diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d5886a6d3..071427d75 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 + rev: v1.77.1 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/README.md b/README.md index 58c201524..0232463c6 100644 --- a/README.md +++ b/README.md @@ -231,15 +231,17 @@ module "vpc_cidr_from_ipam" { ## Examples -- [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) -- [Simple VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks) -- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) with VPC Endpoints. -- [VPC with IPv6 enabled](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6) +- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete) with VPC Endpoints. +- [VPC using IPAM](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipam) +- [Dualstack IPv4/IPv6 VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6-dualstack) +- [IPv6 only subnets/VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6-only) +- [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc) - [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls) -- [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs) - [VPC with Outpost](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/outpost) -- [VPC CIDR from IPAM](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipam-vpc) -- [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc) +- [VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks) +- [VPC with unique route tables](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/separate-route-tables) +- [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple) +- [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs) - [Few tests and edge case examples](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issues) ## Contributing @@ -253,14 +255,14 @@ Full contributing [guidelines are covered here](.github/contributing.md). | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.73 | +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -352,38 +354,43 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no | -| [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no | +| [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN | `string` | `"64512"` | no | | [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no | -| [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"0.0.0.0/0"` | no | +| [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"10.0.0.0/16"` | no | | [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no | | [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no | | [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Controls if separate route table for database should be created | `bool` | `false` | no | -| [create\_egress\_only\_igw](#input\_create\_egress\_only\_igw) | Controls if an Egress Only Internet Gateway is created and its related routes. | `bool` | `true` | no | +| [create\_egress\_only\_igw](#input\_create\_egress\_only\_igw) | Controls if an Egress Only Internet Gateway is created and its related routes | `bool` | `true` | no | | [create\_elasticache\_subnet\_group](#input\_create\_elasticache\_subnet\_group) | Controls if elasticache subnet group should be created | `bool` | `true` | no | | [create\_elasticache\_subnet\_route\_table](#input\_create\_elasticache\_subnet\_route\_table) | Controls if separate route table for elasticache should be created | `bool` | `false` | no | | [create\_flow\_log\_cloudwatch\_iam\_role](#input\_create\_flow\_log\_cloudwatch\_iam\_role) | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no | | [create\_flow\_log\_cloudwatch\_log\_group](#input\_create\_flow\_log\_cloudwatch\_log\_group) | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no | -| [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. | `bool` | `true` | no | +| [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them | `bool` | `true` | no | | [create\_redshift\_subnet\_group](#input\_create\_redshift\_subnet\_group) | Controls if redshift subnet group should be created | `bool` | `true` | no | | [create\_redshift\_subnet\_route\_table](#input\_create\_redshift\_subnet\_route\_table) | Controls if separate route table for redshift should be created | `bool` | `false` | no | | [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no | | [customer\_gateway\_tags](#input\_customer\_gateway\_tags) | Additional tags for the Customer Gateway | `map(string)` | `{}` | no | | [customer\_gateways](#input\_customer\_gateways) | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | `map(map(any))` | `{}` | no | +| [customer\_owned\_ipv4\_pool](#input\_customer\_owned\_ipv4\_pool) | The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured | `string` | `null` | no | | [database\_acl\_tags](#input\_database\_acl\_tags) | Additional tags for the database subnets network ACL | `map(string)` | `{}` | no | | [database\_dedicated\_network\_acl](#input\_database\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for database subnets | `bool` | `false` | no | | [database\_inbound\_acl\_rules](#input\_database\_inbound\_acl\_rules) | Database subnets inbound network ACL rules | `list(map(string))` |
[| no | | [database\_outbound\_acl\_rules](#input\_database\_outbound\_acl\_rules) | Database subnets outbound network ACL rules | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [database\_route\_table\_tags](#input\_database\_route\_table\_tags) | Additional tags for the database route tables | `map(string)` | `{}` | no | -| [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [database\_subnet\_enable\_dns64](#input\_database\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [database\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_database\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [database\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_database\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | | [database\_subnet\_group\_name](#input\_database\_subnet\_group\_name) | Name of database subnet group | `string` | `null` | no | | [database\_subnet\_group\_tags](#input\_database\_subnet\_group\_tags) | Additional tags for the database subnet group | `map(string)` | `{}` | no | +| [database\_subnet\_ipv6\_native](#input\_database\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [database\_subnet\_ipv6\_prefixes](#input\_database\_subnet\_ipv6\_prefixes) | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [database\_subnet\_names](#input\_database\_subnet\_names) | Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [database\_subnet\_names](#input\_database\_subnet\_names) | Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [database\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_database\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [database\_subnet\_suffix](#input\_database\_subnet\_suffix) | Suffix to append to database subnets name | `string` | `"db"` | no | | [database\_subnet\_tags](#input\_database\_subnet\_tags) | Additional tags for the database subnets | `map(string)` | `{}` | no | -| [database\_subnets](#input\_database\_subnets) | A list of database subnets | `list(string)` | `[]` | no | +| [database\_subnets](#input\_database\_subnets) | A list of database subnets inside the VPC | `list(string)` | `[]` | no | | [default\_network\_acl\_egress](#input\_default\_network\_acl\_egress) | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` |
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
[| no | | [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name to be used on the Default Network ACL | `string` | `null` | no | @@ -396,8 +403,7 @@ No modules. | [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no | | [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name to be used on the default security group | `string` | `null` | no | | [default\_security\_group\_tags](#input\_default\_security\_group\_tags) | Additional tags for the default security group | `map(string)` | `{}` | no | -| [default\_vpc\_enable\_classiclink](#input\_default\_vpc\_enable\_classiclink) | [DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink in the Default VPC | `bool` | `false` | no | -| [default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `false` | no | +| [default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `true` | no | | [default\_vpc\_enable\_dns\_support](#input\_default\_vpc\_enable\_dns\_support) | Should be true to enable DNS support in the Default VPC | `bool` | `true` | no | | [default\_vpc\_name](#input\_default\_vpc\_name) | Name to be used on the Default VPC | `string` | `null` | no | | [default\_vpc\_tags](#input\_default\_vpc\_tags) | Additional tags for the Default VPC | `map(string)` | `{}` | no | @@ -412,39 +418,43 @@ No modules. | [elasticache\_inbound\_acl\_rules](#input\_elasticache\_inbound\_acl\_rules) | Elasticache subnets inbound network ACL rules | `list(map(string))` |
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
[| no | | [elasticache\_outbound\_acl\_rules](#input\_elasticache\_outbound\_acl\_rules) | Elasticache subnets outbound network ACL rules | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [elasticache\_route\_table\_tags](#input\_elasticache\_route\_table\_tags) | Additional tags for the elasticache route tables | `map(string)` | `{}` | no | -| [elasticache\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_elasticache\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [elasticache\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_elasticache\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [elasticache\_subnet\_enable\_dns64](#input\_elasticache\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [elasticache\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_elasticache\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [elasticache\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_elasticache\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | | [elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Name of elasticache subnet group | `string` | `null` | no | | [elasticache\_subnet\_group\_tags](#input\_elasticache\_subnet\_group\_tags) | Additional tags for the elasticache subnet group | `map(string)` | `{}` | no | +| [elasticache\_subnet\_ipv6\_native](#input\_elasticache\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [elasticache\_subnet\_ipv6\_prefixes](#input\_elasticache\_subnet\_ipv6\_prefixes) | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [elasticache\_subnet\_names](#input\_elasticache\_subnet\_names) | Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [elasticache\_subnet\_names](#input\_elasticache\_subnet\_names) | Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [elasticache\_subnet\_suffix](#input\_elasticache\_subnet\_suffix) | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no | | [elasticache\_subnet\_tags](#input\_elasticache\_subnet\_tags) | Additional tags for the elasticache subnets | `map(string)` | `{}` | no | -| [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets | `list(string)` | `[]` | no | -| [enable\_classiclink](#input\_enable\_classiclink) | [DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no | -| [enable\_classiclink\_dns\_support](#input\_enable\_classiclink\_dns\_support) | [DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no | +| [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets inside the VPC | `list(string)` | `[]` | no | | [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no | -| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `false` | no | +| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `true` | no | | [enable\_dns\_support](#input\_enable\_dns\_support) | Should be true to enable DNS support in the VPC | `bool` | `true` | no | | [enable\_flow\_log](#input\_enable\_flow\_log) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no | -| [enable\_ipv6](#input\_enable\_ipv6) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no | +| [enable\_ipv6](#input\_enable\_ipv6) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | `bool` | `false` | no | | [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no | +| [enable\_network\_address\_usage\_metrics](#input\_enable\_network\_address\_usage\_metrics) | Determines whether network address usage metrics are enabled for the VPC | `bool` | `null` | no | | [enable\_public\_redshift](#input\_enable\_public\_redshift) | Controls if redshift should have public routing table | `bool` | `false` | no | | [enable\_vpn\_gateway](#input\_enable\_vpn\_gateway) | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no | | [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no | | [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no | -| [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | `string` | `""` | no | -| [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs. | `string` | `null` | no | -| [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs. | `string` | `"/aws/vpc-flow-log/"` | no | -| [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs. | `string` | `""` | no | -| [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no | -| [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided. | `string` | `""` | no | -| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs. | `string` | `"cloud-watch-logs"` | no | -| [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet`. | `string` | `"plain-text"` | no | -| [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. | `bool` | `false` | no | -| [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear. | `string` | `null` | no | -| [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `600` | no | -| [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. | `bool` | `false` | no | -| [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | `string` | `"ALL"` | no | +| [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no | +| [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no | +| [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no | +| [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no | +| [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no | +| [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no | +| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | +| [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no | +| [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no | +| [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no | +| [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds | `number` | `600` | no | +| [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | `bool` | `false` | no | +| [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no | | [igw\_tags](#input\_igw\_tags) | Additional tags for the internet gateway | `map(string)` | `{}` | no | | [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no | | [intra\_acl\_tags](#input\_intra\_acl\_tags) | Additional tags for the intra subnets network ACL | `map(string)` | `{}` | no | @@ -452,36 +462,48 @@ No modules. | [intra\_inbound\_acl\_rules](#input\_intra\_inbound\_acl\_rules) | Intra subnets inbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [intra\_outbound\_acl\_rules](#input\_intra\_outbound\_acl\_rules) | Intra subnets outbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [intra\_route\_table\_tags](#input\_intra\_route\_table\_tags) | Additional tags for the intra route tables | `map(string)` | `{}` | no | -| [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [intra\_subnet\_enable\_dns64](#input\_intra\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [intra\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_intra\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [intra\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_intra\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | +| [intra\_subnet\_ipv6\_native](#input\_intra\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [intra\_subnet\_ipv6\_prefixes](#input\_intra\_subnet\_ipv6\_prefixes) | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [intra\_subnet\_names](#input\_intra\_subnet\_names) | Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [intra\_subnet\_names](#input\_intra\_subnet\_names) | Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [intra\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_intra\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no | | [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no | -| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | -| [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `null` | no | -| [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id. | `number` | `null` | no | -| [ipv6\_cidr](#input\_ipv6\_cidr) | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. | `string` | `null` | no | -| [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. | `string` | `null` | no | -| [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`. | `number` | `null` | no | -| [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no | -| [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no | -| [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no | +| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets inside the VPC | `list(string)` | `[]` | no | +| [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR | `string` | `null` | no | +| [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id | `number` | `null` | no | +| [ipv6\_cidr](#input\_ipv6\_cidr) | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length` | `string` | `null` | no | +| [ipv6\_cidr\_block\_network\_border\_group](#input\_ipv6\_cidr\_block\_network\_border\_group) | By default when an IPv6 CIDR is assigned to a VPC a default ipv6\_cidr\_block\_network\_border\_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones | `string` | `null` | no | +| [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block` | `string` | `null` | no | +| [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56` | `number` | `null` | no | +| [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `true` | no | +| [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `true` | no | +| [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `true` | no | | [manage\_default\_vpc](#input\_manage\_default\_vpc) | Should be true to adopt and manage Default VPC | `bool` | `false` | no | -| [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Should be false if you do not want to auto-assign public IP on launch | `bool` | `true` | no | +| [map\_customer\_owned\_ip\_on\_launch](#input\_map\_customer\_owned\_ip\_on\_launch) | Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. Default is `false` | `bool` | `false` | no | +| [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false` | `bool` | `false` | no | | [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no | | [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no | -| [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route. | `string` | `"0.0.0.0/0"` | no | +| [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route | `string` | `"0.0.0.0/0"` | no | | [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no | -| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | `bool` | `false` | no | +| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs` | `bool` | `false` | no | | [outpost\_acl\_tags](#input\_outpost\_acl\_tags) | Additional tags for the outpost subnets network ACL | `map(string)` | `{}` | no | -| [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in. | `string` | `null` | no | -| [outpost\_az](#input\_outpost\_az) | AZ where Outpost is anchored. | `string` | `null` | no | +| [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in | `string` | `null` | no | +| [outpost\_az](#input\_outpost\_az) | AZ where Outpost is anchored | `string` | `null` | no | | [outpost\_dedicated\_network\_acl](#input\_outpost\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for outpost subnets | `bool` | `false` | no | | [outpost\_inbound\_acl\_rules](#input\_outpost\_inbound\_acl\_rules) | Outpost subnets inbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [outpost\_outbound\_acl\_rules](#input\_outpost\_outbound\_acl\_rules) | Outpost subnets outbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | -| [outpost\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_outpost\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [outpost\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_outpost\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [outpost\_subnet\_enable\_dns64](#input\_outpost\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [outpost\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_outpost\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [outpost\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_outpost\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | +| [outpost\_subnet\_ipv6\_native](#input\_outpost\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [outpost\_subnet\_ipv6\_prefixes](#input\_outpost\_subnet\_ipv6\_prefixes) | Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [outpost\_subnet\_names](#input\_outpost\_subnet\_names) | Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [outpost\_subnet\_names](#input\_outpost\_subnet\_names) | Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [outpost\_subnet\_suffix](#input\_outpost\_subnet\_suffix) | Suffix to append to outpost subnets name | `string` | `"outpost"` | no | | [outpost\_subnet\_tags](#input\_outpost\_subnet\_tags) | Additional tags for the outpost subnets | `map(string)` | `{}` | no | | [outpost\_subnets](#input\_outpost\_subnets) | A list of outpost subnets inside the VPC | `list(string)` | `[]` | no | @@ -490,9 +512,14 @@ No modules. | [private\_inbound\_acl\_rules](#input\_private\_inbound\_acl\_rules) | Private subnets inbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [private\_outbound\_acl\_rules](#input\_private\_outbound\_acl\_rules) | Private subnets outbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [private\_route\_table\_tags](#input\_private\_route\_table\_tags) | Additional tags for the private route tables | `map(string)` | `{}` | no | -| [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [private\_subnet\_enable\_dns64](#input\_private\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [private\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_private\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | +| [private\_subnet\_ipv6\_native](#input\_private\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [private\_subnet\_ipv6\_prefixes](#input\_private\_subnet\_ipv6\_prefixes) | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [private\_subnet\_names](#input\_private\_subnet\_names) | Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [private\_subnet\_names](#input\_private\_subnet\_names) | Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [private\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_private\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [private\_subnet\_suffix](#input\_private\_subnet\_suffix) | Suffix to append to private subnets name | `string` | `"private"` | no | | [private\_subnet\_tags](#input\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no | | [private\_subnet\_tags\_per\_az](#input\_private\_subnet\_tags\_per\_az) | Additional tags for the private subnets where the primary key is the AZ | `map(map(string))` | `{}` | no | @@ -505,9 +532,14 @@ No modules. | [public\_inbound\_acl\_rules](#input\_public\_inbound\_acl\_rules) | Public subnets inbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [public\_outbound\_acl\_rules](#input\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [public\_route\_table\_tags](#input\_public\_route\_table\_tags) | Additional tags for the public route tables | `map(string)` | `{}` | no | -| [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [public\_subnet\_enable\_dns64](#input\_public\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [public\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_public\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [public\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_public\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | +| [public\_subnet\_ipv6\_native](#input\_public\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [public\_subnet\_ipv6\_prefixes](#input\_public\_subnet\_ipv6\_prefixes) | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [public\_subnet\_names](#input\_public\_subnet\_names) | Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [public\_subnet\_names](#input\_public\_subnet\_names) | Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [public\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_public\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [public\_subnet\_suffix](#input\_public\_subnet\_suffix) | Suffix to append to public subnets name | `string` | `"public"` | no | | [public\_subnet\_tags](#input\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no | | [public\_subnet\_tags\_per\_az](#input\_public\_subnet\_tags\_per\_az) | Additional tags for the public subnets where the primary key is the AZ | `map(map(string))` | `{}` | no | @@ -518,14 +550,19 @@ No modules. | [redshift\_inbound\_acl\_rules](#input\_redshift\_inbound\_acl\_rules) | Redshift subnets inbound network ACL rules | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [redshift\_outbound\_acl\_rules](#input\_redshift\_outbound\_acl\_rules) | Redshift subnets outbound network ACL rules | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no | | [redshift\_route\_table\_tags](#input\_redshift\_route\_table\_tags) | Additional tags for the redshift route tables | `map(string)` | `{}` | no | -| [redshift\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_redshift\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | +| [redshift\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_redshift\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no | +| [redshift\_subnet\_enable\_dns64](#input\_redshift\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no | +| [redshift\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_redshift\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no | +| [redshift\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_redshift\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no | | [redshift\_subnet\_group\_name](#input\_redshift\_subnet\_group\_name) | Name of redshift subnet group | `string` | `null` | no | | [redshift\_subnet\_group\_tags](#input\_redshift\_subnet\_group\_tags) | Additional tags for the redshift subnet group | `map(string)` | `{}` | no | +| [redshift\_subnet\_ipv6\_native](#input\_redshift\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no | | [redshift\_subnet\_ipv6\_prefixes](#input\_redshift\_subnet\_ipv6\_prefixes) | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no | -| [redshift\_subnet\_names](#input\_redshift\_subnet\_names) | Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no | +| [redshift\_subnet\_names](#input\_redshift\_subnet\_names) | Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated | `list(string)` | `[]` | no | +| [redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no | | [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no | | [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no | -| [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets | `list(string)` | `[]` | no | +| [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets inside the VPC | `list(string)` | `[]` | no | | [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no | | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no | | [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md new file mode 100644 index 000000000..abf1e2a2b --- /dev/null +++ b/UPGRADE-4.0.md @@ -0,0 +1,66 @@ +# Upgrade from v3.x to v4.x + +If you have any questions regarding this upgrade process, please consult the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/) directory: + +If you find a bug, please open an issue with supporting configuration to reproduce. + +## List of backwards incompatible changes + +- The minimum required Terraform version is now 1.0 +- The minimum required AWS provider version is now 4.x (4.35.0 at time of writing) +- `assign_ipv6_address_on_creation` has been removed; use the respective subnet type equivalent instead (i.e. - `public_subnet_assign_ipv6_address_on_creation`) +- `enable_classiclink` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730 +- `enable_classiclink_dns_support` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730 + +## Additional changes + +### Modified + +- `map_public_ip_on_launch` now defaults to `false` +- `enable_dns_hostnames` now defaults to `true` +- `enable_dns_support` now defaults to `true` +- `manage_default_security_group` now defaults to `true` +- `manage_default_route_table` now defaults to `true` +- `manage_default_network_acl` now defaults to `true` +- The default name for the default security group, route table, and network ACL has changed to fallback to append `-default` to the VPC name if a specific name is not provided +- The default fallback value for outputs has changed from an empty string to `null` + +### Variable and output changes + +1. Removed variables: + + - `assign_ipv6_address_on_creation` has been removed; use the respective subnet type equivalent instead (i.e. - `public_subnet_assign_ipv6_address_on_creation`) + - `enable_classiclink` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730 + - `enable_classiclink_dns_support` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730 + +2. Renamed variables: + + - None + +3. Added variables: + + - VPC + - `ipv6_cidr_block_network_border_group` + - `enable_network_address_usage_metrics` + - Subnets + - `*_subnet_enable_dns64` for each subnet type + - `*_subnet_enable_resource_name_dns_aaaa_record_on_launch` for each subnet type + - `*_subnet_enable_resource_name_dns_a_record_on_launch` for each subnet type + - `*_subnet_ipv6_native` for each subnet type + - `*_subnet_private_dns_hostname_type_on_launch` for each subnet type + +4. Removed outputs: + + - None + +5. Renamed outputs: + + - None + +6. Added outputs: + + - None + +### State Changes + +None diff --git a/examples/complete-vpc/README.md b/examples/complete/README.md similarity index 98% rename from examples/complete-vpc/README.md rename to examples/complete/README.md index a2f01eec1..ff1b25d3f 100644 --- a/examples/complete-vpc/README.md +++ b/examples/complete/README.md @@ -21,14 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.73 | +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -43,6 +43,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Type | |------|------| | [aws_security_group.vpc_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | diff --git a/examples/complete-vpc/main.tf b/examples/complete/main.tf similarity index 86% rename from examples/complete-vpc/main.tf rename to examples/complete/main.tf index 9c2ebc74d..3a629d3ac 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete/main.tf @@ -2,10 +2,15 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-vpc" @@ -21,15 +26,15 @@ module "vpc" { source = "../../" name = local.name - cidr = "10.0.