AWS VPC Terraform module

Terraform module which creates VPC resources on AWS.

These types of resources are supported:

Sponsored by Cloudcraft - the best way to draw AWS diagrams

Terraform versions

Terraform 0.12. Pin module version to ~> v2.0. Submit pull-requests to master branch.

Terraform 0.11. Pin module version to ~> v1.0. Submit pull-requests to terraform011 branch.

Usage

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform = "true"
    Environment = "dev"
  }
}

External NAT Gateway IPs

By default this module will provision new Elastic IPs for the VPC's NAT Gateways. This means that when creating a new VPC, new IPs are allocated, and when that VPC is destroyed those IPs are released. Sometimes it is handy to keep the same IPs even after the VPC is destroyed and re-created. To that end, it is possible to assign existing IPs to the NAT Gateways. This prevents the destruction of the VPC from releasing those IPs, while making it possible that a re-created VPC uses the same IPs.

To achieve this, allocate the IPs outside the VPC module declaration.

resource "aws_eip" "nat" {
  count = 3

  vpc = true
}

Then, pass the allocated IPs as a parameter to this module.

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  # The rest of arguments are omitted for brevity

  enable_nat_gateway  = true
  single_nat_gateway  = false
  reuse_nat_ips       = true                    # <= Skip creation of EIPs for the NAT Gateways
  external_nat_ip_ids = "${aws_eip.nat.*.id}"   # <= IPs specified here as input to the module
}

Note that in the example we allocate 3 IPs because we will be provisioning 3 NAT Gateways (due to single_nat_gateway = false and having 3 subnets). If, on the other hand, single_nat_gateway = true, then aws_eip.nat would only need to allocate 1 IP. Passing the IPs into the module is done by setting two variables reuse_nat_ips = true and external_nat_ip_ids = "${aws_eip.nat.*.id}".

NAT Gateway Scenarios

This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.

  • One NAT Gateway per subnet (default behavior)
    • enable_nat_gateway = true
    • single_nat_gateway = false
    • one_nat_gateway_per_az = false
  • Single NAT Gateway
    • enable_nat_gateway = true
    • single_nat_gateway = true
    • one_nat_gateway_per_az = false
  • One NAT Gateway per availability zone
    • enable_nat_gateway = true
    • single_nat_gateway = false
    • one_nat_gateway_per_az = true

If both single_nat_gateway and one_nat_gateway_per_az are set to true, then single_nat_gateway takes precedence.

One NAT Gateway per subnet (default)

By default, the module will determine the number of NAT Gateways to create based on the max() of the private subnet lists (database_subnets, elasticache_subnets, private_subnets, and redshift_subnets). The module does not take into account the number of intra_subnets, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:

database_subnets    = ["10.0.21.0/24", "10.0.22.0/24"]
elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24"]
private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
redshift_subnets    = ["10.0.41.0/24", "10.0.42.0/24"]
intra_subnets       = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]

Then 5 NAT Gateways will be created since 5 private subnet CIDR blocks were specified.

Single NAT Gateway

If single_nat_gateway = true, then all private subnets will route their Internet traffic through this single NAT gateway. The NAT gateway will be placed in the first public subnet in your public_subnets block.

One NAT Gateway per availability zone

If one_nat_gateway_per_az = true and single_nat_gateway = false, then the module will place one NAT gateway in each availability zone you specify in var.azs. There are some requirements around using this feature flag:

  • The variable var.azs must be specified.
  • The number of public subnet CIDR blocks specified in public_subnets must be greater than or equal to the number of availability zones specified in var.azs. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.

"private" versus "intra" subnets

By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.

If you need private subnets that should have no Internet routing (in the sense of RFC1918 Category 1 subnets), intra_subnets should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.

Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received (read more), it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.

You can add additional tags with intra_subnet_tags as with other subnet types.
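The "One NAT Gateway per availability zone" scenario and the "private" versus "intra" distinction above, combined in one added configuration (not taken from the module's README; the VPC name, CIDRs and tags are assumed). Three AZs are declared, so at least three public subnets are required for the per-AZ NAT Gateways, while the large intra subnets give Lambda ENIs room without ever receiving a NAT or Internet Gateway route:

```hcl
# Added example: one NAT Gateway per AZ plus intra subnets for VPC-internal workloads.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "per-az-nat-vpc" # assumed name
  cidr = "10.0.0.0/16"

  # Three AZs: one_nat_gateway_per_az needs len(public_subnets) >= len(azs),
  # because each NAT Gateway is placed in its own public subnet.
  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

  # A /20 per AZ for Lambda ENIs. Intra subnets are not counted when sizing
  # NAT Gateways and get no 0.0.0.0/0 route, so their traffic stays in the VPC
  # (or reaches AWS services only through VPC endpoints).
  intra_subnets = ["10.0.16.0/20", "10.0.32.0/20", "10.0.48.0/20"]

  enable_nat_gateway     = true
  single_nat_gateway     = false # must stay false, or it takes precedence
  one_nat_gateway_per_az = true

  intra_subnet_tags = {
    Tier = "lambda-internal"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

# Module outputs (assumed present in the v2 module) that make the result auditable:
# expect three NAT Gateways, and intra route tables that carry no default route.
output "nat_gateway_ids" {
  value = module.vpc.natgw_ids
}

output "intra_route_table_ids" {
  value = module.vpc.intra_route_table_ids
}
```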

VPC Flow Log

VPC Flow Logs capture IP traffic metadata for a specific network interface (ENI), a subnet, or an entire VPC. This module supports enabling or disabling VPC Flow Logs for the entire VPC only. If you need VPC Flow Logs for a single subnet or ENI, you have to manage them outside of this module with the aws_flow_log resource.
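An added configuration (not from the module's README) that turns on VPC-wide Flow Logs using the flow_log_* inputs listed in the Inputs table below, writing to a CloudWatch log group the module creates, encrypted with a customer-managed KMS key and retained for 90 days. The KMS key, its policy, the VPC name and the CIDRs are assumptions added here; the CloudWatch Logs service principal must be allowed in the key policy or log delivery fails silently.

```hcl
# Added example: VPC-wide Flow Logs to a KMS-encrypted CloudWatch log group.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Key policy: account root keeps administration; the regional CloudWatch Logs
# service principal may use the key only for log groups under the module's prefix.
data "aws_iam_policy_document" "flow_log_kms" {
  statement {
    sid       = "EnableRootPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid = "AllowCloudWatchLogsUseOfTheKey"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/vpc-flow-log/*"]
    }
  }
}

resource "aws_kms_key" "flow_log" {
  description         = "Encrypts VPC Flow Log data in CloudWatch Logs" # assumed resource
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.flow_log_kms.json
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "flow-log-vpc" # assumed name
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  # Flow Logs for the whole VPC. The module creates both the log group and the
  # IAM role the Flow Logs service assumes to write into it.
  enable_flow_log                                 = true
  flow_log_destination_type                       = "cloud-watch-logs"
  create_flow_log_cloudwatch_log_group            = true
  create_flow_log_cloudwatch_iam_role             = true
  flow_log_cloudwatch_log_group_name_prefix       = "/aws/vpc-flow-log/"
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_kms_key_id        = aws_kms_key.flow_log.arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

Retention and key rotation are the two settings auditors usually check first; the key policy condition keeps the Logs service from using this key for unrelated log groups.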

Conditional creation

Sometimes you need a way to create VPC resources conditionally, but Terraform does not allow count inside a module block, so the solution is to set the argument create_vpc.

# This VPC will not be created
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  create_vpc = false
  # ... omitted
}

Public access to RDS instances

Sometimes it is handy to have public access to RDS instances (it is not recommended for production) by specifying these arguments:

  create_database_subnet_group           = true
  create_database_subnet_route_table     = true
  create_database_internet_gateway_route = true

  enable_dns_hostnames = true
  enable_dns_support   = true

Network Access Control Lists (ACL or NACL)

This module can manage network ACLs and their rules. Once the VPC is created, AWS creates the default network ACL, which can be controlled using this module (manage_default_network_acl = true).

Also, each type of subnet may have its own network ACL with custom rules per subnet. For example, set public_dedicated_network_acl = true to use a dedicated network ACL for the public subnets, and set public_inbound_acl_rules and public_outbound_acl_rules to specify all the NACL rules you need on the public subnets (see variables.tf for default values and structures).

By default, all subnets are associated with the default network ACL.
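The default rule sets shown in the Inputs table below allow all traffic in both directions (protocol "-1" from 0.0.0.0/0). As an added example (not from the module's README; VPC name and CIDRs are assumed), this configuration gives the public subnets a dedicated ACL that admits only HTTPS and the return traffic that a public load balancer and the NAT Gateway need, relying on the implicit final deny of every network ACL for everything else:

```hcl
# Added example: a deny-by-default network ACL for the public subnets.
locals {
  vpc_cidr = "10.0.0.0/16"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "nacl-vpc" # assumed name
  cidr = local.vpc_cidr

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]

  # The NAT Gateway lives in a public subnet, so private-subnet egress is
  # also subject to the public ACL below.
  enable_nat_gateway = true
  single_nat_gateway = true

  public_dedicated_network_acl = true

  # Rule maps use the same keys as the module defaults (see variables.tf).
  # NACLs are stateless, so the ephemeral port range must be opened explicitly.
  public_inbound_acl_rules = [
    {
      # HTTPS from the Internet to a public load balancer
      rule_number = 100
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Replies to connections the NAT Gateway opened on behalf of private hosts
      rule_number = 110
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 1024
      to_port     = 65535
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Traffic from inside the VPC (private subnets egressing via the NAT GW,
      # backend replies to the load balancer)
      rule_number = 120
      rule_action = "allow"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_block  = local.vpc_cidr
    },
  ]

  public_outbound_acl_rules = [
    {
      # Outbound to the Internet limited to HTTPS; this also caps what private
      # hosts can reach through the NAT Gateway (no plain HTTP, no arbitrary ports)
      rule_number = 100
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Responses to Internet clients of the load balancer
      rule_number = 110
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 1024
      to_port     = 65535
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Back to targets and clients inside the VPC
      rule_number = 120
      rule_action = "allow"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_block  = local.vpc_cidr
    },
  ]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

Private, database and other subnet types stay on the default network ACL unless their own *_dedicated_network_acl flag is set in the same way.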

Public access to Redshift cluster

Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments:

  enable_public_redshift = true  # <= By default Redshift subnets will be associated with the private route table

Transit Gateway (TGW) integration

It is possible to integrate this VPC module with terraform-aws-transit-gateway module which handles the creation of TGW resources and VPC attachments. See complete example there.

Examples

Providers

Name Version
aws ~> 2.53

Inputs

Name Description Type Default Required
amazon_side_asn The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. string "64512" no
apigw_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint bool false no
apigw_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for API GW endpoint list(string) [] no
apigw_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
appmesh_envoy_management_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for AppMesh endpoint bool false no
appmesh_envoy_management_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for AppMesh endpoint list(string) [] no
appmesh_envoy_management_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for AppMesh endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
appstream_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for AppStream endpoint bool false no
appstream_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for AppStream endpoint list(string) [] no
appstream_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for AppStream endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
assign_ipv6_address_on_creation Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool false no
athena_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint bool false no
athena_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Athena endpoint list(string) [] no
athena_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
azs A list of availability zones names or ids in the region list(string) [] no
cidr The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden string "0.0.0.0/0" no
cloud_directory_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint bool false no
cloud_directory_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint list(string) [] no
cloud_directory_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
cloudformation_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Cloudformation endpoint bool false no
cloudformation_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Cloudformation endpoint list(string) [] no
cloudformation_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Cloudformation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
cloudtrail_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint bool false no
cloudtrail_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for CloudTrail endpoint list(string) [] no
cloudtrail_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
codebuild_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint bool false no
codebuild_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Codebuild endpoint list [] no
codebuild_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Codebuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list [] no
codecommit_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint bool false no
codecommit_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Codecommit endpoint list [] no
codecommit_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list [] no
codepipeline_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint bool false no
codepipeline_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for CodePipeline endpoint list(string) [] no
codepipeline_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
config_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for config endpoint bool false no
config_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for config endpoint list [] no
config_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list [] no
create_database_internet_gateway_route Controls if an internet gateway route for public database access should be created bool false no
create_database_nat_gateway_route Controls if a nat gateway route should be created to give internet access to the database subnets bool false no
create_database_subnet_group Controls if database subnet group should be created bool true no
create_database_subnet_route_table Controls if separate route table for database should be created bool false no
create_elasticache_subnet_group Controls if elasticache subnet group should be created bool true no
create_elasticache_subnet_route_table Controls if separate route table for elasticache should be created bool false no
create_flow_log_cloudwatch_iam_role Whether to create IAM role for VPC Flow Logs bool false no
create_flow_log_cloudwatch_log_group Whether to create CloudWatch log group for VPC Flow Logs bool false no
create_redshift_subnet_group Controls if redshift subnet group should be created bool true no
create_redshift_subnet_route_table Controls if separate route table for redshift should be created bool false no
create_vpc Controls if VPC should be created (it affects almost all resources) bool true no
customer_gateway_tags Additional tags for the Customer Gateway map(string) {} no
customer_gateways Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) map(map(any)) {} no
database_acl_tags Additional tags for the database subnets network ACL map(string) {} no
database_dedicated_network_acl Whether to use dedicated network ACL (not default) and custom rules for database subnets bool false no
database_inbound_acl_rules Database subnets inbound network ACL rules list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
database_outbound_acl_rules Database subnets outbound network ACL rules list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
database_route_table_tags Additional tags for the database route tables map(string) {} no
database_subnet_assign_ipv6_address_on_creation Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool n/a yes
database_subnet_group_tags Additional tags for the database subnet group map(string) {} no
database_subnet_ipv6_prefixes Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list list [] no
database_subnet_suffix Suffix to append to database subnets name string "db" no
database_subnet_tags Additional tags for the database subnets map(string) {} no
database_subnets A list of database subnets list(string) [] no
default_network_acl_egress List of maps of egress rules to set on the Default Network ACL list(map(string))
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
no
default_network_acl_ingress List of maps of ingress rules to set on the Default Network ACL list(map(string))
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
no
default_network_acl_name Name to be used on the Default Network ACL string "" no
default_network_acl_tags Additional tags for the Default Network ACL map(string) {} no
default_vpc_enable_classiclink Should be true to enable ClassicLink in the Default VPC bool false no
default_vpc_enable_dns_hostnames Should be true to enable DNS hostnames in the Default VPC bool false no
default_vpc_enable_dns_support Should be true to enable DNS support in the Default VPC bool true no
default_vpc_name Name to be used on the Default VPC string "" no
default_vpc_tags Additional tags for the Default VPC map(string) {} no
dhcp_options_domain_name Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) string "" no
dhcp_options_domain_name_servers Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) list(string)
[
"AmazonProvidedDNS"
]
no
dhcp_options_netbios_name_servers Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) list(string) [] no
dhcp_options_netbios_node_type Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) string "" no
dhcp_options_ntp_servers Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) list(string) [] no
dhcp_options_tags Additional tags for the DHCP option set (requires enable_dhcp_options set to true) map(string) {} no
ec2_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint bool false no
ec2_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for EC2 endpoint list(string) [] no
ec2_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
ec2messages_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint bool false no
ec2messages_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint list(string) [] no
ec2messages_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
ecr_api_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint bool false no
ecr_api_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for ECR API endpoint list(string) [] no
ecr_api_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. list(string) [] no
ecr_dkr_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint bool false no
ecr_dkr_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for ECR DKR endpoint list(string) [] no
ecr_dkr_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. list(string) [] no
ecs_agent_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint bool false no
ecs_agent_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for ECS Agent endpoint list(string) [] no
ecs_agent_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
ecs_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint bool false no
ecs_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for ECS endpoint list(string) [] no
ecs_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
ecs_telemetry_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint bool false no
ecs_telemetry_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint list(string) [] no
ecs_telemetry_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
efs_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint bool false no
efs_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for EFS endpoint list(string) [] no
efs_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
elasticache_acl_tags Additional tags for the elasticache subnets network ACL map(string) {} no
elasticache_dedicated_network_acl Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets bool false no
elasticache_inbound_acl_rules Elasticache subnets inbound network ACL rules list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
elasticache_outbound_acl_rules Elasticache subnets outbound network ACL rules list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
elasticache_route_table_tags Additional tags for the elasticache route tables map(string) {} no
elasticache_subnet_assign_ipv6_address_on_creation Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool n/a yes
elasticache_subnet_ipv6_prefixes Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list list [] no
elasticache_subnet_suffix Suffix to append to elasticache subnets name string "elasticache" no
elasticache_subnet_tags Additional tags for the elasticache subnets map(string) {} no
elasticache_subnets A list of elasticache subnets list(string) [] no
elasticloadbalancing_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint bool false no
elasticloadbalancing_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint list(string) [] no
elasticloadbalancing_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
enable_apigw_endpoint Should be true if you want to provision an api gateway endpoint to the VPC bool false no
enable_appmesh_envoy_management_endpoint Should be true if you want to provision an AppMesh endpoint to the VPC bool false no
enable_appstream_endpoint Should be true if you want to provision an AppStream endpoint to the VPC bool false no
enable_athena_endpoint Should be true if you want to provision an Athena endpoint to the VPC bool false no
enable_classiclink Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. bool n/a yes
enable_classiclink_dns_support Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. bool n/a yes
enable_cloud_directory_endpoint Should be true if you want to provision a Cloud Directory endpoint to the VPC bool false no
enable_cloudformation_endpoint Should be true if you want to provision a Cloudformation endpoint to the VPC bool false no
enable_cloudtrail_endpoint Should be true if you want to provision a CloudTrail endpoint to the VPC bool false no
enable_codebuild_endpoint Should be true if you want to provision a Codebuild endpoint to the VPC bool false no
enable_codecommit_endpoint Should be true if you want to provision a Codecommit endpoint to the VPC bool false no
enable_codepipeline_endpoint Should be true if you want to provision a CodePipeline endpoint to the VPC bool false no
enable_config_endpoint Should be true if you want to provision a Config endpoint to the VPC bool false no
enable_dhcp_options Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type bool false no
enable_dns_hostnames Should be true to enable DNS hostnames in the VPC bool false no
enable_dns_support Should be true to enable DNS support in the VPC bool true no
enable_dynamodb_endpoint Should be true if you want to provision a DynamoDB endpoint to the VPC bool false no
enable_ec2_endpoint Should be true if you want to provision an EC2 endpoint to the VPC bool false no
enable_ec2messages_endpoint Should be true if you want to provision an EC2MESSAGES endpoint to the VPC bool false no
enable_ecr_api_endpoint Should be true if you want to provision an ecr api endpoint to the VPC bool false no
enable_ecr_dkr_endpoint Should be true if you want to provision an ecr dkr endpoint to the VPC bool false no
enable_ecs_agent_endpoint Should be true if you want to provision an ECS Agent endpoint to the VPC bool false no
enable_ecs_endpoint Should be true if you want to provision an ECS endpoint to the VPC bool false no
enable_ecs_telemetry_endpoint Should be true if you want to provision an ECS Telemetry endpoint to the VPC bool false no
enable_efs_endpoint Should be true if you want to provision an EFS endpoint to the VPC bool false no
enable_elasticloadbalancing_endpoint Should be true if you want to provision an Elastic Load Balancing endpoint to the VPC bool false no
enable_events_endpoint Should be true if you want to provision a CloudWatch Events endpoint to the VPC bool false no
enable_flow_log Whether or not to enable VPC Flow Logs bool false no
enable_git_codecommit_endpoint Should be true if you want to provision a Git Codecommit endpoint to the VPC bool false no
enable_glue_endpoint Should be true if you want to provision a Glue endpoint to the VPC bool false no
enable_ipv6 Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. bool false no
enable_kinesis_firehose_endpoint Should be true if you want to provision a Kinesis Firehose endpoint to the VPC bool false no
enable_kinesis_streams_endpoint Should be true if you want to provision a Kinesis Streams endpoint to the VPC bool false no
enable_kms_endpoint Should be true if you want to provision a KMS endpoint to the VPC bool false no
enable_logs_endpoint Should be true if you want to provision a CloudWatch Logs endpoint to the VPC bool false no
enable_monitoring_endpoint Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC bool false no
enable_nat_gateway Should be true if you want to provision NAT Gateways for each of your private networks bool false no
enable_public_redshift Controls if redshift should have public routing table bool false no
enable_rekognition_endpoint Should be true if you want to provision a Rekognition endpoint to the VPC bool false no
enable_s3_endpoint Should be true if you want to provision an S3 endpoint to the VPC bool false no
enable_sagemaker_api_endpoint Should be true if you want to provision a SageMaker API endpoint to the VPC bool false no
enable_sagemaker_notebook_endpoint Should be true if you want to provision a Sagemaker Notebook endpoint to the VPC bool false no
enable_sagemaker_runtime_endpoint Should be true if you want to provision a SageMaker Runtime endpoint to the VPC bool false no
enable_secretsmanager_endpoint Should be true if you want to provision a Secrets Manager endpoint to the VPC bool false no
enable_servicecatalog_endpoint Should be true if you want to provision a Service Catalog endpoint to the VPC bool false no
enable_sns_endpoint Should be true if you want to provision an SNS endpoint to the VPC bool false no
enable_sqs_endpoint Should be true if you want to provision an SQS endpoint to the VPC bool false no
enable_ssm_endpoint Should be true if you want to provision an SSM endpoint to the VPC bool false no
enable_ssmmessages_endpoint Should be true if you want to provision an SSMMESSAGES endpoint to the VPC bool false no
enable_storagegateway_endpoint Should be true if you want to provision a Storage Gateway endpoint to the VPC bool false no
enable_sts_endpoint Should be true if you want to provision an STS endpoint to the VPC bool false no
enable_transfer_endpoint Should be true if you want to provision a Transfer endpoint to the VPC bool false no
enable_transferserver_endpoint Should be true if you want to provision a Transfer Server endpoint to the VPC bool false no
enable_vpn_gateway Should be true if you want to create a new VPN Gateway resource and attach it to the VPC bool false no
events_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint bool false no
events_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint list(string) [] no
events_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
external_nat_ip_ids List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) list(string) [] no
flow_log_cloudwatch_iam_role_arn The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. string "" no
flow_log_cloudwatch_log_group_kms_key_id The ARN of the KMS Key to use when encrypting log data for VPC flow logs. string n/a yes
flow_log_cloudwatch_log_group_name_prefix Specifies the name prefix of CloudWatch Log Group for VPC flow logs. string "/aws/vpc-flow-log/" no
flow_log_cloudwatch_log_group_retention_in_days Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. number n/a yes
flow_log_destination_arn The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided. string "" no
flow_log_destination_type Type of flow log destination. Can be s3 or cloud-watch-logs. string "cloud-watch-logs" no
flow_log_log_format The fields to include in the flow log record, in the order in which they should appear. string n/a yes
flow_log_traffic_type The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. string "ALL" no
git_codecommit_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint bool false no
git_codecommit_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint list [] no
git_codecommit_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list [] no
glue_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Glue endpoint bool false no
glue_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Glue endpoint list(string) [] no
glue_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Glue endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
igw_tags Additional tags for the internet gateway map(string) {} no
instance_tenancy A tenancy option for instances launched into the VPC string "default" no
intra_acl_tags Additional tags for the intra subnets network ACL map(string) {} no
intra_dedicated_network_acl Whether to use dedicated network ACL (not default) and custom rules for intra subnets bool false no
intra_inbound_acl_rules Intra subnets inbound network ACLs list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
intra_outbound_acl_rules Intra subnets outbound network ACLs list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
intra_route_table_tags Additional tags for the intra route tables map(string) {} no
intra_subnet_assign_ipv6_address_on_creation Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool n/a yes
intra_subnet_ipv6_prefixes Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list list [] no
intra_subnet_suffix Suffix to append to intra subnets name string "intra" no
intra_subnet_tags Additional tags for the intra subnets map(string) {} no
intra_subnets A list of intra subnets list(string) [] no
kinesis_firehose_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint bool false no
kinesis_firehose_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint list(string) [] no
kinesis_firehose_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
kinesis_streams_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint bool false no
kinesis_streams_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint list(string) [] no
kinesis_streams_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
kms_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint bool false no
kms_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for KMS endpoint list(string) [] no
kms_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
logs_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint bool false no
logs_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint list(string) [] no
logs_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
manage_default_network_acl Should be true to adopt and manage Default Network ACL bool false no
manage_default_vpc Should be true to adopt and manage Default VPC bool false no
map_public_ip_on_launch Should be false if you do not want to auto-assign public IP on launch bool true no
monitoring_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint bool false no
monitoring_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint list(string) [] no
monitoring_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
name Name to be used on all the resources as identifier string "" no
nat_eip_tags Additional tags for the NAT EIP map(string) {} no
nat_gateway_tags Additional tags for the NAT gateways map(string) {} no
one_nat_gateway_per_az Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs. bool false no
private_acl_tags Additional tags for the private subnets network ACL map(string) {} no
private_dedicated_network_acl Whether to use dedicated network ACL (not default) and custom rules for private subnets bool false no
private_inbound_acl_rules Private subnets inbound network ACLs list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
private_outbound_acl_rules Private subnets outbound network ACLs list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
private_route_table_tags Additional tags for the private route tables map(string) {} no
private_subnet_assign_ipv6_address_on_creation Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool n/a yes
private_subnet_ipv6_prefixes Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list list [] no
private_subnet_suffix Suffix to append to private subnets name string "private" no
private_subnet_tags Additional tags for the private subnets map(string) {} no
private_subnets A list of private subnets inside the VPC list(string) [] no
propagate_intra_route_tables_vgw Should be true if you want route table propagation bool false no
propagate_private_route_tables_vgw Should be true if you want route table propagation bool false no
propagate_public_route_tables_vgw Should be true if you want route table propagation bool false no
public_acl_tags Additional tags for the public subnets network ACL map(string) {} no
public_dedicated_network_acl Whether to use dedicated network ACL (not default) and custom rules for public subnets bool false no
public_inbound_acl_rules Public subnets inbound network ACLs list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
public_outbound_acl_rules Public subnets outbound network ACLs list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
public_route_table_tags Additional tags for the public route tables map(string) {} no
public_subnet_assign_ipv6_address_on_creation Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool n/a yes
public_subnet_ipv6_prefixes Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list list [] no
public_subnet_suffix Suffix to append to public subnets name string "public" no
public_subnet_tags Additional tags for the public subnets map(string) {} no
public_subnets A list of public subnets inside the VPC list(string) [] no
redshift_acl_tags Additional tags for the redshift subnets network ACL map(string) {} no
redshift_dedicated_network_acl Whether to use dedicated network ACL (not default) and custom rules for redshift subnets bool false no
redshift_inbound_acl_rules Redshift subnets inbound network ACL rules list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
redshift_outbound_acl_rules Redshift subnets outbound network ACL rules list(map(string))
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
no
redshift_route_table_tags Additional tags for the redshift route tables map(string) {} no
redshift_subnet_assign_ipv6_address_on_creation Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch bool n/a yes
redshift_subnet_group_tags Additional tags for the redshift subnet group map(string) {} no
redshift_subnet_ipv6_prefixes Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list list [] no
redshift_subnet_suffix Suffix to append to redshift subnets name string "redshift" no
redshift_subnet_tags Additional tags for the redshift subnets map(string) {} no
redshift_subnets A list of redshift subnets list(string) [] no
rekognition_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint bool false no
rekognition_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Rekognition endpoint list(string) [] no
rekognition_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
reuse_nat_ips Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable bool false no
sagemaker_api_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint bool false no
sagemaker_api_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for SageMaker API endpoint list(string) [] no
sagemaker_api_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
sagemaker_notebook_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Notebook endpoint bool false no
sagemaker_notebook_endpoint_region Region to use for Sagemaker Notebook endpoint string "" no
sagemaker_notebook_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Sagemaker Notebook endpoint list(string) [] no
sagemaker_notebook_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Sagemaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
sagemaker_runtime_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint bool false no
sagemaker_runtime_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for SageMaker Runtime endpoint list(string) [] no
sagemaker_runtime_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
secondary_cidr_blocks List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool list(string) [] no
secretsmanager_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint bool false no
secretsmanager_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint list(string) [] no
secretsmanager_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
servicecatalog_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint bool false no
servicecatalog_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Service Catalog endpoint list(string) [] no
servicecatalog_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
single_nat_gateway Should be true if you want to provision a single shared NAT Gateway across all of your private networks bool false no
sns_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint bool false no
sns_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for SNS endpoint list(string) [] no
sns_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
sqs_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint bool false no
sqs_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for SQS endpoint list [] no
sqs_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list [] no
ssm_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint bool false no
ssm_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for SSM endpoint list(string) [] no
ssm_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
ssmmessages_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint bool false no
ssmmessages_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint list(string) [] no
ssmmessages_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
storagegateway_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint bool false no
storagegateway_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint list(string) [] no
storagegateway_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
sts_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for STS endpoint bool false no
sts_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for STS endpoint list(string) [] no
sts_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
tags A map of tags to add to all resources map(string) {} no
transfer_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint bool false no
transfer_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Transfer endpoint list(string) [] no
transfer_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. list(string) [] no
transferserver_endpoint_private_dns_enabled Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint bool false no
transferserver_endpoint_security_group_ids The ID of one or more security groups to associate with the network interface for Transfer Server endpoint list(string) [] no
transferserver_endpoint_subnet_ids The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. list(string) [] no
vpc_endpoint_tags Additional tags for the VPC Endpoints map(string) {} no
vpc_flow_log_tags Additional tags for the VPC Flow Logs map(string) {} no
vpc_tags Additional tags for the VPC map(string) {} no
vpn_gateway_az The Availability Zone for the VPN Gateway string n/a yes
vpn_gateway_id ID of VPN Gateway to attach to the VPC string "" no
vpn_gateway_tags Additional tags for the VPN gateway map(string) {} no
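
The inputs above are easiest to read as a set: the `*_dedicated_network_acl` and `*_acl_rules` variables replace the module's allow-all default NACL rules, the `flow_log_*` variables decide where and how long traffic records are kept, and the `enable_*_endpoint` / `*_endpoint_private_dns_enabled` / `*_endpoint_security_group_ids` triplets keep AWS API traffic inside the VPC. The following module call is an added example, not a configuration from the module's README or its `examples/` directory. It uses only variables from the table, plus `enable_flow_log`, `create_flow_log_cloudwatch_log_group` and `create_flow_log_cloudwatch_iam_role`, which exist in the module but sit outside this part of the table; every CIDR, security group ID and KMS key ARN is a placeholder.

```hcl
# Added example, not part of the module's README. Assumes the module's
# enable_flow_log / create_flow_log_cloudwatch_* inputs (not listed in this
# part of the table). All CIDRs, IDs and ARNs are placeholders.

locals {
  vpc_cidr = "10.0.0.0/16"
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "prod-vpc"
  cidr = local.vpc_cidr

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  # Interface endpoints so private instances reach SSM, KMS and CloudWatch
  # Logs without traversing the NAT Gateway. Private DNS makes the normal
  # service hostnames resolve to the endpoint ENIs. The security group is
  # assumed to exist and to allow TCP/443 from local.vpc_cidr only.
  enable_ssm_endpoint                      = true
  ssm_endpoint_private_dns_enabled         = true
  ssm_endpoint_security_group_ids          = ["sg-0123456789abcdef0"] # placeholder
  enable_ssmmessages_endpoint              = true
  ssmmessages_endpoint_private_dns_enabled = true
  ssmmessages_endpoint_security_group_ids  = ["sg-0123456789abcdef0"] # placeholder
  enable_kms_endpoint                      = true
  kms_endpoint_private_dns_enabled         = true
  kms_endpoint_security_group_ids          = ["sg-0123456789abcdef0"] # placeholder
  enable_logs_endpoint                     = true
  logs_endpoint_private_dns_enabled        = true
  logs_endpoint_security_group_ids         = ["sg-0123456789abcdef0"] # placeholder
  enable_s3_endpoint                       = true # gateway endpoint, no ENI or SG

  # VPC Flow Logs: accepted and rejected flows go to a KMS-encrypted
  # CloudWatch log group with a fixed retention period. REJECT records in
  # this group are the usual starting point for NACL/SG troubleshooting and
  # for detecting scans of the private address space.
  enable_flow_log                                 = true
  create_flow_log_cloudwatch_log_group            = true
  create_flow_log_cloudwatch_iam_role             = true
  flow_log_destination_type                       = "cloud-watch-logs"
  flow_log_traffic_type                           = "ALL"
  flow_log_cloudwatch_log_group_name_prefix       = "/aws/vpc-flow-log/"
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_kms_key_id        = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"

  # Replace the allow-all default rules (protocol "-1", 0.0.0.0/0) on the
  # private subnets with explicit ones. NACLs are stateless, so the reply
  # half of every permitted flow needs its own rule on the ephemeral range.
  private_dedicated_network_acl = true
  private_inbound_acl_rules = [
    # HTTPS from inside the VPC (load balancers in the public subnets,
    # interface endpoint ENIs in other private subnets).
    { rule_number = 100, rule_action = "allow", protocol = "tcp", from_port = 443, to_port = 443, cidr_block = local.vpc_cidr },
    # Replies to outbound HTTPS that left via the NAT Gateway.
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 1024, to_port = 65535, cidr_block = "0.0.0.0/0" },
  ]
  private_outbound_acl_rules = [
    # Outbound HTTPS to the internet (via NAT) and to endpoint ENIs.
    { rule_number = 100, rule_action = "allow", protocol = "tcp", from_port = 443, to_port = 443, cidr_block = "0.0.0.0/0" },
    # Replies to inbound HTTPS from clients inside the VPC.
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 1024, to_port = 65535, cidr_block = local.vpc_cidr },
  ]

  tags = {
    Terraform   = "true"
    Environment = "prod"
  }
}
```

Because `*_acl_rules` is typed `list(map(string))`, Terraform 0.12 converts the numeric `from_port`, `to_port` and `rule_number` values to strings on the way in, which is why the table's defaults show them as plain numbers. The explicit NACL rules only cover TCP/443; any other protocol the workload needs (DNS to the VPC resolver stays inside the subnet and is not evaluated by the NACL, but NTP or database ports to another subnet would be) has to be added in both directions.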

## Outputs

| Name | Description |
|------|-------------|
| azs | A list of availability zones specified as argument to this module |
| cgw_ids | List of IDs of Customer Gateway |
| database_network_acl_id | ID of the database network ACL |
| database_route_table_ids | List of IDs of database route tables |
| database_subnet_arns | List of ARNs of database subnets |
| database_subnet_group | ID of database subnet group |
| database_subnets | List of IDs of database subnets |
| database_subnets_cidr_blocks | List of cidr_blocks of database subnets |
| database_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC |
| default_network_acl_id | The ID of the default network ACL |
| default_route_table_id | The ID of the default route table |
| default_security_group_id | The ID of the security group created by default on VPC creation |
| default_vpc_cidr_block | The CIDR block of the VPC |
| default_vpc_default_network_acl_id | The ID of the default network ACL |
| default_vpc_default_route_table_id | The ID of the default route table |
| default_vpc_default_security_group_id | The ID of the security group created by default on VPC creation |
| default_vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
| default_vpc_enable_dns_support | Whether or not the VPC has DNS support |
| default_vpc_id | The ID of the VPC |
| default_vpc_instance_tenancy | Tenancy of instances spun up within the VPC |
| default_vpc_main_route_table_id | The ID of the main route table associated with this VPC |
| egress_only_internet_gateway_id | The ID of the egress only Internet Gateway |
| elasticache_network_acl_id | ID of the elasticache network ACL |
| elasticache_route_table_ids | List of IDs of elasticache route tables |
| elasticache_subnet_arns | List of ARNs of elasticache subnets |
| elasticache_subnet_group | ID of elasticache subnet group |
| elasticache_subnet_group_name | Name of elasticache subnet group |
| elasticache_subnets | List of IDs of elasticache subnets |
| elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
| elasticache_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC |
| igw_id | The ID of the Internet Gateway |
| intra_network_acl_id | ID of the intra network ACL |
| intra_route_table_ids | List of IDs of intra route tables |
| intra_subnet_arns | List of ARNs of intra subnets |
| intra_subnets | List of IDs of intra subnets |
| intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
| intra_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC |
| name | The name of the VPC specified as argument to this module |
| nat_ids | List of allocation IDs of Elastic IPs created for AWS NAT Gateway |
| nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
| natgw_ids | List of NAT Gateway IDs |
| private_network_acl_id | ID of the private network ACL |
| private_route_table_ids | List of IDs of private route tables |
| private_subnet_arns | List of ARNs of private subnets |
| private_subnets | List of IDs of private subnets |
| private_subnets_cidr_blocks | List of cidr_blocks of private subnets |
| private_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC |
| public_network_acl_id | ID of the public network ACL |
| public_route_table_ids | List of IDs of public route tables |
| public_subnet_arns | List of ARNs of public subnets |
| public_subnets | List of IDs of public subnets |
| public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
| public_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC |
| redshift_network_acl_id | ID of the redshift network ACL |
| redshift_route_table_ids | List of IDs of redshift route tables |
| redshift_subnet_arns | List of ARNs of redshift subnets |
| redshift_subnet_group | ID of redshift subnet group |
| redshift_subnets | List of IDs of redshift subnets |
| redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets |
| redshift_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC |
| this_customer_gateway | Map of Customer Gateway attributes |
| vgw_id | The ID of the VPN Gateway |
| vpc_arn | The ARN of the VPC |
| vpc_cidr_block | The CIDR block of the VPC |
| vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
| vpc_enable_dns_support | Whether or not the VPC has DNS support |
| vpc_endpoint_apigw_dns_entry | The DNS entries for the VPC Endpoint for APIGW |
| vpc_endpoint_apigw_id | The ID of VPC endpoint for APIGW |
| vpc_endpoint_apigw_network_interface_ids | One or more network interfaces for the VPC Endpoint for APIGW |
| vpc_endpoint_appmesh_envoy_management_dns_entry | The DNS entries for the VPC Endpoint for AppMesh |
| vpc_endpoint_appmesh_envoy_management_id | The ID of VPC endpoint for AppMesh |
| vpc_endpoint_appmesh_envoy_management_network_interface_ids | One or more network interfaces for the VPC Endpoint for AppMesh |
| vpc_endpoint_appstream_dns_entry | The DNS entries for the VPC Endpoint for AppStream |
| vpc_endpoint_appstream_id | The ID of VPC endpoint for AppStream |
| vpc_endpoint_appstream_network_interface_ids | One or more network interfaces for the VPC Endpoint for AppStream |
| vpc_endpoint_athena_dns_entry | The DNS entries for the VPC Endpoint for Athena |
| vpc_endpoint_athena_id | The ID of VPC endpoint for Athena |
| vpc_endpoint_athena_network_interface_ids | One or more network interfaces for the VPC Endpoint for Athena |
| vpc_endpoint_cloud_directory_dns_entry | The DNS entries for the VPC Endpoint for Cloud Directory |
| vpc_endpoint_cloud_directory_id | The ID of VPC endpoint for Cloud Directory |
| vpc_endpoint_cloud_directory_network_interface_ids | One or more network interfaces for the VPC Endpoint for Cloud Directory |
| vpc_endpoint_cloudformation_dns_entry | The DNS entries for the VPC Endpoint for CloudFormation |
| vpc_endpoint_cloudformation_id | The ID of VPC endpoint for CloudFormation |
| vpc_endpoint_cloudformation_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudFormation |
| vpc_endpoint_cloudtrail_dns_entry | The DNS entries for the VPC Endpoint for CloudTrail |
| vpc_endpoint_cloudtrail_id | The ID of VPC endpoint for CloudTrail |
| vpc_endpoint_cloudtrail_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudTrail |
| vpc_endpoint_codebuild_dns_entry | The DNS entries for the VPC Endpoint for CodeBuild |
| vpc_endpoint_codebuild_id | The ID of VPC endpoint for CodeBuild |
| vpc_endpoint_codebuild_network_interface_ids | One or more network interfaces for the VPC Endpoint for CodeBuild |
| vpc_endpoint_codecommit_dns_entry | The DNS entries for the VPC Endpoint for CodeCommit |
| vpc_endpoint_codecommit_id | The ID of VPC endpoint for CodeCommit |
| vpc_endpoint_codecommit_network_interface_ids | One or more network interfaces for the VPC Endpoint for CodeCommit |
| vpc_endpoint_codepipeline_dns_entry | The DNS entries for the VPC Endpoint for CodePipeline |
| vpc_endpoint_codepipeline_id | The ID of VPC endpoint for CodePipeline |
| vpc_endpoint_codepipeline_network_interface_ids | One or more network interfaces for the VPC Endpoint for CodePipeline |
| vpc_endpoint_config_dns_entry | The DNS entries for the VPC Endpoint for Config |
| vpc_endpoint_config_id | The ID of VPC endpoint for Config |
| vpc_endpoint_config_network_interface_ids | One or more network interfaces for the VPC Endpoint for Config |
| vpc_endpoint_dynamodb_id | The ID of VPC endpoint for DynamoDB |
| vpc_endpoint_dynamodb_pl_id | The prefix list for the DynamoDB VPC endpoint |
| vpc_endpoint_ec2_dns_entry | The DNS entries for the VPC Endpoint for EC2 |
| vpc_endpoint_ec2_id | The ID of VPC endpoint for EC2 |
| vpc_endpoint_ec2_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2 |
| vpc_endpoint_ec2messages_dns_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES |
| vpc_endpoint_ec2messages_id | The ID of VPC endpoint for EC2MESSAGES |
| vpc_endpoint_ec2messages_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES |
| vpc_endpoint_ecr_api_dns_entry | The DNS entries for the VPC Endpoint for ECR API |
| vpc_endpoint_ecr_api_id | The ID of VPC endpoint for ECR API |
| vpc_endpoint_ecr_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECR API |
| vpc_endpoint_ecr_dkr_dns_entry | The DNS entries for the VPC Endpoint for ECR DKR |
| vpc_endpoint_ecr_dkr_id | The ID of VPC endpoint for ECR DKR |
| vpc_endpoint_ecr_dkr_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECR DKR |
| vpc_endpoint_ecs_agent_dns_entry | The DNS entries for the VPC Endpoint for ECS Agent |
| vpc_endpoint_ecs_agent_id | The ID of VPC endpoint for ECS Agent |
| vpc_endpoint_ecs_agent_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS Agent |
| vpc_endpoint_ecs_dns_entry | The DNS entries for the VPC Endpoint for ECS |
| vpc_endpoint_ecs_id | The ID of VPC endpoint for ECS |
| vpc_endpoint_ecs_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS |
| vpc_endpoint_ecs_telemetry_dns_entry | The DNS entries for the VPC Endpoint for ECS Telemetry |
| vpc_endpoint_ecs_telemetry_id | The ID of VPC endpoint for ECS Telemetry |
| vpc_endpoint_ecs_telemetry_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry |
| vpc_endpoint_efs_dns_entry | The DNS entries for the VPC Endpoint for EFS |
| vpc_endpoint_efs_id | The ID of VPC endpoint for EFS |
| vpc_endpoint_efs_network_interface_ids | One or more network interfaces for the VPC Endpoint for EFS |
| vpc_endpoint_elasticloadbalancing_dns_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing |
| vpc_endpoint_elasticloadbalancing_id | The ID of VPC endpoint for Elastic Load Balancing |
| vpc_endpoint_elasticloadbalancing_network_interface_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing |
| vpc_endpoint_events_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Events |
| vpc_endpoint_events_id | The ID of VPC endpoint for CloudWatch Events |
| vpc_endpoint_events_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events |
| vpc_endpoint_git_codecommit_dns_entry | The DNS entries for the VPC Endpoint for git_codecommit |
| vpc_endpoint_git_codecommit_id | The ID of VPC endpoint for git_codecommit |
| vpc_endpoint_git_codecommit_network_interface_ids | One or more network interfaces for the VPC Endpoint for git_codecommit |
| vpc_endpoint_glue_dns_entry | The DNS entries for the VPC Endpoint for Glue |
| vpc_endpoint_glue_id | The ID of VPC endpoint for Glue |
| vpc_endpoint_glue_network_interface_ids | One or more network interfaces for the VPC Endpoint for Glue |
| vpc_endpoint_kinesis_firehose_dns_entry | The DNS entries for the VPC Endpoint for Kinesis Firehose |
| vpc_endpoint_kinesis_firehose_id | The ID of VPC endpoint for Kinesis Firehose |
| vpc_endpoint_kinesis_firehose_network_interface_ids | One or more network interfaces for the VPC Endpoint for Kinesis Firehose |
| vpc_endpoint_kinesis_streams_dns_entry | The DNS entries for the VPC Endpoint for Kinesis Streams |
| vpc_endpoint_kinesis_streams_id | The ID of VPC endpoint for Kinesis Streams |
| vpc_endpoint_kinesis_streams_network_interface_ids | One or more network interfaces for the VPC Endpoint for Kinesis Streams |
| vpc_endpoint_kms_dns_entry | The DNS entries for the VPC Endpoint for KMS |
| vpc_endpoint_kms_id | The ID of VPC endpoint for KMS |
| vpc_endpoint_kms_network_interface_ids | One or more network interfaces for the VPC Endpoint for KMS |
| vpc_endpoint_logs_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs |
| vpc_endpoint_logs_id | The ID of VPC endpoint for CloudWatch Logs |
| vpc_endpoint_logs_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs |
| vpc_endpoint_monitoring_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring |
| vpc_endpoint_monitoring_id | The ID of VPC endpoint for CloudWatch Monitoring |
| vpc_endpoint_monitoring_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring |
| vpc_endpoint_rekognition_dns_entry | The DNS entries for the VPC Endpoint for Rekognition |
| vpc_endpoint_rekognition_id | The ID of VPC endpoint for Rekognition |
| vpc_endpoint_rekognition_network_interface_ids | One or more network interfaces for the VPC Endpoint for Rekognition |
| vpc_endpoint_s3_id | The ID of VPC endpoint for S3 |
| vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint |
| vpc_endpoint_sagemaker_api_dns_entry | The DNS entries for the VPC Endpoint for SageMaker API |
| vpc_endpoint_sagemaker_api_id | The ID of VPC endpoint for SageMaker API |
| vpc_endpoint_sagemaker_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for SageMaker API |
| vpc_endpoint_sagemaker_runtime_dns_entry | The DNS entries for the VPC Endpoint for SageMaker Runtime |
| vpc_endpoint_sagemaker_runtime_id | The ID of VPC endpoint for SageMaker Runtime |
| vpc_endpoint_sagemaker_runtime_network_interface_ids | One or more network interfaces for the VPC Endpoint for SageMaker Runtime |
| vpc_endpoint_secretsmanager_dns_entry | The DNS entries for the VPC Endpoint for Secrets Manager |
vpc_endpoint_secretsmanager_id The ID of VPC endpoint for secretsmanager
vpc_endpoint_secretsmanager_network_interface_ids One or more network interfaces for the VPC Endpoint for secretsmanager.
vpc_endpoint_servicecatalog_dns_entry The DNS entries for the VPC Endpoint for Service Catalog.
vpc_endpoint_servicecatalog_id The ID of VPC endpoint for Service Catalog
vpc_endpoint_servicecatalog_network_interface_ids One or more network interfaces for the VPC Endpoint for Service Catalog.
vpc_endpoint_sns_dns_entry The DNS entries for the VPC Endpoint for SNS.
vpc_endpoint_sns_id The ID of VPC endpoint for SNS
vpc_endpoint_sns_network_interface_ids One or more network interfaces for the VPC Endpoint for SNS.
vpc_endpoint_sqs_dns_entry The DNS entries for the VPC Endpoint for SQS.
vpc_endpoint_sqs_id The ID of VPC endpoint for SQS
vpc_endpoint_sqs_network_interface_ids One or more network interfaces for the VPC Endpoint for SQS.
vpc_endpoint_ssm_dns_entry The DNS entries for the VPC Endpoint for SSM.
vpc_endpoint_ssm_id The ID of VPC endpoint for SSM
vpc_endpoint_ssm_network_interface_ids One or more network interfaces for the VPC Endpoint for SSM.
vpc_endpoint_ssmmessages_dns_entry The DNS entries for the VPC Endpoint for SSMMESSAGES.
vpc_endpoint_ssmmessages_id The ID of VPC endpoint for SSMMESSAGES
vpc_endpoint_ssmmessages_network_interface_ids One or more network interfaces for the VPC Endpoint for SSMMESSAGES.
vpc_endpoint_storagegateway_dns_entry The DNS entries for the VPC Endpoint for Storage Gateway.
vpc_endpoint_storagegateway_id The ID of VPC endpoint for Storage Gateway
vpc_endpoint_storagegateway_network_interface_ids One or more network interfaces for the VPC Endpoint for Storage Gateway.
vpc_endpoint_sts_dns_entry The DNS entries for the VPC Endpoint for STS.
vpc_endpoint_sts_id The ID of VPC endpoint for STS
vpc_endpoint_sts_network_interface_ids One or more network interfaces for the VPC Endpoint for STS.
vpc_endpoint_transfer_dns_entry The DNS entries for the VPC Endpoint for Transfer.
vpc_endpoint_transfer_id The ID of VPC endpoint for Transfer
vpc_endpoint_transfer_network_interface_ids One or more network interfaces for the VPC Endpoint for Transfer.
vpc_endpoint_transferserver_dns_entry The DNS entries for the VPC Endpoint for transferserver.
vpc_endpoint_transferserver_id The ID of VPC endpoint for transferserver
vpc_endpoint_transferserver_network_interface_ids One or more network interfaces for the VPC Endpoint for transferserver.
vpc_flow_log_cloudwatch_iam_role_arn The ARN of the IAM role used when pushing logs to the CloudWatch log group
vpc_flow_log_destination_arn The ARN of the destination for VPC Flow Logs
vpc_flow_log_destination_type The type of the destination for VPC Flow Logs
vpc_flow_log_id The ID of the Flow Log resource
vpc_id The ID of the VPC
vpc_instance_tenancy Tenancy of instances spun up within the VPC
vpc_ipv6_association_id The association ID for the IPv6 CIDR block
vpc_ipv6_cidr_block The IPv6 CIDR block
vpc_main_route_table_id The ID of the main route table associated with this VPC
vpc_secondary_cidr_blocks List of secondary CIDR blocks of the VPC
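As an added example that is not part of the module, the following consumes three of the outputs above (`vpc_id`, `vpc_endpoint_s3_pl_id`, `vpc_flow_log_destination_arn`) to restrict a private security group's egress to the S3 gateway endpoint and to alarm on rejected flows. It assumes the module instance is named `vpc` with the S3 endpoint and CloudWatch-destined flow logs enabled; the resource names and the alarm threshold are illustrative.

```hcl
# Added example, not part of the terraform-aws-modules/vpc module itself.
# Assumes module "vpc" has enable_s3_endpoint and CloudWatch flow logs
# enabled; resource names and the threshold below are illustrative.

# Egress-only security group: private workloads may reach S3 through the
# gateway endpoint's prefix list and nothing else.
resource "aws_security_group" "private_app" {
  name        = "private-app"
  description = "Egress restricted to the S3 gateway endpoint"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_security_group_rule" "s3_only_egress" {
  type              = "egress"
  security_group_id = aws_security_group.private_app.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [module.vpc.vpc_endpoint_s3_pl_id]
}

# Count REJECTed flows in the module's flow log group. The log group name
# is the seventh ARN field (arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*).
locals {
  flow_log_group = split(":", module.vpc.vpc_flow_log_destination_arn)[6]
}

resource "aws_cloudwatch_log_metric_filter" "vpc_rejects" {
  name           = "vpc-flow-rejects"
  log_group_name = local.flow_log_group
  pattern        = "[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]"

  metric_transformation {
    name      = "VpcFlowRejects"
    namespace = "Security/VPC"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "vpc_rejects" {
  alarm_name          = "vpc-flow-rejects-high"
  namespace           = "Security/VPC"
  metric_name         = "VpcFlowRejects"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 100
  comparison_operator = "GreaterThanThreshold"
}
```

The metric filter pattern matches the default flow log record format; if `flow_log_log_format` was customised, adjust the field list to match.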

Tests

This module has been packaged with awspec tests through test kitchen. To run them:

  1. Install rvm and the ruby version specified in the Gemfile.
  2. Install bundler and the gems from our Gemfile: `gem install bundler; bundle install`
  3. Test using `bundle exec kitchen test` from the root of the repo.

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.