diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index e8c4b96b0..000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-version: 2
-
-terraform: &terraform
- docker:
- - image: hashicorp/terraform:0.12.0
- working_directory: /tmp/workspace/terraform
-
-jobs:
- validate:
- <<: *terraform
- steps:
- - checkout
-# - run:
-# name: Add github.com to ~/.ssh/known_hosts
-# command: mkdir ~/.ssh && ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
- - run:
- name: terraform init
- command: terraform init -input=false
- - run:
- name: Validate Terraform configurations
- command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (terraform validate -check-variables=false "$m" && echo "√ $m") || exit 1 ; done
- - run:
- name: Check if Terraform configurations are properly formatted
- command: if [[ -n "$(terraform fmt -write=false)" ]]; then echo "Some terraform files need be formatted, run 'terraform fmt' to fix"; exit 1; fi
- - run:
- name: Install tflint
- command: curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.8.2/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
- - run:
- name: Check Terraform configurations with tflint
- command: tflint
- - persist_to_workspace:
- root: .
- paths: .
-
-workflows:
- version: 2
- build:
- jobs:
- - validate
-# - plan_examples
-# - approve
-# - release
diff --git a/.editorconfig b/.editorconfig
index 71f67183a..88cb25190 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -27,4 +27,4 @@ tab_width = 2
indent_style = tab
[COMMIT_EDITMSG]
-max_line_length = 0
\ No newline at end of file
+max_line_length = 0
diff --git a/.github/contributing.md b/.github/contributing.md
new file mode 100644
index 000000000..b7c27a5cc
--- /dev/null
+++ b/.github/contributing.md
@@ -0,0 +1,34 @@
+# Contributing
+
+When contributing to this repository, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Pull Request Process
+
+1. Update the README.md with details of changes including example hcl blocks and [example files](./examples) if appropriate.
+2. Run pre-commit hooks `pre-commit run -a`.
+3. Once all outstanding comments and checklist items have been addressed, your contribution will be merged! Merged PRs will be included in the next release. The terraform-aws-vpc maintainers take care of updating the CHANGELOG as they merge.
+
+## Checklists for contributions
+
+- [ ] Add [semantics prefix](#semantic-pull-requests) to your PR or Commits (at least one of your commit groups)
+- [ ] CI tests are passing
+- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-vpc/#doc-generation
+- [ ] Run pre-commit hooks `pre-commit run -a`
+
+## Semantic Pull Requests
+
+To generate changelog, Pull Requests or Commits must have semantic and must follow conventional specs below:
+
+- `feat:` for new features
+- `fix:` for bug fixes
+- `improvement:` for enhancements
+- `docs:` for documentation and examples
+- `refactor:` for code refactoring
+- `test:` for tests
+- `ci:` for CI purpose
+- `chore:` for chores stuff
+
+The `chore` prefix skipped during changelog generation. It can be used for `chore: update changelog` commit message by example.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 000000000..b8f1b8a5a
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,78 @@
+name: Pre-Commit
+
+on:
+ pull_request:
+ branches:
+ - main
+ - master
+
+env:
+ TERRAFORM_DOCS_VERSION: v0.16.0
+
+jobs:
+ collectInputs:
+ name: Collect workflow inputs
+ runs-on: ubuntu-latest
+ outputs:
+ directories: ${{ steps.dirs.outputs.directories }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Get root directories
+ id: dirs
+ uses: clowdhaus/terraform-composite-actions/directories@v1.3.0
+
+ preCommitMinVersions:
+ name: Min TF pre-commit
+ needs: collectInputs
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+ with:
+ directory: ${{ matrix.directory }}
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory != '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
+ # Run only validate pre-commit check on min version supported
+ if: ${{ matrix.directory == '.' }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.minVersion }}
+ args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
+
+ preCommitMaxVersion:
+ name: Max TF pre-commit
+ runs-on: ubuntu-latest
+ needs: collectInputs
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{github.event.pull_request.head.repo.full_name}}
+
+ - name: Terraform min/max versions
+ id: minMax
+ uses: clowdhaus/terraform-min-max@v1.0.3
+
+ - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+ with:
+ terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+ terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 000000000..141937d86
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,32 @@
+name: Release
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - '**/*.py'
+ - '**/*.tf'
+
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+
+ - name: Release
+ uses: cycjimmy/semantic-release-action@v2
+ with:
+ semantic_version: 18.0.0
+ extra_plugins: |
+ @semantic-release/changelog@6.0.0
+ @semantic-release/git@10.0.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
diff --git a/.gitignore b/.gitignore
index c536226f1..0e7076fb7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,30 @@
-.terraform
-*.tfstate*
-.kitchen
-terraform.tfstate
-terraform.tfvars
-Gemfile.lock
+# Local .terraform directories
+**/.terraform/*
+
+# Terraform lockfile
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
.idea
diff --git a/.kitchen.yml b/.kitchen.yml
deleted file mode 100644
index beb517ea9..000000000
--- a/.kitchen.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-driver:
- name: "terraform"
- root_module_directory: "examples/test_fixture"
-
-provisioner:
- name: "terraform"
-
-platforms:
- - name: "aws"
-
-verifier:
- name: "awspec"
-
-suites:
- - name: "default"
- verifier:
- name: "awspec"
- patterns:
- - "test/integration/default/test_vpc.rb"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e005ca260..b0e03fc88 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,28 @@
repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.13.0
- hooks:
- - id: terraform_fmt
- - id: terraform_docs
-- repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v2.2.3
- hooks:
- - id: check-merge-conflict
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.58.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_validate
+ - id: terraform_docs
+ args:
+ - '--args=--lockfile=false'
+ - id: terraform_tflint
+ args:
+ - '--args=--only=terraform_deprecated_interpolation'
+ - '--args=--only=terraform_deprecated_index'
+ - '--args=--only=terraform_unused_declarations'
+ - '--args=--only=terraform_comment_syntax'
+ - '--args=--only=terraform_documented_outputs'
+ - '--args=--only=terraform_documented_variables'
+ - '--args=--only=terraform_typed_variables'
+ - '--args=--only=terraform_module_pinned_source'
+ - '--args=--only=terraform_naming_convention'
+ - '--args=--only=terraform_required_version'
+ - '--args=--only=terraform_required_providers'
+ - '--args=--only=terraform_standard_module_structure'
+ - '--args=--only=terraform_workspace_remote'
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.0.1
+ hooks:
+ - id: check-merge-conflict
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 000000000..6e39031cf
--- /dev/null
+++ b/.releaserc.json
@@ -0,0 +1,36 @@
+{
+ "branches": [
+ "main",
+ "master"
+ ],
+ "ci": false,
+ "plugins": [
+ "@semantic-release/commit-analyzer",
+ "@semantic-release/release-notes-generator",
+ [
+ "@semantic-release/github",
+ {
+ "successComment":
+ "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
+ "labels": false,
+ "releasedLabels": false
+ }
+ ],
+ [
+ "@semantic-release/changelog",
+ {
+ "changelogFile": "CHANGELOG.md",
+ "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
+ }
+ ],
+ [
+ "@semantic-release/git",
+ {
+ "assets": [
+ "CHANGELOG.md"
+ ],
+ "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+ }
+ ]
+ ]
+}
diff --git a/.ruby-version b/.ruby-version
deleted file mode 100644
index 8e8299dcc..000000000
--- a/.ruby-version
+++ /dev/null
@@ -1 +0,0 @@
-2.4.2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8578537b3..d8423e8d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,764 @@
-
-## [Unreleased]
+
+## [v3.11.0] - 2021-11-04
+- feat: Add tags to VPC flow logs IAM policy ([#706](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/706))
+
+
+
+## [v3.10.0] - 2021-10-15
+
+- fix: Enabled destination_options only for VPC Flow Logs on S3 ([#703](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/703))
+
+
+
+## [v3.9.0] - 2021-10-15
+
+- feat: Added timeout block to aws_default_route_table resource ([#701](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/701))
+
+
+
+## [v3.8.0] - 2021-10-14
+
+- feat: Added support for VPC Flow Logs in Parquet format ([#700](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/700))
+- docs: Fixed docs in simple-vpc
+- chore: Updated outputs in example ([#690](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/690))
+- Updated pre-commit
+
+
+
+## [v3.7.0] - 2021-08-31
+
+- feat: Add support for naming and tagging subnet groups ([#688](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/688))
+
+
+
+## [v3.6.0] - 2021-08-18
+
+- feat: Added device_name to customer gateway object. ([#681](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/681))
+
+
+
+## [v3.5.0] - 2021-08-15
+
+- fix: Return correct route table when enable_public_redshift is set ([#337](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/337))
+
+
+
+## [v3.4.0] - 2021-08-13
+
+- fix: Update the terraform to support new provider signatures ([#678](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/678))
+
+
+
+## [v3.3.0] - 2021-08-10
+
+- docs: Added ID of aws_vpc_dhcp_options to outputs ([#669](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/669))
+- fix: Fixed mistake in separate private route tables example ([#664](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/664))
+- fix: Fixed SID for assume role policy for flow logs ([#670](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/670))
+
+
+
+## [v3.2.0] - 2021-06-28
+
+- feat: Added database_subnet_group_name variable ([#656](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/656))
+
+
+
+## [v3.1.0] - 2021-06-07
+
+- chore: Removed link to cloudcraft
+- chore: Private DNS cannot be used with S3 endpoint ([#651](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/651))
+- chore: update CI/CD to use stable `terraform-docs` release artifact and discoverable Apache2.0 license ([#643](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/643))
+
+
+
+## [v3.0.0] - 2021-04-26
+
+- refactor: remove existing vpc endpoint configurations from base module and move into sub-module ([#635](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/635))
+
+
+
+## [v2.78.0] - 2021-04-06
+
+- feat: Add outpost support (subnet, NACL, IPv6) ([#542](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/542))
+- chore: update documentation and pin `terraform_docs` version to avoid future changes ([#619](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/619))
+- chore: align ci-cd static checks to use individual minimum Terraform versions ([#606](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/606))
+
+
+
+## [v2.77.0] - 2021-02-23
+
+- feat: add default route table resource to manage default route table, its tags, routes, etc. ([#599](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/599))
+
+
+
+## [v2.76.0] - 2021-02-23
+
+- fix: Remove CreateLogGroup permission from service role ([#550](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/550))
+
+
+
+## [v2.75.0] - 2021-02-23
+
+- feat: add vpc endpoint policies to supported services ([#601](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/601))
+
+
+
+## [v2.74.0] - 2021-02-22
+
+- fix: use filter for getting service type for S3 endpoint and update to allow s3 to use interface endpoint types ([#597](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/597))
+- chore: Updated the conditional creation section of the README ([#584](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/584))
+
+
+
+## [v2.73.0] - 2021-02-22
+
+- chore: Adds database_subnet_group_name as an output variable ([#592](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/592))
+- fix: aws_default_security_group was always dirty when manage_default_security_group was set ([#591](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/591))
+
+
+
+## [v2.72.0] - 2021-02-22
+
+- fix: Correctly manage route tables for database subnets when multiple NAT gateways present ([#518](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/518))
+- chore: add ci-cd workflow for pre-commit checks ([#598](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/598))
+
+
+
+## [v2.71.0] - 2021-02-20
+
+- chore: update documentation based on latest `terraform-docs` which includes module and resource sections ([#594](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/594))
+- feat: Upgraded minimum required versions of AWS provider to 3.10 ([#574](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/574))
+- fix: Specify an endpoint type for S3 VPC endpoint ([#573](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/573))
+- fix: Fixed wrong count in DMS endpoint ([#566](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/566))
+- feat: Adding VPC endpoint for DMS ([#564](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/564))
+- fix: Adding missing RDS endpoint to output.tf ([#563](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/563))
+- docs: Clarifies default_vpc attributes ([#552](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/552))
+- feat: Adding vpc_flow_log_permissions_boundary ([#536](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/536))
+- docs: Updated README and pre-commit ([#537](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/537))
+- feat: Lambda VPC Endpoint ([#534](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/534))
+- Updated README
+- feat: Added Codeartifact API/Repo vpc endpoints ([#515](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/515))
+- fix: Updated min required version of Terraform to 0.12.21 ([#532](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/532))
+- Fixed circleci configs
+- fix: Resource aws_default_network_acl orphaned subnet_ids ([#530](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/530))
+- fix: Removed ignore_changes to work with Terraform 0.14 ([#526](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/526))
+- feat: Added support for Terraform 0.14 ([#525](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/525))
+- revert: Create only required number of NAT gateways ([#492](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/492)) ([#517](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/517))
+- fix: Create only required number of NAT gateways ([#492](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/492))
+- docs: Updated docs with pre-commit
+- feat: Added Textract vpc endpoint ([#509](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/509))
+- fix: Split appstream to appstream_api and appstream_streaming ([#508](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/508))
+- feat: Add support for security groups ids in default sg's rules ([#491](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/491))
+- feat: Added tflint as pre-commit hook ([#507](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/507))
+- feat: add enable_public_s3_endpoint variable for S3 VPC Endpoint for public subnets ([#502](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/502))
+- feat: Add ability to create CodeDeploy endpoint to VPC ([#501](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/501))
+- feat: Add ability to create RDS endpoint to VPC ([#499](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/499))
+- fix: Use database route table instead of private route table for NAT gateway route ([#476](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/476))
+- feat: add arn outputs for: igw, cgw, vgw, default vpc, acls ([#471](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/471))
+- fix: InvalidServiceName for elasticbeanstalk_health ([#484](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/484))
+- feat: bump version of aws provider version to support 3.* ([#479](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/479))
+- fix: bumping terraform version from 0.12.6 to 0.12.7 in circleci to include regexall function ([#474](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/474))
+- docs: Fix typo in nat_public_ips ([#460](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/460))
+- feat: manage default security group ([#382](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/382))
+- feat: add support for disabling IGW for public subnets ([#457](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/457))
+- fix: Reorder tags to allow overriding Name tag in route tables ([#458](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/458))
+- fix: Output list of external_nat_ips when using external eips ([#432](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/432))
+- Updated pre-commit hooks
+- feat: Add support for VPC flow log max_aggregation_interval ([#431](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/431))
+- feat: Add support for tagging egress only internet gateway ([#430](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/430))
+- feat: Enable support for Terraform 0.13 as a valid version by setting minimum version required ([#455](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/455))
+- feat: add vpc_owner_id to outputs ([#428](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/428))
+- docs: Fixed README
+- Merge branch 'master' into master
+- Updated description of vpc_owner_id
+- fix: Fix wrong ACM PCA output ([#450](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/450))
+- feat: Added support for more VPC endpoints ([#369](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/369))
+- feat: Add VPC Endpoint for SES ([#449](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/449))
+- feat: Add routes table association and route attachment outputs ([#398](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/398))
+- fix: Updated outputs in ipv6 example ([#375](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/375))
+- added owner_id output ([#1](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1))
+- docs: Updated required versions of Terraform
+- feat: Add EC2 Auto Scaling VPC endpoint ([#374](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/374))
+- docs: Document create_database_subnet_group requiring database_subnets ([#424](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/424))
+- feat: Add intra subnet VPN route propagation ([#421](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/421))
+- chore: Add badge for latest version number ([#384](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/384))
+- Added tagging for VPC Flow Logs ([#407](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/407))
+- Add support for specifying AZ in VPN Gateway ([#401](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/401))
+- Fixed output of aws_flow_log
+- Add VPC Flow Logs capabilities ([#316](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/316))
+- Added support for both types of values in azs (names and ids) ([#370](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/370))
+- Set minimum terraform version to 0.12.6 (fixes circleci) ([#390](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/390))
+- Updated pre-commit-terraform with terraform-docs 0.8.0 support ([#388](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/388))
+- Added note about Transit Gateway integration ([#386](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/386))
+- fix ipv6 enable ([#340](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/340))
+- Added Customer Gateway resource ([#360](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/360))
+- Update TFLint to v0.12.1 for circleci ([#351](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/351))
+- Add Elastic File System & Cloud Directory VPC Endpoints ([#355](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/355))
+- Fixed spelling mistakes
+- Updated network-acls example with IPv6 rules
+- Added support for `ipv6_cidr_block` in network acls ([#329](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/329))
+- Added VPC Endpoints for AppStream, Athena & Rekognition ([#335](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/335))
+- Add VPC endpoints for CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog & SageMaker(Runtime & API) ([#324](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/324))
+- Added support for EC2 ClassicLink ([#322](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/322))
+- Added support for ICMP rules in Network ACL ([#286](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/286))
+- Added tags to VPC Endpoints ([#292](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/292))
+- Added more VPC endpoints (Glue, STS, Sagemaker Notebook), and all missing outputs ([#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311))
+- Add IPv6 support ([#317](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/317))
+- Fixed README after merge
+- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303))
+- Fixed README after merge
+- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302))
+- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301))
+- adding transfer server vpc end point support
+- adding codebuild, codecommit and git-codecommit vpc end point support
+- adding config vpc end point support
+- adding secrets manager vpc end point support
+- Updated version of pre-commit-terraform
+- Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288))
+- Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249))
+- Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280))
+- Fixed broken 2.3.0
+- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
+- Updated Terraform versions in README
+- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
+- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
+- Fixed merge conflicts
+- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
+
+
+
+## [v1.73.0] - 2021-02-04
+
+- fix: Fixed multiple VPC endpoint error for S3
+- Add VPC endpoints for AppStream, Athena & Rekognition ([#336](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/336))
+- Fixed Sagemaker resource name in VPC endpoint ([#323](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/323))
+- Fixed name of appmesh VPC endpoint ([#320](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/320))
+- Allow ICMP Network ACL rules ([#252](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/252))
+- Added VPC endpoints from [#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311) to Terraform 0.11 branch ([#319](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/319))
+- Add tags to VPC Endpoints ([#293](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/293))
+- Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274))
+
+
+
+## [v2.70.0] - 2021-02-02
+
+- feat: Upgraded minimum required versions of AWS provider to 3.10 ([#574](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/574))
+
+
+
+## [v2.69.0] - 2021-02-02
+
+- fix: Specify an endpoint type for S3 VPC endpoint ([#573](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/573))
+
+
+
+## [v2.68.0] - 2021-01-29
+
+- fix: Fixed wrong count in DMS endpoint ([#566](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/566))
+
+
+
+## [v2.67.0] - 2021-01-29
+
+- feat: Adding VPC endpoint for DMS ([#564](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/564))
+- fix: Adding missing RDS endpoint to output.tf ([#563](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/563))
+
+
+
+## [v2.66.0] - 2021-01-14
+
+- docs: Clarifies default_vpc attributes ([#552](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/552))
+
+
+
+## [v2.65.0] - 2021-01-14
+
+- feat: Adding vpc_flow_log_permissions_boundary ([#536](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/536))
+
+
+
+## [v2.64.0] - 2020-11-04
+
+- docs: Updated README and pre-commit ([#537](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/537))
+
+
+
+## [v2.63.0] - 2020-10-26
+
+- feat: Lambda VPC Endpoint ([#534](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/534))
+
+
+
+## [v2.62.0] - 2020-10-22
+
+- Updated README
+- feat: Added Codeartifact API/Repo vpc endpoints ([#515](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/515))
+
+
+
+## [v2.61.0] - 2020-10-22
+
+- fix: Updated min required version of Terraform to 0.12.21 ([#532](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/532))
+- Fixed circleci configs
+
+
+
+## [v2.60.0] - 2020-10-21
+
+- fix: Resource aws_default_network_acl orphaned subnet_ids ([#530](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/530))
+
+
+
+## [v2.59.0] - 2020-10-19
+
+- fix: Removed ignore_changes to work with Terraform 0.14 ([#526](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/526))
+
+
+
+## [v2.58.0] - 2020-10-16
+
+- feat: Added support for Terraform 0.14 ([#525](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/525))
+
+
+
+## [v2.57.0] - 2020-10-06
+
+- revert: Create only required number of NAT gateways ([#492](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/492)) ([#517](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/517))
+
+
+
+## [v2.56.0] - 2020-10-06
+
+- fix: Create only required number of NAT gateways ([#492](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/492))
+
+
+
+## [v2.55.0] - 2020-09-28
+
+- docs: Updated docs with pre-commit
+- feat: Added Textract vpc endpoint ([#509](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/509))
+
+
+
+## [v2.54.0] - 2020-09-23
+
+- fix: Split appstream to appstream_api and appstream_streaming ([#508](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/508))
+
+
+
+## [v2.53.0] - 2020-09-23
+
+- feat: Add support for security groups ids in default sg's rules ([#491](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/491))
+
+
+
+## [v2.52.0] - 2020-09-22
+
+- feat: Added tflint as pre-commit hook ([#507](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/507))
+
+
+
+## [v2.51.0] - 2020-09-15
+
+- feat: add enable_public_s3_endpoint variable for S3 VPC Endpoint for public subnets ([#502](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/502))
+
+
+
+## [v2.50.0] - 2020-09-11
+
+- feat: Add ability to create CodeDeploy endpoint to VPC ([#501](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/501))
+
+
+
+## [v2.49.0] - 2020-09-11
+
+- feat: Add ability to create RDS endpoint to VPC ([#499](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/499))
+
+
+
+## [v2.48.0] - 2020-08-17
+
+- fix: Use database route table instead of private route table for NAT gateway route ([#476](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/476))
+
+
+
+## [v2.47.0] - 2020-08-13
+
+- feat: add arn outputs for: igw, cgw, vgw, default vpc, acls ([#471](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/471))
+
+
+
+## [v2.46.0] - 2020-08-13
+
+- fix: InvalidServiceName for elasticbeanstalk_health ([#484](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/484))
+
+
+
+## [v2.45.0] - 2020-08-13
+
+- feat: bump version of aws provider version to support 3.* ([#479](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/479))
+- fix: bumping terraform version from 0.12.6 to 0.12.7 in circleci to include regexall function ([#474](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/474))
+- docs: Fix typo in nat_public_ips ([#460](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/460))
+
+
+
+## [v2.44.0] - 2020-06-21
+
+- feat: manage default security group ([#382](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/382))
+
+
+
+## [v2.43.0] - 2020-06-20
+
+- feat: add support for disabling IGW for public subnets ([#457](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/457))
+
+
+
+## [v2.42.0] - 2020-06-20
+
+- fix: Reorder tags to allow overriding Name tag in route tables ([#458](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/458))
+
+
+
+## [v2.41.0] - 2020-06-20
+
+- fix: Output list of external_nat_ips when using external eips ([#432](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/432))
+
+
+
+## [v2.40.0] - 2020-06-20
+
+- Updated pre-commit hooks
+- feat: Add support for VPC flow log max_aggregation_interval ([#431](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/431))
+- feat: Add support for tagging egress only internet gateway ([#430](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/430))
+
+
+
+## [v2.39.0] - 2020-06-06
+
+- feat: Enable support for Terraform 0.13 as a valid version by setting minimum version required ([#455](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/455))
+
+
+
+## [v2.38.0] - 2020-05-25
+
+- feat: add vpc_owner_id to outputs ([#428](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/428))
+- docs: Fixed README
+- Merge branch 'master' into master
+- Updated description of vpc_owner_id
+- added owner_id output ([#1](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1))
+
+
+
+## [v2.37.0] - 2020-05-25
+
+- fix: Fix wrong ACM PCA output ([#450](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/450))
+
+
+
+## [v2.36.0] - 2020-05-25
+
+- feat: Added support for more VPC endpoints ([#369](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/369))
+
+
+
+## [v2.35.0] - 2020-05-25
+
+- feat: Add VPC Endpoint for SES ([#449](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/449))
+
+
+
+## [v2.34.0] - 2020-05-25
+
+- feat: Add routes table association and route attachment outputs ([#398](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/398))
+- fix: Updated outputs in ipv6 example ([#375](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/375))
+
+
+
+## [v2.33.0] - 2020-04-02
+
+- docs: Updated required versions of Terraform
+- feat: Add EC2 Auto Scaling VPC endpoint ([#374](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/374))
+- docs: Document create_database_subnet_group requiring database_subnets ([#424](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/424))
+
+
+
+## [v2.32.0] - 2020-03-24
+
+- feat: Add intra subnet VPN route propagation ([#421](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/421))
+
+
+
+## [v2.31.0] - 2020-03-20
+
+- chore: Add badge for latest version number ([#384](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/384))
+
+
+
+## [v2.30.0] - 2020-03-19
+
+
+
+
+## [v2.29.0] - 2020-03-13
+
+- Added tagging for VPC Flow Logs ([#407](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/407))
+
+
+
+## [v2.28.0] - 2020-03-11
+
+- Add support for specifying AZ in VPN Gateway ([#401](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/401))
+
+
+
+## [v2.27.0] - 2020-03-11
+
+- Fixed output of aws_flow_log
+
+
+
+## [v2.26.0] - 2020-03-11
+
+- Add VPC Flow Logs capabilities ([#316](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/316))
+
+
+
+## [v2.25.0] - 2020-03-02
+
+- Added support for both types of values in azs (names and ids) ([#370](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/370))
+
+
+
+## [v2.24.0] - 2020-01-23
+
+- Set minimum terraform version to 0.12.6 (fixes circleci) ([#390](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/390))
+
+
+
+## [v2.23.0] - 2020-01-21
+
+- Updated pre-commit-terraform with terraform-docs 0.8.0 support ([#388](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/388))
+
+
+
+## [v2.22.0] - 2020-01-16
+
+- Added note about Transit Gateway integration ([#386](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/386))
+
+
+
+## [v2.21.0] - 2019-11-27
+
+- fix ipv6 enable ([#340](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/340))
+
+
+
+## [v2.20.0] - 2019-11-27
+
+- Added Customer Gateway resource ([#360](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/360))
+- Update TFLint to v0.12.1 for circleci ([#351](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/351))
+
+
+
+## [v2.19.0] - 2019-11-27
+
+- Add Elastic File System & Cloud Directory VPC Endpoints ([#355](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/355))
+
+
+
+## [v2.18.0] - 2019-11-04
+
+- Fixed spelling mistakes
+- Updated network-acls example with IPv6 rules
+- Added support for `ipv6_cidr_block` in network acls ([#329](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/329))
+- Added VPC Endpoints for AppStream, Athena & Rekognition ([#335](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/335))
+- Add VPC endpoints for CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog & SageMaker(Runtime & API) ([#324](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/324))
+- Added support for EC2 ClassicLink ([#322](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/322))
+- Added support for ICMP rules in Network ACL ([#286](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/286))
+- Added tags to VPC Endpoints ([#292](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/292))
+- Added more VPC endpoints (Glue, STS, Sagemaker Notebook), and all missing outputs ([#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311))
+- Add IPv6 support ([#317](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/317))
+- Fixed README after merge
+- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303))
+- Fixed README after merge
+- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302))
+- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301))
+- adding transfer server vpc end point support
+- adding codebuild, codecommit and git-codecommit vpc end point support
+- adding config vpc end point support
+- adding secrets manager vpc end point support
+- Updated version of pre-commit-terraform
+- Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288))
+- Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249))
+- Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280))
+- Fixed broken 2.3.0
+- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
+- Updated Terraform versions in README
+- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
+- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
+- Fixed merge conflicts
+- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
+
+
+
+## [v1.72.0] - 2019-09-30
+
+- Add VPC endpoints for AppStream, Athena & Rekognition ([#336](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/336))
+- Fixed Sagemaker resource name in VPC endpoint ([#323](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/323))
+- Fixed name of appmesh VPC endpoint ([#320](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/320))
+- Allow ICMP Network ACL rules ([#252](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/252))
+- Added VPC endpoints from [#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311) to Terraform 0.11 branch ([#319](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/319))
+- Add tags to VPC Endpoints ([#293](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/293))
+- Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274))
+
+
+
+## [v2.17.0] - 2019-09-30
+
+- Updated network-acls example with IPv6 rules
+- Added support for `ipv6_cidr_block` in network acls ([#329](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/329))
+
+
+
+## [v2.16.0] - 2019-09-30
+
+- Added VPC Endpoints for AppStream, Athena & Rekognition ([#335](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/335))
+
+
+
+## [v2.15.0] - 2019-09-03
+
+- Add VPC endpoints for CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog & SageMaker(Runtime & API) ([#324](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/324))
+- Added support for EC2 ClassicLink ([#322](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/322))
+- Added support for ICMP rules in Network ACL ([#286](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/286))
+- Added tags to VPC Endpoints ([#292](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/292))
+- Added more VPC endpoints (Glue, STS, Sagemaker Notebook), and all missing outputs ([#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311))
+- Add IPv6 support ([#317](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/317))
+- Fixed README after merge
+- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303))
+- Fixed README after merge
+- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302))
+- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301))
+- adding transfer server vpc end point support
+- adding codebuild, codecommit and git-codecommit vpc end point support
+- adding config vpc end point support
+- adding secrets manager vpc end point support
+- Updated version of pre-commit-terraform
+- Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288))
+- Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249))
+- Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280))
+- Fixed broken 2.3.0
+- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
+- Updated Terraform versions in README
+- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
+- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
+- Fixed merge conflicts
+- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
+
+
+
+## [v1.71.0] - 2019-09-03
+
+- Fixed Sagemaker resource name in VPC endpoint ([#323](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/323))
+- Fixed name of appmesh VPC endpoint ([#320](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/320))
+- Allow ICMP Network ACL rules ([#252](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/252))
+- Added VPC endpoints from [#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311) to Terraform 0.11 branch ([#319](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/319))
+- Add tags to VPC Endpoints ([#293](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/293))
+- Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274))
+
+
+
+## [v2.14.0] - 2019-09-03
+
+- Added support for EC2 ClassicLink ([#322](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/322))
+
+
+
+## [v2.13.0] - 2019-09-03
+
+- Added support for ICMP rules in Network ACL ([#286](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/286))
+- Added tags to VPC Endpoints ([#292](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/292))
+- Added more VPC endpoints (Glue, STS, Sagemaker Notebook), and all missing outputs ([#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311))
+- Add IPv6 support ([#317](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/317))
+- Fixed README after merge
+- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303))
+- Fixed README after merge
+- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302))
+- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301))
+- adding transfer server vpc end point support
+- adding codebuild, codecommit and git-codecommit vpc end point support
+- adding config vpc end point support
+- adding secrets manager vpc end point support
+- Updated version of pre-commit-terraform
+- Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288))
+- Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249))
+- Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280))
+- Fixed broken 2.3.0
+- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
+- Updated Terraform versions in README
+- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
+- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
+- Fixed merge conflicts
+- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
+
+
+
+## [v1.70.0] - 2019-09-03
+
+- Allow ICMP Network ACL rules ([#252](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/252))
+
+
+
+## [v1.69.0] - 2019-09-03
+
+- Added VPC endpoints from [#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311) to Terraform 0.11 branch ([#319](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/319))
+
+
+
+## [v1.68.0] - 2019-09-02
+
+- Add tags to VPC Endpoints ([#293](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/293))
+- Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274))
+
+
+
+## [v2.12.0] - 2019-09-02
+
+- Added tags to VPC Endpoints ([#292](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/292))
+
+
+
+## [v2.11.0] - 2019-09-02
+
+- Added more VPC endpoints (Glue, STS, Sagemaker Notebook), and all missing outputs ([#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311))
+
+
+
+## [v2.10.0] - 2019-09-02
+
+- Add IPv6 support ([#317](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/317))
+
+
+
+## [v2.9.0] - 2019-07-21
+
+- Fixed README after merge
+- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303))
+
+
+
+## [v2.8.0] - 2019-07-21
+
+- Fixed README after merge
+- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302))
+- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301))
+- adding transfer server vpc end point support
+- adding codebuild, codecommit and git-codecommit vpc end point support
+- adding config vpc end point support
+- adding secrets manager vpc end point support
+- Updated version of pre-commit-terraform
@@ -12,20 +770,13 @@
## [v2.6.0] - 2019-06-13
-- Updated CHANGELOG
- Updated VPC endpoint example (fixed [#249](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/249))
- Update tflint to 0.8.2 for circleci task ([#280](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/280))
-- Updated CHANGELOG
-- Updated CHANGELOG
- Fixed broken 2.3.0
-- Updated CHANGELOG
- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
-- Updated CHANGELOG
- Updated Terraform versions in README
-- Updated CHANGELOG
- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
-- Updated CHANGELOG
- Fixed merge conflicts
- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
@@ -33,41 +784,35 @@
## [v1.67.0] - 2019-06-13
-- Updated CHANGELOG
- Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274))
## [v2.5.0] - 2019-06-05
-- Updated CHANGELOG
## [v2.4.0] - 2019-06-05
-- Updated CHANGELOG
- Fixed broken 2.3.0
## [v2.3.0] - 2019-06-04
-- Updated CHANGELOG
- Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12)
## [v2.2.0] - 2019-05-28
-- Updated CHANGELOG
- Updated Terraform versions in README
## [v2.1.0] - 2019-05-27
-- Updated CHANGELOG
- Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch ([#269](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/269))
- Upgrade Docker Image to fix CI ([#270](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/270))
@@ -75,7 +820,6 @@
## [v2.0.0] - 2019-05-24
-- Updated CHANGELOG
- Fixed merge conflicts
- Finally, Terraform 0.12 support ([#266](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/266))
@@ -83,7 +827,6 @@
## [v1.66.0] - 2019-05-24
-- Updated CHANGELOG
- Added VPC endpoints for SQS (closes [#248](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/248))
- ECS endpoint ([#261](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/261))
@@ -91,14 +834,12 @@
## [v1.65.0] - 2019-05-21
-- Updated CHANGELOG
- Improving DHCP options docs ([#260](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/260))
## [v1.64.0] - 2019-04-25
-- Updated CHANGELOG
- Fixed formatting
- Add Output Of Subnet ARNs ([#242](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/242))
@@ -106,7 +847,6 @@
## [v1.63.0] - 2019-04-25
-- Updated CHANGELOG
- Fixed formatting
- Added ARN of VPC in module output ([#245](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/245))
@@ -114,21 +854,18 @@
## [v1.62.0] - 2019-04-25
-- Updated CHANGELOG
- Add support for KMS VPC endpoint creation ([#243](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/243))
## [v1.61.0] - 2019-04-25
-- Updated CHANGELOG
- Added missing VPC endpoints outputs (resolves [#246](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/246)) ([#247](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/247))
## [v1.60.0] - 2019-03-22
-- Updated CHANGELOG
- Network ACLs ([#238](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/238))
@@ -153,7 +890,6 @@
## [v1.57.0] - 2019-02-21
- Bump version
-- Added CHANGELOG.md ([#221](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/221))
@@ -166,7 +902,6 @@
## [v1.55.0] - 2019-02-14
- Fixed formatting after [#213](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/213)
-- Merge pull request [#213](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/213) from michieldhadamus/ecr-endpoints
- Added subnet ids to ecr endpoints
- Added option to create ECR api and dkr endpoints
@@ -175,34 +910,29 @@
## [v1.54.0] - 2019-02-14
- Fixed formatting after [#205](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/205)
-- Merge pull request [#205](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/205) from tbugfinder/extend_endpoints
- switch to terraform-docs v0.6.0
- add files updated by pre-commit
- add additional endpoints to examples
- fix typo
- add endpoints ec2messages, ssmmessages as those are required by Systems Manager in addition to ec2 and ssm.
