以下是 AWS Network ACLs 功能說明:
本篇是實作常用的 AWS Network ACLs 服務之 Terraform 模組,完整的專案程式碼分享在我的 Github 上。
./modules/my_nacls 目錄中:├── configs
│ ├── subnet
│ │ └── my-subnets.yaml
│ └── vpc
│ └── my-vpcs.yaml
├── example.tfvars
├── main.tf
├── modules
│ ├── my_igw
│ ├── my_nacls
│ │ ├── network_acl.tf
│ │ ├── provider.tf
│ │ └── variables.tf
│ ├── my_subnets
│ └── my_vpc
└── variables.tf
my_nacls 模組./modules/my_nacls/provider.tf:provider "aws" {
region = var.aws_region
profile = var.aws_profile
}
./modules/my_nacls/variables.tf:variable "aws_region" {
description = "AWS region"
default = "ap-northeast-1"
}
variable "aws_profile" {
description = "AWS profile"
default = ""
}
variable "project_name" {
type = string
description = "Project name"
default = ""
}
variable "department_name" {
type = string
description = "Department name"
default = "SRE"
}
variable "vpc_id" {
type = string
description = "The id of VPC"
}
./modules/my_nacls/my_nacl.tf 總共會建立五個 Network ACLs 與關聯的 subnets 分別如下:
my_nat_acl
my-intra-ap-northeast-1a
my-intra-ap-northeast-1c
my-intra-ap-northeast-1d
my-nat-server
my_public_acl
my-public-ap-northeast-1a
my-public-ap-northeast-1c
my-public-ap-northeast-1d
my_application_acl
my-application-ap-northeast-1a
my-application-ap-northeast-1c
my-application-ap-northeast-1d
my_persistence_acl
my-persistence-ap-northeast-1a
my-persistence-ap-northeast-1c
my-persistence-ap-northeast-1dresource "aws_network_acl" "my_nat_acl" {
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "-1"
rule_no = "100"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "-1"
rule_no = "100"
to_port = "0"
}
subnet_ids = [
var.subnet_intra_a_id,
var.subnet_intra_c_id,
var.subnet_intra_d_id,
var.subnet_nat_server_id
]
tags = {
Department = var.department_name
Name = "${lower(var.project_name)}-nat"
Project = var.project_name
}
tags_all = {
Department = var.department_name
Name = "${lower(var.project_name)}-nat"
Project = var.project_name
}
vpc_id = var.vpc_id
depends_on = [
var.subnet_intra_a_id,
var.subnet_intra_c_id,
var.subnet_intra_d_id,
var.subnet_nat_server_id,
var.vpc_id
]
}
resource "aws_network_acl" "my_public_acl" {
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "-1"
icmp_type = "-1"
protocol = "1"
rule_no = "3"
to_port = "0"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "1"
to_port = "65535"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "1024"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "119"
to_port = "65535"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "22"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "120"
to_port = "22"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "443"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "110"
to_port = "443"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "80"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "100"
to_port = "80"
}
egress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "0"
icmp_code = "-1"
icmp_type = "0"
protocol = "1"
rule_no = "141"
to_port = "0"
}
egress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "0"
icmp_code = "-1"
icmp_type = "8"
protocol = "1"
rule_no = "140"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "-1"
icmp_type = "-1"
protocol = "1"
rule_no = "10"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "17"
rule_no = "1000"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "1024"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "999"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "443"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "110"
to_port = "443"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "22"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "50"
to_port = "22"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "80"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "100"
to_port = "80"
}
subnet_ids = [
var.subnet_public_a_id,
var.subnet_public_c_id,
var.subnet_public_d_id
]
tags = {
Department = var.department_name
Name = "${lower(var.project_name)}-public"
Project = var.project_name
}
tags_all = {
Department = var.department_name
Name = "${lower(var.project_name)}-public"
Project = var.project_name
}
vpc_id = var.vpc_id
depends_on = [
var.subnet_public_a_id,
var.subnet_public_c_id,
var.subnet_public_d_id,
var.vpc_id
]
}
resource "aws_network_acl" "my_application_acl" {
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "-1"
icmp_type = "-1"
protocol = "1"
rule_no = "140"
to_port = "0"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "-1"
rule_no = "1"
to_port = "0"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "1024"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "130"
to_port = "65535"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "22"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "802"
to_port = "22"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "443"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "110"
to_port = "443"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "80"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "100"
to_port = "80"
}
egress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "23"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "900"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "-1"
icmp_type = "-1"
protocol = "1"
rule_no = "140"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "-1"
rule_no = "1002"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "17"
rule_no = "1"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "1024"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "130"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "22"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "1000"
to_port = "22"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "22"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "120"
to_port = "22"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "23"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "900"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "80"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "999"
to_port = "80"
}
subnet_ids = [
var.subnet_application_a_id,
var.subnet_application_c_id,
var.subnet_application_d_id
]
tags = {
Department = var.department_name
Name = "${lower(var.project_name)}-application"
Project = var.project_name
}
tags_all = {
Department = var.department_name
Name = "${lower(var.project_name)}-application"
Project = var.project_name
}
vpc_id = var.vpc_id
depends_on = [
var.subnet_application_a_id,
var.subnet_application_c_id,
var.subnet_application_d_id,
var.vpc_id
]
}
resource "aws_network_acl" "my_persistence_acl" {
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "32768"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "130"
to_port = "65535"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "443"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "110"
to_port = "443"
}
egress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "80"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "100"
to_port = "80"
}
egress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "0"
icmp_code = "-1"
icmp_type = "0"
protocol = "1"
rule_no = "141"
to_port = "0"
}
