如何用Terraform配置AWS上的跨域VPC

Question

我正在尝试创建一个terraform配置，以在不同的区域旋转多个VPC，并在它们之间创建VPC对等连接。

这是我的VPC模块

# Required Variables

variable "region" {}
variable "cluster_name" {}
variable "region_name" {}
variable "nb_nodes" {}
variable "vpc_cidr" {}

# Default Variables

variable "instance_type" {
    default = "t2.nano"
}

variable "public_key_path" {
    default = "id_rsa.pub"
}

variable "private_key_path" {
    default = "id_rsa"
}

variable "ami-username" {
    default = "ubuntu"
}

variable "ami" {
    type = "map"

    default = {
        us-east-1 = "ami-0f9cf087c1f27d9b1"
        us-east-2 = "ami-0653e888ec96eab9b"
    }
}

variable "availability_zone" {
    type = "map"

    default = {
        us-east-1 = "us-east-1a"
        us-east-2 = "us-east-2a"
    }
}

provider "aws" {
    region = "${var.region}"
}

# Network Resources

resource "aws_vpc" "vpc" {
    cidr_block = "${var.vpc_cidr}"
    enable_dns_hostnames = true

    tags {
        Name = "${var.cluster_name}-${var.region_name}-vpc"
    }
}

resource "aws_subnet" "subnet" {
    vpc_id = "${aws_vpc.vpc.id}"
    cidr_block = "${var.vpc_cidr}"
    availability_zone = "${lookup(var.availability_zone, var.region)}"

    tags {
        Name = "${var.cluster_name}-${var.region_name}-subnet"
    }
}

resource "aws_security_group" "sg" {
    name = "vpc_test"
    description = "Allow all"

    ingress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }

    egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }

    vpc_id="${aws_vpc.vpc.id}"

    tags {
        Name = "${var.cluster_name}-${var.region_name}-security-group"
    }
}

resource "aws_internet_gateway" "gw" {
    vpc_id = "${aws_vpc.vpc.id}"

    tags {
        Name = "${var.cluster_name}-${var.region_name}-gateway"
    }
}

resource "aws_route_table" "public-rt" {
    vpc_id = "${aws_vpc.vpc.id}"

    route {
        cidr_block = "0.0.0.0/0"
        gateway_id = "${aws_internet_gateway.gw.id}"
    }

    tags {
        Name = "${var.cluster_name}-${var.region_name}-subnet-rt"
    }
}

resource "aws_route_table_association" "public-rt" {
    subnet_id = "${aws_subnet.subnet.id}"
    route_table_id = "${aws_route_table.public-rt.id}"
}


# Instance Resources

resource "aws_key_pair" "kp" {
    key_name = "${var.cluster_name}-${var.region_name}-key"
    public_key = "${file("${var.public_key_path}")}"
}

resource "aws_instance" "node" {
    ami = "${lookup(var.ami, var.region)}"
    instance_type = "${var.instance_type}"
    count = "${var.nb_nodes}"

    key_name = "${aws_key_pair.kp.id}"
    subnet_id = "${aws_subnet.subnet.id}"
    vpc_security_group_ids = ["${aws_security_group.sg.id}"]
    source_dest_check = false
    associate_public_ip_address = true

    root_block_device {
        volume_size = 20
    }

    tags {
        Name = "${var.cluster_name}-${var.region_name}-${count.index}"
    }
}

output "region" {
    value = "${var.region}"
}

output "vpc_id" {
    value = "${aws_vpc.vpc.id}"
}

这是创建对等连接的模块。

# Required Variables

variable "request_vpc_id" {}
variable "accept_vpc_id" {}
variable "request_region" {}
variable "accept_region" {}

data "aws_caller_identity" "current" {}

provider "aws" {
    region = "${var.request_region}"
}

resource "aws_vpc_peering_connection" "con" {
    peer_owner_id = "${data.aws_caller_identity.current.account_id}"
    vpc_id        = "${var.request_vpc_id}"
    peer_vpc_id   = "${var.accept_vpc_id}"
    auto_accept   = true
}