-- Merge pull request [#1](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1) from terraform-aws-modules/master
## [v1.53.0] - 2019-01-18
- Reordered vars in count for database_nat_gateway route
-- Merge pull request [#201](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/201) from ebarault/feat/database-route-to-natgw
- adding option to create a route to nat gateway in database subnets
## [v1.52.0] - 2019-01-17
-- Merge pull request [#202](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/202) from terraform-aws-modules/ssm_and_ec2_vpc_endpoints
- Added SSM and EC2 VPC endpoints (fixes [#195](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/195), [#194](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/194))
## [v1.51.0] - 2019-01-10
-- Merge pull request [#199](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/199) from terraform-aws-modules/elasticache_subnet_group
- Added possibility to control creation of elasticache and redshift subnet groups
@@ -215,7 +945,6 @@
## [v1.49.0] - 2018-12-12
-- Merge pull request [#191](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/191) from terraform-aws-modules/feature-db-igw-public-access
- Reverted complete-example
- Added IGW route for DB subnets (based on [#179](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/179))
@@ -229,7 +958,6 @@
## [v1.47.0] - 2018-12-11
-- Merge pull request [#181](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/181) from Miyurz/fix/redshift-name-issue
- Fix for the error: module.vpc.aws_redshift_subnet_group.redshift: only lowercase alphanumeric characters and hyphens allowed in name
@@ -459,7 +1187,6 @@
## [v1.14.0] - 2018-01-11
- Add Redshift subnets ([#54](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/54))
-- [ci skip] Get more Open Source Helpers ([#51](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/51))
@@ -563,14 +1290,12 @@
- [#22](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/22) add vpn gateway feature ([#24](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/24))
- Add cidr_block outputs to public and private subnets ([#19](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/19))
-- Merge pull request [#13](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/13) from felixb/nat-gateway-tags
- Add AZ to natgateway name
## [v1.0.4] - 2017-10-20
-- Merge pull request [#12](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/12) from michalschott/master
- NAT gateway should be tagged too.
@@ -578,14 +1303,12 @@
## [v1.0.3] - 2017-10-12
- Make aws_vpc_endpoint_service conditional
-- Merge pull request [#7](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/7) from eheydrick/variable-descriptions
- Improve variable descriptions
## [v1.0.2] - 2017-09-27
-- Merge pull request [#6](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/6) from mgresko/fix_govcloud
- disable dynamodb data source when not needed
@@ -593,7 +1316,6 @@
## [v1.0.1] - 2017-09-26
- Updated link in README
-- Merge pull request [#3](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/3) from gas-buddy/gasbuddy/eherot/custom_route_tags
- Allow the user to define custom tags for route tables
@@ -609,7 +1331,96 @@
- Initial commit
-[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...HEAD
+[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.11.0...HEAD
+[v3.11.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.10.0...v3.11.0
+[v3.10.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.9.0...v3.10.0
+[v3.9.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.8.0...v3.9.0
+[v3.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.7.0...v3.8.0
+[v3.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.6.0...v3.7.0
+[v3.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.5.0...v3.6.0
+[v3.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.4.0...v3.5.0
+[v3.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.3.0...v3.4.0
+[v3.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.2.0...v3.3.0
+[v3.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.1.0...v3.2.0
+[v3.1.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v3.0.0...v3.1.0
+[v3.0.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.78.0...v3.0.0
+[v2.78.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.77.0...v2.78.0
+[v2.77.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.76.0...v2.77.0
+[v2.76.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.75.0...v2.76.0
+[v2.75.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.74.0...v2.75.0
+[v2.74.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.73.0...v2.74.0
+[v2.73.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.72.0...v2.73.0
+[v2.72.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.71.0...v2.72.0
+[v2.71.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.73.0...v2.71.0
+[v1.73.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.70.0...v1.73.0
+[v2.70.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.69.0...v2.70.0
+[v2.69.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.68.0...v2.69.0
+[v2.68.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.67.0...v2.68.0
+[v2.67.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.66.0...v2.67.0
+[v2.66.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.65.0...v2.66.0
+[v2.65.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.64.0...v2.65.0
+[v2.64.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.63.0...v2.64.0
+[v2.63.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.62.0...v2.63.0
+[v2.62.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.61.0...v2.62.0
+[v2.61.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.60.0...v2.61.0
+[v2.60.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.59.0...v2.60.0
+[v2.59.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.58.0...v2.59.0
+[v2.58.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.57.0...v2.58.0
+[v2.57.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.56.0...v2.57.0
+[v2.56.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.55.0...v2.56.0
+[v2.55.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.54.0...v2.55.0
+[v2.54.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.53.0...v2.54.0
+[v2.53.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.52.0...v2.53.0
+[v2.52.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.51.0...v2.52.0
+[v2.51.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.50.0...v2.51.0
+[v2.50.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.49.0...v2.50.0
+[v2.49.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.48.0...v2.49.0
+[v2.48.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.47.0...v2.48.0
+[v2.47.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.46.0...v2.47.0
+[v2.46.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.45.0...v2.46.0
+[v2.45.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.44.0...v2.45.0
+[v2.44.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.43.0...v2.44.0
+[v2.43.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.42.0...v2.43.0
+[v2.42.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.41.0...v2.42.0
+[v2.41.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.40.0...v2.41.0
+[v2.40.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.39.0...v2.40.0
+[v2.39.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.38.0...v2.39.0
+[v2.38.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.37.0...v2.38.0
+[v2.37.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.36.0...v2.37.0
+[v2.36.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.35.0...v2.36.0
+[v2.35.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.34.0...v2.35.0
+[v2.34.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.33.0...v2.34.0
+[v2.33.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.32.0...v2.33.0
+[v2.32.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.31.0...v2.32.0
+[v2.31.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.30.0...v2.31.0
+[v2.30.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.29.0...v2.30.0
+[v2.29.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.28.0...v2.29.0
+[v2.28.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.27.0...v2.28.0
+[v2.27.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.26.0...v2.27.0
+[v2.26.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.25.0...v2.26.0
+[v2.25.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.24.0...v2.25.0
+[v2.24.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.23.0...v2.24.0
+[v2.23.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.22.0...v2.23.0
+[v2.22.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.21.0...v2.22.0
+[v2.21.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.20.0...v2.21.0
+[v2.20.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.19.0...v2.20.0
+[v2.19.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.18.0...v2.19.0
+[v2.18.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.72.0...v2.18.0
+[v1.72.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.17.0...v1.72.0
+[v2.17.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.16.0...v2.17.0
+[v2.16.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.15.0...v2.16.0
+[v2.15.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.71.0...v2.15.0
+[v1.71.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.14.0...v1.71.0
+[v2.14.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.13.0...v2.14.0
+[v2.13.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.70.0...v2.13.0
+[v1.70.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.69.0...v1.70.0
+[v1.69.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.68.0...v1.69.0
+[v1.68.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.12.0...v1.68.0
+[v2.12.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.11.0...v2.12.0
+[v2.11.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.10.0...v2.11.0
+[v2.10.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.9.0...v2.10.0
+[v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.8.0...v2.9.0
+[v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...v2.8.0
[v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...v2.7.0
[v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.67.0...v2.6.0
[v1.67.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...v1.67.0
diff --git a/Gemfile b/Gemfile
deleted file mode 100644
index f1de0394e..000000000
--- a/Gemfile
+++ /dev/null
@@ -1,11 +0,0 @@
-# frozen_string_literal: true
-
-ruby '2.4.2'
-
-source 'https://rubygems.org/' do
- gem 'aws-sdk', '~> 3.0.1'
- gem 'awspec', '~> 1.4.0'
- gem 'kitchen-terraform', '~> 3.1'
- gem 'kitchen-verifier-awspec', '~> 0.1.1'
- gem 'rhcl', '~> 0.1.0'
-end
diff --git a/LICENSE b/LICENSE
index 51fca54c2..d9a10c0d8 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,11 +1,176 @@
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
- http://www.apache.org/licenses/LICENSE-2.0
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
diff --git a/README.md b/README.md
index b69e66985..1cb32454e 100644
--- a/README.md
+++ b/README.md
@@ -1,41 +1,7 @@
# AWS VPC Terraform module
-[](https://www.codetriage.com/terraform-aws-modules/terraform-aws-vpc)
-
Terraform module which creates VPC resources on AWS.
-These types of resources are supported:
-
-* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html)
-* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html)
-* [Route](https://www.terraform.io/docs/providers/aws/r/route.html)
-* [Route table](https://www.terraform.io/docs/providers/aws/r/route_table.html)
-* [Internet Gateway](https://www.terraform.io/docs/providers/aws/r/internet_gateway.html)
-* [Network ACL](https://www.terraform.io/docs/providers/aws/r/network_acl.html)
-* [NAT Gateway](https://www.terraform.io/docs/providers/aws/r/nat_gateway.html)
-* [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
-* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
- * Gateway: S3, DynamoDB
- * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
- ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing,
- CloudTrail
-* [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
-* [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
-* [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
-* [DHCP Options Set](https://www.terraform.io/docs/providers/aws/r/vpc_dhcp_options.html)
-* [Default VPC](https://www.terraform.io/docs/providers/aws/r/default_vpc.html)
-* [Default Network ACL](https://www.terraform.io/docs/providers/aws/r/default_network_acl.html)
-
-Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co/?utm_source=terraform-aws-vpc)
-
-
-
-## Terraform versions
-
-Terraform 0.12. Pin module version to `~> v2.0`. Submit pull-requests to `master` branch.
-
-Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraform011` branch.
-
## Usage
```hcl
@@ -68,6 +34,7 @@ To that end, it is possible to assign existing IPs to the NAT Gateways.
This prevents the destruction of the VPC from releasing those IPs, while making it possible that a re-created VPC uses the same IPs.
To achieve this, allocate the IPs outside the VPC module declaration.
+
```hcl
resource "aws_eip" "nat" {
count = 3
@@ -77,6 +44,7 @@ resource "aws_eip" "nat" {
```
Then, pass the allocated IPs as a parameter to this module.
+
```hcl
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
@@ -98,24 +66,24 @@ Passing the IPs into the module is done by setting two variables `reuse_nat_ips
This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.
-* One NAT Gateway per subnet (default behavior)
- * `enable_nat_gateway = true`
- * `single_nat_gateway = false`
- * `one_nat_gateway_per_az = false`
-* Single NAT Gateway
- * `enable_nat_gateway = true`
- * `single_nat_gateway = true`
- * `one_nat_gateway_per_az = false`
-* One NAT Gateway per availability zone
- * `enable_nat_gateway = true`
- * `single_nat_gateway = false`
- * `one_nat_gateway_per_az = true`
+- One NAT Gateway per subnet (default behavior)
+ - `enable_nat_gateway = true`
+ - `single_nat_gateway = false`
+ - `one_nat_gateway_per_az = false`
+- Single NAT Gateway
+ - `enable_nat_gateway = true`
+ - `single_nat_gateway = true`
+ - `one_nat_gateway_per_az = false`
+- One NAT Gateway per availability zone
+ - `enable_nat_gateway = true`
+ - `single_nat_gateway = false`
+ - `one_nat_gateway_per_az = true`
If both `single_nat_gateway` and `one_nat_gateway_per_az` are set to `true`, then `single_nat_gateway` takes precedence.
### One NAT Gateway per subnet (default)
-By default, the module will determine the number of NAT Gateways to create based on the the `max()` of the private subnet lists (`database_subnets`, `elasticache_subnets`, `private_subnets`, and `redshift_subnets`). The module **does not** take into account the number of `intra_subnets`, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:
+By default, the module will determine the number of NAT Gateways to create based on the the `max()` of the private subnet lists (`database_subnets`, `elasticache_subnets`, `private_subnets`, and `redshift_subnets`). The module **does not** take into account the number of `intra_subnets`, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:
```hcl
database_subnets = ["10.0.21.0/24", "10.0.22.0/24"]
@@ -135,8 +103,8 @@ If `single_nat_gateway = true`, then all private subnets will route their Intern
If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the module will place one NAT gateway in each availability zone you specify in `var.azs`. There are some requirements around using this feature flag:
-* The variable `var.azs` **must** be specified.
-* The number of public subnet CIDR blocks specified in `public_subnets` **must** be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.
+- The variable `var.azs` **must** be specified.
+- The number of public subnet CIDR blocks specified in `public_subnets` **must** be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.
## "private" versus "intra" subnets
@@ -148,9 +116,25 @@ Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to
You can add additional tags with `intra_subnet_tags` as with other subnet types.
+## VPC Flow Log
+
+VPC Flow Log allows to capture IP traffic for a specific network interface (ENI), subnet, or entire VPC. This module supports enabling or disabling VPC Flow Logs for entire VPC. If you need to have VPC Flow Logs for subnet or ENI, you have to manage it outside of this module with [aws_flow_log resource](https://www.terraform.io/docs/providers/aws/r/flow_log.html).
+
+### VPC Flow Log Examples
+
+By default `file_format` is `plain-text`. You can also specify `parquet` to have logs written in Apache Parquet format.
+
+```
+flow_log_file_format = "parquet"
+```
+
+### Permissions Boundary
+
+If your organization requires a permissions boundary to be attached to the VPC Flow Log role, make sure that you specify an ARN of the permissions boundary policy as `vpc_flow_log_permissions_boundary` argument. Read more about required [IAM policy for publishing flow logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-iam).
+
## Conditional creation
-Sometimes you need to have a way to create VPC resources conditionally but Terraform does not allow to use `count` inside `module` block, so the solution is to specify argument `create_vpc`.
+Prior to Terraform 0.13, you were unable to specify `count` in a module block. If you wish to toggle the creation of the module's resources in an older (pre 0.13) version of Terraform, you can use the `create_vpc` argument.
```hcl
# This VPC will not be created
@@ -191,338 +175,418 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
enable_public_redshift = true # <= By default Redshift subnets will be associated with the private route table
```
+## Transit Gateway (TGW) integration
+
+It is possible to integrate this VPC module with [terraform-aws-transit-gateway module](https://github.com/terraform-aws-modules/terraform-aws-transit-gateway) which handles the creation of TGW resources and VPC attachments. See [complete example there](https://github.com/terraform-aws-modules/terraform-aws-transit-gateway/tree/master/examples/complete).
+
## Examples
-* [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc)
-* [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc)
-* [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc)
-* [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls)
-* Few tests and edge cases examples: [#46](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-46-no-private-subnets), [#44](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-44-asymmetric-private-subnets), [#108](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-108-route-already-exists)
+- [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc)
+- [Simple VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks)
+- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) with VPC Endpoints.
+- [VPC with IPv6 enabled](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6)
+- [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls)
+- [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs)
+- [VPC with Outpost](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/outpost)
+- [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc)
+- [Few tests and edge case examples](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issues)
+
+## Contributing
+
+Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/new) section.
+
+Full contributing [guidelines are covered here](.github/contributing.md).
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.63 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_customer_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource |
+| [aws_db_subnet_group.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
+| [aws_default_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
+| [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
+| [aws_default_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_default_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
+| [aws_egress_only_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource |
+| [aws_eip.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
+| [aws_elasticache_subnet_group.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
+| [aws_flow_log.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
+| [aws_iam_policy.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
+| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
+| [aws_network_acl.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.outpost](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl_rule.database_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.database_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.elasticache_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.elasticache_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.intra_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.intra_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.outpost_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.outpost_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.private_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.private_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.public_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.public_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.redshift_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.redshift_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_redshift_subnet_group.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) | resource |
+| [aws_route.database_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.database_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.database_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.private_ipv6_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.private_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.public_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route.public_internet_gateway_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_route_table.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
+| [aws_route_table_association.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.outpost](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_route_table_association.redshift_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
+| [aws_subnet.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.outpost](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_subnet.redshift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
+| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+| [aws_vpc_dhcp_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource |
+| [aws_vpc_dhcp_options_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource |
+| [aws_vpc_ipv4_cidr_block_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv4_cidr_block_association) | resource |
+| [aws_vpn_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway) | resource |
+| [aws_vpn_gateway_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_attachment) | resource |
+| [aws_vpn_gateway_route_propagation.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
+| [aws_vpn_gateway_route_propagation.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
+| [aws_vpn_gateway_route_propagation.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource |
+| [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
## Inputs
| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no |
-| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | bool | `"false"` | no |
-| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list(string) | `[]` | no |
-| apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | bool | `"false"` | no |
-| azs | A list of availability zones in the region | list(string) | `[]` | no |
-| cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no |
-| cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | bool | `"false"` | no |
-| cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list(string) | `[]` | no |
-| cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | bool | `"false"` | no |
-| create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool | `"false"` | no |
-| create\_database\_subnet\_group | Controls if database subnet group should be created | bool | `"true"` | no |
-| create\_database\_subnet\_route\_table | Controls if separate route table for database should be created | bool | `"false"` | no |
-| create\_elasticache\_subnet\_group | Controls if elasticache subnet group should be created | bool | `"true"` | no |
-| create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | bool | `"false"` | no |
-| create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | bool | `"true"` | no |
-| create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | bool | `"false"` | no |
-| create\_vpc | Controls if VPC should be created (it affects almost all resources) | bool | `"true"` | no |
-| database\_acl\_tags | Additional tags for the database subnets network ACL | map(string) | `{}` | no |
-| database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | `"false"` | no |
-| database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| database\_outbound\_acl\_rules | Database subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| database\_route\_table\_tags | Additional tags for the database route tables | map(string) | `{}` | no |
-| database\_subnet\_group\_tags | Additional tags for the database subnet group | map(string) | `{}` | no |
-| database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no |
-| database\_subnet\_tags | Additional tags for the database subnets | map(string) | `{}` | no |
-| database\_subnets | A list of database subnets | list(string) | `[]` | no |
-| default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | list(map(string)) | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no |
-| default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no |
-| default\_network\_acl\_name | Name to be used on the Default Network ACL | string | `""` | no |
-| default\_network\_acl\_tags | Additional tags for the Default Network ACL | map(string) | `{}` | no |
-| default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | bool | `"false"` | no |
-| default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | bool | `"false"` | no |
-| default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | bool | `"true"` | no |
-| default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no |
-| default\_vpc\_tags | Additional tags for the Default VPC | map(string) | `{}` | no |
-| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no |
-| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | list(string) | `[ "AmazonProvidedDNS" ]` | no |
-| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | `[]` | no |
-| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no |
-| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | `[]` | no |
-| dhcp\_options\_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map(string) | `{}` | no |
-| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | bool | `"false"` | no |
-| ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list(string) | `[]` | no |
-| ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | bool | `"false"` | no |
-| ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list(string) | `[]` | no |
-| ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ecr\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | bool | `"false"` | no |
-| ecr\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint | list(string) | `[]` | no |
-| ecr\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | bool | `"false"` | no |
-| ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list(string) | `[]` | no |
-| ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | bool | `"false"` | no |
-| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list(string) | `[]` | no |
-| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | bool | `"false"` | no |
-| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list(string) | `[]` | no |
-| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | bool | `"false"` | no |
-| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list(string) | `[]` | no |
-| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map(string) | `{}` | no |
-| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | bool | `"false"` | no |
-| elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| elasticache\_outbound\_acl\_rules | Elasticache subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map(string) | `{}` | no |
-| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no |
-| elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map(string) | `{}` | no |
-| elasticache\_subnets | A list of elasticache subnets | list(string) | `[]` | no |
-| elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | bool | `"false"` | no |
-| elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list(string) | `[]` | no |
-| elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | bool | `"false"` | no |
-| enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | bool | `"false"` | no |
-| enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool | `"false"` | no |
-| enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | bool | `"false"` | no |
-| enable\_dns\_support | Should be true to enable DNS support in the VPC | bool | `"true"` | no |
-| enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | bool | `"false"` | no |
-| enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | bool | `"false"` | no |
-| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | bool | `"false"` | no |
-| enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | bool | `"false"` | no |
-| enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | bool | `"false"` | no |
-| enable\_ecs\_agent\_endpoint | Should be true if you want to provision a ECS Agent endpoint to the VPC | bool | `"false"` | no |
-| enable\_ecs\_endpoint | Should be true if you want to provision a ECS endpoint to the VPC | bool | `"false"` | no |
-| enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no |
-| enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no |
-| enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no |
-| enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | `"false"` | no |
-| enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | bool | `"false"` | no |
-| enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | `"false"` | no |
-| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | `"false"` | no |
-| enable\_public\_redshift | Controls if redshift should have public routing table | bool | `"false"` | no |
-| enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | bool | `"false"` | no |
-| enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | bool | `"false"` | no |
-| enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no |
-| enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | bool | `"false"` | no |
-| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | bool | `"false"` | no |
-| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool | `"false"` | no |
-| events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | bool | `"false"` | no |
-| events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list(string) | `[]` | no |
-| events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | `[]` | no |
-| igw\_tags | Additional tags for the internet gateway | map(string) | `{}` | no |
-| instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no |
-| intra\_acl\_tags | Additional tags for the intra subnets network ACL | map(string) | `{}` | no |
-| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | bool | `"false"` | no |
-| intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| intra\_route\_table\_tags | Additional tags for the intra route tables | map(string) | `{}` | no |
-| intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no |
-| intra\_subnet\_tags | Additional tags for the intra subnets | map(string) | `{}` | no |
-| intra\_subnets | A list of intra subnets | list(string) | `[]` | no |
-| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | bool | `"false"` | no |
-| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list(string) | `[]` | no |
-| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | bool | `"false"` | no |
-| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list(string) | `[]` | no |
-| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | bool | `"false"` | no |
-| manage\_default\_vpc | Should be true to adopt and manage Default VPC | bool | `"false"` | no |
-| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | bool | `"true"` | no |
-| monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | bool | `"false"` | no |
-| monitoring\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | list(string) | `[]` | no |
-| monitoring\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| name | Name to be used on all the resources as identifier | string | `""` | no |
-| nat\_eip\_tags | Additional tags for the NAT EIP | map(string) | `{}` | no |
-| nat\_gateway\_tags | Additional tags for the NAT gateways | map(string) | `{}` | no |
-| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | bool | `"false"` | no |
-| private\_acl\_tags | Additional tags for the private subnets network ACL | map(string) | `{}` | no |
-| private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | bool | `"false"` | no |
-| private\_inbound\_acl\_rules | Private subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| private\_outbound\_acl\_rules | Private subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| private\_route\_table\_tags | Additional tags for the private route tables | map(string) | `{}` | no |
-| private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no |
-| private\_subnet\_tags | Additional tags for the private subnets | map(string) | `{}` | no |
-| private\_subnets | A list of private subnets inside the VPC | list(string) | `[]` | no |
-| propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | bool | `"false"` | no |
-| propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | bool | `"false"` | no |
-| public\_acl\_tags | Additional tags for the public subnets network ACL | map(string) | `{}` | no |
-| public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | bool | `"false"` | no |
-| public\_inbound\_acl\_rules | Public subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| public\_outbound\_acl\_rules | Public subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| public\_route\_table\_tags | Additional tags for the public route tables | map(string) | `{}` | no |
-| public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no |
-| public\_subnet\_tags | Additional tags for the public subnets | map(string) | `{}` | no |
-| public\_subnets | A list of public subnets inside the VPC | list(string) | `[]` | no |
-| redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | map(string) | `{}` | no |
-| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | bool | `"false"` | no |
-| redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| redshift\_outbound\_acl\_rules | Redshift subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
-| redshift\_route\_table\_tags | Additional tags for the redshift route tables | map(string) | `{}` | no |
-| redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map(string) | `{}` | no |
-| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no |
-| redshift\_subnet\_tags | Additional tags for the redshift subnets | map(string) | `{}` | no |
-| redshift\_subnets | A list of redshift subnets | list(string) | `[]` | no |
-| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | `"false"` | no |
-| secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | `[]` | no |
-| single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | `"false"` | no |
-| sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no |
-| sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no |
-| sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | `"false"` | no |
-| sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | `[]` | no |
-| sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
-| ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | `"false"` | no |
-| ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | `[]` | no |
-| ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no |
-| ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no |
-| ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| tags | A map of tags to add to all resources | map(string) | `{}` | no |
-| vpc\_tags | Additional tags for the VPC | map(string) | `{}` | no |
-| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
-| vpn\_gateway\_tags | Additional tags for the VPN gateway | map(string) | `{}` | no |
+|------|-------------|------|---------|:--------:|
+| [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
+| [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no |
+| [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
+| [cidr](#input\_cidr) | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | `string` | `"0.0.0.0/0"` | no |
+| [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
+| [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
+| [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no |
+| [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Controls if separate route table for database should be created | `bool` | `false` | no |
+| [create\_egress\_only\_igw](#input\_create\_egress\_only\_igw) | Controls if an Egress Only Internet Gateway is created and its related routes. | `bool` | `true` | no |
+| [create\_elasticache\_subnet\_group](#input\_create\_elasticache\_subnet\_group) | Controls if elasticache subnet group should be created | `bool` | `true` | no |
+| [create\_elasticache\_subnet\_route\_table](#input\_create\_elasticache\_subnet\_route\_table) | Controls if separate route table for elasticache should be created | `bool` | `false` | no |
+| [create\_flow\_log\_cloudwatch\_iam\_role](#input\_create\_flow\_log\_cloudwatch\_iam\_role) | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no |