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"] - database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"] - elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24", "10.0.33.0/24"] - redshift_subnets = ["10.0.41.0/24", "10.0.42.0/24", "10.0.43.0/24"] - intra_subnets = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)] + elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 12)] + redshift_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 16)] + intra_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)] private_subnet_names = ["Private Subnet One", "Private Subnet Two"] # public_subnet_names omitted to show default name generation for all three subnets @@ -38,16 +43,10 @@ module "vpc" { redshift_subnet_names = ["Redshift Subnet One", "Redshift Subnet Two", "Redshift Subnet Three"] intra_subnet_names = [] - create_database_subnet_group = false - - manage_default_network_acl = true - default_network_acl_tags = { Name = "${local.name}-default" } - - manage_default_route_table = true - default_route_table_tags = { Name = "${local.name}-default" } - - manage_default_security_group = true - default_security_group_tags = { Name = "${local.name}-default" } + create_database_subnet_group = false + manage_default_network_acl = false + manage_default_route_table = false + manage_default_security_group = false enable_dns_hostnames = true enable_dns_support = true diff --git a/examples/complete-vpc/outputs.tf b/examples/complete/outputs.tf similarity index 100% rename from examples/complete-vpc/outputs.tf rename to examples/complete/outputs.tf diff --git a/examples/complete-vpc/variables.tf b/examples/complete/variables.tf similarity index 100% rename from examples/complete-vpc/variables.tf rename to examples/complete/variables.tf diff --git a/examples/ipam-vpc/versions.tf b/examples/complete/versions.tf similarity index 60% rename from examples/ipam-vpc/versions.tf rename to examples/complete/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/ipam-vpc/versions.tf +++ b/examples/complete/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/ipam-vpc/README.md b/examples/ipam/README.md similarity index 98% rename from examples/ipam-vpc/README.md rename to examples/ipam/README.md index 78cf09ad4..1ebc7eb55 100644 --- a/examples/ipam-vpc/README.md +++ b/examples/ipam/README.md @@ -29,14 +29,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.73 | +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -54,6 +54,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP | [aws_vpc_ipam_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource | | [aws_vpc_ipam_pool_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource | | [aws_vpc_ipam_preview_next_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_preview_next_cidr) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/ipam-vpc/main.tf b/examples/ipam/main.tf similarity index 96% rename from examples/ipam-vpc/main.tf rename to examples/ipam/main.tf index 898304583..d43851202 100644 --- a/examples/ipam-vpc/main.tf +++ b/examples/ipam/main.tf @@ -2,11 +2,13 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + azs = slice(data.aws_availability_zones.available.names, 0, 3) preview_partition = cidrsubnets(aws_vpc_ipam_preview_next_cidr.this.cidr, 2, 2, 2) tags = { diff --git a/examples/ipam-vpc/outputs.tf b/examples/ipam/outputs.tf similarity index 100% rename from examples/ipam-vpc/outputs.tf rename to examples/ipam/outputs.tf diff --git a/examples/ipam-vpc/variables.tf b/examples/ipam/variables.tf similarity index 100% rename from examples/ipam-vpc/variables.tf rename to examples/ipam/variables.tf diff --git a/examples/ipv6/versions.tf b/examples/ipam/versions.tf similarity index 60% rename from examples/ipv6/versions.tf rename to examples/ipam/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/ipv6/versions.tf +++ b/examples/ipam/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/ipv6/README.md b/examples/ipv6-dualstack/README.md similarity index 97% rename from examples/ipv6/README.md rename to examples/ipv6-dualstack/README.md index 318fc4d40..942a71cb5 100644 --- a/examples/ipv6/README.md +++ b/examples/ipv6-dualstack/README.md @@ -19,12 +19,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -34,7 +36,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/ipv6-dualstack/main.tf b/examples/ipv6-dualstack/main.tf new file mode 100644 index 000000000..b6a1cb4c4 --- /dev/null +++ b/examples/ipv6-dualstack/main.tf @@ -0,0 +1,49 @@ +provider "aws" { + region = local.region +} + +data "aws_availability_zones" "available" {} + +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" + + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + tags = { + Example = local.name + GithubRepo = "terraform-aws-vpc" + GithubOrg = "terraform-aws-modules" + } +} + +################################################################################ +# VPC Module +################################################################################ + +module "vpc" { + source = "../.." + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)] + + enable_nat_gateway = false + + create_database_subnet_route_table = true + create_database_internet_gateway_route = true + + enable_ipv6 = true + public_subnet_assign_ipv6_address_on_creation = true + + public_subnet_ipv6_prefixes = [0, 1, 2] + private_subnet_ipv6_prefixes = [3, 4, 5] + database_subnet_ipv6_prefixes = [6, 7, 8] + + tags = local.tags +} diff --git a/examples/ipv6/outputs.tf b/examples/ipv6-dualstack/outputs.tf similarity index 100% rename from examples/ipv6/outputs.tf rename to examples/ipv6-dualstack/outputs.tf diff --git a/examples/ipv6/variables.tf b/examples/ipv6-dualstack/variables.tf similarity index 100% rename from examples/ipv6/variables.tf rename to examples/ipv6-dualstack/variables.tf diff --git a/examples/complete-vpc/versions.tf b/examples/ipv6-dualstack/versions.tf similarity index 60% rename from examples/complete-vpc/versions.tf rename to examples/ipv6-dualstack/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/complete-vpc/versions.tf +++ b/examples/ipv6-dualstack/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/ipv6-only/README.md b/examples/ipv6-only/README.md new file mode 100644 index 000000000..1ce72714b --- /dev/null +++ b/examples/ipv6-only/README.md @@ -0,0 +1,158 @@ +# IPv6 Only VPC + +Configuration in this directory creates set of VPC resources with IPv6 only enabled on VPC and subnets. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [vpc](#module\_vpc) | ../.. | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [cgw\_arns](#output\_cgw\_arns) | List of ARNs of Customer Gateway | +| [cgw\_ids](#output\_cgw\_ids) | List of IDs of Customer Gateway | +| [database\_internet\_gateway\_route\_id](#output\_database\_internet\_gateway\_route\_id) | ID of the database internet gateway route | +| [database\_ipv6\_egress\_route\_id](#output\_database\_ipv6\_egress\_route\_id) | ID of the database IPv6 egress route | +| [database\_nat\_gateway\_route\_ids](#output\_database\_nat\_gateway\_route\_ids) | List of IDs of the database nat gateway route | +| [database\_network\_acl\_arn](#output\_database\_network\_acl\_arn) | ARN of the database network ACL | +| [database\_network\_acl\_id](#output\_database\_network\_acl\_id) | ID of the database network ACL | +| [database\_route\_table\_association\_ids](#output\_database\_route\_table\_association\_ids) | List of IDs of the database route table association | +| [database\_route\_table\_ids](#output\_database\_route\_table\_ids) | List of IDs of database route tables | +| [database\_subnet\_arns](#output\_database\_subnet\_arns) | List of ARNs of database subnets | +| [database\_subnet\_group](#output\_database\_subnet\_group) | ID of database subnet group | +| [database\_subnet\_group\_name](#output\_database\_subnet\_group\_name) | Name of database subnet group | +| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | +| [database\_subnets\_cidr\_blocks](#output\_database\_subnets\_cidr\_blocks) | List of cidr\_blocks of database subnets | +| [database\_subnets\_ipv6\_cidr\_blocks](#output\_database\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of database subnets in an IPv6 enabled VPC | +| [default\_network\_acl\_id](#output\_default\_network\_acl\_id) | The ID of the default network ACL | +| [default\_route\_table\_id](#output\_default\_route\_table\_id) | The ID of the default route table | +| [default\_security\_group\_id](#output\_default\_security\_group\_id) | The ID of the security group created by default on VPC creation | +| [default\_vpc\_arn](#output\_default\_vpc\_arn) | The ARN of the Default VPC | +| [default\_vpc\_cidr\_block](#output\_default\_vpc\_cidr\_block) | The CIDR block of the Default VPC | +| [default\_vpc\_default\_network\_acl\_id](#output\_default\_vpc\_default\_network\_acl\_id) | The ID of the default network ACL of the Default VPC | +| [default\_vpc\_default\_route\_table\_id](#output\_default\_vpc\_default\_route\_table\_id) | The ID of the default route table of the Default VPC | +| [default\_vpc\_default\_security\_group\_id](#output\_default\_vpc\_default\_security\_group\_id) | The ID of the security group created by default on Default VPC creation | +| [default\_vpc\_enable\_dns\_hostnames](#output\_default\_vpc\_enable\_dns\_hostnames) | Whether or not the Default VPC has DNS hostname support | +| [default\_vpc\_enable\_dns\_support](#output\_default\_vpc\_enable\_dns\_support) | Whether or not the Default VPC has DNS support | +| [default\_vpc\_id](#output\_default\_vpc\_id) | The ID of the Default VPC | +| [default\_vpc\_instance\_tenancy](#output\_default\_vpc\_instance\_tenancy) | Tenancy of instances spin up within Default VPC | +| [default\_vpc\_main\_route\_table\_id](#output\_default\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with the Default VPC | +| [dhcp\_options\_id](#output\_dhcp\_options\_id) | The ID of the DHCP options | +| [egress\_only\_internet\_gateway\_id](#output\_egress\_only\_internet\_gateway\_id) | The ID of the egress only Internet Gateway | +| [elasticache\_network\_acl\_arn](#output\_elasticache\_network\_acl\_arn) | ARN of the elasticache network ACL | +| [elasticache\_network\_acl\_id](#output\_elasticache\_network\_acl\_id) | ID of the elasticache network ACL | +| [elasticache\_route\_table\_association\_ids](#output\_elasticache\_route\_table\_association\_ids) | List of IDs of the elasticache route table association | +| [elasticache\_route\_table\_ids](#output\_elasticache\_route\_table\_ids) | List of IDs of elasticache route tables | +| [elasticache\_subnet\_arns](#output\_elasticache\_subnet\_arns) | List of ARNs of elasticache subnets | +| [elasticache\_subnet\_group](#output\_elasticache\_subnet\_group) | ID of elasticache subnet group | +| [elasticache\_subnet\_group\_name](#output\_elasticache\_subnet\_group\_name) | Name of elasticache subnet group | +| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets | +| [elasticache\_subnets\_cidr\_blocks](#output\_elasticache\_subnets\_cidr\_blocks) | List of cidr\_blocks of elasticache subnets | +| [elasticache\_subnets\_ipv6\_cidr\_blocks](#output\_elasticache\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of elasticache subnets in an IPv6 enabled VPC | +| [igw\_arn](#output\_igw\_arn) | The ARN of the Internet Gateway | +| [igw\_id](#output\_igw\_id) | The ID of the Internet Gateway | +| [intra\_network\_acl\_arn](#output\_intra\_network\_acl\_arn) | ARN of the intra network ACL | +| [intra\_network\_acl\_id](#output\_intra\_network\_acl\_id) | ID of the intra network ACL | +| [intra\_route\_table\_association\_ids](#output\_intra\_route\_table\_association\_ids) | List of IDs of the intra route table association | +| [intra\_route\_table\_ids](#output\_intra\_route\_table\_ids) | List of IDs of intra route tables | +| [intra\_subnet\_arns](#output\_intra\_subnet\_arns) | List of ARNs of intra subnets | +| [intra\_subnets](#output\_intra\_subnets) | List of IDs of intra subnets | +| [intra\_subnets\_cidr\_blocks](#output\_intra\_subnets\_cidr\_blocks) | List of cidr\_blocks of intra subnets | +| [intra\_subnets\_ipv6\_cidr\_blocks](#output\_intra\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of intra subnets in an IPv6 enabled VPC | +| [nat\_ids](#output\_nat\_ids) | List of allocation ID of Elastic IPs created for AWS NAT Gateway | +| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | +| [natgw\_ids](#output\_natgw\_ids) | List of NAT Gateway IDs | +| [outpost\_network\_acl\_arn](#output\_outpost\_network\_acl\_arn) | ARN of the outpost network ACL | +| [outpost\_network\_acl\_id](#output\_outpost\_network\_acl\_id) | ID of the outpost network ACL | +| [outpost\_subnet\_arns](#output\_outpost\_subnet\_arns) | List of ARNs of outpost subnets | +| [outpost\_subnets](#output\_outpost\_subnets) | List of IDs of outpost subnets | +| [outpost\_subnets\_cidr\_blocks](#output\_outpost\_subnets\_cidr\_blocks) | List of cidr\_blocks of outpost subnets | +| [outpost\_subnets\_ipv6\_cidr\_blocks](#output\_outpost\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of outpost subnets in an IPv6 enabled VPC | +| [private\_ipv6\_egress\_route\_ids](#output\_private\_ipv6\_egress\_route\_ids) | List of IDs of the ipv6 egress route | +| [private\_nat\_gateway\_route\_ids](#output\_private\_nat\_gateway\_route\_ids) | List of IDs of the private nat gateway route | +| [private\_network\_acl\_arn](#output\_private\_network\_acl\_arn) | ARN of the private network ACL | +| [private\_network\_acl\_id](#output\_private\_network\_acl\_id) | ID of the private network ACL | +| [private\_route\_table\_association\_ids](#output\_private\_route\_table\_association\_ids) | List of IDs of the private route table association | +| [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | List of IDs of private route tables | +| [private\_subnet\_arns](#output\_private\_subnet\_arns) | List of ARNs of private subnets | +| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | +| [private\_subnets\_cidr\_blocks](#output\_private\_subnets\_cidr\_blocks) | List of cidr\_blocks of private subnets | +| [private\_subnets\_ipv6\_cidr\_blocks](#output\_private\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of private subnets in an IPv6 enabled VPC | +| [public\_internet\_gateway\_ipv6\_route\_id](#output\_public\_internet\_gateway\_ipv6\_route\_id) | ID of the IPv6 internet gateway route | +| [public\_internet\_gateway\_route\_id](#output\_public\_internet\_gateway\_route\_id) | ID of the internet gateway route | +| [public\_network\_acl\_arn](#output\_public\_network\_acl\_arn) | ARN of the public network ACL | +| [public\_network\_acl\_id](#output\_public\_network\_acl\_id) | ID of the public network ACL | +| [public\_route\_table\_association\_ids](#output\_public\_route\_table\_association\_ids) | List of IDs of the public route table association | +| [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | List of IDs of public route tables | +| [public\_subnet\_arns](#output\_public\_subnet\_arns) | List of ARNs of public subnets | +| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | +| [public\_subnets\_cidr\_blocks](#output\_public\_subnets\_cidr\_blocks) | List of cidr\_blocks of public subnets | +| [public\_subnets\_ipv6\_cidr\_blocks](#output\_public\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of public subnets in an IPv6 enabled VPC | +| [redshift\_network\_acl\_arn](#output\_redshift\_network\_acl\_arn) | ARN of the redshift network ACL | +| [redshift\_network\_acl\_id](#output\_redshift\_network\_acl\_id) | ID of the redshift network ACL | +| [redshift\_public\_route\_table\_association\_ids](#output\_redshift\_public\_route\_table\_association\_ids) | List of IDs of the public redshift route table association | +| [redshift\_route\_table\_association\_ids](#output\_redshift\_route\_table\_association\_ids) | List of IDs of the redshift route table association | +| [redshift\_route\_table\_ids](#output\_redshift\_route\_table\_ids) | List of IDs of redshift route tables | +| [redshift\_subnet\_arns](#output\_redshift\_subnet\_arns) | List of ARNs of redshift subnets | +| [redshift\_subnet\_group](#output\_redshift\_subnet\_group) | ID of redshift subnet group | +| [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets | +| [redshift\_subnets\_cidr\_blocks](#output\_redshift\_subnets\_cidr\_blocks) | List of cidr\_blocks of redshift subnets | +| [redshift\_subnets\_ipv6\_cidr\_blocks](#output\_redshift\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of redshift subnets in an IPv6 enabled VPC | +| [this\_customer\_gateway](#output\_this\_customer\_gateway) | Map of Customer Gateway attributes | +| [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway | +| [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway | +| [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC | +| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC | +| [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support | +| [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support | +| [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group | +| [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs | +| [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs | +| [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource | +| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | +| [vpc\_instance\_tenancy](#output\_vpc\_instance\_tenancy) | Tenancy of instances spin up within VPC | +| [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block | +| [vpc\_ipv6\_cidr\_block](#output\_vpc\_ipv6\_cidr\_block) | The IPv6 CIDR block | +| [vpc\_main\_route\_table\_id](#output\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with this VPC | +| [vpc\_owner\_id](#output\_vpc\_owner\_id) | The ID of the AWS account that owns the VPC | +| [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC | + diff --git a/examples/ipv6-only/main.tf b/examples/ipv6-only/main.tf new file mode 100644 index 000000000..ba737316d --- /dev/null +++ b/examples/ipv6-only/main.tf @@ -0,0 +1,43 @@ +provider "aws" { + region = local.region +} + +data "aws_availability_zones" "available" {} + +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" + + tags = { + Example = local.name + GithubRepo = "terraform-aws-vpc" + GithubOrg = "terraform-aws-modules" + } +} + +################################################################################ +# VPC Module +################################################################################ + +module "vpc" { + source = "../.." + + name = local.name + + azs = slice(data.aws_availability_zones.available.names, 0, 3) + enable_ipv6 = true + + public_subnet_ipv6_native = true + public_subnet_ipv6_prefixes = [0, 1, 2] + private_subnet_ipv6_native = true + private_subnet_ipv6_prefixes = [3, 4, 5] + + # RDS currently only supports dual-stack so IPv4 CIDRs will need to be provided for subnets + # database_subnet_ipv6_native = true + # database_subnet_ipv6_prefixes = [6, 7, 8] + + enable_nat_gateway = false + create_egress_only_igw = true + + tags = local.tags +} diff --git a/examples/simple-vpc/outputs.tf b/examples/ipv6-only/outputs.tf similarity index 100% rename from examples/simple-vpc/outputs.tf rename to examples/ipv6-only/outputs.tf diff --git a/examples/simple-vpc/variables.tf b/examples/ipv6-only/variables.tf similarity index 100% rename from examples/simple-vpc/variables.tf rename to examples/ipv6-only/variables.tf diff --git a/examples/simple-vpc/versions.tf b/examples/ipv6-only/versions.tf similarity index 60% rename from examples/simple-vpc/versions.tf rename to examples/ipv6-only/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/simple-vpc/versions.tf +++ b/examples/ipv6-only/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/ipv6/main.tf b/examples/ipv6/main.tf deleted file mode 100644 index 60f885196..000000000 --- a/examples/ipv6/main.tf +++ /dev/null @@ -1,46 +0,0 @@ -provider "aws" { - region = local.region -} - -locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" - region = "eu-west-1" - - tags = { - Example = local.name - GithubRepo = "terraform-aws-vpc" - GithubOrg = "terraform-aws-modules" - } -} - -################################################################################ -# VPC Module -################################################################################ - -module "vpc" { - source = "../.." - - name = "ipv6" - cidr = "10.0.0.0/16" - - azs = ["${local.region}a", "${local.region}b"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] - database_subnets = ["10.0.103.0/24", "10.0.104.0/24"] - - enable_nat_gateway = false - - create_database_subnet_route_table = true - create_database_internet_gateway_route = true - - enable_ipv6 = true - assign_ipv6_address_on_creation = true - - private_subnet_assign_ipv6_address_on_creation = false - - public_subnet_ipv6_prefixes = [0, 1] - private_subnet_ipv6_prefixes = [2, 3] - database_subnet_ipv6_prefixes = [4, 5] - - tags = local.tags -} diff --git a/examples/issues/README.md b/examples/issues/README.md index db0005bf7..d63c00636 100644 --- a/examples/issues/README.md +++ b/examples/issues/README.md @@ -24,12 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -41,7 +43,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/issues/main.tf b/examples/issues/main.tf index f031d62cd..9e23b806f 100644 --- a/examples/issues/main.tf +++ b/examples/issues/main.tf @@ -2,10 +2,14 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-vpc" @@ -23,7 +27,7 @@ module "vpc_issue_44" { name = "asymmetrical" cidr = "10.0.0.0/16" - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + azs = local.azs private_subnets = ["10.0.1.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"] @@ -47,7 +51,7 @@ module "vpc_issue_46" { name = "no-private-subnets" cidr = "10.0.0.0/16" - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + azs = local.azs public_subnets = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] private_subnets = [] database_subnets = ["10.0.128.0/24", "10.0.129.0/24"] @@ -73,7 +77,7 @@ module "vpc_issue_108" { name = "route-already-exists" cidr = "10.0.0.0/16" - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + azs = local.azs private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"] public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"] diff --git a/examples/issues/versions.tf b/examples/issues/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/issues/versions.tf +++ b/examples/issues/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md index 84d13f378..2943f2a4f 100644 --- a/examples/manage-default-vpc/README.md +++ b/examples/manage-default-vpc/README.md @@ -21,8 +21,8 @@ Run `terraform destroy` when you don't need these resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers diff --git a/examples/manage-default-vpc/main.tf b/examples/manage-default-vpc/main.tf index 98034a049..ec8c532da 100644 --- a/examples/manage-default-vpc/main.tf +++ b/examples/manage-default-vpc/main.tf @@ -3,7 +3,7 @@ provider "aws" { } locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" tags = { diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/manage-default-vpc/versions.tf +++ b/examples/manage-default-vpc/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md index a8cd19f4a..c4f9fd0d0 100644 --- a/examples/network-acls/README.md +++ b/examples/network-acls/README.md @@ -23,12 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -38,7 +40,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index b285a9b1e..35c3a2211 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -2,10 +2,15 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-vpc" @@ -170,12 +175,12 @@ module "vpc" { source = "../../" name = local.name - cidr = "10.0.