本記事ã¯
AWSアワード記念ï¼å¤ã®ã‚¢ãƒ‰ãƒ™ãƒ³ãƒˆã‚«ãƒ¬ãƒ³ãƒ€ãƒ¼
14日目ã®è¨˜äº‹ã§ã™ã€‚
🎆ðŸ†
13日目
▶▶ 本記事 ▶▶
15日目
ðŸ†ðŸŽ†
カラスã«è¥²ã‚ã‚ŒãŸãŸã‚ã—ã°ã‚‰ããã®ä»˜è¿‘ã«ã¯è¿‘ã¥ã„ã¦ã„ã¾ã›ã‚“。ä¸æ‘ã§ã™ã€‚
Terraformã®ãƒ©ã‚¤ã‚»ãƒ³ã‚¹å¤‰æ›´ãŒã‚ã£ãŸãŸã‚ã“ã‚Œã‹ã‚‰ã©ã†ãªã‚‹ã®ã‹å¿ƒé…ã—ã¦ã„ã¾ã—ãŸãŒã€IBMãŒHashiCorpã‚’è²·åŽã™ã‚‹ã“ã¨ãŒç™ºè¡¨ã•ã‚ŒãŸãŸã‚è½ã¡ç€ããã†ã§å®‰å¿ƒã—ã¦ã„ã¾ã™ã€‚今後も動å‘を注視ã—ã¦ã„ãã¾ã™ã€‚
本記事ã§ã¯Terraformã®çµ„ã¿è¾¼ã¿é–¢æ•°templatefileã«ã¤ã„ã¦ã”紹介ã—ã¾ã™ã€‚
templatefile関数ã¨ã¯
指定ã•ã‚ŒãŸãƒ‘スã«ã‚るテンプレートファイルをèªã¿å–ã‚Šã€ãã®å†…容をテンプレートã¨ã—ã¦ãƒ¬ãƒ³ãƒ€ãƒªãƒ³ã‚°ã™ã‚‹ã“ã¨ã§ãƒ†ã‚ストファイルやè¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã‚’å‹•çš„ã«ç”Ÿæˆã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
ãã®ãŸã‚環境毎ã«å°‘ã—ç•°ãªã‚‹ãƒ•ã‚¡ã‚¤ãƒ«ã‚’使用ã™ã‚‹å¿…è¦ãŒã‚ã‚‹å ´åˆãªã©ã«éžå¸¸ã«ä¾¿åˆ©ãªé–¢æ•°ã§ã™ã€‚
developer.hashicorp.com
AWS環境ã«ãŠã‘ã‚‹templatefile関数ã®æ´»ç”¨æ–¹æ³•ã‚’ã„ãã¤ã‹ã”紹介ã—ã¾ã™ã€‚
1. ユーザーデータ
ユーザーデータã¯EC2インスタンス起動時ã®åˆæœŸè¨å®šã‚„ã€ã‚¹ã‚¯ãƒªãƒ—トを自動実行ã™ã‚‹ãŸã‚ã«ä½¿ç”¨ã•ã‚Œã¾ã™ã€‚
ã“ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ã‚’templatefile関数ã§ç”Ÿæˆã™ã‚‹ã“ã¨ãŒå¯èƒ½ã§ã™ã€‚
ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªæ§‹é€ ã€ãƒ•ã‚¡ã‚¤ãƒ«å†…容ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ã—ã¦ã„ã¾ã™ã€‚
- ディレクトリ構é€
project/
├── modules/
│ └── ec2/
│ ├── main.tf
│ └── init.tpl
└── env/
├── prod/
│ └── ec2/
│ └── main.tf
└── stage/
└── ec2/
└── main.tf
- modules/ec2/main.tf
- user_dataã§templatefile関数を使用ã—ã¾ã™ã€‚
- åŒãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªä¸Šã®ãƒ†ãƒ³ãƒ—レートファイルinit.tplを指定ã—ã€packagesã¨file_contentを変数ã«ã—ã¦ã„ã¾ã™ã€‚
- user_dataã§templatefile関数を使用ã—ã¾ã™ã€‚
provider "aws" {
region = "ap-northeast-1"
}
variable "packages" {
type = list(string)
}
variable "file_content" {
type = any
}
resource "aws_instance" "example" {
ami = "ami-061a125c7c02edb39"
instance_type = "t2.micro"
iam_instance_profile = "MySessionManagerRole"
user_data = templatefile("${path.module}/init.tpl", {
packages = join(" ", var.packages)
file_content = var.file_content
})
}
- modules/ec2/init.tpl
- user_dataã§ä½¿ç”¨ã™ã‚‹ãƒ†ãƒ³ãƒ—レートファイルã§ã™ã€‚cloud-configå½¢å¼ã«ã—ã¦ã„ã¾ã™ã€‚
