16탄-3.테라폼-네이버클라우드 쿠버네티스 네트워크2
<1> 시나리오2 = VPC , Subnet, Server
<2> 시나리오2 에서 Server 삭제
<1> 시나리오2 = VPC , Subnet, Server
1
cd /root/terraform-provider-ncloud-main/examples/vpc/scenario02
vi variables.tf
2
[root@sssssss scenario02]# more *.tf
::::::::::::::
main.tf
::::::::::::::
# VPC > User scenario > Scenario 2. Public and Private Subnet
# https://docs.ncloud.com/ko/networking/vpc/vpc_userscenario2.html
provider "ncloud" {
support_vpc = true
region = "KR"
access_key = var.access_key
secret_key = var.secret_key
}
resource "ncloud_login_key" "key_scn_02" {
key_name = var.name_scn02
}
# VPC
resource "ncloud_vpc" "vpc_scn_02" {
name = var.name_scn02
ipv4_cidr_block = "10.0.0.0/16"
}
# Subnet
resource "ncloud_subnet" "subnet_scn_02_public" {
name = "${var.name_scn02}-public"
vpc_no = ncloud_vpc.vpc_scn_02.id
subnet = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 0)
// "10.0.0.0/24"
zone = "KR-2"
network_acl_no = ncloud_network_acl.network_acl_02_public.id
subnet_type = "PUBLIC"
// PUBLIC(Public)
}
resource "ncloud_subnet" "subnet_scn_02_private" {
name = "${var.name_scn02}-private"
vpc_no = ncloud_vpc.vpc_scn_02.id
subnet = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 1)
// "10.0.1.0/24"
zone = "KR-2"
network_acl_no = ncloud_network_acl.network_acl_02_private.id
subnet_type = "PRIVATE"
// PRIVATE(Private)
}
resource "ncloud_subnet" "subnet_scn_02_public_natgw" {
vpc_no = ncloud_vpc.vpc_scn_02.id
subnet = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 2)
// "10.0.2.0/24"
zone = "KR-2"
network_acl_no = ncloud_network_acl.network_acl_02_public.id
subnet_type = "PUBLIC"
usage_type = "NATGW"
}
# Network ACL
resource "ncloud_network_acl" "network_acl_02_public" {
vpc_no = ncloud_vpc.vpc_scn_02.id
name = "${var.name_scn02}-public"
}
resource "ncloud_network_acl" "network_acl_02_private" {
vpc_no = ncloud_vpc.vpc_scn_02.id
name = "${var.name_scn02}-private"
}
# Server
resource "ncloud_server" "server_scn_02_public" {
subnet_no = ncloud_subnet.subnet_scn_02_public.id
name = "${var.name_scn02}-public"
server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"
login_key_name = ncloud_login_key.key_scn_02.key_name
//server_product_code = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}
resource "ncloud_server" "server_scn_02_private" {
subnet_no = ncloud_subnet.subnet_scn_02_private.id
name = "${var.name_scn02}-private"
server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"
login_key_name = ncloud_login_key.key_scn_02.key_name
//server_product_code = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}
# Public IP
resource "ncloud_public_ip" "public_ip_scn_02" {
server_instance_no = ncloud_server.server_scn_02_public.id
description = "for ${var.name_scn02}"
}
# NAT Gateway
resource "ncloud_nat_gateway" "nat_gateway_scn_02" {
vpc_no = ncloud_vpc.vpc_scn_02.id
subnet_no = ncloud_subnet.subnet_scn_02_public_natgw.id
zone = "KR-2"
name = var.name_scn02
}
# Route Table
resource "ncloud_route" "route_scn_02_nat" {
route_table_no = ncloud_vpc.vpc_scn_02.default_private_route_table_no
destination_cidr_block = "0.0.0.0/0"
target_type = "NATGW"
// NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway).
