こんにちは、ENECHANGE CTO室のkazです。エネチェンジ、SIMチェンジ、SMAPのインフラを横断的に担当しています。 インフラが担う箇所が動いてる間は誰にも褒められませんが、それが止まると怒られる。そんな陽の光の当たらないところで生きてる私ですが、ENECHANGEテックブログの記念すべき1本目を担当させていただきます!
ENECHANGEが提供するサービスのインフラは一部を除きAWSを使用しており、AWSの設定はオーケストレーションツールのTerraformとプロビジョニングツールのitamaeで設計・構築しています。これらを使い、インフラを全てコード管理することで、非属人化を実現し、客観的なレビューを可能にしています。 また、TerraformはAWS、GCP、Microsoft Azure、OpenStackなどで使用できます。
今回、Terraformの初期設定〜VPCまで足回りをばーーんと一気に構築したいと思います。
要件
1. vpcを作成 2. InternetGatewayを作成 3. 東京リージョンのAZ(a,c)にpublicサブネットとprivateサブネットを作成 4. privateサブネットをDatastoreのサブネットグループとして指定 5. publicサブネットが使用するRoutetableにInternetGatewayを指定 6. publicサブネットにNatGatewayを作成 7. privateサブネットが使用するRoutetableにNatGatewayを指定
- 図にするとこんな感じ
設定
- まず、OSに適したパッケージを選択し、インストールするディレクトリに解凍します。
- terraformコマンドを投入すると動作確認できます。
hoge\:~$ terraform Usage: terraform [--version] [--help] <command> [args] The available commands for execution are listed below. The most common, useful commands are shown first, followed by less common or more advanced commands. If you're just getting started with Terraform, stick with the common commands. For the other commands, please read the help and docs before usage. Common commands: apply Builds or changes infrastructure console Interactive console for Terraform interpolations destroy Destroy Terraform-managed infrastructure env Workspace management fmt Rewrites config files to canonical format get Download and install modules for the configuration graph Create a visual graph of Terraform resources import Import existing infrastructure into Terraform init Initialize a Terraform working directory output Read an output from a state file plan Generate and show an execution plan providers Prints a tree of the providers used in the configuration push Upload this Terraform module to Atlas to run refresh Update local state file against real resources show Inspect Terraform state or plan taint Manually mark a resource for recreation untaint Manually unmark a resource as tainted validate Validates the Terraform files version Prints the Terraform version workspace Workspace management All other commands: debug Debug output management (experimental) force-unlock Manually unlock the terraform state state Advanced state m anagement[f:id:dev-enechange:20180518014825p:plain]
- TerraformがAWSアカウントを使用できるように環境変数AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEYにIAMユーザーのAWS資格情報を設定する必要があります。
provider "aws" { access_key = "ACCESS_KEY_HERE" secret_key = "SECRET_KEY_HERE" region = "ap-northeast-1" }
私の環境ではポリシーの異なる複数のIAMユーザを運用しているので、~/. aws/credentialsを参照し、任意のprofileを使用できるようにしています。 ローカルのcredentialsを参照することでmain.tfにハードコードせずに済むので、Git上で管理しやすくなります。
TerraformはHashiCorp Configuration Language (HCL) で書いていきます。
- こんな感じでmain.tfという設定ファイルを作り、そこに使用するプロバイダを記述します。 使用できるプロバイダ一覧はこちら
provider "aws" { region = "ap-northeast-1" profile = "terraform-user001” }
設定ファイル郡
- ベストプラクティスではないですが、Resouce毎に分けてます
. ├── db_subnet_group.tf ├── eip.tf ├── internet_gateway.tf ├── main.tf ├── nat_gateway.tf ├── route_table.tf ├── route_table_association.tf ├── subnet.tf ├── terraform_remote_state.tf ├── variables.tf └── vpc.tf
Configuration
- main.tf
provider "aws" { region = "ap-northeast-1" profile = "terraform-user001" } terraform { backend "s3" { bucket = "terraform-tfstate" key = "<project-name>/network/terraform.tfstate" region = "ap-northeast-1" profile = "terraform-user00-1" } }
- terraform_remote_state
- Stateをローカルではなく、Backend(S3)へ置き、複数人で開発できるようにしています。
- 実は、
terraform-tfstateというバケットはENECHANGEが持っています(;・∀・)- (バケット名は必ず、Amazon S3 内の既存バケット名の中で一意)
- 実は、
- Stateをローカルではなく、Backend(S3)へ置き、複数人で開発できるようにしています。
data "terraform_remote_state" "<project-name>_network" { backend = "s3" config { bucket = "terraform-tfstate" key = "<project-name>/network/terraform.tfstate" region = "ap-northeast-1" profile = "terraform-user001" } }
- variable
- 算術演算するために必要な数だけ記述しています。
variable "<project-name>-eip" { description = "Use EIP" default = { "0" = "true", "1" = "false" } } variable "<project-name>-subnet-names" { description = "publicsubnet uses global IP" type = "list" default = [ "<project-name>-public-a", "<project-name>-public-c", "<project-name>-private-a", "<project-name>-private-c" ] } variable "<project-name>-subnet-cidr_blocks" { description = "Create two public-subnet and two private-subnet" type = "list" default = [ "***.***.***.***/22", "***.***.***.***/22", "***.***.***.***/22", "***.***.***.***/22" ] } variable "<project-name>-subnet-availability_zones" { description = "Use ap-northeast-1a and ap-northeast-1c" type = "list" default = [ "ap-northeast-1a", "ap-northeast-1c" ] } variable "<project-name>-subnet-map_publicip-on-launchs" { description = "instances launched into the subnet should be assigned a public IP address" type = "list" default = [ "true", "false" ] }