+| [create\_flow\_log\_cloudwatch\_log\_group](#input\_create\_flow\_log\_cloudwatch\_log\_group) | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no |
+| [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. | `bool` | `true` | no |
+| [create\_redshift\_subnet\_group](#input\_create\_redshift\_subnet\_group) | Controls if redshift subnet group should be created | `bool` | `true` | no |
+| [create\_redshift\_subnet\_route\_table](#input\_create\_redshift\_subnet\_route\_table) | Controls if separate route table for redshift should be created | `bool` | `false` | no |
+| [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
+| [customer\_gateway\_tags](#input\_customer\_gateway\_tags) | Additional tags for the Customer Gateway | `map(string)` | `{}` | no |
+| [customer\_gateways](#input\_customer\_gateways) | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | `map(map(any))` | `{}` | no |
+| [database\_acl\_tags](#input\_database\_acl\_tags) | Additional tags for the database subnets network ACL | `map(string)` | `{}` | no |
+| [database\_dedicated\_network\_acl](#input\_database\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for database subnets | `bool` | `false` | no |
+| [database\_inbound\_acl\_rules](#input\_database\_inbound\_acl\_rules) | Database subnets inbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [database\_outbound\_acl\_rules](#input\_database\_outbound\_acl\_rules) | Database subnets outbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [database\_route\_table\_tags](#input\_database\_route\_table\_tags) | Additional tags for the database route tables | `map(string)` | `{}` | no |
+| [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [database\_subnet\_group\_name](#input\_database\_subnet\_group\_name) | Name of database subnet group | `string` | `null` | no |
+| [database\_subnet\_group\_tags](#input\_database\_subnet\_group\_tags) | Additional tags for the database subnet group | `map(string)` | `{}` | no |
+| [database\_subnet\_ipv6\_prefixes](#input\_database\_subnet\_ipv6\_prefixes) | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [database\_subnet\_suffix](#input\_database\_subnet\_suffix) | Suffix to append to database subnets name | `string` | `"db"` | no |
+| [database\_subnet\_tags](#input\_database\_subnet\_tags) | Additional tags for the database subnets | `map(string)` | `{}` | no |
+| [database\_subnets](#input\_database\_subnets) | A list of database subnets | `list(string)` | `[]` | no |
+| [default\_network\_acl\_egress](#input\_default\_network\_acl\_egress) | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` | [
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no |
+| [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | [
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no |
+| [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name to be used on the Default Network ACL | `string` | `""` | no |
+| [default\_network\_acl\_tags](#input\_default\_network\_acl\_tags) | Additional tags for the Default Network ACL | `map(string)` | `{}` | no |
+| [default\_route\_table\_propagating\_vgws](#input\_default\_route\_table\_propagating\_vgws) | List of virtual gateways for propagation | `list(string)` | `[]` | no |
+| [default\_route\_table\_routes](#input\_default\_route\_table\_routes) | Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route | `list(map(string))` | `[]` | no |
+| [default\_route\_table\_tags](#input\_default\_route\_table\_tags) | Additional tags for the default route table | `map(string)` | `{}` | no |
+| [default\_security\_group\_egress](#input\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group | `list(map(string))` | `null` | no |
+| [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `null` | no |
+| [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name to be used on the default security group | `string` | `"default"` | no |
+| [default\_security\_group\_tags](#input\_default\_security\_group\_tags) | Additional tags for the default security group | `map(string)` | `{}` | no |
+| [default\_vpc\_enable\_classiclink](#input\_default\_vpc\_enable\_classiclink) | Should be true to enable ClassicLink in the Default VPC | `bool` | `false` | no |
+| [default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `false` | no |
+| [default\_vpc\_enable\_dns\_support](#input\_default\_vpc\_enable\_dns\_support) | Should be true to enable DNS support in the Default VPC | `bool` | `true` | no |
+| [default\_vpc\_name](#input\_default\_vpc\_name) | Name to be used on the Default VPC | `string` | `""` | no |
+| [default\_vpc\_tags](#input\_default\_vpc\_tags) | Additional tags for the Default VPC | `map(string)` | `{}` | no |
+| [dhcp\_options\_domain\_name](#input\_dhcp\_options\_domain\_name) | Specifies DNS name for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no |
+| [dhcp\_options\_domain\_name\_servers](#input\_dhcp\_options\_domain\_name\_servers) | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable\_dhcp\_options set to true) | `list(string)` | [
"AmazonProvidedDNS"
]
| no |
+| [dhcp\_options\_netbios\_name\_servers](#input\_dhcp\_options\_netbios\_name\_servers) | Specify a list of netbios servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no |
+| [dhcp\_options\_netbios\_node\_type](#input\_dhcp\_options\_netbios\_node\_type) | Specify netbios node\_type for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no |
+| [dhcp\_options\_ntp\_servers](#input\_dhcp\_options\_ntp\_servers) | Specify a list of NTP servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no |
+| [dhcp\_options\_tags](#input\_dhcp\_options\_tags) | Additional tags for the DHCP option set (requires enable\_dhcp\_options set to true) | `map(string)` | `{}` | no |
+| [elasticache\_acl\_tags](#input\_elasticache\_acl\_tags) | Additional tags for the elasticache subnets network ACL | `map(string)` | `{}` | no |
+| [elasticache\_dedicated\_network\_acl](#input\_elasticache\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | `bool` | `false` | no |
+| [elasticache\_inbound\_acl\_rules](#input\_elasticache\_inbound\_acl\_rules) | Elasticache subnets inbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [elasticache\_outbound\_acl\_rules](#input\_elasticache\_outbound\_acl\_rules) | Elasticache subnets outbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [elasticache\_route\_table\_tags](#input\_elasticache\_route\_table\_tags) | Additional tags for the elasticache route tables | `map(string)` | `{}` | no |
+| [elasticache\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_elasticache\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Name of elasticache subnet group | `string` | `null` | no |
+| [elasticache\_subnet\_group\_tags](#input\_elasticache\_subnet\_group\_tags) | Additional tags for the elasticache subnet group | `map(string)` | `{}` | no |
+| [elasticache\_subnet\_ipv6\_prefixes](#input\_elasticache\_subnet\_ipv6\_prefixes) | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [elasticache\_subnet\_suffix](#input\_elasticache\_subnet\_suffix) | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
+| [elasticache\_subnet\_tags](#input\_elasticache\_subnet\_tags) | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
+| [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets | `list(string)` | `[]` | no |
+| [enable\_classiclink](#input\_enable\_classiclink) | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no |
+| [enable\_classiclink\_dns\_support](#input\_enable\_classiclink\_dns\_support) | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no |
+| [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no |
+| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `false` | no |
+| [enable\_dns\_support](#input\_enable\_dns\_support) | Should be true to enable DNS support in the VPC | `bool` | `true` | no |
+| [enable\_flow\_log](#input\_enable\_flow\_log) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
+| [enable\_ipv6](#input\_enable\_ipv6) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no |
+| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no |
+| [enable\_public\_redshift](#input\_enable\_public\_redshift) | Controls if redshift should have public routing table | `bool` | `false` | no |
+| [enable\_vpn\_gateway](#input\_enable\_vpn\_gateway) | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no |
+| [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no |
+| [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no |
+| [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | `string` | `""` | no |
+| [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs. | `string` | `null` | no |
+| [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs. | `string` | `"/aws/vpc-flow-log/"` | no |
+| [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no |
+| [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided. | `string` | `""` | no |
+| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs. | `string` | `"cloud-watch-logs"` | no |
+| [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet`. | `string` | `"plain-text"` | no |
+| [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. | `bool` | `false` | no |
+| [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear. | `string` | `null` | no |
+| [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `600` | no |
+| [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. | `bool` | `false` | no |
+| [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | `string` | `"ALL"` | no |
+| [igw\_tags](#input\_igw\_tags) | Additional tags for the internet gateway | `map(string)` | `{}` | no |
+| [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no |
+| [intra\_acl\_tags](#input\_intra\_acl\_tags) | Additional tags for the intra subnets network ACL | `map(string)` | `{}` | no |
+| [intra\_dedicated\_network\_acl](#input\_intra\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | `bool` | `false` | no |
+| [intra\_inbound\_acl\_rules](#input\_intra\_inbound\_acl\_rules) | Intra subnets inbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [intra\_outbound\_acl\_rules](#input\_intra\_outbound\_acl\_rules) | Intra subnets outbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [intra\_route\_table\_tags](#input\_intra\_route\_table\_tags) | Additional tags for the intra route tables | `map(string)` | `{}` | no |
+| [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [intra\_subnet\_ipv6\_prefixes](#input\_intra\_subnet\_ipv6\_prefixes) | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no |
+| [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
+| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no |
+| [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no |
+| [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no |
+| [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no |
+| [manage\_default\_vpc](#input\_manage\_default\_vpc) | Should be true to adopt and manage Default VPC | `bool` | `false` | no |
+| [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Should be false if you do not want to auto-assign public IP on launch | `bool` | `true` | no |
+| [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
+| [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no |
+| [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no |
+| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | `bool` | `false` | no |
+| [outpost\_acl\_tags](#input\_outpost\_acl\_tags) | Additional tags for the outpost subnets network ACL | `map(string)` | `{}` | no |
+| [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in. | `string` | `null` | no |
+| [outpost\_az](#input\_outpost\_az) | AZ where Outpost is anchored. | `string` | `null` | no |
+| [outpost\_dedicated\_network\_acl](#input\_outpost\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for outpost subnets | `bool` | `false` | no |
+| [outpost\_inbound\_acl\_rules](#input\_outpost\_inbound\_acl\_rules) | Outpost subnets inbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [outpost\_outbound\_acl\_rules](#input\_outpost\_outbound\_acl\_rules) | Outpost subnets outbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [outpost\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_outpost\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [outpost\_subnet\_ipv6\_prefixes](#input\_outpost\_subnet\_ipv6\_prefixes) | Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [outpost\_subnet\_suffix](#input\_outpost\_subnet\_suffix) | Suffix to append to outpost subnets name | `string` | `"outpost"` | no |
+| [outpost\_subnet\_tags](#input\_outpost\_subnet\_tags) | Additional tags for the outpost subnets | `map(string)` | `{}` | no |
+| [outpost\_subnets](#input\_outpost\_subnets) | A list of outpost subnets inside the VPC | `list(string)` | `[]` | no |
+| [private\_acl\_tags](#input\_private\_acl\_tags) | Additional tags for the private subnets network ACL | `map(string)` | `{}` | no |
+| [private\_dedicated\_network\_acl](#input\_private\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for private subnets | `bool` | `false` | no |
+| [private\_inbound\_acl\_rules](#input\_private\_inbound\_acl\_rules) | Private subnets inbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [private\_outbound\_acl\_rules](#input\_private\_outbound\_acl\_rules) | Private subnets outbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [private\_route\_table\_tags](#input\_private\_route\_table\_tags) | Additional tags for the private route tables | `map(string)` | `{}` | no |
+| [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [private\_subnet\_ipv6\_prefixes](#input\_private\_subnet\_ipv6\_prefixes) | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [private\_subnet\_suffix](#input\_private\_subnet\_suffix) | Suffix to append to private subnets name | `string` | `"private"` | no |
+| [private\_subnet\_tags](#input\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no |
+| [private\_subnets](#input\_private\_subnets) | A list of private subnets inside the VPC | `list(string)` | `[]` | no |
+| [propagate\_intra\_route\_tables\_vgw](#input\_propagate\_intra\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
+| [propagate\_private\_route\_tables\_vgw](#input\_propagate\_private\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
+| [propagate\_public\_route\_tables\_vgw](#input\_propagate\_public\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
+| [public\_acl\_tags](#input\_public\_acl\_tags) | Additional tags for the public subnets network ACL | `map(string)` | `{}` | no |
+| [public\_dedicated\_network\_acl](#input\_public\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for public subnets | `bool` | `false` | no |
+| [public\_inbound\_acl\_rules](#input\_public\_inbound\_acl\_rules) | Public subnets inbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [public\_outbound\_acl\_rules](#input\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [public\_route\_table\_tags](#input\_public\_route\_table\_tags) | Additional tags for the public route tables | `map(string)` | `{}` | no |
+| [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [public\_subnet\_ipv6\_prefixes](#input\_public\_subnet\_ipv6\_prefixes) | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [public\_subnet\_suffix](#input\_public\_subnet\_suffix) | Suffix to append to public subnets name | `string` | `"public"` | no |
+| [public\_subnet\_tags](#input\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no |
+| [public\_subnets](#input\_public\_subnets) | A list of public subnets inside the VPC | `list(string)` | `[]` | no |
+| [redshift\_acl\_tags](#input\_redshift\_acl\_tags) | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no |
+| [redshift\_dedicated\_network\_acl](#input\_redshift\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | `bool` | `false` | no |
+| [redshift\_inbound\_acl\_rules](#input\_redshift\_inbound\_acl\_rules) | Redshift subnets inbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [redshift\_outbound\_acl\_rules](#input\_redshift\_outbound\_acl\_rules) | Redshift subnets outbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [redshift\_route\_table\_tags](#input\_redshift\_route\_table\_tags) | Additional tags for the redshift route tables | `map(string)` | `{}` | no |
+| [redshift\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_redshift\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
+| [redshift\_subnet\_group\_name](#input\_redshift\_subnet\_group\_name) | Name of redshift subnet group | `string` | `null` | no |
+| [redshift\_subnet\_group\_tags](#input\_redshift\_subnet\_group\_tags) | Additional tags for the redshift subnet group | `map(string)` | `{}` | no |
+| [redshift\_subnet\_ipv6\_prefixes](#input\_redshift\_subnet\_ipv6\_prefixes) | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
+| [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
+| [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
+| [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets | `list(string)` | `[]` | no |
+| [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
+| [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
+| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
+| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no |
+| [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
+| [vpc\_tags](#input\_vpc\_tags) | Additional tags for the VPC | `map(string)` | `{}` | no |
+| [vpn\_gateway\_az](#input\_vpn\_gateway\_az) | The Availability Zone for the VPN Gateway | `string` | `null` | no |
+| [vpn\_gateway\_id](#input\_vpn\_gateway\_id) | ID of VPN Gateway to attach to the VPC | `string` | `""` | no |
+| [vpn\_gateway\_tags](#input\_vpn\_gateway\_tags) | Additional tags for the VPN gateway | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
-| azs | A list of availability zones specified as argument to this module |
-| database\_network\_acl\_id | ID of the database network ACL |
-| database\_route\_table\_ids | List of IDs of database route tables |
-| database\_subnet\_arns | List of ARNs of database subnets |
-| database\_subnet\_group | ID of database subnet group |
-| database\_subnets | List of IDs of database subnets |
-| database\_subnets\_cidr\_blocks | List of cidr_blocks of database subnets |
-| default\_network\_acl\_id | The ID of the default network ACL |
-| default\_route\_table\_id | The ID of the default route table |
-| default\_security\_group\_id | The ID of the security group created by default on VPC creation |
-| default\_vpc\_cidr\_block | The CIDR block of the VPC |
-| default\_vpc\_default\_network\_acl\_id | The ID of the default network ACL |
-| default\_vpc\_default\_route\_table\_id | The ID of the default route table |
-| default\_vpc\_default\_security\_group\_id | The ID of the security group created by default on VPC creation |
-| default\_vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support |
-| default\_vpc\_enable\_dns\_support | Whether or not the VPC has DNS support |
-| default\_vpc\_id | The ID of the VPC |
-| default\_vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
-| default\_vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
-| elasticache\_network\_acl\_id | ID of the elasticache network ACL |
-| elasticache\_route\_table\_ids | List of IDs of elasticache route tables |
-| elasticache\_subnet\_arns | List of ARNs of elasticache subnets |
-| elasticache\_subnet\_group | ID of elasticache subnet group |
-| elasticache\_subnet\_group\_name | Name of elasticache subnet group |
-| elasticache\_subnets | List of IDs of elasticache subnets |
-| elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets |
-| igw\_id | The ID of the Internet Gateway |
-| intra\_network\_acl\_id | ID of the intra network ACL |
-| intra\_route\_table\_ids | List of IDs of intra route tables |
-| intra\_subnet\_arns | List of ARNs of intra subnets |
-| intra\_subnets | List of IDs of intra subnets |
-| intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets |
-| nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| natgw\_ids | List of NAT Gateway IDs |
-| private\_network\_acl\_id | ID of the private network ACL |
-| private\_route\_table\_ids | List of IDs of private route tables |
-| private\_subnet\_arns | List of ARNs of private subnets |
-| private\_subnets | List of IDs of private subnets |
-| private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets |
-| public\_network\_acl\_id | ID of the public network ACL |
-| public\_route\_table\_ids | List of IDs of public route tables |
-| public\_subnet\_arns | List of ARNs of public subnets |
-| public\_subnets | List of IDs of public subnets |
-| public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets |
-| redshift\_network\_acl\_id | ID of the redshift network ACL |
-| redshift\_route\_table\_ids | List of IDs of redshift route tables |
-| redshift\_subnet\_arns | List of ARNs of redshift subnets |
-| redshift\_subnet\_group | ID of redshift subnet group |
-| redshift\_subnets | List of IDs of redshift subnets |
-| redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets |
-| vgw\_id | The ID of the VPN Gateway |
-| vpc\_arn | The ARN of the VPC |
-| vpc\_cidr\_block | The CIDR block of the VPC |
-| vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support |
-| vpc\_enable\_dns\_support | Whether or not the VPC has DNS support |
-| vpc\_endpoint\_apigw\_dns\_entry | The DNS entries for the VPC Endpoint for APIGW. |
-| vpc\_endpoint\_apigw\_id | The ID of VPC endpoint for APIGW |
-| vpc\_endpoint\_apigw\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for APIGW. |
-| vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
-| vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail |
-| vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
-| vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB |
-| vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. |
-| vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. |
-| vpc\_endpoint\_ec2\_id | The ID of VPC endpoint for EC2 |
-| vpc\_endpoint\_ec2\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2 |
-| vpc\_endpoint\_ec2messages\_dns\_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES. |
-| vpc\_endpoint\_ec2messages\_id | The ID of VPC endpoint for EC2MESSAGES |
-| vpc\_endpoint\_ec2messages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES |
-| vpc\_endpoint\_ecr\_api\_dns\_entry | The DNS entries for the VPC Endpoint for ECR API. |
-| vpc\_endpoint\_ecr\_api\_id | The ID of VPC endpoint for ECR API |
-| vpc\_endpoint\_ecr\_api\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR API. |
-| vpc\_endpoint\_ecr\_dkr\_dns\_entry | The DNS entries for the VPC Endpoint for ECR DKR. |
-| vpc\_endpoint\_ecr\_dkr\_id | The ID of VPC endpoint for ECR DKR |
-| vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. |
-| vpc\_endpoint\_ecs\_agent\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Agent. |
-| vpc\_endpoint\_ecs\_agent\_id | The ID of VPC endpoint for ECS Agent |
-| vpc\_endpoint\_ecs\_agent\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. |
-| vpc\_endpoint\_ecs\_dns\_entry | The DNS entries for the VPC Endpoint for ECS. |
-| vpc\_endpoint\_ecs\_id | The ID of VPC endpoint for ECS |
-| vpc\_endpoint\_ecs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS. |
-| vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
-| vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry |
-| vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
-| vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
-| vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
-| vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
-| vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
-| vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
-| vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
-| vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. |
-| vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS |
-| vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. |
-| vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
-| vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs |
-| vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
-| vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
-| vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
-| vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
-| vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
-| vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
-| vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
-| vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
-| vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
-| vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. |
-| vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS |
-| vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. |
-| vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
-| vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
-| vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |
-| vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
-| vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
-| vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
-| vpc\_id | The ID of the VPC |
-| vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
-| vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
-| vpc\_secondary\_cidr\_blocks | List of secondary CIDR blocks of the VPC |
-
+| [azs](#output\_azs) | A list of availability zones specified as argument to this module |
+| [cgw\_arns](#output\_cgw\_arns) | List of ARNs of Customer Gateway |
+| [cgw\_ids](#output\_cgw\_ids) | List of IDs of Customer Gateway |
+| [database\_internet\_gateway\_route\_id](#output\_database\_internet\_gateway\_route\_id) | ID of the database internet gateway route. |
+| [database\_ipv6\_egress\_route\_id](#output\_database\_ipv6\_egress\_route\_id) | ID of the database IPv6 egress route. |
+| [database\_nat\_gateway\_route\_ids](#output\_database\_nat\_gateway\_route\_ids) | List of IDs of the database nat gateway route. |
+| [database\_network\_acl\_arn](#output\_database\_network\_acl\_arn) | ARN of the database network ACL |
+| [database\_network\_acl\_id](#output\_database\_network\_acl\_id) | ID of the database network ACL |
+| [database\_route\_table\_association\_ids](#output\_database\_route\_table\_association\_ids) | List of IDs of the database route table association |
+| [database\_route\_table\_ids](#output\_database\_route\_table\_ids) | List of IDs of database route tables |
+| [database\_subnet\_arns](#output\_database\_subnet\_arns) | List of ARNs of database subnets |
+| [database\_subnet\_group](#output\_database\_subnet\_group) | ID of database subnet group |
+| [database\_subnet\_group\_name](#output\_database\_subnet\_group\_name) | Name of database subnet group |
+| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
+| [database\_subnets\_cidr\_blocks](#output\_database\_subnets\_cidr\_blocks) | List of cidr\_blocks of database subnets |
+| [database\_subnets\_ipv6\_cidr\_blocks](#output\_database\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of database subnets in an IPv6 enabled VPC |
+| [default\_network\_acl\_id](#output\_default\_network\_acl\_id) | The ID of the default network ACL |
+| [default\_route\_table\_id](#output\_default\_route\_table\_id) | The ID of the default route table |
+| [default\_security\_group\_id](#output\_default\_security\_group\_id) | The ID of the security group created by default on VPC creation |
+| [default\_vpc\_arn](#output\_default\_vpc\_arn) | The ARN of the Default VPC |
+| [default\_vpc\_cidr\_block](#output\_default\_vpc\_cidr\_block) | The CIDR block of the Default VPC |
+| [default\_vpc\_default\_network\_acl\_id](#output\_default\_vpc\_default\_network\_acl\_id) | The ID of the default network ACL of the Default VPC |
+| [default\_vpc\_default\_route\_table\_id](#output\_default\_vpc\_default\_route\_table\_id) | The ID of the default route table of the Default VPC |
+| [default\_vpc\_default\_security\_group\_id](#output\_default\_vpc\_default\_security\_group\_id) | The ID of the security group created by default on Default VPC creation |
+| [default\_vpc\_enable\_dns\_hostnames](#output\_default\_vpc\_enable\_dns\_hostnames) | Whether or not the Default VPC has DNS hostname support |
+| [default\_vpc\_enable\_dns\_support](#output\_default\_vpc\_enable\_dns\_support) | Whether or not the Default VPC has DNS support |
+| [default\_vpc\_id](#output\_default\_vpc\_id) | The ID of the Default VPC |
+| [default\_vpc\_instance\_tenancy](#output\_default\_vpc\_instance\_tenancy) | Tenancy of instances spin up within Default VPC |
+| [default\_vpc\_main\_route\_table\_id](#output\_default\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with the Default VPC |
+| [dhcp\_options\_id](#output\_dhcp\_options\_id) | The ID of the DHCP options |
+| [egress\_only\_internet\_gateway\_id](#output\_egress\_only\_internet\_gateway\_id) | The ID of the egress only Internet Gateway |
+| [elasticache\_network\_acl\_arn](#output\_elasticache\_network\_acl\_arn) | ARN of the elasticache network ACL |
+| [elasticache\_network\_acl\_id](#output\_elasticache\_network\_acl\_id) | ID of the elasticache network ACL |
+| [elasticache\_route\_table\_association\_ids](#output\_elasticache\_route\_table\_association\_ids) | List of IDs of the elasticache route table association |
+| [elasticache\_route\_table\_ids](#output\_elasticache\_route\_table\_ids) | List of IDs of elasticache route tables |
+| [elasticache\_subnet\_arns](#output\_elasticache\_subnet\_arns) | List of ARNs of elasticache subnets |
+| [elasticache\_subnet\_group](#output\_elasticache\_subnet\_group) | ID of elasticache subnet group |
+| [elasticache\_subnet\_group\_name](#output\_elasticache\_subnet\_group\_name) | Name of elasticache subnet group |
+| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| [elasticache\_subnets\_cidr\_blocks](#output\_elasticache\_subnets\_cidr\_blocks) | List of cidr\_blocks of elasticache subnets |
+| [elasticache\_subnets\_ipv6\_cidr\_blocks](#output\_elasticache\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of elasticache subnets in an IPv6 enabled VPC |
+| [igw\_arn](#output\_igw\_arn) | The ARN of the Internet Gateway |
+| [igw\_id](#output\_igw\_id) | The ID of the Internet Gateway |
+| [intra\_network\_acl\_arn](#output\_intra\_network\_acl\_arn) | ARN of the intra network ACL |
+| [intra\_network\_acl\_id](#output\_intra\_network\_acl\_id) | ID of the intra network ACL |
+| [intra\_route\_table\_association\_ids](#output\_intra\_route\_table\_association\_ids) | List of IDs of the intra route table association |
+| [intra\_route\_table\_ids](#output\_intra\_route\_table\_ids) | List of IDs of intra route tables |
+| [intra\_subnet\_arns](#output\_intra\_subnet\_arns) | List of ARNs of intra subnets |
+| [intra\_subnets](#output\_intra\_subnets) | List of IDs of intra subnets |
+| [intra\_subnets\_cidr\_blocks](#output\_intra\_subnets\_cidr\_blocks) | List of cidr\_blocks of intra subnets |
+| [intra\_subnets\_ipv6\_cidr\_blocks](#output\_intra\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of intra subnets in an IPv6 enabled VPC |
+| [name](#output\_name) | The name of the VPC specified as argument to this module |
+| [nat\_ids](#output\_nat\_ids) | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [natgw\_ids](#output\_natgw\_ids) | List of NAT Gateway IDs |
+| [outpost\_network\_acl\_arn](#output\_outpost\_network\_acl\_arn) | ARN of the outpost network ACL |
+| [outpost\_network\_acl\_id](#output\_outpost\_network\_acl\_id) | ID of the outpost network ACL |
+| [outpost\_subnet\_arns](#output\_outpost\_subnet\_arns) | List of ARNs of outpost subnets |
+| [outpost\_subnets](#output\_outpost\_subnets) | List of IDs of outpost subnets |
+| [outpost\_subnets\_cidr\_blocks](#output\_outpost\_subnets\_cidr\_blocks) | List of cidr\_blocks of outpost subnets |
+| [outpost\_subnets\_ipv6\_cidr\_blocks](#output\_outpost\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of outpost subnets in an IPv6 enabled VPC |
+| [private\_ipv6\_egress\_route\_ids](#output\_private\_ipv6\_egress\_route\_ids) | List of IDs of the ipv6 egress route. |
+| [private\_nat\_gateway\_route\_ids](#output\_private\_nat\_gateway\_route\_ids) | List of IDs of the private nat gateway route. |
+| [private\_network\_acl\_arn](#output\_private\_network\_acl\_arn) | ARN of the private network ACL |
+| [private\_network\_acl\_id](#output\_private\_network\_acl\_id) | ID of the private network ACL |
+| [private\_route\_table\_association\_ids](#output\_private\_route\_table\_association\_ids) | List of IDs of the private route table association |
+| [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | List of IDs of private route tables |
+| [private\_subnet\_arns](#output\_private\_subnet\_arns) | List of ARNs of private subnets |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [private\_subnets\_cidr\_blocks](#output\_private\_subnets\_cidr\_blocks) | List of cidr\_blocks of private subnets |
+| [private\_subnets\_ipv6\_cidr\_blocks](#output\_private\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of private subnets in an IPv6 enabled VPC |
+| [public\_internet\_gateway\_ipv6\_route\_id](#output\_public\_internet\_gateway\_ipv6\_route\_id) | ID of the IPv6 internet gateway route. |
+| [public\_internet\_gateway\_route\_id](#output\_public\_internet\_gateway\_route\_id) | ID of the internet gateway route. |
+| [public\_network\_acl\_arn](#output\_public\_network\_acl\_arn) | ARN of the public network ACL |
+| [public\_network\_acl\_id](#output\_public\_network\_acl\_id) | ID of the public network ACL |
+| [public\_route\_table\_association\_ids](#output\_public\_route\_table\_association\_ids) | List of IDs of the public route table association |
+| [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | List of IDs of public route tables |
+| [public\_subnet\_arns](#output\_public\_subnet\_arns) | List of ARNs of public subnets |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [public\_subnets\_cidr\_blocks](#output\_public\_subnets\_cidr\_blocks) | List of cidr\_blocks of public subnets |
+| [public\_subnets\_ipv6\_cidr\_blocks](#output\_public\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of public subnets in an IPv6 enabled VPC |
+| [redshift\_network\_acl\_arn](#output\_redshift\_network\_acl\_arn) | ARN of the redshift network ACL |
+| [redshift\_network\_acl\_id](#output\_redshift\_network\_acl\_id) | ID of the redshift network ACL |
+| [redshift\_public\_route\_table\_association\_ids](#output\_redshift\_public\_route\_table\_association\_ids) | List of IDs of the public redshidt route table association |
+| [redshift\_route\_table\_association\_ids](#output\_redshift\_route\_table\_association\_ids) | List of IDs of the redshift route table association |
+| [redshift\_route\_table\_ids](#output\_redshift\_route\_table\_ids) | List of IDs of redshift route tables |
+| [redshift\_subnet\_arns](#output\_redshift\_subnet\_arns) | List of ARNs of redshift subnets |
+| [redshift\_subnet\_group](#output\_redshift\_subnet\_group) | ID of redshift subnet group |
+| [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets |
+| [redshift\_subnets\_cidr\_blocks](#output\_redshift\_subnets\_cidr\_blocks) | List of cidr\_blocks of redshift subnets |
+| [redshift\_subnets\_ipv6\_cidr\_blocks](#output\_redshift\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of redshift subnets in an IPv6 enabled VPC |
+| [this\_customer\_gateway](#output\_this\_customer\_gateway) | Map of Customer Gateway attributes |
+| [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
+| [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
+| [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC |
+| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
+| [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |
+| [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
+| [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
+| [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
+| [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| [vpc\_instance\_tenancy](#output\_vpc\_instance\_tenancy) | Tenancy of instances spin up within VPC |
+| [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block |
+| [vpc\_ipv6\_cidr\_block](#output\_vpc\_ipv6\_cidr\_block) | The IPv6 CIDR block |
+| [vpc\_main\_route\_table\_id](#output\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with this VPC |
+| [vpc\_owner\_id](#output\_vpc\_owner\_id) | The ID of the AWS account that owns the VPC |
+| [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC |
-## Tests
-
-This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through test kitchen. To run them:
-
-1. Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/Gemfile).
-2. Install bundler and the gems from our Gemfile:
-```
-gem install bundler; bundle install
-```
-3. Test using `bundle exec kitchen test` from the root of the repo.
-
-
## Authors
Module is maintained by [Anton Babenko](https://github.com/antonbabenko) with help from [these awesome contributors](https://github.com/terraform-aws-modules/terraform-aws-vpc/graphs/contributors).
## License
-Apache 2 Licensed. See LICENSE for full details.
+Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/LICENSE) for full details.
diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md
new file mode 100644
index 000000000..f1e5d24fa
--- /dev/null
+++ b/UPGRADE-3.0.md
@@ -0,0 +1,52 @@
+# Upgrade from v2.x to v3.x
+
+If you have any questions regarding this upgrade process, please consult the `examples` directory:
+
+- [Complete-VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc)
+
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+Previously, VPC endpoints were configured as standalone resources with their own set of variables and attributes. Now, this functionality is provided via a module which loops over a map of maps using `for_each` to generate the desired VPC endpoints. Therefore, to maintain the existing set of functionality while upgrading, you will need to perform the following changes:
+
+1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured:
+
+```
+terraform state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]'
+...
