

AWS - terraform -2

# AWS provider pinned to the Seoul region; every resource below is created here.
provider "aws" {
  region = "ap-northeast-2"
}

# SSH key pair registered from a local public key; only the public half is
# read here, the private key never enters Terraform state.
# The Windows-style path ties this config to one workstation.
resource "aws_key_pair" "tf_keypair" {
  key_name   = "tf_keypair"
  public_key = file("C:/ssh/tf_keypair.pub")
  tags = {
    Description = "TF-KeyPair"
  }
}

# Latest Amazon-owned Amazon Linux 2 HVM x86_64 (gp2) image.
# `owners` already restricts results to Amazon; the owner-alias filter
# repeats that restriction.
data "aws_ami" "RecentAMI" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "owner-alias"
    values = ["amazon"]
  }
  
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }

}

# VPC 1 (10.0.0.0/16): hosts MyPublicSubnet / MyPrivateSubnet and the
# MyWeb / MyWeb2 instances. DNS hostnames are enabled so instances get
# resolvable names.
resource "aws_vpc" "MyVPC1" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "MyVPC1"
  }
}

# VPC 2 (172.16.0.0/16): hosts MyPublicSubnet2 / MyPrivateSubnet2, the
# MyWeb3 / MyWeb4 instances and the NLB. Security groups and NAT gateways
# are per-VPC, so VPC2 needs its own copies of each.
resource "aws_vpc" "MyVPC2" {
  cidr_block           = "172.16.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "MyVPC2"
  }
}

# Internet gateway for VPC1; MyPublicRouting sends 0.0.0.0/0 here.
resource "aws_internet_gateway" "MyIGW" {
  vpc_id = aws_vpc.MyVPC1.id
  tags = {
    Name = "MyIGW"
  }
}

# Internet gateway for VPC2; MyPublicRouting2 sends 0.0.0.0/0 here.
resource "aws_internet_gateway" "MyIGW2" {
  vpc_id = aws_vpc.MyVPC2.id
  tags = {
    Name = "MyIGW2"
  }
}

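# NAT gateway for VPC1's private subnet (target of MyPrivateRouting's
# default route). It sits in the public subnet and uses its own Elastic IP.
# The explicit dependency on the IGW makes sure the gateway that gives the
# public subnet its internet path exists before the NAT gateway is created.
resource "aws_nat_gateway" "MyNAT" {
  depends_on    = [aws_internet_gateway.MyIGW]
  allocation_id = aws_eip.MyEIP.id
  subnet_id     = aws_subnet.MyPublicSubnet.id
  tags = {
    Name = "MyNAT"
  }
}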

# Elastic IP consumed by MyNAT (VPC1). One EIP backs exactly one NAT gateway.
resource "aws_eip" "MyEIP" {
  domain = "vpc"
  tags = {
    Name = "MyEIP"

  }
}

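# NAT gateway for VPC2's private subnet (target of MyPrivateRouting2's
# default route). A NAT gateway must be placed in a public subnet of the VPC
# it serves and needs its own Elastic IP: the original reused MyEIP and
# MyPublicSubnet from VPC1, which a VPC2 route table cannot route to and
# which would also try to attach the same EIP to two gateways.
resource "aws_nat_gateway" "MyNAT2" {
  depends_on    = [aws_internet_gateway.MyIGW2]
  allocation_id = aws_eip.MyEIP2.id
  subnet_id     = aws_subnet.MyPublicSubnet2.id
  tags = {
    Name = "MyNAT2"
  }
}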
  
  # Elastic IP intended for VPC2's NAT gateway (MyNAT2); not referenced by
  # any resource as written, so check that MyNAT2 actually uses it.
  resource "aws_eip" "MyEIP2" {
    domain = "vpc"
    tags = {
      Name = "MyEIP2"
  
    }
  }

# VPC1 public subnet (10.0.1.0/24, AZ 2a): routed to MyIGW, hosts MyNAT
# and the MyWeb ENI. Auto-assigned public IPs apply to instances launched
# directly into the subnet, not to a pre-created ENI.
resource "aws_subnet" "MyPublicSubnet" {
  vpc_id                  = aws_vpc.MyVPC1.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
  availability_zone       = "ap-northeast-2a"
}

# VPC1 private subnet (10.0.2.0/24, AZ 2c): egress only via MyNAT; hosts
# the MyWeb2 ENI.
resource "aws_subnet" "MyPrivateSubnet" {
  vpc_id                  = aws_vpc.MyVPC1.id
  cidr_block              = "10.0.2.0/24"
  map_public_ip_on_launch = false
  availability_zone       = "ap-northeast-2c"
}

# VPC2 public subnet (172.16.3.0/24, AZ 2a): routed to MyIGW2. This is the
# subnet that VPC2's NAT gateway and any internet-facing load balancer
# should be placed in.
resource "aws_subnet" "MyPublicSubnet2" {
  vpc_id                  = aws_vpc.MyVPC2.id
  cidr_block              = "172.16.3.0/24"
  map_public_ip_on_launch = true
  availability_zone       = "ap-northeast-2a"
}

# VPC2 private subnet (172.16.4.0/24, AZ 2c): egress only via MyNAT2.
# Addresses assigned to ENIs here must fall inside 172.16.4.0/24.
resource "aws_subnet" "MyPrivateSubnet2" {
  vpc_id                  = aws_vpc.MyVPC2.id
  cidr_block              = "172.16.4.0/24"
  map_public_ip_on_launch = false
  availability_zone       = "ap-northeast-2c"
}

# VPC1 public route table: default route to the internet gateway.
resource "aws_route_table" "MyPublicRouting" {
  vpc_id = aws_vpc.MyVPC1.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.MyIGW.id
  }

  tags = {
    Name = "MyPublicRouting"
  }
}

# Binds VPC1's public subnet to the IGW route table.
resource "aws_route_table_association" "MyPublicSubnetRoutingAssociation" {
  subnet_id      = aws_subnet.MyPublicSubnet.id
  route_table_id = aws_route_table.MyPublicRouting.id
}

# VPC1 private route table: default route through MyNAT, so private
# instances can reach the internet (e.g. yum) without being reachable from it.
resource "aws_route_table" "MyPrivateRouting" {
  vpc_id = aws_vpc.MyVPC1.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_nat_gateway.MyNAT.id
  }

  tags = {
    Name = "MyPrivateRouting"
  }
}

# Binds VPC1's private subnet to the NAT route table.
resource "aws_route_table_association" "MyPrivateSubnetRoutingAssociation" {
  subnet_id      = aws_subnet.MyPrivateSubnet.id
  route_table_id = aws_route_table.MyPrivateRouting.id
}

# VPC2 public route table: default route to MyIGW2.
resource "aws_route_table" "MyPublicRouting2" {
  vpc_id = aws_vpc.MyVPC2.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.MyIGW2.id
  }

  tags = {
    Name = "MyPublicRouting2"
  }
}

# Binds VPC2's public subnet to the IGW2 route table.
resource "aws_route_table_association" "MyPublicSubnetRoutingAssociation2" {
  subnet_id      = aws_subnet.MyPublicSubnet2.id
  route_table_id = aws_route_table.MyPublicRouting2.id
}

# VPC2 private route table: default route through MyNAT2.
# NOTE(review): a route can only target a NAT gateway that lives in this
# same VPC, so MyNAT2 must be placed in a VPC2 subnet for this to apply.
resource "aws_route_table" "MyPrivateRouting2" {
  vpc_id = aws_vpc.MyVPC2.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_nat_gateway.MyNAT2.id
  }

  tags = {
    Name = "MyPrivateRouting2"
  }
}

# Binds VPC2's private subnet to the NAT2 route table.
resource "aws_route_table_association" "MyPrivateSubnetRoutingAssociation2" {
  subnet_id      = aws_subnet.MyPrivateSubnet2.id
  route_table_id = aws_route_table.MyPrivateRouting2.id
}

# Security group for the VPC1 web ENIs (MyWebPrivateAddress / 2).
# Inbound: HTTP, HTTPS and SSH from anywhere, ICMP from inside VPC1.
# Outbound: everything.
resource "aws_security_group" "MyPublicSecuGroup" {
  name        = "MyPublicSecGroup"
  description = "Permit http https ssh"
  vpc_id      = aws_vpc.MyVPC1.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # NOTE(review): SSH is open to the whole internet; limit cidr_blocks to the
  # administrator's network range (placeholder: <ADMIN_CIDR>) so that the
  # key pair is the only thing standing between the internet and a shell.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  
  # ICMP (ping) only from VPC1's own range.
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["10.0.0.0/16"]
  }

  # Unrestricted egress; protocol "-1" means all protocols and ports.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "MyPublicSecuGroup"
  }
}

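# Security group for the VPC2 web ENIs (MyWebPrivateAddress3 / 4, whose
# subnets belong to MyVPC2). A security group is scoped to a single VPC and
# cannot be attached to an ENI in another VPC, so it is created in MyVPC2;
# the original put it in MyVPC1, which fails at apply time.
# The ICMP rule is likewise narrowed to VPC2's own range (172.16.0.0/16);
# 10.0.0.0/16 is VPC1's range and was a copy-paste leftover.
resource "aws_security_group" "MyPrivateSecuGroup" {
  # AWS-side name kept as is (typo included): renaming forces replacement.
  name        = "MyPrivatgeSecGroup"
  description = "Permit http https ssh"
  vpc_id      = aws_vpc.MyVPC2.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # NOTE(review): SSH from anywhere; limit cidr_blocks to the administrator's
  # network range (placeholder: <ADMIN_CIDR>) as for the public group.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # ICMP (ping) only from inside VPC2.
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["172.16.0.0/16"]
  }

  # Unrestricted egress; protocol "-1" means all protocols and ports.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "MyPrivateSecuGroup"
  }
}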
  

# ENI for MyWeb: fixed address 10.0.1.101 in VPC1's public subnet
# (10.0.1.0/24), guarded by MyPublicSecuGroup (same VPC).
resource "aws_network_interface" "MyWebPrivateAddress" {
  subnet_id       = aws_subnet.MyPublicSubnet.id
  private_ips     = ["10.0.1.101"]
  security_groups = [aws_security_group.MyPublicSecuGroup.id]

  tags = {
    Name = "MyWebPrivateAddress1"
  }
}

# ENI for MyWeb2: fixed address 10.0.2.101 in VPC1's private subnet
# (10.0.2.0/24), guarded by MyPublicSecuGroup (same VPC).
resource "aws_network_interface" "MyWebPrivateAddress2" {
  subnet_id       = aws_subnet.MyPrivateSubnet.id
  private_ips     = ["10.0.2.101"]
  security_groups = [aws_security_group.MyPublicSecuGroup.id]

  tags = {
    Name = "MyWebPrivateAddress2"
  }
}

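# ENI for MyWeb3. The fixed address 172.16.3.101 belongs to MyPublicSubnet2
# (172.16.3.0/24); the original attached it to MyPrivateSubnet2
# (172.16.4.0/24), where the address is outside the subnet's CIDR and the ENI
# cannot be created. This mirrors VPC1, where the first ENI is in the public
# subnet and the second in the private one.
resource "aws_network_interface" "MyWebPrivateAddress3" {
  subnet_id       = aws_subnet.MyPublicSubnet2.id
  private_ips     = ["172.16.3.101"]
  # NOTE(review): the security group must belong to MyVPC2 (same VPC as this
  # subnet); check MyPrivateSecuGroup's vpc_id.
  security_groups = [aws_security_group.MyPrivateSecuGroup.id]

  tags = {
    Name = "MyWebPrivateAddress3"
  }
}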

# ENI for MyWeb4: fixed address 172.16.4.101 in VPC2's private subnet
# (172.16.4.0/24).
# NOTE(review): the security group must belong to MyVPC2 (same VPC as this
# subnet); check MyPrivateSecuGroup's vpc_id.
resource "aws_network_interface" "MyWebPrivateAddress4" {
  subnet_id       = aws_subnet.MyPrivateSubnet2.id
  private_ips     = ["172.16.4.101"]
  security_groups = [aws_security_group.MyPrivateSecuGroup.id]

  tags = {
    Name = "MyWebPrivateAddress4"
  }
}

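# Web server 01 on the VPC1 public-subnet ENI (MyWebPrivateAddress,
# 10.0.1.101). Waits for the IGW so the bootstrap script can reach the
# yum repositories.
resource "aws_instance" "MyWeb" {
  depends_on    = [aws_internet_gateway.MyIGW]
  ami           = data.aws_ami.RecentAMI.id
  instance_type = "t3.micro"
  # SSH access is through the registered key pair only.
  key_name      = aws_key_pair.tf_keypair.key_name

  network_interface {
    network_interface_id = aws_network_interface.MyWebPrivateAddress.id
    device_index         = 0
  }

  # Bootstrap: patch, install Apache and serve a one-line index page.
  # The original script also set a fixed root password and switched sshd to
  # PasswordAuthentication yes / PermitRootLogin yes; with port 22 open to
  # 0.0.0.0/0 in MyPublicSecuGroup that leaves a guessable root login on the
  # internet, so those lines are dropped and key-based SSH remains the only path.
  user_data = <<-EOF
              #!/bin/bash
              yum update -y
              yum -y install httpd
              echo "<h1>Welcome to AWS WEB Server 01</h1>" > /var/www/html/index.html
              systemctl enable --now httpd
              EOF

  # A changed user_data recreates the instance instead of being ignored.
  user_data_replace_on_change = true

  tags = {
    Name = "MyWeb"
  }
}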

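# Web server 02 on the VPC1 private-subnet ENI (MyWebPrivateAddress2,
# 10.0.2.101). Waits for MyNAT because the private route table reaches the
# yum repositories only through it.
resource "aws_instance" "MyWeb2" {
  depends_on    = [aws_nat_gateway.MyNAT]
  ami           = data.aws_ami.RecentAMI.id
  instance_type = "t3.micro"
  # SSH access is through the registered key pair only.
  key_name      = aws_key_pair.tf_keypair.key_name

  network_interface {
    network_interface_id = aws_network_interface.MyWebPrivateAddress2.id
    device_index         = 0
  }

  # Bootstrap: patch, install Apache and serve a one-line index page.
  # The fixed root password and the sshd PasswordAuthentication/PermitRootLogin
  # changes of the original script are dropped: the security group admits
  # port 22 from 0.0.0.0/0, so a password-enabled root account would be a
  # guessable login; key-based SSH remains the only path.
  user_data = <<-EOF
              #!/bin/bash
              yum update -y
              yum -y install httpd
              echo "<h1>Welcome to AWS WEB Server 02</h1>" > /var/www/html/index.html
              systemctl enable --now httpd
              EOF

  # A changed user_data recreates the instance instead of being ignored.
  user_data_replace_on_change = true

  tags = {
    Name = "MyWeb2"
  }
}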

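# Web server 03 on the VPC2 ENI MyWebPrivateAddress3 (172.16.3.101); NLB
# target. It lives in VPC2, so its internet path for the bootstrap is MyIGW2
# (public subnet) or MyNAT2 (private subnet), never VPC1's MyNAT as the
# original declared.
resource "aws_instance" "MyWeb3" {
  depends_on    = [aws_internet_gateway.MyIGW2, aws_nat_gateway.MyNAT2]
  ami           = data.aws_ami.RecentAMI.id
  instance_type = "t3.micro"
  # SSH access is through the registered key pair only.
  key_name      = aws_key_pair.tf_keypair.key_name

  network_interface {
    network_interface_id = aws_network_interface.MyWebPrivateAddress3.id
    device_index         = 0
  }

  # Bootstrap: patch, install Apache and serve a one-line index page.
  # The fixed root password and the sshd PasswordAuthentication/PermitRootLogin
  # changes of the original script are dropped: the security group admits
  # port 22 from 0.0.0.0/0, so a password-enabled root account would be a
  # guessable login; key-based SSH remains the only path.
  user_data = <<-EOF
              #!/bin/bash
              yum update -y
              yum -y install httpd
              echo "<h1>Welcome to AWS WEB Server 03</h1>" > /var/www/html/index.html
              systemctl enable --now httpd
              EOF

  # A changed user_data recreates the instance instead of being ignored.
  user_data_replace_on_change = true

  tags = {
    Name = "MyWeb3"
  }
}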

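# Web server 04 on the VPC2 private-subnet ENI (MyWebPrivateAddress4,
# 172.16.4.101); NLB target. Its private route table reaches the internet
# through MyNAT2, so that is the gateway to wait for (the original waited
# for VPC1's MyNAT, which VPC2 traffic never uses).
resource "aws_instance" "MyWeb4" {
  depends_on    = [aws_nat_gateway.MyNAT2]
  ami           = data.aws_ami.RecentAMI.id
  instance_type = "t3.micro"
  # SSH access is through the registered key pair only.
  key_name      = aws_key_pair.tf_keypair.key_name

  network_interface {
    network_interface_id = aws_network_interface.MyWebPrivateAddress4.id
    device_index         = 0
  }

  # Bootstrap: patch, install Apache and serve a one-line index page.
  # The fixed root password and the sshd PasswordAuthentication/PermitRootLogin
  # changes of the original script are dropped: the security group admits
  # port 22 from 0.0.0.0/0, so a password-enabled root account would be a
  # guessable login; key-based SSH remains the only path.
  user_data = <<-EOF
              #!/bin/bash
              yum update -y
              yum -y install httpd
              echo "<h1>Welcome to AWS WEB Server 04</h1>" > /var/www/html/index.html
              systemctl enable --now httpd
              EOF

  # A changed user_data recreates the instance instead of being ignored.
  user_data_replace_on_change = true

  tags = {
    Name = "MyWeb4"
  }
}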

# TCP/80 target group in VPC2 for the NLB; MyWeb3 and MyWeb4 are registered
# via the tg_attach resources below. The explicit depends_on only orders
# creation after the instances; the attachments already reference them.
resource "aws_lb_target_group" "MyNLBtarget" {
  name = "MyNLBtarget"
  port = 80
  protocol = "TCP"
  target_type = "instance"
  vpc_id = aws_vpc.MyVPC2.id
  depends_on = [aws_instance.MyWeb3,aws_instance.MyWeb4]
}

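# Internet-facing NLB for the VPC2 web tier. An internet-facing load
# balancer needs subnets whose route table reaches an internet gateway, so it
# is placed in MyPublicSubnet2 (routed via MyIGW2); the original put it in
# MyPrivateSubnet2, which has no IGW route and so is unreachable from the
# internet. The redundant depends_on is dropped: the listener and attachments
# already tie the target group to this load balancer.
resource "aws_lb" "MyNLB" {
  name               = "MyNLB"
  internal           = false
  load_balancer_type = "network"
  subnets            = [aws_subnet.MyPublicSubnet2.id]

  tags = {
    Name = "MyNLB"
  }
}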

# Registers MyWeb3 on port 80 with the NLB target group.
resource "aws_lb_target_group_attachment" "tg_attach1" {
  target_group_arn = aws_lb_target_group.MyNLBtarget.arn
  target_id = aws_instance.MyWeb3.id
  port = 80
}

# Registers MyWeb4 on port 80 with the NLB target group.
resource "aws_lb_target_group_attachment" "tg_attach2" {
  target_group_arn = aws_lb_target_group.MyNLBtarget.arn
  target_id = aws_instance.MyWeb4.id
  port = 80
}

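# TCP/80 listener on MyNLB forwarding to the MyNLBtarget group.
# The explicit depends_on of the original duplicated the dependencies that
# the two .arn references already create, so it is removed.
resource "aws_lb_listener" "NLBlistener" {
  load_balancer_arn = aws_lb.MyNLB.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.MyNLBtarget.arn
  }
}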
보안 그룹과 NAT 게이트웨이는 VPC 간에 공유할 수 없다 (VPC마다 각각 따로 만들어야 함)
# AWS provider pinned to the Seoul region.
provider "aws" {
  region = "ap-northeast-2"
}

# -------------------------------
# VPC 1 (웹 서버, NLB 포함)
# -------------------------------
# VPC 1 (10.0.0.0/16) holding the web server and the NLB.
# DNS hostnames are left at the default (off) here.
resource "aws_vpc" "vpc1" {
  cidr_block = "10.0.0.0/16"
}

# Public subnet (10.0.1.0/24, AZ 2a): routed to igw1, hosts the NLB nodes.
resource "aws_subnet" "public_subnet_vpc1" {
  vpc_id                  = aws_vpc.vpc1.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
  availability_zone       = "ap-northeast-2a"
}

# Private subnet (10.0.2.0/24, AZ 2a) for the web server. No route table is
# associated, so it uses the VPC's main route table; nothing in this listing
# gives it a NAT path to the internet.
resource "aws_subnet" "private_subnet_vpc1" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "ap-northeast-2a"
}

# Internet gateway for vpc1; used by the public route table.
resource "aws_internet_gateway" "igw1" {
  vpc_id = aws_vpc.vpc1.id
}

# Public route table: default route to the internet gateway.
resource "aws_route_table" "public_rt_vpc1" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw1.id
  }
}

# Binds the public subnet to the IGW route table.
resource "aws_route_table_association" "public_assoc_vpc1" {
  subnet_id      = aws_subnet.public_subnet_vpc1.id
  route_table_id = aws_route_table.public_rt_vpc1.id
}

# -------------------------------
# 보안 그룹: HTTP 80 허용
# -------------------------------
# Web server security group: HTTP in from anywhere, everything out.
# The 0.0.0.0/0 source is what lets NLB-forwarded traffic in, since NLB
# instance targets see the original client address rather than the NLB's.
# No SSH rule: the instance is only reachable on port 80.
resource "aws_security_group" "web_sg" {
  name   = "web-sg"
  vpc_id = aws_vpc.vpc1.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Unrestricted egress; protocol "-1" means all protocols and ports.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# -------------------------------
# 프라이빗 인스턴스 (웹 서버)
# -------------------------------
# Private web server behind the NLB (no public IP, port 80 only).
# NOTE(review): the AMI id is hard-coded for one region; an aws_ami data
# source (as in the first listing) keeps it current. key_name is a
# placeholder that must exist in the account before apply.
# NOTE(review): private_subnet_vpc1 has no NAT route in this listing, so the
# `yum install` in user_data has no internet path unless the VPC's main
# route table provides one — confirm before relying on the bootstrap.
resource "aws_instance" "web_server" {
  ami                         = "ami-0c9c942bd7bf113a2" # Amazon Linux 2 (Seoul)
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.private_subnet_vpc1.id
  vpc_security_group_ids      = [aws_security_group.web_sg.id]
  associate_public_ip_address = false
  key_name                    = "your_key_name"

  # Bootstrap: install and start Apache serving a one-line page.
  user_data = <<-EOF
              #!/bin/bash
              yum install -y httpd
              echo "Hello from private web server!" > /var/www/html/index.html
              systemctl start httpd
              systemctl enable httpd
              EOF

  tags = {
    Name = "PrivateWebServer"
  }
}

# -------------------------------
# NLB & Target Group & Listener
# -------------------------------
# Internet-facing NLB in the public subnet (which has the IGW route), the
# only public entry point to the private web server.
resource "aws_lb" "nlb" {
  name               = "web-nlb"
  internal           = false
  load_balancer_type = "network"
  subnets            = [aws_subnet.public_subnet_vpc1.id]
}

# TCP/80 target group in vpc1; target_type is left at its default (instance).
resource "aws_lb_target_group" "tg" {
  name     = "web-target-group"
  port     = 80
  protocol = "TCP"
  vpc_id   = aws_vpc.vpc1.id
}

# Registers the private web server on port 80 with the target group.
resource "aws_lb_target_group_attachment" "tg_attachment" {
  target_group_arn = aws_lb_target_group.tg.arn
  target_id        = aws_instance.web_server.id
  port             = 80
}

# TCP/80 listener forwarding to the web target group.
resource "aws_lb_listener" "nlb_listener" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 80
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg.arn
  }
}

# -------------------------------
# VPC 2 (예시용 VPC)
# -------------------------------
# Second VPC (10.1.0.0/16), illustration only: nothing in this listing is
# placed in it. Its CIDR does not overlap vpc1, so peering would be possible.
resource "aws_vpc" "vpc2" {
  cidr_block = "10.1.0.0/16"
}
