Terraform-Lightsail

Transcript

1. 2020/06/18 גࣜձࣾΤεπʔ ࠤ౻ ༏थ Terraform Ͱ LightsailΛߏஙͯ͠Έͨ ͸͡ΊͯͷTerraform

2. ࣗݾ঺հ 
   ࠤ౻
   ༏थ
   
   !LBCBZBO@
   
   
   
   
   
   
   
   ࣾ಺Ͱ͸ʮ͔͹ͪΌΜʯͱݺ͹Εͯ·͢ɻ
   
   ٶ৓ݝઋ୆ࢢ
   ࡏॅ
   
   גࣜձࣾ
   Τεπʔ
   
   
   
   
   
   ΠϯϑϥΤϯδχΞ
   8FCܥΞϓϦͷ͓٬͞Μ͕ଟ͍Ͱ͢
   
   
   ओʹΦϯϓϨϛε؀ڥͱ"84؀ڥͷߏஙɾ؂ࢹۀ຿
   
   
   ࠷͓ۙ٬͞Μ΋ΦϯϓϨϛε؀ڥ͔Β"84؀ڥ΁ঃʑʹҠߦ

3. ΞδΣϯμ • Terra Formͱ͸ • جૅ஌ࣝ ؆୯ͳ࢓૊Έ ϑΝΠϧߏ଄ ϑΝΠϧͷه๏ •

   Trraform Ͱ Lightsail Λ࡞੒ • ֶश՝୊ • ·ͱΊ

4. TerraForm ͱ͸ • HashiCorpʹΑͬͯ࡞੒͞ΕͨInfrastructure as Code Λ࣮ݱ͢ΔOSS • એݴతͳίʔυ(HCL)ͰΠϯϑϥετϥΫνϟΛهड़Ͱ͖Δ •

   ༷ʑͳΫϥ΢υϕϯμʔͷαʔϏεΛૢ࡞͢Δ͜ͱ͕Ͱ͖Δ • มߋΛ൓ө͢ΔલʹɺมߋՕॴͷ֬ೝ͕ೖΔͷͰ҆৺ͯ͠มߋͰ͖Δɻ

5. جૅ஌ࣝ [࢓૊ฤ] • ࡞ۀ༻σΟϨΫτϦΛ࡞੒ • AWSΫϨσϯγϟϧͷઃఆ • ߏ੒ϑΝΠϧΛ࡞੒ • ॳظԽ͠ɺඞཁͳϓϥάΠϯɾ

   tfstateϑΝΠϧ͕࡞੒͞ΕΔ • ϑΝΠϧ࡞੒ޙʹɺυϥΠϥϯ • σϓϩΠ(ߏங) Ҿ༻ݩ: https://www.terraform.io/

6. جૅ஌ࣝ [ϑΝΠϧߏ଄] • tfstate ϑΝΠϧ tfstateϑΝΠϧʹΑͬͯߏ੒͕؅ཧ͞Ε͍ͯΔɻ νʔϜ։ൃͷ৔߹͸S̏ʹΞοϓϩʔυ • provider.tf ͲͷΫϥ΢υαʔϏεΛ࢖༻͢Δ͔هࡌ

   • backend.tf tfstateϑΝΠϧΛS̏ʹΞοϓϩʔυ͢ΔͨΊʹهࡌ • versions.tf Terraform ͷόʔδϣϯΛهࡌ(Version ̌.̍̎ ΑΓલ͸ه๏ͳͲ͕มΘ͍ͬͯΔ ͨΊ) • main.tf ϦιʔεΛهࡌ

7. جૅ஌ࣝ [֤ϒϩοΫͷ঺հ] • provider ϒϩοΫ ϓϩύΠμʔΛهड़͢Δ (AWS, GCP, AzureͳͲ) Ϧʔδϣϯ΋هࡌ

   • terraform ϒϩοΫ όοΫΤϯυઌ΍Terraform ͷόʔδϣϯΛ໌ࣔతʹࢦఆ • variable ϒϩοΫ ม਺Λఆٛ • resource ϒϩοΫ ࡞੒͍ͨ͠ϦιʔεΛهड़ $ resource "Ϧιʔε໊" "ϩʔΧϧ໊" {} • output ϒϩοΫ • ஋ͷग़ྗ (EIPͳͲඞཁͳ৘ใΛ࡞੒ίϚϯυ࣮ߦޙʹग़ྗͰ͖Δ)