+```
+
+2. Remove the gateway endpoint route table association separate resources. The route table associations are now managed in the VPC endpoint resource itself via the map of maps provided to the VPC endpoint sub-module. Perform the necessary removals for each route table association and for S3 and/or DynamoDB depending on your configuration:
+
+```
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]'
+...
+```
+
+### Variable and output changes
+
+1. Removed variables:
+
+ - `enable_*_endpoint`
+ - `*_endpoint_type`
+ - `*_endpoint_security_group_ids`
+ - `*_endpoint_subnet_ids`
+ - `*_endpoint_private_dns_enabled`
+ - `*_endpoint_policy`
+
+2. Renamed variables:
+
+See the [VPC endpoint sub-module](modules/vpc-endpoints) for the more information on the variables to utilize for VPC endpoints
+
+3. Removed outputs:
+
+ - `vpc_endpoint_*`
+
+4. Renamed outputs:
+
+VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs
diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md
index 7a0a4a96d..25ee27547 100644
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -17,20 +17,58 @@ $ terraform apply
Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.63 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+| [vpc\_endpoints](#module\_vpc\_endpoints) | ../../modules/vpc-endpoints | n/a |
+| [vpc\_endpoints\_nocreate](#module\_vpc\_endpoints\_nocreate) | ../../modules/vpc-endpoints | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc_endpoint_service.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+
+## Inputs
+
+No inputs.
+
## Outputs
| Name | Description |
|------|-------------|
-| database\_subnets | List of IDs of database subnets |
-| elasticache\_subnets | List of IDs of elasticache subnets |
-| intra\_subnets | List of IDs of intra subnets |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| redshift\_subnets | List of IDs of redshift subnets |
-| vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
-| vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
-| vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |
-| vpc\_id | The ID of the VPC |
-
+| [cgw\_ids](#output\_cgw\_ids) | List of IDs of Customer Gateway |
+| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
+| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| [intra\_subnets](#output\_intra\_subnets) | List of IDs of intra subnets |
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets |
+| [this\_customer\_gateway](#output\_this\_customer\_gateway) | Map of Customer Gateway attributes |
+| [vpc\_endpoint\_lambda\_dns\_entry](#output\_vpc\_endpoint\_lambda\_dns\_entry) | The DNS entries for the VPC Endpoint for Lambda. |
+| [vpc\_endpoint\_lambda\_id](#output\_vpc\_endpoint\_lambda\_id) | The ID of VPC endpoint for Lambda |
+| [vpc\_endpoint\_lambda\_network\_interface\_ids](#output\_vpc\_endpoint\_lambda\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Lambda. |
+| [vpc\_endpoint\_ssm\_dns\_entry](#output\_vpc\_endpoint\_ssm\_dns\_entry) | The DNS entries for the VPC Endpoint for SSM. |
+| [vpc\_endpoint\_ssm\_id](#output\_vpc\_endpoint\_ssm\_id) | The ID of VPC endpoint for SSM |
+| [vpc\_endpoint\_ssm\_network\_interface\_ids](#output\_vpc\_endpoint\_ssm\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SSM. |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
index f51519a87..6ce367f7b 100644
--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -2,100 +2,233 @@ provider "aws" {
region = "eu-west-1"
}
-data "aws_security_group" "default" {
- name = "default"
- vpc_id = module.vpc.vpc_id
+locals {
+ name = "complete-example"
+ region = "eu-west-1"
+ tags = {
+ Owner = "user"
+ Environment = "staging"
+ Name = "complete"
+ }
}
+################################################################################
+# VPC Module
+################################################################################
+
module "vpc" {
source = "../../"
- name = "complete-example"
-
- cidr = "10.10.0.0/16"
+ name = local.name
+ cidr = "20.10.0.0/16" # 10.0.0.0/8 is reserved for EC2-Classic
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
- private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
- public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
- database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
- elasticache_subnets = ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"]
- redshift_subnets = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"]
- intra_subnets = ["10.10.51.0/24", "10.10.52.0/24", "10.10.53.0/24"]
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
+ private_subnets = ["20.10.1.0/24", "20.10.2.0/24", "20.10.3.0/24"]
+ public_subnets = ["20.10.11.0/24", "20.10.12.0/24", "20.10.13.0/24"]
+ database_subnets = ["20.10.21.0/24", "20.10.22.0/24", "20.10.23.0/24"]
+ elasticache_subnets = ["20.10.31.0/24", "20.10.32.0/24", "20.10.33.0/24"]
+ redshift_subnets = ["20.10.41.0/24", "20.10.42.0/24", "20.10.43.0/24"]
+ intra_subnets = ["20.10.51.0/24", "20.10.52.0/24", "20.10.53.0/24"]
create_database_subnet_group = false
+ manage_default_route_table = true
+ default_route_table_tags = { DefaultRouteTable = true }
+
enable_dns_hostnames = true
enable_dns_support = true
+ enable_classiclink = true
+ enable_classiclink_dns_support = true
+
enable_nat_gateway = true
single_nat_gateway = true
+ customer_gateways = {
+ IP1 = {
+ bgp_asn = 65112
+ ip_address = "1.2.3.4"
+ device_name = "some_name"
+ },
+ IP2 = {
+ bgp_asn = 65112
+ ip_address = "5.6.7.8"
+ }
+ }
+
enable_vpn_gateway = true
enable_dhcp_options = true
dhcp_options_domain_name = "service.consul"
dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
- # VPC endpoint for S3
- enable_s3_endpoint = true
-
- # VPC endpoint for DynamoDB
- enable_dynamodb_endpoint = true
-
- # VPC endpoint for SSM
- enable_ssm_endpoint = true
- ssm_endpoint_private_dns_enabled = true
- ssm_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC endpoint for SSMMESSAGES
- enable_ssmmessages_endpoint = true
- ssmmessages_endpoint_private_dns_enabled = true
- ssmmessages_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC Endpoint for EC2
- enable_ec2_endpoint = true
- ec2_endpoint_private_dns_enabled = true
- ec2_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC Endpoint for EC2MESSAGES
- enable_ec2messages_endpoint = true
- ec2messages_endpoint_private_dns_enabled = true
- ec2messages_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC Endpoint for ECR API
- enable_ecr_api_endpoint = true
- ecr_api_endpoint_private_dns_enabled = true
- ecr_api_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC Endpoint for ECR DKR
- enable_ecr_dkr_endpoint = true
- ecr_dkr_endpoint_private_dns_enabled = true
- ecr_dkr_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC endpoint for KMS
- enable_kms_endpoint = true
- kms_endpoint_private_dns_enabled = true
- kms_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC endpoint for ECS
- enable_ecs_endpoint = true
- ecs_endpoint_private_dns_enabled = true
- ecs_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC endpoint for ECS telemetry
- enable_ecs_telemetry_endpoint = true
- ecs_telemetry_endpoint_private_dns_enabled = true
- ecs_telemetry_endpoint_security_group_ids = [data.aws_security_group.default.id]
-
- # VPC endpoint for SQS
- enable_sqs_endpoint = true
- sqs_endpoint_private_dns_enabled = true
- sqs_endpoint_security_group_ids = [data.aws_security_group.default.id]
+ # Default security group - ingress/egress rules cleared to deny all
+ manage_default_security_group = true
+ default_security_group_ingress = []
+ default_security_group_egress = []
- tags = {
- Owner = "user"
- Environment = "staging"
- Name = "complete"
+ # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
+
+ tags = local.tags
+}
+
+################################################################################
+# VPC Endpoints Module
+################################################################################
+
+module "vpc_endpoints" {
+ source = "../../modules/vpc-endpoints"
+
+ vpc_id = module.vpc.vpc_id
+ security_group_ids = [data.aws_security_group.default.id]
+
+ endpoints = {
+ s3 = {
+ service = "s3"
+ tags = { Name = "s3-vpc-endpoint" }
+ },
+ dynamodb = {
+ service = "dynamodb"
+ service_type = "Gateway"
+ route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+ policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
+ tags = { Name = "dynamodb-vpc-endpoint" }
+ },
+ ssm = {
+ service = "ssm"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ssmmessages = {
+ service = "ssmmessages"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ lambda = {
+ service = "lambda"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ecs = {
+ service = "ecs"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ecs_telemetry = {
+ service = "ecs-telemetry"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ec2 = {
+ service = "ec2"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ec2messages = {
+ service = "ec2messages"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ ecr_api = {
+ service = "ecr.api"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ policy = data.aws_iam_policy_document.generic_endpoint_policy.json
+ },
+ ecr_dkr = {
+ service = "ecr.dkr"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ policy = data.aws_iam_policy_document.generic_endpoint_policy.json
+ },
+ kms = {
+ service = "kms"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ codedeploy = {
+ service = "codedeploy"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
+ codedeploy_commands_secure = {
+ service = "codedeploy-commands-secure"
+ private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ },
}
+
+ tags = merge(local.tags, {
+ Project = "Secret"
+ Endpoint = "true"
+ })
}
+module "vpc_endpoints_nocreate" {
+ source = "../../modules/vpc-endpoints"
+
+ create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_security_group" "default" {
+ name = "default"
+ vpc_id = module.vpc.vpc_id
+}
+
+# Data source used to avoid race condition
+data "aws_vpc_endpoint_service" "dynamodb" {
+ service = "dynamodb"
+
+ filter {
+ name = "service-type"
+ values = ["Gateway"]
+ }
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+ statement {
+ effect = "Deny"
+ actions = ["dynamodb:*"]
+ resources = ["*"]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringNotEquals"
+ variable = "aws:sourceVpce"
+
+ values = [data.aws_vpc_endpoint_service.dynamodb.id]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+ statement {
+ effect = "Deny"
+ actions = ["*"]
+ resources = ["*"]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringNotEquals"
+ variable = "aws:sourceVpce"
+
+ values = [data.aws_vpc_endpoint_service.dynamodb.id]
+ }
+ }
+}
diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf
index db1fef127..7dd0b6ddf 100644
--- a/examples/complete-vpc/outputs.tf
+++ b/examples/complete-vpc/outputs.tf
@@ -44,32 +44,41 @@ output "nat_public_ips" {
# VPC endpoints
output "vpc_endpoint_ssm_id" {
description = "The ID of VPC endpoint for SSM"
- value = module.vpc.vpc_endpoint_ssm_id
+ value = module.vpc_endpoints.endpoints["ssm"].id
}
output "vpc_endpoint_ssm_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for SSM."
- value = module.vpc.vpc_endpoint_ssm_network_interface_ids
+ value = module.vpc_endpoints.endpoints["ssm"].network_interface_ids
}
output "vpc_endpoint_ssm_dns_entry" {
description = "The DNS entries for the VPC Endpoint for SSM."
- value = module.vpc.vpc_endpoint_ssm_dns_entry
+ value = module.vpc_endpoints.endpoints["ssm"].dns_entry
}
-//
-//# VPC endpoints
-//output "vpc_endpoint_ec2_id" {
-// description = "The ID of VPC endpoint for EC2"
-// value = "${module.vpc.vpc_endpoint_ec2_id}"
-//}
-//
-//output "vpc_endpoint_ec2_network_interface_ids" {
-// description = "One or more network interfaces for the VPC Endpoint for EC2."
-// value = ["${module.vpc.vpc_endpoint_ec2_network_interface_ids}"]
-//}
-//
-//output "vpc_endpoint_ec2_dns_entry" {
-// description = "The DNS entries for the VPC Endpoint for EC2."
-// value = ["${module.vpc.vpc_endpoint_ec2_dns_entry}"]
-//}
+output "vpc_endpoint_lambda_id" {
+ description = "The ID of VPC endpoint for Lambda"
+ value = module.vpc_endpoints.endpoints["lambda"].id
+}
+
+output "vpc_endpoint_lambda_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for Lambda."
+ value = module.vpc_endpoints.endpoints["lambda"].network_interface_ids
+}
+
+output "vpc_endpoint_lambda_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for Lambda."
+ value = module.vpc_endpoints.endpoints["lambda"].dns_entry
+}
+
+# Customer Gateway
+output "cgw_ids" {
+ description = "List of IDs of Customer Gateway"
+ value = module.vpc.cgw_ids
+}
+
+output "this_customer_gateway" {
+ description = "Map of Customer Gateway attributes"
+ value = module.vpc.this_customer_gateway
+}
diff --git a/examples/complete-vpc/variables.tf b/examples/complete-vpc/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/complete-vpc/versions.tf b/examples/complete-vpc/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/complete-vpc/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/ipv6/README.md b/examples/ipv6/README.md
new file mode 100644
index 000000000..578ba037f
--- /dev/null
+++ b/examples/ipv6/README.md
@@ -0,0 +1,50 @@
+# VPC with IPv6 enabled
+
+Configuration in this directory creates set of VPC resources with IPv6 enabled on VPC and subnets.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../.. | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [ipv6\_association\_id](#output\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block |
+| [ipv6\_cidr\_block](#output\_ipv6\_cidr\_block) | The IPv6 CIDR block |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+
diff --git a/examples/ipv6/main.tf b/examples/ipv6/main.tf
new file mode 100644
index 000000000..ce6709921
--- /dev/null
+++ b/examples/ipv6/main.tf
@@ -0,0 +1,42 @@
+provider "aws" {
+ region = local.region
+}
+
+locals {
+ region = "eu-west-1"
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+ source = "../.."
+
+ name = "ipv6"
+ cidr = "10.0.0.0/16"
+
+ azs = ["${local.region}a", "${local.region}b"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
+ database_subnets = ["10.0.103.0/24", "10.0.104.0/24"]
+
+ enable_nat_gateway = false
+
+ create_database_subnet_route_table = true
+ create_database_internet_gateway_route = true
+
+ enable_ipv6 = true
+ assign_ipv6_address_on_creation = true
+
+ private_subnet_assign_ipv6_address_on_creation = false
+
+ public_subnet_ipv6_prefixes = [0, 1]
+ private_subnet_ipv6_prefixes = [2, 3]
+ database_subnet_ipv6_prefixes = [4, 5]
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+}
diff --git a/examples/ipv6/outputs.tf b/examples/ipv6/outputs.tf
new file mode 100644
index 000000000..9d5581ccb
--- /dev/null
+++ b/examples/ipv6/outputs.tf
@@ -0,0 +1,15 @@
+# VPC
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+output "ipv6_cidr_block" {
+ description = "The IPv6 CIDR block"
+ value = module.vpc.vpc_ipv6_cidr_block
+}
+
+output "ipv6_association_id" {
+ description = "The association ID for the IPv6 CIDR block"
+ value = module.vpc.vpc_ipv6_association_id
+}
diff --git a/examples/ipv6/variables.tf b/examples/ipv6/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/ipv6/versions.tf b/examples/ipv6/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/ipv6/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/issue-108-route-already-exists/README.md b/examples/issue-108-route-already-exists/README.md
deleted file mode 100644
index 7aa22941a..000000000
--- a/examples/issue-108-route-already-exists/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Issue 108 - VPC
-
-Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
-
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108#issue-308084655
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/102#issuecomment-374877706
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44#issuecomment-378679404
-
-## Usage
-
-To run this example you need to execute:
-
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| database\_subnets | List of IDs of database subnets |
-| elasticache\_subnets | List of IDs of elasticache subnets |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| vpc\_id | The ID of the VPC |
-
-
diff --git a/examples/issue-108-route-already-exists/main.tf b/examples/issue-108-route-already-exists/main.tf
deleted file mode 100644
index 199b47a9f..000000000
--- a/examples/issue-108-route-already-exists/main.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-provider "aws" {
- region = "us-east-1"
-}
-
-module "vpc" {
- source = "../../"
-
- name = "route-already-exists"
-
- cidr = "10.0.0.0/16"
-
- azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
- private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
- public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]
-
- single_nat_gateway = true
- enable_nat_gateway = true
-
- enable_s3_endpoint = true
- enable_dynamodb_endpoint = true
-}
diff --git a/examples/issue-108-route-already-exists/outputs.tf b/examples/issue-108-route-already-exists/outputs.tf
deleted file mode 100644
index 51b4e83b7..000000000
--- a/examples/issue-108-route-already-exists/outputs.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-# VPC
-output "vpc_id" {
- description = "The ID of the VPC"
- value = module.vpc.vpc_id
-}
-
-# Subnets
-output "private_subnets" {
- description = "List of IDs of private subnets"
- value = module.vpc.private_subnets
-}
-
-output "public_subnets" {
- description = "List of IDs of public subnets"
- value = module.vpc.public_subnets
-}
-
-output "database_subnets" {
- description = "List of IDs of database subnets"
- value = module.vpc.database_subnets
-}
-
-output "elasticache_subnets" {
- description = "List of IDs of elasticache subnets"
- value = module.vpc.elasticache_subnets
-}
-
-# NAT gateways
-output "nat_public_ips" {
- description = "List of public Elastic IPs created for AWS NAT Gateway"
- value = module.vpc.nat_public_ips
-}
-
diff --git a/examples/issue-44-asymmetric-private-subnets/README.md b/examples/issue-44-asymmetric-private-subnets/README.md
deleted file mode 100644
index 2484554d2..000000000
--- a/examples/issue-44-asymmetric-private-subnets/README.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Issue 44 - VPC
-
-Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
-
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
-
-## Usage
-
-To run this example you need to execute:
-
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| database\_subnets | List of IDs of database subnets |
-| elasticache\_subnets | List of IDs of elasticache subnets |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| vpc\_id | The ID of the VPC |
-
-
diff --git a/examples/issue-44-asymmetric-private-subnets/main.tf b/examples/issue-44-asymmetric-private-subnets/main.tf
deleted file mode 100644
index 07f3f0fe7..000000000
--- a/examples/issue-44-asymmetric-private-subnets/main.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-# List of AZs and private subnets are not of equal length
-#
-# This example creates resources which are not present in all AZs.
-# This should be seldomly needed from architectural point of view,
-# and it can also lead this module to some edge cases.
-#
-# Github issue: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
-module "vpc" {
- source = "../../"
-
- name = "asymmetrical"
-
- cidr = "10.0.0.0/16"
-
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
- private_subnets = ["10.0.1.0/24"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
- database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
-
- create_database_subnet_group = true
- enable_nat_gateway = true
-
- tags = {
- Issue = "44"
- Name = "asymmetrical"
- }
-}
-
diff --git a/examples/issue-46-no-private-subnets/README.md b/examples/issue-46-no-private-subnets/README.md
deleted file mode 100644
index b87e05e37..000000000
--- a/examples/issue-46-no-private-subnets/README.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Issue 46 - VPC
-
-Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
-
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
-
-## Usage
-
-To run this example you need to execute:
-
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| database\_subnets | List of IDs of database subnets |
-| elasticache\_subnets | List of IDs of elasticache subnets |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| vpc\_id | The ID of the VPC |
-
-
diff --git a/examples/issue-46-no-private-subnets/main.tf b/examples/issue-46-no-private-subnets/main.tf
deleted file mode 100644
index e9e5ec517..000000000
--- a/examples/issue-46-no-private-subnets/main.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-# There are no private subnets in this VPC setup.
-#
-# Github issue: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
-module "vpc" {
- source = "../../"
-
- name = "no-private-subnets"
-
- cidr = "10.0.0.0/16"
-
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
- public_subnets = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
- private_subnets = []
- database_subnets = ["10.0.128.0/24", "10.0.129.0/24"]
- elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"]
-
- enable_dns_support = true
- enable_dns_hostnames = true
- enable_nat_gateway = false
-
- tags = {
- Issue = "46"
- Name = "no-private-subnets"
- }
-}
-
diff --git a/examples/issue-46-no-private-subnets/outputs.tf b/examples/issue-46-no-private-subnets/outputs.tf
deleted file mode 100644
index 51b4e83b7..000000000
--- a/examples/issue-46-no-private-subnets/outputs.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-# VPC
-output "vpc_id" {
- description = "The ID of the VPC"
- value = module.vpc.vpc_id
-}
-
-# Subnets
-output "private_subnets" {
- description = "List of IDs of private subnets"
- value = module.vpc.private_subnets
-}
-
-output "public_subnets" {
- description = "List of IDs of public subnets"
- value = module.vpc.public_subnets
-}
-
-output "database_subnets" {
- description = "List of IDs of database subnets"
- value = module.vpc.database_subnets
-}
-
-output "elasticache_subnets" {
- description = "List of IDs of elasticache subnets"
- value = module.vpc.elasticache_subnets
-}
-
-# NAT gateways
-output "nat_public_ips" {
- description = "List of public Elastic IPs created for AWS NAT Gateway"
- value = module.vpc.nat_public_ips
-}
-
diff --git a/examples/issues/README.md b/examples/issues/README.md
new file mode 100644
index 000000000..b689ca62e
--- /dev/null
+++ b/examples/issues/README.md
@@ -0,0 +1,72 @@
+# Issues
+
+Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
+
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/102
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc\_issue\_108](#module\_vpc\_issue\_108) | ../../ | n/a |
+| [vpc\_issue\_44](#module\_vpc\_issue\_44) | ../../ | n/a |
+| [vpc\_issue\_46](#module\_vpc\_issue\_46) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [issue\_108\_database\_subnets](#output\_issue\_108\_database\_subnets) | List of IDs of database subnets |
+| [issue\_108\_elasticache\_subnets](#output\_issue\_108\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| [issue\_108\_nat\_public\_ips](#output\_issue\_108\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [issue\_108\_private\_subnets](#output\_issue\_108\_private\_subnets) | List of IDs of private subnets |
+| [issue\_108\_public\_subnets](#output\_issue\_108\_public\_subnets) | List of IDs of public subnets |
+| [issue\_108\_vpc\_id](#output\_issue\_108\_vpc\_id) | The ID of the VPC |
+| [issue\_44\_database\_subnets](#output\_issue\_44\_database\_subnets) | List of IDs of database subnets |
+| [issue\_44\_elasticache\_subnets](#output\_issue\_44\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| [issue\_44\_nat\_public\_ips](#output\_issue\_44\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [issue\_44\_private\_subnets](#output\_issue\_44\_private\_subnets) | List of IDs of private subnets |
+| [issue\_44\_public\_subnets](#output\_issue\_44\_public\_subnets) | List of IDs of public subnets |
+| [issue\_44\_vpc\_id](#output\_issue\_44\_vpc\_id) | The ID of the VPC |
+| [issue\_46\_database\_subnets](#output\_issue\_46\_database\_subnets) | List of IDs of database subnets |
+| [issue\_46\_elasticache\_subnets](#output\_issue\_46\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| [issue\_46\_nat\_public\_ips](#output\_issue\_46\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [issue\_46\_private\_subnets](#output\_issue\_46\_private\_subnets) | List of IDs of private subnets |
+| [issue\_46\_public\_subnets](#output\_issue\_46\_public\_subnets) | List of IDs of public subnets |
+| [issue\_46\_vpc\_id](#output\_issue\_46\_vpc\_id) | The ID of the VPC |
+
diff --git a/examples/issues/main.tf b/examples/issues/main.tf
new file mode 100644
index 000000000..a838239d3
--- /dev/null
+++ b/examples/issues/main.tf
@@ -0,0 +1,80 @@
+provider "aws" {
+ region = local.region
+}
+
+locals {
+ region = "eu-west-1"
+}
+
+################################################################################
+# Issue 44 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
+################################################################################
+
+module "vpc_issue_44" {
+ source = "../../"
+
+ name = "asymmetrical"
+ cidr = "10.0.0.0/16"
+
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
+ private_subnets = ["10.0.1.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
+ database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
+
+ create_database_subnet_group = true
+ enable_nat_gateway = true
+
+ tags = {
+ Issue = "44"
+ Name = "asymmetrical"
+ }
+}
+
+################################################################################
+# Issue 46 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
+################################################################################
+
+module "vpc_issue_46" {
+ source = "../../"
+
+ name = "no-private-subnets"
+ cidr = "10.0.0.0/16"
+
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
+ public_subnets = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
+ private_subnets = []
+ database_subnets = ["10.0.128.0/24", "10.0.129.0/24"]
+ elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"]
+
+ enable_dns_support = true
+ enable_dns_hostnames = true
+ enable_nat_gateway = false
+
+ tags = {
+ Issue = "46"
+ Name = "no-private-subnets"
+ }
+}
+
+################################################################################
+# Issue 108 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108
+################################################################################
+
+module "vpc_issue_108" {
+ source = "../../"
+
+ name = "route-already-exists"
+ cidr = "10.0.0.0/16"
+
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
+ private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+ public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]
+
+ single_nat_gateway = true
+ enable_nat_gateway = true
+
+ tags = {
+ Issue = "108"
+ Name = "route-already-exists"
+ }
+}
diff --git a/examples/issues/outputs.tf b/examples/issues/outputs.tf
new file mode 100644
index 000000000..adcd57608
--- /dev/null
+++ b/examples/issues/outputs.tf
@@ -0,0 +1,110 @@
+################################################################################
+# Issue 44
+################################################################################
+
+# VPC
+output "issue_44_vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc_issue_44.vpc_id
+}
+
+# Subnets
+output "issue_44_private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc_issue_44.private_subnets
+}
+
+output "issue_44_public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc_issue_44.public_subnets
+}
+
+output "issue_44_database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc_issue_44.database_subnets
+}
+
+output "issue_44_elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc_issue_44.elasticache_subnets
+}
+
+# NAT gateways
+output "issue_44_nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc_issue_44.nat_public_ips
+}
+
+################################################################################
+# Issue 46
+################################################################################
+
+# VPC
+output "issue_46_vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc_issue_46.vpc_id
+}
+
+# Subnets
+output "issue_46_private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc_issue_46.private_subnets
+}
+
+output "issue_46_public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc_issue_46.public_subnets
+}
+
+output "issue_46_database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc_issue_46.database_subnets
+}
+
+output "issue_46_elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc_issue_46.elasticache_subnets
+}
+
+# NAT gateways
+output "issue_46_nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc_issue_46.nat_public_ips
+}
+
+################################################################################
+# Issue 108
+################################################################################
+
+# VPC
+output "issue_108_vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc_issue_108.vpc_id
+}
+
+# Subnets
+output "issue_108_private_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc_issue_108.private_subnets
+}
+
+output "issue_108_public_subnets" {
+ description = "List of IDs of public subnets"
+ value = module.vpc_issue_108.public_subnets
+}
+
+output "issue_108_database_subnets" {
+ description = "List of IDs of database subnets"
+ value = module.vpc_issue_108.database_subnets
+}
+
+output "issue_108_elasticache_subnets" {
+ description = "List of IDs of elasticache subnets"
+ value = module.vpc_issue_108.elasticache_subnets
+}
+
+# NAT gateways
+output "issue_108_nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = module.vpc_issue_108.nat_public_ips
+}
diff --git a/examples/issues/variables.tf b/examples/issues/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/issues/versions.tf b/examples/issues/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/issues/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md
index 3adff908b..41946bc38 100644
--- a/examples/manage-default-vpc/README.md
+++ b/examples/manage-default-vpc/README.md
@@ -17,11 +17,35 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
## Outputs
| Name | Description |
|------|-------------|
-| default\_vpc\_cidr\_block | The CIDR block of the VPC |
-| default\_vpc\_id | The ID of the Default VPC |
-
+| [default\_vpc\_cidr\_block](#output\_default\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| [default\_vpc\_id](#output\_default\_vpc\_id) | The ID of the Default VPC |
diff --git a/examples/manage-default-vpc/main.tf b/examples/manage-default-vpc/main.tf
index 5f645dd8e..8e3797432 100644
--- a/examples/manage-default-vpc/main.tf
+++ b/examples/manage-default-vpc/main.tf
@@ -1,7 +1,15 @@
provider "aws" {
+ region = local.region
+}
+
+locals {
region = "eu-west-1"
}
+################################################################################
+# VPC Module
+################################################################################
+
module "vpc" {
source = "../../"
diff --git a/examples/manage-default-vpc/variables.tf b/examples/manage-default-vpc/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/manage-default-vpc/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md
index 79305c7cd..26fbc1b04 100644
--- a/examples/network-acls/README.md
+++ b/examples/network-acls/README.md
@@ -1,13 +1,10 @@
# Simple VPC with Network ACLs
-Configuration in this directory creates set of VPC resources along with network ACLs for public subnets.
-
-There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones.
+Configuration in this directory creates set of VPC resources along with network ACLs for several subnets.