resource "aws_eip" "prod-natgw" { count = "${length(var.<project-name>-eip)}" vpc = "${element(var.<project-name>-eip, count.index / 2)}" tags { Name = "<project-name>-natgw" Service = "<project-name>" Environment = "<environment>" Description = "Managed by Terraform" } }
// <project-name> vpc resource "aws_vpc" "<project-name>" { cidr_block = "***.***.***.***/16" instance_tenancy = "default" enable_dns_support = "true" enable_dns_hostnames = "true" tags { Name = "<project-name>" Service = "<project-name>" Description = "Managed by Terraform" } }
// internet gateway resource "aws_internet_gateway" "<project-name>" { vpc_id = "${aws_vpc.<project-name>.id}" tags { Name = "<project-name>-igw" Service = "<project-name>" Description = "Managed by Terraform" } }
resource "aws_nat_gateway" "<project-name>-natgw" { count = "${length(var.<project-name>-eip)}" allocation_id = "${element(aws_eip.natgw.*.id, count.index)}" subnet_id = "${element(aws_subnet.<project-name>-subnets.*.id, count.index)}" tags { Name = "<project-name>-natgw" Service = "<project-name>" Description = "Managed by Terraform" } }
resource "aws_subnet" "<project-name>-subnet" { vpc_id = "${aws_vpc.<project-name>.id}" count = "${length(var.<project-name>-subnet-names)}" availability_zone = "${element(var.<project-name>-subnet-availability_zones, count.index)}" cidr_block = "${element(var.<project-name>-subnet-cidr_blocks, count.index)}" map_public_ip_on_launch = "${lookup(var.<project-name>-subnet-map_publicip-on-launchs, count.index / 2)}" tags { Name = "${element(var.<project-name>-subnet-name, count.index)}" Service = "<project-name>" Environment = "<environment>" Description = "Managed by Terraform" } }
// <project-name>-subnet public-routetable resource "aws_route_table" "<project-name>-public_route_table" { vpc_id = "${aws_vpc.<project-name>.id}" count = 2 route { cidr_block = "0.0.0.0/0" gateway_id = "${aws_internet_gateway.<project-name>.id}" } tags { Name = "${element(var.<project-name>-subnet-names, count.index)}" Service = "<project-name>" Environment = "<environment>" Description = "Managed by Terraform" } } // <project-name>-subnet private-routetable resource "aws_route_table" "<project-name>-private_route_tables" { vpc_id = "${aws_vpc.<project-name>.id}" count = 2 route { cidr_block = "0.0.0.0/0" nat_gateway_id = "${element(aws_nat_gateway.<project-name>-natgw.*.id, count.index)}" } tags { Name = "${element(var.<project-name>-subnet-names, count.index + 2)}" Service = "<project-name>" Environment = "<environment>" Description = "Managed by Terraform" } }
// <project-name>-public allocate resource "aws_route_table_association" "<project-name>-public" { count = 2 subnet_id = "${element(aws_subnet.<project-name>-subnets.*.id, count.index)}" route_table_id = "${element(aws_route_table.<project-name>-public_route_tables.*.id, count.index)}" } // <project-name>-private allocate resource "aws_route_table_association" "<project-name>-private" { count = 2 subnet_id = "${element(aws_subnet.<project-name>-subnets.*.id, count.index + 2)}" route_table_id = "${element(aws_route_table.<project-name>-private_route_tables.*.id, count.index)}" }
resource "aws_db_subnet_group" "<project-name>-datastore" { name = "<project-name>-datastore" subnet_ids = [ "${element(aws_subnet.<project-name>-subnets.*.id, 2)}", "${element(aws_subnet.<project-name>-subnets.*.id, 3)}" ] tags { Name = "<project-name>-datastore" Service = "<project-name>" Environment = "<environment>" Description = "Managed by Terraform" } }
初期化
- terraform initでTerraform設定ファイルを含む作業ディレクトリを初期化します。
- ここでsyntaxエラーなどがあればエラーが発生します。
- TF_LOG=[TRACE,DEBUG,INFO,WARN,ERROR]として環境変数にセットしデバッグログ出力が可能になります。
$ TF_LOG=DEBUG terraform init 2018/05/29 15:20:41 [INFO] Terraform version: 0.11.7 2018/05/29 15:20:41 [INFO] Go runtime version: go1.10.1 (snip) To prevent automatic upgrades to new major versions that may contain breaking changes, it is recommended to add version = "..." constraints to the corresponding provider blocks in configuration, with the constraint strings suggested below. * provider.aws: version = "~> 1.20" Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.
- terraform planで実行計画を作成します。
$ terraform plan Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. ------------------------------------------------------------------------ An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: (snip) ------------------------------------------------------------------------ Note: You didn't specify an "-out" parameter to save this plan, so Terraform can't guarantee that exactly these actions will be performed if "terraform apply" is subsequently run.
- terraform applyで作成した実行計画に基づいた構成を作成します。
- yesと入力すると処理が走ります
$ terraform apply An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: (snip) Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value:
まとめ
これくらいの構成であれば、この程度の量の設定ファイルで済んでしまいます。 アプリケーション側で設定値が頻繁に変わるようなケースもあるので、terraformで全部管理しようとすると疲弊しちゃいますので、本末転倒。 ステークホルダーと協議しながら管理していきましょう。
これから、運用で蓄積したTipsなど、公開していけたらいいなと思います。