8. Trraform Ͱ Lightsail Λ࡞੒ [ΞΧ΢ϯτઃఆ] ## AWSΞΧ΢ϯτઃఆ $ export AWS_PROFILE=satyu-lightsail

   $ export AWS_DEFAULT_REGION=ap-northeast-1 ## ֬ೝ $ aws sts get-caller-identity --query Account --output text ---- xxxxxxxxxxxx ---- ## tfstateϑΝΠϧอଘ༻όέοτ࡞੒ # ม਺ఆٛ $ backetName='lightsail-test.tfbackend' $ region='ap-northeast-1' $ aws_profile='satyu-lightsail' # όέοτ࡞੒ $ aws s3api create-bucket --bucket "${backetName}" --create-bucket-configuration LocationConstraint="${region}" # όʔδϣχϯά༗ޮԽ $ aws s3api put-bucket-versioning --bucket "${backetName}" --versioning-configuration Status=Enabled $ aws s3api get-bucket-versioning --bucket "${backetName}" ---- { "Status": "Enabled" } ----

9. Trraform Ͱ Lightsail Λ࡞੒ [֤ϑΝΠϧ࡞੒] # provider.tf (ϓϩύΠμͷઃఆ) ---- provider

   "aws" { region = "ap-northeast-1" } ---- # backend.tf (όοΫΤϯυͷઃఆ) ---- terraform { backend "s3" { } ---- # versions.tf (Terraformόʔδϣϯͷઃఆ) ---- terraform { required_version = ">= 0.12" } ---- ▪ॳظԽ(όοΫΤϯυͷS3όέοτΛࢦఆ) $ terraform init \ -backend=true \ -backend-config="bucket=${backetName}" \ -backend-config="key=terraform.tfstate" \ -backend-config="region=${region}"

10. Trraform Ͱ Lightsail Λ࡞੒ [mainϑΝΠϧ࡞੒] main.tf --- variable "Instance_name" {}

    variable "OS_name" {} variable "Instance_type" {} ## Lightsail Key Pair resource "aws_lightsail_key_pair" "key_pair" { name = "key_pair_${var.Instance_name}" public_key = "${file("./terraform-test.key.pub")}" } ## Get static ip resource "aws_lightsail_static_ip" "static_ip" { name = "${var.Instance_name}_static_ip" } ## Instance Create resource "aws_lightsail_instance" "instance" { name = "${var.Instance_name}" availability_zone = "ap-northeast-1a" blueprint_id = "${var.OS_name}" bundle_id = "${var.Instance_type}" key_pair_name = "${aws_lightsail_key_pair.key_pair.name}" } ## attachment static ip resource "aws_lightsail_static_ip_attachment" "static_ip_attachment" { static_ip_name = "${aws_lightsail_static_ip.static_ip.name}" instance_name = "${aws_lightsail_instance.instance.name}" } output "static_ip" { value = "${aws_lightsail_static_ip.static_ip.ip_address}" } ----

11. Trraform Ͱ Lightsail Λ࡞੒ ▪ߏங಺༰ͷ֬ೝ $ terraform plan -var "Instance_name=lightsail-tf-test"

    -var "OS_name=centos_7_1901_01" -var "Instance_type=nano_2_0" ---- Plan: 4 to add, 0 to change, 0 to destroy. ---- ▪Lightsail࡞੒ $ terraform apply -var "Instance_name=lightsail-tf-test" -var "OS_name=centos_7_1901_01" -var "Instance_type=nano_2_0" ---- Apply complete! Resources: 4 added, 0 changed, 0 destroyed. Outputs: static_ip = 54.250.62.209 ---- ͦΕͧΕɺઃఆ߲ͨ͠໨ʹͳΓ ੩తIP΋औಘͰ͖͍ͯΔɻ

12. ͜͜Ͱ;ͱؾ͖ͮ·ͨ͠ɻɻɻ

13. Lightsail࡞੒͚ͩͳΒAWS CLIͰे෼Ͱ͸...

14. ࣮͸͜Ε͚ͩͰߏஙͰ͖ͪΌ͍·͢ (^^;; ## Πϯελϯε࡞੒ $ aws lightsail create-instances \ --instance-names

    lightsail-tf-test \ --blueprint-id centos_7_1901_01 \ --bundle-id nano_2_0 \ --region ap-northeast-1 \ --availability-zone ap-northeast-1a ## ੩తIPͷऔಘ $ aws lightsail allocate-static-ip --static-ip-name lightsail-tf-test-static-ip ## ੩తIPͷΞλον $ aws lightsail attach-static-ip \ --static-ip-name lightsail-tf-test-static-ip \ --instance-name lightsail-tf-test

15. TerraFormͳͲͷߏ੒؅ཧπʔϧ͸͜ͷΑ͏ʹ༷ʑͳαʔϏεΛར༻͢Δ৔߹ʹศརʂ ͔ͤͬ͘ͳͷͰLightsailߏங࣌ʹ AWS System ManagerͷઃఆΛίʔυԽ

16. AWS System Managerઃఆʹඞཁͳ͜ͱ • IAMϩʔϧͷ࡞੒ (ϙϦγʔ: AmazonSSMManagedInstanceCore) • ϋΠϒϦοτΞΫςΟϕʔγϣϯͷొ࿥ •

    Πϯελϯε΁SSM-AgentͷΠϯετʔϧ • ΞΫςΟϕʔγϣϯίʔυɾΞΫςϕʔγϣϯIDΛొ࿥ • ϚωʔδυΠϯελϯε΁ొ࿥͞Ε͍ͯΔ͜ͱΛ֬ೝ • ηογϣϯϚωʔδϟ઀ଓ֬ೝ

