Terraform module which creates VPC resources on AWS.
These types of resources are supported:
- VPC
- Subnet
- Route
- Route table
- Internet Gateway
- Network ACL
- NAT Gateway
- VPN Gateway
- VPC Endpoint:
  - Gateway: S3, DynamoDB
  - Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch (Monitoring, Logs, Events), Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codebuild, Codecommit, Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose
- RDS DB Subnet Group
- ElastiCache Subnet Group
- Redshift Subnet Group
- DHCP Options Set
- Default VPC
- Default Network ACL
Terraform 0.12: pin module version to `~> v2.0`. Submit pull-requests to the `master` branch.

Terraform 0.11: pin module version to `~> v1.0`. Submit pull-requests to the `terraform011` branch.
```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
By default this module will provision new Elastic IPs for the VPC's NAT Gateways. This means that when creating a new VPC, new IPs are allocated, and when that VPC is destroyed those IPs are released. Sometimes it is handy to keep the same IPs even after the VPC is destroyed and re-created. To that end, it is possible to assign existing IPs to the NAT Gateways. This prevents the destruction of the VPC from releasing those IPs, while making it possible that a re-created VPC uses the same IPs.
To achieve this, allocate the IPs outside the VPC module declaration.
```hcl
resource "aws_eip" "nat" {
  count = 3

  vpc = true
}
```
Then, pass the allocated IPs as a parameter to this module.
```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  # The rest of arguments are omitted for brevity

  enable_nat_gateway  = true
  single_nat_gateway  = false
  reuse_nat_ips       = true                    # <= Skip creation of EIPs for the NAT Gateways
  external_nat_ip_ids = "${aws_eip.nat.*.id}"   # <= IPs specified here as input to the module
}
```
Note that in the example we allocate 3 IPs because we will be provisioning 3 NAT Gateways (due to `single_nat_gateway = false` and having 3 subnets). If, on the other hand, `single_nat_gateway = true`, then `aws_eip.nat` would only need to allocate 1 IP. Passing the IPs into the module is done by setting two variables, `reuse_nat_ips = true` and `external_nat_ip_ids = "${aws_eip.nat.*.id}"`.
This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.

- One NAT Gateway per subnet (default behavior)

  ```hcl
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = false
  ```

- Single NAT Gateway

  ```hcl
  enable_nat_gateway     = true
  single_nat_gateway     = true
  one_nat_gateway_per_az = false
  ```

- One NAT Gateway per availability zone

  ```hcl
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true
  ```

If both `single_nat_gateway` and `one_nat_gateway_per_az` are set to `true`, then `single_nat_gateway` takes precedence.
By default, the module will determine the number of NAT Gateways to create based on the `max()` of the private subnet lists (`database_subnets`, `elasticache_subnets`, `private_subnets`, and `redshift_subnets`). The module does not take into account the number of `intra_subnets`, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:

```hcl
database_subnets    = ["10.0.21.0/24", "10.0.22.0/24"]
elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24"]
private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
redshift_subnets    = ["10.0.41.0/24", "10.0.42.0/24"]
intra_subnets       = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]
```

Then `5` NAT Gateways will be created since `5` private subnet CIDR blocks were specified.
If `single_nat_gateway = true`, then all private subnets will route their Internet traffic through this single NAT gateway. The NAT gateway will be placed in the first public subnet in your `public_subnets` block.

If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the module will place one NAT gateway in each availability zone you specify in `var.azs`. There are some requirements around using this feature flag:

- The variable `var.azs` must be specified.
- The number of public subnet CIDR blocks specified in `public_subnets` must be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.
By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.

If you need private subnets that should have no Internet routing (in the sense of RFC1918 Category 1 subnets), `intra_subnets` should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.

Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received (read more), it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.

You can add additional tags with `intra_subnet_tags` as with other subnet types.
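The following configuration ties the two preceding sections together: one NAT Gateway per AZ for the private subnets, intra subnets that never receive a NAT route, and gateway and interface VPC endpoints so that workloads in the isolated subnets still reach AWS services without an Internet path. This is an added example, not code from the module's README; the region, AZs, CIDRs, the `endpoints` security group and its name are constructed values, and `module.vpc.vpc_id` is the module's standard VPC ID output. All module arguments used are the ones documented in the inputs table on this page.

```hcl
# Added example (not from the module's README). Region, AZs, CIDRs and the
# security group are constructed values; module arguments are those documented here.
locals {
  vpc_cidr = "10.0.0.0/16"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "isolated-vpc"
  cidr = local.vpc_cidr
  azs  = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]

  # Public subnets exist to host the NAT Gateways: one per AZ, so the loss of
  # a single AZ does not remove Internet egress for the remaining AZs.
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

  # Intra subnets never get a NAT route; sized generously for Lambda ENIs.
  intra_subnets = ["10.0.64.0/20", "10.0.80.0/20", "10.0.96.0/20"]

  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true # needs azs set and len(public_subnets) >= len(azs)

  # Private DNS on interface endpoints needs both VPC DNS settings enabled.
  enable_dns_hostnames = true
  enable_dns_support   = true

  # Gateway endpoints: route-table entries only, no ENI and no security group.
  enable_s3_endpoint       = true
  enable_dynamodb_endpoint = true

  # Interface endpoints: an ENI per subnet, reachable only through the endpoint
  # security group. Subnet IDs are omitted, so the module places the ENIs in
  # the private subnets (see the *_endpoint_subnet_ids inputs); intra subnets
  # reach them over the VPC's local route.
  enable_kms_endpoint              = true
  kms_endpoint_private_dns_enabled = true
  kms_endpoint_security_group_ids  = [aws_security_group.endpoints.id]

  enable_logs_endpoint              = true
  logs_endpoint_private_dns_enabled = true
  logs_endpoint_security_group_ids  = [aws_security_group.endpoints.id]

  intra_subnet_tags = {
    Tier = "no-internet"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

# Only HTTPS originating inside the VPC may reach the endpoint ENIs.
resource "aws_security_group" "endpoints" {
  name        = "vpc-endpoints"
  description = "HTTPS to interface VPC endpoints from inside the VPC"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}
```

The security group references `module.vpc.vpc_id` while the module references the security group's ID; Terraform 0.12 resolves dependencies per resource rather than per module, so this is not a cycle (the module's own complete example uses the same pattern with a data source). Because the intra subnets carry no route to a NAT Gateway or Internet Gateway, a compromised function in them has no egress path other than the endpoints, which is the exposure reduction the section above describes.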
Sometimes you need a way to create VPC resources conditionally, but Terraform does not allow `count` inside a `module` block, so the solution is to specify the argument `create_vpc`.

```hcl
# This VPC will not be created
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  create_vpc = false
  # ... omitted
}
```
Sometimes it is handy to have public access to RDS instances (it is not recommended for production) by specifying these arguments:

```hcl
create_database_subnet_group           = true
create_database_subnet_route_table     = true
create_database_internet_gateway_route = true

enable_dns_hostnames = true
enable_dns_support   = true
```
This module can manage network ACL and rules. Once the VPC is created, AWS creates the default network ACL, which can be controlled using this module (`manage_default_network_acl = true`).

Also, each type of subnet may have its own network ACL with custom rules per subnet. E.g., set `public_dedicated_network_acl = true` to use a dedicated network ACL for the public subnets; set values of `public_inbound_acl_rules` and `public_outbound_acl_rules` to specify all the NACL rules you need to have on public subnets (see `variables.tf` for default values and structures).

By default, all subnets are associated with the default network ACL.
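The module's default ACL rules (see `*_inbound_acl_rules` and `default_network_acl_*` in the inputs table) allow all traffic in both directions, so enabling a dedicated ACL without supplying rules changes nothing about exposure. The configuration below, an added example rather than code from the module's README, replaces them: the adopted default network ACL becomes an explicit deny so that any subnet not covered by a dedicated ACL fails closed, and the public and private subnets get stateless rules narrowed to HTTPS plus the ephemeral-port replies that a NAT Gateway needs. CIDRs, AZs and port ranges are constructed values; the rule map keys (`rule_number`/`rule_action` for dedicated ACLs, `rule_no`/`action` for the default ACL) are the ones shown in the inputs table.

```hcl
# Added example (not from the module's README). CIDRs and ports are constructed;
# the rule map keys follow the *_acl_rules and default_network_acl_* inputs.
locals {
  vpc_cidr = "10.0.0.0/16"
  anywhere = "0.0.0.0/0"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "acl-vpc"
  cidr = local.vpc_cidr
  azs  = ["eu-west-1a", "eu-west-1b"]

  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  # Adopt the VPC's default network ACL and turn it into an explicit deny, so a
  # subnet without a dedicated ACL is closed rather than wide open.
  manage_default_network_acl = true
  default_network_acl_name   = "acl-vpc-default-deny"
  default_network_acl_ingress = [
    { rule_no = 100, action = "deny", protocol = "-1", from_port = 0, to_port = 0, cidr_block = local.anywhere },
  ]
  default_network_acl_egress = [
    { rule_no = 100, action = "deny", protocol = "-1", from_port = 0, to_port = 0, cidr_block = local.anywhere },
  ]

  # Public subnets: inbound HTTPS, plus ephemeral ports because NACLs are
  # stateless and replies to the NAT Gateway and to load balancers must be
  # allowed explicitly.
  public_dedicated_network_acl = true
  public_inbound_acl_rules = [
    { rule_number = 100, rule_action = "allow", protocol = "tcp", from_port = 443, to_port = 443, cidr_block = local.anywhere },
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 1024, to_port = 65535, cidr_block = local.anywhere },
  ]
  public_outbound_acl_rules = [
    { rule_number = 100, rule_action = "allow", protocol = "tcp", from_port = 443, to_port = 443, cidr_block = local.anywhere },
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 1024, to_port = 65535, cidr_block = local.anywhere },
  ]

  # Private subnets: anything from inside the VPC, outbound HTTPS via the NAT
  # Gateway, and the ephemeral-port replies to that HTTPS (the NAT Gateway
  # preserves the remote address as the source, so this cannot be narrowed to
  # the VPC CIDR).
  private_dedicated_network_acl = true
  private_inbound_acl_rules = [
    { rule_number = 100, rule_action = "allow", protocol = "-1", from_port = 0, to_port = 0, cidr_block = local.vpc_cidr },
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 1024, to_port = 65535, cidr_block = local.anywhere },
  ]
  private_outbound_acl_rules = [
    { rule_number = 100, rule_action = "allow", protocol = "-1", from_port = 0, to_port = 0, cidr_block = local.vpc_cidr },
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 443, to_port = 443, cidr_block = local.anywhere },
  ]
}
```

Because the default ACL now denies everything, a subnet added to this VPC outside the module (or a subnet type enabled later without its own `*_dedicated_network_acl = true`) will pass no traffic until a rule set is written for it; that is deliberate, and it is the check to run when a new subnet appears unreachable.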
Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis; a VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments:

```hcl
enable_public_redshift = true  # <= By default Redshift subnets will be associated with the private route table
```
- Simple VPC
- Complete VPC
- Manage Default VPC
- Network ACL
- Few tests and edge cases examples: #46, #44, #108
Name | Description | Type | Default | Required |
---|---|---|---|---|
amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | "64512" | no |
apigw_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | bool | "false" | no |
apigw_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list(string) | [] | no |
apigw_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | bool | "false" | no |
azs | A list of availability zones in the region | list(string) | [] | no |
cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | "0.0.0.0/0" | no |
cloudtrail_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | bool | "false" | no |
cloudtrail_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list(string) | [] | no |
cloudtrail_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
codebuild_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | string | "false" | no |
codebuild_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | list | [] | no |
codebuild_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Codebuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | [] | no |
codecommit_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | string | "false" | no |
codecommit_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | list | [] | no |
codecommit_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | [] | no |
config_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for config endpoint | string | "false" | no |
config_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for config endpoint | list | [] | no |
config_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | [] | no |
create_database_internet_gateway_route | Controls if an internet gateway route for public database access should be created | bool | "false" | no |
create_database_nat_gateway_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool | "false" | no |
create_database_subnet_group | Controls if database subnet group should be created | bool | "true" | no |
create_database_subnet_route_table | Controls if separate route table for database should be created | bool | "false" | no |
create_elasticache_subnet_group | Controls if elasticache subnet group should be created | bool | "true" | no |
create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created | bool | "false" | no |
create_redshift_subnet_group | Controls if redshift subnet group should be created | bool | "true" | no |
create_redshift_subnet_route_table | Controls if separate route table for redshift should be created | bool | "false" | no |
create_vpc | Controls if VPC should be created (it affects almost all resources) | bool | "true" | no |
database_acl_tags | Additional tags for the database subnets network ACL | map(string) | {} | no |
database_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | "false" | no |
database_inbound_acl_rules | Database subnets inbound network ACL rules | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
database_outbound_acl_rules | Database subnets outbound network ACL rules | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
database_route_table_tags | Additional tags for the database route tables | map(string) | {} | no |
database_subnet_group_tags | Additional tags for the database subnet group | map(string) | {} | no |
database_subnet_suffix | Suffix to append to database subnets name | string | "db" | no |
database_subnet_tags | Additional tags for the database subnets | map(string) | {} | no |
database_subnets | A list of database subnets | list(string) | [] | no |
default_network_acl_egress | List of maps of egress rules to set on the Default Network ACL | list(map(string)) | [ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ] | no |
default_network_acl_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) | [ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ] | no |
default_network_acl_name | Name to be used on the Default Network ACL | string | "" | no |
default_network_acl_tags | Additional tags for the Default Network ACL | map(string) | {} | no |
default_vpc_enable_classiclink | Should be true to enable ClassicLink in the Default VPC | bool | "false" | no |
default_vpc_enable_dns_hostnames | Should be true to enable DNS hostnames in the Default VPC | bool | "false" | no |
default_vpc_enable_dns_support | Should be true to enable DNS support in the Default VPC | bool | "true" | no |
default_vpc_name | Name to be used on the Default VPC | string | "" | no |
default_vpc_tags | Additional tags for the Default VPC | map(string) | {} | no |
dhcp_options_domain_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | string | "" | no |
dhcp_options_domain_name_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | list(string) | [ "AmazonProvidedDNS" ] | no |
dhcp_options_netbios_name_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | [] | no |
dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | string | "" | no |
dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | [] | no |
dhcp_options_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map(string) | {} | no |
ec2_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | bool | "false" | no |
ec2_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list(string) | [] | no |
ec2_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
ec2messages_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | bool | "false" | no |
ec2messages_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list(string) | [] | no |
ec2messages_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
ecr_api_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | bool | "false" | no |
ecr_api_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint | list(string) | [] | no |
ecr_api_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | list(string) | [] | no |
ecr_dkr_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | bool | "false" | no |
ecr_dkr_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list(string) | [] | no |
ecr_dkr_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list(string) | [] | no |
ecs_agent_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | bool | "false" | no |
ecs_agent_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list(string) | [] | no |
ecs_agent_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
ecs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | bool | "false" | no |
ecs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list(string) | [] | no |
ecs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
ecs_telemetry_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | bool | "false" | no |
ecs_telemetry_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list(string) | [] | no |
ecs_telemetry_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
elasticache_acl_tags | Additional tags for the elasticache subnets network ACL | map(string) | {} | no |
elasticache_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | bool | "false" | no |
elasticache_inbound_acl_rules | Elasticache subnets inbound network ACL rules | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
elasticache_outbound_acl_rules | Elasticache subnets outbound network ACL rules | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
elasticache_route_table_tags | Additional tags for the elasticache route tables | map(string) | {} | no |
elasticache_subnet_suffix | Suffix to append to elasticache subnets name | string | "elasticache" | no |
elasticache_subnet_tags | Additional tags for the elasticache subnets | map(string) | {} | no |
elasticache_subnets | A list of elasticache subnets | list(string) | [] | no |
elasticloadbalancing_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | bool | "false" | no |
elasticloadbalancing_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list(string) | [] | no |
elasticloadbalancing_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
enable_apigw_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | bool | "false" | no |
enable_cloudtrail_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | bool | "false" | no |
enable_codebuild_endpoint | Should be true if you want to provision a Codebuild endpoint to the VPC | string | "false" | no |
enable_codecommit_endpoint | Should be true if you want to provision a Codecommit endpoint to the VPC | string | "false" | no |
enable_config_endpoint | Should be true if you want to provision a config endpoint to the VPC | string | "false" | no |
enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool | "false" | no |
enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | bool | "false" | no |
enable_dns_support | Should be true to enable DNS support in the VPC | bool | "true" | no |
enable_dynamodb_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | bool | "false" | no |
enable_ec2_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | bool | "false" | no |
enable_ec2messages_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | bool | "false" | no |
enable_ecr_api_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | bool | "false" | no |
enable_ecr_dkr_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | bool | "false" | no |
enable_ecs_agent_endpoint | Should be true if you want to provision an ECS Agent endpoint to the VPC | bool | "false" | no |
enable_ecs_endpoint | Should be true if you want to provision an ECS endpoint to the VPC | bool | "false" | no |
enable_ecs_telemetry_endpoint | Should be true if you want to provision an ECS Telemetry endpoint to the VPC | bool | "false" | no |
enable_elasticloadbalancing_endpoint | Should be true if you want to provision an Elastic Load Balancing endpoint to the VPC | bool | "false" | no |
enable_events_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | "false" | no |
enable_git_codecommit_endpoint | Should be true if you want to provision a Git Codecommit endpoint to the VPC | string | "false" | no |
enable_kinesis_firehose_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | bool | "false" | no |
enable_kinesis_streams_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | bool | "false" | no |
enable_kms_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | "false" | no |
enable_logs_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | bool | "false" | no |
enable_monitoring_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | "false" | no |
enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | "false" | no |
enable_public_redshift | Controls if redshift should have public routing table | bool | "false" | no |
enable_s3_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | bool | "false" | no |
enable_secretsmanager_endpoint | Should be true if you want to provision a Secrets Manager endpoint to the VPC | bool | "false" | no |
enable_sns_endpoint | Should be true if you want to provision an SNS endpoint to the VPC | bool | "false" | no |
enable_sqs_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | "false" | no |
enable_ssm_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | bool | "false" | no |
enable_ssmmessages_endpoint | Should be true if you want to provision an SSMMESSAGES endpoint to the VPC | bool | "false" | no |
enable_transferserver_endpoint | Should be true if you want to provision a Transfer Server endpoint to the VPC | bool | "false" | no |
enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool | "false" | no |
events_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | bool | "false" | no |
events_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list(string) | [] | no |
events_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | [] | no |
git_codecommit_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | "false" | no |
git_codecommit_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | [] | no |
git_codecommit_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | [] | no |
igw_tags | Additional tags for the internet gateway | map(string) | {} | no |
instance_tenancy | A tenancy option for instances launched into the VPC | string | "default" | no |
intra_acl_tags | Additional tags for the intra subnets network ACL | map(string) | {} | no |
intra_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | bool | "false" | no |
intra_inbound_acl_rules | Intra subnets inbound network ACLs | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
intra_outbound_acl_rules | Intra subnets outbound network ACLs | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
intra_route_table_tags | Additional tags for the intra route tables | map(string) | {} | no |
intra_subnet_suffix | Suffix to append to intra subnets name | string | "intra" | no |
intra_subnet_tags | Additional tags for the intra subnets | map(string) | {} | no |
intra_subnets | A list of intra subnets | list(string) | [] | no |
kinesis_firehose_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | bool | "false" | no |
kinesis_firehose_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | list(string) | [] | no |
kinesis_firehose_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
kinesis_streams_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | bool | "false" | no |
kinesis_streams_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | list(string) | [] | no |
kinesis_streams_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
kms_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | bool | "false" | no |
kms_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list(string) | [] | no |
kms_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
logs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | bool | "false" | no |
logs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list(string) | [] | no |
logs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
manage_default_network_acl | Should be true to adopt and manage Default Network ACL | bool | "false" | no |
manage_default_vpc | Should be true to adopt and manage Default VPC | bool | "false" | no |
map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | bool | "true" | no |
monitoring_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | bool | "false" | no |
monitoring_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | list(string) | [] | no |
monitoring_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] | no |
name | Name to be used on all the resources as identifier | string | "" | no |
nat_eip_tags | Additional tags for the NAT EIP | map(string) | {} | no |
nat_gateway_tags | Additional tags for the NAT gateways | map(string) | {} | no |
one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs. | bool | "false" | no |
private_acl_tags | Additional tags for the private subnets network ACL | map(string) | {} | no |
private_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | bool | "false" | no |
private_inbound_acl_rules | Private subnets inbound network ACLs | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
private_outbound_acl_rules | Private subnets outbound network ACLs | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
private_route_table_tags | Additional tags for the private route tables | map(string) | {} | no |
private_subnet_suffix | Suffix to append to private subnets name | string | "private" | no |
private_subnet_tags | Additional tags for the private subnets | map(string) | {} | no |
private_subnets | A list of private subnets inside the VPC | list(string) | [] | no |
propagate_private_route_tables_vgw | Should be true if you want route table propagation | bool | "false" | no |
propagate_public_route_tables_vgw | Should be true if you want route table propagation | bool | "false" | no |
public_acl_tags | Additional tags for the public subnets network ACL | map(string) | {} | no |
public_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | bool | "false" | no |
public_inbound_acl_rules | Public subnets inbound network ACLs | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
public_outbound_acl_rules | Public subnets outbound network ACLs | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] | no |
public_route_table_tags | Additional tags for the public route tables | map(string) | {} | no |
public_subnet_suffix | Suffix to append to public subnets name | string | "public" | no |
public_subnet_tags | Additional tags for the public subnets | map(string) | {} | no |
public_subnets | A list of public subnets inside the VPC | list(string) | [] | no |
redshift_acl_tags | Additional tags for the redshift subnets network ACL | map(string) | {} | no |
redshift_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | bool | "false" | |
no |
redshift_inbound_acl_rules | Redshift subnets inbound network ACL rules | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] |
no |
redshift_outbound_acl_rules | Redshift subnets outbound network ACL rules | list(map(string)) | [ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ] |
no |
redshift_route_table_tags | Additional tags for the redshift route tables | map(string) | {} |
no |
redshift_subnet_group_tags | Additional tags for the redshift subnet group | map(string) | {} |
no |
redshift_subnet_suffix | Suffix to append to redshift subnets name | string | "redshift" |
no |
redshift_subnet_tags | Additional tags for the redshift subnets | map(string) | {} |
no |
redshift_subnets | A list of redshift subnets | list(string) | [] |
no |
reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | "false" |
no |
secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | [] |
no |
secretsmanager_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | "false" |
no |
secretsmanager_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | [] |
no |
secretsmanager_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] |
no |
single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | "false" |
no |
sns_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | "false" |
no |
sns_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | [] |
no |
sns_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] |
no |
sqs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | "false" |
no |
sqs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | [] |
no |
sqs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | [] |
no |
ssm_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | "false" |
no |
ssm_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | [] |
no |
ssm_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] |
no |
ssmmessages_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | "false" |
no |
ssmmessages_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | [] |
no |
ssmmessages_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] |
no |
tags | A map of tags to add to all resources | map(string) | {} |
no |
transferserver_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | bool | "false" |
no |
transferserver_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | list(string) | [] |
no |
transferserver_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | [] |
no |
vpc_tags | Additional tags for the VPC | map(string) | {} |
no |
vpn_gateway_id | ID of VPN Gateway to attach to the VPC | string | "" |
no |
vpn_gateway_tags | Additional tags for the VPN gateway | map(string) | {} |
no |
Name | Description |
---|---|
azs | A list of availability zones specified as argument to this module |
database_network_acl_id | ID of the database network ACL |
database_route_table_ids | List of IDs of database route tables |
database_subnet_arns | List of ARNs of database subnets |
database_subnet_group | ID of database subnet group |
database_subnets | List of IDs of database subnets |
database_subnets_cidr_blocks | List of cidr_blocks of database subnets |
default_network_acl_id | The ID of the default network ACL |
default_route_table_id | The ID of the default route table |
default_security_group_id | The ID of the security group created by default on VPC creation |
default_vpc_cidr_block | The CIDR block of the Default VPC |
default_vpc_default_network_acl_id | The ID of the Default VPC's default network ACL |
default_vpc_default_route_table_id | The ID of the Default VPC's default route table |
default_vpc_default_security_group_id | The ID of the security group created by default on Default VPC creation |
default_vpc_enable_dns_hostnames | Whether or not the Default VPC has DNS hostname support |
default_vpc_enable_dns_support | Whether or not the Default VPC has DNS support |
default_vpc_id | The ID of the Default VPC |
default_vpc_instance_tenancy | Tenancy of instances spun up within the Default VPC |
default_vpc_main_route_table_id | The ID of the main route table associated with the Default VPC |
elasticache_network_acl_id | ID of the elasticache network ACL |
elasticache_route_table_ids | List of IDs of elasticache route tables |
elasticache_subnet_arns | List of ARNs of elasticache subnets |
elasticache_subnet_group | ID of elasticache subnet group |
elasticache_subnet_group_name | Name of elasticache subnet group |
elasticache_subnets | List of IDs of elasticache subnets |
elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
igw_id | The ID of the Internet Gateway |
intra_network_acl_id | ID of the intra network ACL |
intra_route_table_ids | List of IDs of intra route tables |
intra_subnet_arns | List of ARNs of intra subnets |
intra_subnets | List of IDs of intra subnets |
intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
name | The name of the VPC specified as argument to this module |
nat_ids | List of allocation IDs of Elastic IPs created for AWS NAT Gateway |
nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
natgw_ids | List of NAT Gateway IDs |
private_network_acl_id | ID of the private network ACL |
private_route_table_ids | List of IDs of private route tables |
private_subnet_arns | List of ARNs of private subnets |
private_subnets | List of IDs of private subnets |
private_subnets_cidr_blocks | List of cidr_blocks of private subnets |
public_network_acl_id | ID of the public network ACL |
public_route_table_ids | List of IDs of public route tables |
public_subnet_arns | List of ARNs of public subnets |
public_subnets | List of IDs of public subnets |
public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
redshift_network_acl_id | ID of the redshift network ACL |
redshift_route_table_ids | List of IDs of redshift route tables |
redshift_subnet_arns | List of ARNs of redshift subnets |
redshift_subnet_group | ID of redshift subnet group |
redshift_subnets | List of IDs of redshift subnets |
redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets |
vgw_id | The ID of the VPN Gateway |
vpc_arn | The ARN of the VPC |
vpc_cidr_block | The CIDR block of the VPC |
vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
vpc_enable_dns_support | Whether or not the VPC has DNS support |
vpc_endpoint_apigw_dns_entry | The DNS entries for the VPC Endpoint for APIGW. |
vpc_endpoint_apigw_id | The ID of VPC endpoint for APIGW |
vpc_endpoint_apigw_network_interface_ids | One or more network interfaces for the VPC Endpoint for APIGW. |
vpc_endpoint_cloudtrail_dns_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
vpc_endpoint_cloudtrail_id | The ID of VPC endpoint for CloudTrail |
vpc_endpoint_cloudtrail_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
vpc_endpoint_dynamodb_id | The ID of VPC endpoint for DynamoDB |
vpc_endpoint_dynamodb_pl_id | The prefix list for the DynamoDB VPC endpoint. |
vpc_endpoint_ec2_dns_entry | The DNS entries for the VPC Endpoint for EC2. |
vpc_endpoint_ec2_id | The ID of VPC endpoint for EC2 |
vpc_endpoint_ec2_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2 |
vpc_endpoint_ec2messages_dns_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES. |
vpc_endpoint_ec2messages_id | The ID of VPC endpoint for EC2MESSAGES |
vpc_endpoint_ec2messages_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES |
vpc_endpoint_ecr_api_dns_entry | The DNS entries for the VPC Endpoint for ECR API. |
vpc_endpoint_ecr_api_id | The ID of VPC endpoint for ECR API |
vpc_endpoint_ecr_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECR API. |
vpc_endpoint_ecr_dkr_dns_entry | The DNS entries for the VPC Endpoint for ECR DKR. |
vpc_endpoint_ecr_dkr_id | The ID of VPC endpoint for ECR DKR |
vpc_endpoint_ecr_dkr_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. |
vpc_endpoint_ecs_agent_dns_entry | The DNS entries for the VPC Endpoint for ECS Agent. |
vpc_endpoint_ecs_agent_id | The ID of VPC endpoint for ECS Agent |
vpc_endpoint_ecs_agent_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. |
vpc_endpoint_ecs_dns_entry | The DNS entries for the VPC Endpoint for ECS. |
vpc_endpoint_ecs_id | The ID of VPC endpoint for ECS |
vpc_endpoint_ecs_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS. |
vpc_endpoint_ecs_telemetry_dns_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
vpc_endpoint_ecs_telemetry_id | The ID of VPC endpoint for ECS Telemetry |
vpc_endpoint_ecs_telemetry_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
vpc_endpoint_elasticloadbalancing_dns_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
vpc_endpoint_elasticloadbalancing_id | The ID of VPC endpoint for Elastic Load Balancing |
vpc_endpoint_elasticloadbalancing_network_interface_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
vpc_endpoint_events_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
vpc_endpoint_events_id | The ID of VPC endpoint for CloudWatch Events |
vpc_endpoint_events_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
vpc_endpoint_kms_dns_entry | The DNS entries for the VPC Endpoint for KMS. |
vpc_endpoint_kms_id | The ID of VPC endpoint for KMS |
vpc_endpoint_kms_network_interface_ids | One or more network interfaces for the VPC Endpoint for KMS. |
vpc_endpoint_logs_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
vpc_endpoint_logs_id | The ID of VPC endpoint for CloudWatch Logs |
vpc_endpoint_logs_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
vpc_endpoint_monitoring_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
vpc_endpoint_monitoring_id | The ID of VPC endpoint for CloudWatch Monitoring |
vpc_endpoint_monitoring_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
vpc_endpoint_s3_id | The ID of VPC endpoint for S3 |
vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint. |
vpc_endpoint_sns_dns_entry | The DNS entries for the VPC Endpoint for SNS. |
vpc_endpoint_sns_id | The ID of VPC endpoint for SNS |
vpc_endpoint_sns_network_interface_ids | One or more network interfaces for the VPC Endpoint for SNS. |
vpc_endpoint_sqs_dns_entry | The DNS entries for the VPC Endpoint for SQS. |
vpc_endpoint_sqs_id | The ID of VPC endpoint for SQS |
vpc_endpoint_sqs_network_interface_ids | One or more network interfaces for the VPC Endpoint for SQS. |
vpc_endpoint_ssm_dns_entry | The DNS entries for the VPC Endpoint for SSM. |
vpc_endpoint_ssm_id | The ID of VPC endpoint for SSM |
vpc_endpoint_ssm_network_interface_ids | One or more network interfaces for the VPC Endpoint for SSM. |
vpc_endpoint_ssmmessages_dns_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
vpc_endpoint_ssmmessages_id | The ID of VPC endpoint for SSMMESSAGES |
vpc_endpoint_ssmmessages_network_interface_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
vpc_id | The ID of the VPC |
vpc_instance_tenancy | Tenancy of instances spun up within the VPC |
vpc_main_route_table_id | The ID of the main route table associated with this VPC |
vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC |
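The inputs above default to permissive settings: the dedicated network ACLs ship with a single allow-all rule for 0.0.0.0/0, public subnets auto-assign public IPs, and interface endpoints take whatever security groups you hand them. The following configuration is an added example (not code from the module's README or from the module's own examples) showing how the inputs and outputs in the two tables fit together in a tighter layout: a dedicated private-tier NACL with explicit rules, no automatic public IPs, one NAT Gateway per AZ, and SSM interface endpoints behind a security group that only accepts HTTPS from inside the VPC. The `enable_ssm_endpoint` and `enable_ssmmessages_endpoint` switches are module inputs documented earlier in the inputs table, not in the part shown above; the `aws_security_group` resource, the `locals` block, the resource names and the CIDRs are all constructed for this example.

```hcl
# Added example: a hardened use of the inputs/outputs documented above.
# Assumptions: Terraform 0.12, module version ~> 2.0, region eu-west-1.
# All names and CIDR values here are made up for illustration.

locals {
  vpc_cidr = "10.0.0.0/16"
}

# Dedicated security group for the interface endpoints. It is created from
# the module's vpc_id output and handed back in; Terraform resolves this
# because the vpc_id output depends only on the VPC resource itself.
resource "aws_security_group" "endpoints" {
  name        = "my-vpc-endpoints"
  description = "HTTPS to VPC interface endpoints from inside the VPC only"
  vpc_id      = module.vpc.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
  # No egress block: endpoint ENIs only answer requests, and security
  # groups are stateful, so replies are allowed without an egress rule.

  tags = { Name = "my-vpc-endpoints" }
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "my-vpc"
  cidr = local.vpc_cidr

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  # Default is true; turn it off so a public IP is an explicit per-instance
  # decision rather than something every launch in a public subnet gets.
  map_public_ip_on_launch = false

  # One NAT Gateway per AZ: egress survives an AZ failure and each AZ has
  # a stable egress IP. Needs len(public_subnets) >= len(azs), as the
  # one_nat_gateway_per_az description says.
  enable_nat_gateway     = true
  one_nat_gateway_per_az = true

  # Replace the allow-all default on the private tier with explicit rules.
  # NACLs are stateless, so the return half of every flow must be allowed
  # too: here, inbound TCP to the ephemeral range for NAT return traffic.
  private_dedicated_network_acl = true
  private_inbound_acl_rules = [
    { rule_number = 100, rule_action = "allow", protocol = "-1", from_port = 0, to_port = 0, cidr_block = local.vpc_cidr },
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 1024, to_port = 65535, cidr_block = "0.0.0.0/0" },
  ]
  private_outbound_acl_rules = [
    { rule_number = 100, rule_action = "allow", protocol = "-1", from_port = 0, to_port = 0, cidr_block = local.vpc_cidr },
    { rule_number = 110, rule_action = "allow", protocol = "tcp", from_port = 443, to_port = 443, cidr_block = "0.0.0.0/0" },
    { rule_number = 120, rule_action = "allow", protocol = "tcp", from_port = 80, to_port = 80, cidr_block = "0.0.0.0/0" },
  ]

  # Systems Manager over interface endpoints, so private instances never
  # need the NAT path to reach SSM. Private DNS makes the regional SSM
  # hostnames resolve to the endpoint ENIs inside the VPC.
  enable_ssm_endpoint                      = true
  ssm_endpoint_private_dns_enabled         = true
  ssm_endpoint_security_group_ids          = [aws_security_group.endpoints.id]
  enable_ssmmessages_endpoint              = true
  ssmmessages_endpoint_private_dns_enabled = true
  ssmmessages_endpoint_security_group_ids  = [aws_security_group.endpoints.id]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

# Outputs from the table above that are useful to downstream configuration
# and to reviewers: the NACL that now governs the private tier, the
# endpoint DNS names, and the egress IPs a remote party may allow-list.
output "private_network_acl_id" {
  value = module.vpc.private_network_acl_id
}

output "ssm_endpoint_dns_entry" {
  value = module.vpc.vpc_endpoint_ssm_dns_entry
}

output "nat_public_ips" {
  value = module.vpc.nat_public_ips
}
```

The NACL rules are a starting point, not a complete policy: rule 100 in each direction keeps intra-VPC traffic (including the VPC DNS resolver and the endpoint ENIs) working, and rules 110/120 cover HTTPS/HTTP egress through the NAT and its return path. Any other outbound protocol a private workload needs must be added in both directions, which is the cost of the statelessness that makes NACLs a useful second layer under security groups.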
This module has been packaged with awspec tests through test kitchen. To run them:
- Install rvm and the ruby version specified in the Gemfile.
- Install bundler and the gems from our Gemfile: `gem install bundler; bundle install`
- Test using `bundle exec kitchen test` from the root of the repo.
Module is maintained by Anton Babenko with help from these awesome contributors.
Apache 2 Licensed. See LICENSE for full details.