SourceFuse's AWS Reference Architecture (ARC) Terraform module facilitates the management of AWS VPC and associated networking resources. It includes features like VPC creation, Client VPN, and VPC endpoints for services like S3 and DynamoDB, enhancing network connectivity and security.
For more information about this repository and its usage, please see Terraform AWS ARC Network Module Usage Guide.
This module creates the following resources in a single region:
- VPC
- Multi-AZ private and public subnets
- Route tables, internet gateway, and NAT gateways
- Configurable VPC Endpoints
Before using this module, ensure you have the following:
- AWS credentials configured.
- Terraform installed.
- A working knowledge of Terraform.
See the examples folder for a complete example.
Minimal usage, letting the module derive the subnet map from the listed availability zones (the `source` and `version` lines are the same ones used in the explicit subnet_map example that follows):

```hcl
module "network" {
  source  = "sourcefuse/arc-network/aws"
  version = "3.0.0"

  namespace   = var.namespace
  environment = var.environment
  name        = "arc-poc"

  # Note: the module's input variable really is spelled "geteway" (see the Inputs table).
  create_internet_geteway = true
  availability_zones      = ["us-east-1a", "us-east-1b", "us-east-1c"]
  cidr_block              = "10.0.0.0/16"

  # Gateway endpoints for S3 and DynamoDB, attached to the private route tables only.
  vpc_endpoint_data = [
    {
      service            = "s3"
      route_table_filter = "private"
    },
    {
      service            = "dynamodb"
      route_table_filter = "private"
    }
  ]

  tags = module.tags.tags # tags produced by a separate tagging module
}
```
Usage with an explicit subnet_map (defined in the locals block that follows):

```hcl
module "network" {
  source  = "sourcefuse/arc-network/aws"
  version = "3.0.0"

  namespace   = var.namespace
  environment = var.environment
  name        = "arc-poc"

  # Note: the module's input variable really is spelled "geteway" (see the Inputs table).
  create_internet_geteway = true
  subnet_map              = local.subnet_map
  cidr_block              = "10.0.0.0/16"

  # Gateway endpoints for S3 and DynamoDB, attached to the private route tables only.
  vpc_endpoint_data = [
    {
      service            = "s3"
      route_table_filter = "private"
    },
    {
      service            = "dynamodb"
      route_table_filter = "private"
    }
  ]

  tags = module.tags.tags # tags produced by a separate tagging module
}
```
```hcl
locals {
  prefix = "arc-poc"

  # Two public subnets (one per AZ) each create a NAT gateway and route to the
  # internet gateway; the db and app subnets are private and only attach the
  # NAT gateway of their own AZ.
  subnet_map = {
    "${local.prefix}-public-az1" = {
      name                    = "${local.prefix}-public-az1"
      cidr_block              = "10.0.0.0/19"
      availability_zone       = "us-east-1a"
      nat_gateway_name        = "${local.prefix}-az1-ngtw01"
      attach_nat_gateway      = false
      create_nat_gateway      = true
      attach_internet_gateway = true
    },
    "${local.prefix}-public-az2" = {
      name                    = "${local.prefix}-public-az2"
      cidr_block              = "10.0.32.0/19"
      availability_zone       = "us-east-1b"
      nat_gateway_name        = "${local.prefix}-az2-ngtw01"
      attach_nat_gateway      = false
      create_nat_gateway      = true
      attach_internet_gateway = true
    },
    "${local.prefix}-db-az1" = {
      name                    = "${local.prefix}-db-az1"
      cidr_block              = "10.0.64.0/19"
      availability_zone       = "us-east-1a"
      nat_gateway_name        = "${local.prefix}-az1-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    },
    "${local.prefix}-db-az2" = {
      name                    = "${local.prefix}-db-az2"
      cidr_block              = "10.0.96.0/19"
      availability_zone       = "us-east-1b"
      nat_gateway_name        = "${local.prefix}-az2-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    },
    "${local.prefix}-app-az1" = {
      name                    = "${local.prefix}-app-az1"
      cidr_block              = "10.0.128.0/19"
      availability_zone       = "us-east-1a"
      nat_gateway_name        = "${local.prefix}-az1-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    },
    "${local.prefix}-app-az2" = {
      name                    = "${local.prefix}-app-az2"
      cidr_block              = "10.0.160.0/19"
      availability_zone       = "us-east-1b"
      nat_gateway_name        = "${local.prefix}-az2-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    }
  }
}
```
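The subnet_map is where the VPC's exposure is decided: a subnet with `attach_internet_gateway = true` is internet-facing, every other subnet reaches out only through the NAT gateway named in `nat_gateway_name`. The script below is an added example, not part of the sourcefuse/arc-network module, that checks a subnet map before `terraform apply`: every subnet CIDR sits inside the VPC block and none overlap, no subnet routes to both an internet gateway and a NAT gateway, every NAT gateway is created in an internet-facing subnet, and every attached NAT gateway exists and lives in the same availability zone. It assumes the map has been exported as JSON with the attribute names used in the locals block above (for example from a `*.tfvars.json` file); the embedded sample is a constructed serialisation of that block with `local.prefix` resolved to `arc-poc`. The defaults it applies for missing keys (`create_nat_gateway` true, the other booleans false) are the ones stated in the subnet_map input description.

```python
"""Pre-apply sanity checks for an ARC network subnet_map (added example)."""
import ipaddress
import json

SAMPLE_VPC_CIDR = "10.0.0.0/16"

# Constructed sample input: the README's locals.subnet_map serialised as JSON.
SAMPLE_SUBNET_MAP_JSON = """
{
  "arc-poc-public-az1": {"name": "arc-poc-public-az1", "cidr_block": "10.0.0.0/19",
      "availability_zone": "us-east-1a", "nat_gateway_name": "arc-poc-az1-ngtw01",
      "attach_nat_gateway": false, "create_nat_gateway": true, "attach_internet_gateway": true},
  "arc-poc-public-az2": {"name": "arc-poc-public-az2", "cidr_block": "10.0.32.0/19",
      "availability_zone": "us-east-1b", "nat_gateway_name": "arc-poc-az2-ngtw01",
      "attach_nat_gateway": false, "create_nat_gateway": true, "attach_internet_gateway": true},
  "arc-poc-db-az1": {"name": "arc-poc-db-az1", "cidr_block": "10.0.64.0/19",
      "availability_zone": "us-east-1a", "nat_gateway_name": "arc-poc-az1-ngtw01",
      "attach_nat_gateway": true, "create_nat_gateway": false, "attach_internet_gateway": false},
  "arc-poc-db-az2": {"name": "arc-poc-db-az2", "cidr_block": "10.0.96.0/19",
      "availability_zone": "us-east-1b", "nat_gateway_name": "arc-poc-az2-ngtw01",
      "attach_nat_gateway": true, "create_nat_gateway": false, "attach_internet_gateway": false},
  "arc-poc-app-az1": {"name": "arc-poc-app-az1", "cidr_block": "10.0.128.0/19",
      "availability_zone": "us-east-1a", "nat_gateway_name": "arc-poc-az1-ngtw01",
      "attach_nat_gateway": true, "create_nat_gateway": false, "attach_internet_gateway": false},
  "arc-poc-app-az2": {"name": "arc-poc-app-az2", "cidr_block": "10.0.160.0/19",
      "availability_zone": "us-east-1b", "nat_gateway_name": "arc-poc-az2-ngtw01",
      "attach_nat_gateway": true, "create_nat_gateway": false, "attach_internet_gateway": false}
}
"""


def load_subnet_map(text: str) -> dict:
    """Parse a JSON-serialised subnet_map (e.g. read from a *.tfvars.json file)."""
    return json.loads(text)


def public_subnets(subnet_map: dict) -> list[str]:
    """Subnets that get an internet gateway route, i.e. are reachable from the internet."""
    return sorted(k for k, s in subnet_map.items() if s.get("attach_internet_gateway", False))


def check_subnet_map(vpc_cidr: str, subnet_map: dict) -> list[str]:
    """Return a list of findings; an empty list means the map passed every check."""
    findings: list[str] = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen: dict[str, ipaddress.IPv4Network] = {}
    nat_created_in: dict[str, str] = {}  # NAT gateway name -> subnet that creates it

    for key, s in subnet_map.items():
        net = ipaddress.ip_network(s["cidr_block"])
        if not net.subnet_of(vpc):
            findings.append(f"{key}: {net} is outside the VPC block {vpc}")
        for other_key, other in seen.items():
            if net.overlaps(other):
                findings.append(f"{key}: {net} overlaps {other_key} ({other})")
        seen[key] = net

        public = s.get("attach_internet_gateway", False)
        creates_nat = s.get("create_nat_gateway", True)  # README default: true
        attaches_nat = s.get("attach_nat_gateway", False)  # README default: false

        if public and attaches_nat:
            findings.append(f"{key}: routes to both an internet gateway and a NAT gateway; "
                            "a subnet needs exactly one default route")
        if creates_nat and not public:
            findings.append(f"{key}: creates a NAT gateway but has no internet gateway route, "
                            "so that NAT gateway cannot reach the internet")
        if creates_nat:
            name = s.get("nat_gateway_name")
            if not name:
                findings.append(f"{key}: create_nat_gateway is true but nat_gateway_name is unset")
            elif name in nat_created_in:
                findings.append(f"{key}: NAT gateway {name!r} is already created in {nat_created_in[name]}")
            else:
                nat_created_in[name] = key

    # Second pass: every attached NAT gateway must exist and sit in the same AZ.
    for key, s in subnet_map.items():
        if not s.get("attach_nat_gateway", False):
            continue
        name = s.get("nat_gateway_name")
        owner = nat_created_in.get(name)
        if owner is None:
            findings.append(f"{key}: attaches NAT gateway {name!r}, which no subnet creates")
        elif subnet_map[owner]["availability_zone"] != s["availability_zone"]:
            findings.append(f"{key}: NAT gateway {name!r} lives in "
                            f"{subnet_map[owner]['availability_zone']}; cross-AZ NAT is a single point of failure")
    return findings


if __name__ == "__main__":
    subnets = load_subnet_map(SAMPLE_SUBNET_MAP_JSON)
    print("internet-facing subnets:", public_subnets(subnets))
    for finding in check_subnet_map(SAMPLE_VPC_CIDR, subnets) or ["no findings"]:
        print(finding)
```

Run against the sample the script reports no findings and lists the two public subnets; a reviewer can diff that list against the intended design before anything is applied. The cross-AZ check is a resilience point rather than a security one, but it is cheap to include once the NAT ownership map has been built.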
Requirements:

Name | Version |
---|---|
terraform | >= 1.3, < 2.0.0 |
aws | >= 4.0, < 6.0 |

Providers:

Name | Version |
---|---|
aws | 5.75.0 |

Modules:

Name | Source | Version |
---|---|---|
kms | sourcefuse/arc-kms/aws | 1.0.9 |

Resources:

Name | Type |
---|---|
aws_cloudwatch_log_group.this | resource |
aws_eip.nat_gw | resource |
aws_flow_log.this | resource |
aws_iam_policy.this | resource |
aws_iam_role.this | resource |
aws_iam_role_policy_attachment.attach_flow_logs_policy | resource |
aws_internet_gateway.this | resource |
aws_nat_gateway.this | resource |
aws_route.additional | resource |
aws_route.internet_gw | resource |
aws_route.nat | resource |
aws_route_table.this | resource |
aws_route_table_association.additional | resource |
aws_route_table_association.this | resource |
aws_subnet.this | resource |
aws_vpc.this | resource |
aws_vpc_endpoint.this | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume | data source |
aws_iam_policy_document.flow_logs_policy | data source |
aws_region.current | data source |
aws_region.this | data source |
aws_route_tables.private | data source |
aws_route_tables.public | data source |

Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. | bool | false | no |
availability_zones | (optional) List of availability zones; if subnet_map is null, the subnet map is derived automatically from these zones. | list(string) | [] | no |
cidr_block | The CIDR block for the VPC. | string | n/a | yes |
create_internet_geteway | (optional) Whether to create an internet gateway. | bool | true | no |
enable_dns_hostnames | A boolean flag to enable/disable DNS hostnames in the VPC. | bool | true | no |
enable_dns_support | A boolean flag to enable/disable DNS support in the VPC. | bool | true | no |
enable_network_address_usage_metrics | Enable or disable network address usage metrics. | bool | false | no |
environment | Environment name | string | n/a | yes |
instance_tenancy | A tenancy option for instances launched into the VPC. Can be 'default' or 'dedicated'. | string | "default" | no |
internet_geteway_name | (optional) If the Internet Gateway name is not provided, it will be automatically derived. | string | null | no |
ipv4_ipam_pool_id | The IPv4 IPAM pool ID from which to allocate the CIDR. | string | null | no |
ipv4_netmask_length | The netmask length of the IPv4 CIDR block to allocate to the VPC. | number | null | no |
ipv6_cidr_block | The IPv6 CIDR block to associate with your VPC. | string | null | no |
ipv6_cidr_block_network_border_group | The network border group of the IPv6 CIDR block. | string | null | no |
ipv6_ipam_pool_id | The IPv6 IPAM pool ID from which to allocate the CIDR. | string | null | no |
ipv6_netmask_length | The netmask length of the IPv6 CIDR block to allocate to the VPC. | number | null | no |
kms_config | n/a | object({ | { | no |
name | VPC name | string | n/a | yes |
namespace | Namespace name | string | n/a | yes |
subnet_map | A map defining the configuration of subnets, their attributes, and associated resources. Each subnet configuration can include the following details: - name: Name of the subnet. - cidr_block: CIDR block for the subnet. - availability_zone: The availability zone where the subnet is located. - enable_resource_name_dns_a_record_on_launch: Enable or disable DNS A records for EC2 instances launched in this subnet (default: false). - enable_resource_name_dns_aaaa_record_on_launch: Enable or disable DNS AAAA records for EC2 instances launched in this subnet (default: false). - map_public_ip_on_launch: Specify whether to auto-assign a public IP for instances in this subnet (default: false). - ipv6_native: Enable or disable native IPv6 support for the subnet (default: false). - assign_ipv6_address_on_creation: Whether to automatically assign an IPv6 address to instances launched in the subnet (default: false). - ipv6_cidr_block: The IPv6 CIDR block associated with the subnet (optional). - enable_dns64: Enable or disable DNS64 in the subnet (default: false). - nat_gateway_name: Name of the NAT Gateway attached to the subnet (optional). - create_nat_gateway: Specify whether to create a NAT Gateway for the subnet (default: true). - attach_nat_gateway: Specify whether to attach an existing NAT Gateway to the subnet (default: false). - attach_internet_gateway: Specify whether to attach an Internet Gateway to the subnet (default: false). - additional_routes: List of additional routes to be added to the subnet route table, typically to route traffic to other services such as a Transit Gateway. Each route includes: - type: Type of resource (default: "transit-gateway"). - id: The ID of the route target (e.g., a Transit Gateway ID). - cidr_block: The destination CIDR block for the route. - destination_ipv6_cidr_block: The destination IPv6 CIDR block for the route. | map(object({ | null | no |
tags | (optional) Tags for VPC resources | map(string) | {} | no |
vpc_endpoint_data | (optional) List of VPC endpoints to be created | list(object({ | [] | no |
vpc_flow_log_config | If s3_bucket_arn is null, only CloudWatch logging is enabled by default. If s3_bucket_arn is provided, S3 logging is enabled. | object({ | { | no |

Outputs:

Name | Description |
---|---|
default_route_table_id | The Default Route Table ID for the VPC |
id | The VPC ID |
igw_id | Internet gateway ID for the VPC |
main_route_table_id | The Main Route Table ID for the VPC |
private_subnet_ids | Private subnet IDs |
public_subnet_ids | Public subnet IDs |
vpc_cidr | The VPC CIDR block |
vpc_default_network_acl_id | The ID of the network ACL created by default on VPC creation |
vpn_endpoint_arn | The ARN of the Client VPN Endpoint Connection. |
- Configure pre-commit hooks:

  ```shell
  pre-commit install
  ```

- Configure the Go dependencies for the tests:

  ```shell
  go get github.com/gruntwork-io/terratest/modules/terraform
  go get github.com/stretchr/testify/assert
  ```

When contributing or committing, state in your commit message whether the change is major, minor or patch.

For example:

```shell
git commit -m "your commit message #major"
```

The tag bumps the version accordingly; if you do not specify one, the change is treated as a patch and the patch version is bumped.

- Tests are available in the test directory. In the test directory, run:

  ```shell
  go test -timeout 1800s
  ```
This project is authored by:
- SourceFuse