- 今回ã®ä¾‹ã§ã¯write_files:ã€runcmd:を使用ã—ã¦ã„ã¾ã™ãŒã€users:ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼ä½œæˆã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚
- init.tplã«cloud_final_modules:ã‚’è¨å®šã™ã‚‹ã“ã¨ã§ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ã‚’利用ã—ã¦ä½œæˆã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’削除ã—ãŸã‚Šã€ãƒ‘ッケージをアンインストールã—ãŸã¨ã—ã¦ã‚‚å†èµ·å‹•æ™‚ã«ã¯å†ä½œæˆãƒ»å†ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
※既å˜ã®EC2インスタンスã®æ§‹æˆã‚’変更ã™ã‚‹ãŸã‚ã«ã€ã“ã®ãƒ†ãƒ³ãƒ—レートファイルを修æ£ã—ã¦terraform applyã‚’å†å®Ÿè¡Œã—ãŸå ´åˆã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ãŒä¿®æ£ã•ã‚Œã¾ã™ãŒå®Ÿè¡Œã¯ã•ã‚Œã¾ã›ã‚“。 æ–°ã—ã„ユーザーデータを実行ã—ãŸã„å ´åˆã«ã¯ã€EC2インスタンス上ã§cloud-init cleanを実行ã—ã¦cloud-initã®ã‚ャッシュをリセットã—ãŸã†ãˆã§ã€å†èµ·å‹•ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
- init.tplã«cloud_final_modules:ã‚’è¨å®šã™ã‚‹ã“ã¨ã§ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ã‚’利用ã—ã¦ä½œæˆã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’削除ã—ãŸã‚Šã€ãƒ‘ッケージをアンインストールã—ãŸã¨ã—ã¦ã‚‚å†èµ·å‹•æ™‚ã«ã¯å†ä½œæˆãƒ»å†ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
- 今回ã®ä¾‹ã§ã¯write_files:ã€runcmd:を使用ã—ã¦ã„ã¾ã™ãŒã€users:ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼ä½œæˆã™ã‚‹ã“ã¨ã‚‚å¯èƒ½ã§ã™ã€‚
- user_dataã§ä½¿ç”¨ã™ã‚‹ãƒ†ãƒ³ãƒ—レートファイルã§ã™ã€‚cloud-configå½¢å¼ã«ã—ã¦ã„ã¾ã™ã€‚
#cloud-config
cloud_final_modules:
- [scripts-user, always]
- [write-files, always]
write_files:
- path: /etc/welcome.txt
permissions: '0644'
owner: root:root
content: |
${file_content}
runcmd:
- yum install -y ${packages}
- env/prod/ec2/main.tf
- prod環境ã®EC2インスタンスã§ä½œæˆã™ã‚‹ãƒ•ã‚¡ã‚¤ãƒ«ã®å†…容ã€ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ãƒ‘ッケージを記述ã—ã¦ã„ã¾ã™ã€‚
module "ec2-instance" {
source = "../../../modules/ec2"
packages = ["amazon-cloudwatch-agent", "git"]
file_content = <<EOF
Welcome to prod server!
EOF
}
- env/stage/ec2/main.tf
- packages, file_content以外ã¯env/prod/main.tfã¨åŒæ§˜ã®å†…容ã§ã™ã€‚
module "ec2-instance" {
source = "../../../modules/ec2"
packages = ["git"]
file_content = <<EOF
Welcome to stage server!
