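# Configure the SberCloud provider
#
terraform {
  # The variables below use `sensitive = true`, which only exists from
  # Terraform 0.14 on; fail early with a clear message on older binaries.
  required_version = ">= 0.14"

  required_providers {
    sbercloud = {
      source = "sbercloud-terraform/sbercloud"
      # Exact pin: a provider upgrade is a deliberate, reviewed change, not a
      # side effect of `terraform init`.
      version = "1.4.0"
    }
  }
}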
provider "sbercloud" {
  region       = "ru-moscow-1"
  project_name = "ru-moscow-1_test"

  # Credentials never live in this file: they come in through the two
  # sensitive variables declared below (-var, a *.tfvars file kept out of
  # version control, or TF_VAR_* environment variables).
  access_key = var.access_key
  secret_key = var.secret_key
}
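# Declare the required input variables
#
# None of these has a default, so Terraform refuses to run without a value.
# `sensitive = true` keeps the values out of plan/apply output, but they are
# still written in plain text into the state file — keep the state in a
# protected backend.
variable "access_key" {
  description = "Access Key to access SberCloud"
  type        = string
  sensitive   = true
}

variable "secret_key" {
  description = "Secret Key to access SberCloud"
  type        = string
  sensitive   = true
}

variable "srv_admin_pass" {
  description = "Default admin password for Windows servers"
  type        = string
  sensitive   = true
}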
# Availability zones of the configured region
#
data "sbercloud_availability_zones" "az_list" {
}

# Flavor IDs for the ECS instances
#
# Both lookups are pinned to the first availability zone; the instances below
# are spread over every zone, so the flavor is assumed to be offered in all of
# them — verify if a zone is ever missing from the catalogue.
data "sbercloud_compute_flavors" "flavor_n_2_8" {
  performance_type  = "normal"
  cpu_core_count    = 2
  memory_size       = 8
  availability_zone = data.sbercloud_availability_zones.az_list.names[0]
}

data "sbercloud_compute_flavors" "flavor_n_4_16" {
  performance_type  = "normal"
  cpu_core_count    = 4
  memory_size       = 16
  availability_zone = data.sbercloud_availability_zones.az_list.names[0]
}
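# Local values
#
locals {
  # Number of zones in the region; instances are placed round-robin over them.
  number_of_az = length(data.sbercloud_availability_zones.az_list.names)

  # Servers per tier. A number rather than the string "2": `count` expects a
  # number and the string form only worked through implicit conversion.
  ecs_count = 2
}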
# VPC
#
resource "sbercloud_vpc" "vpc_01" {
  cidr = "10.0.0.0/16"
  name = "vpc-01"
}
# Subnets
#
# All three use 100.125.13.59 (which looks like the platform's internal
# resolver) as primary DNS and the public 8.8.8.8 as fallback; with the
# fallback, name lookups may leave the cloud — replace it with an internal
# resolver if that matters for this environment.
resource "sbercloud_vpc_subnet" "subnet_public" {
  vpc_id        = sbercloud_vpc.vpc_01.id
  name          = "snet-public"
  cidr          = "10.0.0.0/24"
  gateway_ip    = "10.0.0.1"
  primary_dns   = "100.125.13.59"
  secondary_dns = "8.8.8.8"
}

resource "sbercloud_vpc_subnet" "subnet_private" {
  vpc_id        = sbercloud_vpc.vpc_01.id
  name          = "snet-private"
  cidr          = "10.0.1.0/24"
  gateway_ip    = "10.0.1.1"
  primary_dns   = "100.125.13.59"
  secondary_dns = "8.8.8.8"
}

# Small subnet that only hosts the NAT gateway (and, by its name, a VPN gateway).
resource "sbercloud_vpc_subnet" "subnet_nat_vpn" {
  vpc_id        = sbercloud_vpc.vpc_01.id
  name          = "snet-nat_vpn_gw"
  cidr          = "10.0.2.0/28"
  gateway_ip    = "10.0.2.1"
  primary_dns   = "100.125.13.59"
  secondary_dns = "8.8.8.8"
}
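# Network ACL rules — office / admin ranges
#
# The rules only describe the match; the ACLs further down decide which
# subnet, which direction and in which order they apply. `enabled` is a
# boolean attribute, so it is given as a bool rather than the string "true".

# Traffic towards the office range (used as private-subnet outbound).
resource "sbercloud_network_acl_rule" "acl_rule_1" {
  name                   = "allow-snet-office_out"
  description            = "allow access to subnet 172.16.0.0/20"
  enabled                = true
  action                 = "allow"
  protocol               = "any"
  source_ip_address      = "0.0.0.0/0"
  destination_ip_address = "172.16.0.0/20"
}

# Traffic from the office range (used as private-subnet inbound).
resource "sbercloud_network_acl_rule" "acl_rule_2" {
  name                   = "allow-snet-office_in"
  description            = "allow access from subnet 172.16.0.0/20"
  enabled                = true
  action                 = "allow"
  protocol               = "any"
  source_ip_address      = "172.16.0.0/20"
  destination_ip_address = "0.0.0.0/0"
}

# Traffic from the narrower admin range (used as public-subnet inbound).
resource "sbercloud_network_acl_rule" "acl_rule_3" {
  name                   = "allow-snet-admins_in"
  description            = "allow access from subnet 172.16.0.0/24"
  enabled                = true
  action                 = "allow"
  protocol               = "any"
  source_ip_address      = "172.16.0.0/24"
  destination_ip_address = "0.0.0.0/0"
}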
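# Network ACL rules — deny the RFC1918 ranges on the way out
#
# Note that 10.0.0.0/8 covers this VPC's own 10.0.0.0/16, so these rules also
# stop the subnets from initiating connections to each other. `enabled` is a
# boolean attribute and is given as a bool rather than the string "true".
resource "sbercloud_network_acl_rule" "acl_rule_4" {
  name                   = "deny-rfc1918_out_1"
  description            = "deny access to subnet 10.0.0.0/8"
  enabled                = true
  action                 = "deny"
  protocol               = "any"
  source_ip_address      = "0.0.0.0/0"
  destination_ip_address = "10.0.0.0/8"
}

resource "sbercloud_network_acl_rule" "acl_rule_5" {
  name                   = "deny-rfc1918_out_2"
  description            = "deny access to subnet 172.16.0.0/12"
  enabled                = true
  action                 = "deny"
  protocol               = "any"
  source_ip_address      = "0.0.0.0/0"
  destination_ip_address = "172.16.0.0/12"
}

resource "sbercloud_network_acl_rule" "acl_rule_6" {
  name                   = "deny-rfc1918_out_3"
  description            = "deny access to subnet 192.168.0.0/16"
  enabled                = true
  action                 = "deny"
  protocol               = "any"
  source_ip_address      = "0.0.0.0/0"
  destination_ip_address = "192.168.0.0/16"
}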
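# Network ACL rules — catch-all outbound allow and the load-balancer check
#
# `enabled` is a boolean attribute and is given as a bool rather than the
# string "true".

# Catch-all allow; only meaningful after the RFC1918 denies in the ACL's list.
resource "sbercloud_network_acl_rule" "acl_rule_7" {
  name                   = "allow-any_out"
  description            = "Allow access to any"
  enabled                = true
  action                 = "allow"
  protocol               = "any"
  source_ip_address      = "0.0.0.0/0"
  destination_ip_address = "0.0.0.0/0"
}

# Port 80 from the platform range the load balancer uses for health checks.
resource "sbercloud_network_acl_rule" "acl_rule_8" {
  name                   = "allow-heath_check_in"
  description            = "Allow access for health check"
  enabled                = true
  action                 = "allow"
  protocol               = "tcp"
  source_ip_address      = "100.125.0.0/16"
  destination_ip_address = "0.0.0.0/0"
  destination_port       = "80"
}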
# Network ACLs — attach the rules to the subnets
#
# The lists are ordered: keep the RFC1918 denies ahead of the catch-all allow
# (acl_rule_7); moving the allow earlier would open the private ranges.

# Public subnet: admin range in, LB health checks in, internet out.
resource "sbercloud_network_acl" "nacl_01" {
  name    = "acl-public"
  subnets = [sbercloud_vpc_subnet.subnet_public.id]

  inbound_rules = [
    sbercloud_network_acl_rule.acl_rule_3.id,
    sbercloud_network_acl_rule.acl_rule_8.id,
  ]

  outbound_rules = [
    sbercloud_network_acl_rule.acl_rule_4.id,
    sbercloud_network_acl_rule.acl_rule_5.id,
    sbercloud_network_acl_rule.acl_rule_6.id,
    sbercloud_network_acl_rule.acl_rule_7.id,
  ]
}

# Private subnet: office range in; office range out is allowed first, then the
# RFC1918 denies, then the internet.
resource "sbercloud_network_acl" "nacl_02" {
  name    = "acl-private"
  subnets = [sbercloud_vpc_subnet.subnet_private.id]

  inbound_rules = [
    sbercloud_network_acl_rule.acl_rule_2.id,
  ]

  outbound_rules = [
    sbercloud_network_acl_rule.acl_rule_1.id,
    sbercloud_network_acl_rule.acl_rule_4.id,
    sbercloud_network_acl_rule.acl_rule_5.id,
    sbercloud_network_acl_rule.acl_rule_6.id,
    sbercloud_network_acl_rule.acl_rule_7.id,
  ]
}
# Security groups
#
# sg-01: Ubuntu web servers in the public subnet.
resource "sbercloud_networking_secgroup" "sg_01" {
  description = "Security group allows tcp 22,80 and icmp"
  name        = "sg-01"
}

# sg-02: Windows servers in the private subnet.
resource "sbercloud_networking_secgroup" "sg_02" {
  description = "Security group allows any traffic"
  name        = "sg-02"
}
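# Security group rules for sg-01 (public web servers)
#
resource "sbercloud_networking_secgroup_rule" "sg_rule_01" {
  security_group_id = sbercloud_networking_secgroup.sg_01.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "icmp"
  remote_ip_prefix  = "0.0.0.0/0"
}

# SSH is limited to the admin subnet that the public-subnet network ACL
# (acl_rule_3) already admits. The previous 0.0.0.0/0 left the ACL as the
# only barrier; the security group now enforces the same boundary itself.
resource "sbercloud_networking_secgroup_rule" "sg_rule_02" {
  security_group_id = sbercloud_networking_secgroup.sg_01.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = "172.16.0.0/24"
}

# HTTP stays open to any source: the load balancer reaches the backends from
# the platform range (see acl_rule_8) and the network ACL bounds the rest.
resource "sbercloud_networking_secgroup_rule" "sg_rule_03" {
  security_group_id = sbercloud_networking_secgroup.sg_01.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 80
  port_range_max    = 80
  remote_ip_prefix  = "0.0.0.0/0"
}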
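# Security group rules for sg-02 (private Windows servers)
#
# This was an any-protocol ingress from 0.0.0.0/0, i.e. an allow-all group
# that relied entirely on the subnet ACL. It is now limited to the office
# range that the private-subnet ACL (acl_rule_2) admits, with a second rule
# so members of the group can still talk to each other.
resource "sbercloud_networking_secgroup_rule" "sg_rule_04" {
  security_group_id = sbercloud_networking_secgroup.sg_02.id
  direction         = "ingress"
  ethertype         = "IPv4"
  remote_ip_prefix  = "172.16.0.0/20"
}

resource "sbercloud_networking_secgroup_rule" "sg_rule_04_self" {
  security_group_id = sbercloud_networking_secgroup.sg_02.id
  direction         = "ingress"
  ethertype         = "IPv4"
  remote_group_id   = sbercloud_networking_secgroup.sg_02.id
}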
# Elastic IPs
#
# One for the NAT gateway (outbound traffic of both server subnets) and one
# for the load balancer (the only inbound entry point of the deployment).
resource "sbercloud_vpc_eip" "eip_nat" {
  bandwidth {
    name        = "nat_bandwidth"
    size        = 50
    share_type  = "PER"
    charge_mode = "bandwidth"
  }

  publicip {
    type = "5_bgp"
  }
}

resource "sbercloud_vpc_eip" "eip_elb" {
  bandwidth {
    name        = "elb_bandwidth"
    size        = 50
    share_type  = "PER"
    charge_mode = "bandwidth"
  }

  publicip {
    type = "5_bgp"
  }
}
# NAT gateway
#
# Lives in its own /28 subnet; the SNAT rules below attach the server subnets.
resource "sbercloud_nat_gateway" "nat_01" {
  vpc_id    = sbercloud_vpc.vpc_01.id
  subnet_id = sbercloud_vpc_subnet.subnet_nat_vpn.id
  name      = "nat-gw-01"
  spec      = "1"
}
# SNAT rules
#
# Both server subnets egress through the same EIP. The instances declare a
# depends_on on these rules because their first boot needs the internet.
resource "sbercloud_nat_snat_rule" "snat_public_subnet" {
  floating_ip_id = sbercloud_vpc_eip.eip_nat.id
  nat_gateway_id = sbercloud_nat_gateway.nat_01.id
  subnet_id      = sbercloud_vpc_subnet.subnet_public.id
}

resource "sbercloud_nat_snat_rule" "snat_private_subnet" {
  floating_ip_id = sbercloud_vpc_eip.eip_nat.id
  nat_gateway_id = sbercloud_nat_gateway.nat_01.id
  subnet_id      = sbercloud_vpc_subnet.subnet_private.id
}
# Image lookups
#
# `most_recent` resolves the name to the newest matching image, so the image
# actually used can change between runs — pin by ID if reproducibility matters.
data "sbercloud_images_image" "img_ubuntu_20_04" {
  most_recent = true
  name        = "Ubuntu 20.04 server 64bit"
}

data "sbercloud_images_image" "img_winsrv_2019" {
  most_recent = true
  name        = "Windows Server 2019 Datacenter 64bit English"
}
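# SSH key pair
#
# The public key comes from outside the configuration. The previous literal
# placeholder text was not a valid key and would have failed on apply; a
# variable keeps the key out of the file and lets each operator use their own.
variable "ssh_public_key" {
  description = "SSH public key (OpenSSH single-line format) installed on the Ubuntu servers"
  type        = string

  validation {
    condition     = can(regex("^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ", var.ssh_public_key))
    error_message = "ssh_public_key must be a single-line OpenSSH public key (e.g. 'ssh-ed25519 AAAA... comment')."
  }
}

resource "sbercloud_compute_keypair" "keypair_01" {
  name       = "keypair_01"
  public_key = var.ssh_public_key
}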
# Ubuntu 20.04 servers in the public subnet (one per local.ecs_count)
#
resource "sbercloud_compute_instance" "ecs_pub_srv" {
  count = local.ecs_count

  name      = "pub-srv${count.index+1}"
  image_id  = data.sbercloud_images_image.img_ubuntu_20_04.id
  flavor_id = data.sbercloud_compute_flavors.flavor_n_2_8.ids[0]

  # Spread round-robin over the zones. The flavor above was looked up in the
  # first zone only, so it is assumed to be available in all of them.
  availability_zone = data.sbercloud_availability_zones.az_list.names[count.index % local.number_of_az]

  security_groups = [sbercloud_networking_secgroup.sg_01.name]
  key_pair        = sbercloud_compute_keypair.keypair_01.name

  system_disk_type = "SAS"
  system_disk_size = 40

  # First-boot script: install nginx and put the hostname on the default page.
  # Kept byte-identical — editing user_data forces the instance to be replaced.
  user_data = "#!/bin/bash\napt-get update && apt-get -y install nginx && sed -i.bak \"s/nginx\\!/$(hostname)/\" /var/www/html/index.nginx-debian.html"

  network {
    uuid = sbercloud_vpc_subnet.subnet_public.id
  }

  # apt needs outbound internet, which only exists once the SNAT rule is in place.
  depends_on = [sbercloud_nat_snat_rule.snat_public_subnet]
}
# Windows Server 2019 servers in the private subnet (one per local.ecs_count)
#
resource "sbercloud_compute_instance" "ecs_pri_srv" {
  count = local.ecs_count

  name      = "pri-srv${count.index+1}"
  image_id  = data.sbercloud_images_image.img_winsrv_2019.id
  flavor_id = data.sbercloud_compute_flavors.flavor_n_4_16.ids[0]

  # Spread round-robin over the zones; same AZ/flavor assumption as pub-srv.
  availability_zone = data.sbercloud_availability_zones.az_list.names[count.index % local.number_of_az]

  security_groups = [sbercloud_networking_secgroup.sg_02.name]

  system_disk_type = "SAS"
  system_disk_size = 60

  # Administrator password from the sensitive variable. It is hidden from plan
  # output but still stored in the state file — protect the state accordingly.
  admin_pass = var.srv_admin_pass

  network {
    uuid = sbercloud_vpc_subnet.subnet_private.id
  }

  # Ordering only: make sure the subnet has egress before the servers come up.
  depends_on = [sbercloud_nat_snat_rule.snat_private_subnet]
}
# Load balancer
#
# The VIP sits in the public subnet; it becomes reachable from the internet
# only through the EIP association below.
resource "sbercloud_lb_loadbalancer" "elb_01" {
  vip_subnet_id = sbercloud_vpc_subnet.subnet_public.subnet_id
  name          = "elb-01"
}
# Bind the public IP to the load balancer's VIP port
#
resource "sbercloud_networking_eip_associate" "eip_elb_associate" {
  port_id   = sbercloud_lb_loadbalancer.elb_01.vip_port_id
  public_ip = sbercloud_vpc_eip.eip_elb.address
}
# ELB listener
#
# Plain HTTP on port 80 — nothing is encrypted between clients and the
# balancer. Serving TLS would need a terminated-HTTPS listener with a
# certificate in addition to (or instead of) this one.
resource "sbercloud_lb_listener" "web_listener_80" {
  loadbalancer_id = sbercloud_lb_loadbalancer.elb_01.id
  name            = "HTTP listener"
  protocol        = "HTTP"
  protocol_port   = 80
}
# Backend pool for the listener
#
resource "sbercloud_lb_pool" "lb_pool_01" {
  listener_id = sbercloud_lb_listener.web_listener_80.id
  name        = "Servers group for ELB"
  protocol    = "HTTP"
  lb_method   = "ROUND_ROBIN"
}
# Health check for the pool
#
# GET / every 10 s, 5 s timeout, a member is taken out after 3 failures.
# Any 2xx in 200-202 counts as healthy. The probes arrive from the platform
# range admitted by acl_rule_8.
resource "sbercloud_lb_monitor" "elb_health_check_01" {
  pool_id        = sbercloud_lb_pool.lb_pool_01.id
  name           = "Health check for Web Servers"
  type           = "HTTP"
  url_path       = "/"
  expected_codes = "200-202"
  delay          = 10
  timeout        = 5
  max_retries    = 3
}
# Register the public servers as pool members
#
resource "sbercloud_lb_member" "lb_servers" {
  count = local.ecs_count

  pool_id       = sbercloud_lb_pool.lb_pool_01.id
  subnet_id     = sbercloud_vpc_subnet.subnet_public.subnet_id
  address       = sbercloud_compute_instance.ecs_pub_srv[count.index].access_ip_v4
  protocol_port = 80

  # Create the monitor first so members are never added to an unchecked pool.
  depends_on = [sbercloud_lb_monitor.elb_health_check_01]
}