Differences

This shows you the differences between two versions of the page.

--- linux_wiki:terraform [2018/06/14 22:21]
billdozor [File Structure]
+++ linux_wiki:terraform [2019/05/25 23:50] (current)
@@ Line 5: / Line 5: @@
 "Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned."
-Site
+Sites
   * Official Site: https://www.terraform.io/
   * Downloads: https://www.terraform.io/downloads.html
   * Getting started: https://www.terraform.io/intro/getting-started/install.html
+  * AWS Provider Reference Doc: https://www.terraform.io/docs/providers/aws/index.html
+\\
 **Checklist**
   * AWS Account
@@ Line 45: / Line 47: @@
 ====== Terraform Example: 2 Tier VPC ======
+**Pre-Req**: AWS account and access keys setup/configured in the previous section.
+\\
 Creating a 2-tier VPC (public and private subnets), utilizing 3 availability zones in US-West (Oregon).
@@ Line 87: / Line 92: @@
 provider "aws" {
   region = "${var.region}"
+  # Name of profile to use from ~/.aws/credentials
   profile = "default"
 }
@@ Line 170: / Line 176: @@
 }</code>
-<code bash outputs.tf># Title: outputs.tf
+<code bash outputs.tf> Title: outputs.tf
 # Description: Outputs from resources saved as variables
+#              If terraform apply is run within this directory, these variables
+#              are displayed at the end of the run.
 # Pull the VPC ID from the site module
@@ Line 177: / Line 185: @@
   value = "${module.site.vpc_id}"
 }</code>
+----
 ==== File Contents: Site Module Files ====
@@ Line 182: / Line 192: @@
 Files in the site/ module directory. Ordered in a way that is easier to follow.
-<code bash nat_gateway.tf></code>
+<code bash variables.tf># Title: site/variables.tf
+# Description: Variables for the module 'site'
+#              Unset variables are expected to be passed in from the calling parent
-<code bash outputs.tf></code>
+# Availability Zones: Inherit from main variables
+variable "availability_zones" { type = "list" }
-<code bash routes.tf></code>
+# VPC CIDR: Inherit from main variables
+variable "vpc_cidr" {}
-<code bash security_groups.tf></code>
+# Public Subnets (with IGW): Inherit from main
+variable "public_subnet01_cidr" {}
+variable "public_subnet02_cidr" {}
+variable "public_subnet03_cidr" {}
-<code bash subnets.tf></code>
+# Private Subnets (no IGW): Inherit from main
+variable "private_subnet01_cidr" {}
+variable "private_subnet02_cidr" {}
+variable "private_subnet03_cidr" {}</code>
-<code bash variables.tf></code>
+<code bash vpc.tf># Title: site/vpc.tf
+# Description: Create a VPC and attach an internet gateway
-<code bash vpc.tf></code>
+####-- VPC --####
+# VPC: Creation
+resource "aws_vpc" "myvpc" {
+  cidr_block = "${var.vpc_cidr}"
+  enable_dns_hostnames = true
+  tags {
+    Name = "myvpc"
+  }
+}
+# VPC: Internet Gateway
+resource "aws_internet_gateway" "myigw" {
+  vpc_id =  "${aws_vpc.myvpc.id}"
+  tags {
+    Name = "myigw"
+  }
+}</code>
+<code bash subnets.tf># Title: site/subnets.tf
+# Description: Create subnets
+####-- Subnets --####
+# Public Subnet 01
+resource "aws_subnet" "subnet01-public" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  cidr_block = "${var.public_subnet01_cidr}"
+  availability_zone = "${element(var.availability_zones, 0)}"
+  tags {
+    Name = "subnet_public01"
+  }
+}
+# Public Subnet 02
+resource "aws_subnet" "subnet02-public" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  cidr_block = "${var.public_subnet02_cidr}"
+  availability_zone = "${element(var.availability_zones, 1)}"
+  tags {
+    Name = "subnet_public02"