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] - elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] + elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)] public_dedicated_network_acl = true public_inbound_acl_rules = concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"]) diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/network-acls/versions.tf +++ b/examples/network-acls/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/outpost/README.md b/examples/outpost/README.md index 7c534ef16..772268e80 100644 --- a/examples/outpost/README.md +++ b/examples/outpost/README.md @@ -23,14 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.73 | +| [aws](#provider\_aws) | >= 4.35 | ## Modules diff --git a/examples/outpost/main.tf b/examples/outpost/main.tf index f5e04361f..b65e8d75a 100644 --- a/examples/outpost/main.tf +++ b/examples/outpost/main.tf @@ -6,10 +6,15 @@ provider "aws" { } } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-vpc" @@ -112,16 +117,6 @@ locals { } } -################################################################################ -# Supporting Resources -################################################################################ - -data "aws_outposts_outpost" "shared" { - name = "SEA19.07" -} - -data "aws_availability_zones" "available" {} - ################################################################################ # VPC Module ################################################################################ @@ -130,15 +125,11 @@ module "vpc" { source = "../../" name = local.name - cidr = "10.0.0.0/16" + cidr = local.vpc_cidr - azs = [ - data.aws_availability_zones.available.names[0], - data.aws_availability_zones.available.names[1], - data.aws_availability_zones.available.names[2], - ] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] # Outpost is using single AZ specified in `outpost_az` outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"] @@ -161,3 +152,11 @@ module "vpc" { tags = local.tags } + +################################################################################ +# Supporting Resources +################################################################################ + +data "aws_outposts_outpost" "shared" { + name = "SEA19.07" +} diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/outpost/versions.tf +++ b/examples/outpost/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md index 58cbef9f1..86536ec76 100644 --- a/examples/secondary-cidr-blocks/README.md +++ b/examples/secondary-cidr-blocks/README.md @@ -21,12 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -36,7 +38,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf index 9aabe2ad0..5c963bb94 100644 --- a/examples/secondary-cidr-blocks/main.tf +++ b/examples/secondary-cidr-blocks/main.tf @@ -2,10 +2,16 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" + vpc_cidr = "10.0.0.0/16" + secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"] + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-vpc" @@ -21,26 +27,19 @@ module "vpc" { source = "../../" name = local.name + cidr = local.vpc_cidr - cidr = "10.0.0.0/16" - secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"] - - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"] + secondary_cidr_blocks = local.secondary_cidr_blocks # can add up to 5 total CIDR blocks - enable_ipv6 = true + azs = local.azs + private_subnets = concat( + [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)], + [for k, v in local.azs : cidrsubnet(element(local.secondary_cidr_blocks, 0), 2, k)], + [for k, v in local.azs : cidrsubnet(element(local.secondary_cidr_blocks, 1), 2, k)], + ) + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] - enable_nat_gateway = true - single_nat_gateway = true - - public_subnet_tags = { - Name = "overridden-name-public" - } + enable_nat_gateway = false tags = local.tags - - vpc_tags = { - Name = "vpc-name" - } } diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf index 979baa847..4d4bddd64 100644 --- a/examples/secondary-cidr-blocks/versions.tf +++ b/examples/secondary-cidr-blocks/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } } diff --git a/examples/vpc-separate-private-route-tables/README.md b/examples/separate-route-tables/README.md similarity index 97% rename from examples/vpc-separate-private-route-tables/README.md rename to examples/separate-route-tables/README.md index 0b2765a48..328e501ec 100644 --- a/examples/vpc-separate-private-route-tables/README.md +++ b/examples/separate-route-tables/README.md @@ -21,12 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -36,7 +38,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/separate-route-tables/main.tf b/examples/separate-route-tables/main.tf new file mode 100644 index 000000000..99cf9828f --- /dev/null +++ b/examples/separate-route-tables/main.tf @@ -0,0 +1,47 @@ +provider "aws" { + region = local.region +} + +data "aws_availability_zones" "available" {} + +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" + + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + tags = { + Example = local.name + GithubRepo = "terraform-aws-vpc" + GithubOrg = "terraform-aws-modules" + } +} + +################################################################################ +# VPC Module +################################################################################ + +module "vpc" { + source = "../../" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)] + elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 12)] + redshift_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 16)] + intra_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)] + + create_database_subnet_route_table = true + create_elasticache_subnet_route_table = true + create_redshift_subnet_route_table = true + + single_nat_gateway = true + enable_nat_gateway = true + + tags = local.tags +} diff --git a/examples/vpc-separate-private-route-tables/outputs.tf b/examples/separate-route-tables/outputs.tf similarity index 100% rename from examples/vpc-separate-private-route-tables/outputs.tf rename to examples/separate-route-tables/outputs.tf diff --git a/examples/vpc-separate-private-route-tables/variables.tf b/examples/separate-route-tables/variables.tf similarity index 100% rename from examples/vpc-separate-private-route-tables/variables.tf rename to examples/separate-route-tables/variables.tf diff --git a/examples/separate-route-tables/versions.tf b/examples/separate-route-tables/versions.tf new file mode 100644 index 000000000..4d4bddd64 --- /dev/null +++ b/examples/separate-route-tables/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.35" + } + } +} diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf deleted file mode 100644 index e9071a794..000000000 --- a/examples/simple-vpc/main.tf +++ /dev/null @@ -1,50 +0,0 @@ -provider "aws" { - region = local.region -} - -locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" - region = "eu-west-1" - - tags = { - Example = local.name - GithubRepo = "terraform-aws-vpc" - GithubOrg = "terraform-aws-modules" - } -} - -################################################################################ -# VPC Module -################################################################################ - -module "vpc" { - source = "../../" - - name = local.name - cidr = "10.0.0.0/16" - - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] - - enable_ipv6 = true - - enable_nat_gateway = false - single_nat_gateway = true - - public_subnet_tags = { - Name = "overridden-name-public" - } - - public_subnet_tags_per_az = { - "${local.region}a" = { - "availability-zone" = "${local.region}a" - } - } - - tags = local.tags - - vpc_tags = { - Name = "vpc-name" - } -} diff --git a/examples/simple-vpc/README.md b/examples/simple/README.md similarity index 97% rename from examples/simple-vpc/README.md rename to examples/simple/README.md index 9584de634..0f8a665f1 100644 --- a/examples/simple-vpc/README.md +++ b/examples/simple/README.md @@ -25,12 +25,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.73 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.35 | ## Modules @@ -40,7 +42,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | ## Inputs diff --git a/examples/simple/main.tf b/examples/simple/main.tf new file mode 100644 index 000000000..f747a271a --- /dev/null +++ b/examples/simple/main.tf @@ -0,0 +1,38 @@ +provider "aws" { + region = local.region +} + +data "aws_availability_zones" "available" {} + +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" + + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + tags = { + Example = local.name + GithubRepo = "terraform-aws-vpc" + GithubOrg = "terraform-aws-modules" + } +} + +################################################################################ +# VPC Module +################################################################################ + +module "vpc" { + source = "../../" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] + + enable_nat_gateway = false + + tags = local.tags +} diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf new file mode 100644 index 000000000..77f244a90 --- /dev/null +++ b/examples/simple/outputs.tf @@ -0,0 +1,535 @@ +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_arn" { + description = "The ARN of the VPC" + value = module.vpc.vpc_arn +} + +output "vpc_cidr_block" { + description = "The CIDR block of the VPC" + value = module.vpc.vpc_cidr_block +} + +output "default_security_group_id" { + description = "The ID of the security group created by default on VPC creation" + value = module.vpc.default_security_group_id +} + +output "default_network_acl_id" { + description = "The ID of the default network ACL" + value = module.vpc.default_network_acl_id +} + +output "default_route_table_id" { + description = "The ID of the default route table" + value = module.vpc.default_route_table_id +} + +output "vpc_instance_tenancy" { + description = "Tenancy of instances spin up within VPC" + value = module.vpc.vpc_instance_tenancy +} + +output "vpc_enable_dns_support" { + description = "Whether or not the VPC has DNS support" + value = module.vpc.vpc_enable_dns_support +} + +output "vpc_enable_dns_hostnames" { + description = "Whether or not the VPC has DNS hostname support" + value = module.vpc.vpc_enable_dns_hostnames +} + +output "vpc_main_route_table_id" { + description = "The ID of the main route table associated with this VPC" + value = module.vpc.vpc_main_route_table_id +} + +output "vpc_ipv6_association_id" { + description = "The association ID for the IPv6 CIDR block" + value = module.vpc.vpc_ipv6_association_id +} + +output "vpc_ipv6_cidr_block" { + description = "The IPv6 CIDR block" + value = module.vpc.vpc_ipv6_cidr_block +} + +output "vpc_secondary_cidr_blocks" { + description = "List of secondary CIDR blocks of the VPC" + value = module.vpc.vpc_secondary_cidr_blocks +} + +output "vpc_owner_id" { + description = "The ID of the AWS account that owns the VPC" + value = module.vpc.vpc_owner_id +} + +output "private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.private_subnets +} + +output "private_subnet_arns" { + description = "List of ARNs of private subnets" + value = module.vpc.private_subnet_arns +} + +output "private_subnets_cidr_blocks" { + description = "List of cidr_blocks of private subnets" + value = module.vpc.private_subnets_cidr_blocks +} + +output "private_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC" + value = module.vpc.private_subnets_ipv6_cidr_blocks +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.public_subnets +} + +output "public_subnet_arns" { + description = "List of ARNs of public subnets" + value = module.vpc.public_subnet_arns +} + +output "public_subnets_cidr_blocks" { + description = "List of cidr_blocks of public subnets" + value = module.vpc.public_subnets_cidr_blocks +} + +output "public_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC" + value = module.vpc.public_subnets_ipv6_cidr_blocks +} + +output "outpost_subnets" { + description = "List of IDs of outpost subnets" + value = module.vpc.outpost_subnets +} + +output "outpost_subnet_arns" { + description = "List of ARNs of outpost subnets" + value = module.vpc.outpost_subnet_arns +} + +output "outpost_subnets_cidr_blocks" { + description = "List of cidr_blocks of outpost subnets" + value = module.vpc.outpost_subnets_cidr_blocks +} + +output "outpost_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of outpost subnets in an IPv6 enabled VPC" + value = module.vpc.outpost_subnets_ipv6_cidr_blocks +} + +output "database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc.database_subnets +} + +output "database_subnet_arns" { + description = "List of ARNs of database subnets" + value = module.vpc.database_subnet_arns +} + +output "database_subnets_cidr_blocks" { + description = "List of cidr_blocks of database subnets" + value = module.vpc.database_subnets_cidr_blocks +} + +output "database_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC" + value = module.vpc.database_subnets_ipv6_cidr_blocks +} + +output "database_subnet_group" { + description = "ID of database subnet group" + value = module.vpc.database_subnet_group +} + +output "database_subnet_group_name" { + description = "Name of database subnet group" + value = module.vpc.database_subnet_group_name +} + +output "redshift_subnets" { + description = "List of IDs of redshift subnets" + value = module.vpc.redshift_subnets +} + +output "redshift_subnet_arns" { + description = "List of ARNs of redshift subnets" + value = module.vpc.redshift_subnet_arns +} + +output "redshift_subnets_cidr_blocks" { + description = "List of cidr_blocks of redshift subnets" + value = module.vpc.redshift_subnets_cidr_blocks +} + +output "redshift_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC" + value = module.vpc.redshift_subnets_ipv6_cidr_blocks +} + +output "redshift_subnet_group" { + description = "ID of redshift subnet group" + value = module.vpc.redshift_subnet_group +} + +output "elasticache_subnets" { + description = "List of IDs of elasticache subnets" + value = module.vpc.elasticache_subnets +} + +output "elasticache_subnet_arns" { + description = "List of ARNs of elasticache subnets" + value = module.vpc.elasticache_subnet_arns +} + +output "elasticache_subnets_cidr_blocks" { + description = "List of cidr_blocks of elasticache subnets" + value = module.vpc.elasticache_subnets_cidr_blocks +} + +output "elasticache_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC" + value = module.vpc.elasticache_subnets_ipv6_cidr_blocks +} + +output "intra_subnets" { + description = "List of IDs of intra subnets" + value = module.vpc.intra_subnets +} + +output "intra_subnet_arns" { + description = "List of ARNs of intra subnets" + value = module.vpc.intra_subnet_arns +} + +output "intra_subnets_cidr_blocks" { + description = "List of cidr_blocks of intra subnets" + value = module.vpc.intra_subnets_cidr_blocks +} + +output "intra_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC" + value = module.vpc.intra_subnets_ipv6_cidr_blocks +} + +output "elasticache_subnet_group" { + description = "ID of elasticache subnet group" + value = module.vpc.elasticache_subnet_group +} + +output "elasticache_subnet_group_name" { + description = "Name of elasticache subnet group" + value = module.vpc.elasticache_subnet_group_name +} + +output "public_route_table_ids" { + description = "List of IDs of public route tables" + value = module.vpc.public_route_table_ids +} + +output "private_route_table_ids" { + description = "List of IDs of private route tables" + value = module.vpc.private_route_table_ids +} + +output "database_route_table_ids" { + description = "List of IDs of database route tables" + value = module.vpc.database_route_table_ids +} + +output "redshift_route_table_ids" { + description = "List of IDs of redshift route tables" + value = module.vpc.redshift_route_table_ids +} + +output "elasticache_route_table_ids" { + description = "List of IDs of elasticache route tables" + value = module.vpc.elasticache_route_table_ids +} + +output "intra_route_table_ids" { + description = "List of IDs of intra route tables" + value = module.vpc.intra_route_table_ids +} + +output "public_internet_gateway_route_id" { + description = "ID of the internet gateway route" + value = module.vpc.public_internet_gateway_route_id +} + +output "public_internet_gateway_ipv6_route_id" { + description = "ID of the IPv6 internet gateway route" + value = module.vpc.public_internet_gateway_ipv6_route_id +} + +output "database_internet_gateway_route_id" { + description = "ID of the database internet gateway route" + value = module.vpc.database_internet_gateway_route_id +} + +output "database_nat_gateway_route_ids" { + description = "List of IDs of the database nat gateway route" + value = module.vpc.database_nat_gateway_route_ids +} + +output "database_ipv6_egress_route_id" { + description = "ID of the database IPv6 egress route" + value = module.vpc.database_ipv6_egress_route_id +} + +output "private_nat_gateway_route_ids" { + description = "List of IDs of the private nat gateway route" + value = module.vpc.private_nat_gateway_route_ids +} + +output "private_ipv6_egress_route_ids" { + description = "List of IDs of the ipv6 egress route" + value = module.vpc.private_ipv6_egress_route_ids +} + +output "private_route_table_association_ids" { + description = "List of IDs of the private route table association" + value = module.vpc.private_route_table_association_ids +} + +output "database_route_table_association_ids" { + description = "List of IDs of the database route table association" + value = module.vpc.database_route_table_association_ids +} + +output "redshift_route_table_association_ids" { + description = "List of IDs of the redshift route table association" + value = module.vpc.redshift_route_table_association_ids +} + +output "redshift_public_route_table_association_ids" { + description = "List of IDs of the public redshift route table association" + value = module.vpc.redshift_public_route_table_association_ids +} + +output "elasticache_route_table_association_ids" { + description = "List of IDs of the elasticache route table association" + value = module.vpc.elasticache_route_table_association_ids +} + +output "intra_route_table_association_ids" { + description = "List of IDs of the intra route table association" + value = module.vpc.intra_route_table_association_ids +} + +output "public_route_table_association_ids" { + description = "List of IDs of the public route table association" + value = module.vpc.public_route_table_association_ids +} + +output "dhcp_options_id" { + description = "The ID of the DHCP options" + value = module.vpc.dhcp_options_id +} + +output "nat_ids" { + description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway" + value = module.vpc.nat_ids +} + +output "nat_public_ips" { + description = "List of public Elastic IPs created for AWS NAT Gateway" + value = module.vpc.nat_public_ips +} + +output "natgw_ids" { + description = "List of NAT Gateway IDs" + value = module.vpc.natgw_ids +} + +output "igw_id" { + description = "The ID of the Internet Gateway" + value = module.vpc.igw_id +} + +output "igw_arn" { + description = "The ARN of the Internet Gateway" + value = module.vpc.igw_arn +} + +output "egress_only_internet_gateway_id" { + description = "The ID of the egress only Internet Gateway" + value = module.vpc.egress_only_internet_gateway_id +} + +output "cgw_ids" { + description = "List of IDs of Customer Gateway" + value = module.vpc.cgw_ids +} + +output "cgw_arns" { + description = "List of ARNs of Customer Gateway" + value = module.vpc.cgw_arns +} + +output "this_customer_gateway" { + description = "Map of Customer Gateway attributes" + value = module.vpc.this_customer_gateway +} + +output "vgw_id" { + description = "The ID of the VPN Gateway" + value = module.vpc.vgw_id +} + +output "vgw_arn" { + description = "The ARN of the VPN Gateway" + value = module.vpc.vgw_arn +} + +output "default_vpc_id" { + description = "The ID of the Default VPC" + value = module.vpc.default_vpc_id +} + +output "default_vpc_arn" { + description = "The ARN of the Default VPC" + value = module.vpc.default_vpc_arn +} + +output "default_vpc_cidr_block" { + description = "The CIDR block of the Default VPC" + value = module.vpc.default_vpc_cidr_block +} + +output "default_vpc_default_security_group_id" { + description = "The ID of the security group created by default on Default VPC creation" + value = module.vpc.default_vpc_default_security_group_id +} + +output "default_vpc_default_network_acl_id" { + description = "The ID of the default network ACL of the Default VPC" + value = module.vpc.default_vpc_default_network_acl_id +} + +output "default_vpc_default_route_table_id" { + description = "The ID of the default route table of the Default VPC" + value = module.vpc.default_vpc_default_route_table_id +} + +output "default_vpc_instance_tenancy" { + description = "Tenancy of instances spin up within Default VPC" + value = module.vpc.default_vpc_instance_tenancy +} + +output "default_vpc_enable_dns_support" { + description = "Whether or not the Default VPC has DNS support" + value = module.vpc.default_vpc_enable_dns_support +} + +output "default_vpc_enable_dns_hostnames" { + description = "Whether or not the Default VPC has DNS hostname support" + value = module.vpc.default_vpc_enable_dns_hostnames +} + +output "default_vpc_main_route_table_id" { + description = "The ID of the main route table associated with the Default VPC" + value = module.vpc.default_vpc_main_route_table_id +} + +output "public_network_acl_id" { + description = "ID of the public network ACL" + value = module.vpc.public_network_acl_id +} + +output "public_network_acl_arn" { + description = "ARN of the public network ACL" + value = module.vpc.public_network_acl_arn +} + +output "private_network_acl_id" { + description = "ID of the private network ACL" + value = module.vpc.private_network_acl_id +} + +output "private_network_acl_arn" { + description = "ARN of the private network ACL" + value = module.vpc.private_network_acl_arn +} + +output "outpost_network_acl_id" { + description = "ID of the outpost network ACL" + value = module.vpc.outpost_network_acl_id +} + +output "outpost_network_acl_arn" { + description = "ARN of the outpost network ACL" + value = module.vpc.outpost_network_acl_arn +} + +output "intra_network_acl_id" { + description = "ID of the intra network ACL" + value = module.vpc.intra_network_acl_id +} + +output "intra_network_acl_arn" { + description = "ARN of the intra network ACL" + value = module.vpc.intra_network_acl_arn +} + +output "database_network_acl_id" { + description = "ID of the database network ACL" + value = module.vpc.database_network_acl_id +} + +output "database_network_acl_arn" { + description = "ARN of the database network ACL" + value = module.vpc.database_network_acl_arn +} + +output "redshift_network_acl_id" { + description = "ID of the redshift network ACL" + value = module.vpc.redshift_network_acl_id +} + +output "redshift_network_acl_arn" { + description = "ARN of the redshift network ACL" + value = module.vpc.redshift_network_acl_arn +} + +output "elasticache_network_acl_id" { + description = "ID of the elasticache network ACL" + value = module.vpc.elasticache_network_acl_id +} + +output "elasticache_network_acl_arn" { + description = "ARN of the elasticache network ACL" + value = module.vpc.elasticache_network_acl_arn +} + +# VPC flow log +output "vpc_flow_log_id" { + description = "The ID of the Flow Log resource" + value = module.vpc.vpc_flow_log_id +} + +output "vpc_flow_log_destination_arn" { + description = "The ARN of the destination for VPC Flow Logs" + value = module.vpc.vpc_flow_log_destination_arn +} + +output "vpc_flow_log_destination_type" { + description = "The type of the destination for VPC Flow Logs" + value = module.vpc.vpc_flow_log_destination_type +} + +output "vpc_flow_log_cloudwatch_iam_role_arn" { + description = "The ARN of the IAM role used when pushing logs to Cloudwatch log group" + value = module.vpc.vpc_flow_log_cloudwatch_iam_role_arn +} diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf new file mode 100644 index 000000000..e69de29bb diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf new file mode 100644 index 000000000..4d4bddd64 --- /dev/null +++ b/examples/simple/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.35" + } + } +} diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md index 877ccf3c0..89edcc0f0 100644 --- a/examples/vpc-flow-logs/README.md +++ b/examples/vpc-flow-logs/README.md @@ -23,15 +23,15 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.75 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.75 | +| [aws](#provider\_aws) | >= 4.35 | | [random](#provider\_random) | >= 2.0 | ## Modules @@ -53,6 +53,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP | [aws_iam_role.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.flow_log_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf index d22b4eed7..140aa0cd6 100644 --- a/examples/vpc-flow-logs/main.tf +++ b/examples/vpc-flow-logs/main.tf @@ -2,18 +2,22 @@ provider "aws" { region = local.region } +data "aws_availability_zones" "available" {} + locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" + name = "ex-${basename(path.cwd)}" region = "eu-west-1" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { Example = local.name GithubRepo = "terraform-aws-vpc" GithubOrg = "terraform-aws-modules" } - s3_bucket_name = "vpc-flow-logs-to-s3-${random_pet.this.id}" - cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}" + s3_bucket_name = "vpc-flow-logs-to-s3-${random_pet.this.id}" } ################################################################################ @@ -24,10 +28,11 @@ module "vpc_with_flow_logs_s3_bucket" { source = "../../" name = local.name - cidr = "10.30.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a"] - public_subnets = ["10.30.101.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] enable_flow_log = true flow_log_destination_type = "s3" @@ -40,10 +45,11 @@ module "vpc_with_flow_logs_s3_bucket_parquet" { source = "../../" name = "${local.name}-parquet" - cidr = "10.30.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a"] - public_subnets = ["10.30.101.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] enable_flow_log = true flow_log_destination_type = "s3" @@ -58,10 +64,11 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" { source = "../../" name = "${local.name}-cloudwatch-logs-default" - cidr = "10.10.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a"] - public_subnets = ["10.10.101.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] # Cloudwatch log group and IAM role will be created enable_flow_log = true @@ -80,10 +87,11 @@ module "vpc_with_flow_logs_cloudwatch_logs" { source = "../../" name = "${local.name}-cloudwatch-logs" - cidr = "10.20.0.0/16" + cidr = local.vpc_cidr - azs = ["${local.region}a"] - public_subnets = ["10.20.101.0/24"] + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] enable_flow_log = true flow_log_destination_type = "cloud-watch-logs" @@ -143,7 +151,7 @@ data "aws_iam_policy_document" "flow_log_s3" { # Cloudwatch logs resource "aws_cloudwatch_log_group" "flow_log" { - name = local.cloudwatch_log_group_name + name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}" } resource "aws_iam_role" "vpc_flow_log_cloudwatch" { diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf index 41fdb0689..e7837022e 100644 --- a/examples/vpc-flow-logs/versions.tf +++ b/examples/vpc-flow-logs/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.75" + version = ">= 4.35" } random = { diff --git a/examples/vpc-separate-private-route-tables/main.tf b/examples/vpc-separate-private-route-tables/main.tf deleted file mode 100644 index dc1a75274..000000000 --- a/examples/vpc-separate-private-route-tables/main.tf +++ /dev/null @@ -1,42 +0,0 @@ -provider "aws" { - region = local.region -} - -locals { - name = "ex-${replace(basename(path.cwd), "_", "-")}" - region = "eu-west-1" - - tags = { - Example = local.name - GithubRepo = "terraform-aws-vpc" - GithubOrg = "terraform-aws-modules" - } -} - -################################################################################ -# VPC Module -################################################################################ - -module "vpc" { - source = "../../" - - name = local.name - - cidr = "10.10.0.0/16" - - azs = ["${local.region}a", "${local.region}b", "${local.region}c"] - private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"] - public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"] - database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"] - elasticache_subnets = ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"] - redshift_subnets = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"] - - create_database_subnet_route_table = true - create_elasticache_subnet_route_table = true - create_redshift_subnet_route_table = true - - single_nat_gateway = true - enable_nat_gateway = true - - tags = local.tags -} diff --git a/examples/vpc-separate-private-route-tables/versions.tf b/examples/vpc-separate-private-route-tables/versions.tf deleted file mode 100644 index 979baa847..000000000 --- a/examples/vpc-separate-private-route-tables/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.13.1" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.73" - } - } -} diff --git a/main.tf b/main.tf index 7da643e60..3eceb363b 100644 --- a/main.tf +++ b/main.tf @@ -1,11 +1,18 @@ locals { + len_public_subnets = max(length(var.public_subnets), length(var.public_subnet_ipv6_prefixes)) + len_private_subnets = max(length(var.private_subnets), length(var.private_subnet_ipv6_prefixes)) + len_database_subnets = max(length(var.database_subnets), length(var.database_subnet_ipv6_prefixes)) + len_elasticache_subnets = max(length(var.elasticache_subnets), length(var.elasticache_subnet_ipv6_prefixes)) + len_redshift_subnets = max(length(var.redshift_subnets), length(var.redshift_subnet_ipv6_prefixes)) + len_intra_subnets = max(length(var.intra_subnets), length(var.intra_subnet_ipv6_prefixes)) + len_outpost_subnets = max(length(var.outpost_subnets), length(var.outpost_subnet_ipv6_prefixes)) + max_subnet_length = max( - length(var.private_subnets), - length(var.elasticache_subnets), - length(var.database_subnets), - length(var.redshift_subnets), + local.len_public_subnets, + local.len_elasticache_subnets, + local.len_database_subnets, + local.len_redshift_subnets, ) - nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free! vpc_id = try(aws_vpc_ipv4_cidr_block_association.this[0].vpc_id, aws_vpc.this[0].id, "") @@ -24,16 +31,16 @@ resource "aws_vpc" "this" { ipv4_ipam_pool_id = var.ipv4_ipam_pool_id ipv4_netmask_length = var.ipv4_netmask_length - assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null - ipv6_cidr_block = var.ipv6_cidr - ipv6_ipam_pool_id = var.ipv6_ipam_pool_id - ipv6_netmask_length = var.ipv6_netmask_length + assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null + ipv6_cidr_block = var.ipv6_cidr + ipv6_ipam_pool_id = var.ipv6_ipam_pool_id + ipv6_netmask_length = var.ipv6_netmask_length + ipv6_cidr_block_network_border_group = var.ipv6_cidr_block_network_border_group - instance_tenancy = var.instance_tenancy - enable_dns_hostnames = var.enable_dns_hostnames - enable_dns_support = var.enable_dns_support - enable_classiclink = null # https://github.com/hashicorp/terraform/issues/31730 - enable_classiclink_dns_support = null # https://github.com/hashicorp/terraform/issues/31730 + instance_tenancy = var.instance_tenancy + enable_dns_hostnames = var.enable_dns_hostnames + enable_dns_support = var.enable_dns_support + enable_network_address_usage_metrics = var.enable_network_address_usage_metrics tags = merge( { "Name" = var.name }, @@ -51,48 +58,6 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" { cidr_block = element(var.secondary_cidr_blocks, count.index) } -resource "aws_default_security_group" "this" { - count = local.create_vpc && var.manage_default_security_group ? 