prod

2022-11-02 11:18:05 +09:00
parent 2224a6f6e7
commit fff9000311
9 changed files with 4375 additions and 0 deletions
--- a/terraform/tf-prod-cloud-20221102/.terraform.lock.hcl
+++ b/terraform/tf-prod-cloud-20221102/.terraform.lock.hcl
@@ -0,0 +1,22 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.36.1"
+  constraints = ">= 4.0.0"
+  hashes = [
+    "h1:04NI9x34nwhgghwevSGdsjssqy5zzvMsQg2Qjpmx/n0=",
+    "zh:19b16047b4f15e9b8538a2b925f1e860463984eed7d9bd78e870f3e884e827a7",
+    "zh:3c0db06a9a14b05a77f3fe1fc029a5fb153f4966964790ca8e71ecc3427d83f5",
+    "zh:3c7407a8229005e07bc274cbae6e3a464c441a88810bfc6eceb2414678fd08ae",
+    "zh:3d96fa82c037fafbd3e7f4edc1de32afb029416650f6e392c39182fc74a9e03a",
+    "zh:8f4f540c5f63d847c4b802ca84d148bb6275a3b0723deb09bf933a4800bc7209",
+    "zh:9802cb77472d6bcf24c196ce2ca6d02fac9db91558536325fec85f955b71a8a4",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a263352433878c89832c2e38f4fd56cf96ae9969c13b5c710d5ba043cbd95743",
+    "zh:aca7954a5f458ceb14bf0c04c961c4e1e9706bf3b854a1e90a97d0b20f0fe6d3",
+    "zh:d78f400332e87a97cce2e080db9d01beb01f38f5402514a6705d6b8167e7730d",
+    "zh:e14bdc49be1d8b7d2543d5c58078c84b76051085e8e6715a895dcfe6034b6098",
+    "zh:f2e400b88c8de170bb5027922226da1e9a6614c03f2a6756c15c3b930c2f460c",
+  ]
+}
--- a/terraform/tf-prod-cloud-20221102/bastion.tf
+++ b/terraform/tf-prod-cloud-20221102/bastion.tf
@@ -0,0 +1,25 @@
+resource "aws_instance" "bastion-k8s-prod-datasaker-io" {
+  ami                         = "ami-0b6591f49cf24e237"
+  instance_type               = "t3.small"
+  count                       = 1
+  key_name                    = "kp-jay-bastion-datasaker"
+  vpc_security_group_ids      = ["${aws_security_group.sg-prod-dmz-datasaker.id}"]
+  subnet_id                   = aws_subnet.sbn-prod-dmz-a.id
+  associate_public_ip_address = true
+  user_data                   = "${file("data.sh")}"
+
+  root_block_device {
+    delete_on_termination = true
+    encrypted             = false
+    tags = {
+      Name    = "bastion-k8s-prod-datasaker-io"
+    }
+    volume_size = 20
+    volume_type = "gp3"
+    iops        = 3000
+  }  
+
+  tags = {
+    Name = "bastion-k8s-prod-datasaker-io"
+  }
+}
--- a/terraform/tf-prod-cloud-20221102/data.sh
+++ b/terraform/tf-prod-cloud-20221102/data.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+chmod 700 get_helm.sh
+sh get_helm.sh
--- a/terraform/tf-prod-cloud-20221102/dmz.tf
+++ b/terraform/tf-prod-cloud-20221102/dmz.tf
@@ -0,0 +1,189 @@
+
+
+output "sbn_dmz_prod_a_id" {
+  value = aws_subnet.sbn-prod-dmz-a.id
+}
+
+output "sbn_dmz_prod_b_id" {
+  value = aws_subnet.sbn-prod-dmz-b.id
+}
+
+output "sbn_dmz_prod_c_id" {
+  value = aws_subnet.sbn-prod-dmz-c.id
+}
+
+resource "aws_subnet" "sbn-prod-dmz-a" {
+  availability_zone                           = "ap-northeast-2a"
+  cidr_block                                  = "172.24.0.0/24"
+  enable_resource_name_dns_a_record_on_launch = true
+  private_dns_hostname_type_on_launch         = "resource-name"
+  tags = {
+    "Name"= "sbn-prod-dmz-a.datasaker"
+    "SubnetType"                                    = "Utility"
+    "kubernetes.io/cluster/datasaker"               = "owned"
+    "kubernetes.io/cluster/prod.datasaker.io"  = "shared"
+    "kubernetes.io/role/nlb"                        = "1"
+    "kubernetes.io/role/internal-nlb"               = "1"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_subnet" "sbn-prod-dmz-b" {
+  availability_zone                           = "ap-northeast-2b"
+  cidr_block                                  = "172.24.1.0/24"
+  enable_resource_name_dns_a_record_on_launch = true
+  private_dns_hostname_type_on_launch         = "resource-name"
+  tags = {
+    "Name"                                              = "sbn-prod-dmz-b.datasaker"
+    "SubnetType"                                        = "Utility"