+  }
+}
+# Public Subnet 03
+resource "aws_subnet" "subnet03-public" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  cidr_block = "${var.public_subnet03_cidr}"
+  availability_zone = "${element(var.availability_zones, 2)}"
+  tags {
+    Name = "subnet_public03"
+  }
+}
+# Private Subnet 01
+resource "aws_subnet" "subnet01-private" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  cidr_block = "${var.private_subnet01_cidr}"
+  availability_zone = "${element(var.availability_zones, 0)}"
+  tags {
+    Name = "subnet_private01"
+  }
+}
+# Private Subnet 02
+resource "aws_subnet" "subnet02-private" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  cidr_block = "${var.private_subnet02_cidr}"
+  availability_zone = "${element(var.availability_zones, 1)}"
+  tags {
+    Name = "subnet_private02"
+  }
+}
+# Private Subnet 03
+resource "aws_subnet" "subnet03-private" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  cidr_block = "${var.private_subnet03_cidr}"
+  availability_zone = "${element(var.availability_zones, 2)}"
+  tags {
+    Name = "subnet_private03"
+  }
+}</code>
+<code bash nat_gateway.tf># Title: site/nat_gateway.tf
+# Description: Create a NAT gateway for private subnets
+# Note: For true high availabity, you will want:
+#       -An EIP and NAT GW per public subnet
+#       -Route table per private subnet to route to NAT GW in same AZ
+# Create the required Elastic IPs to be assigned to the NAT Gateways
+resource "aws_eip" "eip_nat01" {
+  vpc = true
+}
+resource "aws_eip" "eip_nat02" {
+  vpc = true
+}
+resource "aws_eip" "eip_nat03" {
+  vpc = true
+}
+# Create the NAT Gateways
+resource "aws_nat_gateway" "nat_gw01" {
+  subnet_id = "${aws_subnet.subnet01-public.id}"
+  allocation_id = "${aws_eip.eip_nat01.id}"
+  tags { Name = "nat_gw01" }
+  # Dependencies: Internet Gateway and EIP
+  depends_on = ["aws_internet_gateway.myigw", "aws_eip.eip_nat01"]
+}
+resource "aws_nat_gateway" "nat_gw02" {
+  subnet_id = "${aws_subnet.subnet02-public.id}"
+  allocation_id = "${aws_eip.eip_nat02.id}"
+  tags { Name = "nat_gw02" }
+  # Dependencies: Internet Gateway and EIP
+  depends_on = ["aws_internet_gateway.myigw", "aws_eip.eip_nat02"]
+}
+resource "aws_nat_gateway" "nat_gw03" {
+  subnet_id = "${aws_subnet.subnet03-public.id}"
+  allocation_id = "${aws_eip.eip_nat03.id}"
+  tags { Name = "nat_gw03" }
+  # Dependencies: Internet Gateway and EIP
+  depends_on = ["aws_internet_gateway.myigw", "aws_eip.eip_nat03"]
+}
+# Route to the NAT Gateway provided elsewhere (in private route table)</code>
+<code bash routes.tf>#Title: site/routes.tf
+# Description: Route tables for subnets
+####-- Routes --####
+##-- Public Subnet Routes --##
+# Public Route Table - Default Route to Internet Gateway
+resource "aws_route_table" "rt_public" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.myigw.id}"
+  }
+  tags {
+    Name = "rt_public"
+  }
+}
+# Associate Subnet Public 01 with Route Table
+resource "aws_route_table_association" "rt_assoc_public01" {
+  subnet_id = "${aws_subnet.subnet01-public.id}"
+  route_table_id = "${aws_route_table.rt_public.id}"
+}
+# Associate Subnet Public 02 with Route Table
+resource "aws_route_table_association" "rt_assoc_public02" {
+  subnet_id = "${aws_subnet.subnet02-public.id}"
+  route_table_id = "${aws_route_table.rt_public.id}"
+}
+# Associate Subnet Public 03 with Route Table
+resource "aws_route_table_association" "rt_assoc_public03" {
+  subnet_id = "${aws_subnet.subnet03-public.id}"
+  route_table_id = "${aws_route_table.rt_public.id}"
+}