EOF
}
env/prod/ec2/ã§terrafom applyを実行ã—ã¦EC2インスタンスを作æˆã—ã¾ã™ã€‚
以下ã¯prod環境ã®EC2インスタンスã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ãƒ»ãƒ•ã‚¡ã‚¤ãƒ«ãƒ»ãƒ‘ッケージã®ç¢ºèªçµæžœã§ã™ã€‚
åŒæ§˜ã«env/stage/ec2/ã§terrafom applyを実行ã—ã¾ã™ã€‚
以下ã¯stage環境EC2インスタンスã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ãƒ»ãƒ•ã‚¡ã‚¤ãƒ«ãƒ»ãƒ‘ッケージã®ç¢ºèªçµæžœã§ã™ã€‚
2. IAMãƒãƒªã‚·ãƒ¼ã€ãƒãƒ¼ãƒ«
main.tfã«IAMãƒãƒªã‚·ãƒ¼ã‚„ãƒãƒ¼ãƒ«ã‚’記述ã™ã‚‹ã¨è¿½åŠ ã™ã‚‹ãŸã³ã«ãƒ•ã‚¡ã‚¤ãƒ«ãŒè‚¥å¤§åŒ–ã—ã¦ã„ãã€ç›®å½“ã¦ã®ãƒãƒªã‚·ãƒ¼ãƒ»ãƒãƒ¼ãƒ«ã‚’探ã™ã“ã¨ãŒæ‰‹é–“ã«ãªã‚Šã¾ã™ã€‚
ã“れをé¿ã‘ã‚‹ãŸã‚ã«templatefile関数を使用ã—ã¾ã™ã€‚
- ディレクトリ構é€
project/
├── modules/
│ └── iam/
│ ├── main.tf
│ ├── iam_policy.json.tpl
│ └── iam_role.json.tpl
└── env/
├── prod/
│ └── iam/
│ └── main.tf
└── stage/
└── iam/
└── main.tf
- modules/ec2/main.tf
- aws_iam_policyリソースã®policyã¨ã€aws_iam_roleリソースã®assume_role_policyã§templatefile関数を使用ã—ã¾ã™ã€‚
- åŒãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªä¸Šã®ãƒ†ãƒ³ãƒ—レートファイルiam_policy.json.tplã¨iam_role.json.tplを指定ã—ã€iam_policy.json.tplã¯actionsã¨resourcesを変数ã«ã€iam_role.json.tplã¯serviceを変数ã«ã—ã¦ã„ã¾ã™ã€‚
- aws_iam_policyリソースã®policyã¨ã€aws_iam_roleリソースã®assume_role_policyã§templatefile関数を使用ã—ã¾ã™ã€‚
variable "policies" {
description = "List of IAM policies"
type = list(object({
name = string
actions = list(string)
resources = list(string)
}))
}
variable "roles" {
description = "List of IAM roles"
type = list(object({
name = string
service = string
policies = list(string)
}))
}
resource "aws_iam_policy" "example" {
for_each = { for p in var.policies : p.name => p }
name = each.value.name
policy = templatefile("${path.module}/iam_policy.json.tpl", {
actions = jsonencode(each.value.actions)
resources = jsonencode(each.value.resources)
})
}
resource "aws_iam_role" "example" {
for_each = { for r in var.roles : r.name => r }
name = each.value.name
assume_role_policy = templatefile("${path.module}/iam_role.json.tpl", {
service = each.value.service
})
}
resource "aws_iam_role_policy_attachment" "example" {
for_each = { for r in var.roles : r.name => r }
role = aws_iam_role.example[each.key].name
policy_arn = lookup({ for p in var.policies : p.name => aws_iam_policy.example[p.name].arn }, each.value.policies[0])
