data...開頭)

• resource "aws_route_table_association" "RT_association_private" {...}：

  • aws_route_table_association
    Terraform Doc
    設定哪個route table關聯哪個subnet

• resource "aws_subnet" "private_subnet" {...}:

  • aws_subnet
    Terraform Doc
  • cidr_block="${cidrsubnet(data.aws_vpc.default.cidr_block, 8, 48)}"
    這邊有Terraform內建插值的function可使用，cidrsubnet是幫你換算CIDR的(172.31.0.0/16 >>> 172.31.48.0/24)

• resource "aws_instance" "private_subnet_instance" {...}：

  • count="3"
    相同的資源要有幾個(不是任何資源都可以用這個參數)
  • key_name="private_subnet_key"
    這邊又建立「另一個」key pair喲。(後續再說明…)

• resource "aws_security_group" "bastion_to_private" {...}：
  之前介紹過了，簡單說，就是bastion(public subnet)instance 跟 hosts(private subnet)intances只開放22port

執行計畫：terraform apply

小編不截圖囉，各位看倌自己試試看…

待續…