+##-- Private Subnet Routes --##
+# Private Route Tables - Default Route to NAT GW in each AZ
+resource "aws_route_table" "rt_private01" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  route {
+    cidr_block = "0.0.0.0/0"
+    nat_gateway_id = "${aws_nat_gateway.nat_gw01.id}"
+  }
+  tags {
+    Name = "rt_private01"
+  }
+}
+resource "aws_route_table" "rt_private02" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  route {
+    cidr_block = "0.0.0.0/0"
+    nat_gateway_id = "${aws_nat_gateway.nat_gw02.id}"
+  }
+  tags {
+    Name = "rt_private02"
+  }
+}
+resource "aws_route_table" "rt_private03" {
+  vpc_id = "${aws_vpc.myvpc.id}"
+  route {
+    cidr_block = "0.0.0.0/0"
+    nat_gateway_id = "${aws_nat_gateway.nat_gw03.id}"
+  }
+  tags {
+    Name = "rt_private03"
+  }
+}
+# Associate Subnet Private 01 with Route Table
+resource "aws_route_table_association" "rt_assoc_private01" {
+  subnet_id = "${aws_subnet.subnet01-private.id}"
+  route_table_id = "${aws_route_table.rt_private01.id}"
+}
+# Associate Subnet Private 02 with Route Table
+resource "aws_route_table_association" "rt_assoc_private02" {
+  subnet_id = "${aws_subnet.subnet02-private.id}"
+  route_table_id = "${aws_route_table.rt_private02.id}"
+}
+# Associate Subnet Private 03 with Route Table
+resource "aws_route_table_association" "rt_assoc_private03" {
+  subnet_id = "${aws_subnet.subnet03-private.id}"
+  route_table_id = "${aws_route_table.rt_private03.id}"
+}</code>
+<code bash security_groups.tf># Title: site/security_groups.tf
+# Description: Security groups for resources in subnets.
+####-- Security Groups --####
+# Create default locked down security groups for private and public subnets
+# Security Group: Public Subnets
+resource "aws_security_group" "sg_public_default" {
+  name = "sg_public_default"
+  description = "Default public facing security group"
+  tags = { Name = "sg_public_default" }
+  vpc_id = "${aws_vpc.myvpc.id}"
+  ##-- Ingress/Inbound Rules --##
+  # No ingress/inbound rules by default
+  #ingress {
+  #}
+  ##-- Egress/Outbound Rules --##
+  # Allow all egress/outbound traffic
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+# Security Group: Private Subnets
+resource "aws_security_group" "sg_private_default" {
+  name = "sg_private_default"
+  description = "Default private facing security group"
+  tags = { Name = "sg_private_default" }
+  vpc_id = "${aws_vpc.myvpc.id}"
+  ##-- Ingress/Inbound Rules --##
+  # Allow all ssh traffic from default public security group
+  ingress {
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    security_groups = ["${aws_security_group.sg_public_default.id}"]
+  }
+  # Allow all traffic within the private security group
+  ingress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    self = "true"
+  }
+  ##-- Egress/Outbound Rules --##
+  # Allow all egress/outbound traffic
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}</code>
+<code bash outputs.tf># Title: site/outputs.tf
+# Description: Outputs from resources saved as variables
+#              Accessible via "${module.site.variable_name}"
+# Set output variable from resource format
+# output "variable_name" {
+#   value = "${aws_resource.name.attribute}"
+# }
+# Store the VPC ID
+output "vpc_id" {
+  value = "${aws_vpc.myvpc.id}"
+}
+# Store the Public Subnet ID
+output "subnet01_public_id" {
+  value = "${aws_subnet.subnet01-public.id}"
+}
+# Store the Public Security Group ID
+output "sg_public_default_id" {
+  value = "${aws_security_group.sg_public_default.id}"
+}</code>
 ----