The purpose of this module is to provide a consistent way to provision a VPC and associated resources in AWS.
Add example usage here
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
availability_zones = var.availability_zones
enable_ssm = var.enable_ssm
enable_transit_gateway_appliance_mode = true
ipam_pool_id = data.aws_vpc_ipam_pool.current.id
name = var.name
private_subnet_netmask = var.private_subnet_netmask
public_subnet_netmask = var.public_subnet_netmask
tags = var.tags
transit_gateway_id = data.aws_ec2_transit_gateway.this.id
vpc_cidr = var.vpc_cidr
transit_gateway_routes = {
private = aws_ec2_managed_prefix_list.internal.id
}
}To enable NAT gateways in your VPC, you can use the enable_nat_gateway and nat_gateway_mode variables. Here are some examples:
# Single NAT Gateway for all AZs
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
nat_gateway_mode = "single"
# ... other configuration ...
}
# One NAT Gateway per AZ for high availability
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
nat_gateway_mode = "one_per_az"
# ... other configuration ...
}Remember that NAT gateways incur costs, so choose the configuration that best balances your availability requirements and budget.
The module supports connecting your VPC to an AWS Transit Gateway. Here are some common configurations:
# Basic Transit Gateway connection
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
transit_gateway_id = "tgw-1234567890abcdef0" # Your Transit Gateway ID
# Default route to Transit Gateway for private subnets
transit_gateway_routes = {
private = "10.0.0.0/8" # Route all 10.0.0.0/8 traffic to Transit Gateway
}
# ... other configuration ...
}
# Transit Gateway with appliance mode (for network appliances)
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_transit_gateway_appliance_mode = true
transit_gateway_id = "tgw-1234567890abcdef0"
# Using a prefix list for routes
transit_gateway_routes = {
private = "pl-1234567890abcdef0" # AWS prefix list ID
}
# ... other configuration ...
}The Transit Gateway configuration supports:
- Connecting to an existing Transit Gateway
- Appliance mode for network appliance deployments
- Custom routing using CIDR blocks or prefix lists
- Optional NAT Gateway access for Transit Gateway subnets
The module supports creating VPC endpoints for AWS services. Here are some common configurations:
# Enable SSM endpoints (Session Manager)
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_ssm = true
# ... other configuration ...
}
# Enable specific private endpoints
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_private_endpoints = [
"ecr.api",
"ecr.dkr",
"s3",
"logs"
]
# ... other configuration ...
}Note, by default Gateway endpoints are automatically created for S3 and DynamoDB, though these can be controlled by the enable_s3_endpoint and enable_dynamodb_endpoint variables.
You can use enable_ssm as a shortcut to enable the SSM endpoints.
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_ssm = true
}To enable DNS request logging in your VPC, you can use the enable_dns_request_logging variable. This feature allows you to log DNS queries made within your VPC, which can be useful for monitoring and troubleshooting.
Here is an example configuration:
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_dns_request_logging = true
# ... other configuration ...
}The module supports automatically associating shared Route53 Resolver Rules with your VPC. By default, any resolver rules shared with your account will be automatically associated. Here are some configuration examples:
# Disable automatic resolver rule association
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_route53_resolver_rules = false
# ... other configuration ...
}
# Exclude specific resolver rules from association
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_route53_resolver_rules = true
exclude_route53_resolver_rules = ["rslvr-rr-1234567890abcdef0"] # Resolver Rule IDs to exclude
# ... other configuration ...
}By default (enable_route53_resolver_rules = true), the module will:
- Automatically discover all resolver rules shared with your account
- Associate them with the VPC being created
- Allow you to exclude specific rules using the
exclude_route53_resolver_rulesvariable
To add more subnets to your VPC, you can extend the subnet configurations in your Terraform code. Here are some examples:
module "vpc" {
subnets = {
public = {
cidr_blocks = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
tags = {
Name = "public-subnets"
}
}
}
}VPC sharing allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon RDS databases, and Amazon Redshift clusters, into a shared, centrally managed VPC. The benefits of VPC sharing include:
- Cost Savings: By sharing a single VPC across multiple accounts, you can reduce the number of VPCs needed, which can lead to cost savings.