1 : 0 - - vpc_id = aws_vpc.this[0].id - - dynamic "ingress" { - for_each = var.default_security_group_ingress - content { - self = lookup(ingress.value, "self", null) - cidr_blocks = compact(split(",", lookup(ingress.value, "cidr_blocks", ""))) - ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", ""))) - prefix_list_ids = compact(split(",", lookup(ingress.value, "prefix_list_ids", ""))) - security_groups = compact(split(",", lookup(ingress.value, "security_groups", ""))) - description = lookup(ingress.value, "description", null) - from_port = lookup(ingress.value, "from_port", 0) - to_port = lookup(ingress.value, "to_port", 0) - protocol = lookup(ingress.value, "protocol", "-1") - } - } - - dynamic "egress" { - for_each = var.default_security_group_egress - content { - self = lookup(egress.value, "self", null) - cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", ""))) - ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", ""))) - prefix_list_ids = compact(split(",", lookup(egress.value, "prefix_list_ids", ""))) - security_groups = compact(split(",", lookup(egress.value, "security_groups", ""))) - description = lookup(egress.value, "description", null) - from_port = lookup(egress.value, "from_port", 0) - to_port = lookup(egress.value, "to_port", 0) - protocol = lookup(egress.value, "protocol", "-1") - } - } - - tags = merge( - { "Name" = coalesce(var.default_security_group_name, var.name) }, - var.tags, - var.default_security_group_tags, - ) -} - ################################################################################ # DHCP Options Set ################################################################################ @@ -121,379 +86,444 @@ resource "aws_vpc_dhcp_options_association" "this" { } ################################################################################ -# Internet Gateway +# Publiс Subnets ################################################################################ -resource "aws_internet_gateway" "this" { - count = local.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0 +locals { + create_public_subnets = local.create_vpc && local.len_public_subnets > 0 +} - vpc_id = local.vpc_id +resource "aws_subnet" "public" { + count = local.create_public_subnets && (!var.one_nat_gateway_per_az || local.len_public_subnets >= length(var.azs)) ? local.len_public_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.public_subnet_ipv6_native ? true : var.public_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.public_subnet_ipv6_native ? null : element(concat(var.public_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.public_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.public_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.public_subnet_ipv6_native && var.public_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.public_subnet_ipv6_native + map_public_ip_on_launch = var.map_public_ip_on_launch + private_dns_hostname_type_on_launch = var.public_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( - { "Name" = var.name }, + { + Name = try( + var.public_subnet_names[count.index], + format("${var.name}-${var.public_subnet_suffix}-%s", element(var.azs, count.index)) + ) + }, var.tags, - var.igw_tags, + var.public_subnet_tags, + lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {}) ) } -resource "aws_egress_only_internet_gateway" "this" { - count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0 +resource "aws_route_table" "public" { + count = local.create_public_subnets ? 1 : 0 vpc_id = local.vpc_id tags = merge( - { "Name" = var.name }, + { "Name" = "${var.name}-${var.public_subnet_suffix}" }, var.tags, - var.igw_tags, + var.public_route_table_tags, ) } -################################################################################ -# Default route -################################################################################ - -resource "aws_default_route_table" "default" { - count = local.create_vpc && var.manage_default_route_table ? 1 : 0 +resource "aws_route_table_association" "public" { + count = local.create_public_subnets ? local.len_public_subnets : 0 - default_route_table_id = aws_vpc.this[0].default_route_table_id - propagating_vgws = var.default_route_table_propagating_vgws + subnet_id = element(aws_subnet.public[*].id, count.index) + route_table_id = aws_route_table.public[0].id +} - dynamic "route" { - for_each = var.default_route_table_routes - content { - # One of the following destinations must be provided - cidr_block = route.value.cidr_block - ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null) +resource "aws_route" "public_internet_gateway" { + count = local.create_public_subnets && var.create_igw ? 1 : 0 - # One of the following targets must be provided - egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null) - gateway_id = lookup(route.value, "gateway_id", null) - instance_id = lookup(route.value, "instance_id", null) - nat_gateway_id = lookup(route.value, "nat_gateway_id", null) - network_interface_id = lookup(route.value, "network_interface_id", null) - transit_gateway_id = lookup(route.value, "transit_gateway_id", null) - vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null) - vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null) - } - } + route_table_id = aws_route_table.public[0].id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.this[0].id timeouts { create = "5m" - update = "5m" } +} - tags = merge( - { "Name" = coalesce(var.default_route_table_name, var.name) }, - var.tags, - var.default_route_table_tags, - ) +resource "aws_route" "public_internet_gateway_ipv6" { + count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? 1 : 0 + + route_table_id = aws_route_table.public[0].id + destination_ipv6_cidr_block = "::/0" + gateway_id = aws_internet_gateway.this[0].id } ################################################################################ -# Publiс routes +# Public Network ACLs ################################################################################ -resource "aws_route_table" "public" { - count = local.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 +resource "aws_network_acl" "public" { + count = local.create_public_subnets && var.public_dedicated_network_acl ? 1 : 0 - vpc_id = local.vpc_id + vpc_id = local.vpc_id + subnet_ids = aws_subnet.public[*].id tags = merge( { "Name" = "${var.name}-${var.public_subnet_suffix}" }, var.tags, - var.public_route_table_tags, + var.public_acl_tags, ) } -resource "aws_route" "public_internet_gateway" { - count = local.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0 +resource "aws_network_acl_rule" "public_inbound" { + count = local.create_public_subnets && var.public_dedicated_network_acl ? length(var.public_inbound_acl_rules) : 0 - route_table_id = aws_route_table.public[0].id - destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.this[0].id + network_acl_id = aws_network_acl.public[0].id - timeouts { - create = "5m" - } + egress = false + rule_number = var.public_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.public_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.public_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.public_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.public_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null) } -resource "aws_route" "public_internet_gateway_ipv6" { - count = local.create_vpc && var.create_igw && var.enable_ipv6 && length(var.public_subnets) > 0 ? 1 : 0 +resource "aws_network_acl_rule" "public_outbound" { + count = local.create_public_subnets && var.public_dedicated_network_acl ? length(var.public_outbound_acl_rules) : 0 - route_table_id = aws_route_table.public[0].id - destination_ipv6_cidr_block = "::/0" - gateway_id = aws_internet_gateway.this[0].id + network_acl_id = aws_network_acl.public[0].id + + egress = true + rule_number = var.public_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.public_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.public_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.public_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.public_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } ################################################################################ -# Private routes -# There are as many routing tables as the number of NAT gateways +# Private Subnets ################################################################################ -resource "aws_route_table" "private" { - count = local.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0 +locals { + create_private_subnets = local.create_vpc && local.len_private_subnets > 0 +} - vpc_id = local.vpc_id +resource "aws_subnet" "private" { + count = local.create_private_subnets ? local.len_private_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.private_subnet_ipv6_native ? true : var.private_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.private_subnet_ipv6_native ? null : element(concat(var.private_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.private_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.private_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.private_subnet_ipv6_native && var.private_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.private_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.private_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.private_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( { - "Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format( - "${var.name}-${var.private_subnet_suffix}-%s", - element(var.azs, count.index), + Name = try( + var.private_subnet_names[count.index], + format("${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index)) ) }, var.tags, - var.private_route_table_tags, + var.private_subnet_tags, + lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {}) ) } -################################################################################ -# Database routes -################################################################################ - -resource "aws_route_table" "database" { - count = local.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : length(var.database_subnets) : 0 +# There are as many routing tables as the number of NAT gateways +resource "aws_route_table" "private" { + count = local.create_private_subnets && local.max_subnet_length > 0 ? local.nat_gateway_count : 0 vpc_id = local.vpc_id tags = merge( { - "Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format( - "${var.name}-${var.database_subnet_suffix}-%s", + "Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format( + "${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index), ) }, var.tags, - var.database_route_table_tags, + var.private_route_table_tags, ) } -resource "aws_route" "database_internet_gateway" { - count = local.create_vpc && var.create_igw && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0 - - route_table_id = aws_route_table.database[0].id - destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.this[0].id - - timeouts { - create = "5m" - } -} - -resource "aws_route" "database_nat_gateway" { - count = local.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : length(var.database_subnets) : 0 - - route_table_id = element(aws_route_table.database[*].id, count.index) - destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) - - timeouts { - create = "5m" - } -} - -resource "aws_route" "database_ipv6_egress" { - count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0 - - route_table_id = aws_route_table.database[0].id - destination_ipv6_cidr_block = "::/0" - egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id +resource "aws_route_table_association" "private" { + count = local.create_private_subnets ? local.len_private_subnets : 0 - timeouts { - create = "5m" - } + subnet_id = element(aws_subnet.private[*].id, count.index) + route_table_id = element( + aws_route_table.private[*].id, + var.single_nat_gateway ? 0 : count.index, + ) } ################################################################################ -# Redshift routes +# Private Network ACLs ################################################################################ -resource "aws_route_table" "redshift" { - count = local.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0 +locals { + create_private_network_acl = local.create_private_subnets && var.private_dedicated_network_acl +} - vpc_id = local.vpc_id +resource "aws_network_acl" "private" { + count = local.create_private_network_acl ? 1 : 0 + + vpc_id = local.vpc_id + subnet_ids = aws_subnet.private[*].id tags = merge( - { "Name" = "${var.name}-${var.redshift_subnet_suffix}" }, + { "Name" = "${var.name}-${var.private_subnet_suffix}" }, var.tags, - var.redshift_route_table_tags, + var.private_acl_tags, ) } -################################################################################ -# Elasticache routes -################################################################################ - -resource "aws_route_table" "elasticache" { - count = local.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0 +resource "aws_network_acl_rule" "private_inbound" { + count = local.create_private_network_acl ? length(var.private_inbound_acl_rules) : 0 - vpc_id = local.vpc_id + network_acl_id = aws_network_acl.private[0].id - tags = merge( - { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" }, - var.tags, - var.elasticache_route_table_tags, - ) + egress = false + rule_number = var.private_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.private_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.private_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.private_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.private_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null) } -################################################################################ -# Intra routes -################################################################################ +resource "aws_network_acl_rule" "private_outbound" { + count = local.create_private_network_acl ? length(var.private_outbound_acl_rules) : 0 -resource "aws_route_table" "intra" { - count = local.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0 + network_acl_id = aws_network_acl.private[0].id - vpc_id = local.vpc_id - - tags = merge( - { "Name" = "${var.name}-${var.intra_subnet_suffix}" }, - var.tags, - var.intra_route_table_tags, - ) + egress = true + rule_number = var.private_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.private_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.private_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.private_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.private_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } ################################################################################ -# Public subnet +# Database Subnets ################################################################################ -resource "aws_subnet" "public" { - count = local.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0 - - vpc_id = local.vpc_id - cidr_block = element(concat(var.public_subnets, [""]), count.index) - availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null - availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null - map_public_ip_on_launch = var.map_public_ip_on_launch - assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation +locals { + create_database_subnets = local.create_vpc && local.len_database_subnets > 0 + create_database_route_table = local.create_database_subnets && var.create_database_subnet_route_table +} - ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null +resource "aws_subnet" "database" { + count = local.create_database_subnets ? local.len_database_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.database_subnet_ipv6_native ? true : var.database_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.database_subnet_ipv6_native ? null : element(concat(var.database_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.database_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.database_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.database_subnet_ipv6_native && var.database_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.database_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.database_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.database_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.database_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( { Name = try( - var.public_subnet_names[count.index], - format("${var.name}-${var.public_subnet_suffix}-%s", element(var.azs, count.index)) + var.database_subnet_names[count.index], + format("${var.name}-${var.database_subnet_suffix}-%s", element(var.azs, count.index), ) ) }, var.tags, - var.public_subnet_tags, - lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {}) + var.database_subnet_tags, ) } -################################################################################ -# Private subnet -################################################################################ - -resource "aws_subnet" "private" { - count = local.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 - - vpc_id = local.vpc_id - cidr_block = var.private_subnets[count.index] - availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null - availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null - assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.private_subnet_assign_ipv6_address_on_creation +resource "aws_db_subnet_group" "database" { + count = local.create_database_subnets && var.create_database_subnet_group ? 1 : 0 - ipv6_cidr_block = var.enable_ipv6 && length(var.private_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index]) : null + name = lower(coalesce(var.database_subnet_group_name, var.name)) + description = "Database subnet group for ${var.name}" + subnet_ids = aws_subnet.database[*].id tags = merge( { - Name = try( - var.private_subnet_names[count.index], - format("${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index)) - ) + "Name" = lower(coalesce(var.database_subnet_group_name, var.name)) }, var.tags, - var.private_subnet_tags, - lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {}) + var.database_subnet_group_tags, ) } -################################################################################ -# Outpost subnet -################################################################################ - -resource "aws_subnet" "outpost" { - count = local.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0 - - vpc_id = local.vpc_id - cidr_block = var.outpost_subnets[count.index] - availability_zone = var.outpost_az - assign_ipv6_address_on_creation = var.outpost_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.outpost_subnet_assign_ipv6_address_on_creation - - ipv6_cidr_block = var.enable_ipv6 && length(var.outpost_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.outpost_subnet_ipv6_prefixes[count.index]) : null +resource "aws_route_table" "database" { + count = local.create_database_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : local.len_database_subnets : 0 - outpost_arn = var.outpost_arn + vpc_id = local.vpc_id tags = merge( { - Name = try( - var.outpost_subnet_names[count.index], - format("${var.name}-${var.outpost_subnet_suffix}-%s", var.outpost_az) + "Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format( + "${var.name}-${var.database_subnet_suffix}-%s", + element(var.azs, count.index), ) }, var.tags, - var.outpost_subnet_tags, + var.database_route_table_tags, + ) +} + +resource "aws_route_table_association" "database" { + count = local.create_database_subnets ? local.len_database_subnets : 0 + + subnet_id = element(aws_subnet.database[*].id, count.index) + route_table_id = element( + coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id), + var.create_database_subnet_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 0 : count.index : count.index, ) } +resource "aws_route" "database_internet_gateway" { + count = local.create_database_route_table && var.create_igw && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0 + + route_table_id = aws_route_table.database[0].id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.this[0].id + + timeouts { + create = "5m" + } +} + +resource "aws_route" "database_nat_gateway" { + count = local.create_database_route_table && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : local.len_database_subnets : 0 + + route_table_id = element(aws_route_table.database[*].id, count.index) + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } +} + +resource "aws_route" "database_ipv6_egress" { + count = local.create_database_route_table && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_internet_gateway_route ? 1 : 0 + + route_table_id = aws_route_table.database[0].id + destination_ipv6_cidr_block = "::/0" + egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id + + timeouts { + create = "5m" + } +} + ################################################################################ -# Database subnet +# Database Network ACLs ################################################################################ -resource "aws_subnet" "database" { - count = local.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 +locals { + create_database_network_acl = local.create_database_subnets && var.database_dedicated_network_acl +} - vpc_id = local.vpc_id - cidr_block = var.database_subnets[count.index] - availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null - availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null - assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.database_subnet_assign_ipv6_address_on_creation +resource "aws_network_acl" "database" { + count = local.create_database_network_acl ? 1 : 0 - ipv6_cidr_block = var.enable_ipv6 && length(var.database_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.database_subnet_ipv6_prefixes[count.index]) : null + vpc_id = local.vpc_id + subnet_ids = aws_subnet.database[*].id tags = merge( - { - Name = try( - var.database_subnet_names[count.index], - format("${var.name}-${var.database_subnet_suffix}-%s", element(var.azs, count.index), ) - ) - }, + { "Name" = "${var.name}-${var.database_subnet_suffix}" }, var.tags, - var.database_subnet_tags, + var.database_acl_tags, ) } -resource "aws_db_subnet_group" "database" { - count = local.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0 +resource "aws_network_acl_rule" "database_inbound" { + count = local.create_database_network_acl ? length(var.database_inbound_acl_rules) : 0 - name = lower(coalesce(var.database_subnet_group_name, var.name)) - description = "Database subnet group for ${var.name}" - subnet_ids = aws_subnet.database[*].id + network_acl_id = aws_network_acl.database[0].id - tags = merge( - { - "Name" = lower(coalesce(var.database_subnet_group_name, var.name)) - }, - var.tags, - var.database_subnet_group_tags, - ) + egress = false + rule_number = var.database_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.database_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.database_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.database_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.database_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.database_inbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + +resource "aws_network_acl_rule" "database_outbound" { + count = local.create_database_network_acl ? length(var.database_outbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.database[0].id + + egress = true + rule_number = var.database_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.database_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.database_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.database_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.database_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } ################################################################################ -# Redshift subnet +# Redshift Subnets ################################################################################ -resource "aws_subnet" "redshift" { - count = local.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0 - - vpc_id = local.vpc_id - cidr_block = var.redshift_subnets[count.index] - availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null - availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null - assign_ipv6_address_on_creation = var.redshift_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.redshift_subnet_assign_ipv6_address_on_creation +locals { + create_redshift_subnets = local.create_vpc && local.len_redshift_subnets > 0 + create_redshift_route_table = local.create_redshift_subnets && var.create_redshift_subnet_route_table +} - ipv6_cidr_block = var.enable_ipv6 && length(var.redshift_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.redshift_subnet_ipv6_prefixes[count.index]) : null +resource "aws_subnet" "redshift" { + count = local.create_redshift_subnets ? local.len_redshift_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.redshift_subnet_ipv6_native ? true : var.redshift_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.redshift_subnet_ipv6_native ? null : element(concat(var.redshift_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.redshift_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.redshift_subnet_ipv6_native && var.redshift_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.redshift_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.redshift_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.redshift_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.redshift_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( { @@ -508,7 +538,7 @@ resource "aws_subnet" "redshift" { } resource "aws_redshift_subnet_group" "redshift" { - count = local.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0 + count = local.create_redshift_subnets && var.create_redshift_subnet_group ? 1 : 0 name = lower(coalesce(var.redshift_subnet_group_name, var.name)) description = "Redshift subnet group for ${var.name}" @@ -521,286 +551,287 @@ resource "aws_redshift_subnet_group" "redshift" { ) } -################################################################################ -# ElastiCache subnet -################################################################################ - -resource "aws_subnet" "elasticache" { - count = local.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 - - vpc_id = local.vpc_id - cidr_block = var.elasticache_subnets[count.index] - availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null - availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null - assign_ipv6_address_on_creation = var.elasticache_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.elasticache_subnet_assign_ipv6_address_on_creation +resource "aws_route_table" "redshift" { + count = local.create_redshift_route_table ? 1 : 0 - ipv6_cidr_block = var.enable_ipv6 && length(var.elasticache_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.elasticache_subnet_ipv6_prefixes[count.index]) : null + vpc_id = local.vpc_id tags = merge( - { - Name = try( - var.elasticache_subnet_names[count.index], - format("${var.name}-${var.elasticache_subnet_suffix}-%s", element(var.azs, count.index)) - ) - }, + { "Name" = "${var.name}-${var.redshift_subnet_suffix}" }, var.tags, - var.elasticache_subnet_tags, + var.redshift_route_table_tags, ) } -resource "aws_elasticache_subnet_group" "elasticache" { - count = local.