Terraform Examples
Terraform 示例
创建自定义vpc、gw、subnet、network interface、eip和instance
# Provider requirements. "~> 2.70" resolves to any 2.x release at or above
# 2.70, so `terraform init` stays on the provider line these examples target.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 2.70"
    }
  }
}
# Credentials are read from the local "default" AWS profile; every resource
# in this file is created in us-east-2.
provider "aws" {
  profile = "default"
  region  = "us-east-2"
}
# 1. Create vpc
#
# A single /16 VPC; no IPv6 CIDR is requested here, so the "::/0" route in
# the route table below is only relevant if one is added later.
resource "aws_vpc" "prod-vpc" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "production"
  }
}
# 2. Create Internet Gateway
#
# Attached to the VPC above; the route table and the EIP both depend on it.
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.prod-vpc.id
}

# 3. Create Custom Route Table
# Public route table: all IPv4 and IPv6 traffic not destined for the VPC
# itself is sent to the internet gateway. The IPv6 default route is harmless
# while the VPC has no IPv6 CIDR assigned.
resource "aws_route_table" "prod-route-table" {
  vpc_id = aws_vpc.prod-vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }

  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.gw.id
  }

  tags = {
    Name = "Prod"
  }
}
# 4. Create a Subnet
#
# One /24 in us-east-2a. The subnet does not auto-assign public IPs; the web
# server reaches the internet through the elastic IP created in step 8.
resource "aws_subnet" "subnet-1" {
  vpc_id            = aws_vpc.prod-vpc.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-2a"

  tags = {
    Name = "prod-subnet"
  }
}
# 5. Associate subnet with Route Table
#
# Without this association the subnet would use the VPC's main route table,
# which has no route to the internet gateway.
resource "aws_route_table_association" "a" {
  subnet_id      = aws_subnet.subnet-1.id
  route_table_id = aws_route_table.prod-route-table.id
}

# 6. Create Security Group to allow port 22,80,443
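# CIDR blocks allowed to reach the SSH port of the web server. No default is
# given on purpose: the operator must supply the management network (for
# example a single /32), and "0.0.0.0/0" is rejected by the validation below.
# `validation` requires Terraform 0.13+, which the `required_providers.source`
# syntax in this file already assumes.
variable "ssh_allowed_cidr_blocks" {
  description = "CIDR blocks permitted to open SSH (tcp/22) to the web server."
  type        = list(string)

  validation {
    condition     = !contains(var.ssh_allowed_cidr_blocks, "0.0.0.0/0")
    error_message = "ssh_allowed_cidr_blocks must not contain 0.0.0.0/0; restrict SSH to the management CIDR(s)."
  }
}

# Security group for the public web server.
#
# HTTP and HTTPS are intentionally world-reachable. SSH is the management
# plane and is limited to var.ssh_allowed_cidr_blocks instead of 0.0.0.0/0:
# the only thing guarding an internet-exposed port 22 is the "test-key" key
# pair, and the port would be scanned and brute-forced continuously.
resource "aws_security_group" "allow_web" {
  name        = "allow_web_traffic"
  description = "Allow Web inbound traffic"
  vpc_id      = aws_vpc.prod-vpc.id

  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_allowed_cidr_blocks
  }

  # Unrestricted egress is kept because the user_data script in step 9 needs
  # to reach the Ubuntu package mirrors; tighten it once the package set is
  # known (e.g. tcp/80 and tcp/443 only).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_web"
  }
}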
# 7. Create a network interface with an ip in the subnet that was created in step 4
#
# The private IP is fixed to 10.0.1.11 so that the EIP association in step 8
# can name it explicitly. The interface carries the allow_web security group.
resource "aws_network_interface" "web-server-nic" {
  subnet_id       = aws_subnet.subnet-1.id
  private_ips     = ["10.0.1.11"]
  security_groups = [aws_security_group.allow_web.id]
}

# 8. Assign an elastic IP to the network interface created in step 7
# Elastic IP bound to the fixed private address of the web server NIC.
# An EIP cannot be associated before the VPC has an internet gateway, and
# Terraform cannot infer that from the attributes used here, so the
# dependency on the gateway is declared explicitly.
resource "aws_eip" "one" {
  vpc                       = true
  network_interface         = aws_network_interface.web-server-nic.id
  associate_with_private_ip = "10.0.1.11"

  depends_on = [aws_internet_gateway.gw]
}
# Public address of the web server, i.e. the elastic IP from step 8.
output "server_public_ip" {
  value = aws_eip.one.public_ip
}
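# 9. Create Ubuntu server and install/enable apache2
#
# The instance is attached to the pre-built NIC from step 7 (so it inherits
# the fixed private IP, the security group and the EIP) and bootstraps
# Apache through cloud-init user_data.
resource "aws_instance" "web-server-instance" {
  ami               = "ami-07efac79022b86107"
  instance_type     = "t2.micro"
  availability_zone = "us-east-2a" # must match the AZ of subnet-1
  key_name          = "test-key"   # key pair is not managed here; it must already exist in us-east-2

  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.web-server-nic.id
  }

  # Require IMDSv2 session tokens. With the default (optional) setting a
  # request-forgery bug in the web application could fetch the instance's
  # role credentials from 169.254.169.254 with one unauthenticated GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at rest with the account's default EBS key.
  root_block_device {
    encrypted = true
  }

  # cloud-init runs this script once at first boot. The "<<-" heredoc form
  # strips the common leading indentation before the script is sent.
  user_data = <<-EOF
    #!/bin/bash
    sudo apt update -y
    sudo apt install apache2 -y
    sudo systemctl start apache2
    sudo bash -c 'echo "<h1>my first server created by Terraform.</h1>" > /var/www/html/index.html'
    EOF

  tags = {
    Name = "web-server"
  }
}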
# Private address of the web server inside the VPC (10.0.1.11 via the NIC).
output "server_private_ip" {
  value = aws_instance.web-server-instance.private_ip
}
# EC2 instance id of the web server.
output "server_id" {
  value = aws_instance.web-server-instance.id
}
创建自定义role并附加规则、绑定到instance
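# IAM role that the EC2 instance below assumes through its instance profile.
#
# The trust policy restricts who may assume the role to the EC2 service
# principal; the original example left it as the placeholder "...", which is
# not a JSON document and would be rejected at apply time.
resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}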
# Instance profile wrapping the role so it can be attached to an EC2 instance.
# Referencing aws_iam_role.example.name lets Terraform infer that the role is
# created first; no explicit depends_on is needed here.
resource "aws_iam_instance_profile" "example" {
  role = aws_iam_role.example.name
}
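# ARN of the single S3 bucket the instance software is allowed to use. No
# default: the operator supplies it, so the policy can never silently grant
# access to every bucket in the account.
variable "s3_bucket_arn" {
  description = "ARN of the S3 bucket the EC2 instance may access (arn:aws:s3:::<bucket-name>)."
  type        = string
}

# Inline policy granting the instance role access to the S3 API.
#
# Changes from the original example: a Version element (without it the policy
# is evaluated under the 2008 language, which lacks policy variables) and a
# Resource element scoped to one bucket and its objects. Identity-based
# policies are rejected by IAM without a Resource, and "s3:*" on "*" would
# expose every bucket in the account to anything running on the instance.
# Narrow "s3:*" further to the specific actions the software needs once they
# are known (e.g. s3:GetObject, s3:ListBucket).
resource "aws_iam_role_policy" "example" {
  name = "example"
  role = aws_iam_role.example.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "InstanceS3Access"
        Effect = "Allow"
        Action = "s3:*"
        Resource = [
          var.s3_bucket_arn,
          "${var.s3_bucket_arn}/*",
        ]
      },
    ]
  })
}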
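# EC2 instance that runs with the "example" role via its instance profile.
#
# The AMI id is a placeholder from the upstream example and must be replaced
# with a real image for the target region.
resource "aws_instance" "example" {
  ami           = "ami-a1b2c3d4" # placeholder, not a real AMI
  instance_type = "t2.micro"

  # iam_instance_profile takes the profile *name* (a string); the original
  # passed the whole resource object, which is a type error in Terraform
  # 0.12+. Referencing the attribute still lets Terraform infer that the
  # instance profile must be created before the EC2 instance.
  iam_instance_profile = aws_iam_instance_profile.example.name

  # Require IMDSv2 so the role credentials exposed through the instance
  # metadata service cannot be read by a plain unauthenticated GET from a
  # compromised or request-forging process on the instance.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # If software running in this EC2 instance needs access to the S3 API in
  # order to boot properly, there is also a "hidden" dependency on the
  # aws_iam_role_policy that Terraform cannot infer from any attribute used
  # above, so it must be declared explicitly.
  depends_on = [
    aws_iam_role_policy.example,
  ]
}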