Skip to content

Latest commit

 

History

History
199 lines (173 loc) · 18.6 KB

README.md

File metadata and controls

199 lines (173 loc) · 18.6 KB

Terraform AWS VPC

SUMMARY

A Terraform module to create AWS VPC along with its resources:

  • VPC Default Security Group
  • VPC Default Routing Table
  • NAT Gateway(s) and Internet Gateways
  • Public and Private Subnets

Example

Below is an example how to call and use the module, kindly check the example folder for more detailed output

module "label" {
  source              = "github.com/obytes/terraform-aws-tag.git?ref=v1.0.8"
  project_name        = "pto"
  region              = "eu-west-2"
  environment         = "qa"
  prefix_length_limit = 12
}

module "example1" {
  source                  = "github.com/obytes/terraform-aws-vpc.git?ref=v1.0.9"
  enabled                 = true
  prefix                  = module.label.id
  name                    = "vpc"
  additional_tags         = module.label.tags
  cidr_block              = "172.16.0.0/18"
  enable_dns_hostnames    = true
  enable_nat_gateway      = true
  enable_internet_gateway = true
  create_public_subnets   = true
  max_subnet_count        = 3
  single_nat_gateway      = true
  additional_default_route_table_tags = {
    Managed = "Terraform"
    Default = "Yes"
  }
  additional_public_subnet_tags = {
    "kubernetes.io/cluster/cluster-name" = "shared"
    "kubernetes.io/role/elb"             = 1
  }
  additional_private_subnet_tags = {
    "kubernetes.io/cluster/cluster-name" = "shared"
    "kubernetes.io/role/internal-elb"    = 1
  }
}

Validation

This Module Supports the following validation on Inputs:

  • cidr_blocks : A validation to verify the CIDR Block based don AWS requirements, The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).

Subnet Naming Convention

A shortcode of the availability group will be appended to the subnet name

Scenarios

  • NAT Gateways
    • Single NAT Gateway - Default Scenario
      • enable_nat_gateway is set tot true
      • single_nat_gateway is set to true
      • nat_gateway_per_az is set to false
    • NAT Gateway per AZ
      • enable_nat_gateway is set to true
      • single_nat_gateway is set to false
      • nat_gateway_per_az is set to true

Note: if single_nat_gateway and nat_gateway_per_az are both set to true, single_nat_gateway takes precedence.

  • AWS EIPs (Elastic_IPs)

    • Create New EIPs - Default Scenario
      • var.nat_eips_list is empty
    • Re-use Existing EIPs
      • var.nat_eips_list is populated with alist of elastic_ips from your AWS account.
  • Subnet Count

    • Subnet / AZ - Default Scenario
      • enable_private_subnet or var.enable_public_subnet is set to true
      • var.max_subnet_count is set to 0
    • Limited Subnets
      • var.max_subnet_count is not 0 e.g. 1, 4
  • VPC Default Security Group

    • Create custom security group - default scenario
      • var.create_custom_security_group is set to true
      • the security group has no ingress rules
      • the security group allow all egress traffic

Requirements

Name Version
terraform >=0.13.0
aws 3.35.0

Providers

Name Version
aws 3.35.0

Modules

Name Source Version
label github.com/obytes/terraform-aws-tag.git?ref=v1.0.1
nat_label github.com/obytes/terraform-aws-tag.git?ref=v1.0.1
private_label github.com/obytes/terraform-aws-tag.git?ref=v1.0.1
public_label github.com/obytes/terraform-aws-tag.git?ref=v1.0.1
vpc_label github.com/obytes/terraform-aws-tag.git?ref=v1.0.1

Resources

Name Type
aws_default_route_table._ resource
aws_default_security_group._ resource
aws_eip._ resource
aws_internet_gateway._ resource
aws_nat_gateway._ resource
aws_route.private_nat_gateway resource
aws_route.public_internet_gateway resource
aws_route_table.private resource
aws_route_table.public resource
aws_route_table_association.private resource
aws_route_table_association.public resource
aws_subnet.private resource
aws_subnet.public resource
aws_vpc._ resource
aws_vpc_dhcp_options._ resource
aws_vpc_dhcp_options_association.dhcp-assoc resource
aws_availability_zones.azs data source
aws_eip._ data source