Network ACL rules for inbound and outbound traffic are defined as the following:
-1. Public subnets will have network ACL rules provided
+1. Public and elasticache subnets will have network ACL rules provided
1. Private subnets will be associated with the default network ACL rules (IPV4-only ingress and egress is open for all)
-1. Elasticache subnets will use the default network ACL (created and managed by AWS)
## Usage
@@ -22,18 +19,46 @@ $ terraform apply
Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
## Outputs
| Name | Description |
|------|-------------|
-| default\_network\_acl\_id | The ID of the default network ACL |
-| elasticache\_network\_acl\_id | ID of the elasticache network ACL |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_network\_acl\_id | ID of the private network ACL |
-| private\_subnets | List of IDs of private subnets |
-| public\_network\_acl\_id | ID of the public network ACL |
-| public\_subnets | List of IDs of public subnets |
-| vpc\_cidr\_block | The CIDR block of the VPC |
-| vpc\_id | The ID of the VPC |
-
+| [default\_network\_acl\_id](#output\_default\_network\_acl\_id) | The ID of the default network ACL |
+| [elasticache\_network\_acl\_arn](#output\_elasticache\_network\_acl\_arn) | ARN of the elasticache network ACL |
+| [elasticache\_network\_acl\_id](#output\_elasticache\_network\_acl\_id) | ID of the elasticache network ACL |
+| [module\_vpc](#output\_module\_vpc) | Module VPC |
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [private\_network\_acl\_arn](#output\_private\_network\_acl\_arn) | ARN of the private network ACL |
+| [private\_network\_acl\_id](#output\_private\_network\_acl\_id) | ID of the private network ACL |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [public\_network\_acl\_arn](#output\_public\_network\_acl\_arn) | ARN of the public network ACL |
+| [public\_network\_acl\_id](#output\_public\_network\_acl\_id) | ID of the public network ACL |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf
index c1a1dab90..0d820aac8 100644
--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
@@ -1,51 +1,10 @@
provider "aws" {
- region = "eu-west-1"
-}
-
-module "vpc" {
- source = "../../"
-
- name = "network-acls-example"
-
- cidr = "10.0.0.0/16"
-
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
- private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
- elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
-
- public_dedicated_network_acl = true
- public_inbound_acl_rules = concat(
- local.network_acls["default_inbound"],
- local.network_acls["public_inbound"],
- )
- public_outbound_acl_rules = concat(
- local.network_acls["default_outbound"],
- local.network_acls["public_outbound"],
- )
-
- private_dedicated_network_acl = true
-
- assign_generated_ipv6_cidr_block = true
-
- enable_nat_gateway = false
- single_nat_gateway = true
-
- public_subnet_tags = {
- Name = "overridden-name-public"
- }
-
- tags = {
- Owner = "user"
- Environment = "dev"
- }
-
- vpc_tags = {
- Name = "vpc-name"
- }
+ region = local.region
}
locals {
+ region = "eu-west-1"
+
network_acls = {
default_inbound = [
{
@@ -100,6 +59,14 @@ locals {
protocol = "tcp"
cidr_block = "0.0.0.0/0"
},
+ {
+ rule_number = 140
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ ipv6_cidr_block = "::/0"
+ },
]
public_outbound = [
{
@@ -134,7 +101,100 @@ locals {
protocol = "tcp"
cidr_block = "10.0.100.0/22"
},
+ {
+ rule_number = 140
+ rule_action = "allow"
+ icmp_code = -1
+ icmp_type = 8
+ protocol = "icmp"
+ cidr_block = "10.0.0.0/22"
+ },
+ {
+ rule_number = 150
+ rule_action = "allow"
+ from_port = 90
+ to_port = 90
+ protocol = "tcp"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+ elasticache_outbound = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 110
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 140
+ rule_action = "allow"
+ icmp_code = -1
+ icmp_type = 12
+ protocol = "icmp"
+ cidr_block = "10.0.0.0/22"
+ },
+ {
+ rule_number = 150
+ rule_action = "allow"
+ from_port = 90
+ to_port = 90
+ protocol = "tcp"
+ ipv6_cidr_block = "::/0"
+ },
]
}
}
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+ source = "../../"
+
+ name = "network-acls-example"
+ cidr = "10.0.0.0/16"
+
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+ elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
+
+ public_dedicated_network_acl = true
+ public_inbound_acl_rules = concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])
+ public_outbound_acl_rules = concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])
+ elasticache_outbound_acl_rules = concat(local.network_acls["default_outbound"], local.network_acls["elasticache_outbound"])
+
+ private_dedicated_network_acl = false
+ elasticache_dedicated_network_acl = true
+
+ manage_default_network_acl = true
+
+ enable_ipv6 = true
+
+ enable_nat_gateway = false
+ single_nat_gateway = true
+
+ public_subnet_tags = {
+ Name = "overridden-name-public"
+ }
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+
+ vpc_tags = {
+ Name = "vpc-name"
+ }
+}
diff --git a/examples/network-acls/outputs.tf b/examples/network-acls/outputs.tf
index 577d73980..4c590e764 100644
--- a/examples/network-acls/outputs.tf
+++ b/examples/network-acls/outputs.tf
@@ -10,11 +10,6 @@ output "vpc_cidr_block" {
value = module.vpc.vpc_cidr_block
}
-//output "vpc_ipv6_cidr_block" {
-// description = "The IPv6 CIDR block"
-// value = ["${module.vpc.vpc_ipv6_cidr_block}"]
-//}
-
# Subnets
output "private_subnets" {
description = "List of IDs of private subnets"
@@ -53,3 +48,22 @@ output "default_network_acl_id" {
value = module.vpc.default_network_acl_id
}
+output "public_network_acl_arn" {
+ description = "ARN of the public network ACL"
+ value = module.vpc.public_network_acl_arn
+}
+
+output "private_network_acl_arn" {
+ description = "ARN of the private network ACL"
+ value = module.vpc.private_network_acl_arn
+}
+
+output "elasticache_network_acl_arn" {
+ description = "ARN of the elasticache network ACL"
+ value = module.vpc.elasticache_network_acl_arn
+}
+
+output "module_vpc" {
+ description = "Module VPC"
+ value = module.vpc
+}
diff --git a/examples/network-acls/variables.tf b/examples/network-acls/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/network-acls/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/outpost/README.md b/examples/outpost/README.md
new file mode 100644
index 000000000..1e43115d0
--- /dev/null
+++ b/examples/outpost/README.md
@@ -0,0 +1,63 @@
+# VPC with Outpost Subnet
+
+Configuration in this directory creates a VPC with public, private, and private outpost subnets.
+
+This configuration uses data-source to find an available Outpost by name. Change it according to your needs in order to run this example.
+
+[Read more about AWS regions, availability zones and local zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones).
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.63 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_outposts_outpost.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/outposts_outpost) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [azs](#output\_azs) | A list of availability zones specified as argument to this module |
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [outpost\_subnets](#output\_outpost\_subnets) | List of IDs of private subnets |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+
diff --git a/examples/outpost/main.tf b/examples/outpost/main.tf
new file mode 100644
index 000000000..d923e083d
--- /dev/null
+++ b/examples/outpost/main.tf
@@ -0,0 +1,159 @@
+provider "aws" {
+ region = local.region
+
+ assume_role {
+ role_arn = "arn:aws:iam::562806027032:role/outpost-shared-anton"
+ }
+}
+
+locals {
+ region = "eu-west-1"
+
+ network_acls = {
+ outpost_inbound = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 110
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 120
+ rule_action = "allow"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 130
+ rule_action = "allow"
+ from_port = 3389
+ to_port = 3389
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 140
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+ outpost_outbound = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 110
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 120
+ rule_action = "allow"
+ from_port = 1433
+ to_port = 1433
+ protocol = "tcp"
+ cidr_block = "10.0.100.0/22"
+ },
+ {
+ rule_number = 130
+ rule_action = "allow"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_block = "10.0.100.0/22"
+ },
+ {
+ rule_number = 140
+ rule_action = "allow"
+ icmp_code = -1
+ icmp_type = 8
+ protocol = "icmp"
+ cidr_block = "10.0.0.0/22"
+ },
+ {
+ rule_number = 150
+ rule_action = "allow"
+ from_port = 90
+ to_port = 90
+ protocol = "tcp"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+ }
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_outposts_outpost" "shared" {
+ name = "SEA19.07"
+}
+
+data "aws_availability_zones" "available" {}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+ source = "../../"
+
+ name = "outpost-example"
+ cidr = "10.0.0.0/16"
+
+ azs = [
+ data.aws_availability_zones.available.names[0],
+ data.aws_availability_zones.available.names[1],
+ data.aws_availability_zones.available.names[2],
+ ]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ # Outpost is using single AZ specified in `outpost_az`
+ outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"]
+ outpost_arn = data.aws_outposts_outpost.shared.arn
+ outpost_az = data.aws_outposts_outpost.shared.availability_zone
+
+ # IPv6
+ enable_ipv6 = true
+ outpost_subnet_assign_ipv6_address_on_creation = true
+ outpost_subnet_ipv6_prefixes = [2, 3, 4]
+
+ # NAT Gateway
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ # Network ACLs
+ outpost_dedicated_network_acl = true
+ outpost_inbound_acl_rules = local.network_acls["outpost_inbound"]
+ outpost_outbound_acl_rules = local.network_acls["outpost_outbound"]
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+}
diff --git a/examples/issue-44-asymmetric-private-subnets/outputs.tf b/examples/outpost/outputs.tf
similarity index 57%
rename from examples/issue-44-asymmetric-private-subnets/outputs.tf
rename to examples/outpost/outputs.tf
index 51b4e83b7..ff40ad182 100644
--- a/examples/issue-44-asymmetric-private-subnets/outputs.tf
+++ b/examples/outpost/outputs.tf
@@ -4,6 +4,12 @@ output "vpc_id" {
value = module.vpc.vpc_id
}
+# CIDR blocks
+output "vpc_cidr_block" {
+ description = "The CIDR block of the VPC"
+ value = module.vpc.vpc_cidr_block
+}
+
# Subnets
output "private_subnets" {
description = "List of IDs of private subnets"
@@ -15,14 +21,9 @@ output "public_subnets" {
value = module.vpc.public_subnets
}
-output "database_subnets" {
- description = "List of IDs of database subnets"
- value = module.vpc.database_subnets
-}
-
-output "elasticache_subnets" {
- description = "List of IDs of elasticache subnets"
- value = module.vpc.elasticache_subnets
+output "outpost_subnets" {
+ description = "List of IDs of private subnets"
+ value = module.vpc.outpost_subnets
}
# NAT gateways
@@ -31,3 +32,8 @@ output "nat_public_ips" {
value = module.vpc.nat_public_ips
}
+# AZs
+output "azs" {
+ description = "A list of availability zones specified as argument to this module"
+ value = module.vpc.azs
+}
diff --git a/examples/outpost/variables.tf b/examples/outpost/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/outpost/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md
index feb462fe3..29c70c2e2 100644
--- a/examples/secondary-cidr-blocks/README.md
+++ b/examples/secondary-cidr-blocks/README.md
@@ -17,15 +17,39 @@ $ terraform apply
Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
## Outputs
| Name | Description |
|------|-------------|
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| vpc\_cidr\_block | The CIDR block of the VPC |
-| vpc\_id | The ID of the VPC |
-| vpc\_secondary\_cidr\_blocks | List of secondary CIDR blocks of the VPC |
-
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC |
diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf
index a49b973de..76cb4c551 100644
--- a/examples/secondary-cidr-blocks/main.tf
+++ b/examples/secondary-cidr-blocks/main.tf
@@ -1,7 +1,15 @@
provider "aws" {
+ region = local.region
+}
+
+locals {
region = "eu-west-1"
}
+################################################################################
+# VPC Module
+################################################################################
+
module "vpc" {
source = "../../"
@@ -10,13 +18,14 @@ module "vpc" {
cidr = "10.0.0.0/16"
secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"]
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"]
- assign_generated_ipv6_cidr_block = true
- enable_nat_gateway = true
- single_nat_gateway = true
+ enable_ipv6 = true
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
public_subnet_tags = {
Name = "overridden-name-public"
@@ -31,4 +40,3 @@ module "vpc" {
Name = "vpc-name"
}
}
-
diff --git a/examples/secondary-cidr-blocks/variables.tf b/examples/secondary-cidr-blocks/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/secondary-cidr-blocks/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md
index ccb7ccecd..7e87d1c36 100644
--- a/examples/simple-vpc/README.md
+++ b/examples/simple-vpc/README.md
@@ -4,6 +4,10 @@ Configuration in this directory creates set of VPC resources which may be suffic
There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones.
+This configuration uses Availability Zone IDs and Availability Zone names for demonstration purposes. Normally, you need to specify only names or IDs.
+
+[Read more about AWS regions, availability zones and local zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones).
+
## Usage
To run this example you need to execute:
@@ -17,15 +21,39 @@ $ terraform apply
Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
## Outputs
| Name | Description |
|------|-------------|
-| azs | A list of availability zones spefified as argument to this module |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| vpc\_cidr\_block | The CIDR block of the VPC |
-| vpc\_id | The ID of the VPC |
-
+| [azs](#output\_azs) | A list of availability zones specified as argument to this module |
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf
index c0b094835..63de4446e 100644
--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
@@ -1,26 +1,28 @@
provider "aws" {
- region = "eu-west-1"
+ region = local.region
}
-data "aws_security_group" "default" {
- name = "default"
- vpc_id = module.vpc.vpc_id
+locals {
+ region = "eu-west-1"
}
+################################################################################
+# VPC Module
+################################################################################
+
module "vpc" {
source = "../../"
name = "simple-example"
-
cidr = "10.0.0.0/16"
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
- assign_generated_ipv6_cidr_block = true
+ enable_ipv6 = true
- enable_nat_gateway = true
+ enable_nat_gateway = false
single_nat_gateway = true
public_subnet_tags = {
@@ -36,4 +38,3 @@ module "vpc" {
Name = "vpc-name"
}
}
-
diff --git a/examples/simple-vpc/outputs.tf b/examples/simple-vpc/outputs.tf
index 251969ca2..157faec0a 100644
--- a/examples/simple-vpc/outputs.tf
+++ b/examples/simple-vpc/outputs.tf
@@ -10,11 +10,6 @@ output "vpc_cidr_block" {
value = module.vpc.vpc_cidr_block
}
-//output "vpc_ipv6_cidr_block" {
-// description = "The IPv6 CIDR block"
-// value = ["${module.vpc.vpc_ipv6_cidr_block}"]
-//}
-
# Subnets
output "private_subnets" {
description = "List of IDs of private subnets"
@@ -34,7 +29,7 @@ output "nat_public_ips" {
# AZs
output "azs" {
- description = "A list of availability zones spefified as argument to this module"
+ description = "A list of availability zones specified as argument to this module"
value = module.vpc.azs
}
diff --git a/examples/simple-vpc/variables.tf b/examples/simple-vpc/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/simple-vpc/versions.tf b/examples/simple-vpc/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/simple-vpc/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/examples/test_fixture/README.md b/examples/test_fixture/README.md
deleted file mode 100644
index 2fec823b1..000000000
--- a/examples/test_fixture/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Test fixture of simple VPC
-
-Configuration in this directory creates a set of VPC resources to be tested by test kitchen.
-
-There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between 2 availability zones.
-
-## Usage
-
-To run the tests, from the repo root execute:
-
-```bash
-$ kitchen test
-...
-Finished in 4.25 seconds (files took 2.75 seconds to load)
-20 examples, 0 failures
-
- Finished verifying (0m9.03s).
------> Kitchen is finished. (0m9.40s)
-```
-
-This will destroy any existing test resources, create the resources afresh, run the tests, report back, and destroy the resources.
-
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| region | | string | `"eu-west-1"` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| region | Region we created the resources in. |
-
-
diff --git a/examples/test_fixture/main.tf b/examples/test_fixture/main.tf
deleted file mode 100644
index 5752aba2e..000000000
--- a/examples/test_fixture/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-provider "aws" {
- region = var.region
-}
-
-data "aws_availability_zones" "available" {
-}
-
-module "vpc" {
- source = "../.."
- name = "test-example"
- cidr = "10.0.0.0/16"
- azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]]
- private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
- enable_nat_gateway = true
- single_nat_gateway = true
-
- tags = {
- Owner = "user"
- Environment = "dev"
- }
-}
-
diff --git a/examples/test_fixture/outputs.tf b/examples/test_fixture/outputs.tf
deleted file mode 100644
index c6ec3716b..000000000
--- a/examples/test_fixture/outputs.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-output "region" {
- description = "Region we created the resources in."
- value = var.region
-}
-
diff --git a/examples/test_fixture/variables.tf b/examples/test_fixture/variables.tf
deleted file mode 100644
index f8455295f..000000000
--- a/examples/test_fixture/variables.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-variable "region" {
- default = "eu-west-1"
-}
-
diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md
new file mode 100644
index 000000000..503ccfc1f
--- /dev/null
+++ b/examples/vpc-flow-logs/README.md
@@ -0,0 +1,79 @@
+# VPC with enabled VPC flow log to S3 and CloudWatch logs
+
+Configuration in this directory creates a set of VPC resources with VPC Flow Logs enabled in different configurations:
+
+1. `cloud-watch-logs.tf` - Push logs to a new AWS CloudWatch Log group.
+1. `cloud-watch-logs.tf` - Push logs to an existing AWS CloudWatch Log group using existing IAM role (created outside of this module).
+1. `s3.tf` - Push logs to an existing S3 bucket (created outside of this module).
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+| [random](#requirement\_random) | >= 2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.63 |
+| [random](#provider\_random) | >= 2 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 1.0 |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs) | ../../ | n/a |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default) | ../../ | n/a |
+| [vpc\_with\_flow\_logs\_s3\_bucket](#module\_vpc\_with\_flow\_logs\_s3\_bucket) | ../../ | n/a |
+| [vpc\_with\_flow\_logs\_s3\_bucket\_parquet](#module\_vpc\_with\_flow\_logs\_s3\_bucket\_parquet) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.flow_log_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [vpc\_flow\_logs\_s3\_bucket\_vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_logs\_s3\_bucket\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
+| [vpc\_flow\_logs\_s3\_bucket\_vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_logs\_s3\_bucket\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
+| [vpc\_flow\_logs\_s3\_bucket\_vpc\_flow\_log\_id](#output\_vpc\_flow\_logs\_s3\_bucket\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_destination\_arn](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_destination\_type](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_id](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_destination\_arn](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_destination\_type](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
+| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_id](#output\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
+
diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf
new file mode 100644
index 000000000..61562358f
--- /dev/null
+++ b/examples/vpc-flow-logs/main.tf
@@ -0,0 +1,189 @@
+provider "aws" {
+ region = local.region
+}
+
+locals {
+ region = "eu-west-1"
+
+ s3_bucket_name = "vpc-flow-logs-to-s3-${random_pet.this.id}"
+ cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc_with_flow_logs_s3_bucket" {
+ source = "../../"
+
+ name = "vpc-flow-logs-s3-bucket"
+ cidr = "10.30.0.0/16"
+
+ azs = ["${local.region}a"]
+ public_subnets = ["10.30.101.0/24"]
+
+ enable_flow_log = true
+ flow_log_destination_type = "s3"
+ flow_log_destination_arn = module.s3_bucket.this_s3_bucket_arn
+
+ vpc_flow_log_tags = {
+ Name = "vpc-flow-logs-s3-bucket"
+ }
+}
+
+module "vpc_with_flow_logs_s3_bucket_parquet" {
+ source = "../../"
+
+ name = "vpc-flow-logs-s3-bucket"
+ cidr = "10.30.0.0/16"
+
+ azs = ["${local.region}a"]
+ public_subnets = ["10.30.101.0/24"]
+
+ enable_flow_log = true
+ flow_log_destination_type = "s3"
+ flow_log_destination_arn = module.s3_bucket.this_s3_bucket_arn
+ flow_log_file_format = "parquet"
+
+ vpc_flow_log_tags = {
+ Name = "vpc-flow-logs-s3-bucket"
+ }
+}
+
+# CloudWatch Log Group and IAM role created automatically
+module "vpc_with_flow_logs_cloudwatch_logs_default" {
+ source = "../../"
+
+ name = "vpc-flow-logs-cloudwatch-logs-default"
+ cidr = "10.10.0.0/16"
+
+ azs = ["${local.region}a"]
+ public_subnets = ["10.10.101.0/24"]
+
+ # Cloudwatch log group and IAM role will be created
+ enable_flow_log = true
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
+
+ vpc_flow_log_tags = {
+ Name = "vpc-flow-logs-cloudwatch-logs-default"
+ }
+}
+
+# CloudWatch Log Group and IAM role created separately
+module "vpc_with_flow_logs_cloudwatch_logs" {
+ source = "../../"
+
+ name = "vpc-flow-logs-cloudwatch-logs"
+ cidr = "10.20.0.0/16"
+
+ azs = ["${local.region}a"]
+ public_subnets = ["10.20.101.0/24"]
+
+ enable_flow_log = true
+ flow_log_destination_type = "cloud-watch-logs"
+ flow_log_destination_arn = aws_cloudwatch_log_group.flow_log.arn
+ flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn
+
+ vpc_flow_log_tags = {
+ Name = "vpc-flow-logs-cloudwatch-logs"
+ }
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+resource "random_pet" "this" {
+ length = 2
+}
+
+# S3 Bucket
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "~> 1.0"
+
+ bucket = local.s3_bucket_name
+ policy = data.aws_iam_policy_document.flow_log_s3.json
+ force_destroy = true
+
+ tags = {
+ Name = "vpc-flow-logs-s3-bucket"
+ }
+}
+
+data "aws_iam_policy_document" "flow_log_s3" {
+ statement {
+ sid = "AWSLogDeliveryWrite"
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = ["s3:PutObject"]
+
+ resources = ["arn:aws:s3:::${local.s3_bucket_name}/AWSLogs/*"]
+ }
+
+ statement {
+ sid = "AWSLogDeliveryAclCheck"
+
+ principals {
+ type = "Service"
+ identifiers = ["delivery.logs.amazonaws.com"]
+ }
+
+ actions = ["s3:GetBucketAcl"]
+
+ resources = ["arn:aws:s3:::${local.s3_bucket_name}"]
+ }
+}
+
+# Cloudwatch logs
+resource "aws_cloudwatch_log_group" "flow_log" {
+ name = local.cloudwatch_log_group_name
+}
+
+resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
+ name_prefix = "vpc-flow-log-role-"
+ assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role.json
+}
+
+data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
+ statement {
+ principals {
+ type = "Service"
+ identifiers = ["vpc-flow-logs.amazonaws.com"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
+ role = aws_iam_role.vpc_flow_log_cloudwatch.name
+ policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch.arn
+}
+
+resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
+ name_prefix = "vpc-flow-log-cloudwatch-"
+ policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch.json
+}
+
+data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
+ statement {
+ sid = "AWSVPCFlowLogsPushToCloudWatch"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ ]
+
+ resources = ["*"]
+ }
+}
diff --git a/examples/vpc-flow-logs/outputs.tf b/examples/vpc-flow-logs/outputs.tf
new file mode 100644
index 000000000..067426fc7
--- /dev/null
+++ b/examples/vpc-flow-logs/outputs.tf
@@ -0,0 +1,58 @@
+# VPC flow log - Cloudwatch logs (default)
+output "vpc_with_flow_logs_cloudwatch_logs_default_vpc_flow_log_id" {
+ description = "The ID of the Flow Log resource"
+ value = module.vpc_with_flow_logs_cloudwatch_logs_default.vpc_flow_log_id
+}
+
+output "vpc_with_flow_logs_cloudwatch_logs_default_vpc_flow_log_destination_arn" {
+ description = "The ARN of the destination for VPC Flow Logs"
+ value = module.vpc_with_flow_logs_cloudwatch_logs_default.vpc_flow_log_destination_arn
+}
+
+output "vpc_with_flow_logs_cloudwatch_logs_default_vpc_flow_log_destination_type" {
+ description = "The type of the destination for VPC Flow Logs"
+ value = module.vpc_with_flow_logs_cloudwatch_logs_default.vpc_flow_log_destination_type
+}
+
+output "vpc_with_flow_logs_cloudwatch_logs_default_vpc_flow_log_cloudwatch_iam_role_arn" {
+ description = "The ARN of the IAM role used when pushing logs to Cloudwatch log group"
+ value = module.vpc_with_flow_logs_cloudwatch_logs_default.vpc_flow_log_cloudwatch_iam_role_arn
+}
+
+# VPC flow log - Cloudwatch logs (created separately)
+output "vpc_with_flow_logs_cloudwatch_logs_vpc_flow_log_id" {
+ description = "The ID of the Flow Log resource"
+ value = module.vpc_with_flow_logs_cloudwatch_logs.vpc_flow_log_id
+}
+
+output "vpc_with_flow_logs_cloudwatch_logs_vpc_flow_log_destination_arn" {
+ description = "The ARN of the destination for VPC Flow Logs"
+ value = module.vpc_with_flow_logs_cloudwatch_logs.vpc_flow_log_destination_arn
+}
+
+output "vpc_with_flow_logs_cloudwatch_logs_vpc_flow_log_destination_type" {
+ description = "The type of the destination for VPC Flow Logs"
+ value = module.vpc_with_flow_logs_cloudwatch_logs.vpc_flow_log_destination_type
+}
+
+output "vpc_with_flow_logs_cloudwatch_logs_vpc_flow_log_cloudwatch_iam_role_arn" {
+ description = "The ARN of the IAM role used when pushing logs to Cloudwatch log group"
+ value = module.vpc_with_flow_logs_cloudwatch_logs.vpc_flow_log_cloudwatch_iam_role_arn
+}
+
+# VPC flow log - S3 bucket
+output "vpc_flow_logs_s3_bucket_vpc_flow_log_id" {
+ description = "The ID of the Flow Log resource"
+ value = module.vpc_with_flow_logs_s3_bucket.vpc_flow_log_id
+}
+
+output "vpc_flow_logs_s3_bucket_vpc_flow_log_destination_arn" {
+ description = "The ARN of the destination for VPC Flow Logs"
+ value = module.vpc_with_flow_logs_s3_bucket.vpc_flow_log_destination_arn
+}
+
+output "vpc_flow_logs_s3_bucket_vpc_flow_log_destination_type" {
+ description = "The type of the destination for VPC Flow Logs"
+ value = module.vpc_with_flow_logs_s3_bucket.vpc_flow_log_destination_type
+}
+
diff --git a/examples/vpc-flow-logs/variables.tf b/examples/vpc-flow-logs/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf
new file mode 100644
index 000000000..8a45d6b8f
--- /dev/null
+++ b/examples/vpc-flow-logs/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2"
+ }
+ }
+}
diff --git a/examples/vpc-separate-private-route-tables/README.md b/examples/vpc-separate-private-route-tables/README.md
index 0688e3a2c..1f85170c3 100644
--- a/examples/vpc-separate-private-route-tables/README.md
+++ b/examples/vpc-separate-private-route-tables/README.md
@@ -17,16 +17,40 @@ $ terraform apply
Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.63 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
## Outputs
| Name | Description |
|------|-------------|
-| database\_subnets | List of IDs of database subnets |
-| elasticache\_subnets | List of IDs of elasticache subnets |
-| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
-| private\_subnets | List of IDs of private subnets |
-| public\_subnets | List of IDs of public subnets |
-| redshift\_subnets | List of IDs of elasticache subnets |
-| vpc\_id | The ID of the VPC |
-
+| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
+| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets |
+| [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
diff --git a/examples/vpc-separate-private-route-tables/main.tf b/examples/vpc-separate-private-route-tables/main.tf
index 99d996840..b9536fdd2 100644
--- a/examples/vpc-separate-private-route-tables/main.tf
+++ b/examples/vpc-separate-private-route-tables/main.tf
@@ -1,7 +1,15 @@
provider "aws" {
+ region = local.region
+}
+
+locals {
region = "eu-west-1"
}
+################################################################################
+# VPC Module
+################################################################################
+
module "vpc" {
source = "../../"
@@ -9,7 +17,7 @@ module "vpc" {
cidr = "10.10.0.0/16"
- azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
@@ -29,4 +37,3 @@ module "vpc" {
Name = "separate-private-route-tables"
}
}
-
diff --git a/examples/vpc-separate-private-route-tables/outputs.tf b/examples/vpc-separate-private-route-tables/outputs.tf
index fdd5e8d05..d46af9d68 100644
--- a/examples/vpc-separate-private-route-tables/outputs.tf
+++ b/examples/vpc-separate-private-route-tables/outputs.tf
@@ -23,11 +23,14 @@ output "database_subnets" {
output "elasticache_subnets" {
description = "List of IDs of elasticache subnets"
value = module.vpc.elasticache_subnets
+<<<<<<<< HEAD:examples/vpc-separate-private-route-tables/outputs.tf
}
output "redshift_subnets" {
- description = "List of IDs of elasticache subnets"
+ description = "List of IDs of redshift subnets"
value = module.vpc.redshift_subnets
+========
+>>>>>>>> 57ba0ef08063390636daedcf88f71443281c2b84:examples/issue-44-asymmetric-private-subnets/outputs.tf
}
# NAT gateways
diff --git a/examples/vpc-separate-private-route-tables/variables.tf b/examples/vpc-separate-private-route-tables/variables.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/examples/vpc-separate-private-route-tables/versions.tf b/examples/vpc-separate-private-route-tables/versions.tf
new file mode 100644
index 000000000..5a9fd0fc5
--- /dev/null
+++ b/examples/vpc-separate-private-route-tables/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63"
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index 0d1705d55..3871db2de 100644
--- a/main.tf
+++ b/main.tf
@@ -18,9 +18,10 @@ locals {
)
}
-######
+################################################################################
# VPC
-######
+################################################################################
+
resource "aws_vpc" "mod" {
count = var.create_vpc ? 1 : 0
@@ -28,7 +29,9 @@ resource "aws_vpc" "mod" {
instance_tenancy = var.instance_tenancy
enable_dns_hostnames = var.enable_dns_hostnames
enable_dns_support = var.enable_dns_support
- assign_generated_ipv6_cidr_block = var.assign_generated_ipv6_cidr_block
+ enable_classiclink = var.enable_classiclink
+ enable_classiclink_dns_support = var.enable_classiclink_dns_support
+ assign_generated_ipv6_cidr_block = var.enable_ipv6
tags = merge(
{
@@ -47,9 +50,54 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" {
cidr_block = element(var.secondary_cidr_blocks, count.index)
}
-###################
+resource "aws_default_security_group" "this" {
+ count = var.create_vpc && var.manage_default_security_group ? 1 : 0
+
+ vpc_id = aws_vpc.mod[0].id
+
+ dynamic "ingress" {
+ for_each = var.default_security_group_ingress
+ content {
+ self = lookup(ingress.value, "self", null)
+ cidr_blocks = compact(split(",", lookup(ingress.value, "cidr_blocks", "")))
+ ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", "")))
+ prefix_list_ids = compact(split(",", lookup(ingress.value, "prefix_list_ids", "")))
+ security_groups = compact(split(",", lookup(ingress.value, "security_groups", "")))
+ description = lookup(ingress.value, "description", null)
+ from_port = lookup(ingress.value, "from_port", 0)
+ to_port = lookup(ingress.value, "to_port", 0)
+ protocol = lookup(ingress.value, "protocol", "-1")
+ }
+ }
+
+ dynamic "egress" {
+ for_each = var.default_security_group_egress
+ content {
+ self = lookup(egress.value, "self", null)
+ cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", "")))
+ ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", "")))
+ prefix_list_ids = compact(split(",", lookup(egress.value, "prefix_list_ids", "")))
+ security_groups = compact(split(",", lookup(egress.value, "security_groups", "")))
+ description = lookup(egress.value, "description", null)
+ from_port = lookup(egress.value, "from_port", 0)
+ to_port = lookup(egress.value, "to_port", 0)
+ protocol = lookup(egress.value, "protocol", "-1")
+ }
+ }
+
+ tags = merge(
+ {
+ "Name" = format("%s", var.default_security_group_name)
+ },
+ var.tags,
+ var.default_security_group_tags,
+ )
+}
+
+################################################################################
# DHCP Options Set
-###################
+################################################################################
+
resource "aws_vpc_dhcp_options" "this" {
count = var.create_vpc && var.enable_dhcp_options ? 1 : 0
@@ -68,9 +116,6 @@ resource "aws_vpc_dhcp_options" "this" {
)
}
-###############################
-# DHCP Options Set Association
-###############################
resource "aws_vpc_dhcp_options_association" "this" {
count = var.create_vpc && var.enable_dhcp_options ? 1 : 0
@@ -78,11 +123,12 @@ resource "aws_vpc_dhcp_options_association" "this" {
dhcp_options_id = aws_vpc_dhcp_options.this[0].id
}
-###################
+################################################################################
# Internet Gateway
-###################
+################################################################################
+
resource "aws_internet_gateway" "this" {
- count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0
+ count = var.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0
vpc_id = local.vpc_id
@@ -95,9 +141,60 @@ resource "aws_internet_gateway" "this" {
)
}
-################
+resource "aws_egress_only_internet_gateway" "this" {
+ count = var.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0
+
+ vpc_id = local.vpc_id
+
+ tags = merge(
+ {
+ "Name" = format("%s", var.name)
+ },
+ var.tags,
+ var.igw_tags,
+ )
+}
+
+################################################################################
+# Default route
+################################################################################
+
+resource "aws_default_route_table" "default" {
+ count = var.create_vpc && var.manage_default_route_table ? 1 : 0
+
+ default_route_table_id = aws_vpc.mod[0].default_route_table_id
+ propagating_vgws = var.default_route_table_propagating_vgws
+
+ dynamic "route" {
+ for_each = var.default_route_table_routes
+ content {
+ # One of the following destinations must be provided
+ cidr_block = route.value.cidr_block
+ ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null)
+
+ # One of the following targets must be provided
+ egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null)
+ gateway_id = lookup(route.value, "gateway_id", null)
+ instance_id = lookup(route.value, "instance_id", null)
+ nat_gateway_id = lookup(route.value, "nat_gateway_id", null)
+ network_interface_id = lookup(route.value, "network_interface_id", null)
+ transit_gateway_id = lookup(route.value, "transit_gateway_id", null)
+ vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null)
+ vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null)
+ }
+ }
+
+ tags = merge(
+ { "Name" = var.name },
+ var.tags,
+ var.default_route_table_tags,
+ )
+}
+
+################################################################################
# Publiс routes
-################
+################################################################################
+
resource "aws_route_table" "public" {
count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0
@@ -113,7 +210,7 @@ resource "aws_route_table" "public" {
}
resource "aws_route" "public_internet_gateway" {
- count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0
+ count = var.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0
route_table_id = aws_route_table.public[0].id
destination_cidr_block = "0.0.0.0/0"
@@ -124,10 +221,19 @@ resource "aws_route" "public_internet_gateway" {
}
}
-#################
+resource "aws_route" "public_internet_gateway_ipv6" {
+ count = var.create_vpc && var.create_igw && var.enable_ipv6 && length(var.public_subnets) > 0 ? 1 : 0
+
+ route_table_id = aws_route_table.public[0].id
+ destination_ipv6_cidr_block = "::/0"
+ gateway_id = aws_internet_gateway.this[0].id
+}
+
+################################################################################
# Private routes
# There are as many routing tables as the number of NAT gateways
-#################
+################################################################################
+
resource "aws_route_table" "private" {
count = var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0
@@ -144,33 +250,32 @@ resource "aws_route_table" "private" {
var.tags,
var.private_route_table_tags,
)
-
- lifecycle {
- # When attaching VPN gateways it is common to define aws_vpn_gateway_route_propagation
- # resources that manipulate the attributes of the routing table (typically for the private subnets)
- ignore_changes = [propagating_vgws]
- }
}
-#################
+################################################################################
# Database routes
-#################
+################################################################################
+
resource "aws_route_table" "database" {
- count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0
+ count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : length(var.database_subnets) : 0
vpc_id = local.vpc_id
tags = merge(
- var.tags,
- var.database_route_table_tags,
{
- "Name" = "${var.name}-${var.database_subnet_suffix}"
+ "Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format(
+ "%s-${var.database_subnet_suffix}-%s",
+ var.name,
+ element(var.azs, count.index),
+ )
},
+ var.tags,
+ var.database_route_table_tags,
)
}
resource "aws_route" "database_internet_gateway" {
- count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0
+ count = var.create_vpc && var.create_igw && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0
route_table_id = aws_route_table.database[0].id
destination_cidr_block = "0.0.0.0/0"
@@ -182,9 +287,9 @@ resource "aws_route" "database_internet_gateway" {
}
resource "aws_route" "database_nat_gateway" {
- count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0
+ count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : length(var.database_subnets) : 0
- route_table_id = element(aws_route_table.private.*.id, count.index)
+ route_table_id = element(aws_route_table.database.*.id, count.index)
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = element(aws_nat_gateway.this.*.id, count.index)
@@ -193,43 +298,58 @@ resource "aws_route" "database_nat_gateway" {
}
}
-#################
+resource "aws_route" "database_ipv6_egress" {
+ count = var.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0
+
+ route_table_id = aws_route_table.database[0].id
+ destination_ipv6_cidr_block = "::/0"
+ egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id