target_name = ncloud_nat_gateway.nat_gateway_scn_02.name
target_no = ncloud_nat_gateway.nat_gateway_scn_02.id
}
data "ncloud_root_password" "scn_02_root_password" {
server_instance_no = ncloud_server.server_scn_02_public.id
private_key = ncloud_login_key.key_scn_02.private_key
}
resource "null_resource" "ls-al" {
connection {
type = "ssh"
host = ncloud_public_ip.public_ip_scn_02.public_ip
user = "root"
port = "22"
password = data.ncloud_root_password.scn_02_root_password.root_password
}
provisioner "remote-exec" {
inline = [
"ls -al",
]
}
depends_on = [
ncloud_public_ip.public_ip_scn_02,
ncloud_server.server_scn_02_public
]
}
# You can add ACG rules remove comment If you want
/*
locals {
default_acg_rules_inbound = [
["TCP", "0.0.0.0/0", "80"],
["TCP", "0.0.0.0/0", "443"],
["TCP", "${var.client_ip}/32", "22"],
["TCP", "${var.client_ip}/32", "3389"],
]
default_acg_rules_outbound = [
["TCP", "0.0.0.0/0", "1-65535"],
["UDP", "0.0.0.0/0", "1-65534"],
["ICMP", "0.0.0.0/0", null]
]
}
resource "ncloud_access_control_group" "acg_scn_02" {
description = "for acc test"
vpc_no = ncloud_vpc.vpc_scn_02.id
}
resource "ncloud_access_control_group_rule" "acg_rule_scn_02" {
access_control_group_no = ncloud_access_control_group.acg_scn_02.id
dynamic "inbound" {
for_each = local.default_acg_rules_inbound
content {
protocol = inbound.value[0]
ip_block = inbound.value[1]
port_range = inbound.value[2]
}
}
dynamic "outbound" {
for_each = local.default_acg_rules_outbound
content {
protocol = outbound.value[0]
ip_block = outbound.value[1]
port_range = outbound.value[2]
}
}
}
*/
::::::::::::::
security.tf
::::::::::::::
# Network ACL Rule
locals {
public_subnet_inbound = [
[1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
[2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
[3, "TCP", "${var.client_ip}/32", "22", "ALLOW"],
[4, "TCP", "${var.client_ip}/32", "3389", "ALLOW"],
[5, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
[197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
[198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
[199, "ICMP", "0.0.0.0/0", null, "DROP"],
]
public_subnet_outbound = [
[1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
[2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
[3, "TCP", "0.0.0.0/0", "9001-65535", "ALLOW"],
[4, "TCP", "${ncloud_server.server_scn_02_private.network_interface[0].private_ip}/32", "8080", "ALLOW"],
// Allow 8080 port to private server
[197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
[198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
[199, "ICMP", "0.0.0.0/0", null, "DROP"]
]
}
resource "ncloud_network_acl_rule" "network_acl_02_rule_public" {
network_acl_no = ncloud_network_acl.network_acl_02_public.id
dynamic "inbound" {
for_each = local.public_subnet_inbound
content {
priority = inbound.value[0]
protocol = inbound.value[1]
ip_block = inbound.value[2]
port_range = inbound.value[3]
rule_action = inbound.value[4]
}
}
dynamic "outbound" {
for_each = local.public_subnet_outbound
content {
priority = outbound.value[0]
protocol = outbound.value[1]
ip_block = outbound.value[2]
port_range = outbound.value[3]
rule_action = outbound.value[4]
}
}
}
locals {
private_subnet_inbound = [
[1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "8080", "ALLOW"],
// Allow 8080 port from public server
[2, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
[197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
[198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
[199, "ICMP", "0.0.0.0/0", null, "DROP"],
]
private_subnet_outbound = [
[1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "32768-65535", "ALLOW"],
// Allow 32768-65535 port to public server
[197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
[198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
[199, "ICMP", "0.0.0.0/0", null, "DROP"]
]
}
resource "ncloud_network_acl_rule" "network_acl_02_private" {
network_acl_no = ncloud_network_acl.network_acl_02_private.id
dynamic "inbound" {
for_each = local.private_subnet_inbound
content {
priority = inbound.value[0]
protocol = inbound.value[1]
ip_block = inbound.value[2]
port_range = inbound.value[3]
rule_action = inbound.value[4]
}
}
dynamic "outbound" {
for_each = local.private_subnet_outbound
content {
priority = outbound.value[0]
protocol = outbound.value[1]
ip_block = outbound.value[2]
port_range = outbound.value[3]
rule_action = outbound.value[4]
}
}
}
::::::::::::::
variables.tf
::::::::::::::
variable name_scn02 {
default = "tf-scn02"
}
variable client_ip {
default = "223.130.137.181"
}
variable access_key {
default = "NWef"
}
variable secret_key {
default = "vo5wY7as"
}
::::::::::::::
versions.tf
::::::::::::::
terraform {
required_providers {
ncloud = {
source = "navercloudplatform/ncloud"
}
}
required_version = ">= 0.13"
}
[root@sssssss scenario02]#
3
terraform apply -auto-approve
vpc 1
tf-scn02
10.0.0.0/16
subnet 3
nacl3
nat1
rt2
nacl 3
server 2
<2> 시나리오2 에서 Server 삭제
1
네트워크만 구성
보안그룹도 제거
2
terraform destroy --auto-approve
다음
https://brunch.co.kr/@topasvga/3596
감사합니다.