Inputs

Name Description Type Default Required
additional_default_route_table_routes List, of routes to be added to the default route table ID
Example,
[
{
cidr_block = "172.17.18.19/30" # Required
ipv6_cidr_block = "::/0" # Optional
destination_prefix_list_id = "pl-0570a1d2d725c16be" # Optional
#One of the following target arguments must be supplied:
egress_only_gateway_id = ""
gateway_id = ""
instance_id = ""
nat_gateway_id = ""
vpc_peering_connection_id = ""
vpc_endpoint_id = ""
transit_gateway_id = ""
network_interface_id = ""
}
]
list(map(string)) [] no
additional_default_route_table_tags Additional, map of tags to be added to the default_route_table tags map(string) null no
additional_private_route_tags Additional, map of tags to be added to the private aws_route_table tags map(string) null no
additional_private_subnet_tags Additional, map of tags to be added to the private aws_subnet resources map(string) null no
additional_public_route_tags Additional, map of tags to be added to the public aws_route_table tags map(string) null no
additional_public_subnet_tags Additional, map of tags to be added to the private aws_subnets resources map(string) null no
additional_tags Additional Tags, tags which can be accessed by module..tags_as_list not added to .. map(string) {} no
azs_list_names A list to include all the AZs you would like to configure such as us-east-1a, us-east-1b list(string) [] no
cidr_block VPC CIDR Block, The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses). string null no
create_custom_security_group Boolean, to enable the creation of a custom default_security_group
if set to false the AWS default VPC security rule will be applied, for more reference https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroup
if set to true a new default security group will be created with only egress traffic allowed
bool true no
create_private_subnets Ability to create private subnets in all configured AZs bool true no
create_public_subnets Ability to create private subnets in all configured AZs, if this set to true
the enable_internet_gateway should also be true for the subnets to be associated to IGW
bool false no
default_security_group_egress Egress Rules, List of maps of ingress rules to set on the default security group
Default egress rule is to allow all outgoing connections on any protocol.
Example
[
{
from_port = 80
to_port = 80
protocol = "tcp" #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group#protocol
cidr_blocks = ["0.0.0.0/0"]
description = "Ingress Rule to Allow port 80 protocol TCP from Anywhere"
self = true|false # Whether the security group itself will be added as a source to this egress rule.
}
]
list(map(string))
[
{
"cidr_blocks": "0.0.0.0/0",
"from_port": "0",
"protocol": "-1",
"to_port": "0"
}
]
no
default_security_group_ingress Ingress Rules, List of maps of ingress rules to set on the default security group
Example
[
{
from_port = 80
to_port = 80
protocol = "tcp" #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group#protocol
cidr_blocks = ["0.0.0.0/0"]
description = "Ingress Rule to Allow port 80 protocol TCP from Anywhere"
self = true|false # Whether the security group itself will be added as a source to this egress rule.
}
]
list(map(string)) [] no
enable_dns_hostnames A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false. bool false no
enable_dns_support A boolean flag to enable/disable DNS support in the VPC. Defaults true. bool true no
enable_internet_gateway IGW, This boolean variables controls the creation of Internet Gateway
For IGW to be created this variable and var.create_public_subnets should set to true
bool false no
enable_ipv6_cidr_block Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses,
or the size of the CIDR block. Default is false
bool false no
enable_nat_gateway Should be true if you want to provision NAT Gateways for each of your private networks bool true no
enabled A boolean to enable or disable creation of VPC resources string true no
include_all_azs Boolean, weather to include all Availability Zones in the region where the provider is running
Default is true, set this to false if you would like to have specific azs
bool true no
manage_default_route_table Should be true, to manage the default route table bool true no
map_public_ip_on_lunch (Optional) Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is false. bool false no
max_subnet_count A Number to indicate the max subnets to be created, if not set it will create one subnet/az number 0 no
name The name of the service/solution such as vpc, ec2 that would be append to the prefix string null no
nat_eips_list A List, of NAT IPs to be used by the NAT_GW list(string) [] no
nat_gateway_per_az Should be true if you want only one NAT Gateway per availability zone. bool false no
prefix String or prefix that would be used to tag/Name all the resources created by this module, this prefix will be generated
by obytes/terraform-aws-tag public module
string n/a yes
route_create_timeout A timeout for the aws_route_table creation, default is 5m string "5m" no
route_delete_timeout A timeout for the aws_route_table deletion, default is 5m string "5m" no
single_nat_gateway Should be true if you want to provision a single shared NAT Gateway across all of your private networks bool true no
tgw_route_table_id Transit GW route table ID to be added as a destination for the VPC route tables string null no
transit_routes The destination prefixes (CIDR blocks) that should be forwarded to transit gateway list(string) [] no
vpc_dhcp_domain_name (Optional) the suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the /etc/resolv.conf file. string null no
vpc_dhcp_netbios_name_servers (Optional) List of NETBIOS name servers. list(string) [] no
vpc_dhcp_netbios_node_type (Optional) The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132. number null no
vpc_dhcp_ntp_servers (Optional) List of NTP servers to configure. list(string) [] no
vpc_domain_name_servers (Optional) List of name servers to configure in /etc/resolv.conf. If you want to use the default AWS nameservers you should set this to AmazonProvidedDNS. list(string)
[
"AmazonProvidedDNS"
]
no

Outputs

Name Description
availability_zones List of Availability Zones where subnets were created
elastc_ips AWS eip public ips
nat_gw_ids aws nat gateway id(s)
nat_ips IP Addresses in use for NAT
prv_route_table_ids private route table ids
prv_subnet_cidrs Private Subnet cidr_blocks
prv_subnet_ids Private Subnet IDs
pub_route_table_ids Public route table ids
pub_subnet_cidrs Public Subnet cidr_blocks
pub_subnet_ids Public Subnet IDs
vpc_cidr_block CIDR Block of the VPC
vpc_dhcp_dns_list n/a
vpc_id VPC ID
vpc_sg_id Default VPC Security Group
vpc_name VPC Name