+    "kubernetes.io/cluster/datasaker" 			= "owned"
+    "kubernetes.io/cluster/prod.datasaker.io" 	= "shared"
+    "kubernetes.io/role/nlb"                            = "1"
+    "kubernetes.io/role/internal-nlb"                   = "1"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_subnet" "sbn-prod-dmz-c" {
+  availability_zone                           = "ap-northeast-2c"
+  cidr_block                                  = "172.24.2.0/24"
+  enable_resource_name_dns_a_record_on_launch = true
+  private_dns_hostname_type_on_launch         = "resource-name"
+  tags = {
+    "Name"                                              = "sbn-prod-dmz-c.datasaker"
+    "SubnetType"                                        = "Utility"
+    "kubernetes.io/cluster/datasaker" 			= "owned"
+    "kubernetes.io/cluster/prod.datasaker.io" 	= "shared"
+    "kubernetes.io/role/nlb"                            = "1"
+    "kubernetes.io/role/internal-nlb"                   = "1"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_route_table" "rt-prod-datasaker-pub" {
+  tags = {
+    "Name" = "rt-prod-datasaker-pub"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_route" "r-0-0-0-0--0" {
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id = aws_internet_gateway.igw-prod-datasaker.id
+  route_table_id = aws_route_table.rt-prod-datasaker-pub.id
+}
+
+resource "aws_route" "r-__--0" {
+  destination_ipv6_cidr_block = "::/0"
+  gateway_id = aws_internet_gateway.igw-prod-datasaker.id
+  route_table_id = aws_route_table.rt-prod-datasaker-pub.id
+}
+resource "aws_route_table_association" "rta-prod-dmz-a" {
+  route_table_id = aws_route_table.rt-prod-datasaker-pub.id
+  subnet_id      = aws_subnet.sbn-prod-dmz-a.id
+}
+
+resource "aws_route_table_association" "rta-prod-dmz-b" {
+  route_table_id = aws_route_table.rt-prod-datasaker-pub.id
+  subnet_id      = aws_subnet.sbn-prod-dmz-b.id
+}
+
+resource "aws_route_table_association" "rta-prod-dmz-c" {
+  route_table_id = aws_route_table.rt-prod-datasaker-pub.id
+  subnet_id      = aws_subnet.sbn-prod-dmz-c.id
+}
+
+resource "aws_security_group" "sg-prod-dmz-datasaker" {
+  description = "Security group dmz-datasaker"
+  name        = "secg-dmz-datasaker"
+  tags = {
+    "Name" = "sg-prod-dmz-datasaker"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_security_group_rule" "sgr-from-115-178-73-2--32-ingress-tcp-22to22-dmz-prod-datasaker-io" {
+  cidr_blocks       = ["115.178.73.2/32"]
+  from_port         = 22
+  protocol          = "tcp"
+  security_group_id = aws_security_group.sg-prod-dmz-datasaker.id
+  to_port           = 22
+  type              = "ingress"
+}
+
+resource "aws_security_group_rule" "sgr-from-115-178-73-91--32-ingress-tcp-22to22-dmz-prod-datasaker-io" {
+  cidr_blocks       = ["115.178.73.91/32"]
+  from_port         = 22
+  protocol          = "tcp"
+  security_group_id = aws_security_group.sg-prod-dmz-datasaker.id
+  to_port           = 22
+  type              = "ingress"
+}
+
+resource "aws_security_group_rule" "sgr-from-0-0-0-0--0-engress-tcp-all-dmz-prod-datasaker-io" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 0
+  protocol          = "tcp"
+  security_group_id = aws_security_group.sg-prod-dmz-datasaker.id
+  to_port           = 65535
+  type              = "egress"
+}
+
+resource "aws_eip" "eip-bastion-prod-datasaker" {
+  vpc      = true
+  tags = {
+    Name    = "eip-bastion-prod-datasaker"
+  }
+}
+
+resource "aws_eip" "eip-natgw-prod-a-datasaker" {
+  vpc      = true
+  tags = {
+    Name    = "eip-natgw-prod-a-datasaker"
+  }
+}
+
+resource "aws_eip" "eip-natgw-prod-b-datasaker" {
+  vpc      = true
+  tags = {
+    Name    = "eip-natgw-prod-b-datasaker"
+  }
+}
+
+resource "aws_eip" "eip-natgw-prod-c-datasaker" {
+  vpc      = true
+  tags = {
+    Name    = "eip-natgw-prod-c-datasaker"
+  }
+}
+
+resource "aws_nat_gateway" "natgw-prod-a-datasaker" {
+  allocation_id = aws_eip.eip-natgw-prod-a-datasaker.id
+  subnet_id     = aws_subnet.sbn-prod-dmz-a.id
+
+  tags = {
+    Name = "natgw-prod-a-datasaker"
+  }
+  depends_on = [aws_internet_gateway.igw-prod-datasaker]
+}
+
+resource "aws_nat_gateway" "natgw-prod-b-datasaker" {
+  allocation_id = aws_eip.eip-natgw-prod-b-datasaker.id
+  subnet_id     = aws_subnet.sbn-prod-dmz-b.id
+
+  tags = {
+    Name = "natgw-prod-b-datasaker"
+  }
+  depends_on = [aws_internet_gateway.igw-prod-datasaker]
+}
+
+resource "aws_nat_gateway" "natgw-prod-c-datasaker" {
+  allocation_id = aws_eip.eip-natgw-prod-c-datasaker.id
+  subnet_id     = aws_subnet.sbn-prod-dmz-c.id
+
+  tags = {
+    Name = "natgw-prod-c-datasaker"
+  }
+  depends_on = [aws_internet_gateway.igw-prod-datasaker]
+}
+
--- a/terraform/tf-prod-cloud-20221102/prod.tf
+++ b/terraform/tf-prod-cloud-20221102/prod.tf
@@ -0,0 +1,148 @@
+resource "aws_route_table" "private-prod-a-datasaker" {
+  tags = {
+    "Name" = "private-prod-a-datasaker"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_route_table" "private-prod-b-datasaker" {
+  tags = {
+    "Name" = "private-prod-b-datasaker"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_route_table" "private-prod-c-datasaker" {
+  tags = {
+    "Name" = "private-prod-c-datasaker"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_route" "route-private-rt-prod-a-datasaker-0-0-0-0--0" {
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.natgw-prod-a-datasaker.id
+  route_table_id         = aws_route_table.private-prod-a-datasaker.id
+}
+
+resource "aws_route" "route-private-rt-prod-b-datasaker-0-0-0-0--0" {
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.natgw-prod-b-datasaker.id
+  route_table_id         = aws_route_table.private-prod-b-datasaker.id
+}
+
+resource "aws_route" "route-private-rt-prod-c-datasaker-0-0-0-0--0" {
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.natgw-prod-c-datasaker.id
+  route_table_id         = aws_route_table.private-prod-c-datasaker.id
+}
+
+resource "aws_subnet" "sbn-prod-a" {
+  availability_zone                           = "ap-northeast-2a"
+  cidr_block                                  = "172.24.8.0/23"
+  enable_resource_name_dns_a_record_on_launch = true
+  private_dns_hostname_type_on_launch         = "resource-name"
+  tags = {
+    "Name"                                      = "sbn-prod-a-datasaker"
+    "SubnetType"                                = "Private"
+    "kubernetes.io/cluster/datasaker" 		    = "owned"
+    "kubernetes.io/cluster/prod.datasaker.io" 	= "shared"
+    "kubernetes.io/role/nlb"                    = "1"
+    "kubernetes.io/role/internal-nlb"           = "1"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_subnet" "sbn-prod-b" {
+  availability_zone                           = "ap-northeast-2b"
+  cidr_block                                  = "172.24.10.0/23"
+  enable_resource_name_dns_a_record_on_launch = true
+  private_dns_hostname_type_on_launch         = "resource-name"
+  tags = {
+    "Name"                                      = "sbn-prod-b-datasaker"
+    "SubnetType"                                = "Private"
+    "kubernetes.io/cluster/datasaker" 		    = "owned"
+    "kubernetes.io/cluster/prod.datasaker.io" 	= "shared"
+    "kubernetes.io/role/nlb"                    = "1"
+    "kubernetes.io/role/internal-nlb"           = "1"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_subnet" "sbn-prod-c" {
+  availability_zone                           = "ap-northeast-2c"
+  cidr_block                                  = "172.24.12.0/23"
+  enable_resource_name_dns_a_record_on_launch = true
+  private_dns_hostname_type_on_launch         = "resource-name"
+  tags = {
+    "Name"                                      = "sbn-prod-c-datasaker"
+    "SubnetType"                                = "Private"
+    "kubernetes.io/cluster/datasaker" 		    = "owned"