egress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "0"
icmp_code = "-1"
icmp_type = "8"
protocol = "1"
rule_no = "140"
to_port = "0"
}
egress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "23"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "900"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "0"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "1"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = "32768"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "130"
to_port = "65535"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "0"
icmp_code = "-1"
icmp_type = "0"
protocol = "1"
rule_no = "141"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "0"
icmp_code = "-1"
icmp_type = "8"
protocol = "1"
rule_no = "140"
to_port = "0"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "22"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "120"
to_port = "22"
}
ingress {
action = "allow"
cidr_block = var.vpc_cidr
from_port = "23"
icmp_code = "0"
icmp_type = "0"
protocol = "6"
rule_no = "900"
to_port = "65535"
}
subnet_ids = [
var.subnet_persistence_a_id,
var.subnet_persistence_c_id,
var.subnet_persistence_d_id
]
tags = {
Department = var.department_name
Name = "${lower(var.project_name)}-persistence"
Project = var.project_name
}
tags_all = {
Department = var.department_name
Name = "${lower(var.project_name)}-persistence"
Project = var.project_name
}
vpc_id = var.vpc_id
depends_on = [
var.subnet_persistence_a_id,
var.subnet_persistence_c_id,
var.subnet_persistence_d_id,
var.vpc_id
]
}
example.tfvars:aws_region="ap-northeast-1"
aws_profile="<YOUR_PROFILE>"
project_name="example"
department_name="SRE"
main.tf:terraform {
required_providers {
aws = {
version = "5.15.0"
}
}
backend "s3" {
bucket = "<YOUR_S3_BUCKET_NAME>"
dynamodb_table = "<YOUR_DYNAMODB_TABLE_NAME>"
key = "terraform.tfstate"
region = "ap-northeast-1"
shared_credentials_file = "~/.aws/config"
profile = "<YOUR_PROFILE>"
}
}
# nacl
module "nacl" {
# checkov:skip=CKV_AWS_230: check it later
# checkov:skip=CKV_AWS_229: check it later
# checkov:skip=CKV_AWS_232: check it later
# checkov:skip=CKV_AWS_231: check it later
aws_profile = var.aws_profile
aws_region = var.aws_region
department_name = var.department_name
project_name = var.project_name
vpc_cidr = module.vpc.my_vpcs["my-vpc"].cidr_block
vpc_id = module.vpc.my_vpcs["my-vpc"].id
subnet_public_a_id = module.subnet.subnets["my-public-ap-northeast-1a"].id
subnet_public_c_id = module.subnet.subnets["my-public-ap-northeast-1c"].id
subnet_public_d_id = module.subnet.subnets["my-public-ap-northeast-1d"].id
subnet_application_a_id = module.subnet.subnets["my-application-ap-northeast-1a"].id
subnet_application_c_id = module.subnet.subnets["my-application-ap-northeast-1c"].id
subnet_application_d_id = module.subnet.subnets["my-application-ap-northeast-1d"].id
subnet_intra_a_id = module.subnet.subnets["my-intra-ap-northeast-1a"].id
subnet_intra_c_id = module.subnet.subnets["my-intra-ap-northeast-1c"].id
subnet_intra_d_id = module.subnet.subnets["my-intra-ap-northeast-1d"].id
subnet_persistence_a_id = module.subnet.subnets["my-persistence-ap-northeast-1a"].id
subnet_persistence_c_id = module.subnet.subnets["my-persistence-ap-northeast-1c"].id
subnet_persistence_d_id = module.subnet.subnets["my-persistence-ap-northeast-1d"].id
subnet_nat_server_id = module.subnet.subnets["my-nat-server"].id
source = "./modules/my_nacls"
}
於專案目錄下執行 terraform init && terraform plan --out .plan -var-file=example.tfvars 來確認一下結果:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
+ create
Terraform will perform the following actions:
# module.igw.aws_internet_gateway.my_igw will be created
+ resource "aws_internet_gateway" "my_igw" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "example-igw"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "example-igw"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.nacl.aws_network_acl.my_application_acl will be created
+ resource "aws_network_acl" "my_application_acl" {
+ arn = (known after apply)
+ egress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = -1
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 140
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "-1"
+ rule_no = 1
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 1024
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 130
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 22
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 802
+ to_port = 22
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 443
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 110
+ to_port = 443
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 80
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 100
+ to_port = 80
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 23
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 900
+ to_port = 65535
},
]
+ id = (known after apply)
+ ingress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = -1
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 140
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "-1"
+ rule_no = 1002
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "17"
+ rule_no = 1
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 1024
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 130
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 22
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 1000
+ to_port = 22
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 22
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 120
+ to_port = 22
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 23
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 900
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 80
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 999
+ to_port = 80
},
]
+ owner_id = (known after apply)
+ subnet_ids = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "example-application"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "example-application"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.nacl.aws_network_acl.my_nat_acl will be created
+ resource "aws_network_acl" "my_nat_acl" {
+ arn = (known after apply)
+ egress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "-1"
+ rule_no = 100
+ to_port = 0
},
]
+ id = (known after apply)
+ ingress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "-1"
+ rule_no = 100
+ to_port = 0
},
]
+ owner_id = (known after apply)
+ subnet_ids = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "example-nat"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "example-nat"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.nacl.aws_network_acl.my_persistence_acl will be created
+ resource "aws_network_acl" "my_persistence_acl" {
+ arn = (known after apply)
+ egress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 32768
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 130
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 443
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 110
+ to_port = 443
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 80
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 100
