Skip to content

Instantly share code, notes, and snippets.

@stknohg
Last active Sep 18, 2021
Embed
What would you like to do?
TerraformでAWS Storage Gateway (S3 File Gateway)を作るサンプル
data "aws_caller_identity" "current" {}
// System name settings
variable "sysname" {
type = string
default = "mysgw"
}
variable "envname" {
type = string
default = "dev"
}
// VPC settings
data "aws_vpc" "vpc" {
// Set your VPC id
id = "vpc-1234567890"
}
data "aws_subnet" "sgw_subnet" {
// Set your Storage Gateway subnet id
id = "subnet-1234567890"
}
// Other settings
locals {
// Set your EC2 key pair name
ec2_keyname = "my-keypair"
}
provider "aws" {
region = "ap-northeast-1"
}
terraform {
backend "local" {
}
}
//
// Storage Gatewayの構築に必要な前提リソース
//
//
// S3
//
resource "aws_s3_bucket" "sgw" {
bucket = "${var.sysname}-${var.envname}-storage-gateway-${data.aws_caller_identity.current.account_id}"
acl = "private"
}
resource "aws_s3_bucket_public_access_block" "sgw" {
bucket = aws_s3_bucket.sgw.bucket
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
//
// Security Group
//
resource "aws_security_group" "sgw" {
vpc_id = data.aws_vpc.vpc.id
name = "${var.sysname}-${var.envname}-storage-gateway-sg"
description = "Security group for Storage Gateway"
// HTTP for activation
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
description = "HTTP for activation"
cidr_blocks = [data.aws_vpc.vpc.cidr_block]
}
// SMB
ingress {
from_port = 445
to_port = 445
protocol = "tcp"
description = "SMB"
cidr_blocks = [data.aws_vpc.vpc.cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.sysname}-${var.envname}-storage-gateway-sg"
}
}
//
// EC2
//
data "aws_ssm_parameter" "sgw_ami" {
name = "/aws/service/storagegateway/ami/FILE_S3/latest"
}
resource "aws_instance" "sgw" {
instance_type = "m5.xlarge" // AWS推奨スペック
ami = nonsensitive(data.aws_ssm_parameter.sgw_ami.value)
subnet_id = data.aws_subnet.sgw_subnet.id
key_name = local.ec2_keyname
vpc_security_group_ids = [aws_security_group.sgw.id]
iam_instance_profile = "" // Instance profileなし
disable_api_termination = false // 検証用なので削除可
associate_public_ip_address = false // Private subnetに配備
root_block_device {
volume_type = "gp3"
iops = 3000 // default value
throughput = 125 // default value
volume_size = 80 // AMIのデフォルト値
delete_on_termination = true
encrypted = false
tags = {
Name = "${var.sysname}-${var.envname}-storage-gateawy-root"
}
}
ebs_block_device {
// キャッシュ用EBS
device_name = "/dev/sdf"
volume_type = "gp3"
iops = 3000 // default value
throughput = 125 // default value
volume_size = 150 // 最低容量
delete_on_termination = true
encrypted = false
tags = {
Name = "${var.sysname}-${var.envname}-storage-gateawy-cache"
}
}
tags = {
Name = "${var.sysname}-${var.envname}-storage-gateway"
}
lifecycle {
ignore_changes = [associate_public_ip_address]
}
}
//
// Storage Gateway関連のリソース
//
//
// IAM role for Storage Gateway file share
//
data "aws_iam_policy_document" "sgw_fileshare" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["storagegateway.amazonaws.com"]
}
}
}
resource "aws_iam_policy" "sgw_fileshare" {
name = "${var.sysname}-${var.envname}-storage-gateawy-fileshare"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:GetAccelerateConfiguration",
"s3:GetBucketLocation",
"s3:GetBucketVersioning",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:ListBucketMultipartUploads"
]
Effect = "Allow"
Resource = "${aws_s3_bucket.sgw.arn}"
},
{
Action = [
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:PutObjectAcl"
]
Effect = "Allow"
Resource = "${aws_s3_bucket.sgw.arn}/*"
}
]
})
}
resource "aws_iam_role" "sgw_fileshare" {
name = "${var.sysname}-${var.envname}-storage-gateawy-fileshare"
assume_role_policy = data.aws_iam_policy_document.sgw_fileshare.json
managed_policy_arns = [
aws_iam_policy.sgw_fileshare.arn
]
}
//
// Storage Gateway
// ※ リソース作成後も以下のパラメーターは手動で設定する必要有り
// - CloudWatch Logs設定
// - メンテナンス時間
resource "aws_storagegateway_gateway" "sgw" {
// gateway_ip_address = aws_instance.sgw.private_ip
// 今回はTerraformから直接EC2へアクセスできないため事前にAtivation Keyを取得している
activation_key = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
gateway_name = "${var.sysname}-${var.envname}-gateway"
gateway_timezone = "GMT+9:00" // JST
gateway_type = "FILE_S3" // S3 File Storage
smb_guest_password = "P@ssw0rd" // ゲストユーザーパスワード
lifecycle {
ignore_changes = [smb_guest_password]
}
}
// Local Cache 設定
data "aws_storagegateway_local_disk" "sgw" {
gateway_arn = aws_storagegateway_gateway.sgw.arn
disk_node = "/dev/sdf"
}
resource "aws_storagegateway_cache" "sgw" {
gateway_arn = aws_storagegateway_gateway.sgw.arn
disk_id = data.aws_storagegateway_local_disk.sgw.id
}
//
// SMB File share
//
resource "aws_storagegateway_smb_file_share" "sgw" {
authentication = "GuestAccess"
gateway_arn = aws_storagegateway_gateway.sgw.arn
location_arn = aws_s3_bucket.sgw.arn
role_arn = aws_iam_role.sgw_fileshare.arn
file_share_name = "share" // 今回はFSx for Windowsと同様に共有名を share としている
object_acl = "bucket-owner-full-control"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment