Last active
April 14, 2020 03:49
-
-
Save takoikatakotako/efc667393d451c93698f7410448b2e5a to your computer and use it in GitHub Desktop.
Terraform を使って Fargate で Nginx を動かします。
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
################################################ | |
## Credential Infos | |
################################################ | |
provider "aws" { | |
access_key = local.access_key | |
secret_key = local.secret_key | |
region = "ap-northeast-1" | |
} | |
################################################ | |
## Network | |
################################################ | |
resource "aws_vpc" "main" { | |
cidr_block = "10.0.0.0/16" | |
tags = { | |
Name = "main-vpc" | |
} | |
} | |
# Public Subnets | |
resource "aws_subnet" "public_subnet_1a" { | |
vpc_id = aws_vpc.main.id | |
availability_zone = "ap-northeast-1a" | |
cidr_block = "10.0.0.0/24" | |
tags = { | |
Name = "public-1a" | |
} | |
} | |
resource "aws_subnet" "public_subnet_1c" { | |
vpc_id = aws_vpc.main.id | |
availability_zone = "ap-northeast-1c" | |
cidr_block = "10.0.1.0/24" | |
tags = { | |
Name = "public-1c" | |
} | |
} | |
resource "aws_subnet" "public_subnet_1d" { | |
vpc_id = aws_vpc.main.id | |
availability_zone = "ap-northeast-1d" | |
cidr_block = "10.0.3.0/24" | |
tags = { | |
Name = "public-1d" | |
} | |
} | |
# Private Subnets | |
resource "aws_subnet" "private_subnet_1a" { | |
vpc_id = aws_vpc.main.id | |
availability_zone = "ap-northeast-1a" | |
cidr_block = "10.0.10.0/24" | |
tags = { | |
Name = "private-1a" | |
} | |
} | |
resource "aws_subnet" "private_subnet_1c" { | |
vpc_id = aws_vpc.main.id | |
availability_zone = "ap-northeast-1c" | |
cidr_block = "10.0.11.0/24" | |
tags = { | |
Name = "private-1c" | |
} | |
} | |
resource "aws_subnet" "private_subnet_1d" { | |
vpc_id = aws_vpc.main.id | |
availability_zone = "ap-northeast-1d" | |
cidr_block = "10.0.12.0/24" | |
tags = { | |
Name = "private-1d" | |
} | |
} | |
############################################### | |
# Internet Gateway | |
############################################### | |
resource "aws_internet_gateway" "internet_gateway" { | |
vpc_id = aws_vpc.main.id | |
tags = { | |
Name = "internet-gateway" | |
} | |
} | |
resource "aws_route_table" "route_table" { | |
vpc_id = aws_vpc.main.id | |
route { | |
cidr_block = "0.0.0.0/0" | |
gateway_id = aws_internet_gateway.internet_gateway.id | |
} | |
tags = { | |
Name = "route-table" | |
} | |
} | |
resource "aws_route_table_association" "route_table_association_public_a" { | |
subnet_id = aws_subnet.public_subnet_1a.id | |
route_table_id = aws_route_table.route_table.id | |
} | |
resource "aws_route_table_association" "route_table_association_public_c" { | |
subnet_id = aws_subnet.public_subnet_1c.id | |
route_table_id = aws_route_table.route_table.id | |
} | |
resource "aws_route_table_association" "route_table_association_public_d" { | |
subnet_id = aws_subnet.public_subnet_1d.id | |
route_table_id = aws_route_table.route_table.id | |
} | |
############################################### | |
# ECS | |
############################################### | |
resource "aws_ecs_cluster" "nginx_cluster" { | |
name = "nginx-cluster" | |
} | |
resource "aws_ecs_service" "ecs_service" { | |
name = "nginx-service" | |
cluster = aws_ecs_cluster.nginx_cluster.name | |
launch_type = "FARGATE" | |
desired_count = "1" | |
task_definition = aws_ecs_task_definition.task_definition.arn | |
# ECSタスクへ設定するネットワークの設定 | |
network_configuration { | |
subnets = [aws_subnet.public_subnet_1a.id, aws_subnet.public_subnet_1c.id, aws_subnet.public_subnet_1d.id] | |
security_groups = [aws_security_group.security_group.id] | |
assign_public_ip = true | |
} | |
} | |
resource "aws_ecs_task_definition" "task_definition" { | |
family = "nginx-task-definition" | |
requires_compatibilities = ["FARGATE"] | |
cpu = "512" | |
memory = "1024" | |
network_mode = "awsvpc" | |
task_role_arn = aws_iam_role.ecs_app_role.arn | |
execution_role_arn = aws_iam_role.ecs_app_role.arn | |
container_definitions = <<EOL | |
[ | |
{ | |
"essential":true, | |
"image":"nginx:latest", | |
"name":"nginx", | |
"logConfiguration": { | |
"logDriver": "awslogs", | |
"secretOptions": null, | |
"options": { | |
"awslogs-group": "${aws_cloudwatch_log_group.nginx_log_group.name}", | |
"awslogs-region": "ap-northeast-1", | |
"awslogs-stream-prefix": "ecs" | |
} | |
}, | |
"memoryReservation":100, | |
"portMappings": [ | |
{ | |
"containerPort": 80, | |
"hostPort": 80 | |
} | |
] | |
} | |
] | |
EOL | |
} | |
############################################################## | |
# Log Group | |
############################################################## | |
resource "aws_cloudwatch_log_group" "nginx_log_group" { | |
name = "/ecs/nginx-log" | |
} | |
############################################### | |
# Security Group | |
############################################### | |
resource "aws_security_group" "security_group" { | |
name = "nginx-security-group" | |
description = "nginx security group" | |
vpc_id = aws_vpc.main.id | |
tags = { | |
Name = "nginx security group" | |
} | |
ingress { | |
from_port = 80 | |
to_port = 80 | |
protocol = "tcp" | |
cidr_blocks = ["0.0.0.0/0"] | |
} | |
egress { | |
from_port = 0 | |
to_port = 0 | |
protocol = "-1" | |
cidr_blocks = ["0.0.0.0/0"] | |
} | |
} | |
############################################################## | |
# IAM | |
############################################################## | |
resource "aws_iam_role" "ecs_app_role" { | |
name = "ecs-app-role" | |
assume_role_policy = data.aws_iam_policy_document.ecs_app_role_policy_document.json | |
} | |
data "aws_iam_policy_document" "ecs_app_role_policy_document" { | |
statement { | |
actions = ["sts:AssumeRole"] | |
principals { | |
type = "Service" | |
identifiers = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"] | |
} | |
} | |
} | |
resource "aws_iam_policy" "ecs_app_policy" { | |
name = "ecs-policy" | |
policy = data.aws_iam_policy_document.ecs_policy_document.json | |
} | |
data "aws_iam_policy_document" "ecs_policy_document" { | |
statement { | |
effect = "Allow" | |
actions = [ | |
"ecr:GetAuthorizationToken", | |
"ecr:BatchCheckLayerAvailability", | |
"ecr:GetDownloadUrlForLayer", | |
"ecr:BatchGetImage", | |
"logs:CreateLogStream", | |
"logs:PutLogEvents", | |
"ssm:GetParameters", | |
"secretsmanager:GetSecretValue", | |
"kms:Decrypt" | |
] | |
resources = ["*"] | |
} | |
} | |
resource "aws_iam_role_policy_attachment" "ecs_app_role_policy_attachment" { | |
role = aws_iam_role.ecs_app_role.name | |
policy_arn = aws_iam_policy.ecs_app_policy.arn | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment