Using Terraform to Provision VPCs in AWS

Charles Woodruff
Sep 28, 2020


Your manager has tasked you with creating a highly available, secure environment to contain an incoming client’s business applications. The platform needs to be internet facing in order for customers to access web applications while ensuring the backend, which contains databases and file servers housing proprietary information, is protected from intrusion. Lastly, provisioning should be easily repeatable and allow for rapid modifications.

What tools could be used to implement your manager’s request?

This document details how to meet all of these requirements using Terraform to provision a highly available VPC across two availability zones within an AWS region.

Requirements

· An AWS account
· An AWS user access key ID and secret access key
· The AWS CLI installed and pre-configured
· A Terraform installation

Clone the GitHub Repository

Open a command prompt, and create a local directory called “VPC-Project”.

Clone the AWS Terraform scripts from the GitHub repository by issuing the following command from the local directory:

git clone https://github.com/cawoodruff/ProvisionVPCwithTerraform.git

This copies all the files in the ProvisionVPCwithTerraform repository into the local directory.

Let’s examine the contents of each file.

The terraform.tfvars file contains the variable values that vpc-main.tf references to obtain AWS specifics, such as the region, the availability zones and the vpc_cidr, used to create the client’s environment.

The variables.tf file defines more variables along with their descriptors.

The vpc-main.tf file is broken into several sections for readability.

Terraform is cloud agnostic, meaning it can be used across multiple cloud platforms, so the Terraform code must indicate which cloud vendor to use. This is done with a provider block.

Note that the region is pulled from the terraform.tfvars file, which can be updated to point to other regions and availability zones as needed. This is one way the repeatability requirement mentioned earlier is met.

The VPC resource is defined next. It also pulls the vpc_cidr from the terraform.tfvars configuration file.

Next, multiple subnets are defined and assigned across two predefined availability zones.

The Internet Gateway and NAT Gateway resources are defined and assigned within the newly created VPC.

Last to be defined are the public and private routing tables.
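The sections just described, assembled into one working vpc-main.tf. This is an added example, not the repository's own file; it assumes variables named region, azs (a list of two availability zone names) and vpc_cidr declared in variables.tf and set in terraform.tfvars, and it uses count and cidrsubnet to generate the eight subnets rather than listing each one. Note that the provider block carries no credentials: Terraform picks up the AWS CLI's configured credentials.

```hcl
# Added example (not the repo's vpc-main.tf); assumes var.region, var.azs (two AZ names), var.vpc_cidr.
provider "aws" {
  region = var.region # no access keys here: Terraform reads the AWS CLI credentials
}
resource "aws_vpc" "main" { cidr_block = var.vpc_cidr }
resource "aws_subnet" "public" {
  count                   = 4
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 8, count.index)
  availability_zone       = var.azs[count.index % 2] # alternate across the two AZs
  map_public_ip_on_launch = true
}
resource "aws_subnet" "private" {
  count             = 4
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(var.vpc_cidr, 8, count.index + 10)
  availability_zone = var.azs[count.index % 2]
}
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }
resource "aws_eip" "nat" { domain = "vpc" } # provider v5 syntax; older versions use vpc = true
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id # the NAT gateway must live in a public subnet
  depends_on    = [aws_internet_gateway.igw]
}
# Public subnets route to the IGW; private subnets route through the NAT gateway,
# so backend hosts get outbound access without being reachable from the internet.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "public" {
  count          = 4
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private" {
  count          = 4
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}
```

With a /16 vpc_cidr this yields eight /24 subnets, four public and four private, spread evenly over the two availability zones.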

Build The Infrastructure

These steps assume the AWS CLI has been installed and configured with the AWS user’s access key ID and secret access key. Information for doing so can be found here.

A less secure way to provide these credentials to Terraform is to add the key definitions directly into the terraform.tfvars file, as shown below. This is not a best practice, because the file then holds long-lived secrets in plaintext and is easily committed to version control.

Run “terraform init” to initialize the directory containing the configuration files.

Next, run “terraform plan”.

This allows Terraform to examine the code and determine what additions/changes/deletions need to be made in AWS.

Run “terraform apply -var-file terraform.tfvars” to start the provisioning process.

Verify the New Environment

All of the components can now be seen in the AWS console.

The main VPC is created with the correct CIDR block.

Eight subnets are created and ready for use.

Private and public routing tables are created and associated with each subnet.

The internet gateway has been created and attached to the new VPC.

Tearing Down the Infrastructure

The infrastructure can be deleted using one command.

Run “terraform destroy”, and all AWS elements defined in your code will be deleted.