+
+ timeouts {
+ create = "5m"
+ }
+}
+
+################################################################################
# Redshift routes
-#################
+################################################################################
+
resource "aws_route_table" "redshift" {
count = var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0
vpc_id = local.vpc_id
tags = merge(
- var.tags,
- var.redshift_route_table_tags,
{
"Name" = "${var.name}-${var.redshift_subnet_suffix}"
},
+ var.tags,
+ var.redshift_route_table_tags,
)
}
-#################
+################################################################################
# Elasticache routes
-#################
+################################################################################
+
resource "aws_route_table" "elasticache" {
count = var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0
vpc_id = local.vpc_id
tags = merge(
- var.tags,
- var.elasticache_route_table_tags,
{
"Name" = "${var.name}-${var.elasticache_subnet_suffix}"
},
+ var.tags,
+ var.elasticache_route_table_tags,
)
}
-#################
+################################################################################
# Intra routes
-#################
+################################################################################
+
resource "aws_route_table" "intra" {
count = var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0
@@ -244,16 +364,21 @@ resource "aws_route_table" "intra" {
)
}
-################
+################################################################################
# Public subnet
-################
+################################################################################
+
resource "aws_subnet" "public" {
count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0
- vpc_id = local.vpc_id
- cidr_block = element(concat(var.public_subnets, [""]), count.index)
- availability_zone = element(var.azs, count.index)
- map_public_ip_on_launch = var.map_public_ip_on_launch
+ vpc_id = local.vpc_id
+ cidr_block = element(concat(var.public_subnets, [""]), count.index)
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ map_public_ip_on_launch = var.map_public_ip_on_launch
+ assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
@@ -268,15 +393,20 @@ resource "aws_subnet" "public" {
)
}
-#################
+################################################################################
# Private subnet
-#################
+################################################################################
+
resource "aws_subnet" "private" {
count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0
- vpc_id = local.vpc_id
- cidr_block = var.private_subnets[count.index]
- availability_zone = element(var.azs, count.index)
+ vpc_id = local.vpc_id
+ cidr_block = var.private_subnets[count.index]
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.private_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.private_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
@@ -291,15 +421,49 @@ resource "aws_subnet" "private" {
)
}
-##################
+################################################################################
+# Outpost subnet
+################################################################################
+
+resource "aws_subnet" "outpost" {
+ count = var.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0
+
+ vpc_id = local.vpc_id
+ cidr_block = var.outpost_subnets[count.index]
+ availability_zone = var.outpost_az
+ assign_ipv6_address_on_creation = var.outpost_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.outpost_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.outpost_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.outpost_subnet_ipv6_prefixes[count.index]) : null
+
+ outpost_arn = var.outpost_arn
+
+ tags = merge(
+ {
+ "Name" = format(
+ "%s-${var.outpost_subnet_suffix}-%s",
+ var.name,
+ var.outpost_az,
+ )
+ },
+ var.tags,
+ var.outpost_subnet_tags,
+ )
+}
+
+################################################################################
# Database subnet
-##################
+################################################################################
+
resource "aws_subnet" "database" {
count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0
- vpc_id = local.vpc_id
- cidr_block = var.database_subnets[count.index]
- availability_zone = element(var.azs, count.index)
+ vpc_id = local.vpc_id
+ cidr_block = var.database_subnets[count.index]
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.database_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.database_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.database_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
@@ -317,28 +481,33 @@ resource "aws_subnet" "database" {
resource "aws_db_subnet_group" "database" {
count = var.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0
- name = lower(var.name)
+ name = lower(coalesce(var.database_subnet_group_name, var.name))
description = "Database subnet group for ${var.name}"
subnet_ids = aws_subnet.database.*.id
tags = merge(
{
- "Name" = format("%s", var.name)
+ "Name" = format("%s", lower(coalesce(var.database_subnet_group_name, var.name)))
},
var.tags,
var.database_subnet_group_tags,
)
}
-##################
+################################################################################
# Redshift subnet
-##################
+################################################################################
+
resource "aws_subnet" "redshift" {
count = var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0
- vpc_id = local.vpc_id
- cidr_block = var.redshift_subnets[count.index]
- availability_zone = element(var.azs, count.index)
+ vpc_id = local.vpc_id
+ cidr_block = var.redshift_subnets[count.index]
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ assign_ipv6_address_on_creation = var.redshift_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.redshift_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.redshift_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.redshift_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
@@ -356,28 +525,33 @@ resource "aws_subnet" "redshift" {
resource "aws_redshift_subnet_group" "redshift" {
count = var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0
- name = lower(var.name)
+ name = lower(coalesce(var.redshift_subnet_group_name, var.name))
description = "Redshift subnet group for ${var.name}"
subnet_ids = aws_subnet.redshift.*.id
tags = merge(
{
- "Name" = format("%s", var.name)
+ "Name" = format("%s", coalesce(var.redshift_subnet_group_name, var.name))
},
var.tags,
var.redshift_subnet_group_tags,
)
}
-#####################
+################################################################################
# ElastiCache subnet
-#####################
+################################################################################
+
resource "aws_subnet" "elasticache" {
count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0
- vpc_id = local.vpc_id
- cidr_block = var.elasticache_subnets[count.index]
- availability_zone = element(var.azs, count.index)
+ vpc_id = local.vpc_id
+ cidr_block = var.elasticache_subnets[count.index]
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ assign_ipv6_address_on_creation = var.elasticache_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.elasticache_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.elasticache_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.elasticache_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
@@ -395,20 +569,33 @@ resource "aws_subnet" "elasticache" {
resource "aws_elasticache_subnet_group" "elasticache" {
count = var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0
- name = var.name
+ name = coalesce(var.elasticache_subnet_group_name, var.name)
description = "ElastiCache subnet group for ${var.name}"
subnet_ids = aws_subnet.elasticache.*.id
+
+ tags = merge(
+ {
+ "Name" = format("%s", coalesce(var.elasticache_subnet_group_name, var.name))
+ },
+ var.tags,
+ var.elasticache_subnet_group_tags,
+ )
}
-#####################################################
-# intra subnets - private subnet without NAT gateway
-#####################################################
+################################################################################
+# Intra subnets - private subnet without NAT gateway
+################################################################################
+
resource "aws_subnet" "intra" {
count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0
- vpc_id = local.vpc_id
- cidr_block = var.intra_subnets[count.index]
- availability_zone = element(var.azs, count.index)
+ vpc_id = local.vpc_id
+ cidr_block = var.intra_subnets[count.index]
+ availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+ availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+ assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.intra_subnet_assign_ipv6_address_on_creation
+
+ ipv6_cidr_block = var.enable_ipv6 && length(var.intra_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.mod[0].ipv6_cidr_block, 8, var.intra_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
@@ -423,14 +610,38 @@ resource "aws_subnet" "intra" {
)
}
-#######################
+################################################################################
# Default Network ACLs
-#######################
+################################################################################
+
resource "aws_default_network_acl" "this" {
count = var.create_vpc && var.manage_default_network_acl ? 1 : 0
default_network_acl_id = element(concat(aws_vpc.mod.*.default_network_acl_id, [""]), 0)
+ # The value of subnet_ids should be any subnet IDs that are not set as subnet_ids
+ # for any of the non-default network ACLs
+ subnet_ids = setsubtract(
+ compact(flatten([
+ aws_subnet.public.*.id,
+ aws_subnet.private.*.id,
+ aws_subnet.intra.*.id,
+ aws_subnet.database.*.id,
+ aws_subnet.redshift.*.id,
+ aws_subnet.elasticache.*.id,
+ aws_subnet.outpost.*.id,
+ ])),
+ compact(flatten([
+ aws_network_acl.public.*.subnet_ids,
+ aws_network_acl.private.*.subnet_ids,
+ aws_network_acl.intra.*.subnet_ids,
+ aws_network_acl.database.*.subnet_ids,
+ aws_network_acl.redshift.*.subnet_ids,
+ aws_network_acl.elasticache.*.subnet_ids,
+ aws_network_acl.outpost.*.subnet_ids,
+ ]))
+ )
+
dynamic "ingress" {
for_each = var.default_network_acl_ingress
content {
@@ -467,15 +678,12 @@ resource "aws_default_network_acl" "this" {
var.tags,
var.default_network_acl_tags,
)
-
- lifecycle {
- ignore_changes = [subnet_ids]
- }
}
-########################
+################################################################################
# Public Network ACLs
-########################
+################################################################################
+
resource "aws_network_acl" "public" {
count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0
@@ -496,13 +704,16 @@ resource "aws_network_acl_rule" "public_inbound" {
network_acl_id = aws_network_acl.public[0].id
- egress = false
- rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
- rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
- from_port = var.public_inbound_acl_rules[count.index]["from_port"]
- to_port = var.public_inbound_acl_rules[count.index]["to_port"]
- protocol = var.public_inbound_acl_rules[count.index]["protocol"]
- cidr_block = var.public_inbound_acl_rules[count.index]["cidr_block"]
+ egress = false
+ rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "public_outbound" {
@@ -510,18 +721,22 @@ resource "aws_network_acl_rule" "public_outbound" {
network_acl_id = aws_network_acl.public[0].id
- egress = true
- rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
- rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
- from_port = var.public_outbound_acl_rules[count.index]["from_port"]
- to_port = var.public_outbound_acl_rules[count.index]["to_port"]
- protocol = var.public_outbound_acl_rules[count.index]["protocol"]
- cidr_block = var.public_outbound_acl_rules[count.index]["cidr_block"]
+ egress = true
+ rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
-#######################
+################################################################################
# Private Network ACLs
-#######################
+################################################################################
+
resource "aws_network_acl" "private" {
count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0
@@ -542,13 +757,16 @@ resource "aws_network_acl_rule" "private_inbound" {
network_acl_id = aws_network_acl.private[0].id
- egress = false
- rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
- rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
- from_port = var.private_inbound_acl_rules[count.index]["from_port"]
- to_port = var.private_inbound_acl_rules[count.index]["to_port"]
- protocol = var.private_inbound_acl_rules[count.index]["protocol"]
- cidr_block = var.private_inbound_acl_rules[count.index]["cidr_block"]
+ egress = false
+ rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "private_outbound" {
@@ -556,18 +774,75 @@ resource "aws_network_acl_rule" "private_outbound" {
network_acl_id = aws_network_acl.private[0].id
- egress = true
- rule_number = var.private_outbound_acl_rules[count.index]["rule_number"]
- rule_action = var.private_outbound_acl_rules[count.index]["rule_action"]
- from_port = var.private_outbound_acl_rules[count.index]["from_port"]
- to_port = var.private_outbound_acl_rules[count.index]["to_port"]
- protocol = var.private_outbound_acl_rules[count.index]["protocol"]
- cidr_block = var.private_outbound_acl_rules[count.index]["cidr_block"]
+ egress = true
+ rule_number = var.private_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.private_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.private_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.private_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+################################################################################
+# Outpost Network ACLs
+################################################################################
+
+resource "aws_network_acl" "outpost" {
+ count = var.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? 1 : 0
+
+ vpc_id = element(concat(aws_vpc.mod.*.id, [""]), 0)
+ subnet_ids = aws_subnet.outpost.*.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-${var.outpost_subnet_suffix}", var.name)
+ },
+ var.tags,
+ var.outpost_acl_tags,
+ )
+}
+
+resource "aws_network_acl_rule" "outpost_inbound" {
+ count = var.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? length(var.outpost_inbound_acl_rules) : 0
+
+ network_acl_id = aws_network_acl.outpost[0].id
+
+ egress = false
+ rule_number = var.outpost_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.outpost_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.outpost_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.outpost_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.outpost_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "outpost_outbound" {
+ count = var.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? length(var.outpost_outbound_acl_rules) : 0
+
+ network_acl_id = aws_network_acl.outpost[0].id
+
+ egress = true
+ rule_number = var.outpost_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.outpost_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.outpost_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.outpost_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.outpost_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
-########################
+################################################################################
# Intra Network ACLs
-########################
+################################################################################
+
resource "aws_network_acl" "intra" {
count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0
@@ -588,13 +863,16 @@ resource "aws_network_acl_rule" "intra_inbound" {
network_acl_id = aws_network_acl.intra[0].id
- egress = false
- rule_number = var.intra_inbound_acl_rules[count.index]["rule_number"]
- rule_action = var.intra_inbound_acl_rules[count.index]["rule_action"]
- from_port = var.intra_inbound_acl_rules[count.index]["from_port"]
- to_port = var.intra_inbound_acl_rules[count.index]["to_port"]
- protocol = var.intra_inbound_acl_rules[count.index]["protocol"]
- cidr_block = var.intra_inbound_acl_rules[count.index]["cidr_block"]
+ egress = false
+ rule_number = var.intra_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.intra_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.intra_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.intra_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.intra_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.intra_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.intra_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.intra_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.intra_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "intra_outbound" {
@@ -602,18 +880,22 @@ resource "aws_network_acl_rule" "intra_outbound" {
network_acl_id = aws_network_acl.intra[0].id
- egress = true
- rule_number = var.intra_outbound_acl_rules[count.index]["rule_number"]
- rule_action = var.intra_outbound_acl_rules[count.index]["rule_action"]
- from_port = var.intra_outbound_acl_rules[count.index]["from_port"]
- to_port = var.intra_outbound_acl_rules[count.index]["to_port"]
- protocol = var.intra_outbound_acl_rules[count.index]["protocol"]
- cidr_block = var.intra_outbound_acl_rules[count.index]["cidr_block"]
+ egress = true
+ rule_number = var.intra_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.intra_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.intra_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.intra_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.intra_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.intra_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.intra_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.intra_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.intra_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
-########################
+################################################################################
# Database Network ACLs
-########################
+################################################################################
+
resource "aws_network_acl" "database" {
count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0
@@ -634,13 +916,16 @@ resource "aws_network_acl_rule" "database_inbound" {
network_acl_id = aws_network_acl.database[0].id
- egress = false
- rule_number = var.database_inbound_acl_rules[count.index]["rule_number"]
- rule_action = var.database_inbound_acl_rules[count.index]["rule_action"]
- from_port = var.database_inbound_acl_rules[count.index]["from_port"]
- to_port = var.database_inbound_acl_rules[count.index]["to_port"]
- protocol = var.database_inbound_acl_rules[count.index]["protocol"]
- cidr_block = var.database_inbound_acl_rules[count.index]["cidr_block"]
+ egress = false
+ rule_number = var.database_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.database_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.database_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.database_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.database_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.database_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "database_outbound" {
@@ -648,18 +933,22 @@ resource "aws_network_acl_rule" "database_outbound" {
network_acl_id = aws_network_acl.database[0].id
- egress = true
- rule_number = var.database_outbound_acl_rules[count.index]["rule_number"]
- rule_action = var.database_outbound_acl_rules[count.index]["rule_action"]
- from_port = var.database_outbound_acl_rules[count.index]["from_port"]
- to_port = var.database_outbound_acl_rules[count.index]["to_port"]
- protocol = var.database_outbound_acl_rules[count.index]["protocol"]
- cidr_block = var.database_outbound_acl_rules[count.index]["cidr_block"]
+ egress = true
+ rule_number = var.database_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.database_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.database_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.database_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.database_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
-########################
+################################################################################
# Redshift Network ACLs
-########################
+################################################################################
+
resource "aws_network_acl" "redshift" {
count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0
@@ -680,13 +969,16 @@ resource "aws_network_acl_rule" "redshift_inbound" {
network_acl_id = aws_network_acl.redshift[0].id
- egress = false
- rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"]
- rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"]
- from_port = var.redshift_inbound_acl_rules[count.index]["from_port"]
- to_port = var.redshift_inbound_acl_rules[count.index]["to_port"]
- protocol = var.redshift_inbound_acl_rules[count.index]["protocol"]
- cidr_block = var.redshift_inbound_acl_rules[count.index]["cidr_block"]
+ egress = false
+ rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.redshift_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "redshift_outbound" {
@@ -694,18 +986,22 @@ resource "aws_network_acl_rule" "redshift_outbound" {
network_acl_id = aws_network_acl.redshift[0].id
- egress = true
- rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"]
- rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"]
- from_port = var.redshift_outbound_acl_rules[count.index]["from_port"]
- to_port = var.redshift_outbound_acl_rules[count.index]["to_port"]
- protocol = var.redshift_outbound_acl_rules[count.index]["protocol"]
- cidr_block = var.redshift_outbound_acl_rules[count.index]["cidr_block"]
+ egress = true
+ rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.redshift_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
-###########################
+################################################################################
# Elasticache Network ACLs
-###########################
+################################################################################
+
resource "aws_network_acl" "elasticache" {
count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0
@@ -726,13 +1022,16 @@ resource "aws_network_acl_rule" "elasticache_inbound" {
network_acl_id = aws_network_acl.elasticache[0].id
- egress = false
- rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"]
- rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"]
- from_port = var.elasticache_inbound_acl_rules[count.index]["from_port"]
- to_port = var.elasticache_inbound_acl_rules[count.index]["to_port"]
- protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"]
- cidr_block = var.elasticache_inbound_acl_rules[count.index]["cidr_block"]
+ egress = false
+ rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "elasticache_outbound" {
@@ -740,18 +1039,22 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
network_acl_id = aws_network_acl.elasticache[0].id
- egress = true
- rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"]
- rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"]
- from_port = var.elasticache_outbound_acl_rules[count.index]["from_port"]
- to_port = var.elasticache_outbound_acl_rules[count.index]["to_port"]
- protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"]
- cidr_block = var.elasticache_outbound_acl_rules[count.index]["cidr_block"]
+ egress = true
+ rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"]
+ rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"]
+ from_port = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null)
+ to_port = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null)
+ icmp_code = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null)
+ icmp_type = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null)
+ protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"]
+ cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block", null)
+ ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
-##############
+################################################################################
# NAT Gateway
-##############
+################################################################################
+
# Workaround for interpolation not being able to "short-circuit" the evaluation of the conditional branch that doesn't end up being used
# Source: https://github.com/hashicorp/terraform/issues/11566#issuecomment-289417805
#
@@ -824,471 +1127,18 @@ resource "aws_route" "private_nat_gateway" {
}
}
-######################
-# VPC Endpoint for S3
-######################
-data "aws_vpc_endpoint_service" "s3" {
- count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
-
- service = "s3"
-}
-
-resource "aws_vpc_endpoint" "s3" {
- count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.s3[0].service_name
-}
-
-resource "aws_vpc_endpoint_route_table_association" "private_s3" {
- count = var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0
-
- vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
- route_table_id = element(aws_route_table.private.*.id, count.index)
-}
-
-resource "aws_vpc_endpoint_route_table_association" "intra_s3" {
- count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
-
- vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
- route_table_id = element(aws_route_table.intra.*.id, 0)
-}
-
-resource "aws_vpc_endpoint_route_table_association" "public_s3" {
- count = var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0
-
- vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
- route_table_id = aws_route_table.public[0].id
-}
-
-############################
-# VPC Endpoint for DynamoDB
-############################
-data "aws_vpc_endpoint_service" "dynamodb" {
- count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
-
- service = "dynamodb"
-}
-
-resource "aws_vpc_endpoint" "dynamodb" {
- count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
+resource "aws_route" "private_ipv6_egress" {
+ count = var.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? length(var.private_subnets) : 0
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name
+ route_table_id = element(aws_route_table.private.*.id, count.index)
+ destination_ipv6_cidr_block = "::/0"
+ egress_only_gateway_id = element(aws_egress_only_internet_gateway.this.*.id, 0)
}
-resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
- count = var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0
-
- vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
- route_table_id = element(aws_route_table.private.*.id, count.index)
-}
-
-resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" {
- count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
-
- vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
- route_table_id = element(aws_route_table.intra.*.id, 0)
-}
-
-resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
- count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0
-
- vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
- route_table_id = aws_route_table.public[0].id
-}
-
-
-#######################
-# VPC Endpoint for SQS
-#######################
-data "aws_vpc_endpoint_service" "sqs" {
- count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0
-
- service = "sqs"
-}
-
-resource "aws_vpc_endpoint" "sqs" {
- count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.sqs[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.sqs_endpoint_security_group_ids
- subnet_ids = coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.sqs_endpoint_private_dns_enabled
-}
-
-#######################
-# VPC Endpoint for SSM
-#######################
-data "aws_vpc_endpoint_service" "ssm" {
- count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0
-
- service = "ssm"
-}
-
-resource "aws_vpc_endpoint" "ssm" {
- count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ssm[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ssm_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ssm_endpoint_private_dns_enabled
-}
-
-###############################
-# VPC Endpoint for SSMMESSAGES
-###############################
-data "aws_vpc_endpoint_service" "ssmmessages" {
- count = var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0
-
- service = "ssmmessages"
-}
-
-resource "aws_vpc_endpoint" "ssmmessages" {
- count = var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ssmmessages[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ssmmessages_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ssmmessages_endpoint_private_dns_enabled
-}
-
-#######################
-# VPC Endpoint for EC2
-#######################
-data "aws_vpc_endpoint_service" "ec2" {
- count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0
-
- service = "ec2"
-}
-
-resource "aws_vpc_endpoint" "ec2" {
- count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ec2[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ec2_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ec2_endpoint_private_dns_enabled
-}
-
-###############################
-# VPC Endpoint for EC2MESSAGES
-###############################
-data "aws_vpc_endpoint_service" "ec2messages" {
- count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0
-
- service = "ec2messages"
-}
-
-resource "aws_vpc_endpoint" "ec2messages" {
- count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ec2messages[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ec2messages_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled
-}
-
-###########################
-# VPC Endpoint for ECR API
-###########################
-data "aws_vpc_endpoint_service" "ecr_api" {
- count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0
-
- service = "ecr.api"
-}
-
-resource "aws_vpc_endpoint" "ecr_api" {
- count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ecr_api[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ecr_api_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ecr_api_endpoint_private_dns_enabled
-}
-
-###########################
-# VPC Endpoint for ECR DKR
-###########################
-data "aws_vpc_endpoint_service" "ecr_dkr" {
- count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0
-
- service = "ecr.dkr"
-}
-
-resource "aws_vpc_endpoint" "ecr_dkr" {
- count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ecr_dkr[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ecr_dkr_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ecr_dkr_endpoint_private_dns_enabled
-}
-
-#######################
-# VPC Endpoint for API Gateway
-#######################
-data "aws_vpc_endpoint_service" "apigw" {
- count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0
-
- service = "execute-api"
-}
-
-resource "aws_vpc_endpoint" "apigw" {
- count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.apigw[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.apigw_endpoint_security_group_ids
- subnet_ids = coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.apigw_endpoint_private_dns_enabled
-}
-
-#######################
-# VPC Endpoint for KMS
-#######################
-data "aws_vpc_endpoint_service" "kms" {
- count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0
-
- service = "kms"
-}
-
-resource "aws_vpc_endpoint" "kms" {
- count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.kms[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.kms_endpoint_security_group_ids
- subnet_ids = coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.kms_endpoint_private_dns_enabled
-}
-
-#######################
-# VPC Endpoint for ECS
-#######################
-data "aws_vpc_endpoint_service" "ecs" {
- count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0
-
- service = "ecs"
-}
-
-resource "aws_vpc_endpoint" "ecs" {
- count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ecs[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ecs_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ecs_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for ECS Agent
-#######################
-data "aws_vpc_endpoint_service" "ecs_agent" {
- count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0
-
- service = "ecs-agent"
-}
-
-resource "aws_vpc_endpoint" "ecs_agent" {
- count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ecs_agent[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ecs_agent_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ecs_agent_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for ECS Telemetry
-#######################
-data "aws_vpc_endpoint_service" "ecs_telemetry" {
- count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0
-
- service = "ecs-telemetry"
-}
-
-resource "aws_vpc_endpoint" "ecs_telemetry" {
- count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.ecs_telemetry[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.ecs_telemetry_endpoint_security_group_ids
- subnet_ids = coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for SNS
-#######################
-data "aws_vpc_endpoint_service" "sns" {
- count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0
-
- service = "sns"
-}
-
-resource "aws_vpc_endpoint" "sns" {
- count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.sns[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.sns_endpoint_security_group_ids
- subnet_ids = coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.sns_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for CloudWatch Monitoring
-#######################
-data "aws_vpc_endpoint_service" "monitoring" {
- count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0
-
- service = "monitoring"
-}
-
-resource "aws_vpc_endpoint" "monitoring" {
- count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.monitoring[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.monitoring_endpoint_security_group_ids
- subnet_ids = coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.monitoring_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for CloudWatch Logs
-#######################
-data "aws_vpc_endpoint_service" "logs" {
- count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0
-
- service = "logs"
-}
-
-resource "aws_vpc_endpoint" "logs" {
- count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.logs[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.logs_endpoint_security_group_ids
- subnet_ids = coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.logs_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for CloudWatch Events
-#######################
-data "aws_vpc_endpoint_service" "events" {
- count = var.create_vpc && var.enable_events_endpoint ? 1 : 0
-
- service = "events"
-}
-
-resource "aws_vpc_endpoint" "events" {
- count = var.create_vpc && var.enable_events_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.events[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.events_endpoint_security_group_ids
- subnet_ids = coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.events_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for Elastic Load Balancing
-#######################
-data "aws_vpc_endpoint_service" "elasticloadbalancing" {
- count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0
-
- service = "elasticloadbalancing"
-}
-
-resource "aws_vpc_endpoint" "elasticloadbalancing" {
- count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.elasticloadbalancing[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.elasticloadbalancing_endpoint_security_group_ids
- subnet_ids = coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.elasticloadbalancing_endpoint_private_dns_enabled
-}
-
-
-#######################
-# VPC Endpoint for CloudTrail
-#######################
-data "aws_vpc_endpoint_service" "cloudtrail" {
- count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0
-
- service = "cloudtrail"
-}
-
-resource "aws_vpc_endpoint" "cloudtrail" {
- count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0
-
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.cloudtrail[0].service_name
- vpc_endpoint_type = "Interface"
-
- security_group_ids = var.cloudtrail_endpoint_security_group_ids
- subnet_ids = coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)
- private_dns_enabled = var.cloudtrail_endpoint_private_dns_enabled
-}
-
-
-##########################
+################################################################################
# Route table association
-##########################
+################################################################################
+
resource "aws_route_table_association" "private" {
count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0
@@ -1299,13 +1149,23 @@ resource "aws_route_table_association" "private" {
)
}
+resource "aws_route_table_association" "outpost" {
+ count = var.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0
+
+ subnet_id = element(aws_subnet.outpost.*.id, count.index)
+ route_table_id = element(
+ aws_route_table.private.*.id,
+ var.single_nat_gateway ? 0 : count.index,
+ )
+}
+
resource "aws_route_table_association" "database" {
count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0
subnet_id = element(aws_subnet.database.*.id, count.index)
route_table_id = element(
coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id),
- var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index,
+ var.create_database_subnet_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 0 : count.index : count.index,
)
}
@@ -1356,14 +1216,37 @@ resource "aws_route_table_association" "public" {
route_table_id = aws_route_table.public[0].id
}
-##############
+################################################################################
+# Customer Gateways
+################################################################################
+
+resource "aws_customer_gateway" "this" {
+ for_each = var.customer_gateways
+
+ bgp_asn = each.value["bgp_asn"]
+ ip_address = each.value["ip_address"]
+ device_name = lookup(each.value, "device_name", null)
+ type = "ipsec.1"
+
+ tags = merge(
+ {
+ Name = format("%s-%s", var.name, each.key)
+ },
+ var.tags,
+ var.customer_gateway_tags,
+ )
+}
+
+################################################################################
# VPN Gateway
-##############
+################################################################################
+
resource "aws_vpn_gateway" "this" {
count = var.create_vpc && var.enable_vpn_gateway ? 1 : 0
- vpc_id = local.vpc_id
- amazon_side_asn = var.amazon_side_asn
+ vpc_id = local.vpc_id
+ amazon_side_asn = var.amazon_side_asn
+ availability_zone = var.vpn_gateway_az
tags = merge(
{
@@ -1407,9 +1290,23 @@ resource "aws_vpn_gateway_route_propagation" "private" {
)
}
-###########
+resource "aws_vpn_gateway_route_propagation" "intra" {
+ count = var.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.intra_subnets) : 0
+
+ route_table_id = element(aws_route_table.intra.*.id, count.index)
+ vpn_gateway_id = element(
+ concat(
+ aws_vpn_gateway.this.*.id,
+ aws_vpn_gateway_attachment.this.*.vpn_gateway_id,
+ ),
+ count.index,
+ )
+}
+
+################################################################################
# Defaults
-###########
+################################################################################
+
resource "aws_default_vpc" "this" {
count = var.manage_default_vpc ? 1 : 0
@@ -1425,4 +1322,3 @@ resource "aws_default_vpc" "this" {
var.default_vpc_tags,
)
}
-
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
new file mode 100644
index 000000000..e5d758b2b
--- /dev/null
+++ b/modules/vpc-endpoints/README.md
@@ -0,0 +1,95 @@
+# AWS VPC Endpoints Terraform sub-module
+
+Terraform sub-module which creates VPC endpoint resources on AWS.
