VPC Provisioning
In here we will look at how to provision a VPC in AWS that is similar to what we discussed earlier. In addition to what's included in the previous section, I will create a NAT gateway. That allows private subnets to access internet (but not the other way around).
First, as usual let's create a file with the name vars.tf,
variable "AWS_REGION" {
default = "eu-west-1"
}Then let's create a file with the name provider.tf,
provider "aws" {
region = var.AWS_REGION
}Then we can create a file with the name vpc.tf to define out VPC,
# Internet VPC
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
instance_tenancy = "default"
enable_dns_support = "true"
enable_dns_hostnames = "true"
enable_classiclink = "false"
tags = {
Name = "main"
}
}
# Public subnets
resource "aws_subnet" "main-public-1" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
map_public_ip_on_launch = "true"
availability_zone = "eu-west-1a"
tags = {
Name = "main-public-1"
}
}
resource "aws_subnet" "main-public-2" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.2.0/24"
map_public_ip_on_launch = "true"
availability_zone = "eu-west-1b"
tags = {
Name = "main-public-2"
}
}
resource "aws_subnet" "main-public-3" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.3.0/24"
map_public_ip_on_launch = "true"
availability_zone = "eu-west-1c"
tags = {
Name = "main-public-3"
}
}
# Private subnets
resource "aws_subnet" "main-private-1" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.4.0/24"
map_public_ip_on_launch = "false"
availability_zone = "eu-west-1a"
tags = {
Name = "main-private-1"
}
}
resource "aws_subnet" "main-private-2" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.5.0/24"
map_public_ip_on_launch = "false"
availability_zone = "eu-west-1b"
tags = {
Name = "main-private-2"
}
}
resource "aws_subnet" "main-private-3" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.6.0/24"
map_public_ip_on_launch = "false"
availability_zone = "eu-west-1c"
tags = {
Name = "main-private-3"
}
}
# Internet GW
resource "aws_internet_gateway" "main-gw" {
vpc_id = aws_vpc.main.id
tags = {
Name = "main"
}
}
# route tables
resource "aws_route_table" "main-public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main-gw.id
}
tags = {
Name = "main-public-1"
}
}
# route associations public
resource "aws_route_table_association" "main-public-1-a" {
subnet_id = aws_subnet.main-public-1.id
route_table_id = aws_route_table.main-public.id
}
resource "aws_route_table_association" "main-public-2-a" {
subnet_id = aws_subnet.main-public-2.id
route_table_id = aws_route_table.main-public.id
}
resource "aws_route_table_association" "main-public-3-a" {
subnet_id = aws_subnet.main-public-3.id
route_table_id = aws_route_table.main-public.id
}In here, first we define our VPC. It has the IP range of 10.0.0.0/16. Then we set the instance tenancy to default. Which means multiple instances in one physical hardware. The we enable DNS support and hostnames, which gives private host and domain names for instances within the VPC.
Then we define 3 public subnets with their own address spaces. These subnets are linked to the VPC via the vpc_id property. Each subnet will receive it's own public IP address when launching them. Next are the private sunets, but the only difference in there are that those won't get a public IP address when launching.
Next, we fine an internet gateway linked to our VPC that facilitates public internet access. Then we define a route table associated with our VPC to define our routing rules. The routes are associated with the gateway too.
Finally, we definte the route associations for all three public subnets.
Next, create a file with the name nat.tf,
# nat gw
resource "aws_eip" "nat" {
vpc = true
}
resource "aws_nat_gateway" "nat-gw" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.main-public-1.id
depends_on = [aws_internet_gateway.main-gw]
}
# VPC setup for NAT
resource "aws_route_table" "main-private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat-gw.id
}
tags = {
Name = "main-private-1"
}
}
# route associations private
resource "aws_route_table_association" "main-private-1-a" {
subnet_id = aws_subnet.main-private-1.id
route_table_id = aws_route_table.main-private.id
}
resource "aws_route_table_association" "main-private-2-a" {
subnet_id = aws_subnet.main-private-2.id
route_table_id = aws_route_table.main-private.id
}
resource "aws_route_table_association" "main-private-3-a" {
subnet_id = aws_subnet.main-private-3.id
route_table_id = aws_route_table.main-private.id
}In here we first create a static IP address. Then we define our NAT gateway by associating it with the main gateway. Next we create route associates for out private subnet associated with the NAT gateway.
Initialize the providers,
$ terraform init
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.39.0...