+ to_port = 80
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 141
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = 8
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 140
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 23
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 900
+ to_port = 65535
},
]
+ id = (known after apply)
+ ingress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 1
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 32768
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 130
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 141
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = 8
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 140
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 22
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 120
+ to_port = 22
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 23
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 900
+ to_port = 65535
},
]
+ owner_id = (known after apply)
+ subnet_ids = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "example-persistence"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "example-persistence"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.nacl.aws_network_acl.my_public_acl will be created
+ resource "aws_network_acl" "my_public_acl" {
+ arn = (known after apply)
+ egress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = -1
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 3
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 1
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 1024
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 119
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 22
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 120
+ to_port = 22
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 443
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 110
+ to_port = 443
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 80
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 100
+ to_port = 80
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 141
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "10.2.0.0/16"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = 8
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 140
+ to_port = 0
},
]
+ id = (known after apply)
+ ingress = [
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = -1
+ icmp_type = -1
+ ipv6_cidr_block = ""
+ protocol = "1"
+ rule_no = 10
+ to_port = 0
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 0
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "17"
+ rule_no = 1000
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 1024
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 999
+ to_port = 65535
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 22
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 50
+ to_port = 22
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 443
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 110
+ to_port = 443
},
+ {
+ action = "allow"
+ cidr_block = "0.0.0.0/0"
+ from_port = 80
+ icmp_code = 0
+ icmp_type = 0
+ ipv6_cidr_block = ""
+ protocol = "6"
+ rule_no = 100
+ to_port = 80
},
]
+ owner_id = (known after apply)
+ subnet_ids = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "example-public"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "example-public"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-application-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.4.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-application-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.5.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-application-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.6.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-application-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.8.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.9.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-intra-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.10.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-intra-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-nat-server"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.3.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-nat-server"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-nat-server"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.16.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.17.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-persistence-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.18.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-persistence-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-public-ap-northeast-1a"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.0.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1a"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1a"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-public-ap-northeast-1c"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.1.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1c"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1c"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.subnet.aws_subnet.subnets["my-public-ap-northeast-1d"] will be created
+ resource "aws_subnet" "subnets" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "ap-northeast-1d"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.2.2.0/24"
+ enable_dns64 = false
+ enable_resource_name_dns_a_record_on_launch = false
+ enable_resource_name_dns_aaaa_record_on_launch = false
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ ipv6_native = false
+ map_customer_owned_ip_on_launch = false
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ private_dns_hostname_type_on_launch = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1d"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-public-ap-northeast-1d"
+ "Project" = "example"
}
+ vpc_id = (known after apply)
}
# module.vpc.aws_vpc.my_vpcs["my-vpc"] will be created
+ resource "aws_vpc" "my_vpcs" {
+ arn = (known after apply)
+ assign_generated_ipv6_cidr_block = false
+ cidr_block = "10.2.0.0/16"
+ default_network_acl_id = (known after apply)
+ default_route_table_id = (known after apply)
+ default_security_group_id = (known after apply)
+ dhcp_options_id = (known after apply)
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_network_address_usage_metrics = (known after apply)
+ id = (known after apply)
+ instance_tenancy = "default"
+ ipv6_association_id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ ipv6_cidr_block_network_border_group = (known after apply)
+ main_route_table_id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Department" = "SRE"
+ "Name" = "my-vpc"
+ "Project" = "example"
}
+ tags_all = {
+ "Department" = "SRE"
+ "Name" = "my-vpc"
+ "Project" = "example"
}
}
Plan: 19 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────────
Saved the plan to: .plan
To perform exactly these actions, run the following command to apply:
terraform apply ".plan"
下一篇文章將會展示實作 Bastion & NAT Server 篇 之 Terraform 模組。
iThome鐵人賽
看影片追技術