+
+## Usage
+
+See [`examples`](../../examples) directory for working examples to reference:
+
+```hcl
+module "endpoints" {
+ source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+
+ vpc_id = "vpc-12345678"
+ security_group_ids = ["sg-12345678"]
+
+ endpoints = {
+ s3 = {
+ # interface endpoint
+ service = "s3"
+ tags = { Name = "s3-vpc-endpoint" }
+ },
+ dynamodb = {
+ # gateway endpoint
+ service = "dynamodb"
+ route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"]
+ tags = { Name = "dynamodb-vpc-endpoint" }
+ },
+ sns = {
+ service = "sns"
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ tags = { Name = "sns-vpc-endpoint" }
+ },
+ sqs = {
+ service = "sqs"
+ private_dns_enabled = true
+ security_group_ids = ["sg-987654321"]
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+ tags = { Name = "sqs-vpc-endpoint" }
+ },
+ }
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+}
+```
+
+## Examples
+
+- [Complete-VPC](../../examples/complete-vpc) with VPC Endpoints.
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13.1 |
+| [aws](#requirement\_aws) | >= 3.28 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.28 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no |
+| [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no |
+| [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
+| [subnet\_ids](#input\_subnet\_ids) | Default subnets IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Define maximum timeout for creating, updating, and deleting VPC endpoint resources | `map(string)` | `{}` | no |
+| [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [endpoints](#output\_endpoints) | Array containing the full resource object and attributes for all endpoints created |
+
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
new file mode 100644
index 000000000..58b3270ee
--- /dev/null
+++ b/modules/vpc-endpoints/main.tf
@@ -0,0 +1,42 @@
+locals {
+ endpoints = var.create ? var.endpoints : tomap({})
+}
+
+################################################################################
+# Endpoint(s)
+################################################################################
+
+data "aws_vpc_endpoint_service" "this" {
+ for_each = local.endpoints
+
+ service = lookup(each.value, "service", null)
+ service_name = lookup(each.value, "service_name", null)
+
+ filter {
+ name = "service-type"
+ values = [lookup(each.value, "service_type", "Interface")]
+ }
+}
+
+resource "aws_vpc_endpoint" "this" {
+ for_each = local.endpoints
+
+ vpc_id = var.vpc_id
+ service_name = data.aws_vpc_endpoint_service.this[each.key].service_name
+ vpc_endpoint_type = lookup(each.value, "service_type", "Interface")
+ auto_accept = lookup(each.value, "auto_accept", null)
+
+ security_group_ids = lookup(each.value, "service_type", "Interface") == "Interface" ? distinct(concat(var.security_group_ids, lookup(each.value, "security_group_ids", []))) : null
+ subnet_ids = lookup(each.value, "service_type", "Interface") == "Interface" ? distinct(concat(var.subnet_ids, lookup(each.value, "subnet_ids", []))) : null
+ route_table_ids = lookup(each.value, "service_type", "Interface") == "Gateway" ? lookup(each.value, "route_table_ids", null) : null
+ policy = lookup(each.value, "policy", null)
+ private_dns_enabled = lookup(each.value, "service_type", "Interface") == "Interface" ? lookup(each.value, "private_dns_enabled", null) : null
+
+ tags = merge(var.tags, lookup(each.value, "tags", {}))
+
+ timeouts {
+ create = lookup(var.timeouts, "create", "10m")
+ update = lookup(var.timeouts, "update", "10m")
+ delete = lookup(var.timeouts, "delete", "10m")
+ }
+}
diff --git a/modules/vpc-endpoints/outputs.tf b/modules/vpc-endpoints/outputs.tf
new file mode 100644
index 000000000..88aa989fa
--- /dev/null
+++ b/modules/vpc-endpoints/outputs.tf
@@ -0,0 +1,4 @@
+output "endpoints" {
+ description = "Array containing the full resource object and attributes for all endpoints created"
+ value = aws_vpc_endpoint.this
+}
diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf
new file mode 100644
index 000000000..afcebc3d0
--- /dev/null
+++ b/modules/vpc-endpoints/variables.tf
@@ -0,0 +1,41 @@
+variable "create" {
+ description = "Determines whether resources will be created"
+ type = bool
+ default = true
+}
+
+variable "vpc_id" {
+ description = "The ID of the VPC in which the endpoint will be used"
+ type = string
+ default = null
+}
+
+variable "endpoints" {
+ description = "A map of interface and/or gateway endpoints containing their properties and configurations"
+ type = any
+ default = {}
+}
+
+variable "security_group_ids" {
+ description = "Default security group IDs to associate with the VPC endpoints"
+ type = list(string)
+ default = []
+}
+
+variable "subnet_ids" {
+ description = "Default subnets IDs to associate with the VPC endpoints"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "A map of tags to use on all resources"
+ type = map(string)
+ default = {}
+}
+
+variable "timeouts" {
+ description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources"
+ type = map(string)
+ default = {}
+}
diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf
new file mode 100644
index 000000000..ab4d354a9
--- /dev/null
+++ b/modules/vpc-endpoints/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.28"
+ }
+ }
+}
diff --git a/outputs.tf b/outputs.tf
index 6d3174eff..6466d880a 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -43,31 +43,31 @@ output "vpc_enable_dns_hostnames" {
value = concat(aws_vpc.mod.*.enable_dns_hostnames, [""])[0]
}
-//output "vpc_enable_classiclink" {
-// description = "Whether or not the VPC has Classiclink enabled"
-// value = "${element(concat(aws_vpc.mod.*.enable_classiclink, list("")), 0)}"
-//}
-
output "vpc_main_route_table_id" {
description = "The ID of the main route table associated with this VPC"
value = concat(aws_vpc.mod.*.main_route_table_id, [""])[0]
}
-//output "vpc_ipv6_association_id" {
-// description = "The association ID for the IPv6 CIDR block"
-// value = "${element(concat(aws_vpc.mod.*.ipv6_association_id, list("")), 0)}"
-//}
-//
-//output "vpc_ipv6_cidr_block" {
-// description = "The IPv6 CIDR block"
-// value = "${element(concat(aws_vpc.mod.*.ipv6_cidr_block, list("")), 0)}"
-//}
+output "vpc_ipv6_association_id" {
+ description = "The association ID for the IPv6 CIDR block"
+ value = concat(aws_vpc.mod.*.ipv6_association_id, [""])[0]
+}
+
+output "vpc_ipv6_cidr_block" {
+ description = "The IPv6 CIDR block"
+ value = concat(aws_vpc.mod.*.ipv6_cidr_block, [""])[0]
+}
output "vpc_secondary_cidr_blocks" {
description = "List of secondary CIDR blocks of the VPC"
value = aws_vpc_ipv4_cidr_block_association.this.*.cidr_block
}
+output "vpc_owner_id" {
+ description = "The ID of the AWS account that owns the VPC"
+ value = concat(aws_vpc.mod.*.owner_id, [""])[0]
+}
+
output "private_subnets" {
description = "List of IDs of private subnets"
value = aws_subnet.private.*.id
@@ -83,6 +83,11 @@ output "private_subnets_cidr_blocks" {
value = aws_subnet.private.*.cidr_block
}
+output "private_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC"
+ value = aws_subnet.private.*.ipv6_cidr_block
+}
+
output "public_subnets" {
description = "List of IDs of public subnets"
value = aws_subnet.public.*.id
@@ -98,6 +103,31 @@ output "public_subnets_cidr_blocks" {
value = aws_subnet.public.*.cidr_block
}
+output "public_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC"
+ value = aws_subnet.public.*.ipv6_cidr_block
+}
+
+output "outpost_subnets" {
+ description = "List of IDs of outpost subnets"
+ value = aws_subnet.outpost.*.id
+}
+
+output "outpost_subnet_arns" {
+ description = "List of ARNs of outpost subnets"
+ value = aws_subnet.outpost.*.arn
+}
+
+output "outpost_subnets_cidr_blocks" {
+ description = "List of cidr_blocks of outpost subnets"
+ value = aws_subnet.outpost.*.cidr_block
+}
+
+output "outpost_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of outpost subnets in an IPv6 enabled VPC"
+ value = aws_subnet.outpost.*.ipv6_cidr_block
+}
+
output "database_subnets" {
description = "List of IDs of database subnets"
value = aws_subnet.database.*.id
@@ -113,11 +143,21 @@ output "database_subnets_cidr_blocks" {
value = aws_subnet.database.*.cidr_block
}
+output "database_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC"
+ value = aws_subnet.database.*.ipv6_cidr_block
+}
+
output "database_subnet_group" {
description = "ID of database subnet group"
value = concat(aws_db_subnet_group.database.*.id, [""])[0]
}
+output "database_subnet_group_name" {
+ description = "Name of database subnet group"
+ value = concat(aws_db_subnet_group.database.*.name, [""])[0]
+}
+
output "redshift_subnets" {
description = "List of IDs of redshift subnets"
value = aws_subnet.redshift.*.id
@@ -133,6 +173,11 @@ output "redshift_subnets_cidr_blocks" {
value = aws_subnet.redshift.*.cidr_block
}
+output "redshift_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC"
+ value = aws_subnet.redshift.*.ipv6_cidr_block
+}
+
output "redshift_subnet_group" {
description = "ID of redshift subnet group"
value = concat(aws_redshift_subnet_group.redshift.*.id, [""])[0]
@@ -153,6 +198,11 @@ output "elasticache_subnets_cidr_blocks" {
value = aws_subnet.elasticache.*.cidr_block
}
+output "elasticache_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC"
+ value = aws_subnet.elasticache.*.ipv6_cidr_block
+}
+
output "intra_subnets" {
description = "List of IDs of intra subnets"
value = aws_subnet.intra.*.id
@@ -168,6 +218,11 @@ output "intra_subnets_cidr_blocks" {
value = aws_subnet.intra.*.cidr_block
}
+output "intra_subnets_ipv6_cidr_blocks" {
+ description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC"
+ value = aws_subnet.intra.*.ipv6_cidr_block
+}
+
output "elasticache_subnet_group" {
description = "ID of elasticache subnet group"
value = concat(aws_elasticache_subnet_group.elasticache.*.id, [""])[0]
@@ -195,7 +250,7 @@ output "database_route_table_ids" {
output "redshift_route_table_ids" {
description = "List of IDs of redshift route tables"
- value = length(aws_route_table.redshift.*.id) > 0 ? aws_route_table.redshift.*.id : aws_route_table.private.*.id
+ value = length(aws_route_table.redshift.*.id) > 0 ? aws_route_table.redshift.*.id : (var.enable_public_redshift ? aws_route_table.public.*.id : aws_route_table.private.*.id)
}
output "elasticache_route_table_ids" {
@@ -208,414 +263,275 @@ output "intra_route_table_ids" {
value = aws_route_table.intra.*.id
}
-output "nat_ids" {
- description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway"
- value = aws_eip.nat.*.id
-}
-
-output "nat_public_ips" {
- description = "List of public Elastic IPs created for AWS NAT Gateway"
- value = aws_eip.nat.*.public_ip
-}
-
-output "natgw_ids" {
- description = "List of NAT Gateway IDs"
- value = aws_nat_gateway.this.*.id
-}
-
-output "igw_id" {
- description = "The ID of the Internet Gateway"
- value = concat(aws_internet_gateway.this.*.id, [""])[0]
-}
-
-output "vgw_id" {
- description = "The ID of the VPN Gateway"
- value = concat(
- aws_vpn_gateway.this.*.id,
- aws_vpn_gateway_attachment.this.*.vpn_gateway_id,
- [""],
- )[0]
-}
-
-output "default_vpc_id" {
- description = "The ID of the VPC"
- value = concat(aws_default_vpc.this.*.id, [""])[0]
-}
-
-output "default_vpc_cidr_block" {
- description = "The CIDR block of the VPC"
- value = concat(aws_default_vpc.this.*.cidr_block, [""])[0]
-}
-
-output "default_vpc_default_security_group_id" {
- description = "The ID of the security group created by default on VPC creation"
- value = concat(aws_default_vpc.this.*.default_security_group_id, [""])[0]
-}
-
-output "default_vpc_default_network_acl_id" {
- description = "The ID of the default network ACL"
- value = concat(aws_default_vpc.this.*.default_network_acl_id, [""])[0]
-}
-
-output "default_vpc_default_route_table_id" {
- description = "The ID of the default route table"
- value = concat(aws_default_vpc.this.*.default_route_table_id, [""])[0]
-}
-
-output "default_vpc_instance_tenancy" {
- description = "Tenancy of instances spin up within VPC"
- value = concat(aws_default_vpc.this.*.instance_tenancy, [""])[0]
-}
-
-output "default_vpc_enable_dns_support" {
- description = "Whether or not the VPC has DNS support"
- value = concat(aws_default_vpc.this.*.enable_dns_support, [""])[0]
-}
-
-output "default_vpc_enable_dns_hostnames" {
- description = "Whether or not the VPC has DNS hostname support"
- value = concat(aws_default_vpc.this.*.enable_dns_hostnames, [""])[0]
-}
-
-//output "default_vpc_enable_classiclink" {
-// description = "Whether or not the VPC has Classiclink enabled"
-// value = "${element(concat(aws_default_vpc.this.*.enable_classiclink, list("")), 0)}"
-//}
-
-output "default_vpc_main_route_table_id" {
- description = "The ID of the main route table associated with this VPC"
- value = concat(aws_default_vpc.this.*.main_route_table_id, [""])[0]
-}
-
-//output "default_vpc_ipv6_association_id" {
-// description = "The association ID for the IPv6 CIDR block"
-// value = "${element(concat(aws_default_vpc.this.*.ipv6_association_id, list("")), 0)}"
-//}
-//
-//output "default_vpc_ipv6_cidr_block" {
-// description = "The IPv6 CIDR block"
-// value = "${element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)}"
-//}
-
-output "public_network_acl_id" {
- description = "ID of the public network ACL"
- value = concat(aws_network_acl.public.*.id, [""])[0]
+output "public_internet_gateway_route_id" {
+ description = "ID of the internet gateway route."
+ value = concat(aws_route.public_internet_gateway.*.id, [""])[0]
}
-output "private_network_acl_id" {
- description = "ID of the private network ACL"
- value = concat(aws_network_acl.private.*.id, [""])[0]
+output "public_internet_gateway_ipv6_route_id" {
+ description = "ID of the IPv6 internet gateway route."
+ value = concat(aws_route.public_internet_gateway_ipv6.*.id, [""])[0]
}
-output "intra_network_acl_id" {
- description = "ID of the intra network ACL"
- value = concat(aws_network_acl.intra.*.id, [""])[0]
+output "database_internet_gateway_route_id" {
+ description = "ID of the database internet gateway route."
+ value = concat(aws_route.database_internet_gateway.*.id, [""])[0]
}
-output "database_network_acl_id" {
- description = "ID of the database network ACL"
- value = concat(aws_network_acl.database.*.id, [""])[0]
+output "database_nat_gateway_route_ids" {
+ description = "List of IDs of the database nat gateway route."
+ value = aws_route.database_nat_gateway.*.id
}
-output "redshift_network_acl_id" {
- description = "ID of the redshift network ACL"
- value = concat(aws_network_acl.redshift.*.id, [""])[0]
+output "database_ipv6_egress_route_id" {
+ description = "ID of the database IPv6 egress route."
+ value = concat(aws_route.database_ipv6_egress.*.id, [""])[0]
}
-output "elasticache_network_acl_id" {
- description = "ID of the elasticache network ACL"
- value = concat(aws_network_acl.elasticache.*.id, [""])[0]
+output "private_nat_gateway_route_ids" {
+ description = "List of IDs of the private nat gateway route."
+ value = aws_route.private_nat_gateway.*.id
}
-# VPC Endpoints
-output "vpc_endpoint_s3_id" {
- description = "The ID of VPC endpoint for S3"
- value = concat(aws_vpc_endpoint.s3.*.id, [""])[0]
+output "private_ipv6_egress_route_ids" {
+ description = "List of IDs of the ipv6 egress route."
+ value = aws_route.private_ipv6_egress.*.id
}
-output "vpc_endpoint_s3_pl_id" {
- description = "The prefix list for the S3 VPC endpoint."
- value = concat(aws_vpc_endpoint.s3.*.prefix_list_id, [""])[0]
+output "private_route_table_association_ids" {
+ description = "List of IDs of the private route table association"
+ value = aws_route_table_association.private.*.id
}
-output "vpc_endpoint_dynamodb_id" {
- description = "The ID of VPC endpoint for DynamoDB"
- value = concat(aws_vpc_endpoint.dynamodb.*.id, [""])[0]
+output "database_route_table_association_ids" {
+ description = "List of IDs of the database route table association"
+ value = aws_route_table_association.database.*.id
}
-output "vpc_endpoint_dynamodb_pl_id" {
- description = "The prefix list for the DynamoDB VPC endpoint."
- value = concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, [""])[0]
+output "redshift_route_table_association_ids" {
+ description = "List of IDs of the redshift route table association"
+ value = aws_route_table_association.redshift.*.id
}
-output "vpc_endpoint_sqs_id" {
- description = "The ID of VPC endpoint for SQS"
- value = "${element(concat(aws_vpc_endpoint.sqs.*.id, list("")), 0)}"
+output "redshift_public_route_table_association_ids" {
+ description = "List of IDs of the public redshidt route table association"
+ value = aws_route_table_association.redshift_public.*.id
}
-output "vpc_endpoint_sqs_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for SQS."
- value = "${flatten(aws_vpc_endpoint.sqs.*.network_interface_ids)}"
+output "elasticache_route_table_association_ids" {
+ description = "List of IDs of the elasticache route table association"
+ value = aws_route_table_association.elasticache.*.id
}
-output "vpc_endpoint_sqs_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for SQS."
- value = "${flatten(aws_vpc_endpoint.sqs.*.dns_entry)}"
+output "intra_route_table_association_ids" {
+ description = "List of IDs of the intra route table association"
+ value = aws_route_table_association.intra.*.id
}
-output "vpc_endpoint_ssm_id" {
- description = "The ID of VPC endpoint for SSM"
- value = concat(aws_vpc_endpoint.ssm.*.id, [""])[0]
+output "public_route_table_association_ids" {
+ description = "List of IDs of the public route table association"
+ value = aws_route_table_association.public.*.id
}
-output "vpc_endpoint_ssm_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for SSM."
- value = flatten(aws_vpc_endpoint.ssm.*.network_interface_ids)
+output "dhcp_options_id" {
+ description = "The ID of the DHCP options"
+ value = concat(aws_vpc_dhcp_options.this.*.id, [""])[0]
}
-output "vpc_endpoint_ssm_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for SSM."
- value = flatten(aws_vpc_endpoint.ssm.*.dns_entry)
-}
-
-output "vpc_endpoint_ssmmessages_id" {
- description = "The ID of VPC endpoint for SSMMESSAGES"
- value = concat(aws_vpc_endpoint.ssmmessages.*.id, [""])[0]
-}
-
-output "vpc_endpoint_ssmmessages_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGES."
- value = flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)
-}
-
-output "vpc_endpoint_ssmmessages_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for SSMMESSAGES."
- value = flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry)
-}
-
-output "vpc_endpoint_ec2_id" {
- description = "The ID of VPC endpoint for EC2"
- value = concat(aws_vpc_endpoint.ec2.*.id, [""])[0]
-}
-
-output "vpc_endpoint_ec2_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for EC2"
- value = flatten(aws_vpc_endpoint.ec2.*.network_interface_ids)
-}
-
-output "vpc_endpoint_ec2_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for EC2."
- value = flatten(aws_vpc_endpoint.ec2.*.dns_entry)
-}
-
-output "vpc_endpoint_ec2messages_id" {
- description = "The ID of VPC endpoint for EC2MESSAGES"
- value = concat(aws_vpc_endpoint.ec2messages.*.id, [""])[0]
-}
-
-output "vpc_endpoint_ec2messages_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for EC2MESSAGES"
- value = flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids)
-}
-
-output "vpc_endpoint_ec2messages_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for EC2MESSAGES."
- value = flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)
-}
-
-output "vpc_endpoint_kms_id" {
- description = "The ID of VPC endpoint for KMS"
- value = concat(aws_vpc_endpoint.kms.*.id, [""])[0]
+output "nat_ids" {
+ description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway"
+ value = aws_eip.nat.*.id
}
-output "vpc_endpoint_kms_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for KMS."
- value = flatten(aws_vpc_endpoint.kms.*.network_interface_ids)
+output "nat_public_ips" {
+ description = "List of public Elastic IPs created for AWS NAT Gateway"
+ value = var.reuse_nat_ips ? var.external_nat_ips : aws_eip.nat.*.public_ip
}
-output "vpc_endpoint_kms_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for KMS."
- value = flatten(aws_vpc_endpoint.kms.*.dns_entry)
+output "natgw_ids" {
+ description = "List of NAT Gateway IDs"
+ value = aws_nat_gateway.this.*.id
}
-output "vpc_endpoint_ecr_api_id" {
- description = "The ID of VPC endpoint for ECR API"
- value = concat(aws_vpc_endpoint.ecr_api.*.id, [""])[0]
+output "igw_id" {
+ description = "The ID of the Internet Gateway"
+ value = concat(aws_internet_gateway.this.*.id, [""])[0]
}
-output "vpc_endpoint_ecr_api_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for ECR API."
- value = flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids)
+output "igw_arn" {
+ description = "The ARN of the Internet Gateway"
+ value = concat(aws_internet_gateway.this.*.arn, [""])[0]
}
-output "vpc_endpoint_ecr_api_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for ECR API."
- value = flatten(aws_vpc_endpoint.ecr_api.*.dns_entry)
+output "egress_only_internet_gateway_id" {
+ description = "The ID of the egress only Internet Gateway"
+ value = concat(aws_egress_only_internet_gateway.this.*.id, [""])[0]
}
-output "vpc_endpoint_ecr_dkr_id" {
- description = "The ID of VPC endpoint for ECR DKR"
- value = concat(aws_vpc_endpoint.ecr_dkr.*.id, [""])[0]
+output "cgw_ids" {
+ description = "List of IDs of Customer Gateway"
+ value = [for k, v in aws_customer_gateway.this : v.id]
}
-output "vpc_endpoint_ecr_dkr_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for ECR DKR."
- value = flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids)
+output "cgw_arns" {
+ description = "List of ARNs of Customer Gateway"
+ value = [for k, v in aws_customer_gateway.this : v.arn]
}
-output "vpc_endpoint_ecr_dkr_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for ECR DKR."
- value = flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry)
+output "this_customer_gateway" {
+ description = "Map of Customer Gateway attributes"
+ value = aws_customer_gateway.this
}
-output "vpc_endpoint_apigw_id" {
- description = "The ID of VPC endpoint for APIGW"
- value = concat(aws_vpc_endpoint.apigw.*.id, [""])[0]
+output "vgw_id" {
+ description = "The ID of the VPN Gateway"
+ value = concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, [""])[0]
}
-output "vpc_endpoint_apigw_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for APIGW."
- value = flatten(aws_vpc_endpoint.apigw.*.network_interface_ids)
+output "vgw_arn" {
+ description = "The ARN of the VPN Gateway"
+ value = concat(aws_vpn_gateway.this.*.arn, [""])[0]
}
-output "vpc_endpoint_apigw_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for APIGW."
- value = flatten(aws_vpc_endpoint.apigw.*.dns_entry)
+output "default_vpc_id" {
+ description = "The ID of the Default VPC"
+ value = concat(aws_default_vpc.this.*.id, [""])[0]
}
-output "vpc_endpoint_ecs_id" {
- description = "The ID of VPC endpoint for ECS"
- value = "${element(concat(aws_vpc_endpoint.ecs.*.id, list("")), 0)}"
+output "default_vpc_arn" {
+ description = "The ARN of the Default VPC"
+ value = concat(aws_default_vpc.this.*.arn, [""])[0]
}
-output "vpc_endpoint_ecs_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for ECS."
- value = "${flatten(aws_vpc_endpoint.ecs.*.network_interface_ids)}"
+output "default_vpc_cidr_block" {
+ description = "The CIDR block of the Default VPC"
+ value = concat(aws_default_vpc.this.*.cidr_block, [""])[0]
}
-output "vpc_endpoint_ecs_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for ECS."
- value = "${flatten(aws_vpc_endpoint.ecs.*.dns_entry)}"
+output "default_vpc_default_security_group_id" {
+ description = "The ID of the security group created by default on Default VPC creation"
+ value = concat(aws_default_vpc.this.*.default_security_group_id, [""])[0]
}
-output "vpc_endpoint_ecs_agent_id" {
- description = "The ID of VPC endpoint for ECS Agent"
- value = "${element(concat(aws_vpc_endpoint.ecs_agent.*.id, list("")), 0)}"
+output "default_vpc_default_network_acl_id" {
+ description = "The ID of the default network ACL of the Default VPC"
+ value = concat(aws_default_vpc.this.*.default_network_acl_id, [""])[0]
}
-output "vpc_endpoint_ecs_agent_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for ECS Agent."
- value = "${flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids)}"
+output "default_vpc_default_route_table_id" {
+ description = "The ID of the default route table of the Default VPC"
+ value = concat(aws_default_vpc.this.*.default_route_table_id, [""])[0]
}
-output "vpc_endpoint_ecs_agent_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for ECS Agent."
- value = "${flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry)}"
+output "default_vpc_instance_tenancy" {
+ description = "Tenancy of instances spin up within Default VPC"
+ value = concat(aws_default_vpc.this.*.instance_tenancy, [""])[0]
}
-output "vpc_endpoint_ecs_telemetry_id" {
- description = "The ID of VPC endpoint for ECS Telemetry"
- value = "${element(concat(aws_vpc_endpoint.ecs_telemetry.*.id, list("")), 0)}"
+output "default_vpc_enable_dns_support" {
+ description = "Whether or not the Default VPC has DNS support"
+ value = concat(aws_default_vpc.this.*.enable_dns_support, [""])[0]
}
-output "vpc_endpoint_ecs_telemetry_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry."
- value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids)}"
+output "default_vpc_enable_dns_hostnames" {
+ description = "Whether or not the Default VPC has DNS hostname support"
+ value = concat(aws_default_vpc.this.*.enable_dns_hostnames, [""])[0]
}
-output "vpc_endpoint_ecs_telemetry_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for ECS Telemetry."
- value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}"
+output "default_vpc_main_route_table_id" {
+ description = "The ID of the main route table associated with the Default VPC"
+ value = concat(aws_default_vpc.this.*.main_route_table_id, [""])[0]
}
-output "vpc_endpoint_sns_id" {
- description = "The ID of VPC endpoint for SNS"
- value = concat(aws_vpc_endpoint.sns.*.id, [""])[0]
+output "public_network_acl_id" {
+ description = "ID of the public network ACL"
+ value = concat(aws_network_acl.public.*.id, [""])[0]
}
-output "vpc_endpoint_sns_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for SNS."
- value = flatten(aws_vpc_endpoint.sns.*.network_interface_ids)
+output "public_network_acl_arn" {
+ description = "ARN of the public network ACL"
+ value = concat(aws_network_acl.public.*.arn, [""])[0]
}
-output "vpc_endpoint_sns_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for SNS."
- value = flatten(aws_vpc_endpoint.sns.*.dns_entry)
+output "private_network_acl_id" {
+ description = "ID of the private network ACL"
+ value = concat(aws_network_acl.private.*.id, [""])[0]
}
-output "vpc_endpoint_monitoring_id" {
- description = "The ID of VPC endpoint for CloudWatch Monitoring"
- value = concat(aws_vpc_endpoint.monitoring.*.id, [""])[0]
+output "private_network_acl_arn" {
+ description = "ARN of the private network ACL"
+ value = concat(aws_network_acl.private.*.arn, [""])[0]
}
-output "vpc_endpoint_monitoring_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring."
- value = flatten(aws_vpc_endpoint.monitoring.*.network_interface_ids)
+output "outpost_network_acl_id" {
+ description = "ID of the outpost network ACL"
+ value = concat(aws_network_acl.outpost.*.id, [""])[0]
}
-output "vpc_endpoint_monitoring_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for CloudWatch Monitoring."
