Internet Gateway 是一種 VPC 元件,允許 VPC 中的資源與 public Internet 進行通信。它充當了 VPC 內部資源和外部 Internet 之間的網路出口。要使 VPC 中的資源能夠連接 Internet,您需要將其關聯到 Internet Gateway,並設定好對映的 Route Table。
本篇是實作常用的 AWS Ingetnet Gateway 服務之 Terraform 模組,完整的專案程式碼分享在我的 Github 上。
./modules/my_igw 目錄中:├── configs
│ ├── subnet
│ │ └── my-subnets.yaml
│ └── vpc
│ └── my-vpcs.yaml
├── example.tfvars
├── main.tf
├── modules
│ ├── my_igw
│ │ ├── internet_gateway.tf
│ │ ├── outputs.tf
│ │ ├── provider.tf
│ │ └── variables.tf
│ ├── my_subnets
│ └── my_vpc
└── variables.tf
my_igw 模組./modules/my_igw/outputs.tf:output "igw_id" {
value = aws_internet_gateway.my_igw.id
}
./modules/my_igw/provider.tf:provider "aws" {
region = var.aws_region
profile = var.aws_profile
}
./modules/my_igw/variables.tf:variable "aws_region" {
description = "AWS region"
default = "ap-northeast-1"
}
variable "aws_profile" {
description = "AWS profile"
default = ""
}
variable "project_name" {
type = string
description = "Project name"
default = ""
}
variable "department_name" {
type = string
description = "Department name"
default = "SRE"
}
variable "vpc_id" {
type = string
description = "The id of VPC"
}
./modules/my_igw/internet_gateway.tf:resource "aws_internet_gateway" "my_igw" {
tags = {
Department = var.department_name
Name = "${lower(var.project_name)}-igw"
Project = var.project_name
}
tags_all = {
Department = var.department_name
Name = "${lower(var.project_name)}-igw"
Project = var.project_name
}
vpc_id = var.vpc_id
depends_on = [
var.vpc_id
]
}
example.tfvars:aws_region="ap-northeast-1"
aws_profile="<YOUR_PROFILE>"
project_name="example"
department_name="SRE"
main.tf:terraform {
required_providers {
aws = {
version = "5.15.0"
}
}
backend "s3" {
bucket = "<YOUR_S3_BUCKET_NAME>"
dynamodb_table = "<YOUR_DYNAMODB_TABLE_NAME>"
key = "terraform.tfstate"
region = "ap-northeast-1"
shared_credentials_file = "~/.aws/config"
profile = "<YOUR_PROFILE>"
}
}
# vpc
module "vpc" {
aws_profile = var.aws_profile
aws_region = var.aws_region
department_name = var.department_name
project_name = var.project_name
vpc_path = "./configs/vpc/my-vpcs.yaml"
source = "./modules/my_vpc"
}
# subnet
module "subnet" {
aws_profile = var.aws_profile
aws_region = var.aws_region
department_name = var.department_name
project_name = var.project_name
vpc_id = module.vpc.my_vpcs["my-vpc"].id
subnet_path = "./configs/subnet/my-subnets.yaml"
source = "./modules/my_subnets"
}
module "igw" {
aws_profile = var.aws_profile
aws_region = var.aws_region
department_name = var.department_name
project_name = var.project_name
vpc_id = module.vpc.my_vpcs["my-vpc"].id
source = "./modules/my_igw"
}
於專案目錄下執行 terraform init && terraform plan --out .plan -var-file=example.tfvars 來確認一下結果:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
+ create
Terraform will perform the following actions:
# module.igw.aws_internet_gateway.my_igw will be created
+ resource "aws_internet_gateway" "my_igw" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "example-igw"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "example-igw"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-application-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.4.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-application-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.5.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-application-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.6.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.8.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.9.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.10.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-nat-server"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.3.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-nat-server"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-nat-server"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.16.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.17.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.18.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-public-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.0.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-public-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.1.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-public-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.2.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_vpc.my_vpcs["my-vpc"] will be created
+ resource "aws_vpc" "my_vpcs" {
+ arn = (known after apply)
+ assign_generated_ipv6_cidr_block = false
+ cidr_block = "10.2.0.0/16"
+ default_network_acl_id = (known after apply)
+ default_route_table_id = (known after apply)
+ default_security_group_id = (known after apply)
+ dhcp_options_id = (known after apply)
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_network_address_usage_metrics = (known after apply)
+ id = (known after apply)
+ instance_tenancy = "default"
+ ipv6_association_id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ ipv6_cidr_block_network_border_group = (known after apply)
+ main_route_table_id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-vpc"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-vpc"
+ "Project" = "example"
}
}
Plan: 15 to add, 0 to change, 0 to destroy.
──────────────────────────────────────────────────────────────────────────────────
Saved the plan to: .plan
To perform exactly these actions, run the following command to apply:
terraform apply ".plan"
Releasing state lock. This may take a few moments...
下一篇文章將會展示實作 AWS Network ACLs 之 Terraform 模組。
iThome鐵人賽
看影片追技術