17. Trraform Ͱ Lightsail Λ࡞੒ [SSM ొ࿥ฤ] main.tf ---- ## session_manager

    resource "aws_iam_role" "SSMServiceRole-tf" { name = "SSMServiceRole-tf" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"}, "Action": "sts:AssumeRole" } } EOF } resource "aws_iam_role_policy_attachment" "role_attach" { role = "${aws_iam_role.SSMServiceRole-tf.name}" policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" } resource "aws_ssm_activation" "activation" { name = "${var.Instance_name}" description = "session_manager_${var.Instance_name}" iam_role = "${aws_iam_role.SSMServiceRole-tf.id}" registration_limit = "1" depends_on = ["aws_iam_role_policy_attachment.role_attach"] } ----

18. Trraform Ͱ Lightsail Λ࡞੒ [SSM ొ࿥ฤ] ## Instance Create resource

    "aws_lightsail_instance" "instance" { name = "${var.Instance_name}" availability_zone = "ap-northeast-1a" blueprint_id = "${var.OS_name}" bundle_id = "${var.Instance_type}" key_pair_name = "${aws_lightsail_key_pair.key_pair.name}" user_data = <<EOF #/bin/bash yum update -y yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm- agent.rpm systemctl stop amazon-ssm-agent amazon-ssm-agent -register -code ${aws_ssm_activation.activation.activation_code} -id $ {aws_ssm_activation.activation.id} -region "ap-northeast-1" systemctl start amazon-ssm-agent systemctl enable amazon-ssm-agent EOF } ϙΠϯτ͸user_dataʹώΞυΩϡϝϯτͰهࡌ͢ΔͱɺTerraformͷม਺͕࢖༻Ͱ͖Δ͜ͱɻ

19. Trraform Ͱ Lightsail Λ࡞੒ [SSM ొ࿥ฤ]

20. Trraform Ͱ Lightsail Λ࡞੒ [SSM ొ࿥ฤ]

21. ֶश՝୊ • EC̎΍VPCͦͷଞͷϦιʔε΋Terraform Ͱߏஙͯ͠Έ͍ͨ ӈਤͷΑ͏ͳWAFͳͲ࢖͏έʔε (ࢀߟ: https://dev.classmethod.jp/articles/terraform-supports-aws-waf-in-v-0-7-8/)

22. ·ͱΊ • ͪΐͬͱ৮ͬͯΈ͚ͨͩͰ͕͢ɺTerraform͸جຊߏจͳͲΘ͔Γ΍͍͢ ެࣜυΩϡϝϯτ΍ɺࣄྫ͕ͨ͘͞Μ͋ΔͷͰݕࡧ͠΍͍͢ νʔϜӡ༻ํ๏͕Πϝʔδग़དྷ͍ͯͳ͍ͷ͕՝୊ • ϑΝΠϧߏ੒΍ઃܭ͸͔ͬ͠Γ͠ͳ͍ͱίʔυԽ͕େมͦ͏ • ҙ֎ͱࢥͬͨ௨Γʹಈ͍ͯ͘ΕΔͷͰָ͍͠ʂʂ

23. ࢀߟจݙ <ॻ੶>
    ࣮ફ5FSSBGPSNɹ"84ʹ͓͚ΔγεςϜઃܭͱϕετϓϥΫςΟε
    ٕज़ͷઘγϦʔζ
    <ࢀߟαΠτ>
    ެࣜ
    IUUQTXXXUFSSBGPSNJPEPDTQSPWJEFSTBXTSMJHIUTBJM@JOTUBODFIUNM
    ࢀߟ
    "NB[PO
    -JHIU4BJMΛγϡοͱ࡞Δ
    IUUQTXXXUFDIDFFEJODDPNFOHJOFFS@CMPH
    

    ࢀߟ
    5FSSBGPSN
    
    ࢓૊Έͱಋೖ෦෼Λ؆୯ʹ·ͱΊͯΈΔ IUUQTRJJUBDPNBOGBOHEJUFNT DDGGDFE
    ࢀߟ
    5FSSBGPSNೖ໳ࢿྉ WରԠ
    dجຊ஌͔ࣝΒઃܭ΍ӡ༻ɺ஌͓ͬͯ͘΂͖UJQT·Ͱd
    IUUQTRJJUBDPNGVLVCBLBJUFNTCFEDD
    

24. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