- value = flatten(aws_vpc_endpoint.monitoring.*.dns_entry)
+output "outpost_network_acl_arn" {
+ description = "ARN of the outpost network ACL"
+ value = concat(aws_network_acl.outpost.*.arn, [""])[0]
}
-output "vpc_endpoint_logs_id" {
- description = "The ID of VPC endpoint for CloudWatch Logs"
- value = concat(aws_vpc_endpoint.logs.*.id, [""])[0]
+output "intra_network_acl_id" {
+ description = "ID of the intra network ACL"
+ value = concat(aws_network_acl.intra.*.id, [""])[0]
}
-output "vpc_endpoint_logs_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for CloudWatch Logs."
- value = flatten(aws_vpc_endpoint.logs.*.network_interface_ids)
+output "intra_network_acl_arn" {
+ description = "ARN of the intra network ACL"
+ value = concat(aws_network_acl.intra.*.arn, [""])[0]
}
-output "vpc_endpoint_logs_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for CloudWatch Logs."
- value = flatten(aws_vpc_endpoint.logs.*.dns_entry)
+output "database_network_acl_id" {
+ description = "ID of the database network ACL"
+ value = concat(aws_network_acl.database.*.id, [""])[0]
}
-output "vpc_endpoint_events_id" {
- description = "The ID of VPC endpoint for CloudWatch Events"
- value = concat(aws_vpc_endpoint.events.*.id, [""])[0]
+output "database_network_acl_arn" {
+ description = "ARN of the database network ACL"
+ value = concat(aws_network_acl.database.*.arn, [""])[0]
}
-output "vpc_endpoint_events_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for CloudWatch Events."
- value = flatten(aws_vpc_endpoint.events.*.network_interface_ids)
+output "redshift_network_acl_id" {
+ description = "ID of the redshift network ACL"
+ value = concat(aws_network_acl.redshift.*.id, [""])[0]
}
-output "vpc_endpoint_events_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for CloudWatch Events."
- value = flatten(aws_vpc_endpoint.events.*.dns_entry)
+output "redshift_network_acl_arn" {
+ description = "ARN of the redshift network ACL"
+ value = concat(aws_network_acl.redshift.*.arn, [""])[0]
}
-output "vpc_endpoint_elasticloadbalancing_id" {
- description = "The ID of VPC endpoint for Elastic Load Balancing"
- value = concat(aws_vpc_endpoint.elasticloadbalancing.*.id, [""])[0]
+output "elasticache_network_acl_id" {
+ description = "ID of the elasticache network ACL"
+ value = concat(aws_network_acl.elasticache.*.id, [""])[0]
}
-output "vpc_endpoint_elasticloadbalancing_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for Elastic Load Balancing."
- value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.network_interface_ids)
+output "elasticache_network_acl_arn" {
+ description = "ARN of the elasticache network ACL"
+ value = concat(aws_network_acl.elasticache.*.arn, [""])[0]
}
-output "vpc_endpoint_elasticloadbalancing_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for Elastic Load Balancing."
- value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.dns_entry)
+# VPC flow log
+output "vpc_flow_log_id" {
+ description = "The ID of the Flow Log resource"
+ value = concat(aws_flow_log.this.*.id, [""])[0]
}
-output "vpc_endpoint_cloudtrail_id" {
- description = "The ID of VPC endpoint for CloudTrail"
- value = concat(aws_vpc_endpoint.cloudtrail.*.id, [""])[0]
+output "vpc_flow_log_destination_arn" {
+ description = "The ARN of the destination for VPC Flow Logs"
+ value = local.flow_log_destination_arn
}
-output "vpc_endpoint_cloudtrail_network_interface_ids" {
- description = "One or more network interfaces for the VPC Endpoint for CloudTrail."
- value = flatten(aws_vpc_endpoint.cloudtrail.*.network_interface_ids)
+output "vpc_flow_log_destination_type" {
+ description = "The type of the destination for VPC Flow Logs"
+ value = var.flow_log_destination_type
}
-output "vpc_endpoint_cloudtrail_dns_entry" {
- description = "The DNS entries for the VPC Endpoint for CloudTrail."
- value = flatten(aws_vpc_endpoint.cloudtrail.*.dns_entry)
+output "vpc_flow_log_cloudwatch_iam_role_arn" {
+ description = "The ARN of the IAM role used when pushing logs to Cloudwatch log group"
+ value = local.flow_log_iam_role_arn
}
# Static values (arguments)
@@ -624,3 +540,7 @@ output "azs" {
value = var.azs
}
+output "name" {
+ description = "The name of the VPC specified as argument to this module"
+ value = var.name
+}
diff --git a/test/integration/default/test_vpc.rb b/test/integration/default/test_vpc.rb
deleted file mode 100755
index 7a74a4518..000000000
--- a/test/integration/default/test_vpc.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-
-require 'awspec'
-require 'aws-sdk'
-require 'rhcl'
-
-# should strive to randomize the region for more robust testing
-example_main = Rhcl.parse(File.open('examples/test_fixture/main.tf'))
-vpc_name = example_main['module']['vpc']['name']
-user_tag = example_main['module']['vpc']['tags']['Owner']
-environment_tag = example_main['module']['vpc']['tags']['Environment']
-state_file = 'terraform.tfstate.d/kitchen-terraform-default-aws/terraform.tfstate'
-tf_state = JSON.parse(File.open(state_file).read)
-region = tf_state['modules'][0]['outputs']['region']['value']
-ENV['AWS_REGION'] = region
-
-ec2 = Aws::EC2::Client.new(region: region)
-azs = ec2.describe_availability_zones
-zone_names = azs.to_h[:availability_zones].first(2).map { |az| az[:zone_name] }
-
-describe vpc(vpc_name.to_s) do
- it { should exist }
- it { should be_available }
- it { should have_tag('Name').value(vpc_name.to_s) }
- it { should have_tag('Owner').value(user_tag.to_s) }
- it { should have_tag('Environment').value(environment_tag.to_s) }
- it { should have_route_table("#{vpc_name}-public") }
- zone_names.each do |az|
- it { should have_route_table("#{vpc_name}-private-#{az}") }
- end
-end
-
-zone_names.each do |az|
- describe subnet("#{vpc_name}-public-#{az}") do
- it { should exist }
- it { should be_available }
- it { should belong_to_vpc(vpc_name.to_s) }
- it { should have_tag('Name').value("#{vpc_name}-public-#{az}") }
- it { should have_tag('Owner').value(user_tag.to_s) }
- it { should have_tag('Environment').value(environment_tag.to_s) }
- end
-end
diff --git a/variables.tf b/variables.tf
index e063fe2cb..051743468 100644
--- a/variables.tf
+++ b/variables.tf
@@ -6,652 +6,340 @@ variable "create_vpc" {
variable "name" {
description = "Name to be used on all the resources as identifier"
+ type = string
default = ""
}
variable "cidr" {
description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden"
+ type = string
default = "0.0.0.0/0"
}
-variable "assign_generated_ipv6_cidr_block" {
- description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block"
+variable "enable_ipv6" {
+ description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block."
type = bool
default = false
}
-variable "secondary_cidr_blocks" {
- description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
+variable "private_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "instance_tenancy" {
- description = "A tenancy option for instances launched into the VPC"
- type = string
- default = "default"
-}
-
-variable "public_subnet_suffix" {
- description = "Suffix to append to public subnets name"
- type = string
- default = "public"
-}
-
-variable "private_subnet_suffix" {
- description = "Suffix to append to private subnets name"
- type = string
- default = "private"
-}
-
-variable "intra_subnet_suffix" {
- description = "Suffix to append to intra subnets name"
- type = string
- default = "intra"
-}
-
-variable "database_subnet_suffix" {
- description = "Suffix to append to database subnets name"
- type = string
- default = "db"
-}
-
-variable "redshift_subnet_suffix" {
- description = "Suffix to append to redshift subnets name"
- type = string
- default = "redshift"
-}
-
-variable "elasticache_subnet_suffix" {
- description = "Suffix to append to elasticache subnets name"
- type = string
- default = "elasticache"
-}
-
-variable "public_subnets" {
- description = "A list of public subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "private_subnets" {
- description = "A list of private subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "database_subnets" {
- description = "A list of database subnets"
+variable "public_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "redshift_subnets" {
- description = "A list of redshift subnets"
- type = list(string)
- default = []
-}
-
-variable "elasticache_subnets" {
- description = "A list of elasticache subnets"
- type = list(string)
- default = []
-}
-
-variable "intra_subnets" {
- description = "A list of intra subnets"
- type = list(string)
- default = []
-}
-
-variable "create_database_subnet_route_table" {
- description = "Controls if separate route table for database should be created"
- type = bool
- default = false
-}
-
-variable "create_redshift_subnet_route_table" {
- description = "Controls if separate route table for redshift should be created"
- type = bool
- default = false
-}
-
-variable "enable_public_redshift" {
- description = "Controls if redshift should have public routing table"
- type = bool
- default = false
-}
-
-variable "create_elasticache_subnet_route_table" {
- description = "Controls if separate route table for elasticache should be created"
- type = bool
- default = false
-}
-
-variable "create_database_subnet_group" {
- description = "Controls if database subnet group should be created"
- type = bool
- default = true
-}
-
-variable "create_elasticache_subnet_group" {
- description = "Controls if elasticache subnet group should be created"
- type = bool
- default = true
-}
-
-variable "create_redshift_subnet_group" {
- description = "Controls if redshift subnet group should be created"
- type = bool
- default = true
-}
-
-variable "create_database_internet_gateway_route" {
- description = "Controls if an internet gateway route for public database access should be created"
- type = bool
- default = false
-}
-
-variable "create_database_nat_gateway_route" {
- description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
- type = bool
- default = false
-}
-
-variable "azs" {
- description = "A list of availability zones in the region"
+variable "outpost_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "enable_dns_hostnames" {
- description = "Should be true to enable DNS hostnames in the VPC"
- type = bool
- default = false
-}
-
-variable "enable_dns_support" {
- description = "Should be true to enable DNS support in the VPC"
- type = bool
- default = true
-}
-
-variable "enable_nat_gateway" {
- description = "Should be true if you want to provision NAT Gateways for each of your private networks"
- type = bool
- default = false
-}
-
-variable "single_nat_gateway" {
- description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
- type = bool
- default = false
-}
-
-variable "one_nat_gateway_per_az" {
- description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`."
- type = bool
- default = false
-}
-
-variable "reuse_nat_ips" {
- description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
- type = bool
- default = false
-}
-
-variable "external_nat_ip_ids" {
- description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
+variable "database_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "enable_dynamodb_endpoint" {
- description = "Should be true if you want to provision a DynamoDB endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "enable_s3_endpoint" {
- description = "Should be true if you want to provision an S3 endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "enable_sqs_endpoint" {
- description = "Should be true if you want to provision an SQS endpoint to the VPC"
- default = false
-}
-
-variable "sqs_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for SQS endpoint"
- default = []
-}
-
-variable "sqs_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- default = []
-}
-
-variable "sqs_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint"
- default = false
-}
-
-variable "enable_ssm_endpoint" {
- description = "Should be true if you want to provision an SSM endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "ssm_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for SSM endpoint"
+variable "redshift_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "ssm_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+variable "elasticache_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "ssm_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint"
- type = bool
- default = false
-}
-
-variable "enable_ssmmessages_endpoint" {
- description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "enable_apigw_endpoint" {
- description = "Should be true if you want to provision an api gateway endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "apigw_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for API GW endpoint"
+variable "intra_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
-variable "apigw_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint"
+variable "assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
default = false
}
-variable "apigw_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
-}
-
-variable "ssmmessages_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint"
- type = list(string)
- default = []
-}
-
-variable "ssmmessages_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
-}
-
-variable "ssmmessages_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint"
+variable "private_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
+ default = null
}
-variable "enable_ec2_endpoint" {
- description = "Should be true if you want to provision an EC2 endpoint to the VPC"
+variable "public_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
-}
-
-variable "ec2_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for EC2 endpoint"
- type = list(string)
- default = []
+ default = null
}
-variable "ec2_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint"
+variable "outpost_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
+ default = null
}
-variable "ec2_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
-}
-
-variable "enable_ec2messages_endpoint" {
- description = "Should be true if you want to provision an EC2MESSAGES endpoint to the VPC"
+variable "database_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
+ default = null
}
-variable "ec2messages_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint"
- type = list(string)
- default = []
-}
-
-variable "ec2messages_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint"
+variable "redshift_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
-}
-
-variable "ec2messages_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
+ default = null
}
-variable "enable_ecr_api_endpoint" {
- description = "Should be true if you want to provision an ecr api endpoint to the VPC"
+variable "elasticache_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
-}
-
-variable "ecr_api_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used."
- type = list(string)
- default = []
+ default = null
}
-variable "ecr_api_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
+variable "intra_subnet_assign_ipv6_address_on_creation" {
+ description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
- default = false
+ default = null
}
-variable "ecr_api_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint"
+variable "secondary_cidr_blocks" {
+ description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
type = list(string)
default = []
}
-variable "enable_ecr_dkr_endpoint" {
- description = "Should be true if you want to provision an ecr dkr endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "ecr_dkr_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used."
- type = list(string)
- default = []
+variable "instance_tenancy" {
+ description = "A tenancy option for instances launched into the VPC"
+ type = string
+ default = "default"
}
-variable "ecr_dkr_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
- type = bool
- default = false
+variable "public_subnet_suffix" {
+ description = "Suffix to append to public subnets name"
+ type = string
+ default = "public"
}
-variable "ecr_dkr_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint"
- type = list(string)
- default = []
+variable "private_subnet_suffix" {
+ description = "Suffix to append to private subnets name"
+ type = string
+ default = "private"
}
-variable "enable_kms_endpoint" {
- description = "Should be true if you want to provision a KMS endpoint to the VPC"
- type = bool
- default = false
+variable "outpost_subnet_suffix" {
+ description = "Suffix to append to outpost subnets name"
+ type = string
+ default = "outpost"
}
-variable "kms_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for KMS endpoint"
- type = list(string)
- default = []
+variable "intra_subnet_suffix" {
+ description = "Suffix to append to intra subnets name"
+ type = string
+ default = "intra"
}
-variable "kms_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
+variable "database_subnet_suffix" {
+ description = "Suffix to append to database subnets name"
+ type = string
+ default = "db"
}
-variable "kms_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint"
- type = bool
- default = false
+variable "redshift_subnet_suffix" {
+ description = "Suffix to append to redshift subnets name"
+ type = string
+ default = "redshift"
}
-variable "enable_ecs_endpoint" {
- description = "Should be true if you want to provision a ECS endpoint to the VPC"
- type = bool
- default = false
+variable "elasticache_subnet_suffix" {
+ description = "Suffix to append to elasticache subnets name"
+ type = string
+ default = "elasticache"
}
-variable "ecs_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECS endpoint"
+variable "public_subnets" {
+ description = "A list of public subnets inside the VPC"
type = list(string)
default = []
}
-variable "ecs_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+variable "private_subnets" {
+ description = "A list of private subnets inside the VPC"
type = list(string)
default = []
}
-variable "ecs_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint"
- type = bool
- default = false
-}
-
-variable "enable_ecs_agent_endpoint" {
- description = "Should be true if you want to provision a ECS Agent endpoint to the VPC"
- type = bool
- default = false
-}
-
-variable "ecs_agent_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint"
+variable "outpost_subnets" {
+ description = "A list of outpost subnets inside the VPC"
type = list(string)
default = []
}
-variable "ecs_agent_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+variable "database_subnets" {
+ description = "A list of database subnets"
type = list(string)
default = []
}
-variable "ecs_agent_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint"
- type = bool
- default = false
-}
-
-variable "enable_ecs_telemetry_endpoint" {
- description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC"
- type = bool
- default = false
+variable "redshift_subnets" {
+ description = "A list of redshift subnets"
+ type = list(string)
+ default = []
}
-variable "ecs_telemetry_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint"
+variable "elasticache_subnets" {
+ description = "A list of elasticache subnets"
type = list(string)
default = []
}
-variable "ecs_telemetry_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+variable "intra_subnets" {
+ description = "A list of intra subnets"
type = list(string)
default = []
}
-variable "ecs_telemetry_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint"
+variable "create_database_subnet_route_table" {
+ description = "Controls if separate route table for database should be created"
type = bool
default = false
}
-variable "enable_sns_endpoint" {
- description = "Should be true if you want to provision a SNS endpoint to the VPC"
+variable "create_redshift_subnet_route_table" {
+ description = "Controls if separate route table for redshift should be created"
type = bool
default = false
}
-variable "sns_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for SNS endpoint"
- type = list(string)
- default = []
-}
-
-variable "sns_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
-}
-
-variable "sns_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint"
+variable "enable_public_redshift" {
+ description = "Controls if redshift should have public routing table"
type = bool
default = false
}
-variable "enable_monitoring_endpoint" {
- description = "Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC"
+variable "create_elasticache_subnet_route_table" {
+ description = "Controls if separate route table for elasticache should be created"
type = bool
default = false
}
-variable "monitoring_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint"
- type = list(string)
- default = []
+variable "create_database_subnet_group" {
+ description = "Controls if database subnet group should be created (n.b. database_subnets must also be set)"
+ type = bool
+ default = true
}
-variable "monitoring_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
+variable "create_elasticache_subnet_group" {
+ description = "Controls if elasticache subnet group should be created"
+ type = bool
+ default = true
}
-variable "monitoring_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint"
+variable "create_redshift_subnet_group" {
+ description = "Controls if redshift subnet group should be created"
type = bool
- default = false
+ default = true
}
-variable "enable_elasticloadbalancing_endpoint" {
- description = "Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC"
+variable "create_database_internet_gateway_route" {
+ description = "Controls if an internet gateway route for public database access should be created"
type = bool
default = false
}
-variable "elasticloadbalancing_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint"
- type = list(string)
- default = []
+variable "create_database_nat_gateway_route" {
+ description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
+ type = bool
+ default = false
}
-variable "elasticloadbalancing_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+variable "azs" {
+ description = "A list of availability zones names or ids in the region"
type = list(string)
default = []
}
-variable "elasticloadbalancing_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint"
+variable "enable_dns_hostnames" {
+ description = "Should be true to enable DNS hostnames in the VPC"
type = bool
default = false
}
-variable "enable_events_endpoint" {
- description = "Should be true if you want to provision a CloudWatch Events endpoint to the VPC"
+variable "enable_dns_support" {
+ description = "Should be true to enable DNS support in the VPC"
type = bool
- default = false
+ default = true
}
-variable "events_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint"
- type = list(string)
- default = []
+variable "enable_classiclink" {
+ description = "Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic."
+ type = bool
+ default = null
}
-variable "events_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
+variable "enable_classiclink_dns_support" {
+ description = "Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic."
+ type = bool
+ default = null
}
-variable "events_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint"
+variable "enable_nat_gateway" {
+ description = "Should be true if you want to provision NAT Gateways for each of your private networks"
type = bool
default = false
}
-variable "enable_logs_endpoint" {
- description = "Should be true if you want to provision a CloudWatch Logs endpoint to the VPC"
+variable "single_nat_gateway" {
+ description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
type = bool
default = false
}
-variable "logs_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint"
- type = list(string)
- default = []
-}
-
-variable "logs_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
- type = list(string)
- default = []
-}
-
-variable "logs_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint"
+variable "one_nat_gateway_per_az" {
+ description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`."
type = bool
default = false
}
-variable "enable_cloudtrail_endpoint" {
- description = "Should be true if you want to provision a CloudTrail endpoint to the VPC"
+variable "reuse_nat_ips" {
+ description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
type = bool
default = false
}
-variable "cloudtrail_endpoint_security_group_ids" {
- description = "The ID of one or more security groups to associate with the network interface for CloudTrail endpoint"
+variable "external_nat_ip_ids" {
+ description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
type = list(string)
default = []
}
-variable "cloudtrail_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+variable "external_nat_ips" {
+ description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)"
type = list(string)
default = []
}
-variable "cloudtrail_endpoint_private_dns_enabled" {
- description = "Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint"
- type = bool
- default = false
-}
-
variable "map_public_ip_on_launch" {
description = "Should be false if you do not want to auto-assign public IP on launch"
type = bool
default = true
}
+variable "customer_gateways" {
+ description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
+ type = map(map(any))
+ default = {}
+}
+
variable "enable_vpn_gateway" {
description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
type = bool
@@ -660,14 +348,28 @@ variable "enable_vpn_gateway" {
variable "vpn_gateway_id" {
description = "ID of VPN Gateway to attach to the VPC"
+ type = string
default = ""
}
variable "amazon_side_asn" {
description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN."
+ type = string
default = "64512"
}
+variable "vpn_gateway_az" {
+ description = "The Availability Zone for the VPN Gateway"
+ type = string
+ default = null
+}
+
+variable "propagate_intra_route_tables_vgw" {
+ description = "Should be true if you want route table propagation"
+ type = bool
+ default = false
+}
+
variable "propagate_private_route_tables_vgw" {
description = "Should be true if you want route table propagation"
type = bool
@@ -680,6 +382,30 @@ variable "propagate_public_route_tables_vgw" {
default = false
}
+variable "manage_default_route_table" {
+ description = "Should be true to manage default route table"
+ type = bool
+ default = false
+}
+
+variable "default_route_table_propagating_vgws" {
+ description = "List of virtual gateways for propagation"
+ type = list(string)
+ default = []
+}
+
+variable "default_route_table_routes" {
+ description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route"
+ type = list(map(string))
+ default = []
+}
+
+variable "default_route_table_tags" {
+ description = "Additional tags for the default route table"
+ type = map(string)
+ default = {}
+}
+
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
@@ -710,6 +436,12 @@ variable "private_subnet_tags" {
default = {}
}
+variable "outpost_subnet_tags" {
+ description = "Additional tags for the outpost subnets"
+ type = map(string)
+ default = {}
+}
+
variable "public_route_table_tags" {
description = "Additional tags for the public route tables"
type = map(string)
@@ -746,6 +478,12 @@ variable "intra_route_table_tags" {
default = {}
}
+variable "database_subnet_group_name" {
+ description = "Name of database subnet group"
+ type = string
+ default = null
+}
+
variable "database_subnet_tags" {
description = "Additional tags for the database subnets"
type = map(string)
@@ -764,12 +502,30 @@ variable "redshift_subnet_tags" {
default = {}
}
+variable "redshift_subnet_group_name" {
+ description = "Name of redshift subnet group"
+ type = string
+ default = null
+}
+
variable "redshift_subnet_group_tags" {
description = "Additional tags for the redshift subnet group"
type = map(string)
default = {}
}
+variable "elasticache_subnet_group_name" {
+ description = "Name of elasticache subnet group"
+ type = string
+ default = null
+}
+
+variable "elasticache_subnet_group_tags" {
+ description = "Additional tags for the elasticache subnet group"
+ type = map(string)
+ default = {}
+}
+
variable "elasticache_subnet_tags" {
description = "Additional tags for the elasticache subnets"
type = map(string)
@@ -794,6 +550,12 @@ variable "private_acl_tags" {
default = {}
}
+variable "outpost_acl_tags" {
+ description = "Additional tags for the outpost subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
variable "intra_acl_tags" {
description = "Additional tags for the intra subnets network ACL"
type = map(string)
@@ -836,12 +598,30 @@ variable "nat_eip_tags" {
default = {}
}
+variable "customer_gateway_tags" {
+ description = "Additional tags for the Customer Gateway"
+ type = map(string)
+ default = {}
+}
+
variable "vpn_gateway_tags" {
description = "Additional tags for the VPN gateway"
type = map(string)
default = {}
}
+variable "vpc_flow_log_tags" {
+ description = "Additional tags for the VPC Flow Logs"
+ type = map(string)
+ default = {}
+}
+
+variable "vpc_flow_log_permissions_boundary" {
+ description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
+ type = string
+ default = null
+}
+
variable "enable_dhcp_options" {
description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type"
type = bool
@@ -944,6 +724,12 @@ variable "private_dedicated_network_acl" {
default = false
}
+variable "outpost_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets"
+ type = bool
+ default = false
+}
+
variable "intra_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
type = bool
@@ -1080,6 +866,38 @@ variable "private_outbound_acl_rules" {
]
}
+variable "outpost_inbound_acl_rules" {
+ description = "Outpost subnets inbound network ACLs"
+ type = list(map(string))
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "outpost_outbound_acl_rules" {
+ description = "Outpost subnets outbound network ACLs"
+ type = list(map(string))
+
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
variable "intra_inbound_acl_rules" {
description = "Intra subnets inbound network ACLs"
type = list(map(string))
@@ -1208,3 +1026,151 @@ variable "elasticache_outbound_acl_rules" {
]
}
+variable "manage_default_security_group" {
+ description = "Should be true to adopt and manage default security group"
+ type = bool
+ default = false
+}
+
+variable "default_security_group_name" {
+ description = "Name to be used on the default security group"
+ type = string
+ default = "default"
+}
+
+variable "default_security_group_ingress" {
+ description = "List of maps of ingress rules to set on the default security group"
+ type = list(map(string))
+ default = null
+}
+
+variable "enable_flow_log" {
+ description = "Whether or not to enable VPC Flow Logs"
+ type = bool
+ default = false
+}
+
+variable "default_security_group_egress" {
+ description = "List of maps of egress rules to set on the default security group"
+ type = list(map(string))
+ default = null
+}
+
+variable "default_security_group_tags" {
+ description = "Additional tags for the default security group"
+ type = map(string)
+ default = {}
+}
+
+variable "create_flow_log_cloudwatch_log_group" {
+ description = "Whether to create CloudWatch log group for VPC Flow Logs"
+ type = bool
+ default = false
+}
+
+variable "create_flow_log_cloudwatch_iam_role" {
+ description = "Whether to create IAM role for VPC Flow Logs"
+ type = bool
+ default = false
+}
+
+variable "flow_log_traffic_type" {
+ description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL."
+ type = string
+ default = "ALL"
+}
+
+variable "flow_log_destination_type" {
+ description = "Type of flow log destination. Can be s3 or cloud-watch-logs."
+ type = string
+ default = "cloud-watch-logs"
+}
+
+variable "flow_log_log_format" {
+ description = "The fields to include in the flow log record, in the order in which they should appear."
+ type = string
+ default = null
+}
+
+variable "flow_log_destination_arn" {
+ description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided."
+ type = string
+ default = ""
+}
+
+variable "flow_log_cloudwatch_iam_role_arn" {
+ description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided."
+ type = string
+ default = ""
+}
+
+variable "flow_log_cloudwatch_log_group_name_prefix" {
+ description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs."
+ type = string
+ default = "/aws/vpc-flow-log/"
+}
+
+variable "flow_log_cloudwatch_log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs."
+ type = number
+ default = null
+}
+
+variable "flow_log_cloudwatch_log_group_kms_key_id" {
+ description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs."
+ type = string
+ default = null
+}
+
+variable "flow_log_max_aggregation_interval" {
+ description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds."
+ type = number
+ default = 600
+}
+
+variable "create_igw" {
+ description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them."
+ type = bool
+ default = true
+}
+
+variable "create_egress_only_igw" {
+ description = "Controls if an Egress Only Internet Gateway is created and its related routes."
+ type = bool
+ default = true
+}
+
+variable "outpost_arn" {
+ description = "ARN of Outpost you want to create a subnet in."
+ type = string
+ default = null
+}
+
+variable "outpost_az" {
+ description = "AZ where Outpost is anchored."
+ type = string
+ default = null
+}
+
+variable "flow_log_file_format" {
+ description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`."
+ type = string
+ default = "plain-text"
+ validation {
+ condition = can(regex("^(plain-text|parquet)$",
+ var.flow_log_file_format))
+ error_message = "ERROR valid values: plain-text, parquet."
+ }
+}
+
+variable "flow_log_hive_compatible_partitions" {
+ description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3."
+ type = bool
+ default = false
+}
+
+variable "flow_log_per_hour_partition" {
+ description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries."
+ type = bool
+ default = false
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 000000000..a3612bfe2
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.42"
+ }
+ }
+}
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
new file mode 100644
index 000000000..89da1d88a
--- /dev/null
+++ b/vpc-flow-logs.tf
@@ -0,0 +1,103 @@
+locals {
+ # Only create flow log if user selected to create a VPC as well
+ enable_flow_log = var.create_vpc && var.enable_flow_log
+
+ create_flow_log_cloudwatch_iam_role = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_iam_role
+ create_flow_log_cloudwatch_log_group = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_log_group
+
+ flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? aws_cloudwatch_log_group.flow_log[0].arn : var.flow_log_destination_arn
+ flow_log_iam_role_arn = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? aws_iam_role.vpc_flow_log_cloudwatch[0].arn : var.flow_log_cloudwatch_iam_role_arn
+}
+
+################################################################################
+# Flow Log
+################################################################################
+
+resource "aws_flow_log" "this" {
+ count = local.enable_flow_log ? 1 : 0
+
+ log_destination_type = var.flow_log_destination_type
+ log_destination = local.flow_log_destination_arn
+ log_format = var.flow_log_log_format
+ iam_role_arn = local.flow_log_iam_role_arn
+ traffic_type = var.flow_log_traffic_type
+ vpc_id = local.vpc_id
+ max_aggregation_interval = var.flow_log_max_aggregation_interval
+
+ tags = merge(var.tags, var.vpc_flow_log_tags)
+}
+
+################################################################################
+# Flow Log CloudWatch
+################################################################################
+
+resource "aws_cloudwatch_log_group" "flow_log" {
+ count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
+
+ name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.vpc_id}"
+ retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
+ kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id
+
+ tags = merge(var.tags, var.vpc_flow_log_tags)
+}
+
+resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
+ count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
+
+ name_prefix = "vpc-flow-log-role-"
+ assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0].json
+ permissions_boundary = var.vpc_flow_log_permissions_boundary
+
+ tags = merge(var.tags, var.vpc_flow_log_tags)
+}
+
+data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
+ count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
+
+ statement {
+ sid = "AWSVPCFlowLogsAssumeRole"
+
+ principals {
+ type = "Service"
+ identifiers = ["vpc-flow-logs.amazonaws.com"]
+ }
+
+ effect = "Allow"
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
+ count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
+
+ role = aws_iam_role.vpc_flow_log_cloudwatch[0].name
+ policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch[0].arn
+}
+
+resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
+ count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
+
+ name_prefix = "vpc-flow-log-to-cloudwatch-"
+ policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0].json
+ tags = merge(var.tags, var.vpc_flow_log_tags)
+}
+
+data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
+ count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
+
+ statement {
+ sid = "AWSVPCFlowLogsPushToCloudWatch"
+
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ ]
+
+ resources = ["*"]
+ }
+}