TerraformでAWS Storage Gateway (S3 File Gateway)を作るサンプル — Sample: building an AWS Storage Gateway (S3 File Gateway) with Terraform
// Identity of the account Terraform runs in; the account id is appended to the S3
// bucket name (aws_s3_bucket.sgw) to keep the globally-unique name from colliding.
data "aws_caller_identity" "current" {}
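// System name settings
// Both values are spliced into every resource name, including the S3 bucket name
// (aws_s3_bucket.sgw). S3 bucket names must be lowercase, so the inputs are validated
// up front instead of failing at apply time with a less obvious error.
variable "sysname" {
  description = "System name, used as the prefix of every resource name."
  type        = string
  default     = "mysgw"

  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9-]*$", var.sysname))
    error_message = "The sysname value must consist of lowercase letters, digits and hyphens."
  }
}
variable "envname" {
  description = "Environment name (e.g. dev, stg, prod), appended to every resource name."
  type        = string
  default     = "dev"

  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9-]*$", var.envname))
    error_message = "The envname value must consist of lowercase letters, digits and hyphens."
  }
}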
// VPC settings
data "aws_vpc" "vpc" {
  // Set your VPC id. The VPC's CIDR block is used as the ingress source for the
  // gateway's security group (aws_security_group.sgw).
  id = "vpc-1234567890"
}
data "aws_subnet" "sgw_subnet" {
  // Set your Storage Gateway subnet id. The instance is launched without a public IP,
  // so this is expected to be a private subnet.
  id = "subnet-1234567890"
}
// Other settings
locals {
  // Set your EC2 key pair name. It is attached to the gateway instance (aws_instance.sgw),
  // presumably for SSH access to the appliance's local console — treat the private key
  // as an administrative credential for the gateway.
  ec2_keyname = "my-keypair"
}
// All resources are created in Tokyo; the gateway timezone below is set to JST to match.
provider "aws" {
  region = "ap-northeast-1"
}
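terraform {
  // nonsensitive() (used for the AMI lookup) exists since Terraform 0.15, and the inline
  // `acl` argument on aws_s3_bucket is the AWS provider 3.x form, so pin both explicitly
  // instead of letting `terraform init` pick whatever happens to be current.
  required_version = ">= 0.15"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }

  // Local state only. NOTE: the state file holds everything Terraform sends to the API
  // in plain text, including the gateway activation key and the SMB guest password.
  // For anything beyond a throwaway trial use a remote backend with encryption at rest
  // and restricted access (e.g. an S3 backend with a DynamoDB lock table).
  backend "local" {
  }
}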
// | |
// Prerequisite resources for building the Storage Gateway (S3 bucket, security group, EC2 appliance)
// | |
// | |
// S3 | |
// | |
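resource "aws_s3_bucket" "sgw" {
  // Account id suffix keeps the globally-unique bucket name from colliding across accounts.
  bucket = "${var.sysname}-${var.envname}-storage-gateway-${data.aws_caller_identity.current.account_id}"
  acl    = "private"

  // Default encryption at rest for everything the file share uploads. SSE-S3 (AES256)
  // needs no extra rights for the file share role; switching to SSE-KMS would additionally
  // need kms_encrypted/kms_key_arn on the SMB file share and KMS permissions for the role.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}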
// Belt-and-braces on top of acl = "private": no public ACL or bucket policy can ever
// expose the file share's objects, even if one is attached by hand later.
resource "aws_s3_bucket_public_access_block" "sgw" {
  bucket                  = aws_s3_bucket.sgw.bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
// | |
// Security Group | |
// | |
// Security group for the gateway appliance. Both ingress rules are open to the whole VPC;
// see the per-rule notes for how to tighten them once the gateway is running.
resource "aws_security_group" "sgw" {
  vpc_id      = data.aws_vpc.vpc.id
  name        = "${var.sysname}-${var.envname}-storage-gateway-sg"
  description = "Security group for Storage Gateway"
  // HTTP for activation
  // Only needed while the gateway is activated (the activation key is fetched over plain
  // HTTP from the appliance). It can be narrowed to the host that performs the activation,
  // or removed entirely once the gateway has been activated.
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    description = "HTTP for activation"
    cidr_blocks = [data.aws_vpc.vpc.cidr_block]
  }
  // SMB
  // The share below uses guest access, so every host in the VPC that knows the guest
  // password can mount it. Restrict cidr_blocks to the client subnets if the share is not
  // meant for the whole VPC.
  ingress {
    from_port   = 445
    to_port     = 445
    protocol    = "tcp"
    description = "SMB"
    cidr_blocks = [data.aws_vpc.vpc.cidr_block]
  }
  // Unrestricted egress. The appliance needs outbound HTTPS (443) to the Storage Gateway
  // and S3 endpoints plus DNS/NTP; leave this open unless you add VPC endpoints and can
  // enumerate every required destination.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "${var.sysname}-${var.envname}-storage-gateway-sg"
  }
}
// | |
// EC2 | |
// | |
// AWS-published AMI for the S3 File Gateway appliance. `latest` resolves to whatever
// AWS currently publishes, so the value changes over time; a plan run after a new
// release would want to replace the instance (and with it the activated gateway and
// its cache) unless the instance ignores ami changes. Pin a dated path if you need
// reproducible builds.
data "aws_ssm_parameter" "sgw_ami" {
  name = "/aws/service/storagegateway/ami/FILE_S3/latest"
}
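// EC2 appliance that runs the file gateway. Changes from the original: both EBS volumes
// are now encrypted (the cache disk holds the file data in transit to/from S3), the AMI
// is excluded from drift detection so a new "latest" AMI cannot trigger replacement of
// the activated gateway, and the "gateawy" typos in the volume tags are fixed.
resource "aws_instance" "sgw" {
  instance_type = "m5.xlarge" // AWS recommended size
  // The provider marks SSM parameter values sensitive; nonsensitive() lets the AMI id
  // show up in plan output.
  ami                         = nonsensitive(data.aws_ssm_parameter.sgw_ami.value)
  subnet_id                   = data.aws_subnet.sgw_subnet.id
  key_name                    = local.ec2_keyname
  vpc_security_group_ids      = [aws_security_group.sgw.id]
  iam_instance_profile        = "" // no instance profile: S3 access goes through the file share role, not the instance
  disable_api_termination     = false // trial setup, so deletion is allowed
  associate_public_ip_address = false // deployed in a private subnet

  root_block_device {
    volume_type           = "gp3"
    iops                  = 3000 // default value
    throughput            = 125  // default value
    volume_size           = 80   // AMI default
    delete_on_termination = true
    encrypted             = true // was false; uses the account's default EBS key
    tags = {
      Name = "${var.sysname}-${var.envname}-storage-gateway-root"
    }
  }

  ebs_block_device {
    // Cache disk (registered with the gateway by aws_storagegateway_cache.sgw).
    // It buffers the data written to / read from the share, so it must be encrypted
    // just like the bucket.
    device_name           = "/dev/sdf"
    volume_type           = "gp3"
    iops                  = 3000 // default value
    throughput            = 125  // default value
    volume_size           = 150  // minimum size
    delete_on_termination = true
    encrypted             = true // was false
    tags = {
      Name = "${var.sysname}-${var.envname}-storage-gateway-cache"
    }
  }

  tags = {
    Name = "${var.sysname}-${var.envname}-storage-gateway"
  }

  lifecycle {
    // associate_public_ip_address was already ignored in the original (presumably the
    // subnet's own setting shows up as drift). ami is ignored so that AWS publishing a
    // new "latest" AMI does not force replacement of the instance, which would destroy
    // the activated gateway and its cache.
    ignore_changes = [associate_public_ip_address, ami]
  }
}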
// | |
// Storage Gateway resources (file share IAM role, gateway, cache, SMB file share)
// | |
// | |
// IAM role for Storage Gateway file share | |
// | |
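// Trust policy for the file share role: only the Storage Gateway service may assume it.
data "aws_iam_policy_document" "sgw_fileshare" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["storagegateway.amazonaws.com"]
    }
    // Confused-deputy guard: without this, a gateway in any other account that names
    // this role ARN in a file share could make the service assume it. aws:SourceAccount
    // pins the assumption to this account; aws:SourceArn = the gateway ARN would tighten
    // it further to one specific gateway.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}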
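// Permissions the gateway needs on the one bucket backing the SMB share.
// The policy name had a typo ("gateawy"); fixing it renames the policy, which forces
// replacement if this has already been applied. Legacy "${...}" wrapping around bare
// references is dropped in favour of direct references.
resource "aws_iam_policy" "sgw_fileshare" {
  name = "${var.sysname}-${var.envname}-storage-gateway-fileshare"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        // Bucket-level actions, scoped to the single share bucket.
        Action = [
          "s3:GetAccelerateConfiguration",
          "s3:GetBucketLocation",
          "s3:GetBucketVersioning",
          "s3:ListBucket",
          "s3:ListBucketVersions",
          "s3:ListBucketMultipartUploads"
        ]
        Effect   = "Allow"
        Resource = aws_s3_bucket.sgw.arn
      },
      {
        // Object-level actions. The *Acl actions are needed for object_acl on the file share.
        Action = [
          "s3:AbortMultipartUpload",
          "s3:DeleteObject",
          "s3:DeleteObjectVersion",
          "s3:GetObject",
          "s3:GetObjectAcl",
          "s3:GetObjectVersion",
          "s3:ListMultipartUploadParts",
          "s3:PutObject",
          "s3:PutObjectAcl"
        ]
        Effect   = "Allow"
        Resource = "${aws_s3_bucket.sgw.arn}/*"
      }
    ]
  })
}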
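// Role assumed by the Storage Gateway service on behalf of the SMB file share.
// The role name had a typo ("gateawy"); fixing it renames the role, which forces
// replacement if this has already been applied.
resource "aws_iam_role" "sgw_fileshare" {
  name               = "${var.sysname}-${var.envname}-storage-gateway-fileshare"
  assume_role_policy = data.aws_iam_policy_document.sgw_fileshare.json
  // managed_policy_arns is exclusive: any policy attached to this role outside
  // Terraform is detached on the next apply.
  managed_policy_arns = [
    aws_iam_policy.sgw_fileshare.arn
  ]
}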
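//
// Storage Gateway
// NOTE: the following still have to be configured by hand after the resource is created:
//   - CloudWatch Logs settings
//   - maintenance window
//
// The SMB guest password used to be a literal in this file. Secrets do not belong in
// version-controlled HCL, so it is now a sensitive input variable with no default: pass it
// via TF_VAR_smb_guest_password or an uncommitted .tfvars file. It is still written to the
// state file, which is one more reason to protect the state.
variable "smb_guest_password" {
  description = "Password for the SMB guest user of the file gateway."
  type        = string
  sensitive   = true
}

resource "aws_storagegateway_gateway" "sgw" {
  // gateway_ip_address = aws_instance.sgw.private_ip
  // Terraform cannot reach the EC2 instance directly in this setup, so the activation key
  // is obtained beforehand and pasted here. The key is single-use and short-lived, so it
  // has to be fetched right before `terraform apply`; note that it also ends up in state.
  activation_key     = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
  gateway_name       = "${var.sysname}-${var.envname}-gateway"
  gateway_timezone   = "GMT+9:00" // JST
  gateway_type       = "FILE_S3"  // S3 File Gateway
  smb_guest_password = var.smb_guest_password

  lifecycle {
    // A later change of the variable is not pushed to the gateway; rotate the password
    // through the console/CLI instead (the API presumably does not return it, so there
    // is nothing for Terraform to compare against).
    ignore_changes = [smb_guest_password]
  }
}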
// Local cache settings
// Looks up the EBS volume attached as /dev/sdf on aws_instance.sgw and registers it as the
// gateway's cache disk. The device node must match the ebs_block_device above.
data "aws_storagegateway_local_disk" "sgw" {
  gateway_arn = aws_storagegateway_gateway.sgw.arn
  disk_node   = "/dev/sdf"
}
resource "aws_storagegateway_cache" "sgw" {
  gateway_arn = aws_storagegateway_gateway.sgw.arn
  disk_id     = data.aws_storagegateway_local_disk.sgw.id
}
// | |
// SMB File share | |
// | |
// SMB share backed by aws_s3_bucket.sgw.
// GuestAccess means a single shared password (smb_guest_password on the gateway) is the
// only access control, and the security group opens port 445 to the whole VPC. For anything
// beyond a trial, prefer authentication = "ActiveDirectory" so access is per user/group.
resource "aws_storagegateway_smb_file_share" "sgw" {
  authentication  = "GuestAccess"
  gateway_arn     = aws_storagegateway_gateway.sgw.arn
  location_arn    = aws_s3_bucket.sgw.arn
  role_arn        = aws_iam_role.sgw_fileshare.arn
  file_share_name = "share" // share name kept as "share", matching the FSx for Windows convention
  // Objects are owned by the bucket owner even though the gateway writes them via the role.
  object_acl = "bucket-owner-full-control"
}