A Terraform module to create AWS VPC along with its resources:
- VPC Default Security Group
- VPC Default Routing Table
- NAT Gateway(s) and Internet Gateways
- Public and Private Subnets
Below is an example how to call and use the module, kindly check the example folder for more detailed output
module "label" {
source = "github.com/obytes/terraform-aws-tag.git?ref=v1.0.8"
project_name = "pto"
region = "eu-west-2"
environment = "qa"
prefix_length_limit = 12
}
module "example1" {
source = "github.com/obytes/terraform-aws-vpc.git?ref=v1.0.9"
enabled = true
prefix = module.label.id
name = "vpc"
additional_tags = module.label.tags
cidr_block = "172.16.0.0/18"
enable_dns_hostnames = true
enable_nat_gateway = true
enable_internet_gateway = true
create_public_subnets = true
max_subnet_count = 3
single_nat_gateway = true
additional_default_route_table_tags = {
Managed = "Terraform"
Default = "Yes"
}
additional_public_subnet_tags = {
"kubernetes.io/cluster/cluster-name" = "shared"
"kubernetes.io/role/elb" = 1
}
additional_private_subnet_tags = {
"kubernetes.io/cluster/cluster-name" = "shared"
"kubernetes.io/role/internal-elb" = 1
}
}
This Module Supports the following validation on Inputs:
cidr_blocks
: A validation to verify the CIDR Block based don AWS requirements, The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).
A shortcode of the availability group will be appended to the subnet name
- NAT Gateways
- Single NAT Gateway - Default Scenario
enable_nat_gateway
is set tot truesingle_nat_gateway
is set to truenat_gateway_per_az
is set to false
- NAT Gateway per AZ
enable_nat_gateway
is set to truesingle_nat_gateway
is set to falsenat_gateway_per_az
is set to true
- Single NAT Gateway - Default Scenario
Note: if
single_nat_gateway
andnat_gateway_per_az
are both set to true,single_nat_gateway
takes precedence.
-
AWS EIPs (Elastic_IPs)
- Create New EIPs - Default Scenario
var.nat_eips_list
is empty
- Re-use Existing EIPs
var.nat_eips_list
is populated with alist of elastic_ips from your AWS account.
- Create New EIPs - Default Scenario
-
Subnet Count
- Subnet / AZ - Default Scenario
enable_private_subnet
orvar.enable_public_subnet
is set to truevar.max_subnet_count
is set to 0
- Limited Subnets
var.max_subnet_count
is not 0 e.g. 1, 4
- Subnet / AZ - Default Scenario
-
VPC Default Security Group
- Create custom security group - default scenario
var.create_custom_security_group
is set to true- the security group has no ingress rules
- the security group allow all egress traffic
- Create custom security group - default scenario
Name | Version |
---|---|
terraform | >=0.13.0 |
aws | 3.35.0 |
Name | Version |
---|---|
aws | 3.35.0 |
Name | Source | Version |
---|---|---|
label | github.com/obytes/terraform-aws-tag.git?ref=v1.0.1 | |
nat_label | github.com/obytes/terraform-aws-tag.git?ref=v1.0.1 | |
private_label | github.com/obytes/terraform-aws-tag.git?ref=v1.0.1 | |
public_label | github.com/obytes/terraform-aws-tag.git?ref=v1.0.1 | |
vpc_label | github.com/obytes/terraform-aws-tag.git?ref=v1.0.1 |
Name | Type |
---|---|
aws_default_route_table._ | resource |
aws_default_security_group._ | resource |
aws_eip._ | resource |
aws_internet_gateway._ | resource |
aws_nat_gateway._ | resource |
aws_route.private_nat_gateway | resource |
aws_route.public_internet_gateway | resource |
aws_route_table.private | resource |
aws_route_table.public | resource |
aws_route_table_association.private | resource |
aws_route_table_association.public | resource |
aws_subnet.private | resource |
aws_subnet.public | resource |
aws_vpc._ | resource |
aws_vpc_dhcp_options._ | resource |
aws_vpc_dhcp_options_association.dhcp-assoc | resource |
aws_availability_zones.azs | data source |
aws_eip._ | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_default_route_table_routes | List, of routes to be added to the default route table ID Example, [ { cidr_block = "172.17.18.19/30" # Required ipv6_cidr_block = "::/0" # Optional destination_prefix_list_id = "pl-0570a1d2d725c16be" # Optional #One of the following target arguments must be supplied: egress_only_gateway_id = "" gateway_id = "" instance_id = "" nat_gateway_id = "" vpc_peering_connection_id = "" vpc_endpoint_id = "" transit_gateway_id = "" network_interface_id = "" } ] |
list(map(string)) |
[] |
no |
additional_default_route_table_tags | Additional, map of tags to be added to the default_route_table tags |
map(string) |
null |
no |
additional_private_route_tags | Additional, map of tags to be added to the private aws_route_table tags |
map(string) |
null |
no |
additional_private_subnet_tags | Additional, map of tags to be added to the private aws_subnet resources |
map(string) |
null |
no |
additional_public_route_tags | Additional, map of tags to be added to the public aws_route_table tags |
map(string) |
null |
no |
additional_public_subnet_tags | Additional, map of tags to be added to the private aws_subnets resources |
map(string) |
null |
no |
additional_tags | Additional Tags, tags which can be accessed by module..tags_as_list not added to .. | map(string) |
{} |
no |
azs_list_names | A list to include all the AZs you would like to configure such as us-east-1a , us-east-1b |
list(string) |
[] |
no |
cidr_block | VPC CIDR Block, The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses). | string |
