[Pulumi]Create AWS Network:VPC, Subnet, Security Group


Pulumi AWS provider API: https://www.pulumi.com/registry/packages/aws/
GitHub: https://github.com/dewble/pulumi-aws-network/tree/v1.0.0

This post walks through building AWS network resources with Pulumi, an infrastructure-as-code (IaC) tool.

Part 1 creates the VPC, subnets and security groups; part 2 creates the NAT gateway, route tables, internet gateway (IGW) and VPC endpoints (VPCE).

The finished network layout is shown in the Architecture diagram below; adapt the values to your own environment as needed.

Architecture

💡 The default route table (jeff-route-default) was adjusted manually after deployment.

Create new pulumi project

Create a Pulumi project. This is the foundation for the network resources that will be deployed to AWS.

➜ pulumi new aws-python 
This command will walk you through creating a new Pulumi project.

Enter a value or leave blank to accept the (default), and press <ENTER>.
Press ^C at any time to quit.

project name (aws-network): aws-network
project description (A minimal AWS Python Pulumi program): Create AWS network with pulumi 
Created project 'aws-network'

Please enter your desired stack name.
To create a stack in an organization, use the format <org-name>/<stack-name> (e.g. `acmecorp/dev`).
stack name (dev): dev 
Created stack 'dev'

aws:region: The AWS region to deploy into (us-east-1): ap-northeast-2 
Saved config

Installing dependencies...

Creating virtual environment...
Finished creating virtual environment
Updating pip, setuptools, and wheel in virtual environment...
# ... (output omitted)
Successfully installed pip-24.0 setuptools-69.2.0 wheel-0.43.0
Finished updating
# ... (output omitted)

Your new project is ready to go! ✨

To perform an initial deployment, run `pulumi up`

This command walks you through creating a new Pulumi project: the project name and description, the stack name, and the AWS region to deploy into.

  • Project name and description: the project is named aws-network here.
  • Stack name: a stack is an independent instance of a project (for example dev, staging, prod). dev is used here.
  • AWS region: the region where resources will be created. This example uses the Seoul region, ap-northeast-2.

Create VPC

A VPC (Virtual Private Cloud) is an isolated network space inside the AWS cloud. This section creates the VPC with Pulumi.

The VPC creation logic lives in vpc.py; this file defines the VPC resource for the Pulumi project.

vpc.py:

from pulumi_aws import ec2

def create_vpc(resource_name, cidr_block, tags):
    """Create a VPC named `resource_name` with DNS support enabled."""
    # Use an empty dict when tags is None so the Name tag can always be added
    tags_with_name = (tags or {}).copy()
    tags_with_name["Name"] = resource_name

    vpc = ec2.Vpc(
        resource_name=resource_name,
        cidr_block=cidr_block,
        enable_dns_hostnames=True,
        enable_dns_support=True,
        instance_tenancy="default",
        tags=tags_with_name,
    )
    return vpc

Pulumi.dev.yaml:

The project's configuration values are managed in Pulumi.dev.yaml: the AWS region, the tags and the VPC CIDR block. Config keys are namespaced (namespace:key). pulumi.Config() called without an argument uses the project name, aws-network, as the namespace, so every key read by main.py must carry the aws-network: prefix; a key under a different prefix makes config.require("vpc_cidr_block") fail with a missing-configuration error.

config:
  aws:region: ap-northeast-2
  # key format: namespace:configKey; bare keys read through pulumi.Config()
  # are looked up under the project name (aws-network)
  # tags
  aws-network:tags:
    Project: "jeff"
    Service: "network"
    Stage: "dev"
  # vpc
  aws-network:vpc_cidr_block: "10.0.0.0/16"

main.py:

main.py is the entry point of the Pulumi program. It calls the create_vpc function from vpc.py to create the VPC.

"""An AWS Python Pulumi program"""

import pulumi
from vpc import create_vpc

######## Read configuration values through the Pulumi config system ########
config = pulumi.Config()
# tags
tags = config.require_object("tags")
## the Project tag is used as the prefix for every resource name
project = tags["Project"]
# vpc
vpc_cidr_block = config.require("vpc_cidr_block")

######## Create VPC ########
vpc = create_vpc(f"{project}-vpc", vpc_cidr_block, tags)

######## Export outputs ########
# vpc
pulumi.export("vpc_id", vpc.id)

pulumi.Config() reads the required values from the stack configuration file. The ID of the VPC that is created is exported with pulumi.export so that later steps (and other stacks) can reference it.

pulumi up:

With everything in place, run pulumi up in the terminal to deploy the VPC to AWS. Pulumi computes the changes to the infrastructure, shows a preview, and creates the VPC only after you approve the update.

➜ pulumi up
Previewing update (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/dewble/aws-network/dev/previews/9e15f30b-9cdd-435e-b4c0-0ab0cf1391e5>

     Type                 Name             Plan       
 +   pulumi:pulumi:Stack  aws-network-dev  create     
 +   └─ aws:ec2:Vpc       jeff-vpc         create     

Outputs:
    vpc_id: output

Resources:
    + 2 to create

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/dewble/aws-network/dev/updates/1>

     Type                 Name             Status            
 +   pulumi:pulumi:Stack  aws-network-dev  created (14s)     
 +   └─ aws:ec2:Vpc       jeff-vpc         created (11s)     

Outputs:
    vpc_id: "vpc-06440e0fb854f5e7c"

Resources:
    + 2 created

Duration: 16s

❗ The role of each file (resource module, Pulumi.dev.yaml, main.py) is the same as in the VPC step and is not explained again for the remaining resources.

Create Subnet

A subnet divides the VPC's IP address range into smaller ranges, so the network can be segmented and managed in finer units (for example, public versus isolated tiers).

subnet.py:

from pulumi_aws import ec2, get_availability_zones


def create_subnet(
    resource_name,
    cidr_block,
    vpc_id,
    availability_zone_index,
    map_public_ip_on_launch,
    tags,
):
    """Create a subnet in the availability zone at `availability_zone_index`."""
    # Use an empty dict when tags is None so the Name tag can always be added
    tags_with_name = (tags or {}).copy()
    tags_with_name["Name"] = resource_name

    # Zone names are returned sorted (ap-northeast-2a, 2b, 2c, 2d in Seoul),
    # so the index selects a zone by position; only zones currently in the
    # "available" state are listed.
    azs = get_availability_zones(state="available")
    subnet = ec2.Subnet(
        resource_name,
        cidr_block=cidr_block,
        vpc_id=vpc_id,
        availability_zone=azs.names[availability_zone_index],
        # True only for public subnets: instances launched there get a public IP
        map_public_ip_on_launch=map_public_ip_on_launch,
        tags=tags_with_name,
    )
    return subnet

Each subnet references the VPC ID and specifies its own CIDR block and availability zone; tags identify the subnet. The zone is chosen by its index in the sorted list returned by get_availability_zones, so in this region index 0 is ap-northeast-2a and index 2 is ap-northeast-2c, matching the -a and -c suffixes in the subnet names. map_public_ip_on_launch is set to True only for the public subnets; instances launched there receive a public IP automatically, so keep it False for every subnet that must not be reachable from the internet.

Pulumi.dev.yaml:

config:
  aws:region: ap-northeast-2
  # key format: namespace:configKey

# ... (unchanged keys omitted)
  # subnets
  aws-network:subnet_app_cidr_blocks:
    - "10.0.8.0/24"
    - "10.0.9.0/24"
  aws-network:subnet_db_cidr_blocks:
    - "10.0.16.0/24"
    - "10.0.17.0/24"
  aws-network:subnet_public_ingress_cidr_blocks:
    - "10.0.24.0/24"
    - "10.0.25.0/24"
  aws-network:subnet_private_egress_cidr_blocks:
    - "10.0.32.0/24"
    - "10.0.33.0/24"
  aws-network:subnet_public_management_cidr_blocks:
    - "10.0.240.0/24"
    - "10.0.241.0/24"

main.py:

# ... (earlier lines unchanged)
from subnet import create_subnet

######## Read configuration values through the Pulumi config system ########
config = pulumi.Config()
# tags
tags = config.require_object("tags")
## the Project tag is used as the prefix for every resource name
project = tags["Project"]
# vpc
vpc_cidr_block = config.require("vpc_cidr_block")
# subnets: each key holds a list of two CIDR blocks, one per AZ
subnet_app_cidr_blocks = config.require_object("subnet_app_cidr_blocks")
subnet_db_cidr_blocks = config.require_object("subnet_db_cidr_blocks")
subnet_public_ingress_cidr_blocks = config.require_object(
    "subnet_public_ingress_cidr_blocks"
)
subnet_public_management_cidr_blocks = config.require_object(
    "subnet_public_management_cidr_blocks"
)
subnet_private_egress_cidr_blocks = config.require_object(
    "subnet_private_egress_cidr_blocks"
)

######## Create Subnets ########
# Create Subnets: app
subnet_private_app_a = create_subnet(
    f"{project}-subnet-private-app-a",
    subnet_app_cidr_blocks[0],
    vpc.id,
    0,  # AZ index
    False,  # map_public_ip_on_launch
    {**tags, "Type": "Isolated"},
)
subnet_private_app_c = create_subnet(
    f"{project}-subnet-private-app-c",
    subnet_app_cidr_blocks[1],
    vpc.id,
    2,  # AZ index
    False,  # map_public_ip_on_launch
    {**tags, "Type": "Isolated"},
)

# Create Subnets: db
subnet_private_db_a = create_subnet(
    f"{project}-subnet-private-db-a",
    subnet_db_cidr_blocks[0],
    vpc.id,
    0,  # AZ index
    False,  # map_public_ip_on_launch
    {**tags, "Type": "Isolated"},
)
subnet_private_db_c = create_subnet(
    f"{project}-subnet-private-db-c",
    subnet_db_cidr_blocks[1],
    vpc.id,
    2,  # AZ index
    False,  # map_public_ip_on_launch
    {**tags, "Type": "Isolated"},
)

# Create Subnets: public ingress
subnet_public_ingress_a = create_subnet(
    f"{project}-subnet-public-ingress-a",
    subnet_public_ingress_cidr_blocks[0],
    vpc.id,
    0,  # AZ index
    True,  # map_public_ip_on_launch
    {**tags, "Type": "Public"},
)
subnet_public_ingress_c = create_subnet(
    f"{project}-subnet-public-ingress-c",
    subnet_public_ingress_cidr_blocks[1],
    vpc.id,
    2,  # AZ index
    True,  # map_public_ip_on_launch
    {**tags, "Type": "Public"},
)

# Create Subnets: public management
subnet_public_management_a = create_subnet(
    f"{project}-subnet-public-management-a",
    subnet_public_management_cidr_blocks[0],
    vpc.id,
    0,  # AZ index
    True,  # map_public_ip_on_launch
    {**tags, "Type": "Public"},
)
subnet_public_management_c = create_subnet(
    f"{project}-subnet-public-management-c",
    subnet_public_management_cidr_blocks[1],
    vpc.id,
    2,  # AZ index
    True,  # map_public_ip_on_launch
    {**tags, "Type": "Public"},
)

# Create Subnets: private egress
subnet_private_egress_a = create_subnet(
    f"{project}-subnet-private-egress-a",
    subnet_private_egress_cidr_blocks[0],
    vpc.id,
    0,  # AZ index
    False,  # map_public_ip_on_launch
    {**tags, "Type": "Isolated"},
)
subnet_private_egress_c = create_subnet(
    f"{project}-subnet-private-egress-c",
    subnet_private_egress_cidr_blocks[1],
    vpc.id,
    2,  # AZ index
    False,  # map_public_ip_on_launch
    {**tags, "Type": "Isolated"},
)

######## Export outputs ########
# vpc
pulumi.export("vpc_id", vpc.id)
# subnets
pulumi.export("subnet_private_app_a_id", subnet_private_app_a.id)
pulumi.export("subnet_private_app_c_id", subnet_private_app_c.id)
pulumi.export("subnet_private_db_a_id", subnet_private_db_a.id)
pulumi.export("subnet_private_db_c_id", subnet_private_db_c.id)
pulumi.export("subnet_public_ingress_a_id", subnet_public_ingress_a.id)
pulumi.export("subnet_public_ingress_c_id", subnet_public_ingress_c.id)
pulumi.export("subnet_public_management_a_id", subnet_public_management_a.id)
pulumi.export("subnet_public_management_c_id", subnet_public_management_c.id)
pulumi.export("subnet_private_egress_a_id", subnet_private_egress_a.id)
pulumi.export("subnet_private_egress_c_id", subnet_private_egress_c.id)

pulumi up:

➜ pulumi up
Previewing update (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/dewble/aws-network/dev/previews/425f93de-de14-4632-8c34-9afe9d14d88b>

     Type                 Name                             Plan       
     pulumi:pulumi:Stack  aws-network-dev                             
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-app-c        create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-db-c         create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-ingress-c     create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-management-c  create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-egress-a     create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-app-a        create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-management-a  create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-db-a         create     
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-ingress-a     create     
 +   └─ aws:ec2:Subnet    jeff-subnet-private-egress-c     create     

Outputs:
  + subnet_private_app_a_id      : output
  + subnet_private_app_c_id      : output
  + subnet_private_db_a_id       : output
  + subnet_private_db_c_id       : output
  + subnet_private_egress_a_id   : output
  + subnet_private_egress_c_id   : output
  + subnet_public_ingress_a_id   : output
  + subnet_public_ingress_c_id   : output
  + subnet_public_management_a_id: output
  + subnet_public_management_c_id: output

Resources:
    + 10 to create
    2 unchanged

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/dewble/aws-network/dev/updates/2>

     Type                 Name                             Status              
     pulumi:pulumi:Stack  aws-network-dev                                      
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-management-a  created (13s)       
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-app-a        created (0.94s)     
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-db-c         created (1s)        
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-egress-c     created (2s)        
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-management-c  created (12s)       
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-egress-a     created (2s)        
 +   ├─ aws:ec2:Subnet    jeff-subnet-public-ingress-c     created (13s)       
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-app-c        created (1s)        
 +   ├─ aws:ec2:Subnet    jeff-subnet-private-db-a         created (1s)        
 +   └─ aws:ec2:Subnet    jeff-subnet-public-ingress-a     created (11s)       

Outputs:
  + subnet_private_app_a_id      : "subnet-0408be5378856a5a1"
  + subnet_private_app_c_id      : "subnet-028befbbf23656471"
  + subnet_private_db_a_id       : "subnet-0d776212b9ce9dd8c"
  + subnet_private_db_c_id       : "subnet-019fc6b0a78e0f050"
  + subnet_private_egress_a_id   : "subnet-0b8bc53490b62e51e"
  + subnet_private_egress_c_id   : "subnet-000bbc63eeb970e24"
  + subnet_public_ingress_a_id   : "subnet-04d4637f4b6127961"
  + subnet_public_ingress_c_id   : "subnet-0f21617a4fd1c7e69"
  + subnet_public_management_a_id: "subnet-00fef85651d7ac059"
  + subnet_public_management_c_id: "subnet-0591fb3ad29233ef0"
    vpc_id                       : "vpc-06440e0fb854f5e7c"

Resources:
    + 10 created
    2 unchanged

Duration: 19s

Create Security Group

A security group acts as a virtual firewall that controls inbound and outbound traffic for the resources it is attached to. Security groups are stateful (return traffic for an allowed connection is permitted automatically), and a rule may name another security group as its source instead of a CIDR block, which is how the tier-to-tier permissions below are expressed.

security_group.py:

from pulumi_aws import ec2


def create_security_group(
    resource_name,
    vpc_id,
    ingress=None,
    egress=None,
    description=None,
    tags=None,
    opts=None,
):
    """Create a security group with optional inline ingress/egress rules."""
    # Use an empty dict when tags is None so the Name tag can always be added
    tags_with_name = (tags or {}).copy()
    tags_with_name["Name"] = resource_name

    # Inline rules are managed together with the group. The provider warns when
    # inline rules are combined with separate SecurityGroupRule resources on the
    # same group, because the two can overwrite each other.
    security_group = ec2.SecurityGroup(
        resource_name,
        vpc_id=vpc_id,
        description=description,
        ingress=ingress or [],  # None -> no inline ingress rules
        egress=egress or [],  # None -> no inline egress rules
        tags=tags_with_name,
        opts=opts,  # pass caller-supplied resource options through
    )

    return security_group


# Ingress rule between two security groups (source is a group, not a CIDR)
def create_security_group_rule(
    resource_name,
    security_group_id,
    source_security_group_id,
    description,
    from_port,
    to_port,
    protocol,
    type,
    opts=None,
):
    """Create a standalone rule on `security_group_id` that allows traffic
    from members of `source_security_group_id`."""
    security_group_rule = ec2.SecurityGroupRule(
        resource_name,
        description=description,
        from_port=from_port,
        to_port=to_port,
        protocol=protocol,
        security_group_id=security_group_id,
        source_security_group_id=source_security_group_id,
        type=type,  # "ingress" or "egress"
        opts=opts,  # pass caller-supplied resource options through
    )

    return security_group_rule

When creating a security group you define which traffic it allows, for example which ports accept inbound connections. In this design only the ingress group accepts traffic from the internet (ports 80 and 443 over IPv4 and IPv6); no other group has an inline ingress rule, and the tier-to-tier permissions are added as separate ec2.SecurityGroupRule resources that reference the source security group rather than a CIDR block. Every group keeps an allow-all egress rule. One caveat: the provider warns (see the pulumi up output further below) that inline ingress/egress rules and standalone SecurityGroupRule resources should not be mixed on the same group, because the inline rule set and the standalone rules can overwrite each other on later updates. The deployment here succeeds because the inline rules only cover the public ingress and egress entries while the standalone rules only add group-to-group ingress, but a cleaner design keeps each group's rules in a single style (for example standalone rule resources only).

Pulumi.dev.yaml:

config:
  aws:region: ap-northeast-2
  # key format: namespace:configKey

# ... (unchanged keys omitted)
  # security group
  aws-network:security_group_ingress:
    description: "Security group for ingress"
    ingress:
      - protocol: "tcp"
        from_port: 80
        to_port: 80
        cidr_blocks: ["0.0.0.0/0"]
        description: "from 0.0.0.0/0:80"
      - protocol: "tcp"
        from_port: 443
        to_port: 443
        cidr_blocks: ["0.0.0.0/0"]
        description: "from 0.0.0.0/0:443"
      - protocol: "tcp"
        from_port: 80
        to_port: 80
        ipv6_cidr_blocks: ["::/0"]
        description: "from ::/0:80"
      - protocol: "tcp"
        from_port: 443
        to_port: 443
        ipv6_cidr_blocks: ["::/0"]
        description: "from ::/0:443"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

  aws-network:security_group_management:
    description: "Security Group of management server"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

  aws-network:security_group_backend:
    description: "Security Group of backend app"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

  aws-network:security_group_frontend:
    description: "Security Group of frontend app"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

  aws-network:security_group_internal_lb:
    description: "Security group for internal load balancer"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

  aws-network:security_group_db:
    description: "Security Group of database"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

  aws-network:security_group_vpce:
    description: "Security Group of VPC Endpoint"
    egress:
      - protocol: "-1"
        from_port: 0
        to_port: 0
        cidr_blocks: ["0.0.0.0/0"]
        description: "Allow all outbound traffic by default"

main.py:

# ... (earlier lines unchanged)
from security_group import create_security_group, create_security_group_rule

######## Create Security Groups ########
# Each config object holds the description plus the inline ingress/egress lists
# and is unpacked straight into create_security_group's keyword arguments
security_group_ingress = create_security_group(
    resource_name=f"{project}-security-group-ingress",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_ingress"),
)

security_group_db = create_security_group(
    resource_name=f"{project}-security-group-db",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_db"),
)

security_group_management = create_security_group(
    resource_name=f"{project}-security-group-management",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_management"),
)

security_group_frontend = create_security_group(
    resource_name=f"{project}-security-group-frontend",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_frontend"),
)

security_group_backend = create_security_group(
    resource_name=f"{project}-security-group-backend",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_backend"),
)

security_group_internal_lb = create_security_group(
    resource_name=f"{project}-security-group-internal-lb",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_internal_lb"),
)

security_group_vpce = create_security_group(
    resource_name=f"{project}-security-group-vpce",
    vpc_id=vpc.id,
    tags=tags,
    **config.require_object("security_group_vpce"),
)

# Create Security Group Rules: ingress permitted between security groups
sg_frontend_from_sg_ingress_rule = create_security_group_rule(
    resource_name=f"{project}-sg-frontend-from-sg-ingress",
    security_group_id=security_group_frontend.id,
    source_security_group_id=security_group_ingress.id,
    description="HTTP for Ingress",
    from_port=80,
    to_port=80,
    protocol="tcp",
    type="ingress",
)

sg_internal_lb_from_sg_front_rule = create_security_group_rule(
    resource_name=f"{project}-sg-internal-lb-from-sg-front",
    security_group_id=security_group_internal_lb.id,
    source_security_group_id=security_group_frontend.id,
    description="HTTP for front container",
    from_port=80,
    to_port=80,
    protocol="tcp",
    type="ingress",
)

sg_backend_from_sg_internal_lb_rule = create_security_group_rule(
    resource_name=f"{project}-sg-backend-from-sg-internal_lb",
    security_group_id=security_group_backend.id,
    source_security_group_id=security_group_internal_lb.id,
    description="HTTP for internal lb",
    from_port=80,
    to_port=80,
    protocol="tcp",
    type="ingress",
)

sg_db_from_sg_backend_rule = create_security_group_rule(
    resource_name=f"{project}-sg-db-from-sg-backend",
    security_group_id=security_group_db.id,
    source_security_group_id=security_group_backend.id,
    description="MySQL protocol from backend App",
    from_port=3306,
    to_port=3306,
    protocol="tcp",
    type="ingress",
)

sg_db_from_sg_frontend_rule = create_security_group_rule(
    resource_name=f"{project}-sg-db-from-sg-frontend",
    security_group_id=security_group_db.id,
    source_security_group_id=security_group_frontend.id,
    description="MySQL protocol from frontend App",
    from_port=3306,
    to_port=3306,
    protocol="tcp",
    type="ingress",
)

sg_db_from_sg_management_rule = create_security_group_rule(
    resource_name=f"{project}-sg-db-from-sg-management",
    security_group_id=security_group_db.id,
    source_security_group_id=security_group_management.id,
    description="MySQL protocol from management server",
    from_port=3306,
    to_port=3306,
    protocol="tcp",
    type="ingress",
)

sg_internal_lb_from_sg_management_rule = create_security_group_rule(
    resource_name=f"{project}-sg-internal-lb-from-sg-management",
    security_group_id=security_group_internal_lb.id,
    source_security_group_id=security_group_management.id,
    description="HTTP for management server",
    from_port=80,
    to_port=80,
    protocol="tcp",
    type="ingress",
)

sg_vpce_from_sg_backend_rule = create_security_group_rule(
    resource_name=f"{project}-sg-vpce-from-sg-backend",
    security_group_id=security_group_vpce.id,
    source_security_group_id=security_group_backend.id,
    description="HTTPS for backend App",
    from_port=443,
    to_port=443,
    protocol="tcp",
    type="ingress",
)

sg_vpce_from_sg_frontend_rule = create_security_group_rule(
    resource_name=f"{project}-sg-vpce-from-sg-frontend",
    security_group_id=security_group_vpce.id,
    source_security_group_id=security_group_frontend.id,
    description="HTTPS for frontend App",
    from_port=443,
    to_port=443,
    protocol="tcp",
    type="ingress",
)

sg_vpce_from_sg_management_rule = create_security_group_rule(
    resource_name=f"{project}-sg-vpce-from-sg-management",
    security_group_id=security_group_vpce.id,
    source_security_group_id=security_group_management.id,
    description="HTTPS for management server",
    from_port=443,
    to_port=443,
    protocol="tcp",
    type="ingress",
)

######## Export outputs ########
# ... (vpc, subnet and security group exports unchanged)
# security group rules
pulumi.export("sg_frontend_from_sg_ingress_rule_id", sg_frontend_from_sg_ingress_rule.id)
pulumi.export(
    "sg_internal_lb_from_sg_front_rule_id", sg_internal_lb_from_sg_front_rule.id
)
pulumi.export(
    "sg_backend_from_sg_internal_lb_rule_id", sg_backend_from_sg_internal_lb_rule.id
)
pulumi.export("sg_db_from_sg_backend_rule_id", sg_db_from_sg_backend_rule.id)
pulumi.export("sg_db_from_sg_frontend_rule_id", sg_db_from_sg_frontend_rule.id)
pulumi.export("sg_db_from_sg_management_rule_id", sg_db_from_sg_management_rule.id)
pulumi.export(
    "sg_internal_lb_from_sg_management_rule_id", sg_internal_lb_from_sg_management_rule.id
)
pulumi.export("sg_vpce_from_sg_backend_rule_id", sg_vpce_from_sg_backend_rule.id)
pulumi.export("sg_vpce_from_sg_frontend_rule_id", sg_vpce_from_sg_frontend_rule.id)
pulumi.export(
    "sg_vpce_from_sg_management_rule_id", sg_vpce_from_sg_management_rule.id
)
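
Reading ten rule resources by eye is error-prone, so the next block is an added example (not part of the post or its repository) that checks the design above as data: it flags any inline rule that opens a port to 0.0.0.0/0 or ::/0 on a group other than the edge group, and walks the security-group references to list every path from the ingress group to the database group. The rule tables are transcribed from Pulumi.dev.yaml and main.py above; the policy that only the ingress group may face the internet, and only on 80 and 443, is the example's assumption, not the post's. On this design the walk returns two paths, ingress -> frontend -> internal_lb -> backend -> db and the shorter ingress -> frontend -> db that sg_db_from_sg_frontend_rule permits, which is the kind of shortcut a review should confirm is intended.

```python
"""Policy check over the security-group design above (added example)."""
from collections import defaultdict

PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}

# Inline ingress rules transcribed from the Pulumi.dev.yaml above (egress is
# allow-all on every group and is not needed for this check)
INLINE_INGRESS = {
    "ingress": [
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 80, "to_port": 80, "ipv6_cidr_blocks": ["::/0"]},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "ipv6_cidr_blocks": ["::/0"]},
    ],
    "management": [], "frontend": [], "backend": [],
    "internal_lb": [], "db": [], "vpce": [],
}

# Group-to-group rules transcribed from main.py above: (target, source, port)
SG_RULES = [
    ("frontend", "ingress", 80),
    ("internal_lb", "frontend", 80),
    ("backend", "internal_lb", 80),
    ("db", "backend", 3306),
    ("db", "frontend", 3306),
    ("db", "management", 3306),
    ("internal_lb", "management", 80),
    ("vpce", "backend", 443),
    ("vpce", "frontend", 443),
    ("vpce", "management", 443),
]

EDGE_GROUPS = {"ingress"}  # assumption: only this group may face the internet
EDGE_PORTS = {80, 443}     # assumption: and only on these ports


def rule_ports(rule):
    """Ports a rule opens as a set; None means every port (protocol -1)."""
    if str(rule["protocol"]) == "-1":
        return None
    return set(range(rule["from_port"], rule["to_port"] + 1))


def find_public_ingress(inline, edge_groups=EDGE_GROUPS, edge_ports=EDGE_PORTS):
    """Flag inline ingress rules whose source is 0.0.0.0/0 or ::/0, unless the
    group is an edge group and the rule stays within the allowed edge ports."""
    findings = []
    for group, rules in inline.items():
        for rule in rules:
            sources = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if not sources & PUBLIC_SOURCES:
                continue
            ports = rule_ports(rule)
            span = f"{rule['protocol']}/{rule['from_port']}-{rule['to_port']}"
            if group not in edge_groups:
                findings.append(f"{group}: public ingress {span} on a non-edge group")
            elif ports is None or not ports <= edge_ports:
                findings.append(f"{group}: public ingress {span} beyond the edge ports")
    return findings


def reference_graph(sg_rules):
    """source group -> set of (target group, port) its members may connect to."""
    graph = defaultdict(set)
    for target, source, port in sg_rules:
        graph[source].add((target, port))
    return graph


def paths_to(sg_rules, start, goal):
    """All simple paths from `start` to `goal` along security-group references,
    each as a list of (group, port) hops. A path means the rules permit the
    connections, not that a process actually listens on those ports."""
    graph = reference_graph(sg_rules)
    found = []

    def walk(node, path, seen):
        for nxt, port in sorted(graph[node]):
            if nxt in seen:
                continue
            hop = path + [(nxt, port)]
            if nxt == goal:
                found.append(hop)
            else:
                walk(nxt, hop, seen | {nxt})

    walk(start, [], {start})
    return found


def direct_sources(sg_rules, target):
    """Groups whose members a rule lets connect straight to `target`."""
    return sorted({src for tgt, src, _ in sg_rules if tgt == target})


if __name__ == "__main__":
    for finding in find_public_ingress(INLINE_INGRESS):
        print("FINDING:", finding)
    for path in paths_to(SG_RULES, "ingress", "db"):
        print("ingress ->", " -> ".join(f"{g}:{p}" for g, p in path))
    print("db accepts from:", direct_sources(SG_RULES, "db"))
```

The same tables can be regenerated from `pulumi stack export` once the stack exists, so the check can run against what is actually deployed rather than against the source alone.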

pulumi up:

➜ pulumi up                                     
Previewing update (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/dewble/aws-network/dev/previews/03e5aa74-640c-4047-8586-0b4a77e5cc25>

     Type                          Name                                    Plan       Info
     pulumi:pulumi:Stack           aws-network-dev                                    
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-management          create     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-frontend            create     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-internal-lb         create     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-ingress             create     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-backend             create     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-db                  create     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-vpce                create     1 warning
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-db-from-sg-frontend             create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-internal-lb-from-sg-management  create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-db-from-sg-backend              create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-vpce-from-sg-management         create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-frontend-from-sg-ingress        create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-db-from-sg-management           create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-backend-from-sg-internal_lb     create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-internal-lb-from-sg-front       create     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-vpce-from-sg-frontend           create     
 +   └─ aws:ec2:SecurityGroupRule  jeff-sg-vpce-from-sg-backend            create     

Diagnostics:
  aws:ec2:SecurityGroup (jeff-security-group-ingress):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-vpce):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-internal-lb):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-db):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-backend):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-frontend):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-management):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

Outputs:
  + security_group_backend_id                : output
  + security_group_db_id                     : output
  + security_group_frontend_id               : output
  + security_group_ingress_id                : output
  + security_group_internal_lb_id            : output
  + security_group_management_id             : output
  + security_group_vpce_id                   : output
  + sg_backend_from_sg_internal_lb_rule_id   : output
  + sg_db_from_sg_backend_rule_id            : output
  + sg_db_from_sg_frontend_rule_id           : output
  + sg_db_from_sg_management_rule_id         : output
  + sg_frontend_from_sg_ingress_rule_id      : output
  + sg_internal_lb_from_sg_front_rule_id     : output
  + sg_internal_lb_from_sg_management_rule_id: output
  + sg_vpce_from_sg_backend_rule_id          : output
  + sg_vpce_from_sg_frontend_rule_id         : output
  + sg_vpce_from_sg_management_rule_id       : output

Resources:
    + 17 to create
    12 unchanged

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): <https://app.pulumi.com/dewble/aws-network/dev/updates/3>

     Type                          Name                                    Status           Info
     pulumi:pulumi:Stack           aws-network-dev                                          
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-frontend            created (2s)     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-backend             created (3s)     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-internal-lb         created (2s)     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-management          created (3s)     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-db                  created (2s)     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-ingress             created (2s)     1 warning
 +   ├─ aws:ec2:SecurityGroup      jeff-security-group-vpce                created (2s)     1 warning
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-db-from-sg-frontend             created (1s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-frontend-from-sg-ingress        created (1s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-vpce-from-sg-frontend           created (1s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-internal-lb-from-sg-front       created (2s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-db-from-sg-backend              created (1s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-backend-from-sg-internal_lb     created (2s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-vpce-from-sg-backend            created (2s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-vpce-from-sg-management         created (2s)     
 +   ├─ aws:ec2:SecurityGroupRule  jeff-sg-internal-lb-from-sg-management  created (2s)     
 +   └─ aws:ec2:SecurityGroupRule  jeff-sg-db-from-sg-management           created (2s)     

Diagnostics:
  aws:ec2:SecurityGroup (jeff-security-group-ingress):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-vpce):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-backend):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-internal-lb):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-frontend):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-management):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

  aws:ec2:SecurityGroup (jeff-security-group-db):
    warning: Use of inline rules is discouraged as they cannot be used in conjunction with any Security Group Rule resources. Doing so will cause a conflict and may overwrite rules.

Outputs:
  + security_group_backend_id                : "sg-0e3b22fb545044914"
  + security_group_db_id                     : "sg-0edb2ccafcb86fb04"
  + security_group_frontend_id               : "sg-001c2820a31f81e13"
  + security_group_ingress_id                : "sg-0a50918e2ebb3f4af"
  + security_group_internal_lb_id            : "sg-0eed1ac2fd04e9843"
  + security_group_management_id             : "sg-066adfe4e7a1e02b5"
  + security_group_vpce_id                   : "sg-0080f09c3715a8279"
  + sg_backend_from_sg_internal_lb_rule_id   : "sgrule-2629722229"
  + sg_db_from_sg_backend_rule_id            : "sgrule-196001820"
  + sg_db_from_sg_frontend_rule_id           : "sgrule-1102388768"
  + sg_db_from_sg_management_rule_id         : "sgrule-2502730656"
  + sg_frontend_from_sg_ingress_rule_id      : "sgrule-4234715315"
  + sg_internal_lb_from_sg_front_rule_id     : "sgrule-270241600"
  + sg_internal_lb_from_sg_management_rule_id: "sgrule-3296867008"
  + sg_vpce_from_sg_backend_rule_id          : "sgrule-2422481157"
  + sg_vpce_from_sg_frontend_rule_id         : "sgrule-3665821497"
  + sg_vpce_from_sg_management_rule_id       : "sgrule-249971385"
    subnet_private_app_a_id                  : "subnet-0408be5378856a5a1"
    subnet_private_app_c_id                  : "subnet-028befbbf23656471"
    subnet_private_db_a_id                   : "subnet-0d776212b9ce9dd8c"
    subnet_private_db_c_id                   : "subnet-019fc6b0a78e0f050"
    subnet_private_egress_a_id               : "subnet-0b8bc53490b62e51e"
    subnet_private_egress_c_id               : "subnet-000bbc63eeb970e24"
    subnet_public_ingress_a_id               : "subnet-04d4637f4b6127961"
    subnet_public_ingress_c_id               : "subnet-0f21617a4fd1c7e69"
    subnet_public_management_a_id            : "subnet-00fef85651d7ac059"
    subnet_public_management_c_id            : "subnet-0591fb3ad29233ef0"
    vpc_id                                   : "vpc-06440e0fb854f5e7c"

Resources:
    + 17 created
    12 unchanged

Duration: 14s

Other posts in the 'IaC > Pulumi' category:

[Pulumi]Create AWS Network: NAT, RouteTable, IGW, VPCE  2024.04.07
[Pulumi]Quick Start with AWS  2024.04.06