
VPC & EC2

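# VPC & EC2: one VPC with a public subnet (Internet Gateway) and a private
# subnet (NAT Gateway), a bastion host in the public subnet, its security
# group, and the instance role/profile the bastion runs with.
resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  tags                 = { Name = "skills-vpc" }
}

# Public
## Internet Gateway
# Fix: the original read `resource"aws_internet_gateway"` (no space after the
# block type keyword).
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "skills-IGW" }
}

## Route Table
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "skills-public-rt" }
}

# Default route for the public subnet goes straight to the IGW.
resource "aws_route" "public" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.main.id
}

## Public Subnet
resource "aws_subnet" "public_a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.1.0/24"
  availability_zone       = "ap-northeast-2a"
  map_public_ip_on_launch = true
  tags                    = { Name = "skills-public-a" }
}

## Attach Public Subnet in Route Table
resource "aws_route_table_association" "public_a" {
  subnet_id      = aws_subnet.public_a.id
  route_table_id = aws_route_table.public.id
}

# Private
## Elastic IP
# NOTE(review): no `domain`/`vpc` argument is set; newer AWS provider releases
# expect `domain = "vpc"` for an EIP used by a NAT Gateway — confirm against
# the pinned provider version.
resource "aws_eip" "private_a" {
}

## NAT Gateway
resource "aws_nat_gateway" "private_a" {
  # The IGW must exist before the NAT Gateway can pass traffic.
  depends_on    = [aws_internet_gateway.main]
  allocation_id = aws_eip.private_a.id
  subnet_id     = aws_subnet.public_a.id
  tags          = { Name = "skills-NGW-a" }
}

## Route Table
resource "aws_route_table" "private_a" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "skills-private-a-rt" }
}

# Default route for the private subnet goes out through the NAT Gateway.
resource "aws_route" "private_a" {
  route_table_id         = aws_route_table.private_a.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.private_a.id
}

resource "aws_subnet" "private_a" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.0.0/24"
  availability_zone = "ap-northeast-2a"
  tags              = { Name = "skills-private-a" }
}

## Attach Private Subnet in Route Table
resource "aws_route_table_association" "private_a" {
  subnet_id      = aws_subnet.private_a.id
  route_table_id = aws_route_table.private_a.id
}

# EC2
## AMI
# Latest Amazon Linux 2023 AMI id, resolved through the public SSM parameter.
data "aws_ssm_parameter" "latest_ami" {
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
}

## Keypair
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "keypair" {
  key_name   = "skills"
  public_key = tls_private_key.rsa.public_key_openssh
}

# The private key is written to the working directory; it also lives in
# Terraform state, since tls_private_key keeps it there.
# Fix: local_file defaults to mode 0777, which left the key world-readable;
# restrict it to the owner.
resource "local_file" "keypair" {
  content         = tls_private_key.rsa.private_key_pem
  filename        = "./skills.pem"
  file_permission = "0400"
}

## Public EC2
resource "aws_instance" "bastion" {
  ami                         = data.aws_ssm_parameter.latest_ami.value
  subnet_id                   = aws_subnet.public_a.id
  instance_type               = "t3.micro"
  key_name                    = aws_key_pair.keypair.key_name
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  associate_public_ip_address = true
  iam_instance_profile        = aws_iam_instance_profile.bastion.name

  # Fix: require IMDSv2. The instance role below carries AdministratorAccess,
  # so the metadata endpoint hands out account-admin credentials; requiring a
  # session token at least blocks SSRF-style reads of it.
  metadata_options {
    http_tokens = "required"
  }

  # Bootstrap script. user_data is readable by anyone who can call
  # DescribeInstanceAttribute and is stored in Terraform state, so the fixed
  # password set below is not a secret. Together with the PasswordAuthentication
  # change and the 0.0.0.0/0 SSH rule in the security group, the host accepts
  # password guesses from the whole internet. Prefer SSM Session Manager (the
  # role already has AmazonSSMManagedInstanceCore) and leave password auth off.
  # Fix: `unzip` was not in the install list but is used two lines later.
  # NOTE(review): AL2023 images ship amazon-ssm-agent and AWS CLI v2 already,
  # `yum install curl` may conflict with the preinstalled curl-minimal package,
  # and the sed only rewrites a commented-out `#PasswordAuthentication no` line
  # (a no-op if the image ships the directive uncommented) — verify on the
  # image before relying on these steps.
  user_data = <<-EOF
    #!/bin/bash
    yum update -y
    yum install -y jq curl wget unzip
    sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
    sudo systemctl start amazon-ssm-agent
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install
    ln -s /usr/local/bin/aws /usr/bin/
    ln -s /usr/local/bin/aws_completer /usr/bin/
    sed -i "s|#PasswordAuthentication no|PasswordAuthentication yes|g" /etc/ssh/sshd_config
    systemctl restart sshd
    echo 'Skill39!' | passwd --stdin ec2-user
    echo 'Skill39!' | passwd --stdin root
  EOF

  tags = { Name = "skills-bastion-ec2" }
}

## Public Security Group
# Ingress: SSH from anywhere. Egress: only 22/80/443 outbound, which covers
# the package repos and the CLI download used by the bootstrap script.
# NOTE(review): 22/tcp from 0.0.0.0/0 should be narrowed to the operator's
# address range, or dropped in favour of SSM Session Manager.
resource "aws_security_group" "bastion" {
  name   = "skills-EC2-SG"
  vpc_id = aws_vpc.main.id

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "skills-EC2-SG" }
}

## IAM
# Instance role assumed by EC2.
# NOTE(review): AdministratorAccess on an internet-facing bastion with a shared
# password means a login on the box is a full-account compromise; scope the
# role to what the exercise actually needs. With AdministratorAccess attached,
# the SSM and S3 attachments below add nothing. `managed_policy_arns` is
# deprecated in newer provider releases in favour of
# aws_iam_role_policy_attachment, which this file already uses — confirm
# against the pinned provider version.
resource "aws_iam_role" "bastion" {
  name = "skills-role-bastion"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Sid       = ""
        Principal = { Service = "ec2.amazonaws.com" }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}

resource "aws_iam_role_policy_attachment" "bastion_ssm" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  role       = aws_iam_role.bastion.name
}

resource "aws_iam_role_policy_attachment" "bastion_s3" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
  role       = aws_iam_role.bastion.name
}

resource "aws_iam_instance_profile" "bastion" {
  name = "skills-profile-bastion"
  role = aws_iam_role.bastion.name
}

# OutPut
## VPC
output "aws_vpc" {
  value = aws_vpc.main.id
}

## Public Subnet
output "public_a" {
  value = aws_subnet.public_a.id
}

## Private Subnet
output "private_a" {
  value = aws_subnet.private_a.id
}

output "bastion" {
  value = aws_instance.bastion.id
}

output "bastion-sg" {
  value = aws_security_group.bastion.id
}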
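# VPC & EC2 (minimal-AMI variant): one VPC with a public subnet (Internet
# Gateway) and a private subnet (NAT Gateway), a bastion host in the public
# subnet, its security group, and the instance role/profile it runs with.
resource "aws_vpc" "main" {
  cidr_block           = "192.168.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  tags                 = { Name = "skills-vpc" }
}

# Public
## Internet Gateway
# Fix: the original read `resource"aws_internet_gateway"` (no space after the
# block type keyword).
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "skills-IGW" }
}

## Route Table
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "skills-public-rt" }
}

# Default route for the public subnet goes straight to the IGW.
resource "aws_route" "public" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.main.id
}

## Public Subnet
resource "aws_subnet" "public_a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.1.0/24"
  availability_zone       = "ap-northeast-2a"
  map_public_ip_on_launch = true
  tags                    = { Name = "skills-public-a" }
}

## Attach Public Subnet in Route Table
resource "aws_route_table_association" "public_a" {
  subnet_id      = aws_subnet.public_a.id
  route_table_id = aws_route_table.public.id
}

# Private
## Elastic IP
# NOTE(review): no `domain`/`vpc` argument is set; newer AWS provider releases
# expect `domain = "vpc"` for an EIP used by a NAT Gateway — confirm against
# the pinned provider version.
resource "aws_eip" "private_a" {
}

## NAT Gateway
resource "aws_nat_gateway" "private_a" {
  # The IGW must exist before the NAT Gateway can pass traffic.
  depends_on    = [aws_internet_gateway.main]
  allocation_id = aws_eip.private_a.id
  subnet_id     = aws_subnet.public_a.id
  tags          = { Name = "skills-NGW-a" }
}

## Route Table
resource "aws_route_table" "private_a" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "skills-private-a-rt" }
}

# Default route for the private subnet goes out through the NAT Gateway.
resource "aws_route" "private_a" {
  route_table_id         = aws_route_table.private_a.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.private_a.id
}

resource "aws_subnet" "private_a" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.0.0/24"
  availability_zone = "ap-northeast-2a"
  tags              = { Name = "skills-private-a" }
}

## Attach Private Subnet in Route Table
resource "aws_route_table_association" "private_a" {
  subnet_id      = aws_subnet.private_a.id
  route_table_id = aws_route_table.private_a.id
}

# EC2
## AMI
# Latest Amazon Linux 2023 *minimal* AMI id, resolved through the public SSM
# parameter. The minimal image omits many userland tools, so the bootstrap
# script below has to install everything it calls.
data "aws_ssm_parameter" "latest_ami" {
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64"
}

## Keypair
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "keypair" {
  key_name   = "skills"
  public_key = tls_private_key.rsa.public_key_openssh
}

# The private key is written to the working directory; it also lives in
# Terraform state, since tls_private_key keeps it there.
# Fix: local_file defaults to mode 0777, which left the key world-readable;
# restrict it to the owner.
resource "local_file" "keypair" {
  content         = tls_private_key.rsa.private_key_pem
  filename        = "./skills.pem"
  file_permission = "0400"
}

## Public EC2
resource "aws_instance" "bastion" {
  ami                         = data.aws_ssm_parameter.latest_ami.value
  subnet_id                   = aws_subnet.public_a.id
  instance_type               = "t3.micro"
  key_name                    = aws_key_pair.keypair.key_name
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  associate_public_ip_address = true
  iam_instance_profile        = aws_iam_instance_profile.bastion.name

  # Fix: require IMDSv2. The instance role below carries AdministratorAccess,
  # so the metadata endpoint hands out account-admin credentials; requiring a
  # session token at least blocks SSRF-style reads of it.
  metadata_options {
    http_tokens = "required"
  }

  # Bootstrap script. user_data is readable by anyone who can call
  # DescribeInstanceAttribute and is stored in Terraform state, so the fixed
  # password set below is not a secret. Together with the PasswordAuthentication
  # change and the 0.0.0.0/0 SSH rule in the security group, the host accepts
  # password guesses from the whole internet. Prefer SSM Session Manager
  # (AdministratorAccess already grants the SSM permissions) and leave
  # password auth off.
  # Fix: `unzip` was not in the install list but is used two lines later; on
  # the minimal image that made the CLI install fail.
  # NOTE(review): `yum install curl` may conflict with the preinstalled
  # curl-minimal package on AL2023, and the sed only rewrites a commented-out
  # `#PasswordAuthentication no` line (a no-op if the image ships the directive
  # uncommented) — verify on the image before relying on these steps.
  user_data = <<-EOF
    #!/bin/bash
    yum update -y
    yum install -y jq curl wget unzip
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install
    ln -s /usr/local/bin/aws /usr/bin/
    ln -s /usr/local/bin/aws_completer /usr/bin/
    sed -i "s|#PasswordAuthentication no|PasswordAuthentication yes|g" /etc/ssh/sshd_config
    systemctl restart sshd
    echo 'Skill39!' | passwd --stdin ec2-user
    echo 'Skill39!' | passwd --stdin root
  EOF

  tags = { Name = "skills-bastion-ec2" }
}

## Public Security Group
# Ingress: SSH from anywhere. Egress: only 22/80/443 outbound, which covers
# the package repos and the CLI download used by the bootstrap script.
# NOTE(review): 22/tcp from 0.0.0.0/0 should be narrowed to the operator's
# address range, or dropped in favour of SSM Session Manager.
resource "aws_security_group" "bastion" {
  name   = "skills-EC2-SG"
  vpc_id = aws_vpc.main.id

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "skills-EC2-SG" }
}

## IAM
# Instance role assumed by EC2.
# NOTE(review): AdministratorAccess on an internet-facing bastion with a shared
# password means a login on the box is a full-account compromise; scope the
# role to what the exercise actually needs (e.g. AmazonSSMManagedInstanceCore
# for Session Manager). `managed_policy_arns` is deprecated in newer provider
# releases in favour of aws_iam_role_policy_attachment — confirm against the
# pinned provider version.
resource "aws_iam_role" "bastion" {
  name = "skills-role-bastion"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Sid       = ""
        Principal = { Service = "ec2.amazonaws.com" }
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}

resource "aws_iam_instance_profile" "bastion" {
  name = "skills-profile-bastion"
  role = aws_iam_role.bastion.name
}

# OutPut
## VPC
output "aws_vpc" {
  value = aws_vpc.main.id
}

## Public Subnet
output "public_a" {
  value = aws_subnet.public_a.id
}

## Private Subnet
output "private_a" {
  value = aws_subnet.private_a.id
}

output "bastion" {
  value = aws_instance.bastion.id
}

output "bastion-sg" {
  value = aws_security_group.bastion.id
}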