- Installed hashicorp/aws v3.39.0 (self-signed, key ID 34365D9472D7468F)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.Apply the changes,
$ terraform apply
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_eip.nat will be created
+ resource "aws_eip" "nat" {
+ allocation_id = (known after apply)
+ association_id = (known after apply)
+ carrier_ip = (known after apply)
+ customer_owned_ip = (known after apply)
+ domain = (known after apply)
+ id = (known after apply)
+ instance = (known after apply)
+ network_border_group = (known after apply)
+ network_interface = (known after apply)
+ private_dns = (known after apply)
+ private_ip = (known after apply)
+ public_dns = (known after apply)
+ public_ip = (known after apply)
+ public_ipv4_pool = (known after apply)
+ tags_all = (known after apply)
+ vpc = true
}
# aws_internet_gateway.main-gw will be created
+ resource "aws_internet_gateway" "main-gw" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main"
}
+ tags_all = {
+ "Name" = "main"
}
+ vpc_id = (known after apply)
}
# aws_nat_gateway.nat-gw will be created
+ resource "aws_nat_gateway" "nat-gw" {
+ allocation_id = (known after apply)
+ id = (known after apply)
+ network_interface_id = (known after apply)
+ private_ip = (known after apply)
+ public_ip = (known after apply)
+ subnet_id = (known after apply)
+ tags_all = (known after apply)
}
# aws_route_table.main-private will be created
+ resource "aws_route_table" "main-private" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = [
+ {
+ carrier_gateway_id = ""
+ cidr_block = "0.0.0.0/0"
+ destination_prefix_list_id = ""
+ egress_only_gateway_id = ""
+ gateway_id = ""
+ instance_id = ""
+ ipv6_cidr_block = ""
+ local_gateway_id = ""
+ nat_gateway_id = (known after apply)
+ network_interface_id = ""
+ transit_gateway_id = ""
+ vpc_endpoint_id = ""
+ vpc_peering_connection_id = ""
},
]
+ tags = {
+ "Name" = "main-private-1"
}
+ tags_all = {
+ "Name" = "main-private-1"
}
+ vpc_id = (known after apply)
}
# aws_route_table.main-public will be created
+ resource "aws_route_table" "main-public" {
+ arn = (known after apply)
+ id = (known after apply)
+ owner_id = (known after apply)
+ propagating_vgws = (known after apply)
+ route = [
+ {
+ carrier_gateway_id = ""
+ cidr_block = "0.0.0.0/0"
+ destination_prefix_list_id = ""
+ egress_only_gateway_id = ""
+ gateway_id = (known after apply)
+ instance_id = ""
+ ipv6_cidr_block = ""
+ local_gateway_id = ""
+ nat_gateway_id = ""
+ network_interface_id = ""
+ transit_gateway_id = ""
+ vpc_endpoint_id = ""
+ vpc_peering_connection_id = ""
},
]
+ tags = {
+ "Name" = "main-public-1"
}
+ tags_all = {
+ "Name" = "main-public-1"
}
+ vpc_id = (known after apply)
}
# aws_route_table_association.main-private-1-a will be created
+ resource "aws_route_table_association" "main-private-1-a" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.main-private-2-a will be created
+ resource "aws_route_table_association" "main-private-2-a" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.main-private-3-a will be created
+ resource "aws_route_table_association" "main-private-3-a" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.main-public-1-a will be created
+ resource "aws_route_table_association" "main-public-1-a" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.main-public-2-a will be created
+ resource "aws_route_table_association" "main-public-2-a" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_route_table_association.main-public-3-a will be created
+ resource "aws_route_table_association" "main-public-3-a" {
+ id = (known after apply)
+ route_table_id = (known after apply)
+ subnet_id = (known after apply)
}
# aws_subnet.main-private-1 will be created
+ resource "aws_subnet" "main-private-1" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "eu-west-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.4.0/24"
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main-private-1"
}
+ tags_all = {
+ "Name" = "main-private-1"
}
+ vpc_id = (known after apply)
}
# aws_subnet.main-private-2 will be created
+ resource "aws_subnet" "main-private-2" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "eu-west-1b"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.5.0/24"
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main-private-2"
}
+ tags_all = {
+ "Name" = "main-private-2"
}
+ vpc_id = (known after apply)
}
# aws_subnet.main-private-3 will be created
+ resource "aws_subnet" "main-private-3" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "eu-west-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.6.0/24"
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ map_public_ip_on_launch = false
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main-private-3"
}
+ tags_all = {
+ "Name" = "main-private-3"
}
+ vpc_id = (known after apply)
}
# aws_subnet.main-public-1 will be created
+ resource "aws_subnet" "main-public-1" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "eu-west-1a"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.1.0/24"
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ map_public_ip_on_launch = true
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main-public-1"
}
+ tags_all = {
+ "Name" = "main-public-1"
}
+ vpc_id = (known after apply)
}
# aws_subnet.main-public-2 will be created
+ resource "aws_subnet" "main-public-2" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "eu-west-1b"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.2.0/24"
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ map_public_ip_on_launch = true
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main-public-2"
}
+ tags_all = {
+ "Name" = "main-public-2"
}
+ vpc_id = (known after apply)
}
# aws_subnet.main-public-3 will be created
+ resource "aws_subnet" "main-public-3" {
+ arn = (known after apply)
+ assign_ipv6_address_on_creation = false
+ availability_zone = "eu-west-1c"
+ availability_zone_id = (known after apply)
+ cidr_block = "10.0.3.0/24"
+ id = (known after apply)
+ ipv6_cidr_block_association_id = (known after apply)
+ map_public_ip_on_launch = true
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main-public-3"
}
+ tags_all = {
+ "Name" = "main-public-3"
}
+ vpc_id = (known after apply)
}
# aws_vpc.main will be created
+ resource "aws_vpc" "main" {
+ arn = (known after apply)
+ assign_generated_ipv6_cidr_block = false
+ cidr_block = "10.0.0.0/16"
+ default_network_acl_id = (known after apply)
+ default_route_table_id = (known after apply)
+ default_security_group_id = (known after apply)
+ dhcp_options_id = (known after apply)
+ enable_classiclink = false
+ enable_classiclink_dns_support = (known after apply)
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ id = (known after apply)
+ instance_tenancy = "default"
+ ipv6_association_id = (known after apply)
+ ipv6_cidr_block = (known after apply)
+ main_route_table_id = (known after apply)
+ owner_id = (known after apply)
+ tags = {
+ "Name" = "main"
}
+ tags_all = {
+ "Name" = "main"
}
}
Plan: 18 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
aws_eip.nat: Creating...