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0 +resource "aws_route_table_association" "redshift" { + count = local.create_redshift_subnets && !var.enable_public_redshift ? local.len_redshift_subnets : 0 - name = coalesce(var.elasticache_subnet_group_name, var.name) - description = "ElastiCache subnet group for ${var.name}" - subnet_ids = aws_subnet.elasticache[*].id + subnet_id = element(aws_subnet.redshift[*].id, count.index) + route_table_id = element( + coalescelist(aws_route_table.redshift[*].id, aws_route_table.private[*].id), + var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, + ) +} - tags = merge( - { "Name" = coalesce(var.elasticache_subnet_group_name, var.name) }, - var.tags, - var.elasticache_subnet_group_tags, +resource "aws_route_table_association" "redshift_public" { + count = local.create_redshift_subnets && var.enable_public_redshift ? local.len_redshift_subnets : 0 + + subnet_id = element(aws_subnet.redshift[*].id, count.index) + route_table_id = element( + coalescelist(aws_route_table.redshift[*].id, aws_route_table.public[*].id), + var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, ) } ################################################################################ -# Intra subnets - private subnet without NAT gateway +# Redshift Network ACLs ################################################################################ -resource "aws_subnet" "intra" { - count = local.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 +locals { + create_redshift_network_acl = local.create_redshift_subnets && var.redshift_dedicated_network_acl +} - vpc_id = local.vpc_id - cidr_block = var.intra_subnets[count.index] - availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null - availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null - assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.intra_subnet_assign_ipv6_address_on_creation +resource "aws_network_acl" "redshift" { + count = local.create_redshift_network_acl ? 1 : 0 - ipv6_cidr_block = var.enable_ipv6 && length(var.intra_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.intra_subnet_ipv6_prefixes[count.index]) : null + vpc_id = local.vpc_id + subnet_ids = aws_subnet.redshift[*].id tags = merge( - { - Name = try( - var.intra_subnet_names[count.index], - format("${var.name}-${var.intra_subnet_suffix}-%s", element(var.azs, count.index)) - ) - }, + { "Name" = "${var.name}-${var.redshift_subnet_suffix}" }, var.tags, - var.intra_subnet_tags, + var.redshift_acl_tags, ) } -################################################################################ -# Default Network ACLs -################################################################################ - -resource "aws_default_network_acl" "this" { - count = local.create_vpc && var.manage_default_network_acl ? 1 : 0 +resource "aws_network_acl_rule" "redshift_inbound" { + count = local.create_redshift_network_acl ? length(var.redshift_inbound_acl_rules) : 0 - default_network_acl_id = aws_vpc.this[0].default_network_acl_id + network_acl_id = aws_network_acl.redshift[0].id - # subnet_ids is using lifecycle ignore_changes, so it is not necessary to list - # any explicitly. See https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/736. - subnet_ids = null + egress = false + rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.redshift_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "ipv6_cidr_block", null) +} - dynamic "ingress" { - for_each = var.default_network_acl_ingress - content { - action = ingress.value.action - cidr_block = lookup(ingress.value, "cidr_block", null) - from_port = ingress.value.from_port - icmp_code = lookup(ingress.value, "icmp_code", null) - icmp_type = lookup(ingress.value, "icmp_type", null) - ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null) - protocol = ingress.value.protocol - rule_no = ingress.value.rule_no - to_port = ingress.value.to_port - } - } - dynamic "egress" { - for_each = var.default_network_acl_egress - content { - action = egress.value.action - cidr_block = lookup(egress.value, "cidr_block", null) - from_port = egress.value.from_port - icmp_code = lookup(egress.value, "icmp_code", null) - icmp_type = lookup(egress.value, "icmp_type", null) - ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null) - protocol = egress.value.protocol - rule_no = egress.value.rule_no - to_port = egress.value.to_port - } - } +resource "aws_network_acl_rule" "redshift_outbound" { + count = local.create_redshift_network_acl ? length(var.redshift_outbound_acl_rules) : 0 - tags = merge( - { "Name" = coalesce(var.default_network_acl_name, var.name) }, - var.tags, - var.default_network_acl_tags, - ) + network_acl_id = aws_network_acl.redshift[0].id - lifecycle { - ignore_changes = [subnet_ids] - } + egress = true + rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.redshift_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } ################################################################################ -# Public Network ACLs +# Elasticache Subnets ################################################################################ -resource "aws_network_acl" "public" { - count = local.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0 +locals { + create_elasticache_subnets = local.create_vpc && local.len_elasticache_subnets > 0 + create_elasticache_route_table = local.create_elasticache_subnets && var.create_elasticache_subnet_route_table +} - vpc_id = local.vpc_id - subnet_ids = aws_subnet.public[*].id +resource "aws_subnet" "elasticache" { + count = local.create_elasticache_subnets ? local.len_elasticache_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.elasticache_subnet_ipv6_native ? true : var.elasticache_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.elasticache_subnet_ipv6_native ? null : element(concat(var.elasticache_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.elasticache_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.elasticache_subnet_ipv6_native && var.elasticache_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.elasticache_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.elasticache_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.elasticache_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.elasticache_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.public_subnet_suffix}" }, + { + Name = try( + var.elasticache_subnet_names[count.index], + format("${var.name}-${var.elasticache_subnet_suffix}-%s", element(var.azs, count.index)) + ) + }, var.tags, - var.public_acl_tags, + var.elasticache_subnet_tags, ) } -resource "aws_network_acl_rule" "public_inbound" { - count = local.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0 +resource "aws_elasticache_subnet_group" "elasticache" { + count = local.create_elasticache_subnets && var.create_elasticache_subnet_group ? 1 : 0 - network_acl_id = aws_network_acl.public[0].id + name = coalesce(var.elasticache_subnet_group_name, var.name) + description = "ElastiCache subnet group for ${var.name}" + subnet_ids = aws_subnet.elasticache[*].id - egress = false - rule_number = var.public_inbound_acl_rules[count.index]["rule_number"] - rule_action = var.public_inbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.public_inbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.public_inbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null) - protocol = var.public_inbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null) + tags = merge( + { "Name" = coalesce(var.elasticache_subnet_group_name, var.name) }, + var.tags, + var.elasticache_subnet_group_tags, + ) } -resource "aws_network_acl_rule" "public_outbound" { - count = local.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0 +resource "aws_route_table" "elasticache" { + count = local.create_elasticache_route_table ? 1 : 0 - network_acl_id = aws_network_acl.public[0].id + vpc_id = local.vpc_id - egress = true - rule_number = var.public_outbound_acl_rules[count.index]["rule_number"] - rule_action = var.public_outbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.public_outbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.public_outbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null) - protocol = var.public_outbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null) + tags = merge( + { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" }, + var.tags, + var.elasticache_route_table_tags, + ) +} + +resource "aws_route_table_association" "elasticache" { + count = local.create_elasticache_subnets ? local.len_elasticache_subnets : 0 + + subnet_id = element(aws_subnet.elasticache[*].id, count.index) + route_table_id = element( + coalescelist( + aws_route_table.elasticache[*].id, + aws_route_table.private[*].id, + ), + var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index, + ) } ################################################################################ -# Private Network ACLs +# Elasticache Network ACLs ################################################################################ -resource "aws_network_acl" "private" { - count = local.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0 +locals { + create_elasticache_network_acl = local.create_elasticache_subnets && var.elasticache_dedicated_network_acl +} + +resource "aws_network_acl" "elasticache" { + count = local.create_elasticache_network_acl ? 1 : 0 vpc_id = local.vpc_id - subnet_ids = aws_subnet.private[*].id + subnet_ids = aws_subnet.elasticache[*].id tags = merge( - { "Name" = "${var.name}-${var.private_subnet_suffix}" }, + { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" }, var.tags, - var.private_acl_tags, + var.elasticache_acl_tags, ) } -resource "aws_network_acl_rule" "private_inbound" { - count = local.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0 +resource "aws_network_acl_rule" "elasticache_inbound" { + count = local.create_elasticache_network_acl ? length(var.elasticache_inbound_acl_rules) : 0 - network_acl_id = aws_network_acl.private[0].id + network_acl_id = aws_network_acl.elasticache[0].id egress = false - rule_number = var.private_inbound_acl_rules[count.index]["rule_number"] - rule_action = var.private_inbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.private_inbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.private_inbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null) - protocol = var.private_inbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null) + rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "ipv6_cidr_block", null) } -resource "aws_network_acl_rule" "private_outbound" { - count = local.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0 +resource "aws_network_acl_rule" "elasticache_outbound" { + count = local.create_elasticache_network_acl ? length(var.elasticache_outbound_acl_rules) : 0 - network_acl_id = aws_network_acl.private[0].id + network_acl_id = aws_network_acl.elasticache[0].id egress = true - rule_number = var.private_outbound_acl_rules[count.index]["rule_number"] - rule_action = var.private_outbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.private_outbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.private_outbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null) - protocol = var.private_outbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null) + rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } ################################################################################ -# Outpost Network ACLs +# Intra Subnets ################################################################################ -resource "aws_network_acl" "outpost" { - count = local.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? 1 : 0 +locals { + create_intra_subnets = local.create_vpc && local.len_intra_subnets > 0 +} - vpc_id = local.vpc_id - subnet_ids = aws_subnet.outpost[*].id +resource "aws_subnet" "intra" { + count = local.create_intra_subnets ? local.len_intra_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.intra_subnet_ipv6_native ? true : var.intra_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.intra_subnet_ipv6_native ? null : element(concat(var.intra_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.intra_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.intra_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.intra_subnet_ipv6_native && var.intra_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.intra_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.intra_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.intra_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.intra_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.outpost_subnet_suffix}" }, + { + Name = try( + var.intra_subnet_names[count.index], + format("${var.name}-${var.intra_subnet_suffix}-%s", element(var.azs, count.index)) + ) + }, var.tags, - var.outpost_acl_tags, + var.intra_subnet_tags, ) } -resource "aws_network_acl_rule" "outpost_inbound" { - count = local.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? length(var.outpost_inbound_acl_rules) : 0 +resource "aws_route_table" "intra" { + count = local.create_intra_subnets ? 1 : 0 - network_acl_id = aws_network_acl.outpost[0].id + vpc_id = local.vpc_id - egress = false - rule_number = var.outpost_inbound_acl_rules[count.index]["rule_number"] - rule_action = var.outpost_inbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.outpost_inbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.outpost_inbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_type", null) - protocol = var.outpost_inbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "ipv6_cidr_block", null) + tags = merge( + { "Name" = "${var.name}-${var.intra_subnet_suffix}" }, + var.tags, + var.intra_route_table_tags, + ) } -resource "aws_network_acl_rule" "outpost_outbound" { - count = local.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? length(var.outpost_outbound_acl_rules) : 0 - - network_acl_id = aws_network_acl.outpost[0].id +resource "aws_route_table_association" "intra" { + count = local.create_intra_subnets ? local.len_intra_subnets : 0 - egress = true - rule_number = var.outpost_outbound_acl_rules[count.index]["rule_number"] - rule_action = var.outpost_outbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.outpost_outbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.outpost_outbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_type", null) - protocol = var.outpost_outbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null) + subnet_id = element(aws_subnet.intra[*].id, count.index) + route_table_id = element(aws_route_table.intra[*].id, 0) } ################################################################################ # Intra Network ACLs ################################################################################ +locals { + create_intra_network_acl = local.create_intra_subnets && var.intra_dedicated_network_acl +} + resource "aws_network_acl" "intra" { - count = local.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0 + count = local.create_intra_network_acl ? 1 : 0 vpc_id = local.vpc_id subnet_ids = aws_subnet.intra[*].id @@ -813,7 +844,7 @@ resource "aws_network_acl" "intra" { } resource "aws_network_acl_rule" "intra_inbound" { - count = local.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0 + count = local.create_intra_network_acl ? length(var.intra_inbound_acl_rules) : 0 network_acl_id = aws_network_acl.intra[0].id @@ -830,7 +861,7 @@ resource "aws_network_acl_rule" "intra_inbound" { } resource "aws_network_acl_rule" "intra_outbound" { - count = local.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0 + count = local.create_intra_network_acl ? length(var.intra_outbound_acl_rules) : 0 network_acl_id = aws_network_acl.intra[0].id @@ -847,156 +878,141 @@ resource "aws_network_acl_rule" "intra_outbound" { } ################################################################################ -# Database Network ACLs +# Outpost Subnets ################################################################################ -resource "aws_network_acl" "database" { - count = local.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0 +locals { + create_outpost_subnets = local.create_vpc && local.len_outpost_subnets > 0 +} - vpc_id = local.vpc_id - subnet_ids = aws_subnet.database[*].id +resource "aws_subnet" "outpost" { + count = local.create_outpost_subnets ? local.len_outpost_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.outpost_subnet_ipv6_native ? true : var.outpost_subnet_assign_ipv6_address_on_creation + availability_zone = var.outpost_az + cidr_block = var.outpost_subnet_ipv6_native ? null : element(concat(var.outpost_subnets, [""]), count.index) + customer_owned_ipv4_pool = var.customer_owned_ipv4_pool + enable_dns64 = var.enable_ipv6 && var.outpost_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.outpost_subnet_ipv6_native && var.outpost_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.outpost_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.outpost_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.outpost_subnet_ipv6_native + map_customer_owned_ip_on_launch = var.map_customer_owned_ip_on_launch + outpost_arn = var.outpost_arn + private_dns_hostname_type_on_launch = var.outpost_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.database_subnet_suffix}" }, + { + Name = try( + var.outpost_subnet_names[count.index], + format("${var.name}-${var.outpost_subnet_suffix}-%s", var.outpost_az) + ) + }, var.tags, - var.database_acl_tags, + var.outpost_subnet_tags, ) } -resource "aws_network_acl_rule" "database_inbound" { - count = local.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0 - - network_acl_id = aws_network_acl.database[0].id - - egress = false - rule_number = var.database_inbound_acl_rules[count.index]["rule_number"] - rule_action = var.database_inbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.database_inbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.database_inbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null) - protocol = var.database_inbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.database_inbound_acl_rules[count.index], "ipv6_cidr_block", null) -} - -resource "aws_network_acl_rule" "database_outbound" { - count = local.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0 - - network_acl_id = aws_network_acl.database[0].id +resource "aws_route_table_association" "outpost" { + count = local.create_outpost_subnets ? local.len_outpost_subnets : 0 - egress = true - rule_number = var.database_outbound_acl_rules[count.index]["rule_number"] - rule_action = var.database_outbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.database_outbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.database_outbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null) - protocol = var.database_outbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null) + subnet_id = element(aws_subnet.outpost[*].id, count.index) + route_table_id = element( + aws_route_table.private[*].id, + var.single_nat_gateway ? 0 : count.index, + ) } ################################################################################ -# Redshift Network ACLs +# Outpost Network ACLs ################################################################################ -resource "aws_network_acl" "redshift" { - count = local.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0 +locals { + create_outpost_network_acl = local.create_outpost_subnets && var.outpost_dedicated_network_acl +} + +resource "aws_network_acl" "outpost" { + count = local.create_outpost_network_acl ? 1 : 0 vpc_id = local.vpc_id - subnet_ids = aws_subnet.redshift[*].id + subnet_ids = aws_subnet.outpost[*].id tags = merge( - { "Name" = "${var.name}-${var.redshift_subnet_suffix}" }, + { "Name" = "${var.name}-${var.outpost_subnet_suffix}" }, var.tags, - var.redshift_acl_tags, + var.outpost_acl_tags, ) } -resource "aws_network_acl_rule" "redshift_inbound" { - count = local.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0 +resource "aws_network_acl_rule" "outpost_inbound" { + count = local.create_outpost_network_acl ? length(var.outpost_inbound_acl_rules) : 0 - network_acl_id = aws_network_acl.redshift[0].id + network_acl_id = aws_network_acl.outpost[0].id egress = false - rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"] - rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null) - protocol = var.redshift_inbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "ipv6_cidr_block", null) + rule_number = var.outpost_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.outpost_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.outpost_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.outpost_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.outpost_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "ipv6_cidr_block", null) } -resource "aws_network_acl_rule" "redshift_outbound" { - count = local.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0 +resource "aws_network_acl_rule" "outpost_outbound" { + count = local.create_outpost_network_acl ? length(var.outpost_outbound_acl_rules) : 0 - network_acl_id = aws_network_acl.redshift[0].id + network_acl_id = aws_network_acl.outpost[0].id egress = true - rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"] - rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null) - protocol = var.redshift_outbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null) + rule_number = var.outpost_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.outpost_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.outpost_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.outpost_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.outpost_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } ################################################################################ -# Elasticache Network ACLs +# Internet Gateway ################################################################################ -resource "aws_network_acl" "elasticache" { - count = local.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0 +resource "aws_internet_gateway" "this" { + count = local.create_public_subnets && var.create_igw ? 1 : 0 - vpc_id = local.vpc_id - subnet_ids = aws_subnet.elasticache[*].id + vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" }, + { "Name" = var.name }, var.tags, - var.elasticache_acl_tags, + var.igw_tags, ) } -resource "aws_network_acl_rule" "elasticache_inbound" { - count = local.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0 +resource "aws_egress_only_internet_gateway" "this" { + count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0 - network_acl_id = aws_network_acl.elasticache[0].id + vpc_id = local.vpc_id - egress = false - rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"] - rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null) - protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "ipv6_cidr_block", null) + tags = merge( + { "Name" = var.name }, + var.tags, + var.igw_tags, + ) } -resource "aws_network_acl_rule" "elasticache_outbound" { - count = local.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0 - - network_acl_id = aws_network_acl.elasticache[0].id +resource "aws_route" "private_ipv6_egress" { + count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.len_private_subnets : 0 - egress = true - rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"] - rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"] - from_port = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null) - to_port = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null) - icmp_code = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null) - icmp_type = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null) - protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"] - cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block", null) - ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null) + route_table_id = element(aws_route_table.private[*].id, count.index) + destination_ipv6_cidr_block = "::/0" + egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0) } ################################################################################ @@ -1004,11 +1020,12 @@ resource "aws_network_acl_rule" "elasticache_outbound" { ################################################################################ locals { - nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : try(aws_eip.nat[*].id, []) + nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length + nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : try(aws_eip.nat[*].id, []) } resource "aws_eip" "nat" { - count = local.create_vpc && var.enable_nat_gateway && false == var.reuse_nat_ips ? local.nat_gateway_count : 0 + count = local.create_vpc && var.enable_nat_gateway && !var.reuse_nat_ips ? local.nat_gateway_count : 0 vpc = true @@ -1062,95 +1079,6 @@ resource "aws_route" "private_nat_gateway" { } } -resource "aws_route" "private_ipv6_egress" { - count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? length(var.private_subnets) : 0 - - route_table_id = element(aws_route_table.private[*].id, count.index) - destination_ipv6_cidr_block = "::/0" - egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0) -} - -################################################################################ -# Route table association -################################################################################ - -resource "aws_route_table_association" "private" { - count = local.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 - - subnet_id = element(aws_subnet.private[*].id, count.index) - route_table_id = element( - aws_route_table.private[*].id, - var.single_nat_gateway ? 0 : count.index, - ) -} - -resource "aws_route_table_association" "outpost" { - count = local.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0 - - subnet_id = element(aws_subnet.outpost[*].id, count.index) - route_table_id = element( - aws_route_table.private[*].id, - var.single_nat_gateway ? 0 : count.index, - ) -} - -resource "aws_route_table_association" "database" { - count = local.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 - - subnet_id = element(aws_subnet.database[*].id, count.index) - route_table_id = element( - coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id), - var.create_database_subnet_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 0 : count.index : count.index, - ) -} - -resource "aws_route_table_association" "redshift" { - count = local.create_vpc && length(var.redshift_subnets) > 0 && false == var.enable_public_redshift ? length(var.redshift_subnets) : 0 - - subnet_id = element(aws_subnet.redshift[*].id, count.index) - route_table_id = element( - coalescelist(aws_route_table.redshift[*].id, aws_route_table.private[*].id), - var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, - ) -} - -resource "aws_route_table_association" "redshift_public" { - count = local.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0 - - subnet_id = element(aws_subnet.redshift[*].id, count.index) - route_table_id = element( - coalescelist(aws_route_table.redshift[*].id, aws_route_table.public[*].id), - var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, - ) -} - -resource "aws_route_table_association" "elasticache" { - count = local.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 - - subnet_id = element(aws_subnet.elasticache[*].id, count.index) - route_table_id = element( - coalescelist( - aws_route_table.elasticache[*].id, - aws_route_table.private[*].id, - ), - var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index, - ) -} - -resource "aws_route_table_association" "intra" { - count = local.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 - - subnet_id = element(aws_subnet.intra[*].id, count.index) - route_table_id = element(aws_route_table.intra[*].id, 0) -} - -resource "aws_route_table_association" "public" { - count = local.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0 - - subnet_id = element(aws_subnet.public[*].id, count.index) - route_table_id = aws_route_table.public[0].id -} - ################################################################################ # Customer Gateways ################################################################################ @@ -1209,7 +1137,7 @@ resource "aws_vpn_gateway_route_propagation" "public" { } resource "aws_vpn_gateway_route_propagation" "private" { - count = local.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0 + count = local.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? local.len_private_subnets : 0 route_table_id = element(aws_route_table.private[*].id, count.index) vpn_gateway_id = element( @@ -1222,7 +1150,7 @@ resource "aws_vpn_gateway_route_propagation" "private" { } resource "aws_vpn_gateway_route_propagation" "intra" { - count = local.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.intra_subnets) : 0 + count = local.