- Simplified Network Management: Centralized management of network resources simplifies the administration and monitoring of network configurations.
- Improved Security: VPC sharing allows for consistent security policies and monitoring across multiple accounts, enhancing the overall security posture.
Remember to:
- Ensure CIDR blocks don't overlap
- Consider your IP address space requirements
- Follow your organization's IP addressing scheme
The module include a convenient way to share subnets using AWS Resource Access Manager (RAM). Here is an example configuration:
## Provision a network is no subnets inside
module "vpc" {
source = "../.."
availability_zones = 3
name = "development"
tags = local.tags
vpc_cidr = "10.90.0.0/16"
}
## Curve out subnets for sharing
module "subnets" {
source = "../../modules/shared"
name = "product-a"
share = { accounts = ["123456789012"] }
tags = local.tags
vpc_id = module.vpc.vpc_id
## Additional subnet to add to the isolation zone
permitted_subnets = [
"10.90.20.0/24",
]
subnets = {
web = {
cidrs = ["10.90.0.0/24", "10.90.1.0/24"]
}
app = {
cidrs = ["10.90.10.0/24", "10.90.11.0/24"]
}
}
}Note, this module will automatically create a network access control list (NACL) for the shared subnets, it will any
- Permit all outbound and inbound traffic from the subnets
- Permit all outbound and inbound traffic from the
var.permitted_subnetsvariable cidr_blocks. - Deny all other traffic to the VPC CIDR block.
- Permit all outbound and inbound traffic not destined to the VPC CIDR block.
By performing the above to ensure the subnets are isolated from the rest of the VPC, while still allowing access to external resources.
Network Access Control Lists (NACLs) are an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs are stateless, meaning that responses to allowed inbound traffic are subject to the rules for outbound traffic. NACLs allow you to explicitly allow or deny traffic based on IP address, port, and protocol. Here's an example of how to configure NACLs in this module:
module "vpc" {
source = "../.."
name = "production"
vpc_cidr = "10.0.0.0/16"
availability_zones = 3
tags = local.tags
subnets = {
private = {
netmask = 24
}
}
nacl_rules = {
private = {
inbound_rules = [
{
cidr_block = "10.0.0.0/24"
from_port = 22
to_port = 22
protocol = 6 # TCP
rule_action = "allow"
rule_number = 100
}
],
outbound_rules = [
{
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 65535
protocol = -1 # All traffic
rule_action = "allow"
rule_number = 100
}
]
}
}
}The terraform-docs utility is used to generate this README. Follow the below steps to update:
- Make changes to the
.terraform-docs.ymlfile - Fetch the
terraform-docsbinary (https://terraform-docs.io/user-guide/installation/) - Run
terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
| Name | Version |
|---|---|
| aws | ~> 6.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Is the name of the network to provision | string |
n/a | yes |
| tags | Tags to apply to all resources | map(string) |
n/a | yes |
| associate_hosted_ids | The list of hosted zone ids to associate with the VPC | list(string) |
[] |
no |
| availability_zones | The number of availability zone the network should be deployed into | number |
2 |
no |
| dns_query_log_retention | The number of days to retain DNS query logs | number |
7 |
no |
| enable_default_route_table_association | Indicates the transit gateway default route table should be associated with the subnets | bool |
true |
no |
| enable_default_route_table_propagation | Indicates the transit gateway default route table should be propagated to the subnets | bool |
true |
no |
| enable_dns_request_logging | Enable logging of DNS requests | bool |
false |
no |
| enable_dynamodb_endpoint | Enable DynamoDB VPC Gateway endpoint | bool |
true |
no |
| enable_private_endpoints | Indicates the network should provision private endpoints | list(string) |
[] |
no |
| enable_route53_resolver_rules | Automatically associates any shared route53 resolver rules with the VPC | bool |
true |
no |
| enable_s3_endpoint | Enable S3 VPC Gateway endpoint | bool |
true |
no |
| enable_ssm | Indicates we should provision SSM private endpoints | bool |
