こんにちは。
表題の通り AWS の 3層ネットワークを構築する playbook を用意してみます。
※ 詳細は README を参照ください。
https://github.com/keisukesanuki/aws-vpc-3layer
作るもの
・VPC
・SUBNET
・INTERNETGATEWAY
・NATGATEWAY
・ROUTETABLE
ディレクトリ構造
. ├── README.md ├── ansible.cfg ├── hosts ├── roles │ └── aws_vpc │ ├── tasks │ │ └── main.yml │ └── vars │ └── main.yml └── vpc_create.yml
playbook
---
# tasks file for aws_vpc
- name: create_vpc
ec2_vpc_net:
name: "{{ vpc_name }}"
cidr_block: "{{ vpc_cidr }}"
region: "{{ region }}"
profile: "{{ profile }}"
dns_hostnames: yes
dns_support: yes
register: vpc_info
# PUBLIC_SUBNET 作成
- name: create_public_subnet
ec2_vpc_subnet:
vpc_id: "{{ vpc_info.vpc.id }}"
cidr: "{{ item.pub_subnet_cidr }}"
az: "{{ item.subnet_az }}"
region: "{{ region }}"
resource_tags: { "Name":"{{ item.pub_subnet_name }}" }
profile: "{{ profile }}"
register: pubsub_info
with_items:
- "{{ pub_subnet }}"
# DMZ_SUBNET 作成
- name: create_dmz_subnet
ec2_vpc_subnet:
vpc_id: "{{ vpc_info.vpc.id }}"
cidr: "{{ item.dmz_subnet_cidr }}"
az: "{{ item.subnet_az }}"
region: "{{ region }}"
resource_tags: { "Name":"{{ item.dmz_subnet_name }}" }
profile: "{{ profile }}"
register: pubsub_info
with_items:
- "{{ dmz_subnet }}"
# PRIVATE_SUBNET 作成
- name: create_private_subnet
ec2_vpc_subnet:
vpc_id: "{{ vpc_info.vpc.id }}"
cidr: "{{ item.pri_subnet_cidr }}"
az: "{{ item.subnet_az }}"
region: "{{ region }}"
resource_tags: { "Name":"{{ item.pri_subnet_name }}" }
profile: "{{ profile }}"
register: prisub_info
with_items:
- "{{ pri_subnet }}"
# IGW 作成
- name: create_igw
ec2_vpc_igw:
vpc_id: "{{ vpc_info.vpc.id }}"
region: "{{ region }}"
tags: { "Name":"{{ igw_name }}" }
profile: "{{ profile }}"
register: igw_info
# ROUTETABLE 作成(IGW)
- name: create_route_table
ec2_vpc_route_table:
vpc_id: "{{ vpc_info.vpc.id }}"
subnets: "{{ atache_igw_subnet }}"
routes:
- dest: 0.0.0.0/0
gateway_id: "{{ igw_info.gateway_id }}"
region: "{{ region }}"
profile: "{{ profile }}"
resource_tags: { "Name":"{{ rttable_pub_name }}" }
# NGW の ID を取得
- name: get_subnet_id
shell: aws ec2 describe-subnets --region {{ region }} --profile {{ profile }} --output text | grep -B 1 {{ ngw_subnet_name }} | awk 'NR==1 {print $12}'
register: ngw_subnet_id
#- name: show
# debug:
# msg: "{{ ngw_subnet_id.stdout }}"
# NGW 作成
- name: create_ngw
ec2_vpc_nat_gateway:
subnet_id: "{{ ngw_subnet_id.stdout }}"
region: "{{ region }}"
profile: "{{ profile }}"
register: ngw_info
#- name: show
# debug:
# msg: "{{ ngw_info.nat_gateway_id }}"
# NGW 作成まで待つ
- name: wait_for_ngw
pause:
minutes: 5
# ROUTETABLEの作成(NGW)
- name: create_route_table2
ec2_vpc_route_table:
vpc_id: "{{ vpc_info.vpc.id }}"
subnets: "{{ atache_ngw_subnet }}"
routes:
- dest: 0.0.0.0/0
gateway_id: "{{ ngw_info.nat_gateway_id }}"
region: "{{ region }}"
profile: "{{ profile }}"
resource_tags: { "Name":"{{ rttable_dmz_name }}" }NATGATEWAY の ID が上手く取得できなかったので awscli の結果をパースして ngw_subnet_id に渡しています。
変数定義
---
# vars file for aws_vpc
# REGION
region: "ap-northeast-1"
# PROFILE
profile: "default"
# VPC
vpc_name: "sanuki-wd-vpc2"
vpc_cidr: "10.10.0.0/16"
# IGW
igw_name: "sanuki-igw2"
# NGW
ngw_name: "sanuki-ngw2"
# NGWを作成するサブネット名
ngw_subnet_name: "sanuki-wd-public-subnet2-a"
# ROUTETABLE(PUBLIC)
rttable_pub_name: "sanuki-pub-rt2"
# ROUTETABLE(DMZ)
rttable_dmz_name: "sanuki-dmz-rt2"
# PUBLIC_SUBNET
pub_subnet:
- { pub_subnet_cidr: "10.10.10.0/24" ,subnet_az: "ap-northeast-1a" ,pub_subnet_name: "sanuki-wd-public-subnet2-a" }
- { pub_subnet_cidr: "10.10.20.0/24" ,subnet_az: "ap-northeast-1c" ,pub_subnet_name: "sanuki-wd-public-subnet2-c" }
# DMZ_SUBNET
dmz_subnet:
- { dmz_subnet_cidr: "10.10.30.0/24" ,subnet_az: "ap-northeast-1a" ,dmz_subnet_name: "sanuki-wd-dmz-subnet2-a" }
- { dmz_subnet_cidr: "10.10.40.0/24" ,subnet_az: "ap-northeast-1c" ,dmz_subnet_name: "sanuki-wd-dmz-subnet2-c" }
# PRIVATE_SUBNET
pri_subnet:
- { pri_subnet_cidr: "10.10.50.0/24" ,subnet_az: "ap-northeast-1a" ,pri_subnet_name: "sanuki-wd-private-subnet2-a" }
- { pri_subnet_cidr: "10.10.60.0/24" ,subnet_az: "ap-northeast-1c" ,pri_subnet_name: "sanuki-wd-private-subnet2-c" }
# IGWに紐付けるサブネット
atache_igw_subnet:
- "10.10.10.0/24"
- "10.10.20.0/24"
# NGWに紐付けるサブネット
atache_ngw_subnet:
- "10.10.30.0/24"
- "10.10.40.0/24"NatGateway が片方の AZ にしかないため、冗長性の観点からは ? となりますが、まぁいいでしょう。
↓ 2層の playbook はこちら