Skip to content
AGou's Docsv5

Terraform Examples

Terraform 示例

创建自定义vpc、gw、subnet、networkr、eip和instance

Terminal window
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 2.70"
    }
  }
}


provider "aws" {
  profile = "default"
  region  = "us-east-2"
}






# 1. Create vpc


resource "aws_vpc" "prod-vpc" {
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "production"
  }
}


# 2. Create Internet Gateway


resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.prod-vpc.id




}
# 3. Create Custom Route Table


resource "aws_route_table" "prod-route-table" {
  vpc_id = aws_vpc.prod-vpc.id


  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }


  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.gw.id
  }


  tags = {
    Name = "Prod"
  }
}


# 4. Create a Subnet


resource "aws_subnet" "subnet-1" {
  vpc_id            = aws_vpc.prod-vpc.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-2a"


  tags = {
    Name = "prod-subnet"
  }
}


# 5. Associate subnet with Route Table


resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.subnet-1.id
  route_table_id = aws_route_table.prod-route-table.id
}
# 6. Create Security Group to allow port 22,80,443


resource "aws_security_group" "allow_web" {
  name        = "allow_web_traffic"
  description = "Allow Web inbound traffic"
  vpc_id      = aws_vpc.prod-vpc.id


  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }


  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }


  tags = {
    Name = "allow_web"
  }
}


# 7. Create a network interface with an ip in the subnet that was created in step 4


resource "aws_network_interface" "web-server-nic" {
  subnet_id       = aws_subnet.subnet-1.id
  private_ips     = ["10.0.1.11"]
  security_groups = [aws_security_group.allow_web.id]


}
# 8. Assign an elastic IP to the network interface created in step 7


resource "aws_eip" "one" {
  vpc                       = true
  network_interface         = aws_network_interface.web-server-nic.id
  associate_with_private_ip = "10.0.1.11"
  depends_on                = [aws_internet_gateway.gw]
}


output "server_public_ip" {
  value = aws_eip.one.public_ip
}


# 9. Create Ubuntu server and install/enable apache2


resource "aws_instance" "web-server-instance" {
  ami               = "ami-07efac79022b86107"
  instance_type     = "t2.micro"
  availability_zone = "us-east-2a"
  key_name          = "test-key"


  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.web-server-nic.id
  }


  user_data = <<-EOF
                #!/bin/bash
                sudo apt update -y
                sudo apt install apache2 -y
                sudo systemctl start apache2
                sudo bash -c 'echo "<h1>my first server created by Terraform.</h1>" > /var/www/html/index.html'
                EOF
  tags = {
    Name = "web-server"
  }
}


output "server_private_ip" {
  value = aws_instance.web-server-instance.private_ip


}


output "server_id" {
  value = aws_instance.web-server-instance.id
}

创建自定义role并附加规则、绑定到instance

Terminal window
resource "aws_iam_role" "example" {
  name = "example"


  # assume_role_policy is omitted for brevity in this example. See the
  # documentation for aws_iam_role for a complete example.
  assume_role_policy = "..."
}


resource "aws_iam_instance_profile" "example" {
  # Because this expression refers to the role, Terraform can infer
  # automatically that the role must be created first.
  role = aws_iam_role.example.name
}


resource "aws_iam_role_policy" "example" {
  name   = "example"
  role   = aws_iam_role.example.name
  policy = jsonencode({
    "Statement" = [{
      # This policy allows software running on the EC2 instance to
      # access the S3 API.
      "Action" = "s3:*",
      "Effect" = "Allow",
    }],
  })
}


resource "aws_instance" "example" {
  ami           = "ami-a1b2c3d4"
  instance_type = "t2.micro"


  # Terraform can infer from this that the instance profile must
  # be created before the EC2 instance.
  iam_instance_profile = aws_iam_instance_profile.example


  # However, if software running in this EC2 instance needs access
  # to the S3 API in order to boot properly, there is also a "hidden"
  # dependency on the aws_iam_role_policy that Terraform cannot
  # automatically infer, so it must be declared explicitly:
  depends_on = [
    aws_iam_role_policy.example,
  ]
}

参考资料