false |
no |
| enable_transit_gateway_appliance_mode | Indicates the network should be connected to a transit gateway in appliance mode | bool |
false |
no |
| enable_transit_gateway_subnet_natgw | Indicates if the transit gateway subnets should be connected to a nat gateway | bool |
false |
no |
| exclude_route53_resolver_rules | List of resolver rules to exclude from association | list(string) |
[] |
no |
| ipam_pool_id | An optional pool id to use for IPAM pool to use | string |
null |
no |
| nacl_rules | Map of NACL rules to apply to different subnet types. Each rule requires from_port, to_port, protocol, rule_action, cidr_block, and rule_number | map(object({ |
{} |
no |
| nat_gateway_mode | The configuration mode of the NAT gateways | string |
"none" |
no |
| private_subnet_netmask | The netmask for the private subnets | number |
0 |
no |
| private_subnet_tags | Additional tags for the private subnets | map(string) |
{} |
no |
| public_subnet_netmask | The netmask for the public subnets | number |
0 |
no |
| public_subnet_tags | Additional tags for the public subnets | map(string) |
{} |
no |
| subnets | Additional subnets to create in the network, keyed by the subnet name | any |
{} |
no |
| transit_gateway_id | If enabled, and not lookup is disabled, the transit gateway id to connect to | string |
null |
no |
| transit_gateway_routes | If enabled, this is the cidr block to route down the transit gateway | map(string) |
{ |
no |
| transit_subnet_tags | Additional tags for the transit subnets | map(string) |
{} |
no |
| vpc_cidr | An optional cidr block to assign to the VPC (if not using IPAM) | string |
null |
no |
| vpc_instance_tenancy | The name of the VPC to create | string |
"default" |
no |
| vpc_netmask | An optional range assigned to the VPC | number |
null |
no |
| Name | Description |
|---|---|
| all_subnets_by_name | A map of the subnet name to the subnet ID i.e. private/us-east-1a => subnet_id |
| nat_public_ips | The public IPs of the NAT Gateways i.e [public_ip, public_ip] |
| natgw_id_per_az | The IDs of the NAT Gateways (see aws-ia/vpc/aws for details) |
| private_route_table_ids | The IDs of the private route tables ie. [route_table_id, route_table_id] |
| private_subnet_attributes_by_az | The attributes of the private subnets (see aws-ia/vpc/aws for details) |
| private_subnet_cidr_by_id | A map of the private subnet ID to CIDR block i.e. us-west-2a => subnet_cidr |
| private_subnet_cidrs | A list of the CIDRs for the private subnets |
| private_subnet_id_by_az | A map of availability zone to subnet id of the private subnets i.e. eu-west-2a => subnet_id |
| private_subnet_ids | The IDs of the private subnets i.e. [subnet_id, subnet_id] |
| public_route_table_ids | The IDs of the public route tables ie. [route_table_id, route_table_id] |
| public_subnet_attributes_by_az | The attributes of the public subnets (see aws-ia/vpc/aws for details) |
| public_subnet_cidr_by_id | A map of the public subnet ID to CIDR block i.e. us-west-2a => subnet_cidr |
| public_subnet_cidrs | A list of the CIDRs for the public subnets i.e. [subnet_cidr, subnet_cidr] |
| public_subnet_id_by_az | A map of availability zone to subnet id of the public subnets i.e. eu-west-2a => subnet_id |
| public_subnet_ids | The IDs of the public subnets i.e. [subnet_id, subnet_id] |
| rt_attributes_by_type_by_az | The attributes of the route tables (see aws-ia/vpc/aws for details) |
| subnets | The subnets created by the module |
| transit_gateway_attachment_id | The ID of the transit gateway attachment if enabled |
| transit_route_table_by_az | A map of availability zone to transit gateway route table ID i.e eu-west-2a => route_table_id |
| transit_route_table_ids | The IDs of the transit gateway route tables ie. [route_table_id, route_table_id] |
| transit_subnet_attributes_by_az | The attributes of the transit gateway subnets (see aws-ia/vpc/aws for details) |
| transit_subnet_ids | The IDs of the transit gateway subnets ie. [subnet_id, subnet_id] |
| vpc_attributes | The attributes of the VPC (see aws-ia/vpc/aws for details) |
| vpc_cidr | The CIDR block of the VPC |
| vpc_id | The ID of the VPC |