From fb3b7818fd36fb8d7c70e07a62fc49dd308776c2 Mon Sep 17 00:00:00 2001 From: Tristan Escalada Date: Sat, 18 Aug 2018 11:54:22 -0400 Subject: [PATCH 01/81] Fixing typo overriden -> overridden (#150) just a typo in the docs and in the public_subnet_tags in the simple example --- README.md | 2 +- examples/simple-vpc/main.tf | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3e10b164e..40f74e2fa 100644 --- a/README.md +++ b/README.md @@ -164,7 +164,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | azs | A list of availability zones in the region | string | `` | no | -| cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overriden | string | `0.0.0.0/0` | no | +| cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no | | create_database_subnet_group | Controls if database subnet group should be created | string | `true` | no | | create_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no | | database_subnet_group_tags | Additional tags for the database subnet group | string | `` | no | diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf index ac8ca9016..a483abe19 100644 --- a/examples/simple-vpc/main.tf +++ b/examples/simple-vpc/main.tf @@ -17,7 +17,7 @@ module "vpc" { single_nat_gateway = true public_subnet_tags = { - Name = "overriden-name-public" + Name = "overridden-name-public" } tags = { diff --git a/variables.tf b/variables.tf index 8dff348b7..f1c8c83ce 100644 --- a/variables.tf +++ b/variables.tf 
@@ -9,7 +9,7 @@ variable "name" { } variable "cidr" { - description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overriden" + description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden" default = "0.0.0.0/0" } From 78584e5198eabaa0fda33f8f780eca0fa183f4fe Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sat, 18 Aug 2018 18:44:19 +0200 Subject: [PATCH 02/81] Provide separate route tables for db/elasticache/redshift (#155) * Provide separate route tables for db/elasticache/redshift * Added example for saperate routes * Updated PR with suggestions * Make redshift to use separate subnet route table also * More cleanup and updates * Fixed one more spelling mistake --- README.md | 11 +++++- .../README.md | 33 ++++++++++++++++ .../vpc-separate-private-route-tables/main.tf | 31 +++++++++++++++ .../outputs.tf | 37 ++++++++++++++++++ main.tf | 39 +++++++++++++++++-- outputs.tf | 16 ++++++++ variables.tf | 30 ++++++++++++++ 7 files changed, 193 insertions(+), 4 deletions(-) create mode 100644 examples/vpc-separate-private-route-tables/README.md create mode 100644 examples/vpc-separate-private-route-tables/main.tf create mode 100644 examples/vpc-separate-private-route-tables/outputs.tf diff --git a/README.md b/README.md index 40f74e2fa..fb38b180b 100644 --- a/README.md +++ b/README.md 
@@ -166,7 +166,11 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | azs | A list of availability zones in the region | string | `` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no |
 | create_database_subnet_group | Controls if database subnet group should be created | string | `true` | no |
+| create_database_subnet_route_table | Controls if separate route table for database should be created | string | `false` | no |
+| create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created | string | `false` | no |
+| create_redshift_subnet_route_table | Controls if separate route table for redshift should be created | string | `false` | no |
 | create_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no |
+| database_route_table_tags | Additional tags for the database route tables | string | `` | no |
 | database_subnet_group_tags | Additional tags for the database subnet group | string | `` | no |
 | database_subnet_tags | Additional tags for the database subnets | string | `` | no |
 | database_subnets | A list of database subnets | list | `` | no |
@@ -181,6 +185,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set | string | `` | no | | dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set | list | `` | no | | dhcp_options_tags | Additional tags for the DHCP option set | string | `` | no | +| elasticache_route_table_tags | Additional tags for the elasticache route tables | string | `` | no | | elasticache_subnet_tags | Additional tags for the elasticache subnets | string | `` | no | | elasticache_subnets | A list of elasticache subnets | list | `` | no | | enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no | @@ -210,6 +215,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | public_route_table_tags | Additional tags for the public route tables | string | `` | no | | public_subnet_tags | Additional tags for the public subnets | string | `` | no | | public_subnets | A list of public subnets inside the VPC | string | `` | no | +| redshift_route_table_tags | Additional tags for the redshift route tables | string | `` | no | | redshift_subnet_group_tags | Additional tags for the redshift subnet group | string | `` | no | | redshift_subnet_tags | Additional tags for the redshift subnets | string | `` | no | | redshift_subnets | A list of redshift subnets | list | `` | no | @@ -224,6 +230,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | |------|-------------| +| database_route_table_ids | List of IDs of database route tables | | database_subnet_group | ID of database subnet group | | database_subnets | List of IDs of database subnets | | database_subnets_cidr_blocks | List of cidr_blocks of database subnets | 
@@ -239,6 +246,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | default_vpc_id | Default VPC |
 | default_vpc_instance_tenancy | Tenancy of instances spin up within VPC |
 | default_vpc_main_route_table_id | The ID of the main route table associated with this VPC |
+| elasticache_route_table_ids | List of IDs of elasticache route tables |
 | elasticache_subnet_group | ID of elasticache subnet group |
 | elasticache_subnet_group_name | Name of elasticache subnet group |
 | elasticache_subnets | List of IDs of elasticache subnets |
@@ -247,7 +255,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | intra_route_table_ids | List of IDs of intra route tables |
 | intra_subnets | List of IDs of intra subnets |
 | intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
-| nat_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
+| nat_ids | Nat gateway |
 | nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
 | natgw_ids | List of NAT Gateway IDs |
 | private_route_table_ids | List of IDs of private route tables |
@@ -256,6 +264,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | public_route_table_ids | Route tables |
 | public_subnets | List of IDs of public subnets |
 | public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
+| redshift_route_table_ids | List of IDs of redshift route tables |
 | redshift_subnet_group | ID of redshift subnet group |
 | redshift_subnets | List of IDs of redshift subnets |
 | redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets |
diff --git a/examples/vpc-separate-private-route-tables/README.md b/examples/vpc-separate-private-route-tables/README.md
new file mode 100644
index 000000000..332c12a25
--- /dev/null
+++ b/examples/vpc-separate-private-route-tables/README.md
@@ -0,0 +1,33 @@ +# VPC with separate private route tables + +Configuration in this directory creates set of VPC resources which may be sufficient for staging or production environment (look into [simple-vpc](../simple-vpc) for more simplified setup). + +There are public, private, database, ElastiCache, Redshift subnets, NAT Gateways created in each availability zone. **This example sets up separate private route for database, elasticache and redshift subnets.**. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. + + + +## Outputs + +| Name | Description | +|------|-------------| +| database_subnets | List of IDs of database subnets | +| elasticache_subnets | List of IDs of elasticache subnets | +| nat_public_ips | NAT gateways | +| private_subnets | Subnets | +| public_subnets | List of IDs of public subnets | +| redshift_subnets | List of IDs of elasticache subnets | +| vpc_id | VPC | + + diff --git a/examples/vpc-separate-private-route-tables/main.tf b/examples/vpc-separate-private-route-tables/main.tf new file mode 100644 index 000000000..b380a4065 --- /dev/null +++ b/examples/vpc-separate-private-route-tables/main.tf 
@@ -0,0 +1,31 @@ +provider "aws" { + region = "eu-west-1" +} + +module "vpc" { + source = "../../" + + name = "vpc-separate-private-route-tables" + + cidr = "10.10.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"] + public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"] + database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"] + elasticache_subnets = ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"] + redshift_subnets = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"] + + create_database_subnet_route_table = true + create_elasticache_subnet_route_table = true + create_redshift_subnet_route_table = true + + single_nat_gateway = true + enable_nat_gateway = true + + tags = { + Owner = "user" + Environment = "staging" + Name = "separate-private-route-tables" + } +} diff --git a/examples/vpc-separate-private-route-tables/outputs.tf b/examples/vpc-separate-private-route-tables/outputs.tf new file mode 100644 index 000000000..1a4ba6073 --- /dev/null +++ b/examples/vpc-separate-private-route-tables/outputs.tf 
@@ -0,0 +1,37 @@ +# VPC +output "vpc_id" { + description = "The ID of the VPC" + value = "${module.vpc.vpc_id}" +} + +# Subnets +output "private_subnets" { + description = "List of IDs of private subnets" + value = ["${module.vpc.private_subnets}"] +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = ["${module.vpc.public_subnets}"] +} + +output "database_subnets" { + description = "List of IDs of database subnets" + value = ["${module.vpc.database_subnets}"] +} + +output "elasticache_subnets" { + description = "List of IDs of elasticache subnets" + value = ["${module.vpc.elasticache_subnets}"] +} + +output "redshift_subnets" { + description = "List of IDs of elasticache subnets" + value = ["${module.vpc.redshift_subnets}"] +} + +# NAT gateways +output "nat_public_ips" { + description = "List of public Elastic IPs created for AWS NAT Gateway" + value = ["${module.vpc.nat_public_ips}"] +} diff --git a/main.tf b/main.tf index b40b988a0..79938af9d 100644 --- a/main.tf +++ b/main.tf 
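Review bot: The `redshift_subnets` output in this new outputs.tf carries a copy-pasted description, `description = "List of IDs of elasticache subnets"`, which should read `description = "List of IDs of redshift subnets"`. The same wrong text appears in the example README table added by this commit, so it will keep propagating wherever the docs are generated from these outputs.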
@@ -98,6 +98,39 @@ resource "aws_route_table" "private" { } } +################# +# Database routes +################# +resource "aws_route_table" "database" { + count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0}" + + vpc_id = "${aws_vpc.this.id}" + + tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-database"))}" +} + +################# +# Redshift routes +################# +resource "aws_route_table" "redshift" { + count = "${var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0}" + + vpc_id = "${aws_vpc.this.id}" + + tags = "${merge(var.tags, var.redshift_route_table_tags, map("Name", "${var.name}-redshift"))}" +} + +################# +# Elasticache routes +################# +resource "aws_route_table" "elasticache" { + count = "${var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0}" + + vpc_id = "${aws_vpc.this.id}" + + tags = "${merge(var.tags, var.elasticache_route_table_tags, map("Name", "${var.name}-elasticache"))}" +} + ################# # Intra routes ################# 
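Review bot: Tag precedence in the three new `aws_route_table` resources is reversed relative to the existing ones: `merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-database"))` lets the generated Name win over everything, while the public and private tables elsewhere in main.tf use `merge(map("Name", ...), var.private_route_table_tags, var.tags)` so user-supplied tags win. Pick one order, e.g. `tags = "${merge(map("Name", format("%s-database", var.name)), var.database_route_table_tags, var.tags)}"`, and apply it to the redshift and elasticache tables in the same hunk. Separately, as far as this hunk shows no `aws_route` is attached to these tables, so subnets moved onto them keep only the VPC-local route and lose the NAT egress they had via the private table; a comment stating that this isolation is the intended default would save users a surprise.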
@@ -350,21 +383,21 @@ resource "aws_route_table_association" "database" { count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0}" subnet_id = "${element(aws_subnet.database.*.id, count.index)}" - route_table_id = "${element(aws_route_table.private.*.id, (var.single_nat_gateway ? 0 : count.index))}" + route_table_id = "${element(coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index))}" } resource "aws_route_table_association" "redshift" { count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" - route_table_id = "${element(aws_route_table.private.*.id, (var.single_nat_gateway ? 0 : count.index))}" + route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" } resource "aws_route_table_association" "elasticache" { count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" subnet_id = "${element(aws_subnet.elasticache.*.id, count.index)}" - route_table_id = "${element(aws_route_table.private.*.id, (var.single_nat_gateway ? 0 : count.index))}" + route_table_id = "${element(coalescelist(aws_route_table.elasticache.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index))}" } resource "aws_route_table_association" "intra" { diff --git a/outputs.tf b/outputs.tf index 33118e555..2fe5dca89 100644 --- a/outputs.tf +++ b/outputs.tf 
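Review bot: The index expression `(var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index)` is repeated, with one name swapped, across the database, redshift and elasticache associations in this hunk, and its pairing with `coalescelist(...)` is easy to break when only one side is updated later. Since each dedicated table has a `count` of at most 1, a short comment above each association saying that index 0 is forced whenever the dedicated table exists, and that the old per-AZ selection into the private tables applies otherwise, would keep the intent visible. `aws_route_table_association.intra` continues outside the hunk.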
@@ -151,11 +151,27 @@ output "private_route_table_ids" { value = ["${aws_route_table.private.*.id}"] } +output "database_route_table_ids" { + description = "List of IDs of database route tables" + value = ["${coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id)}"] +} + +output "redshift_route_table_ids" { + description = "List of IDs of redshift route tables" + value = ["${coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id)}"] +} + +output "elasticache_route_table_ids" { + description = "List of IDs of elasticache route tables" + value = ["${coalescelist(aws_route_table.elasticache.*.id, aws_route_table.private.*.id)}"] +} + output "intra_route_table_ids" { description = "List of IDs of intra route tables" value = ["${aws_route_table.intra.*.id}"] } +# Nat gateway output "nat_ids" { description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway" value = ["${aws_eip.nat.*.id}"] diff --git a/variables.tf b/variables.tf index f1c8c83ce..b7f7bd0f3 100644 --- a/variables.tf +++ b/variables.tf @@ -46,6 +46,21 @@ variable "elasticache_subnets" { default = [] } +variable "create_database_subnet_route_table" { + description = "Controls if separate route table for database should be created" + default = false +} + +variable "create_redshift_subnet_route_table" { + description = "Controls if separate route table for redshift should be created" + default = false +} + +variable "create_elasticache_subnet_route_table" { + description = "Controls if separate route table for elasticache should be created" + default = false +} + variable "intra_subnets" { type = "list" description = "A list of intra subnets" 
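Review bot: `database_route_table_ids` (and its redshift and elasticache twins below it) fall back to `aws_route_table.private.*.id` when no dedicated table exists, but the description says only `List of IDs of database route tables`; stating the fallback, e.g. `description = "List of IDs of database route tables (the private route tables when create_database_subnet_route_table is false)"`, tells consumers why these IDs may duplicate `private_route_table_ids`. The `# Nat gateway` comment added above `output "nat_ids"` also appears to be what the README generator picked up as that output's description, since the README row in this same commit changes from the full description to `Nat gateway`; dropping or moving the comment keeps the documented description intact.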
@@ -168,6 +183,21 @@ variable "private_route_table_tags" { default = {} } +variable "database_route_table_tags" { + description = "Additional tags for the database route tables" + default = {} +} + +variable "redshift_route_table_tags" { + description = "Additional tags for the redshift route tables" + default = {} +} + +variable "elasticache_route_table_tags" { + description = "Additional tags for the elasticache route tables" + default = {} +} + variable "intra_route_table_tags" { description = "Additional tags for the intra route tables" default = {} From a9e92d2e77d1dd9f328febf63cee2b7b82ba2067 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sun, 19 Aug 2018 14:39:17 +0200 Subject: [PATCH 03/81] Add minimum support for IPv6 to VPC (#156) * Added support for IPv6 to VPC --- README.md | 3 +++ examples/simple-vpc/README.md | 2 ++ examples/simple-vpc/main.tf | 2 ++ examples/simple-vpc/outputs.tf | 11 +++++++++++ main.tf | 9 +++++---- outputs.tf | 18 +++++++++--------- variables.tf | 5 +++++ 7 files changed, 37 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index fb38b180b..b94ffc864 100644 --- a/README.md +++ b/README.md @@ -163,6 +163,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no | | azs | A list of availability zones in the region | string | `` | no | | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no | | create_database_subnet_group | Controls if database subnet group should be created | string | `true` | no | 
@@ -278,6 +279,8 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint. | | vpc_id | VPC | | vpc_instance_tenancy | Tenancy of instances spin up within VPC | +| vpc_ipv6_association_id | The association ID for the IPv6 CIDR block | +| vpc_ipv6_cidr_block | The IPv6 CIDR block | | vpc_main_route_table_id | The ID of the main route table associated with this VPC | diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md index 891ae91b7..21b858ea4 100644 --- a/examples/simple-vpc/README.md +++ b/examples/simple-vpc/README.md @@ -25,6 +25,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP | nat_public_ips | NAT gateways | | private_subnets | Subnets | | public_subnets | List of IDs of public subnets | +| vpc_cidr_block | CIDR blocks | | vpc_id | VPC | +| vpc_ipv6_cidr_block | The IPv6 CIDR block | diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf index a483abe19..a715edad3 100644 --- a/examples/simple-vpc/main.tf +++ b/examples/simple-vpc/main.tf @@ -13,6 +13,8 @@ module "vpc" { private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + assign_generated_ipv6_cidr_block = true + enable_nat_gateway = true single_nat_gateway = true diff --git a/examples/simple-vpc/outputs.tf b/examples/simple-vpc/outputs.tf index b3aae2e39..230dc9051 100644 --- a/examples/simple-vpc/outputs.tf +++ b/examples/simple-vpc/outputs.tf @@ -4,6 +4,17 @@ output "vpc_id" { value = "${module.vpc.vpc_id}" } +# CIDR blocks +output "vpc_cidr_block" { + description = "The CIDR block of the VPC" + value = ["${module.vpc.vpc_cidr_block}"] +} + +output "vpc_ipv6_cidr_block" { + description = "The IPv6 CIDR block" + value = ["${module.vpc.vpc_ipv6_cidr_block}"] +} + # Subnets output "private_subnets" { description = "List of IDs of private subnets" 
diff --git a/main.tf b/main.tf index 79938af9d..c1d3eaf75 100644 --- a/main.tf +++ b/main.tf @@ -13,10 +13,11 @@ locals { resource "aws_vpc" "this" { count = "${var.create_vpc ? 1 : 0}" - cidr_block = "${var.cidr}" - instance_tenancy = "${var.instance_tenancy}" - enable_dns_hostnames = "${var.enable_dns_hostnames}" - enable_dns_support = "${var.enable_dns_support}" + cidr_block = "${var.cidr}" + instance_tenancy = "${var.instance_tenancy}" + enable_dns_hostnames = "${var.enable_dns_hostnames}" + enable_dns_support = "${var.enable_dns_support}" + assign_generated_ipv6_cidr_block = "${var.assign_generated_ipv6_cidr_block}" tags = "${merge(map("Name", format("%s", var.name)), var.vpc_tags, var.tags)}" } diff --git a/outputs.tf b/outputs.tf index 2fe5dca89..5498f8595 100644 --- a/outputs.tf +++ b/outputs.tf @@ -49,15 +49,15 @@ output "vpc_main_route_table_id" { value = "${element(concat(aws_vpc.this.*.main_route_table_id, list("")), 0)}" } -//output "vpc_ipv6_association_id" { -// description = "The association ID for the IPv6 CIDR block" -// value = "${element(concat(aws_vpc.this.*.ipv6_association_id, list("")), 0)}" -//} -// -//output "vpc_ipv6_cidr_block" { -// description = "The IPv6 CIDR block" -// value = "${element(concat(aws_vpc.this.*.ipv6_cidr_block, list("")), 0)}" -//} +output "vpc_ipv6_association_id" { + description = "The association ID for the IPv6 CIDR block" + value = "${element(concat(aws_vpc.this.*.ipv6_association_id, list("")), 0)}" +} + +output "vpc_ipv6_cidr_block" { + description = "The IPv6 CIDR block" + value = "${element(concat(aws_vpc.this.*.ipv6_cidr_block, list("")), 0)}" +} # Subnets output "private_subnets" { diff --git a/variables.tf b/variables.tf index b7f7bd0f3..c5c753c9c 100644 --- a/variables.tf +++ b/variables.tf 
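Review bot: Setting `assign_generated_ipv6_cidr_block` on `aws_vpc.this` only allocates the /56; nothing in this hunk assigns IPv6 ranges to subnets or adds an IPv6 route, so from this change alone the block is allocated but unused, which matches the commit's "minimum support" wording but is not obvious from the code. A one-line comment next to the new attribute, `# Allocates the VPC-level IPv6 block only; subnets and routes are not IPv6-enabled by this flag`, would set expectations. The `locals` block named in the hunk header is outside the hunk.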
@@ -13,6 +13,11 @@ variable "cidr" { default = "0.0.0.0/0" } +variable "assign_generated_ipv6_cidr_block" { + description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block" + default = false +} + variable "instance_tenancy" { description = "A tenancy option for instances launched into the VPC" default = "default" From 553d76aed1890728326e1de8dc5a9ab01730c5f0 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sun, 19 Aug 2018 15:22:49 +0200 Subject: [PATCH 04/81] Removed IPv6 from outputs (fixed #157) (#158) --- README.md | 2 -- examples/simple-vpc/README.md | 1 - examples/simple-vpc/outputs.tf | 8 ++++---- outputs.tf | 18 +++++++++--------- 4 files changed, 13 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index b94ffc864..44571477d 100644 --- a/README.md +++ b/README.md @@ -279,8 +279,6 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint. | | vpc_id | VPC | | vpc_instance_tenancy | Tenancy of instances spin up within VPC | -| vpc_ipv6_association_id | The association ID for the IPv6 CIDR block | -| vpc_ipv6_cidr_block | The IPv6 CIDR block | | vpc_main_route_table_id | The ID of the main route table associated with this VPC | diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md index 21b858ea4..ff94ad03c 100644 --- a/examples/simple-vpc/README.md +++ b/examples/simple-vpc/README.md @@ -27,6 +27,5 @@ Note that this example may create resources which can cost money (AWS Elastic IP | public_subnets | List of IDs of public subnets | | vpc_cidr_block | CIDR blocks | | vpc_id | VPC | -| vpc_ipv6_cidr_block | The IPv6 CIDR block | diff --git a/examples/simple-vpc/outputs.tf b/examples/simple-vpc/outputs.tf index 230dc9051..35eb73359 100644 --- a/examples/simple-vpc/outputs.tf +++ b/examples/simple-vpc/outputs.tf 
@@ -10,10 +10,10 @@ output "vpc_cidr_block" { value = ["${module.vpc.vpc_cidr_block}"] } -output "vpc_ipv6_cidr_block" { - description = "The IPv6 CIDR block" - value = ["${module.vpc.vpc_ipv6_cidr_block}"] -} +//output "vpc_ipv6_cidr_block" { +// description = "The IPv6 CIDR block" +// value = ["${module.vpc.vpc_ipv6_cidr_block}"] +//} # Subnets output "private_subnets" { diff --git a/outputs.tf b/outputs.tf index 5498f8595..2fe5dca89 100644 --- a/outputs.tf +++ b/outputs.tf @@ -49,15 +49,15 @@ output "vpc_main_route_table_id" { value = "${element(concat(aws_vpc.this.*.main_route_table_id, list("")), 0)}" } -output "vpc_ipv6_association_id" { - description = "The association ID for the IPv6 CIDR block" - value = "${element(concat(aws_vpc.this.*.ipv6_association_id, list("")), 0)}" -} - -output "vpc_ipv6_cidr_block" { - description = "The IPv6 CIDR block" - value = "${element(concat(aws_vpc.this.*.ipv6_cidr_block, list("")), 0)}" -} +//output "vpc_ipv6_association_id" { +// description = "The association ID for the IPv6 CIDR block" +// value = "${element(concat(aws_vpc.this.*.ipv6_association_id, list("")), 0)}" +//} +// +//output "vpc_ipv6_cidr_block" { +// description = "The IPv6 CIDR block" +// value = "${element(concat(aws_vpc.this.*.ipv6_cidr_block, list("")), 0)}" +//} # Subnets output "private_subnets" { From d722430952dc5ba1e551c0329e917456333a4e7b Mon Sep 17 00:00:00 2001 
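Review bot: Both hunks here replace the IPv6 outputs with `//`-commented copies instead of deleting them, leaving dead blocks in `outputs.tf` and in the simple-vpc `outputs.tf` that readers must parse to learn they are inert. Since the commit subject already records why they were removed (fixed #157), deleting the blocks and, if the reason needs to live in the file, leaving a single `# IPv6 outputs removed, see #157` line is clearer than commented-out HCL; the surrounding file uses `#` comments (`# Subnets`), not `//`.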
From: Anton Babenko Date: Tue, 4 Sep 2018 14:54:36 +0200 Subject: [PATCH 05/81] Add secondary CIDR block support (#163) * Add secondary CIDR block support using a local variable to derive the vpc id to ensure the CIDR block operations are applied before the CIDR operations * Add secondary cidr block outputs to module output * Add the wonderful examples from matthiasr's PR located at https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/162 all credit goes to them for this wonderful example * From copy and paste accidentally used variable name that differed from these variables * Resolve typo in secondary_cidr_blocks * Fixed README formatting * Followups for #161 * Added local.vpc_id with description --- README.md | 2 + examples/secondary-cidr-blocks/README.md | 32 +++++++++++++++ examples/secondary-cidr-blocks/main.tf | 33 ++++++++++++++++ examples/secondary-cidr-blocks/outputs.tf | 33 ++++++++++++++++ main.tf | 47 ++++++++++++++--------- outputs.tf | 5 +++ variables.tf | 5 +++ 7 files changed, 139 insertions(+), 18 deletions(-) create mode 100644 examples/secondary-cidr-blocks/README.md create mode 100644 examples/secondary-cidr-blocks/main.tf create mode 100644 examples/secondary-cidr-blocks/outputs.tf diff --git a/README.md b/README.md index 44571477d..e7406a36e 100644 --- a/README.md +++ b/README.md 
@@ -221,6 +221,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | redshift_subnet_tags | Additional tags for the redshift subnets | string | `` | no | | redshift_subnets | A list of redshift subnets | list | `` | no | | reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `false` | no | +| secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | string | `` | no | | single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `false` | no | | tags | A map of tags to add to all resources | string | `` | no | | vpc_tags | Additional tags for the VPC | string | `` | no | @@ -280,6 +281,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc_id | VPC | | vpc_instance_tenancy | Tenancy of instances spin up within VPC | | vpc_main_route_table_id | The ID of the main route table associated with this VPC | +| vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC | diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md new file mode 100644 index 000000000..6d7cade4d --- /dev/null +++ b/examples/secondary-cidr-blocks/README.md 
@@ -0,0 +1,32 @@ +# Simple VPC with secondary CIDR blocks + +Configuration in this directory creates set of VPC resources across multiple CIDR blocks. + +There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. + + + +## Outputs + +| Name | Description | +|------|-------------| +| nat_public_ips | NAT gateways | +| private_subnets | Subnets | +| public_subnets | List of IDs of public subnets | +| vpc_cidr_block | CIDR blocks | +| vpc_id | VPC | +| vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC | + + diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf new file mode 100644 index 000000000..e4cc43231 --- /dev/null +++ b/examples/secondary-cidr-blocks/main.tf @@ -0,0 +1,33 @@ +provider "aws" { + region = "eu-west-1" +} + +module "vpc" { + source = "../../" + + name = "secondary-cidr-blocks-example" + + cidr = "10.0.0.0/16" + secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"] + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"] + + assign_generated_ipv6_cidr_block = true + enable_nat_gateway = true + single_nat_gateway = true + + public_subnet_tags = { + Name = "overridden-name-public" + } + + tags = { + Owner = "user" + Environment = "dev" + } + + vpc_tags = { + Name = "vpc-name" + } +} diff --git a/examples/secondary-cidr-blocks/outputs.tf b/examples/secondary-cidr-blocks/outputs.tf new file mode 100644 index 000000000..7cc6480d8 --- /dev/null +++ b/examples/secondary-cidr-blocks/outputs.tf 
@@ -0,0 +1,33 @@ +# VPC +output "vpc_id" { + description = "The ID of the VPC" + value = "${module.vpc.vpc_id}" +} + +# CIDR blocks +output "vpc_cidr_block" { + description = "The CIDR block of the VPC" + value = ["${module.vpc.vpc_cidr_block}"] +} + +output "vpc_secondary_cidr_blocks" { + description = "List of secondary CIDR blocks of the VPC" + value = ["${module.vpc.vpc_secondary_cidr_blocks}"] +} + +# Subnets +output "private_subnets" { + description = "List of IDs of private subnets" + value = ["${module.vpc.private_subnets}"] +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = ["${module.vpc.public_subnets}"] +} + +# NAT gateways +output "nat_public_ips" { + description = "List of public Elastic IPs created for AWS NAT Gateway" + value = ["${module.vpc.nat_public_ips}"] +} diff --git a/main.tf b/main.tf index c1d3eaf75..6b41a57a5 100644 --- a/main.tf +++ b/main.tf @@ -5,6 +5,9 @@ terraform { locals { max_subnet_length = "${max(length(var.private_subnets), length(var.elasticache_subnets), length(var.database_subnets), length(var.redshift_subnets))}" nat_gateway_count = "${var.single_nat_gateway ? 1 : (var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length)}" + + # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free! + vpc_id = "${element(concat(aws_vpc_ipv4_cidr_block_association.this.*.vpc_id, aws_vpc.this.*.id, list("")), 0)}" } ###### @@ -22,6 +25,14 @@ resource "aws_vpc" "this" { tags = "${merge(map("Name", format("%s", var.name)), var.vpc_tags, var.tags)}" } +resource "aws_vpc_ipv4_cidr_block_association" "this" { + count = "${var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0}" + + vpc_id = "${aws_vpc.this.id}" + + cidr_block = "${element(var.secondary_cidr_blocks, count.index)}" +} + ################### # DHCP Options Set ################### 
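Review bot: The new `aws_vpc_ipv4_cidr_block_association.this` resource has no `#####`-style banner like the neighbouring `# DHCP Options Set` section, and the ordering trick it participates in is explained only by the exclamation-mark comment in `locals`. Add a banner such as `# Secondary CIDR blocks` above the resource and, in the same comment, spell out the contract the existing `locals` comment implies: every VPC-scoped resource must reference `local.vpc_id` rather than `aws_vpc.this.id`, otherwise it will not depend on the association and, going by that comment, the subnet/CIDR teardown order is no longer guaranteed. The `terraform {}` block named in the first hunk header is outside the hunk.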
@@ -43,7 +54,7 @@ resource "aws_vpc_dhcp_options" "this" { resource "aws_vpc_dhcp_options_association" "this" { count = "${var.create_vpc && var.enable_dhcp_options ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" dhcp_options_id = "${aws_vpc_dhcp_options.this.id}" } @@ -53,7 +64,7 @@ resource "aws_vpc_dhcp_options_association" "this" { resource "aws_internet_gateway" "this" { count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(map("Name", format("%s", var.name)), var.igw_tags, var.tags)}" } @@ -64,7 +75,7 @@ resource "aws_internet_gateway" "this" { resource "aws_route_table" "public" { count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(map("Name", format("%s-public", var.name)), var.public_route_table_tags, var.tags)}" } @@ -88,7 +99,7 @@ resource "aws_route" "public_internet_gateway" { resource "aws_route_table" "private" { count = "${var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-private" : format("%s-private-%s", var.name, element(var.azs, count.index)))), var.private_route_table_tags, var.tags)}" @@ -105,7 +116,7 @@ resource "aws_route_table" "private" { resource "aws_route_table" "database" { count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-database"))}" } 
@@ -116,7 +127,7 @@ resource "aws_route_table" "database" { resource "aws_route_table" "redshift" { count = "${var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(var.tags, var.redshift_route_table_tags, map("Name", "${var.name}-redshift"))}" } @@ -127,7 +138,7 @@ resource "aws_route_table" "redshift" { resource "aws_route_table" "elasticache" { count = "${var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(var.tags, var.elasticache_route_table_tags, map("Name", "${var.name}-elasticache"))}" } @@ -138,7 +149,7 @@ resource "aws_route_table" "elasticache" { resource "aws_route_table" "intra" { count = "${var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(map("Name", "${var.name}-intra"), var.intra_route_table_tags, var.tags)}" } @@ -149,7 +160,7 @@ resource "aws_route_table" "intra" { resource "aws_subnet" "public" { count = "${var.create_vpc && length(var.public_subnets) > 0 && (!var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" cidr_block = "${var.public_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" map_public_ip_on_launch = "${var.map_public_ip_on_launch}" @@ -163,7 +174,7 @@ resource "aws_subnet" "public" { resource "aws_subnet" "private" { count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" cidr_block = "${var.private_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" 
@@ -176,7 +187,7 @@ resource "aws_subnet" "private" { resource "aws_subnet" "database" { count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" cidr_block = "${var.database_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" @@ -199,7 +210,7 @@ resource "aws_db_subnet_group" "database" { resource "aws_subnet" "redshift" { count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" cidr_block = "${var.redshift_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" @@ -222,7 +233,7 @@ resource "aws_redshift_subnet_group" "redshift" { resource "aws_subnet" "elasticache" { count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" cidr_block = "${var.elasticache_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" @@ -243,7 +254,7 @@ resource "aws_elasticache_subnet_group" "elasticache" { resource "aws_subnet" "intra" { count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" cidr_block = "${var.intra_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" @@ -308,7 +319,7 @@ data "aws_vpc_endpoint_service" "s3" { resource "aws_vpc_endpoint" "s3" { count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" service_name = "${data.aws_vpc_endpoint_service.s3.service_name}" } 
@@ -345,7 +356,7 @@ data "aws_vpc_endpoint_service" "dynamodb" { resource "aws_vpc_endpoint" "dynamodb" { count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}" } @@ -421,7 +432,7 @@ resource "aws_route_table_association" "public" { resource "aws_vpn_gateway" "this" { count = "${var.create_vpc && var.enable_vpn_gateway ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" tags = "${merge(map("Name", format("%s", var.name)), var.vpn_gateway_tags, var.tags)}" } @@ -429,7 +440,7 @@ resource "aws_vpn_gateway" "this" { resource "aws_vpn_gateway_attachment" "this" { count = "${var.vpn_gateway_id != "" ? 1 : 0}" - vpc_id = "${aws_vpc.this.id}" + vpc_id = "${local.vpc_id}" vpn_gateway_id = "${var.vpn_gateway_id}" } diff --git a/outputs.tf b/outputs.tf index 2fe5dca89..43393a652 100644 --- a/outputs.tf +++ b/outputs.tf @@ -59,6 +59,11 @@ output "vpc_main_route_table_id" { // value = "${element(concat(aws_vpc.this.*.ipv6_cidr_block, list("")), 0)}" //} +output "vpc_secondary_cidr_blocks" { + description = "List of secondary CIDR blocks of the VPC" + value = ["${aws_vpc_ipv4_cidr_block_association.this.*.cidr_block}"] +} + # Subnets output "private_subnets" { description = "List of IDs of private subnets" diff --git a/variables.tf b/variables.tf index c5c753c9c..c21d2872b 100644 --- a/variables.tf +++ b/variables.tf @@ -18,6 +18,11 @@ variable "assign_generated_ipv6_cidr_block" { default = false } +variable "secondary_cidr_blocks" { + description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool" + default = [] +} + variable "instance_tenancy" { description = "A tenancy option for instances launched into the VPC" default = "default" From 8aa0a9a8bac7315f668ea1a95245e95ebba84010 Mon Sep 17 00:00:00 2001 
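Review bot: In the `aws_vpn_gateway_attachment.this` hunk the switch to `vpc_id = "${local.vpc_id}"` combines badly with the resource's `count`, which is gated only on `var.vpn_gateway_id != ""` and not on `var.create_vpc`: with `create_vpc = false` and a gateway id supplied, `local.vpc_id` (defined in the first main.tf hunk of this patch) falls through `concat(...)` to its `list("")` fallback and the attachment is attempted with an empty VPC id, which I would expect to fail only at apply time rather than at plan time as the old direct reference to `aws_vpc.this.id` presumably did. Guarding the count, `count = "${var.create_vpc && var.vpn_gateway_id != "" ? 1 : 0}"`, makes the behaviour match the other resources in this patch. All other `vpc_id` rewrites in the preceding hunks are on resources whose count already includes `var.create_vpc`, so they are unaffected.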
From: Rupert Broad Date: Fri, 14 Sep 2018 15:23:05 +0200 Subject: [PATCH 06/81] add vars for custom subnet and route table names (#168) * add vars for custom subnet and route table names * revert db suffix to "db" --- main.tf | 20 ++++++++++---------- variables.tf | 25 +++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/main.tf b/main.tf index 6b41a57a5..57feaf7bb 100644 --- a/main.tf +++ b/main.tf @@ -77,7 +77,7 @@ resource "aws_route_table" "public" { vpc_id = "${local.vpc_id}" - tags = "${merge(map("Name", format("%s-public", var.name)), var.public_route_table_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.public_route_table_tags, var.tags)}" } resource "aws_route" "public_internet_gateway" { @@ -101,7 +101,7 @@ resource "aws_route_table" "private" { vpc_id = "${local.vpc_id}" - tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-private" : format("%s-private-%s", var.name, element(var.azs, count.index)))), var.private_route_table_tags, var.tags)}" + tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index)))), var.private_route_table_tags, var.tags)}" lifecycle { # When attaching VPN gateways it is common to define aws_vpn_gateway_route_propagation @@ -118,7 +118,7 @@ resource "aws_route_table" "database" { vpc_id = "${local.vpc_id}" - tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-database"))}" + tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-${var.database_subnet_suffix}"))}" } ################# 
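Review bot: In the `aws_route_table.public` tags line the user-supplied `var.public_subnet_suffix` is spliced into the `format()` template string itself, `format("%s-${var.public_subnet_suffix}", var.name)`, instead of being passed as an argument, so a suffix containing `%` is interpreted as a format verb and breaks the plan; the private and database route-table hunks on this line and the subnet hunks in the next two lines have the same shape. Passing the suffix as data keeps configuration values out of the template: `format("%s-%s", var.name, var.public_subnet_suffix)` for the route tables and `format("%s-%s-%s", var.name, var.public_subnet_suffix, element(var.azs, count.index))` for the per-AZ subnet names. The same pattern applies to the redshift and elasticache hunks.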
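Review bot: The `aws_route_table.database` hunk changes the route table's default Name tag from `<name>-database` to `<name>-db`, because `var.database_subnet_suffix` defaults to `db` (matching the existing subnet naming) while the route table previously used the literal `database`; on upgrade every existing user's database route table is retagged without opting in. Anyone keying tag-based automation, cost allocation or IAM tag conditions on that Name will notice, so this deserves a changelog line, or the route table should keep `"${var.name}-database"` unless the variable is explicitly set. The subnet hunks are unaffected since their default already produced `-db-`.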
@@ -129,7 +129,7 @@ resource "aws_route_table" "redshift" { vpc_id = "${local.vpc_id}" - tags = "${merge(var.tags, var.redshift_route_table_tags, map("Name", "${var.name}-redshift"))}" + tags = "${merge(var.tags, var.redshift_route_table_tags, map("Name", "${var.name}-${var.redshift_subnet_suffix}"))}" } ################# @@ -140,7 +140,7 @@ resource "aws_route_table" "elasticache" { vpc_id = "${local.vpc_id}" - tags = "${merge(var.tags, var.elasticache_route_table_tags, map("Name", "${var.name}-elasticache"))}" + tags = "${merge(var.tags, var.elasticache_route_table_tags, map("Name", "${var.name}-${var.elasticache_subnet_suffix}"))}" } ################# @@ -165,7 +165,7 @@ resource "aws_subnet" "public" { availability_zone = "${element(var.azs, count.index)}" map_public_ip_on_launch = "${var.map_public_ip_on_launch}" - tags = "${merge(map("Name", format("%s-public-%s", var.name, element(var.azs, count.index))), var.public_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.public_subnet_tags, var.tags)}" } ################# @@ -178,7 +178,7 @@ resource "aws_subnet" "private" { cidr_block = "${var.private_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-private-%s", var.name, element(var.azs, count.index))), var.private_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.private_subnet_tags, var.tags)}" } ################## 
@@ -191,7 +191,7 @@ resource "aws_subnet" "database" { cidr_block = "${var.database_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-db-%s", var.name, element(var.azs, count.index))), var.database_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.database_subnet_tags, var.tags)}" } resource "aws_db_subnet_group" "database" { @@ -214,7 +214,7 @@ resource "aws_subnet" "redshift" { cidr_block = "${var.redshift_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-redshift-%s", var.name, element(var.azs, count.index))), var.redshift_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.redshift_subnet_tags, var.tags)}" } resource "aws_redshift_subnet_group" "redshift" { @@ -237,7 +237,7 @@ resource "aws_subnet" "elasticache" { cidr_block = "${var.elasticache_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-elasticache-%s", var.name, element(var.azs, count.index))), var.elasticache_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.elasticache_subnet_tags, var.tags)}" } resource "aws_elasticache_subnet_group" "elasticache" { diff --git a/variables.tf b/variables.tf index c21d2872b..7b1e6ae16 100644 --- a/variables.tf +++ b/variables.tf 
@@ -28,6 +28,31 @@ variable "instance_tenancy" { default = "default" } +variable "public_subnet_suffix" { + description = "Suffix to append to public subnets name" + default = "public" +} + +variable "private_subnet_suffix" { + description = "Suffix to append to private subnets name" + default = "private" +} + +variable "database_subnet_suffix" { + description = "Suffix to append to database subnets name" + default = "db" +} + +variable "redshift_subnet_suffix" { + description = "Suffix to append to redshift subnets name" + default = "redshift" +} + +variable "elasticache_subnet_suffix" { + description = "Suffix to append to elasticache subnets name" + default = "elasticache" +} + variable "public_subnets" { description = "A list of public subnets inside the VPC" default = [] From ce44f3e8b8452c0b371c15d2a62596b080a52ca8 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sat, 15 Sep 2018 13:24:23 +0200 Subject: [PATCH 07/81] Added cloudcraft.co as a sponsor for this module --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index e7406a36e..ae10bd5a2 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,10 @@ These types of resources are supported: * [DHCP Options Set](https://www.terraform.io/docs/providers/aws/r/vpc_dhcp_options.html) * [Default VPC](https://www.terraform.io/docs/providers/aws/r/default_vpc.html) +Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co) + +Cloudcraft - the best way to draw AWS diagrams + ## Usage ```hcl From e236321414fb4cf82b6d392187f977698729bb4a Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sat, 15 Sep 2018 13:25:11 +0200 Subject: [PATCH 08/81] Added cloudcraft.co as a sponsor for this module --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ae10bd5a2..99e708914 100644 --- a/README.md +++ b/README.md 
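Review bot: The descriptions of the five new suffix variables mention only subnet names, but the main.tf hunks in this patch apply each suffix to the matching route table's Name tag as well; a reader choosing a suffix from the README table would not expect the route table to be renamed too. A description such as `description = "Suffix to append to public subnet and route table names"` (and likewise for the other four) states the full effect. The default of `db` for `database_subnet_suffix` alongside `database` for the other names is also worth a one-line comment so nobody "normalises" it later and renames every user's subnets.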
@@ -22,7 +22,7 @@ These types of resources are supported: Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co) -Cloudcraft - the best way to draw AWS diagrams +Cloudcraft - the best way to draw AWS diagrams ## Usage From 5a147eb0166ef9d20fd27768bb8d357ae31e9553 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sun, 16 Sep 2018 17:34:37 +0200 Subject: [PATCH 09/81] Removed comments starting from # to fix README --- README.md | 21 +++++++++++++-------- outputs.tf | 8 -------- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 99e708914..6beebfa0f 100644 --- a/README.md +++ b/README.md @@ -177,6 +177,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | create_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no | | database_route_table_tags | Additional tags for the database route tables | string | `` | no | | database_subnet_group_tags | Additional tags for the database subnet group | string | `` | no | +| database_subnet_suffix | Suffix to append to database subnets name | string | `db` | no | | database_subnet_tags | Additional tags for the database subnets | string | `` | no | | database_subnets | A list of database subnets | list | `` | no | | default_vpc_enable_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `false` | no | 
@@ -191,6 +192,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set | list | `` | no | | dhcp_options_tags | Additional tags for the DHCP option set | string | `` | no | | elasticache_route_table_tags | Additional tags for the elasticache route tables | string | `` | no | +| elasticache_subnet_suffix | Suffix to append to elasticache subnets name | string | `elasticache` | no | | elasticache_subnet_tags | Additional tags for the elasticache subnets | string | `` | no | | elasticache_subnets | A list of elasticache subnets | list | `` | no | | enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no | 
@@ -213,15 +215,18 @@ Terraform version 0.10.3 or newer is required for this module to work. | nat_gateway_tags | Additional tags for the NAT gateways | string | `` | no | | one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `false` | no | | private_route_table_tags | Additional tags for the private route tables | string | `` | no | +| private_subnet_suffix | Suffix to append to private subnets name | string | `private` | no | | private_subnet_tags | Additional tags for the private subnets | string | `` | no | | private_subnets | A list of private subnets inside the VPC | string | `` | no | | propagate_private_route_tables_vgw | Should be true if you want route table propagation | string | `false` | no | | propagate_public_route_tables_vgw | Should be true if you want route table propagation | string | `false` | no | | public_route_table_tags | Additional tags for the public route tables | string | `` | no | +| public_subnet_suffix | Suffix to append to public subnets name | string | `public` | no | | public_subnet_tags | Additional tags for the public subnets | string | `` | no | | public_subnets | A list of public subnets inside the VPC | string | `` | no | | redshift_route_table_tags | Additional tags for the redshift route tables | string | `` | no | | redshift_subnet_group_tags | Additional tags for the redshift subnet group | string | `` | no | +| redshift_subnet_suffix | Suffix to append to redshift subnets name | string | `redshift` | no | | redshift_subnet_tags | Additional tags for the redshift subnets | string | `` | no | | redshift_subnets | A list of redshift subnets | list | `` | no | | reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' 
variable | string | `false` | no | @@ -249,7 +254,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | default_vpc_default_security_group_id | The ID of the security group created by default on VPC creation | | default_vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support | | default_vpc_enable_dns_support | Whether or not the VPC has DNS support | -| default_vpc_id | Default VPC | +| default_vpc_id | The ID of the VPC | | default_vpc_instance_tenancy | Tenancy of instances spin up within VPC | | default_vpc_main_route_table_id | The ID of the main route table associated with this VPC | | elasticache_route_table_ids | List of IDs of elasticache route tables | 
@@ -257,32 +262,32 @@ Terraform version 0.10.3 or newer is required for this module to work. | elasticache_subnet_group_name | Name of elasticache subnet group | | elasticache_subnets | List of IDs of elasticache subnets | | elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets | -| igw_id | Internet Gateway | +| igw_id | The ID of the Internet Gateway | | intra_route_table_ids | List of IDs of intra route tables | | intra_subnets | List of IDs of intra subnets | | intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets | -| nat_ids | Nat gateway | +| nat_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway | | natgw_ids | List of NAT Gateway IDs | | private_route_table_ids | List of IDs of private route tables | -| private_subnets | Subnets | +| private_subnets | List of IDs of private subnets | | private_subnets_cidr_blocks | List of cidr_blocks of private subnets | -| public_route_table_ids | Route tables | +| public_route_table_ids | List of IDs of public route tables | | public_subnets | List of IDs of public subnets | | public_subnets_cidr_blocks | List of cidr_blocks of public subnets | | redshift_route_table_ids | List of IDs of redshift route tables | | redshift_subnet_group | ID of redshift subnet group | | redshift_subnets | List of IDs of redshift subnets | | redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets | -| vgw_id | VPN Gateway | +| vgw_id | The ID of the VPN Gateway | | vpc_cidr_block | The CIDR block of the VPC | | vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support | | vpc_enable_dns_support | Whether or not the VPC has DNS support | | vpc_endpoint_dynamodb_id | The ID of VPC endpoint for DynamoDB | | vpc_endpoint_dynamodb_pl_id | The prefix list for the DynamoDB VPC endpoint. 
| -| vpc_endpoint_s3_id | VPC Endpoints | +| vpc_endpoint_s3_id | The ID of VPC endpoint for S3 | | vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint. | -| vpc_id | VPC | +| vpc_id | The ID of the VPC | | vpc_instance_tenancy | Tenancy of instances spin up within VPC | | vpc_main_route_table_id | The ID of the main route table associated with this VPC | | vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC | diff --git a/outputs.tf b/outputs.tf index 43393a652..c19aba155 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,4 +1,3 @@ -# VPC output "vpc_id" { description = "The ID of the VPC" value = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" @@ -64,7 +63,6 @@ output "vpc_secondary_cidr_blocks" { value = ["${aws_vpc_ipv4_cidr_block_association.this.*.cidr_block}"] } -# Subnets output "private_subnets" { description = "List of IDs of private subnets" value = ["${aws_subnet.private.*.id}"] @@ -145,7 +143,6 @@ output "elasticache_subnet_group_name" { value = "${element(concat(aws_elasticache_subnet_group.elasticache.*.name, list("")), 0)}" } -# Route tables output "public_route_table_ids" { description = "List of IDs of public route tables" value = ["${aws_route_table.public.*.id}"] @@ -176,7 +173,6 @@ output "intra_route_table_ids" { value = ["${aws_route_table.intra.*.id}"] } -# Nat gateway output "nat_ids" { description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway" value = ["${aws_eip.nat.*.id}"] @@ -192,13 +188,11 @@ output "natgw_ids" { value = ["${aws_nat_gateway.this.*.id}"] } -# Internet Gateway output "igw_id" { description = "The ID of the Internet Gateway" value = "${element(concat(aws_internet_gateway.this.*.id, list("")), 0)}" } -# VPC Endpoints output "vpc_endpoint_s3_id" { description = "The ID of VPC endpoint for S3" value = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}" 
@@ -214,7 +208,6 @@ output "vpc_endpoint_dynamodb_id" { value = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}" } -# VPN Gateway output "vgw_id" { description = "The ID of the VPN Gateway" value = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, list("")), 0)}" @@ -225,7 +218,6 @@ output "vpc_endpoint_dynamodb_pl_id" { value = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}" } -# Default VPC output "default_vpc_id" { description = "The ID of the VPC" value = "${element(concat(aws_default_vpc.this.*.id, list("")), 0)}" From b2f628129fdf1782989143a383a3da72ce26ca6d Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Mon, 17 Sep 2018 18:44:25 +0200 Subject: [PATCH 10/81] Updated link to cloudcraft --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6beebfa0f..93fb71dcd 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ These types of resources are supported: * [DHCP Options Set](https://www.terraform.io/docs/providers/aws/r/vpc_dhcp_options.html) * [Default VPC](https://www.terraform.io/docs/providers/aws/r/default_vpc.html) -Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co) +Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co/?utm_source=terraform-aws-vpc) Cloudcraft - the best way to draw AWS diagrams From 4ca12f9b7e05ea2d52a54a13c61357d2e529bd08 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Mon, 17 Sep 2018 18:47:09 +0200 Subject: [PATCH 11/81] Updated link to cloudcraft --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 93fb71dcd..f9313e9b5 100644 --- a/README.md +++ b/README.md 
@@ -22,7 +22,7 @@ These types of resources are supported: Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co/?utm_source=terraform-aws-vpc) -Cloudcraft - the best way to draw AWS diagrams +Cloudcraft - the best way to draw AWS diagrams ## Usage From 68e84efc03251bc640e6a6d4553caaeb6d95a9a4 Mon Sep 17 00:00:00 2001 From: Scott Crooks Date: Tue, 18 Sep 2018 10:16:36 +0200 Subject: [PATCH 12/81] Reordering tag merging (#148) --- main.tf | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/main.tf b/main.tf index 57feaf7bb..604945b2c 100644 --- a/main.tf +++ b/main.tf @@ -22,7 +22,7 @@ resource "aws_vpc" "this" { enable_dns_support = "${var.enable_dns_support}" assign_generated_ipv6_cidr_block = "${var.assign_generated_ipv6_cidr_block}" - tags = "${merge(map("Name", format("%s", var.name)), var.vpc_tags, var.tags)}" + tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpc_tags)}" } resource "aws_vpc_ipv4_cidr_block_association" "this" { @@ -45,7 +45,7 @@ resource "aws_vpc_dhcp_options" "this" { netbios_name_servers = ["${var.dhcp_options_netbios_name_servers}"] netbios_node_type = "${var.dhcp_options_netbios_node_type}" - tags = "${merge(map("Name", format("%s", var.name)), var.dhcp_options_tags, var.tags)}" + tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.dhcp_options_tags)}" } ############################### @@ -66,7 +66,7 @@ resource "aws_internet_gateway" "this" { vpc_id = "${local.vpc_id}" - tags = "${merge(map("Name", format("%s", var.name)), var.igw_tags, var.tags)}" + tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.igw_tags)}" } ################ 
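Review bot: Reordering the `merge()` arguments in the `aws_vpc.this` tags line (and in every other hunk of this patch through the default VPC) inverts tag precedence: resource-specific maps such as `var.vpc_tags` now override `var.tags`, where previously `var.tags` won, and a `Name` key in either still replaces the generated name. That is a behaviour change for users who relied on `var.tags` taking precedence, and nothing in the diff documents it. A README sentence along the lines of `Resource-specific tag variables (e.g. vpc_tags, igw_tags, public_subnet_tags) take precedence over tags when both set the same key.` would make the new contract explicit.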
@@ -77,7 +77,7 @@ resource "aws_route_table" "public" { vpc_id = "${local.vpc_id}" - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.public_route_table_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_route_table_tags)}" } resource "aws_route" "public_internet_gateway" { @@ -101,7 +101,7 @@ resource "aws_route_table" "private" { vpc_id = "${local.vpc_id}" - tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index)))), var.private_route_table_tags, var.tags)}" + tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index)))), var.tags, var.private_route_table_tags)}" lifecycle { # When attaching VPN gateways it is common to define aws_vpn_gateway_route_propagation @@ -151,7 +151,7 @@ resource "aws_route_table" "intra" { vpc_id = "${local.vpc_id}" - tags = "${merge(map("Name", "${var.name}-intra"), var.intra_route_table_tags, var.tags)}" + tags = "${merge(map("Name", "${var.name}-intra"), var.tags, var.intra_route_table_tags)}" } ################ @@ -165,7 +165,7 @@ resource "aws_subnet" "public" { availability_zone = "${element(var.azs, count.index)}" map_public_ip_on_launch = "${var.map_public_ip_on_launch}" - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.public_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.public_subnet_tags)}" } ################# 
@@ -178,7 +178,7 @@ resource "aws_subnet" "private" { cidr_block = "${var.private_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.private_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.private_subnet_tags)}" } ################## @@ -191,7 +191,7 @@ resource "aws_subnet" "database" { cidr_block = "${var.database_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.database_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.database_subnet_tags)}" } resource "aws_db_subnet_group" "database" { @@ -201,7 +201,7 @@ resource "aws_db_subnet_group" "database" { description = "Database subnet group for ${var.name}" subnet_ids = ["${aws_subnet.database.*.id}"] - tags = "${merge(map("Name", format("%s", var.name)), var.database_subnet_group_tags, var.tags)}" + tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.database_subnet_group_tags)}" } ################## @@ -214,7 +214,7 @@ resource "aws_subnet" "redshift" { cidr_block = "${var.redshift_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.redshift_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.redshift_subnet_tags)}" } resource "aws_redshift_subnet_group" "redshift" { 
@@ -224,7 +224,7 @@ resource "aws_redshift_subnet_group" "redshift" { description = "Redshift subnet group for ${var.name}" subnet_ids = ["${aws_subnet.redshift.*.id}"] - tags = "${merge(map("Name", format("%s", var.name)), var.redshift_subnet_group_tags, var.tags)}" + tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.redshift_subnet_group_tags)}" } ##################### @@ -237,7 +237,7 @@ resource "aws_subnet" "elasticache" { cidr_block = "${var.elasticache_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.elasticache_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.elasticache_subnet_tags)}" } resource "aws_elasticache_subnet_group" "elasticache" { @@ -258,7 +258,7 @@ resource "aws_subnet" "intra" { cidr_block = "${var.intra_subnets[count.index]}" availability_zone = "${element(var.azs, count.index)}" - tags = "${merge(map("Name", format("%s-intra-%s", var.name, element(var.azs, count.index))), var.intra_subnet_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-intra-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}" } ############## @@ -281,7 +281,7 @@ resource "aws_eip" "nat" { vpc = true - tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.nat_eip_tags, var.tags)}" + tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_eip_tags)}" } resource "aws_nat_gateway" "this" { 
@@ -290,7 +290,7 @@ resource "aws_nat_gateway" "this" {
 allocation_id = "${element(local.nat_gateway_ips, (var.single_nat_gateway ? 0 : count.index))}"
 subnet_id = "${element(aws_subnet.public.*.id, (var.single_nat_gateway ? 0 : count.index))}"
- tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.nat_gateway_tags, var.tags)}"
+ tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_gateway_tags)}"
 depends_on = ["aws_internet_gateway.this"]
 }
@@ -434,7 +434,7 @@ resource "aws_vpn_gateway" "this" {
 vpc_id = "${local.vpc_id}"
- tags = "${merge(map("Name", format("%s", var.name)), var.vpn_gateway_tags, var.tags)}"
+ tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpn_gateway_tags)}"
 }
 resource "aws_vpn_gateway_attachment" "this" {
@@ -468,5 +468,5 @@ resource "aws_default_vpc" "this" {
 enable_dns_hostnames = "${var.default_vpc_enable_dns_hostnames}"
 enable_classiclink = "${var.default_vpc_enable_classiclink}"
- tags = "${merge(map("Name", format("%s", var.default_vpc_name)), var.default_vpc_tags, var.tags)}"
+ tags = "${merge(map("Name", format("%s", var.default_vpc_name)), var.tags, var.default_vpc_tags)}"
 }
From de5fc660879b8d9e3d86fb9fc5bb8971255b5f16 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Mon, 1 Oct 2018 22:09:39 +0300
Subject: [PATCH 13/81] Added amazon_side_asn to vpn_gateway (#159)
* Added amazon_side_asn to vpn_gateway
* change to Amazon default ASN (as per API) (#176)
https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-gateway.html
---
 README.md | 1 +
 main.tf | 3 ++-
 variables.tf | 5 +++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f9313e9b5..aca1b82f6 100644
--- a/README.md
+++ b/README.md
@@ -167,6 +167,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN. | string | `` | no |
 | assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no |
 | azs | A list of availability zones in the region | string | `` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no |
diff --git a/main.tf b/main.tf
index 604945b2c..5a8461042 100644
--- a/main.tf
+++ b/main.tf
@@ -432,7 +432,8 @@ resource "aws_route_table_association" "public" {
 resource "aws_vpn_gateway" "this" {
 count = "${var.create_vpc && var.enable_vpn_gateway ? 1 : 0}"
- vpc_id = "${local.vpc_id}"
+ vpc_id = "${local.vpc_id}"
+ amazon_side_asn = "${var.amazon_side_asn}"
 tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpn_gateway_tags)}"
 }
diff --git a/variables.tf b/variables.tf
index 7b1e6ae16..13af9383f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -173,6 +173,11 @@ variable "vpn_gateway_id" {
 default = ""
 }
+variable "amazon_side_asn" {
+ description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN."
+ default = "64512"
+}
+
 variable "propagate_private_route_tables_vgw" {
 description = "Should be true if you want route table propagation"
 default = false
From 598fbfaee9378b54e31be5ced0446dcc06863cec Mon Sep 17 00:00:00 2001
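Review bot: The `amazon_side_asn` description gives no accepted range and no BGP constraint, yet the hard default `"64512"` is now passed explicitly to `aws_vpn_gateway`, so a user whose customer gateway already announces 64512 gets a BGP session that will not come up, with no hint from the module. Per the AWS documentation linked in the commit message the value must be a private ASN (64512–65534 for 16-bit, 4200000000–4294967294 for 32-bit) and it must differ from the customer-side ASN; suggest appending to the description: `Must be a private ASN (64512-65534 or 4200000000-4294967294) and must not equal the ASN of your customer gateway.` It is also worth a caveat that changing this on an existing gateway presumably forces replacement of the VGW and its attachment — confirm against the provider before documenting it.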
From: Anton Babenko
Date: Mon, 1 Oct 2018 22:10:38 +0300
Subject: [PATCH 14/81] Updated README.md after merge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index aca1b82f6..3c0a237af 100644
--- a/README.md
+++ b/README.md
@@ -167,7 +167,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN. | string | `` | no |
+| amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `64512` | no |
 | assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no |
 | azs | A list of availability zones in the region | string | `` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no |
From 67c1e9fc9947b0ebaca413dc49fc0d1e1578f354 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Sat, 6 Oct 2018 16:25:18 +0200
Subject: [PATCH 15/81] Fixed #177 - public_subnets should not always be validated
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 5a8461042..f09a07e30 100644
--- a/main.tf
+++ b/main.tf
@@ -161,7 +161,7 @@ resource "aws_subnet" "public" {
 count = "${var.create_vpc && length(var.public_subnets) > 0 && (!var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}"
 vpc_id = "${local.vpc_id}"
- cidr_block = "${var.public_subnets[count.index]}"
+ cidr_block = "${element(concat(var.public_subnets, list("")), count.index)}"
 availability_zone = "${element(var.azs, count.index)}"
 map_public_ip_on_launch = "${var.map_public_ip_on_launch}"
From 1e801064ad725c248d5d51120ab259b23c8066eb Mon Sep 17 00:00:00 2001
From: Mayur Nagekar
Date: Tue, 16 Oct 2018 14:40:34 +0530
Subject: [PATCH 16/81] Fix for the error: module.vpc.aws_redshift_subnet_group.redshift: only lowercase alphanumeric characters and hyphens allowed in name
Read more: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/180
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index f09a07e30..5aa8c546e 100644
--- a/main.tf
+++ b/main.tf
@@ -220,7 +220,7 @@ resource "aws_subnet" "redshift" {
 resource "aws_redshift_subnet_group" "redshift" {
 count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? 1 : 0}"
- name = "${var.name}"
+ name = "${lower(var.name)}"
 description = "Redshift subnet group for ${var.name}"
 subnet_ids = ["${aws_subnet.redshift.*.id}"]
From 57604d2e3837dde13987bc626b7fefe714935ca2 Mon Sep 17 00:00:00 2001
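Review bot: The new `element(concat(var.public_subnets, list("")), count.index)` form can no longer fail on an out-of-range index — `element()` wraps modulo the list length — so correctness now rests entirely on the `count` expression two lines above keeping `count.index` below `length(var.public_subnets)`, and nothing on the line says so. A short comment would stop the next maintainer from "simplifying" it back: `# concat with "" keeps this evaluable when public_subnets is empty (count = 0); element() wraps, so count must never exceed length(var.public_subnets)`. Note also that the `count` guard turns a `one_nat_gateway_per_az` misconfiguration (fewer public subnets than AZs) into zero public subnets rather than a plan-time error — presumably intended by #177, but worth stating in the `one_nat_gateway_per_az` description so the silent outcome is not mistaken for a provider bug.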
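Review bot: `lower()` only fixes the case, but the Redshift constraint quoted in the subject line also rejects underscores, dots and any other non-alphanumeric character, so a `var.name` such as `my_vpc` still fails at apply time; `name = "${replace(lower(var.name), "/[^a-z0-9-]/", "-")}"` would cover the whole constraint in one expression. Lowercasing also folds names that differ only in case onto one subnet-group name, so two module instances named `Foo` and `foo` in the same account/region now collide — worth a one-line comment on the `name` line. Whether the `aws_db_subnet_group` and `aws_elasticache_subnet_group` `name` arguments need the same treatment is outside this hunk.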
From: Anton Babenko
Date: Tue, 11 Dec 2018 20:33:48 +0100
Subject: [PATCH 17/81] Updated pre-commit version with new terraform-docs script
---
 .pre-commit-config.yaml | 4 +-
 README.md | 237 +++++++++---------
 examples/complete-vpc/README.md | 17 +-
 .../issue-108-route-already-exists/README.md | 13 +-
 .../README.md | 13 +-
 .../issue-46-no-private-subnets/README.md | 13 +-
 examples/manage-default-vpc/README.md | 5 +-
 examples/secondary-cidr-blocks/README.md | 13 +-
 examples/simple-vpc/README.md | 11 +-
 examples/test_fixture/README.md | 3 +-
 .../README.md | 15 +-
 11 files changed, 167 insertions(+), 177 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c8df55229..6262d4e7a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.7.2
+ rev: v1.7.4
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v1.2.3
+ rev: v2.0.0
 hooks:
 - id: check-merge-conflict
diff --git a/README.md b/README.md
index 3c0a237af..2fda390ab 100644
--- a/README.md
+++ b/README.md
@@ -162,136 +162,135 @@ Terraform version 0.10.3 or newer is required for this module to work.
 * Few tests and edge cases examples: [#46](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-46-no-private-subnets), [#44](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-44-asymmetric-private-subnets), [#108](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-108-route-already-exists)
-
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `64512` | no |
-| assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no |
-| azs | A list of availability zones in the region | string | `` | no |
+| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `64512` | no |
+| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no |
+| azs | A list of availability zones in the region | list | `[]` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no |
-| create_database_subnet_group | Controls if database subnet group should be created | string | `true` | no |
-| create_database_subnet_route_table | Controls if separate route table for database should be created | string | `false` | no |
-| create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created | string | `false` | no |
-| create_redshift_subnet_route_table | Controls if separate route table for redshift should be created | string | `false` | no |
-| create_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no |
-| database_route_table_tags | Additional tags for the database route tables | string | `` | no |
-| database_subnet_group_tags | Additional tags for the database subnet group | string | `` | no |
-| database_subnet_suffix | Suffix to append to database subnets name | string | `db` | no |
-| database_subnet_tags | Additional tags for the database subnets | string | `` | no |
-| database_subnets | A list of database subnets | list | `` | no |
-| default_vpc_enable_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `false` | no |
-| default_vpc_enable_dns_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `false` | no |
-| default_vpc_enable_dns_support | Should be true to enable DNS support in the Default VPC | string | `true` | no |
-| default_vpc_name | Name to be used on the Default VPC | string | `` | no |
-| default_vpc_tags | Additional tags for the Default VPC | string | `` | no |
-| dhcp_options_domain_name | Specifies DNS name for DHCP options set | string | `` | no |
-| dhcp_options_domain_name_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list | `` | no |
-| dhcp_options_netbios_name_servers | Specify a list of netbios servers for DHCP options set | list | `` | no |
-| dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set | string | `` | no |
-| dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set | list | `` | no |
-| dhcp_options_tags | Additional tags for the DHCP option set | string | `` | no |
-| elasticache_route_table_tags | Additional tags for the elasticache route tables | string | `` | no |
-| elasticache_subnet_suffix | Suffix to append to elasticache subnets name | string | `elasticache` | no |
-| elasticache_subnet_tags | Additional tags for the elasticache subnets | string | `` | no |
-| elasticache_subnets | A list of elasticache subnets | list | `` | no |
-| enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no |
-| enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | string | `false` | no |
-| enable_dns_support | Should be true to enable DNS support in the VPC | string | `true` | no |
-| enable_dynamodb_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `false` | no |
-| enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `false` | no |
-| enable_s3_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `false` | no |
-| enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `false` | no |
-| external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `` | no |
-| igw_tags | Additional tags for the internet gateway | string | `` | no |
-| instance_tenancy | A tenancy option for instances launched into the VPC | string | `default` | no |
-| intra_route_table_tags | Additional tags for the intra route tables | string | `` | no |
-| intra_subnet_tags | Additional tags for the intra subnets | string | `` | no |
-| intra_subnets | A list of intra subnets | list | `` | no |
-| manage_default_vpc | Should be true to adopt and manage Default VPC | string | `false` | no |
-| map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | string | `true` | no |
+| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `true` | no |
+| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `false` | no |
+| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `false` | no |
+| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `false` | no |
+| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no |
+| database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no |
+| database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no |
+| database\_subnet\_suffix | Suffix to append to database subnets name | string | `db` | no |
+| database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no |
+| database\_subnets | A list of database subnets | list | `[]` | no |
+| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `false` | no |
+| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `false` | no |
+| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `true` | no |
+| default\_vpc\_name | Name to be used on the Default VPC | string | `` | no |
+| default\_vpc\_tags | Additional tags for the Default VPC | map | `{}` | no |
+| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `` | no |
+| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list | `[ "AmazonProvidedDNS" ]` | no |
+| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set | list | `[]` | no |
+| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `` | no |
+| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set | list | `[]` | no |
+| dhcp\_options\_tags | Additional tags for the DHCP option set | map | `{}` | no |
+| elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no |
+| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `elasticache` | no |
+| elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no |
+| elasticache\_subnets | A list of elasticache subnets | list | `[]` | no |
+| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no |
+| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `false` | no |
+| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `true` | no |
+| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `false` | no |
+| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `false` | no |
+| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `false` | no |
+| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `false` | no |
+| external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no |
+| igw\_tags | Additional tags for the internet gateway | map | `{}` | no |
+| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `default` | no |
+| intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no |
+| intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no |
+| intra\_subnets | A list of intra subnets | list | `[]` | no |
+| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `false` | no |
+| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `true` | no |
 | name | Name to be used on all the resources as identifier | string | `` | no |
-| nat_eip_tags | Additional tags for the NAT EIP | string | `` | no |
-| nat_gateway_tags | Additional tags for the NAT gateways | string | `` | no |
-| one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `false` | no |
-| private_route_table_tags | Additional tags for the private route tables | string | `` | no |
-| private_subnet_suffix | Suffix to append to private subnets name | string | `private` | no |
-| private_subnet_tags | Additional tags for the private subnets | string | `` | no |
-| private_subnets | A list of private subnets inside the VPC | string | `` | no |
-| propagate_private_route_tables_vgw | Should be true if you want route table propagation | string | `false` | no |
-| propagate_public_route_tables_vgw | Should be true if you want route table propagation | string | `false` | no |
-| public_route_table_tags | Additional tags for the public route tables | string | `` | no |
-| public_subnet_suffix | Suffix to append to public subnets name | string | `public` | no |
-| public_subnet_tags | Additional tags for the public subnets | string | `` | no |
-| public_subnets | A list of public subnets inside the VPC | string | `` | no |
-| redshift_route_table_tags | Additional tags for the redshift route tables | string | `` | no |
-| redshift_subnet_group_tags | Additional tags for the redshift subnet group | string | `` | no |
-| redshift_subnet_suffix | Suffix to append to redshift subnets name | string | `redshift` | no |
-| redshift_subnet_tags | Additional tags for the redshift subnets | string | `` | no |
-| redshift_subnets | A list of redshift subnets | list | `` | no |
-| reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `false` | no |
-| secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | string | `` | no |
-| single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `false` | no |
-| tags | A map of tags to add to all resources | string | `` | no |
-| vpc_tags | Additional tags for the VPC | string | `` | no |
-| vpn_gateway_id | ID of VPN Gateway to attach to the VPC | string | `` | no |
-| vpn_gateway_tags | Additional tags for the VPN gateway | string | `` | no |
+| nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no |
+| nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no |
+| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `false` | no |
+| private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no |
+| private\_subnet\_suffix | Suffix to append to private subnets name | string | `private` | no |
+| private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no |
+| private\_subnets | A list of private subnets inside the VPC | list | `[]` | no |
+| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no |
+| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no |
+| public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no |
+| public\_subnet\_suffix | Suffix to append to public subnets name | string | `public` | no |
+| public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no |
+| public\_subnets | A list of public subnets inside the VPC | list | `[]` | no |
+| redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no |
+| redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no |
+| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `redshift` | no |
+| redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no |
+| redshift\_subnets | A list of redshift subnets | list | `[]` | no |
+| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `false` | no |
+| secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no |
+| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `false` | no |
+| tags | A map of tags to add to all resources | map | `{}` | no |
+| vpc\_tags | Additional tags for the VPC | map | `{}` | no |
+| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `` | no |
+| vpn\_gateway\_tags | Additional tags for the VPN gateway | map | `{}` | no |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| database_route_table_ids | List of IDs of database route tables |
-| database_subnet_group | ID of database subnet group |
-| database_subnets | List of IDs of database subnets |
-| database_subnets_cidr_blocks | List of cidr_blocks of database subnets |
-| default_network_acl_id | The ID of the default network ACL |
-| default_route_table_id | The ID of the default route table |
-| default_security_group_id | The ID of the security group created by default on VPC creation |
-| default_vpc_cidr_block | The CIDR block of the VPC |
-| default_vpc_default_network_acl_id | The ID of the default network ACL |
-| default_vpc_default_route_table_id | The ID of the default route table |
-| default_vpc_default_security_group_id | The ID of the security group created by default on VPC creation |
-| default_vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
-| default_vpc_enable_dns_support | Whether or not the VPC has DNS support |
-| default_vpc_id | The ID of the VPC |
-| default_vpc_instance_tenancy | Tenancy of instances spin up within VPC |
-| default_vpc_main_route_table_id | The ID of the main route table associated with this VPC |
-| elasticache_route_table_ids | List of IDs of elasticache route tables |
-| elasticache_subnet_group | ID of elasticache subnet group |
-| elasticache_subnet_group_name | Name of elasticache subnet group |
-| elasticache_subnets | List of IDs of elasticache subnets |
-| elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
-| igw_id | The ID of the Internet Gateway |
-| intra_route_table_ids | List of IDs of intra route tables |
-| intra_subnets | List of IDs of intra subnets |
-| intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
-| nat_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
-| nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| natgw_ids | List of NAT Gateway IDs |
-| private_route_table_ids | List of IDs of private route tables |
-| private_subnets | List of IDs of private subnets |
-| private_subnets_cidr_blocks | List of cidr_blocks of private subnets |
-| public_route_table_ids | List of IDs of public route tables |
-| public_subnets | List of IDs of public subnets |
-| public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
-| redshift_route_table_ids | List of IDs of redshift route tables |
-| redshift_subnet_group | ID of redshift subnet group |
-| redshift_subnets | List of IDs of redshift subnets |
-| redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets |
-| vgw_id | The ID of the VPN Gateway |
-| vpc_cidr_block | The CIDR block of the VPC |
-| vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
-| vpc_enable_dns_support | Whether or not the VPC has DNS support |
-| vpc_endpoint_dynamodb_id | The ID of VPC endpoint for DynamoDB |
-| vpc_endpoint_dynamodb_pl_id | The prefix list for the DynamoDB VPC endpoint. |
-| vpc_endpoint_s3_id | The ID of VPC endpoint for S3 |
-| vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint. |
-| vpc_id | The ID of the VPC |
-| vpc_instance_tenancy | Tenancy of instances spin up within VPC |
-| vpc_main_route_table_id | The ID of the main route table associated with this VPC |
-| vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC |
+| database\_route\_table\_ids | List of IDs of database route tables |
+| database\_subnet\_group | ID of database subnet group |
+| database\_subnets | List of IDs of database subnets |
+| database\_subnets\_cidr\_blocks | List of cidr_blocks of database subnets |
+| default\_network\_acl\_id | The ID of the default network ACL |
+| default\_route\_table\_id | The ID of the default route table |
+| default\_security\_group\_id | The ID of the security group created by default on VPC creation |
+| default\_vpc\_cidr\_block | The CIDR block of the VPC |
+| default\_vpc\_default\_network\_acl\_id | The ID of the default network ACL |
+| default\_vpc\_default\_route\_table\_id | The ID of the default route table |
+| default\_vpc\_default\_security\_group\_id | The ID of the security group created by default on VPC creation |
+| default\_vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support |
+| default\_vpc\_enable\_dns\_support | Whether or not the VPC has DNS support |
+| default\_vpc\_id | The ID of the VPC |
+| default\_vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
+| default\_vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
+| elasticache\_route\_table\_ids | List of IDs of elasticache route tables |
+| elasticache\_subnet\_group | ID of elasticache subnet group |
+| elasticache\_subnet\_group\_name | Name of elasticache subnet group |
+| elasticache\_subnets | List of IDs of elasticache subnets |
+| elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets |
+| igw\_id | The ID of the Internet Gateway |
+| intra\_route\_table\_ids | List of IDs of intra route tables |
+| intra\_subnets | List of IDs of intra subnets |
+| intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets |
+| nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
+| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
+| natgw\_ids | List of NAT Gateway IDs |
+| private\_route\_table\_ids | List of IDs of private route tables |
+| private\_subnets | List of IDs of private subnets |
+| private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets |
+| public\_route\_table\_ids | List of IDs of public route tables |
+| public\_subnets | List of IDs of public subnets |
+| public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets |
+| redshift\_route\_table\_ids | List of IDs of redshift route tables |
+| redshift\_subnet\_group | ID of redshift subnet group |
+| redshift\_subnets | List of IDs of redshift subnets |
+| redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
+| vgw\_id | The ID of the VPN Gateway |
+| vpc\_cidr\_block | The CIDR block of the VPC |
+| vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support |
+| vpc\_enable\_dns\_support | Whether or not the VPC has DNS support |
+| vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB |
+| vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. |
+| vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
+| vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
+| vpc\_id | The ID of the VPC |
+| vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
+| vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
+| vpc\_secondary\_cidr\_blocks | List of secondary CIDR blocks of the VPC |
diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md
index c8d26a451..31670d6ce 100644
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -17,18 +17,17 @@ $ terraform apply
 Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-
 ## Outputs
 | Name | Description |
 |------|-------------|
-| database_subnets | List of IDs of database subnets |
-| elasticache_subnets | List of IDs of elasticache subnets |
-| intra_subnets | List of IDs of intra subnets |
-| nat_public_ips | NAT gateways |
-| private_subnets | Subnets |
-| public_subnets | List of IDs of public subnets |
-| redshift_subnets | List of IDs of redshift subnets |
-| vpc_id | VPC |
+| database\_subnets | List of IDs of database subnets |
+| elasticache\_subnets | List of IDs of elasticache subnets |
+| intra\_subnets | List of IDs of intra subnets |
+| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
+| private\_subnets | List of IDs of private subnets |
+| public\_subnets | List of IDs of public subnets |
+| redshift\_subnets | List of IDs of redshift subnets |
+| vpc\_id | The ID of the VPC |
diff --git a/examples/issue-108-route-already-exists/README.md b/examples/issue-108-route-already-exists/README.md
index bd2c57560..7aa22941a 100644
--- a/examples/issue-108-route-already-exists/README.md
+++ b/examples/issue-108-route-already-exists/README.md
@@ -19,16 +19,15 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| database_subnets | List of IDs of database subnets | -| elasticache_subnets | List of IDs of elasticache subnets | -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| vpc_id | VPC | +| database\_subnets | List of IDs of database subnets | +| elasticache\_subnets | List of IDs of elasticache subnets | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_subnets | List of IDs of private subnets | +| public\_subnets | List of IDs of public subnets | +| vpc\_id | The ID of the VPC | diff --git a/examples/issue-44-asymmetric-private-subnets/README.md b/examples/issue-44-asymmetric-private-subnets/README.md index 24c4db444..2484554d2 100644 --- a/examples/issue-44-asymmetric-private-subnets/README.md +++ b/examples/issue-44-asymmetric-private-subnets/README.md @@ -17,16 +17,15 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| database_subnets | List of IDs of database subnets | -| elasticache_subnets | List of IDs of elasticache subnets | -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| vpc_id | VPC | +| database\_subnets | List of IDs of database subnets | +| elasticache\_subnets | List of IDs of elasticache subnets | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_subnets | List of IDs of private subnets | +| public\_subnets | List of IDs of public subnets | +| vpc\_id | The ID of the VPC | 
diff --git a/examples/issue-46-no-private-subnets/README.md b/examples/issue-46-no-private-subnets/README.md index 958b13289..b87e05e37 100644 --- a/examples/issue-46-no-private-subnets/README.md +++ b/examples/issue-46-no-private-subnets/README.md @@ -17,16 +17,15 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| database_subnets | List of IDs of database subnets | -| elasticache_subnets | List of IDs of elasticache subnets | -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| vpc_id | VPC | +| database\_subnets | List of IDs of database subnets | +| elasticache\_subnets | List of IDs of elasticache subnets | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_subnets | List of IDs of private subnets | +| public\_subnets | List of IDs of public subnets | +| vpc\_id | The ID of the VPC | diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md index 6c509e6ea..3adff908b 100644 --- a/examples/manage-default-vpc/README.md +++ b/examples/manage-default-vpc/README.md @@ -17,12 +17,11 @@ $ terraform apply Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| default_vpc_cidr_block | The CIDR block of the VPC | -| default_vpc_id | Default VPC | +| default\_vpc\_cidr\_block | The CIDR block of the VPC | +| default\_vpc\_id | The ID of the Default VPC | diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md index 6d7cade4d..feb462fe3 100644 --- a/examples/secondary-cidr-blocks/README.md +++ b/examples/secondary-cidr-blocks/README.md 
@@ -17,16 +17,15 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| vpc_cidr_block | CIDR blocks | -| vpc_id | VPC | -| vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_subnets | List of IDs of private subnets | +| public\_subnets | List of IDs of public subnets | +| vpc\_cidr\_block | The CIDR block of the VPC | +| vpc\_id | The ID of the VPC | +| vpc\_secondary\_cidr\_blocks | List of secondary CIDR blocks of the VPC | diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md index ff94ad03c..97c48ea83 100644 --- a/examples/simple-vpc/README.md +++ b/examples/simple-vpc/README.md @@ -17,15 +17,14 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| vpc_cidr_block | CIDR blocks | -| vpc_id | VPC | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_subnets | List of IDs of private subnets | +| public\_subnets | List of IDs of public subnets | +| vpc\_cidr\_block | The CIDR block of the VPC | +| vpc\_id | The ID of the VPC | diff --git a/examples/test_fixture/README.md b/examples/test_fixture/README.md index fc2ab69bd..db7173a41 100644 --- a/examples/test_fixture/README.md +++ b/examples/test_fixture/README.md 
@@ -21,12 +21,11 @@ Finished in 4.25 seconds (files took 2.75 seconds to load) This will destroy any existing test resources, create the resources afresh, run the tests, report back, and destroy the resources. - ## Inputs | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| region | | string | `eu-west-1` | no | +| region | - | string | `eu-west-1` | no | ## Outputs diff --git a/examples/vpc-separate-private-route-tables/README.md b/examples/vpc-separate-private-route-tables/README.md index 332c12a25..0688e3a2c 100644 --- a/examples/vpc-separate-private-route-tables/README.md +++ b/examples/vpc-separate-private-route-tables/README.md @@ -17,17 +17,16 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| database_subnets | List of IDs of database subnets | -| elasticache_subnets | List of IDs of elasticache subnets | -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| redshift_subnets | List of IDs of elasticache subnets | -| vpc_id | VPC | +| database\_subnets | List of IDs of database subnets | +| elasticache\_subnets | List of IDs of elasticache subnets | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_subnets | List of IDs of private subnets | +| public\_subnets | List of IDs of public subnets | +| redshift\_subnets | List of IDs of elasticache subnets | +| vpc\_id | The ID of the VPC | From 81895e74ab6aa09942b8c348f71a68583bc1023b Mon Sep 17 00:00:00 2001 
From: Anton Babenko Date: Wed, 12 Dec 2018 13:32:53 +0100 Subject: [PATCH 18/81] Added IGW route for DB subnets (based on #179) --- README.md | 14 ++++++++++++++ examples/complete-vpc/main.tf | 7 ++++++- main.tf | 12 ++++++++++++ variables.tf | 5 +++++ 4 files changed, 37 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2fda390ab..dcb4dfd4a 100644 --- a/README.md +++ b/README.md @@ -150,6 +150,19 @@ module "vpc" { } ``` +## Public access to RDS instances + +Sometimes it is handy to have public access to RDS instances (it is not recommended for production) by specifying these arguments: + +```hcl + create_database_subnet_group = true + create_database_subnet_route_table = true + create_database_internet_gateway_route = true + + enable_dns_hostnames = true + enable_dns_support = true +``` + ## Terraform version Terraform version 0.10.3 or newer is required for this module to work. @@ -170,6 +183,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no | | azs | A list of availability zones in the region | list | `[]` | no | | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no | +| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `false` | no | | create\_database\_subnet\_group | Controls if database subnet group should be created | string | `true` | no | | create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `false` | no | | create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `false` | no | 
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 67e3d2bc0..0e49bad0f 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -17,13 +17,18 @@ module "vpc" { redshift_subnets = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"] intra_subnets = ["10.10.51.0/24", "10.10.52.0/24", "10.10.53.0/24"] - create_database_subnet_group = false + create_database_subnet_group = true + create_database_subnet_route_table = true + create_database_internet_gateway_route = true enable_nat_gateway = true single_nat_gateway = true enable_vpn_gateway = true + enable_dns_hostnames = true + enable_dns_support = true + enable_s3_endpoint = true enable_dynamodb_endpoint = true diff --git a/main.tf b/main.tf index 5aa8c546e..091c36585 100644 --- a/main.tf +++ b/main.tf @@ -121,6 +121,18 @@ resource "aws_route_table" "database" { tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-${var.database_subnet_suffix}"))}" } +resource "aws_route" "database_internet_gateway" { + count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0}" + + route_table_id = "${aws_route_table.database.id}" + destination_cidr_block = "0.0.0.0/0" + gateway_id = "${aws_internet_gateway.this.id}" + + timeouts { + create = "5m" + } +} + ################# # Redshift routes ################# diff --git a/variables.tf b/variables.tf index 13af9383f..8694fbfa4 100644 --- a/variables.tf +++ b/variables.tf @@ -107,6 +107,11 @@ variable "create_database_subnet_group" { default = true } +variable "create_database_internet_gateway_route" { + description = "Controls if an internet gateway route for public database access should be created" + default = false +} + variable "azs" { description = "A list of availability zones in the region" default = [] From 14b42376937fbbfd826d4be914c65021ac61e007 Mon Sep 17 00:00:00 2001 
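Review bot: The count guard on the new `aws_route.database_internet_gateway` does not require the internet gateway to exist, yet the resource reads `aws_internet_gateway.this.id` directly; `aws_internet_gateway.this` is defined outside this hunk, and if it is created conditionally, enabling `create_database_internet_gateway_route` without it would fail at plan time on that reference rather than quietly skipping the route. Adding the gateway's own creation condition to the count expression would keep the two in step. A 0.0.0.0/0 route to the gateway also makes the database subnets publicly routable, which the README hunk in this patch says but the resource itself does not; a header comment such as `# Default route to the internet gateway: makes the database subnets publicly routable, so security groups become the only network control on the database; not recommended for production.` would keep that caveat next to the code.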
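Review bot: The description of the new `create_database_internet_gateway_route` variable lacks the caveat that the README section added in this same patch states for the feature. The README inputs row added here repeats the description verbatim, so whoever reads only the inputs table never sees that the flag makes database subnets publicly routable. Suggested wording: `description = "Controls if an internet gateway route for public database access should be created (this makes the database subnets publicly routable; not recommended for production)"`.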
From: Anton Babenko Date: Wed, 12 Dec 2018 13:35:19 +0100 Subject: [PATCH 19/81] Reverted complete-example --- examples/complete-vpc/main.tf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 0e49bad0f..67e3d2bc0 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -17,18 +17,13 @@ module "vpc" { redshift_subnets = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"] intra_subnets = ["10.10.51.0/24", "10.10.52.0/24", "10.10.53.0/24"] - create_database_subnet_group = true - create_database_subnet_route_table = true - create_database_internet_gateway_route = true + create_database_subnet_group = false enable_nat_gateway = true single_nat_gateway = true enable_vpn_gateway = true - enable_dns_hostnames = true - enable_dns_support = true - enable_s3_endpoint = true enable_dynamodb_endpoint = true From 4e484aa7f4d48172a200f2b59e543830ee55ea1c Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 27 Dec 2018 12:53:07 +0100 Subject: [PATCH 20/81] Added azs to outputs which is an argument --- README.md | 1 + examples/simple-vpc/README.md | 1 + examples/simple-vpc/outputs.tf | 6 ++++++ outputs.tf | 4 ++++ 4 files changed, 12 insertions(+) diff --git a/README.md b/README.md index dcb4dfd4a..5916aac27 100644 --- a/README.md +++ b/README.md @@ -255,6 +255,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | |------|-------------| +| azs | A list of availability zones spefified as argument to this module | | database\_route\_table\_ids | List of IDs of database route tables | | database\_subnet\_group | ID of database subnet group | | database\_subnets | List of IDs of database subnets | diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md index 97c48ea83..ccb7ccecd 100644 --- a/examples/simple-vpc/README.md +++ b/examples/simple-vpc/README.md 
@@ -21,6 +21,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Description | |------|-------------| +| azs | A list of availability zones spefified as argument to this module | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | | private\_subnets | List of IDs of private subnets | | public\_subnets | List of IDs of public subnets | diff --git a/examples/simple-vpc/outputs.tf b/examples/simple-vpc/outputs.tf index 35eb73359..7ab197f4a 100644 --- a/examples/simple-vpc/outputs.tf +++ b/examples/simple-vpc/outputs.tf @@ -31,3 +31,9 @@ output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" value = ["${module.vpc.nat_public_ips}"] } + +# AZs +output "azs" { + description = "A list of availability zones spefified as argument to this module" + value = ["${module.vpc.azs}"] +} diff --git a/outputs.tf b/outputs.tf index c19aba155..64ebabf61 100644 --- a/outputs.tf +++ b/outputs.tf @@ -278,3 +278,7 @@ output "default_vpc_main_route_table_id" { // value = "${element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)}" //} +output "azs" { + description = "A list of availability zones spefified as argument to this module" + value = "${var.azs}" +} From 8a293e73b8263998f283e160692b50b96b660eed Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 10 Jan 2019 10:45:47 +0100 Subject: [PATCH 21/81] Added possibility to control creation of elasticache and redshift subnet groups --- README.md | 4 +++- main.tf | 4 ++-- outputs.tf | 2 +- variables.tf | 22 ++++++++++++++++------ 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 5916aac27..e228ffd79 100644 --- a/README.md +++ b/README.md 
@@ -186,7 +186,9 @@ Terraform version 0.10.3 or newer is required for this module to work. | create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `false` | no | | create\_database\_subnet\_group | Controls if database subnet group should be created | string | `true` | no | | create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `false` | no | +| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `true` | no | | create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `false` | no | +| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `true` | no | | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `false` | no | | create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no | | database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | @@ -255,7 +257,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | |------|-------------| -| azs | A list of availability zones spefified as argument to this module | +| azs | A list of availability zones specified as argument to this module | | database\_route\_table\_ids | List of IDs of database route tables | | database\_subnet\_group | ID of database subnet group | | database\_subnets | List of IDs of database subnets | diff --git a/main.tf b/main.tf index 091c36585..a4156ba26 100644 --- a/main.tf +++ b/main.tf 
@@ -230,7 +230,7 @@ resource "aws_subnet" "redshift" { } resource "aws_redshift_subnet_group" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0}" name = "${lower(var.name)}" description = "Redshift subnet group for ${var.name}" @@ -253,7 +253,7 @@ resource "aws_subnet" "elasticache" { } resource "aws_elasticache_subnet_group" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0}" name = "${var.name}" description = "ElastiCache subnet group for ${var.name}" diff --git a/outputs.tf b/outputs.tf index 64ebabf61..8d6b08b6e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -279,6 +279,6 @@ output "default_vpc_main_route_table_id" { //} output "azs" { - description = "A list of availability zones spefified as argument to this module" + description = "A list of availability zones specified as argument to this module" value = "${var.azs}" } diff --git a/variables.tf b/variables.tf index 8694fbfa4..5f423959c 100644 --- a/variables.tf +++ b/variables.tf @@ -81,6 +81,12 @@ variable "elasticache_subnets" { default = [] } +variable "intra_subnets" { + type = "list" + description = "A list of intra subnets" + default = [] +} + variable "create_database_subnet_route_table" { description = "Controls if separate route table for database should be created" default = false 
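Review bot: The new `count` conditions on `aws_redshift_subnet_group.redshift` and `aws_elasticache_subnet_group.elasticache` (both hunks of main.tf in this patch) allow these resources to have zero instances, but the only outputs.tf change in the patch is the `azs` typo fix. If the existing `redshift_subnet_group` and `elasticache_subnet_group` outputs, which appear in the module's output table but not in this patch, reference the resource id directly, setting either new flag to false would break the plan on a missing resource instead of yielding an empty value. outputs.tf already uses the splat-and-concat pattern `element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)` for an optional resource; applying the same shape, e.g. `value = "${element(concat(aws_redshift_subnet_group.redshift.*.id, list("")), 0)}"`, would make both outputs safe for the disabled case.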
@@ -96,17 +102,21 @@ variable "create_elasticache_subnet_route_table" { default = false } -variable "intra_subnets" { - type = "list" - description = "A list of intra subnets" - default = [] -} - variable "create_database_subnet_group" { description = "Controls if database subnet group should be created" default = true } +variable "create_elasticache_subnet_group" { + description = "Controls if elasticache subnet group should be created" + default = true +} + +variable "create_redshift_subnet_group" { + description = "Controls if redshift subnet group should be created" + default = true +} + variable "create_database_internet_gateway_route" { description = "Controls if an internet gateway route for public database access should be created" default = false From ce5212fb0d286104a1fdd4746633e327f5ee04de Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 17 Jan 2019 21:15:41 +0100 Subject: [PATCH 22/81] Added SSM and EC2 VPC endpoints (fixes #195, #194) --- README.md | 94 ++++++++++++++++++-------------- examples/complete-vpc/README.md | 3 + examples/complete-vpc/main.tf | 28 +++++++++- examples/complete-vpc/outputs.tf | 34 ++++++++++++ examples/test_fixture/README.md | 2 +- main.tf | 42 ++++++++++++++ outputs.tf | 72 +++++++++++++++++------- variables.tf | 40 ++++++++++++++ 8 files changed, 251 insertions(+), 64 deletions(-) diff --git a/README.md b/README.md index e228ffd79..46a32b22c 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,7 @@ These types of resources are supported: * [Internet Gateway](https://www.terraform.io/docs/providers/aws/r/internet_gateway.html) * [NAT Gateway](https://www.terraform.io/docs/providers/aws/r/nat_gateway.html) * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) -* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html) (S3 and DynamoDB) +* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html) (Gateway: S3, DynamoDB; Interface: EC2, SSM) * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -179,78 +179,86 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `64512` | no | -| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no | +| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no | +| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `"false"` | no | | azs | A list of availability zones in the region | list | `[]` | no | -| cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no | -| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `false` | no | -| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `true` | no | -| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `false` | no | -| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `true` | no | -| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `false` | no | -| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `true` | no | -| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `false` | no | -| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no | +| cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | +| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no | +| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no | +| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `"false"` | no | +| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `"true"` | no | +| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `"false"` | no | +| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `"true"` | no | +| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `"false"` | no | +| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `"true"` | no | | database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | | database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no | -| database\_subnet\_suffix | Suffix to append to database subnets name | string | `db` | no | +| database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no | | database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no | | database\_subnets | A list of database subnets | list | `[]` | no | -| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `false` | no | -| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `false` | no | -| default\_vpc\_enable\_dns\_support | Should be 
true to enable DNS support in the Default VPC | string | `true` | no | -| default\_vpc\_name | Name to be used on the Default VPC | string | `` | no | +| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `"false"` | no | +| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `"false"` | no | +| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | +| default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no | | default\_vpc\_tags | Additional tags for the Default VPC | map | `{}` | no | -| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `` | no | +| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `""` | no | | dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list | `[ "AmazonProvidedDNS" ]` | no | | dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set | list | `[]` | no | -| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `` | no | +| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `""` | no | | dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set | list | `[]` | no | | dhcp\_options\_tags | Additional tags for the DHCP option set | map | `{}` | no | +| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | string | `"false"` | no | +| ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list | `[]` | no | +| ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 
endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no | -| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `elasticache` | no | +| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | | elasticache\_subnets | A list of elasticache subnets | list | `[]` | no | -| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no | -| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `false` | no | -| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `true` | no | -| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `false` | no | -| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `false` | no | -| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `false` | no | -| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `false` | no | +| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no | +| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no | +| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no | +| 
enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `"false"` | no | +| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `"false"` | no | +| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | +| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | +| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | +| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | -| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `default` | no | +| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | | intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | -| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `false` | no | -| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `true` | no | -| name | Name to be used on all the resources as identifier | string | `` | no | +| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | +| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no | +| name | Name to 
be used on all the resources as identifier | string | `""` | no | | nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no | | nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no | -| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `false` | no | +| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `"false"` | no | | private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no | -| private\_subnet\_suffix | Suffix to append to private subnets name | string | `private` | no | +| private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no | | private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no | | private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | -| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no | -| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no | +| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | +| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | | public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no | -| public\_subnet\_suffix | Suffix to append to public subnets name | string | `public` | no | +| public\_subnet\_suffix | Suffix to append to public 
subnets name | string | `"public"` | no | | public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no | | public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | | redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no | | redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no | -| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `redshift` | no | +| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no | | redshift\_subnets | A list of redshift subnets | list | `[]` | no | -| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `false` | no | +| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | -| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `false` | no | +| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | +| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no | +| ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no | +| ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a 
network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | | vpc\_tags | Additional tags for the VPC | map | `{}` | no | -| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `` | no | +| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | | vpn\_gateway\_tags | Additional tags for the VPN gateway | map | `{}` | no | ## Outputs @@ -302,8 +310,14 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc\_enable\_dns\_support | Whether or not the VPC has DNS support | | vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB | | vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. | +| vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. | +| vpc\_endpoint\_ec2\_id | The ID of VPC endpoint for EC2 | +| vpc\_endpoint\_ec2\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2 | | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 | | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. | +| vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | +| vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | +| vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | | vpc\_id | The ID of the VPC | | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md index 31670d6ce..7a0a4a96d 100644 --- a/examples/complete-vpc/README.md +++ b/examples/complete-vpc/README.md 
@@ -28,6 +28,9 @@ Note that this example may create resources which can cost money (AWS Elastic IP | private\_subnets | List of IDs of private subnets | | public\_subnets | List of IDs of public subnets | | redshift\_subnets | List of IDs of redshift subnets | +| vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | +| vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | +| vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | | vpc\_id | The ID of the VPC | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 67e3d2bc0..59da401fc 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -2,6 +2,11 @@ provider "aws" { region = "eu-west-1" } +data "aws_security_group" "default" { + name = "default" + vpc_id = "${module.vpc.vpc_id}" +} + module "vpc" { source = "../../" @@ -19,18 +24,35 @@ module "vpc" { create_database_subnet_group = false + enable_dns_hostnames = true + enable_dns_support = true + enable_nat_gateway = true single_nat_gateway = true enable_vpn_gateway = true - enable_s3_endpoint = true - enable_dynamodb_endpoint = true - enable_dhcp_options = true dhcp_options_domain_name = "service.consul" dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] + # VPC endpoint for S3 + enable_s3_endpoint = true + + # VPC endpoint for DynamoDB + enable_dynamodb_endpoint = true + + # VPC endpoint for SSM + enable_ssm_endpoint = true + ssm_endpoint_private_dns_enabled = true + ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + + // ssm_endpoint_subnet_ids = ["..."] + + # VPC Endpoint for EC2 + enable_ec2_endpoint = true + ec2_endpoint_private_dns_enabled = true + ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] tags = { Owner = "user" Environment = "staging" diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf index 3cbd012be..871359d39 100644 
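Review bot: Both interface endpoints in the `module "vpc"` hunk are attached to the VPC's default security group through `data.aws_security_group.default`, a group whose rules are managed outside this example, so what can reach the SSM and EC2 endpoints is whatever that group happens to allow rather than something the example states. A dedicated group admitting only TCP 443 from the VPC CIDR makes the intended reachability explicit and avoids teaching readers to reuse the default group; the PATCH 27 hunk in this same file extends the default-group pattern to the ssmmessages and ec2messages endpoints and would take the same group. The `// ssm_endpoint_subnet_ids = ["..."]` line also uses `//` while the surrounding comments use `#`. The module block continues past the end of the hunk; the CIDR below assumes the module's `vpc_cidr_block` output, which is not in this hunk.
```hcl
# Dedicated group for the interface endpoints: only HTTPS from inside the VPC.
resource "aws_security_group" "vpc_endpoints" {
  name_prefix = "vpc-endpoints-"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["${module.vpc.vpc_cidr_block}"]
  }
}

module "vpc" {
  # … unchanged: source, cidr, subnets, NAT/VPN, DHCP and S3/DynamoDB settings …
  ssm_endpoint_security_group_ids = ["${aws_security_group.vpc_endpoints.id}"]
  # … unchanged: other SSM and EC2 endpoint arguments …
  ec2_endpoint_security_group_ids = ["${aws_security_group.vpc_endpoints.id}"]
  # … unchanged: tags …
```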
--- a/examples/complete-vpc/outputs.tf +++ b/examples/complete-vpc/outputs.tf @@ -40,3 +40,37 @@ output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" value = ["${module.vpc.nat_public_ips}"] } + +# VPC endpoints +output "vpc_endpoint_ssm_id" { + description = "The ID of VPC endpoint for SSM" + value = "${module.vpc.vpc_endpoint_ssm_id}" +} + +output "vpc_endpoint_ssm_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SSM." + value = ["${module.vpc.vpc_endpoint_ssm_network_interface_ids}"] +} + +output "vpc_endpoint_ssm_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SSM." + value = ["${module.vpc.vpc_endpoint_ssm_dns_entry}"] +} + +// +//# VPC endpoints +//output "vpc_endpoint_ec2_id" { +// description = "The ID of VPC endpoint for EC2" +// value = "${module.vpc.vpc_endpoint_ec2_id}" +//} +// +//output "vpc_endpoint_ec2_network_interface_ids" { +// description = "One or more network interfaces for the VPC Endpoint for EC2." +// value = ["${module.vpc.vpc_endpoint_ec2_network_interface_ids}"] +//} +// +//output "vpc_endpoint_ec2_dns_entry" { +// description = "The DNS entries for the VPC Endpoint for EC2." +// value = ["${module.vpc.vpc_endpoint_ec2_dns_entry}"] +//} + diff --git a/examples/test_fixture/README.md b/examples/test_fixture/README.md index db7173a41..2fec823b1 100644 --- a/examples/test_fixture/README.md +++ b/examples/test_fixture/README.md @@ -25,7 +25,7 @@ This will destroy any existing test resources, create the resources afresh, run | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| region | - | string | `eu-west-1` | no | +| region | | string | `"eu-west-1"` | no | ## Outputs diff --git a/main.tf b/main.tf index a4156ba26..f15da46d7 100644 --- a/main.tf +++ b/main.tf 
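Review bot: The hunk commits a block of commented-out `vpc_endpoint_ec2_*` outputs (the `//`-prefixed lines at its end) even though this same commit adds the matching `vpc_endpoint_ec2_id`, `vpc_endpoint_ec2_network_interface_ids` and `vpc_endpoint_ec2_dns_entry` outputs to the module, so the example should either expose them as live outputs next to the SSM ones or drop the block; dead code in an example tends to be copied as-is. The live outputs use `#` for comments while the dead block uses `//`, so if it stays, one comment style should be used. The three SSM outputs themselves match the module's `outputs.tf` in this commit.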
@@ -393,6 +393,48 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { route_table_id = "${aws_route_table.public.id}" } +###################### +# VPC Endpoint for SSM +###################### +data "aws_vpc_endpoint_service" "ssm" { + count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + + service = "ssm" +} + +resource "aws_vpc_endpoint" "ssm" { + count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ssm_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" +} + +###################### +# VPC Endpoint for EC2 +###################### +data "aws_vpc_endpoint_service" "ec2" { + count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + + service = "ec2" +} + +resource "aws_vpc_endpoint" "ec2" { + count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ec2_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" +} + ########################## # Route table association ########################## diff --git a/outputs.tf b/outputs.tf index 8d6b08b6e..0fcd28c3f 100644 --- a/outputs.tf +++ b/outputs.tf 
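Review bot: The subnet fallback `subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"]` hands AWS every private subnet, while the variable description states that only a single subnet per AZ is supported, so a VPC whose `private_subnets` list has more than one subnet in an AZ will fail at apply time; the same fallback is in the `ec2` resource below and in the ssmmessages/ec2messages resources of the PATCH 25 hunks, and `coalescelist` itself errors when both lists are empty (no private subnets and no explicit IDs), which the description "If omitted, private subnets will be used" does not warn about. Both resources pass `security_group_ids` straight through from a default of `[]`, so with the defaults the endpoint's network interfaces get no group chosen by this module; either document that on the variables or require a non-empty list. Neither resource sets `policy`, so the endpoint policy is the provider/AWS default, which as far as I know is an allow-all policy; an optional `ssm_endpoint_policy`/`ec2_endpoint_policy` variable passed to `policy` would let callers scope which principals may use the endpoint. A short comment above each resource stating the one-subnet-per-AZ constraint would also save a failed apply, e.g. `# AWS accepts at most one subnet per AZ for an Interface endpoint; callers with several private subnets per AZ must set *_endpoint_subnet_ids.`.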
@@ -193,31 +193,11 @@ output "igw_id" { value = "${element(concat(aws_internet_gateway.this.*.id, list("")), 0)}" } -output "vpc_endpoint_s3_id" { - description = "The ID of VPC endpoint for S3" - value = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}" -} - -output "vpc_endpoint_s3_pl_id" { - description = "The prefix list for the S3 VPC endpoint." - value = "${element(concat(aws_vpc_endpoint.s3.*.prefix_list_id, list("")), 0)}" -} - -output "vpc_endpoint_dynamodb_id" { - description = "The ID of VPC endpoint for DynamoDB" - value = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}" -} - output "vgw_id" { description = "The ID of the VPN Gateway" value = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, list("")), 0)}" } -output "vpc_endpoint_dynamodb_pl_id" { - description = "The prefix list for the DynamoDB VPC endpoint." - value = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}" -} - output "default_vpc_id" { description = "The ID of the VPC" value = "${element(concat(aws_default_vpc.this.*.id, list("")), 0)}" 
@@ -278,6 +258,58 @@ output "default_vpc_main_route_table_id" { // value = "${element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)}" //} +# VPC Endpoints +output "vpc_endpoint_s3_id" { + description = "The ID of VPC endpoint for S3" + value = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}" +} + +output "vpc_endpoint_s3_pl_id" { + description = "The prefix list for the S3 VPC endpoint." + value = "${element(concat(aws_vpc_endpoint.s3.*.prefix_list_id, list("")), 0)}" +} + +output "vpc_endpoint_dynamodb_id" { + description = "The ID of VPC endpoint for DynamoDB" + value = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}" +} + +output "vpc_endpoint_dynamodb_pl_id" { + description = "The prefix list for the DynamoDB VPC endpoint." + value = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}" +} + +output "vpc_endpoint_ssm_id" { + description = "The ID of VPC endpoint for SSM" + value = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ssm_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SSM." + value = "${flatten(aws_vpc_endpoint.ssm.*.network_interface_ids)}" +} + +output "vpc_endpoint_ssm_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SSM." + value = "${flatten(aws_vpc_endpoint.ssm.*.dns_entry)}" +} + +output "vpc_endpoint_ec2_id" { + description = "The ID of VPC endpoint for EC2" + value = "${element(concat(aws_vpc_endpoint.ec2.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ec2_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for EC2" + value = "${flatten(aws_vpc_endpoint.ec2.*.network_interface_ids)}" +} + +output "vpc_endpoint_ec2_dns_entry" { + description = "The DNS entries for the VPC Endpoint for EC2." 
+ value = "${flatten(aws_vpc_endpoint.ec2.*.dns_entry)}" +} + +# Static values (arguments) output "azs" { description = "A list of availability zones specified as argument to this module" value = "${var.azs}" diff --git a/variables.tf b/variables.tf index 5f423959c..4c778ada5 100644 --- a/variables.tf +++ b/variables.tf 
@@ -173,6 +173,46 @@ variable "enable_s3_endpoint" { default = false } +variable "enable_ssm_endpoint" { + description = "Should be true if you want to provision an SSM endpoint to the VPC" + default = false +} + +variable "ssm_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for SSM endpoint" + default = [] +} + +variable "ssm_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "ssm_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint" + default = false +} + +variable "enable_ec2_endpoint" { + description = "Should be true if you want to provision an EC2 endpoint to the VPC" + default = false +} + +variable "ec2_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for EC2 endpoint" + default = [] +} + +variable "ec2_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint" + default = false +} + +variable "ec2_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" default = true From 01601169c00c68f37d5df8a80cc17c88f02c04d0 Mon Sep 17 00:00:00 2001 
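Review bot: The `ssm_endpoint_security_group_ids` and `ec2_endpoint_security_group_ids` descriptions do not say what happens when the list stays at its default `[]`, which is the case every caller hits unless they opt in; `main.tf` passes the empty list straight to the resource, so the description should make the consequence explicit, e.g. `description = "IDs of security groups to attach to the SSM endpoint's network interfaces; they must allow TCP 443 from the endpoint's clients. If empty, this module attaches no group of its own and the endpoint gets whatever AWS applies by default."` (and the same wording for the EC2 variable). The four `ssm_*` variables are declared in the order security_group_ids, subnet_ids, private_dns_enabled while the `ec2_*` ones are security_group_ids, private_dns_enabled, subnet_ids; one order for both groups makes the pairs easier to compare.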
From: ebarault Date: Fri, 11 Jan 2019 18:47:09 +0100 Subject: [PATCH 23/81] adding option to create a route to nat gateway in database subnets --- main.tf | 13 ++++++++++++- variables.tf | 5 +++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a4156ba26..d3d1be44d 100644 --- a/main.tf +++ b/main.tf @@ -122,7 +122,7 @@ resource "aws_route_table" "database" { } resource "aws_route" "database_internet_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0}" + count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0}" route_table_id = "${aws_route_table.database.id}" destination_cidr_block = "0.0.0.0/0" @@ -133,6 +133,17 @@ resource "aws_route" "database_internet_gateway" { } } +resource "aws_route" "database_nat_gateway" { + count = "${var.create_vpc && var.enable_nat_gateway && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_nat_gateway_route && !var.create_database_internet_gateway_route ? local.nat_gateway_count : 0}" + route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" + + timeouts { + create = "5m" + } +} + ################# # Redshift routes ################# diff --git a/variables.tf b/variables.tf index 5f423959c..9665bef59 100644 --- a/variables.tf +++ b/variables.tf 
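Review bot: `route_table_id = "${element(aws_route_table.private.*.id, count.index)}"` in the new `database_nat_gateway` route writes to the private route tables, but the flag it is gated on is about the database subnets and the sibling `database_internet_gateway` route writes to `aws_route_table.database.id`; as written the database table gets no NAT route, and the private tables presumably already carry a `0.0.0.0/0` route from the existing private NAT route elsewhere in `main.tf` (not in this hunk), which would make this a duplicate-route error at apply. The PATCH 24 hunk below only reorders the count expression and keeps the same `route_table_id`, so it has the same problem. Since `aws_route_table.database` is referenced without an index, there appears to be a single database route table, so the route should use `route_table_id = "${aws_route_table.database.id}"` with the count reduced to `? 1 : 0` and `nat_gateway_id = "${element(aws_nat_gateway.this.*.id, 0)}"`, unless the database route table is made per-AZ in the same change. `local.nat_gateway_count` is defined outside the hunk, so I cannot confirm how many routes the current count would create.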
@@ -122,6 +122,11 @@ variable "create_database_internet_gateway_route" { default = false } +variable "create_database_nat_gateway_route" { + description = "Controls if a nat gateway route should be created to give internet access to the database subnets" + default = false +} + variable "azs" { description = "A list of availability zones in the region" default = [] From 8e2f50e6c8f8fd8b0abcaf2c4150d7446276fcaa Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 18 Jan 2019 12:16:50 +0100 Subject: [PATCH 24/81] Reordered vars in count for database_nat_gateway route --- .pre-commit-config.yaml | 4 ++-- README.md | 1 + main.tf | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6262d4e7a..c8299b7a8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,10 +1,10 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.7.4 + rev: v1.8.1 hooks: - id: terraform_fmt - id: terraform_docs - repo: git://github.com/pre-commit/pre-commit-hooks - rev: v2.0.0 + rev: v2.1.0 hooks: - id: check-merge-conflict diff --git a/README.md b/README.md index 46a32b22c..5bde0c2a6 100644 --- a/README.md +++ b/README.md 
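Review bot: The description of `create_database_nat_gateway_route` does not say that the route is only created when `create_database_subnet_route_table` and `enable_nat_gateway` are true and `create_database_internet_gateway_route` is false, all of which the count expression in `main.tf` requires, so a caller who sets only this flag silently gets nothing. Suggest `description = "Controls if a NAT gateway route should be created to give internet access to the database subnets. Requires create_database_subnet_route_table and enable_nat_gateway; ignored when create_database_internet_gateway_route is true."`. Since this gives an otherwise isolated database tier outbound internet reachability, stating the precondition plainly also helps reviewers of the calling configuration see that the route is intended.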
@@ -184,6 +184,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | azs | A list of availability zones in the region | list | `[]` | no | | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | | create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no | +| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `"false"` | no | | create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no | | create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `"false"` | no | | create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `"true"` | no | diff --git a/main.tf b/main.tf index 3a5645cc9..48ccf584a 100644 --- a/main.tf +++ b/main.tf @@ -134,7 +134,7 @@ resource "aws_route" "database_internet_gateway" { } resource "aws_route" "database_nat_gateway" { - count = "${var.create_vpc && var.enable_nat_gateway && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_nat_gateway_route && !var.create_database_internet_gateway_route ? local.nat_gateway_count : 0}" + count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}" route_table_id = "${element(aws_route_table.private.*.id, count.index)}" destination_cidr_block = "0.0.0.0/0" nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" From c1c373687d41066c5762e47b3453c95a6c3d7f19 Mon Sep 17 00:00:00 2001 
From: thebugfinder Date: Tue, 22 Jan 2019 08:51:17 +0100 Subject: [PATCH 25/81] add endpoints ec2messages, ssmmessages as those are required by Systems Manager in addition to ec2 and ssm. --- main.tf | 50 ++++++++++++++++++++++++++++++++++++++++++++++---- outputs.tf | 30 ++++++++++++++++++++++++++++++ variables.tf | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 116 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 48ccf584a..6d3b88c7f 100644 --- a/main.tf +++ b/main.tf @@ -404,9 +404,9 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { route_table_id = "${aws_route_table.public.id}" } -###################### +####################### # VPC Endpoint for SSM -###################### +####################### data "aws_vpc_endpoint_service" "ssm" { count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" @@ -425,9 +425,30 @@ resource "aws_vpc_endpoint" "ssm" { private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" } -###################### +############################### +# VPC Endpoint for SSMMESSAGES +############################### +data "aws_vpc_endpoint_service" "ssmmessages" { + count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + + service = "ssmmessages" +} + +resource "aws_vpc_endpoint" "ssmmessages" { + count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}" +} + +####################### # VPC Endpoint for EC2 -###################### +####################### data "aws_vpc_endpoint_service" "ec2" { count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" 
@@ -446,6 +467,27 @@ resource "aws_vpc_endpoint" "ec2" { private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" } +############################### +# VPC Endpoint for EC2MESSAGES +############################### +data "aws_vpc_endpoint_service" "ec2messages" { + count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" + + service = "ec2messages" +} + +resource "aws_vpc_endpoint" "ec2messages" { + count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}" +} + ########################## # Route table association ########################## diff --git a/outputs.tf b/outputs.tf index 0fcd28c3f..14ada0390 100644 --- a/outputs.tf +++ b/outputs.tf @@ -294,6 +294,21 @@ output "vpc_endpoint_ssm_dns_entry" { value = "${flatten(aws_vpc_endpoint.ssm.*.dns_entry)}" } +output "vpc_endpoint_ssmmessages_id" { + description = "The ID of VPC endpoint for SSMMESSAGES" + value = "${element(concat(aws_vpc_endpoint.ssmmessages.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ssmmessages_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGS." + value = "${flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)}" +} + +output "vpc_endpoint_ssmmessages_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SSMMESSAGES." + value = "${flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry)}" +} + output "vpc_endpoint_ec2_id" { description = "The ID of VPC endpoint for EC2" value = "${element(concat(aws_vpc_endpoint.ec2.*.id, list("")), 0)}" 
@@ -309,6 +324,21 @@ output "vpc_endpoint_ec2_dns_entry" { value = "${flatten(aws_vpc_endpoint.ec2.*.dns_entry)}" } +output "vpc_endpoint_ec2messages_id" { + description = "The ID of VPC endpoint for EC2MESSAGES" + value = "${element(concat(aws_vpc_endpoint.ec2messages.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ec2messages_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for EC2MESSAGES" + value = "${flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids)}" +} + +output "vpc_endpoint_ec2messages_dns_entry" { + description = "The DNS entries for the VPC Endpoint for EC2MESSAGES." + value = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}" +} + # Static values (arguments) output "azs" { description = "A list of availability zones specified as argument to this module" diff --git a/variables.tf b/variables.tf index cff021398..d60ef0f1b 100644 --- a/variables.tf +++ b/variables.tf @@ -198,6 +198,26 @@ variable "ssm_endpoint_private_dns_enabled" { default = false } +variable "enable_ssmmessages_endpoint" { + description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" + default = false +} + +variable "ssmmessages_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" + default = [] +} + +variable "ssmmessages_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "ssmmessages_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint" + default = false +} + variable "enable_ec2_endpoint" { description = "Should be true if you want to provision an EC2 endpoint to the VPC" default = false 
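Review bot: The `enable_ssmmessages_endpoint` description ("Should be true if you want to provision a SSMMESSAGES endpoint to the VPC") does not record what the commit message states — that Systems Manager needs the ssm, ssmmessages and ec2messages endpoints together — so a caller enabling only one of them gets a partially working setup with no hint why; suggest `description = "Should be true if you want to provision an SSMMESSAGES endpoint to the VPC. Systems Manager (incl. Session Manager) also needs the ssm and ec2messages endpoints."` and the matching wording on `enable_ec2messages_endpoint` in the following hunk. `ssmmessages_endpoint_private_dns_enabled` defaults to false, and with private DNS off the service's regional hostname presumably still resolves to the public address, so the endpoint exists but agents may not use it unless pointed at its endpoint-specific DNS name — worth a sentence in that description (confirm against the agent's endpoint settings). "a SSMMESSAGES" should read "an SSMMESSAGES", as the other descriptions in this block do.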
@@ -218,6 +238,26 @@ variable "ec2_endpoint_subnet_ids" { default = [] } +variable "enable_ec2messages_endpoint" { + description = "Should be true if you want to provision an EC2MESSAGES endpoint to the VPC" + default = false +} + +variable "ec2messages_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint" + default = [] +} + +variable "ec2messages_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint" + default = false +} + +variable "ec2messages_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" default = true From f96e59c786573d628d4d15ad3cce876d93037cd5 Mon Sep 17 00:00:00 2001 From: thebugfinder Date: Tue, 22 Jan 2019 08:58:18 +0100 Subject: [PATCH 26/81] fix typo --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 14ada0390..277706622 100644 --- a/outputs.tf +++ b/outputs.tf @@ -300,7 +300,7 @@ output "vpc_endpoint_ssmmessages_id" { } output "vpc_endpoint_ssmmessages_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGS." + description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGES." value = "${flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)}" } From 92596fa7359a1fea5d2a7ac702fdc8a58b1fe5c0 Mon Sep 17 00:00:00 2001 
From: thebugfinder Date: Fri, 1 Feb 2019 08:41:34 +0100 Subject: [PATCH 27/81] add additional endpoints to examples --- examples/complete-vpc/main.tf | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 59da401fc..d90448803 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -43,16 +43,27 @@ module "vpc" { enable_dynamodb_endpoint = true # VPC endpoint for SSM - enable_ssm_endpoint = true - ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + enable_ssm_endpoint = true + ssm_endpoint_private_dns_enabled = true + ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] // ssm_endpoint_subnet_ids = ["..."] + # VPC endpoint for SSMMESSAGES + enable_ssmmessages_endpoint = true + ssmmessages_endpoint_private_dns_enabled = true + ssmmessages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + # VPC Endpoint for EC2 - enable_ec2_endpoint = true - ec2_endpoint_private_dns_enabled = true - ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + enable_ec2_endpoint = true + ec2_endpoint_private_dns_enabled = true + ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + + # VPC Endpoint for EC2MESSAGES + enable_ec2messages_endpoint = true + ec2messages_endpoint_private_dns_enabled = true + ec2messages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + tags = { Owner = "user" Environment = "staging" From d001144718e6e0a94369ee4639d4eacb65c6fafe Mon Sep 17 00:00:00 2001 From: thebugfinder Date: Fri, 1 Feb 2019 08:59:20 +0100 Subject: [PATCH 28/81] add files updated by pre-commit --- README.md | 102 ++++++++++++++++++-------------- examples/complete-vpc/main.tf | 15 ++--- examples/test_fixture/README.md | 2 +- 3 files changed, 65 insertions(+), 54 deletions(-) 
diff --git a/README.md b/README.md index 5bde0c2a6..c75b4c161 100644 --- a/README.md +++ b/README.md 
@@ -179,87 +179,95 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no | -| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `"false"` | no | +| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `64512` | no | +| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no | | azs | A list of availability zones in the region | list | `[]` | no | -| cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | -| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no | -| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `"false"` | no | -| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no | -| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `"false"` | no | -| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `"true"` | no | -| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `"false"` | no | -| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `"true"` | no | -| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `"false"` | no | -| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `"true"` | no | +| cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no | +| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `false` | no | +| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `false` | no | +| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `true` | no | +| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `false` | no | +| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `true` | no | +| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `false` | no | +| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `true` | no | +| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `false` | no | +| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no | | database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | | database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no | -| database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no | +| database\_subnet\_suffix | Suffix to append to database subnets name | string | `db` | no | | database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no | | database\_subnets | A list of database subnets | list | `[]` | no | -| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `"false"` | no | -| 
default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `"false"` | no | -| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | -| default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no | +| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `false` | no | +| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `false` | no | +| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `true` | no | +| default\_vpc\_name | Name to be used on the Default VPC | string | `` | no | | default\_vpc\_tags | Additional tags for the Default VPC | map | `{}` | no | -| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `""` | no | +| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `` | no | | dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list | `[ "AmazonProvidedDNS" ]` | no | | dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set | list | `[]` | no | -| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `""` | no | +| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `` | no | | dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set | list | `[]` | no | | dhcp\_options\_tags | Additional tags for the DHCP option set | map | `{}` | no | -| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | string | `"false"` | no | +| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the 
specified VPC for EC2 endpoint | string | `false` | no | | ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list | `[]` | no | | ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | string | `false` | no | +| ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list | `[]` | no | +| ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no | -| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | +| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `elasticache` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | | elasticache\_subnets | A list of elasticache subnets | list | `[]` | no | -| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no | -| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no | -| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no | -| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `"false"` | no | -| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `"false"` | no | -| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | -| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | -| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | -| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | +| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no | +| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | 
string | `false` | no | +| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `true` | no | +| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `false` | no | +| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `false` | no | +| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `false` | no | +| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `false` | no | +| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `false` | no | +| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `false` | no | +| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `false` | no | +| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `false` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | -| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | +| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `default` | no | | intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | -| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | -| map\_public\_ip\_on\_launch | Should be false if you do not want to 
auto-assign public IP on launch | string | `"true"` | no | -| name | Name to be used on all the resources as identifier | string | `""` | no | +| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `false` | no | +| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `true` | no | +| name | Name to be used on all the resources as identifier | string | `` | no | | nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no | | nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no | -| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `"false"` | no | +| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. 
| string | `false` | no | | private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no | -| private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no | +| private\_subnet\_suffix | Suffix to append to private subnets name | string | `private` | no | | private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no | | private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | -| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | -| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | +| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no | +| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no | | public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no | -| public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no | +| public\_subnet\_suffix | Suffix to append to public subnets name | string | `public` | no | | public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no | | public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | | redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no | | redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no | -| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | +| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `redshift` | no | | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no | | redshift\_subnets | A list of redshift subnets | list | `[]` | no | -| 
reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | +| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `false` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | -| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | -| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no | +| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `false` | no | +| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `false` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `false` | no | +| ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | +| ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | | vpc\_tags | Additional tags for the VPC | map | `{}` | no | -| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | +| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `` | no | | vpn\_gateway\_tags | Additional tags for the VPN gateway | map | `{}` | no | ## Outputs 
@@ -314,11 +322,17 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. | | vpc\_endpoint\_ec2\_id | The ID of VPC endpoint for EC2 | | vpc\_endpoint\_ec2\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2 | +| vpc\_endpoint\_ec2messages\_dns\_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES. | +| vpc\_endpoint\_ec2messages\_id | The ID of VPC endpoint for EC2MESSAGES | +| vpc\_endpoint\_ec2messages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES | | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 | | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. | | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | +| vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. | +| vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES | +| vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. | | vpc\_id | The ID of the VPC | | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index d90448803..c35c3f2dd 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf 
@@ -43,9 +43,9 @@ module "vpc" { enable_dynamodb_endpoint = true # VPC endpoint for SSM - enable_ssm_endpoint = true - ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + enable_ssm_endpoint = true + ssm_endpoint_private_dns_enabled = true + ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] // ssm_endpoint_subnet_ids = ["..."] @@ -53,17 +53,14 @@ module "vpc" { enable_ssmmessages_endpoint = true ssmmessages_endpoint_private_dns_enabled = true ssmmessages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] - # VPC Endpoint for EC2 - enable_ec2_endpoint = true - ec2_endpoint_private_dns_enabled = true - ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] - + enable_ec2_endpoint = true + ec2_endpoint_private_dns_enabled = true + ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] # VPC Endpoint for EC2MESSAGES enable_ec2messages_endpoint = true ec2messages_endpoint_private_dns_enabled = true ec2messages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] - tags = { Owner = "user" Environment = "staging" diff --git a/examples/test_fixture/README.md b/examples/test_fixture/README.md index 2fec823b1..db7173a41 100644 --- a/examples/test_fixture/README.md +++ b/examples/test_fixture/README.md @@ -25,7 +25,7 @@ This will destroy any existing test resources, create the resources afresh, run | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| region | | string | `"eu-west-1"` | no | +| region | - | string | `eu-west-1` | no | ## Outputs From 3caad3222495afce8e5b2dd59e7ef2db6b8a9a69 Mon Sep 17 00:00:00 2001 
From: thebugfinder Date: Fri, 1 Feb 2019 20:27:59 +0100 Subject: [PATCH 29/81] switch to terraform-docs v0.6.0 --- README.md | 96 ++++++++++++++++----------------- examples/test_fixture/README.md | 2 +- 2 files changed, 49 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index c75b4c161..08514a572 100644 --- a/README.md +++ b/README.md 
@@ -179,95 +179,95 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `64512` | no | -| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `false` | no | +| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no | +| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `"false"` | no | | azs | A list of availability zones in the region | list | `[]` | no | -| cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `0.0.0.0/0` | no | -| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `false` | no | -| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `false` | no | -| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `true` | no | -| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `false` | no | -| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `true` | no | -| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `false` | no | -| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `true` | no | -| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `false` | no | -| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `true` | no | +| cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | +| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no | +| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `"false"` | no | +| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no | +| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `"false"` | no | +| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `"true"` | no | +| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `"false"` | no | +| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `"true"` | no | +| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `"false"` | no | +| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `"true"` | no | | database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | | database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no | -| database\_subnet\_suffix | Suffix to append to database subnets name | string | `db` | no | +| database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no | | database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no | | database\_subnets | A list of database subnets | list | `[]` | no | -| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `false` | no | -| 
default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `false` | no | -| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `true` | no | -| default\_vpc\_name | Name to be used on the Default VPC | string | `` | no | +| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `"false"` | no | +| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `"false"` | no | +| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | +| default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no | | default\_vpc\_tags | Additional tags for the Default VPC | map | `{}` | no | -| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `` | no | +| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `""` | no | | dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list | `[ "AmazonProvidedDNS" ]` | no | | dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set | list | `[]` | no | -| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `` | no | +| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `""` | no | | dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set | list | `[]` | no | | dhcp\_options\_tags | Additional tags for the DHCP option set | map | `{}` | no | -| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | string | `false` | no | +| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the 
specified VPC for EC2 endpoint | string | `"false"` | no | | ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list | `[]` | no | | ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | string | `false` | no | +| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | string | `"false"` | no | | ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list | `[]` | no | | ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no | -| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `elasticache` | no | +| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | | elasticache\_subnets | A list of elasticache subnets | list | `[]` | no | -| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `false` | no | -| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `false` | no | -| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `true` | no | -| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `false` | no | -| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `false` | no | -| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `false` | no | -| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `false` | no | -| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `false` | no | -| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `false` | no | -| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `false` | no | -| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `false` | no | +| enable\_dhcp\_options | Should 
be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no | +| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no | +| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no | +| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `"false"` | no | +| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `"false"` | no | +| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no | +| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | +| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | +| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | +| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no | +| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | -| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `default` | no | +| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | | intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no | | intra\_subnet\_tags | Additional tags for 
the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | -| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `false` | no | -| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `true` | no | -| name | Name to be used on all the resources as identifier | string | `` | no | +| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | +| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no | +| name | Name to be used on all the resources as identifier | string | `""` | no | | nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no | | nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no | -| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `false` | no | +| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. 
| string | `"false"` | no | | private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no | -| private\_subnet\_suffix | Suffix to append to private subnets name | string | `private` | no | +| private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no | | private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no | | private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | -| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no | -| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `false` | no | +| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | +| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | | public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no | -| public\_subnet\_suffix | Suffix to append to public subnets name | string | `public` | no | +| public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no | | public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no | | public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | | redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no | | redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no | -| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `redshift` | no | +| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no | | redshift\_subnets | A list of redshift subnets | list | `[]` | no | -| 
reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `false` | no | +| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | -| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `false` | no | -| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `false` | no | +| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | +| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | -| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `false` | no | +| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | | vpc\_tags | Additional tags for the VPC | map | `{}` | no | -| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `` | no | +| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | | vpn\_gateway\_tags | Additional tags for the VPN gateway | map | `{}` | no | ## Outputs diff --git a/examples/test_fixture/README.md b/examples/test_fixture/README.md index db7173a41..2fec823b1 100644 --- a/examples/test_fixture/README.md +++ b/examples/test_fixture/README.md @@ -25,7 +25,7 @@ This will destroy any existing test resources, create the resources afresh, run | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| region | - | string | `eu-west-1` | no | +| region | | string | `"eu-west-1"` | no | ## Outputs From 33e8809fe88f495f74cadc2a8e3a8e1c9f78f15d Mon Sep 17 00:00:00 2001 From: Michiel Dhadamus Date: Tue, 12 Feb 2019 14:27:52 +0100 Subject: [PATCH 30/81] Added option to create ECR api and dkr endpoints --- main.tf | 38 ++++++++++++++++++++++++++++++++++++++ variables.tf | 30 ++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) 
diff --git a/main.tf b/main.tf
index 48ccf584a..0cb6ec228 100644
--- a/main.tf
+++ b/main.tf
@@ -367,6 +367,44 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 route_table_id = "${aws_route_table.public.id}"
 }
+##########################
+# VPC Endpoint for ECR API
+##########################
+data "aws_vpc_endpoint_service" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ service = "ecr.api"
+}
+
+resource "aws_vpc_endpoint" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ vpc_endpoint_type = "Interface"
+ vpc_id = "${local.vpc_id}"
+ security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]
+ service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}"
+ private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}"
+}
+
+##########################
+# VPC Endpoint for ECR DKR
+##########################
+data "aws_vpc_endpoint_service" "ecr_dkr" {
+ count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
+
+ service = "ecr.dkr"
+}
+
+resource "aws_vpc_endpoint" "ecr_dkr" {
+ count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
+
+ vpc_endpoint_type = "Interface"
+ vpc_id = "${local.vpc_id}"
+ security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"]
+ service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}"
+ private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
+}
+
 ############################
 # VPC Endpoint for DynamoDB
 ############################
diff --git a/variables.tf b/variables.tf
index cff021398..d152ca47d 100644
--- a/variables.tf
+++ b/variables.tf
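Review bot: `security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]` (and its DKR twin) is fed from a variable whose default is `[]`, so a caller who only sets `enable_ecr_api_endpoint = true` gets an endpoint ENI with no explicitly chosen security group; as far as I recall AWS then attaches the VPC default security group, whose rules are usually far broader than the single inbound TCP/443 from the VPC CIDR that an interface endpoint needs. The module cannot choose a safe group on the caller's behalf, but it should make the consequence visible: put `# Left empty, AWS attaches the VPC default SG; pass a dedicated SG that allows only TCP/443 from the VPC CIDR` above the attribute in both resources and echo it in the variable descriptions. The existing EC2/SSM endpoints, outside this hunk, presumably share the same gap.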
@@ -178,6 +178,36 @@ variable "enable_s3_endpoint" {
 default = false
 }
+variable "enable_ecr_api_endpoint" {
+ description = "Should be true if you want to provision an ecr api endpoint to the VPC"
+ default = false
+}
+
+variable "ecr_api_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
+ default = false
+}
+
+variable "ecr_api_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint"
+ default = []
+}
+
+variable "enable_ecr_dkr_endpoint" {
+ description = "Should be true if you want to provision an ecr dkr endpoint to the VPC"
+ default = false
+}
+
+variable "ecr_dkr_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
+ default = false
+}
+
+variable "ecr_dkr_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint"
+ default = []
+}
+
 variable "enable_ssm_endpoint" {
 description = "Should be true if you want to provision an SSM endpoint to the VPC"
 default = false
From 176a596fc8b7fbdf267b404c1dce42de83d19108 Mon Sep 17 00:00:00 2001 From: Michiel Dhadamus Date: Tue, 12 Feb 2019 16:33:01 +0100 Subject: [PATCH 31/81] Added subnet ids to ecr endpoints --- main.tf | 2 ++ variables.tf | 10 ++++++++++ 2 files changed, 12 insertions(+)
diff --git a/main.tf b/main.tf
index 0cb6ec228..fbda01b86 100644
--- a/main.tf
+++ b/main.tf
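Review bot: The new `enable_ecr_api_endpoint` and `enable_ecr_dkr_endpoint` descriptions say "an ecr api endpoint" / "an ecr dkr endpoint" while the `enable_ssm_endpoint` context line at the bottom of the same hunk says "an SSM endpoint"; terraform-docs copies these strings verbatim into the README table, so the inconsistency becomes user-facing. Use `description = "Should be true if you want to provision an ECR API endpoint to the VPC"` and `description = "Should be true if you want to provision an ECR DKR endpoint to the VPC"`, matching the capitalisation the other endpoint variables already use.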
@@ -382,6 +382,7 @@ resource "aws_vpc_endpoint" "ecr_api" {
 vpc_endpoint_type = "Interface"
 vpc_id = "${local.vpc_id}"
 security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
 service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}"
 private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}"
 }
@@ -401,6 +402,7 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
 vpc_endpoint_type = "Interface"
 vpc_id = "${local.vpc_id}"
 security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
 service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}"
 private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
 }
diff --git a/variables.tf b/variables.tf
index d152ca47d..9430fefa3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -183,6 +183,11 @@ variable "enable_ecr_api_endpoint" {
 default = false
 }
+variable "ecr_api_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used."
+ default = []
+}
+
 variable "ecr_api_endpoint_private_dns_enabled" {
 description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
 default = false
@@ -198,6 +203,11 @@ variable "enable_ecr_dkr_endpoint" {
 default = false
 }
+variable "ecr_dkr_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used."
+ default = []
+}
+
 variable "ecr_dkr_endpoint_private_dns_enabled" {
 description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
 default = false
From bd089fb5f65a6212ba2f20cadf3ea7313e01235a Mon Sep 17 00:00:00 2001
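Review bot: `subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"]` silently falls back to every private subnet, and that fallback has two failure modes the hunk does not guard: `coalescelist` errors when both lists are empty (a VPC declared with no `private_subnets`), and the README's own description for `ssm_endpoint_subnet_ids` states that only a single subnet per AZ is supported, so a private-subnet layout with two subnets in one AZ makes the endpoint creation fail at apply. Neither error message mentions ECR, so a short comment above the attribute would save the next person a hunt: `# Falls back to all private subnets; interface endpoints accept at most one subnet per AZ, so override when private subnets double up in an AZ`. The `aws_vpc_endpoint` resource blocks start above the hunk, and the same applies to the `ecr_dkr` line in the second hunk.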
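Review bot: The new `ecr_api_endpoint_subnet_ids` and `ecr_dkr_endpoint_subnet_ids` descriptions drop the "Only a single subnet within an AZ is supported." sentence that the equivalent `ssm_endpoint_subnet_ids` and `ec2messages_endpoint_subnet_ids` descriptions carry, even though the constraint is the same interface-endpoint limit. Since the README table is generated from these strings, callers reading the ECR rows will not learn why their apply fails; use `description = "The ID of one or more subnets in which to create a network interface for ECR API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."` and the matching DKR wording.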
From: Anton Babenko Date: Thu, 14 Feb 2019 09:47:47 +0100 Subject: [PATCH 32/81] Fixed formatting after #205 --- README.md | 4 +++- examples/complete-vpc/main.tf | 7 ++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 08514a572..f43bee808 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,9 @@ These types of resources are supported: * [Internet Gateway](https://www.terraform.io/docs/providers/aws/r/internet_gateway.html) * [NAT Gateway](https://www.terraform.io/docs/providers/aws/r/nat_gateway.html) * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) -* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html) (Gateway: S3, DynamoDB; Interface: EC2, SSM) +* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): + * Gateway: S3, DynamoDB + * Interface: EC2, SSM, EC2 Messages, SSM Messages * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index c35c3f2dd..8f6e14e25 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf 
@@ -45,22 +45,23 @@ module "vpc" { # VPC endpoint for SSM enable_ssm_endpoint = true ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] - - // ssm_endpoint_subnet_ids = ["..."] + ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] # ssm_endpoint_subnet_ids = ["..."] # VPC endpoint for SSMMESSAGES enable_ssmmessages_endpoint = true ssmmessages_endpoint_private_dns_enabled = true ssmmessages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + # VPC Endpoint for EC2 enable_ec2_endpoint = true ec2_endpoint_private_dns_enabled = true ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + # VPC Endpoint for EC2MESSAGES enable_ec2messages_endpoint = true ec2messages_endpoint_private_dns_enabled = true ec2messages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + tags = { Owner = "user" Environment = "staging" From 03eded61e4dd31598ed6cd7089493614d7105b9a Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 14 Feb 2019 09:56:55 +0100 Subject: [PATCH 33/81] Fixed formatting after #213 --- README.md | 10 ++++- examples/complete-vpc/main.tf | 10 +++++ main.tf | 82 ++++++++++++++++++----------------- variables.tf | 80 +++++++++++++++++----------------- 4 files changed, 101 insertions(+), 81 deletions(-) diff --git a/README.md b/README.md index f43bee808..d50399d2f 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages + * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -216,6 +216,12 @@ Terraform version 0.10.3 or newer is required for this module to work. | ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | string | `"false"` | no | | ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list | `[]` | no | | ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| ecr\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | string | `"false"` | no | +| ecr\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint | list | `[]` | no | +| ecr\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | list | `[]` | no | +| ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | string | `"false"` | no | +| ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list | `[]` | no | +| ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. 
| list | `[]` | no | | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no | | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | @@ -226,6 +232,8 @@ Terraform version 0.10.3 or newer is required for this module to work. | enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `"false"` | no | | enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `"false"` | no | | enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no | +| enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | string | `"false"` | no | +| enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | string | `"false"` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 8f6e14e25..0f38fda90 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf 
@@ -62,6 +62,16 @@ module "vpc" {
 ec2messages_endpoint_private_dns_enabled = true
 ec2messages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]
+ # VPC Endpoint for ECR API
+ enable_ecr_api_endpoint = true
+ ecr_api_endpoint_private_dns_enabled = true
+ ecr_api_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]
+
+ # VPC Endpoint for ECR DKR
+ enable_ecr_dkr_endpoint = true
+ ecr_dkr_endpoint_private_dns_enabled = true
+ ecr_dkr_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]
+
 tags = {
 Owner = "user"
 Environment = "staging"
diff --git a/main.tf b/main.tf
index 3eb088f0d..6e74a3cb4 100644
--- a/main.tf
+++ b/main.tf
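Review bot: `ecr_api_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]` and the DKR line attach the VPC default security group to the new endpoints, copying the EC2/SSM lines just above. For a `complete-vpc` example that people paste into real stacks this is the wrong pattern to demonstrate: the default group is the one most hardening guides say to leave unused, and its usual self-referencing allow-all rule (not visible here, so please confirm) exposes the endpoint ENI to anything else that sits in that group rather than just TCP/443 from the VPC. A dedicated `aws_security_group` permitting only 443 from the VPC CIDR would be a better example; failing that, add `# Example only: in real deployments use a dedicated SG that allows just TCP/443 from the VPC CIDR` above the ECR block. The enclosing `module "vpc"` block starts above the hunk.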
@@ -367,46 +367,6 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 route_table_id = "${aws_route_table.public.id}"
 }
-##########################
-# VPC Endpoint for ECR API
-##########################
-data "aws_vpc_endpoint_service" "ecr_api" {
- count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
-
- service = "ecr.api"
-}
-
-resource "aws_vpc_endpoint" "ecr_api" {
- count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
-
- vpc_endpoint_type = "Interface"
- vpc_id = "${local.vpc_id}"
- security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}"
- private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}"
-}
-
-##########################
-# VPC Endpoint for ECR DKR
-##########################
-data "aws_vpc_endpoint_service" "ecr_dkr" {
- count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
-
- service = "ecr.dkr"
-}
-
-resource "aws_vpc_endpoint" "ecr_dkr" {
- count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
-
- vpc_endpoint_type = "Interface"
- vpc_id = "${local.vpc_id}"
- security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}"
- private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
-}
-
 ############################
 # VPC Endpoint for DynamoDB
 ############################
@@ -528,6 +488,48 @@ resource "aws_vpc_endpoint" "ec2messages" {
 private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}"
 }
+###########################
+# VPC Endpoint for ECR API
+###########################
+data "aws_vpc_endpoint_service" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ service = "ecr.api"
+}
+
+resource "aws_vpc_endpoint" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}"
+}
+
+###########################
+# VPC Endpoint for ECR DKR
+###########################
+data "aws_vpc_endpoint_service" "ecr_dkr" {
+ count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
+
+ service = "ecr.dkr"
+}
+
+resource "aws_vpc_endpoint" "ecr_dkr" {
+ count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################
diff --git a/variables.tf b/variables.tf
index 711802569..3467a87c4 100644
--- a/variables.tf
+++ b/variables.tf
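Review bot: `resource "aws_vpc_endpoint" "ecr_api"` and `"ecr_dkr"` expose security groups, subnets and private DNS but no endpoint policy, so — if I remember the provider default correctly — both endpoints are created with the AWS full-access policy and any principal inside the VPC can reach any ECR registry, including pushing layers to a registry in a foreign account, which is a well-trodden exfiltration path from otherwise egress-restricted subnets. The module cannot know the caller's registries, but it can hand over the knob: an `ecr_api_endpoint_policy` / `ecr_dkr_endpoint_policy` variable wired as `policy = "${var.ecr_dkr_endpoint_policy}"`, or at least a line in the header comment saying `# No endpoint policy is set; the AWS default grants full access — restrict via an endpoint policy in hardened VPCs`. The other interface endpoints, outside this hunk, presumably have the same gap, so a module-wide decision is better than an ECR-only one.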
@@ -178,46 +178,6 @@ variable "enable_s3_endpoint" {
 default = false
 }
-variable "enable_ecr_api_endpoint" {
- description = "Should be true if you want to provision an ecr api endpoint to the VPC"
- default = false
-}
-
-variable "ecr_api_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used."
- default = []
-}
-
-variable "ecr_api_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
- default = false
-}
-
-variable "ecr_api_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint"
- default = []
-}
-
-variable "enable_ecr_dkr_endpoint" {
- description = "Should be true if you want to provision an ecr dkr endpoint to the VPC"
- default = false
-}
-
-variable "ecr_dkr_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used."
- default = []
-}
-
-variable "ecr_dkr_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
- default = false
-}
-
-variable "ecr_dkr_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint"
- default = []
-}
-
 variable "enable_ssm_endpoint" {
 description = "Should be true if you want to provision an SSM endpoint to the VPC"
 default = false
@@ -298,6 +258,46 @@ variable "ec2messages_endpoint_subnet_ids" {
 default = []
 }
+variable "enable_ecr_api_endpoint" {
+ description = "Should be true if you want to provision an ecr api endpoint to the VPC"
+ default = false
+}
+
+variable "ecr_api_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecr_api_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
+ default = false
+}
+
+variable "ecr_api_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint"
+ default = []
+}
+
+variable "enable_ecr_dkr_endpoint" {
+ description = "Should be true if you want to provision an ecr dkr endpoint to the VPC"
+ default = false
+}
+
+variable "ecr_dkr_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecr_dkr_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
+ default = false
+}
+
+variable "ecr_dkr_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint"
+ default = []
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 default = true
From b65963edbd9981f686d522ea120d1e874c0fd6f0 Mon Sep 17 00:00:00 2001
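Review bot: `ecr_dkr_endpoint_private_dns_enabled` defaulting to `false` leaves the DKR endpoint in a state where, as far as I know, it is not actually used: without private DNS the `*.dkr.ecr.<region>.amazonaws.com` names still resolve to the public service and the docker daemon, unlike an SDK client, cannot be pointed at the endpoint-specific hostname, so pulls from private subnets keep going out via NAT or simply fail. Keeping `false` for parity with the other endpoints is defensible, but the description should say so: `description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint. Docker can only use the endpoint when this is true."`. Similarly, `ecr_api_endpoint_security_group_ids` and `ecr_dkr_endpoint_security_group_ids` should state what an empty list means, since AWS picks the VPC default security group in that case (please confirm against the provider behaviour).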
From: Kinnaird McQuade Date: Thu, 21 Feb 2019 13:02:55 -0500 Subject: [PATCH 34/81] Added intra subnet suffix. (#220) * Added intra subnet suffix. * Fixed duplicate intra * Fixed tag --- main.tf | 4 ++-- variables.tf | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 6e74a3cb4..fce2925fa 100644
--- a/main.tf
+++ b/main.tf
@@ -174,7 +174,7 @@ resource "aws_route_table" "intra" {
 vpc_id = "${local.vpc_id}"
- tags = "${merge(map("Name", "${var.name}-intra"), var.tags, var.intra_route_table_tags)}"
+ tags = "${merge(map("Name", "${var.name}-${var.intra_subnet_suffix}"), var.tags, var.intra_route_table_tags)}"
 }
 ################
@@ -281,7 +281,7 @@ resource "aws_subnet" "intra" {
 cidr_block = "${var.intra_subnets[count.index]}"
 availability_zone = "${element(var.azs, count.index)}"
- tags = "${merge(map("Name", format("%s-intra-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}"
+ tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}"
 }
 ##############
diff --git a/variables.tf b/variables.tf
index 3467a87c4..b052c6448 100644
--- a/variables.tf
+++ b/variables.tf
@@ -38,6 +38,11 @@ variable "private_subnet_suffix" {
 default = "private"
 }
+variable "intra_subnet_suffix" {
+ description = "Suffix to append to intra subnets name"
+ default = "intra"
+}
+
 variable "database_subnet_suffix" {
 description = "Suffix to append to database subnets name"
 default = "db"
From b12e9163c4d97db44e9d50427969af3bc06afe16 Mon Sep 17 00:00:00 2001
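Review bot: `format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))` in the `aws_subnet.intra` hunk splices a caller-supplied value into the format string itself, so a suffix containing `%` is interpreted as a verb and breaks or mangles the tag, whereas the sibling `aws_route_table.intra` line above just concatenates. Passing the suffix as an argument keeps user input out of the format string: `tags = "${merge(map("Name", format("%s-%s-%s", var.name, var.intra_subnet_suffix, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}"`. Both resource blocks start above their hunks, and the other subnet types presumably use the same pattern and would benefit from the same change.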
From: Anton Babenko Date: Thu, 21 Feb 2019 19:16:51 +0100 Subject: [PATCH 35/81] Added CHANGELOG.md (#221) --- .chglog/CHANGELOG.tpl.md | 51 ++++ .chglog/config.yml | 10 + CHANGELOG.md | 531 +++++++++++++++++++++++++++++++++++++++ Makefile | 7 + 4 files changed, 599 insertions(+) create mode 100644 .chglog/CHANGELOG.tpl.md create mode 100644 .chglog/config.yml create mode 100644 CHANGELOG.md create mode 100644 Makefile diff --git a/.chglog/CHANGELOG.tpl.md b/.chglog/CHANGELOG.tpl.md new file mode 100644 index 000000000..389f9114a --- /dev/null +++ b/.chglog/CHANGELOG.tpl.md @@ -0,0 +1,51 @@ +{{ if .Versions -}} + +## [Unreleased] +{{ if .Unreleased.CommitGroups -}} +{{ range .Unreleased.CommitGroups -}} +### {{ .Title }} +{{ range .Commits -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end }} +{{ end -}} +{{ else }} +{{ range .Unreleased.Commits -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end }} +{{ end -}} +{{ end -}} + +{{ range .Versions }} + +## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }} +{{ if .CommitGroups -}} +{{ range .CommitGroups -}} +### {{ .Title }} +{{ range .Commits -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end }} +{{ end -}} +{{ else }} +{{ range .Commits -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{ end }} +{{ end -}} + +{{- if .NoteGroups -}} +{{ range .NoteGroups -}} +### {{ .Title }} +{{ range .Notes }} +{{ .Body }} +{{ end }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- if .Versions }} +[Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD +{{ range .Versions -}} +{{ if .Tag.Previous -}} +[{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }} +{{ end -}} +{{ end -}} +{{ end -}} \ No newline at end of file 
diff --git a/.chglog/config.yml b/.chglog/config.yml new file mode 100644 index 000000000..5c3fa357c --- /dev/null +++ b/.chglog/config.yml @@ -0,0 +1,10 @@ +style: github +template: CHANGELOG.tpl.md +info: + title: CHANGELOG + repository_url: https://github.com/terraform-aws-modules/terraform-aws-vpc +options: + header: + pattern: "^(.*)$" + pattern_maps: + - Subject diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..a5fe68bdc --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,531 @@ + +## [Unreleased] + + + + +## [v1.57.0] - 0001-01-01 + + + + +## [v1.56.0] - 2019-02-21 + +- Added intra subnet suffix. ([#220](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/220)) + + + +## [v1.55.0] - 2019-02-14 + +- Fixed formatting after [#213](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/213) +- Merge pull request [#213](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/213) from michieldhadamus/ecr-endpoints +- Added subnet ids to ecr endpoints +- Added option to create ECR api and dkr endpoints + + + +## [v1.54.0] - 2019-02-14 + +- Fixed formatting after [#205](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/205) +- Merge pull request [#205](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/205) from tbugfinder/extend_endpoints +- switch to terraform-docs v0.6.0 +- add files updated by pre-commit +- add additional endpoints to examples +- fix typo +- add endpoints ec2messages, ssmmessages as those are required by Systems Manager in addition to ec2 and ssm. 
+- Merge pull request [#1](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1) from terraform-aws-modules/master + + + +## [v1.53.0] - 2019-01-18 + +- Reordered vars in count for database_nat_gateway route +- Merge pull request [#201](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/201) from ebarault/feat/database-route-to-natgw +- adding option to create a route to nat gateway in database subnets + + + +## [v1.52.0] - 2019-01-17 + +- Merge pull request [#202](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/202) from terraform-aws-modules/ssm_and_ec2_vpc_endpoints +- Added SSM and EC2 VPC endpoints (fixes [#195](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/195), [#194](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/194)) + + + +## [v1.51.0] - 2019-01-10 + +- Merge pull request [#199](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/199) from terraform-aws-modules/elasticache_subnet_group +- Added possibility to control creation of elasticache and redshift subnet groups + + + +## [v1.50.0] - 2018-12-27 + +- Added azs to outputs which is an argument + + + +## [v1.49.0] - 2018-12-12 + +- Merge pull request [#191](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/191) from terraform-aws-modules/feature-db-igw-public-access +- Reverted complete-example +- Added IGW route for DB subnets (based on [#179](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/179)) + + + +## [v1.48.0] - 2018-12-11 + +- Updated pre-commit version with new terraform-docs script + + + +## [v1.47.0] - 2018-12-11 + +- Merge pull request [#181](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/181) from Miyurz/fix/redshift-name-issue +- Fix for the error: module.vpc.aws_redshift_subnet_group.redshift: only lowercase alphanumeric characters and hyphens allowed in name + + + +## [v1.46.0] - 2018-10-06 + +- Fixed 
[#177](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/177) - public_subnets should not always be validated + + + +## [v1.45.0] - 2018-10-01 + +- Updated README.md after merge +- Added amazon_side_asn to vpn_gateway ([#159](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/159)) + + + +## [v1.44.0] - 2018-09-18 + +- Reordering tag merging ([#148](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/148)) + + + +## [v1.43.2] - 2018-09-17 + +- Updated link to cloudcraft + + + +## [v1.43.1] - 2018-09-17 + +- Updated link to cloudcraft + + + +## [v1.43.0] - 2018-09-16 + +- Removed comments starting from # to fix README +- Added cloudcraft.co as a sponsor for this module +- Added cloudcraft.co as a sponsor for this module + + + +## [v1.42.0] - 2018-09-14 + +- add vars for custom subnet and route table names ([#168](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/168)) + + + +## [v1.41.0] - 2018-09-04 + +- Add secondary CIDR block support ([#163](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/163)) + + + +## [v1.40.0] - 2018-08-19 + +- Removed IPv6 from outputs (fixed [#157](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/157)) ([#158](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/158)) + + + +## [v1.39.0] - 2018-08-19 + +- Add minimum support for IPv6 to VPC ([#156](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/156)) + + + +## [v1.38.0] - 2018-08-18 + +- Provide separate route tables for db/elasticache/redshift ([#155](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/155)) +- Fixing typo overriden -> overridden ([#150](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/150)) + + + +## [v1.37.0] - 2018-06-22 + +- Removed obsolete default_route_table_tags (fixed [#146](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/146)) + + + +## [v1.36.0] - 2018-06-20 + +- Allow tags override for 
all resources (fix for [#138](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/138)) ([#145](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/145)) + + + +## [v1.35.0] - 2018-06-20 + +- Updated README after [#141](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/141) +- Add `nat_gateway_tags` input ([#141](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/141)) + + + +## [v1.34.0] - 2018-06-05 + +- Fixed creation of aws_vpc_endpoint_route_table_association when intra_subnets are not set (fixes 137) + + + +## [v1.33.0] - 2018-06-04 + +- Added missing route_table for intra_subnets, and prepare the release +- Adding "intra subnets" as a class ([#135](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/135)) + + + +## [v1.32.0] - 2018-05-24 + +- Prepared release, updated README a bit +- Fix [#117](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/117) - Add `one_nat_gateway_per_az` functionality ([#129](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/129)) + + + +## [v1.31.0] - 2018-05-16 + +- Added pre-commit hook to autogenerate terraform-docs ([#127](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/127)) + + + +## [v1.30.0] - 2018-04-09 + +- Fixed formatting +- Added longer timeouts for aws_route create ([#113](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/113)) + + + +## [v1.29.0] - 2018-04-05 + +- Creates a single private route table when single_nat_gateway is true ([#83](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/83)) + + + +## [v1.28.0] - 2018-04-05 + +- Ensures the correct number of S3 and DDB VPC Endpoint associations ([#90](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/90)) + + + +## [v1.27.0] - 2018-04-05 + +- Removed aws_default_route_table and aws_main_route_table_association, added potentially failed example 
([#111](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/111)) + + + +## [v1.26.0] - 2018-03-06 + +- Added default CIDR block as 0.0.0.0/0 ([#93](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/93)) + + + +## [v1.25.0] - 2018-03-02 + +- Fixed complete example +- Make terraform recognize lists when uring variables ([#92](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/92)) + + + +## [v1.24.0-pre] - 2018-03-01 + +- Fixed description +- Fixed aws_vpn_gateway_route_propagation for default route table + + + +## [v1.23.0] - 2018-02-10 + +- Extended aws_vpn_gateway use case. ([#67](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/67)) + + + +## [v1.22.1] - 2018-02-10 + +- Removed classiclink from outputs because it is not present in recent regions ([#78](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/78)) + + + +## [v1.22.0] - 2018-02-09 + +- Added support for default VPC resource ([#75](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/75)) + + + +## [v1.21.0] - 2018-02-09 + +- Added possibility to create VPC conditionally ([#74](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/74)) + + + +## [v1.20.0] - 2018-02-09 + +- Manage Default Route Table under Terraform ([#69](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/69)) + + + +## [v1.19.0] - 2018-02-09 + +- Only create one public route association for s3 endpoint ([#73](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/73)) + + + +## [v1.18.0] - 2018-02-05 + +- Adding tests for vpc, subnets, and route tables ([#31](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/31)) +- Improve documentation about the usage of external NAT gateway IPs ([#66](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/66)) + + + +## [v1.17.0] - 2018-01-21 + +- Issue [#58](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/58): Add ElastiCache 
subnet group name output. ([#60](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/60)) + + + +## [v1.16.0] - 2018-01-21 + +- Terraform fmt +- Issue [#56](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/56): Added tags for elastic ips ([#61](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/61)) + + + +## [v1.15.0] - 2018-01-19 + +- Lowercase database subnet group name ([#57](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/57)) + + + +## [v1.14.0] - 2018-01-11 + +- Add Redshift subnets ([#54](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/54)) +- [ci skip] Get more Open Source Helpers ([#51](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/51)) + + + +## [v1.13.0] - 2018-01-03 + +- Ignore changes to propagating_vgws of private routing table ([#50](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/50)) + + + +## [v1.12.0] - 2017-12-12 + +- Downgraded require_version from 0.10.13 to 0.10.3 ([#48](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/48)) + + + +## [v1.11.0] - 2017-12-11 + +- Added fix for issue when no private subnets are defined ([#47](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/47)) + + + +## [v1.10.0] - 2017-12-11 + +- Fixing edge case when VPC is not symmetrical with few private subnets ([#45](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/45)) + + + +## [v1.9.1] - 2017-12-07 + +- Minor fix in README + + + +## [v1.9.0] - 2017-12-07 + +- Allow passing in EIPs for the NAT Gateways ([#38](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/38)) + + + +## [v1.8.0] - 2017-12-06 + +- change conditional private routes ([#36](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/36)) + + + +## [v1.7.0] - 2017-12-06 + +- Add extra tags for DHCP option set ([#42](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/42)) +- Add 
"default_route_table_id" to outputs ([#41](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/41)) + + + +## [v1.6.0] - 2017-12-06 + +- Add support for additional tags on VPC ([#43](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/43)) +- Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) +- Set enable_dns_support=true by default + + + +## [v1.4.1] - 2017-11-23 + +- Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) + + + +## [v1.5.0] - 2017-11-23 + + + + +## [v1.5.1] - 2017-11-23 + +- Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) +- Set enable_dns_support=true by default +- Updated descriptions for DNS variables (closes [#14](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/14)) + + + +## [v1.4.0] - 2017-11-22 + +- Add version requirements in README.md (fixes [#32](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/32)) +- Add version requirements in README.md + + + +## [v1.3.0] - 2017-11-16 + +- make sure outputs are always valid ([#29](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/29)) +- Add tags to the aws_vpc_dhcp_options resource ([#30](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/30)) + + + +## [v1.2.0] - 2017-11-11 + +- Add support for DHCP options set ([#20](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/20)) + + + +## [v1.1.0] - 2017-11-11 + +- [#22](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/22) add vpn gateway feature ([#24](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/24)) +- Add cidr_block outputs to public and private subnets ([#19](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/19)) +- Merge pull request [#13](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/13) from felixb/nat-gateway-tags +- 
Add AZ to natgateway name + + + +## [v1.0.4] - 2017-10-20 + +- Merge pull request [#12](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/12) from michalschott/master +- NAT gateway should be tagged too. + + + +## [v1.0.3] - 2017-10-12 + +- Make aws_vpc_endpoint_service conditional +- Merge pull request [#7](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/7) from eheydrick/variable-descriptions +- Improve variable descriptions + + + +## [v1.0.2] - 2017-09-27 + +- Merge pull request [#6](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/6) from mgresko/fix_govcloud +- disable dynamodb data source when not needed + + + +## [v1.0.1] - 2017-09-26 + +- Updated link in README +- Merge pull request [#3](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/3) from gas-buddy/gasbuddy/eherot/custom_route_tags +- Allow the user to define custom tags for route tables + + + +## v1.0.0 - 2017-09-12 + +- Updated README +- Updated README +- Aded examples and updated names +- Added descriptions, applied fmt +- Removed parts of readme +- Initial commit +- Initial commit + + +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.57.0...HEAD +[v1.57.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.56.0...v1.57.0 +[v1.56.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.55.0...v1.56.0 +[v1.55.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.54.0...v1.55.0 +[v1.54.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.53.0...v1.54.0 +[v1.53.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.52.0...v1.53.0 +[v1.52.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.51.0...v1.52.0 +[v1.51.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.50.0...v1.51.0 +[v1.50.0]: 
https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.49.0...v1.50.0 +[v1.49.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.48.0...v1.49.0 +[v1.48.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.47.0...v1.48.0 +[v1.47.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.46.0...v1.47.0 +[v1.46.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.45.0...v1.46.0 +[v1.45.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.44.0...v1.45.0 +[v1.44.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.43.2...v1.44.0 +[v1.43.2]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.43.1...v1.43.2 +[v1.43.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.43.0...v1.43.1 +[v1.43.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.42.0...v1.43.0 +[v1.42.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.41.0...v1.42.0 +[v1.41.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.40.0...v1.41.0 +[v1.40.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.39.0...v1.40.0 +[v1.39.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.38.0...v1.39.0 +[v1.38.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.37.0...v1.38.0 +[v1.37.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.36.0...v1.37.0 +[v1.36.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.35.0...v1.36.0 +[v1.35.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.34.0...v1.35.0 +[v1.34.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.33.0...v1.34.0 +[v1.33.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.32.0...v1.33.0 +[v1.32.0]: 
https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.31.0...v1.32.0 +[v1.31.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.30.0...v1.31.0 +[v1.30.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.29.0...v1.30.0 +[v1.29.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.28.0...v1.29.0 +[v1.28.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.27.0...v1.28.0 +[v1.27.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.26.0...v1.27.0 +[v1.26.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.25.0...v1.26.0 +[v1.25.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.24.0-pre...v1.25.0 +[v1.24.0-pre]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.23.0...v1.24.0-pre +[v1.23.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.22.1...v1.23.0 +[v1.22.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.22.0...v1.22.1 +[v1.22.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.21.0...v1.22.0 +[v1.21.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.20.0...v1.21.0 +[v1.20.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.19.0...v1.20.0 +[v1.19.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.18.0...v1.19.0 +[v1.18.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.17.0...v1.18.0 +[v1.17.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.16.0...v1.17.0 +[v1.16.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.15.0...v1.16.0 +[v1.15.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.14.0...v1.15.0 +[v1.14.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.13.0...v1.14.0 +[v1.13.0]: 
https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.12.0...v1.13.0 +[v1.12.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.11.0...v1.12.0 +[v1.11.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.10.0...v1.11.0 +[v1.10.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.9.1...v1.10.0 +[v1.9.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.9.0...v1.9.1 +[v1.9.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.8.0...v1.9.0 +[v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 +[v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 +[v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 +[v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 +[v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 +[v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 +[v1.1.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.0.4...v1.1.0 +[v1.0.4]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.0.3...v1.0.4 +[v1.0.3]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.0.2...v1.0.3 +[v1.0.2]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.0.1...v1.0.2 +[v1.0.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.0.0...v1.0.1 diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..558dac5a6 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,7 @@ +.PHONY: changelog release + +changelog: + git-chglog -o CHANGELOG.md --next-tag `semtag final -s minor -o` + +release: + semtag final -s minor From ad7164bbc82942475d57ffeda12331c5dc744684 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 21 Feb 2019 19:18:50 +0100 Subject: [PATCH 36/81] Bump version --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a5fe68bdc..40a4af6bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,9 @@ -## [v1.57.0] - 0001-01-01 +## [v1.57.0] - 2019-02-21 +- Added CHANGELOG.md ([#221](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/221)) From 2aca6d247e3c684661ef6c4986d15ff99c5350c1 Mon Sep 17 00:00:00 2001 From: tharun-allu Date: Fri, 1 Mar 2019 00:34:45 -0800 Subject: [PATCH 37/81] API gateway Endpoint (#225) --- README.md | 8 ++++-- examples/issue-224-vpcendpoint-apigw/main.tf | 30 ++++++++++++++++++++ main.tf | 22 ++++++++++++++ variables.tf | 20 +++++++++++++ 4 files changed, 77 insertions(+), 3 deletions(-) create mode 100644 examples/issue-224-vpcendpoint-apigw/main.tf diff --git a/README.md b/README.md index d50399d2f..8caa3c8b4 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR + * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
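Review bot: The `release` target does not list `changelog` as a prerequisite, so a tag can be cut (semtag final appears to create it) while CHANGELOG.md is still stale; `release: changelog` would tie the two together, or a comment should state the expected order. Both targets also shell out to `git-chglog` and `semtag` with no version check or documented install step, so a one-line comment such as `# requires git-chglog and semtag on PATH` would help the next maintainer.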
@@ -133,7 +133,7 @@ If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the mo By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options. If you need private subnets that should have no Internet routing (in the sense of [RFC1918 Category 1 subnets](https://tools.ietf.org/html/rfc1918)), `intra_subnets` should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services. - + Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received ([read more](https://docs.aws.amazon.com/lambda/latest/dg/vpc.html)), it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC. You can add additional tags with `intra_subnet_tags` as with other subnet types. 
@@ -238,6 +238,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no | +| enable\_apigw\_endpoint | Should be true if you want to provision a API Gateway endpoint to the VPC | string | `"false"` | no | | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | 
@@ -271,8 +272,10 @@ Terraform version 0.10.3 or newer is required for this module to work. | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no | +| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API Gateway endpoint | list | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no | +| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API Gateway endpoint | string | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | @@ -369,4 +372,3 @@ Module is maintained by [Anton Babenko](https://github.com/antonbabenko) with he ## License Apache 2 Licensed. See LICENSE for full details. - 
diff --git a/examples/issue-224-vpcendpoint-apigw/main.tf b/examples/issue-224-vpcendpoint-apigw/main.tf
new file mode 100644
index 000000000..252f885e7
--- /dev/null
+++ b/examples/issue-224-vpcendpoint-apigw/main.tf
@@ -0,0 +1,30 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_security_group" "default" {
+ name = "default"
+ vpc_id = "${module.vpc.vpc_id}"
+}
+
+module "vpc" {
+ source = "../../"
+
+ name = "complete-example"
+
+ cidr = "10.15.0.0/16"
+
+ azs = ["us-east-1a"]
+ private_subnets = ["10.15.1.0/24"]
+
+ # VPC endpoint for API gateway
+ enable_apigw_endpoint = true
+ apigw_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]
+ apigw_endpoint_private_dns_enabled = true
+
+ tags = {
+ Owner = "user"
+ Environment = "test"
+ Name = "test-224"
+ }
+}
diff --git a/main.tf b/main.tf
index fce2925fa..85f98c7e3 100644
--- a/main.tf
+++ b/main.tf
@@ -530,6 +530,28 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
 private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
 }
 
+#######################
+# VPC Endpoint for API Gateway
+#######################
+data "aws_vpc_endpoint_service" "apigw" {
+ count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}"
+
+ service = "execute-api"
+}
+
+resource "aws_vpc_endpoint" "apigw" {
+ count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.apigw_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}"
+}
+
+
 ##########################
 # Route table association
 ##########################
diff --git a/variables.tf b/variables.tf
index b052c6448..6103b3d9d 100644
--- a/variables.tf
+++ b/variables.tf
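Review bot: The example attaches the VPC's default security group (`data "aws_security_group" "default"`) to the interface endpoint, which only admits traffic from resources that are themselves in that group and, because the group is shared with everything else that lands in it, is hard to audit later. Since examples tend to be copied verbatim, a dedicated `aws_security_group` with a single ingress rule for TCP 443 from the VPC CIDR (`10.15.0.0/16` here) would be the safer pattern to demonstrate, with a comment saying why the default group is not used.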
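Review bot: `aws_vpc_endpoint.apigw` exposes no `policy` argument, so the execute-api endpoint is created with the AWS default endpoint policy that lets any principal reach any API through it; an optional variable passed as `policy = "${var.apigw_endpoint_policy}"` would let callers scope it down in the same way the other endpoint options are exposed. Two behaviours deserve a comment on the resource: per the aws_vpc_endpoint provider docs, an empty `security_group_ids` list falls back to the VPC default security group, and enabling private DNS for execute-api has historically made public Regional/edge-optimized API hostnames resolve to this endpoint from inside the VPC, so public APIs may stop being reachable there. The `count` on the data source is referenced without an index on the resource, which matches the existing endpoint blocks in this file, so that is fine for the Terraform version in use.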
@@ -208,6 +208,26 @@ variable "enable_ssmmessages_endpoint" { default = false } +variable "enable_apigw_endpoint" { + description = "Should be true if you want to provision an api gateway endpoint to the VPC" + default = false +} + +variable "apigw_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for API GW endpoint" + default = [] +} + +variable "apigw_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint" + default = false +} + +variable "apigw_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + variable "ssmmessages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" default = [] From 417c3018b4419c98e0d1c21048a7077199245c93 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 1 Mar 2019 09:36:12 +0100 Subject: [PATCH 38/81] Updated changelog --- CHANGELOG.md | 24 ++++++++++++++++-------- README.md | 8 +++++--- main.tf | 1 - 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40a4af6bd..6b2cbfd54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,16 @@ + +## [v1.58.0] - 2019-03-01 + +- API gateway Endpoint ([#225](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/225)) + + ## [v1.57.0] - 2019-02-21 +- Bump version - Added CHANGELOG.md ([#221](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/221)) 
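Review bot: The description of `apigw_endpoint_security_group_ids` does not say what happens when the list is left at its default `[]`, which for an interface endpoint means the VPC default security group gets associated; suggest `description = "The ID of one or more security groups to associate with the network interface for API GW endpoint. If omitted, the VPC default security group is used."`. The `enable_apigw_endpoint` description reads `an api gateway endpoint` while the sibling descriptions in this hunk spell it `API GW` and the README row spells it `API Gateway`, so the casing should be aligned before terraform-docs regenerates the table.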
@@ -378,13 +385,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -462,7 +469,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.57.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.58.0...HEAD +[v1.58.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.57.0...v1.58.0 [v1.57.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.56.0...v1.57.0 [v1.56.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.55.0...v1.56.0 [v1.55.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.54.0...v1.55.0 
@@ -519,9 +527,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 diff --git a/README.md b/README.md index 8caa3c8b4..afc2b474d 100644 --- a/README.md +++ b/README.md 
@@ -182,6 +182,9 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no | +| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | string | `"false"` | no | +| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list | `[]` | no | +| apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `"false"` | no | | azs | A list of availability zones in the region | list | `[]` | no | | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | 
@@ -226,6 +229,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | | elasticache\_subnets | A list of elasticache subnets | list | `[]` | no | +| enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | string | `"false"` | no | | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no | | enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no | | enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no | 
@@ -238,12 +242,12 @@ Terraform version 0.10.3 or newer is required for this module to work. | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no | -| enable\_apigw\_endpoint | Should be true if you want to provision a API Gateway endpoint to the VPC | string | `"false"` | no | | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | | intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no | +| intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | | manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | 
@@ -272,10 +276,8 @@ Terraform version 0.10.3 or newer is required for this module to work. | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no | -| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API Gateway endpoint | list | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no | -| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API Gateway endpoint | string | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | diff --git a/main.tf b/main.tf index 85f98c7e3..be59a2788 100644 --- a/main.tf +++ b/main.tf 
@@ -551,7 +551,6 @@ resource "aws_vpc_endpoint" "apigw" { private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" } - ########################## # Route table association ########################## From 7a52ef6eea2335420fe1646cfafd31831761d1c3 Mon Sep 17 00:00:00 2001 From: Kyle <1kylecameron@gmail.com> Date: Sat, 2 Mar 2019 07:39:03 -0500 Subject: [PATCH 39/81] docs: Update comment in docs (#226) --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index be59a2788..a84b737e1 100644 --- a/main.tf +++ b/main.tf @@ -94,7 +94,7 @@ resource "aws_route" "public_internet_gateway" { ################# # Private routes -# There are so many routing tables as the largest amount of subnets of each type (really?) +# There are as many routing tables as the number of NAT gateways ################# resource "aws_route_table" "private" { count = "${var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0}" From 9b859ff5ac69e4318b476dd2d413e93a179d6ee5 Mon Sep 17 00:00:00 2001 From: bmihaescu Date: Tue, 5 Mar 2019 13:09:13 +0200 Subject: [PATCH 40/81] Redshift public subnets (#222) * add public subnet for redshift to enable access for kinesis * fix redshift subnet group name * fix redshift public association * add public redshift to documentation * fix doc typo * update code after review --- README.md | 9 +++++++++ main.tf | 9 ++++++++- variables.tf | 5 +++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index afc2b474d..53b4b68d6 100644 --- a/README.md +++ b/README.md 
@@ -165,6 +165,14 @@ Sometimes it is handy to have public access to RDS instances (it is not recommen enable_dns_support = true ``` +## Public access to Redshift cluster + +Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments: + +```hcl + enable_public_redshift = true # <= Default it will be placed into private subnet route table +``` + ## Terraform version Terraform version 0.10.3 or newer is required for this module to work. @@ -271,6 +279,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no | | redshift\_subnets | A list of redshift subnets | list | `[]` | no | +| enable\_public\_redshift | Should be true if you want Redshift cluster to be placed into public subnet route table | string | `"false"` | no | | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | diff --git a/main.tf b/main.tf index a84b737e1..00da5959c 100644 --- a/main.tf +++ b/main.tf 
@@ -569,12 +569,19 @@ resource "aws_route_table_association" "database" { } resource "aws_route_table_association" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" + count = "${var.enable_public_redshift == false && var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" } +resource "aws_route_table_association" "redshift_public" { + count = "${var.enable_public_redshift && var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" + + subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" + route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" +} + resource "aws_route_table_association" "elasticache" { count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" diff --git a/variables.tf b/variables.tf index 6103b3d9d..2cde7136d 100644 --- a/variables.tf +++ b/variables.tf @@ -102,6 +102,11 @@ variable "create_redshift_subnet_route_table" { default = false } +variable "enable_public_redshift" { + description = "Controls if redshift should have public routing table" + default = false +} + variable "create_elasticache_subnet_route_table" { description = "Controls if separate route table for elasticache should be created" default = false From b4aa52c565a18e2d7a110168e3cd0dfabd554a1a Mon Sep 17 00:00:00 2001 From: bmihaescu Date: Tue, 5 Mar 2019 13:09:13 +0200 Subject: [PATCH 41/81] Redshift public subnets (#222) --- README.md | 5 +++++ main.tf | 8 ++++++++ 2 files changed, 13 insertions(+) 
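Review bot: In the new `redshift_public` association the `route_table_id` expression still prefers `aws_route_table.redshift.*.id` through `coalescelist`, so with `create_redshift_subnet_route_table = true` the subnets land on the dedicated Redshift table (which the sibling `redshift` association routes privately) and `enable_public_redshift` silently has no effect; since the flag exists precisely to select the public table, `route_table_id = "${element(aws_route_table.public.*.id, count.index)}"` states the intent and drops the unrelated `single_nat_gateway` test (presumably one public route table exists and `element` wraps, so `count.index` is safe). Selecting the public table places the Redshift subnets behind the internet-gateway route that `aws_route.public_internet_gateway` installs, which is the whole exposure this flag adds, so the variables.tf hunk's description should say so rather than only "public routing table", e.g. `description = "Controls if redshift subnets use the public route table (internet-gateway route; only security groups then restrict access to the cluster)"`. If no public subnets exist, the `coalescelist` fallback sees two empty lists and fails at plan time with an unhelpful error; noting in the description that public subnets are required would make that failure easier to understand.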
diff --git a/README.md b/README.md index 53b4b68d6..ed75dced6 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,11 @@ Sometimes it is handy to have public access to RDS instances (it is not recommen Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments: ```hcl +<<<<<<< HEAD enable_public_redshift = true # <= Default it will be placed into private subnet route table +======= + enable_public_redshift = true # <= By default Redshift subnets will be associated with the private route table +>>>>>>> Redshift public subnets (#222) ``` ## Terraform version @@ -247,6 +251,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | string | `"false"` | no | | enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | string | `"false"` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | +| enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no | diff --git a/main.tf b/main.tf index 00da5959c..47ff4584b 100644 --- a/main.tf +++ b/main.tf 
@@ -569,14 +569,22 @@ resource "aws_route_table_association" "database" { } resource "aws_route_table_association" "redshift" { +<<<<<<< HEAD count = "${var.enable_public_redshift == false && var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" +======= + count = "${var.create_vpc && length(var.redshift_subnets) > 0 && !var.enable_public_redshift ? length(var.redshift_subnets) : 0}" +>>>>>>> Redshift public subnets (#222) subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" } resource "aws_route_table_association" "redshift_public" { +<<<<<<< HEAD count = "${var.enable_public_redshift && var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" +======= + count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0}" +>>>>>>> Redshift public subnets (#222) subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" From cffc6ea2af4646102c83c3b60df04ed1c3e11c89 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Tue, 5 Mar 2019 12:17:54 +0100 Subject: [PATCH 42/81] Resolved conflicts after merge --- README.md | 5 ----- main.tf | 8 -------- 2 files changed, 13 deletions(-) diff --git a/README.md b/README.md index ed75dced6..c5f7f2175 100644 --- a/README.md +++ b/README.md 
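Review bot: This hunk checks in unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> Redshift public subnets (#222)`) inside both the `redshift` and `redshift_public` associations, so main.tf at this revision is not parseable Terraform; the README hunk above carries the same markers. The next commit (cffc6ea2) removes them and keeps the `!var.enable_public_redshift` form, so the breakage is confined to this revision, but squashing the two would avoid an unbuildable point in history.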
@@ -170,11 +170,7 @@ Sometimes it is handy to have public access to RDS instances (it is not recommen Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments: ```hcl -<<<<<<< HEAD - enable_public_redshift = true # <= Default it will be placed into private subnet route table -======= enable_public_redshift = true # <= By default Redshift subnets will be associated with the private route table ->>>>>>> Redshift public subnets (#222) ``` ## Terraform version @@ -284,7 +280,6 @@ Terraform version 0.10.3 or newer is required for this module to work. | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no | | redshift\_subnets | A list of redshift subnets | list | `[]` | no | -| enable\_public\_redshift | Should be true if you want Redshift cluster to be placed into public subnet route table | string | `"false"` | no | | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | diff --git a/main.tf b/main.tf index 47ff4584b..1013fd594 100644 --- a/main.tf +++ b/main.tf 
@@ -569,22 +569,14 @@ resource "aws_route_table_association" "database" { } resource "aws_route_table_association" "redshift" { -<<<<<<< HEAD - count = "${var.enable_public_redshift == false && var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" -======= count = "${var.create_vpc && length(var.redshift_subnets) > 0 && !var.enable_public_redshift ? length(var.redshift_subnets) : 0}" ->>>>>>> Redshift public subnets (#222) subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" } resource "aws_route_table_association" "redshift_public" { -<<<<<<< HEAD - count = "${var.enable_public_redshift && var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" -======= count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0}" ->>>>>>> Redshift public subnets (#222) subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" From b5b23cdd5b52a0ab29018c4ecb27e722648e0d62 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Tue, 5 Mar 2019 12:20:21 +0100 Subject: [PATCH 43/81] Updated changelog --- CHANGELOG.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b2cbfd54..7f38596d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,9 +3,17 @@ + +## [v1.59.0] - 2019-03-05 + +- Redshift public subnets ([#222](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/222)) +- docs: Update comment in docs ([#226](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/226)) + + ## [v1.58.0] - 2019-03-01 +- Updated changelog - API gateway Endpoint ([#225](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/225)) @@ -469,7 +477,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.58.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.59.0...HEAD +[v1.59.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.58.0...v1.59.0 [v1.58.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.57.0...v1.58.0 [v1.57.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.56.0...v1.57.0 [v1.56.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.55.0...v1.56.0 From 65b893a6d8aff32b42a87a1838647c8dd6632bf4 Mon Sep 17 00:00:00 2001 
From: Anton Babenko Date: Fri, 22 Mar 2019 14:40:44 +0100 Subject: [PATCH 44/81] Network ACLs (#238) * Add variables for network ACLs Add variables for specifying network ACLs for public, private, and intra subnets. The ACLs are defined in a list, with sets of seven elements for the rule number, rule action, from port, to port, protocol, and cidr block. * Add variables for network ACL tags Add variables to specify additional tags for public, private, and intra network ACL resources. * Add resources for network ACLs Add aws_network_acl and aws_network_acl_rule resources to specify inbound and outbound network ACL rules for public, private, and intra subnets. * Add resource for default network ACL Add a aws_default_network_acl resource to adopt the default network ACL in the VPC. * Adjust spacing to match code style Remove the empty lines after comment blocks for network ACLs to match the style of the rest of this module. * Copy simple-vpc example as network-acls Copy the simple-vpc example and adapt it to demonstrate the configuration of network ACLs. A set of inbound and outbound ACLs are specified in main.tf. * Rename variables from _acls to _acl_rules Clarify the variables for specifying ACL rules by renaming them from *_acls to *_acl_rules. The values are used to create rules, not create ACLs. * Add nacl resources and variables for other subnets Add aws_network_acl and aws_network_acl_rule resources for database, redshift, and elasticache subnets, along with corresponding variables. This provides network ACL coverage to all subnet types produced by this module. * Create ACLs only if there are subnets For each subnet type, only create ACL resources if there are subnets defined. For example, if database_subnets is empty, then don't create ACL resources for database subnets. * Add missing variables for ACL tags Add the missing variable declarations for database_acl_tags, redshift_acl_tags, and elasticache_acl_tags. 
* Make ACL singular in description for _acl_tags A single ACL is created for each of the subnet types. Update the variable descriptions to reflect this. * Convert rules to nested list of maps Convert the NACL rule specifications from a list of lists to a list of maps, as suggested by @jczerniak. This improves the readability of rules. * Restructure example config to use locals Restructure the network ACL rules in the network-acls example to use local variables to specify the rules, split between default and custom rules. * Follow-up for #174 --- README.md | 46 +++++ examples/network-acls/README.md | 39 ++++ examples/network-acls/main.tf | 136 ++++++++++++++ examples/network-acls/outputs.tf | 54 ++++++ main.tf | 258 ++++++++++++++++++++++++++ outputs.tf | 30 ++++ variables.tf | 299 +++++++++++++++++++++++++++++++ 7 files changed, 862 insertions(+) create mode 100644 examples/network-acls/README.md create mode 100644 examples/network-acls/main.tf create mode 100644 examples/network-acls/outputs.tf diff --git a/README.md b/README.md index c5f7f2175..1f1663a7c 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ These types of resources are supported: * [Route](https://www.terraform.io/docs/providers/aws/r/route.html) * [Route table](https://www.terraform.io/docs/providers/aws/r/route_table.html) * [Internet Gateway](https://www.terraform.io/docs/providers/aws/r/internet_gateway.html) +* [Network ACL](https://www.terraform.io/docs/providers/aws/r/network_acl.html) * [NAT Gateway](https://www.terraform.io/docs/providers/aws/r/nat_gateway.html) * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): 
@@ -21,6 +22,7 @@ These types of resources are supported: * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) * [DHCP Options Set](https://www.terraform.io/docs/providers/aws/r/vpc_dhcp_options.html) * [Default VPC](https://www.terraform.io/docs/providers/aws/r/default_vpc.html) +* [Default Network ACL](https://www.terraform.io/docs/providers/aws/r/default_network_acl.html) Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co/?utm_source=terraform-aws-vpc) @@ -165,6 +167,14 @@ Sometimes it is handy to have public access to RDS instances (it is not recommen enable_dns_support = true ``` +## Network Access Control Lists (ACL or NACL) + +This module can manage network ACL and rules. Once VPC is created, AWS creates the default network ACL, which can be controlled using this module (`manage_default_network_acl = true`). + +Also, each type of subnet may have its own network ACL with custom rules per subnet. Eg, set `public_dedicated_network_acl = true` to use dedicated network ACL for the public subnets; set values of `public_inbound_acl_rules` and `public_outbound_acl_rules` to specify all the NACL rules you need to have on public subnets (see `variables.tf` for default values and structures). + +By default, all subnets are associated with the default network ACL. + ## Public access to Redshift cluster Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments: 
@@ -182,6 +192,7 @@ Terraform version 0.10.3 or newer is required for this module to work. * [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) * [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) * [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc) +* [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls) * Few tests and edge cases examples: [#46](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-46-no-private-subnets), [#44](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-44-asymmetric-private-subnets), [#108](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-108-route-already-exists) 
@@ -205,11 +216,19 @@ Terraform version 0.10.3 or newer is required for this module to work. | create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `"true"` | no | | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `"false"` | no | | create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `"true"` | no | +| database\_acl\_tags | Additional tags for the database subnets network ACL | map | `{}` | no | +| database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | string | `"false"` | no | +| database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| database\_outbound\_acl\_rules | Database subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | | database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no | | database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no | | database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no | | database\_subnets | A list of database subnets | list | `[]` | no | +| default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | list | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | +| default\_network\_acl\_ingress | List of 
maps of ingress rules to set on the Default Network ACL | list | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | +| default\_network\_acl\_name | Name to be used on the Default Network ACL | string | `""` | no | +| default\_network\_acl\_tags | Additional tags for the Default Network ACL | map | `{}` | no | | default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `"false"` | no | | default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `"false"` | no | | default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | 
@@ -233,6 +252,10 @@ Terraform version 0.10.3 or newer is required for this module to work. | ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | string | `"false"` | no | | ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list | `[]` | no | | ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list | `[]` | no | +| elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map | `{}` | no | +| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | string | `"false"` | no | +| elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| elasticache\_outbound\_acl\_rules | Elasticache subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no | | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | 
@@ -255,26 +278,43 @@ Terraform version 0.10.3 or newer is required for this module to work. | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | +| intra\_acl\_tags | Additional tags for the intra subnets network ACL | map | `{}` | no | +| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | string | `"false"` | no | +| intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no | | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | +| manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | string | `"false"` | no | | manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | | map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no | | name | Name to be used on all the resources as identifier | string | `""` | no | | nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no | | nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no | | 
one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `"false"` | no | +| private\_acl\_tags | Additional tags for the private subnets network ACL | map | `{}` | no | +| private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | string | `"false"` | no | +| private\_inbound\_acl\_rules | Private subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| private\_outbound\_acl\_rules | Private subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no | | private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no | | private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no | | private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | | propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | | propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | +| public\_acl\_tags | Additional tags for the public subnets network ACL | map | `{}` | no | +| public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | string | `"false"` | no | +| public\_inbound\_acl\_rules | Public subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", 
"rule_number": 100, "to_port": 0 } ]` | no | +| public\_outbound\_acl\_rules | Public subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no | | public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no | | public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no | | public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | +| redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | map | `{}` | no | +| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | string | `"false"` | no | +| redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| redshift\_outbound\_acl\_rules | Redshift subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no | | redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no | | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | 
@@ -299,6 +339,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | |------|-------------| | azs | A list of availability zones specified as argument to this module | +| database\_network\_acl\_id | ID of the database network ACL | | database\_route\_table\_ids | List of IDs of database route tables | | database\_subnet\_group | ID of database subnet group | | database\_subnets | List of IDs of database subnets | 
@@ -315,24 +356,29 @@ Terraform version 0.10.3 or newer is required for this module to work. | default\_vpc\_id | The ID of the VPC | | default\_vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | default\_vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | +| elasticache\_network\_acl\_id | ID of the elasticache network ACL | | elasticache\_route\_table\_ids | List of IDs of elasticache route tables | | elasticache\_subnet\_group | ID of elasticache subnet group | | elasticache\_subnet\_group\_name | Name of elasticache subnet group | | elasticache\_subnets | List of IDs of elasticache subnets | | elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets | | igw\_id | The ID of the Internet Gateway | +| intra\_network\_acl\_id | ID of the intra network ACL | | intra\_route\_table\_ids | List of IDs of intra route tables | | intra\_subnets | List of IDs of intra subnets | | intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets | | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | | natgw\_ids | List of NAT Gateway IDs | +| private\_network\_acl\_id | ID of the private network ACL | | private\_route\_table\_ids | List of IDs of private route tables | | private\_subnets | List of IDs of private subnets | | private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets | +| public\_network\_acl\_id | ID of the public network ACL | | public\_route\_table\_ids | List of IDs of public route tables | | public\_subnets | List of IDs of public subnets | | public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets | +| redshift\_network\_acl\_id | ID of the redshift network ACL | | redshift\_route\_table\_ids | List of IDs of redshift route tables | | redshift\_subnet\_group | ID of redshift subnet group | | redshift\_subnets | List of IDs of redshift subnets | 
diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md new file mode 100644 index 000000000..79305c7cd --- /dev/null +++ b/examples/network-acls/README.md @@ -0,0 +1,39 @@ +# Simple VPC with Network ACLs + +Configuration in this directory creates set of VPC resources along with network ACLs for public subnets. + +There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones. + +Network ACL rules for inbound and outbound traffic are defined as the following: +1. Public subnets will have network ACL rules provided +1. Private subnets will be associated with the default network ACL rules (IPV4-only ingress and egress is open for all) +1. Elasticache subnets will use the default network ACL (created and managed by AWS) + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. + + +## Outputs + +| Name | Description | +|------|-------------| +| default\_network\_acl\_id | The ID of the default network ACL | +| elasticache\_network\_acl\_id | ID of the elasticache network ACL | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_network\_acl\_id | ID of the private network ACL | +| private\_subnets | List of IDs of private subnets | +| public\_network\_acl\_id | ID of the public network ACL | +| public\_subnets | List of IDs of public subnets | +| vpc\_cidr\_block | The CIDR block of the VPC | +| vpc\_id | The ID of the VPC | + + diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf new file mode 100644 index 000000000..0e3f6a29c --- /dev/null +++ b/examples/network-acls/main.tf 
@@ -0,0 +1,136 @@
+provider "aws" {
+ region = "eu-west-1"
+}
+
+module "vpc" {
+ source = "../../"
+
+ name = "network-acls-example"
+
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+ elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
+
+ public_dedicated_network_acl = true
+ public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
+ public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+
+ private_dedicated_network_acl = true
+
+ assign_generated_ipv6_cidr_block = true
+
+ enable_nat_gateway = false
+ single_nat_gateway = true
+
+ public_subnet_tags = {
+ Name = "overridden-name-public"
+ }
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+
+ vpc_tags = {
+ Name = "vpc-name"
+ }
+}
+
+locals {
+ network_acls = {
+ default_inbound = [
+ {
+ rule_number = 900
+ rule_action = "allow"
+ from_port = 1024
+ to_port = 65535
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+
+ default_outbound = [
+ {
+ rule_number = 900
+ rule_action = "allow"
+ from_port = 32768
+ to_port = 65535
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+
+ public_inbound = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 110
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 120
+ rule_action = "allow"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 130
+ rule_action = "allow"
+ from_port = 3389
+ to_port = 3389
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+
+ public_outbound = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 110
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 120
+ rule_action = "allow"
+ from_port = 1433
+ to_port = 1433
+ protocol = "tcp"
+ cidr_block = "10.0.100.0/22"
+ },
+ {
+ rule_number = 130
+ rule_action = "allow"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_block = "10.0.100.0/22"
+ },
+ ]
+ }
+}
diff --git a/examples/network-acls/outputs.tf b/examples/network-acls/outputs.tf
new file mode 100644
index 000000000..535d5f43e
--- /dev/null
+++ b/examples/network-acls/outputs.tf
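Review bot: Rules 120 and 130 in `public_inbound` allow TCP 22 and 3389 from `0.0.0.0/0`, so the example's public subnets admit SSH and RDP from the whole Internet at the ACL layer, and examples like this tend to be copied verbatim; narrowing both to an administrative range (`cidr_block = "203.0.113.0/24" # replace with your admin CIDR`) or dropping them keeps the example from normalising world-open management ports. The module call also sets `assign_generated_ipv6_cidr_block = true`, yet every rule in `locals.network_acls` carries only `cidr_block`, so IPv6 traffic to the public subnets falls through to the dedicated ACL's implicit deny; if that is intended it deserves a comment such as `# rules are IPv4-only: IPv6 traffic to the public subnets is dropped by the implicit deny`. A why-comment on rule 900 in `default_inbound`/`default_outbound`, e.g. `# network ACLs are stateless: ephemeral ports must be open for return traffic`, would stop the wide 1024-65535 range from reading like an oversight. Finally, `public_outbound` rule 120 permits 1433 only to `10.0.100.0/22`, which covers the public subnets themselves (`10.0.101.0/24`-`10.0.103.0/24`) rather than the private ranges, so it is worth confirming which subnets a database in this example was meant to live in.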
@@ -0,0 +1,54 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = "${module.vpc.vpc_id}"
+}
+
+# CIDR blocks
+output "vpc_cidr_block" {
+ description = "The CIDR block of the VPC"
+ value = ["${module.vpc.vpc_cidr_block}"]
+}
+
+//output "vpc_ipv6_cidr_block" {
+// description = "The IPv6 CIDR block"
+// value = ["${module.vpc.vpc_ipv6_cidr_block}"]
+//}
+
+# Subnets
+output "private_subnets" {
+ description = "List of IDs of private subnets"
+ value = ["${module.vpc.private_subnets}"]
+}
+
+output "public_subnets" {
+ description = "List of IDs of public subnets"
+ value = ["${module.vpc.public_subnets}"]
+}
+
+# NAT gateways
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = ["${module.vpc.nat_public_ips}"]
+}
+
+# Network ACLs
+output "public_network_acl_id" {
+ description = "ID of the public network ACL"
+ value = "${module.vpc.public_network_acl_id}"
+}
+
+output "private_network_acl_id" {
+ description = "ID of the private network ACL"
+ value = "${module.vpc.private_network_acl_id}"
+}
+
+output "elasticache_network_acl_id" {
+ description = "ID of the elasticache network ACL"
+ value = "${module.vpc.elasticache_network_acl_id}"
+}
+
+output "default_network_acl_id" {
+ description = "The ID of the default network ACL"
+ value = "${module.vpc.default_network_acl_id}"
+}
diff --git a/main.tf b/main.tf
index 1013fd594..28fd09de4 100644
--- a/main.tf
+++ b/main.tf
@@ -284,6 +284,264 @@ resource "aws_subnet" "intra" {
 tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}"
 }
 
+#######################
+# Default Network ACLs
+#######################
+resource "aws_default_network_acl" "this" {
+ count = "${var.create_vpc && var.manage_default_network_acl ? 1 : 0}"
+
+ default_network_acl_id = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}"
+
+ ingress = "${var.default_network_acl_ingress}"
+ egress = "${var.default_network_acl_egress}"
+
+ tags = "${merge(map("Name", format("%s", var.default_network_acl_name)), var.tags, var.default_network_acl_tags)}"
+
+ lifecycle {
+ ignore_changes = ["subnet_ids"]
+ }
+}
+
+########################
+# Public Network ACLs
+########################
+resource "aws_network_acl" "public" {
+ count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0}"
+
+ vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ subnet_ids = ["${aws_subnet.public.*.id}"]
+
+ tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_acl_tags)}"
+}
+
+resource "aws_network_acl_rule" "public_inbound" {
+ count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.public.id}"
+
+ egress = false
+ rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}"
+}
+
+resource "aws_network_acl_rule" "public_outbound" {
+ count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.public.id}"
+
+ egress = true
+ rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}"
+}
+
+#######################
+# Private Network ACLs
+#######################
+resource "aws_network_acl" "private" {
+ count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0}"
+
+ vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ subnet_ids = ["${aws_subnet.private.*.id}"]
+
+ tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}", var.name)), var.tags, var.private_acl_tags)}"
+}
+
+resource "aws_network_acl_rule" "private_inbound" {
+ count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.private.id}"
+
+ egress = false
+ rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}"
+}
+
+resource "aws_network_acl_rule" "private_outbound" {
+ count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.private.id}"
+
+ egress = true
+ rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}"
+}
+
+########################
+# Intra Network ACLs
+########################
+resource "aws_network_acl" "intra" {
+ count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0}"
+
+ vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ subnet_ids = ["${aws_subnet.intra.*.id}"]
+
+ tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}", var.name)), var.tags, var.intra_acl_tags)}"
+}
+
+resource "aws_network_acl_rule" "intra_inbound" {
+ count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.intra.id}"
+
+ egress = false
+ rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}"
+}
+
+resource "aws_network_acl_rule" "intra_outbound" {
+ count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.intra.id}"
+
+ egress = true
+ rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}"
+}
+
+########################
+# Database Network ACLs
+########################
+resource "aws_network_acl" "database" {
+ count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0}"
+
+ vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ subnet_ids = ["${aws_subnet.database.*.id}"]
+
+ tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}", var.name)), var.tags, var.database_acl_tags)}"
+}
+
+resource "aws_network_acl_rule" "database_inbound" {
+ count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.database.id}"
+
+ egress = false
+ rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}"
+}
+
+resource "aws_network_acl_rule" "database_outbound" {
+ count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.database.id}"
+
+ egress = true
+ rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}"
+}
+
+########################
+# Redshift Network ACLs
+########################
+resource "aws_network_acl" "redshift" {
+ count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0}"
+
+ vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ subnet_ids = ["${aws_subnet.redshift.*.id}"]
+
+ tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}", var.name)), var.tags, var.redshift_acl_tags)}"
+}
+
+resource "aws_network_acl_rule" "redshift_inbound" {
+ count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.redshift.id}"
+
+ egress = false
+ rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}"
+}
+
+resource "aws_network_acl_rule" "redshift_outbound" {
+ count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.redshift.id}"
+
+ egress = true
+ rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}"
+}
+
+###########################
+# Elasticache Network ACLs
+###########################
+resource "aws_network_acl" "elasticache" {
+ count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0}"
+
+ vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ subnet_ids = ["${aws_subnet.elasticache.*.id}"]
+
+ tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}", var.name)), var.tags, var.elasticache_acl_tags)}"
+}
+
+resource "aws_network_acl_rule" "elasticache_inbound" {
+ count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.elasticache.id}"
+
+ egress = false
+ rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}"
+}
+
+resource "aws_network_acl_rule" "elasticache_outbound" {
+ count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0}"
+
+ network_acl_id = "${aws_network_acl.elasticache.id}"
+
+ egress = true
+ rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}"
+ rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}"
+ from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}"
+ to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}"
+ protocol = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}"
+ cidr_block = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}"
+}
+
 ##############
 # NAT Gateway
 ##############
diff --git a/outputs.tf b/outputs.tf
index 277706622..d885ce35e 100644
--- a/outputs.tf
+++ b/outputs.tf
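Review bot: Every `aws_network_acl_rule` in this hunk reads only `cidr_block` from its rule map, so a dedicated ACL cannot express an IPv6 rule at all, while `aws_default_network_acl.this` a few lines up accepts `ipv6_cidr_block` through its inline `ingress`/`egress`; on a VPC with `assign_generated_ipv6_cidr_block`, any subnet group switched to a dedicated ACL therefore loses IPv6 connectivity to the ACL's implicit final deny, which is fail-closed but undocumented. Reading the key optionally would close the gap, e.g. `cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block", "")}"` and `ipv6_cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", "")}"`, repeated in the twelve rule resources — provided the provider treats an empty string as unset on this Terraform 0.11 code path, which should be confirmed before relying on it. A short header comment on the first ACL section would also help operators reason about what they are configuring, e.g. `# Network ACLs are stateless and evaluate rules in rule_number order (first match wins); unmatched traffic hits the implicit deny, so ephemeral return ports must be allowed explicitly.` The `lifecycle { ignore_changes = ["subnet_ids"] }` on the default ACL presumably exists because AWS moves a subnet off the default ACL when a dedicated one claims it, and a one-line comment saying so would save the next reader from removing it.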
@@ -258,6 +258,36 @@ output "default_vpc_main_route_table_id" {
 // value = "${element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)}"
 //}
 
+output "public_network_acl_id" {
+ description = "ID of the public network ACL"
+ value = "${element(concat(aws_network_acl.public.*.id, list("")), 0)}"
+}
+
+output "private_network_acl_id" {
+ description = "ID of the private network ACL"
+ value = "${element(concat(aws_network_acl.private.*.id, list("")), 0)}"
+}
+
+output "intra_network_acl_id" {
+ description = "ID of the intra network ACL"
+ value = "${element(concat(aws_network_acl.intra.*.id, list("")), 0)}"
+}
+
+output "database_network_acl_id" {
+ description = "ID of the database network ACL"
+ value = "${element(concat(aws_network_acl.database.*.id, list("")), 0)}"
+}
+
+output "redshift_network_acl_id" {
+ description = "ID of the redshift network ACL"
+ value = "${element(concat(aws_network_acl.redshift.*.id, list("")), 0)}"
+}
+
+output "elasticache_network_acl_id" {
+ description = "ID of the elasticache network ACL"
+ value = "${element(concat(aws_network_acl.elasticache.*.id, list("")), 0)}"
+}
+
 # VPC Endpoints
 output "vpc_endpoint_s3_id" {
 description = "The ID of VPC endpoint for S3"
diff --git a/variables.tf b/variables.tf
index 2cde7136d..9d6911bb6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -443,6 +443,36 @@ variable "intra_subnet_tags" {
 default = {}
 }
 
+variable "public_acl_tags" {
+ description = "Additional tags for the public subnets network ACL"
+ default = {}
+}
+
+variable "private_acl_tags" {
+ description = "Additional tags for the private subnets network ACL"
+ default = {}
+}
+
+variable "intra_acl_tags" {
+ description = "Additional tags for the intra subnets network ACL"
+ default = {}
+}
+
+variable "database_acl_tags" {
+ description = "Additional tags for the database subnets network ACL"
+ default = {}
+}
+
+variable "redshift_acl_tags" {
+ description = "Additional tags for the redshift subnets network ACL"
+ default = {}
+}
+
+variable "elasticache_acl_tags" {
+ description = "Additional tags for the elasticache subnets network ACL"
+ default = {}
+}
+
 variable "dhcp_options_tags" {
 description = "Additional tags for the DHCP option set"
 default = {}
@@ -525,3 +555,272 @@ variable "default_vpc_tags" {
 description = "Additional tags for the Default VPC"
 default = {}
 }
+
+variable "manage_default_network_acl" {
+ description = "Should be true to adopt and manage Default Network ACL"
+ default = false
+}
+
+variable "default_network_acl_name" {
+ description = "Name to be used on the Default Network ACL"
+ default = ""
+}
+
+variable "default_network_acl_tags" {
+ description = "Additional tags for the Default Network ACL"
+ default = {}
+}
+
+variable "public_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
+ default = false
+}
+
+variable "private_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets"
+ default = false
+}
+
+variable "intra_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
+ default = false
+}
+
+variable "database_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets"
+ default = false
+}
+
+variable "redshift_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets"
+ default = false
+}
+
+variable "elasticache_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets"
+ default = false
+}
+
+variable "default_network_acl_ingress" {
+ description = "List of maps of ingress rules to set on the Default Network ACL"
+
+ default = [{
+ rule_no = 100
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_no = 101
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+}
+
+variable "default_network_acl_egress" {
+ description = "List of maps of egress rules to set on the Default Network ACL"
+
+ default = [{
+ rule_no = 100
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_no = 101
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+}
+
+variable "public_inbound_acl_rules" {
+ description = "Public subnets inbound network ACLs"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "public_outbound_acl_rules" {
+ description = "Public subnets outbound network ACLs"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "private_inbound_acl_rules" {
+ description = "Private subnets inbound network ACLs"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "private_outbound_acl_rules" {
+ description = "Private subnets outbound network ACLs"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "intra_inbound_acl_rules" {
+ description = "Intra subnets inbound network ACLs"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "intra_outbound_acl_rules" {
+ description = "Intra subnets outbound network ACLs"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "database_inbound_acl_rules" {
+ description = "Database subnets inbound network ACL rules"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "database_outbound_acl_rules" {
+ description = "Database subnets outbound network ACL rules"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "redshift_inbound_acl_rules" {
+ description = "Redshift subnets inbound network ACL rules"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "redshift_outbound_acl_rules" {
+ description = "Redshift subnets outbound network ACL rules"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "elasticache_inbound_acl_rules" {
+ description = "Elasticache subnets inbound network ACL rules"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "elasticache_outbound_acl_rules" {
+ description = "Elasticache subnets outbound network ACL rules"
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
From 2870b5fc56f29dbd9c707cbcc0f6eb078afcfec5 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Fri, 22 Mar 2019 14:42:03 +0100
Subject: [PATCH 45/81] Updated CHANGELOG

---
 CHANGELOG.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f38596d7..f991f22a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
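Review bot: Every `*_inbound_acl_rules`/`*_outbound_acl_rules` default in this hunk is a single rule 100 allowing all protocols from or to `0.0.0.0/0`, so a caller who sets `public_dedicated_network_acl = true` and nothing else gets a dedicated ACL with exactly the permit-all posture of the AWS default, and the one-line descriptions never say so. A description such as `"Public subnets inbound network ACL rules (list of maps with rule_number, rule_action, from_port, to_port, protocol, cidr_block); the default permits all IPv4 traffic and is meant to be overridden"` sets that expectation and documents the map schema, which matters because a missing key only surfaces at plan time inside `lookup()` in the consuming resources. The schema also differs between variables in this same hunk: `default_network_acl_ingress`/`egress` use `rule_no`/`action` and accept `ipv6_cidr_block`, while the twelve `*_acl_rules` variables use `rule_number`/`rule_action` and only `cidr_block`, so a comment beside the first pair noting that the key names follow the provider's inline-block attributes versus those of `aws_network_acl_rule` would prevent copy-paste mistakes between the two shapes. Whether an `ipv6_cidr_block` key in the `*_acl_rules` lists would be honoured is decided by the rule resources in `main.tf`, outside this hunk.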
@@ -3,9 +3,18 @@ + +## [v1.60.0] - 2019-03-22 + +- Network ACLs ([#238](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/238)) + + ## [v1.59.0] - 2019-03-05 +- Updated changelog +- Resolved conflicts after merge +- Redshift public subnets ([#222](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/222)) - Redshift public subnets ([#222](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/222)) - docs: Update comment in docs ([#226](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/226)) @@ -477,7 +486,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.59.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.60.0...HEAD +[v1.60.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.59.0...v1.60.0 [v1.59.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.58.0...v1.59.0 [v1.58.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.57.0...v1.58.0 [v1.57.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.56.0...v1.57.0 From 0bc8d6f4bbd923d08b66deb19bc80b50079f3950 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 25 Apr 2019 20:32:09 +0200 Subject: [PATCH 46/81] Added missing VPC endpoints outputs (resolves #246) (#247) --- README.md | 9 ++++++++ examples/simple-vpc/main.tf | 5 +++++ outputs.tf | 45 +++++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) diff --git a/README.md b/README.md index 1f1663a7c..bc130db59 100644 --- a/README.md +++ b/README.md 
@@ -387,6 +387,9 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc\_cidr\_block | The CIDR block of the VPC | | vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support | | vpc\_enable\_dns\_support | Whether or not the VPC has DNS support | +| vpc\_endpoint\_apigw\_dns\_entry | The DNS entries for the VPC Endpoint for APIGW. | +| vpc\_endpoint\_apigw\_id | The ID of VPC endpoint for APIGW | +| vpc\_endpoint\_apigw\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for APIGW. | | vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB | | vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. | | vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. | @@ -395,6 +398,12 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc\_endpoint\_ec2messages\_dns\_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES. | | vpc\_endpoint\_ec2messages\_id | The ID of VPC endpoint for EC2MESSAGES | | vpc\_endpoint\_ec2messages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES | +| vpc\_endpoint\_ecr\_api\_dns\_entry | The DNS entries for the VPC Endpoint for ECR API. | +| vpc\_endpoint\_ecr\_api\_id | The ID of VPC endpoint for ECR API | +| vpc\_endpoint\_ecr\_api\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR API. | +| vpc\_endpoint\_ecr\_dkr\_dns\_entry | The DNS entries for the VPC Endpoint for ECR DKR. | +| vpc\_endpoint\_ecr\_dkr\_id | The ID of VPC endpoint for ECR DKR | +| vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. | | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 | | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. | | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | 
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf
index a715edad3..decd0b0c5 100644
--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
@@ -2,6 +2,11 @@ provider "aws" {
 region = "eu-west-1"
 }
+data "aws_security_group" "default" {
+ name = "default"
+ vpc_id = "${module.vpc.vpc_id}"
+}
+
 module "vpc" {
 source = "../../"
diff --git a/outputs.tf b/outputs.tf
index d885ce35e..48b91376f 100644
--- a/outputs.tf
+++ b/outputs.tf
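Review bot: The new `data "aws_security_group" "default"` block in examples/simple-vpc/main.tf is not referenced by anything this commit changes (the diffstat shows only these five insertions for the file), so unless a line outside the hunk already uses it, it is a dead lookup that also adds a dependency on `module.vpc.vpc_id` to the example. If the intent is to feed an `*_endpoint_security_group_ids` argument the way the complete-vpc example does, wire it up in the same commit; otherwise drop the block. If it stays, a one-line comment such as `# Default security group of the VPC, used for the interface endpoints below` would make its purpose clear to readers of the example.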
@@ -369,6 +369,51 @@ output "vpc_endpoint_ec2messages_dns_entry" {
 value = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}"
 }
+output "vpc_endpoint_ecr_api_id" {
+ description = "The ID of VPC endpoint for ECR API"
+ value = "${element(concat(aws_vpc_endpoint.ecr_api.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecr_api_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECR API."
+ value = "${flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecr_api_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECR API."
+ value = "${flatten(aws_vpc_endpoint.ecr_api.*.dns_entry)}"
+}
+
+output "vpc_endpoint_ecr_dkr_id" {
+ description = "The ID of VPC endpoint for ECR DKR"
+ value = "${element(concat(aws_vpc_endpoint.ecr_dkr.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecr_dkr_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECR DKR."
+ value = "${flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecr_dkr_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECR DKR."
+ value = "${flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry)}"
+}
+
+output "vpc_endpoint_apigw_id" {
+ description = "The ID of VPC endpoint for APIGW"
+ value = "${element(concat(aws_vpc_endpoint.apigw.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_apigw_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for APIGW."
+ value = "${flatten(aws_vpc_endpoint.apigw.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_apigw_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for APIGW."
+ value = "${flatten(aws_vpc_endpoint.apigw.*.dns_entry)}"
+}
+
 # Static values (arguments)
 output "azs" {
 description = "A list of availability zones specified as argument to this module"
From 39f13386f8b7cd0090324ea793d1a462e4ce04f5 Mon Sep 17 00:00:00 2001
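Review bot: The `*_id` outputs added here return an empty string when the corresponding endpoint is not created (`element(concat(..., list("")), 0)` pads the empty splat with `""`), but the descriptions do not say so, and these same strings are copied into the README table. Stating it once per id output, e.g. `description = "The ID of VPC endpoint for ECR API (empty string if the endpoint is not created)"`, would save callers from treating `""` as a real endpoint id. As a point of style, the descriptions are inconsistent about trailing periods (`"...for ECR API"` vs `"...for ECR API."`); the existing ec2messages outputs above show the same split, so either convention is fine as long as the new ones pick one.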
From: Anton Babenko Date: Thu, 25 Apr 2019 20:32:51 +0200 Subject: [PATCH 47/81] Updated CHANGELOG --- CHANGELOG.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f991f22a2..b3b104c83 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,16 @@ + +## [v1.61.0] - 2019-04-25 + +- Added missing VPC endpoints outputs (resolves [#246](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/246)) ([#247](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/247)) + + ## [v1.60.0] - 2019-03-22 +- Updated CHANGELOG - Network ACLs ([#238](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/238)) @@ -486,7 +493,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.60.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.61.0...HEAD +[v1.61.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.60.0...v1.61.0 [v1.60.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.59.0...v1.60.0 [v1.59.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.58.0...v1.59.0 [v1.58.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.57.0...v1.58.0 From 08c765965afc636a5ef45ee520e8e73cb12eccb5 Mon Sep 17 00:00:00 2001 From: Nikos Loutas Date: Thu, 25 Apr 2019 20:37:30 +0200 Subject: [PATCH 48/81] Add support for KMS VPC endpoint creation (#243) --- README.md | 9 +++++++- examples/complete-vpc/main.tf | 7 ++++++ main.tf | 21 ++++++++++++++++++ outputs.tf | 15 +++++++++++++ variables.tf | 40 ++++++++++++++++++++++++----------- 5 files changed, 79 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index bc130db59..d7322128c 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,7 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway + * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) @@ -269,6 +269,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no | | enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | string | `"false"` | no | | enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | string | `"false"` | no | +| enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | string | `"false"` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | | enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | 
@@ -286,6 +287,9 @@ Terraform version 0.10.3 or newer is required for this module to work. | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | +| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | string | `"false"` | no | +| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list | `[]` | no | +| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | string | `"false"` | no | | manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | | map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no | 
@@ -404,6 +408,9 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | vpc\_endpoint\_ecr\_dkr\_dns\_entry | The DNS entries for the VPC Endpoint for ECR DKR. |
 | vpc\_endpoint\_ecr\_dkr\_id | The ID of VPC endpoint for ECR DKR |
 | vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. |
+| vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. |
+| vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS |
+| vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. |
 | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
 | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
 | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
index 0f38fda90..cee1fbcc2 100644
--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -72,6 +72,13 @@ module "vpc" {
 ecr_dkr_endpoint_private_dns_enabled = true
 ecr_dkr_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]
+ # VPC endpoint for KMS
+ enable_kms_endpoint = true
+ kms_endpoint_private_dns_enabled = true
+ kms_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]
+
+ # kms_endpoint_subnet_ids = ["..."]
+
 tags = {
 Owner = "user"
 Environment = "staging"
diff --git a/main.tf b/main.tf
index 28fd09de4..1b6f3fa42 100644
--- a/main.tf
+++ b/main.tf
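Review bot: The complete-vpc example attaches the VPC's default security group to the KMS interface endpoint (`kms_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"]`), copying the pattern used for the ECR DKR endpoint two lines above. The endpoint's security group is what bounds which VPC sources can reach the endpoint ENIs, so an operator who copies this verbatim presumably ends up with a KMS endpoint reachable from everything in the default group rather than from the workloads that need it. Since this is the file people copy from, a short comment would keep it honest, e.g. `# Example only: in real deployments use a dedicated security group allowing 443 from the callers of KMS`. The commented `# kms_endpoint_subnet_ids = ["..."]` placeholder matches the other endpoints and is fine as is.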
@@ -809,6 +809,27 @@ resource "aws_vpc_endpoint" "apigw" {
 private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}"
 }
+#######################
+# VPC Endpoint for KMS
+#######################
+data "aws_vpc_endpoint_service" "kms" {
+ count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}"
+
+ service = "kms"
+}
+
+resource "aws_vpc_endpoint" "kms" {
+ count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.kms.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.kms_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index 48b91376f..af8afc500 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -369,6 +369,21 @@ output "vpc_endpoint_ec2messages_dns_entry" {
 value = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}"
 }
+output "vpc_endpoint_kms_id" {
+ description = "The ID of VPC endpoint for KMS"
+ value = "${element(concat(aws_vpc_endpoint.kms.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_kms_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for KMS."
+ value = "${flatten(aws_vpc_endpoint.kms.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_kms_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for KMS."
+ value = "${flatten(aws_vpc_endpoint.kms.*.dns_entry)}"
+}
+
 output "vpc_endpoint_ecr_api_id" {
 description = "The ID of VPC endpoint for ECR API"
 value = "${element(concat(aws_vpc_endpoint.ecr_api.*.id, list("")), 0)}"
diff --git a/variables.tf b/variables.tf
index 9d6911bb6..94f9011f5 100644
--- a/variables.tf
+++ b/variables.tf
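Review bot: `security_group_ids = ["${var.kms_endpoint_security_group_ids}"]` in the new `aws_vpc_endpoint.kms` resource is fed by a variable whose default is `[]`, and when an interface endpoint is created with no security groups AWS associates the VPC's default security group with its ENIs; so setting `enable_kms_endpoint = true` alone silently places the KMS endpoint in the default group, which neither the variable description nor the README mentions. A comment on that line, `# With no security groups given, AWS attaches the VPC's default security group to the endpoint ENIs`, plus the same sentence appended to the `kms_endpoint_security_group_ids` description in variables.tf, would make the fallback visible to callers. The `count` condition also gates the endpoint on `var.create_vpc`, which is correct since `local.vpc_id` is only meaningful when the VPC is created or adopted; `service_name` is read from the `count`-ed data source without an index, which matches the existing endpoint blocks and so is presumably intentional.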
@@ -69,25 +69,21 @@ variable "private_subnets" {
 }
 variable "database_subnets" {
- type = "list"
 description = "A list of database subnets"
 default = []
 }
 variable "redshift_subnets" {
- type = "list"
 description = "A list of redshift subnets"
 default = []
 }
 variable "elasticache_subnets" {
- type = "list"
 description = "A list of elasticache subnets"
 default = []
 }
 variable "intra_subnets" {
- type = "list"
 description = "A list of intra subnets"
 default = []
 }
@@ -174,8 +170,8 @@ variable "reuse_nat_ips" {
 }
 variable "external_nat_ip_ids" {
 description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
- type = "list"
- default = []
+
+ default = []
 }
 variable "enable_dynamodb_endpoint" {
@@ -328,6 +324,26 @@ variable "ecr_dkr_endpoint_security_group_ids" {
 default = []
 }
+variable "enable_kms_endpoint" {
+ description = "Should be true if you want to provision a KMS endpoint to the VPC"
+ default = false
+}
+
+variable "kms_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for KMS endpoint"
+ default = []
+}
+
+variable "kms_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "kms_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint"
+ default = false
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 default = true
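Review bot: The first two hunks of variables.tf drop `type = "list"` from `database_subnets`, `redshift_subnets`, `elasticache_subnets`, `intra_subnets` and `external_nat_ip_ids`, and the `@@ -505,20 +521,20 @@` hunk that follows does the same for the three `dhcp_options_*` list variables; none of this is related to the KMS endpoint named in the commit subject, and the commit message does not mention it. Without the constraint a caller who passes a string where a list is expected is no longer rejected at plan time, so the module loses input validation it had before; if the removal is deliberate (for example to ease a later Terraform upgrade), the commit message should say so, otherwise the `type = "list"` lines should stay. The new KMS variables in the third hunk likewise carry no `type`, so `kms_endpoint_security_group_ids` and `kms_endpoint_subnet_ids` would benefit from `type = "list"` for the same reason. The edit also leaves a stray blank line where `type` stood (`description = ...` followed by an empty line and then `default = []`), which `terraform fmt` will not remove.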
@@ -505,20 +521,20 @@ variable "dhcp_options_domain_name" {
 variable "dhcp_options_domain_name_servers" {
 description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided"
- type = "list"
- default = ["AmazonProvidedDNS"]
+
+ default = ["AmazonProvidedDNS"]
 }
 variable "dhcp_options_ntp_servers" {
 description = "Specify a list of NTP servers for DHCP options set"
- type = "list"
- default = []
+
+ default = []
 }
 variable "dhcp_options_netbios_name_servers" {
 description = "Specify a list of netbios servers for DHCP options set"
- type = "list"
- default = []
+
+ default = []
 }
 variable "dhcp_options_netbios_node_type" {
From 1b5d9e673c09417014dc6e9fd3353ef87a575dd7 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 25 Apr 2019 20:43:44 +0200 Subject: [PATCH 49/81] Updated CHANGELOG --- CHANGELOG.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3b104c83..7308a82a0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,16 @@ + +## [v1.62.0] - 2019-04-25 + +- Add support for KMS VPC endpoint creation ([#243](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/243)) + + ## [v1.61.0] - 2019-04-25 +- Updated CHANGELOG - Added missing VPC endpoints outputs (resolves [#246](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/246)) ([#247](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/247)) @@ -409,13 +416,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default
@@ -493,7 +500,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.61.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.62.0...HEAD +[v1.62.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.61.0...v1.62.0 [v1.61.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.60.0...v1.61.0 [v1.60.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.59.0...v1.60.0 [v1.59.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.58.0...v1.59.0 @@ -554,9 +562,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 From be5e3d3bf6462461c7db3915ab689525713c8bf9 Mon Sep 17 00:00:00 2001 
From: Rafael Bernardo Date: Thu, 25 Apr 2019 15:53:17 -0300 Subject: [PATCH 50/81] Added ARN of VPC in module output (#245) I need in my policy generator the arn of vpc so I would like to include this --- outputs.tf | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/outputs.tf b/outputs.tf
index af8afc500..045009bd8 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,6 +3,11 @@ output "vpc_id" {
 value = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
 }
+output "vpc_arn" {
+ description = "The ARN of the VPC"
+ value = "${element(concat(aws_vpc.this.*.arn, list("")), 0)}"
+}
+
 output "vpc_cidr_block" {
 description = "The CIDR block of the VPC"
 value = "${element(concat(aws_vpc.this.*.cidr_block, list("")), 0)}"
From d4212d69a4c2df3d4b12a5e6a9e4e597771ad86a Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 25 Apr 2019 20:54:08 +0200 Subject: [PATCH 51/81] Fixed formatting --- README.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index d7322128c..98917a3db 100644
--- a/README.md
+++ b/README.md
@@ -388,6 +388,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | redshift\_subnets | List of IDs of redshift subnets |
 | redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
 | vgw\_id | The ID of the VPN Gateway |
+| vpc\_arn | The ARN of the VPC |
 | vpc\_cidr\_block | The CIDR block of the VPC |
 | vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support |
 | vpc\_enable\_dns\_support | Whether or not the VPC has DNS support |
From c2734e4b1ef0b45ec7c7dab0df7e8272e1e27a99 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 25 Apr 2019 20:54:20 +0200 Subject: [PATCH 52/81] Updated CHANGELOG --- CHANGELOG.md | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7308a82a0..56a40bd2a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,17 @@ + +## [v1.63.0] - 2019-04-25 + +- Fixed formatting +- Added ARN of VPC in module output ([#245](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/245)) + + ## [v1.62.0] - 2019-04-25 +- Updated CHANGELOG - Add support for KMS VPC endpoint creation ([#243](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/243)) @@ -416,13 +424,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -500,7 +508,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.62.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.63.0...HEAD +[v1.63.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.62.0...v1.63.0 [v1.62.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.61.0...v1.62.0 [v1.61.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.60.0...v1.61.0 [v1.60.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.59.0...v1.60.0 
@@ -562,9 +571,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 From 215217f27e5c92f127f17e64aa98c766bb87ad52 Mon Sep 17 00:00:00 2001 From: Blaine Schanfeldt Date: Thu, 25 Apr 2019 11:56:00 -0700 Subject: [PATCH 53/81] Add Output Of Subnet ARNs (#242) * Add Output Of Subnet ARNs Facilitates resource access manager, subnet sharing across accounts * Update Readme For Subnet ARN Output --- README.md | 6 ++++++ outputs.tf | 30 ++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/README.md b/README.md index 98917a3db..c5eedabad 100644 --- a/README.md +++ b/README.md 
@@ -347,6 +347,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | database\_route\_table\_ids | List of IDs of database route tables | | database\_subnet\_group | ID of database subnet group | | database\_subnets | List of IDs of database subnets | +| database\_subnet\_arns | List of ARNs of database subnets | | database\_subnets\_cidr\_blocks | List of cidr_blocks of database subnets | | default\_network\_acl\_id | The ID of the default network ACL | | default\_route\_table\_id | The ID of the default route table | @@ -365,11 +366,13 @@ Terraform version 0.10.3 or newer is required for this module to work. | elasticache\_subnet\_group | ID of elasticache subnet group | | elasticache\_subnet\_group\_name | Name of elasticache subnet group | | elasticache\_subnets | List of IDs of elasticache subnets | +| elasticache\_subnet\_arns | List of ARNs of elasticache subnets | | elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets | | igw\_id | The ID of the Internet Gateway | | intra\_network\_acl\_id | ID of the intra network ACL | | intra\_route\_table\_ids | List of IDs of intra route tables | | intra\_subnets | List of IDs of intra subnets | +| intra\_subnet\_arns | List of ARNs of intra subnets | | intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets | | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | 
@@ -377,15 +380,18 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | private\_network\_acl\_id | ID of the private network ACL |
 | private\_route\_table\_ids | List of IDs of private route tables |
 | private\_subnets | List of IDs of private subnets |
+| private\_subnet\_arns | List of ARNs of private subnets |
 | private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets |
 | public\_network\_acl\_id | ID of the public network ACL |
 | public\_route\_table\_ids | List of IDs of public route tables |
 | public\_subnets | List of IDs of public subnets |
+| public\_subnet\_arns | List of ARNs of public subnets |
 | public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets |
 | redshift\_network\_acl\_id | ID of the redshift network ACL |
 | redshift\_route\_table\_ids | List of IDs of redshift route tables |
 | redshift\_subnet\_group | ID of redshift subnet group |
 | redshift\_subnets | List of IDs of redshift subnets |
+| redshift\_subnet\_arns | List of ARNs of redshift subnets |
 | redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
 | vgw\_id | The ID of the VPN Gateway |
 | vpc\_arn | The ARN of the VPC |
diff --git a/outputs.tf b/outputs.tf
index 045009bd8..425af581e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -73,6 +73,11 @@ output "private_subnets" {
 value = ["${aws_subnet.private.*.id}"]
 }
+output "private_subnet_arns" {
+ description = "List of ARNs of private subnets"
+ value = ["${aws_subnet.private.*.arn}"]
+}
+
 output "private_subnets_cidr_blocks" {
 description = "List of cidr_blocks of private subnets"
 value = ["${aws_subnet.private.*.cidr_block}"]
@@ -83,6 +88,11 @@ output "public_subnets" {
 value = ["${aws_subnet.public.*.id}"]
 }
+output "public_subnet_arns" {
+ description = "List of ARNs of public subnets"
+ value = ["${aws_subnet.public.*.arn}"]
+}
+
 output "public_subnets_cidr_blocks" {
 description = "List of cidr_blocks of public subnets"
 value = ["${aws_subnet.public.*.cidr_block}"]
@@ -93,6 +103,11 @@ output "database_subnets" {
 value = ["${aws_subnet.database.*.id}"]
 }
+output "database_subnet_arns" {
+ description = "List of ARNs of database subnets"
+ value = ["${aws_subnet.database.*.arn}"]
+}
+
 output "database_subnets_cidr_blocks" {
 description = "List of cidr_blocks of database subnets"
 value = ["${aws_subnet.database.*.cidr_block}"]
@@ -108,6 +123,11 @@ output "redshift_subnets" {
 value = ["${aws_subnet.redshift.*.id}"]
 }
+output "redshift_subnet_arns" {
+ description = "List of ARNs of redshift subnets"
+ value = ["${aws_subnet.redshift.*.arn}"]
+}
+
 output "redshift_subnets_cidr_blocks" {
 description = "List of cidr_blocks of redshift subnets"
 value = ["${aws_subnet.redshift.*.cidr_block}"]
@@ -123,6 +143,11 @@ output "elasticache_subnets" {
 value = ["${aws_subnet.elasticache.*.id}"]
 }
+output "elasticache_subnet_arns" {
+ description = "List of ARNs of elasticache subnets"
+ value = ["${aws_subnet.elasticache.*.arn}"]
+}
+
 output "elasticache_subnets_cidr_blocks" {
 description = "List of cidr_blocks of elasticache subnets"
 value = ["${aws_subnet.elasticache.*.cidr_block}"]
@@ -133,6 +158,11 @@ output "intra_subnets" {
 value = ["${aws_subnet.intra.*.id}"]
 }
+output "intra_subnet_arns" {
+ description = "List of ARNs of intra subnets"
+ value = ["${aws_subnet.intra.*.arn}"]
+}
+
 output "intra_subnets_cidr_blocks" {
 description = "List of cidr_blocks of intra subnets"
 value = ["${aws_subnet.intra.*.cidr_block}"]
From 9fe9cb690e320230b74c1787a78a962b13c396c4 Mon Sep 17 00:00:00 2001
From: Anton Babenko Date: Thu, 25 Apr 2019 20:59:40 +0200 Subject: [PATCH 54/81] Fixed formatting --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c5eedabad..0f1c1f9b0 100644 --- a/README.md +++ b/README.md @@ -345,9 +345,9 @@ Terraform version 0.10.3 or newer is required for this module to work. | azs | A list of availability zones specified as argument to this module | | database\_network\_acl\_id | ID of the database network ACL | | database\_route\_table\_ids | List of IDs of database route tables | +| database\_subnet\_arns | List of ARNs of database subnets | | database\_subnet\_group | ID of database subnet group | | database\_subnets | List of IDs of database subnets | -| database\_subnet\_arns | List of ARNs of database subnets | | database\_subnets\_cidr\_blocks | List of cidr_blocks of database subnets | | default\_network\_acl\_id | The ID of the default network ACL | | default\_route\_table\_id | The ID of the default route table | 
@@ -363,35 +363,35 @@ Terraform version 0.10.3 or newer is required for this module to work. | default\_vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | | elasticache\_network\_acl\_id | ID of the elasticache network ACL | | elasticache\_route\_table\_ids | List of IDs of elasticache route tables | +| elasticache\_subnet\_arns | List of ARNs of elasticache subnets | | elasticache\_subnet\_group | ID of elasticache subnet group | | elasticache\_subnet\_group\_name | Name of elasticache subnet group | | elasticache\_subnets | List of IDs of elasticache subnets | -| elasticache\_subnet\_arns | List of ARNs of elasticache subnets | | elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets | | igw\_id | The ID of the Internet Gateway | | intra\_network\_acl\_id | ID of the intra network ACL | | intra\_route\_table\_ids | List of IDs of intra route tables | -| intra\_subnets | List of IDs of intra subnets | | intra\_subnet\_arns | List of ARNs of intra subnets | +| intra\_subnets | List of IDs of intra subnets | | intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets | | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | | natgw\_ids | List of NAT Gateway IDs | | private\_network\_acl\_id | ID of the private network ACL | | private\_route\_table\_ids | List of IDs of private route tables | -| private\_subnets | List of IDs of private subnets | | private\_subnet\_arns | List of ARNs of private subnets | +| private\_subnets | List of IDs of private subnets | | private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets | | public\_network\_acl\_id | ID of the public network ACL | | public\_route\_table\_ids | List of IDs of public route tables | -| public\_subnets | List of IDs of public subnets | | public\_subnet\_arns | List of ARNs of public subnets | +| public\_subnets | List of 
IDs of public subnets | | public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets | | redshift\_network\_acl\_id | ID of the redshift network ACL | | redshift\_route\_table\_ids | List of IDs of redshift route tables | +| redshift\_subnet\_arns | List of ARNs of redshift subnets | | redshift\_subnet\_group | ID of redshift subnet group | | redshift\_subnets | List of IDs of redshift subnets | -| redshift\_subnet\_arns | List of ARNs of redshift subnets | | redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets | | vgw\_id | The ID of the VPN Gateway | | vpc\_arn | The ARN of the VPC | From 8c238b81ca830463c104c293796d4bbce7559f93 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 25 Apr 2019 20:59:50 +0200 Subject: [PATCH 55/81] Updated CHANGELOG --- CHANGELOG.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56a40bd2a..e1fc702ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,17 @@ + +## [v1.64.0] - 2019-04-25 + +- Fixed formatting +- Add Output Of Subnet ARNs ([#242](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/242)) + + ## [v1.63.0] - 2019-04-25 +- Updated CHANGELOG - Fixed formatting - Added ARN of VPC in module output ([#245](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/245)) @@ -508,7 +516,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.63.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.64.0...HEAD +[v1.64.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.63.0...v1.64.0 [v1.63.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.62.0...v1.63.0 [v1.62.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.61.0...v1.62.0 [v1.61.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.60.0...v1.61.0 
From 661d211bacf39d529ccfc6b7f39cf236aebe17e4 Mon Sep 17 00:00:00 2001 From: Andreas Wittig Date: Tue, 21 May 2019 12:05:29 +0200 Subject: [PATCH 56/81] Improving DHCP options docs (#260) * Improving DHCP options docs * generating README from variables description --- README.md | 12 ++++++------ variables.tf | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 0f1c1f9b0..039c699cd 100644 --- a/README.md +++ b/README.md 
@@ -234,12 +234,12 @@ Terraform version 0.10.3 or newer is required for this module to work. | default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | | default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no | | default\_vpc\_tags | Additional tags for the Default VPC | map | `{}` | no | -| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set | string | `""` | no | -| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list | `[ "AmazonProvidedDNS" ]` | no | -| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set | list | `[]` | no | -| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set | string | `""` | no | -| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set | list | `[]` | no | -| dhcp\_options\_tags | Additional tags for the DHCP option set | map | `{}` | no | +| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no | +| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | list | `[ "AmazonProvidedDNS" ]` | no | +| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list | `[]` | no | +| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no | +| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list | `[]` | no | +| dhcp\_options\_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map | `{}` | no 
| | ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | string | `"false"` | no | | ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list | `[]` | no | | ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | diff --git a/variables.tf b/variables.tf index 94f9011f5..33b79d6c5 100644 --- a/variables.tf +++ b/variables.tf @@ -490,7 +490,7 @@ variable "elasticache_acl_tags" { } variable "dhcp_options_tags" { - description = "Additional tags for the DHCP option set" + description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" default = {} } 
@@ -515,30 +515,30 @@ variable "enable_dhcp_options" { } variable "dhcp_options_domain_name" { - description = "Specifies DNS name for DHCP options set" + description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" default = "" } variable "dhcp_options_domain_name_servers" { - description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided" + description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" default = ["AmazonProvidedDNS"] } variable "dhcp_options_ntp_servers" { - description = "Specify a list of NTP servers for DHCP options set" + description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" default = [] } variable "dhcp_options_netbios_name_servers" { - description = "Specify a list of netbios servers for DHCP options set" + description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" default = [] } variable "dhcp_options_netbios_node_type" { - description = "Specify netbios node_type for DHCP options set" + description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" default = "" } From c1395ddd740aad3d7104e3dba89523e295be8470 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Tue, 21 May 2019 12:06:35 +0200 Subject: [PATCH 57/81] Updated CHANGELOG --- CHANGELOG.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1fc702ae..0c41d22d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,9 +3,16 @@ + +## [v1.65.0] - 2019-05-21 + +- Improving DHCP options docs ([#260](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/260)) + + ## [v1.64.0] - 2019-04-25 +- Updated CHANGELOG - Fixed formatting - Add Output Of Subnet ARNs ([#242](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/242)) @@ -516,7 +523,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.64.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.65.0...HEAD +[v1.65.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.64.0...v1.65.0 [v1.64.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.63.0...v1.64.0 [v1.63.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.62.0...v1.63.0 [v1.62.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.61.0...v1.62.0 From 03e8c62a59bd24906fb8da30d1d15b4d9df18358 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Fri, 24 May 2019 20:00:30 +0300 Subject: [PATCH 58/81] ECS endpoint (#261) * add ecs vpc endpoints * add ecs vpcendpoints outputs * add ecs vpc endpoints to readme inputs/outputs table * add ecs vpc endpoints to readme endpoint list --- README.md | 20 +++++++++++++++- main.tf | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++ outputs.tf | 45 +++++++++++++++++++++++++++++++++++ variables.tf | 60 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 190 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 039c699cd..ce7b774a0 100644 --- a/README.md +++ b/README.md 
@@ -16,7 +16,7 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS + * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -333,6 +333,15 @@ Terraform version 0.10.3 or newer is required for this module to work. | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | string | `"false"` | no | +| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list | `[]` | no | +| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | string | `"false"` | no | +| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list | `[]` | no | +| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no | +| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no | +| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | | vpc\_tags | Additional tags for the VPC | map | `{}` | no | | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | 
@@ -426,6 +435,15 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. | | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES | | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. | +| vpc\_endpoint\_ecs\_dns\_entry | The DNS entries for the VPC Endpoint for ECS. | +| vpc\_endpoint\_ecs\_id | The ID of VPC endpoint for ECS | +| vpc\_endpoint\_ecs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS. | +| vpc\_endpoint\_ecs\_agent\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Agent. | +| vpc\_endpoint\_ecs\_agent\_id | The ID of VPC endpoint for ECS Agent | +| vpc\_endpoint\_ecs\_agent\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. | +| vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. | +| vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry | +| vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. | | vpc\_id | The ID of the VPC | | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | diff --git a/main.tf b/main.tf index 1b6f3fa42..9a2f89232 100644 --- a/main.tf +++ b/main.tf 
@@ -830,6 +830,72 @@ resource "aws_vpc_endpoint" "kms" {
 private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}"
 }
 
+
+#######################
+# VPC Endpoint for ECS
+#######################
+data "aws_vpc_endpoint_service" "ecs" {
+ count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}"
+
+ service = "ecs"
+}
+
+resource "aws_vpc_endpoint" "ecs" {
+ count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecs_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}"
+}
+
+
+#######################
+# VPC Endpoint for ECS Agent
+#######################
+data "aws_vpc_endpoint_service" "ecs_agent" {
+ count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}"
+
+ service = "ecs-agent"
+}
+
+resource "aws_vpc_endpoint" "ecs_agent" {
+ count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}"
+}
+
+
+#######################
+# VPC Endpoint for ECS Telemetry
+#######################
+data "aws_vpc_endpoint_service" "ecs_telemetry" {
+ count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
+
+ service = "ecs-telemetry"
+}
+
+resource "aws_vpc_endpoint" "ecs_telemetry" {
+ count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index 425af581e..107d801b8 100644
--- a/outputs.tf
+++ b/outputs.tf
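Review bot: The `ecs_telemetry` endpoint resource takes its `service_name` from the wrong data source: `service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}"` references the `ecs` lookup, so with `enable_ecs_telemetry_endpoint = true` and `enable_ecs_endpoint = false` the plan fails on a zero-count reference, and when both flags are set the "telemetry" endpoint is silently provisioned for the `ecs` service instead of `ecs-telemetry`. The line should read `service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}"`, matching the `ecs` and `ecs_agent` blocks above it. The complete-vpc example added later in this series enables both flags together, so it would not surface the dangling reference. Separately, all three new endpoints pass `security_group_ids` straight from list variables that default to `[]`, in which case AWS falls back to the VPC default security group for the endpoint ENIs; since that group decides which clients can reach the endpoints, the fallback deserves a sentence in the `*_endpoint_security_group_ids` descriptions.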
@@ -464,6 +464,51 @@ output "vpc_endpoint_apigw_dns_entry" { value = "${flatten(aws_vpc_endpoint.apigw.*.dns_entry)}" } +output "vpc_endpoint_ecs_id" { + description = "The ID of VPC endpoint for ECS" + value = "${element(concat(aws_vpc_endpoint.ecs.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ecs_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for ECS." + value = "${flatten(aws_vpc_endpoint.ecs.*.network_interface_ids)}" +} + +output "vpc_endpoint_ecs_dns_entry" { + description = "The DNS entries for the VPC Endpoint for ECS." + value = "${flatten(aws_vpc_endpoint.ecs.*.dns_entry)}" +} + +output "vpc_endpoint_ecs_agent_id" { + description = "The ID of VPC endpoint for ECS Agent" + value = "${element(concat(aws_vpc_endpoint.ecs_agent.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ecs_agent_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for ECS Agent." + value = "${flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids)}" +} + +output "vpc_endpoint_ecs_agent_dns_entry" { + description = "The DNS entries for the VPC Endpoint for ECS Agent." + value = "${flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry)}" +} + +output "vpc_endpoint_ecs_telemetry_id" { + description = "The ID of VPC endpoint for ECS Telemetry" + value = "${element(concat(aws_vpc_endpoint.ecs_telemetry.*.id, list("")), 0)}" +} + +output "vpc_endpoint_ecs_telemetry_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry." + value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids)}" +} + +output "vpc_endpoint_ecs_telemetry_dns_entry" { + description = "The DNS entries for the VPC Endpoint for ECS Telemetry." + value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}" +} + # Static values (arguments) output "azs" { description = "A list of availability zones specified as argument to this module" 
diff --git a/variables.tf b/variables.tf index 33b79d6c5..9c24a808f 100644 --- a/variables.tf +++ b/variables.tf 
@@ -344,6 +344,66 @@ variable "kms_endpoint_private_dns_enabled" { default = false } +variable "enable_ecs_endpoint" { + description = "Should be true if you want to provision a ECS endpoint to the VPC" + default = false +} + +variable "ecs_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS endpoint" + default = [] +} + +variable "ecs_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "ecs_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint" + default = false +} + +variable "enable_ecs_agent_endpoint" { + description = "Should be true if you want to provision a ECS Agent endpoint to the VPC" + default = false +} + +variable "ecs_agent_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint" + default = [] +} + +variable "ecs_agent_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "ecs_agent_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint" + default = false +} + +variable "enable_ecs_telemetry_endpoint" { + description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC" + default = false +} + +variable "ecs_telemetry_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint" + default = [] +} + +variable "ecs_telemetry_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "ecs_telemetry_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint" + default = false +} + variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" default = true From 8ab27d0e29d9c70bd5686b3b023d148fe6c84907 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 24 May 2019 22:03:00 +0200 Subject: [PATCH 59/81] Added VPC endpoints for SQS (closes #248) --- .pre-commit-config.yaml | 4 +-- README.md | 58 +++++++++++++++++++++-------------- examples/complete-vpc/main.tf | 17 ++++++++-- main.tf | 33 ++++++++++++++++---- outputs.tf | 15 +++++++++ variables.tf | 24 +++++++++++++-- 6 files changed, 116 insertions(+), 35 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c8299b7a8..23497e143 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
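Review bot: The three `enable_ecs*_endpoint` descriptions read "provision a ECS ... endpoint" while the existing `enable_ssm_endpoint` text reads "an SSM endpoint", and the README table is generated from these descriptions, so the wording should be `Should be true if you want to provision an ECS endpoint to the VPC` (likewise for the Agent and Telemetry variants). Adding `(requires enable_ecs_endpoint set to true)` to the `ecs_endpoint_*` descriptions, and the matching suffix for the agent and telemetry variables, would mirror the DHCP-option wording introduced in PATCH 56 and make the dependency on the enable flag explicit.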
@@ -1,10 +1,10 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.8.1 + rev: v1.11.0 hooks: - id: terraform_fmt - id: terraform_docs - repo: git://github.com/pre-commit/pre-commit-hooks - rev: v2.1.0 + rev: v2.2.3 hooks: - id: check-merge-conflict diff --git a/README.md b/README.md index ce7b774a0..4754b333f 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry + * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) @@ -28,6 +28,12 @@ Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft Cloudcraft - the best way to draw AWS diagrams +## Terraform versions + +For Terraform 0.12 use version `v2.*` of this module. + +If you are using Terraform 0.11 you can use versions `v1.*`. + ## Usage ```hcl @@ -183,10 +189,6 @@ Sometimes it is handy to have public access to Redshift clusters (for example if enable_public_redshift = true # <= By default Redshift subnets will be associated with the private route table ``` -## Terraform version - -Terraform version 0.10.3 or newer is required for this module to work. - ## Examples * [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) 
@@ -252,6 +254,15 @@ Terraform version 0.10.3 or newer is required for this module to work. | ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | string | `"false"` | no | | ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list | `[]` | no | | ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list | `[]` | no | +| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | string | `"false"` | no | +| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list | `[]` | no | +| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | string | `"false"` | no | +| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list | `[]` | no | +| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no | +| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no | +| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map | `{}` | no | | elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | string | `"false"` | no | | elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | 
@@ -269,10 +280,14 @@ Terraform version 0.10.3 or newer is required for this module to work. | enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no | | enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | string | `"false"` | no | | enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | string | `"false"` | no | +| enable\_ecs\_agent\_endpoint | Should be true if you want to provision a ECS Agent endpoint to the VPC | string | `"false"` | no | +| enable\_ecs\_endpoint | Should be true if you want to provision a ECS endpoint to the VPC | string | `"false"` | no | +| enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | string | `"false"` | no | | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | string | `"false"` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | | enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | +| enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no | | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | 
@@ -327,21 +342,15 @@ Terraform version 0.10.3 or newer is required for this module to work. | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | +| sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | `"false"` | no | +| sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | `[]` | no | +| sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | string | `"false"` | no | -| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list | `[]` | no | -| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | string | `"false"` | no | -| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list | `[]` | no | -| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | -| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no | -| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no | -| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | | vpc\_tags | Additional tags for the VPC | map | `{}` | no | | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | 
@@ -424,26 +433,29 @@ Terraform version 0.10.3 or newer is required for this module to work. | vpc\_endpoint\_ecr\_dkr\_dns\_entry | The DNS entries for the VPC Endpoint for ECR DKR. | | vpc\_endpoint\_ecr\_dkr\_id | The ID of VPC endpoint for ECR DKR | | vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. | +| vpc\_endpoint\_ecs\_agent\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Agent. | +| vpc\_endpoint\_ecs\_agent\_id | The ID of VPC endpoint for ECS Agent | +| vpc\_endpoint\_ecs\_agent\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. | +| vpc\_endpoint\_ecs\_dns\_entry | The DNS entries for the VPC Endpoint for ECS. | +| vpc\_endpoint\_ecs\_id | The ID of VPC endpoint for ECS | +| vpc\_endpoint\_ecs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS. | +| vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. | +| vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry | +| vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. | | vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. | | vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS | | vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. | | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 | | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. | +| vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. | +| vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS | +| vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. | | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. 
| | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. | | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES | | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. | -| vpc\_endpoint\_ecs\_dns\_entry | The DNS entries for the VPC Endpoint for ECS. | -| vpc\_endpoint\_ecs\_id | The ID of VPC endpoint for ECS | -| vpc\_endpoint\_ecs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS. | -| vpc\_endpoint\_ecs\_agent\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Agent. | -| vpc\_endpoint\_ecs\_agent\_id | The ID of VPC endpoint for ECS Agent | -| vpc\_endpoint\_ecs\_agent\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. | -| vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. | -| vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry | -| vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. | | vpc\_id | The ID of the VPC | | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index cee1fbcc2..2d5d71183 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf 
@@ -45,7 +45,7 @@ module "vpc" { # VPC endpoint for SSM enable_ssm_endpoint = true ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] # ssm_endpoint_subnet_ids = ["..."] + ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] # VPC endpoint for SSMMESSAGES enable_ssmmessages_endpoint = true @@ -77,7 +77,20 @@ module "vpc" { kms_endpoint_private_dns_enabled = true kms_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] - # kms_endpoint_subnet_ids = ["..."] + # VPC endpoint for ECS + enable_ecs_endpoint = true + ecs_endpoint_private_dns_enabled = true + ecs_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + + # VPC endpoint for ECS telemetry + enable_ecs_telemetry_endpoint = true + ecs_telemetry_endpoint_private_dns_enabled = true + ecs_telemetry_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + + # VPC endpoint for SQS + enable_sqs_endpoint = true + sqs_endpoint_private_dns_enabled = true + sqs_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] tags = { Owner = "user" diff --git a/main.tf b/main.tf index 9a2f89232..86bfccc2a 100644 --- a/main.tf +++ b/main.tf @@ -122,7 +122,7 @@ resource "aws_route_table" "database" { } resource "aws_route" "database_internet_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0}" + count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && ! var.create_database_nat_gateway_route ? 1 : 0}" route_table_id = "${aws_route_table.database.id}" destination_cidr_block = "0.0.0.0/0" 
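Review bot: The three endpoint blocks added here (ECS, ECS telemetry, SQS) pass `data.aws_security_group.default.id` as the only security group, so the endpoint network interfaces are reachable only through the VPC default security group, and nothing in the example says that these groups are what gates endpoint traffic. A comment above the first added block would make that explicit: `# Interface endpoints are reached over TCP/443; the security groups given here must allow that inbound from the clients`. The enclosing `module "vpc"` block starts before and ends after this hunk.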
@@ -134,7 +134,7 @@ resource "aws_route" "database_internet_gateway" { } resource "aws_route" "database_nat_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}" + count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && ! var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}" route_table_id = "${element(aws_route_table.private.*.id, count.index)}" destination_cidr_block = "0.0.0.0/0" nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" @@ -181,7 +181,7 @@ resource "aws_route_table" "intra" { # Public subnet ################ resource "aws_subnet" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 && (!var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}" + count = "${var.create_vpc && length(var.public_subnets) > 0 && (! var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}" vpc_id = "${local.vpc_id}" cidr_block = "${element(concat(var.public_subnets, list("")), count.index)}" @@ -558,7 +558,7 @@ locals { } resource "aws_eip" "nat" { - count = "${var.create_vpc && (var.enable_nat_gateway && !var.reuse_nat_ips) ? local.nat_gateway_count : 0}" + count = "${var.create_vpc && (var.enable_nat_gateway && ! var.reuse_nat_ips) ? local.nat_gateway_count : 0}" vpc = true 
@@ -662,6 +662,27 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { route_table_id = "${aws_route_table.public.id}" } +####################### +# VPC Endpoint for SQS +####################### +data "aws_vpc_endpoint_service" "sqs" { + count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" + + service = "sqs" +} + +resource "aws_vpc_endpoint" "sqs" { + count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sqs.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sqs_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}" +} + ####################### # VPC Endpoint for SSM ####################### @@ -888,7 +909,7 @@ resource "aws_vpc_endpoint" "ecs_telemetry" { count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}" vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}" + service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}" vpc_endpoint_type = "Interface" security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"] @@ -914,7 +935,7 @@ resource "aws_route_table_association" "database" { } resource "aws_route_table_association" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && !var.enable_public_redshift ? length(var.redshift_subnets) : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 && ! var.enable_public_redshift ? length(var.redshift_subnets) : 0}" subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" 
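Review bot: `aws_vpc_endpoint.sqs` passes `var.sqs_endpoint_security_group_ids` through unchanged, and that variable defaults to `[]` in this commit's variables.tf hunk; when no security group is supplied the CreateVpcEndpoint API attaches the VPC default security group, so `enable_sqs_endpoint = true` on its own quietly exposes the new endpoint interfaces through the default group. The resource itself matches the other interface endpoints in the file, so the fix is documentation in the variables.tf hunk, appending to the `sqs_endpoint_security_group_ids` description: `If omitted, the VPC default security group is attached to the endpoint network interfaces.` The `subnet_ids` fallback to every private subnet is likewise the existing pattern and will be rejected at apply time when two private subnets share an AZ, which the `sqs_endpoint_subnet_ids` description already warns about.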
diff --git a/outputs.tf b/outputs.tf index 107d801b8..fc8a43b9e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -344,6 +344,21 @@ output "vpc_endpoint_dynamodb_pl_id" { value = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}" } +output "vpc_endpoint_sqs_id" { + description = "The ID of VPC endpoint for SQS" + value = "${element(concat(aws_vpc_endpoint.sqs.*.id, list("")), 0)}" +} + +output "vpc_endpoint_sqs_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SQS." + value = "${flatten(aws_vpc_endpoint.sqs.*.network_interface_ids)}" +} + +output "vpc_endpoint_sqs_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SQS." + value = "${flatten(aws_vpc_endpoint.sqs.*.dns_entry)}" +} + output "vpc_endpoint_ssm_id" { description = "The ID of VPC endpoint for SSM" value = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}" diff --git a/variables.tf b/variables.tf index 9c24a808f..eb2b4d897 100644 --- a/variables.tf +++ b/variables.tf @@ -184,6 +184,26 @@ variable "enable_s3_endpoint" { default = false } +variable "enable_sqs_endpoint" { + description = "Should be true if you want to provision an SQS endpoint to the VPC" + default = false +} + +variable "sqs_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for SQS endpoint" + default = [] +} + +variable "sqs_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "sqs_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint" + default = false +} + variable "enable_ssm_endpoint" { description = "Should be true if you want to provision an SSM endpoint to the VPC" default = false 
@@ -687,7 +707,7 @@ variable "default_network_acl_ingress" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - }, + }, { rule_no = 101 action = "allow" @@ -709,7 +729,7 @@ variable "default_network_acl_egress" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - }, + }, { rule_no = 101 action = "allow" From 3d33b1fcf476b3b12c6fad57b125191f624e1636 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 24 May 2019 22:03:42 +0200 Subject: [PATCH 60/81] Updated CHANGELOG --- CHANGELOG.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c41d22d1..646bae804 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,17 @@ + +## [v1.66.0] - 2019-05-24 + +- Added VPC endpoints for SQS (closes [#248](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/248)) +- ECS endpoint ([#261](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/261)) + + ## [v1.65.0] - 2019-05-21 +- Updated CHANGELOG - Improving DHCP options docs ([#260](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/260)) @@ -523,7 +531,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.65.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.66.0...HEAD +[v1.66.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.65.0...v1.66.0 [v1.65.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.64.0...v1.65.0 [v1.64.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.63.0...v1.64.0 [v1.63.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.62.0...v1.63.0 From 4ae9806072ed210d066dd07cd59522482e4b6ac9 Mon Sep 17 00:00:00 2001 
From: Anton Babenko Date: Fri, 24 May 2019 23:04:12 +0200 Subject: [PATCH 61/81] Finally, Terraform 0.12 support (#266) * run terraform 0.12upgrade * Cleanup for Terraform 0.12 (closes #265, #228) --- .pre-commit-config.yaml | 2 +- examples/complete-vpc/main.tf | 23 +- examples/complete-vpc/outputs.tf | 23 +- .../issue-108-route-already-exists/main.tf | 1 + .../issue-108-route-already-exists/outputs.tf | 13 +- examples/issue-224-vpcendpoint-apigw/main.tf | 5 +- .../main.tf | 1 + .../outputs.tf | 13 +- examples/issue-46-no-private-subnets/main.tf | 1 + .../issue-46-no-private-subnets/outputs.tf | 13 +- examples/manage-default-vpc/main.tf | 1 + examples/manage-default-vpc/outputs.tf | 5 +- examples/network-acls/main.tf | 14 +- examples/network-acls/outputs.tf | 19 +- examples/secondary-cidr-blocks/main.tf | 1 + examples/secondary-cidr-blocks/outputs.tf | 13 +- examples/simple-vpc/main.tf | 3 +- examples/simple-vpc/outputs.tf | 13 +- examples/test_fixture/main.tf | 8 +- examples/test_fixture/outputs.tf | 3 +- examples/test_fixture/variables.tf | 1 + .../vpc-separate-private-route-tables/main.tf | 1 + .../outputs.tf | 15 +- main.tf | 1099 +++++++++++------ outputs.tf | 241 ++-- variables.tf | 268 +++- 26 files changed, 1239 insertions(+), 561 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 23497e143..1439c3f4f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -3,7 +3,7 @@ repos: rev: v1.11.0 hooks: - id: terraform_fmt - - id: terraform_docs +# - id: terraform_docs # not yet compatible with Terraform 0.12 - repo: git://github.com/pre-commit/pre-commit-hooks rev: v2.2.3 hooks: diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 2d5d71183..f51519a87 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf 
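Review bot: Commenting out the `terraform_docs` hook means the README input and output tables are no longer regenerated from `variables.tf` and `outputs.tf`, while this same commit changes how those files declare values for 0.12, so the tables will drift until the hook returns. Turning the comment into a tracking note, e.g. `# - id: terraform_docs  # TODO re-enable once terraform-docs supports Terraform 0.12; README tables are hand-maintained until then`, records that a human must update the README for every variable change meanwhile. Not introduced by this change but visible in the hunk, the adjacent `repo: git://github.com/pre-commit/pre-commit-hooks` line fetches a hook repository over the unauthenticated, unencrypted `git://` transport; switching it to `https://` while the file is being touched closes a tamper-prone download path for code that runs on every commit.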
@@ -4,7 +4,7 @@ provider "aws" { data "aws_security_group" "default" { name = "default" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "vpc" { 
@@ -45,52 +45,52 @@ module "vpc" { # VPC endpoint for SSM enable_ssm_endpoint = true ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ssm_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for SSMMESSAGES enable_ssmmessages_endpoint = true ssmmessages_endpoint_private_dns_enabled = true - ssmmessages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ssmmessages_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for EC2 enable_ec2_endpoint = true ec2_endpoint_private_dns_enabled = true - ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ec2_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for EC2MESSAGES enable_ec2messages_endpoint = true ec2messages_endpoint_private_dns_enabled = true - ec2messages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ec2messages_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for ECR API enable_ecr_api_endpoint = true ecr_api_endpoint_private_dns_enabled = true - ecr_api_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecr_api_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for ECR DKR enable_ecr_dkr_endpoint = true ecr_dkr_endpoint_private_dns_enabled = true - ecr_dkr_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecr_dkr_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for KMS enable_kms_endpoint = true kms_endpoint_private_dns_enabled = true - kms_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + kms_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for ECS enable_ecs_endpoint = true ecs_endpoint_private_dns_enabled = true - ecs_endpoint_security_group_ids = 
["${data.aws_security_group.default.id}"] + ecs_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for ECS telemetry enable_ecs_telemetry_endpoint = true ecs_telemetry_endpoint_private_dns_enabled = true - ecs_telemetry_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecs_telemetry_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for SQS enable_sqs_endpoint = true sqs_endpoint_private_dns_enabled = true - sqs_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + sqs_endpoint_security_group_ids = [data.aws_security_group.default.id] tags = { Owner = "user" @@ -98,3 +98,4 @@ module "vpc" { Name = "complete" } } + diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf index 871359d39..db1fef127 100644 --- a/examples/complete-vpc/outputs.tf +++ b/examples/complete-vpc/outputs.tf 
@@ -1,60 +1,60 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } output "redshift_subnets" { description = "List of IDs of redshift subnets" - value = ["${module.vpc.redshift_subnets}"] + value = module.vpc.redshift_subnets } output "intra_subnets" { description = "List of IDs of intra subnets" - value = ["${module.vpc.intra_subnets}"] + value = module.vpc.intra_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } # VPC endpoints output "vpc_endpoint_ssm_id" { description = "The ID of VPC endpoint for SSM" - value = "${module.vpc.vpc_endpoint_ssm_id}" + value = module.vpc.vpc_endpoint_ssm_id } output "vpc_endpoint_ssm_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for SSM." - value = ["${module.vpc.vpc_endpoint_ssm_network_interface_ids}"] + value = module.vpc.vpc_endpoint_ssm_network_interface_ids } output "vpc_endpoint_ssm_dns_entry" { description = "The DNS entries for the VPC Endpoint for SSM." - value = ["${module.vpc.vpc_endpoint_ssm_dns_entry}"] + value = module.vpc.vpc_endpoint_ssm_dns_entry } // 
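Review bot: The commented-out EC2 endpoint outputs that close this hunk appear to keep 0.11 interpolation syntax, e.g. `// value = ["${module.vpc.vpc_endpoint_ec2_dns_entry}"]` as the next hunk's context shows, so anyone uncommenting them after this upgrade gets the deprecated form back. Either apply the same `"${x}"` to `x` rewrite the live outputs received or delete the dead block, since the `vpc_endpoint_ssm_*` outputs above already demonstrate the pattern.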
@@ -73,4 +73,3 @@ output "vpc_endpoint_ssm_dns_entry" { // description = "The DNS entries for the VPC Endpoint for EC2." // value = ["${module.vpc.vpc_endpoint_ec2_dns_entry}"] //} - diff --git a/examples/issue-108-route-already-exists/main.tf b/examples/issue-108-route-already-exists/main.tf index 199b47a9f..74f0af0c6 100644 --- a/examples/issue-108-route-already-exists/main.tf +++ b/examples/issue-108-route-already-exists/main.tf @@ -19,3 +19,4 @@ module "vpc" { enable_s3_endpoint = true enable_dynamodb_endpoint = true } + diff --git a/examples/issue-108-route-already-exists/outputs.tf b/examples/issue-108-route-already-exists/outputs.tf index 26f69ebd4..51b4e83b7 100644 --- a/examples/issue-108-route-already-exists/outputs.tf +++ b/examples/issue-108-route-already-exists/outputs.tf @@ -1,32 +1,33 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/issue-224-vpcendpoint-apigw/main.tf b/examples/issue-224-vpcendpoint-apigw/main.tf index 252f885e7..2ae222af1 100644 --- a/examples/issue-224-vpcendpoint-apigw/main.tf 
+++ b/examples/issue-224-vpcendpoint-apigw/main.tf @@ -4,7 +4,7 @@ provider "aws" { data "aws_security_group" "default" { name = "default" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "vpc" { @@ -19,7 +19,7 @@ module "vpc" { # VPC endpoint for API gateway enable_apigw_endpoint = true - apigw_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + apigw_endpoint_security_group_ids = [data.aws_security_group.default.id] apigw_endpoint_private_dns_enabled = true tags = { @@ -28,3 +28,4 @@ module "vpc" { Name = "test-224" } } + diff --git a/examples/issue-44-asymmetric-private-subnets/main.tf b/examples/issue-44-asymmetric-private-subnets/main.tf index 1a1c4cf0c..07f3f0fe7 100644 --- a/examples/issue-44-asymmetric-private-subnets/main.tf +++ b/examples/issue-44-asymmetric-private-subnets/main.tf @@ -25,3 +25,4 @@ module "vpc" { Name = "asymmetrical" } } + diff --git a/examples/issue-44-asymmetric-private-subnets/outputs.tf b/examples/issue-44-asymmetric-private-subnets/outputs.tf index 26f69ebd4..51b4e83b7 100644 --- a/examples/issue-44-asymmetric-private-subnets/outputs.tf +++ b/examples/issue-44-asymmetric-private-subnets/outputs.tf 
@@ -1,32 +1,33 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/issue-46-no-private-subnets/main.tf b/examples/issue-46-no-private-subnets/main.tf index 8cb816e4c..e9e5ec517 100644 --- a/examples/issue-46-no-private-subnets/main.tf +++ b/examples/issue-46-no-private-subnets/main.tf @@ -23,3 +23,4 @@ module "vpc" { Name = "no-private-subnets" } } + diff --git a/examples/issue-46-no-private-subnets/outputs.tf b/examples/issue-46-no-private-subnets/outputs.tf index 26f69ebd4..51b4e83b7 100644 --- a/examples/issue-46-no-private-subnets/outputs.tf +++ b/examples/issue-46-no-private-subnets/outputs.tf 
@@ -1,32 +1,33 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/manage-default-vpc/main.tf b/examples/manage-default-vpc/main.tf index 73da2c763..5f645dd8e 100644 --- a/examples/manage-default-vpc/main.tf +++ b/examples/manage-default-vpc/main.tf @@ -11,3 +11,4 @@ module "vpc" { default_vpc_name = "default" default_vpc_enable_dns_hostnames = true } + diff --git a/examples/manage-default-vpc/outputs.tf b/examples/manage-default-vpc/outputs.tf index f41e2d898..ce193dd8d 100644 --- a/examples/manage-default-vpc/outputs.tf +++ b/examples/manage-default-vpc/outputs.tf @@ -1,10 +1,11 @@ # Default VPC output "default_vpc_id" { description = "The ID of the Default VPC" - value = "${module.vpc.default_vpc_id}" + value = module.vpc.default_vpc_id } output "default_vpc_cidr_block" { description = "The CIDR block of the VPC" - value = "${module.vpc.default_vpc_cidr_block}" + value = module.vpc.default_vpc_cidr_block } + diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index 0e3f6a29c..c1a1dab90 100644 
--- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -15,8 +15,14 @@ module "vpc" { elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"] public_dedicated_network_acl = true - public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}" - public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}" + public_inbound_acl_rules = concat( + local.network_acls["default_inbound"], + local.network_acls["public_inbound"], + ) + public_outbound_acl_rules = concat( + local.network_acls["default_outbound"], + local.network_acls["public_outbound"], + ) private_dedicated_network_acl = true @@ -51,7 +57,6 @@ locals { cidr_block = "0.0.0.0/0" }, ] - default_outbound = [ { rule_number = 900 @@ -62,7 +67,6 @@ locals { cidr_block = "0.0.0.0/0" }, ] - public_inbound = [ { rule_number = 100 @@ -97,7 +101,6 @@ locals { cidr_block = "0.0.0.0/0" }, ] - public_outbound = [ { rule_number = 100 @@ -134,3 +137,4 @@ locals { ] } } + diff --git a/examples/network-acls/outputs.tf b/examples/network-acls/outputs.tf index 535d5f43e..577d73980 100644 --- a/examples/network-acls/outputs.tf +++ b/examples/network-acls/outputs.tf @@ -1,13 +1,13 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # CIDR blocks output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = ["${module.vpc.vpc_cidr_block}"] + value = module.vpc.vpc_cidr_block } //output "vpc_ipv6_cidr_block" { 
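Review bot: `output "vpc_cidr_block"` changes type in this hunk: the old `["${module.vpc.vpc_cidr_block}"]` exported a one-element list, while the new `module.vpc.vpc_cidr_block` exports the bare value, presumably a string given its description, so anything reading this example's output as a list (test fixtures, wrapper modules) sees a different shape after the upgrade. The description "The CIDR block of the VPC" says the scalar form is the intended one, so the upgrade tool is right; it is worth a line in the commit message or changelog because it is the one output change in the examples that is not purely syntactic. The same list-to-scalar change appears in `examples/secondary-cidr-blocks/outputs.tf` and `examples/simple-vpc/outputs.tf` for `vpc_cidr_block`.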
@@ -18,37 +18,38 @@ output "vpc_cidr_block" { # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } # Network ACLs output "public_network_acl_id" { description = "ID of the public network ACL" - value = "${module.vpc.public_network_acl_id}" + value = module.vpc.public_network_acl_id } output "private_network_acl_id" { description = "ID of the private network ACL" - value = "${module.vpc.private_network_acl_id}" + value = module.vpc.private_network_acl_id } output "elasticache_network_acl_id" { description = "ID of the elasticache network ACL" - value = "${module.vpc.elasticache_network_acl_id}" + value = module.vpc.elasticache_network_acl_id } output "default_network_acl_id" { description = "The ID of the default network ACL" - value = "${module.vpc.default_network_acl_id}" + value = module.vpc.default_network_acl_id } + diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf index e4cc43231..a49b973de 100644 --- a/examples/secondary-cidr-blocks/main.tf +++ b/examples/secondary-cidr-blocks/main.tf @@ -31,3 +31,4 @@ module "vpc" { Name = "vpc-name" } } + diff --git a/examples/secondary-cidr-blocks/outputs.tf b/examples/secondary-cidr-blocks/outputs.tf index 7cc6480d8..c110ed2ab 100644 --- a/examples/secondary-cidr-blocks/outputs.tf +++ b/examples/secondary-cidr-blocks/outputs.tf 
@@ -1,33 +1,34 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # CIDR blocks output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = ["${module.vpc.vpc_cidr_block}"] + value = module.vpc.vpc_cidr_block } output "vpc_secondary_cidr_blocks" { description = "List of secondary CIDR blocks of the VPC" - value = ["${module.vpc.vpc_secondary_cidr_blocks}"] + value = module.vpc.vpc_secondary_cidr_blocks } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf index decd0b0c5..c0b094835 100644 --- a/examples/simple-vpc/main.tf +++ b/examples/simple-vpc/main.tf @@ -4,7 +4,7 @@ provider "aws" { data "aws_security_group" "default" { name = "default" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "vpc" { @@ -36,3 +36,4 @@ module "vpc" { Name = "vpc-name" } } + diff --git a/examples/simple-vpc/outputs.tf b/examples/simple-vpc/outputs.tf index 7ab197f4a..251969ca2 100644 --- a/examples/simple-vpc/outputs.tf +++ b/examples/simple-vpc/outputs.tf @@ -1,13 +1,13 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # CIDR blocks output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = ["${module.vpc.vpc_cidr_block}"] + value = module.vpc.vpc_cidr_block } //output "vpc_ipv6_cidr_block" { 
@@ -18,22 +18,23 @@ output "vpc_cidr_block" { # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } # AZs output "azs" { description = "A list of availability zones spefified as argument to this module" - value = ["${module.vpc.azs}"] + value = module.vpc.azs } + diff --git a/examples/test_fixture/main.tf b/examples/test_fixture/main.tf index b0eb37ea0..5752aba2e 100644 --- a/examples/test_fixture/main.tf +++ b/examples/test_fixture/main.tf @@ -1,14 +1,15 @@ provider "aws" { - region = "${var.region}" + region = var.region } -data "aws_availability_zones" "available" {} +data "aws_availability_zones" "available" { +} module "vpc" { source = "../.." name = "test-example" cidr = "10.0.0.0/16" - azs = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}"] + azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] enable_nat_gateway = true @@ -19,3 +20,4 @@ module "vpc" { Environment = "dev" } } + diff --git a/examples/test_fixture/outputs.tf b/examples/test_fixture/outputs.tf index 4c89ae958..c6ec3716b 100644 --- a/examples/test_fixture/outputs.tf +++ b/examples/test_fixture/outputs.tf @@ -1,4 +1,5 @@ output "region" { description = "Region we created the resources in." - value = "${var.region}" + value = var.region } + 
diff --git a/examples/test_fixture/variables.tf b/examples/test_fixture/variables.tf index a3986dc92..f8455295f 100644 --- a/examples/test_fixture/variables.tf +++ b/examples/test_fixture/variables.tf @@ -1,3 +1,4 @@ variable "region" { default = "eu-west-1" } + diff --git a/examples/vpc-separate-private-route-tables/main.tf b/examples/vpc-separate-private-route-tables/main.tf index b380a4065..99d996840 100644 --- a/examples/vpc-separate-private-route-tables/main.tf +++ b/examples/vpc-separate-private-route-tables/main.tf @@ -29,3 +29,4 @@ module "vpc" { Name = "separate-private-route-tables" } } + diff --git a/examples/vpc-separate-private-route-tables/outputs.tf b/examples/vpc-separate-private-route-tables/outputs.tf index 1a4ba6073..fdd5e8d05 100644 --- a/examples/vpc-separate-private-route-tables/outputs.tf +++ b/examples/vpc-separate-private-route-tables/outputs.tf 
@@ -1,37 +1,38 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } output "redshift_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.redshift_subnets}"] + value = module.vpc.redshift_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/main.tf b/main.tf index 86bfccc2a..aa2ae9658 100644 --- a/main.tf +++ b/main.tf 
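Review bot: `output "redshift_subnets"` carries `description = "List of IDs of elasticache subnets"`, a copy-paste leftover from the block above it; the context line is untouched by this commit, but since the hunk rewrites the value on the next line it is the natural place to correct it to `description = "List of IDs of redshift subnets"`. The other output descriptions in this file match their names.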
@@ -1,91 +1,123 @@ -terraform { - required_version = ">= 0.10.3" # introduction of Local Values configuration language feature -} - locals { - max_subnet_length = "${max(length(var.private_subnets), length(var.elasticache_subnets), length(var.database_subnets), length(var.redshift_subnets))}" - nat_gateway_count = "${var.single_nat_gateway ? 1 : (var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length)}" + max_subnet_length = max( + length(var.private_subnets), + length(var.elasticache_subnets), + length(var.database_subnets), + length(var.redshift_subnets), + ) + nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free! - vpc_id = "${element(concat(aws_vpc_ipv4_cidr_block_association.this.*.vpc_id, aws_vpc.this.*.id, list("")), 0)}" + vpc_id = element( + concat( + aws_vpc_ipv4_cidr_block_association.this.*.vpc_id, + aws_vpc.this.*.id, + [""], + ), + 0, + ) } ###### # VPC ###### resource "aws_vpc" "this" { - count = "${var.create_vpc ? 1 : 0}" + count = var.create_vpc ? 1 : 0 - cidr_block = "${var.cidr}" - instance_tenancy = "${var.instance_tenancy}" - enable_dns_hostnames = "${var.enable_dns_hostnames}" - enable_dns_support = "${var.enable_dns_support}" - assign_generated_ipv6_cidr_block = "${var.assign_generated_ipv6_cidr_block}" + cidr_block = var.cidr + instance_tenancy = var.instance_tenancy + enable_dns_hostnames = var.enable_dns_hostnames + enable_dns_support = var.enable_dns_support + assign_generated_ipv6_cidr_block = var.assign_generated_ipv6_cidr_block - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpc_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.vpc_tags, + ) } resource "aws_vpc_ipv4_cidr_block_association" "this" { - count = "${var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? 
length(var.secondary_cidr_blocks) : 0}" + count = var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0 - vpc_id = "${aws_vpc.this.id}" + vpc_id = aws_vpc.this[0].id - cidr_block = "${element(var.secondary_cidr_blocks, count.index)}" + cidr_block = element(var.secondary_cidr_blocks, count.index) } ################### # DHCP Options Set ################### resource "aws_vpc_dhcp_options" "this" { - count = "${var.create_vpc && var.enable_dhcp_options ? 1 : 0}" + count = var.create_vpc && var.enable_dhcp_options ? 1 : 0 - domain_name = "${var.dhcp_options_domain_name}" - domain_name_servers = ["${var.dhcp_options_domain_name_servers}"] - ntp_servers = ["${var.dhcp_options_ntp_servers}"] - netbios_name_servers = ["${var.dhcp_options_netbios_name_servers}"] - netbios_node_type = "${var.dhcp_options_netbios_node_type}" + domain_name = var.dhcp_options_domain_name + domain_name_servers = var.dhcp_options_domain_name_servers + ntp_servers = var.dhcp_options_ntp_servers + netbios_name_servers = var.dhcp_options_netbios_name_servers + netbios_node_type = var.dhcp_options_netbios_node_type - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.dhcp_options_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.dhcp_options_tags, + ) } ############################### # DHCP Options Set Association ############################### resource "aws_vpc_dhcp_options_association" "this" { - count = "${var.create_vpc && var.enable_dhcp_options ? 1 : 0}" + count = var.create_vpc && var.enable_dhcp_options ? 1 : 0 - vpc_id = "${local.vpc_id}" - dhcp_options_id = "${aws_vpc_dhcp_options.this.id}" + vpc_id = local.vpc_id + dhcp_options_id = aws_vpc_dhcp_options.this[0].id } ################### # Internet Gateway ################### resource "aws_internet_gateway" "this" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? 
1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.igw_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.igw_tags, + ) } ################ # Publiс routes ################ resource "aws_route_table" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_route_table_tags)}" + tags = merge( + { + "Name" = format("%s-${var.public_subnet_suffix}", var.name) + }, + var.tags, + var.public_route_table_tags, + ) } resource "aws_route" "public_internet_gateway" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 - route_table_id = "${aws_route_table.public.id}" + route_table_id = aws_route_table.public[0].id destination_cidr_block = "0.0.0.0/0" - gateway_id = "${aws_internet_gateway.this.id}" + gateway_id = aws_internet_gateway.this[0].id timeouts { create = "5m" 
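Review bot: The `terraform { required_version = ">= 0.10.3" }` block at the top of the hunk is deleted rather than raised, yet everything the hunk rewrites — bare `var.cidr`, `aws_vpc.this[0].id`, `[""]` list literals, object-literal `merge(...)` arguments — only parses on Terraform 0.12 or later. Unless the constraint was moved to a `versions.tf` that is not part of this chunk, a user on 0.11 now gets an opaque parse error instead of a version hint; the block should become `terraform { required_version = ">= 0.12" }` rather than disappear. A smaller readability point: the new `nat_gateway_count` nests two conditionals with no parentheses; HCL2 evaluates it as intended, but `var.single_nat_gateway ? 1 : (var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length)` preserves the grouping the removed line had and leaves no room for misreading.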
@@ -97,16 +129,26 @@ resource "aws_route" "public_internet_gateway" { # There are as many routing tables as the number of NAT gateways ################# resource "aws_route_table" "private" { - count = "${var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0}" - - vpc_id = "${local.vpc_id}" - - tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index)))), var.tags, var.private_route_table_tags)}" + count = var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0 + + vpc_id = local.vpc_id + + tags = merge( + { + "Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format( + "%s-${var.private_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.private_route_table_tags, + ) lifecycle { # When attaching VPN gateways it is common to define aws_vpn_gateway_route_propagation # resources that manipulate the attributes of the routing table (typically for the private subnets) - ignore_changes = ["propagating_vgws"] + ignore_changes = [propagating_vgws] } } 
@@ -114,19 +156,25 @@ resource "aws_route_table" "private" { # Database routes ################# resource "aws_route_table" "database" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-${var.database_subnet_suffix}"))}" + tags = merge( + var.tags, + var.database_route_table_tags, + { + "Name" = "${var.name}-${var.database_subnet_suffix}" + }, + ) } resource "aws_route" "database_internet_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && ! var.create_database_nat_gateway_route ? 1 : 0}" + count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0 - route_table_id = "${aws_route_table.database.id}" + route_table_id = aws_route_table.database[0].id destination_cidr_block = "0.0.0.0/0" - gateway_id = "${aws_internet_gateway.this.id}" + gateway_id = aws_internet_gateway.this[0].id timeouts { create = "5m" 
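Review bot: The negation in the `database_internet_gateway` count is now spelled `false == var.create_database_nat_gateway_route`, the mechanical output of the upgrade tool, where the removed line used `! var.create_database_nat_gateway_route`. HCL2 supports the unary operator, so `!var.create_database_nat_gateway_route` expresses the same condition in the form the original author chose and is harder to misread in a long `&&` chain. The same `false ==` form appears in the `database_nat_gateway` hunk that follows and in the `aws_subnet.public` count further down; they would all benefit from the same rewrite.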
@@ -134,10 +182,11 @@ resource "aws_route" "database_internet_gateway" { } resource "aws_route" "database_nat_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && ! var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0 + + route_table_id = element(aws_route_table.private.*.id, count.index) destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" + nat_gateway_id = element(aws_nat_gateway.this.*.id, count.index) timeouts { create = "5m" 
@@ -148,157 +197,279 @@ resource "aws_route" "database_nat_gateway" { # Redshift routes ################# resource "aws_route_table" "redshift" { - count = "${var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(var.tags, var.redshift_route_table_tags, map("Name", "${var.name}-${var.redshift_subnet_suffix}"))}" + tags = merge( + var.tags, + var.redshift_route_table_tags, + { + "Name" = "${var.name}-${var.redshift_subnet_suffix}" + }, + ) } ################# # Elasticache routes ################# resource "aws_route_table" "elasticache" { - count = "${var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(var.tags, var.elasticache_route_table_tags, map("Name", "${var.name}-${var.elasticache_subnet_suffix}"))}" + tags = merge( + var.tags, + var.elasticache_route_table_tags, + { + "Name" = "${var.name}-${var.elasticache_subnet_suffix}" + }, + ) } ################# # Intra routes ################# resource "aws_route_table" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(map("Name", "${var.name}-${var.intra_subnet_suffix}"), var.tags, var.intra_route_table_tags)}" + tags = merge( + { + "Name" = "${var.name}-${var.intra_subnet_suffix}" + }, + var.tags, + var.intra_route_table_tags, + ) } ################ # Public subnet ################ resource "aws_subnet" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 && (! 
var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}" - - vpc_id = "${local.vpc_id}" - cidr_block = "${element(concat(var.public_subnets, list("")), count.index)}" - availability_zone = "${element(var.azs, count.index)}" - map_public_ip_on_launch = "${var.map_public_ip_on_launch}" - - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.public_subnet_tags)}" + count = var.create_vpc && length(var.public_subnets) > 0 && false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs) ? length(var.public_subnets) : 0 + + vpc_id = local.vpc_id + cidr_block = element(concat(var.public_subnets, [""]), count.index) + availability_zone = element(var.azs, count.index) + map_public_ip_on_launch = var.map_public_ip_on_launch + + tags = merge( + { + "Name" = format( + "%s-${var.public_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.public_subnet_tags, + ) } ################# # Private subnet ################# resource "aws_subnet" "private" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0}" + count = var.create_vpc && length(var.private_subnets) > 0 ? 
length(var.private_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.private_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.private_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.private_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.private_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.private_subnet_tags, + ) } ################## # Database subnet ################## resource "aws_subnet" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0}" + count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.database_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.database_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.database_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.database_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.database_subnet_tags, + ) } resource "aws_db_subnet_group" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0}" + count = var.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 
1 : 0 - name = "${lower(var.name)}" + name = lower(var.name) description = "Database subnet group for ${var.name}" - subnet_ids = ["${aws_subnet.database.*.id}"] + subnet_ids = aws_subnet.database.*.id - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.database_subnet_group_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.database_subnet_group_tags, + ) } ################## # Redshift subnet ################## resource "aws_subnet" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.redshift_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.redshift_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.redshift_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.redshift_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.redshift_subnet_tags, + ) } resource "aws_redshift_subnet_group" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 
1 : 0 - name = "${lower(var.name)}" + name = lower(var.name) description = "Redshift subnet group for ${var.name}" - subnet_ids = ["${aws_subnet.redshift.*.id}"] + subnet_ids = aws_subnet.redshift.*.id - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.redshift_subnet_group_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.redshift_subnet_group_tags, + ) } ##################### # ElastiCache subnet ##################### resource "aws_subnet" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" + count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.elasticache_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.elasticache_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.elasticache_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.elasticache_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.elasticache_subnet_tags, + ) } resource "aws_elasticache_subnet_group" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0}" + count = var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 
1 : 0 - name = "${var.name}" + name = var.name description = "ElastiCache subnet group for ${var.name}" - subnet_ids = ["${aws_subnet.elasticache.*.id}"] + subnet_ids = aws_subnet.elasticache.*.id } ##################################################### # intra subnets - private subnet without NAT gateway ##################################################### resource "aws_subnet" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0}" + count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.intra_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.intra_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.intra_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.intra_subnet_tags, + ) } ####################### # Default Network ACLs ####################### resource "aws_default_network_acl" "this" { - count = "${var.create_vpc && var.manage_default_network_acl ? 1 : 0}" - - default_network_acl_id = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}" - - ingress = "${var.default_network_acl_ingress}" - egress = "${var.default_network_acl_egress}" + count = var.create_vpc && var.manage_default_network_acl ? 
1 : 0 + + default_network_acl_id = element(concat(aws_vpc.this.*.default_network_acl_id, [""]), 0) + + dynamic "ingress" { + for_each = var.default_network_acl_ingress + content { + action = ingress.value.action + cidr_block = lookup(ingress.value, "cidr_block", null) + from_port = ingress.value.from_port + icmp_code = lookup(ingress.value, "icmp_code", null) + icmp_type = lookup(ingress.value, "icmp_type", null) + ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null) + protocol = ingress.value.protocol + rule_no = ingress.value.rule_no + to_port = ingress.value.to_port + } + } + dynamic "egress" { + for_each = var.default_network_acl_egress + content { + action = egress.value.action + cidr_block = lookup(egress.value, "cidr_block", null) + from_port = egress.value.from_port + icmp_code = lookup(egress.value, "icmp_code", null) + icmp_type = lookup(egress.value, "icmp_type", null) + ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null) + protocol = egress.value.protocol + rule_no = egress.value.rule_no + to_port = egress.value.to_port + } + } - tags = "${merge(map("Name", format("%s", var.default_network_acl_name)), var.tags, var.default_network_acl_tags)}" + tags = merge( + { + "Name" = format("%s", var.default_network_acl_name) + }, + var.tags, + var.default_network_acl_tags, + ) lifecycle { - ignore_changes = ["subnet_ids"] + ignore_changes = [subnet_ids] } } 
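Review bot: The rewritten `aws_subnet.public` count loses the parentheses the removed line had around `(! var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs))`. In HCL2 `&&` binds tighter than `||`, so the new expression evaluates as `(var.create_vpc && length(var.public_subnets) > 0 && !var.one_nat_gateway_per_az) || length(var.public_subnets) >= length(var.azs)`, which means that whenever the public subnet list is at least as long as `azs` the `create_vpc` guard is bypassed and the subnets are planned against an empty `local.vpc_id`. Restore the grouping: `count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0`. Every other `count` in this hunk is a flat `&&` chain and is unaffected, so this is the only precedence change the upgrade introduced here.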
@@ -306,240 +477,276 @@ resource "aws_default_network_acl" "this" { # Public Network ACLs ######################## resource "aws_network_acl" "public" { - count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.public.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.public.*.id - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.public_subnet_suffix}", var.name) + }, + var.tags, + var.public_acl_tags, + ) } resource "aws_network_acl_rule" "public_inbound" { - count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0}" + count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 
length(var.public_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.public.id}" + network_acl_id = aws_network_acl.public[0].id egress = false - rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.public_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.public_inbound_acl_rules[count.index]["rule_action"] + from_port = var.public_inbound_acl_rules[count.index]["from_port"] + to_port = var.public_inbound_acl_rules[count.index]["to_port"] + protocol = var.public_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.public_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "public_outbound" { - count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0}" + count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 
length(var.public_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.public.id}" + network_acl_id = aws_network_acl.public[0].id egress = true - rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.public_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.public_outbound_acl_rules[count.index]["rule_action"] + from_port = var.public_outbound_acl_rules[count.index]["from_port"] + to_port = var.public_outbound_acl_rules[count.index]["to_port"] + protocol = var.public_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.public_outbound_acl_rules[count.index]["cidr_block"] } ####################### # Private Network ACLs ####################### resource "aws_network_acl" "private" { - count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 
1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.private.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.private.*.id - tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}", var.name)), var.tags, var.private_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.private_subnet_suffix}", var.name) + }, + var.tags, + var.private_acl_tags, + ) } resource "aws_network_acl_rule" "private_inbound" { - count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0}" + count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.private.id}" + network_acl_id = aws_network_acl.private[0].id egress = false - rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.private_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.private_inbound_acl_rules[count.index]["rule_action"] + from_port = var.private_inbound_acl_rules[count.index]["from_port"] + to_port = var.private_inbound_acl_rules[count.index]["to_port"] + protocol = var.private_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.private_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "private_outbound" { - count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 
length(var.private_outbound_acl_rules) : 0}" + count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.private.id}" + network_acl_id = aws_network_acl.private[0].id egress = true - rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.private_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.private_outbound_acl_rules[count.index]["rule_action"] + from_port = var.private_outbound_acl_rules[count.index]["from_port"] + to_port = var.private_outbound_acl_rules[count.index]["to_port"] + protocol = var.private_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.private_outbound_acl_rules[count.index]["cidr_block"] } ######################## # Intra Network ACLs ######################## resource "aws_network_acl" "intra" { - count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 
1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.intra.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.intra.*.id - tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}", var.name)), var.tags, var.intra_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.intra_subnet_suffix}", var.name) + }, + var.tags, + var.intra_acl_tags, + ) } resource "aws_network_acl_rule" "intra_inbound" { - count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0}" + count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.intra.id}" + network_acl_id = aws_network_acl.intra[0].id egress = false - rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.intra_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.intra_inbound_acl_rules[count.index]["rule_action"] + from_port = var.intra_inbound_acl_rules[count.index]["from_port"] + to_port = var.intra_inbound_acl_rules[count.index]["to_port"] + protocol = var.intra_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.intra_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "intra_outbound" { - count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 
length(var.intra_outbound_acl_rules) : 0}" + count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.intra.id}" + network_acl_id = aws_network_acl.intra[0].id egress = true - rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.intra_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.intra_outbound_acl_rules[count.index]["rule_action"] + from_port = var.intra_outbound_acl_rules[count.index]["from_port"] + to_port = var.intra_outbound_acl_rules[count.index]["to_port"] + protocol = var.intra_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.intra_outbound_acl_rules[count.index]["cidr_block"] } ######################## # Database Network ACLs ######################## resource "aws_network_acl" "database" { - count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 
1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.database.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.database.*.id - tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}", var.name)), var.tags, var.database_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.database_subnet_suffix}", var.name) + }, + var.tags, + var.database_acl_tags, + ) } resource "aws_network_acl_rule" "database_inbound" { - count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0}" + count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.database.id}" + network_acl_id = aws_network_acl.database[0].id egress = false - rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.database_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.database_inbound_acl_rules[count.index]["rule_action"] + from_port = var.database_inbound_acl_rules[count.index]["from_port"] + to_port = var.database_inbound_acl_rules[count.index]["to_port"] + protocol = var.database_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.database_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "database_outbound" { - count = "${var.create_vpc && var.database_dedicated_network_acl && 
length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0}" + count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.database.id}" + network_acl_id = aws_network_acl.database[0].id egress = true - rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.database_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.database_outbound_acl_rules[count.index]["rule_action"] + from_port = var.database_outbound_acl_rules[count.index]["from_port"] + to_port = var.database_outbound_acl_rules[count.index]["to_port"] + protocol = var.database_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.database_outbound_acl_rules[count.index]["cidr_block"] } ######################## # Redshift Network ACLs ######################## resource "aws_network_acl" "redshift" { - count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 
1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.redshift.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.redshift.*.id - tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}", var.name)), var.tags, var.redshift_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.redshift_subnet_suffix}", var.name) + }, + var.tags, + var.redshift_acl_tags, + ) } resource "aws_network_acl_rule" "redshift_inbound" { - count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0}" + count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.redshift.id}" + network_acl_id = aws_network_acl.redshift[0].id egress = false - rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"] + from_port = var.redshift_inbound_acl_rules[count.index]["from_port"] + to_port = var.redshift_inbound_acl_rules[count.index]["to_port"] + protocol = var.redshift_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.redshift_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "redshift_outbound" { - count = "${var.create_vpc && var.redshift_dedicated_network_acl && 
length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0}" + count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.redshift.id}" + network_acl_id = aws_network_acl.redshift[0].id egress = true - rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"] + from_port = var.redshift_outbound_acl_rules[count.index]["from_port"] + to_port = var.redshift_outbound_acl_rules[count.index]["to_port"] + protocol = var.redshift_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.redshift_outbound_acl_rules[count.index]["cidr_block"] } ########################### # Elasticache Network ACLs ########################### resource "aws_network_acl" "elasticache" { - count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 
1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.elasticache.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.elasticache.*.id - tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}", var.name)), var.tags, var.elasticache_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.elasticache_subnet_suffix}", var.name) + }, + var.tags, + var.elasticache_acl_tags, + ) } resource "aws_network_acl_rule" "elasticache_inbound" { - count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0}" + count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.elasticache.id}" + network_acl_id = aws_network_acl.elasticache[0].id egress = false - rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"] + from_port = var.elasticache_inbound_acl_rules[count.index]["from_port"] + to_port = var.elasticache_inbound_acl_rules[count.index]["to_port"] + protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.elasticache_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" 
"elasticache_outbound" { - count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0}" + count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.elasticache.id}" + network_acl_id = aws_network_acl.elasticache[0].id egress = true - rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"] + from_port = var.elasticache_outbound_acl_rules[count.index]["from_port"] + to_port = var.elasticache_outbound_acl_rules[count.index]["to_port"] + protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.elasticache_outbound_acl_rules[count.index]["cidr_block"] } ############## 
@@ -554,34 +761,63 @@ resource "aws_network_acl_rule" "elasticache_outbound" { # # but then when count of aws_eip.nat.*.id is zero, this would throw a resource not found error on aws_eip.nat.*.id. locals { - nat_gateway_ips = "${split(",", (var.reuse_nat_ips ? join(",", var.external_nat_ip_ids) : join(",", aws_eip.nat.*.id)))}" + nat_gateway_ips = split( + ",", + var.reuse_nat_ips ? join(",", var.external_nat_ip_ids) : join(",", aws_eip.nat.*.id), + ) } resource "aws_eip" "nat" { - count = "${var.create_vpc && (var.enable_nat_gateway && ! var.reuse_nat_ips) ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_nat_gateway && false == var.reuse_nat_ips ? local.nat_gateway_count : 0 vpc = true - tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_eip_tags)}" + tags = merge( + { + "Name" = format( + "%s-%s", + var.name, + element(var.azs, var.single_nat_gateway ? 0 : count.index), + ) + }, + var.tags, + var.nat_eip_tags, + ) } resource "aws_nat_gateway" "this" { - count = "${var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0}" - - allocation_id = "${element(local.nat_gateway_ips, (var.single_nat_gateway ? 0 : count.index))}" - subnet_id = "${element(aws_subnet.public.*.id, (var.single_nat_gateway ? 0 : count.index))}" - - tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_gateway_tags)}" - - depends_on = ["aws_internet_gateway.this"] + count = var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0 + + allocation_id = element( + local.nat_gateway_ips, + var.single_nat_gateway ? 0 : count.index, + ) + subnet_id = element( + aws_subnet.public.*.id, + var.single_nat_gateway ? 0 : count.index, + ) + + tags = merge( + { + "Name" = format( + "%s-%s", + var.name, + element(var.azs, var.single_nat_gateway ? 
0 : count.index), + ) + }, + var.tags, + var.nat_gateway_tags, + ) + + depends_on = [aws_internet_gateway.this] } resource "aws_route" "private_nat_gateway" { - count = "${var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0 - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + route_table_id = element(aws_route_table.private.*.id, count.index) destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" + nat_gateway_id = element(aws_nat_gateway.this.*.id, count.index) timeouts { create = "5m" 
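Review bot: The `local.nat_gateway_ips` join/split round-trip kept in the rewritten `locals` block is a 0.11-era workaround for eager conditional evaluation and is no longer needed in 0.12, where `var.reuse_nat_ips ? var.external_nat_ip_ids : aws_eip.nat.*.id` evaluates only the selected branch; the split form also yields `[""]` rather than `[]` when the selected list is empty, and that empty string then reaches `allocation_id` in `aws_nat_gateway.this`. This presumes `external_nat_ip_ids` is declared as `list(string)` in variables.tf, which is outside this hunk. The `false == var.reuse_nat_ips` test in `aws_eip.nat`'s `count` reads more naturally as `!var.reuse_nat_ips` provided the variable is declared `type = bool`. `aws_route.private_nat_gateway` continues past the end of the hunk.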
@@ -592,74 +828,95 @@ resource "aws_route" "private_nat_gateway" { # VPC Endpoint for S3 ###################### data "aws_vpc_endpoint_service" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 service = "s3" } resource "aws_vpc_endpoint" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.s3.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.s3[0].service_name } resource "aws_vpc_endpoint_route_table_association" "private_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + vpc_endpoint_id = aws_vpc_endpoint.s3[0].id + route_table_id = element(aws_route_table.private.*.id, count.index) } resource "aws_vpc_endpoint_route_table_association" "intra_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" + vpc_endpoint_id = aws_vpc_endpoint.s3[0].id + route_table_id = element(aws_route_table.intra.*.id, 0) } resource "aws_vpc_endpoint_route_table_association" "public_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 
1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${aws_route_table.public.id}" + vpc_endpoint_id = aws_vpc_endpoint.s3[0].id + route_table_id = aws_route_table.public[0].id } ############################ # VPC Endpoint for DynamoDB ############################ data "aws_vpc_endpoint_service" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0 service = "dynamodb" } resource "aws_vpc_endpoint" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name } resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id + route_table_id = element(aws_route_table.private.*.id, count.index) } resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 
1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" + vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id + route_table_id = element(aws_route_table.intra.*.id, 0) } resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${aws_route_table.public.id}" + vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id + route_table_id = aws_route_table.public[0].id +} + +####################### +# VPC Endpoint for SQS +####################### +data "aws_vpc_endpoint_service" "sqs" { + count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0 + + service = "sqs" +} + +resource "aws_vpc_endpoint" "sqs" { + count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.sqs[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.sqs_endpoint_security_group_ids + subnet_ids = coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.sqs_endpoint_private_dns_enabled } ####################### 
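Review bot: Both gateway endpoints, `aws_vpc_endpoint.s3` and `aws_vpc_endpoint.dynamodb`, are created with no `policy` argument, so the AWS default endpoint policy applies and every principal in the VPC can reach any bucket or table through the endpoint; a caller has no way to scope the endpoint to its own resources. Consider accepting an optional policy document per endpoint, e.g. `policy = var.s3_endpoint_policy` and `policy = var.dynamodb_endpoint_policy`, each defaulting to `null` so the argument is omitted when unset; the variable declarations would live in variables.tf, outside this hunk. The new `aws_vpc_endpoint.sqs` block follows the interface-endpoint shape used elsewhere in the file, so the same security-group and subnet remarks apply to it.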
@@ -687,168 +944,233 @@ resource "aws_vpc_endpoint" "sqs" { # VPC Endpoint for SSM ####################### data "aws_vpc_endpoint_service" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0 service = "ssm" } resource "aws_vpc_endpoint" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ssm[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ssm_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" + security_group_ids = var.ssm_endpoint_security_group_ids + subnet_ids = coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ssm_endpoint_private_dns_enabled } ############################### # VPC Endpoint for SSMMESSAGES ############################### data "aws_vpc_endpoint_service" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0 service = "ssmmessages" } resource "aws_vpc_endpoint" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssmmessages_endpoint ? 
1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ssmmessages[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}" + security_group_ids = var.ssmmessages_endpoint_security_group_ids + subnet_ids = coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ssmmessages_endpoint_private_dns_enabled } ####################### # VPC Endpoint for EC2 ####################### data "aws_vpc_endpoint_service" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0 service = "ec2" } resource "aws_vpc_endpoint" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ec2[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ec2_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" + security_group_ids = var.ec2_endpoint_security_group_ids + subnet_ids = coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ec2_endpoint_private_dns_enabled } ############################### # VPC Endpoint for EC2MESSAGES ############################### data "aws_vpc_endpoint_service" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 
1 : 0}" + count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0 service = "ec2messages" } resource "aws_vpc_endpoint" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ec2messages[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}" + security_group_ids = var.ec2messages_endpoint_security_group_ids + subnet_ids = coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled } ########################### # VPC Endpoint for ECR API ########################### data "aws_vpc_endpoint_service" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0 service = "ecr.api" } resource "aws_vpc_endpoint" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_api_endpoint ? 
1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecr_api[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}" + security_group_ids = var.ecr_api_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecr_api_endpoint_private_dns_enabled } ########################### # VPC Endpoint for ECR DKR ########################### data "aws_vpc_endpoint_service" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0 service = "ecr.dkr" } resource "aws_vpc_endpoint" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecr_dkr[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}" + security_group_ids = var.ecr_dkr_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecr_dkr_endpoint_private_dns_enabled } ####################### # VPC Endpoint for API Gateway ####################### data "aws_vpc_endpoint_service" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 
1 : 0}" + count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0 service = "execute-api" } resource "aws_vpc_endpoint" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.apigw[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.apigw_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" + security_group_ids = var.apigw_endpoint_security_group_ids + subnet_ids = coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.apigw_endpoint_private_dns_enabled } ####################### # VPC Endpoint for KMS ####################### data "aws_vpc_endpoint_service" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0 service = "kms" } resource "aws_vpc_endpoint" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.kms.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.kms[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.kms_endpoint_security_group_ids + subnet_ids = coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.kms_endpoint_private_dns_enabled +} + +####################### +# VPC Endpoint for ECS +####################### +data "aws_vpc_endpoint_service" "ecs" { + count = var.create_vpc && var.enable_ecs_endpoint ? 
1 : 0 + + service = "ecs" +} + +resource "aws_vpc_endpoint" "ecs" { + count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecs[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.kms_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}" + security_group_ids = var.ecs_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecs_endpoint_private_dns_enabled +} + + +####################### +# VPC Endpoint for ECS Agent +####################### +data "aws_vpc_endpoint_service" "ecs_agent" { + count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0 + + service = "ecs-agent" +} + +resource "aws_vpc_endpoint" "ecs_agent" { + count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecs_agent[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.ecs_agent_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecs_agent_endpoint_private_dns_enabled +} + + +####################### +# VPC Endpoint for ECS Telemetry +####################### +data "aws_vpc_endpoint_service" "ecs_telemetry" { + count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0 + + service = "ecs-telemetry" +} + +resource "aws_vpc_endpoint" "ecs_telemetry" { + count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecs_telemetry[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.ecs_telemetry_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled } 
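Review bot: Every interface endpoint in this hunk passes `var.<service>_endpoint_security_group_ids` through unchecked, and when that list is empty the endpoint ENIs end up in the VPC's default security group rather than one the caller chose, so the reachability of the SSM, EC2, ECR, API Gateway, KMS and ECS endpoints then depends on whatever that default group allows (provider-side behaviour; worth confirming against the pinned provider version). Variable `validation` blocks are not generally available in 0.12, so at minimum each `*_endpoint_security_group_ids` description in variables.tf should state this fallback and the examples should pass an explicit group. The ten near-identical `data`/`resource` pairs also invite a single map-driven resource once the module can rely on resource `for_each` (0.12.6 and later), which would keep the security-group and subnet handling in one place instead of ten.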
@@ -921,96 +1243,139 @@ resource "aws_vpc_endpoint" "ecs_telemetry" { # Route table association ########################## resource "aws_route_table_association" "private" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0}" + count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 - subnet_id = "${element(aws_subnet.private.*.id, count.index)}" - route_table_id = "${element(aws_route_table.private.*.id, (var.single_nat_gateway ? 0 : count.index))}" + subnet_id = element(aws_subnet.private.*.id, count.index) + route_table_id = element( + aws_route_table.private.*.id, + var.single_nat_gateway ? 0 : count.index, + ) } resource "aws_route_table_association" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0}" + count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 - subnet_id = "${element(aws_subnet.database.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.database.*.id, count.index) + route_table_id = element( + coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id), + var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && ! var.enable_public_redshift ? length(var.redshift_subnets) : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 && false == var.enable_public_redshift ? 
length(var.redshift_subnets) : 0 - subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.redshift.*.id, count.index) + route_table_id = element( + coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), + var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "redshift_public" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0 - subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.redshift.*.id, count.index) + route_table_id = element( + coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), + var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" + count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 - subnet_id = "${element(aws_subnet.elasticache.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.elasticache.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 
0 : count.index))}" + subnet_id = element(aws_subnet.elasticache.*.id, count.index) + route_table_id = element( + coalescelist( + aws_route_table.elasticache.*.id, + aws_route_table.private.*.id, + ), + var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0}" + count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 - subnet_id = "${element(aws_subnet.intra.*.id, count.index)}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" + subnet_id = element(aws_subnet.intra.*.id, count.index) + route_table_id = element(aws_route_table.intra.*.id, 0) } resource "aws_route_table_association" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0 - subnet_id = "${element(aws_subnet.public.*.id, count.index)}" - route_table_id = "${aws_route_table.public.id}" + subnet_id = element(aws_subnet.public.*.id, count.index) + route_table_id = aws_route_table.public[0].id } ############## # VPN Gateway ############## resource "aws_vpn_gateway" "this" { - count = "${var.create_vpc && var.enable_vpn_gateway ? 1 : 0}" + count = var.create_vpc && var.enable_vpn_gateway ? 1 : 0 - vpc_id = "${local.vpc_id}" - amazon_side_asn = "${var.amazon_side_asn}" + vpc_id = local.vpc_id + amazon_side_asn = var.amazon_side_asn - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpn_gateway_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.vpn_gateway_tags, + ) } resource "aws_vpn_gateway_attachment" "this" { - count = "${var.vpn_gateway_id != "" ? 1 : 0}" + count = var.vpn_gateway_id != "" ? 
1 : 0 - vpc_id = "${local.vpc_id}" - vpn_gateway_id = "${var.vpn_gateway_id}" + vpc_id = local.vpc_id + vpn_gateway_id = var.vpn_gateway_id } resource "aws_vpn_gateway_route_propagation" "public" { - count = "${var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0}" + count = var.create_vpc && var.propagate_public_route_tables_vgw && var.enable_vpn_gateway || var.vpn_gateway_id != "" ? 1 : 0 - route_table_id = "${element(aws_route_table.public.*.id, count.index)}" - vpn_gateway_id = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id), count.index)}" + route_table_id = element(aws_route_table.public.*.id, count.index) + vpn_gateway_id = element( + concat( + aws_vpn_gateway.this.*.id, + aws_vpn_gateway_attachment.this.*.vpn_gateway_id, + ), + count.index, + ) } resource "aws_vpn_gateway_route_propagation" "private" { - count = "${var.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0}" + count = var.create_vpc && var.propagate_private_route_tables_vgw && var.enable_vpn_gateway || var.vpn_gateway_id != "" ? length(var.private_subnets) : 0 - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" - vpn_gateway_id = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id), count.index)}" + route_table_id = element(aws_route_table.private.*.id, count.index) + vpn_gateway_id = element( + concat( + aws_vpn_gateway.this.*.id, + aws_vpn_gateway_attachment.this.*.vpn_gateway_id, + ), + count.index, + ) } ########### # Defaults ########### resource "aws_default_vpc" "this" { - count = "${var.manage_default_vpc ? 1 : 0}" + count = var.manage_default_vpc ? 
1 : 0 - enable_dns_support = "${var.default_vpc_enable_dns_support}" - enable_dns_hostnames = "${var.default_vpc_enable_dns_hostnames}" - enable_classiclink = "${var.default_vpc_enable_classiclink}" + enable_dns_support = var.default_vpc_enable_dns_support + enable_dns_hostnames = var.default_vpc_enable_dns_hostnames + enable_classiclink = var.default_vpc_enable_classiclink - tags = "${merge(map("Name", format("%s", var.default_vpc_name)), var.tags, var.default_vpc_tags)}" + tags = merge( + { + "Name" = format("%s", var.default_vpc_name) + }, + var.tags, + var.default_vpc_tags, + ) } + diff --git a/outputs.tf b/outputs.tf index fc8a43b9e..ad16b5ecb 100644 --- a/outputs.tf +++ b/outputs.tf 
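Review bot: The rewritten `count` on `aws_vpn_gateway_route_propagation.public` and `.private` dropped the parentheses around `var.enable_vpn_gateway || var.vpn_gateway_id != ""`, and because `&&` binds tighter than `||` in 0.12 the expression now evaluates as `(create_vpc && propagate_* && enable_vpn_gateway) || vpn_gateway_id != ""`, so any externally supplied `vpn_gateway_id` propagates VGW routes into the public and private route tables even when the caller set `propagate_public_route_tables_vgw`/`propagate_private_route_tables_vgw` to `false` (and with `create_vpc = false` the `element()` calls then run against an empty `aws_route_table.*` list). Restore the grouping: `count = var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0` and `count = var.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0`. The removed lines show the intended grouping, so this looks like an upgrade-tool artefact rather than a deliberate change.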
@@ -1,46 +1,46 @@
 output "vpc_id" {
 description = "The ID of the VPC"
- value = "${element(concat(aws_vpc.this.*.id, list("")), 0)}"
+ value = concat(aws_vpc.this.*.id, [""])[0]
 }
 output "vpc_arn" {
 description = "The ARN of the VPC"
- value = "${element(concat(aws_vpc.this.*.arn, list("")), 0)}"
+ value = concat(aws_vpc.this.*.arn, [""])[0]
 }
 output "vpc_cidr_block" {
 description = "The CIDR block of the VPC"
- value = "${element(concat(aws_vpc.this.*.cidr_block, list("")), 0)}"
+ value = concat(aws_vpc.this.*.cidr_block, [""])[0]
 }
 output "default_security_group_id" {
 description = "The ID of the security group created by default on VPC creation"
- value = "${element(concat(aws_vpc.this.*.default_security_group_id, list("")), 0)}"
+ value = concat(aws_vpc.this.*.default_security_group_id, [""])[0]
 }
 output "default_network_acl_id" {
 description = "The ID of the default network ACL"
- value = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}"
+ value = concat(aws_vpc.this.*.default_network_acl_id, [""])[0]
 }
 output "default_route_table_id" {
 description = "The ID of the default route table"
- value = "${element(concat(aws_vpc.this.*.default_route_table_id, list("")), 0)}"
+ value = concat(aws_vpc.this.*.default_route_table_id, [""])[0]
 }
 output "vpc_instance_tenancy" {
 description = "Tenancy of instances spin up within VPC"
- value = "${element(concat(aws_vpc.this.*.instance_tenancy, list("")), 0)}"
+ value = concat(aws_vpc.this.*.instance_tenancy, [""])[0]
 }
 output "vpc_enable_dns_support" {
 description = "Whether or not the VPC has DNS support"
- value = "${element(concat(aws_vpc.this.*.enable_dns_support, list("")), 0)}"
+ value = concat(aws_vpc.this.*.enable_dns_support, [""])[0]
 }
 output "vpc_enable_dns_hostnames" {
 description = "Whether or not the VPC has DNS hostname support"
- value = "${element(concat(aws_vpc.this.*.enable_dns_hostnames, list("")), 0)}"
+ value = concat(aws_vpc.this.*.enable_dns_hostnames, [""])[0]
 }
 //output "vpc_enable_classiclink" {
@@ -50,7 +50,7 @@ output "vpc_enable_dns_hostnames" {
 output "vpc_main_route_table_id" {
 description = "The ID of the main route table associated with this VPC"
- value = "${element(concat(aws_vpc.this.*.main_route_table_id, list("")), 0)}"
+ value = concat(aws_vpc.this.*.main_route_table_id, [""])[0]
 }
 //output "vpc_ipv6_association_id" {
@@ -65,212 +65,216 @@ output "vpc_main_route_table_id" {
 output "vpc_secondary_cidr_blocks" {
 description = "List of secondary CIDR blocks of the VPC"
- value = ["${aws_vpc_ipv4_cidr_block_association.this.*.cidr_block}"]
+ value = aws_vpc_ipv4_cidr_block_association.this.*.cidr_block
 }
 output "private_subnets" {
 description = "List of IDs of private subnets"
- value = ["${aws_subnet.private.*.id}"]
+ value = aws_subnet.private.*.id
 }
 output "private_subnet_arns" {
 description = "List of ARNs of private subnets"
- value = ["${aws_subnet.private.*.arn}"]
+ value = aws_subnet.private.*.arn
 }
 output "private_subnets_cidr_blocks" {
 description = "List of cidr_blocks of private subnets"
- value = ["${aws_subnet.private.*.cidr_block}"]
+ value = aws_subnet.private.*.cidr_block
 }
 output "public_subnets" {
 description = "List of IDs of public subnets"
- value = ["${aws_subnet.public.*.id}"]
+ value = aws_subnet.public.*.id
 }
 output "public_subnet_arns" {
 description = "List of ARNs of public subnets"
- value = ["${aws_subnet.public.*.arn}"]
+ value = aws_subnet.public.*.arn
 }
 output "public_subnets_cidr_blocks" {
 description = "List of cidr_blocks of public subnets"
- value = ["${aws_subnet.public.*.cidr_block}"]
+ value = aws_subnet.public.*.cidr_block
 }
 output "database_subnets" {
 description = "List of IDs of database subnets"
- value = ["${aws_subnet.database.*.id}"]
+ value = aws_subnet.database.*.id
 }
 output "database_subnet_arns" {
 description = "List of ARNs of database subnets"
- value = ["${aws_subnet.database.*.arn}"]
+ value = aws_subnet.database.*.arn
 }
 output "database_subnets_cidr_blocks" {
 description = "List of cidr_blocks of database subnets"
- value = ["${aws_subnet.database.*.cidr_block}"]
+ value = aws_subnet.database.*.cidr_block
 }
 output "database_subnet_group" {
 description = "ID of database subnet group"
- value = "${element(concat(aws_db_subnet_group.database.*.id, list("")), 0)}"
+ value = concat(aws_db_subnet_group.database.*.id, [""])[0]
 }
 output "redshift_subnets" {
 description = "List of IDs of redshift subnets"
- value = ["${aws_subnet.redshift.*.id}"]
+ value = aws_subnet.redshift.*.id
 }
 output "redshift_subnet_arns" {
 description = "List of ARNs of redshift subnets"
- value = ["${aws_subnet.redshift.*.arn}"]
+ value = aws_subnet.redshift.*.arn
 }
 output "redshift_subnets_cidr_blocks" {
 description = "List of cidr_blocks of redshift subnets"
- value = ["${aws_subnet.redshift.*.cidr_block}"]
+ value = aws_subnet.redshift.*.cidr_block
 }
 output "redshift_subnet_group" {
 description = "ID of redshift subnet group"
- value = "${element(concat(aws_redshift_subnet_group.redshift.*.id, list("")), 0)}"
+ value = concat(aws_redshift_subnet_group.redshift.*.id, [""])[0]
 }
 output "elasticache_subnets" {
 description = "List of IDs of elasticache subnets"
- value = ["${aws_subnet.elasticache.*.id}"]
+ value = aws_subnet.elasticache.*.id
 }
 output "elasticache_subnet_arns" {
 description = "List of ARNs of elasticache subnets"
- value = ["${aws_subnet.elasticache.*.arn}"]
+ value = aws_subnet.elasticache.*.arn
 }
 output "elasticache_subnets_cidr_blocks" {
 description = "List of cidr_blocks of elasticache subnets"
- value = ["${aws_subnet.elasticache.*.cidr_block}"]
+ value = aws_subnet.elasticache.*.cidr_block
 }
 output "intra_subnets" {
 description = "List of IDs of intra subnets"
- value = ["${aws_subnet.intra.*.id}"]
+ value = aws_subnet.intra.*.id
 }
 output "intra_subnet_arns" {
 description = "List of ARNs of intra subnets"
- value = ["${aws_subnet.intra.*.arn}"]
+ value = aws_subnet.intra.*.arn
 }
 output "intra_subnets_cidr_blocks" {
 description = "List of cidr_blocks of intra subnets"
- value = ["${aws_subnet.intra.*.cidr_block}"]
+ value = aws_subnet.intra.*.cidr_block
 }
 output "elasticache_subnet_group" {
 description = "ID of elasticache subnet group"
- value = "${element(concat(aws_elasticache_subnet_group.elasticache.*.id, list("")), 0)}"
+ value = concat(aws_elasticache_subnet_group.elasticache.*.id, [""])[0]
 }
 output "elasticache_subnet_group_name" {
 description = "Name of elasticache subnet group"
- value = "${element(concat(aws_elasticache_subnet_group.elasticache.*.name, list("")), 0)}"
+ value = concat(aws_elasticache_subnet_group.elasticache.*.name, [""])[0]
 }
 output "public_route_table_ids" {
 description = "List of IDs of public route tables"
- value = ["${aws_route_table.public.*.id}"]
+ value = aws_route_table.public.*.id
 }
 output "private_route_table_ids" {
 description = "List of IDs of private route tables"
- value = ["${aws_route_table.private.*.id}"]
+ value = aws_route_table.private.*.id
 }
 output "database_route_table_ids" {
 description = "List of IDs of database route tables"
- value = ["${coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id)}"]
+ value = length(aws_route_table.database.*.id) > 0 ? aws_route_table.database.*.id : aws_route_table.private.*.id
 }
 output "redshift_route_table_ids" {
 description = "List of IDs of redshift route tables"
- value = ["${coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id)}"]
+ value = length(aws_route_table.redshift.*.id) > 0 ? aws_route_table.redshift.*.id : aws_route_table.private.*.id
 }
 output "elasticache_route_table_ids" {
 description = "List of IDs of elasticache route tables"
- value = ["${coalescelist(aws_route_table.elasticache.*.id, aws_route_table.private.*.id)}"]
+ value = length(aws_route_table.elasticache.*.id) > 0 ? aws_route_table.elasticache.*.id : aws_route_table.private.*.id
 }
 output "intra_route_table_ids" {
 description = "List of IDs of intra route tables"
- value = ["${aws_route_table.intra.*.id}"]
+ value = aws_route_table.intra.*.id
 }
 output "nat_ids" {
 description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway"
- value = ["${aws_eip.nat.*.id}"]
+ value = aws_eip.nat.*.id
 }
 output "nat_public_ips" {
 description = "List of public Elastic IPs created for AWS NAT Gateway"
- value = ["${aws_eip.nat.*.public_ip}"]
+ value = aws_eip.nat.*.public_ip
 }
 output "natgw_ids" {
 description = "List of NAT Gateway IDs"
- value = ["${aws_nat_gateway.this.*.id}"]
+ value = aws_nat_gateway.this.*.id
 }
 output "igw_id" {
 description = "The ID of the Internet Gateway"
- value = "${element(concat(aws_internet_gateway.this.*.id, list("")), 0)}"
+ value = concat(aws_internet_gateway.this.*.id, [""])[0]
 }
 output "vgw_id" {
 description = "The ID of the VPN Gateway"
- value = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, list("")), 0)}"
+ value = concat(
+ aws_vpn_gateway.this.*.id,
+ aws_vpn_gateway_attachment.this.*.vpn_gateway_id,
+ [""],
+ )[0]
 }
 output "default_vpc_id" {
 description = "The ID of the VPC"
- value = "${element(concat(aws_default_vpc.this.*.id, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.id, [""])[0]
 }
 output "default_vpc_cidr_block" {
 description = "The CIDR block of the VPC"
- value = "${element(concat(aws_default_vpc.this.*.cidr_block, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.cidr_block, [""])[0]
 }
 output "default_vpc_default_security_group_id" {
 description = "The ID of the security group created by default on VPC creation"
- value = "${element(concat(aws_default_vpc.this.*.default_security_group_id, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.default_security_group_id, [""])[0]
 }
 output "default_vpc_default_network_acl_id" {
 description = "The ID of the default network ACL"
- value = "${element(concat(aws_default_vpc.this.*.default_network_acl_id, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.default_network_acl_id, [""])[0]
 }
 output "default_vpc_default_route_table_id" {
 description = "The ID of the default route table"
- value = "${element(concat(aws_default_vpc.this.*.default_route_table_id, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.default_route_table_id, [""])[0]
 }
 output "default_vpc_instance_tenancy" {
 description = "Tenancy of instances spin up within VPC"
- value = "${element(concat(aws_default_vpc.this.*.instance_tenancy, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.instance_tenancy, [""])[0]
 }
 output "default_vpc_enable_dns_support" {
 description = "Whether or not the VPC has DNS support"
- value = "${element(concat(aws_default_vpc.this.*.enable_dns_support, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.enable_dns_support, [""])[0]
 }
 output "default_vpc_enable_dns_hostnames" {
 description = "Whether or not the VPC has DNS hostname support"
- value = "${element(concat(aws_default_vpc.this.*.enable_dns_hostnames, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.enable_dns_hostnames, [""])[0]
 }
 //output "default_vpc_enable_classiclink" {
@@ -280,7 +284,7 @@ output "default_vpc_enable_dns_hostnames" {
 output "default_vpc_main_route_table_id" {
 description = "The ID of the main route table associated with this VPC"
- value = "${element(concat(aws_default_vpc.this.*.main_route_table_id, list("")), 0)}"
+ value = concat(aws_default_vpc.this.*.main_route_table_id, [""])[0]
 }
 //output "default_vpc_ipv6_association_id" {
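Review bot: The rewritten `database_route_table_ids`, `redshift_route_table_ids` and `elasticache_route_table_ids` values (`length(aws_route_table.database.*.id) > 0 ? aws_route_table.database.*.id : aws_route_table.private.*.id`) silently hand back the private route table IDs whenever the dedicated table was not created, yet each description still reads only "List of IDs of database route tables". A consumer that attaches routes or gateway endpoints to these outputs can end up changing the private tier's routing without noticing, so the fallback deserves to be stated: `description = "List of IDs of database route tables (falls back to the private route table IDs when no separate database route table is created)"`, and likewise for redshift and elasticache. The ternary itself preserves the old coalescelist behaviour, so the logic change looks correct. While here, the `default_vpc_id` and `default_vpc_cidr_block` descriptions ("The ID of the VPC", "The CIDR block of the VPC") are copied from the vpc_* outputs and should say "default VPC".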
@@ -295,53 +299,68 @@ output "default_vpc_main_route_table_id" {
 output "public_network_acl_id" {
 description = "ID of the public network ACL"
- value = "${element(concat(aws_network_acl.public.*.id, list("")), 0)}"
+ value = concat(aws_network_acl.public.*.id, [""])[0]
 }
 output "private_network_acl_id" {
 description = "ID of the private network ACL"
- value = "${element(concat(aws_network_acl.private.*.id, list("")), 0)}"
+ value = concat(aws_network_acl.private.*.id, [""])[0]
 }
 output "intra_network_acl_id" {
 description = "ID of the intra network ACL"
- value = "${element(concat(aws_network_acl.intra.*.id, list("")), 0)}"
+ value = concat(aws_network_acl.intra.*.id, [""])[0]
 }
 output "database_network_acl_id" {
 description = "ID of the database network ACL"
- value = "${element(concat(aws_network_acl.database.*.id, list("")), 0)}"
+ value = concat(aws_network_acl.database.*.id, [""])[0]
 }
 output "redshift_network_acl_id" {
 description = "ID of the redshift network ACL"
- value = "${element(concat(aws_network_acl.redshift.*.id, list("")), 0)}"
+ value = concat(aws_network_acl.redshift.*.id, [""])[0]
 }
 output "elasticache_network_acl_id" {
 description = "ID of the elasticache network ACL"
- value = "${element(concat(aws_network_acl.elasticache.*.id, list("")), 0)}"
+ value = concat(aws_network_acl.elasticache.*.id, [""])[0]
 }
 # VPC Endpoints
 output "vpc_endpoint_s3_id" {
 description = "The ID of VPC endpoint for S3"
- value = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.s3.*.id, [""])[0]
 }
 output "vpc_endpoint_s3_pl_id" {
 description = "The prefix list for the S3 VPC endpoint."
- value = "${element(concat(aws_vpc_endpoint.s3.*.prefix_list_id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.s3.*.prefix_list_id, [""])[0]
 }
 output "vpc_endpoint_dynamodb_id" {
 description = "The ID of VPC endpoint for DynamoDB"
- value = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.dynamodb.*.id, [""])[0]
 }
 output "vpc_endpoint_dynamodb_pl_id" {
 description = "The prefix list for the DynamoDB VPC endpoint."
- value = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, [""])[0]
+}
+
+output "vpc_endpoint_sqs_id" {
+ description = "The ID of VPC endpoint for SQS"
+ value = concat(aws_vpc_endpoint.sqs.*.id, [""])[0]
+}
+
+output "vpc_endpoint_sqs_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for SQS."
+ value = flatten(aws_vpc_endpoint.sqs.*.network_interface_ids)
+}
+
+output "vpc_endpoint_sqs_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for SQS."
+ value = flatten(aws_vpc_endpoint.sqs.*.dns_entry)
 }
 output "vpc_endpoint_sqs_id" {
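Review bot: The three added outputs `vpc_endpoint_sqs_id`, `vpc_endpoint_sqs_network_interface_ids` and `vpc_endpoint_sqs_dns_entry` are inserted directly in front of an unchanged context line `output "vpc_endpoint_sqs_id" {`, and the hunk counts (`-295,53 +299,68`, fifteen lines added, none removed) say this is a pure insertion. If the old SQS output block that follows (old lines 348–360, not shown here) is not deleted in some other hunk, the new outputs.tf declares each SQS output twice and Terraform will refuse the configuration with a duplicate output definition; please run `terraform validate` on the merged file and keep a single copy of each. If the surviving old block is still in 0.11 syntax, it also needs the `concat(..., [""])[0]` / `flatten(...)` rewrite that the rest of this hunk applies.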
@@ -361,122 +380,167 @@ output "vpc_endpoint_sqs_dns_entry" {
 output "vpc_endpoint_ssm_id" {
 description = "The ID of VPC endpoint for SSM"
- value = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.ssm.*.id, [""])[0]
 }
 output "vpc_endpoint_ssm_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for SSM."
- value = "${flatten(aws_vpc_endpoint.ssm.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.ssm.*.network_interface_ids)
 }
 output "vpc_endpoint_ssm_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for SSM."
- value = "${flatten(aws_vpc_endpoint.ssm.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.ssm.*.dns_entry)
 }
 output "vpc_endpoint_ssmmessages_id" {
 description = "The ID of VPC endpoint for SSMMESSAGES"
- value = "${element(concat(aws_vpc_endpoint.ssmmessages.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.ssmmessages.*.id, [""])[0]
 }
 output "vpc_endpoint_ssmmessages_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGES."
- value = "${flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)
 }
 output "vpc_endpoint_ssmmessages_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for SSMMESSAGES."
- value = "${flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry)
 }
 output "vpc_endpoint_ec2_id" {
 description = "The ID of VPC endpoint for EC2"
- value = "${element(concat(aws_vpc_endpoint.ec2.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.ec2.*.id, [""])[0]
 }
 output "vpc_endpoint_ec2_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for EC2"
- value = "${flatten(aws_vpc_endpoint.ec2.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.ec2.*.network_interface_ids)
 }
 output "vpc_endpoint_ec2_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for EC2."
- value = "${flatten(aws_vpc_endpoint.ec2.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.ec2.*.dns_entry)
 }
 output "vpc_endpoint_ec2messages_id" {
 description = "The ID of VPC endpoint for EC2MESSAGES"
- value = "${element(concat(aws_vpc_endpoint.ec2messages.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.ec2messages.*.id, [""])[0]
 }
 output "vpc_endpoint_ec2messages_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for EC2MESSAGES"
- value = "${flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids)
 }
 output "vpc_endpoint_ec2messages_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for EC2MESSAGES."
- value = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)
 }
 output "vpc_endpoint_kms_id" {
 description = "The ID of VPC endpoint for KMS"
- value = "${element(concat(aws_vpc_endpoint.kms.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.kms.*.id, [""])[0]
 }
 output "vpc_endpoint_kms_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for KMS."
- value = "${flatten(aws_vpc_endpoint.kms.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.kms.*.network_interface_ids)
 }
 output "vpc_endpoint_kms_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for KMS."
- value = "${flatten(aws_vpc_endpoint.kms.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.kms.*.dns_entry)
 }
 output "vpc_endpoint_ecr_api_id" {
 description = "The ID of VPC endpoint for ECR API"
- value = "${element(concat(aws_vpc_endpoint.ecr_api.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.ecr_api.*.id, [""])[0]
 }
 output "vpc_endpoint_ecr_api_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for ECR API."
- value = "${flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids)
 }
 output "vpc_endpoint_ecr_api_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for ECR API."
- value = "${flatten(aws_vpc_endpoint.ecr_api.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.ecr_api.*.dns_entry)
 }
 output "vpc_endpoint_ecr_dkr_id" {
 description = "The ID of VPC endpoint for ECR DKR"
- value = "${element(concat(aws_vpc_endpoint.ecr_dkr.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.ecr_dkr.*.id, [""])[0]
 }
 output "vpc_endpoint_ecr_dkr_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for ECR DKR."
- value = "${flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids)
 }
 output "vpc_endpoint_ecr_dkr_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for ECR DKR."
- value = "${flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry)
 }
 output "vpc_endpoint_apigw_id" {
 description = "The ID of VPC endpoint for APIGW"
- value = "${element(concat(aws_vpc_endpoint.apigw.*.id, list("")), 0)}"
+ value = concat(aws_vpc_endpoint.apigw.*.id, [""])[0]
 }
 output "vpc_endpoint_apigw_network_interface_ids" {
 description = "One or more network interfaces for the VPC Endpoint for APIGW."
- value = "${flatten(aws_vpc_endpoint.apigw.*.network_interface_ids)}"
+ value = flatten(aws_vpc_endpoint.apigw.*.network_interface_ids)
 }
 output "vpc_endpoint_apigw_dns_entry" {
 description = "The DNS entries for the VPC Endpoint for APIGW."
- value = "${flatten(aws_vpc_endpoint.apigw.*.dns_entry)}"
+ value = flatten(aws_vpc_endpoint.apigw.*.dns_entry)
+}
+
+output "vpc_endpoint_ecs_id" {
+ description = "The ID of VPC endpoint for ECS"
+ value = concat(aws_vpc_endpoint.ecs.*.id, [""])[0]
+}
+
+output "vpc_endpoint_ecs_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECS."
+ value = flatten(aws_vpc_endpoint.ecs.*.network_interface_ids)
+}
+
+output "vpc_endpoint_ecs_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECS."
+ value = flatten(aws_vpc_endpoint.ecs.*.dns_entry)
+}
+
+output "vpc_endpoint_ecs_agent_id" {
+ description = "The ID of VPC endpoint for ECS Agent"
+ value = concat(aws_vpc_endpoint.ecs_agent.*.id, [""])[0]
+}
+
+output "vpc_endpoint_ecs_agent_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECS Agent."
+ value = flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids)
+}
+
+output "vpc_endpoint_ecs_agent_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECS Agent."
+ value = flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry)
+}
+
+output "vpc_endpoint_ecs_telemetry_id" {
+ description = "The ID of VPC endpoint for ECS Telemetry"
+ value = concat(aws_vpc_endpoint.ecs_telemetry.*.id, [""])[0]
+}
+
+output "vpc_endpoint_ecs_telemetry_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry."
+ value = flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids)
+}
+
+output "vpc_endpoint_ecs_telemetry_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECS Telemetry."
+ value = flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)
 }
 output "vpc_endpoint_ecs_id" {
@@ -527,5 +591,6 @@ output "vpc_endpoint_ecs_telemetry_dns_entry" {
 # Static values (arguments)
 output "azs" {
 description = "A list of availability zones specified as argument to this module"
- value = "${var.azs}"
+ value = var.azs
 }
+
diff --git a/variables.tf b/variables.tf
index eb2b4d897..9ea9ac4ba 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,5 +1,6 @@
 variable "create_vpc" {
 description = "Controls if VPC should be created (it affects almost all resources)"
+ type = bool
 default = true
 }
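Review bot: The nine added `vpc_endpoint_ecs_*`, `vpc_endpoint_ecs_agent_*` and `vpc_endpoint_ecs_telemetry_*` outputs end right before an unchanged context line `output "vpc_endpoint_ecs_id" {`, and the following hunk header `@@ -527,5 +591,6 @@ output "vpc_endpoint_ecs_telemetry_dns_entry" {` shows the old file already carried that whole ECS block as its last outputs (old lines 483–526, not shown). Unless that block is removed elsewhere, the new outputs.tf defines every ECS output twice and Terraform will reject it with a duplicate output error; `terraform validate` on the merged tree should confirm, and only one definition should be kept. If the surviving block is still in 0.11 interpolation syntax it additionally needs the `concat(..., [""])[0]` / `flatten(...)` form this hunk introduces.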
@@ -15,172 +16,225 @@ variable "cidr" {
 variable "assign_generated_ipv6_cidr_block" {
 description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block"
+ type = bool
 default = false
 }
 variable "secondary_cidr_blocks" {
 description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
+ type = list(string)
 default = []
 }
 variable "instance_tenancy" {
 description = "A tenancy option for instances launched into the VPC"
+ type = string
 default = "default"
 }
 variable "public_subnet_suffix" {
 description = "Suffix to append to public subnets name"
+ type = string
 default = "public"
 }
 variable "private_subnet_suffix" {
 description = "Suffix to append to private subnets name"
+ type = string
 default = "private"
 }
 variable "intra_subnet_suffix" {
 description = "Suffix to append to intra subnets name"
+ type = string
 default = "intra"
 }
 variable "database_subnet_suffix" {
 description = "Suffix to append to database subnets name"
+ type = string
 default = "db"
 }
 variable "redshift_subnet_suffix" {
 description = "Suffix to append to redshift subnets name"
+ type = string
 default = "redshift"
 }
 variable "elasticache_subnet_suffix" {
 description = "Suffix to append to elasticache subnets name"
+ type = string
 default = "elasticache"
 }
 variable "public_subnets" {
 description = "A list of public subnets inside the VPC"
+ type = list(string)
 default = []
 }
 variable "private_subnets" {
 description = "A list of private subnets inside the VPC"
+ type = list(string)
 default = []
 }
 variable "database_subnets" {
 description = "A list of database subnets"
+ type = list(string)
 default = []
 }
 variable "redshift_subnets" {
 description = "A list of redshift subnets"
+ type = list(string)
 default = []
 }
 variable "elasticache_subnets" {
 description = "A list of elasticache subnets"
+ type = list(string)
 default = []
 }
 variable "intra_subnets" {
 description = "A list of intra subnets"
+ type = list(string)
 default = []
 }
 variable "create_database_subnet_route_table" {
 description = "Controls if separate route table for database should be created"
+ type = bool
 default = false
 }
 variable "create_redshift_subnet_route_table" {
 description = "Controls if separate route table for redshift should be created"
+ type = bool
 default = false
 }
 variable "enable_public_redshift" {
 description = "Controls if redshift should have public routing table"
+ type = bool
 default = false
 }
 variable "create_elasticache_subnet_route_table" {
 description = "Controls if separate route table for elasticache should be created"
+ type = bool
 default = false
 }
 variable "create_database_subnet_group" {
 description = "Controls if database subnet group should be created"
+ type = bool
 default = true
 }
 variable "create_elasticache_subnet_group" {
 description = "Controls if elasticache subnet group should be created"
+ type = bool
 default = true
 }
 variable "create_redshift_subnet_group" {
 description = "Controls if redshift subnet group should be created"
+ type = bool
 default = true
 }
 variable "create_database_internet_gateway_route" {
 description = "Controls if an internet gateway route for public database access should be created"
+ type = bool
 default = false
 }
 variable "create_database_nat_gateway_route" {
 description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
+ type = bool
 default = false
 }
 variable "azs" {
 description = "A list of availability zones in the region"
+ type = list(string)
 default = []
 }
 variable "enable_dns_hostnames" {
 description = "Should be true to enable DNS hostnames in the VPC"
+ type = bool
 default = false
 }
 variable "enable_dns_support" {
 description = "Should be true to enable DNS support in the VPC"
+ type = bool
 default = true
 }
 variable "enable_nat_gateway" {
 description = "Should be true if you want to provision NAT Gateways for each of your private networks"
+ type = bool
 default = false
 }
 variable "single_nat_gateway" {
 description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
+ type = bool
 default = false
 }
 variable "one_nat_gateway_per_az" {
 description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`."
+ type = bool
 default = false
 }
 variable "reuse_nat_ips" {
 description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
+ type = bool
 default = false
 }
 variable "external_nat_ip_ids" {
 description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
-
- default = []
+ type = list(string)
+ default = []
 }
 variable "enable_dynamodb_endpoint" {
 description = "Should be true if you want to provision a DynamoDB endpoint to the VPC"
+ type = bool
 default = false
 }
 variable "enable_s3_endpoint" {
 description = "Should be true if you want to provision an S3 endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "enable_sqs_endpoint" {
+ description = "Should be true if you want to provision an SQS endpoint to the VPC"
+ default = false
+}
+
+variable "sqs_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for SQS endpoint"
+ default = []
+}
+
+variable "sqs_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "sqs_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint"
 default = false
 }
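Review bot: The four SQS endpoint variables in this hunk (`enable_sqs_endpoint`, `sqs_endpoint_security_group_ids`, `sqs_endpoint_subnet_ids`, `sqs_endpoint_private_dns_enabled`) are the only ones here that do not receive a `type`, while every other variable in the hunk gains one; add `type = bool` to the two flags and `type = list(string)` to the two ID lists so that a caller passing a bare string where a list of security group or subnet IDs is expected is rejected at plan time, as it now is for the SSM and EC2 equivalents. Separately, `create_database_internet_gateway_route` is the one switch in this block that makes the database subnets reachable from the internet, and the description only says "for public database access"; spelling out the consequence would help reviewers of caller configurations, e.g. `description = "Controls if an internet gateway route for public database access should be created (exposes the database subnets to the internet; leave false unless intended)"`.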
@@ -206,161 +260,265 @@ variable "sqs_endpoint_private_dns_enabled" { variable "enable_ssm_endpoint" { description = "Should be true if you want to provision an SSM endpoint to the VPC" + type = bool default = false } variable "ssm_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSM endpoint" + type = list(string) default = [] } variable "ssm_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ssm_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint" + type = bool default = false } variable "enable_ssmmessages_endpoint" { description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" + type = bool default = false } variable "enable_apigw_endpoint" { description = "Should be true if you want to provision an api gateway endpoint to the VPC" + type = bool default = false } variable "apigw_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for API GW endpoint" + type = list(string) default = [] } variable "apigw_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint" + type = bool default = false } variable "apigw_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ type = list(string) default = [] } variable "ssmmessages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" + type = list(string) default = [] } variable "ssmmessages_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ssmmessages_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint" + type = bool default = false } variable "enable_ec2_endpoint" { description = "Should be true if you want to provision an EC2 endpoint to the VPC" + type = bool default = false } variable "ec2_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for EC2 endpoint" + type = list(string) default = [] } variable "ec2_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint" + type = bool default = false } variable "ec2_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ type = list(string) default = [] } variable "enable_ec2messages_endpoint" { description = "Should be true if you want to provision an EC2MESSAGES endpoint to the VPC" + type = bool default = false } variable "ec2messages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint" + type = list(string) default = [] } variable "ec2messages_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint" + type = bool default = false } variable "ec2messages_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "enable_ecr_api_endpoint" { description = "Should be true if you want to provision an ecr api endpoint to the VPC" + type = bool default = false } variable "ecr_api_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ecr_api_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint" + type = bool default = false } variable "ecr_api_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint" + type = list(string) default = [] } variable "enable_ecr_dkr_endpoint" { description = "Should be true if you want to provision an ecr dkr endpoint to the VPC" + type = bool default = false } variable "ecr_dkr_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. 
If omitted, private subnets will be used." + type = list(string) default = [] } variable "ecr_dkr_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint" + type = bool default = false } variable "ecr_dkr_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint" + type = list(string) default = [] } variable "enable_kms_endpoint" { description = "Should be true if you want to provision a KMS endpoint to the VPC" + type = bool default = false } variable "kms_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for KMS endpoint" + type = list(string) default = [] } variable "kms_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "kms_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint" + type = bool + default = false +} + +variable "enable_ecs_endpoint" { + description = "Should be true if you want to provision a ECS endpoint to the VPC" + type = bool + default = false +} + +variable "ecs_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS endpoint" + type = list(string) + default = [] +} + +variable "ecs_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ type = list(string) + default = [] +} + +variable "ecs_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint" + type = bool + default = false +} + +variable "enable_ecs_agent_endpoint" { + description = "Should be true if you want to provision a ECS Agent endpoint to the VPC" + type = bool + default = false +} + +variable "ecs_agent_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint" + type = list(string) + default = [] +} + +variable "ecs_agent_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "ecs_agent_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint" + type = bool + default = false +} + +variable "enable_ecs_telemetry_endpoint" { + description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC" + type = bool + default = false +} + +variable "ecs_telemetry_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint" + type = list(string) + default = [] +} + +variable "ecs_telemetry_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ type = list(string) + default = [] +} + +variable "ecs_telemetry_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint" + type = bool default = false } @@ -426,11 +584,13 @@ variable "ecs_telemetry_endpoint_private_dns_enabled" { variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" + type = bool default = true } variable "enable_vpn_gateway" { description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" + type = bool default = false } 
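Review bot: The new `ecs_endpoint_security_group_ids`, `ecs_agent_endpoint_security_group_ids` and `ecs_telemetry_endpoint_security_group_ids` variables default to `[]` without saying what an empty list means for an Interface endpoint; when no security group is passed, AWS attaches the VPC's default security group to the endpoint ENIs, so who can reach the endpoint is then decided by that default group rather than by anything this module sets. The description should make that explicit, e.g. `description = "The ID of one or more security groups to associate with the network interface for ECS endpoint. If empty, the VPC's default security group is attached; pass a dedicated group that allows 443 only from the intended subnets."`, and the same wording fits the other `*_endpoint_security_group_ids` variables this hunk only adds a type to. Whether the provider version pinned elsewhere in this module rejects an empty list for Interface endpoints cannot be told from here; if it does, the description should instead say the variable is effectively required. It may also be worth noting on the `*_endpoint_private_dns_enabled` variables that with the default `false` clients resolving the public service hostname keep leaving the VPC through the NAT or internet gateway instead of the endpoint.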
@@ -446,267 +606,316 @@ variable "amazon_side_asn" { variable "propagate_private_route_tables_vgw" { description = "Should be true if you want route table propagation" + type = bool default = false } variable "propagate_public_route_tables_vgw" { description = "Should be true if you want route table propagation" + type = bool default = false } variable "tags" { description = "A map of tags to add to all resources" + type = map(string) default = {} } variable "vpc_tags" { description = "Additional tags for the VPC" + type = map(string) default = {} } variable "igw_tags" { description = "Additional tags for the internet gateway" + type = map(string) default = {} } variable "public_subnet_tags" { description = "Additional tags for the public subnets" + type = map(string) default = {} } variable "private_subnet_tags" { description = "Additional tags for the private subnets" + type = map(string) default = {} } variable "public_route_table_tags" { description = "Additional tags for the public route tables" + type = map(string) default = {} } variable "private_route_table_tags" { description = "Additional tags for the private route tables" + type = map(string) default = {} } variable "database_route_table_tags" { description = "Additional tags for the database route tables" + type = map(string) default = {} } variable "redshift_route_table_tags" { description = "Additional tags for the redshift route tables" + type = map(string) default = {} } variable "elasticache_route_table_tags" { description = "Additional tags for the elasticache route tables" + type = map(string) default = {} } variable "intra_route_table_tags" { description = "Additional tags for the intra route tables" + type = map(string) default = {} } variable "database_subnet_tags" { description = "Additional tags for the database subnets" + type = map(string) default = {} } variable "database_subnet_group_tags" { description = "Additional tags for the database subnet group" + type = map(string) default = {} } 
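Review bot: `map_public_ip_on_launch` is now typed `bool` but keeps a default of `true`, so every instance launched into a public subnet gets a public IPv4 address unless the launch request overrides it, and the description only says "Should be false if you do not want to auto-assign public IP on launch" without stating that this is the default. Since this is the setting most callers never touch, the description should spell the consequence out, e.g. `description = "Should be false if you do not want to auto-assign public IP on launch. Defaults to true, so instances in public subnets receive a public IPv4 address unless the launch disables it."`. The surrounding variables.tf hunk is split across two physical lines here, so the `enable_vpn_gateway` block that follows is unaffected by this point.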
variable "redshift_subnet_tags" { description = "Additional tags for the redshift subnets" + type = map(string) default = {} } variable "redshift_subnet_group_tags" { description = "Additional tags for the redshift subnet group" + type = map(string) default = {} } variable "elasticache_subnet_tags" { description = "Additional tags for the elasticache subnets" + type = map(string) default = {} } variable "intra_subnet_tags" { description = "Additional tags for the intra subnets" + type = map(string) default = {} } variable "public_acl_tags" { description = "Additional tags for the public subnets network ACL" + type = map(string) default = {} } variable "private_acl_tags" { description = "Additional tags for the private subnets network ACL" + type = map(string) default = {} } variable "intra_acl_tags" { description = "Additional tags for the intra subnets network ACL" + type = map(string) default = {} } variable "database_acl_tags" { description = "Additional tags for the database subnets network ACL" + type = map(string) default = {} } variable "redshift_acl_tags" { description = "Additional tags for the redshift subnets network ACL" + type = map(string) default = {} } variable "elasticache_acl_tags" { description = "Additional tags for the elasticache subnets network ACL" + type = map(string) default = {} } variable "dhcp_options_tags" { description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" + type = map(string) default = {} } variable "nat_gateway_tags" { description = "Additional tags for the NAT gateways" + type = map(string) default = {} } variable "nat_eip_tags" { description = "Additional tags for the NAT EIP" + type = map(string) default = {} } variable "vpn_gateway_tags" { description = "Additional tags for the VPN gateway" + type = map(string) default = {} } variable "enable_dhcp_options" { description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, 
netbios servers, and/or netbios server type" + type = bool default = false } variable "dhcp_options_domain_name" { description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" + type = string default = "" } variable "dhcp_options_domain_name_servers" { description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" - - default = ["AmazonProvidedDNS"] + type = list(string) + default = ["AmazonProvidedDNS"] } variable "dhcp_options_ntp_servers" { description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" - - default = [] + type = list(string) + default = [] } variable "dhcp_options_netbios_name_servers" { description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" - - default = [] + type = list(string) + default = [] } variable "dhcp_options_netbios_node_type" { description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" + type = string default = "" } variable "manage_default_vpc" { description = "Should be true to adopt and manage Default VPC" + type = bool default = false } variable "default_vpc_name" { description = "Name to be used on the Default VPC" + type = string default = "" } variable "default_vpc_enable_dns_support" { description = "Should be true to enable DNS support in the Default VPC" + type = bool default = true } variable "default_vpc_enable_dns_hostnames" { description = "Should be true to enable DNS hostnames in the Default VPC" + type = bool default = false } variable "default_vpc_enable_classiclink" { description = "Should be true to enable ClassicLink in the Default VPC" + type = bool default = false } variable "default_vpc_tags" { description = "Additional tags for the Default VPC" + type = map(string) default = {} } variable "manage_default_network_acl" { description = "Should be 
true to adopt and manage Default Network ACL" + type = bool default = false } variable "default_network_acl_name" { description = "Name to be used on the Default Network ACL" + type = string default = "" } variable "default_network_acl_tags" { description = "Additional tags for the Default Network ACL" + type = map(string) default = {} } variable "public_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" + type = bool default = false } variable "private_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" + type = bool default = false } variable "intra_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" + type = bool default = false } variable "database_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" + type = bool default = false } variable "redshift_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" + type = bool default = false } variable "elasticache_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" + type = bool default = false } variable "default_network_acl_ingress" { description = "List of maps of ingress rules to set on the Default Network ACL" + type = list(map(string)) - default = [{ - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" }, { rule_no = 101 
@@ -721,14 +930,16 @@ variable "default_network_acl_ingress" { variable "default_network_acl_egress" { description = "List of maps of egress rules to set on the Default Network ACL" + type = list(map(string)) - default = [{ - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" }, { rule_no = 101 @@ -743,6 +954,7 @@ variable "default_network_acl_egress" { variable "public_inbound_acl_rules" { description = "Public subnets inbound network ACLs" + type = list(map(string)) default = [ { @@ -758,6 +970,7 @@ variable "public_inbound_acl_rules" { variable "public_outbound_acl_rules" { description = "Public subnets outbound network ACLs" + type = list(map(string)) default = [ { @@ -773,6 +986,7 @@ variable "public_outbound_acl_rules" { variable "private_inbound_acl_rules" { description = "Private subnets inbound network ACLs" + type = list(map(string)) default = [ { @@ -788,6 +1002,7 @@ variable "private_inbound_acl_rules" { variable "private_outbound_acl_rules" { description = "Private subnets outbound network ACLs" + type = list(map(string)) default = [ { @@ -803,6 +1018,7 @@ variable "private_outbound_acl_rules" { variable "intra_inbound_acl_rules" { description = "Intra subnets inbound network ACLs" + type = list(map(string)) default = [ { @@ -818,6 +1034,7 @@ variable "intra_inbound_acl_rules" { variable "intra_outbound_acl_rules" { description = "Intra subnets outbound network ACLs" + type = list(map(string)) default = [ { @@ -833,6 +1050,7 @@ variable "intra_outbound_acl_rules" { variable "database_inbound_acl_rules" { description = "Database subnets inbound network ACL rules" + type = list(map(string)) default = [ { 
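Review bot: `default_network_acl_ingress` gains `type = list(map(string))`, but its default still starts with `rule_no = 100, action = "allow", protocol = "-1", cidr_block = "0.0.0.0/0"` and the description "List of maps of ingress rules to set on the Default Network ACL" does not say that this is an allow-everything rule set; a caller who sets `manage_default_network_acl = true` expecting the module to lock the default ACL down gets the opposite unless they override both the ingress and egress lists. The description should state it, e.g. `description = "List of maps of ingress rules to set on the Default Network ACL. The default mirrors AWS's own default NACL (allow all protocols from 0.0.0.0/0); override it together with default_network_acl_egress when manage_default_network_acl is true and the default ACL should be restrictive."`. Note also that the `list(map(string))` type coerces `rule_no`, `from_port` and `to_port` to strings, which the aws provider accepts but which means any consumer comparing these values numerically must convert them back. The default list continues past the end of this hunk (the `rule_no = 101` entry is cut off), so the remaining entries could not be checked here.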
@@ -848,6 +1066,7 @@ variable "database_inbound_acl_rules" { variable "database_outbound_acl_rules" { description = "Database subnets outbound network ACL rules" + type = list(map(string)) default = [ { @@ -863,6 +1082,7 @@ variable "database_outbound_acl_rules" { variable "redshift_inbound_acl_rules" { description = "Redshift subnets inbound network ACL rules" + type = list(map(string)) default = [ { @@ -878,6 +1098,7 @@ variable "redshift_inbound_acl_rules" { variable "redshift_outbound_acl_rules" { description = "Redshift subnets outbound network ACL rules" + type = list(map(string)) default = [ { @@ -893,6 +1114,7 @@ variable "redshift_outbound_acl_rules" { variable "elasticache_inbound_acl_rules" { description = "Elasticache subnets inbound network ACL rules" + type = list(map(string)) default = [ { @@ -908,6 +1130,7 @@ variable "elasticache_inbound_acl_rules" { variable "elasticache_outbound_acl_rules" { description = "Elasticache subnets outbound network ACL rules" + type = list(map(string)) default = [ { @@ -920,3 +1143,4 @@ variable "elasticache_outbound_acl_rules" { }, ] } + From 0588b3403b6653f3e35387f4da7fc00d32975116 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 24 May 2019 23:08:22 +0200 Subject: [PATCH 62/81] Fixed merge conflicts --- main.tf | 87 ---------------------------------------------------- outputs.tf | 60 ------------------------------------ variables.tf | 80 ----------------------------------------------- 3 files changed, 227 deletions(-) diff --git a/main.tf b/main.tf index aa2ae9658..6214e2d8e 100644 --- a/main.tf +++ b/main.tf 
@@ -919,27 +919,6 @@ resource "aws_vpc_endpoint" "sqs" { private_dns_enabled = var.sqs_endpoint_private_dns_enabled } -####################### -# VPC Endpoint for SQS -####################### -data "aws_vpc_endpoint_service" "sqs" { - count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" - - service = "sqs" -} - -resource "aws_vpc_endpoint" "sqs" { - count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.sqs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.sqs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}" -} - ####################### # VPC Endpoint for SSM ####################### 
@@ -1173,72 +1152,6 @@ resource "aws_vpc_endpoint" "ecs_telemetry" { private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled } - -####################### -# VPC Endpoint for ECS -####################### -data "aws_vpc_endpoint_service" "ecs" { - count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}" - - service = "ecs" -} - -resource "aws_vpc_endpoint" "ecs" { - count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}" -} - - -####################### -# VPC Endpoint for ECS Agent -####################### -data "aws_vpc_endpoint_service" "ecs_agent" { - count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" - - service = "ecs-agent" -} - -resource "aws_vpc_endpoint" "ecs_agent" { - count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}" -} - - -####################### -# VPC Endpoint for ECS Telemetry -####################### -data "aws_vpc_endpoint_service" "ecs_telemetry" { - count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}" - - service = "ecs-telemetry" -} - -resource "aws_vpc_endpoint" "ecs_telemetry" { - count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}" -} - ########################## # Route table association ########################## diff --git a/outputs.tf b/outputs.tf index ad16b5ecb..03626018d 100644 --- a/outputs.tf +++ b/outputs.tf @@ -348,21 +348,6 @@ output "vpc_endpoint_dynamodb_pl_id" { value = concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, [""])[0] } -output "vpc_endpoint_sqs_id" { - description = "The ID of VPC endpoint for SQS" - value = concat(aws_vpc_endpoint.sqs.*.id, [""])[0] -} - -output "vpc_endpoint_sqs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SQS." - value = flatten(aws_vpc_endpoint.sqs.*.network_interface_ids) -} - -output "vpc_endpoint_sqs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SQS." - value = flatten(aws_vpc_endpoint.sqs.*.dns_entry) -} - output "vpc_endpoint_sqs_id" { description = "The ID of VPC endpoint for SQS" value = "${element(concat(aws_vpc_endpoint.sqs.*.id, list("")), 0)}" 
@@ -498,51 +483,6 @@ output "vpc_endpoint_apigw_dns_entry" { value = flatten(aws_vpc_endpoint.apigw.*.dns_entry) } -output "vpc_endpoint_ecs_id" { - description = "The ID of VPC endpoint for ECS" - value = concat(aws_vpc_endpoint.ecs.*.id, [""])[0] -} - -output "vpc_endpoint_ecs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECS." - value = flatten(aws_vpc_endpoint.ecs.*.network_interface_ids) -} - -output "vpc_endpoint_ecs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECS." - value = flatten(aws_vpc_endpoint.ecs.*.dns_entry) -} - -output "vpc_endpoint_ecs_agent_id" { - description = "The ID of VPC endpoint for ECS Agent" - value = concat(aws_vpc_endpoint.ecs_agent.*.id, [""])[0] -} - -output "vpc_endpoint_ecs_agent_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECS Agent." - value = flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids) -} - -output "vpc_endpoint_ecs_agent_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECS Agent." - value = flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry) -} - -output "vpc_endpoint_ecs_telemetry_id" { - description = "The ID of VPC endpoint for ECS Telemetry" - value = concat(aws_vpc_endpoint.ecs_telemetry.*.id, [""])[0] -} - -output "vpc_endpoint_ecs_telemetry_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry." - value = flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids) -} - -output "vpc_endpoint_ecs_telemetry_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECS Telemetry." - value = flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry) -} - output "vpc_endpoint_ecs_id" { description = "The ID of VPC endpoint for ECS" value = "${element(concat(aws_vpc_endpoint.ecs.*.id, list("")), 0)}" diff --git a/variables.tf b/variables.tf index 9ea9ac4ba..de3106f28 100644 --- a/variables.tf 
+++ b/variables.tf @@ -238,26 +238,6 @@ variable "sqs_endpoint_private_dns_enabled" { default = false } -variable "enable_sqs_endpoint" { - description = "Should be true if you want to provision an SQS endpoint to the VPC" - default = false -} - -variable "sqs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SQS endpoint" - default = [] -} - -variable "sqs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - default = [] -} - -variable "sqs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint" - default = false -} - variable "enable_ssm_endpoint" { description = "Should be true if you want to provision an SSM endpoint to the VPC" type = bool 
@@ -522,66 +502,6 @@ variable "ecs_telemetry_endpoint_private_dns_enabled" { default = false } -variable "enable_ecs_endpoint" { - description = "Should be true if you want to provision a ECS endpoint to the VPC" - default = false -} - -variable "ecs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECS endpoint" - default = [] -} - -variable "ecs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - default = [] -} - -variable "ecs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint" - default = false -} - -variable "enable_ecs_agent_endpoint" { - description = "Should be true if you want to provision a ECS Agent endpoint to the VPC" - default = false -} - -variable "ecs_agent_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint" - default = [] -} - -variable "ecs_agent_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- default = [] -} - -variable "ecs_agent_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint" - default = false -} - -variable "enable_ecs_telemetry_endpoint" { - description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC" - default = false -} - -variable "ecs_telemetry_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint" - default = [] -} - -variable "ecs_telemetry_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - default = [] -} - -variable "ecs_telemetry_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint" - default = false -} - variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" type = bool From 2c28de57178827f03ff39787733163b92eddae43 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 24 May 2019 23:09:22 +0200 Subject: [PATCH 63/81] Updated CHANGELOG --- CHANGELOG.md | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 646bae804..42db54527 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,9 +3,17 @@ + +## [v2.0.0] - 2019-05-24 + +- Fixed merge conflicts +- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266)) + + ## [v1.66.0] - 2019-05-24 +- Updated CHANGELOG - Added VPC endpoints for SQS (closes [#248](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/248)) - ECS endpoint ([#261](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/261)) @@ -447,13 +455,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -531,7 +539,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.66.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.0.0...HEAD +[v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.66.0...v2.0.0 [v1.66.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.65.0...v1.66.0 [v1.65.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.64.0...v1.65.0 [v1.64.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.63.0...v1.64.0 
@@ -597,9 +606,9 @@
 [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0
 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0
 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0
-[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1
-[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1
-[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0
+[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1
+[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0
+[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1
 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0
 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0
 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0
From 7192ee69d6ebef24f4f193f3b9da58c116a86756 Mon Sep 17 00:00:00 2001
From: Niklas Wagner
Date: Mon, 27 May 2019 04:10:07 +0200
Subject: [PATCH 64/81] Upgrade Docker Image to fix CI (#270)
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index daf483b61..3cff84f58 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 terraform: &terraform
 docker:
- - image: hashicorp/terraform:0.10.4
+ - image: hashicorp/terraform:0.12.0
 working_directory: /tmp/workspace/terraform
 jobs:
From 158b7d79ece06815cea20e64aa5bd15a5b197efe Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Mon, 27 May 2019 19:04:48 +0300
Subject: [PATCH 65/81] Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch (#269)
---
 README.md | 40 ++++-
 .../issue-108-route-already-exists/main.tf | 1 -
 main.tf | 134 ++++++++++++++++
 outputs.tf | 90 +++++++++++
 variables.tf | 144 ++++++++++++++++++
 5 files changed, 407 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 4754b333f..0f3be4eee 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,9 @@ These types of resources are supported:
 * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
 * Gateway: S3, DynamoDB
- * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry
+ * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
+ ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing,
+ CloudTrail
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -263,6 +265,24 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no |
 | ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no |
 | ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | string | `"false"` | no |
+| sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list | `[]` | no |
+| sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | string | `"false"` | no |
+| cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list | `[]` | no |
+| cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | string | `"false"` | no |
+| elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list | `[]` | no |
+| elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | string | `"false"` | no |
+| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list | `[]` | no |
+| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | string | `"false"` | no |
+| events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list | `[]` | no |
+| events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | string | `"false"` | no |
+| monitoring\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | list | `[]` | no |
+| monitoring\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map | `{}` | no |
 | elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | string | `"false"` | no |
 | elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
@@ -456,6 +476,24 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
 | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
+| vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
+| vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
+| vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
+| vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
+| vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail |
+| vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
+| vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
+| vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
+| vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
+| vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
+| vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
+| vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
+| vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
+| vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs |
+| vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
+| vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
+| vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
+| vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
 | vpc\_id | The ID of the VPC |
 | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
 | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
diff --git a/examples/issue-108-route-already-exists/main.tf b/examples/issue-108-route-already-exists/main.tf
index 74f0af0c6..199b47a9f 100644
--- a/examples/issue-108-route-already-exists/main.tf
+++ b/examples/issue-108-route-already-exists/main.tf
@@ -19,4 +19,3 @@ module "vpc" {
 enable_s3_endpoint = true
 enable_dynamodb_endpoint = true
 }
-
diff --git a/main.tf b/main.tf
index 6214e2d8e..e711af12b 100644
--- a/main.tf
+++ b/main.tf
@@ -898,6 +898,7 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
 route_table_id = aws_route_table.public[0].id
 }
+
 #######################
 # VPC Endpoint for SQS
 #######################
@@ -1152,6 +1153,139 @@ resource "aws_vpc_endpoint" "ecs_telemetry" {
 private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled
 }
+
+#######################
+# VPC Endpoint for SNS
+#######################
+data "aws_vpc_endpoint_service" "sns" {
+ count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0
+
+ service = "sns"
+}
+
+resource "aws_vpc_endpoint" "sns" {
+ count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.sns[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.sns_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.sns_endpoint_private_dns_enabled
+}
+
+
+#######################
+# VPC Endpoint for CloudWatch Monitoring
+#######################
+data "aws_vpc_endpoint_service" "monitoring" {
+ count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0
+
+ service = "monitoring"
+}
+
+resource "aws_vpc_endpoint" "monitoring" {
+ count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.monitoring[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.monitoring_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.monitoring_endpoint_private_dns_enabled
+}
+
+
+#######################
+# VPC Endpoint for CloudWatch Logs
+#######################
+data "aws_vpc_endpoint_service" "logs" {
+ count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0
+
+ service = "logs"
+}
+
+resource "aws_vpc_endpoint" "logs" {
+ count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.logs[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.logs_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.logs_endpoint_private_dns_enabled
+}
+
+
+#######################
+# VPC Endpoint for CloudWatch Events
+#######################
+data "aws_vpc_endpoint_service" "events" {
+ count = var.create_vpc && var.enable_events_endpoint ? 1 : 0
+
+ service = "events"
+}
+
+resource "aws_vpc_endpoint" "events" {
+ count = var.create_vpc && var.enable_events_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.events[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.events_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.events_endpoint_private_dns_enabled
+}
+
+
+#######################
+# VPC Endpoint for Elastic Load Balancing
+#######################
+data "aws_vpc_endpoint_service" "elasticloadbalancing" {
+ count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0
+
+ service = "elasticloadbalancing"
+}
+
+resource "aws_vpc_endpoint" "elasticloadbalancing" {
+ count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.elasticloadbalancing[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.elasticloadbalancing_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.elasticloadbalancing_endpoint_private_dns_enabled
+}
+
+
+#######################
+# VPC Endpoint for CloudTrail
+#######################
+data "aws_vpc_endpoint_service" "cloudtrail" {
+ count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0
+
+ service = "cloudtrail"
+}
+
+resource "aws_vpc_endpoint" "cloudtrail" {
+ count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.cloudtrail[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.cloudtrail_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.cloudtrail_endpoint_private_dns_enabled
+}
+
+
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index 03626018d..71164fcd6 100644
--- a/outputs.tf
+++ b/outputs.tf
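Review bot: Every new `aws_vpc_endpoint` resource in this hunk sets `security_group_ids = var.<service>_endpoint_security_group_ids`, whose default (declared in the variables.tf hunk of this same commit) is `[]`, and nothing documents what an Interface endpoint gets when that list is empty; as far as I recall AWS then attaches the VPC's default security group to the endpoint ENIs, which is rarely the least-privilege rule set an operator intended, so this is worth confirming against the provider documentation and stating explicitly. A comment above the first resource such as `# Interface endpoints need an explicit security group; with the default [] AWS falls back to the VPC default SG — confirm` would cover the `sns`, `monitoring`, `logs`, `events`, `elasticloadbalancing` and `cloudtrail` resources alike, and the same sentence belongs in the six `*_endpoint_security_group_ids` descriptions in variables.tf. Similarly, `private_dns_enabled` defaults to false for all six, which presumably means clients using the regional service hostname keep resolving to the public endpoint unless they opt in; a line in the `*_endpoint_private_dns_enabled` descriptions would save users from assuming the endpoint is in use just because it exists. The six data/resource pairs differ only in the service name and variable prefix, so a short header comment noting that each one must be kept in lock-step with its `outputs.tf` and `variables.tf` blocks would help whoever adds the next service.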
@@ -528,6 +528,96 @@ output "vpc_endpoint_ecs_telemetry_dns_entry" {
 value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}"
 }
+output "vpc_endpoint_sns_id" {
+ description = "The ID of VPC endpoint for SNS"
+ value = concat(aws_vpc_endpoint.sns.*.id, [""])[0]
+}
+
+output "vpc_endpoint_sns_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for SNS."
+ value = flatten(aws_vpc_endpoint.sns.*.network_interface_ids)
+}
+
+output "vpc_endpoint_sns_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for SNS."
+ value = flatten(aws_vpc_endpoint.sns.*.dns_entry)
+}
+
+output "vpc_endpoint_monitoring_id" {
+ description = "The ID of VPC endpoint for CloudWatch Monitoring"
+ value = concat(aws_vpc_endpoint.monitoring.*.id, [""])[0]
+}
+
+output "vpc_endpoint_monitoring_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring."
+ value = flatten(aws_vpc_endpoint.monitoring.*.network_interface_ids)
+}
+
+output "vpc_endpoint_monitoring_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CloudWatch Monitoring."
+ value = flatten(aws_vpc_endpoint.monitoring.*.dns_entry)
+}
+
+output "vpc_endpoint_logs_id" {
+ description = "The ID of VPC endpoint for CloudWatch Logs"
+ value = concat(aws_vpc_endpoint.logs.*.id, [""])[0]
+}
+
+output "vpc_endpoint_logs_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CloudWatch Logs."
+ value = flatten(aws_vpc_endpoint.logs.*.network_interface_ids)
+}
+
+output "vpc_endpoint_logs_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CloudWatch Logs."
+ value = flatten(aws_vpc_endpoint.logs.*.dns_entry)
+}
+
+output "vpc_endpoint_events_id" {
+ description = "The ID of VPC endpoint for CloudWatch Events"
+ value = concat(aws_vpc_endpoint.events.*.id, [""])[0]
+}
+
+output "vpc_endpoint_events_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CloudWatch Events."
+ value = flatten(aws_vpc_endpoint.events.*.network_interface_ids)
+}
+
+output "vpc_endpoint_events_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CloudWatch Events."
+ value = flatten(aws_vpc_endpoint.events.*.dns_entry)
+}
+
+output "vpc_endpoint_elasticloadbalancing_id" {
+ description = "The ID of VPC endpoint for Elastic Load Balancing"
+ value = concat(aws_vpc_endpoint.elasticloadbalancing.*.id, [""])[0]
+}
+
+output "vpc_endpoint_elasticloadbalancing_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for Elastic Load Balancing."
+ value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.network_interface_ids)
+}
+
+output "vpc_endpoint_elasticloadbalancing_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for Elastic Load Balancing."
+ value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.dns_entry)
+}
+
+output "vpc_endpoint_cloudtrail_id" {
+ description = "The ID of VPC endpoint for CloudTrail"
+ value = concat(aws_vpc_endpoint.cloudtrail.*.id, [""])[0]
+}
+
+output "vpc_endpoint_cloudtrail_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CloudTrail."
+ value = flatten(aws_vpc_endpoint.cloudtrail.*.network_interface_ids)
+}
+
+output "vpc_endpoint_cloudtrail_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CloudTrail."
+ value = flatten(aws_vpc_endpoint.cloudtrail.*.dns_entry)
+}
+
 # Static values (arguments)
 output "azs" {
 description = "A list of availability zones specified as argument to this module"
diff --git a/variables.tf b/variables.tf
index de3106f28..e063fe2cb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -502,6 +502,150 @@ variable "ecs_telemetry_endpoint_private_dns_enabled" {
 default = false
 }
+variable "enable_sns_endpoint" {
+ description = "Should be true if you want to provision a SNS endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "sns_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for SNS endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "sns_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "sns_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_monitoring_endpoint" {
+ description = "Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "monitoring_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "monitoring_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "monitoring_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_elasticloadbalancing_endpoint" {
+ description = "Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "elasticloadbalancing_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "elasticloadbalancing_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "elasticloadbalancing_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_events_endpoint" {
+ description = "Should be true if you want to provision a CloudWatch Events endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "events_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "events_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "events_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_logs_endpoint" {
+ description = "Should be true if you want to provision a CloudWatch Logs endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "logs_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "logs_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "logs_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_cloudtrail_endpoint" {
+ description = "Should be true if you want to provision a CloudTrail endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "cloudtrail_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CloudTrail endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "cloudtrail_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "cloudtrail_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint"
+ type = bool
+ default = false
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 type = bool
From 615fb5cf609a5b28f087d7198f04755f0190a7a4 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Mon, 27 May 2019 09:07:10 -0700
Subject: [PATCH 66/81] Updated CHANGELOG
---
 CHANGELOG.md | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42db54527..19d5de28e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,17 @@
+
+## [v2.1.0] - 2019-05-27
+
+- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
+- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
+
+
 ## [v2.0.0] - 2019-05-24
+- Updated CHANGELOG
 - Fixed merge conflicts
 - Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
@@ -539,7 +547,8 @@
 - Initial commit
-[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.0.0...HEAD
+[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.1.0...HEAD
+[v2.1.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.0.0...v2.1.0
 [v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.66.0...v2.0.0
 [v1.66.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.65.0...v1.66.0
 [v1.65.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.64.0...v1.65.0
From 1a5a5a52718fab9da7af02b5e933d3e62d11ffcf Mon Sep 17 00:00:00 2001
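Review bot: The descriptions of `enable_sns_endpoint` and `enable_elasticloadbalancing_endpoint` in the variables.tf hunk read `a SNS endpoint` and `a Elastic Load Balancing endpoint`; `an SNS endpoint` and `an Elastic Load Balancing endpoint` would match the article the other four `enable_*_endpoint` descriptions use, and these strings are what `terraform-docs` copies into the README table. The rest of the hunk follows the existing four-variable-per-service pattern exactly, so nothing else stands out here beyond the default-value caveats already raised on the main.tf hunk.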
From: Anton Babenko
Date: Tue, 28 May 2019 08:48:43 -0700
Subject: [PATCH 67/81] Updated Terraform versions in README
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 0f3be4eee..374759a45 100644
--- a/README.md
+++ b/README.md
@@ -32,9 +32,9 @@ Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft
 ## Terraform versions
-For Terraform 0.12 use version `v2.*` of this module.
+Terraform 0.12. Pin module version to `~> v2.0`. Submit pull-requests to `master` branch.
-If you are using Terraform 0.11 you can use versions `v1.*`.
+Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraform011` branch.
 ## Usage
@@ -85,14 +85,14 @@ module "vpc" {
 enable_nat_gateway = true
 single_nat_gateway = false
- reuse_nat_ips = true # <= Skip creation of EIPs for the NAT Gateways
- external_nat_ip_ids = ["${aws_eip.nat.*.id}"] # <= IPs specified here as input to the module
+ reuse_nat_ips = true # <= Skip creation of EIPs for the NAT Gateways
+ external_nat_ip_ids = "${aws_eip.nat.*.id}" # <= IPs specified here as input to the module
 }
 ```
 Note that in the example we allocate 3 IPs because we will be provisioning 3 NAT Gateways (due to `single_nat_gateway = false` and having 3 subnets). If, on the other hand, `single_nat_gateway = true`, then `aws_eip.nat` would only need to allocate 1 IP.
-Passing the IPs into the module is done by setting two variables `reuse_nat_ips = true` and `external_nat_ip_ids = ["${aws_eip.nat.*.id}"]`.
+Passing the IPs into the module is done by setting two variables `reuse_nat_ips = true` and `external_nat_ip_ids = "${aws_eip.nat.*.id}"`.
 ## NAT Gateway Scenarios
From c28b5af13eb428ac663038e8ab0631b74d19b323 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Tue, 28 May 2019 08:49:02 -0700
Subject: [PATCH 68/81] Updated CHANGELOG
---
 CHANGELOG.md | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19d5de28e..8f830f44e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,16 @@
+
+## [v2.2.0] - 2019-05-28
+
+- Updated Terraform versions in README
+
+
 ## [v2.1.0] - 2019-05-27
+- Updated CHANGELOG
 - Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
 - Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
@@ -463,13 +470,13 @@
 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33)
-
-## [v1.5.0] - 2017-11-23
+
+## [v1.5.1] - 2017-11-23
-
-## [v1.5.1] - 2017-11-23
+
+## [v1.5.0] - 2017-11-23
 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33)
 - Set enable_dns_support=true by default
@@ -547,7 +554,8 @@
 - Initial commit
-[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.1.0...HEAD
+[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.2.0...HEAD
+[v2.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.1.0...v2.2.0
 [v2.1.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.0.0...v2.1.0
 [v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.66.0...v2.0.0
 [v1.66.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.65.0...v1.66.0
@@ -615,9 +623,9 @@
 [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0
 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0
 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0
-[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1
-[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1
-[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0
+[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1
+[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0
+[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1
 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0
 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0
 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0
From b253c94c6774270b100d419102de5d5d9c425c00 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Tue, 4 Jun 2019 21:11:05 +0200
Subject: [PATCH 69/81] Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index e711af12b..650ea43c9 100644
--- a/main.tf
+++ b/main.tf
@@ -248,7 +248,7 @@ resource "aws_route_table" "intra" {
 # Public subnet
 ################
 resource "aws_subnet" "public" {
- count = var.create_vpc && length(var.public_subnets) > 0 && false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs) ? length(var.public_subnets) : 0
+ count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets)) >= length(var.azs) ? length(var.public_subnets) : 0
 vpc_id = local.vpc_id
 cidr_block = element(concat(var.public_subnets, [""]), count.index)
@@ -1382,7 +1382,7 @@ resource "aws_vpn_gateway_attachment" "this" {
 }
 resource "aws_vpn_gateway_route_propagation" "public" {
- count = var.create_vpc && var.propagate_public_route_tables_vgw && var.enable_vpn_gateway || var.vpn_gateway_id != "" ? 1 : 0
+ count = var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0
 route_table_id = element(aws_route_table.public.*.id, count.index)
 vpn_gateway_id = element(
@@ -1395,7 +1395,7 @@ resource "aws_vpn_gateway_route_propagation" "public" {
 }
 resource "aws_vpn_gateway_route_propagation" "private" {
- count = var.create_vpc && var.propagate_private_route_tables_vgw && var.enable_vpn_gateway || var.vpn_gateway_id != "" ? length(var.private_subnets) : 0
+ count = var.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0
 route_table_id = element(aws_route_table.private.*.id, count.index)
 vpn_gateway_id = element(
From 06e592066e965d17219943ae9328fa9e20ce5c18 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Tue, 4 Jun 2019 21:12:10 +0200
Subject: [PATCH 70/81] Updated CHANGELOG
---
 CHANGELOG.md | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f830f44e..4910fd0cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
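Review bot: The new parentheses on the `aws_subnet.public` count line group `false == var.one_nat_gateway_per_az || length(var.public_subnets)` and only then compare the result with `length(var.azs)`, so `||` now receives a bool on the left and a number on the right, which Terraform 0.12 rejects when the expression is evaluated; the grouping that matches the old precedence and the apparent intent is `(false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs))`, i.e. `count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0`. The two `aws_vpn_gateway_route_propagation` hunks below place their parentheses correctly and are not affected. The following commit in this series is titled "Fixed broken 2.3.0" and touches main.tf, which presumably addresses this line, but its hunk is outside this view so that remains an inference. The `aws_subnet.public` body continues past the end of the hunk.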
@@ -3,9 +3,16 @@ + +## [v2.3.0] - 2019-06-04 + +- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12) + + ## [v2.2.0] - 2019-05-28 +- Updated CHANGELOG - Updated Terraform versions in README @@ -470,13 +477,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -554,7 +561,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.2.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.3.0...HEAD +[v2.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.2.0...v2.3.0 [v2.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.1.0...v2.2.0 [v2.1.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.0.0...v2.1.0 [v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.66.0...v2.0.0 
@@ -623,9 +631,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 From 19081397f0d9f43fb51b16c7436a2487da509e9d Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Wed, 5 Jun 2019 09:02:21 +0200 Subject: [PATCH 71/81] Fixed broken 2.3.0 --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 650ea43c9..456a6bb0c 100644 --- a/main.tf +++ b/main.tf 
@@ -248,7 +248,7 @@ resource "aws_route_table" "intra" { # Public subnet ################ resource "aws_subnet" "public" { - count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets)) >= length(var.azs) ? length(var.public_subnets) : 0 + count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0 vpc_id = local.vpc_id cidr_block = element(concat(var.public_subnets, [""]), count.index) From 458d5ecf406e1612cf63c502b891ea6fe793ce07 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Wed, 5 Jun 2019 09:02:38 +0200 Subject: [PATCH 72/81] Updated CHANGELOG --- CHANGELOG.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4910fd0cc..2491af624 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,16 @@ + +## [v2.4.0] - 2019-06-05 + +- Fixed broken 2.3.0 + + ## [v2.3.0] - 2019-06-04 +- Updated CHANGELOG - Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12) @@ -561,7 +568,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.3.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.4.0...HEAD +[v2.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.3.0...v2.4.0 [v2.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.2.0...v2.3.0 [v2.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.1.0...v2.2.0 [v2.1.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.0.0...v2.1.0 From de1fda12d8472c7fa90d0a594377506abe5fafef Mon Sep 17 00:00:00 2001 
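Review bot: The corrected `count` expression now encodes a non-obvious constraint with nothing saying why, so the next reader has to re-derive it from the boolean algebra; a one-line comment above it would help, e.g. `# With one_nat_gateway_per_az set, public subnets are only created when there is at least one per AZ.` Writing the first operand as `!var.one_nat_gateway_per_az` instead of `false == var.one_nat_gateway_per_az` would also read more naturally. The rest of the `aws_subnet.public` body is outside the hunk.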
From: Anton Babenko Date: Wed, 5 Jun 2019 10:33:27 +0200 Subject: [PATCH 73/81] Updated CHANGELOG --- CHANGELOG.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2491af624..203921adf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,15 @@ + +## [v2.5.0] - 0001-01-01 + + + ## [v2.4.0] - 2019-06-05 +- Updated CHANGELOG - Fixed broken 2.3.0 @@ -484,13 +490,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -568,7 +574,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.4.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...HEAD +[v2.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.4.0...v2.5.0 [v2.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.3.0...v2.4.0 [v2.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.2.0...v2.3.0 [v2.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.1.0...v2.2.0 
@@ -639,9 +646,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 From 5b3e48d6fa934167895de9881c437bcb8a1f0053 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Thu, 6 Jun 2019 10:48:15 +0300 Subject: [PATCH 74/81] Update tflint to 0.8.2 for circleci task (#280) --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 3cff84f58..e8c4b96b0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -24,7 +24,7 @@ jobs:
 command: if [[ -n "$(terraform fmt -write=false)" ]]; then echo "Some terraform files need be formatted, run 'terraform fmt' to fix"; exit 1; fi
 - run:
 name: Install tflint
- command: curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.4.2/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
+ command: curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.8.2/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
 - run:
 name: Check Terraform configurations with tflint
 command: tflint
From ef915dc8771361d9c630a8e4d92e0e7929cb4097 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Thu, 13 Jun 2019 17:50:53 +0200
Subject: [PATCH 75/81] Updated VPC endpoint example (fixed #249)
---
 examples/issue-224-vpcendpoint-apigw/main.tf | 25 ++++++++++++++++----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/examples/issue-224-vpcendpoint-apigw/main.tf b/examples/issue-224-vpcendpoint-apigw/main.tf
index 2ae222af1..d91c10334 100644
--- a/examples/issue-224-vpcendpoint-apigw/main.tf
+++ b/examples/issue-224-vpcendpoint-apigw/main.tf
@@ -2,24 +2,39 @@ provider "aws" { region = "us-east-1" } -data "aws_security_group" "default" { - name = "default" - vpc_id = module.vpc.vpc_id +################# +# Security group +################# +module "http_sg" { + source = "terraform-aws-modules/security-group/aws//modules/http-80" + version = "~> 3.0" + + name = "http-sg" + description = "Security group with HTTP ports open for everybody (IPv4 CIDR), egress ports are all world open" + vpc_id = module.vpc.vpc_id + + ingress_cidr_blocks = ["0.0.0.0/0"] } +###### +# VPC +###### module "vpc" { source = "../../" - name = "complete-example" + name = "vpcendpoint-example" cidr = "10.15.0.0/16" azs = ["us-east-1a"] private_subnets = ["10.15.1.0/24"] + enable_dns_hostnames = true + enable_dns_support = true + # VPC endpoint for API gateway enable_apigw_endpoint = true - apigw_endpoint_security_group_ids = [data.aws_security_group.default.id] + apigw_endpoint_security_group_ids = [module.http_sg.this_security_group_id] apigw_endpoint_private_dns_enabled = true tags = { From d72689bf4df1eac47ca7bd3a40a70faebb1b06cd Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 13 Jun 2019 17:51:29 +0200 Subject: [PATCH 76/81] Updated CHANGELOG --- CHANGELOG.md | 48 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 203921adf..8f7300769 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
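Review bot: The security group handed to `apigw_endpoint_security_group_ids` is built from the `http-80` submodule with `ingress_cidr_blocks = ["0.0.0.0/0"]`, so it admits TCP/80 from any source, while an API Gateway interface endpoint is reached over HTTPS on 443; as far as the example shows, that leaves no rule for the port the endpoint actually serves, and the rule that is open is wider than the VPC it sits in. The same module family provides an `https-443` submodule; using it and limiting ingress to the example's own VPC range, `ingress_cidr_blocks = ["10.15.0.0/16"]`, gives a group that matches both the protocol and the trust boundary. The `description` string should then be updated as well, since it currently advertises HTTP open to everybody.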
@@ -3,9 +3,37 @@ + +## [v2.6.0] - 2019-06-13 + +- Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249)) +- Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280)) +- Updated CHANGELOG +- Updated CHANGELOG +- Fixed broken 2.3.0 +- Updated CHANGELOG +- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12) +- Updated CHANGELOG +- Updated Terraform versions in README +- Updated CHANGELOG +- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269)) +- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270)) +- Updated CHANGELOG +- Fixed merge conflicts +- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266)) + + + +## [v1.67.0] - 2019-06-13 + +- Updated CHANGELOG +- Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274)) + + -## [v2.5.0] - 0001-01-01 +## [v2.5.0] - 2019-06-05 +- Updated CHANGELOG @@ -490,13 +518,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default 
@@ -574,7 +602,9 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...HEAD +[v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.67.0...v2.6.0 +[v1.67.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...v1.67.0 [v2.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.4.0...v2.5.0 [v2.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.3.0...v2.4.0 [v2.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.2.0...v2.3.0 @@ -646,9 +676,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 From 99b5eb887fcdd6588b73ccc261e2bfd402289cb1 Mon Sep 17 00:00:00 2001 
From: Anton Babenko Date: Mon, 17 Jun 2019 12:52:21 +0200 Subject: [PATCH 77/81] Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 (#288) --- .pre-commit-config.yaml | 4 +- README.md | 346 ++++++++++++++++++++-------------------- 2 files changed, 178 insertions(+), 172 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1439c3f4f..e005ca260 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,9 +1,9 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.11.0 + rev: v1.13.0 hooks: - id: terraform_fmt -# - id: terraform_docs # not yet compatible with Terraform 0.12 + - id: terraform_docs - repo: git://github.com/pre-commit/pre-commit-hooks rev: v2.2.3 hooks: diff --git a/README.md b/README.md index 374759a45..b69e66985 100644 --- a/README.md +++ b/README.md 
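Review bot: `rev: v1.13.0` pins the hook repository to a tag, and the `repo:` line above it fetches that repository over `git://`, a transport with no server authentication; together they mean the hook code run on every commit is whatever those two mutable, unverified sources serve at the time. Pinning `rev:` to the release commit SHA (`rev: <commit-sha-of-v1.13.0>`, to be looked up) and switching the URL to `https://github.com/antonbabenko/pre-commit-terraform` would fix the content at a specific revision and fetch it over an authenticated channel. The same applies to the `pre-commit-hooks` entry in the context lines below it.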
@@ -205,176 +205,182 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no | -| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | string | `"false"` | no | -| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list | `[]` | no | -| apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `"false"` | no | -| azs | A list of availability zones in the region | list | `[]` | no | +| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | bool | `"false"` | no | +| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list(string) | `[]` | no | +| apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. 
You cannot specify the range of IP addresses, or the size of the CIDR block | bool | `"false"` | no | +| azs | A list of availability zones in the region | list(string) | `[]` | no | | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | -| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no | -| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `"false"` | no | -| create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no | -| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | string | `"false"` | no | -| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | string | `"true"` | no | -| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | string | `"false"` | no | -| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `"true"` | no | -| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `"false"` | no | -| create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `"true"` | no | -| database\_acl\_tags | Additional tags for the database subnets network ACL | map | `{}` | no | -| database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | string | `"false"` | no | -| database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, 
"to_port": 0 } ]` | no | -| database\_outbound\_acl\_rules | Database subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | -| database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | -| database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no | +| cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | bool | `"false"` | no | +| cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list(string) | `[]` | no | +| cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | +| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | bool | `"false"` | no | +| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool | `"false"` | no | +| create\_database\_subnet\_group | Controls if database subnet group should be created | bool | `"true"` | no | +| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | bool | `"false"` | no | +| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | bool | `"true"` | no | +| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | bool | `"false"` | no | +| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | bool | `"true"` | no | +| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | bool | `"false"` | no | +| create\_vpc | Controls if VPC should be created (it affects almost all resources) | bool | `"true"` | no | +| database\_acl\_tags | Additional tags for the database subnets network ACL | map(string) | `{}` | no | +| database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | `"false"` | no | +| database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| database\_outbound\_acl\_rules | Database subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| database\_route\_table\_tags | Additional 
tags for the database route tables | map(string) | `{}` | no | +| database\_subnet\_group\_tags | Additional tags for the database subnet group | map(string) | `{}` | no | | database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no | -| database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no | -| database\_subnets | A list of database subnets | list | `[]` | no | -| default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | list | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | -| default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | list | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | +| database\_subnet\_tags | Additional tags for the database subnets | map(string) | `{}` | no | +| database\_subnets | A list of database subnets | list(string) | `[]` | no | +| default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | list(map(string)) | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | +| default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, 
"to_port": 0 } ]` | no | | default\_network\_acl\_name | Name to be used on the Default Network ACL | string | `""` | no | -| default\_network\_acl\_tags | Additional tags for the Default Network ACL | map | `{}` | no | -| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `"false"` | no | -| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `"false"` | no | -| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | +| default\_network\_acl\_tags | Additional tags for the Default Network ACL | map(string) | `{}` | no | +| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | bool | `"false"` | no | +| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | bool | `"false"` | no | +| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | bool | `"true"` | no | | default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no | -| default\_vpc\_tags | Additional tags for the Default VPC | map | `{}` | no | +| default\_vpc\_tags | Additional tags for the Default VPC | map(string) | `{}` | no | | dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no | -| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | list | `[ "AmazonProvidedDNS" ]` | no | -| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list | `[]` | no | +| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | 
list(string) | `[ "AmazonProvidedDNS" ]` | no | +| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | `[]` | no | | dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no | -| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list | `[]` | no | -| dhcp\_options\_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map | `{}` | no | -| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | string | `"false"` | no | -| ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list | `[]` | no | -| ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | string | `"false"` | no | -| ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list | `[]` | no | -| ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | -| ecr\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | string | `"false"` | no | -| ecr\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint | list | `[]` | no | -| ecr\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | list | `[]` | no | -| ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | string | `"false"` | no | -| ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list | `[]` | no | -| ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list | `[]` | no | -| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | string | `"false"` | no | -| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list | `[]` | no | -| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no |
-| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | string | `"false"` | no |
-| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list | `[]` | no |
-| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no |
-| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no |
-| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | string | `"false"` | no |
-| sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list | `[]` | no |
-| sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | string | `"false"` | no |
-| cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list | `[]` | no |
-| cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | string | `"false"` | no |
-| elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list | `[]` | no |
-| elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | string | `"false"` | no |
-| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list | `[]` | no |
-| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | string | `"false"` | no |
-| events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list | `[]` | no |
-| events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | string | `"false"` | no |
-| monitoring\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | list | `[]` | no |
-| monitoring\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map | `{}` | no |
-| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | string | `"false"` | no |
-| elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| elasticache\_outbound\_acl\_rules | Elasticache subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no |
+| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | `[]` | no |
+| dhcp\_options\_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map(string) | `{}` | no |
+| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | bool | `"false"` | no |
+| ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list(string) | `[]` | no |
+| ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | bool | `"false"` | no |
+| ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list(string) | `[]` | no |
+| ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ecr\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | bool | `"false"` | no |
+| ecr\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint | list(string) | `[]` | no |
+| ecr\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | bool | `"false"` | no |
+| ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list(string) | `[]` | no |
+| ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | bool | `"false"` | no |
+| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list(string) | `[]` | no |
+| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | bool | `"false"` | no |
+| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list(string) | `[]` | no |
+| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | bool | `"false"` | no |
+| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list(string) | `[]` | no |
+| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map(string) | `{}` | no |
+| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | bool | `"false"` | no |
+| elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| elasticache\_outbound\_acl\_rules | Elasticache subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map(string) | `{}` | no |
 | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no |
-| elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no |
-| elasticache\_subnets | A list of elasticache subnets | list | `[]` | no |
-| enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | string | `"false"` | no |
-| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no |
-| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no |
-| enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no |
-| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `"false"` | no |
-| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `"false"` | no |
-| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no |
-| enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | string | `"false"` | no |
-| enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | string | `"false"` | no |
-| enable\_ecs\_agent\_endpoint | Should be true if you want to provision a ECS Agent endpoint to the VPC | string | `"false"` | no |
-| enable\_ecs\_endpoint | Should be true if you want to provision a ECS endpoint to the VPC | string | `"false"` | no |
-| enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | string | `"false"` | no |
-| enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | string | `"false"` | no |
-| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no |
-| enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no |
-| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no |
+| elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map(string) | `{}` | no |
+| elasticache\_subnets | A list of elasticache subnets | list(string) | `[]` | no |
+| elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | bool | `"false"` | no |
+| elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list(string) | `[]` | no |
+| elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | bool | `"false"` | no |
+| enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | bool | `"false"` | no |
+| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool | `"false"` | no |
+| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | bool | `"false"` | no |
+| enable\_dns\_support | Should be true to enable DNS support in the VPC | bool | `"true"` | no |
+| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | bool | `"false"` | no |
+| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | bool | `"false"` | no |
+| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | bool | `"false"` | no |
+| enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | bool | `"false"` | no |
+| enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | bool | `"false"` | no |
+| enable\_ecs\_agent\_endpoint | Should be true if you want to provision a ECS Agent endpoint to the VPC | bool | `"false"` | no |
+| enable\_ecs\_endpoint | Should be true if you want to provision a ECS endpoint to the VPC | bool | `"false"` | no |
+| enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no |
+| enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no |
+| enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no |
+| enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | `"false"` | no |
+| enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | bool | `"false"` | no |
+| enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | `"false"` | no |
+| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | `"false"` | no |
+| enable\_public\_redshift | Controls if redshift should have public routing table | bool | `"false"` | no |
+| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | bool | `"false"` | no |
+| enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | bool | `"false"` | no |
 | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no |
-| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no |
-| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no |
-| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no |
-| external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no |
-| igw\_tags | Additional tags for the internet gateway | map | `{}` | no |
+| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | bool | `"false"` | no |
+| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | bool | `"false"` | no |
+| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool | `"false"` | no |
+| events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | bool | `"false"` | no |
+| events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list(string) | `[]` | no |
+| events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | `[]` | no |
+| igw\_tags | Additional tags for the internet gateway | map(string) | `{}` | no |
 | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no |
-| intra\_acl\_tags | Additional tags for the intra subnets network ACL | map | `{}` | no |
-| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | string | `"false"` | no |
-| intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no |
+| intra\_acl\_tags | Additional tags for the intra subnets network ACL | map(string) | `{}` | no |
+| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | bool | `"false"` | no |
+| intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| intra\_route\_table\_tags | Additional tags for the intra route tables | map(string) | `{}` | no |
 | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no |
-| intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no |
-| intra\_subnets | A list of intra subnets | list | `[]` | no |
-| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | string | `"false"` | no |
-| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list | `[]` | no |
-| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | string | `"false"` | no |
-| manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no |
-| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no |
+| intra\_subnet\_tags | Additional tags for the intra subnets | map(string) | `{}` | no |
+| intra\_subnets | A list of intra subnets | list(string) | `[]` | no |
+| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | bool | `"false"` | no |
+| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list(string) | `[]` | no |
+| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | bool | `"false"` | no |
+| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list(string) | `[]` | no |
+| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | bool | `"false"` | no |
+| manage\_default\_vpc | Should be true to adopt and manage Default VPC | bool | `"false"` | no |
+| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | bool | `"true"` | no |
+| monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | bool | `"false"` | no |
+| monitoring\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | list(string) | `[]` | no |
+| monitoring\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | name | Name to be used on all the resources as identifier | string | `""` | no |
-| nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no |
-| nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no |
-| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `"false"` | no |
-| private\_acl\_tags | Additional tags for the private subnets network ACL | map | `{}` | no |
-| private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | string | `"false"` | no |
-| private\_inbound\_acl\_rules | Private subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| private\_outbound\_acl\_rules | Private subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no |
+| nat\_eip\_tags | Additional tags for the NAT EIP | map(string) | `{}` | no |
+| nat\_gateway\_tags | Additional tags for the NAT gateways | map(string) | `{}` | no |
+| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | bool | `"false"` | no |
+| private\_acl\_tags | Additional tags for the private subnets network ACL | map(string) | `{}` | no |
+| private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | bool | `"false"` | no |
+| private\_inbound\_acl\_rules | Private subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| private\_outbound\_acl\_rules | Private subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| private\_route\_table\_tags | Additional tags for the private route tables | map(string) | `{}` | no |
 | private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no |
-| private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no |
-| private\_subnets | A list of private subnets inside the VPC | list | `[]` | no |
-| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no |
-| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no |
-| public\_acl\_tags | Additional tags for the public subnets network ACL | map | `{}` | no |
-| public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | string | `"false"` | no |
-| public\_inbound\_acl\_rules | Public subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| public\_outbound\_acl\_rules | Public subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no |
+| private\_subnet\_tags | Additional tags for the private subnets | map(string) | `{}` | no |
+| private\_subnets | A list of private subnets inside the VPC | list(string) | `[]` | no |
+| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | bool | `"false"` | no |
+| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | bool | `"false"` | no |
+| public\_acl\_tags | Additional tags for the public subnets network ACL | map(string) | `{}` | no |
+| public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | bool | `"false"` | no |
+| public\_inbound\_acl\_rules | Public subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| public\_outbound\_acl\_rules | Public subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| public\_route\_table\_tags | Additional tags for the public route tables | map(string) | `{}` | no |
 | public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no |
-| public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no |
-| public\_subnets | A list of public subnets inside the VPC | list | `[]` | no |
-| redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | map | `{}` | no |
-| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | string | `"false"` | no |
-| redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| redshift\_outbound\_acl\_rules | Redshift subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no |
-| redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no |
+| public\_subnet\_tags | Additional tags for the public subnets | map(string) | `{}` | no |
+| public\_subnets | A list of public subnets inside the VPC | list(string) | `[]` | no |
+| redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | map(string) | `{}` | no |
+| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | bool | `"false"` | no |
+| redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| redshift\_outbound\_acl\_rules | Redshift subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
+| redshift\_route\_table\_tags | Additional tags for the redshift route tables | map(string) | `{}` | no |
+| redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map(string) | `{}` | no |
 | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no |
-| redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no |
-| redshift\_subnets | A list of redshift subnets | list | `[]` | no |
-| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no |
-| secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no |
-| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no |
+| redshift\_subnet\_tags | Additional tags for the redshift subnets | map(string) | `{}` | no |
+| redshift\_subnets | A list of redshift subnets | list(string) | `[]` | no |
+| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | `"false"` | no |
+| secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | `[]` | no |
+| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | `"false"` | no |
+| sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no |
+| sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no |
+| sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | `"false"` | no |
 | sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | `[]` | no |
 | sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no |
-| ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no |
-| ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no |
-| ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no |
-| ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| tags | A map of tags to add to all resources | map | `{}` | no |
-| vpc\_tags | Additional tags for the VPC | map | `{}` | no |
+| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | `"false"` | no |
+| ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | `[]` | no |
+| ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no |
+| ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no |
+| ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| tags | A map of tags to add to all resources | map(string) | `{}` | no |
+| vpc\_tags | Additional tags for the VPC | map(string) | `{}` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
-| vpn\_gateway\_tags | Additional tags for the VPN gateway | map | `{}` | no |
+| vpn\_gateway\_tags | Additional tags for the VPN gateway | map(string) | `{}` | no |
 ## Outputs
@@ -439,6 +445,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_apigw\_dns\_entry | The DNS entries for the VPC Endpoint for APIGW. |
 | vpc\_endpoint\_apigw\_id | The ID of VPC endpoint for APIGW |
 | vpc\_endpoint\_apigw\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for APIGW. |
+| vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
+| vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail |
+| vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
 | vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB |
 | vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. |
 | vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. |
@@ -462,11 +471,26 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
 | vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry |
 | vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
+| vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
+| vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
+| vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
+| vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
+| vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
+| vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
 | vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. |
 | vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS |
 | vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. |
+| vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
+| vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs |
+| vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
+| vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
+| vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
+| vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
 | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
 | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
+| vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
+| vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
+| vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
 | vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. |
 | vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS |
 | vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. |
@@ -476,24 +500,6 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
 | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
-| vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
-| vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
-| vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
-| vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
-| vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail |
-| vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
-| vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
-| vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
-| vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
-| vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
-| vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
-| vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
-| vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
-| vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs |
-| vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
-| vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
-| vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
-| vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
 | vpc\_id | The ID of the VPC |
 | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
 | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
From 31de3d0a08d5d1ef7849f7eb4d2c6280bb202e44 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Mon, 17 Jun 2019 12:52:35 +0200
Subject: [PATCH 78/81] Updated CHANGELOG

---
 CHANGELOG.md | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f7300769..8578537b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,16 @@ + +## [v2.7.0] - 2019-06-17 + +- Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288)) + + ## [v2.6.0] - 2019-06-13 +- Updated CHANGELOG - Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249)) - Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280)) - Updated CHANGELOG
@@ -518,13 +525,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default
@@ -602,7 +609,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...HEAD +[v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...v2.7.0 [v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.67.0...v2.6.0 [v1.67.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...v1.67.0 [v2.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.4.0...v2.5.0 @@ -676,9 +684,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 From 039bddc8c2fe63bb28d8e64f4160d2c7153dff4e Mon Sep 17 00:00:00 2001 From: Sebastian Geidies Date: Fri, 6 Jul 2018 15:13:53 +0200 Subject: [PATCH 79/81] Enable backwards compatibility --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore
index f3bc35109..c536226f1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 terraform.tfstate
 terraform.tfvars
 Gemfile.lock
+.idea
From fb7731be2d3a36820a2771958edbd970186a9725 Mon Sep 17 00:00:00 2001
From: "ugur.guneri"
Date: Mon, 3 May 2021 16:15:10 +0200
Subject: [PATCH 80/81] KAN-380 terraform 0.12 upgrade

---
 .terraform-version | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .terraform-version

diff --git a/.terraform-version b/.terraform-version
new file mode 100644
index 000000000..0801881ee
--- /dev/null
+++ b/.terraform-version
@@ -0,0 +1 @@
+0.12.11
From b948883e575fb433f8b15705b1f0b0a6996eca6f Mon Sep 17 00:00:00 2001
From: "ugur.guneri"
Date: Thu, 6 May 2021 12:33:06 +0200
Subject: [PATCH 81/81] enable backwards compatibility

---
 main.tf    | 20 ++++++++++----------
 outputs.tf | 20 ++++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/main.tf b/main.tf
index 456a6bb0c..0d1705d55 100644
--- a/main.tf
+++ b/main.tf
@@ -11,7 +11,7 @@ locals {
   vpc_id = element(
     concat(
       aws_vpc_ipv4_cidr_block_association.this.*.vpc_id,
-      aws_vpc.this.*.id,
+      aws_vpc.mod.*.id,
       [""],
     ),
     0,
@@ -21,7 +21,7 @@ locals {
 ######
 # VPC
 ######
-resource "aws_vpc" "this" {
+resource "aws_vpc" "mod" {
   count = var.create_vpc ? 1 : 0
 
   cidr_block = var.cidr
@@ -42,7 +42,7 @@ resource "aws_vpc" "this" {
 resource "aws_vpc_ipv4_cidr_block_association" "this" {
   count = var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0
 
-  vpc_id = aws_vpc.this[0].id
+  vpc_id = aws_vpc.mod[0].id
   cidr_block = element(var.secondary_cidr_blocks, count.index)
 }
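Review bot: Renaming `resource "aws_vpc" "this"` to `"mod"` in the `@@ -21` hunk changes the resource address, and with the repository now pinned to Terraform 0.12.11 (the `.terraform-version` added in the previous patch) there is no `moved` block, so on any state written by the current module a plan will destroy `aws_vpc.this[0]` and create `aws_vpc.mod[0]`, which replaces the VPC and, through the id, every subnet, NACL, route table and endpoint that references it. If the intent is to adopt state written by an older module revision that used `aws_vpc.mod`, neither the commit message nor the code says so; a comment above the resource such as `# Named "mod" so existing state addressed as aws_vpc.mod is adopted without replacement; renaming requires a state move first` plus a README/CHANGELOG note telling users currently on `aws_vpc.this` to run `terraform state mv` before applying would keep an upgrade from silently recreating the network. The rename is also partial: `aws_vpc_ipv4_cidr_block_association.this` and every other resource keep the `this` label, so `mod` is now the single exception to the module's naming. The same rename recurs in the remaining main.tf hunks and in both outputs.tf hunks below, which inherit the same concern.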
@@ -429,7 +429,7 @@ resource "aws_subnet" "intra" {
 resource "aws_default_network_acl" "this" {
   count = var.create_vpc && var.manage_default_network_acl ? 1 : 0
 
-  default_network_acl_id = element(concat(aws_vpc.this.*.default_network_acl_id, [""]), 0)
+  default_network_acl_id = element(concat(aws_vpc.mod.*.default_network_acl_id, [""]), 0)
 
   dynamic "ingress" {
     for_each = var.default_network_acl_ingress
@@ -479,7 +479,7 @@ resource "aws_default_network_acl" "this" {
 resource "aws_network_acl" "public" {
   count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0
 
-  vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
+  vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
   subnet_ids = aws_subnet.public.*.id
 
   tags = merge(
@@ -525,7 +525,7 @@ resource "aws_network_acl_rule" "public_outbound" {
 resource "aws_network_acl" "private" {
   count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0
 
-  vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
+  vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
   subnet_ids = aws_subnet.private.*.id
 
   tags = merge(
@@ -571,7 +571,7 @@ resource "aws_network_acl_rule" "private_outbound" {
 resource "aws_network_acl" "intra" {
   count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0
 
-  vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
+  vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
   subnet_ids = aws_subnet.intra.*.id
 
   tags = merge(
@@ -617,7 +617,7 @@ resource "aws_network_acl_rule" "intra_outbound" {
 resource "aws_network_acl" "database" {
   count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0
 
-  vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
+  vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
   subnet_ids = aws_subnet.database.*.id
 
   tags = merge(
@@ -663,7 +663,7 @@ resource "aws_network_acl_rule" "database_outbound" {
 resource "aws_network_acl" "redshift" {
   count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0
 
-  vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
+  vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
   subnet_ids = aws_subnet.redshift.*.id
 
   tags = merge(
@@ -709,7 +709,7 @@ resource "aws_network_acl_rule" "redshift_outbound" {
 resource "aws_network_acl" "elasticache" {
   count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0
 
-  vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
+  vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
   subnet_ids = aws_subnet.elasticache.*.id
 
   tags = merge(
diff --git a/outputs.tf b/outputs.tf
index 71164fcd6..cbeedb2d9 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,46 +1,46 @@
 output "vpc_id" {
   description = "The ID of the VPC"
-  value = concat(aws_vpc.this.*.id, [""])[0]
+  value = concat(aws_vpc.mod.*.id, [""])[0]
 }
 
 output "vpc_arn" {
   description = "The ARN of the VPC"
-  value = concat(aws_vpc.this.*.arn, [""])[0]
+  value = concat(aws_vpc.mod.*.arn, [""])[0]
 }
 
 output "vpc_cidr_block" {
   description = "The CIDR block of the VPC"
-  value = concat(aws_vpc.this.*.cidr_block, [""])[0]
+  value = concat(aws_vpc.mod.*.cidr_block, [""])[0]
 }
 
 output "default_security_group_id" {
   description = "The ID of the security group created by default on VPC creation"
-  value = concat(aws_vpc.this.*.default_security_group_id, [""])[0]
+  value = concat(aws_vpc.mod.*.default_security_group_id, [""])[0]
 }
 
 output "default_network_acl_id" {
   description = "The ID of the default network ACL"
-  value = concat(aws_vpc.this.*.default_network_acl_id, [""])[0]
+  value = concat(aws_vpc.mod.*.default_network_acl_id, [""])[0]
 }
 
 output "default_route_table_id" {
   description = "The ID of the default route table"
-  value = concat(aws_vpc.this.*.default_route_table_id, [""])[0]
+  value = concat(aws_vpc.mod.*.default_route_table_id, [""])[0]
 }
 
 output "vpc_instance_tenancy" {
   description = "Tenancy of instances spin up within VPC"
-  value = concat(aws_vpc.this.*.instance_tenancy, [""])[0]
+  value = concat(aws_vpc.mod.*.instance_tenancy, [""])[0]
 }
 
 output "vpc_enable_dns_support" {
   description = "Whether or not the VPC has DNS support"
-  value = concat(aws_vpc.this.*.enable_dns_support, [""])[0]
+  value = concat(aws_vpc.mod.*.enable_dns_support, [""])[0]
 }
 
 output "vpc_enable_dns_hostnames" {
   description = "Whether or not the VPC has DNS hostname support"
-  value = concat(aws_vpc.this.*.enable_dns_hostnames, [""])[0]
+  value = concat(aws_vpc.mod.*.enable_dns_hostnames, [""])[0]
 }
 
 //output "vpc_enable_classiclink" {
@@ -50,7 +50,7 @@ output "vpc_enable_dns_hostnames" {
 
 output "vpc_main_route_table_id" {
   description = "The ID of the main route table associated with this VPC"
-  value = concat(aws_vpc.this.*.main_route_table_id, [""])[0]
+  value = concat(aws_vpc.mod.*.main_route_table_id, [""])[0]
 }
 
 //output "vpc_ipv6_association_id" {