AWS


S3 ACLのデフォルト無効化とエラー

記事:


NLBのIPを取得


aws_ec2_instance_state: ec2の起動/停止


route53:

記事:

Import:


EBSでgp3を設定

1GBあたりのストレージ料金は20%程度安い。

3,000IOPSまで無料かつ、ベースラインとして保証される。

スループットは125MB/秒まで無料かつ、ベースラインとして保証される。


default_tags: AWSリソースすべてにデフォルトタグを付ける


AWS Provider Version 4でエラー


AWS Provider Version 3でエラー


is set of object with XX elements


既存リソースの参照


data.aws_instance(s): 既存EC2の参照

data "aws_instances" "web" {
  instance_tags = {
    "Name" = "web-*"
  }

  instance_state_names = ["running", "stopped"]
}

# 参照する場合
# count   = length(data.aws_instances.web.ids)
# data.aws_instances.web.public_ips[count.index]

AWS regionの取得

// "${data.aws_region.main.name}" として参照できる
data "aws_region" "main" {}

AWS account_id/arn/user_idの取得

// "${data.aws_caller_identity.main.account_id}" として参照できる
data "aws_caller_identity" "main" {}

AMI


s3 bucketとobjectの生成

resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
  acl    = "private"
}

locals {
  s3_objects = [
    {
      key : "index.html"
      source : "contents/index.html"
    },
    {
      key: "top.html"
      source: "contents/top.html"
    }
  ]
}

resource "aws_s3_bucket_object" "object" {
  count  = length(local.s3_objects)
  bucket = aws_s3_bucket.example.id
  key    = local.s3_objects[count.index].key
  source = local.s3_objects[count.index].source
}

root_block_device,ebs_block_deviceで分けて処理をしたい

resource "null_resource" "backup_web_ebs1" {
  count         = length(aws_instance.web)
  provisioner "local-exec" {
    command = <<EOD
aws ec2 create-tags \
--tags Key=backup:DailyBackup7Days,Value=${count.index == 0 ? true : false} \
--resources ${element(aws_instance.web[count.index].ebs_block_device[*].volume_id, 0)} \
--profile ${var.aws_profile} \
--region ${var.aws_region}
EOD
  }
}
locals {
  web_ebs1 = "${flatten(aws_instance.web.*.ebs_block_device)}"
}

resource "null_resource" "backup_web_ebs1" {
  count         = "${length(aws_instance.web.*.id)}"
  provisioner "local-exec" {
    command = <<EOD
aws ec2 create-tags \
--tags Key=backup:DailyBackup7Days,Value=${count.index == 0 ? true : false} \
--resources ${lookup(local.web_ebs1[count.index], "volume_id")} \
--profile ${var.aws_profile} \
--region ${var.aws_region}
EOD
  }
}

aws_instance 内の ebs_block_device の volume_id の参照

output "ebs_test01" {
  value = "${aws_instance.web[0].ebs_block_device}"
}

# 結果
ebs_test01 = [
 {
   "delete_on_termination" = true
   "device_name" = "/dev/sdf"
   "encrypted" = false
   "iops" = 100
   "kms_key_id" = ""
   "snapshot_id" = ""
   "volume_id" = "vol-0123456789abcdef"
   "volume_size" = 5
   "volume_type" = "gp2"
 },
]

output "ebs_test02" {
  value = "${aws_instance.web[0].ebs_block_device[0].volume_id}"
}

# 結果: エラー
# Block type "ebs_block_device" is represented by a set of objects, and set
# elements do not have addressable keys. To find elements matching specific
# criteria, use a "for" expression with an "if" clause.

output "ebs_test03" {
  value = "${element(aws_instance.web[0].ebs_block_device[*].volume_id, 0)}"
}

# 結果
ebs_test03 = vol-0123456789abcdef
output "ebs_test01" {
  value = "${aws_instance.web.*.ebs_block_device}"
}

# result
ebs_test01 = [
    [
        map[delete_on_termination:1 device_name:/dev/sdf encrypted:1 iops:100 snapshot_id: volume_id:vol-0123456789abcdef volume_size:5 volume_type:gp2]
    ],
    [
        map[delete_on_termination:1 device_name:/dev/sdf encrypted:1 iops:100 snapshot_id: volume_id:vol-0f50829f1dfbc02ca volume_size:5 volume_type:gp2]
    ]
]

output "ebs_test02" {
  value = "${lookup(aws_instance.web.0.ebs_block_device[0], "volume_id")}"
}

# result
ebs_test02 = vol-0123456789abcdef

output "ebs_test04" {
  value = "${slice(flatten(aws_instance.web.*.ebs_block_device[0]), 0, 1)}"
}

# result
ebs_test04 = [
    {
        delete_on_termination = 1,
        device_name = /dev/sdf,
        encrypted = 1,
        iops = 100,
        snapshot_id = ,
        volume_id = vol-0123456789abcdef,
        volume_size = 5,
        volume_type = gp2
    }
]

ACM


EC2を作る時は、リソース毎に分ける

AWS上のIDが分かれているリソース(EC2, EBS, SecurityGroup)を作る場合、ID毎にリソースを分けて作成する事で保守性が上がる。


SNSメッセージをSlackへ通知



Lambda


CloudFront


WAF


policy jsonの代わりに aws_iam_policy_document を使う

terraformのドキュメントの例には「policy = <json>」のように書いてある部分もあるが、毎回差分が出る不具合があるので、aws_iam_policy_documentを使うと良さそう。

記事:


既存EC2にIAM roleを付けたい


セキュリティグループのルールはaws_security_group_ruleを使う


No valid credential sources found for AWS Provider.


tfファイル内で複数AWSアカウント、複数リージョンを扱う


VPC Peering


EC2起動時にuser_dataを渡す


セキュリティグループを後から変更しようとするとEC2を作り直してしまう


aws_nat_gateway


複数リソースの指定

variable "ec2_subnets" { default = ["subnet-xxxx","subnet-xxxx","subnet-xxxx"] }

resource "aws_instance" "web" {
...
  count     = 4
  subnet_id = "${var.ec2_subnets[count.index % length(var.ec2_subnets)]}"
}

RDS

AWS: aws_db_instance - Terraform by HashiCorp


EC2-Classic上に作る場合の注意

classic network上にRDSを作る場合にsubnetのエラーが出る。v0.12.30 で確認

Error: Error creating DB Instance: InvalidVPCNetworkStateFault: Cannot create the DB Instance because db subnet group has not been specified which is required for a private DBInstance creation.

解決:


VPCの作成


トップ   編集 凍結 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 検索 最終更新   ヘルプ   最終更新のRSS
Last-modified: 2023-06-19 (月) 16:34:46