}
- modules/iam/iam_policy.json.tpl
- policyã§ä½¿ç”¨ã™ã‚‹ãƒ†ãƒ³ãƒ—レートファイルã§ã™ã€‚
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ${actions},
"Resource": ${resources}
}
]
}
- modules/iam/iam_role.json.tpl
- assume_role_policyã§ä½¿ç”¨ã™ã‚‹ãƒ†ãƒ³ãƒ—レートファイルã§ã™ã€‚
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "${service}"
},
"Action": "sts:AssumeRole"
}
]
}
- env/prod/iam/main.tf
- prod環境ã§ä½œæˆã™ã‚‹IAMãƒãƒªã‚·ãƒ¼ã€ãƒãƒ¼ãƒ«ã‚’記述ã—ã¦ã„ã¾ã™ã€‚
module "iam" {
source = "../../../modules/iam"
policies = [
{
name = "prod_policy_1"
actions = ["s3:ListBucket", "s3:GetObject"]
resources = ["arn:aws:s3:::prod-bucket-name", "arn:aws:s3:::prod-bucket-name/*"]
},
{
name = "prod_policy_2"
actions = ["ec2:DescribeInstances"]
resources = ["*"]
}
]
roles = [
{
name = "prod_role_1"
service = "ec2.amazonaws.com"
policies = ["prod_policy_1"]
},
{
name = "prod_role_2"
service = "lambda.amazonaws.com"
policies = ["prod_policy_2"]
}
]
}
- env/stage/iam/main.tf
- stage環境ã§ä½œæˆã™ã‚‹IAMãƒãƒªã‚·ãƒ¼ã€ãƒãƒ¼ãƒ«ã‚’記述ã—ã¦ã„ã¾ã™ã€‚
module "iam" {
source = "../../../modules/iam"
policies = [
{
name = "stage_policy_1"
actions = ["s3:ListBucket", "s3:GetObject"]
resources = ["arn:aws:s3:::stage-bucket-name", "arn:aws:s3:::stage-bucket-name/*"]
},
{
name = "stage_policy_2"
actions = ["ec2:DescribeInstances"]
resources = ["*"]
}
]
roles = [
{
name = "stage_role_1"
service = "ec2.amazonaws.com"
policies = ["stage_policy_1"]
},
{
name = "stage_role_2"
service = "lambda.amazonaws.com"
policies = ["stage_policy_2"]
}
]
}
env/prod/iam/ã§terrafom applyを実行ã—ã¦IAMãƒãƒªã‚·ãƒ¼ã€ãƒãƒ¼ãƒ«ã‚’作æˆã—ã¾ã™ã€‚
以下ã¯prod環境IAMãƒãƒªã‚·ãƒ¼ã€ãƒãƒ¼ãƒ«ã®ç¢ºèªçµæžœã§ã™ã€‚
åŒæ§˜ã«env/stage/iam/ã§terrafom applyを実行ã—ã¾ã™ã€‚
以下ã¯stage環境IAMãƒãƒªã‚·ãƒ¼ã€ãƒãƒ¼ãƒ«ã®ç¢ºèªçµæžœã§ã™ã€‚
3. Terraformè¨å®šãƒ•ã‚¡ã‚¤ãƒ«
Terraformè¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã®æ‹¡å¼µåã¯.tfã§ã‚ã‚Šã€ã‚¤ãƒ³ãƒ•ãƒ©ãƒªã‚½ãƒ¼ã‚¹ã‚’定義ã™ã‚‹main.tfã€å¤‰æ•°å®£è¨€ã‚’è¡Œã†variables.tfã€å‡ºåŠ›å€¤ã‚’定義ã™ã‚‹outputs.tfãªã©ãŒã‚ã‚Šã¾ã™ã€‚
templatefile関数を使用ã™ã‚‹ã“ã¨ã§Terraformè¨å®šãƒ•ã‚¡ã‚¤ãƒ«(tfファイル)自体を動的ã«ä½œæˆã™ã‚‹ã“ã¨ãŒå¯èƒ½ã§ã™ã€‚
