vtstanescu/aws-vpc

aws-vpc

Terraform module for creating and managing AWS Virtual Private Cloud (VPC).

Features

  • Auto subnetting with 2 algorithms available (see the subnet-addresses submodule)
  • VPC & Subnets
  • Deletion of all rules from the VPC default Network ACL & Security Group, so anything accidentally left on the defaults gets no network access (a Security Group with no rules allows nothing; a Network ACL with no rules denies everything)
  • Custom Network ACL & Route Table(s) for private subnets
  • Public infrastructure (see the public-infra submodule)
    • Internet Gateway
    • NAT Gateway(s), with 3 setups available:
      one-az: a single NAT Gateway shared by the private subnets of all AZs (cheapest; egress from every AZ depends on that one AZ)
      failover: two NAT Gateways in different AZs; one serves all subnets as in the one-az setup, the other is kept ready for failover
      ha: high availability; each AZ gets its own NAT Gateway (considerably pricier, but no cross-AZ dependency for egress)
    • Subnets
    • Custom Network ACL & Route Table for public subnets
  • VPC Endpoints
    • Gateway endpoints for the S3 & DynamoDB services
    • Interface endpoints for supported AWS services
  • Flow logs
  • IPv6 support
  • Multiple IPv4 & IPv6 CIDR blocks via BYOIP pools
  • Multiple IPv4 & IPv6 CIDR blocks via IPAM pools (Amazon VPC IP Address Manager)
  • Local Zones support
  • Wavelength Zones support

Requirements

  • terraform >= 1.0
  • aws (provider) >= 5.0

Providers

  • aws >= 5.0

Modules

  • flow_log: ./modules/flow-log
  • public_infra: ./modules/public-infra
  • subnet_addresses: ./modules/subnet-addresses

Inputs

  • name (string, required): VPC name.
  • main_cidr_block (string, required): Main IPv4 CIDR block for the VPC.
  • instance_tenancy (string, default "default"): Tenancy of instances launched into the VPC. Dedicated or host tenancy costs at least $2/h.
  • enable_dns_support (bool, default true): Whether to enable DNS resolution in the VPC.
  • enable_dns_hostnames (bool, default true): Whether to enable DNS hostnames in the VPC.
  • ipv6_cidr_block (bool, default false): Whether to request an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
  • availability_zones_count (number, default 3): Number of Availability Zones to use for the VPC subnets.
  • subnetting_algorithm (string, default "nowaste"): Algorithm used to split the VPC IPv4 CIDR blocks into subnets when subnets is not given. Supported algorithms:
    • nowaste: uses the whole CIDR block, leaving no subnet addresses unused. It attempts an equal split; when the number of subnets is not a power of 2, the last subnets get longer prefix lengths, i.e. fewer usable host IPs.
    • equalsplit: every subnet gets the same prefix length. This leaves part of the CIDR block unused when the number of requested subnets is not a power of 2.
  • subnets (object({ private = list(string), public = list(string) }), default null): Explicit IPv4 CIDR blocks to use for each subnet, private and public. The number of subnets created is not decided by the length of the private & public lists but by availability_zones_count, capped at the number of AZs available in the AWS Region where the VPC is created, i.e. min(var.availability_zones_count, length(data.aws_availability_zones.available.names)). If private_subnets_only is true, the public list can be passed as null or as an empty list. By default this variable is null, which means the subnets are computed by the internal algorithm selected with subnetting_algorithm.
  • private_subnets_only (bool, default false): Whether to create only private subnets from the VPC IPv4 CIDR block.
  • empty_network_acls (bool, default false): When true, the network ACLs are created without the default allow-all-traffic rule. A network ACL with no allow rules denies everything, so you must add your own rules before anything in those subnets can communicate.
  • nat_gateway_setup (string, default "ha"): NAT Gateway setup. Available options: one-az, failover, ha.
  • force_internet_gateway (bool, default false): Force creation of an Internet Gateway for a VPC with only private subnets. Required if an AWS Global Accelerator points at a private resource in the VPC.
  • create_vpc_gateway_endpoints (bool, default true): Create Gateway VPC Endpoints for the S3 & DynamoDB services.
  • flow_logs_config (any, default {}): Config block for VPC Flow Logs. It must be a map with the following optional keys: destination, retention, aggregation_interval, log_format, kms_key_id, s3_tiering. Pass the variable as null to disable flow logs.
    • destination: "cloud-watch-logs" or "s3". Default: "cloud-watch-logs".
    • retention: log retention in days; valid only for the CloudWatch destination. Allowed values: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, or 0 (never expire). Default: 30.
    • aggregation_interval: 60 or 600 (seconds). Default: 600. A 60-second interval delivers flow records to your detection tooling sooner.
    • log_format: custom log format; check the AWS documentation for the available fields.
    • kms_key_id: ARN of a customer managed key in AWS KMS. Default: AWS managed key.
    • s3_tiering: configuration for S3 Intelligent-Tiering. Default: Archive Access after 90 days & Deep Archive Access after 180 days. Pass this as null, or with both properties set to 0, to disable S3 Intelligent-Tiering.
      • archive_access: days after which data is tiered to ARCHIVE_ACCESS. Default: 90. Pass as 0 to disable ARCHIVE_ACCESS tiering.
      • deep_archive_access: days after which data is tiered to DEEP_ARCHIVE_ACCESS. Default: 180. Pass as 0 to disable DEEP_ARCHIVE_ACCESS tiering.
  • tags (map(string), required): Common tags for all resources created by this module. Reserved tag keys: Name, net/type.
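The two subnetting algorithms described for subnetting_algorithm, worked through with Terraform's own cidrsubnet and cidrsubnets functions. This is an added example, not code from the vtstanescu/aws-vpc module or its subnet-addresses submodule: the module computes its layout internally, and the wide-then-narrow ordering of the nowaste split below is an assumption about that submodule (the arithmetic, 2^(k+1) - n subnets at the shorter prefix and the remaining ones one bit longer, is one split that uses the block exactly while keeping the last subnets the smaller ones). The CIDR block and AZ count are constructed sample values; drop the locals into any root module and inspect them with terraform console.

```hcl
# Added example (not the module's own code): reproduce the "equalsplit" and
# "nowaste" layouts for six subnets (3 AZs x private+public) in a /16.
# Sample values are constructed; the wide-then-narrow ordering of the
# nowaste split is an assumption about the module's submodule.

locals {
  main_cidr_block = "10.0.0.0/16" # constructed sample input
  azs             = 3             # same role as availability_zones_count
  subnet_count    = 2 * local.azs # one private and one public subnet per AZ

  # k = largest power of two that fits: 2^k <= subnet_count (k = 2 for six).
  # Found by search rather than log() so no floating point rounding creeps in.
  k       = max([for b in range(0, 32) : b if pow(2, b) <= local.subnet_count]...)
  is_pow2 = pow(2, local.k) == local.subnet_count

  # equalsplit: round the count up to the next power of two (8 for six),
  # give every subnet the same prefix (/16 + 3 = /19) and leave the rest of
  # the block unused.
  equalsplit_bits   = local.is_pow2 ? local.k : local.k + 1
  equalsplit        = [for i in range(local.subnet_count) : cidrsubnet(local.main_cidr_block, local.equalsplit_bits, i)]
  equalsplit_unused = [for i in range(local.subnet_count, pow(2, local.equalsplit_bits)) : cidrsubnet(local.main_cidr_block, local.equalsplit_bits, i)]

  # nowaste: 2^(k+1) - n subnets keep the shorter prefix (/18) and the
  # remaining 2 * (n - 2^k) subnets get one extra bit (/19). The wide and the
  # narrow subnets together cover the /16 exactly, so nothing is left over,
  # and the last subnets are the smaller ones, as the input description says.
  # When n is already a power of two, nowaste_wide == n and every subnet
  # gets the same prefix, identical to equalsplit.
  nowaste_wide    = pow(2, local.k + 1) - local.subnet_count
  nowaste_newbits = concat(
    [for i in range(local.nowaste_wide) : local.k],
    [for i in range(local.subnet_count - local.nowaste_wide) : local.k + 1]
  )
  nowaste = cidrsubnets(local.main_cidr_block, local.nowaste_newbits...)
}

output "subnet_layouts" {
  value = {
    equalsplit        = local.equalsplit
    equalsplit_unused = local.equalsplit_unused
    nowaste           = local.nowaste
  }
}
```

For the sample values this gives equalsplit six /19 subnets with two further /19 blocks unused, and nowaste two /18 subnets followed by four /19 subnets that add up to the whole /16. The difference matters when planning network ACL and route table rules per tier: with nowaste the private and public tiers can end up with different subnet sizes, so rules written by CIDR must be generated from the computed addresses rather than assumed to be uniform.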

Outputs

  • vpc_id: The VPC ID.
  • subnets: Map of both private & public subnets, with the IP CIDR block and the associated route table & network ACL IDs as properties.
  • private_subnet_addresses: n/a
  • public_subnet_addresses: n/a
  • unused_subnet_addresses: n/a

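A root module that calls this module with the security-relevant inputs set explicitly and reads its vpc_id output. This is an added example, not configuration shipped with the project: the module source address is assumed to be this GitHub repository, the KMS alias alias/vpc-flow-logs is assumed to exist with a key policy that lets CloudWatch Logs use it, and the region, CIDR and tag values are placeholders. The inputs chosen are the ones above whose defaults a reviewer usually wants changed: empty_network_acls so no allow-all rule exists until you write one, a 60-second flow log aggregation interval with a customer managed key, and a NAT Gateway setup chosen deliberately rather than inherited.

```hcl
# Added example (not part of the vtstanescu/aws-vpc project): a root module
# calling the VPC module with hardened settings. Source address, KMS alias,
# region, CIDR and tag values are assumptions / constructed sample values.

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # constructed sample value
}

# Assumed to already exist: a customer managed key whose policy allows the
# CloudWatch Logs service to encrypt with it. The alias is a placeholder.
data "aws_kms_key" "flow_logs" {
  key_id = "alias/vpc-flow-logs"
}

module "vpc" {
  # Assumed source address; pin it with ?ref=<tag or commit> in real use so a
  # force-pushed branch cannot silently change your network layout.
  source = "github.com/vtstanescu/aws-vpc"

  name                     = "prod-eu-west-1"
  main_cidr_block          = "10.20.0.0/16"
  availability_zones_count = 3

  # Both are needed for private DNS names of interface endpoints to resolve.
  enable_dns_support   = true
  enable_dns_hostnames = true

  # Defaults to false, which gives every network ACL an allow-all rule.
  # With true the NACLs start empty (deny everything), so add per-tier rules
  # in this root module before workloads are deployed.
  empty_network_acls = true

  # "ha" (the default) gives each AZ its own NAT Gateway. "one-az" and
  # "failover" are cheaper but send all private egress through a single AZ.
  nat_gateway_setup = "ha"

  # S3 and DynamoDB traffic bypasses the NAT Gateways and stays on the AWS network.
  create_vpc_gateway_endpoints = true

  # Flow logs to CloudWatch Logs: shorter aggregation window, 90-day retention,
  # customer managed key instead of the AWS managed default.
  flow_logs_config = {
    destination          = "cloud-watch-logs"
    retention            = 90
    aggregation_interval = 60
    kms_key_id           = data.aws_kms_key.flow_logs.arn
  }

  # Name and net/type are reserved by the module; do not set them here.
  tags = {
    environment = "prod"
    owner       = "platform-security"
  }
}

output "vpc_id" {
  value = module.vpc.vpc_id
}
```

Run terraform init and terraform plan in the directory holding this file; the plan is where to confirm that no allow-all NACL entries appear and that the flow log resource references the customer managed key before anything is applied.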
TODOs

  • Terraform docs
  • Unit tests using Golang & GitHub Actions
  • Run tfsec & checkov within GitHub Actions

Test scenarios

  • Update from a private-only VPC to a public one with the one-az, failover or ha NAT Gateway setup, and all combinations. Total cases: 6 + 2 + 2 + 2
  • Update NACL rules. Total cases: 3
  • Toggle the Internet Gateway on a private-only VPC (force_internet_gateway). Total cases: 2
  • Disable/enable flow logs and switch between flow log destinations. Total cases: 6