+    "kubernetes.io/cluster/prod.datasaker.io" 	= "shared"
+    "kubernetes.io/role/nlb"                    = "1"
+    "kubernetes.io/role/internal-nlb"           = "1"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+
+resource "aws_route_table_association" "rta-prod-a" {
+  route_table_id = aws_route_table.private-prod-a-datasaker.id
+  subnet_id      = aws_subnet.sbn-prod-a.id
+}
+
+resource "aws_route_table_association" "rta-prod-b" {
+  route_table_id = aws_route_table.private-prod-b-datasaker.id
+  subnet_id      = aws_subnet.sbn-prod-b.id
+}
+
+resource "aws_route_table_association" "rta-prod-c" {
+  route_table_id = aws_route_table.private-prod-c-datasaker.id
+  subnet_id      = aws_subnet.sbn-prod-c.id
+}
+
+resource "aws_security_group" "sg-prod-datasaker" {
+  description = "Security group prod-datasaker"
+  name        = "secg-prod-datasaker"
+  tags = {
+    "Name" = "sg-prod-datasaker"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}
+
+
+resource "aws_security_group_rule" "sgr-from-0-0-0-0--0-ingress-tcp-22to22-prod-datasaker-io" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 22
+  protocol          = "tcp"
+  security_group_id = aws_security_group.sg-prod-datasaker.id
+  to_port           = 22
+  type              = "ingress"
+}
+
+resource "aws_security_group_rule" "sgr-from-0-0-0-0--0-ingress-icmp-prod-datasaker-io" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 8
+  protocol          = "icmp"
+  security_group_id = aws_security_group.sg-prod-datasaker.id
+  to_port           = 8
+  type              = "ingress"
+}
+
+resource "aws_security_group_rule" "sgr-to-0-0-0-0--0-egress-icmp-prod-datasaker-io" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 8
+  protocol          = "icmp"
+  security_group_id = aws_security_group.sg-prod-datasaker.id
+  to_port           = 8
+  type              = "egress"
+}
+
+resource "aws_security_group_rule" "sgr-from-0-0-0-0--0-engress-tcp-all-prod-datasaker-io" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 0
+  protocol          = "tcp"
+  security_group_id = aws_security_group.sg-prod-datasaker.id
+  to_port           = 65535
+  type              = "egress"
+}
--- a/terraform/tf-prod-cloud-20221102/terraform.tfstate
+++ b/terraform/tf-prod-cloud-20221102/terraform.tfstate
--- a/terraform/tf-prod-cloud-20221102/terraform.tfstate.backup
+++ b/terraform/tf-prod-cloud-20221102/terraform.tfstate.backup
--- a/terraform/tf-prod-cloud-20221102/vpc.tf
+++ b/terraform/tf-prod-cloud-20221102/vpc.tf
@@ -0,0 +1,55 @@
+terraform {
+  required_version = ">= 0.15.0"
+  required_providers {
+    aws = {
+      "configuration_aliases" = [aws.files]
+      "source"                = "hashicorp/aws"
+      "version"               = ">= 4.0.0"
+    }
+  }
+}
+
+provider "aws" {
+  alias  = "files"
+  region = "ap-northeast-2"
+}
+
+output "vpc_prod_datasaker_id" {
+  value = aws_vpc.vpc-prod-datasaker.id
+}
+
+output "vpc_prod_datasaker_cidr_block" {
+  value = aws_vpc.vpc-prod-datasaker.cidr_block
+}
+
+
+
+resource "aws_vpc" "vpc-prod-datasaker" {
+  assign_generated_ipv6_cidr_block = true
+  cidr_block                       = "172.24.0.0/19"
+  enable_dns_hostnames             = true
+  enable_dns_support               = true
+  tags = {
+    "Name" = "vpc-prod-datasaker"
+  }
+}
+
+resource "aws_vpc_dhcp_options" "vpc-dhcp-prod-datasaker" {
+  domain_name         = "ap-northeast-2.compute.internal"
+  domain_name_servers = ["AmazonProvidedDNS"]
+  tags = {
+    "Name" = "vpc-dhcp-prod-datasaker"
+  }
+}
+
+resource "aws_vpc_dhcp_options_association" "vpc-dhcp-asso-prod-datasaker" {
+  dhcp_options_id = aws_vpc_dhcp_options.vpc-dhcp-prod-datasaker.id
+  vpc_id          = aws_vpc.vpc-prod-datasaker.id
+}
+
+resource "aws_internet_gateway" "igw-prod-datasaker" {
+  tags = {
+    "Name" = "igw-prod-datasaker"
+  }
+  vpc_id = aws_vpc.vpc-prod-datasaker.id
+}