※Terraformã¯ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªå†…ã™ã¹ã¦ã®tfファイルをèªã¿å–ã‚‹ãŸã‚ã€æ‹¡å¼µåãŒ.tfã§ã‚ã‚Œã°ãƒ•ã‚¡ã‚¤ãƒ«åã¯è‡ªç”±ã«å¤‰æ›´å¯èƒ½ã§ã™ã€‚
- ディレクトリ構é€
project/
├── modules/
│ └── s3/
│ ├── main.tf
│ └── s3.tf.tpl
└── env/
├── prod/
│ └── s3/
│ └── main.tf
└── stage/
└── s3/
└── main.tf
- modules/s3/main.tf
- local_fileリソースã®contentã§templatefile関数を使用ã—ã¾ã™ã€‚
- åŒãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªä¸Šã®ãƒ†ãƒ³ãƒ—レートファイルs3.tf.tplを指定ã—ã€bucket_nameを変数ã«ã—ã¦ã„ã¾ã™ã€‚
- local_fileリソースã®contentã§templatefile関数を使用ã—ã¾ã™ã€‚
provider "aws" {
region = "ap-northeast-1"
}
variable "bucket_names" {
type = list(string)
}
variable "file_path" {
type = string
}
resource "local_file" "s3_buckets" {
count = length(var.bucket_names)
filename = "${var.file_path}/s3_${var.bucket_names[count.index]}.tf"
content = templatefile("${path.module}/s3.tf.tpl", {
bucket_name = var.bucket_names[count.index]
})
}
- modules/s3/s3.tf.tpl
- contentã§ä½¿ç”¨ã™ã‚‹ãƒ†ãƒ³ãƒ—レートファイルã§ã™ã€‚
resource "aws_s3_bucket" "${bucket_name}" {
bucket = "${bucket_name}"
acl = "private"
}
- env/prod/s3/main.tf
- prod環境ã§ä½œæˆã™ã‚‹s3ãƒã‚±ãƒƒãƒˆã‚’記述ã—ã¦ã„ã¾ã™ã€‚
module "s3" {
source = "../../../modules/s3"
bucket_names = ["prod-bucket-example-1", "prod-bucket-example-2", "prod-bucket-example-3"]
file_path = "."
}
- env/stage/s3/main.tf
- stage環境ã§ä½œæˆã™ã‚‹s3ãƒã‚±ãƒƒãƒˆã‚’記述ã—ã¦ã„ã¾ã™ã€‚
module "s3" {
source = "../../../modules/s3"
bucket_names = ["stage-bucket-example-1", "stage-bucket-example-2", "stage-bucket-example-3"]
file_path = "."
}
env/prod/s3/ã§terrafom applyを実行ã™ã‚‹ã¨Terraformè¨å®šãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆprod-bucket-example-1.tfã€prod-bucket-example-2.tfã€prod-bucket-example-3.tf)ãŒä½œæˆã•ã‚Œã¾ã™ã€‚
ãã—ã¦å†åº¦terraform applyを実行ã™ã‚‹ã¨ä½œæˆã•ã‚ŒãŸãƒ•ã‚¡ã‚¤ãƒ«ã‚’èªã¿å–ã‚Šã€S3ãƒã‚±ãƒƒãƒˆã‚’作æˆã—ã¾ã™ã€‚
以下ã¯prod環境s3ãƒã‚±ãƒƒãƒˆã®ç¢ºèªçµæžœã§ã™ã€‚
åŒæ§˜ã«env/stage/s3/ã§terrafom applyã‚’2回実行ã—ã¾ã™ã€‚
以下ã¯stage環境s3ãƒã‚±ãƒƒãƒˆã®ç¢ºèªçµæžœã§ã™ã€‚
最後ã«
templatefile関数ã®æ´»ç”¨æ–¹æ³•ã‚’3ã¤ã”紹介ã—ã¾ã—ãŸãŒã€ã»ã‹ã«ã‚‚様々ãªæ´»ç”¨æ–¹æ³•ãŒã‚ã‚‹ã‹ã¨æ€ã„ã¾ã™ã€‚
本記事ãŒTerraformを使用ã™ã‚‹çš†æ§˜ã®å‚考ã¨ãªã‚Šã€templatefile関数ã®æ–°ã—ã„活用方法を見ã¤ã‘ã‚‹ãŸã‚ã®åŠ©ã‘ã¨ãªã‚Šã¾ã—ãŸã‚‰å¹¸ã„ã§ã™ã€‚
