terraform-aws-vpc

A Terraform module that creates a customizable VPC and a privately deployed bastion host in an ASG behind an ELB, optionally with a CNAME for it.


Terraform Module VPC


A Terraform module that creates a customizable VPC (based on the official VPC module) and optionally provisions an ELB-protected bastion host with a Route53-controlled DNS name and any number of SSH keys.

Usage example

module "vpc" {
  source  = "github.com/Flaconi/terraform-modules-vpc?ref=v2.1.0"

  vpc_cidr            = "12.0.0.0/16"
  vpc_subnet_azs      = ["eu-central-1a", "eu-central-1b", "eu-central-1c"]
  vpc_private_subnets = ["12.0.1.0/24", "12.0.2.0/24", "12.0.3.0/24"]
  vpc_public_subnets  = ["12.0.101.0/24", "12.0.102.0/24", "12.0.103.0/24"]

  vpc_enable_nat_gateway  = true
  vpc_enable_vpn_gateway  = false
  vpc_enable_bastion_host = true

  name = "my-project"

  bastion_ssh_keys                = ["ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey"]
  bastion_route53_public_dns_name = "my-project.example.com"
  bastion_subdomain               = "bastion-host"
}
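A pre-flight check over the inputs from the usage example above, added here as an example and not part of the module: it encodes constraints the README itself documents (every subnet CIDR inside the VPC CIDR, no overlapping subnets, at least as many public subnets as AZs when one NAT gateway per AZ is enabled, and the 0.0.0.0/0 default of the bastion ELB ingress list). The key `bastion_allowed_cidrs` is a placeholder name, since the variable listing below does not show that input's name.

```python
"""Pre-flight validation of terraform-aws-vpc inputs before `terraform apply`.

Added example, not the module's own code. Mirrors constraints the README
documents so that misconfigurations are caught before resources exist.
"""
import ipaddress

# Constructed sample: the values from the README usage example plus the
# documented default of the bastion ELB ingress list. The key name
# "bastion_allowed_cidrs" is a placeholder, not a confirmed module input.
SAMPLE = {
    "vpc_cidr": "12.0.0.0/16",
    "vpc_subnet_azs": ["eu-central-1a", "eu-central-1b", "eu-central-1c"],
    "vpc_private_subnets": ["12.0.1.0/24", "12.0.2.0/24", "12.0.3.0/24"],
    "vpc_public_subnets": ["12.0.101.0/24", "12.0.102.0/24", "12.0.103.0/24"],
    "bastion_allowed_cidrs": ["0.0.0.0/0"],
}


def check_inputs(cfg, one_nat_gateway_per_az=True):
    """Return a list of findings; an empty list means the inputs look sane."""
    findings = []
    vpc = ipaddress.ip_network(cfg["vpc_cidr"])
    subnets = [ipaddress.ip_network(c)
               for c in cfg["vpc_private_subnets"] + cfg["vpc_public_subnets"]]
    # Every subnet must be carved out of the VPC CIDR.
    for net in subnets:
        if not net.subnet_of(vpc):
            findings.append(f"{net} is outside the VPC CIDR {vpc}")
    # Private and public subnets must not overlap each other.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    # README: one NAT GW per AZ needs public_subnets >= number of AZs.
    if one_nat_gateway_per_az and len(cfg["vpc_public_subnets"]) < len(cfg["vpc_subnet_azs"]):
        findings.append("one NAT gateway per AZ needs at least as many public subnets as AZs")
    # The documented default exposes the bastion ELB to the whole internet.
    for cidr in cfg.get("bastion_allowed_cidrs", []):
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"bastion ELB ingress {cidr} allows SSH from any source")
    return findings


if __name__ == "__main__":
    for finding in check_inputs(SAMPLE):
        print("WARN:", finding)
```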

Examples

Providers

Name   Version
aws    >= 5
null   >= 3

Requirements

Name        Version
terraform   >= 1.0
aws         >= 5
null        >= 3

Required Inputs

The following input variables are required:

Description: The VPC CIDR to use for this VPC.

Type: string

Description: A list of AZs to spawn subnets over

Type: list(string)

Description: A list of private subnet CIDRs

Type: list(string)

Description: A list of public subnet CIDRs

Type: list(string)

Description: The name (or name prefix) to apply to the Name tag of all VPC resources

Type: string

Optional Inputs

The following input variables are optional (have default values):

Description: A boolean that enables or disables NAT gateways for private subnets

Type: bool

Default: true

Description: Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs

Type: bool

Default: true

Description: Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable

Type: bool

Default: false

Description: List of names used to select the allocated EIP(s) that will be associated with the NAT GW(s). These EIPs can be managed outside of this module, but they should be managed with Terraform and be part of the same state as this module's resources. If your subnets are unevenly distributed over your AZs (e.g. you use 2 AZs but create 3 private subnets) and you want to use externally managed EIPs with one NAT GW per AZ, you have to provide as many EIPs as NAT GWs. Otherwise you will see this in the EIP state message: Elastic IP address [eipalloc-xxx] is already associated.

Type: list(string)

Default: []

Description: Should be true to enable DNS hostnames in the VPC

Type: bool

Default: false

Description: Should be true to enable DNS support in the VPC

Type: bool

Default: true

Description: A boolean that enables or disables a VPN gateway for the VPC

Type: bool

Default: false

Description: Map of Customer Gateway attributes (BGP ASN and the gateway's Internet-routable external IP address)

Type: map(map(any))

Default: {}

Description: A boolean that enables or disables the deployment of a bastion host in the private subnet with an ELB in front of it

Type: bool

Default: false

Description: List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool

Type: list(string)

Default: []

Description: A map of additional tags to apply to all VPC resources

Type: map(string)

Default: {}

Description: A map of additional tags to apply to the VPC

Type: map(string)

Default: {}

Description: A map of additional tags to apply to all public subnets

Type: map(string)

Default:

{
  "Visibility": "public"
}

Description: A map of additional tags to apply to all private subnets

Type: map(string)

Default:

{
  "Visibility": "private"
}

Description: If not empty, overrides the bastion host name specified by 'name'

Type: string

Default: ""

Description: User name used for SSH connections.

Type: string

Default: "ec2-user"

Description: A list of public SSH keys to add to the authorized_keys file

Type: list(string)

Default: []

Description: A list of CIDRs from which one can connect to the bastion host ELB

Type: list(string)

Default:

[
  "0.0.0.0/0"
]

Description: List of one or more security groups to be added to the load balancer

Type: list(string)

Default: []

Description: If set, the bastion ELB will be assigned this public DNS name via Route53.

Type: string

Default: ""

Description: EC2 AMI ID for bastion host.

Type: string

Default: null

Description: EC2 instance type of bastion host.

Type: string

Default: "t2.micro"

Description: The number of Bastion host server nodes to deploy.

Type: number

Default: 1

Description: Should be true to adopt and manage default security group

Type: bool

Default: true

Description: List of maps of ingress rules to set on the default security group

Type: list(map(string))

Default:

[
  {
    "from_port": 0,
    "protocol": -1,
    "self": true,
    "to_port": 0
  }
]

Description: List of maps of egress rules to set on the default security group

Type: list(map(string))

Default:

[
  {
    "from_port": 0,
    "protocol": "-1",
    "self": true,
    "to_port": 0
  }
]

Outputs

Name                              Description
bastion_asg_name                  Autoscaling group name of the bastion host (or empty string if bastion host is disabled)
bastion_elb_fqdn                  The auto-generated FQDN of the bastion ELB.
bastion_elb_security_group_id     The ID of the SSH security group of the bastion host that can be attached to any other private instance in order to ssh into it (or empty string if bastion host is disabled)
bastion_launch_template_name      Launch template name of the bastion host (or empty string if bastion host is disabled)
bastion_route53_public_dns_name   The Route53 public DNS name of the bastion ELB, if set.
bastion_security_group_id         The ID of the SSH security group of the bastion host that can be attached to any other private instance in order to ssh into it (or empty string if bastion host is disabled)
cgw_ids                           List of IDs of Customer Gateways
name                              The name of the VPC
private_route_table_ids           List of IDs of private route tables
private_subnets                   List of IDs of private subnets
private_subnets_cidr_blocks       List of cidr_blocks of private subnets
public_route_table_ids            List of IDs of public route tables
public_subnets                    List of IDs of public subnets
public_subnets_cidr_blocks        List of cidr_blocks of public subnets
vgw_id                            The ID of the VPN Gateway
vpc_cidr_block                    The CIDR block of the VPC
vpc_id                            The ID of the VPC

License

Apache 2.0

Copyright (c) 2018-2021 Flaconi GmbH