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? local.len_intra_subnets : 0 route_table_id = element(aws_route_table.intra[*].id, count.index) vpn_gateway_id = element( @@ -1235,7 +1163,7 @@ resource "aws_vpn_gateway_route_propagation" "intra" { } ################################################################################ -# Defaults +# Default VPC ################################################################################ resource "aws_default_vpc" "this" { @@ -1243,7 +1171,6 @@ resource "aws_default_vpc" "this" { enable_dns_support = var.default_vpc_enable_dns_support enable_dns_hostnames = var.default_vpc_enable_dns_hostnames - enable_classiclink = null # https://github.com/hashicorp/terraform/issues/31730 tags = merge( { "Name" = coalesce(var.default_vpc_name, "default") }, @@ -1251,3 +1178,139 @@ resource "aws_default_vpc" "this" { var.default_vpc_tags, ) } + +resource "aws_default_security_group" "this" { + count = local.create_vpc && var.manage_default_security_group ? 1 : 0 + + vpc_id = aws_vpc.this[0].id + + dynamic "ingress" { + for_each = var.default_security_group_ingress + content { + self = lookup(ingress.value, "self", null) + cidr_blocks = compact(split(",", lookup(ingress.value, "cidr_blocks", ""))) + ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", ""))) + prefix_list_ids = compact(split(",", lookup(ingress.value, "prefix_list_ids", ""))) + security_groups = compact(split(",", lookup(ingress.value, "security_groups", ""))) + description = lookup(ingress.value, "description", null) + from_port = lookup(ingress.value, "from_port", 0) + to_port = lookup(ingress.value, "to_port", 0) + protocol = lookup(ingress.value, "protocol", "-1") + } + } + + dynamic "egress" { + for_each = var.default_security_group_egress + content { + self = lookup(egress.value, "self", null) + cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", ""))) + ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", ""))) + prefix_list_ids = compact(split(",", lookup(egress.value, "prefix_list_ids", ""))) + security_groups = compact(split(",", lookup(egress.value, "security_groups", ""))) + description = lookup(egress.value, "description", null) + from_port = lookup(egress.value, "from_port", 0) + to_port = lookup(egress.value, "to_port", 0) + protocol = lookup(egress.value, "protocol", "-1") + } + } + + tags = merge( + { "Name" = coalesce(var.default_security_group_name, "${var.name}-default") }, + var.tags, + var.default_security_group_tags, + ) +} + +################################################################################ +# Default Network ACLs +################################################################################ + +resource "aws_default_network_acl" "this" { + count = local.create_vpc && var.manage_default_network_acl ? 1 : 0 + + default_network_acl_id = aws_vpc.this[0].default_network_acl_id + + # subnet_ids is using lifecycle ignore_changes, so it is not necessary to list + # any explicitly. See https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/736 + subnet_ids = null + + dynamic "ingress" { + for_each = var.default_network_acl_ingress + content { + action = ingress.value.action + cidr_block = lookup(ingress.value, "cidr_block", null) + from_port = ingress.value.from_port + icmp_code = lookup(ingress.value, "icmp_code", null) + icmp_type = lookup(ingress.value, "icmp_type", null) + ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null) + protocol = ingress.value.protocol + rule_no = ingress.value.rule_no + to_port = ingress.value.to_port + } + } + dynamic "egress" { + for_each = var.default_network_acl_egress + content { + action = egress.value.action + cidr_block = lookup(egress.value, "cidr_block", null) + from_port = egress.value.from_port + icmp_code = lookup(egress.value, "icmp_code", null) + icmp_type = lookup(egress.value, "icmp_type", null) + ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null) + protocol = egress.value.protocol + rule_no = egress.value.rule_no + to_port = egress.value.to_port + } + } + + tags = merge( + { "Name" = coalesce(var.default_network_acl_name, "${var.name}-default") }, + var.tags, + var.default_network_acl_tags, + ) + + lifecycle { + ignore_changes = [subnet_ids] + } +} + +################################################################################ +# Default Route +################################################################################ + +resource "aws_default_route_table" "default" { + count = local.create_vpc && var.manage_default_route_table ? 1 : 0 + + default_route_table_id = aws_vpc.this[0].default_route_table_id + propagating_vgws = var.default_route_table_propagating_vgws + + dynamic "route" { + for_each = var.default_route_table_routes + content { + # One of the following destinations must be provided + cidr_block = route.value.cidr_block + ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null) + + # One of the following targets must be provided + egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null) + gateway_id = lookup(route.value, "gateway_id", null) + instance_id = lookup(route.value, "instance_id", null) + nat_gateway_id = lookup(route.value, "nat_gateway_id", null) + network_interface_id = lookup(route.value, "network_interface_id", null) + transit_gateway_id = lookup(route.value, "transit_gateway_id", null) + vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null) + vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null) + } + } + + timeouts { + create = "5m" + update = "5m" + } + + tags = merge( + { "Name" = coalesce(var.default_route_table_name, "${var.name}-default") }, + var.tags, + var.default_route_table_tags, + ) +} diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index e5d758b2b..dbeea14ba 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md @@ -55,14 +55,14 @@ module "endpoints" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.28 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.35 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.28 | +| [aws](#provider\_aws) | >= 4.35 | ## Modules diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf index ab4d354a9..4d4bddd64 100644 --- a/modules/vpc-endpoints/versions.tf +++ b/modules/vpc-endpoints/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.28" + version = ">= 4.35" } } } diff --git a/outputs.tf b/outputs.tf index 9d93dda4b..1d59daa36 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,61 +1,71 @@ +locals { + redshift_route_table_ids = aws_route_table.redshift[*].id + public_route_table_ids = aws_route_table.public[*].id + private_route_table_ids = aws_route_table.private[*].id +} + +################################################################################ +# VPC +################################################################################ + output "vpc_id" { description = "The ID of the VPC" - value = try(aws_vpc.this[0].id, "") + value = try(aws_vpc.this[0].id, null) } output "vpc_arn" { description = "The ARN of the VPC" - value = try(aws_vpc.this[0].arn, "") + value = try(aws_vpc.this[0].arn, null) } output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = try(aws_vpc.this[0].cidr_block, "") + value = try(aws_vpc.this[0].cidr_block, null) } output "default_security_group_id" { description = "The ID of the security group created by default on VPC creation" - value = try(aws_vpc.this[0].default_security_group_id, "") + value = try(aws_vpc.this[0].default_security_group_id, null) } output "default_network_acl_id" { description = "The ID of the default network ACL" - value = try(aws_vpc.this[0].default_network_acl_id, "") + value = try(aws_vpc.this[0].default_network_acl_id, null) } output "default_route_table_id" { description = "The ID of the default route table" - value = try(aws_vpc.this[0].default_route_table_id, "") + value = try(aws_vpc.this[0].default_route_table_id, null) } output "vpc_instance_tenancy" { description = "Tenancy of instances spin up within VPC" - value = try(aws_vpc.this[0].instance_tenancy, "") + value = try(aws_vpc.this[0].instance_tenancy, null) } output "vpc_enable_dns_support" { description = "Whether or not the VPC has DNS support" - value = try(aws_vpc.this[0].enable_dns_support, "") + value = try(aws_vpc.this[0].enable_dns_support, null) } output "vpc_enable_dns_hostnames" { description = "Whether or not the VPC has DNS hostname support" - value = try(aws_vpc.this[0].enable_dns_hostnames, "") + value = try(aws_vpc.this[0].enable_dns_hostnames, null) } output "vpc_main_route_table_id" { description = "The ID of the main route table associated with this VPC" - value = try(aws_vpc.this[0].main_route_table_id, "") + value = try(aws_vpc.this[0].main_route_table_id, null) } output "vpc_ipv6_association_id" { description = "The association ID for the IPv6 CIDR block" - value = try(aws_vpc.this[0].ipv6_association_id, "") + value = try(aws_vpc.this[0].ipv6_association_id, null) } output "vpc_ipv6_cidr_block" { description = "The IPv6 CIDR block" - value = try(aws_vpc.this[0].ipv6_cidr_block, "") + value = try(aws_vpc.this[0].ipv6_cidr_block, null) } output "vpc_secondary_cidr_blocks" { @@ -65,9 +75,90 @@ output "vpc_secondary_cidr_blocks" { output "vpc_owner_id" { description = "The ID of the AWS account that owns the VPC" - value = try(aws_vpc.this[0].owner_id, "") + value = try(aws_vpc.this[0].owner_id, null) +} + +################################################################################ +# DHCP Options Set +################################################################################ + +output "dhcp_options_id" { + description = "The ID of the DHCP options" + value = try(aws_vpc_dhcp_options.this[0].id, null) +} + +################################################################################ +# Internet Gateway +################################################################################ + +output "igw_id" { + description = "The ID of the Internet Gateway" + value = try(aws_internet_gateway.this[0].id, null) +} + +output "igw_arn" { + description = "The ARN of the Internet Gateway" + value = try(aws_internet_gateway.this[0].arn, null) } +################################################################################ +# Publiс Subnets +################################################################################ + +output "public_subnets" { + description = "List of IDs of public subnets" + value = aws_subnet.public[*].id +} + +output "public_subnet_arns" { + description = "List of ARNs of public subnets" + value = aws_subnet.public[*].arn +} + +output "public_subnets_cidr_blocks" { + description = "List of cidr_blocks of public subnets" + value = compact(aws_subnet.public[*].cidr_block) +} + +output "public_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC" + value = compact(aws_subnet.public[*].ipv6_cidr_block) +} + +output "public_route_table_ids" { + description = "List of IDs of public route tables" + value = local.public_route_table_ids +} + +output "public_internet_gateway_route_id" { + description = "ID of the internet gateway route" + value = try(aws_route.public_internet_gateway[0].id, null) +} + +output "public_internet_gateway_ipv6_route_id" { + description = "ID of the IPv6 internet gateway route" + value = try(aws_route.public_internet_gateway_ipv6[0].id, null) +} + +output "public_route_table_association_ids" { + description = "List of IDs of the public route table association" + value = aws_route_table_association.public[*].id +} + +output "public_network_acl_id" { + description = "ID of the public network ACL" + value = try(aws_network_acl.public[0].id, null) +} + +output "public_network_acl_arn" { + description = "ARN of the public network ACL" + value = try(aws_network_acl.public[0].arn, null) +} + +################################################################################ +# Private Subnets +################################################################################ + output "private_subnets" { description = "List of IDs of private subnets" value = aws_subnet.private[*].id @@ -88,26 +179,40 @@ output "private_subnets_ipv6_cidr_blocks" { value = compact(aws_subnet.private[*].ipv6_cidr_block) } -output "public_subnets" { - description = "List of IDs of public subnets" - value = aws_subnet.public[*].id +output "private_route_table_ids" { + description = "List of IDs of private route tables" + value = local.private_route_table_ids } -output "public_subnet_arns" { - description = "List of ARNs of public subnets" - value = aws_subnet.public[*].arn +output "private_nat_gateway_route_ids" { + description = "List of IDs of the private nat gateway route" + value = aws_route.private_nat_gateway[*].id } -output "public_subnets_cidr_blocks" { - description = "List of cidr_blocks of public subnets" - value = compact(aws_subnet.public[*].cidr_block) +output "private_ipv6_egress_route_ids" { + description = "List of IDs of the ipv6 egress route" + value = aws_route.private_ipv6_egress[*].id } -output "public_subnets_ipv6_cidr_blocks" { - description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC" - value = compact(aws_subnet.public[*].ipv6_cidr_block) +output "private_route_table_association_ids" { + description = "List of IDs of the private route table association" + value = aws_route_table_association.private[*].id +} + +output "private_network_acl_id" { + description = "ID of the private network ACL" + value = try(aws_network_acl.private[0].id, null) } +output "private_network_acl_arn" { + description = "ARN of the private network ACL" + value = try(aws_network_acl.private[0].arn, null) +} + +################################################################################ +# Outpost Subnets +################################################################################ + output "outpost_subnets" { description = "List of IDs of outpost subnets" value = aws_subnet.outpost[*].id @@ -128,6 +233,20 @@ output "outpost_subnets_ipv6_cidr_blocks" { value = compact(aws_subnet.outpost[*].ipv6_cidr_block) } +output "outpost_network_acl_id" { + description = "ID of the outpost network ACL" + value = try(aws_network_acl.outpost[0].id, null) +} + +output "outpost_network_acl_arn" { + description = "ARN of the outpost network ACL" + value = try(aws_network_acl.outpost[0].arn, null) +} + +################################################################################ +# Database Subnets +################################################################################ + output "database_subnets" { description = "List of IDs of database subnets" value = aws_subnet.database[*].id @@ -150,14 +269,53 @@ output "database_subnets_ipv6_cidr_blocks" { output "database_subnet_group" { description = "ID of database subnet group" - value = try(aws_db_subnet_group.database[0].id, "") + value = try(aws_db_subnet_group.database[0].id, null) } output "database_subnet_group_name" { description = "Name of database subnet group" - value = try(aws_db_subnet_group.database[0].name, "") + value = try(aws_db_subnet_group.database[0].name, null) +} + +output "database_route_table_ids" { + description = "List of IDs of database route tables" + value = try(coalescelist(aws_route_table.database[*].id, local.private_route_table_ids), []) +} + +output "database_internet_gateway_route_id" { + description = "ID of the database internet gateway route" + value = try(aws_route.database_internet_gateway[0].id, null) +} + +output "database_nat_gateway_route_ids" { + description = "List of IDs of the database nat gateway route" + value = aws_route.database_nat_gateway[*].id +} + +output "database_ipv6_egress_route_id" { + description = "ID of the database IPv6 egress route" + value = try(aws_route.database_ipv6_egress[0].id, null) +} + +output "database_route_table_association_ids" { + description = "List of IDs of the database route table association" + value = aws_route_table_association.database[*].id } +output "database_network_acl_id" { + description = "ID of the database network ACL" + value = try(aws_network_acl.database[0].id, null) +} + +output "database_network_acl_arn" { + description = "ARN of the database network ACL" + value = try(aws_network_acl.database[0].arn, null) +} + +################################################################################ +# Redshift Subnets +################################################################################ + output "redshift_subnets" { description = "List of IDs of redshift subnets" value = aws_subnet.redshift[*].id @@ -180,9 +338,38 @@ output "redshift_subnets_ipv6_cidr_blocks" { output "redshift_subnet_group" { description = "ID of redshift subnet group" - value = try(aws_redshift_subnet_group.redshift[0].id, "") + value = try(aws_redshift_subnet_group.redshift[0].id, null) +} + +output "redshift_route_table_ids" { + description = "List of IDs of redshift route tables" + value = length(local.redshift_route_table_ids) > 0 ? local.redshift_route_table_ids : (var.enable_public_redshift ? local.public_route_table_ids : local.private_route_table_ids) +} + +output "redshift_route_table_association_ids" { + description = "List of IDs of the redshift route table association" + value = aws_route_table_association.redshift[*].id +} + +output "redshift_public_route_table_association_ids" { + description = "List of IDs of the public redshift route table association" + value = aws_route_table_association.redshift_public[*].id +} + +output "redshift_network_acl_id" { + description = "ID of the redshift network ACL" + value = try(aws_network_acl.redshift[0].id, null) } +output "redshift_network_acl_arn" { + description = "ARN of the redshift network ACL" + value = try(aws_network_acl.redshift[0].arn, null) +} + +################################################################################ +# Elasticache Subnets +################################################################################ + output "elasticache_subnets" { description = "List of IDs of elasticache subnets" value = aws_subnet.elasticache[*].id @@ -203,124 +390,63 @@ output "elasticache_subnets_ipv6_cidr_blocks" { value = compact(aws_subnet.elasticache[*].ipv6_cidr_block) } -output "intra_subnets" { - description = "List of IDs of intra subnets" - value = aws_subnet.intra[*].id -} - -output "intra_subnet_arns" { - description = "List of ARNs of intra subnets" - value = aws_subnet.intra[*].arn -} - -output "intra_subnets_cidr_blocks" { - description = "List of cidr_blocks of intra subnets" - value = compact(aws_subnet.intra[*].cidr_block) -} - -output "intra_subnets_ipv6_cidr_blocks" { - description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC" - value = compact(aws_subnet.intra[*].ipv6_cidr_block) -} - output "elasticache_subnet_group" { description = "ID of elasticache subnet group" - value = try(aws_elasticache_subnet_group.elasticache[0].id, "") + value = try(aws_elasticache_subnet_group.elasticache[0].id, null) } output "elasticache_subnet_group_name" { description = "Name of elasticache subnet group" - value = try(aws_elasticache_subnet_group.elasticache[0].name, "") -} - -output "public_route_table_ids" { - description = "List of IDs of public route tables" - value = aws_route_table.public[*].id -} - -output "private_route_table_ids" { - description = "List of IDs of private route tables" - value = aws_route_table.private[*].id -} - -output "database_route_table_ids" { - description = "List of IDs of database route tables" - value = try(coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id), []) -} - -output "redshift_route_table_ids" { - description = "List of IDs of redshift route tables" - value = length(aws_route_table.redshift[*].id) > 0 ? aws_route_table.redshift[*].id : (var.enable_public_redshift ? aws_route_table.public[*].id : aws_route_table.private[*].id) + value = try(aws_elasticache_subnet_group.elasticache[0].name, null) } output "elasticache_route_table_ids" { description = "List of IDs of elasticache route tables" - value = try(coalescelist(aws_route_table.elasticache[*].id, aws_route_table.private[*].id), []) -} - -output "intra_route_table_ids" { - description = "List of IDs of intra route tables" - value = aws_route_table.intra[*].id -} - -output "public_internet_gateway_route_id" { - description = "ID of the internet gateway route" - value = try(aws_route.public_internet_gateway[0].id, "") -} - -output "public_internet_gateway_ipv6_route_id" { - description = "ID of the IPv6 internet gateway route" - value = try(aws_route.public_internet_gateway_ipv6[0].id, "") -} - -output "database_internet_gateway_route_id" { - description = "ID of the database internet gateway route" - value = try(aws_route.database_internet_gateway[0].id, "") + value = try(coalescelist(aws_route_table.elasticache[*].id, local.private_route_table_ids), []) } -output "database_nat_gateway_route_ids" { - description = "List of IDs of the database nat gateway route" - value = aws_route.database_nat_gateway[*].id +output "elasticache_route_table_association_ids" { + description = "List of IDs of the elasticache route table association" + value = aws_route_table_association.elasticache[*].id } -output "database_ipv6_egress_route_id" { - description = "ID of the database IPv6 egress route" - value = try(aws_route.database_ipv6_egress[0].id, "") +output "elasticache_network_acl_id" { + description = "ID of the elasticache network ACL" + value = try(aws_network_acl.elasticache[0].id, null) } -output "private_nat_gateway_route_ids" { - description = "List of IDs of the private nat gateway route" - value = aws_route.private_nat_gateway[*].id +output "elasticache_network_acl_arn" { + description = "ARN of the elasticache network ACL" + value = try(aws_network_acl.elasticache[0].arn, null) } -output "private_ipv6_egress_route_ids" { - description = "List of IDs of the ipv6 egress route" - value = aws_route.private_ipv6_egress[*].id -} +################################################################################ +# Intra Subnets +################################################################################ -output "private_route_table_association_ids" { - description = "List of IDs of the private route table association" - value = aws_route_table_association.private[*].id +output "intra_subnets" { + description = "List of IDs of intra subnets" + value = aws_subnet.intra[*].id } -output "database_route_table_association_ids" { - description = "List of IDs of the database route table association" - value = aws_route_table_association.database[*].id +output "intra_subnet_arns" { + description = "List of ARNs of intra subnets" + value = aws_subnet.intra[*].arn } -output "redshift_route_table_association_ids" { - description = "List of IDs of the redshift route table association" - value = aws_route_table_association.redshift[*].id +output "intra_subnets_cidr_blocks" { + description = "List of cidr_blocks of intra subnets" + value = compact(aws_subnet.intra[*].cidr_block) } -output "redshift_public_route_table_association_ids" { - description = "List of IDs of the public redshift route table association" - value = aws_route_table_association.redshift_public[*].id +output "intra_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC" + value = compact(aws_subnet.intra[*].ipv6_cidr_block) } -output "elasticache_route_table_association_ids" { - description = "List of IDs of the elasticache route table association" - value = aws_route_table_association.elasticache[*].id +output "intra_route_table_ids" { + description = "List of IDs of intra route tables" + value = aws_route_table.intra[*].id } output "intra_route_table_association_ids" { @@ -328,16 +454,20 @@ output "intra_route_table_association_ids" { value = aws_route_table_association.intra[*].id } -output "public_route_table_association_ids" { - description = "List of IDs of the public route table association" - value = aws_route_table_association.public[*].id +output "intra_network_acl_id" { + description = "ID of the intra network ACL" + value = try(aws_network_acl.intra[0].id, null) } -output "dhcp_options_id" { - description = "The ID of the DHCP options" - value = try(aws_vpc_dhcp_options.this[0].id, "") +output "intra_network_acl_arn" { + description = "ARN of the intra network ACL" + value = try(aws_network_acl.intra[0].arn, null) } +################################################################################ +# NAT Gateway +################################################################################ + output "nat_ids" { description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway" value = aws_eip.nat[*].id @@ -353,21 +483,19 @@ output "natgw_ids" { value = aws_nat_gateway.this[*].id } -output "igw_id" { - description = "The ID of the Internet Gateway" - value = try(aws_internet_gateway.this[0].id, "") -} - -output "igw_arn" { - description = "The ARN of the Internet Gateway" - value = try(aws_internet_gateway.this[0].arn, "") -} +################################################################################ +# Egress Only Gateway +################################################################################ output "egress_only_internet_gateway_id" { description = "The ID of the egress only Internet Gateway" - value = try(aws_egress_only_internet_gateway.this[0].id, "") + value = try(aws_egress_only_internet_gateway.this[0].id, null) } +################################################################################ +# Customer Gateway +################################################################################ + output "cgw_ids" { description = "List of IDs of Customer Gateway" value = [for k, v in aws_customer_gateway.this : v.id] @@ -383,140 +511,81 @@ output "this_customer_gateway" { value = aws_customer_gateway.this } +################################################################################ +# VPN Gateway +################################################################################ + output "vgw_id" { description = "The ID of the VPN Gateway" - value = try(aws_vpn_gateway.this[0].id, aws_vpn_gateway_attachment.this[0].vpn_gateway_id, "") + value = try(aws_vpn_gateway.this[0].id, aws_vpn_gateway_attachment.this[0].vpn_gateway_id, null) } output "vgw_arn" { description = "The ARN of the VPN Gateway" - value = try(aws_vpn_gateway.this[0].arn, "") + value = try(aws_vpn_gateway.this[0].arn, null) } +################################################################################ +# Default VPC +################################################################################ + output "default_vpc_id" { description = "The ID of the Default VPC" - value = try(aws_default_vpc.this[0].id, "") + value = try(aws_default_vpc.this[0].id, null) } output "default_vpc_arn" { description = "The ARN of the Default VPC" - value = try(aws_default_vpc.this[0].arn, "") + value = try(aws_default_vpc.this[0].arn, null) } output "default_vpc_cidr_block" { description = "The CIDR block of the Default VPC" - value = try(aws_default_vpc.this[0].cidr_block, "") + value = try(aws_default_vpc.this[0].cidr_block, null) } output "default_vpc_default_security_group_id" { description = "The ID of the security group created by default on Default VPC creation" - value = try(aws_default_vpc.this[0].default_security_group_id, "") + value = try(aws_default_vpc.this[0].default_security_group_id, null) } output "default_vpc_default_network_acl_id" { description = "The ID of the default network ACL of the Default VPC" - value = try(aws_default_vpc.this[0].default_network_acl_id, "") + value = try(aws_default_vpc.this[0].default_network_acl_id, null) } output "default_vpc_default_route_table_id" { description = "The ID of the default route table of the Default VPC" - value = try(aws_default_vpc.this[0].default_route_table_id, "") + value = try(aws_default_vpc.this[0].default_route_table_id, null) } output "default_vpc_instance_tenancy" { description = "Tenancy of instances spin up within Default VPC" - value = try(aws_default_vpc.this[0].instance_tenancy, "") + value = try(aws_default_vpc.this[0].instance_tenancy, null) } output "default_vpc_enable_dns_support" { description = "Whether or not the Default VPC has DNS support" - value = try(aws_default_vpc.this[0].enable_dns_support, "") + value = try(aws_default_vpc.this[0].enable_dns_support, null) } output "default_vpc_enable_dns_hostnames" { description = "Whether or not the Default VPC has DNS hostname support" - value = try(aws_default_vpc.this[0].enable_dns_hostnames, "") + value = try(aws_default_vpc.this[0].enable_dns_hostnames, null) } output "default_vpc_main_route_table_id" { description = "The ID of the main route table associated with the Default VPC" - value = try(aws_default_vpc.this[0].main_route_table_id, "") -} - -output "public_network_acl_id" { - description = "ID of the public network ACL" - value = try(aws_network_acl.public[0].id, "") -} - -output "public_network_acl_arn" { - description = "ARN of the public network ACL" - value = try(aws_network_acl.public[0].arn, "") -} - -output "private_network_acl_id" { - description = "ID of the private network ACL" - value = try(aws_network_acl.private[0].id, "") -} - -output "private_network_acl_arn" { - description = "ARN of the private network ACL" - value = try(aws_network_acl.private[0].arn, "") -} - -output "outpost_network_acl_id" { - description = "ID of the outpost network ACL" - value = try(aws_network_acl.outpost[0].id, "") -} - -output "outpost_network_acl_arn" { - description = "ARN of the outpost network ACL" - value = try(aws_network_acl.outpost[0].arn, "") -} - -output "intra_network_acl_id" { - description = "ID of the intra network ACL" - value = try(aws_network_acl.intra[0].id, "") -} - -output "intra_network_acl_arn" { - description = "ARN of the intra network ACL" - value = try(aws_network_acl.intra[0].arn, "") -} - -output "database_network_acl_id" { - description = "ID of the database network ACL" - value = try(aws_network_acl.database[0].id, "") + value = try(aws_default_vpc.this[0].main_route_table_id, null) } -output "database_network_acl_arn" { - description = "ARN of the database network ACL" - value = try(aws_network_acl.database[0].arn, "") -} +################################################################################ +# VPC Flow Log +################################################################################ -output "redshift_network_acl_id" { - description = "ID of the redshift network ACL" - value = try(aws_network_acl.redshift[0].id, "") -} - -output "redshift_network_acl_arn" { - description = "ARN of the redshift network ACL" - value = try(aws_network_acl.redshift[0].arn, "") -} - -output "elasticache_network_acl_id" { - description = "ID of the elasticache network ACL" - value = try(aws_network_acl.elasticache[0].id, "") -} - -output "elasticache_network_acl_arn" { - description = "ARN of the elasticache network ACL" - value = try(aws_network_acl.elasticache[0].arn, "") -} - -# VPC flow log output "vpc_flow_log_id" { description = "The ID of the Flow Log resource" - value = try(aws_flow_log.this[0].id, "") + value = try(aws_flow_log.this[0].id, null) } output "vpc_flow_log_destination_arn" { @@ -534,7 +603,10 @@ output "vpc_flow_log_cloudwatch_iam_role_arn" { value = local.flow_log_iam_role_arn } +################################################################################ # Static values (arguments) +################################################################################ + output "azs" { description = "A list of availability zones specified as argument to this module" value = var.azs diff --git a/variables.tf b/variables.tf index 4bd5da093..148ce3f19 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,7 @@ +################################################################################ +# VPC +################################################################################ + variable "create_vpc" { description = "Controls if VPC should be created (it affects almost all resources)" type = bool @@ -13,200 +17,154 @@ variable "name" { variable "cidr" { description = "(Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`" type = string - default = "0.0.0.0/0" -} - -variable "enable_ipv6" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block." - type = bool - default = false -} - -variable "private_subnet_ipv6_prefixes" { - description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "public_subnet_ipv6_prefixes" { - description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "outpost_subnet_ipv6_prefixes" { - description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "database_subnet_ipv6_prefixes" { - description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] + default = "10.0.0.0/16" } -variable "redshift_subnet_ipv6_prefixes" { - description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" +variable "secondary_cidr_blocks" { + description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool" type = list(string) default = [] } -variable "elasticache_subnet_ipv6_prefixes" { - description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] +variable "instance_tenancy" { + description = "A tenancy option for instances launched into the VPC" + type = string + default = "default" } -variable "intra_subnet_ipv6_prefixes" { - description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" +variable "azs" { + description = "A list of availability zones names or ids in the region" type = list(string) default = [] } -variable "assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" +variable "enable_dns_hostnames" { + description = "Should be true to enable DNS hostnames in the VPC" type = bool - default = false + default = true } -variable "private_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" +variable "enable_dns_support" { + description = "Should be true to enable DNS support in the VPC" type = bool - default = null + default = true } -variable "public_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" +variable "enable_network_address_usage_metrics" { + description = "Determines whether network address usage metrics are enabled for the VPC" type = bool default = null } -variable "outpost_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" +variable "use_ipam_pool" { + description = "Determines whether IPAM pool is used for CIDR allocation" type = bool - default = null + default = false } -variable "database_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool +variable "ipv4_ipam_pool_id" { + description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR" + type = string default = null } -variable "redshift_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool +variable "ipv4_netmask_length" { + description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id" + type = number default = null } -variable "elasticache_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" +variable "enable_ipv6" { + description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block" type = bool - default = null + default = false } -variable "intra_subnet_assign_ipv6_address_on_creation" { - description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch" - type = bool +variable "ipv6_cidr" { + description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`" + type = string default = null } -variable "secondary_cidr_blocks" { - description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool" - type = list(string) - default = [] -} - -variable "instance_tenancy" { - description = "A tenancy option for instances launched into the VPC" +variable "ipv6_ipam_pool_id" { + description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`" type = string - default = "default" + default = null } -variable "public_subnet_suffix" { - description = "Suffix to append to public subnets name" - type = string - default = "public" +variable "ipv6_netmask_length" { + description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`" + type = number + default = null } -variable "private_subnet_suffix" { - description = "Suffix to append to private subnets name" +variable "ipv6_cidr_block_network_border_group" { + description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones" type = string - default = "private" + default = null } -variable "public_subnet_names" { - description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated." - type = list(string) - default = [] +variable "vpc_tags" { + description = "Additional tags for the VPC" + type = map(string) + default = {} } -variable "private_subnet_names" { - description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated." - type = list(string) - default = [] +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} } -variable "outpost_subnet_names" { - description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated." - type = list(string) - default = [] +################################################################################ +# DHCP Options Set +################################################################################ + +variable "enable_dhcp_options" { + description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type" + type = bool + default = false } -variable "intra_subnet_names" { - description = "Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated." - type = list(string) - default = [] +variable "dhcp_options_domain_name" { + description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" + type = string + default = "" } -variable "database_subnet_names" { - description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated." +variable "dhcp_options_domain_name_servers" { + description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" type = list(string) - default = [] + default = ["AmazonProvidedDNS"] } -variable "redshift_subnet_names" { - description = "Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated." +variable "dhcp_options_ntp_servers" { + description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" type = list(string) default = [] } -variable "elasticache_subnet_names" { - description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated." +variable "dhcp_options_netbios_name_servers" { + description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" type = list(string) default = [] } -variable "outpost_subnet_suffix" { - description = "Suffix to append to outpost subnets name" - type = string - default = "outpost" -} - -variable "intra_subnet_suffix" { - description = "Suffix to append to intra subnets name" - type = string - default = "intra" -} - -variable "database_subnet_suffix" { - description = "Suffix to append to database subnets name" +variable "dhcp_options_netbios_node_type" { + description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" type = string - default = "db" + default = "" } -variable "redshift_subnet_suffix" { - description = "Suffix to append to redshift subnets name" - type = string - default = "redshift" +variable "dhcp_options_tags" { + description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" + type = map(string) + default = {} } -variable "elasticache_subnet_suffix" { - description = "Suffix to append to elasticache subnets name" - type = string - default = "elasticache" -} +################################################################################ +# Publiс Subnets +################################################################################ variable "public_subnets" { description = "A list of public subnets inside the VPC" @@ -214,683 +172,803 @@ variable "public_subnets" { default = [] } -variable "private_subnets" { - description = "A list of private subnets inside the VPC" - type = list(string) - default = [] -} - -variable "outpost_subnets" { - description = "A list of outpost subnets inside the VPC" - type = list(string) - default = [] +variable "public_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false } -variable "database_subnets" { - description = "A list of database subnets" - type = list(string) - default = [] +variable "public_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true } -variable "redshift_subnets" { - description = "A list of redshift subnets" - type = list(string) - default = [] +variable "public_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true } -variable "elasticache_subnets" { - description = "A list of elasticache subnets" - type = list(string) - default = [] +variable "public_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false } -variable "intra_subnets" { - description = "A list of intra subnets" +variable "public_subnet_ipv6_prefixes" { + description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" type = list(string) default = [] } -variable "create_database_subnet_route_table" { - description = "Controls if separate route table for database should be created" +variable "public_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" type = bool default = false } -variable "create_redshift_subnet_route_table" { - description = "Controls if separate route table for redshift should be created" +variable "map_public_ip_on_launch" { + description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false`" type = bool default = false } -variable "enable_public_redshift" { - description = "Controls if redshift should have public routing table" - type = bool - default = false +variable "public_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null } -variable "create_elasticache_subnet_route_table" { - description = "Controls if separate route table for elasticache should be created" - type = bool - default = false +variable "public_subnet_names" { + description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated" + type = list(string) + default = [] } -variable "create_database_subnet_group" { - description = "Controls if database subnet group should be created (n.b. database_subnets must also be set)" - type = bool - default = true +variable "public_subnet_suffix" { + description = "Suffix to append to public subnets name" + type = string + default = "public" } -variable "create_elasticache_subnet_group" { - description = "Controls if elasticache subnet group should be created" - type = bool - default = true +variable "public_subnet_tags" { + description = "Additional tags for the public subnets" + type = map(string) + default = {} } -variable "create_redshift_subnet_group" { - description = "Controls if redshift subnet group should be created" - type = bool - default = true +variable "public_subnet_tags_per_az" { + description = "Additional tags for the public subnets where the primary key is the AZ" + type = map(map(string)) + default = {} } -variable "create_database_internet_gateway_route" { - description = "Controls if an internet gateway route for public database access should be created" +variable "public_route_table_tags" { + description = "Additional tags for the public route tables" + type = map(string) + default = {} +} + +################################################################################ +# Public Network ACLs +################################################################################ + +variable "public_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" type = bool default = false } -variable "create_database_nat_gateway_route" { - description = "Controls if a nat gateway route should be created to give internet access to the database subnets" - type = bool - default = false +variable "public_inbound_acl_rules" { + description = "Public subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "azs" { - description = "A list of availability zones names or ids in the region" +variable "public_outbound_acl_rules" { + description = "Public subnets outbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "public_acl_tags" { + description = "Additional tags for the public subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Private Subnets +################################################################################ + +variable "private_subnets" { + description = "A list of private subnets inside the VPC" type = list(string) default = [] } -variable "enable_dns_hostnames" { - description = "Should be true to enable DNS hostnames in the VPC" +variable "private_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" type = bool default = false } -variable "enable_dns_support" { - description = "Should be true to enable DNS support in the VPC" +variable "private_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" type = bool default = true } -# tflint-ignore: terraform_unused_declarations -variable "enable_classiclink" { - description = "[DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic." - type = bool - default = null -} - -# tflint-ignore: terraform_unused_declarations -variable "enable_classiclink_dns_support" { - description = "[DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic." +variable "private_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" type = bool - default = null + default = true } -variable "enable_nat_gateway" { - description = "Should be true if you want to provision NAT Gateways for each of your private networks" +variable "private_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" type = bool default = false } -variable "nat_gateway_destination_cidr_block" { - description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route." - type = string - default = "0.0.0.0/0" -} - -variable "single_nat_gateway" { - description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks" - type = bool - default = false +variable "private_subnet_ipv6_prefixes" { + description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] } -variable "one_nat_gateway_per_az" { - description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`." +variable "private_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" type = bool default = false } -variable "reuse_nat_ips" { - description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable" - type = bool - default = false +variable "private_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null } -variable "external_nat_ip_ids" { - description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)" +variable "private_subnet_names" { + description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated" type = list(string) default = [] } -variable "external_nat_ips" { - description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)" - type = list(string) - default = [] +variable "private_subnet_suffix" { + description = "Suffix to append to private subnets name" + type = string + default = "private" } -variable "map_public_ip_on_launch" { - description = "Should be false if you do not want to auto-assign public IP on launch" - type = bool - default = true +variable "private_subnet_tags" { + description = "Additional tags for the private subnets" + type = map(string) + default = {} } -variable "customer_gateways" { - description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)" - type = map(map(any)) +variable "private_subnet_tags_per_az" { + description = "Additional tags for the private subnets where the primary key is the AZ" + type = map(map(string)) default = {} } -variable "enable_vpn_gateway" { - description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" +variable "private_route_table_tags" { + description = "Additional tags for the private route tables" + type = map(string) + default = {} +} + +################################################################################ +# Private Network ACLs +################################################################################ + +variable "private_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" type = bool default = false } -variable "vpn_gateway_id" { - description = "ID of VPN Gateway to attach to the VPC" - type = string - default = "" +variable "private_inbound_acl_rules" { + description = "Private subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "amazon_side_asn" { - description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN." - type = string - default = "64512" +variable "private_outbound_acl_rules" { + description = "Private subnets outbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "vpn_gateway_az" { - description = "The Availability Zone for the VPN Gateway" - type = string - default = null +variable "private_acl_tags" { + description = "Additional tags for the private subnets network ACL" + type = map(string) + default = {} } -variable "propagate_intra_route_tables_vgw" { - description = "Should be true if you want route table propagation" +################################################################################ +# Database Subnets +################################################################################ + +variable "database_subnets" { + description = "A list of database subnets inside the VPC" + type = list(string) + default = [] +} + +variable "database_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" type = bool default = false } -variable "propagate_private_route_tables_vgw" { - description = "Should be true if you want route table propagation" +variable "database_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" type = bool - default = false + default = true } -variable "propagate_public_route_tables_vgw" { - description = "Should be true if you want route table propagation" +variable "database_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "database_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" type = bool default = false } -variable "manage_default_route_table" { - description = "Should be true to manage default route table" +variable "database_subnet_ipv6_prefixes" { + description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "database_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" type = bool default = false } -variable "default_route_table_name" { - description = "Name to be used on the default route table" +variable "database_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" type = string default = null } -variable "default_route_table_propagating_vgws" { - description = "List of virtual gateways for propagation" +variable "database_subnet_names" { + description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated" type = list(string) default = [] } -variable "default_route_table_routes" { - description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route" - type = list(map(string)) - default = [] +variable "database_subnet_suffix" { + description = "Suffix to append to database subnets name" + type = string + default = "db" } -variable "default_route_table_tags" { - description = "Additional tags for the default route table" - type = map(string) - default = {} +variable "create_database_subnet_route_table" { + description = "Controls if separate route table for database should be created" + type = bool + default = false } -variable "tags" { - description = "A map of tags to add to all resources" - type = map(string) - default = {} +variable "create_database_internet_gateway_route" { + description = "Controls if an internet gateway route for public database access should be created" + type = bool + default = false } -variable "vpc_tags" { - description = "Additional tags for the VPC" - type = map(string) - default = {} +variable "create_database_nat_gateway_route" { + description = "Controls if a nat gateway route should be created to give internet access to the database subnets" + type = bool + default = false } -variable "igw_tags" { - description = "Additional tags for the internet gateway" +variable "database_route_table_tags" { + description = "Additional tags for the database route tables" type = map(string) default = {} } -variable "public_subnet_tags" { - description = "Additional tags for the public subnets" +variable "database_subnet_tags" { + description = "Additional tags for the database subnets" type = map(string) default = {} } -variable "public_subnet_tags_per_az" { - description = "Additional tags for the public subnets where the primary key is the AZ" - type = map(map(string)) - default = {} -} - -variable "private_subnet_tags" { - description = "Additional tags for the private subnets" - type = map(string) - default = {} +variable "create_database_subnet_group" { + description = "Controls if database subnet group should be created (n.b. database_subnets must also be set)" + type = bool + default = true } -variable "private_subnet_tags_per_az" { - description = "Additional tags for the private subnets where the primary key is the AZ" - type = map(map(string)) - default = {} +variable "database_subnet_group_name" { + description = "Name of database subnet group" + type = string + default = null } -variable "outpost_subnet_tags" { - description = "Additional tags for the outpost subnets" +variable "database_subnet_group_tags" { + description = "Additional tags for the database subnet group" type = map(string) default = {} } -variable "public_route_table_tags" { - description = "Additional tags for the public route tables" - type = map(string) - default = {} -} +################################################################################ +# Database Network ACLs +################################################################################ -variable "private_route_table_tags" { - description = "Additional tags for the private route tables" - type = map(string) - default = {} +variable "database_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" + type = bool + default = false } -variable "database_route_table_tags" { - description = "Additional tags for the database route tables" - type = map(string) - default = {} +variable "database_inbound_acl_rules" { + description = "Database subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "redshift_route_table_tags" { - description = "Additional tags for the redshift route tables" - type = map(string) - default = {} +variable "database_outbound_acl_rules" { + description = "Database subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "elasticache_route_table_tags" { - description = "Additional tags for the elasticache route tables" +variable "database_acl_tags" { + description = "Additional tags for the database subnets network ACL" type = map(string) default = {} } -variable "intra_route_table_tags" { - description = "Additional tags for the intra route tables" - type = map(string) - default = {} +################################################################################ +# Redshift Subnets +################################################################################ + +variable "redshift_subnets" { + description = "A list of redshift subnets inside the VPC" + type = list(string) + default = [] } -variable "database_subnet_group_name" { - description = "Name of database subnet group" - type = string - default = null +variable "redshift_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false } -variable "database_subnet_tags" { - description = "Additional tags for the database subnets" - type = map(string) - default = {} +variable "redshift_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true } -variable "database_subnet_group_tags" { - description = "Additional tags for the database subnet group" - type = map(string) - default = {} +variable "redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true } -variable "redshift_subnet_tags" { - description = "Additional tags for the redshift subnets" - type = map(string) - default = {} +variable "redshift_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false } -variable "redshift_subnet_group_name" { - description = "Name of redshift subnet group" - type = string - default = null +variable "redshift_subnet_ipv6_prefixes" { + description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] } -variable "redshift_subnet_group_tags" { - description = "Additional tags for the redshift subnet group" - type = map(string) - default = {} +variable "redshift_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false } -variable "elasticache_subnet_group_name" { - description = "Name of elasticache subnet group" +variable "redshift_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" type = string default = null } -variable "elasticache_subnet_group_tags" { - description = "Additional tags for the elasticache subnet group" - type = map(string) - default = {} -} - -variable "elasticache_subnet_tags" { - description = "Additional tags for the elasticache subnets" - type = map(string) - default = {} +variable "redshift_subnet_names" { + description = "Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated" + type = list(string) + default = [] } -variable "intra_subnet_tags" { - description = "Additional tags for the intra subnets" - type = map(string) - default = {} +variable "redshift_subnet_suffix" { + description = "Suffix to append to redshift subnets name" + type = string + default = "redshift" } -variable "public_acl_tags" { - description = "Additional tags for the public subnets network ACL" - type = map(string) - default = {} +variable "enable_public_redshift" { + description = "Controls if redshift should have public routing table" + type = bool + default = false } -variable "private_acl_tags" { - description = "Additional tags for the private subnets network ACL" - type = map(string) - default = {} +variable "create_redshift_subnet_route_table" { + description = "Controls if separate route table for redshift should be created" + type = bool + default = false } -variable "outpost_acl_tags" { - description = "Additional tags for the outpost subnets network ACL" +variable "redshift_route_table_tags" { + description = "Additional tags for the redshift route tables" type = map(string) default = {} } -variable "intra_acl_tags" { - description = "Additional tags for the intra subnets network ACL" +variable "redshift_subnet_tags" { + description = "Additional tags for the redshift subnets" type = map(string) default = {} } -variable "database_acl_tags" { - description = "Additional tags for the database subnets network ACL" - type = map(string) - default = {} +variable "create_redshift_subnet_group" { + description = "Controls if