This time we create resources on OCI with Terraform. The overall layout is roughly as follows: besides basic network resources such as subnets and route tables, the goal is to get as far as a VPN connection to the on-premises site and the creation of an instance.
This post covers the network resources, including those needed for the VPN connection.

Working directory layout
Alongside the file with the connection details from the previous post's preparation, create the files below. Terraform scopes a configuration per directory, so all of the files live in one directory.
working directory
├ provider.tf
├ provider-var.tf
├ common.tf
├ vcn.tf
└ vcn-var.tf
Shared resources
Values that several resources use, such as the compartment, are collected in a single file named common.tf.
```hcl
# OCID of the compartment in which the resources are created
variable "compartment_id" {
  default = "ocid1.compartment.oc1..****"
}

# Availability domain names of the tenancy
data "oci_identity_availability_domains" "ADs" {
  compartment_id = var.compartment_id
}

# Tag used to track the resources managed by Terraform
variable "defined_tag_name" {
  default = "ProducedBy"
}
variable "defined_tag_value" {
  default = "Terraform"
}
```
Network resources
Prepare one file that gathers the network-related resources. Two subnets are created, one private and one public, and accordingly some resources such as route tables and security lists are created once per subnet.
- VCN
- DHCP options
- Route tables
- Security lists
- Public IP
- Internet gateway
- NAT gateway
- Subnets
- Dynamic routing gateway
- Customer-premises equipment (CPE)
- VPN connection
- VPN connection tunnel configuration
The file holding the resource definitions is named vcn.tf.
```hcl
## VCN
resource "oci_core_vcn" "vcn_oci" {
  display_name   = var.vcn_oci_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  cidr_blocks    = var.vcn_oci_cidr_blocks
  dns_label      = var.vcn_oci_dns_label
  is_ipv6enabled = var.vcn_oci_is_ipv6enabled
}

## DHCP Options
resource "oci_core_dhcp_options" "dhcp_options" {
  display_name   = var.dhcp_oci_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id         = oci_core_vcn.vcn_oci.id
  options {
    type        = "DomainNameServer"
    server_type = "VcnLocalPlusInternet"
  }
  options {
    type                = "SearchDomain"
    search_domain_names = ["${var.vcn_oci_dns_label}.oraclevcn.com"]
  }
}

## Internet Gateway
resource "oci_core_internet_gateway" "internet_gateway" {
  display_name   = var.internet_gateway_oci_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id         = oci_core_vcn.vcn_oci.id
  enabled        = var.internet_gateway_enabled
}

## Public Route Table
# Default route goes to the internet gateway; the on-premises ranges go to the DRG.
resource "oci_core_route_table" "route_table_public" {
  display_name   = var.route_table_public_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id         = oci_core_vcn.vcn_oci.id
  route_rules {
    destination_type  = var.route_public_default_destination_type
    destination       = var.route_public_default_destination
    description       = var.route_public_default_description
    network_entity_id = oci_core_internet_gateway.internet_gateway.id
  }
  route_rules {
    destination_type  = var.route_public_home_A_destination_type
    destination       = var.route_public_home_A_destination
    description       = var.route_public_home_A_description
    network_entity_id = oci_core_drg.drg_oci.id
  }
  route_rules {
    destination_type  = var.route_public_home_B_destination_type
    destination       = var.route_public_home_B_destination
    description       = var.route_public_home_B_description
    network_entity_id = oci_core_drg.drg_oci.id
  }
  route_rules {
    destination_type  = var.route_public_home_C_destination_type
    destination       = var.route_public_home_C_destination
    description       = var.route_public_home_C_description
    network_entity_id = oci_core_drg.drg_oci.id
  }
}

## Public Security List
# No rules are defined here yet. Security list rules are allow-only, so with no
# rules (and no other security list or NSG on the VNICs) the subnet permits no
# traffic until ingress/egress rules are added.
resource "oci_core_security_list" "security_list_public" {
  display_name   = var.security_list_public_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id         = oci_core_vcn.vcn_oci.id
}

## Public Subnet
resource "oci_core_subnet" "subnet_public" {
  display_name      = var.subnet_public_display_name
  compartment_id    = var.compartment_id
  freeform_tags     = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id            = oci_core_vcn.vcn_oci.id
  dhcp_options_id   = oci_core_dhcp_options.dhcp_options.id
  route_table_id    = oci_core_route_table.route_table_public.id
  security_list_ids = [
    oci_core_security_list.security_list_public.id
  ]
  cidr_block                 = var.subnet_public_cidr_block
  availability_domain        = data.oci_identity_availability_domains.ADs.availability_domains[0].name
  dns_label                  = var.subnet_public_dns_label
  prohibit_internet_ingress  = var.subnet_public_prohibit_internet_ingress
  prohibit_public_ip_on_vnic = var.subnet_public_prohibit_public_ip_on_vnic
}

## Public IP - NAT Gateway
resource "oci_core_public_ip" "public_ip_ngw" {
  display_name   = var.pip_ngw_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  lifetime       = var.pip_ngw_lifetime
}

## NAT Gateway
resource "oci_core_nat_gateway" "nat_gateway" {
  display_name   = var.nat_gateway_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id         = oci_core_vcn.vcn_oci.id
  block_traffic  = var.nat_gateway_block_traffic
  public_ip_id   = oci_core_public_ip.public_ip_ngw.id
}

## Private Route Table
# Default route goes to the NAT gateway (egress only); on-premises ranges go to the DRG.
resource "oci_core_route_table" "route_table_private" {
  display_name   = var.route_table_private_display_name
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.vcn_oci.id
  route_rules {
    destination_type  = var.route_private_default_destination_type
    destination       = var.route_private_default_destination
    description       = var.route_private_default_description
    network_entity_id = oci_core_nat_gateway.nat_gateway.id
  }
  route_rules {
    destination_type  = var.route_private_home_A_destination_type
    destination       = var.route_private_home_A_destination
    description       = var.route_private_home_A_description
    network_entity_id = oci_core_drg.drg_oci.id
  }
  route_rules {
    destination_type  = var.route_private_home_B_destination_type
    destination       = var.route_private_home_B_destination
    description       = var.route_private_home_B_description
    network_entity_id = oci_core_drg.drg_oci.id
  }
  route_rules {
    destination_type  = var.route_private_home_C_destination_type
    destination       = var.route_private_home_C_destination
    description       = var.route_private_home_C_description
    network_entity_id = oci_core_drg.drg_oci.id
  }
}

## Private Security List
# Also empty for now; see the note on the public security list above.
resource "oci_core_security_list" "security_list_private" {
  display_name   = var.security_list_private_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id         = oci_core_vcn.vcn_oci.id
}

## Private Subnet
resource "oci_core_subnet" "subnet_private" {
  display_name      = var.subnet_private_display_name
  compartment_id    = var.compartment_id
  freeform_tags     = { (var.defined_tag_name) = var.defined_tag_value }
  vcn_id            = oci_core_vcn.vcn_oci.id
  dhcp_options_id   = oci_core_dhcp_options.dhcp_options.id
  route_table_id    = oci_core_route_table.route_table_private.id
  security_list_ids = [
    oci_core_security_list.security_list_private.id
  ]
  cidr_block                 = var.subnet_private_cidr_block
  availability_domain        = data.oci_identity_availability_domains.ADs.availability_domains[0].name
  dns_label                  = var.subnet_private_dns_label
  prohibit_internet_ingress  = var.subnet_private_prohibit_internet_ingress
  prohibit_public_ip_on_vnic = var.subnet_private_prohibit_public_ip_on_vnic
}

## Dynamic Routing Gateway
resource "oci_core_drg" "drg_oci" {
  display_name   = var.drg_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
}
resource "oci_core_drg_attachment" "drg_attachment" {
  display_name  = var.drg_attachment_display_name
  drg_id        = oci_core_drg.drg_oci.id
  freeform_tags = { (var.defined_tag_name) = var.defined_tag_value }
  network_details {
    id   = oci_core_vcn.vcn_oci.id
    type = var.drg_attachment_network_details_type
  }
}

## CPE - home
resource "oci_core_cpe" "cpe_home" {
  display_name   = var.cpe_home_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  ip_address     = var.cpe_home_ip_address
}

## IPsec config
resource "oci_core_ipsec" "ip_sec_home" {
  display_name   = var.ip_sec_home_display_name
  compartment_id = var.compartment_id
  freeform_tags  = { (var.defined_tag_name) = var.defined_tag_value }
  cpe_id         = oci_core_cpe.cpe_home.id
  drg_id         = oci_core_drg.drg_oci.id
  static_routes  = var.ip_sec_connection_static_routes
}
# OCI creates the two tunnels with the connection; this data source looks up their IDs.
data "oci_core_ipsec_connection_tunnels" "ipsec_tunnels_home" {
  ipsec_id = oci_core_ipsec.ip_sec_home.id
}

## IPsec tunnel - home
# The pre-shared key is taken from a variable; keep it out of committed defaults.
resource "oci_core_ipsec_connection_tunnel_management" "ip_sec_tunnel_home_1" {
  display_name  = var.ip_sec_tunnel_home_1_display_name
  ipsec_id      = oci_core_ipsec.ip_sec_home.id
  tunnel_id     = data.oci_core_ipsec_connection_tunnels.ipsec_tunnels_home.ip_sec_connection_tunnels[0].id
  routing       = var.ip_sec_tunnel_home_1_routing
  shared_secret = var.ip_sec_tunnel_home_1_shared_secret
  ike_version   = "V2"
}
resource "oci_core_ipsec_connection_tunnel_management" "ip_sec_tunnel_home_2" {
  display_name  = var.ip_sec_tunnel_home_2_display_name
  ipsec_id      = oci_core_ipsec.ip_sec_home.id
  tunnel_id     = data.oci_core_ipsec_connection_tunnels.ipsec_tunnels_home.ip_sec_connection_tunnels[1].id
  routing       = var.ip_sec_tunnel_home_2_routing
  shared_secret = var.ip_sec_tunnel_home_2_shared_secret
  ike_version   = "V2"
}
```
Also create the variable file vcn-var.tf with the following contents. Note that some values are masked. Most of the values are embedded as defaults.
```hcl
## VCN
variable "vcn_oci_display_name" {
  default = "vcn-snyoci-jpe-lab"
}
variable "vcn_oci_cidr_blocks" {
  default = [
    "10.4.1.0/24"
  ]
}
variable "vcn_oci_dns_label" {
  default = "snyocijpelab"
}
variable "vcn_oci_is_ipv6enabled" {
  default = false
}

## DHCP Options
variable "dhcp_oci_display_name" {
  default = "dhcp-snyoci-jpe-lab"
}

## Internet Gateway
variable "internet_gateway_oci_display_name" {
  default = "igw-snyoci-jpe-lab"
}
variable "internet_gateway_enabled" {
  default = true
}

## Route Table - Public
variable "route_table_public_display_name" {
  default = "rt-public-snyoci-jpe-lab"
}
variable "route_public_default_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_public_default_destination" {
  default = "0.0.0.0/0"
}
variable "route_public_default_description" {
  default = "Default route for public subnet"
}
variable "route_public_home_A_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_public_home_A_destination" {
  default = "10.0.0.0/16"
}
variable "route_public_home_A_description" {
  default = "Home class A route for public subnet"
}
variable "route_public_home_B_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_public_home_B_destination" {
  default = "172.16.0.0/16"
}
variable "route_public_home_B_description" {
  default = "Home class B route for public subnet"
}
variable "route_public_home_C_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_public_home_C_destination" {
  default = "192.168.0.0/20"
}
variable "route_public_home_C_description" {
  default = "Home class C route for public subnet"
}

## Security List - Public
variable "security_list_public_display_name" {
  default = "sl-public-snyoci-jpe-lab"
}

## Subnet - Public
variable "subnet_public_display_name" {
  default = "snet-public-snyoci-jpe-lab"
}
variable "subnet_public_cidr_block" {
  default = "10.4.1.0/26"
}
variable "subnet_public_dns_label" {
  default = "public"
}
variable "subnet_public_prohibit_internet_ingress" {
  default = false
}
variable "subnet_public_prohibit_public_ip_on_vnic" {
  default = false
}

## Public IP - NAT Gateway
variable "pip_ngw_display_name" {
  default = "pip-ngw-snyoci-jpe-lab"
}
variable "pip_ngw_lifetime" {
  default = "RESERVED"
}

## NAT Gateway
variable "nat_gateway_display_name" {
  default = "ngw-snyoci-jpe-lab"
}
variable "nat_gateway_block_traffic" {
  default = false
}

## Route Table - Private
variable "route_table_private_display_name" {
  default = "rt-private-snyoci-jpe-lab"
}
variable "route_private_default_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_private_default_destination" {
  default = "0.0.0.0/0"
}
variable "route_private_default_description" {
  default = "Default route for private subnet"
}
variable "route_private_home_A_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_private_home_A_destination" {
  default = "10.0.0.0/16"
}
variable "route_private_home_A_description" {
  default = "Home class A route for private subnet"
}
variable "route_private_home_B_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_private_home_B_destination" {
  default = "172.16.0.0/16"
}
variable "route_private_home_B_description" {
  default = "Home class B route for private subnet"
}
variable "route_private_home_C_destination_type" {
  default = "CIDR_BLOCK"
}
variable "route_private_home_C_destination" {
  default = "192.168.0.0/20"
}
variable "route_private_home_C_description" {
  default = "Home class C route for private subnet"
}

## Security List - Private
variable "security_list_private_display_name" {
  default = "sl-private-snyoci-jpe-lab"
}

## Subnet - Private
# The private subnet keeps public IPs off its VNICs and blocks internet ingress.
variable "subnet_private_display_name" {
  default = "snet-private-snyoci-jpe-lab"
}
variable "subnet_private_cidr_block" {
  default = "10.4.1.64/26"
}
variable "subnet_private_dns_label" {
  default = "private"
}
variable "subnet_private_prohibit_internet_ingress" {
  default = true
}
variable "subnet_private_prohibit_public_ip_on_vnic" {
  default = true
}

## Dynamic Routing Gateway
variable "drg_display_name" {
  default = "drg-snyoci-jpe-lab"
}

## DRG attachment
variable "drg_attachment_display_name" {
  default = "drg-attach-snyoci-jpe-lab"
}
variable "drg_attachment_network_details_type" {
  default = "VCN"
}

## CPE - home
variable "cpe_home_display_name" {
  default = "cpe-home-snyoci-jpe-lab"
}
# Public IP of the on-premises VPN device (masked in the post)
variable "cpe_home_ip_address" {
  default = "****"
}

## IPsec config - home
variable "ip_sec_home_display_name" {
  default = "ipsec-home-snyoci-jpe-lab"
}
# On-premises ranges advertised to OCI over the tunnels
variable "ip_sec_connection_static_routes" {
  default = [
    "10.0.0.0/8",
    "172.16.0.0/16",
    "192.168.0.0/20"
  ]
}

## IPsec tunnel - home
variable "ip_sec_tunnel_home_1_display_name" {
  default = "ipsec-tunnel-home-1-snyoci-jpe-lab"
}
variable "ip_sec_tunnel_home_1_routing" {
  default = "STATIC"
}
# Masked in the post. A real pre-shared key should be supplied at apply time
# (for example via a TF_VAR_ environment variable or a -var-file kept out of
# version control) rather than committed here, and the variable marked
# sensitive = true so it is redacted from plan output.
variable "ip_sec_tunnel_home_1_shared_secret" {
  default = "****"
}
variable "ip_sec_tunnel_home_2_display_name" {
  default = "ipsec-tunnel-home-2-snyoci-jpe-lab"
}
variable "ip_sec_tunnel_home_2_routing" {
  default = "STATIC"
}
# Same handling as the tunnel 1 secret above.
variable "ip_sec_tunnel_home_2_shared_secret" {
  default = "****"
}
```
Running Terraform
Terraform creates the resources with the following commands.
- Initialize: terraform init
- Syntax check: terraform plan
- Deploy: terraform apply
- Delete resources: terraform destroy
The flow is to finish the syntactic check with the plan command and then attempt the actual creation with the apply command. The syntactic check only covers basics such as duplicate variable declarations; whether a value is actually acceptable to the service was often something I only found out by running apply.
The parameters each resource requires are filled in by consulting the reference documentation.
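Since plan only catches syntactic problems, a small pre-apply audit of vcn-var.tf catches a few of the things that otherwise only surface at apply time or in production. The script below is an added example, not part of the original post; it assumes the flat one-default-per-block variable style shown above and runs on a constructed excerpt of that file (with a fake pre-shared key in place of the "****" mask). It checks that every on-premises CIDR the route tables send to the DRG is covered by an IPsec static route, that no pre-shared key is committed as a default, and flags a static route that also contains the VCN's own CIDR, which is the case for the 10.0.0.0/8 default above against 10.4.1.0/24.

```python
import ipaddress
import re

# Constructed excerpt in the flat style of the post's vcn-var.tf; a fake key replaces
# the post's "****" mask so the secret check has something to catch.
SAMPLE_VARS = '''
variable "vcn_oci_cidr_blocks" {
default = ["10.4.1.0/24"]
}
variable "route_public_home_A_destination" {
default = "10.0.0.0/16"
}
variable "ip_sec_connection_static_routes" {
default = ["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/20"]
}
variable "ip_sec_tunnel_home_1_shared_secret" {
default = "hunter2"
}
'''

BLOCK_RE = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\}', re.S)

def parse_defaults(text):
    """Map variable name -> default (str or list of str); not a general HCL parser."""
    out = {}
    for name, body in BLOCK_RE.findall(text):
        m = re.search(r"default\s*=\s*(.*)", body, re.S)
        if m:
            raw = m.group(1).strip()
            out[name] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
    return out

def audit(defaults):
    """Return findings (an empty list means the variable file passed all three checks)."""
    findings = []
    vcn = [ipaddress.ip_network(c) for c in defaults.get("vcn_oci_cidr_blocks", [])]
    static = [ipaddress.ip_network(c) for c in defaults.get("ip_sec_connection_static_routes", [])]
    for name, val in defaults.items():
        # 1. Every on-prem CIDR the route tables send to the DRG must be covered by a static route.
        if re.fullmatch(r"route_(public|private)_home_[A-Z]_destination", name):
            if not any(ipaddress.ip_network(val).subnet_of(s) for s in static):
                findings.append(f"{name}={val} is not covered by ip_sec_connection_static_routes")
        # 2. A pre-shared key must not be committed as a default; "****" is the post's mask.
        if name.endswith("_shared_secret") and val != "****":
            findings.append(f"{name} has a real default; mark it sensitive and pass it at apply time")
    # 3. A static route that also contains the VCN's own CIDR deserves a look before apply.
    for s in static:
        findings += [f"static route {s} overlaps VCN CIDR {v}" for v in vcn if v.overlaps(s)]
    return findings
```

Run `audit(parse_defaults(open("vcn-var.tf").read()))` against the real file; on the sample above it reports the committed secret and the 10.0.0.0/8 overlap.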
References
The references consulted for the network resources are as follows.
- oci_core_vcn | Resources | hashicorp/oci | Terraform Registry
- oci_core_dhcp_options | Resources | hashicorp/oci | Terraform Registry
- oci_core_route_table | Resources | hashicorp/oci | Terraform Registry
- oci_core_drg | Resources | hashicorp/oci | Terraform Registry
- oci_core_drg_attachment | Resources | hashicorp/oci | Terraform Registry
- oci_core_ipsec_connection_tunnel_management | Resources | hashicorp/oci | Terraform Registry
- oci_core_ipsec | Resources | hashicorp/oci | Terraform Registry
- oci_core_ipsec_connection_tunnels | Data Sources | hashicorp/oci | Terraform Registry
- oci_core_security_list | Resources | hashicorp/oci | Terraform Registry
- oci_core_subnet | Resources | hashicorp/oci | Terraform Registry
- oci_core_internet_gateway | Resources | hashicorp/oci | Terraform Registry
- oci_core_nat_gateway | Resources | hashicorp/oci | Terraform Registry