2019年2月 AWSで学んだことについてまとめる

  • Feb 14, 2019
  • AWS

仕事や個人でAWSを触る機会が増えたので、雰囲気で扱うのが厳しくなってきた。 なので勉強したことをまとめておく。

ぶっちゃけまだわかってない部分が多すぎるけど、現状を知るのも大事なはず。

terraformの命名がナンセンスなのはご愛嬌

構成図

WIP

Route53

# Existing public hosted zone that will hold the NS delegation for the
# zone declared below. The trailing dot makes the lookup name fully qualified.
data "aws_route53_zone" "parent" {
  private_zone = false
  name         = "takeokunn.xyz."
}

# Public hosted zone that actually serves the records for takeokunn.xyz.
# Its four assigned name servers are published into the parent zone by the
# NS record below.
resource "aws_route53_zone" "takeokunn-xyz-public" {
  name = "takeokunn.xyz"
}

# Delegation: publish the new zone's name servers as an NS record inside the
# parent zone. 172800 s = 48 h, the usual long TTL for delegation records.
resource "aws_route53_record" "takeokunn-xyz-NS" {
  name    = "takeokunn.xyz"
  type    = "NS"
  ttl     = "172800"
  zone_id = "${data.aws_route53_zone.parent.zone_id}"

  # Route53 assigns exactly four name servers to a public hosted zone;
  # each is referenced by index here.
  records = [
    "${aws_route53_zone.takeokunn-xyz-public.name_servers.0}",
    "${aws_route53_zone.takeokunn-xyz-public.name_servers.1}",
    "${aws_route53_zone.takeokunn-xyz-public.name_servers.2}",
    "${aws_route53_zone.takeokunn-xyz-public.name_servers.3}",
  ]
}

# Apex A record pointing at the load balancer via a Route53 alias (no static
# IP is involved, so a TTL is not set on the record itself).
resource "aws_route53_record" "takeokunn-xyz-A" {
  name    = "takeokunn.xyz"
  type    = "A"
  zone_id = "${aws_route53_zone.takeokunn-xyz-public.zone_id}"

  # A routing policy is in use, so the record needs a set identifier.
  set_identifier = "takeokunn-xyz-A"

  # "*" is the default geolocation entry: it answers every query that no more
  # specific geolocation record matches (there are none here).
  geolocation_routing_policy {
    country = "*"
  }

  alias {
    zone_id                = "${aws_alb.takeokunn-xyz.zone_id}"
    name                   = "${aws_alb.takeokunn-xyz.dns_name}"
    # Let Route53 consult the ALB's health before returning the alias.
    evaluate_target_health = true
  }
}

# One DNS-validation record per domain_validation_options entry of the ACM
# certificate. Name, type and value are all dictated by ACM; only the zone and
# TTL are ours to choose.
resource "aws_route53_record" "takeokunn-xyz-CNAME" {
  count   = "${length(aws_acm_certificate.takeokunn-xyz.domain_validation_options)}"
  zone_id = "${aws_route53_zone.takeokunn-xyz-public.zone_id}"
  ttl     = "300"

  name    = "${lookup(aws_acm_certificate.takeokunn-xyz.domain_validation_options[count.index],"resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.takeokunn-xyz.domain_validation_options[count.index],"resource_record_type")}"
  records = ["${lookup(aws_acm_certificate.takeokunn-xyz.domain_validation_options[count.index], "resource_record_value")}"]
}

大体押さえとけばよいのは以下の2点

  • routing policy
  • public/private dns

routing policy

public/private dns

AWS Certificate Manager

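# Public certificate for takeokunn.xyz, proven by DNS validation (the CNAME
# records are created by aws_route53_record.takeokunn-xyz-CNAME).
resource "aws_acm_certificate" "takeokunn-xyz" {
  domain_name       = "takeokunn.xyz"
  validation_method = "DNS"

  tags {
    Environment = "production"
  }

  # A certificate that is attached to a listener cannot be deleted first, so a
  # replacement must exist before the old one goes away; without this, any
  # change that forces a new certificate fails mid-apply.
  lifecycle {
    create_before_destroy = true
  }
}

# Waits until ACM has observed the validation CNAMEs and actually issued the
# certificate. Anything that consumes the certificate (the HTTPS listener)
# should read its ARN from this resource's certificate_arn rather than from
# the raw aws_acm_certificate, so it is not created while issuance is pending.
resource "aws_acm_certificate_validation" "takeokunn-xyz" {
  certificate_arn         = "${aws_acm_certificate.takeokunn-xyz.arn}"
  validation_record_fqdns = ["${aws_route53_record.takeokunn-xyz-CNAME.*.fqdn}"]
}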

参考

VPC

# Single VPC for the site. A /18 gives 16384 addresses, which the public
# subnets below carve into /20 blocks with cidrsubnet().
resource "aws_vpc" "takeokunn-xyz" {
  instance_tenancy     = "default"
  cidr_block           = "10.10.128.0/18"
  # Needed so instances get resolvable DNS hostnames inside the VPC.
  enable_dns_hostnames = true

  tags {
    Name = "takeokunn-xyz"
  }
}

# Internet gateway attached to the VPC; the public route table's default
# route points at it.
resource "aws_internet_gateway" "takeokunn-xyz" {
  tags {
    Name = "takeokunn-xyz"
  }

  vpc_id = "${aws_vpc.takeokunn-xyz.id}"
}

# Route table shared by every public subnet. Routes are declared separately
# (aws_route.public-default) rather than inline.
resource "aws_route_table" "public" {
  tags {
    Name = "takeokunn-xyz-public"
  }

  vpc_id = "${aws_vpc.takeokunn-xyz.id}"
}

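# Attach the public route table to each public subnet.
#
# The count mirrors aws_subnet.public, which is sized by length(local.azs).
# Sizing this from data.aws_availability_zones instead (as before) can drift
# from the subnet count: element() wraps around, so a subnet would be
# associated twice and the apply fails, or some subnets would be skipped.
resource "aws_route_table_association" "public" {
  count          = "${length(local.azs)}"
  route_table_id = "${aws_route_table.public.id}"
  subnet_id      = "${element(aws_subnet.public.*.id, count.index)}"
}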

# Default route: everything not local to the VPC leaves through the
# internet gateway. This is what makes the "public" subnets public.
resource "aws_route" "public-default" {
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = "${aws_internet_gateway.takeokunn-xyz.id}"
  route_table_id         = "${aws_route_table.public.id}"

  # The route_table_id reference above already orders this after the route
  # table; the explicit depends_on is kept for readability only.
  depends_on = ["aws_route_table.public"]
}

大体押さえとけば良いのは以下の3点

  • IP CIDR
  • Network ACL
  • Route Table

IP CIDR

CIDRは、IPアドレスとサブネットマスクを一緒に表記する方法。例えば上の `10.10.128.0/18` は、先頭18ビットがネットワーク部であることを表す。

Network ACL

Route Table

Subnet

# One public subnet per availability zone listed in local.azs.
#
# cidrsubnet(vpc_cidr, 2, n) splits the /18 into four /20 blocks numbered
# 0..3; count.index + 2 uses blocks 2 and 3, so this only works while
# local.azs has at most two entries — a third AZ would ask for block 4, which
# does not exist. (local.azs is defined outside this listing — verify.)
#
# map_public_ip_on_launch is left at its default, so instances here do not
# get automatic public IPs; the EC2 host is reached through aws_eip.ec2.
resource "aws_subnet" "public" {
  count = "${length(local.azs)}"

  availability_zone = "${element(local.azs, count.index)}"
  cidr_block        = "${cidrsubnet(aws_vpc.takeokunn-xyz.cidr_block, 2, count.index + 2)}"
  vpc_id            = "${aws_vpc.takeokunn-xyz.id}"

  tags {
    Name = "takeokunn-xyz-public-${element(local.azs, count.index)}"
  }
}

大体押さえとけば良いのは以下の2点

  • availability zone
  • cidr_block

availability zone

cidr_block

VPC内に収めるようにcidr_blockを設定する

Load Balancer

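# Internet-facing application load balancer spread across the public subnets.
# It terminates TLS (see the HTTPS listener) and forwards plain HTTP to the
# target group, so the instance must only be reachable from aws_security_group.lb.
resource "aws_alb" "takeokunn-xyz" {
  name            = "takeokunn-xyz-alb"
  internal        = false
  security_groups = ["${aws_security_group.lb.id}"]
  subnets         = ["${aws_subnet.public.*.id}"]

  # Off so that `terraform destroy` can remove the whole stack. For a
  # production-tagged LB, true is the safer setting; changing it is a
  # workflow decision, so it is left as the author set it.
  enable_deletion_protection = false

  tags {
    Environment = "production"
  }

  # Access logs are the main forensic record for an internet-facing LB.
  # `enabled` is set explicitly because the provider default has differed
  # between versions; without it a configured bucket may silently get nothing.
  access_logs {
    enabled = true
    bucket  = "${aws_s3_bucket.alb_logs.bucket}"
    prefix  = "takeokunn-xyz-alb"
  }
}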

# HTTP target group the HTTPS listener forwards to. Targets are registered
# separately (aws_lb_target_group_attachment.takeokunn-xyz).
resource "aws_alb_target_group" "takeokunn-xyz" {
  vpc_id   = "${aws_vpc.takeokunn-xyz.id}"
  name     = "takeokunn-xyz"
  protocol = "HTTP"
  port     = 80

  # Seconds a deregistering target keeps draining in-flight requests.
  deregistration_delay = 30

  # Probe GET / on the target's traffic port and require a 200.
  # With interval = 150 and unhealthy_threshold = 2, a dead target is only
  # marked unhealthy after ~300 s; healthy_threshold is not set, so the
  # provider default applies for the return to service. Tighten the
  # interval if faster failover matters.
  health_check {
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = "/"
    matcher             = "200"
    interval            = 150
    timeout             = 5
    unhealthy_threshold = 2
  }
}

# Port 80 never serves content: every request is answered with a permanent
# redirect to the same host and path over HTTPS.
resource "aws_alb_listener" "http-redirect" {
  protocol          = "HTTP"
  port              = "80"
  load_balancer_arn = "${aws_alb.takeokunn-xyz.arn}"

  default_action {
    type = "redirect"

    redirect {
      # 301 so clients and caches remember the HTTPS location.
      status_code = "HTTP_301"
      protocol    = "HTTPS"
      port        = "443"
    }
  }
}

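# TLS termination for takeokunn.xyz; decrypted traffic is forwarded to the
# HTTP target group.
resource "aws_alb_listener" "takeokunn-xyz-https" {
  load_balancer_arn = "${aws_alb.takeokunn-xyz.arn}"
  port              = "443"
  protocol          = "HTTPS"

  # Pin the negotiation policy. When ssl_policy is omitted the listener falls
  # back to the ELB default policy, which still accepts TLS 1.0 and 1.1; this
  # predefined policy restricts clients to TLS 1.2.
  ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"

  # NOTE(review): this is the raw certificate ARN. If an
  # aws_acm_certificate_validation resource is introduced, read the ARN from
  # its certificate_arn so the listener is not created while the certificate
  # is still pending validation.
  certificate_arn = "${aws_acm_certificate.takeokunn-xyz.arn}"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_alb_target_group.takeokunn-xyz.arn}"
  }
}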

# Register the single EC2 instance as the target group's only member, on the
# plain-HTTP port the ALB forwards to. The instance's own security group (not
# shown here) should admit port 80 only from aws_security_group.lb so the ALB
# cannot be bypassed.
resource "aws_lb_target_group_attachment" "takeokunn-xyz" {
  port             = 80
  target_id        = "${aws_instance.takeokunn-xyz.id}"
  target_group_arn = "${aws_alb_target_group.takeokunn-xyz.arn}"
}

大体押さえとけば良いのは以下の2点

  • listener
  • target group

listener / target group

Elastic IPs

# Static public address bound directly to the EC2 instance (the VPC flavour
# of EIP). Because the same instance is also an ALB target, this address is a
# second, direct path to the host: TLS termination and access logging on the
# ALB do not apply to it, so the instance security group must not expose the
# application port to 0.0.0.0/0.
resource "aws_eip" "ec2" {
  vpc      = true
  instance = "${aws_instance.takeokunn-xyz.id}"

  tags {
    Name = "takeokunn.xyz"
  }
}

わからないこと

  • IAM周り
    • そもそもちゃんと調べきれていない
    • 実際にterraformでどうやって運用していくのかわかっていない
  • EC2
    • AMI周り
    • Elastic Block Store周り
  • Auto Scaling
    • 仕組み
  • S3
    • そもそもちゃんと調べきれていない
  • terraform運用
    • directory分けた時の実行の仕方
    • tfstateの扱い方(s3で管理など)