redshift subnet group should be created" + type = bool + default = true } -variable "redshift_acl_tags" { - description = "Additional tags for the redshift subnets network ACL" - type = map(string) - default = {} +variable "redshift_subnet_group_name" { + description = "Name of redshift subnet group" + type = string + default = null } -variable "elasticache_acl_tags" { - description = "Additional tags for the elasticache subnets network ACL" +variable "redshift_subnet_group_tags" { + description = "Additional tags for the redshift subnet group" type = map(string) default = {} } -variable "dhcp_options_tags" { - description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" - type = map(string) - default = {} -} +################################################################################ +# Redshift Network ACLs +################################################################################ -variable "nat_gateway_tags" { - description = "Additional tags for the NAT gateways" - type = map(string) - default = {} +variable "redshift_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" + type = bool + default = false } -variable "nat_eip_tags" { - description = "Additional tags for the NAT EIP" - type = map(string) - default = {} +variable "redshift_inbound_acl_rules" { + description = "Redshift subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "customer_gateway_tags" { - description = "Additional tags for the Customer Gateway" - type = map(string) - default = {} +variable "redshift_outbound_acl_rules" { + description = "Redshift subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "vpn_gateway_tags" { - description = "Additional tags for the VPN gateway" +variable "redshift_acl_tags" { + description = "Additional tags for the redshift subnets network ACL" type = map(string) default = {} } -variable "vpc_flow_log_tags" { - description = "Additional tags for the VPC Flow Logs" - type = map(string) - default = {} -} +################################################################################ +# Elasticache Subnets +################################################################################ -variable "vpc_flow_log_permissions_boundary" { - description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role" - type = string - default = null +variable "elasticache_subnets" { + description = "A list of elasticache subnets inside the VPC" + type = list(string) + default = [] } -variable "enable_dhcp_options" { - description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type" +variable "elasticache_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" type = bool default = false } -variable "dhcp_options_domain_name" { - description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" - type = string - default = "" +variable "elasticache_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true } -variable "dhcp_options_domain_name_servers" { - description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" - type = list(string) - default = ["AmazonProvidedDNS"] +variable "elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true } -variable "dhcp_options_ntp_servers" { - description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" - type = list(string) - default = [] +variable "elasticache_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false } -variable "dhcp_options_netbios_name_servers" { - description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" +variable "elasticache_subnet_ipv6_prefixes" { + description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" type = list(string) default = [] } -variable "dhcp_options_netbios_node_type" { - description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" - type = string - default = "" -} - -variable "manage_default_vpc" { - description = "Should be true to adopt and manage Default VPC" +variable "elasticache_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" type = bool default = false } -variable "default_vpc_name" { - description = "Name to be used on the Default VPC" +variable "elasticache_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" type = string default = null } -variable "default_vpc_enable_dns_support" { - description = "Should be true to enable DNS support in the Default VPC" - type = bool - default = true +variable "elasticache_subnet_names" { + description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated" + type = list(string) + default = [] } -variable "default_vpc_enable_dns_hostnames" { - description = "Should be true to enable DNS hostnames in the Default VPC" - type = bool - default = false +variable "elasticache_subnet_suffix" { + description = "Suffix to append to elasticache subnets name" + type = string + default = "elasticache" } -# tflint-ignore: terraform_unused_declarations -variable "default_vpc_enable_classiclink" { - description = "[DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink in the Default VPC" +variable "elasticache_subnet_tags" { + description = "Additional tags for the elasticache subnets" + type = map(string) + default = {} +} + +variable "create_elasticache_subnet_route_table" { + description = "Controls if separate route table for elasticache should be created" type = bool default = false } -variable "default_vpc_tags" { - description = "Additional tags for the Default VPC" +variable "elasticache_route_table_tags" { + description = "Additional tags for the elasticache route tables" type = map(string) default = {} } -variable "manage_default_network_acl" { - description = "Should be true to adopt and manage Default Network ACL" +variable "create_elasticache_subnet_group" { + description = "Controls if elasticache subnet group should be created" type = bool - default = false + default = true } -variable "default_network_acl_name" { - description = "Name to be used on the Default Network ACL" +variable "elasticache_subnet_group_name" { + description = "Name of elasticache subnet group" type = string default = null } -variable "default_network_acl_tags" { - description = "Additional tags for the Default Network ACL" +variable "elasticache_subnet_group_tags" { + description = "Additional tags for the elasticache subnet group" type = map(string) default = {} } -variable "public_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" +################################################################################ +# Elasticache Network ACLs +################################################################################ + +variable "elasticache_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" type = bool default = false } -variable "private_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" - type = bool - default = false +variable "elasticache_inbound_acl_rules" { + description = "Elasticache subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] } -variable "outpost_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets" +variable "elasticache_outbound_acl_rules" { + description = "Elasticache subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "elasticache_acl_tags" { + description = "Additional tags for the elasticache subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Intra Subnets +################################################################################ + +variable "intra_subnets" { + description = "A list of intra subnets inside the VPC" + type = list(string) + default = [] +} + +variable "intra_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" type = bool default = false } -variable "intra_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" +variable "intra_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" type = bool - default = false + default = true } -variable "database_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" +variable "intra_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" type = bool - default = false + default = true } -variable "redshift_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" +variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" type = bool default = false } -variable "elasticache_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" +variable "intra_subnet_ipv6_prefixes" { + description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "intra_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" type = bool default = false } -variable "default_network_acl_ingress" { - description = "List of maps of ingress rules to set on the Default Network ACL" - type = list(map(string)) +variable "intra_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} - default = [ - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] +variable "intra_subnet_names" { + description = "Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated" + type = list(string) + default = [] } -variable "default_network_acl_egress" { - description = "List of maps of egress rules to set on the Default Network ACL" - type = list(map(string)) +variable "intra_subnet_suffix" { + description = "Suffix to append to intra subnets name" + type = string + default = "intra" +} - default = [ - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] +variable "intra_subnet_tags" { + description = "Additional tags for the intra subnets" + type = map(string) + default = {} } -variable "public_inbound_acl_rules" { - description = "Public subnets inbound network ACLs" - type = list(map(string)) +variable "intra_route_table_tags" { + description = "Additional tags for the intra route tables" + type = map(string) + default = {} +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +################################################################################ +# Intra Network ACLs +################################################################################ + +variable "intra_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" + type = bool + default = false } -variable "public_outbound_acl_rules" { - description = "Public subnets outbound network ACLs" +variable "intra_inbound_acl_rules" { + description = "Intra subnets inbound network ACLs" type = list(map(string)) - default = [ { rule_number = 100 @@ -903,10 +981,9 @@ variable "public_outbound_acl_rules" { ] } -variable "private_inbound_acl_rules" { - description = "Private subnets inbound network ACLs" +variable "intra_outbound_acl_rules" { + description = "Intra subnets outbound network ACLs" type = list(map(string)) - default = [ { rule_number = 100 @@ -919,26 +996,119 @@ variable "private_inbound_acl_rules" { ] } -variable "private_outbound_acl_rules" { - description = "Private subnets outbound network ACLs" - type = list(map(string)) +variable "intra_acl_tags" { + description = "Additional tags for the intra subnets network ACL" + type = map(string) + default = {} +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +################################################################################ +# Outpost Subnets +################################################################################ + +variable "outpost_subnets" { + description = "A list of outpost subnets inside the VPC" + type = list(string) + default = [] +} + +variable "outpost_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "outpost_az" { + description = "AZ where Outpost is anchored" + type = string + default = null +} + +variable "customer_owned_ipv4_pool" { + description = "The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured" + type = string + default = null +} + +variable "outpost_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "outpost_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "outpost_subnet_ipv6_prefixes" { + description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "outpost_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "map_customer_owned_ip_on_launch" { + description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. Default is `false`" + type = bool + default = false +} + +variable "outpost_arn" { + description = "ARN of Outpost you want to create a subnet in" + type = string + default = null +} + +variable "outpost_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "outpost_subnet_names" { + description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "outpost_subnet_suffix" { + description = "Suffix to append to outpost subnets name" + type = string + default = "outpost" +} + +variable "outpost_subnet_tags" { + description = "Additional tags for the outpost subnets" + type = map(string) + default = {} +} + +################################################################################ +# Outpost Network ACLs +################################################################################ + +variable "outpost_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets" + type = bool + default = false } variable "outpost_inbound_acl_rules" { description = "Outpost subnets inbound network ACLs" type = list(map(string)) - default = [ { rule_number = 100 @@ -954,7 +1124,6 @@ variable "outpost_inbound_acl_rules" { variable "outpost_outbound_acl_rules" { description = "Outpost subnets outbound network ACLs" type = list(map(string)) - default = [ { rule_number = 100 @@ -967,138 +1136,198 @@ variable "outpost_outbound_acl_rules" { ] } -variable "intra_inbound_acl_rules" { - description = "Intra subnets inbound network ACLs" - type = list(map(string)) +variable "outpost_acl_tags" { + description = "Additional tags for the outpost subnets network ACL" + type = map(string) + default = {} +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +################################################################################ +# Internet Gateway +################################################################################ + +variable "create_igw" { + description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them" + type = bool + default = true } -variable "intra_outbound_acl_rules" { - description = "Intra subnets outbound network ACLs" - type = list(map(string)) +variable "create_egress_only_igw" { + description = "Controls if an Egress Only Internet Gateway is created and its related routes" + type = bool + default = true +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "igw_tags" { + description = "Additional tags for the internet gateway" + type = map(string) + default = {} } -variable "database_inbound_acl_rules" { - description = "Database subnets inbound network ACL rules" - type = list(map(string)) +################################################################################ +# NAT Gateway +################################################################################ - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "enable_nat_gateway" { + description = "Should be true if you want to provision NAT Gateways for each of your private networks" + type = bool + default = false } -variable "database_outbound_acl_rules" { - description = "Database subnets outbound network ACL rules" - type = list(map(string)) +variable "nat_gateway_destination_cidr_block" { + description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route" + type = string + default = "0.0.0.0/0" +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "single_nat_gateway" { + description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks" + type = bool + default = false } -variable "redshift_inbound_acl_rules" { - description = "Redshift subnets inbound network ACL rules" - type = list(map(string)) +variable "one_nat_gateway_per_az" { + description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`" + type = bool + default = false +} + +variable "reuse_nat_ips" { + description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable" + type = bool + default = false +} + +variable "external_nat_ip_ids" { + description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)" + type = list(string) + default = [] +} + +variable "external_nat_ips" { + description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)" + type = list(string) + default = [] +} + +variable "nat_gateway_tags" { + description = "Additional tags for the NAT gateways" + type = map(string) + default = {} +} + +variable "nat_eip_tags" { + description = "Additional tags for the NAT EIP" + type = map(string) + default = {} +} + +################################################################################ +# Customer Gateways +################################################################################ + +variable "customer_gateways" { + description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)" + type = map(map(any)) + default = {} +} + +variable "customer_gateway_tags" { + description = "Additional tags for the Customer Gateway" + type = map(string) + default = {} +} + +################################################################################ +# VPN Gateway +################################################################################ + +variable "enable_vpn_gateway" { + description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" + type = bool + default = false +} + +variable "vpn_gateway_id" { + description = "ID of VPN Gateway to attach to the VPC" + type = string + default = "" +} + +variable "amazon_side_asn" { + description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN" + type = string + default = "64512" +} + +variable "vpn_gateway_az" { + description = "The Availability Zone for the VPN Gateway" + type = string + default = null +} + +variable "propagate_intra_route_tables_vgw" { + description = "Should be true if you want route table propagation" + type = bool + default = false +} + +variable "propagate_private_route_tables_vgw" { + description = "Should be true if you want route table propagation" + type = bool + default = false +} + +variable "propagate_public_route_tables_vgw" { + description = "Should be true if you want route table propagation" + type = bool + default = false +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "vpn_gateway_tags" { + description = "Additional tags for the VPN gateway" + type = map(string) + default = {} } -variable "redshift_outbound_acl_rules" { - description = "Redshift subnets outbound network ACL rules" - type = list(map(string)) +################################################################################ +# Default VPC +################################################################################ - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "manage_default_vpc" { + description = "Should be true to adopt and manage Default VPC" + type = bool + default = false } -variable "elasticache_inbound_acl_rules" { - description = "Elasticache subnets inbound network ACL rules" - type = list(map(string)) +variable "default_vpc_name" { + description = "Name to be used on the Default VPC" + type = string + default = null +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "default_vpc_enable_dns_support" { + description = "Should be true to enable DNS support in the Default VPC" + type = bool + default = true } -variable "elasticache_outbound_acl_rules" { - description = "Elasticache subnets outbound network ACL rules" - type = list(map(string)) +variable "default_vpc_enable_dns_hostnames" { + description = "Should be true to enable DNS hostnames in the Default VPC" + type = bool + default = true +} - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] +variable "default_vpc_tags" { + description = "Additional tags for the Default VPC" + type = map(string) + default = {} } variable "manage_default_security_group" { description = "Should be true to adopt and manage default security group" type = bool - default = false + default = true } variable "default_security_group_name" { @@ -1113,12 +1342,6 @@ variable "default_security_group_ingress" { default = [] } -variable "enable_flow_log" { - description = "Whether or not to enable VPC Flow Logs" - type = bool - default = false -} - variable "default_security_group_egress" { description = "List of maps of egress rules to set on the default security group" type = list(map(string)) @@ -1131,161 +1354,224 @@ variable "default_security_group_tags" { default = {} } -variable "create_flow_log_cloudwatch_log_group" { - description = "Whether to create CloudWatch log group for VPC Flow Logs" - type = bool - default = false -} +################################################################################ +# Default Network ACLs +################################################################################ -variable "create_flow_log_cloudwatch_iam_role" { - description = "Whether to create IAM role for VPC Flow Logs" +variable "manage_default_network_acl" { + description = "Should be true to adopt and manage Default Network ACL" type = bool - default = false + default = true } -variable "flow_log_traffic_type" { - description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL." +variable "default_network_acl_name" { + description = "Name to be used on the Default Network ACL" type = string - default = "ALL" + default = null } -variable "flow_log_destination_type" { - description = "Type of flow log destination. Can be s3 or cloud-watch-logs." - type = string - default = "cloud-watch-logs" +variable "default_network_acl_ingress" { + description = "List of maps of ingress rules to set on the Default Network ACL" + type = list(map(string)) + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + { + rule_no = 101 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_block = "::/0" + }, + ] } -variable "flow_log_log_format" { - description = "The fields to include in the flow log record, in the order in which they should appear." - type = string - default = null +variable "default_network_acl_egress" { + description = "List of maps of egress rules to set on the Default Network ACL" + type = list(map(string)) + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + { + rule_no = 101 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_block = "::/0" + }, + ] } -variable "flow_log_destination_arn" { - description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided." - type = string - default = "" +variable "default_network_acl_tags" { + description = "Additional tags for the Default Network ACL" + type = map(string) + default = {} } -variable "flow_log_cloudwatch_iam_role_arn" { - description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided." - type = string - default = "" +################################################################################ +# Default Route +################################################################################ + +variable "manage_default_route_table" { + description = "Should be true to manage default route table" + type = bool + default = true } -variable "flow_log_cloudwatch_log_group_name_prefix" { - description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs." +variable "default_route_table_name" { + description = "Name to be used on the default route table" type = string - default = "/aws/vpc-flow-log/" + default = null } -variable "flow_log_cloudwatch_log_group_name_suffix" { - description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs." - type = string - default = "" +variable "default_route_table_propagating_vgws" { + description = "List of virtual gateways for propagation" + type = list(string) + default = [] } -variable "flow_log_cloudwatch_log_group_retention_in_days" { - description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs." - type = number - default = null +variable "default_route_table_routes" { + description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route" + type = list(map(string)) + default = [] } -variable "flow_log_cloudwatch_log_group_kms_key_id" { - description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs." +variable "default_route_table_tags" { + description = "Additional tags for the default route table" + type = map(string) + default = {} +} + +################################################################################ +# Flow Log +################################################################################ + +variable "enable_flow_log" { + description = "Whether or not to enable VPC Flow Logs" + type = bool + default = false +} + +variable "vpc_flow_log_permissions_boundary" { + description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role" type = string default = null } variable "flow_log_max_aggregation_interval" { - description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds." + description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" type = number default = 600 } -variable "create_igw" { - description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them." - type = bool - default = true +variable "flow_log_traffic_type" { + description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL" + type = string + default = "ALL" } -variable "create_egress_only_igw" { - description = "Controls if an Egress Only Internet Gateway is created and its related routes." - type = bool - default = true +variable "flow_log_destination_type" { + description = "Type of flow log destination. Can be s3 or cloud-watch-logs" + type = string + default = "cloud-watch-logs" } -variable "outpost_arn" { - description = "ARN of Outpost you want to create a subnet in." +variable "flow_log_log_format" { + description = "The fields to include in the flow log record, in the order in which they should appear" type = string default = null } -variable "outpost_az" { - description = "AZ where Outpost is anchored." +variable "flow_log_destination_arn" { + description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided" type = string - default = null + default = "" } variable "flow_log_file_format" { - description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`." + description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`" type = string - default = "plain-text" - validation { - condition = can(regex("^(plain-text|parquet)$", - var.flow_log_file_format)) - error_message = "ERROR valid values: plain-text, parquet." - } + default = null } variable "flow_log_hive_compatible_partitions" { - description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3." + description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3" type = bool default = false } variable "flow_log_per_hour_partition" { - description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries." + description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries" type = bool default = false } -variable "use_ipam_pool" { - description = "Determines whether IPAM pool is used for CIDR allocation" +variable "vpc_flow_log_tags" { + description = "Additional tags for the VPC Flow Logs" + type = map(string) + default = {} +} + +################################################################################ +# Flow Log CloudWatch +################################################################################ + +variable "create_flow_log_cloudwatch_log_group" { + description = "Whether to create CloudWatch log group for VPC Flow Logs" type = bool default = false } -variable "ipv4_ipam_pool_id" { - description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR." - type = string - default = null +variable "create_flow_log_cloudwatch_iam_role" { + description = "Whether to create IAM role for VPC Flow Logs" + type = bool + default = false } -variable "ipv4_netmask_length" { - description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id." - type = number - default = null +variable "flow_log_cloudwatch_iam_role_arn" { + description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided" + type = string + default = "" } -variable "ipv6_cidr" { - description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`." +variable "flow_log_cloudwatch_log_group_name_prefix" { + description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs" type = string - default = null + default = "/aws/vpc-flow-log/" } -variable "ipv6_ipam_pool_id" { - description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`." +variable "flow_log_cloudwatch_log_group_name_suffix" { + description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs" type = string - default = null + default = "" } -variable "ipv6_netmask_length" { - description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`." +variable "flow_log_cloudwatch_log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs" type = number default = null } +variable "flow_log_cloudwatch_log_group_kms_key_id" { + description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" + type = string + default = null +} + variable "putin_khuylo" { description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" type = bool diff --git a/versions.tf b/versions.tf index 979baa847..4d4bddd64 100644 --- a/versions.tf +++ b/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.73" + version = ">= 4.35" } } }
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]