/terraform-aws-vpc-1

AWS VPC Module

Primary LanguageHCLApache License 2.0Apache-2.0

AWS VPC Module

This module can be used to deploy a pragmatic VPC with various subnets types in # AZs. Common deployment examples can be found in examples/. Subnet CIDRs can be explicitly set via list of string argument cidrs or set via a number netmask argument.

Usage

The example below builds a VPC with public and private subnets in 3 AZs. Each subnet calulates a CIDR based on the netmask argument passed. The public subnets build nat gateways in each AZ but optionally can be switched to single_az.

module "vpc" {
  source   = "aws-ia/vpc/aws"
  version = ">= 1.0.0"

  name           = "multi-az-vpc"
  cidr_block = "10.0.0.0/20"
  az_count       = 3

  subnets = {
    public = {
      name_prefix               = "my-public" # omit to prefix with "public"
      netmask                   = 24
      nat_gateway_configuration = "all_azs" # options: "single_az", "none"
    }

    private = {
      # omitting name_prefix defaults value to "private"
      # name_prefix  = "private"
      netmask      = 24
      route_to_nat = true
    }
  }

  vpc_flow_logs = {
    log_destination_type = "cloud-watch-logs"
    retention_in_days    = 180
  }
}

Updating a VPC with new or removed subnets

If using netmask to calculate subnets and you wish to either add or remove subnets (ex: adding / removing an AZ), you may have to change from using netmask for some subnets and set to explicit instead. Private subnets are always calculated before public.

When changing to explicit cidrs, subnets are always ordered by AZ. 0 -> a, 1 -> b, etc.

Example: Changing from 2 azs to 3

Before:

cidr_block = "10.0.0.0/16"
az_count = 2

subnets = {
  public = {
   netmask = 24
  }

  private = {
   netmask = 24
  }
}

After:

cidr_block = "10.0.0.0/16"
az_count = 3

subnets = {
  public = {
   cidrs = ["10.0.0.0/24", "10.0.1.0/24", "10.0.4.0/24"]
  }

  private = {
   cidrs = ["10.0.2.0/24", "10.0.3.0/24", "10.0.5.0/24"]
  }
}

The above example will cause only creating 2 new subnets in az c of the region being used.

Requirements

Name Version
terraform >= 0.15.0
aws >= 3.72.0
awscc >= 0.15.0

Providers

Name Version
aws >= 3.72.0
awscc >= 0.15.0

Modules

Name Source Version
calculate_subnets ./modules/calculate_subnets n/a
flow_logs ./modules/flow_logs n/a
tags aws-ia/label/aws 0.0.4

Resources

Name Type
aws_eip.nat resource
aws_internet_gateway.main resource
aws_nat_gateway.main resource
aws_route.private_to_nat resource
aws_route.public_to_igw resource
aws_subnet.private resource
aws_subnet.public resource
aws_vpc.main resource
aws_vpc_ipv4_cidr_block_association.secondary resource
awscc_ec2_route_table.private resource
awscc_ec2_route_table.public resource
awscc_ec2_subnet_route_table_association.private resource
awscc_ec2_subnet_route_table_association.public resource
aws_availability_zones.current data source
aws_vpc_ipam_preview_next_cidr.main data source
awscc_ec2_vpc.main data source

Inputs

Name Description Type Default Required
az_count Searches region for # of AZs to use and takes a slice based on count. Assume slice is sorted a-z. number n/a yes
name Name to give VPC. Note: does not effect subnet names, which get assigned name based on name_prefix. string n/a yes
subnets Configuration of subnets to build in VPC. Valid key restriction information found in variables.tf. any n/a yes
cidr_block CIDR range to assign to VPC if creating VPC or to associte as a secondary CIDR. Overridden by var.vpc_id output from data.aws_vpc. string null no
tags Tags to apply to all resources. map(string) {} no
vpc_enable_dns_hostnames Indicates whether the instances launched in the VPC get DNS hostnames. If enabled, instances in the VPC get DNS hostnames; otherwise, they do not. Disabled by default for nondefault VPCs. bool true no
vpc_enable_dns_support Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default. bool true no
vpc_flow_logs Whether or not to create VPC flow logs and which type. Options: "cloudwatch", "s3", "none". By default creates flow logs to cloudwatch. Variable overrides null value types for some keys, defined in defaults.tf. 
object({
    log_destination = optional(string)
    iam_role_arn    = optional(string)
    kms_key_id      = optional(string)

    log_destination_type = string
    retention_in_days    = optional(number)
    tags                 = optional(map(string))
    traffic_type         = optional(string)
    destination_options = optional(object({
      file_format                = optional(string)
      hive_compatible_partitions = optional(bool)
      per_hour_partition         = optional(bool)
    }))
  })
 
{
  "log_destination_type": "none"
}
 no
vpc_id VPC ID to use if not creating VPC. string null no
vpc_instance_tenancy The allowed tenancy of instances launched into the VPC. string "default" no
vpc_ipv4_ipam_pool_id Set to use IPAM to get CIDR block. string null no
vpc_ipv4_netmask_length Set to use IPAM to get CIDR block using a specified netmask. Must be set with var.vpc_ipv4_ipam_pool_id. string null no
vpc_secondary_cidr If true the module will create a aws_vpc_ipv4_cidr_block_association and subnets for that secondary cidr. If using IPAM for both primary and secondary CIDRs, you may only call this module serially (aka using -target, etc). bool false no

Outputs

Name Description
subnets Subnets grouped by type.
vpc VPC Resource Information. Full output of aws_vpc.