aws_vpc.main: Creating...
aws_eip.nat: Creation complete after 2s [id=eipalloc-00b0f9c9c25f05705]
aws_vpc.main: Still creating... [10s elapsed]
aws_vpc.main: Creation complete after 20s [id=vpc-0cc692aadcb1dc178]
aws_subnet.main-public-2: Creating...
aws_subnet.main-private-3: Creating...
aws_subnet.main-public-1: Creating...
aws_subnet.main-public-3: Creating...
aws_subnet.main-private-2: Creating...
aws_internet_gateway.main-gw: Creating...
aws_subnet.main-private-1: Creating...
aws_subnet.main-private-3: Creation complete after 2s [id=subnet-0ce1c3882fa89d56c]
aws_subnet.main-private-1: Creation complete after 2s [id=subnet-067feb7809d9093aa]
aws_subnet.main-private-2: Creation complete after 2s [id=subnet-02bbbcc77865d97e8]
aws_internet_gateway.main-gw: Creation complete after 4s [id=igw-04561a30b0b8cc288]
aws_route_table.main-public: Creating...
aws_route_table.main-public: Creation complete after 3s [id=rtb-0d0fd6d42ef5a5b31]
aws_subnet.main-public-2: Still creating... [10s elapsed]
aws_subnet.main-public-1: Still creating... [10s elapsed]
aws_subnet.main-public-3: Still creating... [10s elapsed]
aws_subnet.main-public-2: Creation complete after 14s [id=subnet-0c2652d02cb6f767f]
aws_route_table_association.main-public-2-a: Creating...
aws_subnet.main-public-1: Creation complete after 14s [id=subnet-08761673caed3ae80]
aws_route_table_association.main-public-1-a: Creating...
aws_nat_gateway.nat-gw: Creating...
aws_subnet.main-public-3: Creation complete after 15s [id=subnet-05280001cdecdf22b]
aws_route_table_association.main-public-3-a: Creating...
aws_route_table_association.main-public-2-a: Creation complete after 1s [id=rtbassoc-085d166836c26a76a]
aws_route_table_association.main-public-1-a: Creation complete after 1s [id=rtbassoc-03b6ca91849a7696f]
aws_route_table_association.main-public-3-a: Creation complete after 0s [id=rtbassoc-0c8d4b459dc7f648e]
aws_nat_gateway.nat-gw: Still creating... [10s elapsed]
aws_nat_gateway.nat-gw: Still creating... [20s elapsed]
aws_nat_gateway.nat-gw: Still creating... [30s elapsed]
aws_nat_gateway.nat-gw: Still creating... [40s elapsed]
aws_nat_gateway.nat-gw: Still creating... [50s elapsed]
aws_nat_gateway.nat-gw: Still creating... [1m0s elapsed]
aws_nat_gateway.nat-gw: Still creating... [1m10s elapsed]
aws_nat_gateway.nat-gw: Still creating... [1m20s elapsed]
aws_nat_gateway.nat-gw: Still creating... [1m30s elapsed]
aws_nat_gateway.nat-gw: Still creating... [1m40s elapsed]
aws_nat_gateway.nat-gw: Creation complete after 1m48s [id=nat-090bdb50866592e94]
aws_route_table.main-private: Creating...
aws_route_table.main-private: Creation complete after 5s [id=rtb-05812ab250b695096]
aws_route_table_association.main-private-3-a: Creating...
aws_route_table_association.main-private-2-a: Creating...
aws_route_table_association.main-private-1-a: Creating...
aws_route_table_association.main-private-3-a: Creation complete after 1s [id=rtbassoc-07996f2d411c43f07]
aws_route_table_association.main-private-2-a: Creation complete after 1s [id=rtbassoc-0848fd49dd66c22a0]
aws_route_table_association.main-private-1-a: Creation complete after 1s [id=rtbassoc-0331080e3a27930b0]
Apply complete! Resources: 18 added, 0 changed, 0 destroyed.Don't forget to clean up once experiments are done,
$ terraform destroyLast updated