null |
no |
create_custom_security_group | Boolean, to enable the creation of a custom default_security_group if set to false the AWS default VPC security rule will be applied, for more reference https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroupif set to true a new default security group will be created with only egress traffic allowed |
bool |
true |
no |
create_private_subnets | Ability to create private subnets in all configured AZs | bool |
true |
no |
create_public_subnets | Ability to create private subnets in all configured AZs, if this set to true the enable_internet_gateway should also be true for the subnets to be associated to IGW |
bool |
false |
no |
default_security_group_egress | Egress Rules, List of maps of ingress rules to set on the default security group Default egress rule is to allow all outgoing connections on any protocol. Example [ { from_port = 80 to_port = 80 protocol = "tcp" #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group#protocol cidr_blocks = ["0.0.0.0/0"] description = "Ingress Rule to Allow port 80 protocol TCP from Anywhere" self = true|false # Whether the security group itself will be added as a source to this egress rule. } ] |
list(map(string)) |
[ |
no |
default_security_group_ingress | Ingress Rules, List of maps of ingress rules to set on the default security group Example [ { from_port = 80 to_port = 80 protocol = "tcp" #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group#protocol cidr_blocks = ["0.0.0.0/0"] description = "Ingress Rule to Allow port 80 protocol TCP from Anywhere" self = true|false # Whether the security group itself will be added as a source to this egress rule. } ] |
list(map(string)) |
[] |
no |
enable_dns_hostnames | A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false. | bool |
false |
no |
enable_dns_support | A boolean flag to enable/disable DNS support in the VPC. Defaults true. | bool |
true |
no |
enable_internet_gateway | IGW, This boolean variables controls the creation of Internet Gateway For IGW to be created this variable and var.create_public_subnets should set to true |
bool |
false |
no |
enable_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. Default is false |
bool |
false |
no |
enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool |
true |
no |
enabled | A boolean to enable or disable creation of VPC resources | string |
true |
no |
include_all_azs | Boolean, weather to include all Availability Zones in the region where the provider is running Default is true , set this to false if you would like to have specific azs |
bool |
true |
no |
manage_default_route_table | Should be true, to manage the default route table | bool |
true |
no |
map_public_ip_on_lunch | (Optional) Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is false. | bool |
false |
no |
max_subnet_count | A Number to indicate the max subnets to be created, if not set it will create one subnet/az | number |
0 |
no |
name | The name of the service/solution such as vpc, ec2 that would be append to the prefix | string |
null |
no |
nat_eips_list | A List, of NAT IPs to be used by the NAT_GW | list(string) |
[] |
no |
nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. | bool |
false |
no |
prefix | String or prefix that would be used to tag/Name all the resources created by this module, this prefix will be generated by obytes/terraform-aws-tag public module |
string |
n/a | yes |
route_create_timeout | A timeout for the aws_route_table creation, default is 5m | string |
"5m" |
no |
route_delete_timeout | A timeout for the aws_route_table deletion, default is 5m | string |
"5m" |
no |
single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool |
true |
no |
tgw_route_table_id | Transit GW route table ID to be added as a destination for the VPC route tables | string |
null |
no |
transit_routes | The destination prefixes (CIDR blocks) that should be forwarded to transit gateway | list(string) |
[] |
no |
vpc_dhcp_domain_name | (Optional) the suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the /etc/resolv.conf file. | string |
null |
no |
vpc_dhcp_netbios_name_servers | (Optional) List of NETBIOS name servers. | list(string) |
[] |
no |
vpc_dhcp_netbios_node_type | (Optional) The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132. | number |
null |
no |
vpc_dhcp_ntp_servers | (Optional) List of NTP servers to configure. | list(string) |
[] |
no |
vpc_domain_name_servers | (Optional) List of name servers to configure in /etc/resolv.conf. If you want to use the default AWS nameservers you should set this to AmazonProvidedDNS. | list(string) |
[ |
no |
Name | Description |
---|---|
availability_zones | List of Availability Zones where subnets were created |
elastc_ips | AWS eip public ips |
nat_gw_ids | aws nat gateway id(s) |
nat_ips | IP Addresses in use for NAT |
prv_route_table_ids | private route table ids |
prv_subnet_cidrs | Private Subnet cidr_blocks |
prv_subnet_ids | Private Subnet IDs |
pub_route_table_ids | Public route table ids |
pub_subnet_cidrs | Public Subnet cidr_blocks |
pub_subnet_ids | Public Subnet IDs |
vpc_cidr_block | CIDR Block of the VPC |
vpc_dhcp_dns_list | n/a |
vpc_id | VPC ID |
vpc_sg_id | Default VPC Security Group |
vpc_name | VPC Name |