如果我这样做，在同一区域创建了2个VPCs，它就可以正常工作。

variable "cluster_name"{
    default = "aws-multi-region"
}

variable "nodes_per_region" {
    default = "1"
}

module "region-1" {
    source  = "./simple_region/"
    region = "us-east-1"
    cluster_name = "${var.cluster_name}"
    region_name = "east"
    vpc_cidr = "10.0.0.0/24"
    nb_nodes = "${var.nodes_per_region}"
}

module "region-2" {
    source  = "./simple_region/"
    region = "us-east-1"
    cluster_name = "${var.cluster_name}"
    region_name = "west"
    vpc_cidr = "11.1.1.0/24"
    nb_nodes = "${var.nodes_per_region}"
}

module "vpc_peer_1" {
    source  = "./vpc_peer/"
    request_region = "${module.region-1.region}"
    request_vpc_id = "${module.region-1.vpc_id}"
    accept_region = "${module.region-2.region}"
    accept_vpc_id = "${module.region-2.vpc_id}"
}

如果我试图在这样的不同地区创建VPCs，问题就来了。

variable "cluster_name"{
    default = "aws-multi-region"
}

variable "nodes_per_region" {
    default = "1"
}

module "region-1" {
    source  = "./simple_region/"
    region = "us-east-1"
    cluster_name = "${var.cluster_name}"
    region_name = "east"
    vpc_cidr = "10.0.0.0/24"
    nb_nodes = "${var.nodes_per_region}"
}

module "region-2" {
    source  = "./simple_region/"
    region = "us-east-2"
    cluster_name = "${var.cluster_name}"
    region_name = "west"
    vpc_cidr = "11.1.1.0/24"
    nb_nodes = "${var.nodes_per_region}"
}

module "vpc_peer_1" {
    source  = "./vpc_peer/"
    request_region = "${module.region-1.region}"
    request_vpc_id = "${module.region-1.vpc_id}"
    accept_region = "${module.region-2.region}"
    accept_vpc_id = "${module.region-2.vpc_id}"
}

我犯了个错误

Error: Error applying plan:

1 error(s) occurred:

* module.vpc_peer_1.aws_vpc_peering_connection.con: 1 error(s) occurred:

* aws_vpc_peering_connection.con: Error waiting for VPC Peering Connection to become available: Error waiting for VPC Peering Connection (pcx-0d423f938490fde63) to become available: Failed due to incorrect VPC-ID, Account ID, or overlapping CIDR range

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

我尝试在aws中手动创建vpc连接，这很好，所以我想知道这是一个terraform错误，还是需要对vpc_peer模块中的区域做些什么。

Answer 1

似乎这就是答案

# Required Variables

variable "request_vpc_id" {}
variable "accept_vpc_id" {}
variable "request_region" {}
variable "accept_region" {}

data "aws_caller_identity" "current" {}

provider "aws" {
    region = "${var.request_region}"
}

provider "aws" {
  alias  = "peer"
  region = "${var.accept_region}"
}

# Requester's side of the connection.
resource "aws_vpc_peering_connection" "peer" {
  vpc_id        = "${var.request_vpc_id}"
  peer_vpc_id   = "${var.accept_vpc_id}"
  peer_owner_id = "${data.aws_caller_identity.current.account_id}"
  peer_region   = "${var.accept_region}"
  auto_accept   = false

  tags = {
    Side = "Requester"
  }
}

# Accepter's side of the connection.
resource "aws_vpc_peering_connection_accepter" "peer" {
  provider                  = "aws.peer"
  vpc_peering_connection_id = "${aws_vpc_peering_connection.peer.id}"
  auto_accept               = true

  tags = {
    Side = "Accepter"
  }
}