
16탄-3.테라폼-네이버클라우드 쿠버네티스 네트워크2

by Master Seo

<1> 시나리오2 = VPC , Subnet, Server

<2> 시나리오2 에서 Server 삭제




<1> 시나리오2 = VPC , Subnet, Server



1


cd /root/terraform-provider-ncloud-main/examples/vpc/scenario02


[root@quick1 scenario02]# ls

main.tf security.tf variables.tf versions.tf



vpc 1

tf-scn02

10.0.0.0/16



subnet 3

100 nat-subnet.png



nat1

120 nat1.png






cd /root/terraform-provider-ncloud-main/examples/vpc/scenario02



ls

파일 4개

main.tf security.tf variables.tf versions.tf



[root@quick1 scenario02]# cp ../scenario01/variables.tf .

cp: overwrite './variables.tf'? y




2


[root@sssssss scenario02]# more *.tf

::::::::::::::

main.tf

::::::::::::::

# VPC > User scenario > Scenario 2. Public and Private Subnet

# https://docs.ncloud.com/ko/networking/vpc/vpc_userscenario2.html

# Naver Cloud provider, VPC environment, KR region.
provider "ncloud" {
  support_vpc = true
  region      = "KR"
  # Credentials are taken from variables.tf. Supply them via TF_VAR_access_key /
  # TF_VAR_secret_key or an uncommitted *.tfvars file rather than as variable
  # defaults, so the API keys never end up in the repository.
  access_key = var.access_key
  secret_key = var.secret_key
}

# Login key used by both servers. Its private_key attribute is read below by
# the ncloud_root_password data source, so the key material is recorded in
# Terraform state — protect the state file accordingly.
resource "ncloud_login_key" "key_scn_02" {
  key_name = var.name_scn02
}

# VPC

# VPC: the /16 parent range; the three subnets below carve /24s out of it
# with cidrsubnet().
resource "ncloud_vpc" "vpc_scn_02" {
  name            = var.name_scn02
  ipv4_cidr_block = "10.0.0.0/16"
}

# Subnet

# Public subnet (10.0.0.0/24): hosts the internet-facing server.
resource "ncloud_subnet" "subnet_scn_02_public" {
  name   = "${var.name_scn02}-public"
  vpc_no = ncloud_vpc.vpc_scn_02.id
  # cidrsubnet(10.0.0.0/16, 8, 0) => "10.0.0.0/24"
  subnet = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 0)
  zone   = "KR-2"
  # Traffic is filtered by the public NACL rule set in security.tf.
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  # PUBLIC(Public)
  subnet_type = "PUBLIC"
}

# Private subnet (10.0.1.0/24): hosts the internal server; reaches the
# internet only through the NAT gateway route defined further down.
resource "ncloud_subnet" "subnet_scn_02_private" {
  name   = "${var.name_scn02}-private"
  vpc_no = ncloud_vpc.vpc_scn_02.id
  # cidrsubnet(10.0.0.0/16, 8, 1) => "10.0.1.0/24"
  subnet = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 1)
  zone   = "KR-2"
  # Traffic is filtered by the private NACL rule set in security.tf.
  network_acl_no = ncloud_network_acl.network_acl_02_private.id
  # PRIVATE(Private)
  subnet_type = "PRIVATE"
}

# Dedicated NAT gateway subnet (10.0.2.0/24). No name is set, so the provider
# assigns one. It shares the public NACL, so the public rule set also applies
# to traffic leaving through the NAT gateway.
resource "ncloud_subnet" "subnet_scn_02_public_natgw" {
  vpc_no = ncloud_vpc.vpc_scn_02.id
  # cidrsubnet(10.0.0.0/16, 8, 2) => "10.0.2.0/24"
  subnet = cidrsubnet(ncloud_vpc.vpc_scn_02.ipv4_cidr_block, 8, 2)
  zone   = "KR-2"
  network_acl_no = ncloud_network_acl.network_acl_02_public.id
  subnet_type    = "PUBLIC"
  # Marks this subnet as the home of the NAT gateway.
  usage_type = "NATGW"
}

# Network ACL

# NACL for the public and NAT gateway subnets; rules are attached in
# security.tf (ncloud_network_acl_rule.network_acl_02_rule_public).
resource "ncloud_network_acl" "network_acl_02_public" {
  vpc_no = ncloud_vpc.vpc_scn_02.id
  name   = "${var.name_scn02}-public"
}

# NACL for the private subnet; rules are attached in security.tf
# (ncloud_network_acl_rule.network_acl_02_private).
resource "ncloud_network_acl" "network_acl_02_private" {
  vpc_no = ncloud_vpc.vpc_scn_02.id
  name   = "${var.name_scn02}-private"
}

# Server

# Internet-facing server in the public subnet (CentOS 7 image). A public IP
# is attached to it below and it is the target of the remote-exec step.
resource "ncloud_server" "server_scn_02_public" {
  subnet_no = ncloud_subnet.subnet_scn_02_public.id
  name      = "${var.name_scn02}-public"
  server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"
  login_key_name = ncloud_login_key.key_scn_02.key_name
  # NOTE(review): no access control group is referenced here and the ACG
  # example at the bottom of main.tf is commented out — confirm that the
  # account's default ACG is acceptable, since only the subnet NACL is
  # configured by this file.
  # Uncomment to pin the server spec explicitly.
  //server_product_code = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}

# Internal server in the private subnet (same CentOS 7 image). It has no
# public IP; its private_ip is referenced by the NACL rules in security.tf.
resource "ncloud_server" "server_scn_02_private" {
  subnet_no = ncloud_subnet.subnet_scn_02_private.id
  name      = "${var.name_scn02}-private"
  server_image_product_code = "SW.VSVR.OS.LNX64.CNTOS.0703.B050"
  login_key_name = ncloud_login_key.key_scn_02.key_name
  # NOTE(review): as with the public server, no ACG is referenced here.
  # Uncomment to pin the server spec explicitly.
  //server_product_code = "SVR.VSVR.STAND.C002.M008.NET.SSD.B050.G002"
}

# Public IP

# Public IP bound to the public server; used as the SSH host for the
# remote-exec provisioner below.
resource "ncloud_public_ip" "public_ip_scn_02" {
  server_instance_no = ncloud_server.server_scn_02_public.id
  description        = "for ${var.name_scn02}"
}

# NAT Gateway

# NAT gateway placed in the NATGW subnet; the private route table sends
# 0.0.0.0/0 to it (see ncloud_route.route_scn_02_nat).
resource "ncloud_nat_gateway" "nat_gateway_scn_02" {
  vpc_no    = ncloud_vpc.vpc_scn_02.id
  subnet_no = ncloud_subnet.subnet_scn_02_public_natgw.id
  zone      = "KR-2"
  name      = var.name_scn02
}

# Route Table

# Default route for the VPC's private route table: everything not local goes
# to the NAT gateway.
# NOTE(review): the private NACL outbound rules in security.tf only ALLOW
# TCP 32768-65535 toward the public server and DROP all other TCP/UDP/ICMP,
# so outbound internet traffic from the private server (e.g. TCP 80/443)
# would be dropped before it reaches this route — confirm that is intended.
resource "ncloud_route" "route_scn_02_nat" {
  route_table_no         = ncloud_vpc.vpc_scn_02.default_private_route_table_no
  destination_cidr_block = "0.0.0.0/0"
  # NATGW (NAT Gateway) | VPCPEERING (VPC Peering) | VGW (Virtual Private Gateway).
  target_type = "NATGW"
  target_name = ncloud_nat_gateway.nat_gateway_scn_02.name
  target_no   = ncloud_nat_gateway.nat_gateway_scn_02.id
}

# Recovers the public server's root password using the login key's private
# key. Both the private key and the resulting root_password are attributes,
# so they are stored in plaintext in Terraform state — treat the state file
# as a secret and prefer a remote backend with access control.
data "ncloud_root_password" "scn_02_root_password" {
  server_instance_no = ncloud_server.server_scn_02_public.id
  private_key        = ncloud_login_key.key_scn_02.private_key
}

# Smoke test: SSH to the public server over its public IP and run `ls -al`.
# Authentication is root + password (the password recovered above), so the
# password is both in state and passed to the SSH session.
# NOTE(review): the public NACL only allows inbound TCP 22 from
# var.client_ip/32, so this step only succeeds when `terraform apply` runs
# from that address.
resource "null_resource" "ls-al" {
  connection {
    type     = "ssh"
    host     = ncloud_public_ip.public_ip_scn_02.public_ip
    user     = "root"
    port     = "22"
    password = data.ncloud_root_password.scn_02_root_password.root_password
  }

  provisioner "remote-exec" {
    inline = [
      "ls -al",
    ]
  }

  # Explicit ordering: the public IP must be attached before connecting.
  depends_on = [
    ncloud_public_ip.public_ip_scn_02,
    ncloud_server.server_scn_02_public
  ]
}

# You can add ACG rules remove comment If you want

/*

locals {

default_acg_rules_inbound = [

["TCP", "0.0.0.0/0", "80"],

["TCP", "0.0.0.0/0", "443"],

["TCP", "${var.client_ip}/32", "22"],

["TCP", "${var.client_ip}/32", "3389"],

]

default_acg_rules_outbound = [

["TCP", "0.0.0.0/0", "1-65535"],

["UDP", "0.0.0.0/0", "1-65534"],

["ICMP", "0.0.0.0/0", null]

]

}

resource "ncloud_access_control_group" "acg_scn_02" {

description = "for acc test"

vpc_no = ncloud_vpc.vpc_scn_02.id

}

resource "ncloud_access_control_group_rule" "acg_rule_scn_02" {

access_control_group_no = ncloud_access_control_group.acg_scn_02.id

dynamic "inbound" {

for_each = local.default_acg_rules_inbound

content {

protocol = inbound.value[0]

ip_block = inbound.value[1]

port_range = inbound.value[2]

}

}

dynamic "outbound" {

for_each = local.default_acg_rules_outbound

content {

protocol = outbound.value[0]

ip_block = outbound.value[1]

port_range = outbound.value[2]

}

}

}

*/

::::::::::::::

security.tf

::::::::::::::

# Network ACL Rule

# NACL rule tables for the public subnet. Each entry is
# [priority, protocol, ip_block, port_range, action]; lower priority wins,
# and the 197-199 entries are the explicit DROP-everything tail.
# The 32768-65535 ALLOW entries exist for return traffic of connections
# initiated from the other side, which indicates the NACL is evaluated
# statelessly — keep them when editing the tables.
locals {
  public_subnet_inbound = [
    # Web traffic from anywhere.
    [1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
    [2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
    # Admin access (SSH/RDP) only from the operator address in variables.tf.
    # NOTE(review): 3389 is RDP; the servers use a Linux image, so this entry
    # appears unnecessary — confirm before keeping it.
    [3, "TCP", "${var.client_ip}/32", "22", "ALLOW"],
    [4, "TCP", "${var.client_ip}/32", "3389", "ALLOW"],
    # Return traffic for outbound connections.
    [5, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"],
  ]

  public_subnet_outbound = [
    [1, "TCP", "0.0.0.0/0", "80", "ALLOW"],
    [2, "TCP", "0.0.0.0/0", "443", "ALLOW"],
    # NOTE(review): 9001-65535 to any destination is a wide allow; it covers
    # return traffic for inbound sessions but also arbitrary high ports.
    [3, "TCP", "0.0.0.0/0", "9001-65535", "ALLOW"],
    # Allow 8080 port to private server
    [4, "TCP", "${ncloud_server.server_scn_02_private.network_interface[0].private_ip}/32", "8080", "ALLOW"],
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"]
  ]
}

# Materialises local.public_subnet_inbound / public_subnet_outbound as rules on
# the public NACL. Column order of each tuple:
# [0] priority, [1] protocol, [2] ip_block, [3] port_range, [4] rule_action.
resource "ncloud_network_acl_rule" "network_acl_02_rule_public" {
  network_acl_no = ncloud_network_acl.network_acl_02_public.id

  dynamic "inbound" {
    for_each = local.public_subnet_inbound
    content {
      priority    = inbound.value[0]
      protocol    = inbound.value[1]
      ip_block    = inbound.value[2]
      port_range  = inbound.value[3]
      rule_action = inbound.value[4]
    }
  }

  dynamic "outbound" {
    for_each = local.public_subnet_outbound
    content {
      priority    = outbound.value[0]
      protocol    = outbound.value[1]
      ip_block    = outbound.value[2]
      port_range  = outbound.value[3]
      rule_action = outbound.value[4]
    }
  }
}

# NACL rule tables for the private subnet, same tuple layout as the public
# ones: [priority, protocol, ip_block, port_range, action].
# NOTE(review): outbound only ALLOWs ephemeral ports to the public server and
# DROPs everything else, so the private server cannot open connections to the
# internet through the NAT gateway route in main.tf — add outbound ALLOW
# entries (e.g. TCP 80/443 to 0.0.0.0/0) if that egress is wanted.
locals {
  private_subnet_inbound = [
    # Allow 8080 port from public server
    [1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "8080", "ALLOW"],
    # Return traffic for outbound connections.
    [2, "TCP", "0.0.0.0/0", "32768-65535", "ALLOW"],
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"],
  ]

  private_subnet_outbound = [
    # Allow 32768-65535 port to public server (replies to its 8080 requests)
    [1, "TCP", "${ncloud_server.server_scn_02_public.network_interface[0].private_ip}/32", "32768-65535", "ALLOW"],
    [197, "TCP", "0.0.0.0/0", "1-65535", "DROP"],
    [198, "UDP", "0.0.0.0/0", "1-65535", "DROP"],
    [199, "ICMP", "0.0.0.0/0", null, "DROP"]
  ]
}

# Materialises local.private_subnet_inbound / private_subnet_outbound as rules
# on the private NACL. Column order of each tuple:
# [0] priority, [1] protocol, [2] ip_block, [3] port_range, [4] rule_action.
resource "ncloud_network_acl_rule" "network_acl_02_private" {
  network_acl_no = ncloud_network_acl.network_acl_02_private.id

  dynamic "inbound" {
    for_each = local.private_subnet_inbound
    content {
      priority    = inbound.value[0]
      protocol    = inbound.value[1]
      ip_block    = inbound.value[2]
      port_range  = inbound.value[3]
      rule_action = inbound.value[4]
    }
  }

  dynamic "outbound" {
    for_each = local.private_subnet_outbound
    content {
      priority    = outbound.value[0]
      protocol    = outbound.value[1]
      ip_block    = outbound.value[2]
      port_range  = outbound.value[3]
      rule_action = outbound.value[4]
    }
  }
}

::::::::::::::

variables.tf

::::::::::::::

# Name prefix shared by the login key, VPC, subnets, NACLs, servers and the
# NAT gateway. The apply error shown on this page comes from a variables.tf
# copied from scenario01, which declares name_scn01 instead of this name.
variable name_scn02 {
  default = "tf-scn02"
}

# Operator's public IPv4 address. security.tf builds "${var.client_ip}/32"
# from it for the SSH (22) and RDP (3389) inbound ALLOW rules, and the
# remote-exec step in main.tf only works from this address. Override it for
# your own workstation instead of editing the default.
variable client_ip {
  default = "210.1.17.20"
}

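# Naver Cloud API access key.
# Deliberately has no default: a default value here is a credential committed
# together with the code. Provide it out of band, e.g.
#   export TF_VAR_access_key=<your-access-key>
# or via a *.tfvars file that is excluded from version control.
# On Terraform >= 0.14 also set `sensitive = true` to keep it out of
# plan/apply output (omitted here because versions.tf allows 0.13).
variable "access_key" {
  description = "Naver Cloud API access key; supply via TF_VAR_access_key or an uncommitted tfvars file"
  type        = string
}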

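# Naver Cloud API secret key.
# Deliberately has no default: a default value here is a credential committed
# together with the code. Provide it out of band, e.g.
#   export TF_VAR_secret_key=<your-secret-key>
# or via a *.tfvars file that is excluded from version control.
# On Terraform >= 0.14 also set `sensitive = true` to keep it out of
# plan/apply output (omitted here because versions.tf allows 0.13).
variable "secret_key" {
  description = "Naver Cloud API secret key; supply via TF_VAR_secret_key or an uncommitted tfvars file"
  type        = string
}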

::::::::::::::

versions.tf

::::::::::::::

# Provider and Terraform version requirements.
# NOTE(review): no version constraint is set on the ncloud provider, so
# `terraform init` picks whatever release is current; pin it with a
# `version = "..."` constraint (and commit the lock file) for reproducible
# and reviewable upgrades.
terraform {
  required_providers {
    ncloud = {
      source = "navercloudplatform/ncloud"
    }
  }
  # 0.13+ is needed for the required_providers source syntax above.
  required_version = ">= 0.13"
}

[root@sssssss scenario02]#






3

terraform init


terraform apply -auto-approve


│ on main.tf line 12, in resource "ncloud_login_key" "key_scn_02":

│ 12: key_name = var.name_scn02

│ An input variable with the name "name_scn02" has not been declared. Did you mean "name_scn01"?

│ Error: Reference to undeclared input variable

│ on main.tf line 17, in resource "ncloud_vpc" "vpc_scn_02":

│ 17: name = var.name_scn02

│ An input variable with the name "name_scn02" has not been declared. Did you mean "name_scn01"?



결과


vpc 1

tf-scn02

10.0.0.0/16



subnet 3

100 nat-subnet.png



nacl3

110 nacl3.png



nat1

120 nat1.png



rt 2

130 rt.png



nacl 3

210 nacl2.png



server 2





<2> 시나리오2 에서 Server 삭제


1

네트워크만 구성

보안그룹도 제거




2

terraform destroy --auto-approve



다음

https://brunch.co.kr/@topasvga/3596




감사합니다.
