Terraform module for managing AWS VPC resources.
This module uses maps, rather than lists, for many resources. Map keys give each resource a stable address, which makes the configuration more flexible and changes more predictable. For example, if a public subnet is added and placed before the already provisioned subnets (i.e. you are as particular about organization as I am), Terraform will not plan to destroy and re-create every subnet, which is what happens with list indexes that shift when an element is inserted.
IMPORTANT NOTE: The `main` branch is used as the module source in the usage examples, in place of a version. When using any portion of this module to provision resources, pin the module source to a release tag (e.g. `?ref=tags/x.y.z`). The `main` branch may contain undocumented breaking changes.
```hcl
module "vpc" {
  source = "https://github.com/bsakdol/terraform-aws-vpc?ref=main"

  name                 = "example-vpc"
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  private_subnets = {
    "10.0.10.0/24" = {
      "availability_zone" = "us-east-2a"
    },
    "10.0.11.0/24" = {
      "availability_zone" = "us-east-2b"
    }
  }

  public_subnets = {
    "10.0.20.0/24" = {
      "availability_zone"  = "us-east-2a"
      "create_nat_gateway" = true
    },
    "10.0.21.0/24" = {
      "availability_zone"  = "us-east-2b"
      "create_nat_gateway" = true
    }
  }

  tags = {
    Environment = "development"
    Owner       = "bsakdol"
    Terraform   = "true"
  }
}
```
This module supports different subnet types to provide different methods of connectivity and access:
- Internal Subnet: No internet connectivity to resources created within an internal subnet.
- Private Subnet: Internet connectivity is provided through the NAT Gateway.
- Public Subnet: Internet connectivity is provided through the Internet Gateway. By default, instances launched in a public subnet are assigned a public IP address on launch, which makes them directly reachable from the internet. Remember that the Network ACL this module provisions permits all traffic by default, so security group rules are the only instance-level filter unless the NACL rules are customized. Ensure proper security measures have been taken to mitigate the risks to instances in public subnets.
NOTE: When provisioning a private subnet, public subnets are also required in order to facilitate provisioning of the NAT Gateway(s). Please see NAT Gateways for more details.
This module provisions a VPC for a high availability environment. To accomplish this, one NAT Gateway is provisioned in each availability zone where a private subnet exists. This design ensures that, if an availability zone becomes unavailable, resources provisioned in the private subnets of the other availability zones still have internet access.
Each NAT Gateway is provisioned in a public subnet in the same availability zone as the private subnet(s) it serves, using an Elastic IP allocated for it. For this reason, a minimum of one public subnet must be provisioned in each availability zone where a private subnet is provisioned. It is important to note that if more than one public subnet exists in a single availability zone, only one of them should be associated with a NAT Gateway (i.e. set `create_nat_gateway = true`).
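The following root-module configuration is an added example, not part of this module, showing how to enforce the two NAT Gateway layout rules above before the module is applied. It assumes the `availability_zone` and `create_nat_gateway` subnet attributes from the usage example, a pinned release tag `x.y.z` as a placeholder, and uses a `check` block, which needs Terraform >= 1.5 (newer than the module's stated minimum).

```hcl
# Added example (not the module's own code): enforce the NAT Gateway layout
# rules in the calling root module.

variable "private_subnets" {
  description = "Private subnets keyed by CIDR, in the shape the module accepts."
  type        = any
  default = {
    "10.0.10.0/24" = { availability_zone = "us-east-2a" }
    "10.0.11.0/24" = { availability_zone = "us-east-2b" }
  }
}

variable "public_subnets" {
  description = "Public subnets keyed by CIDR. Exactly one per AZ carries a NAT Gateway."
  type        = any
  default = {
    "10.0.20.0/24" = { availability_zone = "us-east-2a", create_nat_gateway = true }
    "10.0.21.0/24" = { availability_zone = "us-east-2b", create_nat_gateway = true }
    # A second public subnet in us-east-2a (e.g. for load balancers) leaves
    # create_nat_gateway unset, so the AZ still has a single NAT Gateway.
    "10.0.22.0/24" = { availability_zone = "us-east-2a" }
  }

  # Rule 1 (self-contained, so a plain validation block works on Terraform >= 1.1):
  # never more than one public subnet per availability zone with a NAT Gateway.
  validation {
    condition = alltrue([
      for az in distinct([for s in values(var.public_subnets) : s.availability_zone]) :
      length([
        for s in values(var.public_subnets) : s
        if s.availability_zone == az && try(s.create_nat_gateway, false)
      ]) <= 1
    ])
    error_message = "At most one public subnet per availability zone may set create_nat_gateway = true."
  }
}

# Rule 2 (cross-variable, so it needs a check block, Terraform >= 1.5): every AZ
# that hosts a private subnet must also host a public subnet with a NAT Gateway,
# otherwise that AZ's private subnets have no egress path.
check "nat_gateway_per_private_az" {
  assert {
    condition = alltrue([
      for az in distinct([for s in values(var.private_subnets) : s.availability_zone]) :
      anytrue([
        for s in values(var.public_subnets) :
        s.availability_zone == az && try(s.create_nat_gateway, false)
      ])
    ])
    error_message = "Each availability zone with a private subnet needs one public subnet with create_nat_gateway = true."
  }
}

module "vpc" {
  # Pin to a release tag; x.y.z is a placeholder for the version you tested.
  source = "https://github.com/bsakdol/terraform-aws-vpc?ref=tags/x.y.z"

  name                 = "example-vpc"
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  private_subnets = var.private_subnets
  public_subnets  = var.public_subnets
}
```

Running `terraform plan` against this configuration fails early with the validation error if a second subnet in an AZ also sets `create_nat_gateway = true`, and the `check` block reports a warning-level failure if a private AZ has no NAT Gateway, before any VPC resources are touched.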
This module is responsible for managing the NACLs for each of the provisioned subnets. To keep the configuration simple, there are no flags or special attributes to signal Terraform to create the NACLs. Instead, when a subnet type is provisioned, an NACL is also provisioned for the subnets. The NACL for a subnet type is shared for all subnets of the same type, in order to maintain consistency.
By default, when an NACL is provisioned a single rule is implemented that permits all traffic inbound and all traffic outbound, so the NACL adds no filtering until its rules are customized. For an example of how to customize the Network ACL rules, please refer to the complete example. For more in-depth information on the available options, please refer to the Terraform documentation for the network-acl resource.
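The following module call is an added example, not taken from this module or its complete example, showing a tightened rule set for the public and private subnet NACLs. The inner rule attributes (`rule_no`, `action`, `protocol`, `cidr_block`, `from_port`, `to_port`) are an assumption based on the inline `ingress`/`egress` blocks of the Terraform `aws_network_acl` resource the page points to; confirm the exact keys against the module's complete example before use. The release tag `x.y.z` is a placeholder.

```hcl
# Added example (not the module's own code). Rule attribute names are assumed to
# mirror the aws_network_acl inline ingress/egress block arguments.

module "vpc" {
  source = "https://github.com/bsakdol/terraform-aws-vpc?ref=tags/x.y.z"

  name                 = "example-vpc"
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  private_subnets = {
    "10.0.10.0/24" = { availability_zone = "us-east-2a" }
  }
  public_subnets = {
    "10.0.20.0/24" = { availability_zone = "us-east-2a", create_nat_gateway = true }
  }

  # Public subnets: accept HTTPS from anywhere, plus the ephemeral port range on
  # which replies to outbound connections arrive. NACLs are stateless, so
  # without rule 110 the replies to every outbound request, including the
  # return traffic of the NAT Gateway that lives in this subnet, hit the
  # implicit "*" deny at the end of the ACL and are dropped.
  network_acl_public_ingress = {
    https = {
      rule_no    = 100
      action     = "allow"
      protocol   = "tcp"
      cidr_block = "0.0.0.0/0"
      from_port  = 443
      to_port    = 443
    }
    ephemeral = {
      rule_no    = 110
      action     = "allow"
      protocol   = "tcp"
      cidr_block = "0.0.0.0/0"
      from_port  = 1024
      to_port    = 65535
    }
  }
  network_acl_public_egress = {
    all = {
      rule_no    = 100
      action     = "allow"
      protocol   = "-1" # all protocols; from_port/to_port must then be 0
      cidr_block = "0.0.0.0/0"
      from_port  = 0
      to_port    = 0
    }
  }

  # Private subnets: accept anything from inside the VPC, plus ephemeral-port
  # replies. Internet replies are forwarded by the NAT Gateway with their
  # original internet source address, so the ephemeral rule cannot be narrowed
  # to the VPC CIDR without breaking outbound connectivity.
  network_acl_private_ingress = {
    vpc = {
      rule_no    = 100
      action     = "allow"
      protocol   = "-1"
      cidr_block = "10.0.0.0/16"
      from_port  = 0
      to_port    = 0
    }
    ephemeral = {
      rule_no    = 110
      action     = "allow"
      protocol   = "tcp"
      cidr_block = "0.0.0.0/0"
      from_port  = 1024
      to_port    = 65535
    }
  }
  network_acl_private_egress = {
    all = {
      rule_no    = 100
      action     = "allow"
      protocol   = "-1"
      cidr_block = "0.0.0.0/0"
      from_port  = 0
      to_port    = 0
    }
  }
}
```

Rules are evaluated in ascending `rule_no` order and the first match wins, so leave gaps between numbers to make later insertions painless. Because the NACL is shared by every subnet of a type, a rule added for one public subnet applies to all of them; instance-specific filtering still belongs in security groups.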
Interface and/or Gateway VPC Endpoints are managed via a sub-module. This provides the flexibility to manage VPC endpoints independently of the VPC and of resources dependent on the VPC. For more information, please reference the README.md for the sub-module.
A sub-module is included to manage VPC Flow Logs with a destination of CloudWatch or S3. This provides the flexibility to manage VPC Flow Logs independently of the VPC. For more information, please reference the README.md for the sub-module.
Name | Version |
---|---|
terraform | >= 1.1 |
aws | >= 4.8 |
Name | Version |
---|---|
aws | >= 4.8 |
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
cidr_block | The IPv4 CIDR block for the VPC. The CIDR can be set explicitly or derived from IPAM using `ipv4_netmask_length`. | string | null | no |
dhcp_options | A map of attributes to manage the DHCP options for the VPC. For information about the arguments relevant for this resource type, see the Argument Reference. | any | {} | no |
dhcp_options_tags | A map of tags to assign to the DHCP options. Resource specific tags will override all other tags. | map(string) | {} | no |
eip_nat_tags | A map of tags to assign to the EIP resources for the NAT Gateways. Resource specific tags will override all other tags. | map(string) | {} | no |
enable_dns_hostnames | A boolean flag to enable/disable DNS hostnames in the VPC. | bool | false | no |
enable_dns_support | A boolean flag to enable/disable DNS support in the VPC. | bool | true | no |
igw_tags | A map of tags to assign to the internet gateway resource. Resource specific tags will override all other tags. | map(string) | {} | no |
instance_tenancy | A tenancy option for instances launched into the VPC. | string | null | no |
internal_route_table_tags | A map of tags to assign to the internal route table resource. Resource specific tags will override all other tags. | map(string) | {} | no |
internal_subnets | A map of attributes to define internal subnets for the VPC. | any | {} | no |
internal_subnets_tags | A map of tags to assign to the internal subnets resources. Resource specific tags will override all other tags. | map(string) | {} | no |
manage_vpc | A boolean flag to control whether or not to manage VPC resources. | bool | true | no |
name | Name to be used as an identifier of all managed resources. | string | null | no |
nat_gateway_tags | A map of tags to assign to the NAT Gateway resources. Resource specific tags will override all other tags. | map(string) | {} | no |
network_acl_internal_egress | A map of egress rules applied to the internal subnets network ACL. | map(any) | { | no |
network_acl_internal_ingress | A map of ingress rules applied to the internal subnets network ACL. | map(any) | { | no |
network_acl_internal_tags | A map of tags to assign to the Network ACL applied to the internal subnets. | map(string) | {} | no |
network_acl_private_egress | A map of egress rules applied to the private subnets network ACL. | map(any) | { | no |
network_acl_private_ingress | A map of ingress rules applied to the private subnets network ACL. | map(any) | { | no |
network_acl_private_tags | A map of tags to assign to the Network ACL applied to the private subnets. | map(string) | {} | no |
network_acl_public_egress | A map of egress rules applied to the public subnets network ACL. | map(any) | { | no |
network_acl_public_ingress | A map of ingress rules applied to the public subnets network ACL. | map(any) | { | no |
network_acl_public_tags | A map of tags to assign to the Network ACL applied to the public subnets. | map(string) | {} | no |
private_route_table_tags | A map of tags to assign to the private route table resource. Resource specific tags will override all other tags. | map(string) | {} | no |
private_subnets | A map of attributes to define private subnets for the VPC. | any | {} | no |
private_subnets_tags | A map of tags to assign to the private subnets resources. Resource specific tags will override all other tags. | map(string) | {} | no |
public_route_table_tags | A map of tags to assign to the public route table resource. Resource specific tags will override all other tags. | map(string) | {} | no |
public_subnets | A map of attributes to define public subnets for the VPC. | any | {} | no |
public_subnets_tags | A map of tags to assign to the public subnets resources. Resource specific tags will override all other tags. | map(string) | {} | no |
tags | A map of tags to assign to all managed resources. If configured with a provider `default_tags` configuration block, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no |
vpc_ipv4_cidr_block_associations | A map of additional IPv4 CIDR blocks to associate with the VPC. Requires `cidr_block`, `ipv4_ipam_pool_id`, or `ipv4_netmask_length` to be defined. See the Argument Reference for the available attributes. | any | {} | no |
vpc_tags | A map of tags to assign to the VPC resource. Resource specific tags will override all other tags. | map(string) | {} | no |
Name | Description |
---|---|
arn | Amazon Resource Name (ARN) of VPC. |
default_network_acl_id | The ID of the network ACL created by default on VPC creation. |
default_route_table_id | The ID of the route table created by default on VPC creation. |
default_security_group_id | The ID of the security group created by default on VPC creation. |
dhcp_options | A map of DHCP options and attributes. |
enable_dns_hostnames | Whether or not the VPC has DNS hostname support. |
enable_dns_support | Whether or not the VPC has DNS support. |
id | The ID of the VPC. |
instance_tenancy | Tenancy of the instances created within the VPC. |
internet_gateway | A map of internet gateway attributes. |
ipv4_cidr_block_associations | A map of IPv4 CIDR block associations and attributes. |
main_route_table_id | The ID of the main route table associated with this VPC. |
nat_elastic_ips | A map of Elastic IPs used for the NAT Gateways. |
nat_gateways | A map of NAT Gateway attributes. |
network_acl_internal | A map of internal subnets network ACL attributes. |
network_acl_private | A map of private subnets network ACL attributes. |
network_acl_public | A map of public subnets network ACL attributes. |
owner_id | The ID of the AWS account that owns the VPC. |
route_tables | A map of route tables and attributes. |
subnets | A map of subnet types, subnets, and associated attributes. |
tags_all | A map of tags assigned to the VPC, including those inherited from the provider default_tags configuration block. |
vpc_all | A map of VPC attributes. |