第 2 章:AWS 網路設定
Reference Link
VPC
VPC
# Primary VPC for this chapter. Referenced as aws_vpc.main by the secondary
# CIDR association, the subnet, the internet gateway and the allow_tls
# security group rules further down this page.
resource "aws_vpc" "main" {
  # Primary IPv4 range; the subnet below carves 10.0.1.0/24 out of it.
  cidr_block = "10.0.0.0/16"
  # NOTE(review): no IPv6 CIDR is assigned here, yet allow_tls_ipv6 below
  # reads aws_vpc.main.ipv6_cidr_block — confirm whether IPv6 is meant to be
  # enabled on this VPC or that rule is a standalone example.
}
VPC association
關聯 VPC
# Adds a secondary IPv4 range to aws_vpc.main (the VPC keeps its primary
# 10.0.0.0/16 and also owns 172.20.0.0/16). Secondary ranges must not overlap
# the primary range or each other.
resource "aws_vpc_ipv4_cidr_block_association" "secondary_cidr" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "172.20.0.0/16"
}
關聯 VPC IPV6
# Attaches an IPv6 range to a VPC, with the range allocated from an IPAM pool
# instead of an Amazon-provided block.
# NOTE(review): aws_vpc_ipam_pool.test and aws_vpc.test are not declared
# anywhere on this page — this snippet only applies once those exist.
resource "aws_vpc_ipv6_cidr_block_association" "test" {
  ipv6_ipam_pool_id = aws_vpc_ipam_pool.test.id
  vpc_id            = aws_vpc.test.id
}
VPC DHCP
VPC DHCP
# DHCP option set that hands out Google's public resolvers to instances.
# Instances in a VPC using this set send DNS queries to 8.8.8.8/8.8.4.4
# over the internet instead of the Amazon-provided resolver (AmazonProvidedDNS),
# so Route 53 private hosted zones and VPC endpoint private DNS names will not
# resolve through it. Not associated with any VPC on this page.
resource "aws_vpc_dhcp_options" "dns_resolver" {
  domain_name_servers = ["8.8.8.8", "8.8.4.4"]
}
VPC DHCP 設定
# Full DHCP option set example: DNS search domain, DNS/NTP/NetBIOS servers
# and a NetBIOS node type. Associated with aws_vpc.foo by the block below.
resource "aws_vpc_dhcp_options" "foo" {
  # Search domain appended to unqualified hostnames on the instances.
  domain_name = "service.consul"
  # 127.0.0.1 presumably targets a resolver running on each instance (the
  # service.consul domain suggests a local Consul agent); 10.0.0.2 is the
  # Amazon DNS address (VPC base + 2) for a 10.0.0.0/16 VPC — confirm this
  # matches the CIDR of aws_vpc.foo.
  domain_name_servers = ["127.0.0.1", "10.0.0.2"]
  ntp_servers          = ["127.0.0.1"]
  netbios_name_servers = ["127.0.0.1"]
  # 2 = P-node (point-to-point name resolution via the NetBIOS name servers).
  netbios_node_type = 2
  tags = {
    Name = "foo-name"
  }
}
關聯 DHCP
# Binds the "foo" DHCP option set to a VPC. A VPC can have only one option set
# at a time, so this replaces whatever set the VPC used before.
# NOTE(review): this references aws_vpc.foo, which is not declared on this
# page (the VPCs here are aws_vpc.main and aws_vpc.example).
resource "aws_vpc_dhcp_options_association" "dns_resolver" {
  vpc_id          = aws_vpc.foo.id
  dhcp_options_id = aws_vpc_dhcp_options.foo.id
}
Subnet
Subnet
# A /24 subnet inside aws_vpc.main's primary 10.0.0.0/16 range.
# No availability_zone is given, so AWS picks one. map_public_ip_on_launch is
# not set, so it keeps the provider default: instances launched here do not
# receive a public IPv4 address automatically.
resource "aws_subnet" "main" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  tags = {
    Name = "Main"
  }
}
Internet Gateway
Internet Gateway
# Internet gateway created and attached to aws_vpc.main in one resource
# (vpc_id set inline). Compare with the attachment-resource variant below,
# where the gateway is created without vpc_id.
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id
  tags = {
    Name = "main"
  }
}
關聯 Internet Gateway
# Attaches an existing internet gateway to a VPC as a separate resource.
# Used together with the two resources right below: aws_vpc.example and an
# aws_internet_gateway.example that deliberately has no vpc_id of its own.
resource "aws_internet_gateway_attachment" "example" {
  internet_gateway_id = aws_internet_gateway.example.id
  vpc_id              = aws_vpc.example.id
}
# Second VPC on this page, used by the attachment, NAT gateway, route table
# and aws_security_group_rule examples as aws_vpc.example.
resource "aws_vpc" "example" {
  cidr_block = "10.1.0.0/16"
}
resource "aws_internet_gateway" "example" {}
NAT Gateway
NAT Gateway
# NAT gateway with an Elastic IP (allocation_id), i.e. a public NAT gateway.
# It must live in a subnet that routes to the internet gateway for outbound
# traffic from private subnets to work.
# NOTE(review): aws_eip.example and aws_subnet.example are not declared on
# this page; the subnet declared here is aws_subnet.main.
resource "aws_nat_gateway" "example" {
  allocation_id = aws_eip.example.id
  subnet_id     = aws_subnet.example.id
  tags = {
    Name = "gw NAT"
  }
  # To ensure proper ordering, it is recommended to add an explicit dependency
  # on the Internet Gateway for the VPC.
  depends_on = [aws_internet_gateway.example]
}
Route
Route
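# Adds a single static route to an existing route table, sending the
# destination prefix to a VPC peering connection.
# NOTE(review): aws_route_table.testing is not declared on this page.
resource "aws_route" "r" {
  route_table_id = aws_route_table.testing.id
  # Canonical network address for the /22 prefix. The page's original value
  # "10.0.1.0/22" has host bits set — a /22 is aligned on a multiple of four
  # /24s, so the prefix it denotes is 10.0.0.0/22. Writing the canonical form
  # avoids provider validation errors or a perpetual plan diff after AWS
  # normalizes the value.
  destination_cidr_block = "10.0.0.0/22"
  # Hard-coded peering connection ID kept as on the page (a placeholder).
  # In real configuration prefer aws_vpc_peering_connection.<name>.id so the
  # route is tied to the connection Terraform manages.
  vpc_peering_connection_id = "pcx-45ff3dc1"
}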
Route table
Route table
# Route table for aws_vpc.example with inline routes. Inline `route` blocks
# and standalone aws_route resources must not be mixed on the same table.
# The VPC-local route for the VPC's own CIDR is implicit and not listed here.
resource "aws_route_table" "example" {
  vpc_id = aws_vpc.example.id
  # IPv4 route to the internet gateway.
  # NOTE(review): 10.0.1.0/24 is outside aws_vpc.example's 10.1.0.0/16 range,
  # and an internet default route would normally be 0.0.0.0/0 — confirm this
  # specific /24 is intended.
  route {
    cidr_block = "10.0.1.0/24"
    gateway_id = aws_internet_gateway.example.id
  }
  # IPv6 default route via an egress-only internet gateway (outbound-only,
  # so the VPC's IPv6 hosts are not reachable from the internet).
  # aws_egress_only_internet_gateway.example is not declared on this page.
  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.example.id
  }
  tags = {
    Name = "example"
  }
}
Route table association
關聯 Route table 至 subnet
# Subnet association: makes aws_route_table.bar the routing table for
# aws_subnet.foo (a subnet can be associated with exactly one route table).
# NOTE(review): neither aws_subnet.foo nor aws_route_table.bar is declared
# on this page.
resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.foo.id
  route_table_id = aws_route_table.bar.id
}
關聯 Route table 至 internet gateway
# Gateway (edge) association: applies aws_route_table.bar to traffic entering
# the VPC through the internet gateway rather than to a subnet. gateway_id and
# subnet_id are mutually exclusive on this resource.
# NOTE(review): aws_internet_gateway.foo and aws_route_table.bar are not
# declared on this page.
resource "aws_route_table_association" "b" {
  gateway_id     = aws_internet_gateway.foo.id
  route_table_id = aws_route_table.bar.id
}
security group
security group
# Security group shell with no inline ingress/egress blocks; its rules are the
# standalone aws_vpc_security_group_ingress_rule / _egress_rule resources
# below. The AWS provider removes the default allow-all egress rule when it
# creates a VPC security group, which is why explicit egress rules follow.
# Do not add inline ingress/egress blocks here while standalone rule
# resources target this group — the two would fight over the rule set.
resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic and all outbound traffic"
  vpc_id      = aws_vpc.main.id
  tags = {
    Name = "allow_tls"
  }
}
security group policy
security group policy IPv4
# Inbound TCP/443 from the VPC's own primary IPv4 range only (not from the
# internet, and not from the secondary 172.20.0.0/16 range associated above).
# Each aws_vpc_security_group_ingress_rule manages exactly one rule.
resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv4         = aws_vpc.main.cidr_block
  from_port         = 443
  ip_protocol       = "tcp"
  to_port           = 443
}
security group policy IPv6
# IPv6 counterpart of allow_tls_ipv4: inbound TCP/443 from the VPC's IPv6 range.
# NOTE(review): aws_vpc.main as declared on this page has no IPv6 CIDR, so
# aws_vpc.main.ipv6_cidr_block would be empty and this rule cannot be created
# until IPv6 is enabled on the VPC — confirm that is intended.
resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv6" {
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv6         = aws_vpc.main.ipv6_cidr_block
  from_port         = 443
  ip_protocol       = "tcp"
  to_port           = 443
}
security group policy IPv4 egress
# Unrestricted IPv4 egress: every protocol and port to any destination.
# This re-creates the allow-all egress the provider strips from new groups;
# tighten the CIDR or protocol if outbound traffic should be constrained.
# With ip_protocol = "-1", from_port/to_port are omitted.
resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1" # semantically equivalent to all ports
}
security group policy IPv6 egress
# Unrestricted IPv6 egress, mirroring allow_all_traffic_ipv4 for ::/0.
# Only meaningful once the VPC has an IPv6 range; harmless otherwise.
resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv6" {
  security_group_id = aws_security_group.allow_tls.id
  cidr_ipv6         = "::/0"
  ip_protocol       = "-1" # semantically equivalent to all ports
}
security group rule
# Older-style standalone rule resource (aws_security_group_rule). It opens
# every TCP port (0-65535) inbound from the whole IPv4 and IPv6 range of
# aws_vpc.example — much broader than the 443-only rules above; narrow the
# port range to what the workload needs.
# Do not manage the same security group with both aws_security_group_rule
# and aws_vpc_security_group_*_rule resources; they conflict.
resource "aws_security_group_rule" "example" {
  type             = "ingress"
  from_port        = 0
  to_port          = 65535
  protocol         = "tcp"
  cidr_blocks      = [aws_vpc.example.cidr_block]
  # aws_vpc.example on this page has no IPv6 CIDR, so this list entry would
  # be empty — confirm IPv6 is enabled before applying.
  ipv6_cidr_blocks = [aws_vpc.example.ipv6_cidr_block]
  # "sg-123456" is a placeholder ID copied from the example; reference
  # aws_security_group.<name>.id in real configuration.
  security_group_id = "sg-123456"
}