
terraform 기본 인프라 생성하기 (key pair, ec2, security group)

seongduck 2024. 6. 24. 23:42

아래 파일들은 다른 파일에서 선언한 리소스(`aws_vpc.main`, `aws_subnet.sbn-amcamp-*` 등)를 참조하므로, 같은 모듈(디렉터리) 안에 모두 선언되어 있어야 `terraform plan`/`apply`가 동작한다.

 

terraform(테라폼으로) key pair 선언하기

vi keypair.tf
#ec2 keypair
# Generate the SSH key pair locally with the TLS provider (4096-bit RSA).
# NOTE: the private key material is kept in clear text in the Terraform
# state, so the state backend must be encrypted and access-controlled.
resource "tls_private_key" "ec2_key" {
  rsa_bits  = 4096
  algorithm = "RSA"
}

# Register only the public half of the generated key with EC2; instances
# reference it through key_name. The name carries a ".pem" suffix although
# it is a key-pair name, not a file.
resource "aws_key_pair" "ec2_key" {
  public_key = tls_private_key.ec2_key.public_key_openssh
  key_name   = "ec2_key.pem"
}

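# Write the private key to disk for `ssh -i`.
# local_sensitive_file (hashicorp/local >= 2.2) redacts the content in
# plan/apply output, whereas plain local_file prints the PEM in clear text
# on every plan. The key is still stored in the Terraform state, and the
# written file must never be committed (add *.pem to .gitignore).
resource "local_sensitive_file" "private_key" {
  content = tls_private_key.ec2_key.private_key_pem
  # Placeholder Windows path (no user name segment); point it at the real
  # profile, e.g. C:/Users/<user>/.ssh/ec2_key.pem.
  filename = "C:/Users/Desktop/ec2_key.pem"
  # Owner-only permission. This is only enforced on Unix-like hosts; on
  # Windows the file ACL is left unchanged, so tighten it manually there.
  file_permission = "0600"
}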

 

terraform(테라폼으로) Security Group 선언하기

vi sg.tf
#security group for the bastion
#create the aws security group
# Jump-host security group: inbound SSH only from one fixed admin address
# (/32), all outbound allowed. Rules are kept inline because no standalone
# aws_security_group_rule targets this group.
resource "aws_security_group" "seg-amcamp-bastion" {
  vpc_id      = aws_vpc.main.id
  name        = "seg-amcamp-bastion"
  description = "Security group for Bastion"

  # SSH from the operator's public IP only; update when that address changes.
  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["27.122.140.10/32"]
  }

  # Unrestricted egress (e.g. package updates, SSH onward to the private
  # instances).
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}



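#security group for the Jenkins
#create the aws security group
# Rules are declared as standalone aws_security_group_rule resources rather
# than inline ingress/egress blocks: this group also receives a standalone
# rule (bastion -> 22) elsewhere in sg.tf, and the AWS provider documents
# that mixing inline rules with aws_security_group_rule on the same group
# produces rule conflicts and perpetual diffs.
resource "aws_security_group" "seg-amcamp-jenkins" {
  name        = "seg-amcamp-jenkins"
  description = "Security group for Jenkins"
  vpc_id      = aws_vpc.main.id
}

# Jenkins web UI (8080). The instance sits in a private subnet, so the
# original 0.0.0.0/0 bought nothing except exposure if the subnet ever gets
# an internet route. Allow the VPC only (bastion port-forwarding or a load
# balancer inside the VPC); narrow this to the load balancer's security
# group once one exists, and add VPN/peering CIDRs explicitly if needed.
resource "aws_security_group_rule" "seg-amcamp-jenkins-web" {
  type              = "ingress"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  description       = "Jenkins UI from inside the VPC"
  security_group_id = aws_security_group.seg-amcamp-jenkins.id
}

# Unrestricted egress (plugin/package downloads, Git over HTTPS).
resource "aws_security_group_rule" "seg-amcamp-jenkins-egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow all outbound"
  security_group_id = aws_security_group.seg-amcamp-jenkins.id
}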

# Allow SSH to Jenkins only from members of the bastion security group.
# The source is a security group, not a CIDR, so the rule keeps working if
# the bastion's address changes. If the target group also defines inline
# ingress/egress blocks, note that the AWS provider warns against mixing
# inline rules with aws_security_group_rule on one group; keep a single
# mechanism per group.
resource "aws_security_group_rule" "seg-amcamp-bastion-to-jenkins" {
  security_group_id        = aws_security_group.seg-amcamp-jenkins.id
  source_security_group_id = aws_security_group.seg-amcamp-bastion.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 22
  to_port                  = 22
}


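#security group for the Gitlab
#create the aws security group
# Rules are declared as standalone aws_security_group_rule resources rather
# than inline ingress/egress blocks: this group also receives a standalone
# rule (bastion -> 22) elsewhere in sg.tf, and the AWS provider documents
# that mixing inline rules with aws_security_group_rule on the same group
# produces rule conflicts and perpetual diffs.
resource "aws_security_group" "seg-amcamp-gitlab" {
  name        = "seg-amcamp-gitlab"
  description = "Security group for Gitlab"
  vpc_id      = aws_vpc.main.id
}

# GitLab HTTPS (443). The instance sits in a private subnet, so the original
# 0.0.0.0/0 only adds exposure if the subnet ever gets an internet route.
# Allow the VPC only (bastion port-forwarding or a load balancer inside the
# VPC); narrow this to the load balancer's security group once one exists,
# and add VPN/peering CIDRs explicitly if needed.
resource "aws_security_group_rule" "seg-amcamp-gitlab-https" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.main.cidr_block]
  description       = "GitLab HTTPS from inside the VPC"
  security_group_id = aws_security_group.seg-amcamp-gitlab.id
}

# Unrestricted egress (package downloads, outbound webhooks).
resource "aws_security_group_rule" "seg-amcamp-gitlab-egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow all outbound"
  security_group_id = aws_security_group.seg-amcamp-gitlab.id
}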

# Allow SSH to GitLab only from members of the bastion security group.
# The source is a security group, not a CIDR, so the rule keeps working if
# the bastion's address changes. If the target group also defines inline
# ingress/egress blocks, note that the AWS provider warns against mixing
# inline rules with aws_security_group_rule on one group; keep a single
# mechanism per group.
resource "aws_security_group_rule" "seg-amcamp-bastion-to-gitlab" {
  security_group_id        = aws_security_group.seg-amcamp-gitlab.id
  source_security_group_id = aws_security_group.seg-amcamp-bastion.id
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = 22
  to_port                  = 22
}

 

terraform (테라폼으로) ec2 생성하기

vi ec2.tf #아래 파일에서 진행
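#bastion Instance Id EC2
#create the bastion EC2
#EC2's OS is Amazon Linux 2
# Public-facing jump host: SSH (22) is reachable only from the admin IP
# allowed in seg-amcamp-bastion; the EIP below gives it a stable address.
resource "aws_instance" "amcamp-bastion" {
  ami               = "ami-0edc5427d49d09d2a" # Amazon Linux 2; AMI IDs are region specific
  instance_type     = "t3.medium"
  availability_zone = "ap-northeast-2a"
  subnet_id         = aws_subnet.sbn-amcamp-public-resource-az2a.id

  # In a VPC, security groups must be passed by ID via vpc_security_group_ids.
  # The original used `security_groups`, which expects names (EC2-Classic /
  # default VPC) and forces instance replacement on any change - that is why
  # it needed lifecycle.ignore_changes. With IDs the membership is updated in
  # place, so the ignore_changes workaround is no longer needed.
  vpc_security_group_ids = [aws_security_group.seg-amcamp-bastion.id]

  #key pair enroll "ec2_key"
  key_name = aws_key_pair.ec2_key.key_name

  root_block_device {
    volume_size = 50
    encrypted   = true # at-rest encryption of the root volume (default EBS KMS key); applies at creation
  }

  # Require IMDSv2 so instance-role credentials cannot be pulled with a single
  # unauthenticated GET to 169.254.169.254 (e.g. through SSRF).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # No user_data. The original script enabled SSH password authentication and
  # set the ec2-user password to the fixed value "root" in clear text, on a
  # host with a public IP. Access is key-based via key_name; reach the private
  # instances from the workstation with
  #   ssh -J ec2-user@<bastion-eip> ec2-user@<private-ip>
  # (ProxyJump) rather than copying the key or enabling passwords.

  tags = {
    Name = "amcamp-bastion"
  }
}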

# create the EIP
# Static public address for the bastion so SSH configs do not change when
# the instance is stopped and started.
resource "aws_eip" "amcamp-bastion" {
  tags = {
    Name = "amcamp-bastion"
  }
  domain = "vpc"
}

# associate EIP with the bastion
# Binds the allocated address to the bastion instance (kept separate from
# aws_eip so the address survives instance replacement).
resource "aws_eip_association" "amcamp-bastion" {
  allocation_id = aws_eip.amcamp-bastion.id
  instance_id   = aws_instance.amcamp-bastion.id
}




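#amcamp-jenkins Instance Id EC2
#create the jenkins EC2
#EC2's OS is Amazon Linux 2
# CI server in the private subnet: SSH only via the bastion
# (seg-amcamp-bastion-to-jenkins), web UI per seg-amcamp-jenkins.
resource "aws_instance" "amcamp-jenkins" {
  ami               = "ami-0edc5427d49d09d2a" # Amazon Linux 2; AMI IDs are region specific
  instance_type     = "t3.medium"
  availability_zone = "ap-northeast-2a"
  subnet_id         = aws_subnet.sbn-amcamp-private-resource-az2a.id
  # Fixed address; it must lie inside the private subnet's CIDR and avoid the
  # addresses AWS reserves in every subnet (first four and the last).
  private_ip        = "172.31.190.71"

  # In a VPC, security groups must be passed by ID via vpc_security_group_ids.
  # The original used `security_groups`, which expects names (EC2-Classic /
  # default VPC) and forces instance replacement on any change - that is why
  # it needed lifecycle.ignore_changes. With IDs the membership is updated in
  # place, so the ignore_changes workaround is no longer needed.
  vpc_security_group_ids = [aws_security_group.seg-amcamp-jenkins.id]

  #key pair enroll "ec2_key"
  key_name = aws_key_pair.ec2_key.key_name

  root_block_device {
    volume_size = 50
    encrypted   = true # at-rest encryption of the root volume (default EBS KMS key); applies at creation
  }

  # Require IMDSv2 so instance-role credentials cannot be pulled with a single
  # unauthenticated GET to 169.254.169.254 (e.g. via SSRF from a build job).
  # If build agents run in containers that need the instance role, raise
  # http_put_response_hop_limit to 2.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # No user_data. The original script enabled SSH password authentication and
  # set the ec2-user password to the fixed value "root" in clear text. Access
  # is key-based via key_name; from the workstation use
  #   ssh -J ec2-user@<bastion-eip> ec2-user@172.31.190.71
  # (ProxyJump) rather than copying the key to the bastion or enabling passwords.

  tags = {
    Name = "amcamp-jenkins"
  }
}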
  



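#amcamp-gitlab Instance Id EC2
#create the gitlab EC2
#EC2's OS is Amazon Linux 2
# Source-control server in the private subnet: SSH only via the bastion
# (seg-amcamp-bastion-to-gitlab), HTTPS per seg-amcamp-gitlab.
resource "aws_instance" "amcamp-gitlab" {
  ami               = "ami-0edc5427d49d09d2a" # Amazon Linux 2; AMI IDs are region specific
  instance_type     = "t3.medium"
  availability_zone = "ap-northeast-2a"
  subnet_id         = aws_subnet.sbn-amcamp-private-resource-az2a.id
  # Fixed address; it must lie inside the private subnet's CIDR and avoid the
  # addresses AWS reserves in every subnet (first four and the last).
  private_ip        = "172.31.190.72"

  # In a VPC, security groups must be passed by ID via vpc_security_group_ids.
  # The original used `security_groups`, which expects names (EC2-Classic /
  # default VPC) and forces instance replacement on any change - that is why
  # it needed lifecycle.ignore_changes. With IDs the membership is updated in
  # place, so the ignore_changes workaround is no longer needed.
  vpc_security_group_ids = [aws_security_group.seg-amcamp-gitlab.id]

  #key pair enroll "ec2_key"
  key_name = aws_key_pair.ec2_key.key_name

  root_block_device {
    volume_size = 50
    encrypted   = true # at-rest encryption of the root volume (default EBS KMS key); applies at creation
  }

  # Require IMDSv2 so instance-role credentials cannot be pulled with a single
  # unauthenticated GET to 169.254.169.254 (e.g. via SSRF).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # No user_data. The original script enabled SSH password authentication and
  # set the ec2-user password to the fixed value "root" in clear text. Access
  # is key-based via key_name; from the workstation use
  #   ssh -J ec2-user@<bastion-eip> ec2-user@172.31.190.72
  # (ProxyJump) rather than copying the key to the bastion or enabling passwords.

  tags = {
    Name = "amcamp-gitlab"
  }
}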