This module creates the basic network resources for a region.
The following resources will be created:
```hcl
module "network" {
  source = "git::https://github.com/DNXLabs/terraform-aws-network.git"
  # To use a specific version, replace <version> with the desired release (e.g. 2.3.1):
  # source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=<version>"

  name     = "MyVPC"       # required
  vpc_cidr = "10.1.0.0/16" # required

  # Add other module-specific variables here
  newbits   = 8     # will create /24 subnets
  multi_nat = false
}
```
| Name | Version |
|---|---|
| terraform | >= 1.5.1 |

| Name | Version |
|---|---|
| aws | n/a |
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| attachInternetGateway | To attach or not the internet gateway within the public subnet. | `bool` | `true` | no |
| byoip | Enable module to use your own Elastic IPs (Bring Your Own IP) | `bool` | `false` | no |
| cf_export_name | Name prefix for the export resources of the cloud formation output | `string` | `""` | no |
| create_dbsubgroup_private | Create Private Subgroup | `bool` | `false` | no |
| create_dbsubgroup_public | Create Public Subgroup | `bool` | `false` | no |
| create_dbsubgroup_secure | Create Secure Subgroup | `bool` | `true` | no |
| db_subnet_group_secure_name_compat | Use previous DB subnet group name ( | | | |
| | | | <pre>[<br>  ".amazonaws.com",<br>  ".github.com"<br>]</pre> | no |
| firewall\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `14` | no |
| kms\_key\_arn | The ARN of the KMS Key to use when encrypting log data. | `string` | `""` | no |
| kubernetes\_clusters | List of kubernetes cluster names to create tags in public and private subnets of this VPC | `list(string)` | `[]` | no |
| kubernetes\_clusters\_secure | List of kubernetes cluster names to create tags in secure subnets of this VPC | `list(string)` | `[]` | no |
| kubernetes\_clusters\_type | Use either 'owned' or 'shared' for kubernetes cluster tags | `string` | `"shared"` | no |
| max\_az | Max number of AZs | `number` | `3` | no |
| multi\_nat | Number of NAT instances: 'true' yields one per AZ, 'false' creates a single NAT | `bool` | `false` | no |
| name | Name prefix for the resources of this stack | `string` | n/a | yes |
| name\_pattern | Name pattern to use for resources. Options: default, kebab | `string` | `"default"` | no |
| name\_suffix | Adds a name suffix to all resources created | `string` | `""` | no |
| nat | Deploy NAT instance(s) | `bool` | `true` | no |
| network\_firewall | Enable or disable VPC Network Firewall | `bool` | `false` | no |
| newbits | Number of bits to add to the vpc cidr when building subnets | `number` | `5` | no |
| private\_nacl\_allow\_cidrs | CIDRs to allow traffic from private subnet | `list(string)` | `[]` | no |
| private\_netnum\_offset | Start with this subnet for private ones, plus number of AZs | `number` | `5` | no |
| public\_nacl\_allow\_cidrs | CIDRs to allow traffic from public subnet | `list(string)` | `[]` | no |
| public\_nacl\_icmp | Allows ICMP traffic to and from the public subnet | `bool` | `true` | no |
| public\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "80",<br>  "443",<br>  "22",<br>  "1194"<br>]</pre> | no |
| public\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | `[]` | no |
| public\_nacl\_outbound\_tcp\_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
| public\_nacl\_outbound\_udp\_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
| public\_netnum\_offset | Start with this subnet for public ones, plus number of AZs | `number` | `0` | no |
| secure\_nacl\_allow\_cidrs | CIDRs to allow traffic from secure subnet | `list(string)` | `[]` | no |
| secure\_nacl\_allow\_public | Allow traffic between public and secure | `bool` | `false` | no |
| secure\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `10` | no |
| tags | Extra tags to attach to resources | `map(string)` | `{}` | no |
| transit\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "1194"<br>]</pre> | no |
| transit\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "1194"<br>]</pre> | no |
| transit\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `15` | no |
| transit\_subnet | Create a transit subnet for VPC peering (only central account) | `bool` | `false` | no |
| vpc\_cidr | Network CIDR for the VPC | `string` | n/a | yes |
| vpc\_cidr\_summ | Define cidr used to summarize subnets by tier | `string` | `"/0"` | no |
| vpc\_endpoint\_dynamodb\_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | `bool` | `true` | no |
| vpc\_endpoint\_s3\_gateway | Enable or disable VPC Endpoint for S3 Gateway | `bool` | `true` | no |
| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` | <pre>{<br>  "Statement": [<br>    {<br>      "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"<br>    }<br>  ]<br>}</pre> | no |
| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g. ssm, ec2, ecr.dkr) | <pre>list(object(<br>  {<br>    name          = string<br>    policy        = optional(string)<br>    allowed_cidrs = optional(list(string))<br>  }<br>))</pre> | `[]` | no |
| vpc\_flow\_logs | Enable or disable VPC Flow Logs | `bool` | `true` | no |
| vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group | `number` | `365` | no |
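Several defaults in the table above are permissive: the public NACL admits TCP 22 and 1194 from anywhere, and the S3 gateway endpoint policy is `Allow` for any principal on any resource. The following module call is an added example (not part of the module's README) that overrides those defaults for a production VPC; the account id, bucket name, KMS key ARN and `<version>` are placeholders, and the `allowed_cidrs` values assume private subnets are carved at netnum offsets 5 to 7 with `newbits = 8`.

```hcl
# Added example: hardened call of the terraform-aws-network module.
# All identifiers marked "placeholder" must be replaced for your account.
locals {
  account_id = "111111111111" # placeholder
  log_bucket = "example-org-app-data" # placeholder: bucket this VPC may reach via S3
}

module "network" {
  source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=<version>"

  name      = "prod"
  vpc_cidr  = "10.1.0.0/16"
  newbits   = 8    # /24 subnets
  max_az    = 3
  multi_nat = true # one NAT per AZ so a single AZ outage does not remove egress

  # Public NACL: default allows 80, 443, 22 and 1194 inbound; keep only web ports
  # and drop ICMP from the internet-facing tier.
  public_nacl_inbound_tcp_ports = ["80", "443"]
  public_nacl_icmp              = false

  # S3 gateway endpoint: replace the default "*" policy with one scoped to
  # a named bucket and to principals of this account only.
  vpc_endpoint_s3_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AccountScopedBucketAccess"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${local.log_bucket}", "arn:aws:s3:::${local.log_bucket}/*"]
      Condition = { StringEquals = { "aws:PrincipalAccount" = local.account_id } }
    }]
  })

  # Interface endpoints so SSM and ECR traffic stays inside the VPC; the
  # allowed_cidrs assume the private subnets sit at offsets 5..7 (assumption).
  vpc_endpoints = [
    { name = "ssm" },
    { name = "ssmmessages" },
    { name = "ec2messages" },
    { name = "ecr.dkr", allowed_cidrs = ["10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24"] },
  ]

  # Flow logs on (default), retained one year, encrypted with a customer-managed key
  vpc_flow_logs           = true
  vpc_flow_logs_retention = 365
  kms_key_arn             = "arn:aws:kms:ap-southeast-2:111111111111:key/<key-id>" # placeholder

  tags = { Environment = "prod" }
}
```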
| Name | Description |
|---|---|
| cidr_block | CIDR for VPC created |
| db_subnet_group_private_id | n/a |
| db_subnet_group_public_id | n/a |
| db_subnet_group_secure_id | n/a |
| firewall_subnet_cidrs | List of firewall subnet CIDRs |
| firewall_subnet_ids | List of firewall subnet IDs |
| internet_gateway_id | ID of Internet Gateway created |
| nat_gateway | n/a |
| nat_gateway_ids | List of NAT Gateway IDs |
| private_nacl_id | n/a |
| private_nacls | n/a |
| private_route_table_id | n/a |
| private_subnet_cidrs | List of private subnet CIDRs |
| private_subnet_ids | List of private subnet IDs |
| private_subnets | n/a |
| public_nacl_id | n/a |
| public_nacls | n/a |
| public_route_table_id | n/a |
| public_subnet_cidrs | List of public subnet CIDRs |
| public_subnet_ids | List of public subnet IDs |
| public_subnets | n/a |
| secure_db_subnet | n/a |
| secure_nacl_id | n/a |
| secure_nacls | n/a |
| secure_route_table_id | n/a |
| secure_subnet_cidrs | List of secure subnet CIDRs |
| secure_subnet_ids | List of secure subnet IDs |
| secure_subnets | n/a |
| transit_nacl_id | n/a |
| transit_route_table_id | n/a |
| transit_subnets | n/a |
| vpc_id | ID for VPC created |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.