iT邦幫忙

2023 iThome Ironman Contest (2023 iThome 鐵人賽)

DAY 11
DevOps

Series: Everyone uses Terraform to implement IaC, so why not write the code more concisely and readably? (大家都在用 Terraform 實作 IaC 為什麼不將程式寫得更簡潔易讀呢?), part 11

Building Terraform modules for commonly used AWS services: the Network ACLs instalment


Implementing the AWS Network ACLs module

A short summary of what an AWS Network ACL does:

  • A Network ACL is a security layer that filters traffic entering and leaving a subnet; it sits in front of the instance-level security groups.
  • Network ACLs are stateless (security groups are the stateful ones). An ACL is a numbered list of allow/deny entries keyed on CIDR block, protocol and port range; AWS evaluates the entries in ascending rule_no order, the first match decides, and a packet that matches no entry is dropped by the implicit deny ("*" rule). Because no connection state is kept, the reply direction has to be allowed explicitly, which is why the rule sets below open ephemeral port ranges (1024-65535 or 32768-65535) in the opposite direction of every service they permit.
  • A Network ACL is associated with one or more subnets, giving network-level control over everything in those subnets.

This post implements a Terraform module for the commonly used AWS Network ACLs service; the complete project code is shared on my GitHub.

  1. First define the overall project file layout. The AWS Network ACLs module lives in the ./modules/my_nacls directory:
├── configs
│   ├── subnet
│   │   └── my-subnets.yaml
│   └── vpc
│       └── my-vpcs.yaml
├── example.tfvars
├── main.tf
├── modules
│   ├── my_igw
│   ├── my_nacls
│   │   ├── network_acl.tf
│   │   ├── provider.tf
│   │   └── variables.tf
│   ├── my_subnets
│   └── my_vpc
└── variables.tf
  2. Write the my_nacls module
  • ./modules/my_nacls/provider.tf (a provider block inside a child module is a legacy pattern: Terraform refuses count, for_each and depends_on on a module that declares its own provider, so passing the provider in from the root module is the recommended layout):
provider "aws" {
    region  = var.aws_region
    profile = var.aws_profile
}
  • ./modules/my_nacls/variables.tf:
variable "aws_region" {
  description = "AWS region"
  default     = "ap-northeast-1"
}

variable "aws_profile" {
  description = "AWS profile"
  default     = ""
}

variable "project_name" {
  type        = string
  description = "Project name"
  default     = ""
}

variable "department_name" {
  type        = string
  description = "Department name"
  default     = "SRE"
}

variable "vpc_id" {
  type        = string
  description = "The id of VPC"
}

# network_acl.tf also references var.vpc_cidr and the subnet ids that main.tf
# passes in, so they have to be declared here too. No defaults on purpose:
# the module should fail at plan time if a subnet is not wired up.
variable "vpc_cidr" {
  type        = string
  description = "The CIDR block of the VPC, used for the intra-VPC rules"
}

variable "subnet_public_a_id" { type = string }
variable "subnet_public_c_id" { type = string }
variable "subnet_public_d_id" { type = string }
variable "subnet_application_a_id" { type = string }
variable "subnet_application_c_id" { type = string }
variable "subnet_application_d_id" { type = string }
variable "subnet_intra_a_id" { type = string }
variable "subnet_intra_c_id" { type = string }
variable "subnet_intra_d_id" { type = string }
variable "subnet_persistence_a_id" { type = string }
variable "subnet_persistence_c_id" { type = string }
variable "subnet_persistence_d_id" { type = string }
variable "subnet_nat_server_id" { type = string }

  • ./modules/my_nacls/network_acl.tf creates four Network ACLs; the subnets associated with each are listed below:
    • my_nat_acl
      • my-intra-ap-northeast-1a
      • my-intra-ap-northeast-1c
      • my-intra-ap-northeast-1d
      • my-nat-server
    • my_public_acl
      • my-public-ap-northeast-1a
      • my-public-ap-northeast-1c
      • my-public-ap-northeast-1d
    • my_application_acl
      • my-application-ap-northeast-1a
      • my-application-ap-northeast-1c
      • my-application-ap-northeast-1d
    • my_persistence_acl
      • my-persistence-ap-northeast-1a
      • my-persistence-ap-northeast-1c
      • my-persistence-ap-northeast-1d
        The code is as follows. A few things to keep in mind while reading it: my_nat_acl allows everything in both directions, which is the same behaviour as the default ACL. Because AWS stops at the first matching entry, a low-numbered "allow everything" entry turns every later entry for the same protocol into dead configuration: rule_no 1 in the public egress list (all TCP ports), rule_no 1 in the application egress list (all protocols) and rule_no 1 in the persistence ingress list (all TCP ports from 0.0.0.0/0) all do this, and the application ingress list ends with rule_no 1002 allowing all protocols from 0.0.0.0/0, so that ACL effectively admits any inbound traffic and its implicit deny is never reached. The ingress entries for port 22 from 0.0.0.0/0 (public rule 50, application rule 1000) are what the checkov checks skipped in main.tf would otherwise flag. Finally, the depends_on lists only name input variables that the same resource already references in subnet_ids and vpc_id, so they add no ordering that Terraform does not infer on its own.
resource "aws_network_acl" "my_nat_acl" {
  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "-1"
    rule_no    = "100"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "-1"
    rule_no    = "100"
    to_port    = "0"
  }

  subnet_ids = [
    var.subnet_intra_a_id,
    var.subnet_intra_c_id,
    var.subnet_intra_d_id,
    var.subnet_nat_server_id
  ]

  tags = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-nat"
    Project    = var.project_name
  }

  tags_all = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-nat"
    Project    = var.project_name
  }

  vpc_id = var.vpc_id

  depends_on = [
    var.subnet_intra_a_id,
    var.subnet_intra_c_id,
    var.subnet_intra_d_id,
    var.subnet_nat_server_id,
    var.vpc_id
  ]
}

resource "aws_network_acl" "my_public_acl" {
  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "-1"
    protocol   = "1"
    rule_no    = "3"
    to_port    = "0"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "1"
    to_port    = "65535"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "1024"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "119"
    to_port    = "65535"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "22"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "120"
    to_port    = "22"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "443"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "110"
    to_port    = "443"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "80"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "100"
    to_port    = "80"
  }

  egress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "0"
    protocol   = "1"
    rule_no    = "141"
    to_port    = "0"
  }

  egress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "8"
    protocol   = "1"
    rule_no    = "140"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "-1"
    protocol   = "1"
    rule_no    = "10"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "17"
    rule_no    = "1000"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "1024"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "999"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "443"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "110"
    to_port    = "443"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "22"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "50"
    to_port    = "22"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "80"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "100"
    to_port    = "80"
  }

  subnet_ids = [
    var.subnet_public_a_id,
    var.subnet_public_c_id,
    var.subnet_public_d_id
  ]

  tags = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-public"
    Project    = var.project_name
  }

  tags_all = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-public"
    Project    = var.project_name
  }

  vpc_id = var.vpc_id

  depends_on = [
    var.subnet_public_a_id,
    var.subnet_public_c_id,
    var.subnet_public_d_id,
    var.vpc_id
  ]
}

resource "aws_network_acl" "my_application_acl" {
  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "-1"
    protocol   = "1"
    rule_no    = "140"
    to_port    = "0"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "-1"
    rule_no    = "1"
    to_port    = "0"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "1024"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "130"
    to_port    = "65535"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "22"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "802"
    to_port    = "22"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "443"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "110"
    to_port    = "443"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "80"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "100"
    to_port    = "80"
  }

  egress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "23"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "900"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "-1"
    protocol   = "1"
    rule_no    = "140"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "-1"
    rule_no    = "1002"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "17"
    rule_no    = "1"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "1024"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "130"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "22"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "1000"
    to_port    = "22"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "22"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "120"
    to_port    = "22"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "23"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "900"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "80"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "999"
    to_port    = "80"
  }

  subnet_ids = [
    var.subnet_application_a_id,
    var.subnet_application_c_id,
    var.subnet_application_d_id
  ]

  tags = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-application"
    Project    = var.project_name
  }

  tags_all = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-application"
    Project    = var.project_name
  }

  vpc_id = var.vpc_id

  depends_on = [
    var.subnet_application_a_id,
    var.subnet_application_c_id,
    var.subnet_application_d_id,
    var.vpc_id
  ]
}

resource "aws_network_acl" "my_persistence_acl" {
  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "32768"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "130"
    to_port    = "65535"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "443"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "110"
    to_port    = "443"
  }

  egress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "80"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "100"
    to_port    = "80"
  }

  egress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "0"
    protocol   = "1"
    rule_no    = "141"
    to_port    = "0"
  }

  egress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "8"
    protocol   = "1"
    rule_no    = "140"
    to_port    = "0"
  }

  egress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "23"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "900"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "0"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "1"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = "32768"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "130"
    to_port    = "65535"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "0"
    protocol   = "1"
    rule_no    = "141"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "0"
    icmp_code  = "-1"
    icmp_type  = "8"
    protocol   = "1"
    rule_no    = "140"
    to_port    = "0"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "22"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "120"
    to_port    = "22"
  }

  ingress {
    action     = "allow"
    cidr_block = var.vpc_cidr
    from_port  = "23"
    icmp_code  = "0"
    icmp_type  = "0"
    protocol   = "6"
    rule_no    = "900"
    to_port    = "65535"
  }

  subnet_ids = [
    var.subnet_persistence_a_id,
    var.subnet_persistence_c_id,
    var.subnet_persistence_d_id
  ]

  tags = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-persistence"
    Project    = var.project_name
  }

  tags_all = {
    Department = var.department_name
    Name       = "${lower(var.project_name)}-persistence"
    Project    = var.project_name
  }

  vpc_id = var.vpc_id

  depends_on = [
    var.subnet_persistence_a_id,
    var.subnet_persistence_c_id,
    var.subnet_persistence_d_id,
    var.vpc_id
  ]
}
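Because an ACL is stateless and order-sensitive (see the summary at the top of the post), the most reliable way to see what the rule sets above actually permit is to replay packets against them. The script below is an added example, not code from the module or the author's repository. It mirrors the AWS evaluation order for the my_persistence_acl ingress list (ascending rule_no, first match wins, implicit deny otherwise), reports entries that can never be the deciding rule because an earlier entry already covers them, and then re-evaluates the same list with rule 1 removed. It assumes vpc_cidr is 10.2.0.0/16 (the value in the plan output) and uses constructed packets from the TEST-NET-3 range.

```python
"""Stateless Network ACL evaluation, mirroring how AWS applies an ACL: entries are
tried in ascending rule_no order, the first match decides, and a packet that
matches no entry hits the implicit deny ("*" rule).
Added example, not code from the original module. vpc_cidr is assumed to be
10.2.0.0/16 (the value shown in the plan output); all packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

ALL, ICMP, TCP, UDP = "-1", "1", "6", "17"   # protocol values as written in the HCL


@dataclass(frozen=True)
class Rule:
    rule_no: int
    action: str          # "allow" | "deny"
    cidr_block: str
    protocol: str
    from_port: int = 0
    to_port: int = 0
    icmp_type: int = -1  # -1 = any; only consulted for protocol "1"
    icmp_code: int = -1


@dataclass(frozen=True)
class Packet:
    ip: str              # source IP for an ingress list, destination IP for egress
    protocol: str
    port: int = 0        # destination port for TCP/UDP
    icmp_type: int = 0
    icmp_code: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.ip) not in ipaddress.ip_network(rule.cidr_block):
        return False
    if rule.protocol == ALL:
        return True                      # protocol -1 ignores ports and ICMP type/code
    if rule.protocol != pkt.protocol:
        return False
    if rule.protocol in (TCP, UDP):
        return rule.from_port <= pkt.port <= rule.to_port
    return (rule.icmp_type in (-1, pkt.icmp_type)
            and rule.icmp_code in (-1, pkt.icmp_code))


def evaluate(rules, pkt: Packet):
    """(action, rule_no) of the deciding entry, or ("deny", "*") when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if matches(rule, pkt):
            return rule.action, rule.rule_no
    return "deny", "*"


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet `later` could match is already decided by `earlier`."""
    if not ipaddress.ip_network(later.cidr_block).subnet_of(
            ipaddress.ip_network(earlier.cidr_block)):
        return False
    if earlier.protocol == ALL:
        return True
    if earlier.protocol != later.protocol:
        return False
    if earlier.protocol in (TCP, UDP):
        return earlier.from_port <= later.from_port and later.to_port <= earlier.to_port
    return (earlier.icmp_type in (-1, later.icmp_type)
            and earlier.icmp_code in (-1, later.icmp_code))


def shadowed_rules(rules):
    """rule_no of every entry that can never be the deciding rule (dead configuration)."""
    ordered = sorted(rules, key=lambda r: r.rule_no)
    return sorted(r.rule_no for i, r in enumerate(ordered)
                  if any(covers(e, r) for e in ordered[:i]))


VPC_CIDR = "10.2.0.0/16"   # assumed; matches the plan output above

# my_persistence_acl ingress entries, transcribed from network_acl.tf above
PERSISTENCE_INGRESS = [
    Rule(1,   "allow", "0.0.0.0/0", TCP, 0, 65535),
    Rule(130, "allow", "0.0.0.0/0", TCP, 32768, 65535),   # replies to outbound connections
    Rule(141, "allow", VPC_CIDR, ICMP, icmp_type=0),     # echo reply
    Rule(140, "allow", VPC_CIDR, ICMP, icmp_type=8),     # echo request
    Rule(120, "allow", VPC_CIDR, TCP, 22, 22),
    Rule(900, "allow", VPC_CIDR, TCP, 23, 65535),
]
# The same list without rule 1: the policy the remaining entries actually describe.
PERSISTENCE_INGRESS_TIGHT = [r for r in PERSISTENCE_INGRESS if r.rule_no != 1]

if __name__ == "__main__":
    ssh = Packet("203.0.113.10", TCP, 22)        # constructed Internet source (TEST-NET-3)
    reply = Packet("203.0.113.10", TCP, 40000)   # reply to an outbound HTTPS connection
    print(evaluate(PERSISTENCE_INGRESS, ssh))            # ('allow', 1)
    print(shadowed_rules(PERSISTENCE_INGRESS))           # [120, 130, 900]
    print(evaluate(PERSISTENCE_INGRESS_TIGHT, ssh))      # ('deny', '*')
    print(evaluate(PERSISTENCE_INGRESS_TIGHT, reply))    # ('allow', 130)
```

The first two lines of output show the problem with the list as written: rule 1 admits SSH (and every other TCP port) from the Internet into the persistence subnets, and rules 120, 130 and 900 are dead because rule 1 already covers them. Without rule 1 the list means what it looks like it means: SSH only from inside the VPC, and inbound packets from the Internet only on 32768-65535, which is the stateless caveat in practice. That range has to cover the ephemeral source ports of whatever initiates the outbound connection: Amazon Linux picks from 32768-61000 and Windows from 49152-65535, but a NAT gateway or load balancer uses 1024-65535, so a subnet hosting one of those needs the wider range the public and application ACLs open.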


  3. Write the project-level code
  • example.tfvars:
aws_region="ap-northeast-1"
aws_profile="<YOUR_PROFILE>"
project_name="example"
department_name="SRE"
  • main.tf:
terraform {
  required_providers {
    aws = {
      version = "5.15.0"
    }
  }

  backend "s3" {
    bucket                  = "<YOUR_S3_BUCKET_NAME>"
    dynamodb_table          = "<YOUR_DYNAMODB_TABLE_NAME>"
    key                     = "terraform.tfstate"
    region                  = "ap-northeast-1"
    shared_credentials_file = "~/.aws/config"
    profile                 = "<YOUR_PROFILE>"
  }
}



# nacl
module "nacl" {
  # checkov:skip=CKV_AWS_230: check it later
  # checkov:skip=CKV_AWS_229: check it later
  # checkov:skip=CKV_AWS_232: check it later
  # checkov:skip=CKV_AWS_231: check it later
  aws_profile             = var.aws_profile
  aws_region              = var.aws_region
  department_name         = var.department_name
  project_name            = var.project_name
  vpc_cidr                = module.vpc.my_vpcs["my-vpc"].cidr_block
  vpc_id                  = module.vpc.my_vpcs["my-vpc"].id
  subnet_public_a_id      = module.subnet.subnets["my-public-ap-northeast-1a"].id
  subnet_public_c_id      = module.subnet.subnets["my-public-ap-northeast-1c"].id
  subnet_public_d_id      = module.subnet.subnets["my-public-ap-northeast-1d"].id
  subnet_application_a_id = module.subnet.subnets["my-application-ap-northeast-1a"].id
  subnet_application_c_id = module.subnet.subnets["my-application-ap-northeast-1c"].id
  subnet_application_d_id = module.subnet.subnets["my-application-ap-northeast-1d"].id
  subnet_intra_a_id       = module.subnet.subnets["my-intra-ap-northeast-1a"].id
  subnet_intra_c_id       = module.subnet.subnets["my-intra-ap-northeast-1c"].id
  subnet_intra_d_id       = module.subnet.subnets["my-intra-ap-northeast-1d"].id
  subnet_persistence_a_id = module.subnet.subnets["my-persistence-ap-northeast-1a"].id
  subnet_persistence_c_id = module.subnet.subnets["my-persistence-ap-northeast-1c"].id
  subnet_persistence_d_id = module.subnet.subnets["my-persistence-ap-northeast-1d"].id
  subnet_nat_server_id    = module.subnet.subnets["my-nat-server"].id

  source = "./modules/my_nacls"
}
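main.tf suppresses four checkov findings: CKV_AWS_229, CKV_AWS_230, CKV_AWS_231 and CKV_AWS_232 flag an ACL ingress entry that lets 0.0.0.0/0 reach ports 21, 20, 3389 and 22 respectively, and the public ACL's ingress rule 50 and the application ACL's rule 1000 are exactly what they catch. If you would rather gate on the plan than on the HCL, the script below, an added example that is not part of the project, reads the JSON form of the plan (terraform show -json .plan > plan.json), and exits non-zero when an aws_network_acl being created or updated allows 0.0.0.0/0 to one of those ports, or allows all protocols from anywhere (as rule 1002 in the application ingress list does). The embedded plan fragment is constructed by hand and only carries the fields the check reads; a real plan.json has many more. The file name nacl_gate.py is an assumption.

```python
"""Plan-time gate for Network ACL ingress entries, run on `terraform show -json` output.
Added example, not part of the original project. Reproduces the four checkov checks
that main.tf skips (ingress from 0.0.0.0/0 to ports 20, 21, 22, 3389) and also flags
"allow all protocols from anywhere" entries. SAMPLE_PLAN below is constructed.
"""
import json
import sys

SENSITIVE_PORTS = {20: "CKV_AWS_230", 21: "CKV_AWS_229", 22: "CKV_AWS_232", 3389: "CKV_AWS_231"}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def _port_range(entry):
    """Ports an entry applies to; protocol -1 means every port whatever from/to say."""
    if str(entry.get("protocol")) == "-1":
        return 0, 65535
    return int(entry.get("from_port", 0)), int(entry.get("to_port", 0))


def findings_for_acl(address, after):
    """Yield (address, rule_no, text) for each risky ingress entry of one aws_network_acl."""
    for entry in after.get("ingress") or []:
        cidr = entry.get("cidr_block") or entry.get("ipv6_cidr_block") or ""
        if entry.get("action") != "allow" or cidr not in ANY_CIDR:
            continue
        proto = str(entry.get("protocol"))
        if proto == "-1":
            yield address, entry["rule_no"], "allows all protocols from anywhere"
            continue
        if proto not in ("6", "tcp"):          # the skipped checks are about TCP services
            continue
        lo, hi = _port_range(entry)
        for port, check in sorted(SENSITIVE_PORTS.items()):
            if lo <= port <= hi:
                yield address, entry["rule_no"], f"{check}: port {port} open to 0.0.0.0/0"


def scan_plan(plan):
    """Collect findings over every aws_network_acl the plan creates or updates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_network_acl":
            continue
        change = rc.get("change", {})
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue                             # deletes and no-ops carry no new exposure
        findings.extend(findings_for_acl(rc["address"], change.get("after") or {}))
    return findings


# Constructed fragment shaped like `terraform show -json` output, carrying the public
# ACL's ingress rules 50 (SSH from anywhere) and 110 (HTTPS) from the module above.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [{
        "address": "module.nacl.aws_network_acl.my_public_acl",
        "type": "aws_network_acl",
        "change": {"actions": ["create"], "after": {"ingress": [
            {"action": "allow", "cidr_block": "0.0.0.0/0", "protocol": "6",
             "rule_no": 50, "from_port": 22, "to_port": 22},
            {"action": "allow", "cidr_block": "0.0.0.0/0", "protocol": "6",
             "rule_no": 110, "from_port": 443, "to_port": 443},
        ]}},
    }],
}

if __name__ == "__main__":
    # usage: terraform show -json .plan > plan.json && python nacl_gate.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = scan_plan(plan)
    for address, rule_no, text in hits:
        print(f"{address} rule {rule_no}: {text}")
    sys.exit(1 if hits else 0)   # a non-zero exit fails the pipeline step
```

Run on the sample it reports rule 50 under CKV_AWS_232 and stays silent about rule 110; run on the real plan for this module it will also report application rule 1000, the all-protocol rule 1002 and, through the 0-65535 TCP entry, all four ports for persistence rule 1. That is the same information the checkov:skip comments hide, with the difference that the gate looks at the plan after variables such as vpc_cidr have been resolved.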


Terraform execution plan

Run terraform init && terraform plan --out .plan -var-file=example.tfvars in the project directory to check the result:


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # module.igw.aws_internet_gateway.my_igw will be created
  + resource "aws_internet_gateway" "my_igw" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Department" = "SRE"
          + "Name"       = "example-igw"
          + "Project"    = "example"
        }
      + tags_all = {
          + "Department" = "SRE"
          + "Name"       = "example-igw"
          + "Project"    = "example"
        }
      + vpc_id   = (known after apply)
    }

  # module.nacl.aws_network_acl.my_application_acl will be created
  + resource "aws_network_acl" "my_application_acl" {
      + arn        = (known after apply)
      + egress     = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = -1
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 140
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "-1"
              + rule_no         = 1
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 1024
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 130
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 22
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 802
              + to_port         = 22
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 443
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 110
              + to_port         = 443
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 80
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 100
              + to_port         = 80
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 23
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 900
              + to_port         = 65535
            },
        ]
      + id         = (known after apply)
      + ingress    = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = -1
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 140
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "-1"
              + rule_no         = 1002
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "17"
              + rule_no         = 1
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 1024
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 130
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 22
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 1000
              + to_port         = 22
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 22
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 120
              + to_port         = 22
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 23
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 900
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 80
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 999
              + to_port         = 80
            },
        ]
      + owner_id   = (known after apply)
      + subnet_ids = (known after apply)
      + tags       = {
          + "Department" = "SRE"
          + "Name"       = "example-application"
          + "Project"    = "example"
        }
      + tags_all   = {
          + "Department" = "SRE"
          + "Name"       = "example-application"
          + "Project"    = "example"
        }
      + vpc_id     = (known after apply)
    }

  # module.nacl.aws_network_acl.my_nat_acl will be created
  + resource "aws_network_acl" "my_nat_acl" {
      + arn        = (known after apply)
      + egress     = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "-1"
              + rule_no         = 100
              + to_port         = 0
            },
        ]
      + id         = (known after apply)
      + ingress    = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "-1"
              + rule_no         = 100
              + to_port         = 0
            },
        ]
      + owner_id   = (known after apply)
      + subnet_ids = (known after apply)
      + tags       = {
          + "Department" = "SRE"
          + "Name"       = "example-nat"
          + "Project"    = "example"
        }
      + tags_all   = {
          + "Department" = "SRE"
          + "Name"       = "example-nat"
          + "Project"    = "example"
        }
      + vpc_id     = (known after apply)
    }

  # module.nacl.aws_network_acl.my_persistence_acl will be created
  + resource "aws_network_acl" "my_persistence_acl" {
      + arn        = (known after apply)
      + egress     = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 32768
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 130
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 443
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 110
              + to_port         = 443
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 80
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 100
              + to_port         = 80
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 141
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = 8
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 140
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 23
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 900
              + to_port         = 65535
            },
        ]
      + id         = (known after apply)
      + ingress    = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 1
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 32768
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 130
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 141
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = 8
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 140
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 22
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 120
              + to_port         = 22
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 23
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 900
              + to_port         = 65535
            },
        ]
      + owner_id   = (known after apply)
      + subnet_ids = (known after apply)
      + tags       = {
          + "Department" = "SRE"
          + "Name"       = "example-persistence"
          + "Project"    = "example"
        }
      + tags_all   = {
          + "Department" = "SRE"
          + "Name"       = "example-persistence"
          + "Project"    = "example"
        }
      + vpc_id     = (known after apply)
    }

  # module.nacl.aws_network_acl.my_public_acl will be created
  + resource "aws_network_acl" "my_public_acl" {
      + arn        = (known after apply)
      + egress     = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = -1
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 3
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 1
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 1024
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 119
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 22
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 120
              + to_port         = 22
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 443
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 110
              + to_port         = 443
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 80
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 100
              + to_port         = 80
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 141
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "10.2.0.0/16"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = 8
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 140
              + to_port         = 0
            },
        ]
      + id         = (known after apply)
      + ingress    = [
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = -1
              + icmp_type       = -1
              + ipv6_cidr_block = ""
              + protocol        = "1"
              + rule_no         = 10
              + to_port         = 0
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 0
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "17"
              + rule_no         = 1000
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 1024
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 999
              + to_port         = 65535
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 22
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 50
              + to_port         = 22
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 443
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 110
              + to_port         = 443
            },
          + {
              + action          = "allow"
              + cidr_block      = "0.0.0.0/0"
              + from_port       = 80
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 100
              + to_port         = 80
            },
        ]
      + owner_id   = (known after apply)
      + subnet_ids = (known after apply)
      + tags       = {
          + "Department" = "SRE"
          + "Name"       = "example-public"
          + "Project"    = "example"
        }
      + tags_all   = {
          + "Department" = "SRE"
          + "Name"       = "example-public"
          + "Project"    = "example"
        }
      + vpc_id     = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-application-ap-northeast-1a"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.4.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-application-ap-northeast-1a"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-application-ap-northeast-1a"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-application-ap-northeast-1c"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1c"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.5.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-application-ap-northeast-1c"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-application-ap-northeast-1c"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-application-ap-northeast-1d"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1d"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.6.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-application-ap-northeast-1d"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-application-ap-northeast-1d"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1a"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.8.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-intra-ap-northeast-1a"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-intra-ap-northeast-1a"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1c"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1c"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.9.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-intra-ap-northeast-1c"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-intra-ap-northeast-1c"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1d"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1d"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.10.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-intra-ap-northeast-1d"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-intra-ap-northeast-1d"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-nat-server"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1d"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.3.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-nat-server"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-nat-server"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1a"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.16.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-persistence-ap-northeast-1a"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-persistence-ap-northeast-1a"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1c"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1c"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.17.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-persistence-ap-northeast-1c"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-persistence-ap-northeast-1c"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1d"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1d"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.18.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-persistence-ap-northeast-1d"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-persistence-ap-northeast-1d"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-public-ap-northeast-1a"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.0.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-public-ap-northeast-1a"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-public-ap-northeast-1a"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-public-ap-northeast-1c"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1c"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.1.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-public-ap-northeast-1c"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-public-ap-northeast-1c"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.subnet.aws_subnet.subnets["my-public-ap-northeast-1d"] will be created
  + resource "aws_subnet" "subnets" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "ap-northeast-1d"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.2.2.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_customer_owned_ip_on_launch                = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Department" = "SRE"
          + "Name"       = "my-public-ap-northeast-1d"
          + "Project"    = "example"
        }
      + tags_all                                       = {
          + "Department" = "SRE"
          + "Name"       = "my-public-ap-northeast-1d"
          + "Project"    = "example"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.vpc.aws_vpc.my_vpcs["my-vpc"] will be created
  + resource "aws_vpc" "my_vpcs" {
      + arn                                  = (known after apply)
      + assign_generated_ipv6_cidr_block     = false
      + cidr_block                           = "10.2.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Department" = "SRE"
          + "Name"       = "my-vpc"
          + "Project"    = "example"
        }
      + tags_all                             = {
          + "Department" = "SRE"
          + "Name"       = "my-vpc"
          + "Project"    = "example"
        }
    }

Plan: 19 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────────

Saved the plan to: .plan

To perform exactly these actions, run the following command to apply:
    terraform apply ".plan"

The next article will show the implementation of the Terraform module for the Bastion & NAT Server part.


Previous: Implementing Terraform modules for common AWS services - Internet Gateway
Next: Implementing Terraform modules for common AWS services - Bastion & NAT Server
Series: 大家都在用 Terraform 實作 IaC 為什麼不將程式寫得更簡潔易讀呢? (30 articles)